Last updated at Tue, 25 Apr 2023 22:26:40 GMT
What’s up?
As if October 2020 hasn’t been scary enough, Rapid7 Labs, the SANS Internet Storm Center (ISC), and other researchers have caught attackers opting for tricks instead of treats this week as they seek out and attempt to compromise internet-facing WebLogic servers that are vulnerable to CVE-2020-14882 (AttackerKB Analysis), which is an unauthenticated remote code execution (complete compromise) weakness in the Console component of Oracle WebLogic servers.
Before we sift through the candy loot bag of vulnerability and exploit details, we must pause and urge Oracle WebLogic Server customers to patch as soon as possible.
Vulnerability and exposure details
On Oct. 20, 2020, Oracle issued an advisory for CVE-2020-14882 in its quarterly critical patch update. The vulnerability is trivial to exploit, with a proof-of-concept (PoC) already available, courtesy of a researcher who goes by the handle Jang. The aforelinked Medium post is worth taking the time to translate and walk through, as it provides seriously detailed information on the path Jang took to eventually craft an exploit in a single HTTP GET request.
Affected WebLogic versions include:
- 10.3.6.0.0
- 12.1.3.0.0
- 12.2.1.3.0
- 12.2.1.4.0
- 14.1.1.0.0
Rapid7 Labs found just over 2,000 WebLogic Console endpoints on HTTP port 7001 today (Oct. 29, 2020) with a wide version distribution:
| version | n |
|---|---|
| 10.3.6.0 | 457 |
| 12.2.1.3.0 | 435 |
| 12.2.1.4.0 | 403 |
| 10.3.0.0 | 350 |
| 12.1.3.0.0 | 111 |
| 10.3.5.0 | 83 |
| 12.2.1.2.0 | 75 |
| 12.2.1.0.0 | 68 |
| 14.1.1.0.0 | 28 |
| 12.2.1.1.0 | 16 |
| 10.3.6.0.0 | 12 |
| 12.1.1.0 | 10 |
| 10.3.2.0 | 8 |
| 12.1.2.0.0 | 7 |
| 10.3.3.0 | 5 |
| 10.3.1.0 | 4 |
| 10.3.4.0 | 1 |
From this scan, it appears that 111 (12.1.3.0.0) are definitely vulnerable, with an additional 457 (10.3.6.0) potentially also vulnerable (while Oracle does include the version string in the HTML source it is not a precise version string, so some of these could be patched already).
Attacker activity
The SANS Internet Storm Center was first to confirm that active exploitation is in progress, and Rapid7 Labs has also seen evidence of opportunistic attackers seeking out vulnerable WebLogic instances.
Due to the widespread dissemination of the proof-of-concept code and evidence of active weaponization/exploitation, we expect to see continued attacks both on the public internet and within organizations where attackers have or will gain footholds.
Patch, mitigation, and detection guidance
Organizations running Oracle WebLogic Server should patch as quickly as possible. Those that are waiting for a yet-to-occur patch cycle to address CVE-2020-14882 would be well advised to break that cycle in favor of patching as soon as they can. Organizations that are unable to patch immediately should consider the following recommendations as partial mitigations, with the understanding that no mitigation is as effective as patching:
- Ensure the admin portal is not exposed to the public internet; blocking access to the admin portal (TCP port 7001 by default) may act as a partial mitigation until CVE-2020-14882 can be patched.
- Review application logs for HTTP requests that include the double-encoded path traversal
%252E%252E%252Fand the admin portalconsole.portalin the request URI. - Monitor network traffic for suspicious HTTP requests if you have the ability to do so.
- Monitor for any suspicious processes created by the application, such as
cmd.exeor/bin/sh.
Updates
- 2020-11-02 — Oracle has issued a supplementary advisory for a new CVE (CVE-2020-14750) which covers an additional, similar unauthenticated remote code execution vulnerability in the same WebLogic component.
