noodls browser compatibility check

The security settings of your browser are blocking the execution of scripts.

To use noodls, javascript support must be enabled. Please change your browser's security settings to enable javascript.

If you have changed your browser's security settings, you can click here.

related announcements

News

Town of Mammoth Lakes, CA

The Parcel Ribbon Cutting and Groundbreaking Event
Supreme Court of California

Meinhardt v. City of Sunnyvale 7/29/24 SC Case Details
Supreme Court of California

Bailey v. S.F. Dist. Attorney's Office 7/29/24 SC Case Details

Science and Technology

SonicWALL Inc.

29/07/2024 | Press release | Distributed by Public on 29/07/2024 17:00

GeoServer RCE Vulnerability (CVE 2024 36401) Being Exploited In the Wild

Overview

The SonicWall Capture Labs threat research team became aware of a remote code execution vulnerability in GeoServer, assessed its impact and developed mitigation measures. GeoServer is a community-driven project that allows users to share and edit geospatial data. It supports industry-standard OGC protocols, including Web Feature Service (WFS), Web Map Service (WMS) and Web Coverage Service (WCS). Identified as CVE-2024-36401, GeoServer versions before 2.24.4, 2.25.2 and 2.23.6 allow an unauthenticated threat actor to execute arbitrary code remotely, earning a critical CVSS score of 9.8. Since this vulnerability has made its way into CISA's Known Exploited Vulnerabilities (KEV) Catalog, users are strongly encouraged to upgrade their instances to the latest applicable fixed version, as mentioned by the vendor in the advisory.

Technical Overview

This vulnerability is caused by a flaw in the GeoTools library API used by GeoServer to process attribute names. The API passes the names in an unsafe way to the commons-jxpath library, which poses a risk of executing arbitrary code when evaluating XPath expressions. According to the advisory, the XPath evaluation is meant to be used only by complex feature types such as Application Schema data stores. However, it is also mistakenly applied to simple feature types, making the vulnerability applicable to all GeoServer instances.

Triggering the Vulnerability

The vulnerability can be leveraged through Open Geospatial Consortium (OGC) request parameters such as WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute. For instance, the sample request with a malicious payload could be crafted as seen in Figure 1. Notice the Linux "touch" command in the ValueReference attribute of the GetPropertyValue tag.

[Link]

Figure 1: Sample attack request

The flaw was addressed by introducing the patch to improve the handling of XPath expression by GeoTools. For instance, the improved XmlXpathUtilites class to evaluate XPathValues can be seen in Figure 2.

[Link]

Figure 2: Patched XmlXpathUtilites Class

Leveraging the vulnerability mentioned above requires the attacker to have network access to the target vulnerable system and to send a maliciously crafted request, as seen in Figure 1. Successfully exploiting the attack would result in the creation of a file named 'poc2' in the /tmp/ directory, as seen in Figure 3.

[Link]

Figure 3: Execution of POC

Exploitation

To exploit this vulnerability, an attacker must send a request with a system command in any of the following fields: WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic or WPS Execute. Exploiting this vulnerability yields a remote threat actor to execute arbitrary code on the server, posing a high impact on the confidentiality, integrity and availability of the system without requiring user interaction. The exploitation of the affected system using the WFS GetFeature field and ncat commands is demonstrated in Figure 4.

[Link]

Figure 4: Exploit in action

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

IPS: 20144 GeoServer OGC Remote Code Execution
IPS: 20145 GeoServer OGC Remote Code Execution 2
IPS: 20182 GeoServer OGC Remote Code Execution 3

Remediation Recommendations

Considering the vulnerability is being exploited in the wild as well as the availability of the public POC, users are strongly encouraged to upgrade their instances to the latest versions, as mentioned in the vendor advisory.

Users who cannot upgrade their instances right away can remove the file gt-complex-x.y.jar (x.y represents GeoTools version) from their GeoServer instance. GeoTools versions prior to 30.4, 31.2 and 29.6 are vulnerable. Although it will remove the vulnerable code, it may cause complications by breaking certain legitimate functionality of GeoServer. The path of the gt-complex module is WEB-INF/lib/gt-complex-x.y.jar and webapps/geoserver/WEB-INF/lib/gt-complex-x.y.jar respectively for war-based and binary-based deployments.

Relevant Links

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.

Sharing and Personal Tools

Please select the service you want to use:

Smartlinks | SonicWALL Inc. | News | Computer Hardware Manufacturers | Private Companies

Back

View original format