Beware the WebLogic WLS-WSAT Component Deserialization RCE Exploit

In October 2017, Oracle disclosed CVE-2017-10271—a critical Java deserialization vulnerability in WebLogic's 'WLS Security' subcomponent—and released a patch to fix it. This disclosure by Oracle was the result of an incomplete patch for CVE-2017-3506, which is a similar vulnerability in WebLogic's 'Web Services' subcomponent.

After the public disclosure of the vulnerability and release of the patch, there wasn't much public information available about the vulnerability itself until a proof of concept (POC) exploit for CVE-2017-10271 was released on December 23rd, 2017. The POC shows that the Oracle WebLogic 'WLS-WSAT' vulnerability is due to insufficient validation of serialized XML data by the WorkContextXmlInputAdapter class. Essentially, malicious input passed to the XMLDecoder constructor and read functions within the WorkContextXmlInputAdapter class results in the deserialization of an arbitrary Java serialized object. The result is a remote code execution (RCE) exploit, and possibly a full takeover of the web server by any unauthenticated user with access to the network running an affected version of WebLogic's WLS-WSAT subcomponent.

According to the POC, the wls-wsat/CoordinatorPortType endpoint is where the vulnerability exists, but the endpoints below have also been listed as possible vulnerable entry points for this attack:

  • wls-wsat/RegistrationPortTypeRPC
  • wls-wsat/ParticipantPortType
  • wls-wsat/RegistrationRequesterPortType
  • wls-wsat/CoordinatorPortType11
  • wls-wsat/RegistrationPortTypeRPC11
  • wls-wsat/ParticipantPortType11
  • wls-wsat/RegistrationRequesterPortType11
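
A triage sketch for the endpoint list above, added here and not part of the original article or any Alert Logic product: it scans HTTP access log lines for requests to the listed wls-wsat endpoints and counts POSTs per source address. The Common Log Format layout, the function names and the sample lines are assumptions constructed for illustration; access logs do not record the request body, so a hit shows that an endpoint was reached, not that exploitation succeeded.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Endpoint names copied from the list in this article.
WSAT_ENDPOINTS = {
    "CoordinatorPortType", "RegistrationPortTypeRPC", "ParticipantPortType",
    "RegistrationRequesterPortType", "CoordinatorPortType11",
    "RegistrationPortTypeRPC11", "ParticipantPortType11",
    "RegistrationRequesterPortType11",
}

# Assumption: the access log uses Common/Combined Log Format.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def wsat_hits(lines):
    """Yield (src, timestamp, method, endpoint, status) for wls-wsat requests."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # Normalise before matching: drop the query string, percent-decode,
        # and collapse repeated slashes so trivial variations still match.
        path = re.sub(r"/+", "/", unquote(m["path"].split("?", 1)[0]))
        parts = path.strip("/").split("/")
        if len(parts) == 2 and parts[0] == "wls-wsat" and parts[1] in WSAT_ENDPOINTS:
            yield m["src"], m["ts"], m["method"], parts[1], int(m["status"])

def post_sources(lines):
    """Count POSTs per source; POST is the method that carries a request body."""
    return Counter(h[0] for h in wsat_hits(lines) if h[2] == "POST")

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Dec/2017:03:14:07 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1203',
    '203.0.113.7 - - [28/Dec/2017:03:14:09 +0000] "POST /wls-wsat//ParticipantPortType11?x=1 HTTP/1.1" 500 1203',
    '198.51.100.22 - - [28/Dec/2017:04:00:00 +0000] "GET /wls-wsat/CoordinatorPortType HTTP/1.1" 200 512',
    '192.0.2.10 - - [28/Dec/2017:04:01:00 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4096',
    '203.0.113.9 - - [28/Dec/2017:05:30:00 +0000] "POST /wls-wsat/Registration%50ortTypeRPC HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for hit in wsat_hits(SAMPLE_LOG):
        print(hit)
    print(post_sources(SAMPLE_LOG).most_common())
```

Hosts that appear in the POST counts are the ones to review first for the CPU-intensive processes and CRON entries the article describes.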

Exploited by Bitcoin miners?

It's been widely reported that Bitcoin miners have been exploiting this vulnerability, and installing malware that mines Bitcoins on the compromised servers. According to SANS Dean of Research Johannes B. Ullrich, it only takes limited scripting skills to successfully exploit this flaw. Ullrich also suggests that many of the compromised WebLogic servers are running on public cloud servers.

In many cases, a script was dropped on the compromised WebLogic web servers that accidentally kills the WebLogic server (hopefully this alerted some of the victims of these attacks) before running the malicious miner. If you happen to be running a vulnerable WebLogic Server, you should check for signs of malware in the form of CPU-intensive processes.

Samples of the malware used can be found here and here.

CVE-2017-10271 Affected Versions

WebLogic versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, or 12.2.1.2.0 are vulnerable to CVE-2017-10271 and CVE-2017-3506. If you are using any of the above versions, it is recommended you apply the latest patches from the Oracle website below as soon as possible. 

https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html

Unaffected Versions

  • WebLogic Server 12.2.1.3 is not vulnerable to CVE-2017-10271

It’s important to remain vigilant and do a little more digging even after you’ve patched, though. Ullrich cautions, “It is very likely that more sophisticated attackers used this to gain a persistent foothold on the system. In this case, the only ‘persistence’ we noticed was the CRON job. But there are many more, and more difficult to detect, ways to gain persistence.”

Alert Logic Coverage

Alert Logic® ActiveWatch™ Managed Detection and Response researchers discovered the exploit and immediately requested our Security Operations Center (SOC) to manually search signatures to identify potential exploit attempts. Manual searches indicated active exploit activity, so SOC analysts notified customers and provided remediation guidance. Additional coverage was then quickly released over the holidays to expand on this insight and allow attempts to be verified as potentially successful in order to alert affected customers as quickly as possible.

Our web application firewall (WAF) Alert Logic Web Security Manager OSC_JAVA_CLASS signatures enable detection of this threat out of the box—similar to detection of many Apache Struts attacks. Threat Manager network intrusion detection system (IDS) signatures were in place and detected initial exploit attempts against Alert Logic customers. Expanded signatures have been released to increase visibility specific to this attack vector for Threat Manager and Cloud Insight as of December 29, 2017. Coverage for CVE-2017-10271 was added on January 10, 2018.

Due to the nature of the exploit, Alert Logic Log Manager is not an effective method of detecting exploits of these vulnerabilities.

About the Author

Joseph Hitchcock - Technical Security Evangelist

Joe Hitchcock is passionate when it comes to system and network security. Initially self-taught, he started working as an independent contractor for small businesses doing malware removal and perimeter security. He started at Alert Logic in 2011 as a Network Security Analyst analyzing threat traffic and other attacks. Afterwards, he worked in Security Research and eventually became one of the first Analysts to work on the Web Security team supporting Web Security Manager WAF. He was eventually promoted to a Senior Web Security Analyst where his job included building custom security policies, researching new web attacks and adding custom signatures to better WSM detection.
