Emerging Threat: Remote Code Execution Flaw in Oracle WebLogic

Summary

During April 2019, Alert Logic research teams began tracking exploit attempts against Oracle WebLogic Server that could allow an attacker to run malicious software on the server remotely.

An unauthenticated remote code execution vulnerability in Oracle WebLogic Server allows attackers to take control of victim hosts: execute code, install persistence and move laterally through the network. Exploit code has been released into the public domain and we have observed active attacks against our customer base using this vulnerability. The vulnerability is tracked as CVE-2019-2725 and was originally referenced as CNVD-C-2019-48814.

You may be affected if you run version 10.3.6.0.0 or 12.1.3.0.0 of Oracle WebLogic Server. Oracle has released a patch to mitigate this threat (see the Security Alert linked in the timeline below).

Alert Logic customers using our Fully Managed Web Application Firewall, in protect mode, are protected from this threat.

The root cause is a component, included by default in some versions of WebLogic to provide asynchronous communication services, that deserializes the input it receives without adequate validation. An unauthenticated attacker can send a crafted HTTP request to this component and have commands executed with the privileges of the WebLogic server process:

Attack Steps

  1. The attacker folds the public exploit code into existing mass-scanning scripts and "fires and forgets" it at public IP ranges.
  2. Each request carries the exploit payload, which usually uploads a persistent access mechanism such as a webshell; the attacker then works through the success indicators in the script output.
  3. A vulnerable WebLogic server deserializes the payload and performs whatever action the attacker specified.

What is a Webshell? 

A webshell is a script or web page that enables remote administration of the underlying machine by a remote user. Most webshells are written in languages supported by common web servers, e.g. PHP, Python, Ruby, Perl and ASP; on a Java application server such as WebLogic they are typically JSP files.

The shell gives the user the ability to create, edit, delete or download files, meaning that data on the system is at high risk of exfiltration, and to upload and execute more specific or targeted code for disruption.
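Because the attacks described here leave a webshell behind, the practical follow-up is to hunt for one. The Python below is an added example (it is not part of the original Alert Logic post and is not an Alert Logic detection rule): it scores script files for the command-execution, dynamic-eval and obfuscation primitives that JSP, PHP and similar webshells depend on, and weights most heavily the case where an execution primitive is fed directly from request input. The indicator list, the threshold of 2 and all file contents are constructed assumptions for illustration; scan_tree shows how the same scoring is applied to a real document root.

```python
"""Added example: heuristic hunt for webshells left behind after exploitation.
Scores script files for the command-execution, dynamic-eval and obfuscation
primitives that webshells in JSP, PHP and similar languages rely on. The file
contents below are constructed samples, not real malware; the indicator list
and the threshold of 2 are assumptions made for this example, not an Alert
Logic rule."""
import os
import re

SCRIPT_EXTS = {".jsp", ".jspx", ".php", ".asp", ".aspx", ".py", ".pl", ".rb"}

# (name, pattern). Each indicator counts once; a real shell normally trips several.
INDICATORS = [
    ("java_exec", re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\(|new\s+ProcessBuilder")),
    ("php_exec", re.compile(r"(?<![.\w])(system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I)),
    ("dynamic_eval", re.compile(r"(?<![.\w])(eval|assert)\s*\(", re.I)),
    ("obfuscation", re.compile(r"base64_decode|str_rot13|gzinflate|fromCharCode", re.I)),
    # The strongest signal: an execution primitive fed straight from request input.
    ("request_to_exec", re.compile(
        r"(exec|system|passthru|eval)\s*\([^)]*(getParameter|\$_(GET|POST|REQUEST|COOKIE))", re.I)),
    ("file_write", re.compile(r"FileOutputStream|file_put_contents|move_uploaded_file", re.I)),
]


def score_content(text):
    """Return (score, [indicator names]) for one file's contents."""
    names = [name for name, pat in INDICATORS if pat.search(text)]
    return len(names), names


def scan_files(files, threshold=2):
    """files: {path: contents}. Returns [(path, score, names)] for script files
    scoring at or above threshold, highest score first."""
    findings = []
    for path, text in files.items():
        if os.path.splitext(path)[1].lower() not in SCRIPT_EXTS:
            continue
        score, names = score_content(text)
        if score >= threshold:
            findings.append((path, score, names))
    findings.sort(key=lambda f: (-f[1], f[0]))
    return findings


def scan_tree(root, threshold=2):
    """Walk a real document root and feed its script files to scan_files."""
    files = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if os.path.splitext(fn)[1].lower() in SCRIPT_EXTS:
                path = os.path.join(dirpath, fn)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    files[path] = fh.read()
    return scan_files(files, threshold)


# Constructed samples (not real files from any incident).
BENIGN_JSP = ('<%@ page contentType="text/html" %>\n'
              '<html><body>Hello, <%= request.getParameter("name") %></body></html>\n')
JSP_SHELL = ('<%@ page import="java.io.*" %>\n'
             '<% Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));\n'
             '   InputStream in = p.getInputStream(); int b;\n'
             '   while ((b = in.read()) != -1) out.write(b); %>\n')
PHP_SHELL = '<?php @eval($_POST["pw"]); ?>\n'
ADMIN_PHP = '<?php echo system("uptime"); ?>\n'   # one primitive, no request input: below threshold

SAMPLE_FILES = {
    "/app/index.jsp": BENIGN_JSP,
    "/app/uploads/x.jsp": JSP_SHELL,
    "/app/inc/h.php": PHP_SHELL,
    "/app/tools/status.php": ADMIN_PHP,
    "/app/notes.txt": JSP_SHELL,   # not a script extension, so never scanned
}

if __name__ == "__main__":
    for path, score, names in scan_files(SAMPLE_FILES):
        print(f"{path}: score {score} {names}")
```

The threshold matters: a lone system() call in an administrator's status page scores 1 and stays below it, while a one-line eval($_POST[...]) shell and a JSP that pipes a request parameter into Runtime.exec each score 2 and surface. Treat the output as a triage list rather than a verdict, and pair it with file modification times relative to the last legitimate deployment.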

Timeline

17th April 2019

Vulnerability initially disclosed on the CNVD, but no exploit code was available, making it uncertain whether the vulnerability could actually be exploited in practice. The CNVD announcement described it as affecting all versions of WebLogic (Oracle's later alert lists 10.3.6.0.0 and 12.1.3.0.0 as affected).

http://www.cnvd.org.cn/webinfo/show/4989

 

Pending a patch, the announcement identified the following mitigating steps:

Delete the vulnerable .war package (the wls9_async_response component) and restart WebLogic;

Control access to the URL of the /_async/* path through the access policy.
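As an added example (not part of the original Alert Logic post and not Oracle tooling), the Python below applies the second mitigation and the attack pattern described under Attack Steps to ordinary web-server access logs: it flags every request whose path is under /_async/, normalising the path first so that doubled slashes, dot segments or percent-encoded variants are not missed by a plain prefix check; it counts hits per source address, since a "fire and forget" scanner shows up as one address repeating the request; and it models the access policy as "allow /_async/* only from a trusted range". The combined log format, the endpoint name AsyncResponseService and the trusted 10.0.0.0/8 range are assumptions, and all log lines are constructed.

```python
"""Added example: flag requests to WebLogic's /_async/* path in access logs and
model the "restrict /_async/*" access-policy mitigation. Assumptions (not from
the advisory): combined log format, the endpoint name AsyncResponseService, and
a trusted 10.0.0.0/8 range. All log lines below are constructed samples."""
import ipaddress
import posixpath
import re
from collections import Counter
from urllib.parse import unquote

SAMPLE_LOG = """\
203.0.113.7 - - [24/Apr/2019:10:01:02 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Apr/2019:10:01:03 +0000] "POST //_async/AsyncResponseService HTTP/1.1" 200 498 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Apr/2019:10:01:05 +0000] "POST /%5fasync/AsyncResponseService HTTP/1.1" 200 498 "-" "Mozilla/5.0"
198.51.100.23 - - [24/Apr/2019:10:02:11 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 2231 "-" "Mozilla/5.0"
10.0.5.14 - - [24/Apr/2019:10:03:00 +0000] "GET /_async/AsyncResponseService HTTP/1.1" 200 1450 "-" "curl/7.64.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: only hosts in this range have a legitimate reason to call the async service.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def normalize_path(target):
    """Canonicalise the request target before matching: drop the query string,
    percent-decode once, collapse repeated slashes and resolve ./ and ../ so that
    //_async, /./_async or /%5fasync do not slip past a plain prefix check."""
    path = unquote(target.split("?", 1)[0])
    path = re.sub(r"/+", "/", path)
    return posixpath.normpath(path)


def is_async_path(target):
    path = normalize_path(target)
    return path == "/_async" or path.startswith("/_async/")


def find_async_requests(log_text):
    """Return every parsed record whose normalised path is under /_async/."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_async_path(rec["target"]):
            hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Count hits per client address; a mass scanner is one address repeating the request."""
    return Counter(rec["ip"] for rec in hits)


def is_allowed(target, client_ip, trusted=TRUSTED_NETS):
    """The access-policy mitigation: everything else passes, /_async/* only from trusted sources."""
    if not is_async_path(target):
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in trusted)


if __name__ == "__main__":
    hits = find_async_requests(SAMPLE_LOG)
    for ip, count in summarize_by_source(hits).most_common():
        verdict = "allowed" if is_allowed("/_async/", ip) else "BLOCKED by policy"
        print(f"{ip}: {count} request(s) to /_async/* ({verdict})")
```

Two caveats a practitioner should keep in mind: the path filter is deliberately coarse (it flags the legitimate internal client as well as the scanner, and it is the policy check, not the detector, that separates them), and a proxy or WAF that decodes the URL differently from WebLogic can still be bypassed, so restricting the path is a stop-gap until the patch is applied, not a substitute for it.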

21st April 2019

The KnownSec 404 Team publish a blog post about exploiting the vulnerability:

https://medium.com/@knownseczoomeye/knownsec-404-team-oracle-weblogic-deserialization-rce-vulnerability-0day-alert-90dd9a79ae93

24th April 2019

Alert Logic telemetry signature data shows attempts to exploit the vulnerability.

26th April 2019

Oracle releases a patch for the vulnerability as an out-of-band Security Alert (outside its usual quarterly Critical Patch Update schedule, which indicates the severity of the vulnerability):

https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html

Alert Logic content teams release a signature to detect attack traffic specifically for this vulnerability. Analysis of this traffic using SOC tooling confirms that attackers are actively attempting to exploit the vulnerability.

Classified as an Emerging Threat to formalize next steps:

  • Regular calls
  • Vulnerability Scan, Network IDS and WAF coverage prioritised
  • Log detection confirmed not applicable
  • Customer impact list
  • Customer reach-out
  • Customer email

Web Application Firewall blocking coverage confirmed for customers running in protect mode.

Scanning team and Major Incident Management identify the list of customers running WebLogic, who are then contacted.

Vulnerability Scanning coverage deployed; the finding is marked as a PCI audit fail for reporting and auditing purposes.

Knowledge Base article published:

https://support.alertlogic.com/hc/en-us/articles/360027739491-04-29-19-Oracle-WebLogic-async-Deserialization-RCE

Broader customer communications sent

1st May 2019

This blog published

Next Steps

SOC heightened awareness continues.

Incident content released for automatic enriched incident generation.

Exploit Details

A highly critical remote code execution vulnerability has been discovered in the wls9_async_response package, which is included by default in some versions of Oracle WebLogic and provides asynchronous communication services for WebLogic Server. The package deserializes attacker-controlled input, which allows remote, unauthenticated attackers to execute arbitrary code on vulnerable servers.

In practice the executed code is used to make the victim host fetch a remote payload: typically commands that download and install persistence, such as malware or a webshell. Those payloads then provide remote control over the victim host and enable further attacks, such as data exfiltration, or lateral movement on to other hosts in the network. Once exploited, the vulnerability allows an attacker to take complete control of the host.

When was this discovered/published and who published it?

The vulnerability was initially disclosed on the CNVD, but no exploit code was available, making it uncertain whether the vulnerability could actually be exploited in practice. The CNVD announcement described it as affecting all versions of WebLogic (Oracle's alert lists 10.3.6.0.0 and 12.1.3.0.0 as affected).

http://www.cnvd.org.cn/webinfo/show/4989

The vulnerability was confirmed officially by Oracle on 26 April 2019 as CVE-2019-2725 in a Security Alert:

https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html

This impacts any organization that is running Oracle WebLogic who have not applied the

Impact

There are no public reports, at the time of writing, of specific businesses affected by this threat; however, hundreds of attack attempts against Alert Logic customers have been observed, so assume that attempts are being made across public IP ranges.

Patches

The patch is available via the Oracle Security Alert linked above. Given the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided in the Alert as soon as possible.