Embed Size (px)
Citation preview
@spoole167
Anatomy of Java Vulnerabilities
Steve Poole @spoole167
www.ibm.com
@spoole167
About me
Steve Poole
IBM Lead Engineer / Developer advocate
@spoole167
Making Java Real Since Version 0.9
Open Source Advocate
DevOps Practitioner (whatever that means!)
Driving Change
@spoole167
The scaryStuff looks like this
The scaryStuff looks like this
This talk is a technical horror story
The TechnicalStuff looks like this
The scaryStuff looks like this
https://www.flickr.com/photos/koolmann/
@spoole167
What is a Vulnerability?What is a Vulnerability?
@spoole167
What is a vulnerability?
“A vulnerability is a bug which can be exploited by an attacker”
Exploits can attack your availabilityBringing your system down by making it crashMaking your system unresponsive though excessive memory / CPU / network
usageExploits can reduce Integrity
Modification of application dataArbitrary code execution
Exploits can breech confidentialityPrivilege elevationExposure of sensitive information
@spoole167
Why should you care?Why should you care?
https://www.flickr.com/photos/koolmann/
Cybercrime realities
http
s://
ww
w.fl
ickr
.com
/pho
tos/
stig
nyga
ard/
Do you think cybercriminals are lone hackers?
Organized Cybercrime is the most profitable type of crime
• In 2016 Cybercrime was estimated to be worth 445 Billion Dollars a Year
• In 2013 the United Nations Office on Drugs and Crime (UNODC) estimated globally the illicit drug trade was worth 435 Billion Dollars
• Guess which one has the least risk to the criminal?• Guess which is growing the fastest?• Guess which one is the hardest to prosecute?
• Guess which one is predicted to reach 2100 Billion Dollars by 2019?
@spoole167
A simple example of a vulnerability
A simple example of a vulnerability
@spoole167
Java Vulnerability exampleIn a version of a java communications library a long time ago.
A Properties object which mapped labels to classnames
“decode” = “org.foo.decoder.Decoder”
When the class couldn’t be instantiated an exception was returned
“Cannot instantiate ‘decoder’ class ‘org.foo.decoder.Decoder’”
@spoole167
Unfortunately When retrieving the label if it wasn’t found in the Properties object then the
library looked in the System Properties object.
The result?
A remote attacker could systematically retrieve the value of every System Property.
“Cannot instantiate ’user.home’ class ‘/Users/joe’”
So who are the bad guys?
https://www.flickr.com/photos/monsieurlui/
A mirror of you?
• Organized and methodical • organized like startup companies. • “employ” highly experienced developers with deep knowledge • Constantly innovating malware, seeking out vulnerabilities• Sharing what they find with each other (for $ of course)
• Goal focused• the average age of a cybercriminal is 35 years old.
Who’s being targeted?
• Middle level executives – afraid of their bosses?• New joiners – easy to make a mistake?• Busy and harassed key individuals – too busy to take time to consider?• Disgruntled employees – want to hurt the company? Make some $?
• And Developers – the golden goose.
The bad guys prey on the weak, vulnerable and ignorant
Developers
• Why ?•We know the inside story•We write the code•We have elevated privileges•We are over trusting•We use other peoples code and tools without inspection• we are ignorant of security matters
The bad guys prey on the weak, vulnerable and ignorant
Don’t agree?
“The bad guys prey on the weak, vulnerable and ignorant:
That’s you”
Ever googled for:
“very trusting trust manager”
“Getting Java to accept all certs over HTTPS”
“How to Trust Any SSL Certificate”
“Disable Certificate Validation in Java”
TrustManager[] trustAllCerts = new TrustManager[]{
new X509TrustManager() { public X509Certificate[] getAcceptedIssuers() { return null; } public void checkClientTrusted( X509Certificate[] certs, String authType) { } public void checkServerTrusted( X509Certificate[] certs, String authType) { } public boolean isClientTrusted( X509Certificate[] cert) { return true; } public boolean isServerTrusted( X509Certificate[] cert) { return true; } } };
Ever written something
like this?
We’ve all done something like that“A vulnerability is a bug which can be exploited by an attacker”
We’ve all done something like that“A vulnerability is a bug which can be exploited by an attacker”
“A vulnerability is also a feature which can be exploited by an attacker”
Vulnerabilities• Bugs and design flaws in your software and
the software you use.• Everyone has them.
• Researchers are looking for them all the time.
• So are the bad guys
https://www.flickr.com/photos/electronicfrontierfoundation/
@spoole167
The process of managing vulnerabilities
The process of managing vulnerabilities
@spoole167
“Common Vulnerabilities & Exposures”
https://cve.mitre.org
The Standard place find details about ‘CVEs’
International cyber security community effort
Common naming convention and unique references.
Allows you to know when a problem is resolved in something your using
@spoole167
‘CVEs’ https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=*
keywords=java serialization “12”keyword=java “1592”
@spoole167
CVE-2016-2510
BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.
CVE-2016-0686
Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 and Java SE Embedded 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Serialization.
CVE-2015-4805
Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serialization.
keywords=java serialization (first three as of May 11th)
@spoole167
CVE-2016-0686Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 and Java SE Embedded 8u77 allows remote attackers to affect confidentiality, integrity,
and availability via vectors related to Serialization.
That’s all you will find about this fix
@spoole167
Common Vulnerability Scoring System
Base CVSS combines several aspects into a single scoreAttack vector and complexity – local, remote etc.Impact – integrity, confidentiality etc.Privileges required?
Represented as a base score and a CVSS vectorCVSS 9.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
Additional temporal CVSS considers aspects that may change over timeAvailability of an exploitAvailability of a fix
IBM X-ForceIBM’s security research organizationProvides base and temporal CVSS scores for all published CVEs
Database can be accessed via a REST API
@spoole167
Example CVSS vector
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector: N (network)Attack Complexity: L (low)Privileges Required: N (none)User Interaction: R (required)Scope: C (changed)Confidentiality impact: H (high)Integrity impact: H (high)Availability impact: H (high)
Using the CVSS v3.0 calculator
Low = 0.0-3.9. Medium= 4.0-6.9 High= 7.0-8.9 Critical = 9.0-10.0
Note – assessments are based onthe assumption that everyone behaves “sensibly” If you give everyone root access to amachine your mileage will differ
@spoole167
How are vulnerabilities communicated?
OracleCPU AdvisoryRisk Matrix
IBMJava and Product Security Bulletins
All IBM Security Bulletins are communicated on the PSIRT blogCan subscribe to Bulletins for specific products using My Notifications
Java SDK Developer Centre
Talking about the details of a fix or flaw in public is just like tweeting your credit card # and pin
So we dont
@spoole167
Oracle Critical Patch Updates
Released quarterly on set datesThird Tuesday in January, April, July, and October
Security releases are always odd-numbered
Version numbers have gaps to allow for out-of-cycle releasesE.g. 8u121, 8u131, 8u141JDK 9 will use semantic versioning
Each release contains CVE and security-in-depth fixesSecurity-in-depth issues are not described publicly
Patches merged into OpenJDK several weeks laterAll Oracle software updated on the same date – not just Java
@spoole167
IBM PSIRT Process
Product Security Incident Response Team
Java and every other IBM products follow IBM’s PSIRT processProcess and vulnerability tracking owned by a central teamEach product has a PSIRT representativeEach product communicates vulnerabilities to their consumersProcess details are IBM Confidential
Vulnerabilities must be fixed within timeframes depending on CVSS
Extremely urgent issues must be fixed more quicklyOut-of-cycle release if necessary
@spoole167
IBM PSIRT Process
Regular quarterly security releases to ship Oracle fixes
IBM-specific issues may also be fixed in these releases
Version numbers have gaps to allow for out-of-cycle releasesE.g. 8.0.3.0, 8.0.3.10
Aim to release as close to Oracle’s CPUs as possibleJava SDK update usually within two weeks
Security Bulletin published
@spoole167
How are vulnerabilities discovered?
How are vulnerabilities discovered?
@spoole167
How are Java vulnerabilities discovered?
Oracle/IBM internal development and testingDetails and test code shared on a need to know basisExploits never published externally
Third party researchers (white hats)Issues reported discreetlyDetails and exploits disclosed responsibly
Bad guys (black hats)Exploits published online – badExploits sold in secret – worse
@spoole167
What if I discover a vulnerability?
Report it responsibly
Oracle or OpenJDK component (e.g. HotSpot VM, AWT, Net, Plugin)Report it to Oracle
IBM component (e.g. J9VM, IBM ORB, IBM JCE/JSSE)Report it to IBM
What you should not do
Don’t shout about it!Don’t send a mail to an OpenJDK mailing listDon’t post the details on a forum/blogDon’t sell it to the bad guysDon’t worry about apparent lack of severity – always report it
@spoole167
How are Java vulnerabilities addressed?
Ideally as quickly as possible, but it depends onCVSSImpending disclosureResources
In general:
Issues categorised internallyFixes targeted for a future scheduled regular security releaseFixes may be deferred or brought forward if things changeExtremely urgent issues may trigger an out of cycle release
@spoole167
How vulnerable is Java really?How vulnerable is Java really?
@spoole167
Java’s reputation?
Little focus on security in 1990s and early 2000’sWhole IT industry, not just Java
Java’s worst year was 2013Over 160 CVE fixes – 45 in the October 2013 CPU aloneMultiple zero-day vulnerabilities and out-of-cycle releases
HOWEVER, the most widely publicised issues generally did not affect server-side software
Huge improvement over the last four years
Current levels are approximately 10 CVEs per CPU
@spoole167
Java vulnerabilities by year
@spoole167
Attack Vectors – Frequency
69% – Applet/Browser and Untrusted code
13% – Untrusted data
12% – Cryptographic issues
6% – Other
@spoole167
Vulnerability applicability
High CVSS is irrelevant if the issue does not apply to you
Java plugin flaws don’t apply to appserver deployments
JAXP issues aren’t relevant if you don’t parse untrusted XML data
Use the Oracle CPU Risk MatrixBase CVSS scores and vectorsConsider the attack vector for the vulnerabilityOracle Applicability notes
IBM customers: if in doubt, contact IBM SupportIBM Products have detailed applicability information
@spoole167
Attack VectorsAttack Vectors
@spoole167
Attack Vectors – Untrusted Code
Code is able to bypass or escape the SecurityManager
Sometimes incorrectly referred to as “client side” issues
Affects any application which runs untrusted code under a security managerSome server applications do this!
Flaw can be in any component on the classpath
Partial bypassExposure of sensitive information – e.g. system property values, heap contentsArbitrary network connections
Full bypassArbitrary code execution and access to operating systemMany server deployments run as root/admin
SecurityManager offers no protection against CPU DoS attacksInfinite loops
Less of a problem now that unsigned applets are not permitted by defaultApplets are deprecated in JDK 9
@spoole167
Attack Vectors – Plugin / Web Start
True “client-side” issuesAffect JREs installed as the system default
Exploits can be triggered remotely, usually via a browserMalicious applet or JNLP file
May involve platform or browser specific componentsInstaller/updaterWindows Registry entriesBrowser callbacksOS Shell behaviour (command line parsing)Inappropriate privilege elevation
Applets and browser plugins are deprecated in JDK 9
@spoole167
Attack Vectors – Untrusted Data
A Java SE API mishandles a specific type of dataXML, JPG, URLs, Fonts, JARs, StringsIssues tend to be more severe when the API is implemented natively
Maliciously-crafted data can exploit the bugDoS – CPU/memory usage, crashExposure of sensitive data – arbitrary memory accessArbitrary code execution – code injection, disabling of SecurityManager
Affects any application which handles the specific data type from untrusted sources
ExamplesA server application which allows users to upload imagesA server application which accepts SOAP requestsA server application with an XML-based REST API
@spoole167
Attack Vectors – Cryptographic Issues
Protocol flawsMany implementations affected (Java, GSKit, OpenSSL, Browsers)BEAST, POODLE, SLOTH, Logjam, Bar Mitzvah
Implementation flawsSpecific to JavaNo fancy names!
Variable ImpactDoSPrivate key exposureDecryption of encrypted data
@spoole167
Attack Vectors – Local
Can only be exploited by a local user
Exposure of sensitive dataE.g. temp files with inappropriate permissions
Code injectionE.g. native code loaded from an unexpected location due to bad LIBPATH
May lead to a remotely exploitable vulnerabilityE.g. local user plants malicious code which can be executed remotely
Usually low CVSS due to the access required
@spoole167
Deserialization Vulnerabilities
Abuse of the readObject() method of one or more classesreadObject() is invoked before the data is deserialized
Attackers use “gadget chains” in classes on the server’s classpathUsually a complex set of nested objects which result in a Runtime.exec()Costly to fix – servers may have multiple copies of the vulnerable code
Applications are vulnerable if they:Have the vulnerable code on their classpathAccept untrusted serialized data (this is much more common that you might think!)
Known for years, but came to prominence with problem in Apache Commons remote code execution
Many products affected – e.g. WebLogic, WebSphere, Tomcat, JBoss, Jenkins
Serialization filtering was added to the Java runtime in January 2017JEP 290 – Filter Incoming Serialization DataAllows classes to be whitelisted
@spoole167
ExamplesExamples
@spoole167
Example vulnerability
• Infinite loop in java.lang.Double.parseDouble()
• Triggered by the parsing of an obscure value• 2.2250738585072012e-308
• Bug was reported in 2001• Spent ten years in a public bug database without the impact being realised• A researcher rediscovered it, and the significance was realised
• Extremely easy to exploit and inflict a DoS, for example:• Website running on a Java platform• Send HTTP requests with headers set to the bad value• Server’s worker threads are quickly tied up in infinite loops
• Affected all Java releases and a huge number of deployments• Massive cost to Java Vendors and our customers to produce and apply patches
• CVSS score was only 5.0!• Good example of how CVSS does not necessarily describe the impact
@spoole167
Example vulnerability
• Apache Struts remote code execution
• Mishandling of HTTP request header (i.e. untrusted String data)• Essentially: untrusted String data passed into Runtime.exec() with no validation (!!!)• Actual chain of events is complicated and obscure (which is why it wasn’t noticed)• Trivial to exploit
• Actively exploited in the wild very quickly after patch release• Severity not clearly communicated• Easy to scan for vulnerable servers
• Struts is a component in many applications• Many copies, many versions, many places• All updates have to be properly tested• => Massive task to fully patch
@spoole167
Example vulnerability – JDWP
• JDWP = Java Debug Wire Protocol• Disabled by default – enabled with a command line option• JVM internals can be observed and modified remotely• No authentication required• Classes can be changed, code can be injected
• Well-known online banking website• JDWP enabled on public facing servers (!!!)• Presumably JDWP was enabled in development/test…
• Found by a researcher after a simple port scan• Bug bounty => ££££
• Simple fix – disable JDWP!
@spoole167
Example vulnerability
Found by a third party researcher who published the details
DLL side-loading vulnerability
Java runtime tries to load libraries from a non-existent folder
Incorrect path is used because a classpath URL is not decodedA space in the path is encoded as “%20” – C:\Program%20Files\...Any user on the system can create a folder with that name
Allows local users to inject code into other users’ Java processesPrivilege escalation if the target user has admin privileges
Once the malicious code is planted, the issue can be exploited remotely via an applet or Web Start application
Simple fix – decode the URL before using it as a library search path
“A vulnerability is a bug which can be exploited by an attacker”
“A vulnerability is also a feature which can be exploited by an attacker”
“A vulnerability is a bug which can be exploited by an attacker”
“A vulnerability is also a feature which can be exploited by an attacker”
“A vulnerability is also a developer aid which can be exploited by an attacker”
@spoole167
Summar
y
Keeping safe: it’s in your handsKeep current. Every vulnerability fix you apply is one less way in.
Compartmentalise. Separate data, code, access controls etc. Just like bulkhead doors in a ship: ensure one compromise doesn’t sink your boat.
Design for intrusion. Review you levels of ‘helpfulness’ and flexibility
Learn about Penetration Testing
Understand that making your development life easier makes the hackers job easier
@spoole167
Reducing Risk
• Keep all Java instances up to date• Don’t write custom security managers• Don’t write custom crypto code• Don’t write custom XML parsers• Use modern encryption protocols and algorithms• Be very careful with:• Untrusted data• Deserialization (including RMI and JMX)• JDWP• Runtime.exec()• Native code
@spoole167
Than
k yo
u
Any Que
stions
?
