Recently, NSFOCUS has received a slew of reports from customers in the finance, telecom, and Internet sectors on similar security events. Through analysis, NSFOCUS believes that these events are all associated with the malware-infected WebLogic Server (WLS) host. Specifically, attackers exploit the WLS component vulnerability (CVE-2017-10271) to attack the WLS middleware host via a crafted payload, which will lead to download and execution of a cryptocurrency miner.
- WebLogic Server 10.3.6.0.0
- WebLogic Server 220.127.116.11.0
- WebLogic Server 18.104.22.168.0
- WebLogic Server 22.214.171.124.0
The preceding WLS versions are all officially supported by Oracle.
- WebLogic Server 126.96.36.199
This wave of attacks was aimed to download and execute cryptocurrency miners. Therefore, at the host level, the malware can be detected by monitoring host system resources and analyzing processes; at the network level, the C&C address pool and Bitcoin mining pool can be monitored for corresponding domain names and IP addresses so as to discover other infected hosts.
For a Linux host, first, check the /tmp directory for suspicious files owned by any WebLogic account, such as watch-smartd, Carbon, and default.
Then analyze processes and system resources to check whether there are suspicious processes launched by any WebLogic account.
Finally, use the deployed firewall or intrusion prevention device to monitor the C&C address pool and Bitcoin mining pool for the following domain names and IP addresses:
Oracle has fixed the WLS component vulnerability (CVE-2017-10271) in its October update. Users are advised to download the update and upgrade the application to the latest as soon as possible.
The update is available in the following link:
According to the PoC exploit, the vulnerability exists in the CoordinatorPortType interface of the wls-wsat component. If this component is not applied in the WLS cluster, users are advised to make a backup of and delete this component for the time being.
1. Delete the WebLogic wls-wsat component as follows (the actual path may vary):
|rm -f /home/WebLogic/Oracle/Middleware/wlserver_10.3/server/lib/wls-wsat.war
rm -f /home/WebLogic/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/tmp/.internal/wls-wsat.war
rm -rf /home/WebLogic/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/wls-wsat
2. Restart the WebLogic domain controller service.
|DOMAIN_NAME/bin/stopWeblogic.sh # Terminates the service.
DOMAIN_NAME/bin/startManagedWebLogic.sh # Starts the service.
For details about how to restart the WebLogic service, see the following document:
Use NSFOCUS’s detection products or service to detect the vulnerability:
- For Internet-facing assets, use the emergency vulnerability detection service of NSFOCUS Cloud to check for the vulnerability online. The service is available at the following link:
- For intranet assets, use NSFOCUS RSAS V5/V6 or WVSS to check for the vulnerability:
- Remote Security Assessment System (RSAS V6):
- Remote Security Assessment System (RSAS V5):
- Web Vulnerability Scanning System (WVSS):
- For intranet assets, use NSFOCUS NIDS to check for the vulnerability:
Network Intrusion Detection System (NIDS):
You should upgrade your devices to the latest version by downloading upgrade packages from the preceding links before using them to detect vulnerabilities.
Use NSFOCUS’s protection products (NIPS, NIDS, or NF) to protect against the vulnerability:
- Network Intrusion Prevention System (NIPS):
- Next-Generation Firewall (NF):
- Web Application Firewall (WAF):
You should upgrade your devices to the latest version by downloading upgrade packages from the preceding links before using them for protection.
The following is a security advisory released by Oracle in April, which provides various patches for its vulnerable products:
The following is a patch update advisory released in October:
“A remote user can exploit a flaw in the Oracle WebLogic Server WLS Security component to gain elevated privileges [CVE-2017-10271]”
The preceding is a description of the CVE-2017-10271 vulnerability from https://securitytracker.com/id/1039608.
A PoC test has the following result:
A drill-down analysis finds that this is still a vulnerability in XMLDecoder. The next step is to analyze patch code. Let’s start with the patch for the CVE-2017-3506 vulnerability. In the weblogic/wsee/workarea/WorkContextXmlInputAdapter.java file, a method “validate” is added. Its implementation mechanism is as follows:
Simply put, in the process of parsing XML, if the Element field value is Object, an exception is thrown. Such a fix seems a bit amateur. That is why the CVE-2017-10271 vulnerability occurs. In a previous analysis of the October patch update for Oracle WebLogic, we found that code related to WorkContextXmlInputAdapter addressed only the DoS vulnerability, without imposing any restrictions on the use of “new”, “method”, and “void” like the CVE-2017-10271 patch. The patch for the CVE-2017-3506 vulnerability can be bypassed with other approaches. For example, changing object to void is a typical approach. As this vulnerability is for Bitcoin mining, a PoC can be created via the keyword new for deserialized execution.
Then why code can be executed in the process of parsing XMLDecoder? A dynamic analysis will provide the answer. Use the following PoC as an example.
According to this PoC, a JdbcRowSetImpl instance is first generated. Then the SET method of this instance is called to initialize its attributes. After the setAutoCommit interface is called, a class is remotely loaded and initialized based on the value of dataSourceName. The following figure shows the output of the call stack.
For the preceding PoC, Oracle released the following patch for CVE-2017-10271:
This is quite a complete patch capable of preventing security bypass by imposing restrictions on the use of such fields as object, new, method, void, and array.