Last updated at Wed, 27 Dec 2023 14:49:07 GMT

In August 2023, Rapid7 discovered a Java deserialization vulnerability in Redwood Software's JSCAPE MFT secure managed file transfer product. The vulnerability was later assigned CVE-2023-4528. It can be exploited by sending an XML-encoded Java object to the Management Service port, which, by default, is TCP port 10880 (over SSL). Successful exploitation can run arbitrary Java code as the Linux or Windows SYSTEM user. CVE-2023-4528 is trivial to exploit if an attacker has network-level access to the management port and the Management Service is enabled (which is the default). We strongly recommend taking the server down (or disabling the Management Service) until it can be patched.

Product Description

CVE-2023-4528 affects all versions of JSCAPE MFT Server prior to version 2023.1.9 on all platforms (Windows, Linux, and MacOS). See the JSCAPE advisory for more information.

Credit

This issue was discovered by Ron Bowes of Rapid7. It is being disclosed in accordance with Rapid7's vulnerability disclosure policy.

Vendor Statement

CVE-2023-4528 has been addressed in JSCAPE version 2023.1.9, which is now available for customer deployment. JSCAPE customers have been notified and our support teams are available 24/7 to assist. Redwood appreciates the collaboration with Rapid7 and our cybersecurity partners. For more information, please see: http://www.jscape.com/blog/binary-management-service-patch-cve-2023-4528

Impact

Successful exploitation executes arbitrary Java code as the Linux or Windows SYSTEM user. The most likely attack vector will run Java code such as java.lang.Runtime.getRuntime().exec("...shell command...");, but it is also possible to craft a Java-only payload that avoids spawning another process (and would therefore not be as easily detectable by process-creation monitoring).

Once an attacker executes code at that level, they have full control of the system. They can steal data, pivot to attack other network devices, clear evidence of the intrusion, establish persistence, and do anything else they choose. It is worth noting that there appear to be very few (if any) instances of JSCAPE MFT Server with their management ports exposed to the internet, which significantly reduces attackers' ability to reach the affected service.

Indicators of Compromise

Successful exploitation will be evident in the log files. On Windows the log file is C:\program files\MFT Server\var\log\server0.log; on Linux it is /opt/mft_server/var/log/server0.log. Any warning or error message that references "Management connection" should be investigated, in particular ClassCastExceptions such as:

08.22.2023 15:56:51 [WARNING] Management connection error: [10.0.0.77:10880 <-> 10.0.0.227:40085].
com.jscape.util.net.connection.Connection$ConnectionException: class java.lang.Runtime cannot be cast to class com.jscape.inet.mftserver.adapter.management.protocol.messages.Message (java.lang.Runtime is in module java.base of loader 'bootstrap'; com.jscape.inet.mftserver.adapter.management.protocol.messages.Message is in unnamed module of loader 'app')
	at com.jscape.util.net.connection.Connection$ConnectionException.wrap(Unknown Source)
	at com.jscape.util.net.connection.SyncMessageConnectionSyncRawBase.read(Unknown Source)
	at com.jscape.util.net.connection.AsyncMessageConnectionSyncRawBase.readNextMessage(Unknown Source)
	at com.jscape.util.net.connection.AsyncMessageConnectionSyncRawBase.run(Unknown Source)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: java.io.IOException: class java.lang.Runtime cannot be cast to class com.jscape.inet.mftserver.adapter.management.protocol.messages.Message (java.lang.Runtime is in module java.base of loader 'bootstrap'; com.jscape.inet.mftserver.adapter.management.protocol.messages.Message is in unnamed module of loader 'app')
	at com.jscape.util.at.b(Unknown Source)
	at com.jscape.util.az.<init>(Unknown Source)
	at com.jscape.inet.mftserver.adapter.management.protocol.a.<init>(Unknown Source)
	at com.jscape.inet.mftserver.adapter.management.protocol.a.read(Unknown Source)
	... 8 more
Caused by: java.lang.ClassCastException: class java.lang.Runtime cannot be cast to class com.jscape.inet.mftserver.adapter.management.protocol.messages.Message (java.lang.Runtime is in module java.base of loader 'bootstrap'; com.jscape.inet.mftserver.adapter.management.protocol.messages.Message is in unnamed module of loader 'app')
	... 10 more

The server expects a Message object; the exploit sends an object of a different class such as java.lang.Runtime, so the cast fails and the error above is logged. The remote address in the "Management connection error" line is the source of the attempt.

Note that a more cleverly written exploit may not be this obvious in the log files.
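The log check described above, run over sample log lines, as an added example that is not part of Rapid7's post or of Redwood Software's product. It assumes the layout shown in the excerpt ("MM.DD.YYYY HH:MM:SS [LEVEL] ..." with the connection printed as [server:port <-> client:port]); the sample log is constructed around that excerpt, and java.lang.ProcessBuilder appears only as an assumed second class an attacker might send.

```python
"""Flag CVE-2023-4528 exploitation attempts in a JSCAPE MFT Server server0.log.

Added example, not Rapid7's or Redwood Software's code. Assumptions: the
"Management connection error" header line carries the endpoints as
[server:port <-> client:port], and the exception text that follows it is
un-timestamped until the next log record (as in the excerpt above).
"""
import re
from dataclasses import dataclass

# Constructed sample built around the excerpt: one attempt shaped exactly like
# the excerpt, a second attempt with an assumed different class, one benign
# timeout, and an unrelated record that terminates the last error block.
SAMPLE_LOG = """\
08.22.2023 15:56:51 [WARNING] Management connection error: [10.0.0.77:10880 <-> 10.0.0.227:40085].
com.jscape.util.net.connection.Connection$ConnectionException: class java.lang.Runtime cannot be cast to class com.jscape.inet.mftserver.adapter.management.protocol.messages.Message (java.lang.Runtime is in module java.base of loader 'bootstrap'; com.jscape.inet.mftserver.adapter.management.protocol.messages.Message is in unnamed module of loader 'app')
\tat com.jscape.util.net.connection.Connection$ConnectionException.wrap(Unknown Source)
\tat java.base/java.lang.Thread.run(Thread.java:833)
Caused by: java.lang.ClassCastException: class java.lang.Runtime cannot be cast to class com.jscape.inet.mftserver.adapter.management.protocol.messages.Message (...)
\t... 10 more
08.22.2023 16:01:10 [WARNING] Management connection error: [10.0.0.77:10880 <-> 10.0.0.227:40102].
Caused by: java.lang.ClassCastException: class java.lang.ProcessBuilder cannot be cast to class com.jscape.inet.mftserver.adapter.management.protocol.messages.Message (...)
08.22.2023 16:05:00 [WARNING] Management connection error: [10.0.0.77:10880 <-> 10.0.0.9:40200].
java.net.SocketTimeoutException: Read timed out
08.22.2023 16:06:00 [INFO] Server started.
"""

# Header of a management-connection error record with both endpoints.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"Management connection error: \[(?P<server>[\d.]+):(?P<sport>\d+) <-> "
    r"(?P<client>[\d.]+):(?P<cport>\d+)\]"
)
# Any other timestamped record ends the current error block.
RECORD_RE = re.compile(r"^\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2} \[")
# The cast failure, whether in the wrapped message or a "Caused by" line.
CAST_RE = re.compile(r"class (?P<got>[\w.$]+) cannot be cast to class (?P<expected>[\w.$]+)")


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    client_port: int
    unexpected_class: str   # what the attacker sent (e.g. java.lang.Runtime)
    expected_class: str     # what the Management Service wanted (...Message)


def find_cast_errors(log_text: str) -> list[Finding]:
    """Return one Finding per management-connection error whose stack trace
    shows a class cast to the protocol Message type failing."""
    findings: list[Finding] = []
    header = None            # match object of the error record we are inside
    recorded = False         # only one Finding per record (the cause repeats)
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header, recorded = m, False
            continue
        if RECORD_RE.match(line):
            header = None    # some other record: leave the error block
            continue
        if header is None or recorded:
            continue
        c = CAST_RE.search(line)
        if c:
            findings.append(Finding(header["ts"], header["client"],
                                    int(header["cport"]), c["got"], c["expected"]))
            recorded = True
    return findings


def attacker_sources(findings: list[Finding]) -> dict[str, list[str]]:
    """Group the classes seen per client IP, so repeated probes from one source
    collapse into a single entry to block and hunt on."""
    by_ip: dict[str, list[str]] = {}
    for f in findings:
        by_ip.setdefault(f.client_ip, []).append(f.unexpected_class)
    return by_ip


if __name__ == "__main__":
    for f in find_cast_errors(SAMPLE_LOG):
        print(f"{f.timestamp} {f.client_ip}:{f.client_port} sent {f.unexpected_class}")
    print(attacker_sources(find_cast_errors(SAMPLE_LOG)))
```

The timeout record is deliberately not flagged: "Management connection error" alone is noisy, and it is the cast of an unexpected class to the protocol Message type that identifies a deserialization attempt. As the paragraph above warns, a payload whose class the server accepts would leave no such trace, so pair this with process-creation monitoring on the MFT Server Java process for the Runtime.exec variant.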

Remediation

Rapid7 recommends that JSCAPE MFT Server customers immediately upgrade their instance(s) of MFT Server to version 2023.1.9 (Redwood Software publishes upgrade documentation).

JSCAPE MFT customers should also close port 10880 to the public internet, ensuring that external/public access to the binary management service port (typically 10880) used by the JSCAPE command line utilities is blocked. Settings for this port can be found in the administrative interface under Settings > Manager Service > Manager Service.

As a temporary mitigation before applying the patch, administrators can block access to the Management Service. On the configuration page (http://(server):11880/settings/settings), either change the Host/IP option on the Manager Service page to 127.0.0.1, or, on the Access tab, set up an IP filter (or block all IP addresses). Rapid7 verified that both options work.
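A check that the Host/IP mitigation actually took effect on a Linux host, as an added example (not Redwood Software's or Rapid7's code). It parses `ss -ltn` output rather than probing the port over the network, so it runs offline; the two `ss` outputs below are constructed, and 10880 is assumed to be the default Management Service port as stated above.

```python
"""Verify that the JSCAPE Management Service no longer listens off-box.

Added example, not vendor code. Assumptions: Linux, `ss -ltn` column layout
(State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port), default
Management Service port 10880, web admin on 11880.
"""

# Constructed output after the mitigation: Management Service on loopback only.
SS_OUTPUT_MITIGATED = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       50      0.0.0.0:11880        0.0.0.0:*
LISTEN  0       50      127.0.0.1:10880      0.0.0.0:*
LISTEN  0       50      [::1]:10880          [::]:*
"""

# Constructed output for the default configuration: wildcard bind on 10880.
SS_OUTPUT_EXPOSED = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       50      0.0.0.0:11880        0.0.0.0:*
LISTEN  0       50      *:10880              *:*
"""

# Addresses that cannot be reached from another host.
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def listeners_on_port(ss_output: str, port: int) -> list[str]:
    """Return the local addresses in LISTEN state on `port`, in output order.
    Handles IPv4 ("0.0.0.0:10880"), bracketed IPv6 ("[::1]:10880") and the
    "*:10880" wildcard form by splitting on the last colon only."""
    addrs: list[str] = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                      # header line or non-listening socket
        addr, sep, p = fields[3].rpartition(":")
        if sep and p.isdigit() and int(p) == port:
            addrs.append(addr)
    return addrs


def exposed_bindings(ss_output: str, port: int = 10880) -> list[str]:
    """Bind addresses for `port` that are not loopback. An empty list means the
    Host/IP = 127.0.0.1 mitigation is in effect (or the service is disabled)."""
    return [a for a in listeners_on_port(ss_output, port) if a not in LOOPBACK]


if __name__ == "__main__":
    import subprocess
    live = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    exposed = exposed_bindings(live)
    print("Management Service reachable off-box on:", exposed or "nothing (mitigated)")
```

This validates only the Host/IP option: the Access-tab IP filter keeps the wildcard listener and filters inside the application, so it must be tested by connecting from a host that is not on the allowlist. On Windows the same "Local Address" logic applies to `netstat -ano` output.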

For more information, see Redwood Software's advisory.

Rapid7 Customers

InsightVM 和 Nexpose customers can assess their exposure to CVE-2023-4528 with a vulnerability check available in the September 7 content release.

Timeline

  • August 22, 2023: Rapid7 discovers the vulnerability
  • August 23, 2023: Rapid7 reports the vulnerability to Redwood Software
  • August 24, 2023 - September 6, 2023: Rapid7 and Redwood Software discuss patching and disclosure timelines
  • September 7, 2023: This disclosure