GeoServer RCE Vulnerability (CVE-2024-36401) Actively Exploited in the Wild

Short Summary

The SonicWall Capture Labs threat research team identified a critical remote code execution vulnerability (CVE-2024-36401) in GeoServer, affecting versions prior to 2.24.4, 2.25.2, and 2.23.6. This vulnerability allows unauthenticated attackers to execute arbitrary code remotely, posing significant risks to system confidentiality, integrity, and availability. Users are advised to upgrade to the latest versions or take specific mitigation actions to protect their systems.

Key Points

  • Vulnerability Identified: CVE-2024-36401 in GeoServer.
  • Impact: Critical CVSS score of 9.8, allowing remote code execution.
  • Affected Versions: GeoServer versions before 2.24.4, 2.25.2, and 2.23.6.
  • Exploitation Method: Leveraging OGC request parameters such as WFS and WMS.
  • Mitigation: Upgrade to the latest versions or remove the vulnerable GeoTools library file.
  • SonicWall Protections: New IPS signatures released to protect against exploitation.

MITRE ATT&CK TTPs – created by AI

  • Execution (T1203):
    • Remote code execution through crafted OGC requests.
  • Exploitation for Client Execution (T1203):
    • Exploiting vulnerabilities in GeoServer to execute arbitrary code.
  • Command and Control (T1071):
    • Using network access to send malicious requests to the server.

Overview

The SonicWall Capture Labs threat research team became aware of a remote code execution vulnerability in GeoServer, assessed its impact and developed mitigation measures. GeoServer is a community-driven project that allows users to share and edit geospatial data. It supports industry-standard OGC protocols, including Web Feature Service (WFS), Web Map Service (WMS) and Web Coverage Service (WCS). Identified as CVE-2024-36401, GeoServer versions before 2.24.4, 2.25.2 and 2.23.6 allow an unauthenticated threat actor to execute arbitrary code remotely, earning a critical CVSS score of 9.8. Since this vulnerability has made its way into CISA’s Known Exploited Vulnerabilities (KEV) Catalog, users are strongly encouraged to upgrade their instances to the latest applicable fixed version, as mentioned by the vendor in the advisory.

Technical Overview

This vulnerability is caused by a flaw in the GeoTools library API used by GeoServer to process attribute names. The API passes the names in an unsafe way to the commons-jxpath library, which poses a risk of executing arbitrary code when evaluating XPath expressions. According to the advisory, the XPath evaluation is meant to be used only by complex feature types such as Application Schema data stores. However, it is also mistakenly applied to simple feature types, making the vulnerability applicable to all GeoServer instances.

Triggering the Vulnerability

The vulnerability can be leveraged through Open Geospatial Consortium (OGC) request parameters such as WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute. A sample request carrying a malicious payload is shown in Figure 1. Notice the Linux “touch” command in the ValueReference attribute of the GetPropertyValue tag.

Figure 1: Sample attack request

The flaw was addressed by a patch that improves the handling of XPath expressions in GeoTools. For instance, the improved XmlXpathUtilites class used to evaluate XPath values can be seen in Figure 2.

Figure 2: Patched XmlXpathUtilites Class

Leveraging the vulnerability described above requires the attacker to have network access to the vulnerable target system and to send a maliciously crafted request, as seen in Figure 1. Successful exploitation results in the creation of a file named ‘poc2’ in the /tmp/ directory, as seen in Figure 3.

Figure 3: Execution of POC

Exploitation

To exploit this vulnerability, an attacker must send a request with a system command in any of the following fields: WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic or WPS Execute. Exploiting this vulnerability allows a remote threat actor to execute arbitrary code on the server, with a high impact on the confidentiality, integrity and availability of the system and without requiring user interaction. Exploitation of the affected system using the WFS GetFeature field and ncat commands is demonstrated in Figure 4.

Figure 4: Exploit in action
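Because the advisory notes that simple feature types never need XPath evaluation, a defender can flag any property-name value in the request fields above that is not a plain attribute identifier. The following is an added example written for this write-up, not SonicWall's or GeoServer's code; the `propertyName`/`valueReference` parameter names follow WFS conventions and are an assumption, and the sample requests are constructed, not captured traffic.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Request fields that carry attribute names into GeoServer's XPath evaluation.
# Parameter/attribute names follow WFS 1.x/2.0 conventions and are an assumption
# of this example; the advisory itself names only ValueReference.
NAME_PARAMS = {"propertyname", "valuereference"}
NAME_ELEMENTS = {"PropertyName", "ValueReference"}
# A simple-feature attribute name is an identifier with an optional namespace prefix,
# possibly a '/'-separated path; parentheses, quotes and operators are XPath syntax.
SIMPLE_NAME = re.compile(r"^@?[\w.-]+(?::[\w.-]+)?(?:/@?[\w.-]+(?::[\w.-]+)?)*$")

def names_from_xml(body):
    """Property names in a POST body: text of PropertyName/ValueReference
    elements plus valueReference attributes (as on a GetPropertyValue tag)."""
    names = []
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return names
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] in NAME_ELEMENTS and el.text:
            names.append(el.text)
        for attr, value in el.attrib.items():
            if attr.rsplit("}", 1)[-1].lower() == "valuereference":
                names.append(value)
    return names

def inspect_request(url, body=""):
    """Return property-name values from the GET query string and/or XML body
    that are not plain attribute identifiers and so warrant a closer look."""
    names = [v for k, vs in parse_qs(urlsplit(url).query).items()
             if k.lower() in NAME_PARAMS for v in vs]
    names += names_from_xml(body)
    flagged = []
    for raw in names:
        for name in raw.split(","):  # propertyName may list several attributes
            name = name.strip()
            if name and name != "*" and not SIMPLE_NAME.match(name):
                flagged.append(name)
    return flagged

# Constructed sample requests (not captured traffic): an ordinary GetPropertyValue
# and one with a placeholder function call where a plain attribute name belongs.
BENIGN = ("/geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue"
          "&typeNames=topp:states&valueReference=STATE_NAME")
SUSPECT = ("/geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue"
           "&typeNames=topp:states&valueReference=someFunction('placeholder')")
```

Running `inspect_request` over access-log URLs or captured POST bodies yields an empty list for ordinary requests and the offending value for anything that smuggles XPath syntax into an attribute-name field.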

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS: 20144 GeoServer OGC Remote Code Execution
  • IPS: 20145 GeoServer OGC Remote Code Execution 2
  • IPS: 20182 GeoServer OGC Remote Code Execution 3

Remediation Recommendations

Given that the vulnerability is being exploited in the wild and that a public POC is available, users are strongly encouraged to upgrade their instances to the latest versions, as mentioned in the vendor advisory.

Users who cannot upgrade their instances right away can remove the file gt-complex-x.y.jar (where x.y is the GeoTools version) from their GeoServer instance. GeoTools versions prior to 30.4, 31.2 and 29.6 are vulnerable. Although this removes the vulnerable code, it may break certain legitimate GeoServer functionality. The gt-complex module is located at WEB-INF/lib/gt-complex-x.y.jar in WAR-based deployments and at webapps/geoserver/WEB-INF/lib/gt-complex-x.y.jar in binary-based deployments.
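To check an installation against the fixed versions above, the following added example (not SonicWall's or GeoServer's code) compares a GeoServer or gt-complex version string with the first fixed release of its series and looks for the jar under both deployment layouts named in the advisory. It assumes that release series newer than the newest fixed one shipped after the patch; the advisory does not state that.

```python
import re
from pathlib import Path

# First fixed release in each maintained series, as given in the advisory.
GEOSERVER_FIXED = {(2, 23): 6, (2, 24): 4, (2, 25): 2}
GEOTOOLS_FIXED = {(29,): 6, (30,): 4, (31,): 2}

def parse_version(text):
    """'2.24.3' or 'gt-complex-30.3.jar' -> (2, 24, 3) / (30, 3)."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def is_vulnerable(version, fixed):
    """True if `version` precedes the fix in its release series.
    Series older than the oldest fixed one never got the fix; series newer
    than the newest fixed one are assumed to postdate the patch."""
    parts = parse_version(version)
    depth = len(next(iter(fixed)))          # 2 for GeoServer, 1 for GeoTools
    series, rest = parts[:depth], parts[depth:]
    if series in fixed:
        patch = rest[0] if rest else 0      # e.g. 'gt-complex-30-SNAPSHOT.jar'
        return patch < fixed[series]
    return series < min(fixed)

def scan_lib_dirs(root):
    """Look under the WAR and binary WEB-INF/lib paths from the advisory and
    return {jar path: vulnerable?} for every gt-complex jar found."""
    results = {}
    for rel in ("WEB-INF/lib", "webapps/geoserver/WEB-INF/lib"):
        lib = Path(root) / rel
        if lib.is_dir():
            for jar in lib.glob("gt-complex-*.jar"):
                results[str(jar)] = is_vulnerable(jar.name, GEOTOOLS_FIXED)
    return results

if __name__ == "__main__":
    # Constructed sample values, not taken from a real installation.
    for v in ("2.24.3", "2.24.4", "2.23.5", "2.25.2"):
        print("GeoServer", v, "vulnerable" if is_vulnerable(v, GEOSERVER_FIXED) else "fixed")
    for jar in ("gt-complex-30.3.jar", "gt-complex-31.2.jar", "gt-complex-28.2.jar"):
        print(jar, "vulnerable" if is_vulnerable(jar, GEOTOOLS_FIXED) else "fixed")
```

Point `scan_lib_dirs` at the GeoServer installation root (the directory containing WEB-INF for a WAR deployment or webapps/ for the binary package) to list the jars that the workaround above would remove.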
