John Layden Jan 6, 2022 15:45 UTC
Updated: January 6, 2022 17:33 UTC
Security flaws breach trust boundaries
According to a detailed analysis of the issue by security researcher Tobias Neitzel, the Java RMI service can be attacked through a server-side request forgery (SSRF) attack.
Java RMI is an object-oriented remote procedure call (RPC) mechanism that is available on most Java installations. Software developers can use this technology to provide functionality over the network.
For communication, Neitzel found, Java RMI relies on serialized Java objects—a mechanism that attackers are often able to target, although the technology has undergone a process of hardening and tempering in recent years.
In the detailed technical blog post, the researcher explains how default RMI components can be attacked, with varying outcomes. Neitzel told The Daily Swig that the potential consequences could lead to remote code execution.
SSRF attacks typically allow an attacker to trick a server-side application into making HTTP requests to a domain of the attacker’s choice, which opens the door to all kinds of malfeasance.
“As with all SSRF techniques, the main problem is that an attacker might be able to attack RMI services that should only be accessible from a trusted network,” explains Neitzel.
“Protecting RMI properly is not that intuitive, and there are a lot of hidden attack surfaces. Administrators often don’t configure it properly, instead taking the simple approach of allowing access only from trusted networks or clients.”
Neitzel’s research shows that external attackers “may be able to exploit insecurely configured internal services by exploiting SSRF vulnerabilities in external services,” among other techniques.
The most commonly used RMI service is JMX. Neitzel showed that backend JMX services could be compromised via SSRF, but only if the system returns the backend service's response and accepts arbitrary bytes in it.
Similarly, SSRF-based attacks on default RMI components (such as the RMI registry) are possible, although only if the system allows arbitrary bytes to be sent to the backend service.
“Java RMI is a binary protocol that requires a variety of different data types during communication,” Neitzel said.
Mitigation
Susceptibility to SSRF attacks is a symptom of a broader, commonplace lack of security.
“Services may expose dangerous methods, not implement deserialization filters, or be outdated and contain known vulnerabilities (such as remote class loading),” Neitzel told The Daily Swig.
The German researcher’s blog post goes on to list security best practices and countermeasures for RMI services against potential attacks.
These include enabling TLS-secured communications for all RMI endpoints, using deserialization filters, and adding stronger authentication controls.
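The three countermeasures listed above can be combined in a single RMI server. The sketch below is an added example, not code from Neitzel's blog post or from this article. The `Greeter` service, the bind name and the port are hypothetical, and it assumes Java 11 or later with key and trust stores supplied through the standard `javax.net.ssl.*` system properties.

```java
import java.io.ObjectInputFilter;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

public class HardenedRmiServer {
    // Hypothetical remote interface, defined only for this example.
    public interface Greeter extends Remote {
        String greet(String name) throws RemoteException;
    }

    static class GreeterImpl implements Greeter {
        @Override
        public String greet(String name) {
            return "hello " + name;
        }
    }

    // Strong references so the exported object and registry are not garbage collected.
    private static final GreeterImpl IMPL = new GreeterImpl();
    private static Registry registry;

    public static void main(String[] args) throws Exception {
        // Deserialization filter (JEP 290 pattern syntax): call arguments may only
        // contain java.lang.String, every other class is rejected, and graph
        // depth, reference count and stream size are capped.
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=5;maxrefs=50;maxbytes=8192;java.lang.String;!*");

        // TLS for every endpoint. needClientAuth=true makes the server demand a
        // client certificate, so callers are authenticated before any RMI bytes
        // are parsed. Key and trust stores come from the javax.net.ssl.* properties.
        SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
        SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory(
                null, new String[] {"TLSv1.3", "TLSv1.2"}, true);

        // Export the service with both the TLS factories and the filter (Java 9+).
        Greeter stub = (Greeter) UnicastRemoteObject.exportObject(IMPL, 0, csf, ssf, filter);

        // The registry listens over the same mutually authenticated TLS factories.
        registry = LocateRegistry.createRegistry(1099, csf, ssf);
        registry.bind("greeter", stub);
        System.out.println("greeter bound on TLS registry, port 1099");
    }
}
```

The JVM-wide `jdk.serialFilter` property and the registry-specific `sun.rmi.registry.registryFilter` property accept the same pattern syntax and can be set on the command line to cover endpoints that are not exported with an explicit filter.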

