Cisco Cloud Web Security Connector JMX/RMI Remote Code Execution
CVE-2015-0689
A vulnerability exists in Cisco Cloud Web Security Connector which allows unauthenticated users to gain unauthorised access with administrative privileges on the target host. Cisco confirmed this vulnerability and assigned CVE-2015-0689.
Description
Cisco Cloud Web Security (CWS) is a Software-as-a-Service solution which scans and filters user-requested Internet traffic. CWS filters out content that is inappropriate or does not conform to a defined policy. The Cisco CWS Connector acts as a proxy that redirects web traffic to the CWS service.
Cisco CWS Connector running on Microsoft Windows systems ships with its own Java Runtime Environment (JRE) and exposes a Java Management Extensions (JMX) interface that does not require authentication. A vulnerability exists in CWS Connector which allows unauthenticated users to gain unauthorised access with administrative privileges on the target host.
Impact
An unauthenticated attacker who is able to access the port on which the JMX interface is exposed can use this flaw to achieve Remote Code Execution (RCE). The service runs with “SYSTEM” privileges on a Microsoft Windows operating system and thus an adversary may gain complete control of the host.
Cause
The default installation of CWS Connector version 3.0.1.2 on Microsoft Windows bundles and runs on its own JRE 1.6, and in that default configuration a remote JMX endpoint is enabled without any authentication being required.
Interim Workaround
Enable the on-host firewall and block inbound connections to TCP port 1099 (the RMI registry through which the JMX interface is reached) from all but trusted management hosts. Note that the registry on port 1099 only hands out a stub for the JMX connector, which itself listens on a second, dynamically chosen port; a rule limited to 1099 stops discovery through the registry but does not by itself block that second port, so the workaround should be treated as a stopgap until the upgrade below is applied.
Solution
Upgrade to Cisco CWS Connector 3.0.1.7 or later versions.
Technical details
On Microsoft Windows operating systems, CWS Connector 3.0.1.2 ships with JRE v1.6. The default deployment of CWS Connector on Windows exposes a JMX endpoint on TCP port 1099. In addition, the JMX interface is not configured to require authentication.
A JMX agent provides the capability to remotely manage and monitor Java applications running on the Java Virtual Machine (JVM). Because the endpoint requires no credentials, anyone who can reach it can register their own Managed Beans (MBeans) in the JVM and thereby execute arbitrary code in the context of the Java application it serves.
The CWS Connector application is executed as a Windows service in the context of the “NT AUTHORITY\SYSTEM” user. An attacker capable of executing code through the exposed JMX endpoint could gain administrative access, fully compromising the confidentiality, integrity, and availability of the host.
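The exposure described in the technical details can be checked from the network without a JRE on the scanning host. The probe below is an added example written for this page, not Cisco code and not part of the original advisory: it completes the JRMI transport handshake on TCP port 1099, sends a serialized Registry.list() call and decodes the returned names, flagging the "jmxrmi" binding under which the JMX RMI connector publishes its stub. Protocol constants are taken from the OpenJDK RMI implementation; the sample reply embedded at the bottom is constructed by hand (not captured from a CWS Connector) so the decoder can be exercised offline, and the target host and port passed on the command line are assumptions.

```python
"""Probe an RMI registry (TCP 1099 by default) and list the names bound in it.

Added example for this advisory, not code from Cisco or the original page.
Implements just enough of the JRMI wire protocol (transport handshake plus a
serialized Registry.list() call) to run without a JRE.  Protocol constants are
from the OpenJDK RMI sources; SAMPLE_LIST_REPLY is constructed by hand.
"""
import socket
import struct
import sys

# RMI transport constants (sun.rmi.transport.TransportConstants)
JRMI_MAGIC, JRMI_VERSION, STREAM_PROTOCOL = b"JRMI", 2, 0x4B
PROTOCOL_ACK, CALL, RETURN, NORMAL_RETURN = 0x4E, 0x50, 0x51, 1
# Java object-stream tokens (java.io.ObjectStreamConstants)
STREAM_HEADER = b"\xac\xed\x00\x05"
TC_BLOCKDATA, TC_ARRAY, TC_CLASSDESC = 0x77, 0x75, 0x72
TC_ENDBLOCKDATA, TC_NULL, TC_STRING = 0x78, 0x70, 0x74
# Registry.list(): well-known ObjID 0 (objNum(8) + UID unique(4), time(8), count(2),
# all zero), operation number 1, interface hash from RegistryImpl_Stub.
REGISTRY_OBJID, OP_LIST, REGISTRY_INTERFACE_HASH = b"\x00" * 22, 1, 0x44154DC9D4E63BDF


def build_handshake() -> bytes:
    """Client side of the JRMI transport handshake: magic, version, StreamProtocol."""
    return JRMI_MAGIC + struct.pack(">HB", JRMI_VERSION, STREAM_PROTOCOL)


def build_list_call() -> bytes:
    """Marshalled Registry.list(): Call byte, object-stream header, then ObjID,
    operation number and interface hash inside one TC_BLOCKDATA record."""
    payload = REGISTRY_OBJID + struct.pack(">iq", OP_LIST, REGISTRY_INTERFACE_HASH)
    return bytes([CALL]) + STREAM_HEADER + bytes([TC_BLOCKDATA, len(payload)]) + payload


def parse_list_reply(data: bytes) -> list:
    """Decode the String[] returned by Registry.list() from a raw Return message."""
    if len(data) < 8 or data[0] != RETURN or data[1:5] != STREAM_HEADER:
        raise ValueError("not an RMI Return message carrying a Java object stream")
    pos = 5                               # return header block: type byte + 14-byte UID
    if data[pos] != TC_BLOCKDATA:
        raise ValueError("expected TC_BLOCKDATA return header")
    if data[pos + 2] != NORMAL_RETURN:
        raise ValueError("remote call returned an exception")
    pos += 2 + data[pos + 1]
    # Array: TC_ARRAY, TC_CLASSDESC, UTF class name, SUID(8), flags(1), field count(2),
    # TC_ENDBLOCKDATA, TC_NULL (no superclass), int length, then the elements.
    if data[pos:pos + 2] != bytes([TC_ARRAY, TC_CLASSDESC]):
        raise ValueError("expected an array with an inline class descriptor")
    pos += 2
    (name_len,) = struct.unpack(">H", data[pos:pos + 2])
    class_name = data[pos + 2:pos + 2 + name_len].decode("utf-8")
    if class_name != "[Ljava.lang.String;":
        raise ValueError("unexpected result type %r" % class_name)
    pos += 2 + name_len + 8 + 1
    (field_count,) = struct.unpack(">H", data[pos:pos + 2])
    pos += 2
    if field_count != 0 or data[pos:pos + 2] != bytes([TC_ENDBLOCKDATA, TC_NULL]):
        raise ValueError("unexpected class descriptor layout")
    pos += 2
    (count,) = struct.unpack(">i", data[pos:pos + 4])
    pos += 4
    names = []
    for _ in range(count):
        if data[pos] != TC_STRING:        # TC_REFERENCE / TC_LONGSTRING not handled
            raise ValueError("unsupported string encoding in element %d" % len(names))
        (slen,) = struct.unpack(">H", data[pos + 1:pos + 3])
        names.append(data[pos + 3:pos + 3 + slen].decode("utf-8"))
        pos += 3 + slen
    return names


def jmx_exposed(names: list) -> bool:
    """The JMX RMI connector registers its stub under the name 'jmxrmi'."""
    return "jmxrmi" in names


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during RMI exchange")
        buf += chunk
    return buf


def list_registry(host: str, port: int = 1099, timeout: float = 5.0) -> list:
    """Handshake with the RMI registry at host:port and return the bound names."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_handshake())
        if _recv_exact(sock, 1) != bytes([PROTOCOL_ACK]):
            raise ValueError("no JRMI ProtocolAck; not an RMI endpoint?")
        (hlen,) = struct.unpack(">H", _recv_exact(sock, 2))   # server echoes our endpoint
        _recv_exact(sock, hlen + 4)                            # UTF host + int port
        # Our endpoint (UTF host + int port); the registry only records it.
        sock.sendall(struct.pack(">H", 9) + b"127.0.0.1" + struct.pack(">i", 0))
        sock.sendall(build_list_call())
        reply = b""
        while True:                       # read until the server pauses or closes
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            reply += chunk
        return parse_list_reply(reply)


# Constructed sample Return message (not a capture): one name, "jmxrmi", bound.
SAMPLE_LIST_REPLY = (
    bytes([RETURN]) + STREAM_HEADER
    + bytes([TC_BLOCKDATA, 15, NORMAL_RETURN]) + b"\x00" * 14
    + bytes([TC_ARRAY, TC_CLASSDESC]) + struct.pack(">H", 19) + b"[Ljava.lang.String;"
    + b"\xad\xd2\x56\xe7\xe9\x1d\x7b\x47" + b"\x02\x00\x00"
    + bytes([TC_ENDBLOCKDATA, TC_NULL])
    + struct.pack(">i", 1) + bytes([TC_STRING]) + struct.pack(">H", 6) + b"jmxrmi"
)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None   # assumed: host to probe
    names = list_registry(target) if target else parse_list_reply(SAMPLE_LIST_REPLY)
    print("bound names:", names, "| JMX connector exposed:", jmx_exposed(names))
```

Finding "jmxrmi" bound confirms only that the JMX connector stub is reachable. The RMI registry itself never authenticates callers; credentials are checked (or, on an affected 3.0.1.2 installation, not checked) only when a JMX client connects through that stub, so follow up with a JMX client offered no credentials to confirm the unauthenticated condition this advisory describes. The stub also points at a second port chosen by the connector rather than at port 1099, which is why the interim firewall rule above should not be relied on as the only control.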