Cisco Cloud Web Security Connector JMX/RMI Remote Code Execution

CVE-2015-0689

    Type

  • JMX/RMI Remote Code Execution
  • Severity

  • High
  • Affected products

  • Cloud Web Security Connector
  • CVE Reference

  • CVE-2015-0689
Timeline
17/11/2014Reported to Cisco.
17/11/2014Cisco confirmed reception.
12/12/2014MWR InfoSecurity requested current status.
12/12/2014Cisco confirmed that a PSIRT case id has been assigned and awaited action from an incident manager.
06/01/2015Cisco requested further information on the issue.
20/01/2015MWR InfoSecurity provided additional information, however no response was received.
10/02/2015MWR InfoSecurity confirmed that the issue has been fixed on latest version (3.0.1.9). CWS Connector release notes mention that JMX has been disabled since 3.0.1.7, however no notification from Cisco was provided.
24/02/2015MWR InfoSecurity contacted Cisco again, however no response was received.
30/03/2015MWR InfoSecurity contacted Cisco again. Cisco informed MWR InfoSecurity that the issue will be investigated.
06/04/2015Cisco verified the issue, assigned a CVE and released an advisory on their portal.
10/04/2015Cisco requested a co-ordinated public release and MWR received confirmation from Cisco that the CVE was associated with the issue reported.
17/04/2015Advisory published.

A vulnerability exists in Cisco Cloud Web Security Connector which allows unauthenticated users to gain unauthorised access with administrative privileges on the target host. Cisco confirmed this vulnerability and assigned CVE-2015-0689.

Description

Cisco Cloud Web Security (CWS) is a Software-as-a-Service solution which offers scanning and filtering capabilities on user requested Internet traffic. CWS filters out content that is inappropriate or does not conform to a defined policy. Cisco CWS Connector acts as a proxy to redirect the web traffic to CWS service.

Cisco CWS Connector running on Microsoft Windows systems ships with its own Java Runtime Environment (JRE) and exposes a Java Management Extensions (JMX) interface that does not require authentication. A vulnerability exists in CWS Connector which allows unauthenticated users to gain unauthorised access with administrative privileges on the target host.

Impact

An unauthenticated attacker who is able to access the port on which the JMX interface is exposed can use this flaw to achieve Remote Code Execution (RCE). The service runs with “SYSTEM” privileges on a Microsoft Windows operating system and thus an adversary may gain complete control of the host.

Cause

The default installation of CWS Connector version 3.0.1.2 on Microsoft Windows includes and uses its own JRE 1.6 which has a JMX endpoint enabled by default that does not require authentication.

Interim Workaround

Enable the on host firewall to prevent access to the JMX interface on TCP port 1099.

Solution

Upgrade to Cisco CWS Connector 3.0.1.7 or later versions.

Technical details

On Microsoft Windows operating systems, CWS Connector 3.0.1.2 ships with JRE v1.6. The default deployment of CWS Connector on Windows exposes a JMX endpoint on TCP port 1099. In addition, the JMX interface is not configured to require authentication.

A JMX agent provides the capability to remotely manage and monitor Java applications running on the Java Virtual Machine (JVM). Due to the lack of authentication, a user could craft their own Managed Beans (MBeans) and execute arbitrary code through the Java application served on the JVM.

The CWS Connector application is executed as a Windows service in the context of the “NT AUTHORITY\SYSTEM” user. An attacker capable of executing code through the exposed JMX endpoint could gain administrative access, fully compromising the confidentiality, integrity, and availability of the host.