Hackers are exploiting RCE Vulnerability (CVE-2023-35042) in GeoServer

GeoServer, the open-source software written in Java that allows users to view and edit geospatial data, has lately been hit by a new security vulnerability. This software, adhering to open standards set by the Open Geospatial Consortium (OGC), is a go-to platform for the creation of flexible maps and data sharing. However, this mighty server is now under attack.

The security vulnerability known as CVE-2023-35042 has emerged as a significant threat, targeting GeoServer 2 configurations, and enabling remote attackers to execute arbitrary code. The vulnerability leverages the `java.lang.Runtime.getRuntime().exec` method within a `wps:Execute` request to execute its malicious payload. This security flaw was witnessed in wild exploits in June 2023, sending waves of concern among the user community.

Security researcher Johannes Ullrich was among the first to note increased scans against GeoServer last week. Utilizing a traditional playbook, Ullrich redirected these scans to a GeoServer instance. He deliberately used an older version of GeoServer to verify if the scans sought to exploit an existing vulnerability. However, the findings were both surprising and concerning.

It turned out that a vulnerability was not even necessary for the attack. Rather, akin to the recent NiFi attacks, the perpetrators exploited a built-in code execution feature. The default installation of the server, as deployed by Ullrich, did not necessitate any credentials – a fact that the attackers took full advantage of.

For the safety of the experiment, Ullrich had wisely installed GeoServer in a docker container. This layer of security prevented any real execution of the attack code. As the container lacked tools like curl, it effectively disabled the automatic downloading of any additional malicious payload. However, for the purpose of further analysis, Ullrich manually downloaded the payloads later.

Shortly after setting up this controlled environment, Ullrich observed multiple exploit requests arriving from IP address 109.237.96.251. These requests leveraged the Web Processing Server (WPS) feature of GeoServer. Specifically, the attackers utilized the “Execute” operation, capable of performing processes with user-defined input values and required output data items.

The exploit requests were surprisingly straightforward, executing a simple bash request that used curl to fetch and run additional code. Upon close examination, it became evident that the ultimate objective of these attacks was to install the “kinsing” crypto miner.

This unfolding saga of CVE-2023-35042 vulnerability reveals a stark reality about the current state of software security. Even with no explicit vulnerabilities in the code, threat actors can exploit the built-in features of a system to perpetrate attacks. Hence, the need for robust security measures and constant vigilance is greater than ever.

Developers and administrators using GeoServer should take immediate steps to address the CVE-2023-35042 vulnerability. Regular updates, rigorous scanning, and strong access controls should be an integral part of any security strategy.