GeoServer RCE Vulnerability (CVE-2024-36401) Being Exploited In the Wild
Overview
The SonicWall Capture Labs threat research team became aware of a remote code execution vulnerability in GeoServer, assessed its impact and developed mitigation measures. GeoServer is a community-driven project that allows users to share and edit geospatial data. It supports industry-standard OGC protocols, including Web Feature Service (WFS), Web Map Service (WMS) and Web Coverage Service (WCS). Identified as CVE-2024-36401, GeoServer versions before 2.24.4, 2.25.2 and 2.23.6 allow an unauthenticated threat actor to execute arbitrary code remotely, earning a critical CVSS score of 9.8. Since this vulnerability has made its way into CISA’s Known Exploited Vulnerabilities (KEV) Catalog, users are strongly encouraged to upgrade their instances to the latest applicable fixed version, as mentioned by the vendor in the advisory.
Technical Overview
This vulnerability is caused by a flaw in the GeoTools library API used by GeoServer to process attribute names. The API passes the names in an unsafe way to the commons-jxpath library, which poses a risk of executing arbitrary code when evaluating XPath expressions. According to the advisory, the XPath evaluation is meant to be used only by complex feature types such as Application Schema data stores. However, it is also mistakenly applied to simple feature types, making the vulnerability applicable to all GeoServer instances.
Triggering the Vulnerability
The vulnerability can be leveraged through Open Geospatial Consortium (OGC) request parameters such as WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute. For instance, the sample request with a malicious payload could be crafted as seen in Figure 1. Notice the Linux “touch” command in the ValueReference attribute of the GetPropertyValue tag.
Figure 1: Sample attack request
The flaw was addressed by a patch that improves the handling of XPath expressions in GeoTools. For instance, the improved XmlXpathUtilites class used to evaluate XPath values can be seen in Figure 2.
Figure 2: Patched XmlXpathUtilites Class
Leveraging the vulnerability described above requires the attacker to have network access to the vulnerable system and to send a maliciously crafted request, as seen in Figure 1. Successful exploitation results in the creation of a file named ‘poc2’ in the /tmp/ directory, as seen in Figure 3.
Figure 3: Execution of POC
Exploitation
To exploit this vulnerability, an attacker must send a request with a system command in any of the following fields: WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic or WPS Execute. Exploiting this vulnerability allows a remote threat actor to execute arbitrary code on the server, with a high impact on the confidentiality, integrity and availability of the system and no user interaction required. Exploitation of the affected system using the WFS GetFeature field and ncat commands is demonstrated in Figure 4.
Figure 4: Exploit in action
SonicWall Protections
To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:
- IPS: 20144 GeoServer OGC Remote Code Execution
- IPS: 20145 GeoServer OGC Remote Code Execution 2
- IPS: 20182 GeoServer OGC Remote Code Execution 3
Remediation Recommendations
Given that the vulnerability is being exploited in the wild and a public POC is available, users are strongly encouraged to upgrade their instances to the latest versions, as mentioned in the vendor advisory.
Users who cannot upgrade their instances right away can remove the file gt-complex-x.y.jar (where x.y is the GeoTools version) from their GeoServer instance. GeoTools versions prior to 30.4, 31.2 and 29.6 are vulnerable. Although this removes the vulnerable code, it may break certain legitimate GeoServer functionality. The gt-complex module is located at WEB-INF/lib/gt-complex-x.y.jar for war-based deployments and at webapps/geoserver/WEB-INF/lib/gt-complex-x.y.jar for binary-based deployments.
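Checking an installed instance for the vulnerable gt-complex module, as an added example that is not part of this advisory or of GeoServer itself: the script looks in the two jar locations named above, reads the GeoTools version from the jar name and compares it against the fixed releases 29.6, 30.4 and 31.2. Treating branches older than 29.x as vulnerable (no fixed release is listed for them) and branches newer than 31.x as fixed is an assumption, as is the jar-name pattern.

```python
import re
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Earliest fixed GeoTools release per branch, per the advisory:
# gt-complex older than 29.6, 30.4 or 31.2 carries the vulnerable XPath handling.
FIXED_GEOTOOLS = {29: 6, 30: 4, 31: 2}

# Jar locations named in the advisory, relative to the deployment root
# (war-based and binary-based installs respectively).
LIB_DIRS = ("WEB-INF/lib", "webapps/geoserver/WEB-INF/lib")

# Assumed naming: gt-complex-<major>.<minor>[qualifier].jar
JAR_RE = re.compile(r"^gt-complex-(\d+)\.(\d+)(?:[.-]\S*)?\.jar$")


def parse_gt_complex_version(filename: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from a gt-complex jar name, or None if it is another jar."""
    m = JAR_RE.match(filename)
    return (int(m.group(1)), int(m.group(2))) if m else None


def geotools_is_vulnerable(major: int, minor: int) -> bool:
    """True when this gt-complex version predates the fixed release of its branch.
    Assumption: branches below 29 have no fix and are vulnerable; branches above 31
    were released after the fix and are treated as not affected."""
    if major in FIXED_GEOTOOLS:
        return minor < FIXED_GEOTOOLS[major]
    return major < min(FIXED_GEOTOOLS)


def audit_jar_names(names: Iterable[str]) -> List[Tuple[str, bool]]:
    """Classify gt-complex jars in a list of file names; other jars are ignored."""
    findings = []
    for name in names:
        ver = parse_gt_complex_version(name)
        if ver is not None:
            findings.append((name, geotools_is_vulnerable(*ver)))
    return findings


def audit_deployment(root: str) -> List[Tuple[str, bool]]:
    """Scan both advisory-listed lib directories under a GeoServer deployment root."""
    results = []
    for lib_dir in LIB_DIRS:
        jars = sorted(p.name for p in Path(root, lib_dir).glob("gt-complex-*.jar"))
        results.extend((f"{lib_dir}/{n}", vuln) for n, vuln in audit_jar_names(jars))
    return results


if __name__ == "__main__":
    # Constructed sample jar names, not taken from a real deployment.
    for name, vuln in audit_jar_names(["gt-complex-30.3.jar", "gt-main-30.3.jar", "gt-complex-31.2.jar"]):
        print(f"{name}: {'VULNERABLE, upgrade or remove' if vuln else 'fixed version'}")
```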