Special thanks to John Dwyer for working on the POC that helped me write and validate detection methods.
Hi guys !
Vulnerabilities in the Spring framework were found and communicated in an early announcement on Wednesday, even before CVE-2022-22965 was published. The Spring team worked to publish an emergency fix in version 2.5.12.
There have been a lot of comparisons to log4j, but I hope it's not too much like log4j all over again for you!
But today I'm here to help in case some servers don't have the fix yet for any reason. So get your web server logs: I have two types of detection to propose to you today!
YARA Rules
YARA rules ready to use
Once again, Florian Roth has been on top of things and released a few YARA rules that can help detect the exploit. You can find the rules here on Github.
These rules can be handy to deploy on your perimeter devices, but also in QRadar thanks to the IBM Security QRadar Manager for YARA Rules that you can find on the App Exchange.
The YARA app allows you to import the rules either manually or by pulling directly from Github. Once your namespace is created, the only thing you have to do is:
- Go to the Scan Data tab
- Select the data you want to scan, it could be either a saved search, an AQL search, raw payload or a file
- Select the namespace you created
- Run the scan!
We tested the rules in our lab
EXPL_POC_SpringCore_0day_Indicators_Mar22_1
For this rule, we actually found two proof-of-concepts that successfully performed the exploit, but only one of them was matched natively by the YARA rule. A quick look at the data showed that one of the POCs included a pwd argument in the command line while the other didn't, and the YARA rule tests for:
$x2 = "?pwd=j&cmd=whoami"
Knowing that, you can decide to edit the YARA rule if you want to catch more cases. The YARA app makes everything really easy; you can watch the one-minute video included below to see how to proceed.
Here is a sample of logs coming from one of the POCs (the one that doesn't match the default rule, so you know what to edit :) ):
172.16.1.10 - - [01/Apr/2022:09:05:16 -0400] "GET /shell.jsp?cmd=whoami HTTP/1.1" 200 2055
EXPL_POC_SpringCore_0day_Webshell_Mar22_1
As we are looking at logs, we started by modifying the rule to remove the condition "filesize < 200KB".
Once this was done, the rule was an immediate match!
Here is a sample of logs coming from one of the POCs:
172.16.1.10 - - [31/Mar/2022:19:46:55 -0400] "POST /SpringBootApp-0.0.1-SNAPSHOT/greeting HTTP/1.1" 200 321
- java.io.InputStream in = -.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!=-1){ out.println(new String(b)); } -
How to edit the rules and run the test in the YARA app
Nigel recorded a video to show you everything, from the Github import to the modification of the rules and the testing of sample payloads (you can run an AQL search as well) :)
If you're unsure about how to use the app, it includes a step by step tutorial with a concrete example. You can also find additional information in the documentation.
QRadar Content
To build QRadar rules you can use the payloads I posted above as a basis.
Here are the rules I propose as a starting point; tune them to fit your needs:
Apply CVE-2022-22965 Part 1 on events which are detected by the Local system and when the event(s) were detected by one or more of Tomcat and when the event matches Payload Contains is getRuntime().exec, Payload Contains is request.getParameter("cmd")
Apply CVE-2022-22965 Part 2 on events which are detected by the Local system and when the event(s) were detected by one or more of Tomcat and when the event matches Method (custom) is any of GET and when the event matches Payload Matches Regular Expression is \/.*\.jsp\?(pwd=j&)?cmd=.*?\s
Apply CVE-2022-22965 potential exploit on events which are detected by the Local system and when CVE-2022-22965 Part 2 match at least 1 times in 30 minutes after any of CVE-2022-22965 Part 1 match
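To show how the three rules above fit together, here is an added Python example (not part of the original post, and not QRadar code) that applies the Part 1 payload test, the Part 2 regex and the 30-minute correlation to a few constructed access-log lines modelled on the POC samples quoted earlier.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines, modelled on the POC samples quoted in the post.
# The POST payload is shortened to the fragment the QRadar Part 1 rule tests.
SAMPLE_LOGS = [
    '172.16.1.10 - - [31/Mar/2022:19:46:55 -0400] "POST /SpringBootApp-0.0.1-SNAPSHOT/greeting HTTP/1.1" 200 321 '
    'getRuntime().exec(request.getParameter("cmd"))',
    '172.16.1.10 - - [31/Mar/2022:19:47:10 -0400] "GET /shell.jsp?cmd=whoami HTTP/1.1" 200 2055',
    '10.0.0.5 - - [31/Mar/2022:20:01:00 -0400] "GET /index.jsp?page=home HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Apr/2022:09:05:16 -0400] "GET /shell.jsp?pwd=j&cmd=whoami HTTP/1.1" 200 2055',
]

TIMESTAMP_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Part 2 regular expression exactly as written in the QRadar rule.
PART2_RE = re.compile(r"\/.*\.jsp\?(pwd=j&)?cmd=.*?\s")
WINDOW = timedelta(minutes=30)


def event_time(line):
    """Parse the bracketed Tomcat access-log timestamp into an aware datetime."""
    return datetime.strptime(TIMESTAMP_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")


def is_part1(line):
    """Part 1: the payload contains both webshell indicators."""
    return "getRuntime().exec" in line and 'request.getParameter("cmd")' in line


def is_part2(line):
    """Part 2: a GET request whose payload matches the command-execution regex."""
    m = REQUEST_RE.search(line)
    return bool(m) and m.group("method") == "GET" and PART2_RE.search(line) is not None


def correlate(lines, window=WINDOW):
    """Return the Part 2 lines seen within `window` after any Part 1 line,
    i.e. the 'potential exploit' rule. Like the QRadar rule as written, this
    does not key events by source IP; add that if you see too many matches."""
    part1_times = [event_time(l) for l in lines if is_part1(l)]
    hits = []
    for line in lines:
        if not is_part2(line):
            continue
        t2 = event_time(line)
        if any(t1 <= t2 <= t1 + window for t1 in part1_times):
            hits.append(line)
    return hits
```

Note that the fourth sample line matches Part 2 on its own but is not reported by correlate(), because no Part 1 event precedes it within 30 minutes.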
I hope this will help. In any case, if you are directly impacted and in need of expert assistance, you can contact the IBM Security X-Force Incident Response team, who is available to assist 24×7, at US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.
Thanks again to John for being so responsive and helpful in providing data associated with this vulnerability, and thanks to Nigel Sood for putting together the YARA video!
If you are interested in reading more about QRadar Security Content, you can find the complete list of blog entries here.