FreeBSD : java 7.x -- security manager bypass (d5e0317e-5e45-11e2-a113-c48508086173)

medium Nessus Plugin ID 63589
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

US CERT reports :

Java 7 Update 10 and earlier versions of Java 7 contain a vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

The Java JRE plug-in provides its own Security Manager. Typically, a web applet runs with a security manager provided by the browser or Java Web Start plugin. Oracle's document states, 'If there is a security manager already installed, this method first calls the security manager's checkPermission method with a RuntimePermission('setSecurityManager') permission to ensure it's safe to replace the existing security manager. This may result in throwing a SecurityException'.

By leveraging the vulnerability in the Java Management Extensions (JMX) MBean components, unprivileged Java code can access restricted classes. By using that vulnerability in conjunction with a second vulnerability involving the Reflection API and the invokeWithArguments method of the MethodHandle class, an untrusted Java applet can escalate its privileges by calling the the setSecurityManager() function to allow full privileges, without requiring code signing.
Oracle Java 7 update 10 and earlier Java 7 versions are affected. The invokeWithArguments method was introduced with Java 7, so therefore Java 6 is not affected.

This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available.

Esteban Guillardoy from Immunity Inc. additionally clarifies on the recursive reflection exploitation technique :

The real issue is in the native sun.reflect.Reflection.getCallerClass method.

We can see the following information in the Reflection source code :

Returns the class of the method realFramesToSkip frames up the stack (zero-based), ignoring frames associated with java.lang.reflect.Method.invoke() and its implementation.

So what is happening here is that they forgot to skip the frames related to the new Reflection API and only the old reflection API is taken into account.

This exploit does not only affect Java applets, but every piece of software that relies on the Java Security Manager for sandboxing executable code is affected: malicious code can totally disable Security Manager.

For users who are running native Web browsers with enabled Java plugin, the workaround is to remove the java/icedtea-web port and restart all browser instances.

For users who are running Linux Web browser flavors, the workaround is either to disable the Java plugin in browser or to upgrade linux-sun-* packages to the non-vulnerable version.

It is not recommended to run untrusted applets using appletviewer, since this may lead to the execution of the malicious code on vulnerable versions on JDK/JRE.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?eaf95a3d

http://www.nessus.org/u?db189fad

http://www.nessus.org/u?c297fbb3

Plugin Details

Severity: Medium

ID: 63589

File Name: freebsd_pkg_d5e0317e5e4511e2a113c48508086173.nasl

Version: 1.10

Type: local

Published: 1/17/2013

Updated: 1/6/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Low

Score: 2.7

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:linux-sun-jdk, p-cpe:/a:freebsd:freebsd:linux-sun-jre, p-cpe:/a:freebsd:freebsd:openjdk7, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 1/14/2013

Vulnerability Publication Date: 1/10/2013

Reference Information

CVE: CVE-2013-0433

CERT: 625617