0-day Vulnerability Scan: SpringShell or Spring4Shell

VenkatM 2022-03-31 11:47:32 UTC #1

Hello Folks. This is an urgent requirement to use BigFix to query the below details, SO please help me how to write the query for that.

CyberSecurity has just alerted me to a 0-day vulnerability which is called SpringShell or Spring4Shell. FCyberSecurity has only recently begun to put together the components by which the vulnerability will exploit a given system or systems. However, we would like to fully understand the potential UNIX/Linux servers that could be exposed by this latest vulnerability (i.e., attack surface). As a result, could you please write a script OR utilize BigFix to query the UNIX and Linux servers for the below-installed components?

• Java 9 or greater
• spring-beans*.jar

Below are a few links that have been shared with me related to this vulnerability:

• SpringShell: Spring Core RCE 0-day Vulnerability - Cyber Kendra

• Spring4Shell: Security Analysis of the latest Java RCE ‘0-day’ vulnerabilities in Spring | LunaSec

Could you please help me on this , that how to write the query or analysis to get the results.

fermt 2022-03-31 12:34:07 UTC #2

The official documentation from the Spring Framework engineers

dmccalla 2022-03-31 13:12:26 UTC #3

Do you have BigFix Inventory in place?

nicksberger 2022-03-31 13:20:11 UTC #4

Here’s a Task I created to detect where the Spring framework has been embedded in the WAR file.
We have the relevance targeting Linux hosts where Java process version is >=9

override wait
timeout_seconds=60
disposition=terminate
parameter "scriptFile" = "{parent folder of parent folder of client folder of current site}/detectSpring.sh"
delete "{parameter "scriptFile"}"
createfile until __end__ 
#!/bin/bash
test -d /var/opt/BESClient/ || mkdir -p /var/opt/BESClient/
for war in $(locate -b --regex '[.]war$'); do war_file=$(basename "$war"); echo $(file $war) | grep -qv ' directory' && mkdir -p /tmp/bigfix && cp "$war" /tmp/bigfix/ && cd /tmp/bigfix && unzip -qjun "$war_file" && if ls | egrep -q -e 'spring-beans-.*.jar' -e 'CachedIntrospectionResuLts.class'; then echo "$war"; fi; rm -rf /tmp/bigfix/*; done > /var/opt/BESClient/Spring.txt
exit 0
__end__ 
move __createfile "{parameter "scriptFile"}" 
wait chmod 555 "{parameter "scriptFile"}" 
wait /bin/bash "{parameter "scriptFile"}"

Blockquote

Property to read the output is -

if exists files "Spring.txt" of parent folders of parent folders of client folders of sites "actionsite" then unique values of (it as trimmed string) of (if exists property "locked lines" then locked lines of it else lines of it) of files "Spring.txt" of parent folders of parent folders of client folders of sites "actionsite" else "N/A"

How to display features of a sepecific type of file in a linux server

fermt 2022-03-31 13:29:46 UTC #5

I already tried using BFI and a search for spring-beans returns nothing. We are a software company for sure we expect results to show up.

JasonWalker 2022-03-31 14:36:19 UTC #6

I’m not certain whether the issue is limited to spring-beans. Based on the Spring blog post at https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#am-i-impacted it seems there are potential exploits demonstrated in spring-mvc and spring-webflux.

I’m still looking but we may need to widen the search.

[edit: yes, they contain spring-beans. No, I can’t type ‘spring-beans-*’ without introducing a typo]

VenkatM 2022-03-31 14:37:24 UTC #7

Hi Dmccalla. No we dont have Inventroy module since we had Patch module license only .

JasonWalker 2022-04-01 19:11:32 UTC #8

Started a topic to consolidate info at Spring Framework RCE Vulnerability – Current BigFix Actions

JasonWalker 2022-04-02 14:07:53 UTC #9

I do like this method a lot, and it should provide a much faster scan for customers who have ‘locate’ installed & configured; I just don’t think I can depend on ‘locate’ being present for everyone.

nicksberger 2022-04-07 11:39:05 UTC #10

You seen this ? https://github.com/whitesource/spring4shell-detect

there’s actually a few scanners on github, i tested the qualys scanner … looked ok