CVE-2011-2894: Spring Framework and Spring Security serialization-based remoting vulnerabilities

[s2-security <s2-security () vmware com>]

CVE-2011-2894: Spring Framework and Spring Security serialization-based remoting vulnerabilities

Severity: Critical

Versions Affected:

Spring Framework:
    3.0.0 to 3.0.5

Spring Security:
    2.0.0 to 2.0.6
    3.0.0 to 3.0.5

Earlier versions may also be affected

Description:

Several issues have been reported which may affect applications which de-serialize objects from an untrusted source 
such as a remote client. It is possible for a malicious client to inject undesirable behaviour into the server by 
serializing proxies rather than specific class instances, or by taking advantage of internal AOP interfaces which were 
being exposed through the remote service, in addition to the service interface.


Example:

It is possible to serialize a sub-classed DefaultListableBeanFactory instance from the client to the server and use it 
to execute chosen commands on the server, using the "java.lang.Runtime" class. The attack can be executed by 
serializing a java.lang.Proxy instance in combination with an InvocationHandler or by injecting the exploit as a 
substitute target source through the exposed org.springframework.aop.framework.Advised interface of an exported remote 
service.

Spring Security's remoting allows an authentication token (an implementation of the Authentication interface) to be 
passed from the client, which is authenticated on the server. By crafting a proxy instance, it is possible to 
circumvent the server-side checking of the submitted token.


Mitigation:

Applications which use serialization-based remoting are likely to be vulnerable. In the long-term, we would recommend 
users migrate away from serialization-based remoting in cases where the client cannot be trusted, as it is a potential 
source of vulnerabilities in both Spring and non-Spring applications.

All users may mitigate this issue by upgrading to Spring Framework 3.0.6 and Spring Security 3.0.6. Spring Framework 
users should make use of the additional features introduced to prevent deserialization of malicious proxies. These are 
described below.

Users of Spring Security 2.0.x may upgrade to 2.0.7


Fix:

RemoteInvocationSerializingExporter (the base class for HttpInvokerServiceExporter) now has an "acceptProxyClasses" 
flag which should be set to false if using Spring remoting. This will prevent any deserialization of proxies through 
Spring remoting, thus providing additional protection against future attacks of this kind which may use other 
serializable classes.

DefaultListableBeanFactory instances can no longer be deserialized other than through a SerializedBeanFactoryReference, 
which resolves to an existing bean factory instance on the server side. In addition, the serialization ID can be 
customized, to prevent a client from guessing it, by setting a value for "contextId" in the web.xml file as a 
context-param and as an init-param for instances of FrameworkServlet (such as Spring's DispatcherServlet).

RemoteExporter now uses an "opaque" proxy to limit exported methods to those of the service interface. This prevent 
access to interfaces such as org.springframework.aop.framework.Advised.

Spring Security remoting has been changed to prevent the submission of an Authentication instance by a remote client. 
It now only supports username/password authentication. This removes any possibility of an untrusted Authentication 
object being created on the server and prevents any of the associated attack vectors.

Credit:

The issue was discovered by Wouter Coekaerts (http://wouter.coekaerts.be/).

History:
2011-09-09: Original advisory

References:
[1] http://www.springsource.com/security/cve-2011-2731