java deserialize vulnerability

The Security Vulnerability That Puts Millions of Application Backends at Risk. Yours Included

What happened to Sony?

Last year Sony dominated the headlines over two major security breaches during the Christmas season. The first attack, orchestrated by a group of young hackers called Lizard Squad, resulted in the complete shutdown of Sony Playstation’s online gaming services for gamers around the world. The second attack was speculated to be North Korea's warning call for Sony’s new film, The Interview, which had a plot to kill North Korea’s no. 1 boss, Kim Jong-un. Under this breach, Sony lost a significant amount of sensitive and business data including Social Security Numbers, private email messages, salary info of 47 000 employees together with intellectual properties such as scripts for new films.

However, we are not talking about 2014. We want to know what happened to Sony three years earlier. In 2011, Sony was hit by another security breach, this time, architected by just a lone hacker. The hacker infiltrated through Sony’s PlayStation Network and got access to sensitive info of 77 million customers. The info included customers’ usernames, security questions, passwords and other personal data.

Sony’s Chief Information Officer (CIO), Shinji Hasejima, went public to shed light on what went wrong and how the network was compromised. According to Sony’s CIO, Sony’s network followed a typical 3-layer (or 3-tier) architect that included a web server, a web application server, and a database server. Hasejima believed that the weakest link was the application server and that the attacker exploited vulnerabilities found on the web application server and got access to the database server that contained valuable personal and corporate data. [1]

sony hacks

What is an application server?

An application server is a software framework that resides in the middle-tier of a server-centric architecture and provides an environment where an application can run. For example, in a 3-tier application stack, the first (presentation) is a web server that provides the Graphical User Interface (GUI), the second (logic) is an application server that provides the business logic, coordinates the application and process commands, and the third (data) is a database server that stores data to be exchanged to above two layers.

Together with the database server, the application server constitutes the backend of a web or mobile application.

To summarize, a backend, e.g. mobile backend, is sort of a repository of everything that makes your app presence and mobile apps run smoothly. In many cases, all the information in the backend is stored in the data center or on the cloud.

he Internet and web technologies have never been secured. Can you imagine how secure the mobile technologies? It’s primed for even more vulnerabilities and attacks.

A mobile application of your enterprise likely has a backend that can be exploited

Mobile application servers are inherently insecure because they consist of extensive stacks of software. Each piece can contain bugs including risky zero-day vulnerabilities as seen in above Sony hack.

Recently FoxGlove Security researchers published a serious vulnerability that can put millions of application backend at risk.

Mobile applications use the same web-app technology for their backends, thus suffer the same vulnerability.

This vulnerability, referred as Java Deserialize, was found in Apache Commons library, a popular library used in Java applications and other middleware products such as Oracle Weblogic, IBM Websphere, Redhat JBoss, Jenkins, and OpenNMS . “The flaw is specifically in the Collections component of Apache Commons and stems from unsafe deserialization of Java objects. In programming languages, serialization is the process of converting data to a binary format for storing it in a file or memory, or for sending it over the network. Deserialization is the reverse of that process.” [2]

The team at Foxglove Security described in detail their exploits against products and demonstrated how easy it was for attackers to exploit this vulnerability and gain complete remote control over an application server. For example, they can insert a malicious object into a data stream and have it execute on the app server. Foxglove team found 1300 results from GitHub’s public software by searching for the phrase “commons collection.”

However, there are likely more custom-built enterprise Java mobile application backends that use this Apache Common library.

java deserialize vulnerability

Impact to enterprise environments

This has a huge impact on enterprises that operate these at-risk mobile applications that can be compromised. Contrast Security’s CTO, Jeff Williams, said that hackers could “steal or corrupt any data accessible from that server, steal the application's code, change the application, or even use that server as a launching point for further attacks now that they are inside the data center.” [3]

Nowadays enterprises are racing to adopt mobile applications. Their employees and customers can access information via the mobile application anytime when there is a connection. The enterprise mobile application needs to access data remotely, over a public network. It communicates with its backend residing inside the enterprise’s private network.

It’s even more alarming for enterprises knowing that 85% of all cyber attacks happen at the application backend, at the entry point from the public network into the data center. The network entry point from the public to the private network represents that weakest point. Once the backend is compromised, all data within the enterprise become vulnerable. Read this article to learn more about the application backend and the Importance and value of backend security.

backend attacks security

Why your enterprise likely has this vulnerability?

IBM and Oracle, two big enterprise software providers, have invested a lot of their Enterprise application stack and major platforms into Java. In the March 2014 Gartner’s “Market Share: All Software Markets, Worldwide 2013”, Oracle’s Weblogic claimed the top spot in the application server category, and IBM continued to be the leader in application infrastructure and middleware software.

Java-based backends have been and will continue to dominate the enterprise backend market. If 85% of cyber attacks target the backend, the risk stems from this vulnerability is sky high against the enterprises.

mobile backend security

Recommend fixes, mitigation and solution

Install patches to update affected mobile app backends

Companies have either released patched (Jenkins) or are working on a permanent resolution (Oracle, Apache Common Collections).

Other companies have also provided fixes to rectify this issue. Contrast Security released a free Runtime Application Self-Protection (RASP) Protection Module to block exploitation attempts. Security researcher Luca Carettoni released SerialKiller, a Java deserialization library designed to secure applications from untrusted input.

Developers need to ensure they check and validate serialized object

While this vulnerability first appeared to be a flaw in the Java library, it has more to do with developers’ accepting untrusted input without checking or validating them. [4] published a blog post to teach developers how to mitigate this kind of vulnerability.

Isolate the mobile application’s backend from direct Internet exposure

Exposing the backend increases the risk for this kind of attack. It’s a good practice not to expose your application backend (especially running on Java) to the Internet. For example in case of using VPN, an automated scanning of your enterprise IT infrastructure landscape will not reveal what application backend you are using.

Thus, an enterprise mobile application architecture, besides the usual mobile app’s frontend, mobile app’s backend, has to include a security layer, responsible for the security of the application’s backend.

Monitoring

Besides setting up security defense to thwart attacks, it’s necessary to monitor traffic and see what’s going in and out of your enterprise and detect suspicious activities.

How SeaCat Mobile Secure Gateway Protects Enterprise Mobile Application Backend

Shield your mobile application backend from direct exposure to the Internet

SeaCat Mobile Secure Gateway sits in front of these layers, authorizing legitimate requests, detecting illegitimate ones from the Internet and shielding the application and database servers from direct attacks. The traffic is digitally signed which gives you much better control over who are accessing your backends.

Automated scans will not discover software and its version. Thus, your server will not be enlisted on a hacker's database for future attacks. When zero-day vulnerabilities are found, you will be spared from being exploited because hackers don't know that you are operating this application stack.

Monitor mobile traffic and track activities

The Mobile Secure Gateway can be integrated with an Intruder Detection System (IDS). Since the mobile application communication has very clear patterns, it is not difficult for the IDS to detect incorrect or malicious patterns. If this happens, IDS signals back to the Mobile Secure Gateway that a particular user is not trusted. The user’s cryptographical identity (key) is removed from the list of allowed users. Then this user will no longer be able to communicate with the Gateway, stopping further communication attempt to the backend. The Gateway can switch into a honeypot and record the hackers’ activities to see what he’s up to. It’s tricky to attack a defence system like this.

If you’d like to get a true assessment of your mobile application’s backend security, please request a FREE Demo. Or, to learn more about TeskaLabs’ SeaCat Mobile Secure Gateway and how we can help with the security of your enterprise mobile solutions, please visit www.teskalabs.com/products/seacat-mobile-secure-gateway.

Reference:

  1. http://www.develop-online.net/analysis/playsatation-network-how-it-was-breached/0117019
  2. http://www.pcworld.com/article/3004633/business-security/thousands-of-java-applications-vulnerable-to-nine-month-old-remote-code-execution-exploit.html
  3. http://www.darkreading.com/informationweek-home/why-the-java-deserialization-bug-is-a-big-deal/d/d-id/1323237
  4. http://fishbowl.pastiche.org/2015/11/09/java_serialization_bug

Additional reading:

  1. Custom Made vs. Off-The-Shelf Mobile Apps – The Issue of Security
  2. You Can Build Apps for the Apple TV, But Do You Know How to Do It Securely?
  3. We Know Why 85% of Mobile Apps Suck in Security. Do You?
  4. 7 Reasons Why Testing the Security of Mobile Applications Is Crucial for Enterprises
  5. The Top 5 Mobile Application Security Issues You Need to Address When Developing Mobile Applications
  6. What Is a Mobile Application Containerization, or Wrapper, and Why Must It Die?

About the Author

Cindy Dam

TeskaLabs’ Marketing & Community Manager, Cindy Dam, has a penchant for hacking and storytelling. When she's not reading and writing about cyber hacking, she reads, writes, and comes up with mind and travel hacks.




You Might Be Interested in Reading These Articles

What Can We Do as Mobile App Developers in This BYOD Era?

Today we live in a mobile environment. There are more mobile devices connected to the Internet than human beings in the world. This has given us more freedom to choose to work from anywhere, anytime and given us the flexibility to take care of other important matters.

Continue reading ...

musing byod mobile

Published on February 03, 2015

Should I Use Contactless (NFC) Payment Cards?

Nowadays, almost all smartphones contain NFC (Near field communication) technology. Contactless cards use this technology when they communicate with contactless payment terminals to exchange needed information and proceed with the transaction. However, you can also do this by using your smartphone.

Continue reading ...

mobile

Published on February 16, 2016

Security Architect Jiri Kohout: It's up to Us to Define How Secure The Internet Will Be

The security of connected applications, IoT, or mobile platforms, is based not only on secure development, but also on widespread knowledge about info security. Every user should have minimum knowledge about security. Every public tender should demand security of the final product or service.

Continue reading ...

interview security

Published on September 15, 2015