Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Spring: It isn't just about Spring4Shell. Spring Cloud Function Vulnerabilities are being probed too. - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Spring: It isn't just about Spring4Shell. Spring Cloud Function Vulnerabilities are being probed too.

Our "First Seen URL" page did show attempts to access /actuator/gateway/routes this weekend. So I dug in a bit deeper to see what these scans are all about. The scans originate from 45.155.204.146 and have been going on for a few days already, but our first-seen list doesn't display them until they hit a threshold to consider the scans significant. We also see scans from a couple of our IPs, but at a much lower level.

A typical complete request from 45.155.204.146:

GET /actuator/gateway/routes HTTP/1.1
Host: [redacted]:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Encoding: gzip
Connection: close

The scan for /actuator/gateway/routes may be looking for systems that are possibly vulnerable to CVE-2022-22947 or other vulnerabilities in the Spring Cloud function (we had at least three different vulnerabilities recently). This vulnerability was patched at the beginning of March [1], and exploits are available. The actual exploit would include a JSON formated payload with the actual command to be executed. A simple code injection vulnerability, exploitation is trivial. But to be vulnerable, a system needs to use the Spring Cloud functions, which are not as popular as the basic Spring Core library vulnerable to Spring4Shell (cve-2022-22965). 

The same source also scans for various vulnerabilities, indicating that this test was added to a bot used to compromise multiple sites. Here is a partial list of other vulnerabilities scanned by this source:

/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh
/actuator/gateway/routes
/securityRealm/user/admin/search/index?q=a
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 
/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21
/?XDEBUG_SESSION_START=phpstorm 
/console/ 
/_ignition/execute-solution
/solr/admin/info/system?wt=json
/index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21
/?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> 
/Autodiscover/Autodiscover.xml

 

[1] https://tanzu.vmware.com/security/cve-2022-22947

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANSFIRE 2022

Johannes

4504 Posts
ISC Handler
Apr 11th 2022

Sign Up for Free or Log In to start participating in the conversation!