CVE-2024-40711

Analysis and mitigation of the Backup & Replication vulnerability — CRITICAL (CVSS 9.8)

High-profile threat

Overview

CVE-2024-40711 is a critical remote code execution (RCE) vulnerability caused by unsafe deserialization of untrusted data. An unauthenticated attacker can exploit this vulnerability by sending a malicious serialized payload, allowing arbitrary code execution on the affected system. This is a classic deserialization attack that requires no authentication or user interaction. The vulnerability was disclosed on September 7, 2024. CISA has identified CVE-2024-40711 as being exploited, and it is known to be used in ransomware campaigns.

Technical details

The vulnerability exists in a deserialization process that fails to properly validate or sanitize untrusted data before deserializing it. Attackers can craft malicious serialized objects that, when deserialized, execute arbitrary code with the privileges of the application. This is a classic Java deserialization gadget chain attack, though it may affect other languages that support object deserialization (Python pickle, PHP, .NET, etc.).

The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and CWE-94 (Improper Control of Generation of Code (Code Injection)).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating its critical severity.

Impact

Successful exploitation allows an unauthenticated attacker to execute arbitrary code with the privileges of the affected application. This can lead to complete system compromise, including data theft, malware installation, lateral movement within the network, ransomware deployment, and denial of service. The attacker gains the same privileges as the application process, potentially allowing root/SYSTEM level access depending on how the application is deployed.

Mitigation and workarounds

As temporary workarounds:

- Disable deserialization of untrusted data entirely. If the application must deserialize data, implement strict input validation and use allowlist-based deserialization filters to restrict which classes can be deserialized.
- Implement cryptographic signing and verification of serialized objects using HMAC or digital signatures. Only deserialize objects that carry a valid signature from a trusted source.
- Use Java deserialization filtering (JEP 290) by configuring the java.io.serialization.filter properties to restrict which classes can be deserialized. Create an allowlist of safe classes.
- Migrate from binary serialization formats (Java serialization, pickle, etc.) to safer alternatives such as JSON, XML, or Protocol Buffers with explicit schema validation.
- Deploy web application firewalls (WAF) or network intrusion detection systems (IDS) configured to detect and block suspicious serialized payloads. Look for known gadget chain signatures.
- Implement network segmentation and access controls to limit exposure of affected services. Restrict network access to the minimum necessary sources.
- Remove or isolate vulnerable gadget chain libraries from the application classpath if they are not needed. Libraries like commons-collections, commons-beanutils, spring-core, XStream, and others commonly provide gadget chains.
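The first three workarounds above (refuse unexpected classes, verify a signature before deserializing) can be shown concretely for the pickle case that the technical details section mentions. The following Python is an added example written for this report; it is not Veeam's code or the vendor's fix. The `BackupJob` and `Unexpected` types, the `ALLOWED_CLASSES` set and `DEMO_KEY` are hypothetical and constructed for the demo. The `RestrictedUnpickler` plays the role that an `ObjectInputFilter` (set globally through the `jdk.serialFilter` system property) plays under JEP 290 in Java: any class not on the allowlist is refused before the deserializer instantiates it, and `open_sealed` checks an HMAC-SHA256 tag over the raw bytes before any deserialization happens at all.

```python
import hashlib
import hmac
import io
import pickle
from dataclasses import dataclass


@dataclass
class BackupJob:
    """Hypothetical application type the service legitimately needs to receive."""
    name: str
    repository: str


@dataclass
class Unexpected:
    """Hypothetical type that should never appear on the wire; used only to show rejection."""
    value: str


# Allowlist of (module, class name) pairs the unpickler may resolve. Anything
# else, including builtins and standard-library callables, is refused before
# the unpickler ever touches it. This is the pickle counterpart of a
# JEP 290 style class filter.
ALLOWED_CLASSES = {(BackupJob.__module__, "BackupJob")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_CLASSES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"class {module}.{name} is not allowlisted")


def safe_loads(data: bytes):
    """Deserialize with the allowlist enforced; raises on any other class reference."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_safe_loads(data: bytes):
    """Return (True, obj) on success or (False, reason) so callers can log rejections."""
    try:
        return True, safe_loads(data)
    except Exception as exc:  # UnpicklingError, truncated streams, bad opcodes, ...
        return False, f"{type(exc).__name__}: {exc}"


TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC tag prefixed to the body


def seal(obj, key: bytes) -> bytes:
    """Serialize obj and prefix an HMAC-SHA256 tag computed over the serialized bytes."""
    body = pickle.dumps(obj, protocol=4)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


def open_sealed(blob: bytes, key: bytes):
    """Verify the tag first; only a blob that authenticates is ever deserialized."""
    if len(blob) < TAG_LEN:
        raise ValueError("blob too short to carry an HMAC tag")
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("HMAC mismatch: payload rejected before deserialization")
    return safe_loads(body)


def untrusted_pickle_of(obj) -> bytes:
    """Stand-in for bytes received from the network (constructed for the demo)."""
    return pickle.dumps(obj, protocol=4)


# Constructed demo key; a real deployment loads this from a secret store.
DEMO_KEY = b"\x11" * 32


if __name__ == "__main__":
    print(try_safe_loads(untrusted_pickle_of(BackupJob("nightly", "repo01"))))
    print(try_safe_loads(untrusted_pickle_of(Unexpected("x"))))
    blob = seal(BackupJob("nightly", "repo01"), DEMO_KEY)
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])
    try:
        open_sealed(tampered, DEMO_KEY)
    except ValueError as exc:
        print("rejected:", exc)
```

The order matters: the HMAC check runs on the raw bytes, so a tampered or unsigned blob is rejected with no parsing at all, and the allowlist is a second line of defence for the case where signed data is produced by a compromised but trusted peer.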

CISA recommendation: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
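The WAF/IDS workaround above asks for detection of suspicious serialized payloads. The following Python classifier is an added example for this report, not a vendor or product rule set. The magic bytes are the standard stream headers of the three formats the report names (Java serialization, pickle, .NET BinaryFormatter), the package prefixes are those of the libraries it lists as gadget sources, and the `SAMPLE_BODIES` request bodies are constructed (the class names inside them are placeholders, not real classes). It also handles the common case of a base64-wrapped stream, which a byte-level signature alone would miss.

```python
import base64
import re

JAVA_MAGIC = b"\xac\xed\x00\x05"  # Java ObjectOutputStream header
DOTNET_BF_HEADER = (  # .NET BinaryFormatter SerializationHeaderRecord
    b"\x00\x01\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00"
)

# Package prefixes of libraries the report lists as common gadget-chain
# sources. Seeing one inside a serialized stream is a strong signal.
GADGET_PACKAGES = (
    b"org.apache.commons.collections",
    b"org.apache.commons.beanutils",
    b"org.springframework",
    b"com.thoughtworks.xstream",
)

_BASE64_RE = re.compile(rb"[A-Za-z0-9+/=\r\n]+")


def detect_formats(data):
    """Names of binary serialization formats whose header appears in data."""
    found = []
    if JAVA_MAGIC in data:
        found.append("java-serialization")
    if len(data) >= 2 and data[0] == 0x80 and 2 <= data[1] <= 5:  # PROTO opcode
        found.append("python-pickle")
    if DOTNET_BF_HEADER in data:
        found.append("dotnet-binaryformatter")
    return found


def detect_gadget_packages(data):
    return [p.decode() for p in GADGET_PACKAGES if p in data]


def _decode_if_base64(data):
    stripped = data.strip()
    if len(stripped) < 8 or not _BASE64_RE.fullmatch(stripped):
        return None
    try:
        return base64.b64decode(stripped)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def classify(body):
    """Classify one request body: formats and gadget packages seen, raw or base64-wrapped."""
    result = {
        "formats": detect_formats(body),
        "gadget_packages": detect_gadget_packages(body),
        "base64": False,
    }
    decoded = _decode_if_base64(body)
    if decoded is not None:
        inner_formats = detect_formats(decoded)
        inner_gadgets = detect_gadget_packages(decoded)
        if inner_formats or inner_gadgets:
            result = {"formats": inner_formats, "gadget_packages": inner_gadgets, "base64": True}
    result["suspicious"] = bool(result["formats"] or result["gadget_packages"])
    return result


# Constructed sample request bodies for the demo (not real captures).
SAMPLE_BODIES = {
    "json-job": b'{"name": "nightly", "repository": "repo01"}',
    # Java header, TC_OBJECT/TC_CLASSDESC, then a placeholder class name under a
    # package the report associates with gadget chains.
    "raw-java": JAVA_MAGIC + b"sr\x00\x31org.apache.commons.collections.ExampleTransformer",
    "base64-java": base64.b64encode(JAVA_MAGIC + b"sr\x00\x1forg.springframework.ExampleBean"),
    "pickle": b"\x80\x04\x95\x0f\x00\x00\x00\x00\x00\x00\x00}\x94\x8c\x03job\x94\x8c\x07nightly\x94s.",
    "dotnet": DOTNET_BF_HEADER + b"\x0c\x02\x00\x00\x00",
}


if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        print(label, classify(body))
```

A hit on a format header alone is worth logging; a format header plus a gadget package name is what a blocking rule should key on, since legitimate JSON or XML traffic to the same endpoint produces neither.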

Additional resources

Source: This report was generated by AI.

Related Veeam vulnerabilities

No related vulnerabilities with identified affected products.