Is my JBoss / EAP Server Vulnerable to Samas Ransomware?


Environment

  • Red Hat JBoss Enterprise Application Platform 5.x
  • Red Hat JBoss Enterprise Application Platform 4.3.x
  • Red Hat JBoss Enterprise Application Platform 4.2.x
  • Red Hat JBoss SOA Platform (SOA-P) 5.x
  • Red Hat JBoss SOA Platform (SOA-P) 4.3.x

Issue

  • I've read warnings about the Samas ransomware and want to know if I'm vulnerable?
  • The Samas ransomware reportedly uses JBoss servers to conduct network scans; can that happen to me?
  • I've read the following internet articles: No mas, Samas: What’s in this ransomware’s modus operandi? and FBI and Microsoft Warn of Samas Ransomware.
  • I'm concerned about Samas, SamSam, Kazi, or RDN/Ransomware.
  • Is my JBoss EAP deployment at risk from ransomware? I would just like to confirm that our JBoss deployment (EAP 6.4.x) does not need to be patched to be secure.
  • Will the SamSam vulnerability in the JBoss server affect EAP 6?
  • For the vulnerability specified in http://www.ithome.com.tw/news/105387, what versions will be affected? We are using JBoss EAP 6.4.0; will it be affected too? In addition, do you know whether jboss-6.1.0.Final will be affected?
  • NOTE: On December 3, 2018, US-CERT issued a report https://www.us-cert.gov/ncas/alerts/AA18-337A for SamSam ransomware which discusses new variants of the malware that utilize Remote Desktop Protocol. While none of the variants described affect Red Hat software, anyone using Remote Desktop software should follow the practices listed in the Mitigations section of the report.

Resolution

Red Hat JBoss Enterprise product releases at or later than the versions listed below are not affected. Please ensure you are on one of these versions or a later one:

  • Red Hat JBoss Enterprise Application Platform (EAP) 5.1.2
  • Red Hat JBoss Enterprise Application Platform (EAP) 4.3 CP08
  • Red Hat JBoss Enterprise Application Platform (EAP) 4.2 CP09
  • Red Hat JBoss SOA-Platform (SOA-P) 5.0.2
  • Red Hat JBoss SOA-Platform (SOA-P) 4.3 CP03

Reverse Proxy

Using a reverse proxy, such as httpd, and not exposing console functions to unprotected networks helps mitigate this attack.

Default Passwords

Please be aware that using the suggested password in conf/props/jmx-console-users.properties is NOT recommended. Please ensure you use a password that is unique, easy for you to remember, but hard for others to guess.

This exploit attacks the following administration features of JBoss EAP 4.x and 5.x:

  • web-console.war
  • http-invoker.sar
  • jmx-console.war
  • jmx-invoker-adaptor-server.sar
  • admin-console.war

While these features are secured by default in the versions listed above, it is recommended to prevent access to them from the internet: place the server behind a reverse proxy such as httpd and do not expose those features through it. If you are not using any of those features, it is best to remove them.
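The following is an added example, not part of this Red Hat solution, showing how a defender can check an httpd reverse-proxy access log for requests that reach the administration components listed above from outside the management network, or that use an HTTP method a GET/POST-only security-constraint does not cover. The context roots, the 10.0.0.0/8 management range and the log lines are all constructed assumptions for the example; adjust them to your deployment.

```python
import ipaddress
import re

# Context roots of the administration components listed above (constructed
# mapping; adjust if your deployments use other context roots).
ADMIN_CONTEXTS = {
    "/jmx-console": "jmx-console.war",
    "/web-console": "web-console.war",
    "/admin-console": "admin-console.war",
    "/invoker": "http-invoker.sar",
}

# Assumed management network: the only source range that should ever reach
# the consoles, e.g. through an httpd reverse proxy that exposes nothing else.
MANAGEMENT_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Apache httpd "combined"-style access log line.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Constructed sample log lines for this example.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Mar/2016:10:15:01 +0000] "GET /myapp/index.jsp HTTP/1.1" 200 512',
    '203.0.113.7 - - [28/Mar/2016:10:15:03 +0000] "HEAD /jmx-console/ HTTP/1.1" 200 0',
    '10.0.0.9 - - [28/Mar/2016:10:15:04 +0000] "GET /web-console/ HTTP/1.1" 200 1024',
    '203.0.113.7 - - [28/Mar/2016:10:15:05 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 300',
]


def admin_component(path):
    """Return the deployment a request path belongs to, or None."""
    path = path.split("?", 1)[0]
    for root, component in ADMIN_CONTEXTS.items():
        if path == root or path.startswith(root + "/"):
            return component
    return None


def check_line(line):
    """Return an alert dict for a suspicious console request, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    component = admin_component(m.group("path"))
    if component is None:
        return None
    reasons = []
    src = ipaddress.ip_address(m.group("ip"))
    if not any(src in net for net in MANAGEMENT_NETWORKS):
        reasons.append("source outside management network")
    if m.group("method") not in ("GET", "POST"):
        # A security-constraint that lists only GET and POST applies to those
        # two methods only, so any other method on a console path is worth a look.
        reasons.append("method not covered by a GET/POST-only security-constraint")
    if not reasons:
        return None
    return {"ip": str(src), "method": m.group("method"), "path": m.group("path"),
            "component": component, "reasons": reasons}


def scan_log(lines):
    """Run check_line over an iterable of log lines; return the alerts."""
    return [a for a in (check_line(line) for line in lines) if a]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

On the sample above the scan produces two alerts: the HEAD request from 203.0.113.7 to /jmx-console/ (external source and an uncovered method) and the POST from the same address to /invoker/. The internal GET to /web-console/ is not flagged, which is the expected result when the consoles are reachable only from the management network.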

EAP, or SOA-P 4.3, or 4.2

Customers using EAP or SOA-P versions 4.3 or 4.2 are advised to upgrade to at least the versions above and, in addition, apply the following configuration change:

Edit this file:
jboss-as/server/<profile>/deploy/httpha-invoker.sar/invoker.war/WEB-INF/web.xml
Remove these lines:

         <http-method>GET</http-method>
         <http-method>POST</http-method>

EAP 5.1.1 and 5.1.0, and SOA-P 5.0.1

  • Upgrade to EAP 5.2.0
  • Upgrade to SOA-P 5.3.1

If you cannot upgrade, you should apply the following configuration change:

Edit this file:
jboss-as/server/<profile>/deploy/http(ha)-invoker.sar/invoker.war/WEB-INF/web.xml
Remove these lines:

         <http-method>GET</http-method>
         <http-method>POST</http-method>

EAP 5.0.1

Users of EAP 5.0.1 are advised to upgrade to version 5.2.0. However, if you cannot upgrade, you should apply the configuration change above for EAP 5.1.0 and 5.1.1 in addition to this one:

Edit the following file:
jboss-as/server/<profile>/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml
Remove these lines:

   <http-method>GET</http-method>
   <http-method>POST</http-method>

EAP 5.0.0 and SOA-P 5.0.0

  • Upgrade to EAP 5.2.0
  • Upgrade to SOA-P 5.3.1

However, if you cannot upgrade, please apply the configuration changes suggested for EAP 5.0.1 and 5.1.1 as well as the following configuration change:

Edit this file:
jboss-as/server/<profile>/deploy/jmx-console.war/WEB-INF/web.xml
Remove these lines:

   <http-method>GET</http-method>
   <http-method>POST</http-method>
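The three configuration changes above (the invoker, web-console and jmx-console web.xml files) are the same edit applied to different files: delete the <http-method> lines so that the security-constraint covers every HTTP method instead of GET and POST only. The following is an added example, not part of this Red Hat solution, that applies the edit to a file and verifies the result. The sample web.xml is a constructed, trimmed copy of the security-constraint block; the real files contain further elements that the line-based edit leaves untouched.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample of the security-constraint found in the web.xml files
# named above; the real files carry more elements (login-config, servlet
# mappings, ...), which this line-based edit does not touch.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# One whole <http-method>...</http-method> line, including its line break.
HTTP_METHOD_LINE = re.compile(
    r"^[ \t]*<http-method>\s*[A-Za-z]+\s*</http-method>[ \t]*\r?\n", re.MULTILINE
)


def _local(tag):
    """Strip an XML namespace prefix: '{ns}http-method' -> 'http-method'."""
    return tag.rsplit("}", 1)[-1]


def constrained_methods(web_xml):
    """Return the HTTP methods listed in every <web-resource-collection>.

    An empty list means no <http-method> element is present, so the
    security-constraint applies to every HTTP method.
    """
    root = ET.parse(web_xml).getroot()
    methods = []
    for coll in root.iter():
        if _local(coll.tag) != "web-resource-collection":
            continue
        methods += [m.text.strip() for m in coll if _local(m.tag) == "http-method"]
    return methods


def strip_http_methods(web_xml):
    """Delete every <http-method> line in place; return how many were removed.

    Works on the raw text rather than re-serialising a parsed tree so that
    comments, the DOCTYPE and the indentation of the original file survive.
    """
    path = Path(web_xml)
    text = path.read_text(encoding="utf-8")
    new_text, count = HTTP_METHOD_LINE.subn("", text)
    if count:
        path.write_text(new_text, encoding="utf-8")
    return count


def demo():
    """Apply the change to a copy of the constructed sample in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        web_xml = Path(tmp) / "web.xml"
        web_xml.write_text(SAMPLE_WEB_XML, encoding="utf-8")
        before = constrained_methods(web_xml)
        removed = strip_http_methods(web_xml)
        after = constrained_methods(web_xml)
    return before, removed, after


if __name__ == "__main__":
    print(demo())  # (['GET', 'POST'], 2, [])
```

To use it on a real server, call strip_http_methods() on each of the web.xml paths given above (back the files up first) and then call constrained_methods() on the same path: an empty result confirms that the constraint now applies to all methods.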

JBoss Application Server (AS) or Wildfly

Community releases of the JBoss Application Server (known as WildFly since 2014) prior to version 6.0.0.M3 are potentially vulnerable to this flaw if the default authentication settings are applied. Users of the community JBoss Application Server can secure the JMX Console on vulnerable versions by following the instructions here:

https://community.jboss.org/wiki/SecureTheJmxConsole

According to the latest FBI report, distributed by Reuters on Monday 28 March 2016, the attack uses JexBoss to find vulnerable JBoss systems. These attacks have leveraged out-of-date and unsecured systems to pivot to other systems on the network.

Red Hat always recommends that system administrators apply the latest patches appropriate for their environments to remediate flaws such as these and others.

Root Cause

Unpatched JBoss servers can become infected with Samas through exploitation of the vulnerabilities addressed in CVE-2010-0738, CVE-2010-1428, and CVE-2012-0874, which were made public between 26 April 2010 and 21 January 2013. A compromised server begins scanning and mapping the networks it is connected to using a tool called reGeorg. The infected server also uses a rootkit called Derusbi to collect login information from network clients. The payload of the attack then encrypts user files on reachable internal computers using RSA-2048 encryption and notifies the end user with a demand for payment.

Diagnostic Steps

If you want to test whether your JBoss instance is vulnerable to JexBoss, and therefore to the Samas ransomware, you can use JexBoss to test the server. Instructions on how to test a server with JexBoss can be found here.

git clone https://github.com/joaomatosf/jexboss.git
cd jexboss
python jexboss.py

OR:

Download the latest version at: https://github.com/joaomatosf/jexboss/archive/master.zip
unzip master.zip
cd jexboss-master
python jexboss.py

The JexBoss tool is not able to exploit any of the EAP versions listed in the Resolution section automatically. However, we still recommend preventing unauthorized requests to the server by following the steps in the Resolution section.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
