This report covers CVE-2020-1938, a vulnerability in Apache Tomcat, the open source Java servlet container that website maintainers use to host web applications written in Java. The Apache Tomcat maintainers have released fixes, but which fix applies depends on the version you are running. The security community has given CVE-2020-1938 the name GhostCat.
Tactics, Techniques, and Procedures
The vulnerability lies in Tomcat's AJP connector, the binary protocol a front-end reverse proxy (for example Apache httpd with mod_jk or mod_proxy_ajp) uses to hand requests to Tomcat. The connector trusts request attributes that arrive over AJP as if they came from the proxy. With the default server.xml, the AJP connector listens on port 8009 on all interfaces (the redirectPort="8443" attribute on that connector only names the port used for SSL redirects; it does not redirect AJP traffic). Anyone who can reach port 8009 can therefore send AJP requests carrying the servlet include attributes Tomcat normally reserves for the proxy and use them to read any file under a web application's directory, including WEB-INF/web.xml and other configuration or source files. If the application also lets an attacker place a file on the server (a file upload feature, for instance), the same attributes can be used to include that file as a JSP and execute it, which gives remote code execution; the uploaded file does not need to be a .jar or carry any particular extension, only to contain JSP code. No authentication is required. The AJP connector is enabled by default in unpatched Apache Tomcat versions, so any deployment that has not been patched or hardened is likely exposed.
GhostCat Patch Availability:
Here is a guide to mapping your systems to the patches currently available:
- If you run Apache Tomcat version 9.0.30 or below – Update to Tomcat version 9.0.31
- If you run Apache Tomcat version 8.5.50 or below – Update to Tomcat version 8.5.51
- If you run Apache Tomcat version 7.0.99 or below – Update to Tomcat version 7.0.100
- Apache Tomcat version 6 is also affected – No patch has been released and none is expected, because that version is no longer supported; upgrade to a supported branch
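The following script, added here as an example and not part of the original report or of Apache Tomcat, turns the patch list above into a version check and adds a network probe for an exposed AJP connector. The probe only exchanges the AJP/1.3 CPing/CPong keep-alive (one five-byte packet each way), so it confirms that something speaks AJP on the port without reading or including any file. The function names and the FIXED table are the example's own; version strings with suffixes such as 9.0.0.M1 are rejected rather than guessed at.

```python
import re
import socket

# Fix versions from the patch list above; a branch is fixed from these releases on.
FIXED = {9: (9, 0, 31), 8: (8, 5, 51), 7: (7, 0, 100)}


def parse_version(version: str) -> tuple:
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_ghostcat_vulnerable(version: str) -> bool:
    """True when the version predates its branch's fix. Tomcat 6 and older
    never received one; branches missing from FIXED are not covered above."""
    major, minor, patch = parse_version(version)
    if major <= 6:
        return True
    if major not in FIXED:
        raise ValueError(f"Tomcat {major}.x is not covered by the patch list")
    return (major, minor, patch) < FIXED[major]


# AJP/1.3 keep-alive exchange: client CPing (prefix 10) -> container CPong (prefix 9).
# Packet layout: magic (2 bytes), payload length (2 bytes, big-endian), payload.
AJP_CPING = b"\x12\x34\x00\x01\x0a"   # magic 0x1234 from client, length 1, CPing
AJP_CPONG = b"\x41\x42\x00\x01\x09"   # magic "AB" from container, length 1, CPong


def is_ajp_cpong(reply: bytes) -> bool:
    """True if the first five bytes of a reply are a well-formed CPong."""
    return reply[:5] == AJP_CPONG


def probe_ajp(host: str, port: int = 8009, timeout: float = 3.0) -> bool:
    """Return True if host:port answers CPing with CPong, i.e. speaks AJP/1.3.
    Run this from a machine other than the reverse proxy: a CPong from there
    means the connector is reachable by anyone on that network and should be
    bound to loopback, firewalled or disabled, whatever the Tomcat version."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(AJP_CPING)
            return is_ajp_cpong(s.recv(5))
    except OSError:
        return False


if __name__ == "__main__":
    import sys
    # Usage: python ghostcat_check.py <tomcat-version> [host-to-probe]
    if len(sys.argv) >= 2:
        print("vulnerable by version:", is_ghostcat_vulnerable(sys.argv[1]))
    if len(sys.argv) >= 3:
        print("AJP/1.3 reachable on port 8009:", probe_ajp(sys.argv[2]))
```

The version check is only as good as the string you feed it; take it from the running binary (for example `catalina.sh version`) rather than from package metadata, since vendor packages sometimes backport fixes without changing the version.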
Possible Impact of the GhostCat Vulnerability
- Remote attackers can read files inside your web applications, including configuration and source files such as WEB-INF/web.xml.
- Remote attackers may be able to execute code on your web server if the application lets them upload a file, since the uploaded file can then be included and run as a JSP. Whether this is possible depends on your server's configuration.
- Unauthorized access to a sensitive network port (AJP on 8009).
Exposure is broad: Apache Tomcat is bundled with many other software products, so servers that do not obviously run Tomcat may still be affected.
It is strongly recommended that you apply the appropriate patch; refer to the list in the GhostCat Patch Availability section above. If you cannot apply the patch for a business-related reason, consider the options below.
- If you do not use the AJP connector, disable it by commenting out the `<Connector port="8009" protocol="AJP/1.3" ... />` element in the conf/server.xml file (roughly lines 115 to 121 in the stock file; check your own copy, as the position varies) and restart Tomcat.
- If the connector is only there so that applications can be deployed, you may be able to bypass it entirely by having your developers copy their applications over a secure protocol such as SCP (Secure Copy) directly into Tomcat's webapps directory. If you go with this method, restrict the SSH port used for these transfers to specific IP addresses or ranges, or block external access to it at the firewall.
- If the connector must stay enabled, bind it to the loopback interface with address="127.0.0.1" unless the reverse proxy runs on another host, and require a shared secret. In the patched versions the `secret` attribute holds the value and `secretRequired` (default true) enforces it; in older versions the equivalent attribute is `requiredSecret`. The same secret must be configured on the reverse proxy (mod_jk or mod_proxy_ajp), or the proxy's requests will be rejected. Treat the secret as a password: follow your standard password complexity requirements and generate it with a random password generator, such as the one built into LastPass, rather than choosing it by hand.
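To verify that one of the options above is actually in place on a server, here is an added example (not Avertium's or Apache's code) that audits the AJP Connector elements of a conf/server.xml. The two server.xml fragments are constructed for illustration: one has the pre-fix default shape, the other the hardened connector. REPLACE_ME stands in for a generated secret, and the function and constant names are the example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the pre-fix default shape (all interfaces, no secret).
WEAK_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

# Constructed sample: hardened connector, loopback-only and secret-protected.
# REPLACE_ME is a placeholder for a generated secret the proxy must also present.
HARDENED_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_ME" redirectPort="8443" />
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp(server_xml) -> list:
    """Return one finding per unmitigated AJP connector attribute.
    An empty list means every AJP connector is loopback-bound and secret-protected.
    A commented-out connector never reaches the parser, so disabling it as in the
    first option above also yields an empty list."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        port = conn.get("port", "?")
        addr = conn.get("address")
        # Patched versions use secret/secretRequired; older ones used requiredSecret.
        secret = conn.get("secret") or conn.get("requiredSecret")
        if addr not in LOOPBACK:
            findings.append(
                f'AJP connector on port {port} listens on {addr or "all interfaces"}; '
                'set address="127.0.0.1" or remove the connector')
        if not secret:
            findings.append(
                f"AJP connector on port {port} has no shared secret; "
                'set secretRequired="true" and a strong secret that the proxy also presents')
        elif conn.get("secretRequired", "true").lower() != "true":
            findings.append(
                f"AJP connector on port {port} has a secret but secretRequired is false; "
                'set secretRequired="true"')
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python audit_ajp.py /path/to/conf/server.xml  (defaults to the weak sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            xml_text = fh.read()
    else:
        xml_text = WEAK_SERVER_XML
    for finding in audit_ajp(xml_text) or ["no unmitigated AJP connector found"]:
        print(finding)
```

The audit reads only the static file, so a connector that is loopback-bound here but reached through a port forward or a container network still needs the network-side check; treat an empty result as "configuration looks right", not as proof that port 8009 is unreachable.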
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.