SonicWall Capture Labs researchers identified a critical remote code execution vulnerability (CVE-2024-36401) in GeoServer releases before 2.23.6, 2.24.4 and 2.25.2 that allows unauthenticated attackers to run arbitrary code on the server. Mitigations include upgrading to a fixed release or, as a temporary workaround, removing the vulnerable GeoTools library (gt-complex-x.y.jar) from affected deployments. #GeoServer #CVE-2024-36401 #GeoTools #SonicWall
Keypoints
- Vulnerability Identified: CVE-2024-36401 in GeoServer.
- Impact: Critical CVSS score of 9.8 enabling remote code execution.
- Affected Versions: GeoServer versions before 2.24.4, 2.25.2, and 2.23.6.
- Exploitation Method: Crafted property names in OGC requests (WFS, WMS and WPS requests are all affected) that GeoTools evaluates unsafely as XPath expressions; no authentication is required.
- Mitigation: Upgrade to a fixed release (2.23.6, 2.24.4 or 2.25.2, or later); as a temporary workaround, remove gt-complex-x.y.jar from WEB-INF/lib, at the cost of GeoServer features that depend on that library.
- SonicWall Protections: New IPS signatures released to protect against exploitation.
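As an added example (not code from the source post, SonicWall or the GeoServer project), the following Python script turns the version and workaround points above into a check that can be run against a deployed webapp directory: it classifies a GeoServer version against the fixed releases named in the advisory and looks for the gt-complex jar whose removal is the published workaround. The jar file name and temporary directory used in the demo are constructed; real deployments name the jar after the bundled GeoTools version.

```python
"""Assess a GeoServer install for CVE-2024-36401 exposure (added example)."""
import re
import tempfile
from pathlib import Path

# First fixed patch level per affected 2.x line (from the advisory).
# Earlier patch levels of these lines, and every older 2.x line, are vulnerable.
FIRST_FIXED_PATCH = {23: 6, 24: 4, 25: 2}


def parse_version(version: str):
    """Split '2.25.1' (optionally with a suffix such as '-SNAPSHOT') into ints."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-.+].*)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised GeoServer version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: str) -> bool:
    """True when the version predates the fix for its release line."""
    major, minor, patch = parse_version(version)
    if major != 2:
        # The advisory covers the 2.x lines only; anything newer postdates the fix.
        return major < 2
    if minor in FIRST_FIXED_PATCH:
        return patch < FIRST_FIXED_PATCH[minor]
    # Lines before 2.23 never received a fix; 2.26 and later shipped after it.
    return minor < 23


def find_gt_complex_jars(webapp_dir):
    """gt-complex-*.jar names under WEB-INF/lib, or None if that directory is missing."""
    lib = Path(webapp_dir) / "WEB-INF" / "lib"
    if not lib.is_dir():
        return None
    return sorted(p.name for p in lib.glob("gt-complex-*.jar"))


def assess(version: str, webapp_dir) -> dict:
    """Combine the version check with the on-disk workaround check."""
    vulnerable = is_vulnerable(version)
    jars = find_gt_complex_jars(webapp_dir)
    # The workaround only matters for vulnerable versions; None means "cannot tell".
    workaround_applied = None if jars is None else (vulnerable and jars == [])
    if not vulnerable:
        state = "patched release"
    elif workaround_applied:
        state = "vulnerable version, gt-complex jar removed (workaround applied)"
    elif jars is None:
        state = "vulnerable version, WEB-INF/lib not found: check the path"
    else:
        state = "VULNERABLE: upgrade or remove " + ", ".join(jars)
    return {"version": version, "vulnerable": vulnerable, "jars": jars,
            "workaround_applied": workaround_applied, "state": state}


if __name__ == "__main__":
    # Constructed stand-in for webapps/geoserver so the demo runs offline.
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "WEB-INF" / "lib"
        lib.mkdir(parents=True)
        (lib / "gt-complex-31.1.jar").touch()  # hypothetical jar name
        for v in ("2.23.5", "2.24.4", "2.25.1", "2.26.0"):
            print(assess(v, tmp))
```

Point `assess()` at the exploded webapp (for example `/var/lib/tomcat/webapps/geoserver`) and at the version shown in the GeoServer admin page; a "workaround applied" result still calls for an upgrade, since the jar removal is only a stopgap.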
MITRE Techniques
- [T1190] Exploit Public-Facing Application: remote code execution on an internet-exposed GeoServer instance through crafted OGC requests.
- [T1071] Application Layer Protocol: the exploit and any follow-on traffic travel as ordinary HTTP(S) requests to the GeoServer web application.
Indicators of Compromise
- [File] gt-complex-x.y.jar (WEB-INF/lib/gt-complex-x.y.jar, webapps/geoserver/WEB-INF/lib/gt-complex-x.y.jar): the vulnerable GeoTools library. Its presence indicates an exposed deployment rather than attacker activity; removing it is the published workaround.
- [File] /tmp/poc2: file created on the server by the proof-of-concept request described in the source post. Its presence shows that the PoC payload executed a command on the host.
- [Domain] geoserver.org: GeoServer official site referenced in the article (reference only, not a malicious indicator).
- [Domain] blog.sonicwall.com: source of the original post (reference only, not a malicious indicator).
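As an added example (not from the source post or from SonicWall's IPS signatures), this Python script applies the indicators above to a web server access log and to the host: it URL-decodes each OGC request and flags parameter values carrying Java method-call syntax, which is the shape of the publicly circulated proof of concept that creates /tmp/poc2, and it checks whether that file exists. The log lines, client addresses and status codes are constructed for the demo.

```python
"""Flag GeoServer access-log entries that look like CVE-2024-36401 attempts (added example)."""
import os
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Combined log format: client, identity, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameters GeoServer hands to GeoTools as property names (compared lower-case).
PROPERTY_PARAMS = {"valuereference", "propertyname", "cql_filter", "filter", "sortby"}

# Java-call syntax that never belongs in an OGC property name.
SUSPICIOUS = re.compile(
    r"exec\s*\(|java\.lang\.|getRuntime|ProcessBuilder|ScriptEngine", re.I
)


def suspicious_params(target: str) -> list:
    """Return (param, decoded value) pairs whose value carries Java-call syntax."""
    parts = urlsplit(target)
    if "/geoserver" not in parts.path.lower():
        return []
    hits = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decoded once; decode again so double-encoded payloads are caught too.
        decoded = unquote_plus(value)
        if SUSPICIOUS.search(decoded):
            hits.append((key, decoded))
    return hits


def scan(lines) -> list:
    """Parse log lines and return findings; the HTTP status is deliberately not a filter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m["target"])
        if hits:
            in_property = any(k.lower() in PROPERTY_PARAMS for k, _ in hits)
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                "params": hits,
                "severity": "high" if in_property else "medium",
            })
    return findings


def poc_artifacts_present(paths=("/tmp/poc2",)) -> list:
    """Host-side check for files the PoC request leaves behind."""
    return [p for p in paths if os.path.exists(p)]


# Constructed sample log: one benign WFS request, one PoC-shaped request, one benign WMS request.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Jul/2024:10:01:02 +0000] "GET /geoserver/wfs?service=WFS'
    '&version=2.0.0&request=GetFeature&typeNames=topp:states&count=10 HTTP/1.1" 200 5123',
    '198.51.100.9 - - [11/Jul/2024:10:02:15 +0000] "GET /geoserver/wfs?service=WFS'
    '&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites'
    '&valueReference=exec(java.lang.Runtime.getRuntime()%2C%27touch%20/tmp/poc2%27) HTTP/1.1" 400 1012',
    '203.0.113.7 - - [11/Jul/2024:10:03:40 +0000] "GET /geoserver/wms?service=WMS&request=GetMap'
    '&layers=topp:states&bbox=-130,24,-66,50&width=768&height=330&srs=EPSG:4326'
    '&format=image/png HTTP/1.1" 200 88213',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    print("PoC artifacts on this host:", poc_artifacts_present())
```

Feed the real access log through `scan()` (POST bodies of XML requests are not in the access log, so pair this with the IPS signatures or a WAF that inspects bodies), and treat any hit on a property-style parameter as an attempted exploit regardless of the response status.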