CVE-2024-50379 | Tomcat | RCE
| Vulnerability | CVE-2024-50379 |
|---|---|
| Description | CVE-2024-50379 is a critical (CVSS 3.1 base score 9.8) Time-of-Check Time-of-Use (TOCTOU) race condition in Apache Tomcat's JSP compilation. It allows remote code execution (RCE) on case-insensitive file systems when the default servlet is configured to permit write operations (readonly=false, a non-default setting). The root cause is a mismatch between Tomcat's case-sensitive `*.jsp` servlet mapping and the case-insensitive file system: a file written through the default servlet under a case-variant name (for example file.Jsp) is the same on-disk file as file.jsp. An attacker who times such writes against the window between the JSP servlet's check of the requested file and the read used for compilation can get attacker-supplied content compiled and executed as a JSP. (NVD) |
| Affected Systems | Apache Tomcat 11.0.0-M1 through 11.0.1; 10.1.0-M1 through 10.1.33; 9.0.0.M1 through 9.0.97. Exploitable only on case-insensitive file systems (e.g., Windows, or macOS with its default case-insensitive volumes) and only when the default servlet's readonly initialization parameter is set to false (in conf/web.xml or in an application's WEB-INF/web.xml). |
| Attack Vector | Network. No authentication is needed beyond the ability to send HTTP PUT requests to the default servlet. The attacker writes a JSP payload onto the server under a case-variant file name (the `*.jsp` mapping does not claim it, so the default servlet handles the PUT) and then requests the lowercase .jsp path so that the JSP servlet compiles and executes it. Both preconditions must hold: the default servlet allows writes (readonly=false) and the server runs on a case-insensitive file system. |
| Exploitation Techniques | - Case-Sensitive Mapping vs. Case-Insensitive File System: Tomcat routes requests to the JSP servlet by the case-sensitive pattern `*.jsp`, so a PUT to file.Jsp is handled by the default servlet and written to disk, while on Windows that file is indistinguishable from file.jsp. - TOCTOU Race Condition: when file.jsp is requested, the JSP servlet checks the requested name against the file on disk before reading it for compilation. By interleaving writes with repeated requests, the attacker gets one request through the window between that check and the read, so attacker-controlled content is compiled. - Arbitrary Code Execution: once compiled, the JSP runs inside the Tomcat JVM on every request to it, with the privileges of the account running Tomcat. |
| Proof of Concept (PoC) | A PoC demonstrating this vulnerability involves: 1. Writing the Payload: with readonly=false, the attacker sends HTTP PUT requests containing JSP code to a path whose extension differs in case from .jsp (e.g., /file.Jsp); the default servlet accepts the write because the path does not match the JSP servlet's `*.jsp` mapping. 2. Racing the Check: in parallel, the attacker repeatedly requests /file.jsp. On a case-insensitive file system both names refer to the same file, and because the write and the name check happen concurrently, one request eventually passes the check and the JSP servlet compiles the attacker's content. 3. Executing the Code: the compiled JSP runs on that and subsequent requests, giving the attacker arbitrary code execution on the server. (Medium Article) |
| The Impact of the Bug | - Unauthenticated remote code execution inside the Tomcat JVM, with the privileges of the account running Tomcat. - Potential full system compromise, allowing attackers to manipulate server operations, access sensitive data, or deploy further malware. - Elevated risk in environments where the default servlet has been made writable (readonly=false) on case-insensitive file systems, which is the only configuration in which the flaw is reachable. |
| How to Detect Infections | - Log Analysis: review Tomcat access logs for PUT (and DELETE) requests to the default servlet, particularly successful (2xx) PUTs to paths whose extension is .jsp in any case variant (.Jsp, .JSP) followed shortly by GET requests to the lowercase .jsp name from the same client; repeated PUT/GET pairs against one name are the signature of the race being attempted. - Work Directory Review: compiled JSP classes appear under the Tomcat work directory ($CATALINA_BASE/work/<engine>/<host>/<context>/), so a compiled class for a JSP name the application never shipped indicates a successful compile. - File Integrity Monitoring: alert on new or modified .jsp files in deployed web application directories, particularly changes in quick succession. - Configuration Audits: regularly verify that the default servlet's readonly parameter is true (or absent, since true is the default) in conf/web.xml and in every application's WEB-INF/web.xml. |
| Mitigation Steps | - Update Apache Tomcat: upgrade to the fixed versions: 11.0.2, 10.1.34, or 9.0.98. - Check the JDK canonical-path cache: the Tomcat project later noted that the fix is only complete when the JDK system property sun.io.useCanonCaches is false. On Java 8 and Java 11 it defaults to true and must be set explicitly to false; on Java 17 it defaults to false and must not be set to true; Java 21 and later no longer have the property. - Configure Default Servlet: ensure the readonly initialization parameter of the default servlet is true (the default) so that PUT and DELETE are rejected. - Deploy on Case-Sensitive File Systems: where possible, use case-sensitive file systems, which removes this class of case-collision issues. - Implement Security Controls: if write access through the default servlet is genuinely needed, restrict it to authenticated and authorized users with a security constraint and validate what is written; do not expose a writable default servlet to untrusted networks. |
| Workarounds | - Disable Write Access: set the default servlet's readonly parameter to true (or remove the parameter) and restart Tomcat; this closes the vulnerability regardless of version. - Block Write Methods Upstream: where the servlet configuration cannot be changed immediately, reject PUT and DELETE at a front-end reverse proxy or WAF. - Monitor File Uploads: alert on PUT requests to paths ending in any case variant of .jsp and on the PUT/GET pattern described above. |
| References | - NVD: CVE-2024-50379 - CVE: CVE-2024-50379 - Medium Article: Deep Dive & POC of CVE-2024-50379 |
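The two checks from the Detection and Mitigation rows, the configuration audit of the default servlet's readonly parameter and the access-log search for case-variant .jsp writes followed by a request to the lowercase name, as an added example in Python. This is illustrative code written for this page, not Tomcat's own code or any published PoC; the web.xml fragments and access-log lines are constructed samples in Tomcat's default access-log format, and the function names are the author's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a default-servlet declaration from conf/web.xml in the
# vulnerable form (readonly=false) and in the corrected form (readonly=true).
WEB_XML_WRITABLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
WEB_XML_READONLY = WEB_XML_WRITABLE.replace("<param-value>false", "<param-value>true")


def _local(tag: str) -> str:
    """Strip the XML namespace so the check works for javaee and jakarta schemas."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_readonly(web_xml: str) -> bool:
    """True when the default servlet rejects writes (safe); False when readonly=false."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = next((c.text for c in servlet if _local(c.tag) == "servlet-name"), "")
        if (name or "").strip() != "default":
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            fields = {_local(c.tag): (c.text or "").strip() for c in param}
            if fields.get("param-name") == "readonly":
                return fields.get("param-value", "true").lower() != "false"
        return True  # no readonly param: Tomcat's default is true
    return True  # no explicit default servlet declaration: inherits the read-only default


# Tomcat's default access-log pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed access-log lines: two PUTs to a case-variant name, then the GET that compiles it.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [18/Dec/2024:10:01:02 +0000] "PUT /app/shell.Jsp HTTP/1.1" 201 -',
    '10.0.0.5 - - [18/Dec/2024:10:01:02 +0000] "GET /app/shell.jsp HTTP/1.1" 404 -',
    '10.0.0.5 - - [18/Dec/2024:10:01:03 +0000] "PUT /app/shell.Jsp HTTP/1.1" 204 -',
    '10.0.0.5 - - [18/Dec/2024:10:01:03 +0000] "GET /app/shell.jsp HTTP/1.1" 200 57',
    '192.0.2.9 - - [18/Dec/2024:10:02:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 1024',
]


def is_case_variant_jsp(path: str) -> bool:
    """A .jsp path whose extension is not exactly lowercase, so the default servlet handles it."""
    name = path.split("?", 1)[0]
    return name.lower().endswith(".jsp") and not name.endswith(".jsp")


def find_jsp_case_races(log_lines):
    """Report GETs (status 200) of a .jsp that the same client previously wrote under a case variant."""
    writes = {}  # (host, lowercased path) -> number of successful PUTs
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        status = int(m["status"])
        key = (m["host"], path.lower())
        if m["method"] == "PUT" and is_case_variant_jsp(path) and 200 <= status < 300:
            writes[key] = writes.get(key, 0) + 1
        elif m["method"] == "GET" and key in writes and status == 200:
            findings.append({"host": key[0], "path": key[1], "puts": writes[key]})
    return findings


if __name__ == "__main__":
    print("default servlet read-only (vulnerable config):", default_servlet_readonly(WEB_XML_WRITABLE))
    print("default servlet read-only (fixed config):", default_servlet_readonly(WEB_XML_READONLY))
    for f in find_jsp_case_races(SAMPLE_ACCESS_LOG):
        print(f"possible CVE-2024-50379 attempt from {f['host']} against {f['path']} after {f['puts']} PUT(s)")
```

The log check keys on the client address and the case-folded path, so a PUT to /app/shell.Jsp and a GET to /app/shell.jsp collapse to the same entry; the 404 on the first GET is the race being lost and the later 200 is the compile succeeding. Run the config check against conf/web.xml and every WEB-INF/web.xml, since an application can override the global default servlet.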