May 11, 2020

GHSL-2020-029: Server-Side template injection in Apache Syncope (RCE) - CVE-2020-1959

Alvaro Muñoz

Summary

A Server-Side Template Injection was identified in Apache Syncope enabling attackers to inject arbitrary Java EL expressions, leading to a Remote Code Execution (RCE) vulnerability.

Product

Apache Syncope

Tested Version

2.1.5

Issues found

GHSL-2020-029 Details - Remote Code Execution - JavaEL Injection (CVE-2020-1959)

It is possible to run arbitrary code on the server (with Syncope service account privileges) by injecting arbitrary Java Expression Language (EL) expressions.

Apache Syncope uses Java Bean Validation (JSR 380) custom constraint validators such as org.apache.syncope.core.persistence.jpa.validation.entity.AnyObjectValidator. When building custom constraint violation error messages, it is important to understand that message templates support several kinds of interpolation, including Java EL expressions. Therefore, if an attacker can inject arbitrary data into the error message template passed as the argument to ConstraintValidatorContext.buildConstraintViolationWithTemplate(), they will be able to run arbitrary Java code. Unfortunately, it is common for validated (and therefore normally untrusted) bean properties to flow into the custom error message.

public class AnyObjectValidator extends AbstractValidator<AnyObjectCheck, AnyObject> {

    @Override
    public boolean isValid(final AnyObject anyObject, final ConstraintValidatorContext context) {
        context.disableDefaultConstraintViolation();

        boolean isValid = anyObject.getName() != null && KEY_PATTERN.matcher(anyObject.getName()).matches();

        if (!isValid) {
            context.buildConstraintViolationWithTemplate(
                    getTemplate(EntityViolationType.InvalidName, anyObject.getName())).
                    addPropertyNode("name").addConstraintViolation();
        }

        return isValid;
    }
}

There are a total of 25 validators using ConstraintValidatorContext.buildConstraintViolationWithTemplate(), out of which 20 appear to be vulnerable (they reflect the validated value in the error message).

Impact

This issue may lead to Remote Code Execution (RCE).

Remediation

There are different approaches to remediate the issue:

  • Do not include validated bean properties in the custom error message.
  • Sanitize the validated bean properties to make sure that they contain no EL expressions. An example of valid sanitization logic can be found here.
  • Disable EL interpolation and only use ParameterMessageInterpolator:

    Validator validator = Validation.byDefaultProvider()
       .configure()
       .messageInterpolator( new ParameterMessageInterpolator() )
       .buildValidatorFactory()
       .getValidator();

  • Replace Hibernate Validator with Apache BVal, which in its latest version does not interpolate EL expressions by default. Note that this may not be a simple drop-in replacement.

This issue was addressed in the following commit.
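As an added example (not Syncope's code, nor its actual fix), the validator below applies the first two remediation options to the pattern shown in AnyObjectValidator: the template itself contains only application-controlled text, and the rejected value is escaped before it is appended so the interpolator cannot treat it as a parameter or EL expression. The ValidName annotation and KEY_PATTERN are placeholders standing in for Syncope's own types.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.regex.Pattern;
import javax.validation.Constraint;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import javax.validation.Payload;
// Hypothetical constraint annotation (not from Syncope), only so the validator compiles.
@Constraint(validatedBy = SafeNameValidator.class)
@Target({ElementType.FIELD, ElementType.METHOD})
@Retention(RetentionPolicy.RUNTIME)
@interface ValidName {
    String message() default "Invalid name";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
}

public class SafeNameValidator implements ConstraintValidator<ValidName, String> {
    // Placeholder pattern; Syncope's real validators use their own KEY_PATTERN.
    private static final Pattern KEY_PATTERN = Pattern.compile("^[A-Za-z0-9_.-]+$");

    @Override
    public boolean isValid(final String name, final ConstraintValidatorContext context) {
        boolean isValid = name != null && KEY_PATTERN.matcher(name).matches();
        if (!isValid) {
            context.disableDefaultConstraintViolation();
            // Only application-controlled text reaches the template unescaped; "{", "}"
            // and "$" in the rejected value become literal characters, not interpolation.
            context.buildConstraintViolationWithTemplate(
                    "Invalid name: " + escapeForMessageTemplate(name))
                    .addConstraintViolation();
        }
        return isValid;
    }

    // Bean Validation 2.0 (JSR 380, section 6.3.1) treats {, }, $ and \ as special in
    // message templates and takes them literally when preceded by a backslash.
    static String escapeForMessageTemplate(final String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : String.valueOf(value).toCharArray()) {
            if (c == '{' || c == '}' || c == '$' || c == '\\') {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }
}
```

Combining this with the ParameterMessageInterpolator configuration from the remediation list gives defence in depth: even if an unescaped value slips into a template, no EL engine is available to evaluate it.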

CVE

  • CVE-2020-1959

Coordinated Disclosure Timeline

This report was subject to the GHSL coordinated disclosure policy.

  • 02/18/2020: Report sent to vendor (security@apache.org)
  • 03/12/2020: Pinged vendor for acknowledgement
  • 03/25/2020: Received email confirmation of receipt
  • 03/26/2020: Issue acknowledged
  • 04/01/2020: Apache sends fix and draft advisory
  • 05/11/2020: Public advisory

Supporting Resources

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).

Contact

You can contact the GHSL team at securitylab@github.com; please include GHSL-2020-029 in any communication regarding this issue.