lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAF7bCPcsom6APNWFYvSByPTxs5PuQA-=4DK80jt+8uyDPZmkQg@mail.gmail.com>
Date: Wed, 25 Feb 2015 11:10:49 -0500
From: Ron Gutierrez <rgutierrez@...security.com>
To: fulldisclosure@...lists.org
Subject: [FD] GDS Labs Alert [CVE-2015-2080] - JetLeak Vulnerability: Remote
 Leakage Of Shared Buffers In Jetty Web Server

 GDS LABS ALERT: CVE-2015-2080
JetLeak Vulnerability Remote Leakage Of Shared Buffers In Jetty Web Server

SYNOPSIS
========
Gotham Digital Science discovered a critical information leakage
vulnerability in the Jetty web server that allows an unauthenticated remote
attacker to read arbitrary data from previous requests and responses
submitted to the server by other users.

The vulnerability was made public by the Jetty development team on the 24th
of February 2015 and included proof-of-concept exploit code. As a result,
GDS Labs recommends upgrading Jetty web server to a version patched against
this vulnerability as soon as possible.


IMPACT
======
Using a vulnerable version of the Jetty web server can lead to the
compromise of sensitive data including data passed within headers (e.g.
cookies, authentication tokens, etc.), as well as data passed in the POST
body (e.g. usernames, passwords, authentication tokens, CSRF tokens, PII,
etc.) of requests and responses handled by the web server.

The root cause of this vulnerability can be traced to exception handling
code that returns approximately 16 bytes of data from a shared buffer when
illegal characters are submitted in header values to the server. An
attacker can exploit this behavior by submitting carefully crafted requests
containing variable length strings of illegal characters to trigger the
exception and offset into the shared buffer. Since the shared buffer
contains user submitted data from previous requests, the Jetty server will
return specific data chunks from a previous exchange depending on the
attacker’s payload offset.


ARE YOU VULNERABLE?
===================
This vulnerability affects versions 9.2.3 to 9.2.8. GDS also found that
beta releases (including the beta releases of 9.3.x) are vulnerable.

GDS have created a simple python script that can be used to determine if a
Jetty HTTP server is vulnerable. The script code can be downloaded from the
GDS Github repository below:

    - https://github.com/GDSSecurity/Jetleak-Testing-Script

If running one of the vulnerable Jetty web server versions, Jetty
recommends that you upgrade to version 9.2.9.v20150224 immediately.
Organizations should also be aware that Jetty might be bundled within third
party products. GDS recommends referring to the Jetty Powered website (
http://eclipse.org/jetty/powered/) for a non-exhaustive list of products
that utilize Jetty. Due to Jetty being a fairly lightweight HTTP server, it
is also commonly used by a variety of embedded systems. Organizations
should contact any vendors that may be running a Jetty web server in order
to determine if their products are vulnerable and when any patches to
resolve this vulnerability will be made available.

We have encountered cases where development teams use Jetty as a
light-weight replacement for app servers such as Tomcat for internal
testing. Organizations should consider notifying their development teams
about the vulnerability and require teams to upgrade any vulnerable
versions of Jetty.

The latest release of the Jetty HTTP server is available for download at
the following locations:

    - Maven - http://central.maven.org/
    - Jetty Downloads - http://download.eclipse.org/jetty


REFERENCES
==========
A thorough technical analysis of the vulnerability is available on the GDS
blog at:

http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html

Jetty Vulnerability Announcement:

http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00074.html

Jetty Vulnerability Advisory:

https://github.com/eclipse/jetty.project/blob/master/advisories/2015-02-24-httpparser-error-buffer-bleed.md


DISCLOSURE TIMELINE
===================
Feb 19, 2015 - Vulnerability report sent to security@...ipse.org using
SendSafely

Feb 23, 2015 - Jetty team downloads the vulnerability report

Feb 24, 2015 - Jetty team releases HTTP Server v9.2.9.v20150224 with bug
fix and publicly discloses vulnerability with exploit code

Feb 25, 2015 - GDS publicly discloses vulnerability


GDS commends the Jetty development team on their timely response and swift
remediation. It should be noted that the decision to publicly disclose the
vulnerability was made by the Jetty development team, independent of GDS.
GDS’ blog post and vulnerability disclosure was published after it was
discovered that Jetty had publicly disclosed the vulnerability.


CREDITS
=======
Stephen Komal from Gotham Digital Science for discovering the bug.


About GDS Labs
==============

Security Research & Development is a core focus and competitive advantage
for GDS. The GDS Labs team has the following primary directives:

    - Assessing cutting-edge technology stacks

    - Improving delivery efficiency through custom tool development

    - Finding & responsibly disclosing vulnerabilities in high value targets

    - Assessing the impact to our clients of high risk, publicly disclosed
vulnerabilities

The GDS Labs R&D team performs security research, with areas of current
focus including mobile application security, embedded systems, and
cryptography. GDS also participates in many security related organizations
and groups. GDS Labs is a value added service that our clients benefit from
on virtually every engagement that we perform.


About Gotham Digital Science
============================

Gotham Digital Science (GDS) is a specialist security consulting company
focused on helping our clients find, fix, and prevent security bugs in
mission critical network infrastructure, web-based software applications,
mobile apps and embedded systems. GDS is also committed to contributing to
the security and developer communities through sharing knowledge and
resources such as blog posts, security tool releases, vulnerability
disclosures, sponsoring and presenting at various industry conferences.

For more information on GDS, please contact info@...security.com or visit
http://www.gdssecurity.com.

-- 


Send safely and sleep soundly with our secure file sharing service, 
SendSafely (www.sendsafely.com)

------------------------------
This message is private and confidential. If you have received this message 
in error, please notify us and remove it from your system.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ