JBoss exploit worm able to infect default Primo Front End installation

• Article Type: General
• Product: Primo
• Product Version: 3

Description:
[Fix script replaced with new version 2011-12-15]

A worm is exploiting a security exposure in the JBoss jmx-console installed on Primo’s FE. Using an HTTP HEAD request the worm bypasses the existing exposure mitigation and installs the web application zecmd (or iesvc). This application allows for the execution of arbitrary commands as the primo user. Using zecmd or iesvc, the worm downloads and extracts a package and starts a copy of the worm.

The worm is a Perl script that masks itself as another process. It first starts another Perl script, an IRC server, that also masks itself as another process. The worm then compiles a port scanner and begins scanning a random Class B subnet of IP addresses looking for JBoss servers on some set of ports. For every JBoss server found it attempts to propagate itself as described above.

To prevent infection, the jmx-console web application must be un-deployed. This is accomplished by moving jmx-console.war out of the Primo FE’s JBoss deployment directory (fe_deploy/deploy). The zecmd (or iesvc) web application, if installed, can be found in the management sub-directory (fe_deploy/deploy/management) and should be deleted. If infected, the processes mentioned above (the worm, the IRC server, and the port scanner) should be killed. Finally the JBoss bin directory, ${jpub_jb_bin}, needs to be cleaned up. All worm packages should be removed, as well as any file they extracted.

Customers may use these to prevent and/or remove an infection. We have also created a script to address this issue by making the changes outlined above. The script is attached to this KB Item as jmx297360.zip. Download this zip file to your FE server(s), unzip, and execute the file inside with the command, "ksh jmx297360.ksh", as the root user. It will log its activity to the screen and under the Primo root directory, to the file ./ng/primo/home/system/thirdparty/openserver/server/searchlog/jmx297360.log. You may contact Support if you need any assistance.

This fix is vital, but once it is in place, do not attempt to install any Primo service pack. Additionally, Primo's denial of service protection will not be active.

We have seen the following variations of this worm:
kisses.tar.gz (v1)
Scans port 80
Masks itself as
/usr/local/jboss/bin/tomcat
/usr/local/apache/bin/httpd -DSSL
Port Scanner: pnscan
kisses.tar.gz (v2)
Scans ports 80 & 8080
Masks itself as
/usr/local/jboss/bin/tomcat
/usr/local/apache/bin/httpd -DSSL
Port Scanner: pnscan



Update from 2011-12-15:

Dear Colleagues,

Following our fix of the JBoss vulnerability on October 19, we would like to inform you that an updated script is now available for download. Please see an updated script attached to this message.

The JBoss vulnerability is a situation where attackers can exploit the JMX console module in JBoss and can bypass the security in the JMX Console. This fix will protect the JMX Console Module by hardening and changing configuration files from similar attacks.

We encourage you to follow the instructions and apply the fix to maximize the security of your installation:

-download this zip file to your FE server(s)
-unzip, and execute the file with the command, "ksh jmx297360.ksh", as the root user
-it will log its activity to the screen and under the Primo root directory, to the file ./ng/primo/home/system/thirdparty/openserver/server/searchlog/jmx297360.log.
- to get the best results, rebooting the server is recommended.
Please contact Support if you need any assistance.

The background for the updated fix is that we have identified a mutation of the JBoss worm in question. While there is no risk for those who applied the original fix before 04:30 UTC on October 21, we prefer to adhere to a ‘better safe than sorry’ policy in this context, and recommend that you should nevertheless apply the updated fix.

In addition, we would like to inform you that the upcoming version 4.0 of Primo will include an upgraded version of JBoss, JBoss version 5.

Thanks

Resolution: