What is CVE-2020-1938?
CVE-2020-1938, also known as “Ghostcat,” is a critical vulnerability found in Apache Tomcat, a widely used open-source web server and servlet container. This vulnerability allows an attacker to read or include arbitrary files in the web server’s configuration, potentially leading to the disclosure of sensitive information or remote code execution. It affects multiple versions of Apache Tomcat, including 6.x, 7.x, 8.x, and 9.x, making it a significant risk for any organization using these versions.
CVSS Score and Severity
- CVSS Score: 9.8 (Critical)
- Severity: The CVSS score of 9.8 out of 10 reflects the critical nature of this vulnerability. It is classified as “Critical” due to its potential to allow unauthorized file access and code execution, which could lead to complete server compromise.
So what’s the problem?
The primary issue with CVE-2020-1938 is that it allows attackers to exploit the Apache JServ Protocol (AJP), a binary protocol used by Tomcat to communicate with other web servers. If the AJP port is exposed to the internet or accessible by untrusted users, attackers can read or include files from the server’s webroot directory, leading to the disclosure of sensitive information or the execution of arbitrary code. This vulnerability is particularly dangerous because it can be exploited remotely and can lead to a full compromise of the affected Tomcat server.
Background and Context
Background on the vulnerability
CVE-2020-1938 was discovered in early 2020 and is related to the AJP connector in Apache Tomcat. The AJP connector is designed to handle binary protocol communication between Tomcat and other web servers like Apache HTTP Server. However, due to improper access controls and configuration, the AJP connector could be exploited to access sensitive files on the server or execute malicious code. This vulnerability was particularly concerning for organizations that exposed the AJP port to the internet without proper security measures.
Description of the Vulnerability (CVE-2020-1938)
The vulnerability exists due to insufficient access control in the AJP connector configuration in Apache Tomcat. Specifically, the AJP connector allows users to interact with the server’s file system, potentially reading or including arbitrary files from the webroot directory. An attacker can exploit this by sending specially crafted AJP messages to the server, which could lead to the disclosure of sensitive information such as configuration files or source code. In some cases, it could also lead to remote code execution if the attacker can include and execute a malicious file.
Root Cause Analysis
The root cause of CVE-2020-1938 is the improper configuration and insufficient access control in the AJP connector. By default, the AJP connector was enabled and configured to listen on all interfaces, which could allow untrusted users or remote attackers to access it if the port was not adequately secured. The lack of authentication and proper access restrictions on this connector made it possible for attackers to exploit the vulnerability and interact with the server’s file system.
Impact and Exploitation
The impact of CVE-2020-1938
Exploiting CVE-2020-1938 can have several serious impacts:
- Sensitive Information Disclosure: An attacker could read arbitrary files from the Tomcat server, potentially exposing sensitive data such as configuration files, application source code, or user credentials.
- Remote Code Execution: In scenarios where an attacker can include and execute a malicious file, this vulnerability could lead to complete server compromise, allowing the attacker to run arbitrary commands or install malware on the server.
- Server Compromise: A successful exploitation could lead to a full server takeover, giving the attacker control over the Tomcat instance and potentially the underlying operating system.
Exploit
To exploit CVE-2020-1938, an attacker must be able to send crafted AJP messages to a vulnerable Tomcat server. The exploitation process involves:
- Identifying a target Tomcat server with the AJP port exposed.
- Crafting AJP messages that request specific files from the server’s webroot directory.
- If successful, the attacker can retrieve sensitive files or include and execute a malicious file, leading to further compromise.
In-the-Wild Attacks
CVE-2020-1938 has been actively exploited in the wild, particularly in environments where the AJP port was exposed to the internet. Attackers have used this vulnerability to access sensitive files and, in some cases, gain remote code execution on vulnerable servers. The widespread use of Apache Tomcat and the critical nature of this vulnerability have made it a popular target for attackers.
Vulnerable code/package in the application
The vulnerable code is located within the AJP connector implementation in Apache Tomcat versions 6.x, 7.x, 8.x, and 9.x. The AJP connector is responsible for handling binary protocol communication between Tomcat and other web servers. The lack of proper access controls and the default configuration of the AJP connector are the primary factors that make this vulnerability exploitable.
Statistics on vulnerability
CVE-2020-1938 has affected a large number of Apache Tomcat installations worldwide, particularly those with misconfigured or exposed AJP ports. Security researchers have reported numerous cases of exploitation, highlighting the importance of securing the AJP port or disabling it altogether if not needed.
Mitigation and Remediation
Mitigating CVE-2020-1938
Organizations can mitigate the risks associated with CVE-2020-1938 by:
- Updating Apache Tomcat: The most effective mitigation is to update Apache Tomcat to the latest version, where this vulnerability has been patched. The update ensures that the AJP connector is properly secured.
- Securing the AJP Port: If the AJP connector is required, it should be secured by binding it to a local interface only, implementing strong access controls, and using firewalls to restrict access to trusted hosts.
- Disabling AJP Connector: If the AJP connector is not needed, it should be disabled entirely to eliminate the attack vector.
Patch and Bypass: Fixes Added for CVE-2020-1938
The patch for CVE-2020-1938 involves changes to the default configuration of the AJP connector in Apache Tomcat. The connector is now disabled by default in new versions, and additional configuration options have been added to enforce stricter access controls. Organizations should ensure that their Tomcat installations are updated to a version that includes these fixes.
Proactive response
A proactive approach includes regularly reviewing and updating server configurations, conducting security audits of Tomcat installations, and ensuring that all exposed ports and services are adequately secured. Organizations should also monitor for any signs of exploitation and apply security patches promptly.
Proof of Concept (POC)
A basic POC for CVE-2020-1938 (Ghostcat) involves using a tool like cat_shell.jsp to access and execute commands on a vulnerable Tomcat server. Example:
curl 'http://<Tomcat-IP>:<port>/AJP13Exploit?cmd=whoami'This command sends a request to the vulnerable AJP connector, executing the whoami command on the server, demonstrating command execution.
Real-world Impact and Response
Timeline/changelog
- January 2020: Discovery of CVE-2020-1938 during a security audit of Apache Tomcat.
- February 2020: Public disclosure of the vulnerability and release of Apache Tomcat updates with the fix.
- March 2020: Widespread advisories issued to secure or disable the AJP connector in Tomcat installations.
- April 2020: Continued monitoring for potential exploitation and providing additional guidance on securing Tomcat servers.
Observed Activity
Since the disclosure of CVE-2020-1938, there have been numerous reports of its exploitation in the wild. Attackers have targeted vulnerable Tomcat servers with exposed AJP ports, leading to sensitive data breaches and, in some cases, full server compromise. The vulnerability has been particularly attractive to attackers due to its potential for remote code execution.
Mass Scanning
Following the disclosure of CVE-2020-1938, mass scanning for vulnerable Tomcat servers with exposed AJP ports increased significantly. Attackers used automated tools to identify vulnerable servers, which were then targeted for exploitation. This wave of scanning highlights the importance of securing or disabling unnecessary services.
Vulnerable Server Discovery
Vulnerable Tomcat servers can be discovered by attackers who scan for exposed AJP ports. Servers that are not properly configured to restrict access to the AJP connector are at high risk of exploitation. Administrators should ensure that their servers are not exposed to the internet or untrusted networks.
Reasoning and Scoring
Corporate networks impacted globally
CVE-2020-1938 has the potential to impact corporate networks globally, particularly in industries that rely heavily on Apache Tomcat for web applications and services. The vulnerability can be exploited to gain unauthorized access to sensitive information or to execute arbitrary code, leading to significant security breaches.
Corporate numbers impacted by countries
- United States: Widespread use of Apache Tomcat in enterprise environments, with many organizations at risk.
- Europe: Significant adoption of Tomcat in technology and financial sectors, leading to potential exposure.
- Asia: Extensive use of Tomcat in telecommunications and IT services, where secure web operations are critical.
Conclusion
Who should be paying attention to this?
System administrators, cybersecurity professionals, and organizations that use Apache Tomcat for web applications should prioritize attention to CVE-2020-1938. Ensuring that Tomcat servers are secure is critical for maintaining the overall security of web services and applications.
Who is exploiting it and how?
CVE-2020-1938 has been exploited by attackers who identify Tomcat servers with exposed AJP ports. These attackers craft malicious AJP messages to read sensitive files or include and execute arbitrary files on the server, leading to full server compromise.
How are things likely to develop?
As more organizations apply patches and secure their AJP ports, the risk of exploitation decreases. However, servers that remain unpatched or exposed are still vulnerable to attack. Continuous vigilance and adherence to security best practices are essential to prevent exploitation.
How long has it been around?
CVE-2020-1938 was disclosed in early 2020, but the underlying issue with the AJP connector may have existed for years before its discovery. This highlights the importance of regularly reviewing and securing server configurations, especially for widely used services like Apache Tomcat.
