Tuesday, May 3, 2022

Validate SpringShell Vulnerabilities with Azure Network Security

Author: Eliran Azulai, Principal Program Manager, Azure Networking 

Co-author: Gunjan Jain, Principal PM Manager, Azure Networking 

 

If you have been wondering how to protect your resources from the latest Spring Framework exploits, this blog will guide you step by step through detecting and protecting against SpringShell vulnerabilities using our native network security services, Azure Firewall Premium and Azure Web Application Firewall (WAF). You can use one of these services or all of them for a multi-layered security approach. For more in-depth information on the SpringShell vulnerability and guidance for protection and detection, please check out the blog published by the Microsoft Threat Intelligence Team.

 

Prerequisites for each service

  1. Enable IDPS and TLS inspection on Azure Firewall Premium
  2. Enable SpringShell WAF rules on your Azure Front Door WAF (they are disabled by default):
  • Rule group: MS-ThreatIntel-WebShells, Rule Id: 99005006 – Spring4Shell Interaction Attempt
  • Rule group: MS-ThreatIntel-CVEs, Rule Id: 99001014 – Attempted Spring Cloud routing-expression injection (CVE-2022-22963)
  • Rule group: MS-ThreatIntel-CVEs, Rule Id: 99001015 – Attempted Spring Framework unsafe class object exploitation (CVE-2022-22965)
  • Rule group: MS-ThreatIntel-CVEs, Rule Id: 99001016 – Attempted Spring Cloud Gateway Actuator injection (CVE-2022-22947)


  3. No need to enable SpringShell WAF rules on Azure Application Gateway WAF v2, as they are enabled by default:

  • Rule Id: 800110 – Spring4Shell Interaction Attempt
  • Rule Id: 800111 – Attempted Spring Cloud routing-expression injection – CVE-2022-22963
  • Rule Id: 800112 – Attempted Spring Framework unsafe class object exploitation – CVE-2022-22965
  • Rule Id: 800113 – Attempted Spring Cloud Gateway Actuator injection – CVE-2022-22947


Testing the exploit in Azure Firewall Premium lab

To provide customers with a safe environment to simulate the exploits, we developed a lab setup built with an application that is vulnerable to the Spring4Shell exploit (CVE-2022-22965). You can follow the instructions provided in this GitHub repository to build your own setup.

  1. The setup requires deploying VNets in a hub-and-spoke model. Azure Firewall Premium sits in the hub, and the spokes are configured to forward their traffic to the hub firewall for inspection.


[Diagram: hub-and-spoke lab topology (image not available)]


  2. Configure two Linux machines in the spokes as shown in the diagram above.
  3. Make sure the Spring application is available at http://localhost:8080/helloworld/greeting


  4. Run the exploit.py script locally to view the exploit's impact on the server, as shown below:


  5. Run the exploit.py script across the network and verify that Azure Firewall blocks the exploit.


  6. Check the Azure Firewall Premium logs to verify that the exploit was blocked.


Testing the exploit with Azure WAF on Azure Front Door

  1. Set up Azure Front Door with an attached WAF policy. You can use your existing Azure Front Door deployment or create a new Azure Front Door with an attached WAF policy.
  2. Ensure WAF SpringShell rules are enabled to get protection from SpringShell threats.
  3. Replace <mydomain> with your domain name in the following URL and open it in a browser to simulate the exploit:

        https://www.<mydomain>.com/test.jsp?pwd=test&cmd=cat+/secret/file

  4. Check the Azure Front Door WAF logs to verify that the exploit was blocked.


Testing the exploit with Azure WAF on Azure Application Gateway

  1. Set up Azure Application Gateway WAF v2 with an attached WAF policy. You can use your existing Azure Application Gateway deployment or create a new Azure Application Gateway with a WAF policy.
  2. Replace <mydomain> with your domain name in the following URL and open it in a browser to simulate the exploit:

         https://www.<mydomain>.com/test.jsp?pwd=test&cmd=cat+/secret/file

  3. Check the Azure Application Gateway WAF logs to verify that the exploit was blocked.
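The script below is an added example, not code from the original post or from Microsoft. It serves two of the steps above: enabling the four Front Door rules listed in the prerequisites (they are off by default) and the "check the WAF logs" steps for both Azure Front Door and Azure Application Gateway, using one rule table for both. Assumptions: the flags of `az network front-door waf-policy managed-rules override add` follow the Azure CLI front-door extension as understood by the example's author, and the managed rule set name `Microsoft_DefaultRuleSet` is a choice (the rule set must already be attached to the policy); the log field names (`properties.requestUri`, `ruleName`/`action` for Front Door, `ruleId`/`action` for Application Gateway) and the `Block`/`Blocked` action strings follow the WAF diagnostic log schemas as understood here and should be compared against a real export; the sample log lines are constructed; resource group and policy names are placeholders.

```python
from __future__ import annotations

import json
import shlex
import subprocess
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class WafRule:
    group: str        # Front Door rule group (from the post)
    fd_id: str        # Front Door rule id (from the post)
    appgw_id: str     # Application Gateway WAF v2 rule id (from the post)
    description: str


# The four SpringShell rules exactly as listed in the post's prerequisites.
SPRINGSHELL_RULES = (
    WafRule("MS-ThreatIntel-WebShells", "99005006", "800110",
            "Spring4Shell Interaction Attempt"),
    WafRule("MS-ThreatIntel-CVEs", "99001014", "800111",
            "Spring Cloud routing-expression injection (CVE-2022-22963)"),
    WafRule("MS-ThreatIntel-CVEs", "99001015", "800112",
            "Spring Framework unsafe class object exploitation (CVE-2022-22965)"),
    WafRule("MS-ThreatIntel-CVEs", "99001016", "800113",
            "Spring Cloud Gateway Actuator injection (CVE-2022-22947)"),
)

# ASSUMPTION: managed rule set name as passed to the az front-door extension.
MANAGED_RULE_SET = "Microsoft_DefaultRuleSet"


def front_door_override_commands(resource_group: str, policy_name: str) -> list[list[str]]:
    """One `az ... managed-rules override add` argv per rule: the Front Door rules
    are disabled by default, so each needs an override that enables it and sets Block."""
    cmds = []
    for r in SPRINGSHELL_RULES:
        cmds.append([
            "az", "network", "front-door", "waf-policy", "managed-rules", "override", "add",
            "--resource-group", resource_group,
            "--policy-name", policy_name,
            "--type", MANAGED_RULE_SET,
            "--rule-group-id", r.group,
            "--rule-id", r.fd_id,
            "--action", "Block",
            "--disabled", "false",
        ])
    return cmds


def apply_overrides(cmds: Iterable[list[str]], dry_run: bool = True) -> int:
    """Print (dry run) or execute each command; returns the number handled."""
    n = 0
    for argv in cmds:
        if dry_run:
            print(shlex.join(argv))
        else:
            subprocess.run(argv, check=True)
        n += 1
    return n


def rule_id_from_record(props: dict) -> str:
    """ASSUMPTION: Front Door writes ruleName as '<ruleset>-<version>-<group>-<id>',
    Application Gateway writes a bare ruleId; both end in the numeric id."""
    name = str(props.get("ruleName") or props.get("ruleId") or "")
    return name.rsplit("-", 1)[-1]


def springshell_block_rule(record: dict) -> Optional[WafRule]:
    """Return the SpringShell rule that blocked this WAF event, or None."""
    props = record.get("properties", record)
    # ASSUMPTION: 'Block' (Front Door) / 'Blocked' (Application Gateway) are the blocking actions.
    if props.get("action") not in ("Block", "Blocked"):
        return None
    rid = rule_id_from_record(props)
    for r in SPRINGSHELL_RULES:
        if rid in (r.fd_id, r.appgw_id):
            return r
    return None


def verify_exploit_blocked(records: Iterable[dict], uri_fragment: str) -> dict:
    """Summarise WAF events for requests whose URI contains uri_fragment (e.g. 'test.jsp').
    'other_events' counts matches that did not block (e.g. a Log action in detection mode)."""
    summary: dict = {"blocked": 0, "other_events": 0, "rules": {}}
    for rec in records:
        props = rec.get("properties", rec)
        if uri_fragment not in str(props.get("requestUri", "")):
            continue
        rule = springshell_block_rule(rec)
        if rule is None:
            summary["other_events"] += 1
        else:
            summary["blocked"] += 1
            summary["rules"][rule.description] = summary["rules"].get(rule.description, 0) + 1
    return summary


def parse_log_lines(lines: Iterable[str]) -> list[dict]:
    """Exported diagnostic logs arrive as one JSON object per line."""
    return [json.loads(line) for line in lines if line.strip()]


# Constructed sample export (not real log data); shapes as assumed above.
SAMPLE_LOG_LINES = [
    '{"category":"FrontdoorWebApplicationFirewallLog","properties":{"clientIp":"203.0.113.10","requestUri":"https://www.example.com/test.jsp?pwd=test&cmd=cat+/secret/file","ruleName":"Microsoft_DefaultRuleSet-1.1-MS-ThreatIntel-WebShells-99005006","action":"Block","policyMode":"prevention"}}',
    '{"category":"FrontdoorWebApplicationFirewallLog","properties":{"clientIp":"203.0.113.10","requestUri":"https://www.example.com/index.html","ruleName":"Microsoft_DefaultRuleSet-1.1-MS-ThreatIntel-WebShells-99005006","action":"Log","policyMode":"prevention"}}',
    '{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"203.0.113.10","requestUri":"/test.jsp?pwd=test&cmd=cat+/secret/file","ruleId":"800110","action":"Blocked"}}',
    '{"category":"FrontdoorWebApplicationFirewallLog","properties":{"clientIp":"203.0.113.11","requestUri":"https://www.example.com/test.jsp?pwd=test&cmd=cat+/secret/file","ruleName":"Microsoft_DefaultRuleSet-1.1-MS-ThreatIntel-WebShells-99005006","action":"Log","policyMode":"detection"}}',
]

if __name__ == "__main__":
    apply_overrides(front_door_override_commands("my-rg", "my-waf-policy"))  # dry run: prints the az commands
    print(verify_exploit_blocked(parse_log_lines(SAMPLE_LOG_LINES), "test.jsp"))
```

Run it as-is to see the four `az` commands printed without executing them (pass `dry_run=False` to apply them with a logged-in Azure CLI), and point `parse_log_lines` at a real diagnostic export to get the per-rule block count for the simulated request; a non-zero `other_events` with `blocked == 0` is the signal that the policy is still in detection mode or the rules are still disabled.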

Learn More

Azure Firewall Premium and Azure WAF provide advanced threat protection capabilities to help detect and protect against SpringShell and other exploits. For more information on everything we covered above, please see the following documentation:

Posted at https://sl.advdat.com/3y9kLkq