Threat Watch

Researchers Disclose Critical RCE Vulnerability Affecting Quarkus Java Framework

A security vulnerability in the Quarkus Java framework has been discovered that would allow attackers to achieve remote code execution on affected systems, according to a recently released report. The vulnerability, tracked as CVE-2022-4116, can be trivially abused by threat actors with no privilege requirements on the affected system.

The vulnerability exists in the Dev UI portion of Quarkus Dev Mode, which allows developers to monitor the status of applications, change configurations, migrate databases, and more. Since Dev Mode is bound to localhost, exploitation of this vulnerability requires a drive-by localhost attack. The most likely way to achieve this would be for a malicious actor to trick a developer running Quarkus into visiting a specially crafted website containing malicious JavaScript designed to exploit the vulnerability. This could be done through targeted attacks, such as spear-phishing or watering hole attacks, or by serving malicious ads on websites frequented by developers.

While the vulnerability only affects the Dev Mode component of Quarkus, the impact of exploitation is high because an attacker could compromise the entire developer system. This could establish a foothold within an environment that the attacker can then use to pivot and compromise more critical infrastructure.

ANALYST NOTES

It is highly recommended that all users of the Quarkus Java framework update to version 2.14.2.Final or 2.13.5.Final (LTS) as soon as possible to remediate the vulnerability. The fix forces the Dev UI to check the Origin header of each request and only accept requests whose value is localhost. Since this header is set by the browser and cannot be modified by JavaScript running within the browser, the vulnerability can no longer be exploited by malicious JavaScript hosted on a website. If the patch cannot be applied immediately, an interim workaround is to move all non-application endpoints to a random root path. Since the exploit relies on the default paths of the Quarkus Dev UI component, changing the component's base root path to a non-default location can prevent the exploit from working. Developers should also limit web browsing activity from development machines. Running insecure, localhost-bound development applications is not limited to Quarkus; a number of other frameworks operate in a similar manner and may likewise be vulnerable to drive-by localhost attacks. For this reason, limiting non-essential web browsing and outbound network connections from developer machines can help prevent a system from being exploited by malicious JavaScript hosted on an external website.
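The Origin check described above, written out as an added illustration (not Quarkus code; the function names, the loopback host list and the constructed sample headers are this example's own assumptions). It shows why a cross-site page cannot pass the check and which edge cases a defender-side implementation should fail closed on, including the literal "null" origin, a missing header, and lookalike hostnames such as localhost.evil.example:

```python
from urllib.parse import urlsplit

# Hosts that name the loopback interface (assumed list for this example).
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def is_loopback_origin(origin):
    """Return True only if the Origin header value names a loopback host.

    The browser sets Origin from the page that issued the request, and page
    JavaScript cannot override it, so a request triggered from a remote site
    always arrives with that remote site's origin and is rejected.
    """
    if origin is None:
        return False  # missing header: treat as untrusted (assumption: fail closed)
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https"):
        return False  # covers the literal "null" origin and malformed values
    # hostname is lowercased and has IPv6 brackets stripped, so "[::1]" -> "::1";
    # "localhost.evil.example" stays a full hostname and does not match.
    return parts.hostname in LOOPBACK_HOSTS


def dev_ui_request_allowed(headers):
    """Decide whether a request to a localhost-bound dev endpoint may be served.

    headers: dict of request headers; lookup is case-insensitive.
    """
    lower = {name.lower(): value for name, value in headers.items()}
    return is_loopback_origin(lower.get("origin"))


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        {"Origin": "http://localhost:8080"},
        {"origin": "http://[::1]:8080"},
        {"Origin": "https://evil.example"},
        {"Origin": "http://localhost.evil.example:8080"},
        {"Origin": "null"},
        {},
    ]
    for sample in samples:
        verdict = "allow" if dev_ui_request_allowed(sample) else "reject"
        print(f"{verdict:6} {sample.get('Origin', sample.get('origin', '<no Origin>'))}")
```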

https://thehackernews.com/2022/12/researchers-disclose-critical-rce.html

https://www.contrastsecurity.com/security-influencers/localhost-attack-against-quarkus-developers-contrast-security