Description
A critical vulnerability has been identified in the authentication component of Apache Shiro when used with Spring dynamic controllers. A specially crafted request may cause an authentication bypass.
Affected Product(s)
- Apache Shiro versions below 1.5.2
- Debian Linux 8.0
Technical Details
Apache Shiro is a security framework for Java applications that provides a wide range of authentication, authorization, cryptography, and session management capabilities. The flaw, identified as CVE-2020-1957, is categorized under CWE-287, which signifies issues with improper authentication.
This vulnerability is specifically found when Apache Shiro is used in conjunction with Spring dynamic controllers. Since the matching process of Shiro’s interceptor and requestURI is different from the web framework’s matching process, crafted requests can result in authentication bypass.
Essentially, attackers can exploit this discrepancy to bypass the authentication mechanism altogether, allowing unauthorized access to protected resources. The versions of Shiro affected include all those prior to 1.5.2. Debian packages of Shiro are also affected, as identified in Debian security advisories DLA-2181-1 and DLA-2273-1.
In addition, Ubuntu has recognized this issue affecting versions 18.04 LTS and 20.04 LTS. The exploitation of this vulnerability involves sending specially crafted HTTP requests that modify the requestURI in such a way that Shiro’s authentication mechanism fails to process the request correctly. Consequently, the attacker can gain access to restricted resources without proper credentials. Detailed descriptions and proofs of concept can usually be found in various public discussions and advisories.
Several advisories, including those by NIST, Red Hat, IBM X-Force, and others, have highlighted this critical issue emphasizing the following:
- Apache Shiro < 1.5.2 allows an attacker to bypass authentication due to improper handling of crafted request bodies.
- Maven package `org.apache.shiro:shiro-core` is vulnerable in all its versions leading up to 1.5.2.
Additionally, a GitHub security advisory (GHSA-26gr-cvq3-qxgf) has linked this issue with improper path traversal handling.
A CVE overview from Mitre and detailed discussions on security forums, mailing lists, and vendor advisories further stress the importance of upgrading to the patched version. Additional technical details can be explored in mailing list discussions:
Thus, the combined insights from these discussions illustrate the intricate nature of the vulnerability and provide context on potential exploitation scenarios.
Weakness
The weakness associated with this vulnerability is categorized under CWE-287, which entails improper authentication. This means that the system does not sufficiently verify the identity of a user, process, or device. In this specific case, Shiro’s faulty request matching mechanism allows attackers to send crafted requests that end up bypassing authentication protocols.
Impact Assessment
If exploited, this vulnerability could allow an attacker to gain unauthorized access to sensitive data or execute arbitrary code on the affected system. This leads to significant security risks, such as data breaches, unauthorized data manipulation, and potentially the execution of malicious scripts.
Active Exploitation
We have observed activity from various threat actors utilizing this particular issue in Shiro to bypass authentication mechanisms. Notably, there have been several advisories and threat intelligence reports highlighting the utilization of CVE-2020-1957 by different attack groups targeting similar vulnerabilities in Java-based applications.
Ransomware Association
The vulnerability has been linked to ransomware attacks, specifically where ransomware operators exploit the authentication bypass to gain initial access to the system. This can lead to subsequent deployment of ransomware payloads, further encrypting sensitive data and disrupting operations.
Mitigation and Resolution
We have released a patch that addresses this vulnerability. Please update to version 1.5.2 of Apache Shiro immediately. This update ensures the proper matching of requestURI and Shiro interceptor, effectively preventing the authentication bypass mechanism.
Recommendations
- We strongly recommend that all customers apply the latest patch as soon as possible.
- Verify and ensure the update to Shiro version 1.5.2 or later.
- Consult the vendor advisories and security bulletins for detailed patch instructions.
- Review and assess all instances where Apache Shiro is used with Spring dynamic controllers.
- Implement additional security practices, such as multi-factor authentication, to mitigate entry points for attackers.
- Regularly monitor systems for unusual activity associated with the exploitation of this vulnerability.
Referencesย