A high-severity authentication bypass vulnerability in a widely used open source Java framework is under active exploit by threat actors, who are using the flaw to deploy backdoors to unpatched servers, the US Cybersecurity and Infrastructure Security Agency (CISA) and security researchers are warning.
The scenario could pose a significant supply chain threat for any unpatched software that uses the affected Java library, which is found in the ZK Java Web Framework, experts said.
CISA has added CVE-2022-36537, which affects ZK Java Web Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1, to its catalog of Known Exploited Vulnerabilities (KEV).
The flaw, found in ZK Framework AuUploader servlets, could allow an attacker “to retrieve the content of a file located in the Web context,” and thus steal sensitive information, according to the KEV listing. “This vulnerability can impact multiple products, including but not limited to ConnectWise R1Soft Server Backup Manager,” CISA said.
Indeed, the flaw first drew widespread attention in October 2022 when ConnectWise sounded an alarm over its existence in its products — specifically, ConnectWise Recover and R1Soft server backup manager technologies. Senior security researchers John Hammond and Caleb Stewart at Huntress subsequently published a blog post about how the flaw can be exploited.
In an update to that blog post published concurrent with the CISA’s advisory, Huntress warned that “the vulnerability discovered last year in ConnectWise’s R1Soft Server Backup Manager software has now been seen exploited in the wild to deploy backdoors on hundreds of servers via CVE-2022-36537.”
CISA and Huntress both based their warnings on research from Fox-IT published Feb. 22 that found evidence of a threat actor using a vulnerable version of ConnectWise R1Soft Server Backup Manager software “as an initial point of access and as a platform to control downstream systems connected via the R1Soft Backup Agent,” the researchers wrote in a blog post.
“This agent is installed on systems to support being backed up by the R1Soft server software and typically runs with high privileges,” according to the post. “This means that after the adversary initially gained access via the R1Soft server software it was able to execute commands on all systems running the agent connected to this R1Soft server.”
History of the Flaw
For its part, ConnectWise moved swiftly to patch the products in October, pushing out an automatic update to both the cloud and client instances of ConnectWise Server Backup Manager (SBM), and urging customers of the R1Soft server backup manager to upgrade immediately to the new SBM v6.16.4.
A researcher from Germany-based security vendor Code White GmbH was the first to identify CVE-2022-36537 and report it to the maintainers of the ZK Java Web Framework in May 2022. They fixed the issue in version 9.6.2 of the framework.
ConnectWise became aware of the flaw in its products when another researcher from the same company discovered that ConnectWise’s R1Soft SBM technology was using the vulnerable version of the ZK library and reported the issue to the company, according to the Huntress blog post.
When the company did not respond in 90 days, the researcher teased a few details on how the flaw could be exploited on Twitter, which researchers from Huntress used to replicate the vulnerability and refine a proof-of-concept (PoC) exploit.
Huntress researchers ultimately demonstrated they could leverage the vulnerability to leak server private keys, software license information, and system configuration files and eventually gain remote code execution in the context of a system superuser.
At the time, researchers identified “upwards of 5,000 exposed server manager backup instances via Shodan — all of which had the potential to be exploited by threat actors, along with their registered hosts,” they said. But they surmised that the vulnerability had the potential to impact significantly more machines than that.
Supply Chain at Risk
When Huntress did its analysis of the flaw, there was no evidence of active exploitation. Now that this has changed, any unpatched version of the ZK Java Web Framework, whether embedded in ConnectWise products or in other software, is fair game for threat actors, which could create significant risk for the supply chain.
Fox-IT’s research indicates that worldwide exploitation of ConnectWise’s R1Soft server software started around the end of November, soon after Huntress released its PoC.
“With the help of fingerprinting, we have identified multiple compromised hosting providers globally,” the researchers wrote.
In fact, Fox-IT researchers said on Jan. 9 that they had identified a “total of 286 servers running R1Soft server software with a specific backdoor.”
CISA is urging that any organizations still using unpatched versions of the affected ConnectWise products update their products “per vendor instructions,” according to the KEV listing. And while, so far, the existence of the flaw is known only in the ConnectWise products, other software using unpatched versions of the framework would be vulnerable as well.
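The supply chain point above is that any product bundling a pre-9.6.2 ZK library is exposed, not just the ConnectWise products named so far. The quickest defender check is therefore a dependency scan. The following is an added example, not code from the article, Huntress, Fox-IT or the ZK project: it parses a Maven pom.xml, resolves `${property}` version references, and flags any ZK artifact whose version sorts below the 9.6.2 fix named in the article. The Maven groupId `org.zkoss.zk` and the sample pom.xml are assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Fixed release named in the article (ZK 9.6.2); anything that sorts below it
# is treated as affected by CVE-2022-36537.
FIXED_VERSION = "9.6.2"

# Maven groupId assumed for the ZK framework artifacts (assumption, not from the article).
ZK_GROUP_ID = "org.zkoss.zk"

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample pom.xml: one ZK artifact pinned via a property to an affected
# version, one ZK artifact already on the fixed version, one unrelated dependency.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <zk.version>9.6.0.1</zk.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.zkoss.zk</groupId>
      <artifactId>zk</artifactId>
      <version>${zk.version}</version>
    </dependency>
    <dependency>
      <groupId>org.zkoss.zk</groupId>
      <artifactId>zul</artifactId>
      <version>9.6.2</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.12.0</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '9.6.0.1' or '9.6.2-Eval' into a tuple of ints for ordered comparison.

    Dotted segments are compared numerically; a trailing qualifier is ignored.
    Tuple ordering makes (9, 6, 0, 1) < (9, 6, 2) and (9, 6, 2, 1) > (9, 6, 2).
    """
    nums = []
    for part in version.split("."):
        match = re.match(r"\d+", part)
        if not match:
            break
        nums.append(int(match.group()))
    return tuple(nums)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the given ZK version sorts below the fixed release."""
    return parse_version(version) < parse_version(fixed)


def _resolve(value: str, props: Dict[str, str]) -> str:
    """Resolve a '${name}' reference against the pom's <properties>; leave others as-is."""
    match = re.fullmatch(r"\$\{([^}]+)\}", value.strip())
    if match:
        return props.get(match.group(1), value)
    return value.strip()


def find_vulnerable_zk(pom_xml: str) -> List[Tuple[str, str]]:
    """Return (groupId:artifactId, version) for every ZK dependency below the fix.

    Scans <dependencies> blocks anywhere in the pom, so dependencyManagement
    entries are covered as well.
    """
    root = ET.fromstring(pom_xml)
    props: Dict[str, str] = {}
    props_el = root.find("m:properties", NS)
    if props_el is not None:
        for child in props_el:
            tag = child.tag.split("}", 1)[-1]  # strip the XML namespace
            props[tag] = (child.text or "").strip()

    findings = []
    for dep in root.findall(".//m:dependencies/m:dependency", NS):
        gid = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        aid = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        ver = _resolve(dep.findtext("m:version", default="", namespaces=NS), props)
        if gid == ZK_GROUP_ID and ver and is_affected(ver):
            findings.append((f"{gid}:{aid}", ver))
    return findings


if __name__ == "__main__":
    for coord, ver in find_vulnerable_zk(SAMPLE_POM):
        print(f"affected: {coord} {ver} (fixed in {FIXED_VERSION})")
```

Run against the constructed pom, the scan reports only `org.zkoss.zk:zk 9.6.0.1`; the `zul` artifact already on 9.6.2 and the unrelated dependency are skipped. In a real codebase the same check belongs in CI, pointed at every module's pom and, for packaged products, at the `zk-*.jar` files actually shipped, since the article's point is that the vulnerable library travels inside other vendors' products.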