Vulnerabilities affect versions 8.3 and below, but vendor inadvertently addressed exploit in 8.4

TIBCO Data Virtualization software vulnerable to RCE via third-party flaws, claims researcher

A security researcher says he’s achieved remote code execution (RCE) on older, still downloadable versions of TIBCO Data Virtualization (TDV) software by chaining vulnerabilities in outdated third-party components.

The flaws in TDV, a popular enterprise data virtualization platform, arise from issues in BlazeDS and Java BeanShell libraries that were fixed several years ago.

Pedro Ribeiro, founder and director of research at UK-based Agile Information Security, says he fashioned a Ruby exploit after finding an unauthenticated Action Message Format (AMF) API endpoint that was vulnerable to insecure Java deserialization and an outdated Java library containing a Java deserialization gadget chain.

Disclosure difficulties

The researcher says he published a technical write-up on July 16 without the vendor’s consent, having found the disclosure process, which he initiated on July 5, to be “a complete disaster”.

Despite having a “fully working remote exploit” – as demonstrated in this proof-of-concept video – he claims that TIBCO declined to confirm that it would issue a security advisory urging TDV customers to update their systems to the latest version, 8.4, or that all previous versions are vulnerable.

He notes that version 8.3, which is said to be affected, is still available for download to TIBCO customers.

Read more of the latest security research news

TIBCO responded by saying that its “fair disclosure” policy precluded them from confirming “issues before they are fixed”, and that it does “not assign CVEs nor issue security advisories for third-party code”.

TIBCO has yet to respond to The Daily Swig’s invitation to comment, but we will update this article if and when they do.

Accidental fix

Ribeiro says the vulnerability chain affects both Linux and Windows hosts.

The latest version, 4.3, was launched in May 2021 and fixed the issue – inadvertently, suggests Ribeiro – by removing the AMF endpoint that was vulnerable to CVE-2017-5641, a flaw dating back to 2017.

This critical BlazeDS library bug (CVSS 9.8) centers on a failure to “restrict which types were allowed for AMF(X) object deserialization by default,” according to the CVE description.

CATCH UP Italian hosting firm defends data breach notification delay

Ribeiro referred readers to research from Markus Wulftange and Moritz Bechler for further technical details.

The researcher says version 8.4 of TDV still ships with Java BeanShell library 2.0b4, which is vulnerable to CVE-2016-2510, a flaw that surfaced in 2016 (CVSS 8.1).

Exploit chain

Ribeiro said he previously exploited the BeanShell flaw in DrayTek VigorACS and Cisco ISE by abusing a “ysoserial JRMP payload to return a malicious object to the caller”.

However, this technique only worked up to TDV version 8.2, since 8.3 uses JEP-290 to “filter certain known bad classes and protect against malicious remote method invocations (RMI)”.

However, Ribeiro then achieved RCE on version 8.3 by leveraging a technique, pioneered by Matthias Kaiser, that bypasses JEP-290.

Rocky road to disclosure

Ribeiro said he sent three emails to TIBCO requesting confirmation that 8.4 was not vulnerable and whether they would issue an advisory and credit him for his research.

TIBCO initially confirmed it was investigating the report and that it would not “confirm issues before they are fixed, which may contribute to response time”.

It subsequently said that as a CVE Numbering Authority it discloses and assigns CVEs for vulnerabilities in TIBCO code, but for flaws “in third-party code, we would work with that third party to achieve a resolution”.

READ MORE CNAs and CVEs – Can allowing vendors to assign their own vulnerability IDs actually hinder security?

However, Ribeiro said that TIBCO’s vulnerability disclosure policy “doesn’t say anywhere that they don't confirm security issues to whoever reported them”.

He then sent a final email “telling them what I think of their disclosure policy” and saying he would release an advisory and exploit without their consent.

As of today (July 20), the researcher tells The Daily Swig that he has still not received a response to his last email, which he concedes was “pretty angry”.

“I think I did the right thing [in disclosing the exploit]”, he continues. “It’s time companies like TIBCO stop treating researchers like cattle, taking our reports, ignoring us and then try to sweep vulnerabilities under the rug.

“I have no desire to harm TIBCO customers, quite the contrary, and I hope that by releasing this I can force TIBCO’s hand to at least admit they have a serious vulnerability in their products and instruct all clients to upgrade to the latest version (for free).”

RELATED Chained vulnerabilities in Aruba Networks firmware allowed remote code execution on routers