JSCAPE MFT Binary Management Java Deserialization - CVE-2023-4528

Emerging Threats is aware of the announced Java Deserialization Vulnerability in JSCAPE MFT.

As of right now, there are limited details on exploitation, which prevents us from writing highly confident rules. Additionally, it appears that exploitation would occur inside a TLS session which, by default, runs over tcp/10880.

Today we are releasing two information based rules in order to help responders identify potentially vulnerable hosts on their networks.

These rules are written so that they alert when the matching traffic is “outbound”. This means the source IP address of the alerts should be within the defender’s monitored and operated network.

Details on each of the signatures are below.

Emerging Threats will continue to monitor for new information and create additional coverage as possible.

2047976 - JSCAPE MFT - Binary Management Service Default TLS Certificate

This signature is based on data collected by Censys, which showed a few different TLS certificates being presented by JSCAPE MFT servers on tcp/10880. The signature has been written to be somewhat generic so that it covers most of the observed TLS certificates.

Possible FNs

A keen reader will notice that the instances discovered by Censys, shown in the image above, are using TLSv1.3. In TLSv1.3, the certificate details are encrypted within the TLS stream. In this case, when TLSv1.3 is used, this rule will likely produce a False Negative, as the IDS engine will not be able to observe the certificate details.
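To make the False Negative condition concrete, the following added example (not part of the original post and not Emerging Threats' rule) parses a TLS ServerHello record and reports the negotiated protocol version. When the `supported_versions` extension selects TLSv1.3, the server's Certificate message that follows is sent encrypted, so a certificate-based signature has nothing to match; with TLSv1.2 the Certificate message is in cleartext. The two ServerHello records are constructed inline for the demonstration (zeroed random, no session ID) and are not captures from a JSCAPE host.

```python
import struct

HANDSHAKE = 0x16             # TLS record content type: handshake
SERVER_HELLO = 0x02          # handshake message type: ServerHello
EXT_SUPPORTED_VERSIONS = 0x002B
TLS_VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}


def build_server_hello(tls13):
    """Construct a minimal ServerHello record (constructed sample, not a real capture).

    Both TLS 1.2 and 1.3 put 0x0303 in legacy_version; TLS 1.3 signals the real
    version in the supported_versions extension (RFC 8446 section 4.1.3).
    """
    random = bytes(32)                                      # zeroed for simplicity
    session_id = b""
    cipher_suite = b"\x13\x01" if tls13 else b"\xc0\x2f"    # AES128-GCM suites
    body = (struct.pack("!H", 0x0303) + random
            + bytes([len(session_id)]) + session_id
            + cipher_suite + b"\x00")                       # compression: null
    exts = b""
    if tls13:
        ext_data = struct.pack("!H", 0x0304)
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_data)) + ext_data
    body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack("!HH", 0x0303, len(handshake)) + handshake


def negotiated_tls_version(record):
    """Return the protocol version a ServerHello record actually selects."""
    if record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello message")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    legacy_version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                       # skip legacy_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                 # skip session_id
    pos += 2 + 1                       # skip cipher_suite and compression_method
    if pos + 2 > len(body):            # no extensions block at all
        return TLS_VERSIONS.get(legacy_version, hex(legacy_version))
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
            selected = struct.unpack("!H", edata)[0]
            return TLS_VERSIONS.get(selected, hex(selected))
    return TLS_VERSIONS.get(legacy_version, hex(legacy_version))


def certificate_visible_to_ids(record):
    """True when the Certificate message following this ServerHello is cleartext."""
    return negotiated_tls_version(record) != "TLSv1.3"


if __name__ == "__main__":
    for label, rec in (("TLS 1.2 server", build_server_hello(False)),
                       ("TLS 1.3 server", build_server_hello(True))):
        print(label, negotiated_tls_version(rec),
              "certificate visible:", certificate_visible_to_ids(rec))
```

A responder triaging hits (or the absence of hits) on tcp/10880 can apply the same check to a captured ServerHello: a TLSv1.3 result means the certificate signature could not have fired regardless of what the server presented, and the Set-Cookie signature described below is the better indicator for that host.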

2047977 - JSCAPE MFT - HTTP Management Service Detected via Set-Cookie

This informational signature is designed to alert on the HTTP Management interface. The intention is simply to provide a second method of finding potentially vulnerable JSCAPE MFT instances running within the monitored network.

Upon accessing some of the publicly available JSCAPE Management interfaces running on port 11880, two unique cookies were observed being set by the server: JSESSIONID_11880 and MFTCSX. These two values were used to create the rule.

Possible FNs

Because the port number is part of the JSESSIONID cookie name, there is the possibility of a False Negative (not alerting when an alert is desired) if the service is running on a non-default port.
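The following added example (written for this page, not Emerging Threats' actual rule text) shows the two-cookie check applied to HTTP response headers, and how the non-default-port False Negative arises. The strict check requires the literal names JSESSIONID_11880 and MFTCSX, as the post describes; a second, port-agnostic check accepts any JSESSIONID_<port> name alongside MFTCSX and is an assumption about how one might broaden the match, not something the post states. The three responses are constructed samples, not captures from real hosts.

```python
import re

# Constructed sample HTTP responses (not real captures).
RESPONSES = {
    "default_port": (
        "HTTP/1.1 200 OK\r\n"
        "Set-Cookie: JSESSIONID_11880=0123456789ABCDEF; Path=/; HttpOnly\r\n"
        "Set-Cookie: MFTCSX=abcdef; Path=/\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html></html>"
    ),
    "nondefault_port": (
        "HTTP/1.1 200 OK\r\n"
        "Set-Cookie: JSESSIONID_8443=0123456789ABCDEF; Path=/; HttpOnly\r\n"
        "Set-Cookie: MFTCSX=abcdef; Path=/\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html></html>"
    ),
    "unrelated_java_app": (
        "HTTP/1.1 200 OK\r\n"
        "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
        "<html></html>"
    ),
}


def set_cookie_names(raw_response):
    """Return the cookie names from every Set-Cookie header in a raw HTTP response."""
    header_block = raw_response.split("\r\n\r\n", 1)[0]
    names = []
    for line in header_block.split("\r\n")[1:]:        # skip the status line
        if line.lower().startswith("set-cookie:"):
            value = line.split(":", 1)[1].strip()
            names.append(value.split("=", 1)[0].strip())
    return names


def matches_default_port_rule(raw_response):
    """Strict check: both names exactly as observed on the default port 11880."""
    names = set(set_cookie_names(raw_response))
    return "JSESSIONID_11880" in names and "MFTCSX" in names


# Hypothetical broadened check: JSESSIONID_<any port> plus MFTCSX.
JSESSIONID_PORT = re.compile(r"^JSESSIONID_\d{1,5}$")


def matches_port_agnostic_rule(raw_response):
    names = set_cookie_names(raw_response)
    has_port_session = any(JSESSIONID_PORT.match(n) for n in names)
    return has_port_session and "MFTCSX" in names


if __name__ == "__main__":
    for label, raw in RESPONSES.items():
        print(f"{label:20s} strict={matches_default_port_rule(raw)!s:5s} "
              f"port-agnostic={matches_port_agnostic_rule(raw)}")
```

The "nondefault_port" sample is the False Negative case from the note above: the strict check misses it while the port-agnostic variant catches it. The "unrelated_java_app" sample shows why the MFTCSX cookie matters; a bare JSESSIONID is set by many Java servlet containers, so matching on JSESSIONID alone would be far too broad.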

External References: