Alert: Exploited Remote Code Execution Vulnerability Discovered in GeoServer GeoTools Software

July 16, 2024 | Newsroom | Vulnerability / Infrastructure Security

CISA Warns of Actively Exploited RCE Flaw in GeoServer GeoTools Software

The Cybersecurity and Infrastructure Security Agency (CISA) of the United States issued a warning on Monday urging action to address a critical security vulnerability affecting OSGeo GeoServer GeoTools. This warning was based on confirmed instances of exploitation.

GeoServer is a Java-based open-source server software that enables users to collaborate on and modify geospatial data. It serves as the primary implementation of the Open Geospatial Consortium (OGC) Web Feature Service (WFS) and Web Coverage Service (WCS) standards.

The vulnerability, tracked as CVE-2024-36401 (CVSS score: 9.8), could allow remote code execution through specially crafted input. The flaw stems from multiple OGC request parameters that allow unauthenticated users to execute code against a default GeoServer installation, because property names supplied in those parameters are unsafely evaluated as XPath expressions.

This issue has been resolved in versions 2.23.6, 2.24.4, and 2.25.2, with security researcher Steve Ikeoka being recognized for discovering it.

The manner in which the vulnerability is being exploited in real-world scenarios remains unclear. GeoServer has confirmed that the vulnerability can be exploited through various requests, including WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic, and WPS Execute.
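The description above gives a defender two concrete handles: the patched release numbers, and the fact that the affected request types carry feature property names that the server evaluated as XPath. The script below is an added example (not code from the article, CISA, or the GeoServer project) that turns both into checks: a version test against the fixed releases the article lists, and a scan of access-log lines that flags property-name parameters containing XPath expression syntax rather than a plain property path. It assumes the standard WFS parameter names `propertyName` (GetFeature) and `valueReference` (GetPropertyValue), which the article does not name, and the log lines are constructed samples in a common access-log layout.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Patched GeoServer releases named in the advisory: 2.23.6, 2.24.4, 2.25.2.
FIXED_BY_BRANCH = {(2, 23): (2, 23, 6), (2, 24): (2, 24, 4), (2, 25): (2, 25, 2)}


def parse_version(version: str) -> tuple:
    """'2.24.3' -> (2, 24, 3); a '-SNAPSHOT' style suffix is ignored."""
    core = version.split("-")[0]
    return tuple(int(p) for p in core.split("."))


def is_patched(version: str) -> bool:
    """True if this GeoServer version is at or above the fixed release for its branch."""
    parts = parse_version(version)
    branch = parts[:2]
    if branch in FIXED_BY_BRANCH:
        return parts >= FIXED_BY_BRANCH[branch]
    # Branches newer than 2.25 shipped after the fix; older branches (2.22 and
    # below) are not covered by the listed releases and are treated as unpatched.
    return branch > max(FIXED_BY_BRANCH)


# OGC request parameters that carry feature property names. Assumption: these
# are the standard WFS parameter names; the article does not list them.
PROPERTY_PARAMS = ("propertyname", "valuereference")

# A plain property path: names, namespace prefixes, '/' steps, '@' attributes,
# '*' wildcards. Parentheses, quotes, brackets or spaces mean the value is an
# XPath expression rather than a property name and should not be there.
_PLAIN_PATH = re.compile(r"^[\w.\-:/@*]+$")

# Request line inside a combined-format access log entry.
_REQ_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def property_param_findings(log_line: str) -> list:
    """Return one finding per property-name parameter that is not a plain path."""
    m = _REQ_LINE.search(log_line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    # parse_qsl percent-decodes values, so encoded parentheses are caught too.
    params = {k.lower(): v for k, v in parse_qsl(query, keep_blank_values=True)}
    findings = []
    for name in PROPERTY_PARAMS:
        if name not in params:
            continue
        items = [p.strip() for p in params[name].split(",")]
        if not all(_PLAIN_PATH.match(p) for p in items):
            findings.append({
                "request": params.get("request", "?"),
                "param": name,
                "value": params[name],
            })
    return findings


def scan_access_log(lines) -> list:
    """(line number, finding) pairs for every flagged request in the log."""
    return [(i, f) for i, line in enumerate(lines, 1) for f in property_param_findings(line)]


# Constructed sample log lines (not real traffic). Line 3 carries an XPath
# function call in valueReference; the others are ordinary requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Jul/2024:10:00:00 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0'
    '&request=GetPropertyValue&typeNames=topp:states&valueReference=STATE_NAME HTTP/1.1" 200 512',
    '10.0.0.5 - - [16/Jul/2024:10:00:01 +0000] "GET /geoserver/wfs?service=WFS&version=1.1.0'
    '&request=GetFeature&typeName=topp:states&propertyName=the_geom,STATE_NAME HTTP/1.1" 200 8192',
    '198.51.100.7 - - [16/Jul/2024:10:00:02 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0'
    '&request=GetPropertyValue&typeNames=topp:states&valueReference=string-length%28STATE_NAME%29 HTTP/1.1" 200 64',
    '198.51.100.7 - - [16/Jul/2024:10:00:03 +0000] "POST /geoserver/wps HTTP/1.1" 200 128',
]


if __name__ == "__main__":
    for v in ("2.24.3", "2.24.4", "2.25.2"):
        print(f"GeoServer {v} patched: {is_patched(v)}")
    for lineno, finding in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: {finding}")
```

The scan only sees query strings, so it covers the GET forms of GetFeature, GetPropertyValue, GetMap, GetFeatureInfo and GetLegendGraphic; WPS Execute and any POST-bodied WFS or WMS request carry their parameters in the body, which a standard access log does not record. Treat a hit as a trigger to pull the full request from a proxy or application log, and treat the version check, not the log scan, as the control that actually closes the issue.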

The maintainers have also addressed another critical vulnerability (CVE-2024-36404, CVSS score: 9.8) that could lead to remote code execution if certain GeoTools functionality is used to evaluate XPath expressions supplied via user input. This second flaw has been fixed in versions 29.6, 30.4, and 31.2.

Given the active exploitation of CVE-2024-36401, federal agencies are mandated to apply the updates provided by the vendor before August 5, 2024.

Meanwhile, reports have surfaced regarding the active exploitation of a remote code execution vulnerability in the Ghostscript document conversion toolkit (CVE-2024-29510), enabling attackers to break out of the -dSAFER sandbox and execute arbitrary code.

This vulnerability, addressed in version 10.03.1 following responsible disclosure by Codean Labs on March 14, 2024, has been weaponized to gain shell access on vulnerable systems according to ReadMe developer Bill Mill.
