Understanding the risks and impact of deploying dev-mode in production environments
Analysis Summary
# Vulnerability: Remote Code Execution via Exposed Java Debug Wire Protocol (JDWP)
## CVE Details
- CVE ID: None assigned in the source text. This describes a configuration risk rather than a specific software flaw, although related RCEs often receive CVEs when an application ships with the debug interface misconfigured by default.
- CVSS Score: N/A (Severity is assessed based on context)
- CWE: CWE-400 (Uncontrolled Resource Consumption) or CWE-284 (Improper Access Control); the root cause is a misconfiguration that leads to RCE.
## Affected Systems
- Products: Any Java application where the Java Virtual Machine (JVM) is launched with the JDWP debugging interface exposed to the network without authentication (e.g., TeamCity, Jenkins, Selenium Grid, Elasticsearch, Quarkus, Spring Boot, Apache Tomcat when run in debug mode).
- Versions: Any version of an application or service running a JVM configured to expose JDWP externally (e.g., `address=*:5005`).
- Configurations: JVM started with debug flags (e.g., `-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005`) exposed to the public internet or untrusted networks.
## Vulnerability Description
The vulnerability stems from the exposure of the **Java Debug Wire Protocol (JDWP)** interface without authentication or access control. JDWP is intended for authorized remote debugging but, when exposed externally, allows an unauthenticated attacker to connect, interact with the running JVM via low-level protocol commands, and execute arbitrary system commands using reflection against the `java.lang.Runtime` class (`getRuntime().exec()`). This leads directly to Remote Code Execution (RCE).
## Exploitation
- Status: Exploited in the wild (observed against honeypots, by multiple distinct external actors).
- Complexity: Low (the attack relies on scanning for open ports and using the documented JDWP command structures, potentially with tools such as variants of `jdwp-shellifier`).
- Attack Vector: Network
## Impact
- Confidentiality: High (Full access to the running process environment).
- Integrity: High (Ability to execute arbitrary system commands, deploy malware, and modify host configuration).
- Availability: High (Ability to deploy resource-intensive payloads like cryptocurrency miners).
## Remediation
### Patches
No specific vendor patch is detailed, as this is primarily a configuration issue. Remediation requires either a configuration change or an update to the affected service so that JDWP is disabled by default or otherwise protected.
### Workarounds
1. **Disable JDWP:** Ensure that debug flags are removed from production startup configurations.
2. **Network Segmentation/Firewalling:** Restrict network access to the JDWP port (commonly 5005) to only trusted internal network segments or specific administrator IP addresses.
3. **Authentication/Securing:** If JDWP must be used, ensure it is tunnelled securely (e.g., over SSH) or protected by strong access control mechanisms, as JDWP itself lacks native authentication.
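The following audit script is an added example, not code from the Wiz report: it parses JVM command lines for the debug flag shown under Configurations, classifies how the JDWP listener is exposed, and, for the SSH-tunnel case in workaround 3, rewrites an exposed address so it binds to loopback only. The `ps` output is constructed, and the `parse_jdwp`, `classify`, `harden` and `audit` names are this example's own.

```python
import re

# Matches the modern -agentlib:jdwp=... form and the legacy -Xrunjdwp:... form.
JDWP_RE = re.compile(r"-(?:agentlib:jdwp=|Xrunjdwp:)(?P<opts>\S+)")
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1", "[::1]"}

def parse_jdwp(cmdline):
    """Return the JDWP sub-options as a dict, or None when the JVM has no debug agent."""
    m = JDWP_RE.search(cmdline)
    if not m:
        return None
    return dict(kv.partition("=")[::2] for kv in m.group("opts").split(","))

def classify(cmdline):
    """none | outbound-attach | loopback | unspecified-host (bare port) | exposed."""
    opts = parse_jdwp(cmdline)
    if opts is None:
        return "none"
    if opts.get("server", "n") != "y":
        return "outbound-attach"  # JVM dials out to a debugger; nothing listens on the host
    host = opts.get("address", "").rpartition(":")[0]
    if host in LOOPBACK_HOSTS:
        return "loopback"
    if host == "":
        # Bare port: loopback-only on JDK 9+, all interfaces on older JDKs. Still a finding.
        return "unspecified-host"
    return "exposed"  # '*', '0.0.0.0' or any routable interface address

def harden(cmdline):
    """Rebind an exposed/ambiguous listener to loopback (dev use behind an SSH tunnel);
    production startup configs should drop the flag entirely instead."""
    opts = parse_jdwp(cmdline)
    if classify(cmdline) not in ("exposed", "unspecified-host") or not opts.get("address"):
        return cmdline
    opts["address"] = "127.0.0.1:" + opts["address"].rpartition(":")[2]
    m = JDWP_RE.search(cmdline)
    rebuilt = ",".join(f"{k}={v}" for k, v in opts.items())
    return cmdline[: m.start("opts")] + rebuilt + cmdline[m.end("opts"):]

# Constructed sample of `ps -eo pid,args` output, not real telemetry.
SAMPLE_PS = """\
  412 java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -jar app.jar
  577 java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:5005 -jar app.jar
  690 java -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005 -jar legacy.jar
  811 java -Xmx2g -jar worker.jar
"""

def audit(ps_output):
    """(pid, verdict) for each listed JVM that carries a JDWP agent."""
    rows = [line.strip().partition(" ") for line in ps_output.splitlines()]
    return [(int(pid), classify(args)) for pid, _, args in rows if classify(args) != "none"]
```

Running `audit(SAMPLE_PS)` flags PIDs 412 (exposed) and 690 (bare port, JDK-version dependent) and leaves 577 as loopback-only.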
## Detection
- **Indicators of Compromise (IoCs):**
  - File Hashes (SHA-1): `a923de9df0766d6c4be46191117b8cc6486cf19c`, `1879d5fa0c2ca816fcb261e96338e325e76dca09`, `18d83ba336ca6926ce8b9d68f104cff053f0c2f9`, `815bc1a79440cdc4a7e1d876ff2dc7bc4f53d25e`, etc. (See full IoC table).
  - Network Indicators: Scanning activity targeting port 5005, JDWP handshake attempts.
  - Command Patterns: Use of `curl`/`wget` followed by execution of shell scripts (`logservice.sh`, `o.sh`) in temporary/hidden directories (`/tmp`, `~/.config/logrotate`).
  - Persistence: Modifications to shell startup files (`.bashrc`, `.profile`, etc.) and addition of cron jobs.
- **Detection Methods and Tools:**
  - Network monitoring for unauthenticated JDWP handshake traffic on default or known JDWP ports.
  - Runtime sensors can detect the specific sequence of JDWP exploitation commands, file drop activity, and execution of cryptomining services (XMRig).
  - YARA rules targeting the observed payloads being dropped.
## References
- Wiz Research Team Investigation (General Context)
- Related tool/technique reference: [jdwp-shellifier](https://github.com/IOActive/jdwp-shellifier)