Java deserialization attacks: What are they and how do they work?

Java deserialization vulnerabilities are continuing to crop up in a wide variety of products. A recent example was discovered in a controller implementation of the Extensible Authentication Protocol offered by TP-Link Technologies Co. Ltd., a Chinese networking equipment manufacturer. How do Java deserialization vulnerabilities, like the one found in the TP-Link EAP Controller, work and how do they expose wireless access points in this case?

TP-Link's EAP Controller implementation for Linux is used to remotely control wireless access points sold by the company. Recently, the software was found to have Java deserialization vulnerabilities that enabled attackers to exploit the affected wireless access points.

This type of attack occurs when an unauthenticated attacker deserializes untrusted or malformed data. The serialized output of an object instance, known as plaintext, can be reconstructed into a malformed object instance.

In this case, the vulnerability is exacerbated because the affected EAP controller uses a Java Remote Method Invocation (RMI) interface that lacks an authentication mechanism. This Java deserialization vulnerability derives from an older version of the Apache Commons Collection library.

When an attacker injects malformed data to exploit this vulnerability, it enables him to change application logic, remotely execute code and control the targeted device or server. Likewise, the root cause of the problem is that the remote execution service doesn't provide user authentication before the attacker deserializes the malformed data.

TP-Link's EAP controller v2.5.3 and earlier versions include a Java remote method that doesn't require an attacker to authenticate. An unauthenticated attacker can then use the RMI service commands to run deserialization attacks against the target EAP Controller server that is used to connect to wireless access points.

The RMI protocol enables an attacker to use RMI service commands for the vulnerable EAP controller to control the targeted server. The attacker can then inject malicious Java functions or malformed data before launching a deserialization attack. The attacker can request the controller to create a new administrative user for the target server.

Currently, a controller software update is available on the TP-Link website, and all of the company's products should be updated in order to prevent this attack. However, if your company must use older software, you could mitigate the risks by updating the vulnerable libraries.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)