CVE-2017-9830 in CrashPlan
Summary
by MITRE
Remote Code Execution is possible in Code42 CrashPlan 5.4.x via the org.apache.commons.ssl.rmi.DateRMI Java class, because (upon instantiation) it creates an RMI server that listens on a TCP port and deserializes objects sent by TCP clients.
Analysis
by VulDB Data Team • 10/21/2019
CVE-2017-9830 is a critical remote code execution flaw in Code42 CrashPlan 5.4.x, located in the org.apache.commons.ssl.rmi.DateRMI Java class. The flaw is insecure deserialization of remote objects in a remote method invocation (RMI) context: when DateRMI is instantiated it starts an RMI server that listens on a TCP port and deserializes whatever objects remote clients send it, without validating or restricting their types. That gives a remote attacker a path to arbitrary code execution on the affected system.
The mechanism is the Java deserialization behaviour of the RMI framework. Once instantiated, DateRMI accepts incoming TCP connections and reconstructs the serialized Java objects that clients send. Untrusted data is therefore deserialized, and the code paths that deserialization invokes run, inside the running application. This is the pattern catalogued as CWE-502 (Deserialization of Untrusted Data), which is especially serious when the deserializing process runs with elevated privileges. An attacker who crafts a malicious serialized object and sends it to the vulnerable RMI server can trigger arbitrary code execution on the target.
The operational impact is severe: a remote attacker can take complete control of a host running a vulnerable CrashPlan version, and from there escalate privileges, exfiltrate data and establish persistence. Because CrashPlan is typically deployed in enterprise environments for backup and disaster recovery, compromising it can lead to catastrophic data loss and to further infiltration of the environment. The exposure is greatest where the RMI service is reachable from untrusted networks, which makes the flaw particularly dangerous in cloud and hybrid environments where network boundaries are less clearly defined.
Exploitation of CVE-2017-9830 follows patterns consistent with the execution and privilege escalation tactics of the ATT&CK framework. The malicious serialized payload travels over whatever path reaches the RMI port, so firewalls and segmentation rules that permit that port offer no protection on their own, since they do not inspect the serialized content. The attack chain typically consists of reconnaissance to identify vulnerable systems, followed by crafting and sending the malicious serialized objects. Organizations should apply the vendor-provided patches immediately, disable RMI services that are not needed, and use network segmentation to restrict access to any remaining RMI endpoints. Monitoring for unusual RMI traffic and deploying application-level firewalls can additionally help detect and block exploitation attempts. The vulnerability illustrates the importance of input validation and secure coding practices in distributed systems, particularly those built on remote method invocation and object serialization.
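As an added illustration of the monitoring advice above (this is example code, not code from VulDB, Code42 or the Commons SSL project), the following Python inspects a captured TCP payload for a JRMP handshake and for embedded Java serialization streams, extracts the class names carried in TC_CLASSDESC records, and flags any class not on an allowlist. The allowlist (only java.util.Date), the JRMP sample (handshake and Call collapsed into one buffer) and the placeholder class name example.Placeholder are all constructed for this example; the page does not say which types DateRMI actually exchanges or which port it listens on, so treat those as assumptions to be replaced with observed values.

```python
"""Inspect captured TCP payloads for Java serialization streams and flag
class names that an RMI endpoint has no business receiving.

Added illustration for the CVE-2017-9830 analysis; not code from Code42,
Apache Commons SSL or VulDB. Allowlist and sample payloads are constructed.
"""
import re
import struct

# Java serialization stream constants (java.io.ObjectStreamConstants).
STREAM_MAGIC = b"\xac\xed"
STREAM_VERSION = b"\x00\x05"
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72

# JRMP (RMI wire protocol) constants (sun.rmi.transport.TransportConstants).
JRMP_MAGIC = b"JRMI"
JRMP_VERSION = 2
JRMP_PROTOCOLS = {0x4B: "StreamProtocol", 0x4C: "SingleOpProtocol", 0x4D: "MultiplexProtocol"}
JRMP_CALL = 0x50

# Dotted Java class names as they appear in a TC_CLASSDESC record, including
# array descriptors such as "[Ljava.lang.Object;".
_CLASS_NAME = re.compile(rb"^\[*L?[A-Za-z_$][A-Za-z0-9_$.]*;?$")

# Assumption for this example: a date service should only ever carry Dates.
ALLOWLIST = frozenset({"java.util.Date"})


def parse_jrmp_header(payload: bytes):
    """Return {'version', 'protocol'} if payload opens with a JRMP handshake, else None."""
    if len(payload) < 7 or payload[:4] != JRMP_MAGIC:
        return None
    (version,) = struct.unpack(">H", payload[4:6])
    protocol = JRMP_PROTOCOLS.get(payload[6])
    if version != JRMP_VERSION or protocol is None:
        return None
    return {"version": version, "protocol": protocol}


def extract_class_names(payload: bytes):
    """Class names named by TC_CLASSDESC records in the first serialization
    stream found in payload (an RMI Call message carries one after its header)."""
    names = []
    start = payload.find(STREAM_MAGIC + STREAM_VERSION)
    if start < 0:
        return names
    i = start + 4
    while i + 3 <= len(payload):
        if payload[i] == TC_CLASSDESC:
            (n,) = struct.unpack(">H", payload[i + 1:i + 3])
            candidate = payload[i + 3:i + 3 + n]
            if len(candidate) == n and _CLASS_NAME.match(candidate):
                names.append(candidate.decode("ascii"))
                i += 3 + n
                continue
        i += 1
    return names


def flag_unexpected_classes(payload: bytes, allowlist=ALLOWLIST):
    """Classes in the stream that are not on the allowlist, in the order seen."""
    return [name for name in extract_class_names(payload) if name not in allowlist]


def _classdesc(name: bytes, suid: bytes = b"\x00" * 8) -> bytes:
    """Constructed TC_CLASSDESC for a field-less class (sample-building helper only)."""
    return (bytes([TC_CLASSDESC]) + struct.pack(">H", len(name)) + name + suid
            + b"\x02"        # SC_SERIALIZABLE
            + b"\x00\x00"    # field count 0
            + b"\x78\x70")   # TC_ENDBLOCKDATA, TC_NULL superclass


# Constructed: the serialized form of a java.util.Date (serialVersionUID
# 7523967970034938905L), the kind of object a date service call would carry.
DATE_STREAM = bytes.fromhex(
    "aced0005"                                    # STREAM_MAGIC, STREAM_VERSION
    "73"                                          # TC_OBJECT
    "72" "000e" "6a6176612e7574696c2e44617465"    # TC_CLASSDESC, len 14, "java.util.Date"
    "686a81014b597419"                            # serialVersionUID
    "03"                                          # SC_SERIALIZABLE | SC_WRITE_METHOD
    "0000"                                        # field count 0
    "78"                                          # TC_ENDBLOCKDATA (class annotations)
    "70"                                          # TC_NULL (no superclass)
    "77" "08" "0000015f3e2a9e00"                  # TC_BLOCKDATA, 8 bytes of epoch millis
    "78"                                          # TC_ENDBLOCKDATA
)

# Constructed: JRMP handshake (StreamProtocol) followed by a Call carrying the Date.
JRMP_CALL_SAMPLE = JRMP_MAGIC + struct.pack(">H", JRMP_VERSION) + b"\x4b" + bytes([JRMP_CALL]) + DATE_STREAM

# Constructed: a stream naming a class the service should never receive.
SUSPICIOUS_STREAM = STREAM_MAGIC + STREAM_VERSION + bytes([TC_OBJECT]) + _classdesc(b"example.Placeholder")


if __name__ == "__main__":
    for label, buf in (("benign call", JRMP_CALL_SAMPLE), ("suspicious", SUSPICIOUS_STREAM)):
        print(label, parse_jrmp_header(buf), extract_class_names(buf), flag_unexpected_classes(buf))
```

The same allowlist idea belongs inside the JVM as well: since JEP 290 (Java 9, backported to 8u121) a process-wide `jdk.serialFilter` property rejects deserialization of classes that do not match a pattern, which is the control an RMI-exposed service needs in addition to network-level filtering.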