CVE-2020-12835 in ReadyAPI SoapUI Pro

Summary

by MITRE

An issue was discovered in SmartBear ReadyAPI SoapUI Pro 3.2.5. Due to unsafe use of a Java RMI based protocol in an unsafe configuration, an attacker can inject malicious serialized objects into the communication, resulting in remote code execution in the context of a client-side Network Licensing Protocol component.


Analysis

by VulDB Data Team • 05/21/2020

CVE-2020-12835 affects SmartBear ReadyAPI SoapUI Pro 3.2.5 and concerns the product's network licensing protocol. The licensing client talks to its license server over a Java RMI based protocol, in a configuration that lets the remote peer supply serialized Java objects which the client deserializes without restriction. Because the weakness sits in the client-side Network Licensing Protocol component, an attacker who controls or intercepts the license communication can achieve remote code execution in the security context of the ReadyAPI process on the workstation or build host running it.

The root cause is native Java serialization over RMI with no restriction on which classes the client will instantiate from the stream. When the client processes a reply containing a crafted serialized object graph, the Java runtime resolves and instantiates the classes named in the stream and runs their deserialization hooks (readObject, readResolve and similar) before the caller ever gets to cast or validate the result. The attacker does not need to ship new code: a gadget chain assembled from classes already on the client's classpath is enough for deserialization itself to reach a sink such as a process launch or a file write. The weakness is classified as CWE-502 (Deserialization of Untrusted Data) and is mapped to ATT&CK sub-techniques T1059.007 (Command and Scripting Interpreter: JavaScript) and T1059.001 (Command and Scripting Interpreter: PowerShell), which describe the interpreters an attacker would typically invoke from such a sink on the affected host.

Operationally, the flaw lets an attacker execute code on a host running the affected software without credentials or physical access; from there malware can be installed, persistence established, or privileges escalated. The exposure deserves attention because the vulnerable component is the licensing client, which may be active on developer workstations and CI hosts that expose no inbound services at all: such a host is still at risk if it reaches a malicious or compromised license endpoint, or if an attacker on the internal network can interpose on the RMI connection. The case also illustrates the broader risk of legacy components that keep using native Java serialization over RMI without hardening.

Remediation starts with the fixed release published by SmartBear; confirm that no installation still reports version 3.2.5. Until every host is updated, restrict where the licensing client may connect: segment hosts running ReadyAPI from critical network segments and permit RMI traffic only between the client and the legitimate license server. Disable network licensing where it is not essential. For Java software that must keep deserializing network input, a JEP 290 serialization filter (an allow-list applied per stream or JVM-wide via -Djdk.serialFilter) rejects unexpected classes before they are instantiated and is a reasonable compensating control even where the vendor code cannot be changed. Security teams should watch for Java serialized-object traffic (stream header 0xACED0005) on the licensing port from unexpected peers and alert on child processes spawned by the ReadyAPI JVM. Finally, inventory other legacy components that use similar RMI configurations, since this class of weakness is common in older enterprise applications that have not been hardened.
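The following is an added illustration of the root cause described above and of the serialization-filter mitigation; it is not ReadyAPI or SoapUI code and does not reproduce the product's protocol. The class names (LicenseClientDemo, LicenseReply, Gadget), the wire format (a raw Java serialization stream standing in for the RMI reply) and the "malicious server" payload are all hypothetical. It needs Java 9 or later, where java.io.ObjectInputFilter is public (Java 8u121+ carries the same API as sun.misc.ObjectInputFilter).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/*
 * Hypothetical licensing client (not ReadyAPI code): it reads one reply object
 * from its license server over a Java-serialization channel.
 */
public class LicenseClientDemo {

    /** The only reply type the client legitimately expects (hypothetical). */
    static final class LicenseReply implements Serializable {
        private static final long serialVersionUID = 1L;
        final String licensee;
        final long expiresEpochSeconds;
        LicenseReply(String licensee, long expiresEpochSeconds) {
            this.licensee = licensee;
            this.expiresEpochSeconds = expiresEpochSeconds;
        }
    }

    /**
     * Stand-in for a gadget class placed in the stream by a malicious peer.
     * Real gadget chains reuse classes already on the victim's classpath; the
     * point here is that readObject() runs during deserialization, before the
     * caller can cast or validate anything.
     */
    static final class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean triggered = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            triggered = true;   // attacker-controlled side effect (would be a command sink in a real chain)
        }
    }

    /** Serializes an object the way the server side would put it on the wire. */
    static byte[] toWire(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    /** Vulnerable pattern (CWE-502): whatever the peer sent is instantiated. */
    static Object readUnsafe(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            return in.readObject();
        }
    }

    /**
     * Hardened pattern: a JEP 290 allow-list filter decides per class, before the
     * class is resolved, whether it may be deserialized. "!*" rejects everything
     * not listed; maxdepth bounds the object graph. The same pattern string can be
     * applied JVM-wide with -Djdk.serialFilter=... when the code cannot be changed.
     */
    static final ObjectInputFilter LICENSE_FILTER = ObjectInputFilter.Config.createFilter(
            "LicenseClientDemo$LicenseReply;java.lang.String;maxdepth=3;!*");

    static Object readFiltered(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            in.setObjectInputFilter(LICENSE_FILTER);
            return in.readObject();   // throws InvalidClassException if the filter rejects a class
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = toWire(new LicenseReply("acme", 1893456000L));   // constructed sample reply
        byte[] hostile = toWire(new Gadget());                           // constructed malicious reply

        LicenseReply ok = (LicenseReply) readFiltered(benign);
        System.out.println("filtered benign reply: licensee=" + ok.licensee);

        Gadget.triggered = false;
        try {
            LicenseReply r = (LicenseReply) readUnsafe(hostile);   // cast fails, but only after readObject ran
        } catch (ClassCastException e) {
            System.out.println("unsafe path: gadget readObject ran = " + Gadget.triggered);
        }

        Gadget.triggered = false;
        try {
            readFiltered(hostile);
        } catch (InvalidClassException e) {
            System.out.println("filtered path: rejected (" + e.getMessage() + "), gadget ran = " + Gadget.triggered);
        }
    }
}
```

Running it prints that the unsafe path executed the gadget's readObject before the ClassCastException surfaced, while the filtered path rejected the stream with the gadget never instantiated. The allow-list must name every class the legitimate reply can contain (including nested and array types), so build it from a captured benign exchange and test it before deployment; an over-tight filter breaks licensing rather than securing it.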

Reservation

05/13/2020

Moderation

accepted

CPE

ready

EPSS

0.11700

KEV

no

Activities

very low
