Cisco Event Response: Oracle Security Alert for CVE-2012-4681

Threat Summary: September 6, 2012

On August 22, 2012 Cisco Security Intelligence Operations (SIO) telemetry collection and analysis systems detected endpoints accessing websites that were being equipped to host and distribute a malicious Java Archive (JAR). On August 23 the initial attempt to download the JAR occurred but was prevented. Execution of the malicious JAR results in the exploitation of a 0-day vulnerability in the Java Runtime Environment (JRE).

This vulnerability was assigned CVE-2012-4681 and Oracle published its Security Alert for CVE-2012-4681 on August 30, 2012 to address and disclose affected products. This vulnerability only applies to client deployments of Java. Client endpoints running JRE Version 7 Update 6 and prior are vulnerable to CVE-2012-4681.

This vulnerability should be considered an urgent risk and users are strongly advised to apply the patch published by Oracle in the Security Alert.

The vulnerability exists because the affected software fails to properly restrict access to the setSecurityManager() function. An unauthenticated, remote attacker could exploit this vulnerability to bypass Java sandbox restrictions by convincing a user to visit a crafted HTML document or website that is designed to submit malicious input to the vulnerable system. Successful exploitation could allow the attacker to execute arbitrary code with elevated privileges on the system.

Threat Updates

September 10, 2012: The Cisco Product Security Incident Response Team (PSIRT) has investigated and determined no Cisco products are affected by CVE-2012-4681.

Cisco Security
Intelligence Operations

Event Intelligence

The following table identifies Cisco Security Intelligence Operations content that is associated with this Oracle Security Alert:

Oracle Security Alert	Cisco IntelliShield Alerts	CVE ID	Cisco Mitigations	CVSS Base Score
Oracle Security Alert for CVE-2012-4681 Oracle Java 7 Security Manager Bypass Vulnerability	Vulnerability Alert: Oracle Java Security Manager Bypass Arbitrary Code Execution Vulnerability	CVE-2012-4681	IPS Signature 1421/0 (S664) Cisco IronPort Web Security Appliance (WSA) Cisco ScanSafe Cloud Web Security	10.0
	Security Activity Bulletin: Oracle Java Multiple Unspecified Vulnerabilities Update	CVE-2012-4681		10.0
		CVE-2012-1682	-	10.0
		CVE-2012-3136	-	10.0
		CVE-2012-0547	-	0.0

Cisco Security Intelligence Operations Analysis

Cisco SIO is monitoring the threat landscape and has observed multiple download attempts of malicious JAR files that exploit CVE-2012-4681. These download attempts were prevented using existing countermeasures and controls by Cisco IronPort Web Security Appliance devices and Cisco ScanSafe Cloud Web Security services.

The primary market segments from which Cisco SIO has observed download attempts are Energy, Oil, and Gas and Pharmaceutical and Chemical.

An SIO analyst has also published a series of blog posts about this Java 0-day vulnerability and the risks and mitigations associated with it.

Web-based threats continue to evolve and exploit combinations continue to target endpoints using various tactics. Users may consider reevaluating browsing habits, securing your web browser, and the web browsers used to access various types of resources.

Cisco SIO has observed multiple exploit kits (BlackHole, Sakura, Nuclear, and RedKit) using CVE-2012-4681 as an attack vector. Exploit kit authors will continue to add this vulnerability to their kits, and it is strongly advised that users take action and perform one of the recommended countermeasures and controls provided in the next section of this Event Response.

Additionally, Cisco SIO detected and correlated sources hosting and distributing the malicious JAR exploiting CVE-2012-4681 and determined that the sources were also affiliated with the Nitro Exploit Kit back on August 1, 2012.

Impact on Cisco Products

The Cisco Product Security Incident Response Team (PSIRT) has investigated whether Cisco products are affected by CVE-2012-4681. PSIRT has determined there are currently no products affected by this vulnerability. If the Cisco PSIRT teams discovers that a product is vulnerable to CVE-2012-4681, then information about affected products will be published at Cisco Security Advisories and Responses. As always, ensure that you monitor reports from Cisco PSIRT for any Cisco product related vulnerabilities.

Countermeasures and Controls on Client Endpoints

CVE-2012-4681 only affects client deployments of Java 7 Update 6 and prior.

NOTE: By default, the Apple Mac OS X operating system is not affected by CVE-2012-4681, as Apple does not install Java version 7. For a Mac OS X system to be affected, an administrator would have to manually install an affected version of Java 7 Update 6 or prior.

There are several countermeasures and controls that customers can perform on client endpoints to prevent exploitation of CVE-2012-4681:

Upgrade and patch to Java 7 Update 7
Downgrade to Java 6 Update 35
Disable Java
Disable Java plug-in in web browsers

Safari
Chrome
Firefox
Internet Explorer (only partially disables, visit Vulnerability Note VU#636312 and search for Disable the Java plug-in and Java Deployment Toolkit for Internet Explorer)

Uninstall Java
Use the Mozilla Firefox NoScript extension
Only access Java applets from known, trusted sources

Resources

Oracle Security Alert for CVE-2012-4681
Oracle Security Alert - CVE-2012-4681 Risk Matrices
Oracle Software Security Assurance Blog: Security Alert for CVE-2012-4681 Released
Oracle Java SE Downloads
Oracle Java SE Development Kit 7 Downloads

Cisco Vulnerability Alert: Oracle Java Security Manager Bypass Arbitrary Code Execution Vulnerability
Cisco Security Blog: New Java Vulnerability Used in Targeted Attacks
Cisco Security Blog: Oracle Java Zero Day Vulnerabilities Risks and Mitigations Part 2
Cisco IPS Signature 1421/0: Java 7 Applet Remote Code Execution Vulnerability

Fireeye Blog: Zero-Day Season is Not Over Yet
Fireeye Blog: Java Zero-Day - First Outbreak
Pastie: CVE-2012-XXXX Java 0day

DeepEnd Research: CVE-2012-4681 Java 7 0-Day vulnerability analysis
AlienVault Labs: New Java 0day exploited in the wild
Immunity Products: Java 0day analysis (CVE-2012-4681)

Rapid7 Blog: Let's start the week with a new Java 0-day in Metasploit
Rapid7: Is your Java exploitable?

Microsoft MMPC: Protecting yourself from CVE-2012-4681 Java exploits

Mitre: CVE-2012-4681

Threatpost: Oracle Releases Fix For Java CVE-2012-4681 Flaw
Threatpost: Newest Java 7 Update Still Exploitable, Researcher Says
Threatpost: Use of Java Zero-Day Flaws Tied to Nitro Attack Crew
Threatpost: Researchers Identify Second New Java Bug
Threatpost: Detecting and Removing Vulnerable Java Versions
Threatpost: Details of New Java Exploit Emerge
Threatpost: New Java Zero Day Being Used in Targeted Attacks

Contagio: Java 7 0-day vulnerability analysis

KrebsonSecurity: Attackers Pounce on Zero-Day Java Exploit
KrebsonSecurity: Researchers: Java Zero-Day Leveraged Two Flaws

Symantec: New Java Zero-Day Vulnerability (CVE-2012-4681)

Websense Blogs: Posts for CVE-2012-4681

Sourcefire VRT: CVE-2012-4681: bypassing built-in java security

US-CERT: Vulnerability Note VU#636312, Oracle Java JRE 1.7 Expression.execute() and SunToolkit.getField() fail to restrict access to privileged code
US-CERT: Alert (TA12-240A), Oracle Java 7 Security Manager Bypass Vulnerability
US-CERT: Securing Your Web Browser

Security Explorations: SE-2012-01 Security vulnerabilities in Java SE

avast! blog: Blackhats adopt latest Java 0day

Cisco Related Products and Services Links

Cisco Intrusion Prevention System
Cisco IOS IPS
Cisco IOS NetFlow
Cisco IronPort Email and Web Security Appliances
Cisco ScanSafe Cloud Web Security
Cisco Services for IPS
Cisco Security IntelliShield Alert Manager Service
Cisco IPS Signature Downloads
Cisco IPS Signature Search Page

Return to Cisco Security Intelligence Operations