Source: cve-assign@fb.com
Buck parser-cache command loads/saves state using Java serialized object. If the state information is maliciously crafted, deserializing it could lead to code execution. This issue affects Buck versions prior to v2018.06.25.01.
Buck, a build system, is vulnerable to remote code execution (RCE) due to insecure deserialization of Java serialized objects within its parser-cache functionality. Attackers can craft malicious serialized objects to execute arbitrary code on systems running vulnerable versions of Buck, potentially leading to complete system compromise and data exfiltration.
Step 1: Payload Creation: The attacker crafts a malicious Java serialized object (payload) designed to execute arbitrary code upon deserialization. This payload leverages Java's deserialization capabilities to instantiate and execute malicious classes or methods.
Step 2: Payload Delivery: The attacker needs to get the malicious payload into the Buck parser-cache. This could be achieved by manipulating the build process, injecting the payload into a shared cache location, or exploiting other vulnerabilities to write the malicious serialized object to the cache.
Step 3: Cache Loading: When Buck attempts to load the parser cache, it deserializes the attacker-controlled serialized object using readObject().
Step 4: Code Execution: During deserialization, the malicious code embedded within the payload is executed, granting the attacker control over the system. This could involve executing shell commands, downloading malware, or exfiltrating sensitive data.
The vulnerability stems from the use of Java's built-in serialization mechanism to store and retrieve the state of the Buck parser cache. When Buck loads the cache, it deserializes the saved object without proper validation or filtering of the input. This allows an attacker to craft a malicious serialized object containing instructions to execute arbitrary code during the deserialization process. The root cause is the lack of input validation and sanitization of the serialized data, allowing for the execution of attacker-controlled code within the context of the Buck process. Specifically, the readObject() method, when used on untrusted input, can be exploited to instantiate arbitrary classes and execute their methods, leading to RCE. This is a classic example of an insecure deserialization vulnerability.
While no specific APTs are directly linked to this CVE, insecure deserialization vulnerabilities are commonly exploited by various threat actors. The impact of this vulnerability could be severe, potentially leading to supply chain attacks if the build system is compromised. This vulnerability is not listed on the CISA KEV at the time of this report, but the potential for exploitation warrants close monitoring.
Monitor network traffic for unusual connections originating from systems running Buck, especially those related to build processes.
Analyze file system activity for the creation or modification of files related to the Buck parser cache, looking for suspicious serialized object files.
Examine process execution logs for unexpected processes or commands spawned by the Buck process.
Implement file integrity monitoring on Buck-related files to detect unauthorized modifications.
Review Java deserialization logs for suspicious activity, such as the instantiation of unexpected classes during deserialization.
Use static analysis tools to scan the Buck codebase for insecure deserialization patterns.
Upgrade Buck to a version that addresses the vulnerability (v2018.06.25.01 or later).
Implement input validation and sanitization for all data deserialized by Buck, ensuring that only trusted data is processed.
Consider using a safer deserialization framework or library that provides better security controls, such as the java.io.ObjectInputFilter interface (Java 9+).
Restrict access to the Buck parser cache to authorized users and processes only.
Regularly scan the Buck codebase for insecure deserialization vulnerabilities using static analysis tools.
Implement a Web Application Firewall (WAF) to filter malicious requests.