Lucee Quarantine Mode

Lucee Undocumented - dev.Objective() 2016 Lucee Quarantine Mode

“If you want to have any information about this, come and see me later.”

OK, Gert. Interested. What do you have?

Hey Juan,

The Quarantine mode is something which secures your server to the highest level for penetration. Let me explain what is possible and what the background of this is. It might even be worth a blog post:

One of our customers had an issue with his site being attacked by a hacker (potential ex-employee) who was able to upload code to the server which then would be executed. So he was able to upload CFM files somehow which downloaded stuff he wanted from the database etc. And being able to execute the code he downloaded the complete source code of the application.

What we came up with is the quarantine mode which allows you to run Lucee in 3 different levels:

  1.  Regular setup. You run Lucee as is with .cfm files being normally compiled to .class files the way you know it.
  2.  Read-only setup. Lucee will not compile new or changed files but only execute existing .class files. This still would allow attackers to upload code into the cfclasses folder and attack the server in this way. But nonetheless way more secure than 1.
  3.  Quarantine mode. Lucee uses a tool to deploy .class files to the server which runs in this mode. The code is signed with a private SHA key. This key is not known at the server level as the deployment happens from the Preprod server or say the Jenkins server. Rasia has written such a deployment tool which signs .class files to do exactly that. This tool also rewrites the .lco files of the server (which you then can replace on your server) so that the server can only execute files that are decryptable by a public key.
The Deployment Tool (We called it Delila) also generates the private and the public key. The public key is one of the startup params of the public Lucee server.

Here are the advantages:

  • No editing of files on the live server anymore
  • No source file on the server anymore
  • Attackers can’t upload their own malicious code (unless they have the private key and the tool to encrypt class files)
  • No real performance hits (only on first read, but negligible)
  • Additional hardening of the live server

Disadvantages:

  • No editing of files on the live server anymore
  • Updates are a little more complicated
  • Small performance hit
  • Error handling a little more complex (no stack trace in the error messages, as the source files normally are not on the server anymore)

I really think that this is a great improvement for Lucee. The deployment tool is not 100% ready for release yet, but it will soon. Let me know if you want to know anything else regarding the quarantine mode.

Sincerely
Gert Franz

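The deploy-time signing that Gert describes in mode 3, as an added illustration that is not Delila or Lucee code: a build host signs compiled class bytes with a private key it never shares, and the server, which holds only the public key, refuses anything whose signature is missing or does not verify (a copy edited on disk, or a file dropped into the class folder). Ed25519, the detached-signature layout, the `Deploy`/`Load`/`Demo` names and the sample class bytes are all assumptions for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Constructed stand-in for a compiled .class file (real ones start with 0xCAFEBABE).
var sampleClass = []byte{0xCA, 0xFE, 0xBA, 0xBE, 0x00, 0x00, 0x00, 0x34, 0x00, 0x10}

// SignedClass is what the deployment side ships: the compiled bytes plus a
// detached Ed25519 signature over them (hypothetical format, not Delila's).
type SignedClass struct {
	Bytes     []byte
	Signature []byte
}

// Deploy runs on the build/preprod host, the only place the private key exists.
func Deploy(priv ed25519.PrivateKey, classBytes []byte) SignedClass {
	return SignedClass{Bytes: classBytes, Signature: ed25519.Sign(priv, classBytes)}
}

var ErrUntrusted = errors.New("class rejected: signature missing or invalid")

// Load models the quarantined server: it holds only the public key (a startup
// parameter) and hands back class bytes only if the signature verifies.
func Load(pub ed25519.PublicKey, sc SignedClass) ([]byte, error) {
	if len(sc.Signature) != ed25519.SignatureSize || !ed25519.Verify(pub, sc.Bytes, sc.Signature) {
		return nil, ErrUntrusted
	}
	return sc.Bytes, nil
}

// Demo generates a fresh key pair and reports three outcomes: a genuine
// deployment loads, a byte-flipped copy is rejected, an unsigned upload is rejected.
func Demo() (bool, bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	signed := Deploy(priv, sampleClass)
	_, e1 := Load(pub, signed)
	tampered := SignedClass{Bytes: append([]byte{}, signed.Bytes...), Signature: signed.Signature}
	tampered.Bytes[len(tampered.Bytes)-1] ^= 0xFF // class edited on disk after deployment
	_, e2 := Load(pub, tampered)
	_, e3 := Load(pub, SignedClass{Bytes: sampleClass}) // unsigned file placed in the class folder
	return e1 == nil, errors.Is(e2, ErrUntrusted), errors.Is(e3, ErrUntrusted), nil
}
```

Note that this only protects what the server loads; the private key on the build host and the public key passed at startup are the parts that still need guarding.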

‘who was able to upload code to the server which then would be executed. So he was able to upload CFM files somehow’

Hey Gert,

To be clear on the above - was this attack being perpetrated by the hacker by taking advantage of an (as yet unknown) flaw with Lucee itself, or was this a reflected attack after gaining access to the server by some other port/service? Being able to upload .cfm files to a Lucee server ‘somehow’ isn’t very reassuring and while I agree the quarantine option is a nice addition to Lucee in either case for production servers, the method by which this attack took place seems to be being overlooked in favor of simply applying a band-aid?

– Denny

Thanks, Gert.

I’ll be happy to test “quarantine mode” once it’s available.

I see it being very useful for CI / immutable servers - you can roll a server forward or backwards to known sets of files just by pushing a new/old file to it. This could be handy.

Tom

Sorry for the late reply, just saw this thread now, but the answer to your question is: No.


The attack happened by a flaw in the source code of the application which an insider used against his former employer.
And remember the issue has happened, because the attacker was able to tamper with the source code and not upload stuff. Just imagine if your server is read-only secured. Better than that, there is nothing in terms of Lucee. You don’t even have the source code on the server…

I know, replied a little late, but the topic gets hot again as we have another customer with similar issues.