Lucee Quarantine Mode

Hey Juan,

The Quarantine mode is something which secures your server to the highest level for penetration. Let me explain what is possible and what the background of this is. It might even be worth a blog post:

One of our customers had an issue with his site being attacked by a hacker (potential ex-employee) who was able to upload code to the server which then would be executed. So he was able to upload CFM files somehow which downloaded stuff he wanted from the database etc. And being able to execute the code, he downloaded the complete source code of the application.

What we came up with is the quarantine mode which allows you to run Lucee in 3 different levels:

  1.  Regular setup. You run Lucee as is, with .cfm files being normally compiled to .class files the way you know it.

  2.  Read-only setup. Lucee will not compile new or changed files but only execute existing .class files. This still would allow attackers to upload code into the cfclasses folder and attack the server in this way. But nonetheless way more secure than 1.

  3.  Quarantine mode. Lucee uses a tool to deploy .class files to the server which runs in this mode. The code is signed with a private SHA key. This key is not known at the server level as the deployment happens from the Preprod server or, say, the Jenkins server. Rasia has written such a deployment tool which signs .class files to do exactly that. This tool also rewrites the .lco files of the server (which you then can replace on your server) so that the server can only execute files that are decryptable by a public key.

The deployment tool (we called it Delila) also generates the private and the public key. The public key is one of the startup params of the public Lucee server.

Here are the advantages:

  • No editing of files on the live server anymore
  • No source file on the server anymore
  • Attackers can’t upload their own malicious code (unless they have the private key and the tool to encrypt class files)
  • No real performance hits (only on first read, but negligible)
  • Additional hardening of the live server

Disadvantages:

  • No editing of files on the live server anymore
  • Updates are a little more complicated
  • Small performance hit
  • Error handling a little more complex (no stack trace in the error messages, as the source files normally are not on the server anymore)

I really think that this is a great improvement for Lucee. The deployment tool is not 100% ready for release yet, but it will be soon. Let me know if you want to know anything else regarding the quarantine mode.

Sincerely
Gert Franz
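The signing and verification split that the post describes for quarantine mode, as an added Go example that is not Delila's code and not part of Lucee. The post names no algorithm, so this assumes Ed25519 signatures over a SHA-256 digest of each class file's path and bytes, and a simple in-memory manifest stands in for whatever the real tool writes into the rewritten .lco files. The deployment host holds the private key and produces the manifest; the live server holds only the public key and refuses any class file whose signature is missing, does not match its bytes, or was made under a different path. The sample class files are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
)

// Manifest maps an artifact path to the signature the deployment tool
// produced for it. It stands in for whatever the real tool embeds in the
// rewritten .lco files (assumption: the post does not describe that format).
type Manifest map[string][]byte

// artifactDigest hashes the path together with the bytes, so a valid
// signature for one class file cannot be reused under another path.
func artifactDigest(path string, data []byte) []byte {
	h := sha256.New()
	h.Write([]byte(path))
	h.Write([]byte{0}) // separator so "a"+"bc" and "ab"+"c" hash differently
	h.Write(data)
	return h.Sum(nil)
}

// SignArtifacts is the deployment-host side: the private key lives only here
// (the preprod or Jenkins box in the post), never on the live server.
func SignArtifacts(priv ed25519.PrivateKey, files map[string][]byte) Manifest {
	m := make(Manifest, len(files))
	for path, data := range files {
		m[path] = ed25519.Sign(priv, artifactDigest(path, data))
	}
	return m
}

// VerifyArtifact is the live-server side: it holds only the public key and
// accepts a class file only if the manifest carries a valid signature for it.
func VerifyArtifact(pub ed25519.PublicKey, m Manifest, path string, data []byte) bool {
	sig, ok := m[path]
	if !ok {
		return false // no signature at all, e.g. a file dropped into cfclasses by hand
	}
	return ed25519.Verify(pub, artifactDigest(path, data), sig)
}

// PartitionArtifacts applies VerifyArtifact to everything found in the class
// directory and returns which paths may be loaded and which must be refused.
func PartitionArtifacts(pub ed25519.PublicKey, m Manifest, files map[string][]byte) (accepted, rejected []string) {
	for path, data := range files {
		if VerifyArtifact(pub, m, path, data) {
			accepted = append(accepted, path)
		} else {
			rejected = append(rejected, path)
		}
	}
	sort.Strings(accepted)
	sort.Strings(rejected)
	return accepted, rejected
}

func main() {
	// Constructed sample: two "class files" produced by the build and signed on
	// the deployment host. Real key pairs would be generated once and stored.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	built := map[string][]byte{
		"cfclasses/index_cfm$cf.class": []byte("\xca\xfe\xba\xbe index"),
		"cfclasses/login_cfm$cf.class": []byte("\xca\xfe\xba\xbe login"),
	}
	manifest := SignArtifacts(priv, built)

	// What the live server later finds on disk: one deployed file intact, one
	// modified after deployment, plus a third file nobody signed.
	onDisk := map[string][]byte{
		"cfclasses/index_cfm$cf.class":    built["cfclasses/index_cfm$cf.class"],
		"cfclasses/login_cfm$cf.class":    []byte("\xca\xfe\xba\xbe login (modified)"),
		"cfclasses/unsigned_cfm$cf.class": []byte("\xca\xfe\xba\xbe unsigned"),
	}
	accepted, rejected := PartitionArtifacts(pub, manifest, onDisk)
	fmt.Println("accepted:", accepted)
	fmt.Println("rejected:", rejected)
}
```

Binding the path into the digest is the detail worth keeping: without it, a signature over a legitimately deployed class could be copied onto a different file name with the same bytes, which is harmless for identical bytes but leaves the manifest unable to say which path a signature was meant for. The rejected list is also the natural thing to log and alert on, since in quarantine mode any unverified .class file appearing on the live server is by definition unexpected.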
