Critical vulnerability in TIBCO Data Virtualization software. Patch now

Pedro Ribeiro, founder and researcher at UK security firm Agile Information Security, claims to have found a method to perform a remote code execution (RCE) attack on some older but still available versions of TIBCO Data Virtualization (TDV), an enterprise data virtualization platform. The specialist assures that the RCE is achieved by abusing some security problems in the BlazeDS and Java BeanShell libraries, which received updates years ago.

The expert mentions that he managed to design this Ruby exploit after finding an unauthenticated Action Message Format (MFA) endpoint API. This implementation proved vulnerable to insecure Java deserialization and an unsupported Java library that was part of an exploit chain.

The report mentions that the exploitation would affect Linux and Windows hosts. The latest version of TDV (v4.3), was released in May 2021 and fixed the issue in a seemingly unintentional way, all with the removal of the AMF endpoint vulnerable to a flaw detected in 2017.

Ribeiro had previously designed methods to exploit flaws in DrayTek VigorACS and Cisco ISE, all based on the abuse of a jrmp ysoserial payload that returns the malicious object to the caller. However, this technique became obsolete starting with TDV v8.3, which implements JEP-290 for filtering some kinds of malicious developments. The researcher managed to execute the RCE condition in TDV v8.3 using a JEP-290 evasion technique, initially designed by expert Matthuas Kaiser.

The researcher sent a detailed report to TIBCO in which he also requested that the company confirm that TDV v8.4 is not affected by this condition. TIBCO confirmed that the report would be analyzed, although Ribeiro would not be credited until it was fully demonstrated that the potential security patches were effective.

Because he was unhappy with the company’s disclosure policy, Ribeiro decided to go ahead and publish his full report: “I think I did the right thing by disclosing the exploit; it’s time companies like this stop treating the researchers like cattle”, the expert concluded.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.