According to a detailed analysis of the problem by security researcher Tobias Neitzel, Java RMI services can be targeted using server-side request forgery (SSRF) attacks. SSRF is a class of attack in which an attacker abuses a vulnerable web server to send requests of the attacker's choosing to other systems.
Web applications routinely initiate requests to other servers, commonly to retrieve remote resources such as software updates or to import metadata from a URL or another web application. Such inter-server requests are not inherently harmful, but if they are implemented carelessly they can expose a server to SSRF. An SSRF vulnerability is introduced when user-controllable data is used to construct the target URL: an attacker can then initiate or control requests from the vulnerable server simply by changing a parameter value in the vulnerable web application.
Java RMI is an object-oriented Remote Procedure Call (RPC) mechanism that is included in the vast majority of Java installations. Software developers can use it to make functionality available over a network. Java RMI relies on serialized Java objects for communication, a mechanism that attackers can still exploit even though the technology has been considerably hardened in recent years, according to Neitzel.
“As with all SSRF techniques, the major problem is that attackers may be able to attack RMI services that are supposed to only be accessed from trusted networks,” Neitzel explained. “Securing RMI properly is not that intuitive and there is a lot of hidden attack surface. Instead of configuring it properly, administrators often take the easy route and only allow access from trusted networks or clients.”
JMX is the most commonly used RMI service. Neitzel demonstrated that SSRF can be used to compromise a backend JMX service, but only if the vulnerable system relays responses from the backend service and accepts arbitrary bytes inside them. Similarly, SSRF-based attacks on default RMI components such as the RMI registry are possible, but only if the vulnerable system allows arbitrary bytes to be delivered to the backend service.
The German researcher goes on to list security best practices and countermeasures that protect RMI services against such attacks in his blog post. These include enabling TLS for all RMI endpoints, employing deserialization filters, and implementing stricter authentication controls.
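The three countermeasures listed above can all be applied when a service exports its JMX/RMI endpoints, as in this added example (it is not code from the article or from Neitzel's post). It assumes the standard JDK APIs only; the ports, the password and access file paths, and the filter pattern are placeholders that must be adapted to the application, and the JVM is assumed to have been started with a keystore/truststore configured via the usual `javax.net.ssl.*` properties.

```java
import java.io.ObjectInputFilter;
import java.lang.management.ManagementFactory;
import java.rmi.registry.LocateRegistry;
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServer;
import javax.management.remote.JMXConnectorServer;
import javax.management.remote.JMXConnectorServerFactory;
import javax.management.remote.JMXServiceURL;
import javax.management.remote.rmi.RMIConnectorServer;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

/** Hardened JMX-over-RMI export: TLS with client auth, deserialization filter, authentication. */
public class HardenedJmxServer {
    // Placeholder ports; the registry and the connector object deliberately use separate ports.
    static final int REGISTRY_PORT = 9010;
    static final int CONNECTOR_PORT = 9011;

    public static void main(String[] args) throws Exception {
        // 1. Deserialization filter (JEP 290) for the whole process. Anything not on the
        //    allow-list is rejected, so a gadget chain smuggled inside an RMI call fails
        //    before any constructor or readObject() runs. The pattern below is illustrative:
        //    it must be widened to whatever the application's own remote methods exchange.
        ObjectInputFilter.Config.setSerialFilter(ObjectInputFilter.Config.createFilter(
            "maxdepth=20;maxrefs=500;java.lang.*;java.util.*;javax.management.**;"
            + "javax.security.auth.Subject;java.rmi.MarshalledObject;!*"));

        // 2. TLS on both the registry and the exported connector object. needClientAuth=true
        //    means a plain-text request relayed through an SSRF vector is simply not a valid
        //    TLS client and is dropped at the handshake.
        SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
        SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory(null, null, true);
        LocateRegistry.createRegistry(REGISTRY_PORT, csf, ssf);

        Map<String, Object> env = new HashMap<>();
        env.put(RMIConnectorServer.RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE, csf);
        env.put(RMIConnectorServer.RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE, ssf);
        // 3. Authentication: password and access files (placeholder paths, mode 0600,
        //    owned by the service account); unauthenticated callers never reach MBeans.
        env.put("jmx.remote.x.password.file", "/etc/jmx/jmxremote.password");
        env.put("jmx.remote.x.access.file", "/etc/jmx/jmxremote.access");

        JMXServiceURL url = new JMXServiceURL("service:jmx:rmi://localhost:" + CONNECTOR_PORT
            + "/jndi/rmi://localhost:" + REGISTRY_PORT + "/jmxrmi");
        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
        JMXConnectorServer server = JMXConnectorServerFactory.newJMXConnectorServer(url, env, mbs);
        server.start();  // from here on every inbound RMI call is TLS-authenticated and filtered
    }
}
```

A quick check after deployment is to connect with a plain `jconsole` or a non-TLS RMI client and confirm it is rejected at the handshake rather than at the authentication step.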