Remote Code Execution
What Is Remote Code Execution (RCE)?
Remote code execution (RCE) is a type of security vulnerability that allows attackers to run arbitrary code on a remote machine, connecting to it over public or private networks.
RCE is considered part of a broader group of vulnerabilities known as arbitrary code execution (ACE) — RCE are possibly the most severe type of ACE, because they can be exploited even if an attacker has no prior access to the system or device. RCE is equivalent to a full compromise of the affected system or application, and can result in serious consequences such as data loss, service disruption, deployment of ransomware or other malware, and lateral movement of the attacker to other sensitive IT systems.
Impact of Remote Code Execution Attacks
RCE vulnerabilities can have severe impacts on a system or application, including:
- Penetration — attackers can use RCE vulnerabilities as their first entry into a network or environment.
- Privilege escalation — in many cases, servers have internal vulnerabilities which can only be seen by those with inside access. RCE allows an attacker to discover and exploit these vulnerabilities, escalating privileges and gaining access to connected systems.
- Sensitive data exposure — RCE can be used to exfiltrate data from vulnerable systems by installing data-stealing malware or directly executing commands. This can range from simple copying of unencrypted data to memory-scraping malware that looks for credentials in system memory.
- Denial of Service (DoS) — an RCE vulnerability allows attackers to execute code on a system. This code can be used to exhaust system resources and crash the system, or to leverage the system’s resources to conduct DoS against third parties.
- Cryptomining — a common next step after exploiting RCE is to run cryptomining or cryptojacking malware that uses the computing resources of an infected device to mine cryptocurrencies, to the financial benefit of the attacker.
- Ransomware — possibly the most dangerous consequence of RCE is that attackers can deploy ransomware on the affected application or server, and spread ransomware through the network, denying users access to their files until they pay a ransom.
Types of RCE Attacks
There are several types of RCE attacks. The most common are:
- Injection attack — various applications allow user-supplied input to execute commands. Attackers can provide deliberately malformed input data to execute arbitrary code.
- Deserialization attack — applications often use serialization to organize data for easier communication. Deserialization programs can interpret user-supplied serialized data as executable code.
- Out-of-bounds write — applications often allocate fixed memory chunks to store data. Memory allocation flaws allow attackers to supply inputs that write outside the buffer — the memory stores executable code, including malicious code.
Remote Code Execution Exploit Techniques
There are two primary methods for performing RCE: remote code evaluation and stored code evaluation.
Remote Code Evaluation
Code evaluation occurs when functions that evaluate code accept user input. For example, some applications allow users to generate variable names using their usernames — the users control their usernames, so they can create a username including malicious code, and influence applications that enable input evaluation for a certain programming language.
Stored Code Evaluation
This method differs from standard remote code evaluation because it relies on the interpreter parsing files rather than specific language functions. The interpreter should not execute files with user input. Web applications often have an upload functionality but do not sufficiently validate the files.
For example, an application might have a control panel for each user with specific language variable settings, which it stores in a config file. Attackers can modify the language parameter to inject code into the configuration file, allowing them to execute arbitrary commands.
Examples of Known Remote Code Execution Vulnerabilities
Here are some of the most significant RCE vulnerabilities discovered in recent years:
- CVE-2021–44228 (Log4Shell) — a vulnerability in Apache Log4j 2.x, which was followed by additional Log4j vulnerabilities CVE-2021–45046 and a CVE-2021–45105. It affects multiple versions of Log4j, a common logging library used by millions of Java applications, including some of the world’s biggest online services. It allows attackers to execute code remotely even if they are not authenticated, by creating a malicious LDAP server and accessing it via the Log4j JndiLookup class.
- CVE-2021–1844 — a vulnerability in operating system modules of Apple iOS, macOS, watchOS, and Safari. When a victim uses a vulnerable device to access an attacker-controlled URL, the operating system executes a malicious payload on that device.
- CVE-2020–17051 — a vulnerability affecting a Microsoft Windows communication protocol, NFS v3. An attacker can use it to connect to a vulnerable NFS server and send a payload to run on the target endpoint.
- CVE-2019–8942 — a vulnerability in WordPress 5.0.0, allowing attackers to execute arbitrary code in WordPress by uploading a specially crafted image file that includes PHP code in its Exif metadata.
Mitigation and Detection of RCE Attacks
Remote code execution attacks can exploit various vulnerabilities, so protecting against them requires a multi-faceted approach. Here are some best practices to detect and mitigate RCE attacks:
- Sanitize inputs — attackers often exploit deserialization and injection vulnerabilities to perform RCE. Validating and sanitizing user-supplied input before allowing the application to use it will help prevent various RCE attack types.
- Manage memory securely — attackers can exploit memory management issues like buffer overflows. It is important to run regular vulnerability scans for all applications to identify buffer overflow and memory-related vulnerabilities to remediate issues before an attacker can perform RCE.
- Inspect traffic — RCE attacks involve attackers manipulating network traffic by exploiting code vulnerabilities to access a corporate system. Organizations should implement a network security solution that detects remote access and control of their systems and blocks attempted exploits of vulnerable applications.
- Control access — RCE gives attackers a foothold in the target network that they can use to expand access and execute more damaging attacks. Access controls and techniques like network segmentation, zero trust policies, and access management platforms can help prevent lateral movement, ensuring that attackers cannot escalate an attacker after gaining initial access to the target system.
Remote Code Execution Protection with Imperva
Imperva provides two security capabilities that effectively protect against RCE attacks:
- Web Application Firewall — Prevent attacks with world-class analysis of web traffic to your applications.
- Runtime Application Self-Protection (RASP) — Real-time attack detection and prevention from your application runtime environment goes wherever your applications go. Stop external attacks and injections and reduce your vulnerability backlog.
Beyond RCE protection, Imperva provides comprehensive protection for applications, APIs, and microservices:
API Security — Automated API protection ensures your API endpoints are protected as they are published, shielding your applications from exploitation.
Advanced Bot Protection — Prevent business logic attacks from all access points — websites, mobile apps and APIs. Gain seamless visibility and control over bot traffic to stop online fraud through account takeover or competitive price scraping.
DDoS Protection — Block attack traffic at the edge to ensure business continuity with guaranteed uptime and no performance impact. Secure your on premises or cloud-based assets — whether you’re hosted in AWS, Microsoft Azure, or Google Public Cloud.
Attack Analytics — Ensures complete visibility with machine learning and domain expertise across the application security stack to reveal patterns in the noise and detect application attacks, enabling you to isolate and prevent attack campaigns.
Client-Side Protection — Gain visibility and control over third-party JavaScript code to reduce the risk of supply chain fraud, prevent data breaches, and client-side attacks.