Left of Boom: Proactive Spring4Shell Detection with the Noname API Security Platform

April 6, 2022

Daren Presbitero Senior Solution Architect

Post Featured Image

Introduction

Between March 29th and March 31st, 2022, a zero day vulnerability was discovered in the Spring Framework, a popular framework used by Java developers. The vulnerability allowed for remote code execution (RCE) and was dubbed “Spring4Shell” (CVE-2022-22965).

On March 30th, 2022 proof of concept exploit code was released into the public domain and it was then determined that the Noname API Security Platform detected the Spring4Shell exploit and subsequent payloads proactively, without the need for any updates to the detection engine or detection signatures. How was this possible when other security solutions required signatures? It did this through a comprehensive platform that includes multiple methods of detection and response. Posture Management analyzes and detects misconfigured and misformatted APIs, and Runtime Protection detects suspicious behavior and API abuse.

left-of-boom-blog-image

Detection Method 1: Posture Management

The Noname API Security Platform proactively highlights the Spring4Shell exploit by comparing the incoming client requests and outgoing server replies observed through real traffic analysis, with what is “expected” for that API through its approved Open API Specification (OAS). If a new field or unexpected value is observed, it is considered to have violated the contracted OAS and an exception is flagged for further analysis. In the below image, you see that there is a Diff[erence] between the OAS contract and what was observed when the exploit was run.

left-of-boom-2

In the image below you can see that the delta consists of API requests that contain new field names that do not conform to the API specification for that API. class.module*** fields are the way in which the Spring4Shell vulnerability is exploited.

left-of-boom-3

Detection Method 2: Runtime Protection

The Noname API Security Platform proactively detected the Spring4Shell payloads as anomalies that align with Command Injection attempts. It did this through a machine-learning (ML) model and the threat was labeled through a classification label via logic matching.

left-of-boom-4

Summary

The Noname API Security Platform proactively detected the Spring4Shell exploit and payloads before it was known to the world, or “Left of Boom”. The Noname Platform uses multiple methods of analysis and detection that encompass posture management and runtime security. Through continuous analysis and scrutiny of API traffic compared with its contracted specifications it was able to determine key differences that helped identify the exploit. Through machine learning and classification it detected traffic anomalies that indicated an injection of remote commands; which in turn translates to “remote code execution” (RCE) as documented in the published CVE. These two indicators based on documented schema and anomalies represent actionable alerts for any security operations staff. Responders could then take action against the compromised API and attacker to reduce the impact to the organization.