SpeakUp" Linux trojan discovery

This document (7023707) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 11

SUSE Linux Enterprise Server 12

SUSE Linux Enterprise Server 15

Situation

A new trojan / rootkit has been discovered codenamed "SpeakUp", affecting remote accessible servers over various intrusion vectors.

Checkpoint has published more information :

https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/

The trojan itself is not using new security vulnerabilities, but it exploits various already known security issues to inject into the system and then stays persistent.

Resolution

None of these issues are in SUSE supported packages

Cause

CVE-2018-20062 - Code execution in NoneCMS
CVE-2012-0874 - JBoss Enterprise Application Platform Multiple Security Bypass Vulnerabilities
CVE-2010-1871 - JBoss Seam Framework remote code execution
JBoss AS 3/4/5/6 - Remote Command Execution
CVE-2017-10271 - Oracle WebLogic wls-wsat Component Deserialization RCE
CVE-2018-2894 - Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware.
Hadoop YARN ResourceManager – Command Execution
CVE-2016-3088 - Apache ActiveMQ Fileserver File Upload Remote Code Execution Vulnerability.

as well as

various password combinations to login in to Admin webpanels

Additional Information

SUSE recommends to manage all installed third party components on systems and to also use strong passwords on any intranet tools.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.