CVE-2017-9363
📋 TL;DR
CVE-2017-9363 is a critical vulnerability in Soffid IAM console that allows remote attackers to execute arbitrary code through untrusted Java deserialization in authentication requests. Attackers can achieve complete system compromise by sending specially crafted serialized objects. Organizations running Soffid IAM console versions before 1.7.5 are affected.
💻 Affected Systems
- Soffid Identity and Access Management Console
📦 What is this software?
Soffid IAM, the identity and access management console by Soffid.
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with administrative privileges, data exfiltration, lateral movement, and persistent backdoor installation.
Likely Case
Remote code execution leading to credential theft, privilege escalation, and deployment of ransomware or other malware.
If Mitigated
Limited impact if network segmentation, strict firewall rules, and updated versions prevent exploitation attempts.
🎯 Exploit Status
Java deserialization vulnerabilities are well understood, with numerous public exploit tools available. Because the flaw sits in the handling of authentication requests, the vulnerable endpoint is reachable by anyone who can connect to the console.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.5 and later
Vendor Advisory: http://www.soffid.com/security-advisory1-update/
Restart Required: Yes
Instructions:
1. Download Soffid IAM console version 1.7.5 or later from official vendor sources.
2. Back up the current configuration and data.
3. Stop the Soffid IAM service.
4. Install the updated version.
5. Restart the service.
6. Verify functionality.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to the Soffid IAM console to only trusted IP addresses and networks.
Java Security Manager Configuration
Configure the Java Security Manager with a restrictive policy so that code reached through deserialization has as little capability as possible (the policy file name below is a placeholder; it does not stop deserialization itself, only what deserialized code can do afterwards).
java -Djava.security.manager -Djava.security.policy=restrictive.policy -jar soffid-console.jar
🧯 If You Can't Patch
- Implement strict network access controls to limit exposure to only necessary users and systems
- Deploy web application firewall (WAF) with Java deserialization attack detection rules
🔍 How to Verify
Check if Vulnerable:
Check the Soffid IAM console version. If version is less than 1.7.5, the system is vulnerable.
Check Version:
Check the console web interface or configuration files for version information, typically in /WEB-INF/version.properties or similar location.
Verify Fix Applied:
Verify the installed version is 1.7.5 or later and test authentication functionality.
📡 Detection & Monitoring
Log Indicators:
- Unusual Java serialization errors in application logs
- Multiple failed authentication attempts with malformed data
- Unexpected process spawns or network connections from Java process
Network Indicators:
- HTTP POST requests to authentication endpoints containing serialized Java objects
- Unusual outbound connections from Soffid server
SIEM Query:
source="soffid.logs" AND ("java.io.ObjectInputStream" OR "Serialization" OR "deserialization") AND severity=ERROR
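The version check from "How to Verify" and the log indicators from "Detection & Monitoring" above, implemented as an added example (not part of the advisory or of Soffid's own tooling). It assumes a version.properties file with a version= line and a log format with the severity word surrounded by spaces; the sample file content and log lines are constructed here.

```python
import re

# Fixed version stated in the advisory: 1.7.5 and later are patched.
FIXED_VERSION = (1, 7, 5)

# Indicator substrings from the advisory's log indicators and SIEM query.
INDICATORS = ("java.io.ObjectInputStream", "serialization", "deserialization")

# Constructed sample of a version.properties file (hypothetical content;
# the advisory only names the file, not its format).
SAMPLE_VERSION_PROPERTIES = "name=soffid-console\nversion=1.7.3\n"

# Constructed sample application log lines (not real Soffid output).
SAMPLE_LOGS = [
    "2024-03-01 09:12:01 INFO  [auth] login ok user=alice",
    "2024-03-01 09:12:07 ERROR [auth] java.io.InvalidClassException at java.io.ObjectInputStream.readObject",
    "2024-03-01 09:12:08 ERROR [auth] Deserialization of authentication payload failed: unexpected class",
    "2024-03-01 09:12:09 WARN  [auth] deserialization slow for request 42",
    "2024-03-01 09:12:15 ERROR [db]  connection pool exhausted",
]

VERSION_RE = re.compile(r"^\s*version\s*=\s*(\d+(?:\.\d+)*)\s*$", re.MULTILINE)


def parse_version(text):
    """Extract the version tuple from version.properties-style text."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no version= line found")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(version):
    """True when the installed version is below the fixed release 1.7.5."""
    # Pad shorter tuples so that 1.7 compares as 1.7.0.
    v = tuple(version) + (0,) * (len(FIXED_VERSION) - len(version))
    return v < FIXED_VERSION


def find_deserialization_errors(lines):
    """Return ERROR-severity log lines containing a deserialization indicator.

    Mirrors the advisory's SIEM query (indicator AND severity=ERROR), but
    matches case-insensitively so 'Deserialization' and 'deserialization' both hit.
    """
    hits = []
    for line in lines:
        if " ERROR " not in line:
            continue
        lowered = line.lower()
        if any(ind.lower() in lowered for ind in INDICATORS):
            hits.append(line)
    return hits


if __name__ == "__main__":
    ver = parse_version(SAMPLE_VERSION_PROPERTIES)
    print("installed", ".".join(map(str, ver)), "vulnerable:", is_vulnerable(ver))
    for hit in find_deserialization_errors(SAMPLE_LOGS):
        print("ALERT:", hit)
```

Point find_deserialization_errors at real log lines to get the same filtering the SIEM query applies, and feed parse_version the actual contents of the deployed version.properties.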