A Survey of Scans for GeoServer Vulnerabilities

Published: 2024-08-06. Last Updated: 2024-08-06 14:20:15 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

A little bit over a year ago, I wrote about scans for GeoServer [1][2]. GeoServer is a platform to process geographic data [3]. It makes it easy to share geospatial data in various common standard formats. Recently, new vulnerabilities were discovered in GeoServer, prompting me to look again at what our honeypots pick up [4].

Let's first look at the "big picture": How many scans did we see? The total number of requests for URLs starting with "/geoserver" was 211,143 since the beginning of the year.

number of geoserver scans from 2023 to today,

Interest in GeoServer started in 2023. It ceased after August but then came back early this year. After the latest SQL exploit was discovered (July 5th), scans for GeoServer surged.

When I wrote about the GeoServer scans last year, a reader noted that Shadowserver had just started scanning for GeoServer. Indeed, most of the time, all GeoServer scans on particular days can be attributed to researchers. In addition to Shadowserver, Internet Census (associated with BitSight) is scanning for GeoServer instances. Personally, I think this is a good thing. Shadowserver will notify ISPs who host insecure instances, and they will find them before the bad guys. 

scnas from researchers vs total scans showing that most of the time all scans come from researchers.

If you are interested, you can retrieve a list of research IPs from our API [5]

Once we remove the scans we identified as "research," these are the top countries from which scans originate:

Top Countries
Country Count
China 26,844
South Korea 2,890
USA 2,549
Germany 1,685
Sweden 1,593
Russia 1,516
Canada 1,417
Brazil 1,137
Hong Kong 984
Indonesia 729

The most common URLs scanned:

URL Count
/geoserver/web/ 37654
/geoserver/web/wicket/bookmarkable/org.geoserver.web.AboutGeoServerPage?lang=en 4811
/geoserver/wms 1651
/geoserver 1432
/geoserver/web/wicket/bookmarkable/org.geoserver.web.AboutGeoServerPage 333
/geoserver/ 37
/geoserver/bad397/ 37
/geoserver/TestWfsPost 26
/geoserver/web/wicket/bookmarkable/org.geoserver.web.demo.MapPreviewPage 25
/geoserver/ows 17

"/geoserver/web" is the default "Home Page" of GeoServer. "/geoserver/wms" URLs is what we have seen in the past. Current exploits for CVE-2024-36401 use "/geoserver/wfs". These URLs didn't make the top 10.

 

[1] https://isc.sans.edu/diary/Geoserver+Attack+Details+More+Cryptominers+against+Unconfigured+WebApps/29936
[2] https://isc.sans.edu/diary/Ongoing+scans+for+Geoserver/29926
[3] https://geoserver.org/
[4] https://medium.com/@knownsec404team/geoserver-sql-injection-vulnerability-analysis-cve-2023-25157-413c1f9818c3
[5] https://isc.sans.edu/api
[6] https://github.com/bigb0x/CVE-2024-36401/blob/main/cve-2024-36401.py

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

Keywords:
0 comment(s)
ISC Stormcast For Tuesday, August 6th, 2024 https://isc.sans.edu/podcastdetail/9084

Comments


Diary Archives