Harvard University web flaw exposed it to remote attacks

A Harvard University subdomain vulnerability exposed the website to remote code execution (RCE) attacks, potentially allowing threat actors to steal and modify data stored on the website.

A WebLogic Server vulnerability, with a severity score of 9.8 out of 10, was plaguing Harvard University’s courses website, the Cybernews research team discovered.

WebLogic Server is a Java-based application server developed by Oracle, an American multinational computer technology corporation. The bug, discovered in 2020 and tracked as CVE-2020-2551, allows an attacker to remotely execute code on a vulnerable server without authentication.

“The most obvious and dangerous exploitation scenario is where an attacker can execute arbitrary code remotely without any authentication. By exploiting this vulnerability, the attacker can gain complete control of the vulnerable server and access or modify sensitive data or disrupt business operations,” researchers said.

The impacted website, courses.my.harvard.edu, requires users to log in, which means that a successful RCE attack could allow threat actors to obtain user login data.

The university responded with a comment after we published the article, saying no data was exposed.

“Harvard has investigated these reports and determined that our systems were not at risk and that no data was exposed,” the university’s representative told Cybernews.

“By exploiting this vulnerability, the attacker can gain complete control of the vulnerable server and access or modify sensitive data or disrupt business operations.”

researchers said.

What is a remote code execution attack?

RCE attacks are a golden opportunity for threat actors. One of the most devastating cyber incidents in history, the 2017 WannaCry worm, was an RCE attack. WannaCry impacted over 300,000 devices and caused billions of dollars in damages.

For example, a successful WebLogic Server attack could allow cybercriminals to install malicious code on a targeted device, such as keyloggers, ransomware, or other types of malware, to gain access to the server or steal sensitive data.

“In some cases, attackers can exploit this vulnerability to steal credentials from the server. By executing code remotely, attackers can intercept or modify traffic to steal usernames and passwords or other sensitive information,” researchers said.

A dedicated attack could allow attackers to plant themselves in a targeted network. In theory, compromising a vulnerable WebLogic Server provides threat actors with the necessary tools to attack other systems within the network.

How could it impact Harvard University?

The WebLogic Server bug researchers found in Harvard University’s subdomain allowed the execution of arbitrary code without authentication. In other words, the doors were wide open for anyone willing to come in.

“If attackers exploit this vulnerability, they can gain access to sensitive data stored on the vulnerable system. This could include confidential customer information, financial data, and intellectual property,” researchers said.

Attackers might have decided to steal and encrypt the stolen data, such as courses and user details, disrupting services provided via the affected subdomain or, depending on the school IT system’s architecture, encrypt the whole system.

What’s striking is that Oracle addressed the vulnerability three years ago, in April 2020. This was when COVID-19 was still a deadly novelty, and the world was just learning to live under a global lockdown.

How to mitigate the issue?

First and foremost, organizations should use the latest Oracle patch to fix the three-year-old bug in the system. Applying the patch will eliminate the vulnerability and protect the system from exploitation.

Additionally, organizations are advised to segment their networks. That way, malicious code cannot spill over from one system to another, minimizing the potential impact of a cyberattack.

“Organizations can implement access controls to limit who can access the WebLogic Server. Access controls can include authentication mechanisms, authorization policies, and multi-factor authentication,” researchers said.

Organizations should also monitor system activity to catch any irregular activity early on and conduct security audits to identify vulnerabilities and address them before they can be exploited.

Updated on July 14 [07:50 AM GMT] with a statement from the university.