Examining Apache Struts Remote Code Execution Vulnerabilities


On September 7th Equifax announced a major data breach affecting 143 million customers. The breach was the result of a Remote Code Execution (RCE) attack that exploited a vulnerability in Apache Struts software — an open source framework for creating web applications. On the same day as the breach announcement, Apache Struts published details of CVE-2017-12611, the fourth in a series of critical RCE vulnerabilities exposed in the Struts platform since March this year alone.

According to an Equifax statement, the data breach was discovered on 29th July, but the company admitted that sensitive data had been accessible to the attacker from mid May. This means that Equifax systems had been compromised for at least 40 days before discovery, raising serious concerns about Equifax’s security practices.

Apache Struts responded quickly in a statement to clarify their position on the breach. Describing their policy of due diligence on securing their software quickly against reported vulnerabilities, Apache’s statement firmly rebuts reports that vulnerabilities published in either July or September could have been targeted unless the attacker had a zero-day exploit. In other words, the attacker would have needed knowledge of the vulnerabilities before Apache released their advisories and fixes.

The timeline of related events makes it clear that fixed versions of Struts were available at or before the time the security advisories were published, and that known exploits were not available in the wild beforehand. The timeline also bears witness to Apache's assertions of consistent good practice and tells us that the attack was likely to be a product of poor security practices on the part of Equifax.


A timeline of Apache Struts RCE vulnerabilities (with the Equifax breach events interleaved):

CVE               Disclosed            Exploit Available    Patch Issued
CVE-2017-5638     March 6, 2017        March 6, 2017        March 6, 2017
    May 13, 2017 – 72 days post-disclosure – Equifax breach begins
CVE-2017-9791     July 7, 2017         July 7, 2017         July 7, 2017
    July 29, 2017 – 149 days post-disclosure – Equifax discovers breach
CVE-2017-9805     September 5, 2017    September 6, 2017    September 5, 2017
CVE-2017-12611    September 7, 2017    September 7, 2017    September 5, 2017
    September 7, 2017 – Equifax discloses breach


Let’s take a closer look at the four RCE vulnerabilities:

CVE-2017-5638 CVSS 2 Base Score 8.7

CVE-2017-5638 was initially described in the Apache advisory S2-045. Originally, the HTTP header ‘Content-Type’ was identified as the attack vector. However, a subsequent Apache advisory, S2-046, identified additional vectors for the same vulnerability: the HTTP headers ‘Content-Disposition’ and ‘Content-Length’.

Due to the additional technical details being released, it is advised to verify that you have received updated rule sets in order to validate existing mitigation strategies.  

An attacker can leverage these conditions to execute OGNL expressions. OGNL (Object-Graph Navigation Language) is an expressive interpreted language evaluated by Struts, and an injected expression allows full command execution with the privileges of the web server user. Because the Content-Disposition and Content-Length headers are parsed the same way, they are equally viable attack vectors.

Workaround: For users of affected versions, several immediate mitigation measures were available including the option to switch to a different implementation of the parser.
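As an added, defender-side illustration (not code from the original article or from the Struts project), the check below flags requests whose Content-Type, Content-Disposition or Content-Length headers carry OGNL expression markers, which is the kind of pattern a WAF or reverse-proxy rule for CVE-2017-5638 looks for. The sample requests are constructed, and the expression in them is a deliberately non-functional placeholder that only exercises the detection logic.

```python
import re

# Headers that advisories S2-045 / S2-046 name as injection vectors for CVE-2017-5638.
SUSPECT_HEADERS = ("content-type", "content-disposition", "content-length")

# OGNL expression markers: %{...}, ${...}, #{...} delimiters, a '#var =' context
# assignment, and '@class@member' static references. RFC-valid values for the
# three headers above do not normally contain any of these sequences.
OGNL_PATTERN = re.compile(r"[%$#]\{|#[a-z_][\w.]*\s*=|@[\w.]+@", re.IGNORECASE)


def suspicious_headers(headers):
    """Return the names of suspect headers whose values contain OGNL markers.

    `headers` maps header name -> value, as seen by a reverse proxy or WAF.
    Header names are compared case-insensitively; unrelated headers are ignored.
    """
    hits = []
    for name, value in headers.items():
        if name.lower() in SUSPECT_HEADERS and OGNL_PATTERN.search(value):
            hits.append(name)
    return hits


def scan_requests(requests):
    """Apply the header check to (request_id, headers) pairs; return the flagged ones."""
    findings = []
    for rid, headers in requests:
        flagged = suspicious_headers(headers)
        if flagged:
            findings.append((rid, flagged))
    return findings


# Constructed sample requests (not real traffic). req-3 and req-4 carry a
# placeholder expression that is not a working exploit.
SAMPLE_REQUESTS = [
    ("req-1", {"Content-Type": "application/x-www-form-urlencoded", "Content-Length": "42"}),
    ("req-2", {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"}),
    ("req-3", {"Content-Type": "%{#constructed_marker='placeholder'}", "Content-Length": "0"}),
    ("req-4", {"Content-Disposition": 'form-data; name="${#constructed_marker}"'}),
]

if __name__ == "__main__":
    for rid, flagged in scan_requests(SAMPLE_REQUESTS):
        print(f"{rid}: OGNL markers in header(s) {', '.join(flagged)}")
```

A match in these headers is high-confidence, since legitimate multipart and form-encoded requests never place expression syntax there; the natural response is to block the request and alert before it reaches the Struts multipart parser.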

CVE-2017-9791 CVSS 2 Base Score 9.0

An attacker can achieve remote code execution in the Struts Showcase app via the Struts 1 plugin example in Struts 2.3.x. A malicious OGNL expression that executes arbitrary system commands can be supplied as a field value when the Struts 1 plugin for Struts 2 is in use.

When the relevant field is associated with a Struts 1 action and the malicious input becomes part of the error message used by the ActionMessage class, the OGNL expression is evaluated and its commands are executed as the web server user.

Workaround: Always use resource keys instead of passing a raw message to the ActionMessage and never pass a raw value directly.

CVE-2017-9805 CVSS 2 Base Score 8.3

Apache Struts allows remote code execution when the Struts REST plugin is used with the XStream handler to deserialise XML requests. The vulnerability is triggered by supplying crafted, user-controlled data as an XML payload to the web application. Successful exploitation could give an attacker full control of the affected server and a foothold from which to move to other systems on the same network.

Workaround: Various workaround options are available with the best being to remove the Struts REST plugin if or when it’s not being used.

CVE-2017-12611 CVSS 2 Base Score 8.3

Apache Freemarker, wrapped in Struts, is a Java library that acts as a template engine to generate text output, such as HTML web pages, e-mails, configuration files, source code, etc., based on templates and changing data.

Affected applications allow the unsafe use of writable expression values in Freemarker content and an attacker can submit malicious values for processing, as additions to writable expressions. A successful attempt can result in RCE within the context of the affected application on the target system.

Workaround: There is currently no known workaround.

We can deduce from the timeline of events that Equifax was either unaware of or slow to respond to reports of known critical vulnerabilities in their system, and as a result had not upgraded to safer versions. This paucity of attention needlessly put the sensitive identifying data of some 143 million consumers at risk.

From the details pertaining to the vulnerabilities it is worth noting that all but the most recent had immediate workaround options, enabling companies like Equifax to devise a mitigation strategy even if patching or upgrading takes longer than is desirable, given the severity of the vulnerabilities in question.



References and Further Reading

  1. https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628
  2. https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax
  3. http://nypost.com/2017/09/08/equifax-blames-giant-breach-on-vendor-software-flaw/
  4. http://www.securityweek.com/apache-struts-flaw-reportedly-exploited-equifax-hack
  5. http://www.pymnts.com/safety-and-security/2017/equifax-blames-security-breach-on-open-source-software-flaw/
  6. https://krebsonsecurity.com/2017/09/equifax-breach-response-turns-dumpster-fire/#comments
  7. https://www.linkedin.com/pulse/equifax-breach-missing-needles-igor-baikalov

Apache Struts Releases: https://struts.apache.org/downloads.html
Apache Struts Announcements: https://struts.apache.org/downloads.html
