23
Aug 18

Experts Urge Rapid Patching of ‘Struts’ Bug

In September 2017, Equifax disclosed that a failure to patch one of its Internet servers against a pervasive software flaw — in a Web component known as Apache Struts — led to a breach that exposed personal data on 147 million Americans. Now security experts are warning that blueprints showing malicious hackers how to exploit a newly-discovered Apache Struts bug are available online, leaving countless organizations in a rush to apply new updates and plug the security hole before attackers can use it to wriggle inside.

On Aug. 22, the Apache Software Foundation released software updates to fix a critical vulnerability in Apache Struts, a Web application platform used by an estimated 65 percent of Fortune 100 companies. Unfortunately, computer code that can be used to exploit the bug has since been posted online, meaning bad guys now have precise instructions on how to break into vulnerable, unpatched servers.

Attackers can exploit a Web site running the vulnerable Apache Struts installation using nothing more than a Web browser. The bad guy simply needs to send the right request to the site and the Web server will run any command of the attacker’s choosing. At that point, the intruder could take any number of actions, such as adding or deleting files, or copying internal databases.

An alert about the Apache security update was posted Wednesday by Semmle, the San Francisco software company whose researchers discovered the bug.

“The widespread use of Struts by leading enterprises, along with the proven potential impact of this sort of vulnerability, illustrate the threat that this vulnerability poses,” the alert warns.

“Critical remote code execution vulnerabilities like the one that affected Equifax and the one we announced today are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit,” wrote Semmle co-founder Pavel Avgustinov. “A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It’s crucially important to update affected systems immediately; to wait is to take an irresponsible risk.”

The timeline in the 2017 Equifax breach highlights how quickly attackers can take advantage of Struts flaws. On March 7, 2017, Apache released a patch for a similarly dangerous Struts flaw, and within 24 hours of that update security experts began tracking signs that attackers were exploiting vulnerable servers.

Just three days after the patch was released, attackers found Equifax’s servers were vulnerable to the Apache Struts flaw, and used the vulnerability as an initial entry point into the credit bureau’s network.

A slide from “We are all Equifax,” an RSA talk given in April 2018 by Derek Weeks.

The vulnerability affects all supported versions of Struts 2. Users of Struts 2.3 should upgrade to version 2.3.35; users of Struts 2.5 should upgrade to 2.5.17.

More technical details about this bug from its discoverer, Man Yue Mo, are here. The Apache Software Foundation’s advisory is here.

Tags: , , , , ,

21 comments

  1. The Sunshine State

    Good article

  2. They should start paying out to those whose information they’ve lost!

  3. Please tell me that this has nothing to do with their Apache OpenOffice product.

    • Nothing at all.

      That doesn’t mean OpenOffice can’t have security vulnerabilities of its own though.

  4. Equifax has not learned anything it would appear?

  5. here we go again I guess?

  6. This all reminds me so much of evolution in the workings. Maybe this will be a heads up to software development companies that quality matters, and when sales deadlines drives engineering workflow, a crash and burn scenario is in the making.

    Thanks Brian for another excellent article!

    • Mikey Doesn't Like It

      I agree, QC matters; in fact, it’s an absolute essential. But I accept that, even in the best software companies, unintentional bugs will surface despite the best of intentions — and kudos to those companies that respond quickly to issue patches.

      What none of us should accept is that too many organizations are slower than molasses in winter, to apply those patches and (hopefully) prevent fiascos like Equifax and many others from ever happening. It’s sad that shareholders don’t hold their executives’ feet to the fire for failing to take the most reasonable preventive steps. In most cases, WE suffer for their hubris.

  7. Meh, this isn’t the same as CVE-2017-5638, where you can just throw OGNL into a header and probably gain RCE. From the attacker’s perspective, they either need to manually find vulnerable struts actions they can exploit or blindly throw potential payloads at brute-forced struts actions, hoping they randomly find an action name. PoC from Github: https://github.com/xfox64x/CVE-2018-11776

    • and by now you should have a WAF or similar that blocks OGNL expressions in user input.

    • I assume #SHODAN could be used to find vulnerable servers? Am I right? And a big “DANG” too – my personal install of Apache on my Mac might need an update – groan.

      • Probably, but I’m not sure you can test for the existence of this bug without actually exploiting it. Someone please correct me if I am wrong.

    • Being unfamiliar with OGNL, I looked it up in Wikipedia. From they say there, no one should ever use it on any app that faces the WWW. Apache should know better.

  8. Hummm I wonder if T-Mobile’s demise last night was part of this….

  9. Equifax credit score better plummet at minimum of 150 pts.

  10. Looks like the FBI to me.

  11. Derek Weeks is totally absolutely brilliant. According to the caption under the illustration, in April he prepared and used an illustration which predicted that a large-scale exploit will begin in May, which would not be discovered until July 29, and that another vulnerability will be discovered on September 7. Can this man give us some stock tips? Power Ball or Megamillions numbers?

    • Note the date field of all of the CVEs mentioned in the timeline is 2017, not 2018. That’s right, we’ve been at this for over a year now.

  12. Readership1 (previously just Reader)

    So? It’s been several days now. Anyone get hacked? Such a big thing, I’m surprised that there was no update on anything happening as a result of the bug.

  13. It also has a spread of Cartoon T-funny maternity shirts for mom and dad (Rob) from Disney.