Whether Apache Struts Vulnerability or Other, Learn from Equifax Breach.
As we are still coming to terms with the full ramifications of the Equifax data breach, initial reports point to Apache Struts vulnerabilities (first reported in 1H 2017) as the cause. Even though this is not confirmed, it highlights how critical it is to ensure that web infrastructure is patched against these vulnerabilities and that network infrastructure can detect and block exploitation attempts that leverage these vulnerabilities or their variants.
Multiple Struts vulnerabilities are being discussed as the cause of the attack. The most prominent are CVE-2017-5638 and CVE-2017-9805. Incidentally, Ixia’s Application and Threat Intelligence (ATI) research team has already covered CVE-2017-5638 extensively in this blog; even then, the blog indicated the CVE was being actively exploited by multiple hacker groups. This particular exploit was also added to our strike center in our March update.
Map of the average hits on the ATI honeypot during the discovery of CVE-2017-5638 zero day
CVE-2017-9805, also hypothesized as one of the candidates, was found later. However, the vulnerability is believed to have been present for the past nine years, so any older or unpatched system may have been affected.
The affected software revisions are Struts 2.1.2 - 2.3.33 and 2.5 - 2.5.12. CVE-2017-9805 is a remote command execution vulnerability in Apache Struts caused by insecure deserialization of data by XStreamHandler in the Apache Struts REST Plugin. Successful exploitation may result in arbitrary code execution on the target system; leveraging the vulnerability, hackers can possibly extract databases or any other files, upload a back door and get a reverse shell, etc. This article from Github provides a script and a few simple commands that can be executed in a Python shell to check for the existence of the vulnerability on a particular server.
If your system comes back as unpatched, it’s recommended to upgrade to Apache Struts version 2.5.13 or 2.3.34.
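Before reaching for a network-side check, an inventory pass over deployed webapps is often faster. The following added example (not the GitHub script the post references, and not Ixia code) classifies a webapp from the jar names under WEB-INF/lib using the affected ranges and fixed releases quoted above; it assumes the standard Maven artifact naming (struts2-core-<version>.jar, struts2-rest-plugin-<version>.jar) and treats an affected core as directly exposed only when the REST plugin, where XStreamHandler lives, is bundled.

```python
import re
from typing import Dict, Iterable, Tuple

# Affected ranges quoted in the post (inclusive): 2.1.2 - 2.3.33 and 2.5 - 2.5.12.
AFFECTED_RANGES = [((2, 1, 2), (2, 3, 33)), ((2, 5, 0), (2, 5, 12))]
# Releases the post recommends upgrading to.
FIXED_VERSIONS = ("2.3.34", "2.5.13")

# Assumption: jars follow the standard Maven naming, e.g. struts2-core-2.3.32.jar.
JAR_RE = re.compile(r"^(struts2-core|struts2-rest-plugin)-(\d+(?:\.\d+)*)\.jar$")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Normalise '2.5' to (2, 5, 0) so range comparisons are consistent."""
    parts = [int(p) for p in version.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    """True if a struts2-core version falls inside a vulnerable range."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def assess_webapp(jar_paths: Iterable[str]) -> Dict[str, str]:
    """Classify a deployed webapp from the jar names under WEB-INF/lib.

    The deserialization flaw lives in the REST plugin's XStreamHandler, so an
    affected core version is only directly exposed when that plugin is bundled;
    an affected core without the plugin still warrants the upgrade.
    """
    found: Dict[str, str] = {}
    for path in jar_paths:
        match = JAR_RE.match(path.rsplit("/", 1)[-1])
        if match:
            found[match.group(1)] = match.group(2)
    core = found.get("struts2-core")
    if core is None:
        return {"status": "no-struts"}
    if not is_affected(core):
        return {"status": "patched", "core": core}
    status = "vulnerable" if "struts2-rest-plugin" in found else "affected-core-no-rest-plugin"
    return {"status": status, "core": core, "upgrade_to": " or ".join(FIXED_VERSIONS)}


if __name__ == "__main__":
    # Constructed sample listing of WEB-INF/lib, not taken from a real deployment.
    sample = ["WEB-INF/lib/struts2-core-2.3.32.jar",
              "WEB-INF/lib/struts2-rest-plugin-2.3.32.jar",
              "WEB-INF/lib/xstream-1.4.8.jar"]
    print(assess_webapp(sample))
```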
ATI will add coverage of CVE-2017-9805 in the September 12, 2017 release, ATI-2017-18. Once installed, search for CVE-2017-9805 or s2-052 in strike center to locate the strike. This strike uses an HTTP POST request, and there are six different variants of it that you can leverage in addition to the HTTP evasions. Check this blog to learn more about testing variants of vulnerabilities. Apart from using variants, apply several HTTP evasions on top of this vulnerability to ensure the network and security infrastructure can block it in all of its forms.
Leverage Subscription Service to Stay Ahead of Attacks
The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.