Probes, Malware Target Remote Command Execution Flaw
Apache Struts 2 installations are being targeted – and hacked in large numbers – by attackers who are exploiting a zero-day flaw in the platform to remotely execute code, security researchers warn.
The attacks “fall into two broad categories – probing and malware distribution,” says Cisco Talos security engineer Nick Biasini in a blog post.
Apache Struts 2 is a widely used open source web application framework for Java Enterprise Edition. Numerous sites use Struts, including airlines, car-rental firms and e-commerce shops as well as not-for-profit organizations, social networks and government agencies.
The remote code execution vulnerability in Struts that’s being actively exploited – CVE-2017-5638 – exists in the Jakarta Multipart parser, which is used for uploading files. Security researcher Nike Zheng at Fremont, Calif.-based DBAPPSecurity is credited with finding the flaw, which an attacker can exploit for unauthenticated remote code execution by crafting a special Content-Type value in an HTTP request.
“An attacker can create an invalid value for Content-Type which will cause vulnerable software to throw an exception,” security researcher Tom Sellers at security firm Rapid7 says in a blog post. “When the software is preparing the error message for display, a flaw in the Apache Struts Jakarta Multipart parser causes the malicious Content-Type value to be executed instead of displayed.”
The latest versions of Apache Struts fix the flaw. “If you are using Jakarta-based file upload Multipart parser, upgrade to Apache Struts version 2.3.32 or 2.5.10.1,” Apache says in a March 6 security alert. “You can also switch to a different implementation of the Multipart parser.” Security experts say other workarounds could also be put in place, for example via Web application firewalls and intrusion detection systems.
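As an added illustration of the detection-side workaround mentioned above (this is not code from the article, Apache, Cisco Talos or Rapid7), the following Python checker flags requests whose Content-Type header carries OGNL expression markers or a malformed multipart type, the two traits of the invalid value the flaw depends on. The sample requests are constructed, and `app.example` is a placeholder host.

```python
import re

# CVE-2017-5638 is triggered by a Content-Type value that the Jakarta Multipart
# parser rejects and then echoes into an error message that is evaluated as OGNL.
# A legitimate Content-Type never contains an OGNL expression opener.
OGNL_MARKERS = ("%{", "${")

# Shape of a well-formed multipart Content-Type (RFC 2046 boundary characters).
MULTIPART_OK = re.compile(
    r"^multipart/form-data\s*;\s*boundary=[0-9A-Za-z'()+_,\-./:=?]{1,70}$",
    re.IGNORECASE,
)

def header_value(raw_request, name):
    """Return the value of the first header `name` in a raw HTTP request, or None."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None

def classify_content_type(value):
    """Classify a Content-Type value: 'clean', 'ognl-marker' or 'malformed-multipart'."""
    if value is None:
        return "clean"
    if any(marker in value for marker in OGNL_MARKERS):
        return "ognl-marker"
    if value.lower().startswith("multipart/") and not MULTIPART_OK.match(value):
        return "malformed-multipart"
    return "clean"

def flag_requests(raw_requests):
    """Return (index, verdict, value) for each request whose Content-Type looks hostile."""
    findings = []
    for i, req in enumerate(raw_requests):
        ct = header_value(req, "Content-Type")
        verdict = classify_content_type(ct)
        if verdict != "clean":
            findings.append((i, verdict, ct))
    return findings

# Constructed sample requests (not captured traffic); the third carries an inert marker.
SAMPLE_REQUESTS = [
    "POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4\r\n\r\n",
    "POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Type: application/json\r\n\r\n{}",
    "GET /index.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: %{#constructed='inert marker'}\r\n\r\n",
    "POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: multipart/form-data; boundary\r\n\r\n",
]

if __name__ == "__main__":
    for idx, verdict, ct in flag_requests(SAMPLE_REQUESTS):
        print(f"request {idx}: {verdict}: {ct!r}")
```

Run against the samples, only the third and fourth requests are reported; a WAF or IDS rule built on the same two checks catches the invalid header before Struts ever parses it.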
Warning to Exploit: Less Than 24 Hours
Public knowledge of this flaw dates from Apache’s March 6 security advisory.
On March 7, a proof-of-concept exploit for the flaw was added to Rapid7’s open source penetration testing tool Metasploit.
Cisco Talos says it saw the PoC get put to use almost immediately for in-the-wild attacks. “The majority of the exploitation attempts seem to be leveraging a publicly released PoC that is being used to run various commands. Talos has observed simple commands – i.e. ‘whoami’ – as well as more sophisticated commands including pulling down a malicious ELF [executable Linux file],” says Cisco’s Biasini referring respectively to probing efforts versus outright malicious attacks.
Some of the Linux-based malware being downloaded to exploited systems is designed to launch distributed denial-of-service attacks, Cisco Talos says, while others function as IRC bouncers or install malicious code related to the
Sellers says all firms should review their software inventories to ensure they know how many Struts implementations they’re running. “If you are using Apache Struts this would be a great time to review Apache’s documentation on the vulnerability and then survey your environment for vulnerable hosts,” he says. “Remember that Apache products are often bundled with other software so you may have vulnerable hosts of which you are unaware. Expect Nexpose and Metasploit coverage to be available soon to help with detection and validation efforts.”