Summary
On September 5, 2017, a critical remote code execution vulnerability (CVE-2017-9805) was disclosed in the Apache Struts framework. Apache Struts is a popular open source framework for Java web application development. All versions of application framework since 2008 until Apache Struts version 2.5.13 (released September 5, 2017) are vulnerable. Analysts have estimated that at least 65% of Fortune 100 companies are actively using applications built with the Apache Struts framework.
Successful exploitation of this vulnerability could allow remote attackers to execute malicious code and take full control of web servers which run the popular Apache Struts Representational State Transfer (REST) plugin. As of this writing, there are several working exploits for this vulnerability, including a plugin for the popular Metasploit framework.
All clients are advised to update their Apache Struts installations to version 2.5.13 as soon as possible and leverage the provided mitigation strategies in the meantime. Kudelski Security has already received reports of this vulnerability being used to actively exploit web servers and expects that attackers, including cybercrime actors, to continue exploiting this vulnerability for the foreseeable future.
Vulnerability Description
(CVE-2017-9805), a critical remote code execution vulnerability, takes advantage of a deserialization process that handles un-sanitized data, allowing data from HTTP requests or other sockets to be de-serialized into a Java object. The REST plugin does not apply any type filtering or sanitization to user controlled data, which allows attackers to force the server to execute their own arbitrary code during the deserialization of XML formatted data.
Utilizing a specially crafted XML payload and any web browser or several open source exploitation frameworks, an attacker may run arbitrary code on any web server using the framework. Once the attacker has gained access to the server, they could leverage this access to move laterally, steal user login information, compromise client data, or join the web server to one of several active linux botnets.
Affected Versions
All Apache Struts versions released since 2008 are known to be vulnerable. This includes versions between 2.5 to 2.5.12
The framework is vulnerable if the web application uses the popular REST plugin.
All but the latest Struts deployments are vulnerable, however, in order to determine if a system is vulnerable perform the following steps:
1. Find the “struts-core.jar” file
a. The file can be found using the `find` command on Linux or Windows Explorer search function on Windows
2. Unzip the struts-core.jar file
3. Open META-INF folder > MANIFEST.MF with a text editor
4. The Apache Struts version is shown on the “Specification Version:” line.
To verify if a specific Apache Struts deployment uses the “REST Plugin” perform the following steps:
1. Locate the “struts.xml” configuration file
a. The file can be found using the `find` command on Linux or Windows Explorer search function on Windows
2. Search “constant” with the following value:
name=”struts.mapper.class” value=”rest” />
Additionally, it is important that clients be aware that several devices (such as Cisco ISE and Cisco UC) use the Apache Struts framework and may also be vulnerable. The Cyber Fusion Center will work closely with our partners to identify any potentially vulnerable managed or supported security devices and communicate with our clients. Clients are also advised to contact vendors to request information about impact of this vulnerability and potential mitigations.
Mitigation and Response
The Apache Software Foundation released a new version of Apache Struts, version 2.5.13 which resolves this vulnerability. Kudelski Security highly recommends upgrading to the latest version of Struts as soon as possible. Due to the nature of the vulnerability, the patch modifies how Apache Struts processes XML data. As such, Kudelski Security recommends that applications written using the Struts framework be extensively and thoroughly tested to ensure desired functionality has not been impacted before applying the update in production environments.
For clients who do not need to parse or handle XML in their Apache Struts applications, but still use the REST plugin, Kudelski Security recommends limiting the plugin so that it only serves and respond to HTML and JSON data. This can be accomplished by editing the Apache Struts configuration file (struts.xml) and setting the following “constant”:
constant name="struts.action.extension"value="xhtml,,json"
As a temporary mitigation, Kudelski Security recommends that clients with Web Application Firewalls (WAFs), such as F5, apply any vendor supplied rules to block attempts to exploit this vulnerability. F5, a Kudelski Security partner, has released two ASM signatures (200003440 and 200004174) to detect and prevent exploitation of this vulnerability
For clients whose F5 devices are managed as part of the Cyber Fusion Center’s Security Device Management service, the Cyber Fusion Center has created a change request in order to get authorization to enable these rules on managed F5 devices.
The Kudelski Security Cyber Fusion Center has ensured that managed vulnerability scanners have been updated to identify the presence of this vulnerability within client’s environments and web applications.
The Kudelski Security Cyber Fusion Center continues to work with our partners to develop or deploy additional methods of detection across other managed and monitored security technologies.
Sources
Severe security vulnerability found in Apache Struts using lgtm.com (CVE-2017-9805)
https://lgtm.com/blog/apache_struts_CVE-2017-9805
05 September 2017 – Struts 2.5.13 General Availability
https://struts.apache.org/announce.html#a20170905
Apache Security Bulletin S2-052
https://cwiki.apache.org/confluence/display/WW/S2-052
Metasploit module to exploit vulnerability
https://github.com/rapid7/metasploit-framework/commit/5ea83fee5ee8c23ad95608b7e2022db5b48340ef
Kudelski Security Research 