Anti-Malware , DDoS , Technology

Apache Struts 2 Under Zero-Day Attack, Update Now

Probes, Malware Target Remote Command Execution Flaw
Apache Struts 2 Under Zero-Day Attack, Update Now
Attackers have been probing Apache Struts 2 implementations, security experts warn (image: Cisco Talos).

Apache Struts 2 installations are being targeted - and hacked in large numbers - by attackers who are exploiting a zero-day flaw in the platform to remotely execute code, security researchers warn.

See Also: Addressing the Identity Risk Factor in the Age of 'Need It Now'

The attacks "fall into two broad categories - probing and malware distribution," says Cisco Talos security engineer Nick Biasini in a blog post.

Open source Apache Struts 2 is a widely used computing platform that runs Java Enterprise Edition. Numerous sites use Struts, including airlines, car-rental firms and e-commerce shops as well as not-for-profit organizations, social networks and government agencies.

The remote-code execution vulnerability in Struts that's being actively exploited - CVE-2017-5638 - exists in the Jakarta Multipart parser, which is used for uploading files. Security researcher Nike Zheng at Fremont, Calif.-based DBAPPSecurity is credited with finding the flaw, which an attacker can exploit for unauthenticated remote code execution by crafting a special Content-Type value in an HTTP request.

"An attacker can create an invalid value for Content-Type which will cause vulnerable software to throw an exception," security researcher Tom Sellers at security firm Rapid7 says in a blog post. "When the software is preparing the error message for display, a flaw in the Apache Struts Jakarta Mulitpart parser causes the malicious Content-Type value to be executed instead of displayed."

The latest versions of Apache Struts fix the flaw. "If you are using Jakarta-based file upload Multipart parser, upgrade to Apache Struts version 2.3.32 or 2.5.10.1," Apache says in a March 6 security alert. "You can also switch to a different implementation of the Multipart parser." Security experts say other workarounds could also be put in place, for example via Web application firewalls and intrusion detection systems.

Warning to Exploit: Less Than 24 Hours

Public knowledge of this flaw dates from Apache's March 6 security advisory.

On March 7, a proof-of-concept exploit for the flaw was added to Rapid7's open source penetration testing tool Metasploit.

Cisco Talos says it saw the PoC get put to use almost immediately for in-the-wild attacks. "The majority of the exploitation attempts seem to be leveraging a publicly released PoC that is being used to run various commands. Talos has observed simple commands - i.e. 'whoami' - as well as more sophisticated commands including pulling down a malicious ELF [executable Linux file]," says Cisco's Biasini referring respectively to probing efforts versus outright malicious attacks.

Some attackers have been attempting to exploit the flaw in Apache Struts 2 to disable the Linux firewall and SUSE Linux firewall upon reboot - as shown - and then install a malicious executable (source: Cisco Talos).

Some of the Linux-based malware being downloaded to exploited systems is designed to launch distributed denial-of-service attacks, Cisco Talos says, while others function as IRC bouncers or install malicious code related to the BillGates botnet.

"Considering this is actively being exploited it is highly recommended that you upgrade immediately," Biasini says.

Honeypots Clock Attack Waves

Rapid7's Sellers, who contributes code to the Metasploit project, says that the company's honeypots have detected at least two large attack waves to date, both emanating from hosts in China. The first wave, which began March 7, issued commands that, if executed, "would have caused a vulnerable target to download binaries from the attacking server." The second wave was spotted March 8 and appeared to be attempting to install the XOR DDoS Trojan onto Linux systems.

"Based on the traffic we are seeing at this time it would appear that the bulk of the non-targeted malicious traffic appears to be limited attacks from a couple of sources," Sellers says in a March 9 blog post. "This could change significantly tomorrow if attackers determine that there is value in exploiting this vulnerability."

Attempted CVE-2017-5638 exploits logged by Rapid7's honeypots from March 7 to 9.

Sellers says all firms should review their software inventories to ensure they know how many Struts implementations they're running. "If you are using Apache Struts this would be a great time to review Apache's documentation on the vulnerability and then survey your environment for vulnerable hosts," he says. "Remember that Apache products are often bundled with other software so you may have vulnerable hosts of which you are unaware. Expect Nexpose and Metasploit coverage to be available soon to help with detection and validation efforts."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network