Krebs just posted that Apache has released software fixes for a newly discovered vulnerability. And hackers already have exploit blueprints online.
Attackers can exploit sites running the exposed Apache Struts installation by sending the right request to the site, which will force the web server to run any command desired by the hacker–such as adding or deleting files or copying internal databases. IT security experts commented below.
Jeannie Warner, Security Manager at WhiteHat Security:
“Apache Struts is used by some of the world’s largest companies. The more common the vulnerability, the more it helps attackers simplify their process…and the easier it becomes for non-skilled hackers to compromise more websites. Methods to exploit this newest Struts vulnerability are already available online, so it is absolutely critical that all companies implement the patch immediately. There’s no time to waste—unless they want to be the next major breach victim.
Other steps organizations can take to mitigate the risk of breaches prior to fixing include 1) implementing web application firewalls (WAFs) or runtime application self-protection (RASP), 2) using software composition analysis (SCA) to find vulnerable platforms and third-party libraries and add them to standard patch management (where possible), and best of all, 3) making security testing a part of the entire lifecycle of an application. Security training and education, along with IT and Ops teams partnering with security to understand and prioritize how to mitigate risk, are also vital.”
Renaud Deraison, Co-founder and CTO at Tenable:
“APTs and nation-state attacks — be they from Russia or any other actor — are a real threat for a very small percentage of companies. In reality, the threats that most organisations are dealing with today are the result of foundational security issues, like failing to patch systems when a critical vulnerability is disclosed. This latest Apache Struts vulnerability is a reminder of the importance of a basic, critical but very unsexy security measure that every organisation should be doing: Maintain your systems. Many web based remote code execution vulnerabilities like this one are researched quickly, with publicly available exploits appearing in less than a few days after disclosure. As we saw with Equifax, cybercriminals are taking advantage of organisations that are either unwilling or unable to patch their systems, resulting in catastrophic consequences. Don’t let this flaw be the reason for the next mega breach. Upgrade to Apache Struts version 2.3.35 or 2.5.17 as soon as possible.”
Tim Mackey, Technical Evangelist at Black Duck by Synopsys:
“In 2016 and 2017, the Apache Struts community disclosed a series of remote code execution vulnerabilities. These vulnerabilities all related to the improper handling of unvalidated data. In identifying CVE-2018-11776, the researcher looked at prior remote code execution vulnerabilities within Struts to determine if there was a coding pattern which lead to them. As background, developers commonly use libraries of code, or development paradigms which have proven efficient, when creating new applications or features. This attribute is a positive when the library or paradigm is of high quality, but when a security defect is uncovered this same attribute often leads to a pattern of security issues.
In the case of CVE-2018-11776, the root cause was a lack of input validation on the URL passed to the Struts framework. Unlike CVE-2018-11776, the prior vulnerabilities were all in code within a single functional area of the Struts code. This meant that developers familiar with that functional area could quickly identify and resolve issues without introducing new functional behaviors. CVE-2018-11776 operates at a far deeper level within the code which in turns requires a deeper understanding of not only the Struts code itself, but the various libraries used by Struts. It is this level of understanding which is of greatest concern – and this concern relates to any library framework.
Validating the input to a function requires a clear definition of what is acceptable. It equally requires that any functions available for public use document how they use the data passed to them. Absent the contract such definitions and documentation form, it’s difficult to determine if the code is operating correctly or not. This contract becomes critical when patches to libraries are issued as its unrealistic to assume that all patches are free from behavioral changes. Modern software is increasingly complex and identifying how data passes through it should be a priority for all software development teams.”