Apache Foundation Refutes Involvement in Equifax Breach

The Vice President of the Apache Struts PMC says the attackers likely used an unknown Struts zero day or an earlier announced vulnerability.

A group of developers behind Apache Struts, believed by some to be the culprit behind last week’s Equifax breach, took umbrage with those claims over the weekend.

René Gielen, vice president of the Apache Struts Project Management Committee (PMC) at the Apache Software Foundation, wrote Saturday that if Struts was targeted, it’s unclear which vulnerability, if any was exploited.

The letter, which was written on behalf of the Struts PMC, was spurred by an internal analyst report published last week that suggested data from Equifax’s servers was breached via an unnamed Apache Struts flaw.

The report penned by Jeffrey Meuler, a senior research analyst with Baird Equity Research, the research arm of the financial services firm Robert W. Baird & Co, did not provide a source for the finding. Meuler did not immediately return a request for further comment when contacted on Monday.

Gielen’s letter took particular issue with a Quartz.com article that initially alleged CVE-2017-9805, a critical remote code execution vulnerability that the ASF patched last Tuesday, was the Struts vulnerability to blame for the breach of 143 million Americans’ records. The Quartz article – since edited – initially claimed that CVE-2017-9805 had existed in the wild for nine years, something Gielen had a hard time buying. Gielen said Saturday that since the breach was detected back in July, it’s likely the Equifax attackers either used an unknown Struts zero day or an earlier announced vulnerability on an unpatched Equifax server.

Gielen says the ASF takes “enormous efforts” to secure software it produces, like Struts, and makes a conscious effort to hold back sensitive information around vulnerabilities. There is no silver bullet for preventing exploits from surfacing in the wild however.

“Since vulnerability detection and exploitation has become a professional business, it is and always will be likely that attacks will occur even before we fully disclose the attack vectors, by reverse engineering the code that fixes the vulnerability in question or by scanning for yet unknown vulnerabilities.”

If the attackers had used CVE-2017-9805, it would have been considered a zero day at the time, but according to Gielen, the Apache PMC was only recently notified of the vulnerability – something it quickly remedied.

“We were notified just recently on how a certain piece of code can be misused, and we fixed this ASAP,” Gielen said, “What we saw here is common software engineering business — people write code for achieving a desired function, but may not be aware of undesired side-effects. Once this awareness is reached, we as well as hopefully all other library and framework maintainers put high efforts into removing the side-effects as soon as possible. It’s probably fair to say that we met this goal pretty well in case of CVE-2017-9805.”

Gielen concluded his letter with a series of best practices for businesses who use Apache Struts to follow, including being aware which framework/libraries are used in their setup, that processes to roll out security fixes are established, and perhaps most importantly, to understand that complex software can contain flaws.

An Apache spokeswoman told Reuters on Friday that it appeared Equifax had not applied patches for flaws discovered this year.

It’s unclear exactly which vulnerability the spokeswoman was referring to. The Struts vulnerability fixed last week affected all web apps that used the framework’s REST plugin. Another Struts vulnerability, CVE-2017-5638, was publicized and incorporated into Metasploit in March. That flaw stemmed from Struts’ Jakarta Multipart parser upload functionality and allowed an attacker to execute requests to an Apache webserver. Researchers with Cisco Talos, who found the bug, said it was being exploited in the wild when it was disclosed.

Researchers with Contrast Security posit it’s more likely the attacker used CVE-2017-5638, an expression language injection vulnerability leveraged via the content-type header, to hit Equifax.

“The first vulnerability from March seems much more likely because it’s easier to exploit and much better known. It also fits the timeline better, since it was released months before Equifax was attacked in July,” Jeff Williams, Contrast’s co-founder and chief technology officer, wrote Saturday.

Williams echoed a few sentiments made by Gielen, including the fact that maintaining the security of libraries can be tricky but should remain a focus for businesses.

“Keeping libraries up to date isn’t a small amount of work, as these changes come out frequently. Often these changes require rewriting, retesting, and redeploying the application, which can take months. I have recently talked with several large organizations that took over four months to deal with CVE-2017-5638,” Williams said.

Equifax, which has yet to respond to a request for comment for this article or previous articles, remains in damage control mode.

The company on Monday said it would be changing how it generates PINs for customers who want to initiate a security freeze on their accounts. The response was presumably in response to a series of tweets that went viral on Friday night calling out Equifax for using hardcoded PINs that mirrored the date and time they were requested, a format the company allegedly has followed for more than a decade.

The company said in an update to its site that going forward consumers placing a security freeze will be given a randomly generated PIN. Users who previously froze their credit will have to mail the company directly to change it, however.

The company on Monday also apologized for lengthy call center wait times and stressed that users who sign up for TrustedID Premier, the company’s ID theft protection and credit monitoring service, will not be charged as soon as the year runs out.

The company also took a moment on Monday to reiterate that signing up for the free credit monitoring service doesn’t waive a consumer’s right to take legal action.

The company clarified its TrustedID Premier policy on Friday afternoon after it was pressed repeated by consumers and politicians alike. One politician in particular, Eric Schneiderman, New York’s Attorney General, opened a formal investigation into the breach on Friday, calling out the company’s arbitration clause policy.

As expected multiple lawsuits have been filed against the company in wake of the breach. One class action suit, filed late Thursday night, alleges Equifax “negligently failed to maintain adequate technological safeguards to protect [the plaintiffs’] information from unauthorized access by hackers.” The suit seeks as much as $70 billion in damages nationally.

“Equifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach,” the complaint also reads.

*This article was updated at 5 p.m. to include insight from Contrast Security re: CVE-2017-5638 and Equifax.

Suggested articles