Public attacks and scans looking for exposed Apache webservers have ramped up dramatically since Monday when a vulnerability in the Struts 2 web application framework was patched and proof-of-concept exploit code was introduced into Metasploit.
The vulnerability, CVE-2017-5638, was already under attack in the wild prior to Monday’s disclosure, but since then, the situation has worsened and experts fear it’s going to linger for a while.
“The second someone starts working on a Metasploit module, it’s a ramp-up for rapid exploitation by a large number of people,” said Craig Williams, senior technical leader for Cisco’s Talos research outfit. “We’re basically seeing a huge number of people continue to exploit the vulnerability. That’s likely going to continue to increase. I think what we’re also going to see is people going to try to scan for the vulnerability.”
The flaw lives in the Jakarta Multipart parser upload function in Apache. It allows an attacker to easily send a maliciously crafted request (one carrying a malicious Content-Type value) to an Apache webserver and have it executed. Struts 2.3.5 to Struts 2.3.31 are affected, as are Struts 2.5 to 2.5.10; admins are urged to upgrade immediately to Struts 2.3.32 or 2.5.10.1.
Talk of the vulnerability surfaced on Chinese forums, according to Vincente Motos, who posted an advisory on the HackPlayers website. Motos said a notorious Apache Struts hacker known as Nike Zheng posted a public proof-of-concept exploit demonstrating the ease with which an attacker could inject operating system commands.
The attacks are particularly risky to anyone running their Apache webservers as root, which is not a suggested practice. Williams said it’s unclear whether an attacker can benignly scan for vulnerable servers in order to determine the version and context under which Struts is running, whether as Apache or root, for example. But as with some older internet-wide bugs, there are a large number of scans happening.
“[Attacks] look like requests to a webserver with a malformed piece,” Williams said. “Unless you’re looking for it, it’s easy not to see the malformed content type.”
An attacker, he said, would need to just modify one line depending on the operating system the target is running, Windows or Linux, and have it download a malicious binary from the web.
“Unfortunately, due to the nature of command-line injections like this, it’s very easy to modify,” Williams said. “And that’s why I think we’re going to continue to see exploitation rise for the foreseeable future.”
The risks are severe for an organization running an exposed Apache server if it’s compromised.
“The sky’s the limit,” Williams said. “If I’m a bad guy, depending on what my game is, I can take over your webserver and use that to move laterally through your network. If I’m super insidious, I can use that to look for your domain controller and if I can find a way to compromise your password hashes, say from the Linux server I compromised, I can possibly log in to your domain controller and use that to push malware to all your machines. I could ransom off your webserver, all kinds of terrible things.”
Williams said Cisco has observed that the majority of public attacks feature a number of Linux bots used for DDoS attacks taking advantage of this vulnerability, along with an IRC bouncer and a malware sample related to the BillGates botnet.
Williams cautioned as well that connected devices in the IoT space could also be a major concern, since Struts 2 likely runs there.
“I’m going to guess there’s a reasonable number of devices running it, and due to the nature of IoT, those aren’t going to be patched any time soon. So this is going to be an issue for the foreseeable future.”
Given the availability of patches and detection rules, it’s likely that public attacks are going to be largely mitigated, and as more detection rules surface, public exploits should be less useful to attackers.
“Due to the fact that it’s relatively easy to go inside and modify an attack, it’s going to be bad and it’s going to plague us for some time,” Williams said. “Good news is that detecting it is not that difficult.”
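To make the "malformed content type" concrete from the defender's side, the following is an added example (not code from Cisco, Talos or the Struts project) that checks each request's Content-Type header against the RFC 7231 media-type grammar and flags values that do not conform. The expression-delimiter check and the length bound are added heuristics not described in the article, and the sample requests are constructed, with an inert placeholder in place of any payload.

```python
import re

# RFC 7230 token characters, used by the RFC 7231 media-type grammar.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
MEDIA_TYPE = re.compile(
    rf"^{TOKEN}/{TOKEN}(?:[ \t]*;[ \t]*{TOKEN}=(?:{TOKEN}|{QUOTED}))*[ \t]*$"
)
# Expression-language delimiters never belong in a media type (added heuristic).
EXPR_MARKER = re.compile(r"[%$]\{")
MAX_LEN = 256  # assumption: generous bound for a legitimate Content-Type value


def classify_content_type(value):
    """Return the reasons a header value is suspicious (empty list if clean)."""
    reasons = []
    if EXPR_MARKER.search(value):
        reasons.append("expression-marker")
    if not MEDIA_TYPE.match(value):
        reasons.append("not-a-media-type")
    if len(value) > MAX_LEN:
        reasons.append("oversized")
    return reasons


def scan_requests(raw_requests):
    """Return (request_line, reasons) for each raw request head that is flagged."""
    findings = []
    for raw in raw_requests:
        lines = raw.split("\r\n")
        for header in lines[1:]:
            name, sep, value = header.partition(":")
            if sep and name.strip().lower() == "content-type":
                reasons = classify_content_type(value.strip())
                if reasons:
                    findings.append((lines[0], reasons))
    return findings


# Constructed sample request heads (not captured traffic; marker is inert).
SAMPLES = [
    "POST /upload.action HTTP/1.1\r\nHost: app.example\r\nContent-Type: multipart/form-data; boundary=----abc123\r\n",
    "GET /index.action HTTP/1.1\r\nHost: app.example\r\nContent-Type: %{#constructed_marker}.multipart/form-data\r\n",
    "POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Type: application/json; charset=utf-8\r\n",
]

if __name__ == "__main__":
    for request_line, reasons in scan_requests(SAMPLES):
        print(request_line, "->", ", ".join(reasons))
```

A check like this only works where the full request headers are visible, such as at a reverse proxy, WAF or packet capture, because default access-log formats do not record Content-Type.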