Struts, the vulnerability recently found in Apache Struts 2, a popular piece of open source software offered by “The Apache Foundation”, has been discussed heavily amongst information security professionals recently. The reason is that criminals have jumped at the chance to hit high-profile organisations using the platform; the Canada Revenue Agency’s website being taken offline is just one example. How can it be exploited? A hacker connected to the internet from a coffee shop can change passwords, perform administrative tasks, install programs, and have free rein over their target’s server.
With many executives asking themselves, “are we affected by this?”, “to what extent?”, “have we implemented the recommended workarounds?”, Qualys have described how to protect your organisation from this critical bug that can pose severe consequences if left unaddressed.
A breakdown of the vulnerability
In its emergency security alert, Apache classified the vulnerability in Struts’ Jakarta Multipart parser as high risk, warning of remote code execution (RCE) attacks, which can lead to complete system compromises.
Specifically, the affected parser (present in Struts 2.3.5 to 2.3.31, and in 2.5 to 2.5.10) mishandles file upload, which lets remote attackers execute arbitrary commands via a #cmd= string in a specially crafted Content-Type HTTP header, as described in the vulnerability’s CVE-2017-5638 entry.
Unfortunately, it’s very easy for hackers to spot vulnerable systems, and Struts exploits are publicly available, simple to carry out and reliable.
In our own detailed analysis, we noted that exploits of this vulnerability don’t necessarily require upload functionality to be implemented on a web app, and that they can be carried out with only the presence of a vulnerable library.
Now that we know the who and the what, the question remains: how can this be rectified? The answer lies in the multistep process outlined below.
Vulnerability management: Perform a standard VM scan against your web servers. This approach is suitable when form-based authentication is not required, and it is scalable and extremely efficient.
Application scanning: VM (Vulnerability Management) detection techniques will not take form-based authentication methods into account, and URL redirects are also not supported by that detection method.
If form authentication and/or non-default paths and redirects are used within your Apache environments, application scanning is your best option. It can perform complex authentication methods and offers an enhanced crawling engine to locate hard-to-find directories, which is paramount in testing for this vulnerability across your entire IT infrastructure.
Crawling is what makes it possible to find, test for and detect this vulnerability across your entire IT infrastructure and application environments, and to do so at scale.
Application firewall: Implement a robust web application firewall that can block attempts to exploit this vulnerability when upgrades or changes cannot be made due to change control, or because of the risk of breaking existing installations or legacy uses. The additional benefit is that a variety of customisations can be introduced to meet the specific security needs of your application.
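As an added illustration (not code from the original article or from Qualys), the header check that an application firewall rule or a log-review script could apply while patching is pending: any Content-Type value that is not a well-formed media type, or that carries OGNL expression markers such as the #cmd= string named in the CVE entry, is flagged for blocking or alerting. The log line format and the sample requests are constructed for this example.

```python
import re

# Strict media-type grammar: type/subtype plus optional ;param=value pairs.
# A legitimate multipart upload header looks like
#   multipart/form-data; boundary=----WebKitFormBoundaryabc123
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
MEDIA_TYPE_RE = re.compile(
    rf"^\s*{TOKEN}/{TOKEN}(?:\s*;\s*{TOKEN}\s*=\s*(?:{TOKEN}|{QUOTED}))*\s*$"
)

# OGNL expression markers that have no business in a Content-Type header.
# "#cmd=" is the indicator named in the CVE-2017-5638 entry; "%{" and "${"
# open an OGNL expression; the others reference Struts internals.
OGNL_MARKERS = ("%{", "${", "#cmd=", "#context", "#_memberAccess")

def classify_content_type(header_value: str) -> str:
    """Return 'ognl-marker', 'malformed' or 'ok' for one Content-Type value."""
    lowered = header_value.lower()
    if any(marker.lower() in lowered for marker in OGNL_MARKERS):
        return "ognl-marker"
    if not MEDIA_TYPE_RE.match(header_value):
        return "malformed"
    return "ok"

def flag_requests(log_lines):
    """Scan 'METHOD PATH | Content-Type: value' lines (constructed format);
    return (line_number, verdict) for every request that is not 'ok'."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        _, _, ctype = line.partition("Content-Type:")
        if not ctype:
            continue
        verdict = classify_content_type(ctype.strip())
        if verdict != "ok":
            hits.append((number, verdict))
    return hits

# Constructed sample traffic (not real logs): two benign requests, one
# malformed header, and one carrying the marker from the CVE description.
SAMPLE_LOG = [
    "POST /upload.action | Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryabc123",
    "GET /index.action | Content-Type: text/html; charset=utf-8",
    "POST /upload.action | Content-Type: multipart/form-data; boundary",
    "POST /upload.action | Content-Type: %{#cmd='id'}",
]

if __name__ == "__main__":
    for number, verdict in flag_requests(SAMPLE_LOG):
        print(f"line {number}: {verdict} -> {SAMPLE_LOG[number - 1]}")
```

The strict grammar check catches malformed headers that a marker list alone would miss, which matters because the parser is triggered by the header being unparseable, not by any one keyword.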