Security researchers have spotted a remote code execution zero-day, tracked as CVE-2017-5638, in Apache Struts 2, and the bad news is that threat actors in the wild are already exploiting it.
According to the experts from Cisco Talos, the flaw affects the Jakarta-based file upload Multipart parser in Apache Struts 2, and sysadmins need to urgently apply the security upgrade. CVE-2017-5638 is documented at Rapid7’s Metasploit Framework GitHub site, and attackers in the wild are exploiting publicly available PoC code that triggers the issue.
“Talos has observed a new Apache vulnerability that is being actively exploited in the wild. The vulnerability (CVE-2017-5638) is a remote code execution bug that affects the Jakarta Multipart parser in Apache Struts, referenced in this security advisory.” reads the security advisory published by the Talos group. “Talos began investigating for exploitation attempts and found a high number of exploitation events.”
The issue was first spotted by the Chinese developer Nike Zheng. The attack sends an invalid Content-Type value to the uploader; the resulting exception creates the condition for remote code execution.
Attackers can exploit the vulnerability to remotely take over a system, as explained by Qualys, which also shared a probe (QID 11771 in VULNSIGS-2.3.559-2) to detect the presence of this issue.
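As a complement to the vendor probe mentioned above, the following added example (not code from the article, Talos or Qualys) shows a small log-side check a defender can run: it parses a few constructed request records and flags Content-Type header values that either are not syntactically valid media types (the malformed value described above) or carry expression markers. The assumption, known from the public analysis of this bug rather than stated on the page, is that the exploit embeds an OGNL expression in the Content-Type value; the marker list, the log line format and all sample values are constructed for illustration.

```python
"""
Flag HTTP requests whose Content-Type header is malformed or carries an
expression marker, the trigger condition for CVE-2017-5638 described above.
All log lines below are constructed samples; this is a triage aid, not a
substitute for patching Struts or for the vendor's own probe.
"""
import re
from typing import List, Tuple

# Simplified RFC 7231 media-type grammar: type "/" subtype *( ";" parameter ).
# Note that "{" and "}" are not token characters, so an expression such as
# "%{...}" can never be a valid media type.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_PARAM = rf"\s*;\s*{_TOKEN}=(?:{_TOKEN}|{_QUOTED})"
MEDIA_TYPE_RE = re.compile(rf"^{_TOKEN}/{_TOKEN}(?:{_PARAM})*\s*$")

# Assumption: substrings typical of an OGNL expression injected into a header.
OGNL_MARKERS = ("%{", "${", "#_memberAccess", "@java.lang")

# Constructed record format: <client> <method> <path> "<content-type value>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "(.*)"$')

# Constructed sample log: two benign uploads, one probe, one malformed header.
SAMPLE_LOG = [
    '198.51.100.10 POST /upload.action "multipart/form-data; boundary=----WebKitFormBoundary7MA4"',
    '198.51.100.11 POST /login.action "application/x-www-form-urlencoded"',
    '203.0.113.5 POST /upload.action "%{(#constructed_ognl_probe).(#placeholder)}"',
    '203.0.113.6 POST /upload.action "multipart/form-data boundary=missing-semicolon"',
]


def is_valid_media_type(value: str) -> bool:
    """True when the header value parses as type/subtype with optional params."""
    return MEDIA_TYPE_RE.match(value) is not None


def classify_content_type(value: str) -> str:
    """Return 'ognl' for expression markers, 'malformed' for bad grammar, else 'ok'."""
    if any(marker in value for marker in OGNL_MARKERS):
        return "ognl"
    if not is_valid_media_type(value):
        return "malformed"
    return "ok"


def scan_requests(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Classify each parsable record; returns (line number, verdict, header value)."""
    results = []
    for number, line in enumerate(lines, start=1):
        match = LINE_RE.match(line)
        if not match:
            continue  # skip records that do not fit the constructed format
        content_type = match.group(4)
        results.append((number, classify_content_type(content_type), content_type))
    return results


if __name__ == "__main__":
    for number, verdict, value in scan_requests(SAMPLE_LOG):
        flag = "" if verdict == "ok" else "  <-- review"
        print(f"line {number}: {verdict:9s} {value!r}{flag}")
```

Anything reported as `ognl` or `malformed` is worth pulling the full request for, and `malformed` on its own is useful because a parser exception is the precondition the article describes, whatever the attacker put after it.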
“A remote code execution vulnerability exists in Apache Jakarta multipart parser. If exploited, this issue can allow an attacker to remotely and without the need of any credentials take complete control of the system. Needless to say we think this is a high priority issue and the consequence of a successful attack is dire. The issue is triggered when the software tries to parse the Content-Type HTTP header.”
Below is an example of the simple probing attacks detected by the Talos group. The attempts are ongoing; attackers just check whether a system is vulnerable by executing a simple Linux-based command.
“The majority of the exploitation attempts seem to be leveraging a publicly released PoC that is being used to run various commands. Talos has observed simple commands (i.e. whoami) as well as more sophisticated commands including pulling down a malicious ELF executable and execution.” reads the analysis shared by Talos.
The experts also observed malicious attacks which turn off firewall processes on the target servers and then drop malicious payloads.
“This example is a little more aggressive with its attack. The steps include stopping the Linux firewall as well as SUSE Linux firewall. Final steps include downloading a malicious payload from a web server and execution of said payload. The payloads have varied but include an IRC bouncer, a DoS bot, and a sample related to the bill gates botnet. This isn’t uncommon for Linux based compromise as a payload is downloaded and executed from a privileged account.” continues Talos.
The researchers also observed a more sophisticated attack that attempts to exploit the issue to gain persistence on the target:
“The difference with this particular example is the attempted persistence. The adversary attempts to copy the file to a benign directory and then ensure that both the executable runs and that the firewall service will be disabled when the system boots.”
(Security Affairs – Apache Struts 2, hacking)