The CVE-2017-5638 remote code execution zero-day has been exploited by attackers in the wild. It affects Struts 2.3.5 through 2.3.31 and Struts 2.5 through 2.5.10.
According to the experts from Cisco Talos, the flaw affects the Jakarta-based file upload Multipart parser under Apache Struts 2.
Tinfoil Security has published an online tool that allows website owners to check if they are vulnerable to CVE-2017-5638 attacks.
The issue was first spotted by the Chinese developer Nike Zheng. The attack sends an invalid Content-Type value to the uploader, which throws an exception and creates the conditions for remote code execution.
The issue is documented at Rapid7's Metasploit Framework GitHub site, and attackers in the wild are exploiting it using publicly available PoC code that triggers the vulnerability.
“Talos has observed a new Apache vulnerability that is being actively exploited in the wild. The vulnerability (CVE-2017-5638) is a remote code execution bug that affects the Jakarta Multipart parser in Apache Struts, referenced in this security advisory.” reads the security advisory published by the Talos group. “Talos began investigating for exploitation attempts and found a high number of exploitation events.”
Now Cisco confirmed that the vulnerability affects the Cisco Identity Services Engine (ISE), the Prime Service Catalog Virtual Appliance, and the Unified SIP Proxy Software.
Cisco published a list of dozens of products that are not affected, but the experts are conducting further analysis to assess all the potentially impacted products.
“Cisco is investigating its product line to determine which products may be affected by this vulnerability and the impact on each affected product. Please refer to the Vulnerable Products and Products Confirmed Not Vulnerable sections of this advisory for information about whether a product is affected.” reads the security advisory published by Cisco.
“The Vulnerable Products section includes Cisco bug IDs for each affected product. The bugs are accessible through the Cisco Bug Search Tool and contain additional platform-specific information, including workarounds (if available) and fixed software releases.”
At the time the advisory was published, Cisco had not found any evidence of attacks targeting its products, but the company warned users that a PoC exploit is publicly available.
The experts also observed attacks that turn off firewall processes on the target servers and then drop malicious payloads such as IRC bouncers and DDoS bots.
According to the security firm Rapid7, the majority of the malicious traffic comes from two machines located in Zhengzhou and Shanghai, China.
“Based on the traffic we are seeing at this time it would appear that the bulk of the non-targeted malicious traffic appears to be limited attacks from a couple of sources. This could change significantly tomorrow if attackers determine that there is value in exploiting this vulnerability.” reads the blog post published by Rapid7.
Security vendors have started releasing firewall rules that could be used by administrators to protect their systems and block the attacks.
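A minimal detector of the kind those rules implement, added here as an example and not taken from the article or from any vendor: it checks the Content-Type header of each request against the media-type grammar (the attack relies on a value the parser cannot interpret as a normal media type) and also looks for the `%{` / `${` expression markers that the public exploits for this bug place in the header. The log format and the log lines are constructed for the example.

```python
import re

# Simplified RFC 7231 media-type grammar: token "/" token *( ";" token "=" ( token / quoted-string ) ).
# Note that "{" and "}" are not token characters, so an expression prefix fails the grammar.
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
TOKEN = TCHAR + r"+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
PARAM = r"\s*;\s*" + TOKEN + r"=(?:" + TOKEN + r"|" + QUOTED + r")"
MEDIA_TYPE = re.compile(r"^" + TOKEN + r"/" + TOKEN + r"(?:" + PARAM + r")*\s*$")

# Expression markers used by the public CVE-2017-5638 exploits; checked separately because a
# quoted parameter value (e.g. a boundary) is valid grammar and could still carry one.
EXPRESSION_MARKER = re.compile(r"[%$]\{")


def classify_content_type(value):
    """Return the reasons a Content-Type value looks suspicious (empty list means benign)."""
    reasons = []
    if not MEDIA_TYPE.match(value):
        reasons.append("not a valid media type")
    if EXPRESSION_MARKER.search(value):
        reasons.append("expression marker in header")
    return reasons


def scan_log(lines):
    """Scan constructed tab-separated lines: client<TAB>method<TAB>path<TAB>content-type."""
    flagged = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 4:
            continue  # malformed record, not a request we can judge
        client, _method, path, content_type = parts
        reasons = classify_content_type(content_type)
        if reasons:
            flagged.append((client, path, reasons))
    return flagged


# Constructed sample records (documentation IP ranges, harmless placeholder expressions).
SAMPLE_LOG = [
    "203.0.113.5\tPOST\t/upload.action\tmultipart/form-data; boundary=----abc123",
    "203.0.113.6\tPOST\t/login.action\tapplication/x-www-form-urlencoded",
    "198.51.100.9\tPOST\t/upload.action\t%{(#test='constructed')}multipart/form-data",
    "198.51.100.10\tPOST\t/upload.action\tmultipart/form-data; boundary=\"${constructed}\"",
]

if __name__ == "__main__":
    for client, path, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} {path}: {', '.join(reasons)}")
```

The fourth record passes the grammar check but is still flagged, which is why a signature-only or grammar-only rule is weaker than the two combined.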
(Security Affairs – Apache Struts 2, CVE-2017-5638)