Last week Equifax reported a huge data breach, hackers accessed its systems between mid-May and late July. The incident affected roughly 143 million U.S. consumers and some customers in the U.K. and Canada.
The hackers accessed customers’ personal information, including names, social security numbers, dates of birth, addresses and, for some consumers also the driver’s license numbers. Equifax reported that hackers also accessed credit card numbers of roughly 209,000 consumers in the United States and dispute documents belonging to 182,000 people.
The company did not provide details of the attack, it only revealed that attackers exploited a web application vulnerability to access the information.
“criminals exploited a U.S. website application vulnerability to gain access to certain files.” Stated Equifax.
More details on the attack were shared by the financial services firm Baird that claimed the hackers exploited a vulnerability in the Apache Struts framework used by Equifax for its web applications.
“Our understanding is that data entered (and retained) through consumer portals/interactions (consumers inquiring about their credit reports, disputes, etc.) and data around it was breached via the Apache Struts flaw,” states a report published by Baird.
Immediately security experts concluded that hackers have exploited the recently discovered critical vulnerability CVE-2017-9805 in Apache Struts.
The flaw was discovered by security researchers at LGTM (lgtm.com), it could be exploited by a remote attacker to run malicious code on the vulnerable servers.
The remote code execution vulnerability exists when the REST plugin is used with the XStream handler for XML payloads.
“Security researchers at lgtm.com have discovered a critical remote code execution vulnerability in Apache Struts — a popular open-source framework for developing web applications in the Java programming language.” states the security advisory published by lgtm.com.”All versions of Struts since 2008 are affected; all web applications using the framework’s popular REST plugin are vulnerable. Users are advised to upgrade their Apache Struts components as a matter of urgency. This vulnerability has been addressed in Struts version 2.5.13.”
The vulnerability tracked as CVE-2017-9805 is related to the way Struts deserializes untrusted data, it affects all versions of Apache Struts since 2008, from Struts 2.5 to Struts 2.5.12.
The vulnerability was reported to Apache Struts development team in mid-July, but it was addressed only on September 5 with the release of Struts version 2.5.13.
According to the expert that has discovered the vulnerability, the flaw is easy to exploit, an attacker can trigger it by submitting a malicious XML code in a format.
“The Struts framework is used by an incredibly large number and variety of organizations. This vulnerability poses a huge risk, because the framework is typically used for designing publicly-accessible web applications. Struts is used in several airline booking systems as well as a number of financial institutions who use it in internet banking applications. On top of that, it is incredibly easy for an attacker to exploit this weakness: all you need is a web browser. Organizations who use Struts should upgrade their components immediately.” said Man Yue Mo, the LGTM security researcher that discovered the vulnerability.
The lgtm security team has developed an exploit code for this vulnerability, but it hasn’t disclosed it.
However, on September 6, it was reported the availability of a #Metaslpoit module to exploit the CVE 2017-9805, the module is available at the following URL:
Currently the vulnerability is being exploited in the wild, anyway there is no evidence of exploitation before the patch was released.
Over the weekend the Apache Struts Project Management Committee (PMC) released an official statement to highlight that it is still unclear if the Equifax breach is linked to any Struts vulnerability, in particular the CVE-2017-9805.
“We are sorry to hear news that Equifax suffered from a security breach and information disclosure incident that was potentially carried out by exploiting a vulnerability in the Apache Struts Web Framework. At this point in time it is not clear which Struts vulnerability would have been utilized, if any.” Wrote the veeo for Struts René Gielen, in a post,
Gielen, who analyzed the vulnerability timeline, explained that while Equifax was breached in mid-May 2017, the Struts vulnerability CVE-2017-9805 was announced only in early September 2017.
Gielen therefore speculates that “the attackers either used an earlier announced vulnerability on an unpatched Equifax server or exploited a vulnerability not known at this point in time [July] – a so-called Zero-Day-Exploit.”
The outlet QZ.com alleged that the hackers exploited a flaw in Apache Struts, it also pointed out that the vulnerability may have been present in Struts for nine years.
Apache development ream rejected the accusation with the following statement:
“Regarding the assertion that especially CVE-2017-9805 is a nine year old security flaw, one has to understand that there is a huge difference between detecting a flaw after nine years and knowing about a flaw for several years. If the latter was the case, the team would have had a hard time to provide a good answer why they did not fix this earlier. But this was actually not the case here – we were notified just recently on how a certain piece of code can be misused, and we fixed this ASAP.”
It is more likely the hackers have targeted Equifax by exploiting the CVE-2017-5638 a vulnerability exploited in the wild since March.
“For either vulnerability, the process is basically the same. The attacker sends a specific HTTP request containing some special syntax,” explained Jeff Williams, co-founder and CTO at Contrast Security. “In one case, an OGNL expression. In the other, a serialized object. The Equifax Struts application would receive this request, and get tricked into executing operating system commands. The attacker can use these to take over the entire box – do anything the application can do. So, they probably stole the database credentials out of the application, ran some queries, and then exfiltrated the data to some server they control on the internet.”
New York Attorney General Eric T. Schneiderman announced the an official investigation into the Equifax security breach.
(Security Affairs – Struts CVE-2017-9805 RCE, Equifax)