In September 2017, Equifax disclosed that a failure to patch one of its Internet-facing servers against a widely exploited flaw in Apache Struts, a Web application framework, led to a breach that exposed personal data on 147 million Americans. Now experts are warning that blueprints showing malicious hackers how to exploit a newly discovered Apache Struts vulnerability are available online, leaving countless organizations in a rush to apply the new updates and plug the hole before attackers can use it to wriggle inside.

Experts Urge Rapid Patching of ‘Struts’ Bug — Krebs on Security

On Aug. 22, the Apache Software Foundation released software updates to fix a critical vulnerability in Apache Struts, a Web application platform used by an estimated 65 percent of Fortune 100 companies. Unfortunately, computer code that can be used to exploit the bug has since been posted online, meaning bad guys now have precise instructions on how to break into vulnerable, unpatched servers.

Attackers can exploit a Web site running a vulnerable Apache Struts installation using nothing more than a Web browser. The bad guy simply needs to send the right request to the site, and the Web server will run any command of the attacker’s choosing. At that point, the intruder could take any number of actions, such as adding or deleting files, or copying internal databases.

An alert about the Apache security update was posted Wednesday by Semmle, the San Francisco software company whose researchers discovered the bug.

“The widespread use of Struts by leading enterprises, along with the proven potential impact of this sort of vulnerability, illustrate the threat that this poses,” the alert warns.

“Critical remote code execution vulnerabilities like the one that affected Equifax and the one we announced today are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit,” wrote Semmle co-founder Pavel Avgustinov. “A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It’s crucially important to update affected systems immediately; to wait is to take an irresponsible risk.”

The timeline in the 2017 Equifax breach highlights how quickly attackers can take advantage of Struts flaws. On March 7, 2017, Apache released a patch for a similarly dangerous Struts flaw, and within 24 hours of that update security experts began tracking signs that attackers were exploiting vulnerable servers.

Just three days after the patch was released, attackers found Equifax’s servers were vulnerable to the Apache Struts flaw, and used the vulnerability as an initial entry point into the credit bureau’s network.


A slide from “We are all Equifax,” an RSA talk given in April 2018 by Derek Weeks.

The vulnerability affects all supported versions of Struts 2. Users of Struts 2.3 should upgrade to version 2.3.35; users of Struts 2.5 should upgrade to 2.5.17.
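The quickest way to act on those version numbers is to inventory every deployed Struts 2 core jar and compare it against the fixed releases named above. The script below is an added example, not code from Krebs on Security, Semmle or the Apache Struts project. It assumes the standard `struts2-core-<version>.jar` naming under `WEB-INF/lib`; the sample jar names at the bottom are constructed for illustration.

```python
"""Flag Struts 2 core jars that are older than the fixed releases (2.3.35 / 2.5.17)."""
import re
from pathlib import Path

# Fixed releases as stated in the Apache advisory quoted on the page:
# Struts 2.3.x users need 2.3.35, Struts 2.5.x users need 2.5.17.
FIXED_VERSIONS = {
    (2, 3): (2, 3, 35),
    (2, 5): (2, 5, 17),
}

# Standard Maven artifact naming, e.g. struts2-core-2.5.16.jar (assumption:
# renamed or shaded jars will not match and must be checked by hand).
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """'2.3.34' -> (2, 3, 34); tuples compare correctly element by element."""
    return tuple(int(part) for part in text.split("."))


def assess(version):
    """Return 'patched', 'vulnerable' or 'unsupported' for a Struts 2 version tuple."""
    branch = version[:2]
    if branch not in FIXED_VERSIONS:
        # 2.0.x / 2.1.x and similar are out of support: the advisory covers all
        # supported Struts 2 branches, so an older branch has no fixed release
        # and needs a migration rather than a point upgrade.
        return "unsupported"
    return "patched" if version >= FIXED_VERSIONS[branch] else "vulnerable"


def scan_jar_names(names):
    """Map each struts2-core jar name to its assessment; other jars are ignored."""
    results = {}
    for name in names:
        match = JAR_RE.match(name)
        if match:
            results[name] = assess(parse_version(match.group(1)))
    return results


def scan_webapp(webapp_dir):
    """Walk a deployed webapp (or a whole Tomcat webapps tree) for struts2-core jars."""
    names = [path.name for path in Path(webapp_dir).rglob("struts2-core-*.jar")]
    return scan_jar_names(names)


if __name__ == "__main__":
    # Constructed sample of jar names as they might appear under WEB-INF/lib.
    sample = [
        "struts2-core-2.5.16.jar",   # one release behind the fix: vulnerable
        "struts2-core-2.3.35.jar",   # the fixed 2.3 release: patched
        "struts2-core-2.1.8.jar",    # out-of-support branch: unsupported
        "commons-io-2.6.jar",        # not Struts: ignored
    ]
    for jar, verdict in scan_jar_names(sample).items():
        print(f"{jar}: {verdict}")
```

Run `scan_webapp("/opt/tomcat/webapps")` on each host. A jar name is only a heuristic: an application that bundles Struts under another name, or pulls it in transitively from a build, will not show up here, so treat a clean result as "nothing found", not "nothing vulnerable", and confirm from the build manifest or `META-INF/maven` metadata where you can.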

More technical details about this bug from its discoverer, Man Yue Mo, are here. The Apache Software Foundation’s advisory is here.
