Due to the Jakarta Multipart parser in Apache Struts mishandling Content-Type headers, an attacker can remotely execute code on vulnerable systems.
Apache Software Foundation has patched a remote code execution vulnerability affecting the Jakarta Multipart parser in Apache Struts. Administrators need to update the popular Java application framework or put workarounds in place because the vulnerability is actively being targeted in attacks.
The issue affects Apache Struts versions 2.3.5 through 2.3.31 and versions 2.5 through 2.5.10. The presence of vulnerable code is enough to expose the system to attack—the web application doesn’t need to implement file upload for attackers to exploit the flaw, said researchers from Cisco Talos.
Talos “found a high number of exploitation events,” said Cisco threat researcher Nick Biasini. “With exploitation actively underway, Talos recommends immediate upgrading if possible or following the workaround referenced in the above security advisory.”
The remote code execution vulnerability (CVE-2017-5638) in the Jakarta Multipart parser is the result of improper handling of the Content-Type header, Apache said in its emergency security advisory. The header indicates the media type of the resource, such as when the client tells the server what type of data was sent as part of a POST or PUT request, or the server telling the client what type of content is being returned as part of the response. The flaw is triggered when Struts parses a malformed Content-Type HTTP header and lets attackers remotely take complete control of the system without needing any kind of authentication.
“It is possible to perform a RCE [remote code execution] attack with a malicious Content-Type value. If the Content-Type value isn’t valid an exception is thrown which is then used to display an error message to a user,” Apache said in its advisory.
- System administrators using Jakarta-based file upload Multipart parser, which is a standard part of the Struts2 framework, should upgrade to Apache Struts version 2.3.32 or 188.8.131.52.
- Alternatively, administrators can switch to a different implementation of the Multipart parser, such as the Pell parser plugin, which doesn’t use the Common-FileUpload library and is therefore not at risk.
- Another workaround is to implement a Servlet filter to validate Content-Type and throw away requests with suspicious values.
Cisco Talos observed two types of attacks: probing, to find out what the target network and systems look like, and malware distribution. The majority of the attacks appear to be using a publicly released proof of concept to run various commands, from simple commands such as
whoamito more sophisticated commands which can pull down and run malicious ELF executables. For example, an attacker can use
whoami as a probe to determine if the system is vulnerable and to find the user associated with the running service. If the command returns a power user, then the attacker can continue with a more sophisticated set of commands, Biasini said.
Talos also observed other attacks which turn off firewall processes and download malicious payloads from a remote server. “The payloads have varied but include an IRC bouncer, a DoS bot, and a sample related to the bill gates botnet,” Biasini wrote.
Apache classified the vulnerability (s2-045) as high risk in its advisory, but it doesn’t currently have a score under the Common Vulnerability Scoring System (CVSS). Considering this flaw doesn’t require the attacker to be authenticated; is not considered difficult to exploit; and can result in information disclosure and complete system compromise, the final score could be a 10, the highest, and most critical, rating possible under the system.
Qualys has developed a test probe, which sends a GET request in certain directories and try to run
ipconfig commands, to detect if the system is vulnerable, said Amol Sarwate, the director of engineering at Qualys. A Metasploit module is also already available.
If updating Struts is not an option, Cisco Talos researchers recommended configuring next-generation intrusion prevention systems, next-generation firewalls, and web application firewalls with the appropriate rules to block attempts to exploit the vulnerability. Cisco customers can get the latest sets of rules through Defense Center, FireSIGHT Management Center, or Snort.org (SID 41818, 41819), Biasini said.
“It is likely that the exploitation will continue in a wide scale since it is relatively trivial to exploit and there are clearly systems that are potentially vulnerable,” Biasini said.