Apache Struts: Understanding how Apache Struts vulnerabilities could impact your organization


RiskSense Platform: the industry's most comprehensive, intelligent platform for managing cyber risk.

SPOTLIGHT

Apache Struts: Understanding how Apache Struts vulnerabilities could impact your organization

Background

Apache Struts is a free, open-source Model View Controller (MVC) framework. Introduced around 2006, it is extensively used to build Java-based web applications. Over the last 12 years we have observed an increase in the weaponization of Apache Struts vulnerabilities, and an unpatched Apache Struts vulnerability (CVE-2017-5638) was the foundation of a significant data breach that put Apache Struts into the spotlight. This weakness emphasized the impending risks for Apache Struts-based applications. Even today, scanners do not detect all known vulnerabilities: as of 10/10/2017, the leading scanners still missed 25 unique Common Vulnerabilities and Exposures (CVEs).

In this spotlight report, we analyze Apache Struts-related vulnerability weaponization patterns spanning the last decade. We also provide insight into exploit patterns and explain how these patterns can inform an organization's risk management strategy.

Page 2

Table of Contents

Introduction ... 3
CVE-2017-5638 Timeline ... 3
Apache Struts Vulnerabilities Weaponization Patterns ... 4
Weaponization Timeline and Exploit Patterns ... 6
What Does This Mean for Organizational Cyber Risk Management? ... 7

Apache Struts in the Spotlight, November 2017

Spotlight: Apache Struts. Understanding how Apache Struts vulnerabilities could impact your organization

Introduction

[Figure 1: CVE-2017-5638 timeline, March to October 2017. Marked events: CVE-2017-5638 published (3.6.17), exploit released (3.9.17), NVD released (3.10.17), RiskSense prioritized CVE-2017-5638 in the Platform (3.25.17), attack occurred and mega data breach breaking news (9.7.2017).]

Developers use the Apache Struts MVC framework to build Internet-facing web applications that regularly accept and act on user input. User input is processed on the server side by parsers or internal objects. These input handlers are exposed to remote code execution (RCE) exploits and arbitrary command injection resulting from underlying implementation flaws. Among the 27 Apache Struts vulnerabilities found with exploits, we observed the following:

• The average vulnerability disclosure time latency is 39 days for RCE-based vulnerabilities and 29 days for non-RCE-based vulnerabilities.

• The one exploit belonging to both the remote and web application categories is CVE-2017-5638.

CVE-2017-5638 is an incorrect exception handling and error message generation vulnerability that is triggered during file upload attempts in the Jakarta Multipart parser in the following Apache Struts versions:

• Apache Struts 2.3.x before 2.3.32
• Apache Struts 2.5.x before 2.5.10.1

This vulnerability allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header. Figure 1 shows CVE-2017-5638's overall timeline, including the vulnerability's initial disclosure and exploitation in the wild. While the vendor disclosed the vulnerability and patch on 03/06/2017, an applicable exploit was released on 03/09/2017. It is important to note that RiskSense was the only organization that uncovered the related exploit so early. We were able to do this by tracking Apache Struts code commits on GitHub.

The vulnerability was accepted into the National Vulnerability Database (NVD) on 03/10/2017. It should be noted that the NVD had a delay of four days in accepting and publishing this critical vulnerability. This delay between a vendor disclosing a vulnerability and the vulnerability's publication in the NVD is known as vulnerability disclosure time latency. Based on the prevalence of the exploit in the wild, RiskSense prioritized this vulnerability for our clients on 03/25/2017. As predicted by RiskSense (based on the exploit's trend in the wild), the vulnerability was used in a high-profile attack that resulted in a mega data breach.
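Two checks a defender would want from the passage above, the affected-version test for CVE-2017-5638 and the latency figures read off the Figure 1 timeline, as an added Python example (not code from the report or from RiskSense); the version ranges and dates are the ones stated above, and the name prioritization_latency is this example's own assumption.

```python
from datetime import date

# Affected branches exactly as the report states them for CVE-2017-5638:
# Struts 2.3.x before 2.3.32 and Struts 2.5.x before 2.5.10.1.
AFFECTED_RANGES = [
    ((2, 3), (2, 3, 32)),      # 2.3.x branch, fixed in 2.3.32
    ((2, 5), (2, 5, 10, 1)),   # 2.5.x branch, fixed in 2.5.10.1
]

# Event dates read off the report's Figure 1 timeline for CVE-2017-5638.
CVE_2017_5638_EVENTS = {
    "vendor_disclosed": date(2017, 3, 6),
    "exploit_released": date(2017, 3, 9),
    "nvd_published": date(2017, 3, 10),
    "prioritized": date(2017, 3, 25),
}

def parse_version(text):
    """Turn '2.5.10.1' into (2, 5, 10, 1) so versions compare numerically."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("not a numeric dotted version: %r" % text)
    return tuple(int(p) for p in parts)

def is_affected(version_text):
    """True if the version falls in a branch the report lists as vulnerable.
    Tuple order gives (2, 5, 10) < (2, 5, 10, 1): 2.5.10 is flagged, 2.5.10.1 is not."""
    version = parse_version(version_text)
    for branch, fixed_in in AFFECTED_RANGES:
        if version[:len(branch)] == branch and version < fixed_in:
            return True
    return False

def latencies(events):
    """Day gaps the report measures, all counted from vendor disclosure.
    prioritization_latency is named by this example, not by the report."""
    start = events["vendor_disclosed"]
    return {
        "disclosure_time_latency": (events["nvd_published"] - start).days,
        "weaponization_latency": (events["exploit_released"] - start).days,
        "prioritization_latency": (events["prioritized"] - start).days,
    }

if __name__ == "__main__":
    for v in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(v, "affected" if is_affected(v) else "not affected")
    print(latencies(CVE_2017_5638_EVENTS))
```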

Page 3

Table 1

Exploit Type   Weaponization Latency (in Days)   Exploit Count
RCE            17 days after vendor disclosure   20
Non-RCE        30 days after vendor disclosure   6
Both           3 days after vendor disclosure    1

Page 4

Apache Struts Vulnerabilities Weaponization Patterns

After analyzing CVE-2017-5638's event timeline, it is evident that a critical vulnerability had not been prioritized in the target organization's risk management process. There may be several reasons for such a lack of prioritization, such as:

• Unavailability of an actionable intelligence platform
• Weak risk prioritization strategy

An efficient risk management strategy demands a proper vulnerability prioritization process. RiskSense's vulnerability prioritization process is supported by weaponization pattern mining and exploitability analysis. Weaponization is defined as creating malicious content (such as malware, exploits, etc.) that exploits a vulnerability. Here, we present our findings on vulnerability weaponization and related exploit patterns for Apache Struts vulnerabilities. Such exploit pattern analysis allows us to predict the exploitability of vulnerabilities, and correlating this information with the target client infrastructure allows us to better prioritize vulnerabilities for efficient remediation.

Figure 2 shows the disclosure time latency patterns for Apache Struts-related vulnerabilities over the last ten years. The vulnerability disclosure time latency is the delay (in days) between the vendor release date and the NVD publication date for a given vulnerability. Vulnerability criticality is determined from the Common Vulnerability Scoring System (CVSS) score.

[Figure 2: Latency in days before a CVE appears in NVD, plotted for 37 Apache Struts CVEs (24 CVEs with CVSS > 7 and 13 CVEs with CVSS < 7, CVSS v2 scores; CVEs that have applicable exploits are marked). Latencies range from 0 to 284 days. Data is up to date as of Oct 2nd, 2017.]

Page 5

We use the NVD as the reference for computing the vulnerability disclosure time latency, since the NVD is considered a standard repository for vulnerability publication and notification. Table 2 shows the Apache Struts-related CVEs with their severity, associated CVSS V2/V3 scores, NVD vulnerability latency, and exploit type. All CVSS scores provided below were obtained from the NVD; note that the NVD applied CVSS V3 scores only to CVEs from 2016 and later. The NVD vulnerability disclosure time latency denotes the time (in days) from the vendor's vulnerability disclosure to the NVD's vulnerability publication.

We were able to make the following observations using the information in Table 2 and Figure 2:

1. Table 2 and Figure 2 show that vulnerability disclosure time latency is present for the majority of vulnerabilities.
2. Table 3 highlights the CVEs that have a time latency of more than 100 days:

Table 3

CVE             Latency (in Days)
CVE-2008-6504   284
CVE-2012-0391   156
CVE-2012-0838   210
CVE-2016-4436   124

[Table 2: Apache Struts-related CVEs with severity, CVSS V2/V3 scores, NVD vulnerability latency and exploit type. Only the CVE column survived extraction, and the transcript ends partway through it.]