
SANS Internet Storm Center (SANS ISC) InfoSec Forums

Struts vulnerability patch released by Apache, patch now

UPDATE2: a Metasploit module has been released. Some limited workarounds may be available. Otherwise patch now!

UPDATE: a link to a working exploit has been seen. As of yet no IDS or WAF signatures/rules have been posted. (2017/09/05 20:30h EDT)

Anyone using Struts 2 should immediately upgrade to Struts 2.5.13 due to a remote code execution vulnerability. It has been assigned CVE-2017-9805 and a detailed technical writeup is available here: https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement.

A workaround would be to disable access to the REST API used by Struts, as it does not correctly deserialize objects when invoked.

Every once in a while along comes a vulnerability that should cause you to consider actually updating the platform your application runs on! Now that the patch is available it will not be long before a working exploit is out in the wild. 

Cheers,
Adrien de Beaupré, SANS Instructor and Co-author of #SEC642
Intru-shun.ca Inc.

Adrien de Beaupre

353 Posts
ISC Handler
Johannes mentioned disabling REST to mitigate exploitation. Has anyone confirmed this is effective with the public exploit code available? I'm not an Apache Struts admin but quick searches did not identify how to disable this. Any help with a link or steps on disabling would be greatly appreciated.
Anonymous

Posts
I believe that you can modify the configuration to restrict REST by setting the struts-plugin.xml value:
<constant name="struts.action.extension" value="xhtml,,json" />
as per: struts.apache.org/docs/…
and
struts.apache.org/docs/…

Can anyone validate? I do not have access to a Struts 2 install at the moment.
Can you remove the struts2-rest-plugin.jar file?

Cheers,
Adrien
Adrien de Beaupre

353 Posts
ISC Handler
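As an added, defender-side example (not code from the diary, the thread, or Apache), here is a small Python audit that checks an exploded Struts 2 webapp for the two points raised above: whether a struts2-rest-plugin jar is deployed at a version below 2.5.13, and whether a struts.action.extension override like the one proposed in the reply actually drops xml. The WEB-INF file locations, the version-in-filename convention and the fixture builder are assumptions; the "workaround" verdict only records that the override is in place, not that it is confirmed effective.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

FIXED = (2, 5, 13)  # first 2.5.x release with the CVE-2017-9805 fix, as the diary states
JAR_RE = re.compile(r"^struts2-rest-plugin-(\d+)\.(\d+)\.(\d+)\.jar$")  # assumed naming

def plugin_version(lib_dir):
    """Version tuple of struts2-rest-plugin-*.jar in lib_dir, or None if not deployed."""
    for jar in sorted(Path(lib_dir).glob("struts2-rest-plugin-*.jar")):
        m = JAR_RE.match(jar.name)
        if m:
            return tuple(int(x) for x in m.groups())
    return None

def xml_extension_enabled(struts_xml):
    """True if struts.action.extension still lists 'xml'. With no override present the
    REST plugin's own default (xhtml,,xml,json) applies, so that counts as enabled."""
    if not Path(struts_xml).is_file():
        return True
    for const in ET.parse(struts_xml).iter("constant"):
        if const.get("name") == "struts.action.extension":
            return "xml" in [e.strip() for e in const.get("value", "").split(",")]
    return True

def assess(webapp_root):
    """Classify one exploded webapp (assumed WEB-INF layout) for the 2.5 release line."""
    root = Path(webapp_root)
    ver = plugin_version(root / "WEB-INF" / "lib")
    if ver is None:
        return "no-rest-plugin"
    if ver >= FIXED:
        return "patched"
    if not xml_extension_enabled(root / "WEB-INF" / "classes" / "struts.xml"):
        return "unpatched-workaround"  # xml extension removed; upgrade still required
    return "unpatched"

def build_sample(version, extensions):
    """Constructed fixture: an exploded webapp with an empty placeholder jar and struts.xml."""
    root = Path(tempfile.mkdtemp())
    (root / "WEB-INF" / "lib").mkdir(parents=True)
    (root / "WEB-INF" / "classes").mkdir()
    (root / "WEB-INF" / "lib" / f"struts2-rest-plugin-{version}.jar").touch()
    (root / "WEB-INF" / "classes" / "struts.xml").write_text(
        '<struts><constant name="struts.action.extension" value="%s"/></struts>' % extensions)
    return root

if __name__ == "__main__":
    for v, e in (("2.5.10", "xhtml,,xml,json"), ("2.5.10", "xhtml,,json"), ("2.5.13", "xhtml,,xml,json")):
        print(v, e, "->", assess(build_sample(v, e)))
```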
I saw an attempt on my website, posted details here: blog.nviso.be/2017/09/07/active-exploitation-of-struts-vulnerability-s2-052-cve-2017-9805/

Ping me if you want the pcap.
DidierStevens

180 Posts
ISC Handler
Yes please -> handlers@isc.sans.edu
Adrien de Beaupre

353 Posts
ISC Handler
I would like to see the pcap file please kwestin@gmail.com

Thank You
Anonymous

Posts