Attackers are currently exploiting a critical vulnerability, indexed CVE-2017-5638, allowing them to obtain nearly absolute control over web servers used by banks, government agencies, and big Internet companies. The attacks were disclosed by Vicente Motos from Hack Players, who wrote that “If you run it against a vulnerable application, the result will be the remote execution of commands with the user running the server”.
Here is CVE-2017-5638’s official description given by MITRE:
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 126.96.36.199 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.
Attacks Based on CVE-2017-5638 Observed and Blocked by Researchers
The vulnerability resides in the Apache Struts 2 Web application framework and is easy to exploit. What is troublesome is that the flaw is still under attack even after it was patched on Monday. The attacks are based on commands injections into Struts servers that haven’t been patched yet. In addition, researchers say that two other working exploits are publicly available.
The researchers from Hack Players said they dedicated many hours reporting to companies, governments, manufacturers, and individuals, urging them to patch the bug immediately. Unfortunately, the flaw has already become famous among criminals and there are plenty of massive attempts based on it.
Cisco researchers said they were witnessing a high number of exploitation events attempting to perform a range of malicious activities. For example, commands are injected into web pages meant to stop the firewall protecting the server. Next is the download and installation of malware, where the payload may vary according to the attacker’s preference. The payloads may be IRC bouncers, denial-of-service bots, packages that turn servers into botnets. Cisco researchers are currently observing and blocking malicious attempts that broadly fit into two categories: probing and malware distribution. Many of the attacked sites have already been taken down, making the payloads not available any longer.
More about CVE-2017-5638
The flaw resides in the Jakarta file upload multipart parser, which is a standard part of the framework and only needs a supporting library to function, as explained by Arstechnica.
Apache Struts versions impacted by the bug include Struts 2.3.5 through 2.3.31, and 2.5 through 2.5.10. Servers running any of these versions should upgrade to 2.3.32 or 188.8.131.52 immediately, as advised by researchers.
One other thing has puzzled researchers from different companies. How is it possible that the vulnerability is being exploited so massive 48 hours after the patch was made available? One possible scenario is that the Apache Struts maintainers didn’t evaluate the risk adequately enough rating it as high risk and in the meantime stating it posed a possible remote code execution danger. Other independent researchers have dubbed the flaw trivial to exploit, high reliable and requiring no authentication to carry out an attack.