Apache servers under attack through easily exploitable Struts 2 flaw

A critical vulnerability in Apache Struts 2 is being actively and heavily exploited, even though the patch for it has been released on Monday.

Apache Struts 2 attack

System administrators are encouraged to upgrade to version 2.3.32 or 2.5.10.1 as soon as possible to avoid compromise.

What is Apache Struts 2, and how is the vulnerability exploited?

Apache Struts 2 is an open source web application framework for developing Java EE web applications.

The vulnerability (CVE-2017-5638), discovered and reported by Chinese developer Nike Zheng, affects the Jakarta file upload Multipart parser in Apache Struts 2. It allows attackers to include code in the “Content-Type” header of an HTTP request, so that it is executed by the web server.

Almost concurrently with the release of the security update that plugs the hole, a Metasploit module for targeting it has been made available.

Unfortunately, the vulnerability can be easily exploited as it requires no authentication, and two very reliable exploits have already been published online. Also, vulnerable servers are easy to discover through simple web scanning.

The attacks

SANS ISC and Cisco Talos say that they have witnessed many exploitation attempts and events since Monday.

Apache servers under attack through easily exploitable Struts 2 RCE flaw

“The majority of the exploitation attempts seem to be leveraging a publicly released PoC that is being used to run various commands. Talos has observed simple commands (i.e. whoami) as well as more sophisticated commands including pulling down a malicious ELF executable and execution,” the team shared. “The payloads have varied but include an IRC bouncer, a DoS bot, and a sample related to the bill gates botnet.”

Cisco has released Snort rules to block exploitation attempts. Given that these involve quite long “Content-Type” headers, SANS ISC CTO Johannes Ullrich says that it should be easy to catch them with Snort by lowering the “max_header_length” parameter in the http_inspect preprocessor to 500.