Security researchers have discovered a Zero-Day vulnerability in the popular Apache Struts web application framework, which is being actively exploited in the wild.
Apache Struts is a free, open-source, Model-View-Controller (MVC) framework for creating elegant, modern Java web applications, which supports REST, AJAX, and JSON.
In a blog post published Monday, Cisco’s threat intelligence firm Talos announced that the team had observed a number of active attacks against the zero-day vulnerability (CVE-2017-5638) in Apache Struts.
According to the researchers, the issue is a remote code execution vulnerability in the Jakarta Multipart parser of Apache Struts that could allow an attacker to execute malicious commands on the server when files are uploaded through that parser.
“It is possible to perform an RCE attack with a malicious Content-Type value,” warned Apache. “If the Content-Type value isn’t valid an exception is thrown which is then used to display an error message to a user.”
The vulnerability, documented at Rapid7’s Metasploit Framework GitHub site, has been patched by Apache. So, if you are using the Jakarta-based file upload Multipart parser under Apache Struts 2, you are advised to upgrade to Apache Struts version 2.3.32 or 2.5.10.1 immediately.
Exploit Code Publicly Released
Since the Talos researchers detected public proof-of-concept (PoC) exploit code (which was uploaded to a Chinese site), the vulnerability is quite dangerous.
The researchers even detected “a high number of exploitation events,” the majority of which seem to be leveraging the publicly released PoC that is being used to run various malicious commands.
In some cases, the attackers executed simple “whoami” commands to see if the target system is vulnerable, while in others, the malicious attacks turned off firewall processes on the target and dropped payloads.
“Final steps include downloading a malicious payload from a web server and execution of said payload,” the researchers say. “The payloads have varied but include an IRC bouncer, a DoS bot, and a sample related to the Bill Gates botnet… A payload is downloaded and executed from a privileged account.”
Attackers also attempted to gain persistence on infected hosts by adding a binary to the boot-up routine.
According to the researchers, the attackers tried to copy the file to a benign directory and ensure “that both the executable runs and that the firewall service will be disabled when the system boots.”
Both Cisco and Apache researchers urge administrators to upgrade their systems to Apache Struts version 2.3.32 or 2.5.10.1 as soon as possible. Admins can also switch to a different implementation of the Multipart parser.
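Because Apache ties the attack to a Content-Type value that is not valid, defenders reviewing request logs can check each logged Content-Type against the HTTP media-type grammar and follow up on the ones that fail. The script below is an added example, not code from Talos, Apache or the original article; the tab-separated log format, the 256-character length limit and the sample records are assumptions constructed for illustration.

```python
import re

# RFC 7230 "token" characters; a media type is token "/" token plus
# optional ;name=value parameters (RFC 7231 section 3.1.1.1).
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\\x00-\x1f\x7f]|\\[\x20-\x7e])*"'
MEDIA_TYPE = re.compile(
    rf"{TOKEN}/{TOKEN}(?:[ \t]*;[ \t]*{TOKEN}=(?:{TOKEN}|{QUOTED}))*[ \t]*"
)
MAX_LEN = 256  # assumption: no legitimate client sends a longer value


def is_valid_content_type(value: str) -> bool:
    """True if value is a syntactically valid, reasonably sized media type."""
    return len(value) <= MAX_LEN and MEDIA_TYPE.fullmatch(value) is not None


def suspicious_requests(log_lines):
    """Yield (client, path, content_type) for requests whose Content-Type
    header is present but is not a valid media type.

    Assumed log format (hypothetical): tab-separated fields
    client, method, path, content_type ("-" when the header is absent).
    """
    for line in log_lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 4:
            continue  # not a record in the assumed format
        client, _method, path, ctype = fields
        if ctype != "-" and not is_valid_content_type(ctype):
            yield client, path, ctype


# Constructed sample records (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    "192.0.2.10\tPOST\t/upload.action\tmultipart/form-data; boundary=----abc123",
    "192.0.2.11\tGET\t/index.action\t-",
    "198.51.100.7\tPOST\t/login.action\tapplication/x-www-form-urlencoded",
    "203.0.113.5\tGET\t/index.action\tnot a media type {constructed}",
    '192.0.2.12\tPOST\t/api\tapplication/json; charset="utf-8"',
]

if __name__ == "__main__":
    for client, path, ctype in suspicious_requests(SAMPLE_LOG):
        print(f"invalid Content-Type from {client} on {path}: {ctype!r}")
```

A hit is a lead for investigation rather than proof of compromise, and a clean log does not replace the upgrade.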