Equifax felled by a months-old Apache Struts vulnerability


Equifax today posted an announcement on their website with more information about what they believe is the source of the massive breach.

There are two key statements of interest for us, so let’s take a look:

We know that criminals exploited a US website application vulnerability.

This isn’t terribly surprising: Verizon’s DBIR research has repeatedly shown that web applications are the most common attack target by a large margin. The targets are plentiful, their security generally a bit more lax, and research has shown that the vulnerability/patch gap is even greater for web apps than it is for most other application types. But more on that gap in a moment.

The vulnerability was Apache Struts CVE-2017-5638

Wince. This Struts vulnerability (not to be confused with the more recent Return of Struts) was a nasty server-side remote code execution bug made known to the public in March of this year. Naked Security’s Paul Ducklin did a marvelous deep-dive into how it works in this blog post, but the key point is this:

Without logging in, without fetching the original web form page in the first place, and without even having any form data to upload, a crook may be able to trigger this bug simply by visiting the web page listed in the action field of any of your web forms.

If you use Struts 2 somewhere in your network, and still haven’t applied the latest patch, you really ought to, because this vulnerability is easy to exploit by anyone who wants to try.
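Ducklin's point has a direct defensive consequence: because the attacker needs no session and no form data, looking for suspicious logins or odd POST bodies tells you nothing, while the one request header CVE-2017-5638 actually abuses (Content-Type, which the vulnerable Struts multipart handler evaluated as an OGNL expression) carries the whole signal. The following Python scanner is an added example, not code from the original post or from Naked Security; it reads a constructed reverse-proxy log format that records the Content-Type header, flags values that either contain an OGNL expression marker or are not shaped like a MIME type at all, and rates hits against Struts action URLs higher. The log layout, every sample line, and the assumption that the application uses the default `.action` suffix are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# "%{" or "${" opens an OGNL expression; a genuine Content-Type never contains one.
OGNL_MARKER = re.compile(r"[%$]\{")

# A well-formed Content-Type is type/subtype, optionally followed by ;name=value parameters.
MIME_SHAPE = re.compile(r"^[\w.+-]+/[\w.+-]+(\s*;\s*[\w.-]+=[^;]*)*$")

# Constructed proxy log format (example only):
#   <timestamp> <method> <path> <status> "<Content-Type header or - if absent>"
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

# Assumption: the app keeps the Struts default action mapping suffix.
STRUTS_ACTION_SUFFIXES = (".action", ".do")


@dataclass
class Finding:
    line_no: int
    path: str
    reason: str
    severity: str


def check_content_type(value: str) -> Optional[str]:
    """Return why a Content-Type value looks hostile, or None if it is ordinary."""
    if OGNL_MARKER.search(value):
        return "OGNL expression marker in Content-Type header"
    if not MIME_SHAPE.match(value.strip()):
        return "Content-Type header is not a well-formed MIME type"
    return None


def scan_log(lines: List[str]) -> List[Finding]:
    """Scan proxy log lines and return one Finding per suspicious Content-Type."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # not our format; a real tool would count parse failures
        _ts, _method, path, _status, content_type = m.groups()
        if content_type == "-":
            continue  # no Content-Type header on this request
        reason = check_content_type(content_type)
        if reason is None:
            continue
        # A hostile header aimed at a Struts action endpoint is the worst case.
        severity = "high" if path.endswith(STRUTS_ACTION_SUFFIXES) else "medium"
        findings.append(Finding(line_no, path, reason, severity))
    return findings


# Constructed sample log: four ordinary requests and two that should be flagged.
SAMPLE_LOG = [
    '2017-05-13T10:01:02Z POST /account/login.action 200 "application/x-www-form-urlencoded"',
    '2017-05-13T10:01:07Z GET /index.action 200 "-"',
    '2017-05-13T10:01:09Z POST /upload.action 500 "%{constructed_ognl_marker}"',
    '2017-05-13T10:01:11Z POST /dispute.action 200 "multipart/form-data; boundary=----abc123"',
    '2017-05-13T10:01:15Z POST /dispute.action 500 "not a mime type at all"',
    '2017-05-13T10:01:20Z GET /static/logo.png 200 "-"',
]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.severity.upper()} {f.path} - {f.reason}")
```

Only the header value is inspected, deliberately: any filter that keys on an authenticated session, a fetched form page, or a non-empty body would miss exactly the request Ducklin describes. The malformed-MIME rule is the broader net; it catches probing that avoids the literal `%{` marker, at the cost of occasionally flagging a buggy client, which is why the finding records a reason rather than acting on its own.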

It’s possible that Equifax’s vulnerable servers weren’t specifically targeted but merely caught in a wide net cast by attackers looking to pwn any unpatched Apache servers they could find. Still, given that this vulnerability was known in March and Equifax places the breach somewhere in May, that’s a window of more than two months in which a vulnerable server was left wide open to attackers.
