A new security flaw detected in Apache Struts allows an unauthenticated attacker to execute arbitrary code on a vulnerable system.
Extent of the problem
The vulnerability is contained in the FreeMarker functionality of the Apache Struts 2 package. FreeMarker Template Language is widely used in Apache Struts and numerous Java-based projects. Developers can use it to bind parameter values sent from a user application to a server with internal declared variables of the application.
Incorrect performance makes it possible for attackers to send Object Graph Navigation Language (OGNL) expressions to the server, the processing of which can cause arbitrary code execution.
Currently, the vulnerability is confirmed in several Cisco products:
- Cisco Digital Media Manager — no patch will be issued as the product support was officially ceased on August 19, 2016
- Cisco Hosted Collaboration Solution for Contact Center
- Cisco Unified Contact Center Enterprise
- Cisco Unified Intelligent Contact Management Enterprise
Over 20 Cisco products are still under investigation to determine whether they have security flaws. Finalized information will be available in Security Advisory update.
Not only Cisco: breaking into Equifax
Apart from CVE-2017-12611 (S2-053), several similar security flaws, including CVE-2017-9805 (S2-052), CVE-2017-9791 (S2-048), and CVE-2017-5638 (S2-045), had already been detected in Apache Struts. The media informed that hackers exploited a vulnerability in Apache Struts to steal client records of credit reporting agency Equifax. Exact details of the attack are still being confirmed.
According to Leigh-Anne Galloway, an expert at Positive Technologies, such attacks can be used to steal credit card data or use information about people having a good credit score to cheat banks and get loans.
Moreover, Equifax\’s website used to set up credit account monitoring also turned out to have a vulnerability hackers could exploit to steal users\’ data.
In the aftermath of Equifax\’s breach, the development team of Apache Struts issued a statement with a recommendation to all users of the framework advising usage of special tools to ensure infrastructure security. One of the tools to prevent attacks exploiting such vulnerabilities is WAF (we develop our own PT Application Firewall).
How to protect yourself
Although a number of Cisco products are vulnerable to CVE-2017-12611, it is likely this will not have large-scale consequences, because an application under attack needs to have a specific configuration for this vulnerability to be exploited successfully. If developers do not use FreeMarker Template Language structures or apply exclusively read-only entities to initialize attributes, it is impossible to exploit the fault.
Moreover, Positive Technologies recommends application developers install Apache Struts version 2.5.12 or 2.3.34, which contain more restricted FreeMarker configuration. This would also reduce the risk of a successful attack.