Attackers are targeting a critical vulnerability in the Apache Struts framework, using exploits that have been published online to go after thousands of vulnerable sites.
On Monday, the Apache Software Foundation published an advisory about the vulnerability, saying that the bug enabled remote code execution in certain situations. Almost immediately afterward, attackers began going after vulnerable sites with content-injection attacks. The flaw affects Struts versions 2.3.5 to 2.3.31 and 2.5 to 2.5.10.
“It is possible to perform a RCE attack with a malicious
Content-Type value. If the
Content-Type value isn’t valid an exception is thrown which is then used to display an error message to a user,” the Apache advisory says.
Researchers at Cisco’s Talos team have been looking at the exploitation attempts and found that most of them are using the publicly available exploit code, but there are a variety of different methods in use.
“Talos began investigating for exploitation attempts and found a high number of exploitation events. The majority of the exploitation attempts seem to be leveraging a publicly released PoC that is being used to run various commands. Talos has observed simple commands (i.e. whoami) as well as more sophisticated commands including pulling down a malicious ELF executable and execution,” Nick Biasini from the Talos team said in a post analyzing the exploits.
Some of he exploit attempts are relatively simple, while others are more sophisticated, some of which include attempts to gain persistence on compromised systems. Another technique goes after the firewalls protecting the target server and the download a malicious payload.
“The steps include stopping the Linux firewall as well as SUSE Linux firewall. Final steps include downloading a malicious payload from a web server and execution of said payload. The payloads have varied but include an IRC bouncer, a DoS bot, and a sample related to the bill gates botnet. This isn’t uncommon for Linux based compromise as a payload is downloaded and executed from a privileged account,” Biasini said.
Apache has released updated versions of the Struts framework to fix the vulnerability and is recommending that site owners upgrade as soon as possible.
Image: Rich Bowen, CC By license.