Apache Struts 2 REST plugin Remote Code Execution (CVE-2017-9805)
In the recent days, a new critical Apache Struts 2 vulnerability was announced which allows remote attackers to execute arbitrary commands on the server. The original post (S2-052) has not published exploit details yet, most probably to allow organizations to properly patch their servers, though certain exploits are already available.
Deserialization vulnerabilities in a nutshell
Serialization is the process of converting an in-memory object to another format suitable for transportation over the network or outputting it to a disk. Deserialization is the opposite way around, instantiating an object in runtime from a data received over the network or read from a disk.
Deserialization vulnerabilities occur when applications accept serialized objects from users without first validating the inputted data.
JAVA deserialization vulnerabilities have been “making waves” since at least 2015. Recently, a new deserialization vulnerability was published affecting Apache Struts 2 REST plugin (CVE-2017-9805) which utilizes the JAVA XStream XML serialization library for deserializing the users input. The vulnerability is triggered when Apache Struts 2 REST plugin attempts to deserialize a specially crafted XML sent by the attacker and may consequently lead to Remote Code Execution.
Multiple proof of concept exploits were already published including a dedicated Metasploit Framework module.
Figure 1: Part of the specially crafted XML as sent by one of the POC exploits.
Mitigating the 0-day with BIG-IP ASM
BIG-IP ASM customers under any supported BIG-IP version are already protected against this 0-day vulnerability, as the exploitation attempt will be detected by the existing JAVA code injection and command execution attack signatures which can be found in signature sets that include “Command Execution” and “Server Side Code Injection” attack types or “Java Servlets/JSP” System.
The existing signatures are being proactive by detecting any attacker’s code injection or OS command execution attempts, without relying on specific 0day trigger that might allow the attacker to push this payload, making the application protection resistant to many future 0day vulnerabilities.
Following are ASM logs of blocked attempts to exploit protected Struts 2 application using the already available exploits.
Figure 2: Exploit blocked with Attack Signature (200004174)
Figure 3: Exploit blocked with Attack Signature (200003440)
Figure 4: Exploit blocked with Attack Signature (200100310)
Mitigating the 0-day with F5 Silverline WAF
Much like on-prem BIG-IP ASM customers, F5 Silverline WAF customers are already protected against this 0-day vulnerability. The exploitation attempt will be detected by the existing JAVA code injection and command execution attack signatures built within Silverline WAF standard policies.
The following is a WAF Policy Violations Search that shows blocked requests that match the Signature IDs representative of CVE-2017-9805: