Apache Struts Remote Code Execution Vulnerability (CVE-2017-5638)
Update
In recent days we have noticed a new exploit variant of this vulnerability. Instead of placing the payload in the request's Content-Type header, this variant injects the Java (OGNL) code into the filename parameter of the Content-Disposition header of a part in the multipart upload request.
Figure 1: Request example containing the new exploitation vector.
ASM is able to mitigate this new exploit variant using the following user-defined signature:
content:"com"; content:"opensymphony"; distance:0; re2:"/\bcom[\.\/]opensymphony\b/";
An official ASM Security Update including this fix has already been released.
An advisory has been published regarding a critical 0-day Remote Code Execution vulnerability in Apache Struts 2. The vulnerability resides in the Apache Jakarta multipart parser and is triggered when it tries to parse the Content-Type header of the HTTP request: the header value is echoed into an error message that is then evaluated as an OGNL expression, allowing remote attackers to execute arbitrary code on the vulnerable server.
An exploit for this vulnerability has already been published.
Mitigation with Big-IP ASM
ASM customers are already protected against this vulnerability.
An attacker exploiting this vulnerability sends a malicious HTTP multipart request whose Content-Type header carries one or more Java code injection payloads.
Figure 2: An attempt to exploit this vulnerability as it was caught on our honeypot.
The exploitation attempt will be detected by many existing Java Code Injection attack signatures and several OS command execution ones.
Figure 3: Exploit blocked with Attack Signature (200003459)
Figure 4: Exploit blocked with Attack Signature (200003471)
Figure 5: Exploit blocked with Attack Signature (200004153)
Figure 6: Exploit blocked with Attack Signature (200003450)
Figure 7: Exploit blocked with Attack Signature (200003058)
Figure 8: Exploit blocked with Attack Signature (200003441)
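To make the two exploitation vectors concrete, the following is an added example (not F5 code and not the ASM signature engine): it parses a raw multipart request in Python and applies the user-defined signature from the Update above (the `\bcom[./]opensymphony\b` regex) to both places a payload can sit, the request's Content-Type header and the filename parameter of each part's Content-Disposition header. The OGNL delimiter check (`%{` / `${`) is an added heuristic, not part of the post's signature, and the three sample requests are constructed with truncated, non-functional payload fragments.

```python
"""Detect CVE-2017-5638 style payloads in raw HTTP multipart requests.

Added example, not F5 code.  The opensymphony regex is the one from the
post's user-defined ASM signature; the OGNL delimiter check is an
assumption added here as a coarse fallback.
"""
import re

# Regex taken from the post's user-defined signature.
SIG_OPENSYMPHONY = re.compile(rb"\bcom[./]opensymphony\b")
# Heuristic (assumption, not from the post): OGNL expression delimiters.
OGNL_OPEN = re.compile(rb"[%$]\{")


def split_request(raw: bytes):
    """Return (lower-cased header dict, body bytes) for a raw HTTP/1.1 request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def multipart_parts(content_type: bytes, body: bytes):
    """Yield each part's header block as a dict; yields nothing if no boundary."""
    m = re.search(rb'boundary="?([^";]+)"?', content_type)
    if not m:
        return
    delim = b"--" + m.group(1)
    for chunk in body.split(delim)[1:]:  # [0] is the preamble
        if chunk.startswith(b"--"):
            break  # closing delimiter "--boundary--"
        part_head, _, _ = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        part_headers = {}
        for line in part_head.split(b"\r\n"):
            name, _, value = line.partition(b":")
            if name:
                part_headers[name.strip().lower()] = value.strip()
        yield part_headers


def filename_param(content_disposition: bytes) -> bytes:
    """Extract the quoted filename= parameter (backslash escapes allowed)."""
    m = re.search(rb'filename="((?:[^"\\]|\\.)*)"', content_disposition)
    return m.group(1) if m else b""


def inspect_request(raw: bytes):
    """Return a list of (location, reason) findings; an empty list means clean."""
    findings = []
    headers, body = split_request(raw)
    ctype = headers.get(b"content-type", b"")

    def check(location, value):
        if SIG_OPENSYMPHONY.search(value):
            findings.append((location, "opensymphony-signature"))
        elif OGNL_OPEN.search(value):
            findings.append((location, "ognl-delimiter"))

    check("Content-Type", ctype)                      # original vector
    for i, ph in enumerate(multipart_parts(ctype, body)):
        disp = ph.get(b"content-disposition", b"")
        check(f"part[{i}].filename", filename_param(disp))  # new variant
    return findings


# Constructed samples, not captured traffic.  Payloads are truncated
# fragments that only exercise the signature and do nothing on a server.
REQ_CONTENT_TYPE_VECTOR = (
    b"POST /struts2-showcase/index.action HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']}\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

REQ_FILENAME_VECTOR = (
    b"POST /upload.action HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: multipart/form-data; boundary=AaB03x\r\n"
    b"\r\n"
    b"--AaB03x\r\n"
    b'Content-Disposition: form-data; name="upload"; '
    b"filename=\"%{#context['com.opensymphony.xwork2.ActionContext.container']}\"\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello\r\n"
    b"--AaB03x--\r\n"
)

REQ_BENIGN = (
    b"POST /upload.action HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: multipart/form-data; boundary=AaB03x\r\n"
    b"\r\n"
    b"--AaB03x\r\n"
    b'Content-Disposition: form-data; name="upload"; filename="report.pdf"\r\n'
    b"Content-Type: application/pdf\r\n"
    b"\r\n"
    b"binary\r\n"
    b"--AaB03x--\r\n"
)

if __name__ == "__main__":
    for label, req in [("content-type", REQ_CONTENT_TYPE_VECTOR),
                       ("filename", REQ_FILENAME_VECTOR),
                       ("benign", REQ_BENIGN)]:
        print(label, inspect_request(req))
```

Note that the check is applied to header values before any multipart decoding of the part bodies, which mirrors where the ASM signature fires: the payload never needs to reach the application. A Content-Type header that is entirely an expression carries no boundary, so the part loop simply does not run for the original vector.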
Mitigating with iRules
In the event you do not yet have ASM in your toolbelt, F5 has updated the official KB article to include an iRule that will protect your vulnerable web servers behind the BIG-IP.
Mitigating the 0-day with F5 Silverline WAF
Much like on-prem BIG-IP ASM customers, F5 Silverline WAF customers are already protected against this 0-day vulnerability. The exploitation attempt will be detected by the existing Java code injection and command execution attack signatures built into the Silverline WAF standard policies.
The following is a WAF Policy Violations Search that shows blocked requests that match the Signature IDs representative of CVE-2017-5638:
- kurktchiev_1459 (Nimbostratus)
Can someone give us the categories these signatures live in if we want to build a policy that just enables them for rapid response to this particular threat?
- Jonathan_124522 (Nimbostratus)
I have all these sigs in place and whitehat is saying still vulnerable.