Mitigating OWASP Web Application Risk: Vulnerable and Outdated Components using F5 BIG-IP

Introduction

In the world of modern web application development, leveraging third-party libraries and frameworks is a common practice. Developers use these components to accelerate the development process, add features, and implement best practices.

However, while this can reduce development time, it also opens the door to significant security vulnerabilities if those components are outdated or unpatched. One of the most critical security risks identified in the OWASP Web Top 10 - 2021 is the use of Vulnerable and Outdated Components (A6). This risk involves relying on outdated third-party software that may have known security flaws, leaving applications exposed to cyberattacks.


What Are Vulnerable and Outdated Components?

In modern software development, most applications are built from a combination of custom code and third-party libraries, frameworks, and components. These third-party components, whether open-source or commercially supported, are typically used to save time and avoid reinventing the wheel. Over time, however, a component can become outdated, be abandoned by its maintainers, or stop receiving the updates that patch known vulnerabilities. If developers keep using older versions without updating, they risk introducing significant security weaknesses into their applications.

OWASP defines "Vulnerable and Outdated Components" as components that are no longer maintained or have known security flaws. Attackers actively search for applications running such components and exploit those flaws, so it is crucial to update software components regularly to reduce the risk of exploitation. Unfortunately, many organizations fail to do so, whether through a lack of awareness or resources or because of concerns over compatibility.


Example: Struts 2 Vulnerability

One of the most infamous examples of a vulnerable and outdated component leading to significant security issues is the Apache Struts 2 vulnerability (CVE-2017-5638). Apache Struts 2 is a popular open-source framework used for building Java-based web applications. It has been widely adopted by many large enterprises, making it a prime target for attackers.


The Vulnerability

In March 2017, a critical vulnerability was discovered in Struts 2. It allowed an attacker to run code of their choosing on affected servers, that is, remote code execution (RCE). The flaw lay in Struts 2's file upload handling, which failed to properly validate and process certain HTTP request headers. Specifically, an attacker could place crafted data in the Content-Type header that the server would evaluate, giving the attacker full control of the affected system.

This flaw was extremely severe, as it allowed an attacker to run arbitrary commands on the server, potentially leading to:

  • Complete server takeover
  • Data theft or loss
  • Injecting malware
  • Denial-of-service (DoS) attacks

The vulnerability was classified as CVE-2017-5638 and was rated critical due to its potential to compromise entire systems. Apache Struts 2 issued a patch to fix this vulnerability, but many organisations were slow to apply the update. As a result, numerous applications remained vulnerable, leaving them exposed to attacks.
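One way to find out whether a build is still on a pre-fix release, as an added example that is not part of the article: this assumes a Maven project whose pom.xml declares struts2-core with a literal version, and uses the affected ranges published in the Apache advisory for this CVE (2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1). The sample pom.xml is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Struts 2 versions affected by CVE-2017-5638 (Apache advisory S2-045):
# 2.3.5 through 2.3.31 and 2.5 through 2.5.10. Stored as half-open
# [first_affected, first_fixed) ranges of comparable version tuples.
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 32)), ((2, 5), (2, 5, 10, 1))]

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}

# Constructed sample pom.xml (not from the article) that still pins a pre-fix release.
SAMPLE_POM = f"""<?xml version="1.0"?>
<project xmlns="{POM_NS}">
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.3.31</version>
    </dependency>
  </dependencies>
</project>"""

def parse_version(text):
    """Turn '2.5.10.1' into (2, 5, 10, 1); a qualifier such as '-SNAPSHOT' is dropped."""
    return tuple(int(part) for part in re.findall(r"\d+", text.split("-")[0]))

def is_vulnerable(version):
    """True when this struts2-core version falls inside an affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def struts_versions(pom_xml):
    """Every struts2-core version declared directly in the POM (Maven 4.0.0 namespace assumed)."""
    root = ET.fromstring(pom_xml)
    found = []
    for dep in root.iter(f"{{{POM_NS}}}dependency"):
        gid = dep.findtext("m:groupId", default="", namespaces=NS)
        aid = dep.findtext("m:artifactId", default="", namespaces=NS)
        ver = dep.findtext("m:version", default="", namespaces=NS).strip()
        if gid == "org.apache.struts" and aid == "struts2-core" and ver:
            found.append(ver)
    return found

def audit(pom_xml):
    """Return [(version, vulnerable), ...] for each declared struts2-core dependency."""
    return [(ver, is_vulnerable(ver)) for ver in struts_versions(pom_xml)]
```

A version written as a property reference such as `${struts.version}` yields an empty tuple and is reported as not vulnerable; resolve properties first if your POM uses them.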


Real-World Impact: The Equifax Breach

Source: Equifax Data Breach

The Struts 2 vulnerability gained global attention when it was linked to the Equifax breach in 2017. Equifax, one of the largest credit reporting agencies in the U.S., was breached by attackers who exploited this very flaw in Struts 2. The breach led to the exposure of personal data of over 147 million people, including names, addresses, Social Security numbers, and other sensitive information. The breach is considered one of the largest and most damaging data leaks in history.

The Equifax breach demonstrated the catastrophic consequences of failing to patch a known vulnerability in a widely used framework. Although the vulnerability in Struts 2 was publicly disclosed and patched, Equifax failed to update its systems in time, resulting in a massive data loss.


Attack Demonstration:

For this attack demonstration we use the application shown in the screenshots, which is built on the Struts 2 framework, and see how the Struts 2 vulnerability can be exploited against it. This application is added as a pool member on BIG-IP and is accessed through a virtual server. For more information on configuring a pool, refer to how to add pool member.

Below is the exploit script, which we can leverage for performing Remote Command Execution.

Syntax for executing the script:

python3  < script name >  < complete URL of the application > < command to execute >

Now let's execute the command "cat /etc/passwd" using the exploit script.

The exploit ran successfully: it retrieved the contents of the target server's /etc/passwd file. This is just the tip of the iceberg, since an attacker can execute any command they wish and carry out malicious activity that causes severe damage to the application.


Mitigation using BIG-IP Advanced WAF:

Log in to the BIG-IP console, navigate to Security > Application Security > Security Policies, and create an application security policy with the configuration below.

Policy Template: Rapid Deployment Policy

Enforcement mode: Blocking

Signature Staging: Enabled

Policy Building Learning Mode: Automatic

Virtual Server: < Virtual server on which juice shop application is accessible >

Other settings are left at their default values.

Note: Staging is enabled by default when creating an application security policy, and the default staging period is 7 days. It can be tuned to the customer's requirements. For more information on staging, refer to Attack Signatures & Staging.

Let's re-run the exploit script. As shown below, the script fails because the request is rejected by F5 Advanced WAF.

The Advanced WAF event log also shows that the request was rejected because it matched a threat campaign targeting the Struts 2 vulnerability.
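The rejection can be reasoned about as a positive-security check on the Content-Type header, shown here as an added Python example that is not F5's signature logic and not code from the article: any value that does not fit the RFC 7231 media-type grammar is refused before a file-upload parser ever sees it. The sample requests are constructed.

```python
import re

# RFC 7230 "token" characters: visible ASCII minus the HTTP delimiters.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# RFC 7230 quoted-string: anything but '"', '\' and control chars, or a backslash escape.
QUOTED = r'"(?:[^"\\\x00-\x1f]|\\[\t !-~])*"'
PARAM = rf"\s*;\s*{TOKEN}=(?:{TOKEN}|{QUOTED})"
# RFC 7231 media-type: type "/" subtype *( OWS ";" OWS parameter )
MEDIA_TYPE = re.compile(rf"^\s*{TOKEN}/{TOKEN}(?:{PARAM})*\s*$")

def content_type_is_wellformed(value):
    """True only if the value fits the media-type grammar; braces, so '%{' or '${', can never fit."""
    return MEDIA_TYPE.match(value) is not None

def check_request(headers):
    """Positive-model gate: return None to allow, or a reason string to reject."""
    # A request without Content-Type (a typical GET) carries no body to parse; nothing to check.
    value = headers.get("Content-Type")
    if value is None:
        return None
    if not content_type_is_wellformed(value):
        return "Content-Type is not a valid media-type"
    return None

# Constructed sample requests (not captured traffic); the last two carry malformed values.
SAMPLE_REQUESTS = [
    {"Content-Type": "multipart/form-data; boundary=----ConstructedBoundary123"},
    {"Content-Type": 'application/json; charset="utf-8"'},
    {},
    {"Content-Type": "%{constructed_expression}"},
    {"Content-Type": "multipart/form-data;%{constructed_expression}"},
]

def triage(requests):
    """Index and reason for every request the gate would reject."""
    rejected = []
    for i, headers in enumerate(requests):
        reason = check_request(headers)
        if reason:
            rejected.append((i, reason))
    return rejected
```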


Conclusion:

This article sheds some light on the Struts 2 vulnerability (CVE-2017-5638), one of the dangers posed by vulnerable and outdated components. It highlights how a single unpatched vulnerability in a widely used framework can lead to catastrophic consequences, including data breaches, server compromise, and damage to an organisation's reputation, and how F5 BIG-IP Advanced WAF can protect against it.


For further information, refer to:

Mitigating OWASP Web Application Risk: Vulnerable and Outdated Components Using F5 Distributed Cloud

Vulnerable and Outdated Components - OWASP

Struts 2 Vulnerability Detailed Explanation – F5 DevCentral

Published Apr 17, 2025
Version 1.0