Critical Vulnerability Patched in Apache Struts

The Apache Struts web development framework has received new security updates to address a critical vulnerability that could allow attackers to compromise web applications and servers.

Apache Struts is widely used for developing web applications in enterprise environments. The failure to patch a known critical vulnerability in the framework led to the massive data breach announced last year at Equifax.

The new flaw, tracked as CVE-2018-11776, was discovered by Man Yue Mo from the Security Research Team at Semmle, a company whose technology can find vulnerabilities in source code by using a specially developed query language. The company’s research team found similar flaws in Struts in the past.

“It is possible to perform a RCE [remote code execution] attack when namespace value isn’t set for a result defined in underlying configurations and in same time, its upper action(s) configurations have no or wildcard namespace,” the Struts developers said in a security advisory. “Same possibility when using url tag which doesn’t have value and action set and in same time, its upper action(s) configurations have no or wildcard namespace.”

Users are advised to update their Struts deployments to versions 2.3.34 or 2.5.16, depending on which branch they use. Older versions of Struts that are no longer officially supported also might be vulnerable.

Developers also can protect their applications by verifying that they always set a namespace for their defined results in configurations, as well as a value or action of all URL tags in JSPs. However, the Struts team warns that this workaround is weak and the best course of action is to update the framework to a patched version, especially since the new releases only contain this security fix and shouldn’t cause any incompatibilities with existing code.

Apache Struts is an attractive target for hackers and, judging by past incidents, proof-of-concept exploits and real-world attacks are likely to appear soon.

“Critical remote code execution vulnerabilities like the one that affected Equifax and the one we announced today are incredibly dangerous for several reasons: Struts is used for publicly accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit,” Pavel Avgustinov, VP of Engineering at Semmle, said via email. “A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It’s crucially important to update affected systems immediately; to wait is to take an irresponsible risk.”

Turla Cyberespionage Group Controls Infected Computers via Hidden Emails

The Turla cyberespionage group uses an unusual command-and-control technique: Commands are embedded in PDF files that are sent to victims via email and are then hidden by the malicious program.

Turla or Uroboros, is a highly successful APT group of Russian origin that has been targeting government organizations, state officials, diplomats and military authorities from many countries since 2008. Its main backdoor program dates back to 2009 and has undergone many modifications and improvements over the years.

“The most recently discovered version, from April 2018, incorporates the ability to execute malicious PowerShell scripts directly in computer memory, which is a tactic that threat actors of various stripes have been embracing in the past few years,” researchers from antivirus vendor ESET said in a blog post.

ESET has also published a new paper that analyzes the backdoor in detail, including its ability to receive commands and exfiltrate data through PDF files, a functionality that was added over the past two years.

The Turla backdoor targeted The Bat! email client in the past, which is popular in Eastern Europe, but recent versions are focused on Microsoft Outlook. In particular, the backdoor uses the COM object hijacking technique to achieve persistence on computers and to attach itself to the Outlook process. This allows it to activate itself each time the application is opened.

Furthermore, the backdoor abuses Outlook’s Messaging Application Programming Interface (MAPI) to access victims’ mailboxes. This allows it to gather and exfiltrate data about received emails, but also to hide emails received from attackers and to block notifications about them.

“In each incoming email, the backdoor checks for the presence of a PDF that may contain commands from the attacker,” the researchers said. “In fact, it is ‘operator-agnostic,’ meaning that it accepts commands from anybody who can encode them into a PDF document. As a corollary, Turla’s operators are able to regain control of the backdoor by sending a command from any email address, should any of their hardcoded – but updatable – email addresses be blocked.”

Similarly, exfiltrated data is encoded into a PDF document and emailed back to the attackers, making it the only cyberespionage threat that is fully and exclusively controlled via email and PDF attachments.

Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin