A new Apache Struts vulnerability (CVE-2018-11776), affecting Struts versions 2.3 through 2.3.34 and 2.5 through 2.5.16 (fixed in 2.3.35 and 2.5.17), has been disclosed by security firm Semmle. Per the Apache security bulletin (S2-057), the flaw allows possible remote code execution for HTTP request “results with no namespace and upper action(s) with no or a wildcarded namespace. The same possibility exists when using a url tag, which has no value or action set, and also has upper action(s) with no or a wildcarded namespace.”
Since 2017, at least 12 reported Apache Struts CVEs have become easy exploits incorporated into a wide variety of malicious campaigns by both crimeware and nation-state actors. This particular vulnerability can be exploited remotely, requires no authentication or elevated privileges, and is typically coupled with post-exploitation payloads to compromise the targeted host and its network.
Possible RCE means certain conditions apply
In order to use the exploit, a vulnerable redirection action must be defined on the server side in the core configuration file (struts.xml): an action whose result redirects (for example, a redirectAction or chain result) without a namespace set, inside a package that has no namespace or a wildcard namespace, with the struts.mapper.alwaysSelectFullNamespace constant set to true (the Convention plugin enables this by default). The proof-of-concept configurations published by Xfox64x and jas502n are examples of exactly this layout.
An attacker therefore has to find an action that is wired up this way on a target running a vulnerable Struts version. This condition certainly diminishes the likelihood of mass exploitation using this vulnerability.
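The following is an added example, not code from the original post or from JASK: a small Python audit that reads a struts.xml and reports the two conditions described above. The sample struts.xml embedded in it is constructed for illustration (package, action and class names are made up) and mirrors the shape of the public PoC configurations: one package without a namespace whose action redirects without naming a namespace, beside a package that sets both.

```python
import xml.etree.ElementTree as ET

# Constructed sample struts.xml (illustrative; not from the original page or any real deployment).
SAMPLE_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>

  <package name="default" extends="struts-default">
    <!-- no namespace attribute: the namespace is taken from the request path -->
    <action name="actionChain1" class="com.example.ActionChain1">
      <result type="redirectAction">
        <param name="actionName">register2</param>
      </result>
    </action>
  </package>

  <package name="secure" namespace="/secure" extends="struts-default">
    <!-- explicit package namespace and explicit result namespace: not reachable via an injected namespace -->
    <action name="login" class="com.example.Login">
      <result type="redirectAction">
        <param name="actionName">home</param>
        <param name="namespace">/secure</param>
      </result>
    </action>
  </package>
</struts>
"""

# Result types that build a new action URL from the current namespace.
REDIRECTING_RESULT_TYPES = {"redirectAction", "chain"}


def full_namespace_enabled(root):
    """True if struts.mapper.alwaysSelectFullNamespace is set to true in this file.

    Caveat: the constant can also come from struts.properties or from a plugin
    (the Convention plugin turns it on by default), so False means
    'not proven in this file', not 'safe'.
    """
    for const in root.iter("constant"):
        if const.get("name") == "struts.mapper.alwaysSelectFullNamespace":
            return const.get("value", "").strip().lower() == "true"
    return False


def find_risky_actions(xml_text):
    """Return (package, action) pairs whose redirect/chain result leaves the
    namespace to be derived from the request.

    A package counts as risky when it has no namespace attribute or a
    wildcard namespace; a result counts as risky when it is a redirecting
    type and does not carry its own <param name="namespace">.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        pkg_risky = ns is None or ns.strip() == "" or "*" in ns
        if not pkg_risky:
            continue
        for action in pkg.findall("action"):
            for result in action.findall("result"):
                if result.get("type") not in REDIRECTING_RESULT_TYPES:
                    continue
                params = {p.get("name"): (p.text or "").strip() for p in result.findall("param")}
                if "namespace" not in params:
                    findings.append((pkg.get("name"), action.get("name")))
    return findings


def assess(xml_text):
    """Summarise both conditions for a struts.xml document."""
    root = ET.fromstring(xml_text)
    return {
        "alwaysSelectFullNamespace": full_namespace_enabled(root),
        "risky_actions": find_risky_actions(xml_text),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_STRUTS_XML))
```

Adding an explicit namespace to the package, or a namespace param to the result, makes the finding disappear; the script does not replace upgrading to a fixed Struts release, since the page's own point is that the fix is in the framework, not in the configuration.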
The following proof of concept (POC) replicates the exploit provided by Xfox64x. As seen in the POC screenshots, CVE-2018-11776 is triggered remotely through the browser and the payload then launches gnome-calculator on a Linux host running a vulnerable version of Apache Struts 2.
Figure 1. CVE-2018-11776 execution via browser
Figure 2. Subsequent code execution from within vulnerable Struts system
Because Apache Struts is commonly deployed in the web tier of many organizations, emerging Struts vulnerabilities should be prioritized for visibility and detection. JASK’s ASOC platform can identify exploit activity related to CVE-2018-11776 either through its Zeppelin notebook functionality or through custom Signal pattern logic, as shown in the figures below.
Figure 3. Zeppelin notebook query of basic CVE-2018-11776 logic
Figure 4. ASOC new pattern creation for Apache Struts2 CVE-2018-11776
Figure 5. JASK ASOC Signal creation based on Apache Struts2 CVE-2018-11776 logic
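As an added example, independent of JASK’s Zeppelin query and Signal logic shown in the figures, the Python below applies the same basic idea to web server access logs: because the injected OGNL expression travels in the URL path (it becomes the action’s namespace), the detector URL-decodes the request path, isolates the namespace portion before the last slash, and flags an OGNL expression or well-known OGNL tokens there. The log lines are constructed for illustration (combined log format; the IPs, timestamps and payloads are made up), and the token list is an assumption, not a JASK signature.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access log lines in combined format (illustrative, not real traffic).
SAMPLE_ACCESS_LOG = r"""
10.0.0.5 - - [22/Aug/2018:14:03:11 +0000] "GET /showcase/index.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Aug/2018:14:03:19 +0000] "GET /%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%29.%28%23cmd%3D%27gnome-calculator%27%29%7D/actionChain1.action HTTP/1.1" 302 0 "-" "python-requests/2.19.1"
203.0.113.7 - - [22/Aug/2018:14:04:02 +0000] "GET /%2524%257B233*233%257D/actionChain1.action HTTP/1.1" 302 0 "-" "curl/7.61.0"
10.0.0.9 - - [22/Aug/2018:14:05:40 +0000] "GET /search.action?q=%24%7Bprice%7D HTTP/1.1" 200 871 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# An OGNL expression opener, "${" or "%{", once the path is decoded.
OGNL_EXPR_RE = re.compile(r"[$%]\{")
# Assumed indicator tokens commonly seen in OGNL payloads (not an exhaustive or vendor list).
SUSPICIOUS_TOKENS = ("#_memberAccess", "#context", "@java.lang", "getRuntime", "ProcessBuilder")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_path(path, max_rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded payloads are still caught."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(decoded_path):
    """Return (indicator, namespace). The namespace is the path before the last slash,
    which is what Struts uses when alwaysSelectFullNamespace is on."""
    namespace = decoded_path.rsplit("/", 1)[0]
    if OGNL_EXPR_RE.search(namespace):
        return "ognl-expression-in-namespace", namespace
    if any(tok in decoded_path for tok in SUSPICIOUS_TOKENS):
        return "ognl-token-in-path", namespace
    return None, namespace


def scan_log(text):
    """Run the detection over a block of log text and return the findings."""
    findings = []
    for raw in text.strip().splitlines():
        entry = parse_line(raw)
        if not entry:
            continue
        # Only the path carries the namespace; the query string is ignored for this check.
        path = urlsplit(entry["target"]).path
        decoded = decode_path(path)
        indicator, namespace = classify(decoded)
        if indicator:
            findings.append({
                "client": entry["client"],
                "time": entry["time"],
                "status": entry["status"],
                "indicator": indicator,
                "namespace": namespace,
                "decoded_path": decoded,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_ACCESS_LOG):
        print(f["client"], f["indicator"], f["namespace"])
```

The 302 on the flagged requests is consistent with the redirect result firing; a 404 on the same pattern is still worth an alert, since it usually means an attacker probing for an action name that is not configured the vulnerable way on that host.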
JASK is modernizing security operations to reduce organizational risk and improve human efficiency. Through technology consolidation, enhanced AI and machine learning, the JASK Autonomous Security Operations Center (ASOC) platform automates the correlation and analysis of threat alerts, helping SOC analysts focus on high-priority threats, streamline investigations and deliver faster response times.