Equifax attackers got in through an Apache Struts flaw?

Have the attackers responsible for the Equifax data breach exploited a vulnerability in Apache Struts, a popular open source framework for developing web applications, to compromise the company’s networks?

Equifax Apache Struts flaw

Equifax has yet to share more details about how the attack was pulled off, but a report by financial services firm Robert W. Baird & Co. says the company’s “understanding” is that it was an Apache Struts flaw that did the trick.

Which flaw was it (if it indeed was)?

Quartz reported it was CVE-2017-9805, publicly revealed last week after it had been patched by the Apache Software Foundation. But, the publication later said it was possible that it was CVE-2017-5638, whose existence was disclosed in March 2017 and was, at the time, under active exploitation.

René Gielen, writing in his name and that of the Apache Struts Project Management Committee, pointed out that “at this point in time it is not clear which Struts vulnerability would have been utilized, if any.”

The Equifax breach was detected in July, he wrote, so the attackers either exploited a then unknown vulnerability – unknown to the Foundation, that is, making it a de-facto zero-day – or they exploited a known vulnerability for which Equifax didn’t implement a released patch.

Contrast Security CTO Jeff Williams says the second possibility is more likely, but that the first one should not yet be discounted.

Plugging security holes

Gielen also made sure to note that the Struts team is quick to respond to security researchers’ notifications about found flaws, and fixes them as quickly as possible.

“We then publicly announce the problem description and how to fix it. Even if exploit code is known to us, we try to hold back this information for several weeks to give Struts Framework users as much time as possible to patch their software products before exploits will pop up in the wild. However, since vulnerability detection and exploitation has become a professional business, it is and always will be likely that attacks will occur even before we fully disclose the attack vectors, by reverse engineering the code that fixes the vulnerability in question or by scanning for yet unknown vulnerabilities,” he noted.

The team’s advice to businesses and individuals utilizing Apache Struts – as well as any other open or closed source supporting library in their software products and services – includes keeping track of announcements affecting this products and versions, and establishing a process to quickly roll out a security fix release of their software product (once these frameworks or libraries have been updated).

Cisco, for example, is currently in the process of determining which of its products are affected by the critical CVE-2017-9805 flaw, along with two other Struts flaws that were classified as less severe, and plans to push out fixes soon.