Remote Code Execution (RCE) Attacks on Apache Struts


Since 2010, 68 vulnerabilities of Apache Struts—the popular open source framework used for building web applications—have been published. Although all of them have been mitigated through patches, hackers still constantly exploit these vulnerabilities to launch attacks.

The most commonly exploited Apache Struts vulnerabilities are Remote Code Execution (RCE) flaws, which allow an attacker to take over the server by running arbitrary malicious code. In 12 of the 68 published Apache Struts vulnerabilities, attackers used Object Graph Navigation Language (OGNL) expressions. This is particularly dangerous because Apache Struts relies on OGNL expressions for most of its processing.

Researchers at the Imperva Defense Center analyzed data over a three-month period and recorded more than 40,000 attacks on Apache Struts vulnerabilities. In this blog post, we break down RCE attacks that use Apache Struts vulnerabilities to remotely execute OGNL code on an attacked server. Read on for analysis of the vulnerabilities and attack vectors, a look at the massive usage of old, unpatched vulnerabilities as the attackers’ favorite method of operation, and a review of the geographic distribution of attacks. We also cover mitigation strategies using the Imperva SecureSphere Web Application Firewall.

Apache Struts Vulnerabilities

In our analysis of attack data we noticed four major Apache Struts vulnerabilities – CVE-2013-2115, CVE-2013-2251, CVE-2016-3081 and CVE-2016-4438 – all of which are prone to RCE attacks using OGNL code and are patched in the current version of Apache Struts distribution.


Table 1 – Apache Struts most common vulnerabilities

Here is an example of malicious code that an attacker tried to remotely execute by sending it in a parameter:


Figure 1 – Injected code example

This attack tries to take advantage of the vulnerability described in CVE-2013-2251. The code pattern is the prefix “redirect:” followed by “${malicious code}”. A vulnerable, unpatched server does not sanitize the code inside the braces correctly and runs it as-is on the server. The malicious code in this example tries to print the path to one of the server’s main directories. In this reconnaissance attempt, the attacker is assessing whether the server is vulnerable to the attack.

Attacks Analysis

In our research, one out of every two web applications experienced targeted attacks on Apache Struts vulnerabilities. Two patched Apache Struts vulnerabilities from 2013 account for nearly 80% of the attacks on Apache Struts vulnerabilities in the last three months (see Figure 2). Attackers launch reconnaissance attacks on a variety of web applications to find one that is not patched. This tactic is very effective—attackers send many requests to web applications only to assess whether a vulnerability exists, and if it does, they launch crafted malicious code against the vulnerable application.


Figure 2 – Attack type distribution

The attackers can be divided into two groups by their attack characteristics (see Figure 3):

  • Attackers targeting Apache Struts vulnerabilities, launching the same kind of attack on many different web applications, trying to find the ones that are vulnerable. We noticed that these attackers rely on older Apache Struts vulnerabilities, as they try to take advantage of unpatched applications that can be easily compromised using a single, automated technique.
  • Attackers targeting a single web application, trying to launch many different kinds of attacks to identify any unpatched vulnerabilities, among them Apache Struts vulnerabilities, in order to find whether a particular application is vulnerable to any attack.


Figure 3 – Different types of attackers

Figure 4 illustrates the attackers’ geographic distribution. In general, attacks are distributed in roughly equal proportions among large countries like the U.S., China, the UK, etc. In the case of attacks on Apache Struts vulnerabilities, there is a clear bias towards China: almost 50% of all attacks on Apache Struts vulnerabilities come from China.


Figure 4 – Attackers’ geographic location distribution

Typically, after vulnerabilities are published and mitigated, code that exploits them is published openly on the Internet. Sample code that exploits Apache Struts vulnerabilities is likewise available to anyone on the Internet.

Attack Mitigation – Virtual Patching

One way to mitigate these targeted attacks is to apply Apache Struts patches. Patching the web server, however, can be a never-ending race: new patches are released much faster than organizations can run them through staging and testing and then push them into production. An alternative is virtual patching through an external security tool such as a Web Application Firewall (WAF), which provides immediate protection to web servers and applications, maintaining business continuity while the right patch is developed, staged and tested.
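As an added example, not code from the post or from Imperva's product, the following detector flags the request pattern described under Figure 1 in the way a WAF virtual-patch rule for CVE-2013-2251 would, and it decodes nested URL encoding before matching. It assumes the Struts 2 parameter prefixes `redirect:`, `redirectAction:` and `action:` (the post names only `redirect:`; the other two are from the same advisory) and runs over constructed sample requests.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Parameter-name prefixes that unpatched Struts 2 handed to OGNL evaluation
# (CVE-2013-2251). The post shows "redirect:"; the other two come from the
# same advisory. Matched case-insensitively, hence lowercase here.
PREFIXES = ("redirect:", "redirectaction:", "action:")
# Start of an OGNL expression once the parameter has been URL-decoded.
OGNL_START = re.compile(r"[$%]\{")

# Constructed sample request targets (path?query), not traffic from the post.
SAMPLE_REQUESTS = [
    # recon probe in the shape of Figure 1: "redirect:" prefix + ${...}
    "/app/login.action?redirect:${%23probe%3d1}",
    # the same probe doubly URL-encoded to slip past a single-decode match
    "/app/login.action?redirect%253A%2524%257B%2523probe%253D1%257D",
    # legitimate use of the prefix with a plain path: must not be flagged
    "/app/home.action?redirect:/welcome.jsp",
    # an ordinary parameter that merely contains the trigger words
    "/app/search.action?q=redirect+${",
]


def decode(value, rounds=3):
    """Percent-decode up to `rounds` times so nested encoding still matches."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_ognl_prefix_injection(request_target):
    """Return decoded query parameters that start with a Struts action prefix
    and contain an OGNL expression start; an empty list means clean."""
    hits = []
    for chunk in urlsplit(request_target).query.split("&"):
        decoded = decode(chunk)
        if decoded.lower().startswith(PREFIXES) and OGNL_START.search(decoded):
            hits.append(decoded)
    return hits


if __name__ == "__main__":
    for target in SAMPLE_REQUESTS:
        hits = find_ognl_prefix_injection(target)
        print("BLOCK" if hits else "ALLOW", target, hits)
```

The two probes are flagged with their decoded form, while the plain-path redirect and the search query pass, which is the false-positive check a rule like this needs before it is deployed in blocking mode.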

Learn more about virtual patching using the Imperva SecureSphere Web Application Firewall.