STRUTS 2 & YOU · Apache Struts 2 • Open-source web application framework • Used to develop...


Page 1: STRUTS 2 & YOU · Apache Struts 2 • Open-source web application framework • Used to develop Java web applications • History of security failures resulting from

WELCOME TO THE ERA OF SELF-PROTECTING SOFTWARE | CONTRASTSECURITY.COM © 2018

CONFIDENTIAL

1

STRUTS 2 & YOU

What we learned from the big Struts 2 exploit, vulnerabilities and what you can do to protect your apps now

Arshan Dabirsiaghi, Founder & Chief Scientist

[email protected]

@nahsra

June 6, 2018

Page 2:

AGENDA

• The reality of software today

• Analysis of the Struts 2 framework (and others like it)

• Going forward – what you can do right now and what we need to do as a community

• How we can help

Page 3:

THE REALITY OF SOFTWARE TODAY

Page 4:

THE REALITY OF SOFTWARE TODAY

[Figure: two ways your software ends up vulnerable. "Your software: Built by you" is vulnerable; "Your software: Assembled" from third-party building blocks is vulnerable too, because the building blocks themselves are.]

Vulnerable components = exposed software = higher risk

Page 5:

THE LIBRARY SECURITY PROBLEM

[Diagram: library vulnerability information arrives through many channels (security mailing lists, library mailing lists, Twitter, pastebin, threat intelligence feeds), multiplied by 100+ libraries and again by all your apps, and all of it lands on the developers.]

Page 6:

PERSPECTIVE

[Diagram contrasting two views of the same estate.]

How you see your applications: WWW, Support (3rd party), Admin, Salesforce plugin, Analytics.

How attackers see your business: the same components (Analytics, Support (3rd party), Admin, Salesforce plugin, www), annotated with what is exploitable: “Uses Struts 2”, “Non-standard auth, less secure”, “Blatant XSS, customer info”.

Page 7:

THE “AVERAGE” APPLICATION

Source: Contrast Security Research, 2017, N=1668 applications

Page 8:

A MAJOR DISCONNECT BETWEEN THE RISK & RISK TOLERANCE FOR OPEN SOURCE SECURITY

Risk Tolerance

• The risk tolerance of vulnerabilities in custom code: let’s spend millions on this

• The risk tolerance of vulnerabilities in libraries? Oh well whatever

Training & Remediation

• Developer secure code training? Hell yes, let’s spend millions on this

• Library developers? Oh well whatever

Don’t ignore the 71% of code that you didn’t build

Page 9:

STRUTS 2 & OTHERS LIKE IT – AN INTRODUCTION

Page 10:

STRUTS 2 - A WIDELY USED COMPONENT (not so popular anymore)

Apache Struts 2

• Open-source web application framework

• Used to develop Java web applications

• History of security failures centering around its expression language

[Chart: usage of popular Java frameworks – Spring: 72%, Struts 2: 4%]

Page 11:

STRUTS 2 DEPENDENCIES

[Figure: Struts 2 dependency graph, including transitive dependencies]

Page 12:

IMPACT: IT’S NOT JUST YOUR APPS!

“Multiple Cisco products incorporate a version of the Apache Struts 2 package that is affected by these vulnerabilities. This advisory will be updated as additional information becomes available.”

Source: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2

“Oracle has stepped outside its usual quarterly security fix cycle to address the latest Apache Struts 2 vulnerability… […] sprawling product set meant fixes had to be deployed across more than 20 products including Siebel Apps, Oracle Communications Policy Management, 21 financial services products, the WebLogic Server, the MySQL Enterprise Monitor, and its Retail XBRi Loss Prevention software.”

Page 13:

THE PROBLEM WITH STRUTS 2

Page 14:

WE ARE NOT HERE TO JUDGE STRUTS2

Page 15:

WHAT CAN WE DO TO PROVE AN OSS PROJECT IS SAFE?

• Assess the security track record

• Assess the quality of committers

• Assess the code

• Assess how they talk about security topics

Page 16:

ASSESS THE TRACK RECORD

CVE-2017-5638 (source of the Equifax breach)
  Severity: High
  Type: Remote code execution
  Target: Jakarta multipart parser
  Cause: Multipart parser mishandles file upload
  Vector: Via a #cmd= string in a crafted Content-Type HTTP header

CVE-2017-9793
  Severity: Medium
  Type: Denial of service
  Target: Struts 2 URL Validator
  Cause: Long-running regex
  Vector: Via specially crafted URL

CVE-2017-9804
  Severity: Low
  Type: Denial of service
  Target: Struts 2 URL Validator
  Cause: Incomplete fix for CVE-2017-9793
  Vector: Via specially crafted URL

CVE-2017-9805
  Severity: High
  Type: Remote code execution
  Target: Struts 2 REST plugin
  Cause: Struts 2 deserializes user input unsafely
  Vector: Via unconfigured XStream

CVE-2017-12611
  Severity: High
  Type: Remote code execution
  Target: Freemarker plugin
  Cause: Struts 2 mistakenly evaluates user input
  Vector: Via parameters or headers, most likely

Page 17:

ASSESS THE CODE: CVE-2017-5638 (“THE EQUIFAX ONE”)

    POST /login HTTP/1.0
    Host: acme.com
    Content-Type: %{(#_='multipart/form-data')... (@java.lang.Runtime@getRuntime().exec('curl localhost:8000'))}

→ Application with Struts 2

Page 18:

CVE-2017-5638 (”THE EQUIFAX ONE”)

core/src/main/java/com/opensymphony/xwork2/util/LocalizedTextUtil.java:

    // get default
    GetDefaultMessageReturnArg result;
    if (indexedTextName == null) {
        result = getDefaultMessage(aTextName, locale, valueStack, args, defaultMessage);
    } else {
        result = getDefaultMessage(aTextName, locale, valueStack, args, null);
        if (result != null && result.message != null) {
            return result.message;
        }
        result = getDefaultMessage(indexedTextName, locale, valueStack, args, defaultMessage);

    // Further down the same path: the message text is run through the expression
    // evaluator (translateVariables) before it is formatted, so a message that
    // embeds user input (the Content-Type value echoed in the upload error) is evaluated.
    MessageFormat mf = buildMessageFormat(TextParseUtil.translateVariables(message, valueStack), locale);

Page 19:

ASSESS HOW THEY TALK ABOUT SECURITY

[Slide annotations: “Possible?!” “What?!”]

Page 20:

WE IMMEDIATELY SEE ONGOING ATTACKS

• China (within 24 hours of advisory!)

• India

• Russia

Page 21:

CVE-2017-9793/CVE-2017-9804 (“THE BURIED ONE”)

    POST /search?q=ftp://aaaaaaaaaaaaaaa{ HTTP/1.0
    Host: acme.com

→ Application with Struts 2

[“Severity Low” crossed out on the slide] What?!?!

Page 22:

CVE-2017-9793/CVE-2017-9804 (“THE BURIED ONE”)

Page 23:

CVE-2017-9805 (“THE NEW BIG ONE”)

    POST /login HTTP/1.0
    Host: acme.com
    Content-Type: text/xml

    <map><entry>... class="java.lang.ProcessBuilder">...</map>

→ Application with Struts 2

Page 24:

CVE-2017-12611 (“A BAD ONE I’M LESS WORRIED ABOUT”)

    POST /login HTTP/1.0
    Host: acme.com
    Content-Type: text/xml

    redirectUri=%{(#[email protected]@DEFAULT..

→ Application with Struts 2
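The request shapes on the four CVE slides above are the same signals a defender can triage in access or WAF logs. The following is an added example, not code from the slides or from Contrast: constructed rules keyed to those shapes, assuming each request is available as a (path, headers, body) tuple; the sample requests are constructed and their payload bodies are abbreviated placeholders.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed detection rules (not Contrast's product logic), keyed to the
# request shapes the slides show for each CVE.
OGNL = re.compile(r"%\{|@java\.lang\.Runtime@|#cmd=")              # 5638, 12611
XSTREAM_GADGET = re.compile(r'class="java\.lang\.ProcessBuilder"')   # 9805
URL_VALIDATOR_DOS = re.compile(r"ftp://\S{10,}\{")                   # 9793/9804 (heuristic)


def classify(path, headers, body=""):
    """Return the sorted CVE labels whose indicators appear in one request.

    headers: dict of header name -> value; body: raw request body string.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    ctype = hdrs.get("content-type", "")
    hits = set()
    # CVE-2017-5638: the multipart parser echoes Content-Type into an error
    # message that is then evaluated, so the marker in the header is the signal.
    if OGNL.search(ctype):
        hits.add("CVE-2017-5638")
    # CVE-2017-9805: the REST plugin hands text/xml bodies to XStream.
    if "xml" in ctype and XSTREAM_GADGET.search(body):
        hits.add("CVE-2017-9805")
    # Parameter values: query string plus a form-encoded body (parse_qsl
    # percent-decodes, so an encoded %25%7B is caught as well).
    values = [v for _, v in parse_qsl(urlsplit(path).query, keep_blank_values=True)]
    if "xml" not in ctype:
        values += [v for _, v in parse_qsl(body, keep_blank_values=True)]
    for value in values:
        if OGNL.search(value):
            hits.add("CVE-2017-12611")
        if URL_VALIDATOR_DOS.search(value):
            hits.add("CVE-2017-9793/9804")
    return sorted(hits)


def triage(requests):
    """Map request index -> findings for every request that trips a rule."""
    findings = {}
    for i, (path, headers, body) in enumerate(requests):
        cves = classify(path, headers, body)
        if cves:
            findings[i] = cves
    return findings


# Constructed sample traffic modelled on the slides' requests; the payload
# bodies are abbreviated placeholders, not working exploits.
SAMPLE_REQUESTS = [
    ("/login", {"Host": "acme.com", "Content-Type": "%{(#_='multipart/form-data')...}"}, ""),
    ("/search?q=ftp://aaaaaaaaaaaaaaa{", {"Host": "acme.com"}, ""),
    ("/login", {"Host": "acme.com", "Content-Type": "text/xml"},
     '<map><entry>...class="java.lang.ProcessBuilder">...</map>'),
    ("/login", {"Host": "acme.com", "Content-Type": "application/x-www-form-urlencoded"},
     "redirectUri=%{(#_=1)}"),
    ("/search?q=struts", {"Host": "acme.com"}, ""),  # benign
]

if __name__ == "__main__":
    for idx, cves in triage(SAMPLE_REQUESTS).items():
        print(idx, SAMPLE_REQUESTS[idx][0], cves)
```

The header rule is deliberately narrow: a legitimate Content-Type never contains an expression marker, so that hit alone is worth an alert, while the parameter rules should be tuned against your own traffic before paging anyone.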

Page 25:

EXCUSES

• “It’s risky to upgrade to such a new version”

– Ok, you learned your lesson now – being that far behind prevents you from upgrading quickly

• “Patching is harder than you think”

– We all know this – time to grow up

– If the “Buy Now” button was broken – you think they’d say no, and say “patching is hard”?

• “Security is about tradeoffs”

– Ok, show me what you traded off in exchange for “Internet-facing security”?

• “Our scanners didn’t find this vulnerability”

– Why are you scanning stuff you own?

– You need an inventory.

Page 26:

USING TRADITIONAL TECHNIQUES, WOULD YOU HAVE RESPONDED TO THE CVE?

1. Learn of the new CVE

2. Identify all the places in their software portfolio where they are exposed

3. Allocate Engineering+Ops+Security resources to bring vulnerable applications down and/or put a temporary workaround in place

4. Patch Applications & Re-test

5. Deploy Fixed Applications

Hackers move faster than large enterprises. This is an impossible feat.

Equifax had approximately 75 days to complete all of these steps.

Page 27:

GOING FORWARD

Page 28:

What to do

1. Understand the frameworks and libraries you use

• Quickly inventory applications with vulnerable Struts 2 and dependencies

• List associated vulnerabilities and prioritize

• Export vulnerabilities to GRC systems

2. Quickly roll out patched software

• Update Struts 2 versions where possible

• Add virtual patches in production where not possible

3. Security policy must assume software is flawed

• Re-test all vulnerable applications - pen test for business logic, IAST for basics

• Ensure coverage for vulnerabilities in security testing of upcoming releases

4. Establish security layers

• Have explicit protection against known CVEs as part of a layered defense strategy (e.g., DDoS protection, network firewall, identity & access management)

5. Establish monitoring for unusual access patterns

• Report application data flow & authentication logs to SIEM

• Establish IR workflow for application attacks

WHAT YOU CAN DO NOW

Quickly identify and secure custom and third party software to reduce risk
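Step 1 above (inventory applications with vulnerable Struts 2 and dependencies) is where most teams stumble, because Struts 2 often arrives transitively through another jar rather than from your own pom. The following is an added example, not Contrast's inventory code: a constructed parser for `mvn dependency:tree` output that flags every Struts artifact below a given version and says whether it was declared directly or pulled in transitively. The sample tree and its version numbers are constructed, and the fixed version is a placeholder the caller takes from the Apache advisory for the CVE being hunted.

```python
import re

# Constructed parser for `mvn dependency:tree` output (not Contrast's
# inventory code). Maven prints one artifact per line as
#   [INFO] +- group:artifact:type:version:scope
# and indents transitive dependencies by three columns ("|  " or "   ").
TREE_LINE = re.compile(
    r"^\[INFO\]\s+(?P<prefix>[|+\\ -]*)"
    r"(?P<group>[^:\s]+):(?P<artifact>[^:]+):(?P<type>[^:]+):(?P<version>[^:]+)"
    r"(?::(?P<scope>\w+))?\s*$"
)


def parse_version(version):
    """Numeric tuple for comparison: '2.5.10.1' -> (2, 5, 10, 1)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def find_struts(tree_output, min_safe_version):
    """Return (artifact, version, transitive) for every Struts artifact
    older than min_safe_version.

    min_safe_version is the first fixed release named in the Apache advisory
    for the CVE being hunted; the slides do not state one, so the caller
    supplies it. Transitive hits are the ones a grep of your own pom misses.
    """
    floor = parse_version(min_safe_version)
    findings = []
    for line in tree_output.splitlines():
        m = TREE_LINE.match(line)
        if not m or not m.group("group").startswith("org.apache.struts"):
            continue
        depth = len(m.group("prefix")) // 3      # 1 = declared directly in the pom
        if parse_version(m.group("version")) < floor:
            findings.append((m.group("artifact"), m.group("version"), depth > 1))
    return findings


# Constructed sample output for a webapp that pulls Struts 2 in directly and,
# through a legacy UI jar, transitively (version numbers are sample values).
SAMPLE_TREE = r"""
[INFO] com.example:webapp:war:1.0
[INFO] +- org.apache.struts:struts2-core:jar:2.3.31:compile
[INFO] |  +- org.apache.struts.xwork:xwork-core:jar:2.3.31:compile
[INFO] |  \- ognl:ognl:jar:3.0.19:compile
[INFO] +- com.example:legacy-ui:jar:4.2:compile
[INFO] |  \- org.apache.struts:struts2-rest-plugin:jar:2.5.10.1:compile
[INFO] \- org.springframework:spring-webmvc:jar:4.3.9.RELEASE:compile
"""

FIXED_VERSION = "2.5.13"  # placeholder: take the real value from the Apache advisory

if __name__ == "__main__":
    for artifact, version, transitive in find_struts(SAMPLE_TREE, FIXED_VERSION):
        print(artifact, version, "(transitive)" if transitive else "(direct)")
```

Run `mvn dependency:tree` per application and feed its output in; the transitive flag tells you which findings need a fix in the upstream jar rather than in your own pom.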

Page 29:

HOW WE CAN HELP

Page 30:

CONTRAST: WHAT IS IT?

[Diagram: Ordinary Insecure Application → AGENT → Self-Protecting Application]

Adds missing security capabilities at runtime without changing existing code…

Page 31:

CONTRAST: PROTECTING YOUR CUSTOM CODE

Page 32:

CONTRAST: LIBRARY INVENTORY

Inventory generated upon deploying Contrast agent

Library risk assessment

Current & latest versions

Page 33:

CONTRAST: LIBRARY ASSESSMENT

You’re vulnerable

And you use it

Page 34:

CONTRAST: LIBRARY PROTECTION

Redacted

Page 35:

[Badge: LEADER – Software Development Solution]

Page 36:

QUESTIONS?