WELCOME TO THE ERA OF SELF-PROTECTING SOFTWARE | CONTRASTSECURITY.COM © 2018
CONFIDENTIAL
STRUTS 2 & YOU
What we learned from the big Struts 2 exploit, vulnerabilities and what you can do to protect your apps now
Arshan Dabirsiaghi, Founder & Chief Scientist
@nahsra
June 6, 2018
AGENDA
• The reality of software today
• Analysis of the Struts 2 framework (and others like it)
• Going forward – what you can do right now and what we need to do as a
community
• How we can help
THE REALITY OF SOFTWARE TODAY
THE REALITY OF SOFTWARE TODAY
(Diagram) Your software, built by you: vulnerable. Your software, assembled from third-party building blocks: vulnerable.
Vulnerable components = exposed software = higher risk
THE LIBRARY SECURITY PROBLEM
(Diagram) Library vulnerability information arrives from security mailing lists, library mailing lists, pastebin and threat intelligence feeds; multiply that by 100+ libraries and by all your apps, and it all lands on developers.
PERSPECTIVE
(Diagram) How you see your applications: WWW, Support (3rd party), Admin, Salesforce plugin, Analytics.
How attackers see your business: the same components, annotated with what matters to them: “Uses Struts 2”, “Non-standard auth, less secure”, “Blatant XSS, customer info”.
THE “AVERAGE” APPLICATION
Source: Contrast Security Research, 2017, N=1668 applications
A MAJOR DISCONNECT BETWEEN THE RISK & RISK TOLERANCE FOR OPEN SOURCE SECURITY
Risk Tolerance
• The risk tolerance of vulnerabilities in custom code: let’s spend millions on this
• The risk tolerance of vulnerabilities in libraries? Oh well, whatever
Training & Remediation
• Developer secure code training? Hell yes, let’s spend millions on this
• Library developers? Oh well, whatever
Don’t ignore the 71% of code that you didn’t build
STRUTS 2 & OTHERS LIKE IT – AN INTRODUCTION
STRUTS 2 - A WIDELY USED COMPONENT (not so popular anymore)
Apache Struts 2
• Open-source web application framework
• Used to develop Java web applications
• History of security failures centering around its expression language
(Chart) Usage of popular Java frameworks: Spring 72%, Struts 2 4%
STRUTS 2 DEPENDENCIES (transitive)
(Diagram of the Struts 2 transitive dependency tree)
IMPACT: IT’S NOT JUST YOUR APPS!
“Multiple Cisco products incorporate a version of the Apache Struts 2 package that is affected by these vulnerabilities. This advisory will be updated as additional information becomes available.”
Source: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2
“Oracle has stepped outside its usual quarterly security fix cycle to address the latest Apache Struts 2 vulnerability… […] sprawling product set meant fixes had to be deployed across more than 20 products including Siebel Apps, Oracle Communications Policy Management, 21 financial services products, the WebLogic Server, the MySQL Enterprise Monitor, and its Retail XBRi Loss Prevention software.”
THE PROBLEM WITH STRUTS 2
WE ARE NOT HERE TO JUDGE STRUTS2
WHAT CAN WE DO TO PROVE AN OSS PROJECT IS SAFE?
• Assess the security track record
• Assess the quality of committers
• Assess the code
• Assess how they talk about security topics
ASSESS THE TRACK RECORD
CVE-2017-5638 (source of the Equifax breach)
  Severity: High
  Type: Remote code execution
  Target: Jakarta multipart parser
  Cause: Multipart parser mishandles file upload
  Vector: via a #cmd= string in a crafted Content-Type HTTP header

CVE-2017-9793
  Severity: Medium
  Type: Denial of service
  Target: Struts 2 URL Validator
  Cause: Long-running regex
  Vector: via specially crafted URL

CVE-2017-9804
  Severity: Low
  Type: Denial of service
  Target: Struts 2 URL Validator
  Cause: The fix for CVE-2017-9793 was incomplete
  Vector: via specially crafted URL

CVE-2017-9805
  Severity: High
  Type: Remote code execution
  Target: Struts 2 REST plugin
  Cause: Struts 2 deserializes user input unsafely
  Vector: via unconfigured XStream

CVE-2017-12611
  Severity: High
  Type: Remote code execution
  Target: Freemarker plugin
  Cause: Struts 2 mistakenly evaluates user input
  Vector: via parameters or headers, most likely
ASSESS THE CODE: CVE-2017-5638 (“THE EQUIFAX ONE”)
POST /login HTTP/1.0
Host: acme.com
Content-Type: %{(#_='multipart/form-data')...
(@java.lang.Runtime@getRuntime().
exec('curl localhost:8000'))}
Application with Struts 2
CVE-2017-5638 (“THE EQUIFAX ONE”)
core/src/main/java/com/opensymphony/xwork2/util/LocalizedTextUtil.java, lines 570-579:

    // get default
    GetDefaultMessageReturnArg result;
    if (indexedTextName == null) {
        result = getDefaultMessage(aTextName, locale, valueStack, args, defaultMessage);
    } else {
        result = getDefaultMessage(aTextName, locale, valueStack, args, null);
        if (result != null && result.message != null) {
            return result.message;
        }
        result = getDefaultMessage(indexedTextName, locale, valueStack, args, defaultMessage);
    }

Inside getDefaultMessage() the message text, which in CVE-2017-5638 is the upload error message carrying the raw Content-Type header value, is passed through the OGNL evaluator before it is formatted:

    MessageFormat mf = buildMessageFormat(TextParseUtil.translateVariables(message, valueStack), locale);
WELCOME TO THE ERA OF SELF-PROTECTING SOFTWARE | CONTRASTSECURITY.COM © 2018
CONFIDENTIAL
19
ASSESS HOW THEY TALK ABOUT SECURITY
(Screenshot of the project’s security discussion, annotated: “Possible?!”, “What?!”)
WE IMMEDIATELY SEE ONGOING ATTACKS
• China (within 24 hours of the advisory!)
• India
• Russia
CVE-2017-9793/CVE-2017-9804 (“THE BURIED ONE”)
POST /search?q=ftp://aaaaaaaaaaaaaaa{ HTTP/1.0
Host: acme.com
Application with Struts 2
Severity: Low. What?!?!
CVE-2017-9793/CVE-2017-9804 (“THE BURIED ONE”)
CVE-2017-9805 (”THE NEW BIG ONE”)
POST /login HTTP/1.0
Host: acme.com
Content-Type: text/xml
<map><entry>...
class="java.lang.ProcessBuilder">...</map>
Application with Struts 2
CVE-2017-12611 (“A BAD ONE I’M LESS WORRIED ABOUT”)
POST /login HTTP/1.0
Host: acme.com
Content-Type: text/xml
redirectUri=%{(#[email protected]@DEFAULT..
Application with Struts 2
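A defensive check for the two request shapes sketched in the CVE-2017-5638 and CVE-2017-12611 slides above, added here as an example and not part of the original deck or of any Contrast product: it validates the Content-Type header against the HTTP media-type grammar and flags expression-language openers in headers and parameters, the kind of rule a virtual patch or a log triage job would apply. The sample requests are constructed.

```python
import re

# Constructed sample requests (not captured traffic), shaped after the
# request sketches in the slides for CVE-2017-5638 and CVE-2017-12611.
SAMPLE_REQUESTS = [
    {"headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "params": {"user": "alice", "redirectUri": "/account"}},
    {"headers": {"Content-Type": "%{(#_='multipart/form-data')..."
                                 "(@java.lang.Runtime@getRuntime().exec('curl localhost:8000'))}"},
     "params": {}},
    {"headers": {"Content-Type": "text/xml"},
     "params": {"redirectUri": "%{(#_='/account')...}"}},
]

# RFC 7230 token characters; a legitimate Content-Type is type "/" subtype
# followed by optional ";" name=value parameters and nothing else.
TCHAR = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
MEDIA_TYPE = re.compile(
    r"^" + TCHAR + r"/" + TCHAR
    + r"(\s*;\s*" + TCHAR + r"=(?:" + TCHAR + r"|\"[^\"]*\"))*\s*$"
)

# OGNL / expression-language openers that never belong in a header or a
# form parameter of a normal request.
OGNL_MARKERS = re.compile(r"%\{|\$\{|@java\.lang\.|#_")


def inspect_request(req):
    """Return a list of (location, reason) findings; an empty list means clean."""
    findings = []
    ctype = req["headers"].get("Content-Type")
    if ctype is not None and not MEDIA_TYPE.match(ctype):
        findings.append(("header:Content-Type", "malformed media type"))
    fields = [("header:" + k, v) for k, v in req["headers"].items()]
    fields += [("param:" + k, v) for k, v in req["params"].items()]
    for location, value in fields:
        m = OGNL_MARKERS.search(value)
        if m:
            findings.append((location, "expression-language marker " + m.group(0)))
    return findings


def triage(requests):
    """Map request index -> findings, for every request that has any."""
    return {i: f for i, r in enumerate(requests) if (f := inspect_request(r))}


if __name__ == "__main__":
    for i, findings in triage(SAMPLE_REQUESTS).items():
        print(i, findings)
```

The malformed-media-type check fires on the CVE-2017-5638 header even without any signature, because no legitimate Content-Type starts with anything other than type/subtype.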
EXCUSES
• “It’s risky to upgrade to such a new version”
– OK, you learned your lesson now: being that far behind is what prevents you from upgrading quickly
• “Patching is harder than you think”
– We all know this; time to grow up
– If the “Buy Now” button were broken, do you think they’d say no and say ‘patching is hard’?
• “Security is about tradeoffs”
– OK, show me what you traded off in exchange for “Internet-facing security”
• “Our scanners didn’t find this vulnerability”
– Why are you scanning to discover what you own?
– You need an inventory.
USING TRADITIONAL TECHNIQUES, WOULD YOU HAVE RESPONDED TO THE CVE?
1. Learn of the new CVE
2. Identify all the places in the software portfolio where you are exposed
3. Allocate Engineering + Ops + Security resources to bring vulnerable applications down and/or put a temporary workaround in place
4. Patch applications & re-test
5. Deploy fixed applications
Hackers move faster than large enterprises. This is an impossible feat.
Equifax had approximately 75 days to complete all of these steps.
GOING FORWARD
WHAT YOU CAN DO NOW
Quickly identify and secure custom and third party software to reduce risk
1. Understand the frameworks and libraries you use
• Quickly inventory applications with vulnerable Struts 2 and dependencies
• List associated vulnerabilities and prioritize
• Export vulnerabilities to GRC systems
2. Quickly roll out patched software
• Update Struts 2 versions where possible
• Add virtual patches in production where not possible
3. Security policy must assume software is flawed
• Re-test all vulnerable applications - pen test for business logic, IAST for basics
• Ensure coverage for vulnerabilities in security testing of upcoming releases
4. Establish security layers
• Have explicit protection against known CVEs as part of a layered defense strategy (e.g., DDoS protection, network firewall, identity & access management)
5. Establish monitoring for unusual access patterns
• Report application data flow & authentication logs to SIEM
• Establish IR workflow for application attacks
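Step 1 above, inventorying which applications run a vulnerable Struts 2, can be scripted against the JAR listings you already collect from each application’s WEB-INF/lib; this is an added example, not the deck’s or Contrast’s code. The application names and JAR listings are constructed, and the fixed-version thresholds are assumed from the upstream Apache Struts advisories for two of the CVEs in the track-record table, so verify them against the advisories before relying on the output.

```python
import re

# Constructed WEB-INF/lib listings for four hypothetical apps (not real data).
SAMPLE_APPS = {
    "www": ["struts2-core-2.3.31.jar", "ognl-3.0.19.jar"],
    "support": ["struts2-core-2.5.12.jar", "struts2-rest-plugin-2.5.12.jar"],
    "admin": ["struts2-core-2.5.13.jar", "struts2-rest-plugin-2.5.13.jar"],
    "analytics": ["spring-webmvc-5.0.6.RELEASE.jar"],
}

# Minimum fixed version per maintained branch, and the artifact whose presence
# makes the CVE relevant. Thresholds are ASSUMED from the Apache Struts
# advisories (S2-045 for CVE-2017-5638, S2-052 for CVE-2017-9805); verify them.
ADVISORIES = {
    "CVE-2017-5638": {"artifact": "core", "fixed": [(2, 3, 32), (2, 5, 10, 1)]},
    "CVE-2017-9805": {"artifact": "rest-plugin", "fixed": [(2, 3, 34), (2, 5, 13)]},
}

JAR_RE = re.compile(r"struts2-(?P<artifact>[a-z0-9-]+?)-(?P<ver>\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version, fixed_versions):
    """True unless version is at or above the fix on its own 2.x branch; a branch
    with no listed fix counts as vulnerable only if older than the newest fixed branch."""
    branch = version[:2]
    same_branch = [f for f in fixed_versions if f[:2] == branch]
    if not same_branch:
        return branch < max(f[:2] for f in fixed_versions)
    return version < min(same_branch)


def inventory(apps):
    """Map app name -> sorted list of CVE ids it is exposed to."""
    report = {}
    for app, jars in apps.items():
        found = {}
        for jar in jars:
            m = JAR_RE.match(jar)
            if m:
                found[m["artifact"]] = parse_version(m["ver"])
        report[app] = sorted(
            cve for cve, adv in ADVISORIES.items()
            if adv["artifact"] in found
            and is_vulnerable(found[adv["artifact"]], adv["fixed"])
        )
    return report
```

Running inventory(SAMPLE_APPS) flags “www” for CVE-2017-5638 and “support” for CVE-2017-9805 only, because the REST plugin is what makes the deserialization CVE reachable.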
HOW WE CAN HELP
CONTRAST: WHAT IS IT?
(Diagram) Ordinary insecure application + AGENT = self-protecting application
Adds missing security capabilities at runtime without changing existing code…
CONTRAST: PROTECTING YOUR CUSTOM CODE
CONTRAST: LIBRARY INVENTORY
Inventory generated upon deploying the Contrast agent
Library risk assessment
Current & latest versions
CONTRAST: LIBRARY ASSESSMENT
You’re vulnerable
And you use it
CONTRAST: LIBRARY PROTECTION
(Screenshot redacted)
QUESTIONS?