SafeUM
Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
6 Sep 2017

New Apache Struts vulnerability puts many Fortune companies at risk

A critical security vulnerability in open-source server software enables hackers to easily take control of an affected server -- putting sensitive corporate data at risk.

The vulnerability allows an attacker to remotely run code on servers hosting applications built with Apache Struts that use its REST plugin, according to the security researchers who discovered it. All versions of Struts since 2008 are affected, the researchers said.

Apache Struts is used across the Fortune 100 to build web applications in Java, powering both front- and back-end applications. Man Yue Mo, a security researcher at LGTM who led the research that found the bug, said that Struts is used in many publicly accessible web applications, such as airline booking and internet banking systems. Mo said that all a hacker needs "is a web browser." "I can't stress enough how incredibly easy this is to exploit," said Bas van Schaik, product manager at Semmle, the company whose code-analysis software was used to discover the vulnerability.

"If you know what request to send, you can start any process on the web server running a vulnerable application," he said. The vulnerability is caused by how Struts deserializes untrusted data, Mo said. An attacker can exploit the flaw to run any command on an affected Struts server, even behind a company firewall. "If the server contains customer or user data it's not hard at all to collect that data and transfer it to somewhere else," van Schaik said. The attacker can also use the server as an entry point to other areas of the network, effectively bypassing the corporate firewall and gaining access to other shielded-off areas of the company, he said.

"An attacker can use the vulnerability to find the credentials, connect to the database server, and extract all data," he said. Worse, he added, an attacker could delete data. "A creative attacker will have a field day," he said. "And even worse: The organization under attack may not even notice until it is well too late."

An exploit has been developed by the security researchers but has not been released, to give companies time to patch their systems. Van Schaik said that he is not aware of anyone exploiting the vulnerability, but warned that he expects this to change "within a few hours" of the bug's details being made public.

"Companies may indeed scramble to fix their infrastructure," van Schaik said. A source code fix was released some weeks prior, and Apache released a full patch on Tuesday to fix the vulnerability. But many companies will remain vulnerable to attack until their systems are patched. Several government websites, including the IRS and California's Department of Motor Vehicles, along with major multinational companies such as Virgin Atlantic and Vodafone, use the software and are potentially affected by the vulnerability, but van Schaik said that the list was "the tip of the iceberg."

As many as 65 percent of the Fortune 500 are potentially affected by the vulnerability, said Fintan Ryan, an industry analyst at Redmonk, in an email. Ryan said the figure was based on the known usage of Struts across the Fortune 100, such as developer metrics and hiring data. He said that Struts is used typically to sustain or augment existing applications, rather than newer web applications.

There is no reliable way for security researchers or attackers to test from outside whether a server is vulnerable without actually exploiting the vulnerability. "It turns out that there is no other way than to announce the vulnerability publicly and stress how important it is that people upgrade their Struts components," van Schaik said. "There is simply no other way to reach the companies who are affected," he said.
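Because a server cannot be probed safely from outside, the practical check is an inventory of what is actually deployed: only applications that ship the Struts REST plugin are exposed, and only versions below the fixed release for their branch. The script below is an added example, not code from the ZDNet article or from the Struts project. It assumes the plugin is deployed as its Maven artifact, WEB-INF/lib/struts2-rest-plugin-<version>.jar inside a WAR file, and the FIXED table of first patched releases is taken from Apache's advisory for this issue rather than from the article, so verify it against the advisory before relying on it. The three WAR files it scans are constructed fixtures.

```python
"""Inventory WAR files for the Struts 2 REST plugin and flag versions below
the first fixed release of their branch.

Added example, not part of the ZDNet article or the Struts project.
Assumption: the plugin ships as WEB-INF/lib/struts2-rest-plugin-<ver>.jar
(its Maven artifact name). The FIXED table is taken from Apache's advisory
for this issue, not from the article; check it against the advisory.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# Maven artifact names as they appear inside a WAR's WEB-INF/lib directory.
REST_PLUGIN_RE = re.compile(r"^WEB-INF/lib/struts2-rest-plugin-(\d+(?:\.\d+)+)\.jar$")
CORE_RE = re.compile(r"^WEB-INF/lib/struts2-core-(\d+(?:\.\d+)+)\.jar$")

# First fixed release per maintained branch (assumption: from Apache's advisory).
FIXED = {(2, 3): (2, 3, 34), (2, 5): (2, 5, 13)}


def parse_version(text):
    """'2.5.12' -> (2, 5, 12); tuples compare numerically, unlike strings."""
    return tuple(int(part) for part in text.split("."))


def assess(version):
    """Classify a REST plugin version as 'vulnerable', 'patched' or 'unknown'."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        return "vulnerable" if v < FIXED[branch] else "patched"
    if branch < (2, 3):
        # 2.1/2.2 branches are end-of-life and never received a fix.
        return "vulnerable"
    return "unknown"


def scan_war(war_path):
    """Return core version, REST plugin version and a status for one WAR."""
    result = {"core": None, "rest_plugin": None, "status": "no-rest-plugin"}
    with zipfile.ZipFile(war_path) as war:
        for name in war.namelist():
            if m := CORE_RE.match(name):
                result["core"] = m.group(1)
            elif m := REST_PLUGIN_RE.match(name):
                result["rest_plugin"] = m.group(1)
                result["status"] = assess(m.group(1))
    return result


def scan_tree(root):
    """Scan every *.war below root; returns {war filename: scan_war result}."""
    return {p.name: scan_war(p) for p in sorted(Path(root).rglob("*.war"))}


def build_sample_war(path, jar_names):
    """Constructed fixture: a WAR whose WEB-INF/lib holds empty jar entries."""
    with zipfile.ZipFile(path, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        for jar in jar_names:
            war.writestr(f"WEB-INF/lib/{jar}", b"")


def demo():
    """Build three constructed WARs in a temp directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_war(root / "booking.war",
                         ["struts2-core-2.5.12.jar", "struts2-rest-plugin-2.5.12.jar"])
        build_sample_war(root / "banking.war",
                         ["struts2-core-2.3.34.jar", "struts2-rest-plugin-2.3.34.jar"])
        build_sample_war(root / "intranet.war", ["struts2-core-2.5.10.jar"])
        return scan_tree(root)


if __name__ == "__main__":
    for war, info in demo().items():
        print(f"{war}: core={info['core']} rest-plugin={info['rest_plugin']} -> {info['status']}")
```

A WAR with no REST plugin jar is not exposed to this particular issue even if its struts2-core is old, which is why the status is reported separately from the core version. Filename matching will miss exploded deployments, shaded or renamed jars, and plugins loaded from a shared container classpath, so treat a clean result as a starting point for the upgrade rather than proof of safety.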


Tags: information leaks
Source: ZDNet
SafeUM © Safe Universal Messenger