This document discusses vulnerabilities in application frameworks and the importance of monitoring for vulnerabilities in third-party libraries and components. It uses the Equifax breach as an example of how vulnerabilities in the Apache Struts framework were exploited to gain access and steal personal data. The document recommends that software developers and IT security teams regularly check all application components for known vulnerabilities and ensure components and libraries are kept up to date with the latest security patches. It also emphasizes the importance of detection mechanisms to identify suspicious activity resulting from exploited vulnerabilities.
4. How come?
• Initial attack vector: web server, Apache Struts
• CVE-2017-9805
• CVE-2017-5638
5. Is it easy to exploit?
Google for: "CVE-2017-5638 exploit"
<src= Exploit Database https://www.exploit-db.com/exploits/41570/>
https://www.flickr.com/photos/alijava/27634909445
(but it is not trivial to find such a bug)
6. What was next?
• ?
• Multiple backdoors
• Lateral movement
• Huge data transfers
– 143 mln user records
– 209 000 credit card numbers
Struts patched: 7 Mar
Vulnerability disclosed: 10 Mar
Equifax was able to determine a series of breaches had occurred from May 13 through July 30
Nobody noticed?
<src= CNN Tech http://money.cnn.com/2017/09/16/technology/equifax-breach-security-hole/index.html>
8. Server vulnerability exploitation
• In late 2015 one of the Polish banks was pwned (outdated components)
• Intruder was able to modify transactions
source: www.zaufanatrzeciastrona.pl
~ 40 000 eur
9. Server vulnerability exploitation
Source: www.zaufanatrzeciastrona.pl
~ 92 000 eur
12. Why are frameworks vulnerable?
• Internals are complicated
• Execution path is not obvious
• Years of development and feature arms race
<img src= Łukasz Lenart "How secure your web framework is? Based on Apache Struts2" https://www.slideshare.net/kravietz/struts2-howsecure/>
15. Am I vulnerable too?
1. What kind of framework/libraries are we running?
– Check URL: e.g. .do .action means Struts (probably)
– Ask developers ;)
– Check WEB-INF/lib
…
ognl-3.1.12.jar
struts2-config-browser-plugin-2.5.10.jar
struts2-convention-plugin-2.5.10.jar
struts2-core-2.5.10.jar
struts2-rest-plugin-2.5.10.jar
…
16. Am I vulnerable too?
2. Are those versions vulnerable?
– vendor's doc
– vendor's Jira/Bugzilla/..
– NVD / CVE
17. Am I vulnerable too?
3. Are we using the vulnerable functions?
S2-052 (CVE-2017-9805) – the non-default REST plugin has to be enabled
S2-053 (CVE-2017-12611) – non-standard (considered wrong) construction of FreeMarker tags
S2-045 (CVE-2017-5638) – the exploited functionality is widely implemented
More: Struts security app-ocalypse – IT security managers survival guide
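The three steps on slides 15 to 17 (list the jars, look up the versions, check whether the vulnerable feature is in use) can be automated for the WEB-INF/lib listing shown above. The script below is an added example and is not part of the original slides or of any Struts tooling. The jar listing is constructed to mirror slide 15; the affected version ranges are entered from the Apache Struts advisories S2-045, S2-052 and S2-053 as I recall them and must be confirmed against the advisory text before the output is relied on. The S2-052 entry carries the extra condition from slide 17: it only counts as likely exploitable when the REST plugin jar is also present.

```python
"""Check a WEB-INF/lib listing against known-vulnerable struts2-core ranges.

Added example for the slides' "Am I vulnerable too?" procedure. Sample
listing is constructed; advisory ranges are from memory of the advisories
and should be verified against the vendor's security bulletins.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed sample listing mirroring slide 15.
SAMPLE_LISTING = """
ognl-3.1.12.jar
struts2-config-browser-plugin-2.5.10.jar
struts2-convention-plugin-2.5.10.jar
struts2-core-2.5.10.jar
struts2-rest-plugin-2.5.10.jar
"""

# (advisory, CVE, inclusive affected ranges of struts2-core,
#  plugin jar that must also be present for the bug to be reachable)
ADVISORIES: List[Tuple[str, str, List[Tuple[str, str]], Optional[str]]] = [
    ("S2-045", "CVE-2017-5638", [("2.3.5", "2.3.31"), ("2.5", "2.5.10")], None),
    ("S2-052", "CVE-2017-9805", [("2.1.2", "2.3.33"), ("2.5", "2.5.12")], "struts2-rest-plugin"),
    ("S2-053", "CVE-2017-12611", [("2.0.1", "2.3.33"), ("2.5", "2.5.10.1")], None),
]

# artifact-name-<dotted version>.jar ; non-greedy artifact so the version
# part is the trailing numeric group.
JAR_RE = re.compile(r"^(?P<artifact>[a-z0-9-]+?)-(?P<version>\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Version:
    return tuple(int(p) for p in text.split("."))


def parse_listing(listing: str) -> Dict[str, Version]:
    """Map artifact name -> version tuple for each jar line that matches."""
    jars: Dict[str, Version] = {}
    for line in listing.splitlines():
        m = JAR_RE.match(line.strip())
        if m:
            jars[m.group("artifact")] = parse_version(m.group("version"))
    return jars


def in_range(v: Version, lo: str, hi: str) -> bool:
    """Inclusive comparison; shorter tuples are zero-padded so 2.5 == 2.5.0."""
    lo_v, hi_v = parse_version(lo), parse_version(hi)
    n = max(len(v), len(lo_v), len(hi_v))

    def pad(t: Version) -> Version:
        return t + (0,) * (n - len(t))

    return pad(lo_v) <= pad(v) <= pad(hi_v)


def find_vulnerable(jars: Dict[str, Version]) -> List[Tuple[str, str, str]]:
    """Return (advisory, CVE, verdict) for every advisory whose range matches."""
    core = jars.get("struts2-core")
    if core is None:
        return []  # not a Struts 2 application (or the jar was renamed)
    hits = []
    for advisory, cve, ranges, required_plugin in ADVISORIES:
        if not any(in_range(core, lo, hi) for lo, hi in ranges):
            continue
        if required_plugin and required_plugin not in jars:
            hits.append((advisory, cve, f"affected version, but {required_plugin} not deployed"))
        else:
            hits.append((advisory, cve, "likely exploitable, patch"))
    return hits


def report(listing: str) -> List[Tuple[str, str, str]]:
    jars = parse_listing(listing)
    hits = find_vulnerable(jars)
    core = jars.get("struts2-core")
    print(f"struts2-core: {'.'.join(map(str, core)) if core else 'not found'}")
    for advisory, cve, verdict in hits:
        print(f"  {advisory} ({cve}): {verdict}")
    return hits


if __name__ == "__main__":
    report(SAMPLE_LISTING)
```

The version comparison pads tuples to equal length, which matters for ranges such as 2.5 to 2.5.10.1: a naive string comparison would put 2.5.10 after 2.5.10.1. The check is a first filter only; the slides' caveats about forks, shaded jars and CPE matching still apply, and absence of the REST plugin jar reduces but does not remove the need to patch.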
24. It's not 100% accurate
(but much better than nothing)
• It's not trivial to assess what kind of libs are used (CPE matching)
• Forks, proprietary modifications, etc.
• Only as up to date as the vulnerability data feed (NVD)
25. Recommendations:
Software vendor / development team
Verify framework and libraries before each release (or build)
Integrate security verification into your software development process
OWASP Dependency Check
https://www.owasp.org/index.php/OWASP_Dependency_Check
Take care of the security awareness of your development team, especially in the field of component security.
26. Recommendations:
Software owner / IT security
During routine security testing remember about application components (WHITE BOX !)
Know your software stack: build and maintain a list of recommended frameworks and libraries
Use a WAF as a first line of defence
Enforce constant component updates on your vendors / developers
Monitor public information about your software stack security. Verify your production systems (e.g. OWASP Dependency Check)
27. Don't forget about detection !
• Build detection mechanisms INTO your software, e.g.
– Suspicious activity is easiest to detect on higher layers (check out OWASP AppSensor)
– Honeytokens
• Be prepared
– Incident response process
– Build your skills / external professional support
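Slide 27 argues that the activity seen in the Equifax case (huge data transfers) is easiest to spot at the application layer, and suggests honeytokens. The following is an added example of what such in-application detection can look like; it is not code from the slides, from OWASP AppSensor, or from any product. It walks an audit trail of application events (constructed here) and raises two kinds of alert: any request that touches a honeytoken record (a fake customer row that no legitimate workflow ever asks for), and any session whose exported record count within a sliding window exceeds a threshold. Record ids, session names and thresholds are all assumed values.

```python
"""Application-layer detection: honeytoken hits and bulk-export volume.

Added example illustrating slide 27 ("detect on higher layers",
"honeytokens"). Events, ids and thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Honeytoken ids: planted rows that exist in the data store but are never
# referenced by the UI or by batch jobs, so any read of them is suspect.
HONEYTOKEN_IDS: Set[str] = {"cust-000000", "cust-999999"}  # constructed

# Constructed audit events emitted by the application:
# (timestamp in seconds, session id, action, record ids touched)
Event = Tuple[int, str, str, List[str]]
EVENTS: List[Event] = [
    # normal use: a clerk looks up a couple of customers
    (0, "sess-a", "view", ["cust-100001"]),
    (30, "sess-a", "view", ["cust-100002"]),
    # scripted pull: 200 records every 10 seconds from one session
    (100, "sess-b", "export", [f"cust-2{i:05d}" for i in range(200)]),
    (110, "sess-b", "export", [f"cust-3{i:05d}" for i in range(200)]),
    (120, "sess-b", "export", [f"cust-4{i:05d}" for i in range(200)]),
    # a record nobody has a business reason to open
    (130, "sess-c", "view", ["cust-999999"]),
]


@dataclass(frozen=True)
class Alert:
    session: str
    rule: str
    detail: str


def detect(events: Iterable[Event], window_s: int = 60, max_records: int = 500) -> List[Alert]:
    """Return one alert per (session, rule) pair that fires.

    honeytoken : any event whose ids intersect HONEYTOKEN_IDS
    bulk-export: exported records by one session within window_s exceed max_records
    """
    alerts: List[Alert] = []
    fired: Set[Tuple[str, str]] = set()
    # per-session list of (timestamp, records exported) kept inside the window
    exports: Dict[str, List[Tuple[int, int]]] = defaultdict(list)

    def raise_once(session: str, rule: str, detail: str) -> None:
        if (session, rule) not in fired:
            fired.add((session, rule))
            alerts.append(Alert(session, rule, detail))

    for ts, session, action, ids in sorted(events, key=lambda e: e[0]):
        hit = HONEYTOKEN_IDS & set(ids)
        if hit:
            raise_once(session, "honeytoken", f"touched {sorted(hit)} via {action}")
        if action == "export":
            exports[session].append((ts, len(ids)))
            # drop entries that fell out of the sliding window
            exports[session] = [(t, n) for t, n in exports[session] if ts - t <= window_s]
            total = sum(n for _, n in exports[session])
            if total > max_records:
                raise_once(session, "bulk-export", f"{total} records in {window_s}s")
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"[{a.rule}] session={a.session}: {a.detail}")
```

Both rules live next to the application's own authorization logic, so they see record ids and the business action rather than raw bytes on the wire, which is the point the slide makes about higher layers. In practice the alert would feed the incident response process named on the same slide rather than a log file.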
28. Equifax and Struts are just an example !
Black Duck Report - The State of Open Source Security in Commercial Applications
https://info.blackducksoftware.com/rs/872-OLS-526/images/OSSAReportFINAL.pdf