On August 22, 2018 (Beijing time), the Apache Software Foundation (ASF) released a security bulletin announcing a remote code execution vulnerability (CVE-2018-11776, CNVD-2018-15894, CNNVD-201808-740; Struts advisory S2-057) in Apache Struts 2. The vulnerability is reachable when either of the following holds:

  1. A result (for example a redirectAction result) is defined in the XML configuration without a namespace, and the enclosing package either has no namespace or uses a wildcard namespace.
  2. A URL tag is used without its value and action attributes set, and the enclosing package either has no namespace or uses a wildcard namespace.

In both cases the official advisory also requires struts.mapper.alwaysSelectFullNamespace to be true. The Convention plugin turns this flag on by default, so applications that use that plugin are exposed even if they never set the flag themselves.

For details, see the official advisory: https://cwiki.apache.org/confluence/display/WW/S2-057

Affected Versions

  • Struts 2.3–2.3.34
  • Struts 2.5–2.5.16

Unaffected Versions

  • Struts 2.3.35 and later
  • Struts 2.5.17 and later

Technical Solution

Version Detection

  • Configuration File Detection

This vulnerability lives in older Struts components, and any application built on them can be attacked remotely. Application developers should therefore check whether the Struts components in use fall inside an affected version range.

You can read the version of the Struts component from the dependency declaration in the Maven configuration file pom.xml:

    <dependency>
        <groupId>org.apache.struts</groupId>
        <artifactId>struts2-core</artifactId>
        <version>2.5.13</version>
    </dependency>

If the component version (highlighted in red in the preceding figure) falls inside an affected range, upgrade Struts 2 to a fixed release; upgrading is the only durable protection.

  • Component Name Detection

On Linux, the following command locates struts2-core jars on the file system. The version is part of the jar file name, so compare it with the affected ranges above and upgrade if it falls inside them. Quote the pattern so the shell does not expand it, and note that a jar packaged inside an undeployed .war or .ear archive is not visible to find; list such archives with unzip -l or jar tf.

find / -name "struts2-core-*.jar" 2>/dev/null
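The two checks above can be scripted. The following Python script is an added example, not part of the advisory or an NSFOCUS tool: it reads the struts2-core version from a pom.xml, walks a directory for struts2-core-*.jar files (looking inside .war and .ear archives as well, which the find command does not), and reports whether each version falls inside the affected ranges listed above. The pom.xml content and the directory tree it scans are constructed in the script for the demonstration.

```python
"""Locate struts2-core versions (pom.xml, jars on disk, jars inside .war/.ear)
and flag the S2-057 affected ranges. Added example; sample data is constructed."""
import os
import re
import tempfile
import zipfile
import xml.etree.ElementTree as ET

JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")

# Affected ranges from the advisory: 2.3 to 2.3.34 and 2.5 to 2.5.16, i.e.
# anything below the first fixed release on each line.
FIXED = {(2, 3): (2, 3, 35), (2, 5): (2, 5, 17)}


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version):
    """True if version lies in one of the listed affected ranges. Older lines
    (2.1.x, 2.2.x) are outside the listed ranges and return False here; the
    advisory notes unsupported versions may also be affected, so upgrade them too."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    return fixed is not None and v < fixed


def pom_struts_version(pom_xml):
    """Return the struts2-core <version> declared in a pom.xml string, or None.
    Tag names are compared without the Maven XML namespace so either form works.
    A property such as ${struts.version} is returned as-is and must be resolved
    with `mvn dependency:tree` before it can be compared."""
    root = ET.fromstring(pom_xml)
    for node in root.iter():
        if node.tag.split("}")[-1] != "dependency":
            continue
        fields = {c.tag.split("}")[-1]: (c.text or "").strip() for c in node}
        if fields.get("groupId") == "org.apache.struts" and fields.get("artifactId") == "struts2-core":
            return fields.get("version")
    return None


def find_struts_jars(root):
    """Return [(location, version)] for struts2-core jars under root, including
    jars packed inside .war/.ear archives that a plain `find -name` cannot see."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            m = JAR_RE.search(name)
            if m:
                hits.append((path, m.group(1)))
            elif name.endswith((".war", ".ear")) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as archive:
                    for entry in archive.namelist():
                        m = JAR_RE.search(entry)
                        if m:
                            hits.append((path + "!" + entry, m.group(1)))
    return hits


def scan(root):
    return [(loc, ver, is_vulnerable(ver)) for loc, ver in find_struts_jars(root)]


def build_sample_tree():
    """Constructed sample: an exploded app with a vulnerable jar and a packaged
    .war carrying a fixed jar. The jar files are empty placeholders."""
    root = tempfile.mkdtemp(prefix="struts-scan-")
    lib = os.path.join(root, "app1", "WEB-INF", "lib")
    os.makedirs(lib)
    open(os.path.join(lib, "struts2-core-2.5.13.jar"), "wb").close()
    with zipfile.ZipFile(os.path.join(root, "app2.war"), "w") as war:
        war.writestr("WEB-INF/lib/struts2-core-2.3.35.jar", b"")
    return root


# Constructed pom.xml fragment mirroring the one shown above.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.5.13</version>
    </dependency>
  </dependencies>
</project>"""


if __name__ == "__main__":
    print("pom.xml declares struts2-core", pom_struts_version(SAMPLE_POM))
    for loc, ver, vuln in scan(build_sample_tree()):
        print(f"{'VULNERABLE' if vuln else 'ok        '} {ver:8} {loc}")
```

Run it against a real deployment with scan("/opt/tomcat/webapps") or similar; any line marked VULNERABLE, and any pom.xml version inside the ranges, means the application must be upgraded.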

Official Fix

ASF has fixed this vulnerability in the latest releases. Users should upgrade 2.3.x deployments to 2.3.35 and 2.5.x deployments to 2.5.17. The packages can be downloaded from the following mirror links (the canonical downloads are at https://struts.apache.org/download.cgi):

Struts2.3.35: http://mirrors.hust.edu.cn/apache/struts/2.3.35/struts-2.3.35-all.zip

Struts2.5.17: http://mirrors.hust.edu.cn/apache/struts/2.5.17/struts-2.5.17-all.zip

Workaround

Check every Struts 2 configuration file (struts.xml and any file it includes) for package nodes that have no namespace attribute or use a wildcard namespace, and give each of them an explicit namespace. Likewise, set the namespace parameter explicitly on redirectAction and chain results, and set both value and action on URL tags in JSPs, wherever the enclosing package has no namespace or a wildcard one. For example:

    <package name="user" namespace="/user" extends="struts-default">
        <action name="login">
        </action>
    </package>
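As an added example (not Struts code and not part of this advisory), the following Python script checks a struts.xml for the pattern described in the workaround: packages with no namespace or a wildcard namespace. It also reports whether struts.mapper.alwaysSelectFullNamespace is set to true, which the official S2-057 advisory lists as the other precondition, and lists files pulled in through include elements so they can be checked too. The sample configuration is constructed; the AFTER form shows the same file with explicit namespaces on the packages and on the redirectAction result.

```python
"""Check struts.xml for the S2-057 preconditions named in the workaround.
Added example, not Struts code; the sample configuration is constructed."""
import xml.etree.ElementTree as ET


def find_risky_packages(struts_xml):
    """Return [(package_name, reason)] for every <package> whose namespace is
    missing, empty, or contains a wildcard."""
    root = ET.fromstring(struts_xml)
    findings = []
    for pkg in root.iter("package"):
        name = pkg.get("name", "?")
        ns = pkg.get("namespace")
        if not ns:
            findings.append((name, "no namespace"))
        elif "*" in ns:
            findings.append((name, f"wildcard namespace {ns}"))
    return findings


def full_namespace_selected(struts_xml):
    """True if the file sets struts.mapper.alwaysSelectFullNamespace=true. The
    flag may also come from the Convention plugin, which this file-level check
    cannot see, so a False here is not by itself a clean bill of health."""
    root = ET.fromstring(struts_xml)
    for const in root.iter("constant"):
        if const.get("name") == "struts.mapper.alwaysSelectFullNamespace":
            return (const.get("value") or "").strip().lower() == "true"
    return False


def included_files(struts_xml):
    """Configuration files pulled in through <include>; they need the same check."""
    return [inc.get("file") for inc in ET.fromstring(struts_xml).iter("include")]


# Constructed sample: two packages in the risky shape and one that is fine.
BEFORE = """<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
    <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
    <include file="struts-actionchaining.xml"/>
    <package name="actionchaining" extends="struts-default">
        <action name="actionChain1" class="org.apache.struts2.showcase.actionchaining.ActionChain1">
            <result type="redirectAction">
                <param name="actionName">register2</param>
            </result>
        </action>
    </package>
    <package name="wild" namespace="/*" extends="struts-default">
        <action name="index"/>
    </package>
    <package name="user" namespace="/user" extends="struts-default">
        <action name="login"/>
    </package>
</struts>"""

# The same file after the workaround: every package and the redirectAction
# result name their namespace explicitly.
AFTER = BEFORE.replace(
    '<package name="actionchaining" extends',
    '<package name="actionchaining" namespace="/chain" extends',
).replace(
    'namespace="/*"', 'namespace="/wild"',
).replace(
    '<param name="actionName">register2</param>',
    '<param name="actionName">register2</param>\n'
    '                <param name="namespace">/chain</param>',
)


if __name__ == "__main__":
    for name, reason in find_risky_packages(BEFORE):
        print(f"package {name!r}: {reason}")
    print("alwaysSelectFullNamespace:", full_namespace_selected(BEFORE))
    print("also check:", included_files(BEFORE))
    print("after workaround:", find_risky_packages(AFTER))
```

The configuration workaround reduces exposure but does not remove the underlying OGNL evaluation; treat it as a stopgap until the upgrade is deployed.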

NSFOCUS’s Recommendations

  1. Using NSFOCUS’s Detection Product or Service to Detect the Vulnerability

For Internet-facing assets, use the emergency vulnerability detection service of NSFOCUS Cloud to check for the vulnerability online. The service is available at the following link:

For internal assets, use NSFOCUS NIDS, RSAS V5 and V6, and WVSS to check for the vulnerability:

Users should upgrade devices to the latest version by downloading upgrade packages from the preceding links before using them to detect vulnerabilities.

2. Using NSFOCUS’s Protection Product to Protect Against the Vulnerability

3. Upgrade Package/Rule Base Versions of Detection and Protection Products

Detection Product   Upgrade Package/Rule Base Version
NIDS                V5.6.7.732, V5.6.8.732, V5.6.9.18479, V5.6.10.18479
RSAS V5             Web plug-in package V051758
RSAS V6             Web plug-in package V6.0R02F00.1004
WVSS V6             Web plug-in package V6.0R03F00.113
UTS                 V5.6.10.18479

Protection Product  Upgrade Package/Rule Base Version
NIPS                V5.6.7.732, V5.6.8.732, V5.6.9.18479, V5.6.10.18479
NF                  V5.6.7.732, V6.0.1.732
WAF                 V6.0.5.1.39591, V6.0.7.0.39590, V6.0.6.1.39589

For details, see “Appendix: Product Use Guides”.

Technical Analysis

Patch Comparison

As shown in the following figure, the patch mainly adds a cleanNamespaceName method that checks namespace names against a whitelist. Together with the official description and remediation, this identifies the bug as an OGNL expression injection: an attacker-controlled namespace ends up in a string that Struts evaluates as an OGNL expression.

Dynamic Analysis

A few hours after the advisory, the researcher who found the bug (Man Yue Mo of Semmle) published the whole discovery process with a detailed analysis: https://lgtm.com/blog/apache_struts_CVE-2018-11776

The blog post uses the Apache Struts 2 showcase application as its example. The struts-actionchaining.xml file is modified as follows; note that the package declares no namespace:

    <struts>
        <package name="actionchaining" extends="struts-default">
            <action name="actionChain1" class="org.apache.struts2.showcase.actionchaining.ActionChain1">
                <result type="redirectAction">
                    <param name="actionName">register2</param>
                </result>
            </action>
        </package>
    </struts>

With this configuration every request to actionChain1.action is redirected to register2, and ServletActionRedirectResult.execute is invoked in the execution chain, as the following figure shows.

As shown in the preceding figure, tmpLocation, the redirect target string, is built from the namespace value, which the attacker controls through the request path; it is stored as the result location and evaluated later. This is why the namespace has to be sanitized. Following the namespace value further, we reach StrutsResultSupport.execute in the execution chain; StrutsResultSupport is the grandparent class of ServletActionRedirectResult.

StrutsResultSupport.execute calls conditionalParse, which evaluates its argument as an OGNL expression. This method is used widely in Apache Struts 2, so earlier OGNL-expression vulnerabilities should be assumed to apply to any path that lets untrusted data reach it. Responsibility for this lies with ASF, which has so far fixed the individually reported cases rather than the root cause: untrusted strings reaching the OGNL evaluator. The conditionalParse method is implemented as follows:

As the preceding figure shows, conditionalParse in turn calls TextParseUtil.translateVariables. Tracing the execution further, the call stack reaches the evaluate method of OgnlTextParser, which first checks that the string contains an expression delimiter pair, ${} or %{}, and then hands the expression to evaluator.evaluate. The evaluation is itself a long call chain; the following figure shows the call stack.
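The chain described in the last three paragraphs can be reduced to a short model. The following Python code is an added illustration, not Struts source: it replaces the OGNL value stack with an evaluator that only does integer arithmetic, builds the redirect location from a namespace string the way ServletActionRedirectResult does (simplified to string concatenation), and runs it through a translateVariables equivalent, so an expression smuggled into the namespace is evaluated. The fixed variant adds a cleanNamespaceName-style whitelist before the string is built; the exact whitelist pattern of the patch is not reproduced, the one used here is an assumption for the model.

```python
"""Model of the S2-057 data flow: untrusted namespace -> tmpLocation ->
conditionalParse/translateVariables -> expression evaluation, and of the
whitelist check the patch adds. Added example, not Struts code."""
import re

# OgnlTextParser.evaluate only evaluates text that carries ${...} or %{...}.
EXPR_RE = re.compile(r"[$%]\{([^}]*)\}")


class ValueStackModel:
    """Stand-in for the OGNL value stack. It accepts integer arithmetic only, so
    the model itself cannot do more than a calculation; the real evaluator walks
    the whole object graph, which is how the call stack reaches ProcessBuilder."""

    SAFE_EXPR = re.compile(r"^[0-9+\-*/() ]+$")

    def evaluate(self, expr):
        if not self.SAFE_EXPR.match(expr):
            raise ValueError(f"model evaluator only handles arithmetic: {expr!r}")
        return eval(expr, {"__builtins__": {}}, {})  # validated arithmetic only


def translate_variables(text, stack):
    """Model of TextParseUtil.translateVariables as reached from conditionalParse:
    every ${...} / %{...} in text is evaluated and replaced by its value."""
    return EXPR_RE.sub(lambda m: str(stack.evaluate(m.group(1))), text)


def redirect_location_vulnerable(namespace, action_name, stack):
    """Pre-patch flow. When neither the result nor its package fixes a namespace,
    ServletActionRedirectResult takes it from the ActionProxy, i.e. from the request
    path, builds tmpLocation from it and hands it to StrutsResultSupport.execute,
    which runs conditionalParse on it. (URI construction simplified to a join.)"""
    tmp_location = f"{namespace}/{action_name}.action"
    return translate_variables(tmp_location, stack)


# Assumed whitelist shape for this model; the patch checks the namespace against
# a whitelist pattern in cleanNamespaceName, whose exact regex is not copied here.
NAMESPACE_WHITELIST = re.compile(r"^[a-zA-Z0-9._/\-]*$")


def clean_namespace_name(raw_namespace):
    """Model of the added cleanNamespaceName check: anything outside the whitelist
    is rejected, so no expression delimiter can reach conditionalParse."""
    if not NAMESPACE_WHITELIST.match(raw_namespace):
        raise ValueError(f"namespace rejected by whitelist: {raw_namespace!r}")
    return raw_namespace


def redirect_location_fixed(namespace, action_name, stack):
    """Post-patch flow: same construction, but the namespace is whitelisted first."""
    tmp_location = f"{clean_namespace_name(namespace)}/{action_name}.action"
    return translate_variables(tmp_location, stack)


if __name__ == "__main__":
    stack = ValueStackModel()
    # Constructed inputs: a normal namespace and one carrying an expression.
    print(redirect_location_vulnerable("/user", "login", stack))          # /user/login.action
    print(redirect_location_vulnerable("/${7*191}", "register2", stack))  # /1337/register2.action
    try:
        redirect_location_fixed("/${7*191}", "register2", stack)
    except ValueError as err:
        print("patched:", err)
```

The arithmetic result standing in for the calculator makes the point of the patch comparison: the fix does not change what conditionalParse does with a string, it only stops this one attacker-controlled string from reaching it.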

As shown in the preceding figure, at the top of the stack the ProcessBuilder constructor is invoked through reflection; in the middle are the operations the chain performs on the way there.
Now look at the parameters used during evaluation for OGNL security hardening.

The relevant point is that the following classes are on the excluded-class blacklist:

    ognl.DefaultMemberAccess
    com.opensymphony.xwork2.ognl.SecurityMemberAccess
    java.lang.ProcessBuilder

Finally the calculator appears, as shown below, confirming a successful RCE exploit.


Appendix: Product Use Guides

Custom Rule Configuration on WAF

Users can do as follows to configure a custom rule:

  • On WAF under Security Management > Rule Database Management > Custom Rules > Custom, click Create.

  • Set the name of the custom rule to s2-057.

  • Set other parameters as follows and then click OK:

Inspection Object: URI-path

Matching Relationship: Regular Expression Including

Inspection Value: java\.lang\.(Runtime|ProcessBuilder)

After the configuration, constraints are displayed, as shown in the red frame of the following figure.

  • Create a custom policy by clicking Create under Security Management > Policy Management > Policy Type > Others > Custom Policy.

  • Type s2-057 as the policy name, select the newly created s2-057 rule from the rule list, and then click OK.

  • Apply the newly created custom policy to the website to be protected by choosing Security Management > Website Protection > Website to be protected > Web Security Protection.

  • In the Others area, select the custom policy s2-057 and click OK. Then WAF can provide protection for the specific website according to the custom rule.

Protection Configuration on WAF

  • Download the rule base update from the following link:

http://update.nsfocus.com/update/downloads/id/22273

http://update.nsfocus.com/update/downloads/id/19090

  • On WAF, choose System Management > System Tools > Rule Upgrade.

  • In the Manual Upgrade area, browse to the update file and click Submit.


Protection Configuration on NIPS

NIPS users can address this vulnerability by updating the rule base. The procedure is as follows:

  • Download the latest rule base of NIPS from the official website. Following is a link to the latest rule base for NIPS V5.6.10:

http://update.nsfocus.com/update/downloads/id/22260

http://update.nsfocus.com/update/downloads/id/21006

  • On NIPS, under System > System Update > Offline Update, browse to the update file just downloaded and click Upload.

  • After the update is installed, find the rule by ID 24298 in the default rule base and view rule details.

Note:

After the update is installed, the engine automatically restarts to make it take effect, which does not disconnect any sessions, but may cause the loss of three to five packets during ping operations. Therefore, it is recommended that the update be installed at an appropriate time.


Scanning Configuration on WVSS

WVSS users should download and install the latest plug-in to address this vulnerability. The procedure is as follows:

  • Download the latest plug-in of WVSS from the official website. Following is a link to the latest plug-in for WVSS V6.0: http://update.nsfocus.com/update/downloads/id/22283
  • On WVSS, under Services > System Upgrade, in the Manual Upgrade area, click Browse to find the update file just downloaded.

  • Click Upgrade.
  • Wait for the installation to complete. Then create a custom scanning template to scan the system for this vulnerability.


NSFOCUS Threat Situation Awareness Platform (TSA)

Access BSA and then select Rule Engine and create a network intrusion detection rule, with parameters as follows:

  • Mode: Expert
  • Category: Network intrusion
  • SQL: select sip, dip, sum(last_times) as atk_count, sip, dip, min(timestamp) as start_time, max(timestamp) as end_time, concat_agg(related_id_list) as related_id_list from internal_app_bsaips.ipslog where rule_id =24298 group by sip, dip

Click Next and then set parameters as follows on the Attribute Configuration page

  • Name: struts_057 vulnerability attack
  • Risk Level: High
  • Phase: Exploitation
  • Timeout: 1800 (default)
  • Duration: 3600 (default)
  • Merged Attribute: sip, dip
  • Event Type: System intrusion – exploit
  • Rule Description: This event is an attack launched by exploiting a struts 2 vulnerability.
  • Recommendation: An attack initiated by our own assets indicates that such assets have been compromised. If an attack targets our assets deployed with the struts service, please check whether such assets contain the vulnerability described in event details.

Click Complete to finish configuring the network intrusion detection rule, then enable the rule in the rule list.

Create a website security rule as follows:

  • Mode: Expert
  • Category: Website security
  • SQL: select sip,dip,LOWER(protocol_type) as protocol_type,LOWER(domain) as domain,dport as dport ,uri as uri ,event_type as event_type_sub,min(timestamp) as start_time,max(timestamp) as end_time,sum(count_num) as atk_count,concat_agg(related_id_list) as related_id_list from internal_app_bsawss.waf_webseclog where rule_id =27004870 group by sip,dip,protocol_type,domain,dport,uri,event_type

Click Next and then set parameters as follows on the Attribute Configuration page

  • Name: struts_057 vulnerability attack
  • Risk Level: Medium
  • Phase: Exploitation
  • Timeout: 1800 (default)
  • Duration: 3600 (default)
  • Merged Attribute: sip, dip, protocol_type, domain, dport, uri
  • Event Type: System intrusion – exploit
  • Rule Description: This event is an attack launched by exploiting a struts 2 vulnerability.
  • Recommendation: An attack initiated by our own assets indicates that such assets have been compromised. If an attack targets our assets deployed with the struts service, please check whether such assets contain the vulnerability described in event details.

Click Complete to complete configuration of the website security rule and enable the rule in the rule list.


NSFOCUS Enterprise Security Platform (ESP)

Update the “Apache struts 2 vulnerability exploitation” rule:

  • Log in to ESP, choose Security Analysis > Event Rules, find the rule regarding Apache struts 2 vulnerability exploitation, and then click the edit button.
  • In the Rule Configuration area, click Set.
  • In the Filtering Conditions dialog box, add a rule ID 27004870 and click OK to close the dialog box.
  • Click OK to complete configuration.


NSFOCUS Threat Analysis and Management Platform (TAM, New Version)

Editing the “Apache struts 2 Vulnerability Attack Event” Rule

Note: If UTS has been upgraded, you can directly modify contents of the “Apache struts 2 vulnerability attack event” node by adding the latest rule of UTS regarding the struts 2 (S2-057) vulnerability.

  • Navigate to the rule configuration file (/home/bsauser/BSA/apps/bsa_tam2/conf) on TAM, back up mergeconf.xml, and then open this file by using vi.
  • Use /struts 2 to find the "Apache struts 2 vulnerability attack event" node. Add 24298 inside the parentheses following rule_id and save the changes. The rule then takes effect automatically.

Creating a Custom Scenario

Note: If UTS has not been upgraded or you want to trace previous exploitation of the struts 2 vulnerability (S2-057), you can use the custom scenario function of TAM.

  • Access BSA and select the TAM app. Then choose Scenario Management > Scenario Configuration > Custom Scenario and click New.
  • After creating the custom scenario, edit it and add the following SQL (Traceback Scope and Traceback Start Time can be adjusted), then click OK:

select sip,dip,-1 as sport,dport,min(timestamp) as start_time,max(timestamp) as end_time,first_value(sip_int) as sipv4_int,first_value(srccountryname) as src_country,first_value(srcsubdivisionname) as src_province,first_value(srccityname) as src_city,first_value(dip_int) as dipv4_int,first_value(dstcountryname) as dst_country,first_value(dstsubdivisionname) as dst_province,first_value(dstcityname) as dst_city from internal_app_bsatam2.tam_httplog where method='GET' and (uri like '%java.lang.Runtime%' or uri like '%java.lang.ProcessBuilder%') group by sip,dip,dport
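The WAF custom rule in this appendix and the TAM custom scenario above both key on the literal class names java.lang.Runtime and java.lang.ProcessBuilder in the request path. The following Python script is an added example, not an NSFOCUS rule: it applies the same regular expression to constructed access-log lines after percent-decoding the path, and beside it mirrors the TAM predicate (method GET and a literal substring match on the raw uri column). Comparing the two shows what the raw, GET-only filter misses: a percent-encoded path and a POST request. Whether the WAF decodes the path before matching depends on the product; confirm it with a percent-encoded test request. Both rules are indicators tied to the public proof of concept, not proof that no exploitation occurred.

```python
"""Run the S2-057 URI signature from the WAF custom rule over access-log lines
after percent-decoding, next to the raw GET-only predicate of the TAM scenario.
Added example; the log lines are constructed, not from any real incident."""
import re
from urllib.parse import unquote

# Same expression as the WAF rule's Inspection Value.
SIGNATURE = re.compile(r"java\.lang\.(Runtime|ProcessBuilder)")

# Combined-log-format prefix: client IP, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<sip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: a benign request, a plain marker in the path, the
# same marker percent-encoded, and a POST carrying the marker.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Aug/2018:10:01:02 +0800] "GET /showcase/actionChain1.action HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [23/Aug/2018:10:01:07 +0800] "GET /showcase/${java.lang.ProcessBuilder}/actionChain1.action HTTP/1.1" 302 0 "-" "curl/7.58.0"',
    '198.51.100.9 - - [23/Aug/2018:10:02:11 +0800] "GET /showcase/%24%7Bjava%2Elang%2ERuntime%7D/actionChain1.action HTTP/1.1" 302 0 "-" "curl/7.58.0"',
    '198.51.100.9 - - [23/Aug/2018:10:02:40 +0800] "POST /showcase/java.lang.Runtime/actionChain1.action HTTP/1.1" 302 0 "-" "curl/7.58.0"',
]


def normalize_uri(uri, rounds=3):
    """Percent-decode until the path stops changing (bounded), so single- and
    double-encoded forms are compared in the same representation as plain text."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def parse_log(lines):
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            yield m.groupdict()


def waf_rule_hits(lines):
    """Signature applied to the decoded URI path, whatever the method."""
    return [(r["sip"], r["method"], r["uri"]) for r in parse_log(lines)
            if SIGNATURE.search(normalize_uri(r["uri"]))]


def tam_scenario_hits(lines):
    """Mirror of the TAM scenario predicate: method='GET' and a literal LIKE
    match on the raw uri column, with no decoding."""
    return [(r["sip"], r["method"], r["uri"]) for r in parse_log(lines)
            if r["method"] == "GET"
            and ("java.lang.Runtime" in r["uri"] or "java.lang.ProcessBuilder" in r["uri"])]


if __name__ == "__main__":
    print("signature on decoded path, any method:")
    for hit in waf_rule_hits(SAMPLE_LOG):
        print("  ", hit)
    print("TAM scenario predicate, raw uri, GET only:")
    for hit in tam_scenario_hits(SAMPLE_LOG):
        print("  ", hit)
```

If the TAM scenario is meant to catch encoded or POST traffic as well, the predicate needs the decoded URI and should not restrict the method; the same applies to any custom SIEM query copied from it.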


Scanning Configuration on RSAS

RSAS users should download and install the latest plug-in to detect this vulnerability. The following links point to the latest rule base containing the S2-057 rule for RSAS V6.0:

http://update.nsfocus.com/update/downloads/id/22281

http://update.nsfocus.com/update/downloads/id/21006

  • On RSAS, under Services > System Upgrade, click Select File in the Manual Upgrade area and find the update file just downloaded.
  • Click Upgrade.
  • Wait for the installation to complete. Then create a custom scanning template to scan the system for this vulnerability.


Detection Configuration on UTS

  • Download the latest rule update of UTS from the following link: http://update.nsfocus.com/update/downloads/id/22290
  • On UTS, under System > System Upgrade > Offline Upgrade, browse to the update file just downloaded and click Upload.
  • Wait for the installation to complete.


Protection Configuration on NF

NF has added a rule in its rule base to address this vulnerability. Users should update the rule base as soon as possible after obtaining the latest version from the following link: http://update.nsfocus.com/update/downloads/id/22276

To install the update, perform the following procedure:

  • Download the latest rule base of NF from the official website. Following is a link to the latest rule base for NF V6.0.1: http://update.nsfocus.com/update/listNewNfDetail/v/rule6.0.1
  • On NF, under System > System Upgrade > Offline Upgrade, browse to the update file and click Upload.
  • Wait for the installation to complete.
