Introduction

There has been a swift upturn in concern among cybersecurity experts and organizations as threat actors launch attack attempts on internet-accessible Apache Struts 2 instances. This is due to the recent exposure of a dangerous remote code execution (RCE) flaw. With the potential to put data and system security at serious risk, swift and organized action is being called to contain the problem and avoid potentially significant damage.

Alarm at Attack Attempts on Apache Struts 2 Instances

Multiple cybersecurity firms have reported observing exploitation attempts on Apache Struts 2 instances targeting a specific critical severity bug. Tracked as CVE-2023-50164, this defect is concerning due to the significant level of threat it presents. Specifically, it allows attackers to deploy a malicious file and thus achieve remote code execution (RCE), putting the entire system at risk. As of now, it is still unclear whether the attackers have been successful with their exploits in any of the targeted environments.

Immediate Call for Patches to Be Applied

In response to the identification and exposure of this flaw, an urgent call has been made for patches to be applied to all affected systems. The bug impacts a wide range of Struts versions (2.0.0 to 2.3.37, 2.5.0 to 2.5.32, and 6.0.0 to 6.3). Apache, the managing body behind the Struts framework, has promptly released corresponding patches to address and resolve CVE-2023-50164. Therefore, Organizations are encouraged to apply these patches immediately to protect their systems and data from potential threats and ensure their ongoing cybersecurity.

Details of the Vulnerability

The recently disclosed vulnerability identified and tracked as CVE-2023-50164 in the Apache Struts 2 instances has brought about significant alarm amongst cyber security experts. It poses a crucial threat due to its capacity to allow remote code execution (RCE), a dangerous exploit that, if successful, allows attackers to run arbitrary code on targeted servers remotely.

The Defect Discovered in Apache's /upload.action Endpoint

The discovered defect places the "/upload.action" endpoint of Apache Struts 2 instances right at the heart of the potential exploit. This endpoint is designed to handle the uploading of files onto the server, making it an attractive entry point for attackers aiming to upload malicious payloads. It is specifically this endpoint that the flaw CVE-2023-50164 affects, allowing a malicious file to be uploaded that could lead to a successful RCE campaign.

Explanation of Parameter Pollution and Exploitation Process

The vulnerability can be traced back to a type of web vulnerability known as parameter pollution. This is a situation where the system allows an attacker to introduce an extra parameter into the request. In the case of the Struts 2 instances, the extra parameter introduced by the attacker is designed to overwrite an internal file name variable, thus paving the way for uploading the attacker’s selected malicious file.

The exploitation process begins with the attacker manipulating the request to the "/upload.action" endpoint. They introduce an additional parameter written in lowercase. This is where parameter pollution comes into play: the lowercase format allows it to override the existing internal filename variable, enabling the attacker to assume control over the file's name being uploaded.

Persistence of the Malicious Payload When Parameters are Manipulated

The flaw also creates an opportunity for the attacker's malicious payload to persist on the system after the parameters have been manipulated. Since the filename is overwritten, the malicious file is stored on the server under the name provided by the attacker and can then be executed. This opens up the possibility for further exploitation, leading to potentially significant damage. Organizations being called upon to urgently apply the provided patches are a measure of the serious threat level presented by this vulnerability.

Broad Exploitation and Malicious Attacks by Multiple Threat Actors

The distinct features of the bug, such as enabling remote code execution, have attracted a broad range of threat actors utilizing varied attack strategies. This vulnerability allows these malicious entities to upload a damaging payload to susceptible servers, causing significant disruptions. Quick to seize such opportunities, North Korean state-affiliated groups have been active perpetrators in this context, using similar methods in the past to exploit vulnerabilities within employment platforms for malicious intents.

Difficulties for Attackers in Exploiting the Vulnerability at Scale

Despite the vulnerability's potential severity, attackers face significant challenges in exploiting this flaw at scale. Unlike previous instances where RCE vulnerabilities were easily exploited for mass attacks — as seen in the infamous 2017 Equifax breach — this particular flaw requires more intricate manipulations to achieve the desired malevolent outcomes. This inherent complexity renders widescale exploitation more challenging for threat actors, offering a slight respite for potential targets.

Apache's Efforts to Address the Bug with Patches

In response to this escalating issue, Apache has acted swiftly, releasing patches to address and resolve the flaws of the affected versions. As the managing body behind the Struts framework, Apache has a prime role in leading response efforts for such issues. Through releasing these patches, Apache has effectively provided a ‘fix’ for the flaw that will prevent it from being exploited.

Strong Recommendation for Users to Upgrade to a Patched Version Immediately

Given the severity of the potential risk, a strong recommendation has been issued by Apache and echoed by cybersecurity firms for users to upgrade to a patched version as soon as possible. This will effectively neutralize the risk of the flaw in the affected versions. A delay in taking this step exposes the system to the threat of malicious exploits, positioning an upgrade as the most effective immediate measure toward securing the system. It is imperative that organizations heed this advice and implement the recommended patches swiftly to nullify the potential for exploitation and secure their data and systems.