The vulnerability: CVE-2023-50164

On December 7th, 2023, Apache released an update that addresses a critical Remote Code Execution (RCE) vulnerability in Struts. The vulnerability is tracked as CVE-2023-50164 and has a CVSS of 9.8 (CRITICAL).

Apache Struts is a versatile framework for developing Java web applications, known for producing scalable and easily maintainable solutions. It follows a Model-View-Controller (MVC) architecture and is widely used by vendors in their product and service portfolios, as well as by organisations in applications built in-house.

The vulnerability can be exploited by an attacker by manipulating file upload parameters, potentially leading to the upload of malicious files and subsequent server-side detonation (e.g. JSP files).

Threat Intelligence assessment

At this time, mnemonic's assessment is that the vulnerability poses a medium-to-high threat for organisations for the following reasons:

  • In its worst-case scenario, the vulnerability is a pre-authentication RCE that allows threat actors to execute arbitrary code on the targeted server.
  • Proof of Concept (PoC) code is publicly available and detailed technical write-ups have been released, making it easier for threat actors to weaponise the vulnerability and customise their exploitation tooling.
  • Vulnerability scanning is ongoing at scale, and distinct exploitation attempts have been observed in which threat actors try to deploy web shells.
  • The threat landscape is still developing, and we assess it likely that stable and precise exploits will emerge. This includes the discovery of currently unknown vulnerable products and applications.

We consider the following factors to lower the risk level at this stage:

  • Although the vulnerable framework is present in a wide range of products and services, the critical CVSS rating may not apply to every implementation. Variations are expected between vendors and products, so exploitability may differ even between deployments of the same vulnerable version.
  • Several preconditions and dependencies on the targeted application's configuration must be met for a successful exploit. These include sufficient exposure of, and access to, the application's web interface (described later).

We emphasise that this is a developing vulnerability and new information is likely to impact the threat level over the coming weeks.

Affected systems

The following versions of the framework are vulnerable:

  • Struts 2.0.0 - Struts 2.3.37 (EOL)
  • Struts 2.5.0 - Struts 2.5.32
  • Struts 6.0.0 - Struts 6.3.0

Vendors are currently assessing their exposure to this vulnerability, such as:

Technical details

The vulnerability stems from a path traversal issue within file upload parameters of the "ActionSupport" class, allowing attackers to upload malicious files and execute arbitrary code on the targeted server.

The class exhibits a bug in filename parameter filtering during file uploads, allowing arbitrary file write on a Struts Java server. This capability enables attackers to write server-side rendered files, like JSP files, into a target directory. Upon requesting the file, the JSP payload is executed, resulting in a compromised server.

Successful exploitation involves uploading two files in a single POST request via the 'upload.action' action, the first being benign and the second carrying path traversal strings in the 'uploadFileName' parameter (e.g. "../../"). As an example, for a web shell to be successfully deployed, the dropped file (e.g. 'webshell.jsp') must land in a valid route that an attacker can reach remotely, which will vary between implementations. This is likely to encourage vendor-specific research to determine the precise path for dropping a web shell.

Preconditions

The exploitation of CVE-2023-50164 involves several preconditions that are dependent on the behaviour and implementation of the application using Apache Struts:

  • The application must use the Struts "ActionSupport" class of a vulnerable framework version in some capacity; and
  • The functionality must be exposed either without authentication (e.g. over the Internet) or post-authentication (which should entail some mechanisms for access control and logging); and
  • While the vulnerability exists in the default configuration of Apache Struts, exploitability depends on the deployment (e.g. whether the arguments receive any further input sanitisation).

Timeline

Recommendations

mnemonic recommends the following actions:

  • For developers: Upgrade to Struts 2.5.33 or Struts 6.3.0.2 or greater.
  • Check your organisation's inventory list for known vulnerable products and contact vendors if needed.
  • Prevent access from the Internet and other untrusted networks to exposed web interfaces, especially unauthenticated ones.
  • Implement a WAF (Web Application Firewall) in front of exposed web interfaces, and consider adding rewrite logic for "/../" on backend application servers.
  • Monitor the backend application servers for ad-hoc creation and execution of JSP files in sensitive directories.
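As an added example (not code from the advisory or from the Struts project), the following Python sketches the two defender-side checks that the technical details and the recommendations above point to: a request-level detector that flags file-name parameters carrying "../" segments, and a server-side path-containment check that enforces the input sanitisation the preconditions section describes. The sample parameter sets and the upload directory are constructed, and treating any parameter whose name ends in "FileName" as a file-name parameter is an assumption that goes beyond the advisory's 'uploadFileName'.

```python
import posixpath
import re
from pathlib import PurePosixPath

# Constructed sample requests: parameter name/value pairs as a server sees them
# after multipart parsing. Illustrative only, not traffic from the advisory.
SAMPLE_REQUESTS = [
    {"upload": "<file bytes>", "uploadFileName": "report.pdf"},
    {"upload": "<file bytes>", "uploadFileName": "../../ROOT/shell.jsp"},
    {"upload": "<file bytes>", "UploadFileName": "..\\..\\notes.txt"},
]

# ".." as a whole path segment, with either separator, anywhere in the value.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Server-side rendered extensions the advisory names as the payload type.
BLOCKED_EXTENSIONS = {".jsp", ".jspx"}


def flag_filename_params(params):
    """Detection: return (name, value) pairs where a file-name parameter
    carries a traversal segment. Assumption beyond the advisory: any
    parameter ending in 'filename' (case-insensitive) is treated as one."""
    return [
        (name, value)
        for name, value in params.items()
        if name.lower().endswith("filename") and TRAVERSAL_RE.search(value)
    ]


def safe_target(upload_dir, filename):
    """Mitigation: keep only the base name, reject empty/dot names and
    server-side rendered extensions, and (defence in depth) verify the
    final path stays inside upload_dir. Returns the path or None."""
    base = PurePosixPath(filename.replace("\\", "/")).name
    if base in ("", ".", ".."):
        return None
    if PurePosixPath(base).suffix.lower() in BLOCKED_EXTENSIONS:
        return None
    root = upload_dir.rstrip("/") + "/"
    target = posixpath.normpath(posixpath.join(root, base))
    return target if target.startswith(root) else None


if __name__ == "__main__":
    for params in SAMPLE_REQUESTS:
        name = next(v for k, v in params.items() if k.lower().endswith("filename"))
        verdict = "ALERT" if flag_filename_params(params) else "ok"
        print(verdict, params, "->", safe_target("/srv/uploads", name))
```

The detector is the kind of logic a WAF rule or request log review would apply, while safe_target is the shape of the sanitisation a deployment can add if an immediate upgrade is not possible.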

Detection coverage for Argus MDR customers

We are continuously monitoring the situation and developing detection logic for our Argus services.
