Virtual Application Patch CVE-2017-9805

Friday, September 15, 2017
Summary

Problem:

The REST Plugin in Apache Struts versions 2.1.2 through 2.3.x (before 2.3.34) and 2.5.x (before 2.5.13) uses an XStreamHandler with an instance of XStream for deserialization without any type of filtering. This can cause Remote Code Execution when deserializing XML payloads. Source: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9805

Background:

CVE-2017-9805 was utilized to exploit Equifax, and that incident revealed that this exploit was already being used in the wild. Customers whose application environment runs one of the affected versions of Apache Struts without any type filtering should patch immediately. As an interim stopgap measure, customers should apply the recommended aFlex to mitigate the risk to their infrastructure.

A10 has identified active scanning for this vulnerability.

Workarounds and Mitigations

Recommended aFlex for Mitigation

The following aFlex is recommended for mitigating CVE-2017-9805.

when HTTP_REQUEST {
  # Buffer up to 64 KB of the request body so it can be inspected in HTTP_REQUEST_DATA.
  HTTP::collect 65534
}
when HTTP_REQUEST_DATA {
   set cve "CVE-2017-9805"
   set client_ip [IP::client_addr]
   set body [HTTP::payload]
   set content_type [string tolower [HTTP::header values "Content-Type"]]
   # Only XML bodies reach the vulnerable XStream deserializer in the REST plugin.
   if { $content_type contains "xml" } {
       # Reject any XML payload carrying a </command> element.
       if { [regexp {\s*.*<\/command>} [string tolower $body] matchall foo] } {
         log "CVE-VIOLATION: $cve  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9805 Action: rejecting request from $client_ip"
         reject
       }
   }
}

Exploit Testing Script

You can download and view the exploit script here: https://www.exploit-db.com/exploits/42627

Optimization of aFlex

Applications built on the same framework can still differ in behavior because their logic differs. Optimizing the aFlex keeps the time spent evaluating each request to a minimum. This can be achieved by methods including, but not limited to, the following:

  • Limit the inspection to a specific HTTP method, for example: if { [HTTP::method] == "POST" }
  • Evaluate only a specific URI path (for example, with URI::path).
  • Utilize switch statements to match a larger set of URLs.
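The following aFlex is an added example that combines the optimizations above with the detection from the recommended aFlex; it is not A10's published rule. It assumes the application's REST endpoints live under the hypothetical path prefixes /rest/ and /api/ (adjust to the application being protected) and that HTTP::method, HTTP::path and HTTP::header are available as in the recommended aFlex.

```tcl
# Added example (not the recommended aFlex from this page): the same
# </command> detection, but only POST requests for XML to the REST paths
# are buffered and inspected, so every other request is passed through
# with a single method check.
# ASSUMPTION: the Struts REST plugin is reachable under /rest/ and /api/.
# These prefixes are hypothetical; set them to the application's real paths.

when HTTP_REQUEST {
    # Cheapest test first: only POST requests carry a body to deserialize.
    if { [HTTP::method] ne "POST" } {
        return
    }
    # A switch lets one rule cover several URL prefixes without a regex.
    switch -glob -- [string tolower [HTTP::path]] {
        "/rest/*" -
        "/api/*" {
            # Only XML bodies reach the XStream deserializer in the REST plugin,
            # so check Content-Type before paying for HTTP::collect.
            set content_type [string tolower [HTTP::header values "Content-Type"]]
            if { $content_type contains "xml" } {
                HTTP::collect 65534
            }
        }
        default {
            # Any other path is not inspected for this CVE.
        }
    }
}

when HTTP_REQUEST_DATA {
    # Fires only for the requests collected above.
    set cve "CVE-2017-9805"
    set client_ip [IP::client_addr]
    if { [regexp {<\/command>} [string tolower [HTTP::payload]]] } {
        log "CVE-VIOLATION: $cve http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9805 Action: rejecting request from $client_ip"
        reject
    }
}
```

Because the method and path checks run before HTTP::collect, the body buffer is only allocated for the small fraction of traffic that can actually reach the vulnerable deserializer. Log entries from this rule can also be used to confirm the active scanning A10 describes above.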

Disclaimer: The recommendations provided in this document are derived from multiple data sources, can only protect against known variants that are currently disclosed, and are intended for generalized cases. Functional testing has been performed, but no claim is made on performance. Each application is different, and A10 SERT can assist with in-depth analysis for special cases. If additional analysis is required, please contact A10 Technical Support to have your case escalated to the A10 SERT team.

Modification History

Revision   Date             Description
1.0        April 19, 2018   Created web page