Equifax Learns its Lesson about Patching and Cyber Hygiene

Redport Information Assurance
In the last couple of weeks there has been a lot of talk about the latest breach of Equifax, the credit score and FICO information system provider. The Equifax breach exposed a whopping 143 million users' data, which included very detailed PII such as names connected to social security numbers, credit cards and credit scores. The information breached is mind-boggling! There has also been talk of the Equifax C-Suite selling off their shares prior to announcing the breach. Equifax had known about the breach at least two months before disclosing it.

Equifax has released the scope and scale of the breach. According to Equifax, unknown and unauthorized intruders used a known Apache Struts vulnerability to gain access to Equifax enterprise systems. Equifax stated that it does not have any idea of attribution at this time. Further research into how the breach occurred in the first place revealed that Equifax system administrators had failed to perform proper cyber hygiene: they did not patch the known Apache Struts vulnerability mentioned above, which is tracked under the Common Vulnerabilities and Exposures identifier CVE-2017-5638.

The known Apache Struts vulnerability allowed a remote attacker to execute arbitrary code on any Equifax server running an application built using the Apache Struts framework and its popular REST communication plug-in. The REST (REpresentational State Transfer) communication plug-in within Apache Struts is an architecture framework that is often used in software development to produce web services. Redport Information Assurance, LLC security researchers suggest that all web developers immediately apply the Apache Struts patch which was released last month, in August 2017.

Since this latest breach, which involves the older Apache Struts vulnerability CVE-2017-5638, a newer vulnerability has been discovered and publicly disclosed in a new DHS security advisory.
This new vulnerability, identified as CVE-2017-9805, also arises from the way the REST communication plug-in mentioned above uses XStreamHandler: XStream is used for deserialization without any type filtering. As a result, a remote, unauthenticated threat actor could achieve the same remote code execution on a host running a vulnerable version of Apache Struts. At this time Redport IA, LLC has not found an appropriate patch for this new Apache Struts vulnerability and recommends that web developers proceed with caution and stay on the lookout for another Apache Struts patch to be released in the coming weeks.
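To show what "type filtering" means for XStream deserialization, here is an added example (not code from Apache Struts, the DHS advisory or Redport) that configures an XStream parser with an allow-list, so that only the expected request type can be instantiated from XML. It assumes the XStream library is on the classpath; the `Order` and `AdminCommand` classes and the sample XML are constructed for illustration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowListDemo {
    // Hypothetical request type the web service expects from clients.
    public static class Order {
        String item;
        int quantity;
    }

    // Hypothetical type the service never intends to build from client input.
    public static class AdminCommand {
        String action;
    }

    // Build a parser that refuses every type except those explicitly allowed.
    static XStream filteredParser() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);               // deny all types first
        xs.addPermission(NullPermission.NULL);                 // then allow null
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);  // primitives and their wrappers
        xs.allowTypes(new Class[] { String.class, Order.class });
        xs.alias("order", Order.class);
        return xs;
    }

    public static void main(String[] args) {
        XStream xs = filteredParser();

        // Constructed sample: the expected payload deserializes normally.
        String expected = "<order><item>widget</item><quantity>2</quantity></order>";
        Order o = (Order) xs.fromXML(expected);
        System.out.println("accepted: " + o.item + " x" + o.quantity);

        // Constructed sample: the element name selects the class to instantiate
        // (XStream writes the '$' of a nested class as "_-"). Without filtering,
        // the sender chooses the type; with the allow-list it is refused.
        String unexpected = "<XStreamAllowListDemo_-AdminCommand><action>reset</action>"
                          + "</XStreamAllowListDemo_-AdminCommand>";
        try {
            xs.fromXML(unexpected);
            System.out.println("unexpected type was accepted");
        } catch (XStreamException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The key point is that in XStream the XML itself names the class to build, so a parser with no permissions configured lets the sender pick the type.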

By Dr. Randall Sylvertooth



