Cisco informed customers on Friday that at least some of its products are affected by an Apache Struts2 command execution vulnerability that has been exploited in the wild over the past days.
The flaw has been confirmed to affect the Cisco Identity Services Engine (ISE), the Prime Service Catalog Virtual Appliance, and the Unified SIP Proxy Software. The networking giant has published a list of dozens of products that are not affected, but there are still many products under investigation.
While the vulnerability has been actively exploited to deliver malware, Cisco has not found any evidence of attacks targeting its products. Nevertheless, the company has warned users that exploits for this flaw are publicly available. It’s worth noting that Cisco’s Talos group was the first to warn of active attacks.
The security hole, identified as CVE-2017-5638, affects Struts 2.3.5 through 2.3.31 and Struts 2.5 through 2.5.10, and it was addressed on March 6 with the release of versions 2.3.32 and 22.214.171.124. The first attacks were spotted one day later when someone published a proof-of-concept (PoC) exploit.
The vulnerability exists in the Jakarta Multipart parser and is caused by the improper handling of Content-Type header values. A remote, unauthenticated attacker can exploit the weakness to execute arbitrary commands by sending a specially crafted HTTP request.
Researchers observed exploitation attempts whose goal was to determine if a system is vulnerable, and ones where attackers attempted to deliver various types of malware, including IRC bouncers and DoS/DDoS bots.
Rapid7 has been monitoring attacks and, based on data from its honeypots, determined that much of the malicious traffic comes from two machines apparently located in China.
Cisco and other security vendors have started releasing firewall rules that should block such attacks. Tinfoil Security has made available an online tool that allows website owners to check if they are vulnerable to attacks exploiting CVE-2017-5638.