Equifax, the credit scoring company that suffered a data breach affecting as many as 143 million Americans, has blamed a flaw in the Apache Struts software used by its online databases as the real cause of the security breach.
Apache Struts is a popular open-source Model-View-Controller (MVC) web application framework for Java.
Jeffrey Meuler, an analyst at Robert W. Baird & Co., was told by the company that the breach had compromised the name, social security number, birthdate, and home address of its customers, which has prompted at least three congressional committees to consider probing the incident.
Jeff Williams, cofounder and CTO at Contrast Security, wrote in a blog post that two Struts flaws “jump out as possibilities” – CVE-2017-5638, an expression language vulnerability disclosed in March, and CVE-2017-9085, a flaw in which a single HTTP request carrying an unsafe serialized object triggers the bug, disclosed in September. The former “is far more likely, but the second is a very remote possibility” because the earlier flaw is “easier to exploit and much better known. It also fits the timeline better, since it was released months before Equifax was attacked in July,” Williams wrote. To exploit the latter flaw, attackers would have needed to know of it before its public release.
However, “for either vulnerability, the process is basically the same. The attacker sends a specific HTTP request containing some special syntax. In one case, an OGNL expression. In the other, a serialized object,” he said in comments emailed to SC Media. “The Equifax Struts application would receive this request, and get tricked into executing operating system commands.”
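The request pattern Williams describes, a header or body carrying OGNL expression syntax or a serialized Java object, is something a defender can triage for at the edge. The following is an added example, not code from the article or from Contrast Security: it parses raw HTTP requests and flags the two indicators. It assumes the standard OGNL delimiters (`%{`, `${`, `#{`) and the Java serialization stream header (bytes AC ED 00 05, base64 prefix `rO0AB`); the sample requests are constructed, not captured traffic.

```python
import re
from typing import Dict, List, Tuple

# OGNL expressions are written as %{...}, ${...} or #{...}.
OGNL_SYNTAX = re.compile(r"[%$#]\{")
# A Java serialization stream begins with AC ED 00 05; in base64 that is "rO0AB".
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
JAVA_SERIAL_B64 = "rO0AB"


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 request into request line, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    request_line = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def inspect_request(raw: bytes) -> List[str]:
    """Return a list of findings for one request; an empty list means nothing was flagged."""
    request_line, headers, body = parse_request(raw)
    findings: List[str] = []
    # OGNL syntax has no business in any request header.
    for name, value in headers.items():
        if OGNL_SYNTAX.search(value):
            findings.append(f"ognl-syntax:header:{name}")
    if OGNL_SYNTAX.search(request_line):
        findings.append("ognl-syntax:request-line")
    body_text = body.decode("latin-1")
    if OGNL_SYNTAX.search(body_text):
        findings.append("ognl-syntax:body")
    # Raw or base64-encoded Java serialization stream in the body.
    if body.startswith(JAVA_SERIAL_MAGIC) or JAVA_SERIAL_B64 in body_text:
        findings.append("java-serialized-object:body")
    return findings


def scan(requests: List[bytes]) -> Dict[int, List[str]]:
    """Map request index to findings, keeping only requests that triggered something."""
    results: Dict[int, List[str]] = {}
    for i, req in enumerate(requests):
        findings = inspect_request(req)
        if findings:
            results[i] = findings
    return results


# Constructed sample requests (hypothetical host, not real traffic).
SAMPLE_REQUESTS = [
    # 0: ordinary form post, should produce no findings
    b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=alice&q=struts",
    # 1: OGNL expression syntax placed in a header (harmless arithmetic, no command)
    b"GET /index.action HTTP/1.1\r\nHost: app.example\r\nContent-Type: %{7*7}\r\n\r\n",
    # 2: base64-encoded Java serialization stream embedded in an XML body
    b"POST /orders HTTP/1.1\r\nHost: app.example\r\nContent-Type: application/xml\r\n\r\n"
    b"<order><blob>rO0ABXNyAA==</blob></order>",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_REQUESTS).items():
        print(idx, hits)
```

Treat the output as a triage signal rather than a blocking rule: `${` also appears in legitimate template text and some JSON payloads, so a match should feed an alert that a responder reviews alongside the server's own logs, and the real fix remains patching Struts.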
The report noted that the Struts open source software system is used by approximately 65 percent of Fortune 100 companies, including Lockheed Martin, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot and Showtime.
Equifax appears to be utterly and completely clueless about their own technology. Equifax's own data breach detector isn't just useless, it's untrustworthy.