A financial analyst firm with ties to Equifax has reported a potential root cause of the massive breach at the credit reporting and monitoring. A Baird Equity Research report claims Equifax told the company that a vulnerability in the open-source Apache Struts framework was the root cause of the data breach.
“Our understanding is data retained by EFX primarily generated through consumer interactions was breached via the Apache Struts flaw,” the report stated.
To date, Equifax has neither publicly confirmed nor denied the claim that a flaw in Apache Struts was the root cause of the massive exploit that leaked data on 143 million Americans that was first publicly disclosed on Sept. 7. The only detail that Equifax has publicly stated about the root cause of the breach is that it was a web application vulnerability.
The Apache Software Foundation, which oversees the development of Struts, has responded to the claims that Struts may have been involved in the Equifax security breach.
“We are sorry to hear news that Equifax suffered from a security breach and information disclosure incident that was potentially carried out by exploiting a vulnerability in the Apache Struts Web Framework,” René Gielen, vice president of Apache Struts, wrote in a statement. “At this point in time it is not clear which Struts vulnerability would have been utilized, if any.”
In recent months, multiple vulnerabilities have been patched in the Apache Struts framework. On Sept. 5, the Struts project issued an update for three software vulnerabilities, only one of which was rated as being critical. The critical vulnerability was identified by the Struts project as CVE-2017-9805 and is a possible remote code execution (RCE) attack vulnerability.
By its own admission, Equifax was breached in mid-May, months before CVE-2017-9805 was publicly disclosed and patched, making it unlikely it was the vulnerability used by attacker.
A more likely possibility is that attackers made use of a flaw that the Struts project fixed in March identified as CVE-2017-5638, which is also a RCE vulnerability. In the days immediately following the CVE-2017-5638 patch, opportunistic hackers went after unpatched systems. Among the publicly identified organizations that were exploited by the CVE-2017-5638, after the Struts project released an update, was the Canada Revenue Agency.
Among the challenges some organizations face updating Struts is the fact that it is often embedded as part of larger applications that update on different release cycles. For example, though CVE-2017-5638 was patched by the Apache Struts project on March 6, it wasn’t until April 18 that Oracle patched its software packages that included Struts.
“We as the Apache Struts PMC want to make clear that the development team puts enormous efforts in securing and hardening the software we produce, and fixing problems whenever they come to our attention,” Gielen stated.
Gielen and the Apache Struts project also offered some advice on how organizations can help to secure themselves from software vulnerability risks. Gielen recommends that organizations have a process to quickly implement software patches when they become available to help reduce risk.
Other recommendations for security best practices include having multiple layers of security technologies in place, as well as monitoring capabilities that can alert for potentially anomalous activity.
“Any complex software contains flaws,” Gielen stated. “Don’t build your security policy on the assumption that supporting software products are flawless, especially in terms of security vulnerabilities.”
“Once followed, these recommendations help to prevent breaches such as unfortunately experienced by Equifax,” he added.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
