A Closer Look at Patching

In this lesson, we'll take an up-close look at patching.

Patching is the broccoli and spinach and push-ups of security. It’s not glamorous. You won’t get to do a talk at a prestigious conference from it. You’ll never be finished, either. But it’s one of the fundamental practices you need in place to keep the bad guys out.

Patching is the ongoing practice of the following:

  1. Looking at what software you have in place
  2. Researching what vulnerabilities have been discovered in that software
  3. Upgrading the vulnerable software to secure versions
  4. Testing to make sure that the new versions work

This defense is a lot of work, but what’s nice about it is that we don’t have to become security experts overnight to implement it. We just need to be experts in our own systems.

Patching and the Equifax breach

One of the most widely discussed breaches of 2017 was the Equifax breach, in which hackers accessed the sensitive personal information of approximately 145.5 million Americans. We can learn a lot about the importance of patch management by looking at this breach. Equifax has shared a lot of information related to the breach in its September 15, 2017, press release, including a timeline. Equifax has determined that the cause of the breach was a vulnerability in Apache Struts. This vulnerability allowed attackers to run arbitrary commands on the vulnerable server with the privileges of the Apache process itself.

Joe asks: What Is a CVE?

CVE stands for common vulnerabilities and exposures. It is the closest thing the field has to a centralized repository of vulnerabilities. Many operating system vendors and large software vendors track their own security vulnerabilities in the public CVE list. But there is no requirement for anyone to use the CVE system. As you continue to search for vulnerabilities in your dependencies over time, you’ll start to develop an intuition for which vendors use CVE and which don’t. For more details about the CVE system as well as a searchable web interface, go to the CVE website at cve.mitre.org.

Timeline

Now let’s look at the timeline.

  • March 2, 2017—Struts development team released a patch to fix this issue.
  • March 7, 2017—Payload to exploit this vulnerability was added to Metasploit.
  • March 9, 2017—Dan Goodin wrote an article describing this vulnerability on Ars Technica.
  • March 10, 2017—This vulnerability was assigned CVE-ID CVE-2017- 5638.
  • May 13–July 30, 2017—Unauthorized access to Equifax servers.
  • July 29, 2017—Initial detection of the breach.
  • July 30, 2017—Affected website taken down for remediation.

Availability of attack on Metasploit

The first thing that jumps out is the five-day gap between the publication of a patch and the availability of an exploit in Metasploit. Metasploit is an extensible penetration testing framework with a large, ever-growing library of ready-to-use payloads. Once an exploit for a vulnerability is in Metasploit, it’s very easy to use. Attackers using the CVE-2017-5683 payload in Metasploit don’t need to know how to find vulnerabilities like this one or how to write code to exploit it. They just need a URL and an inkling that their target uses a vulnerable version of Struts. Ease of attack is particularly interesting here because of the complexity of this particular Struts vulnerability. It would have taken a lot of effort to discover it and learn how to exploit this.

Fortunately for us, Eric Rafaloff of Gotham Digital Science put together an excellent explanation of this vulnerability. Let me restate the impact of the availability of the Metasploit module: When the patch was released, you needed Rafaloff-esque skills to exploit this vulnerability.

Just five days later, all you needed was the ability to run Metasploit. That is a huge shift in the skill level needed to carry out this attack, which makes a huge increase in the risk of having an unpatched server exposed to the internet. All just five days after the patch was released. This provides a serious reminder that we need to stay current on patching.

Delay in patching

The second thing that jumps out is the delay in patching. Equifax was more than two months behind on patching at the time of the initial attack and more than four and a half months behind on patching when it finally shut down the affected site. That’s a long time to be out-of-date.

                                                 Q U I Z  

Get hands-on with 1200+ tech skills courses.