CVE-2017-5638, Vulnerability Reporter's Notebook

TL;DR Manage Balance Sheet Risk with ISO 29147. InfoSec Industry is Broken.
Vulnerability Reporter's Notebook
In the News is the Equifax Breach. Personally Identifiable Information (PII) is a Public Interest Story when all Consumers are impacted. This commentary is based on my own Research, which is Public Domain, for annualcreditreport.com and experian.in.

CVE-2017-5638 Discussion & Analysis

On March 7, 2017 there was a Vulnerability Announcement, further described as CVE-2017-5638 and S2-045 and detailed in News Headlines as the Apache Struts Bug: unauthenticated remote code execution through an OGNL expression placed in the Content-Type header and evaluated by the Jakarta Multipart parser, affecting Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10 (fixed in 2.3.32 and 2.5.10.1). My search of 1MM (one million) Websites indicated there were thousands of Hosts running a Vulnerable Version of Struts as of March 7, 2017.

The Credit Reporting Agencies showed as Vulnerable to CVE-2017-5638. A smaller sample of compromised Hosts showed that files named shell.asp and cmd.php, Command Injection Tools (web shells) used by malicious Actors, were already present in the DocumentRoot of many Websites.


Analysis performed on Friday, March 10, 2017 indicated that many Online Health Portals, Credit Reporting Agencies and their Partners that used Apache Struts in public-facing Operations and Support Systems (OSS) had not Patched the Apache Struts Bug.
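The quickest way to answer "are we running a Vulnerable Version of Struts?" is to inventory the struts2-core jars in every deployed application and compare them against the S2-045 affected ranges. The script below is an added example written for this page, not code from the original post or from the Apache Struts project. It assumes the standard struts2-core-<version>.jar naming; the sample inventory in main() is constructed, and no real host was scanned.

```python
"""Check Apache Struts 2 library versions against the CVE-2017-5638 (S2-045) affected ranges.

Added example (not from the original post). Affected ranges follow the Apache
S2-045 advisory: 2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32
and 2.5.10.1. The jar paths in main() are constructed for illustration.
"""
import os
import re
from typing import Iterable, List, Optional, Tuple

# Matches struts2-core-2.3.31.jar, struts2-core-2.5.10.1.jar, ...
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)\.jar$", re.IGNORECASE)

# (first affected, last affected), inclusive, per the S2-045 advisory.
AFFECTED_RANGES = [
    ((2, 3, 5), (2, 3, 31)),
    ((2, 5), (2, 5, 10)),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def struts_version_from_jar(filename: str) -> Optional[str]:
    """Return the version embedded in a struts2-core jar name, or None for any other file."""
    match = JAR_RE.match(os.path.basename(filename))
    return match.group(1) if match else None


def is_vulnerable_s2_045(version: str) -> bool:
    """True when the version falls inside an affected range (inclusive on both ends)."""
    v = parse_version(version)
    # Tuple comparison makes (2, 5) <= (2, 5, 0) and (2, 5, 10, 1) > (2, 5, 10),
    # so 2.5 is flagged while the 2.5.10.1 fix release is not.
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def scan_jars(filenames: Iterable[str]) -> List[Tuple[str, str, bool]]:
    """Classify every struts2-core jar in an inventory as (path, version, vulnerable)."""
    findings = []
    for name in filenames:
        version = struts_version_from_jar(name)
        if version is not None:
            findings.append((name, version, is_vulnerable_s2_045(version)))
    return findings


def scan_directory(root: str) -> List[Tuple[str, str, bool]]:
    """Walk a deployment tree (for example an exploded WAR's WEB-INF/lib) for struts2-core jars."""
    paths = (os.path.join(dirpath, f) for dirpath, _, files in os.walk(root) for f in files)
    return scan_jars(paths)


if __name__ == "__main__":
    # Constructed sample inventory; these paths do not correspond to any real system.
    sample = [
        "/srv/app1/WEB-INF/lib/struts2-core-2.3.31.jar",
        "/srv/app2/WEB-INF/lib/struts2-core-2.5.10.1.jar",
        "/srv/app3/WEB-INF/lib/struts2-core-2.3.32.jar",
        "/srv/app4/WEB-INF/lib/commons-fileupload-1.3.2.jar",
    ]
    for path, version, vulnerable in scan_jars(sample):
        print(f"{'VULNERABLE' if vulnerable else 'ok        '} {version:<9} {path}")
```

Run scan_directory() against each application server's deployment root; a jar name is only a first pass, so confirm a flagged host by checking the Struts version string inside the jar's MANIFEST.MF before closing the ticket.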

Obtain a Credit Report

The Federal Government publishes a URL that all major Search Engines provide as a Landing Page for Consumers to obtain their Credit Report.

The FTC Landing Page includes a single Link to www.annualcreditreport.com and directs the Public to “Order online from annualcreditreport.com, the only authorized website for free credit reports”.


The Website is run by the Big 3 Credit Reporting Agencies and operated by a 3rd party. The FTC is implicitly stating the Public should trust www.annualcreditreport.com.

A reasonable person would expect the Security Profile of a critical Public Interest website to be well fortified and defended.

Security Profile: annualcreditreport.com and consumer.experian.in

On March 10, 2017 at 4pm Eastern, the Risk and Behavior Profile of annualcreditreport.com and consumer.experian.in indicated no use of a WAF/IPS/IDS, limited operator interaction on the Console and default Command Line Tools available. These Websites were vulnerable to CVE-2017-5638 at the close of business on Friday, March 10, 2017 at 4pm Eastern time, 72+ hours after the Bug Announcement.

Governance, Risk & Compliance: Failure to Protect PII

The Board of Directors failed to provide Governance, Risk and Compliance (GRC) oversight of Management for the safeguarding of Personally Identifying Information. The basic principles of Operational Security were ignored by these Organizations as a normal course of their business operations.


This is a systemic problem that should be addressed by the FTC via Regulation, not market forces.


FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015) affirmed that the FTC has authority to regulate cybersecurity. The FTC should move forward with additional Regulatory Oversight of the Credit Reporting Agencies because they are a critical Public Interest.

These Boards, Managements and Consultants are the least qualified people to render a judgement on Risks and Behaviors that impact the Cost of Credit to Consumers.

Failure to Manage Existential Risk

ISO/IEC 29147:2014 is applicable to vendors who respond to external reports of vulnerabilities in their products or online services.

March 2017 – None of the Credit Reporting Agencies were following ISO/IEC 29147. None offered a Coordinated Vulnerability Disclosure (CVD) or Bug Bounty (BB) Program. Any Company without a CVD or BB Program carries Existential Risk to the Balance Sheet in the form of Full Disclosure.
The Credit Agency Boards, Management and Consultants failed to configure the Resources and Receptors that would have been passively listening for Vulnerability Reports.

CVE-2017-5638 exposed that the Boards, Executives, Consultants and Vendors at the Credit Agencies have been flying blind, unaware of embedded Risk in their Information Technology Platforms.

Managing those Existential Risks falls on the Chief Financial and Risk Officers, who are advised to develop resources with respect to CVD, BB, or Runtime Application Self-Protection (RASP) and Patching Solutions.

ISO/IEC 29147 for Managing Balance Sheet Risk

HackerOne and BugCrowd can facilitate communications with the Bug Bounty Community. Luta Security can help you get ready to receive Vulnerability Reports. Those boutiques are at the center of the Best Practices Envelope for the Vulnerability Reporting and Disclosure Process.


Vulnerability Reporters will inundate CVD and BB Programs with Vulnerability Reports 7x24x365, as described by HackerOne, generating both Signal and Noise.

From my own experience reporting Bugs for fun and profit I know that any Vulnerability in government Websites (.gov) can be Reported to CERT using the Vulnerability Reporting Form.


Reporting Bugs to Google, Microsoft, Apple and other Companies occurs 7x24x365. These Organizations follow ISO/IEC 29147 and other widely recognized processes to receive, confirm, triage and respond to external, 3rd party reports of Software and Hardware Vulnerabilities. These Organizations, their Boards, Employees and Vendors are my definition of Best Practices.


Reporting Bugs to any other Company is problematic: there is no defined path to resolution. At best there could be an ARIN or RADB Handle to reach out to and provide Notification. Worst Case is Full Disclosure. I follow the Microsoft Coordinated Vulnerability Disclosure Policy.

However: Full Disclosure may be used when a Vendor is unresponsive, slow to respond, stonewalling or not acting in the best interests of the community.

Follow ISO/IEC 29147 to Manage Balance Sheet Risk

Use a WAF/IDS/IPS

As the business day came to a close on Friday, March 10, 2017 at 4pm Eastern time, roughly 72 hours following the Announcement, there were many Websites that hadn't Patched for the Apache Struts Bug. Those Websites probably lacked any advanced packet or content filter capabilities.


The WAF/IDS/IPS is one of the most important Mitigation Tools available to Defenders.

Confirm your Organization has implemented Packet & Content Filtering.
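What a content filter actually has to catch for this Bug is narrow: Struts only routes a request to the vulnerable Jakarta Multipart parser when its Content-Type mentions multipart/form-data, and the exploit works by putting an OGNL expression in that header, which the parser then echoes into an error message that gets evaluated. A legitimate Content-Type never contains OGNL markers, so a WAF rule on that one header blocks the attack while patching is scheduled. The middleware below is an added example, written for this page and not taken from the original post or from any vendor named in it; it expresses the rule as a WSGI filter so it can be run and tested here, and the same condition translates directly into a WAF or IPS signature. All sample header values are constructed.

```python
"""Content-Type filter for CVE-2017-5638 (S2-045) exploitation attempts.

Added example; not code from the original post or from any vendor it names.
S2-045 is triggered by an OGNL expression smuggled into the Content-Type
header of a request that Struts hands to the Jakarta Multipart parser. A
well-formed Content-Type never contains OGNL markers, so a header check can
block the attack while a patch is scheduled. All sample values are constructed.
"""
import re
from typing import List, Optional, Tuple

# OGNL expression openers and the static/class access syntax exploit payloads rely on.
OGNL_MARKERS = re.compile(r"%\{|\$\{|#\w+\s*=|@[\w.]+@")

# What a legitimate multipart upload looks like: media type, RFC 2046 boundary, optional charset.
MULTIPART_OK = re.compile(
    r"^multipart/form-data\s*;\s*boundary=\"?[-\w'()+_,./:=? ]{1,70}\"?"
    r"(\s*;\s*charset=[\w-]+)?$", re.IGNORECASE)


def classify_content_type(value: Optional[str]) -> Optional[str]:
    """Return a reason to reject the request, or None when the header looks benign."""
    if value is None:
        return None
    if OGNL_MARKERS.search(value):
        return "ognl-expression-in-content-type"
    if "multipart/form-data" in value.lower() and not MULTIPART_OK.match(value):
        # Only multipart requests reach the vulnerable parser; a multipart header
        # that is not a plain media type plus boundary is dropped, not parsed.
        return "malformed-multipart-content-type"
    return None


def s2_045_filter(app):
    """WSGI middleware: answer 400 to any request whose Content-Type is suspicious."""
    def wrapped(environ, start_response):
        reason = classify_content_type(environ.get("CONTENT_TYPE"))
        if reason is not None:
            body = f"blocked: {reason}\n".encode()
            start_response("400 Bad Request", [("Content-Type", "text/plain"),
                                               ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return wrapped


def run_through_filter(content_type: Optional[str]) -> str:
    """Drive the middleware with a stub application and return the status line it sent."""
    def stub_app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    statuses: List[str] = []
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": "/upload.action"}
    if content_type is not None:
        environ["CONTENT_TYPE"] = content_type
    list(s2_045_filter(stub_app)(environ, lambda status, headers: statuses.append(status)))
    return statuses[0]


# Constructed header values: two benign, one OGNL-shaped, one malformed multipart.
SAMPLE_HEADERS = [
    "application/json",
    "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "%{(#_='multipart/form-data').(#x=1)}",
    'multipart/form-data; boundary=ab"cd',
]


def triage(values: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Classify a batch of header values, for example pulled from a reverse-proxy log."""
    return [(value, classify_content_type(value)) for value in values]


if __name__ == "__main__":
    for value, reason in triage(SAMPLE_HEADERS):
        print(f"{reason or 'allow':<36} {value}")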

InfoSec Industry is Broken

The InfoSec Industry should work on mitigating its own exposure and that of its Clients in the first 240 hours after major Bug announcements, not on promoting SEO Campaigns.


Alerting an Organization to the Apache Struts Bug should have received priority as the business day came to a close on March 10, 2017 at 4pm Eastern. By then at least 72 hours had elapsed since the Public Announcement, and News Outlets had also alerted the Public to the Apache Struts Bug.


The picture below is of symantechelp.com on March 10, 2017 near the close of business. The right side of the picture shows the Command Injection Shells already uploaded to the Website.
Picture: WebRoot of symantechelp.com vulnerable to the Apache Struts Exploit
CVE-2017-5638: Injected Command Shells in the WebSite DocumentRoot of symantechelp.com on March 10, 2017
Dear: If you can't find and remove Exploit Shells in your own Website 72+ hours after Announcement, you won't find and remove those same Command Injection Shells on the Client Sites either.
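Finding the shells is the part a responder can actually script. The hunt below is an added example written for this page, not code from the original post or from any vendor it mentions. It walks a DocumentRoot and flags server-side scripts on three grounds: the file names the post reports seeing (shell.asp, cmd.php), content signatures for the command sinks that PHP, ASP and JSP shells are built around, and any script modified after a known-good deploy time. The fixture DocumentRoot written by build_fixture() is constructed, including the two planted shells.

```python
"""Hunt for uploaded web shells in a web server DocumentRoot.

Added example (not from the original post). Three checks a responder runs after
an S2-045 exposure window: suspicious file names, content signatures typical of
PHP/ASP/JSP command shells, and server-side scripts modified after a known-good
deploy time. The files written by build_fixture() are constructed fixtures.
"""
import os
import re
import tempfile
import time
from typing import Dict, List, Optional, Tuple

SCRIPT_EXTS = {".php", ".phtml", ".asp", ".aspx", ".jsp", ".jspx"}

# Base names the original post observed in compromised DocumentRoots; extend as needed.
SUSPICIOUS_NAMES = {"shell", "cmd"}

# Content signatures: a command or eval sink fed directly from request input.
SIGNATURES = {
    "php-command-sink": re.compile(
        r"\b(eval|system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*"
        r"(\$_(GET|POST|REQUEST|COOKIE)|base64_decode)", re.IGNORECASE),
    "asp-wscript-shell": re.compile(r"WScript\.Shell|Execute\s*\(\s*Request", re.IGNORECASE),
    "aspx-process-start": re.compile(r"Process\.Start\s*\(|System\.Diagnostics\.Process", re.IGNORECASE),
    "jsp-runtime-exec": re.compile(r"Runtime\.getRuntime\(\)\s*\.\s*exec\s*\(", re.IGNORECASE),
}


def scan_file(path: str, since: Optional[float]) -> List[str]:
    """Return the list of reasons a script file is suspicious (empty when it looks clean)."""
    reasons: List[str] = []
    stem, ext = os.path.splitext(os.path.basename(path))
    if ext.lower() not in SCRIPT_EXTS:
        return reasons
    if stem.lower() in SUSPICIOUS_NAMES:
        reasons.append("suspicious-name")
    if since is not None and os.path.getmtime(path) > since:
        reasons.append("modified-after-deploy")
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read(256 * 1024)  # shells are small; cap the read on huge files
    except OSError:
        return reasons
    for label, pattern in SIGNATURES.items():
        if pattern.search(text):
            reasons.append(label)
    return reasons


def scan_docroot(root: str, since: Optional[float] = None) -> Dict[str, List[str]]:
    """Walk a DocumentRoot and map each suspicious file (relative path) to its reasons."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = scan_file(path, since)
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings


def build_fixture() -> Tuple[str, float]:
    """Write a constructed DocumentRoot: one benign page and two planted shells."""
    root = tempfile.mkdtemp(prefix="docroot-")
    deploy_time = time.time() - 3600  # pretend the site was deployed an hour ago
    files = {
        "index.php": "<?php echo 'hello'; ?>",
        "uploads/cmd.php": "<?php system($_GET['cmd']); ?>",  # constructed PHP shell
        "uploads/shell.asp": '<% Set s = CreateObject("WScript.Shell") %>',  # constructed ASP shell
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    # Backdate the legitimate page so only the planted files look freshly modified.
    legit = os.path.join(root, "index.php")
    os.utime(legit, (deploy_time - 60, deploy_time - 60))
    return root, deploy_time


if __name__ == "__main__":
    root, since = build_fixture()
    for rel, reasons in sorted(scan_docroot(root, since).items()):
        print(f"{rel}: {', '.join(reasons)}")
```

Point scan_docroot() at the real DocumentRoot with since set to the last deploy timestamp; the signature list is deliberately small, so treat a hit as a lead to triage (and a file to preserve for forensics before removal), not as the only thing worth looking at.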

CVE-2017-5638 was also targeted for SEO Campaigns by Qualys. Here are a few URLs that got my attention:



SEO Campaign: 3 distinct URLs pointing at 2 Hostnames for 1 Bug, linking to 2 Qualys Solutions.


Cutting through the marketing hype, at the same time Qualys was creating an SEO Campaign (March 8-14, 2017), their Client (Experian) was exposed to the Apache Struts Bug.


Proof: the /etc/passwd file contains the Name and Project ID of the Scan Vendor for the consumer.experian.in Server.
Picture: /etc/passwd file of consumer.experian.in
CVE-2017-5638 in consumer.experian.in with Qualys as the Scan Vendor of Record

Dear: When you are in /etc/passwd, you are Responsible to Patch a Bug quickly after Announcement.

Court of Public Opinion

The Public Domain data set I’ve Published on xss.cx shows poor judgement of those Credit Reporting Agencies with respect to how they handle Operational Security in day-to-day, normal course of business operations. Read in the context of a Credit Score, the Reports detail Major Derogatory Remarks with a low Credit Score.


The Board of Directors, Management and Consultants at Equifax and Experian should be viewed in the context of people with chronic, untreated behavior disorders requiring long-term counseling specific to the Care and Duty Required when Handling the Personally Identifying Information of the Public.

Related News Articles: Netsparker Blog

Research indicates the same Consultants and Vendors are involved in Breach after Breach… the subject of further Articles on this Blog.

End of ‘Our InfoSec Industry is Broken’ – Part 1

Published into the Public Domain on September 25, 2017
Permission Granted to Reprint, Copy and Link with Attribution