Equifax Pwnage Was Due To Failure To Apply A Security Patch To Their Website

Equifax has apparently admitted that a failure to install a patch on its website led to the biggest data breach in the history of the universe. Here’s what they posted on their www.equifaxsecurity2017.com/ site:

Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.

Now, here’s why this is a #fail. CVE-2017-5638 was reported on March 10, 2017, as per this NIST notification. The key part of that notification is this:

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.

So, what that means is that Equifax had to be running a version of Apache Struts that was earlier than either 2.3.32 or Which implies that if they had upgraded to either of those versions, they would have been fine. But it appears that this did not happen. What’s worse is that, according to Equifax, they were pwned in “mid May 2017” and figured it out in July 2017. So if we work back from “mid May 2017” to the time the security issue was discovered, Equifax had nine to ten weeks to install an updated version of Apache Struts. But they didn’t, and now we have pwnage on a scale that has never been seen before.
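As an added illustration that is not part of the original post, the following Python scans a constructed, simplified access log for Content-Type header values that carry OGNL expression markers (such as the #cmd= string the NIST entry mentions) or that are not well-formed media types at all; the log format and the sample lines are assumptions made for the example.

```python
import re

# Constructed sample lines (not real Equifax logs). Assumed simplified log
# format: <client> "<method> <path>" <status> "<content-type header value>".
SAMPLE_LOG = """\
10.0.0.5 "POST /upload.action" 200 "multipart/form-data; boundary=----WebKitFormBoundary7MA4"
10.0.0.6 "POST /upload.action" 200 "%{(#cmd='PLACEHOLDER')}"
10.0.0.7 "GET /index.action" 200 "-"
10.0.0.8 "POST /upload.action" 200 "application/x-www-form-urlencoded"
10.0.0.9 "POST /upload.action" 200 "multipart/form-data; boundary=${PLACEHOLDER}"
10.0.0.10 "POST /upload.action" 200 "this is not a media type"
"""

LOG_LINE = re.compile(
    r'^(?P<client>\S+) "(?P<method>\S+) (?P<path>\S+)" (?P<status>\d{3}) "(?P<ctype>.*)"$'
)
# A well-formed media type is type/subtype, optionally followed by ;name=value parameters.
MEDIA_TYPE = re.compile(r'^[\w.+-]+/[\w.+-]+(\s*;\s*[\w.-]+=("[^"]*"|[^;"]*))*\s*$')
# OGNL expression delimiters plus the "#cmd=" marker quoted in the NIST text.
OGNL_MARKERS = re.compile(r'%\{|\$\{|#cmd=', re.IGNORECASE)


def classify_content_type(ctype: str):
    """Return a reason string if the Content-Type value looks hostile, else None."""
    if ctype == "-":  # the request carried no Content-Type header
        return None
    if OGNL_MARKERS.search(ctype):
        return "ognl-marker"
    if not MEDIA_TYPE.match(ctype):
        return "malformed-media-type"
    return None


def scan_log(text: str):
    """Return (client, path, reason) for every suspicious request in the log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        reason = classify_content_type(m["ctype"])
        if reason:
            findings.append((m["client"], m["path"], reason))
    return findings


if __name__ == "__main__":
    for client, path, reason in scan_log(SAMPLE_LOG):
        print(f"{client} {path}: {reason}")
```

A header that is not a media type at all is flagged even when it contains none of the known markers, which is what catches variants the marker list does not anticipate.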

Clearly this is another data point showing that Equifax dropped the ball here. And to be frank, it’s as bad as having a public-facing database with a username of admin and a password of admin. Hopefully, everyone from politicians to the average consumer is paying attention so that this company can get the punishment that it deserves.


2 Responses to “Equifax Pwnage Was Due To Failure To Apply A Security Patch To Their Website”

  1. […] very hard to remove it.  But let me get to the key point. On top of having shoddy IT practices and not patching their infrastructure in a timely manner, this failure to have someone who actually knows what they are doing in terms of securing the […]

  2. […] he “retired”. Examples of this #EpicFail include hiring a CSO with no IT experience or not applying a patch for Apache Struts for months, or having a publicly accessible database with username of admin and the password of (you guessed […]
