Failure to patch two-month-old bug led to massive Equifax breach

Critical Apache Struts bug was fixed in March. In May, it bit ~143 million US consumers.

The Equifax breach that exposed sensitive data for as many as 143 million US consumers was accomplished by exploiting a Web application vulnerability that had been patched more than two months earlier, officials with the credit reporting service said Thursday.

"Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted," company officials wrote in an update posted online. "We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement."

The flaw in the Apache Struts framework was fixed on March 6. Three days later, the bug was already under mass attack by hackers who were exploiting the flaw to install rogue applications on Web servers. Five days after that, the exploits showed few signs of letting up. Equifax has said the breach on its site occurred in mid-May, more than two months after the flaw came to light and a patch was available.

Thursday's disclosure strongly suggests that Equifax failed to update its Web applications, despite demonstrable proof that the bug gave real-world attackers an easy way to take control of sensitive sites. An Equifax representative didn't immediately respond to an e-mail seeking comment on this possibility.

As Ars warned in March, patching the security hole was labor-intensive and difficult, in part because it involved downloading an updated version of Struts and then using it to rebuild every app that used an older, buggy Struts version. Some websites may depend on dozens or even hundreds of such apps, which may be scattered across dozens of servers on multiple continents. Once rebuilt, the apps must be extensively tested before going into production to ensure they don't break key functions on the site.
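The first step in the remediation described above is knowing which deployed apps still bundle an old Struts, which is hard when they are scattered across many servers. The following added example (not code from Ars, Equifax or the Apache project) shows one way a defender can inventory that: it walks a directory of deployed WAR and EAR archives, looks inside them (including WARs nested in EARs) for the `struts2-core-<version>.jar` library, and compares each version found against the minimum fixed version for its release branch. The version map `EXAMPLE_FIXED_BY_BRANCH` and the sample archives are constructed placeholders for the demonstration; the real minimum versions must be taken from the Apache Struts security bulletin for CVE-2017-5638.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Matches the Struts core library inside WEB-INF/lib, e.g. struts2-core-2.3.20.jar
JAR_RE = re.compile(r"(?:^|/)struts2-core-(\d+(?:\.\d+)+)\.jar$")

# CONSTRUCTED PLACEHOLDER: branch -> first version that carries the fix.
# Replace with the values from the Apache Struts bulletin for CVE-2017-5638.
EXAMPLE_FIXED_BY_BRANCH = {"2.3": "2.3.50", "2.5": "2.5.50"}


def parse_version(v):
    """'2.5.10.1' -> (2, 5, 10, 1) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in v.split("."))


def branch_of(v):
    """'2.3.20' -> '2.3'; Struts fixes are issued per release branch."""
    return ".".join(v.split(".")[:2])


def struts_versions_in_archive(source):
    """Return the set of struts2-core versions found in a zip archive.

    `source` is a path or a file-like object. Nested WAR/JAR/EAR entries
    (an EAR wrapping several WARs) are opened recursively.
    """
    versions = set()
    with zipfile.ZipFile(source) as zf:
        for name in zf.namelist():
            match = JAR_RE.search(name)
            if match:
                versions.add(match.group(1))
            elif name.lower().endswith((".war", ".jar", ".ear")):
                try:
                    versions |= struts_versions_in_archive(io.BytesIO(zf.read(name)))
                except zipfile.BadZipFile:
                    pass  # not a real archive (e.g. a stub or corrupt entry)
    return versions


def assess(versions, fixed_by_branch):
    """Classify each version as 'patched', 'vulnerable' or 'unknown-branch'."""
    results = {}
    for v in versions:
        fixed = fixed_by_branch.get(branch_of(v))
        if fixed is None:
            results[v] = "unknown-branch"  # branch not in the advisory map: review by hand
        elif parse_version(v) >= parse_version(fixed):
            results[v] = "patched"
        else:
            results[v] = "vulnerable"
    return results


def scan_tree(root, fixed_by_branch):
    """Walk a deployment directory and report (archive, version, status) triples."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".war", ".ear"):
            for v, status in assess(struts_versions_in_archive(path), fixed_by_branch).items():
                findings.append((str(path), v, status))
    return sorted(findings)


def build_sample_archive(entries):
    """Build a constructed zip archive in memory; entries maps entry name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo():
    """Create two constructed deployments and scan them; returns root-relative findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app1").mkdir()
        # A WAR still bundling an old 2.3.x Struts plus an unrelated (stub) library.
        (root / "app1" / "portal.war").write_bytes(build_sample_archive({
            "WEB-INF/web.xml": b"<web-app/>",
            "WEB-INF/lib/struts2-core-2.3.20.jar": b"",
            "WEB-INF/lib/commons-lang-2.6.jar": b"",
        }))
        # An EAR wrapping a WAR that was rebuilt against a patched 2.5.x Struts.
        inner_war = build_sample_archive({"WEB-INF/lib/struts2-core-2.5.60.jar": b""})
        (root / "app2.ear").write_bytes(build_sample_archive({"dispute.war": inner_war}))
        return [(Path(p).relative_to(root).as_posix(), v, s)
                for p, v, s in scan_tree(root, EXAMPLE_FIXED_BY_BRANCH)]


if __name__ == "__main__":
    for archive, version, status in demo():
        print(f"{status:15} {version:10} {archive}")
```

Run against a real fleet, point `scan_tree` at each server's deployment directory (or at an artifact repository export) and treat every `vulnerable` and `unknown-branch` row as an app that must be rebuilt and retested, which is exactly the work the paragraph above describes.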

Equifax's update confirms a report published last week by a firm called Baird Equity Research. That report provided no source for its claim that Equifax was breached through an unidentified Apache Struts vulnerability. Two days later, the Apache Software Foundation issued a statement saying it didn't know one way or the other whether a Struts vulnerability was involved. CVE-2017-5638 is separate from CVE-2017-9805, an Apache Struts vulnerability that was patched last week.

Apache Struts is a framework for developing Java-based apps that run on both front-end and back-end Web servers. It is relied on heavily by banks, government agencies, large Internet companies, and Fortune 500 companies. Experian, one of the three big credit reporting services, and annualcreditreport.com, which provides free credit reports, both reportedly rely on Apache Struts as well.

Up to now, Equifax has said only that criminals exploited an unspecified application vulnerability on its US site to gain access to certain files. Now, we know that the flaw was in Apache Struts and had been fixed months before the breach occurred.