[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4BC4D4CE.3030403@clearskies.net>
Date: Tue, 13 Apr 2010 16:32:14 -0400
From: Clear Skies Security <smiles@...arskies.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Imperva SecureSphere Web Application Firewall and
Database Firewall Bypass Vulnerability
CSS10-01: Imperva SecureSphere Web Application Firewall and Database
Firewall Bypass Vulnerability
April 5, 2010
BACKGROUND
==========
The Imperva SecureSphere Web Application Firewall protects web
applications and sensitive data against sophisticated attacks and
brute force attacks, stops online identity theft, and prevents data
leaks from applications. The Imperva SecureSphere Database Firewall
monitors and proactively protects databases from internal abuse,
database attacks, and unauthorized activity. (Source:
http://www.imperva.com/products/securesphere-data-security-suite.html)
SUMMARY
=======
Imperva SecureSphere Web Application Firewall and Database Firewall
products can be bypassed by appending specially crafted data to
requests. Protection provided by the Imperva device against attacks
such as SQL injection and Cross-Site Scripting is negated, allowing
unfiltered requests through to protected applications.
SEVERITY RATING
===============
Rating: High Risk - CVSS 7.8 (AV:N/AC:L/Au:N/C:N/I:C/A:N)
Impact: Bypass security control
Where: Remote
THREAT EVALUATION
=================
An attacker can use this flaw to bypass firewall protections. Anyone
with the ability to interact with protected web applications and
databases can exploit this vulnerability. Only minimal skill is
required and the bypass can be incorporated into existing exploitation
frameworks and security testing tools. Exploitation of this issue does
not permanently affect the device; each evasion request must contain
the bypass payload.
IDENTIFYING VULNERABLE INSTALLATIONS
====================================
Administrators can identify the current version in use by going to the
Licensing menu in the administration console. Versions less than those
identified in the Solutions section below are vulnerable.
DETECTING EXPLOITATION
======================
The Imperva device provides no indication when this vulnerability is
exploited. If other controls are in place such as network traffic
monitors, IDS/IPS, or web filters, these should be configured to alert
on payloads containing attack patterns.
AFFECTED SOFTWARE
=================
This vulnerability affects SecureSphere G-series and Database
Firewalls running versions the Web Application and Database Firewall
product prior to March 9, 2010. This includes all versions of
SecureSphere from 5.0 through 7.0.
SOLUTION
========
The vendor has released patches for affected versions to address this
issue. Customers are strongly encouraged to apply the update as soon
as possible. Refer to
http://www.imperva.com/resources/adc/adc_advisories_response_clearskies.html
for upgrade instructions. No reliable workaround is available.
The vendor has provided the following version and patch data:
Version Patch Number
7.0.0.7078 Patch 11
7.0.0.7061 Patch 11
6.2.0.6463 Patch 24
6.2.0.6442 Patch 24
6.0.6.6302 Patch 30
6.0.6.6274 Patch 30
6.0.5.6238 Patch 30
6.0.5.6230 Patch 30
6.0.4.6128 Patch 30
5.0.0.5082 Patch 30
6.0.4.6128 on XOS 8.0/5 ssgw-6128-CBI10
7.0.0.7078 on XOS 8.5.3 ssgw-7.0.0.7267-CBI28
VULNERABILITY ID
================
CVE-2010-1329
TIME TABLE
==========
2009-08-31 - Vendor notified.
2010-03-09 - Vendor released patched firmware.
2010-04-05 - Public notification
REFERENCES
==========
http://www.clearskies.net/documents/css-advisory-css1001-imperva.php
http://www.imperva.com/resources/adc/adc_advisories_response_clearskies.html
CREDITS
=======
Scott Miles and Greag Johnson, Clear Skies Security, identified this
flaw.
Clear Skies would like to thank Mike Sanders and Accuvant Labs for
their assistance in clarifying and working with the vendor to correct
this issue.
LEGAL NOTICES
=============
Disclaimer: The information in the advisory is believed to be
accurate at the time of publishing and is subject to change without
notice. Use of the information constitutes acceptance for use in an
AS IS condition. There are no warranties with regard to this
information. The author is not liable for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on,
this information.
Copyright 2010 Clear Skies Security, LLC.
Permission is granted for the redistribution of this alert
electronically. To reprint this alert, in whole or in part, in any
other medium other than electronically, please e-mail info (at)
clearskies (dot) net for permission.
Download attachment "smime.p7s" of type "application/pkcs7-signature" (5602 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists