[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Imperva SecureSphere Web Application Firewall and Database Firewall Bypass Vulnerability



CSS10-01: Imperva SecureSphere Web Application Firewall and Database Firewall Bypass Vulnerability
April 5, 2010

BACKGROUND
==========
The Imperva SecureSphere Web Application Firewall protects web 
applications and sensitive data against sophisticated attacks and 
brute force attacks, stops online identity theft, and prevents data 
leaks from applications. The Imperva SecureSphere Database Firewall 
monitors and proactively protects databases from internal abuse, 
database attacks, and unauthorized activity.  (Source: 
http://www.imperva.com/products/securesphere-data-security-suite.html)

SUMMARY
=======
Imperva SecureSphere Web Application Firewall and Database Firewall 
products can be bypassed by appending specially crafted data to 
requests. Protection provided by the Imperva device against attacks 
such as SQL injection and Cross-Site Scripting is negated, allowing 
unfiltered requests through to protected applications.

SEVERITY RATING
===============
Rating: High Risk - CVSS 7.8 (AV:N/AC:L/Au:N/C:N/I:C/A:N) 
Impact: Bypass security control
Where:  Remote

THREAT EVALUATION
=================
An attacker can use this flaw to bypass firewall protections. Anyone 
with the ability to interact with protected web applications and 
databases can exploit this vulnerability. Only minimal skill is 
required and the bypass can be incorporated into existing exploitation 
frameworks and security testing tools. Exploitation of this issue does 
not permanently affect the device; each evasion request must contain 
the bypass payload.

IDENTIFYING VULNERABLE INSTALLATIONS
====================================
Administrators can identify the current version in use by going to the 
Licensing menu in the administration console. Versions less than those 
identified in the Solutions section below are vulnerable.

DETECTING EXPLOITATION
======================
The Imperva device provides no indication when this vulnerability is 
exploited. If other controls are in place such as network traffic 
monitors, IDS/IPS, or web filters, these should be configured to alert 
on payloads containing attack patterns.

AFFECTED SOFTWARE
=================
This vulnerability affects SecureSphere G-series and Database 
Firewalls running versions the Web Application and Database Firewall 
product prior to March 9, 2010. This includes all versions of 
SecureSphere from 5.0 through 7.0.

SOLUTION
========
The vendor has released patches for affected versions to address this 
issue. Customers are strongly encouraged to apply the update as soon 
as possible. Refer to 
http://www.imperva.com/resources/adc/adc_advisories_response_clearskies.html 
for upgrade instructions. No reliable workaround is available.

The vendor has provided the following version and patch data:

Version                  Patch Number
7.0.0.7078               Patch 11
7.0.0.7061               Patch 11
6.2.0.6463               Patch 24
6.2.0.6442               Patch 24
6.0.6.6302               Patch 30
6.0.6.6274               Patch 30
6.0.5.6238               Patch 30
6.0.5.6230               Patch 30
6.0.4.6128               Patch 30
5.0.0.5082               Patch 30
6.0.4.6128 on XOS 8.0/5  ssgw-6128-CBI10
7.0.0.7078 on XOS 8.5.3  ssgw-7.0.0.7267-CBI28
 
VULNERABILITY ID
================
CVE-2010-1329 

TIME TABLE
==========
2009-08-31 - Vendor notified.
2010-03-09 - Vendor released patched firmware.
2010-04-05 - Public notification

REFERENCES
==========
http://www.clearskies.net/documents/css-advisory-css1001-imperva.php
http://www.imperva.com/resources/adc/adc_advisories_response_clearskies.html 

CREDITS
=======
Scott Miles and Greag Johnson, Clear Skies Security, identified this 
flaw. 

Clear Skies would like to thank Mike Sanders and Accuvant Labs for 
their assistance in clarifying and working with the vendor to correct 
this issue.

LEGAL NOTICES
=============
Disclaimer: The information in the advisory is believed to be 
accurate at the time of publishing and is subject to change without 
notice. Use of the information constitutes acceptance for use in an 
AS IS condition. There are no warranties with regard to this 
information. The author is not liable for any direct, indirect, or 
consequential loss or damage arising from use of, or reliance on, 
this information.

Copyright 2010 Clear Skies Security, LLC.
Permission is granted for the redistribution of this alert 
electronically. To reprint this alert, in whole or in part, in any 
other medium other than electronically, please e-mail info (at) 
clearskies (dot) net for permission.


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature