Imperva SecureSphere Web Application Firewall and Database Firewall Bypass Vulnerability Apr 13 2010 08:18PM
Clear Skies Security (smiles clearskies net)
CSS10-01: Imperva SecureSphere Web Application Firewall and Database Firewall Bypass Vulnerability
April 5, 2010

BACKGROUND
==========
The Imperva SecureSphere Web Application Firewall protects web
applications and sensitive data against sophisticated attacks and
brute force attacks, stops online identity theft, and prevents data
leaks from applications. The Imperva SecureSphere Database Firewall
monitors and proactively protects databases from internal abuse,
database attacks, and unauthorized activity. (Source:
http://www.imperva.com/products/securesphere-data-security-suite.html)

SUMMARY
=======
Imperva SecureSphere Web Application Firewall and Database Firewall
products can be bypassed by appending specially crafted data to
requests. Protection provided by the Imperva device against attacks
such as SQL injection and Cross-Site Scripting is negated, allowing
unfiltered requests through to protected applications.

SEVERITY RATING
===============
Rating: High Risk - CVSS 7.8 (AV:N/AC:L/Au:N/C:N/I:C/A:N)
Impact: Bypass security control
Where: Remote

THREAT EVALUATION
=================
An attacker can use this flaw to bypass firewall protections. Anyone
with the ability to interact with protected web applications and
databases can exploit this vulnerability. Only minimal skill is
required and the bypass can be incorporated into existing exploitation
frameworks and security testing tools. Exploitation of this issue does
not permanently affect the device; each evasion request must contain
the bypass payload.

IDENTIFYING VULNERABLE INSTALLATIONS
====================================
Administrators can identify the current version in use by going to the
Licensing menu in the administration console. Versions less than those
identified in the Solutions section below are vulnerable.

DETECTING EXPLOITATION
======================
The Imperva device provides no indication when this vulnerability is
exploited. If other controls are in place such as network traffic
monitors, IDS/IPS, or web filters, these should be configured to alert
on payloads containing attack patterns.

AFFECTED SOFTWARE
=================
This vulnerability affects SecureSphere G-series and Database
Firewalls running versions the Web Application and Database Firewall
product prior to March 9, 2010. This includes all versions of
SecureSphere from 5.0 through 7.0.

SOLUTION
========
The vendor has released patches for affected versions to address this
issue. Customers are strongly encouraged to apply the update as soon
as possible. Refer to
http://www.imperva.com/resources/adc/adc_advisories_response_clearskies.
html
for upgrade instructions. No reliable workaround is available.

The vendor has provided the following version and patch data:

Version Patch Number
7.0.0.7078 Patch 11
7.0.0.7061 Patch 11
6.2.0.6463 Patch 24
6.2.0.6442 Patch 24
6.0.6.6302 Patch 30
6.0.6.6274 Patch 30
6.0.5.6238 Patch 30
6.0.5.6230 Patch 30
6.0.4.6128 Patch 30
5.0.0.5082 Patch 30
6.0.4.6128 on XOS 8.0/5 ssgw-6128-CBI10
7.0.0.7078 on XOS 8.5.3 ssgw-7.0.0.7267-CBI28

VULNERABILITY ID
================
CVE-2010-1329

TIME TABLE
==========
2009-08-31 - Vendor notified.
2010-03-09 - Vendor released patched firmware.
2010-04-05 - Public notification

REFERENCES
==========
http://www.clearskies.net/documents/css-advisory-css1001-imperva.php
http://www.imperva.com/resources/adc/adc_advisories_response_clearskies.
html

CREDITS
=======
Scott Miles and Greag Johnson, Clear Skies Security, identified this
flaw.

Clear Skies would like to thank Mike Sanders and Accuvant Labs for
their assistance in clarifying and working with the vendor to correct
this issue.

LEGAL NOTICES
=============
Disclaimer: The information in the advisory is believed to be
accurate at the time of publishing and is subject to change without
notice. Use of the information constitutes acceptance for use in an
AS IS condition. There are no warranties with regard to this
information. The author is not liable for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on,
this information.

Copyright 2010 Clear Skies Security, LLC.
Permission is granted for the redistribution of this alert
electronically. To reprint this alert, in whole or in part, in any
other medium other than electronically, please e-mail info (at)
clearskies (dot) net for permission.

0? *?H?÷
 ?0?1 0 +0? *?H?÷
 ?G0?Ý0?Å q?ûæ_¬M?tq4¢§0
 *?H?÷
0{1 0 UGB10U Greater Manchester10U Salford10U
Comodo CA Limited1!0U AAA Certificate Services0
040101000000Z
281231235959Z0®1 0 UUS1 0 UUT10USalt Lake City10U
The USERTRUST Network1!0U http://www.usertrust.com1604U-UTN-USERFirst-Clien
t Authentication and Email0?"0
 *?H?÷
?0?
?²9?¤ò}«A;bF7®ÍÁ`u¼9eùJG¢¹ÌHÌj?ÕM5¹¤BåÎIâ?/|Ò1ÇN´?d.)Õ¢dÄ?½?Q5y¤
Nh{z¤?¨ò?ò?Ìɤ2?» O0½?  ?ån¢Fúx¼¢o«Y^¥/ÏÊÚmª/묡³jª·.g5?yái?âæFÍ ¥ê¾ Îv:z?êüÚ'[=s"æHaÆ
Lói±¨.¶Ô1 ,¼???¤¥×?CüZ¯q×YÚº?
¯úóáÂð¤Åg?ÖÖT:Þ
¤ºw³eÈýÓtbªÊh?¡?~õGeËøMW(tÒ4ÿ0¶îöb0?,ë£?'0?#0U#0? 
#>?ñìâ¯)ï?¥Ð0¤´0U??g}ĝ&pK´PH|Þ=®n}0Uÿ0U
ÿ0ÿ0U%0++0U 
00U 0{Ut0r08 6 4?2http://crl.comodoca.com/AAACertificateServices.crl06 
4 2?0http://crl.comodo.net/AAACertificateServices.crl0 `?H?øB0
 *?H?÷
??Ë<¸~¥ Ä¿ ÂÇv?9<?ƪO Éà«?]?Tàe;óm|7,%T_?!ü7??ÜOÏTklE`Ç-ù?QLùfÊ< ??¦ÈðâéÔJùì?VÉÝv?Ã?Oló
atG©Æ@W?¼e"Å'gOWÛdZٍº?/ô®?iíéôÏ)ØàJ? /?LQ»FÄ?7N ã 1hÇ?Ä?è~¼2h??DØ*Q`M?ët:ßC2È9V?:RÓA¤Côíï3'Û9àN&ÉØõ9â?¸?]·)&Aê³?®?
üwuÊèʵþâeJc>DÄÐÃ^?s©?¯0?/0? ~ñØK?¹ZÔÏöò¸ ôòå0
 *?H?÷
0®1 0 UUS1 0 UUT10USalt Lake City10U
The USERTRUST Network1!0U http://www.usertrust.com1604U-UTN-USERFirst-Clien
t Authentication and Email0
100315000000Z
110315235959Z0Ü1503U ,Comodo Trust Network - PERSONA NOT VALIDATED1F0DU =Terms and Conditions of use: http://www.comodo.net/repository10U (c)2003 Comodo Limited10U Scott Miles1$0" *?H?÷
 smiles (at) clearskies (dot) net0 [email concealed]?"0
 *?H?÷
?0?
?ÞÌ6^[òôgøX k?Bý¾roHù®Jèü?É,#íçÎ??¹ÅYf÷5?Llº?Ï ë0±&Ï@0M¢R]?´üò\¦WµøQæÜ7v???Rkà?wÁ??VÞ«?ð$?ê_ ,sp?oH?ñ?ü¿Ì1?Å?0¢^@!?¶³m?wÝ?-ÌÑêû @òí3Rkã²z?P3.Y¾ÞnëV×<1 Ц®ò¼246??!*?+¼p?£ÜO>?mä?̨@µ5MjlJ?.ÀÖ¬Wß¼??|r½õ?óU¦Õ??my%÷Á ÛnëÓ±±7rÚac£?0?0U#0???g}ĝ&pK´PH|Þ=®n}0U,»H
?®U¥?ÆÿVÈv£j&¿L0Uÿ 0 Uÿ00 U%0+ +²10 `?H?øB 0FU ?0=0; +²10+0)+https://secure.comodo.net/CPS0¥U0?0
L J H?Fhttp://crl.comodoca.com/UTN-USERFirst-ClientAuthenticationandEmai
l.crl0J H F?Dhttp://crl.comodo.net/UTN-USERFirst-ClientAuthenticationand
Email.crl0l+`0^06+0?*http://crt.comodoca.com/UTNAAACli
entCA.crt0$+0?http://ocsp.comodoca.com0 U0smiles (at) clearskies (dot) net0 [email concealed]
 *?H?÷
?uã+ÒÏ:
û$Ò?Ìö°? ­Rùr?w?r¾ð?é&ÇV@oºZÏ?aÝÝת2©4]} ·ÇF±¢¹)@v?Nsbõ_-"ÝôRXýg5
}??´]@C?6W¥:KD]{\.?w+®ÛºìoáÙ¸u¬õ?Í03ëZÆ?oÉ[íJùï?DºEÇ"?¸AÁ~ »%x½ÿÉ ¸åºØpÛíG0%?õ/Mý[]#?ùX_Õe??FOú5ßɽ§'6Ã&f7SĽ´¾à?
Ë'* ?J?ißr )]ô8?£FÁ¬_@?VJ3"?ø¥³
{Éø??Þû/«Q0?/0? ~ñØK?¹ZÔÏöò¸ ôòå0
 *?H?÷
0®1 0 UUS1 0 UUT10USalt Lake City10U
The USERTRUST Network1!0U http://www.usertrust.com1604U-UTN-USERFirst-Clien
t Authentication and Email0
100315000000Z
110315235959Z0Ü1503U ,Comodo Trust Network - PERSONA NOT VALIDATED1F0DU =Terms and Conditions of use: http://www.comodo.net/repository10U (c)2003 Comodo Limited10U Scott Miles1$0" *?H?÷
 smiles (at) clearskies (dot) net0 [email concealed]?"0
 *?H?÷
?0?
?ÞÌ6^[òôgøX k?Bý¾roHù®Jèü?É,#íçÎ??¹ÅYf÷5?Llº?Ï ë0±&Ï@0M¢R]?´üò\¦WµøQæÜ7v???Rkà?wÁ??VÞ«?ð$?ê_ ,sp?oH?ñ?ü¿Ì1?Å?0¢^@!?¶³m?wÝ?-ÌÑêû @òí3Rkã²z?P3.Y¾ÞnëV×<1 Ц®ò¼246??!*?+¼p?£ÜO>?mä?̨@µ5MjlJ?.ÀÖ¬Wß¼??|r½õ?óU¦Õ??my%÷Á ÛnëÓ±±7rÚac£?0?0U#0???g}ĝ&pK´PH|Þ=®n}0U,»H
?®U¥?ÆÿVÈv£j&¿L0Uÿ 0 Uÿ00 U%0+ +²10 `?H?øB 0FU ?0=0; +²10+0)+https://secure.comodo.net/CPS0¥U0?0
L J H?Fhttp://crl.comodoca.com/UTN-USERFirst-ClientAuthenticationandEmai
l.crl0J H F?Dhttp://crl.comodo.net/UTN-USERFirst-ClientAuthenticationand
Email.crl0l+`0^06+0?*http://crt.comodoca.com/UTNAAACli
entCA.crt0$+0?http://ocsp.comodoca.com0 U0smiles (at) clearskies (dot) net0 [email concealed]
 *?H?÷
?uã+ÒÏ:
û$Ò?Ìö°? ­Rùr?w?r¾ð?é&ÇV@oºZÏ?aÝÝת2©4]} ·ÇF±¢¹)@v?Nsbõ_-"ÝôRXýg5
}??´]@C?6W¥:KD]{\.?w+®ÛºìoáÙ¸u¬õ?Í03ëZÆ?oÉ[íJùï?DºEÇ"?¸AÁ~ »%x½ÿÉ ¸åºØpÛíG0%?õ/Mý[]#?ùX_Õe??FOú5ßɽ§'6Ã&f7SĽ´¾à?
Ë'* ?J?ißr )]ô8?£FÁ¬_@?VJ3"?ø¥³
{Éø??Þû/«Q1?]0?Y0Ã0®1 0 UUS1 0 UUT10USalt Lake City10U
The USERTRUST Network1!0U http://www.usertrust.com1604U-UTN-USERFirst-Clien
t Authentication and Email~ñØK?¹ZÔÏöò¸ ôòå0 + ?n0 *?H?÷
 1  *?H?÷
0 *?H?÷
 1
100413201847Z0# *?H?÷
 1?û???¹,ÓùÀ~Ö§L¶hÞé0_ *?H?÷
 1R0P0  `?He0
*?H?÷
0*?H?÷
?0
*?H?÷
@0+0
*?H?÷
(0Ô +?71Æ0Ã0®1 0 UUS1 0 UUT10USalt Lake City10U
The USERTRUST Network1!0U http://www.usertrust.com1604U-UTN-USERFirst-Clien
t Authentication and Email~ñØK?¹ZÔÏöò¸ ôòå0Ö *?H?÷
  1Æ Ã0®1 0 UUS1 0 UUT10USalt Lake City10U
The USERTRUST Network1!0U http://www.usertrust.com1604U-UTN-USERFirst-Clien
t Authentication and Email~ñØK?¹ZÔÏöò¸ ôòå0
 *?H?÷
?dìâ7qF(EXò?IRçÝ­é·1Rú¡Èå²jsá¿u?úKzAÝ?áÖL·Ì?Ts?¬AAF£ µ?Evê«´:ÏAûFÊEQ
Ìaj?Ôà`E,Í?4MiÍ?¼I«ú²*;ôbÈÓáÀ?÷]?S­Þ??1î*? ôéx ?{Ä"¦B?ÃecËphv?`iY'ôÆhL !ËéÁÍ6k%|~8Z?H ôï?µ?vìÛBB ?5?¡+8Ç, £ìi;ÚºõsbrjvÒ\ínf÷ãeH,.±3à´:>ï?ÞèrÉ Ô??v)ÍþCyÄôf\à9£?ø¦

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus