Imperva SecureSphere Web Application Firewall and Database Firewall Bypass Vulnerability

CSS10-01: Imperva SecureSphere Web Application Firewall and Database Firewall Bypass Vulnerability
April 5, 2010

BACKGROUND
==========
The Imperva SecureSphere Web Application Firewall protects web 
applications and sensitive data against sophisticated attacks and 
brute force attacks, stops online identity theft, and prevents data 
leaks from applications. The Imperva SecureSphere Database Firewall 
monitors and proactively protects databases from internal abuse, 
database attacks, and unauthorized activity.  (Source: 
http://www.imperva.com/products/securesphere-data-security-suite.html) 

SUMMARY
=======
Imperva SecureSphere Web Application Firewall and Database Firewall 
products can be bypassed by appending specially crafted data to 
requests. Protection provided by the Imperva device against attacks 
such as SQL injection and Cross-Site Scripting is negated, allowing 
unfiltered requests through to protected applications.

SEVERITY RATING
===============
Rating: High Risk - CVSS 7.8 (AV:N/AC:L/Au:N/C:N/I:C/A:N) 
Impact: Bypass security control
Where:  Remote

THREAT EVALUATION
=================
An attacker can use this flaw to bypass firewall protections. Anyone 
with the ability to interact with protected web applications and 
databases can exploit this vulnerability. Only minimal skill is 
required and the bypass can be incorporated into existing exploitation 
frameworks and security testing tools. Exploitation of this issue does 
not permanently affect the device; each evasion request must contain 
the bypass payload.

IDENTIFYING VULNERABLE INSTALLATIONS
====================================
Administrators can identify the current version in use by going to the 
Licensing menu in the administration console. Versions less than those 
identified in the Solutions section below are vulnerable.

DETECTING EXPLOITATION
======================
The Imperva device provides no indication when this vulnerability is 
exploited. If other controls are in place such as network traffic 
monitors, IDS/IPS, or web filters, these should be configured to alert 
on payloads containing attack patterns.
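The advisory recommends that compensating controls (IDS/IPS, traffic monitors, web filters) alert on payloads carrying attack patterns, but it does not disclose the crafted data used for the bypass. The following Python script is an added example, not part of the Clear Skies advisory or any Imperva product, showing the shape of such a compensating check: it percent-decodes each request target (a bounded number of rounds, so double-encoded payloads are also seen in cleartext) and matches coarse SQL injection and Cross-Site Scripting indicators across the entire decoded path and query, so that data appended after the payload does not move the indicator out of view. The log lines, the indicator patterns and the function names are all constructed for this example.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (method, target, protocol, status); not from the advisory.
SAMPLE_LOG = """\
GET /search?q=laptops HTTP/1.1 200
GET /item?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1 200
GET /item?id=1%27%20OR%20%271%27%3D%271&pad=AAAAAAAAAAAAAAAA HTTP/1.1 200
GET /comment?text=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1 200
GET /about HTTP/1.1 200
"""

# Coarse indicators for the two attack classes the advisory names (SQL injection, XSS).
# Deliberately simple: the point is where they are applied, not their completeness.
PATTERNS = {
    "sqli": re.compile(r"('\s*(or|and)\s*'?\d|union\s+select|;\s*drop\s+table)", re.I),
    "xss": re.compile(r"(<script\b|javascript:|on\w+\s*=)", re.I),
}


def normalize(value: str, rounds: int = 2) -> str:
    """Percent-decode repeatedly (bounded) so encoded and double-encoded payloads are
    inspected in cleartext. Stops early once decoding no longer changes the value."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target: str) -> List[str]:
    """Return the attack classes whose indicators appear anywhere in the decoded
    request target. The whole path and query are scanned, including any data
    appended after a payload, rather than only a leading portion."""
    parts = urlsplit(target)
    haystack = normalize(parts.path + "?" + parts.query)
    return [name for name, rx in PATTERNS.items() if rx.search(haystack)]


def scan_log(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, target, hits) for every log line carrying an indicator."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line; skip rather than crash the monitor
        found = classify_request(fields[1])
        if found:
            hits.append((n, fields[1], found))
    return hits


if __name__ == "__main__":
    for n, target, found in scan_log(SAMPLE_LOG):
        print(f"line {n}: {found} in {target}")
```

Run against the constructed log, lines 2, 3 and 4 are flagged; line 3 is the same SQL injection string as line 2 with trailing data appended, and is still caught because the indicators are matched over the full decoded target. A real monitor would apply the same normalize-then-scan step to request bodies and headers as well, not only the query string.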

AFFECTED SOFTWARE
=================
This vulnerability affects SecureSphere G-series and Database 
Firewalls running versions of the Web Application and Database 
Firewall product from before March 9, 2010. This includes all versions 
of SecureSphere from 5.0 through 7.0.

SOLUTION
========
The vendor has released patches for affected versions to address this 
issue. Customers are strongly encouraged to apply the update as soon 
as possible. Refer to 
http://www.imperva.com/resources/adc/adc_advisories_response_clearskies.html 
for upgrade instructions. No reliable workaround is available.

The vendor has provided the following version and patch data:

Version                  Patch Number
7.0.0.7078               Patch 11
7.0.0.7061               Patch 11
6.2.0.6463               Patch 24
6.2.0.6442               Patch 24
6.0.6.6302               Patch 30
6.0.6.6274               Patch 30
6.0.5.6238               Patch 30
6.0.5.6230               Patch 30
6.0.4.6128               Patch 30
5.0.0.5082               Patch 30
6.0.4.6128 on XOS 8.0/5  ssgw-6128-CBI10
7.0.0.7078 on XOS 8.5.3  ssgw-7.0.0.7267-CBI28
 
VULNERABILITY ID
================
CVE-2010-1329 

TIME TABLE
==========
2009-08-31 - Vendor notified.
2010-03-09 - Vendor released patched firmware.
2010-04-05 - Public notification.

REFERENCES
==========
http://www.clearskies.net/documents/css-advisory-css1001-imperva.php 
http://www.imperva.com/resources/adc/adc_advisories_response_clearskies.html 

CREDITS
=======
Scott Miles and Greag Johnson, Clear Skies Security, identified this 
flaw. 

Clear Skies would like to thank Mike Sanders and Accuvant Labs for 
their assistance in clarifying and working with the vendor to correct 
this issue.

LEGAL NOTICES
=============
Disclaimer: The information in the advisory is believed to be 
accurate at the time of publishing and is subject to change without 
notice. Use of the information constitutes acceptance for use in an 
AS IS condition. There are no warranties with regard to this 
information. The author is not liable for any direct, indirect, or 
consequential loss or damage arising from use of, or reliance on, 
this information.

Copyright 2010 Clear Skies Security, LLC.
Permission is granted for the redistribution of this alert 
electronically. To reprint this alert, in whole or in part, in any 
other medium other than electronically, please e-mail info (at) 
clearskies (dot) net for permission.
