On September 19th 2017, a remote command execution (RCE) vulnerability affecting the DenyAll Web Application Firewall was reported by the pentester Mehmet Ince on his website (read the article). The vulnerability allows remote code execution through the administration interface of the WAF, with no authentication required. To prevent this attack, we strongly recommend that the administration interface (running on port 3001/tcp) be restricted to administrators only (by source IP firewalling or admin VLAN segregation).
Details of the vulnerability
The vulnerability allows attackers to remotely execute shell commands, without authenticating, through the PHP API running on the administration interface (port 3001/tcp) of the WAF.
Mehmet Ince found this vulnerability by instantiating DenyAll WAF v6.3 on AWS, reading the code of this PHP API from the file system and chaining two issues: an authentication token bypass and a parameter injection. More details are provided in his blog post.
Which DenyAll products are impacted by this disclosure?
This vulnerability affects all current versions of i-Suite and DenyAll WAF, whether they are installed on premises or in the AWS/Azure clouds:
- i-Suite LTS version 5.5 (5.5.0 to 5.5.12)
- i-Suite 5.6
- DenyAll WAF 5.7
- DenyAll WAF 6.0 to 6.4.0.
Fixing the vulnerability
Security hotfixes (RSE) are being released and are available on our customer support portal (https://my.denyall.com) for the following versions: 5.5.4, 5.5.6, 5.5.10, 5.5.12, 6.3.0 and 6.4.0.
For LTS 5.5.x versions: Tech support > Download > Choose i-Suite & DenyAll WAF Products > SECURITY UPDATES FOR LTS I-SUITE & LVS DENYALL WAF > Vulnerability patches (RSE)
This vulnerability will also be fixed in version 6.4.1, which will be released soon (replacing 6.4.0).
Finally, the upcoming version 6.5.0 will include substantial security improvements, among them code obfuscation of all sensitive PHP classes and encapsulation of command execution (shell exec).
We also strongly recommend that the administration interface (port 3001/tcp) be restricted to administrators only, whether or not the hotfix has been applied. This can be done by limiting access to this port to the source IP addresses of administrator devices (firewall rule) or, even better, by dedicating one network interface to management and the other interfaces to traffic, so that the management interface can sit on an admin VLAN. For any further details, please contact the DenyAll Support Team.
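The following script is an added example of the firewall recommendation above; it is not DenyAll's own code or configuration. It assumes the WAF host is a Linux system where iptables is available, that administrators reach the appliance from the constructed placeholder networks in ADMIN_SOURCES (an admin VLAN and a jump host) and through a dedicated management interface MGMT_IF (leave it empty for a single-interface deployment). It prints the rules for review by default, applies them only when run with `apply`, and logs any other connection attempt to 3001/tcp so that the SOC has something to alert on.

```sh
#!/bin/sh
# Added example, not DenyAll's own code or configuration.
# Restricts the WAF administration interface (3001/tcp) to administrator
# sources with iptables, and logs everything else that tries to reach it.
# Assumptions not stated in the advisory: the WAF host is Linux with
# iptables; ADMIN_SOURCES and MGMT_IF are constructed placeholders that
# must be replaced with your admin VLAN / jump host and your dedicated
# management interface (leave MGMT_IF empty if there is only one NIC).

ADMIN_SOURCES="${ADMIN_SOURCES:-10.0.100.0/24 192.0.2.10/32}"  # constructed: admin VLAN + jump host
MGMT_IF="${MGMT_IF:-eth1}"                                      # assumed: dedicated management NIC
ADMIN_PORT=3001                                                 # DenyAll administration interface

# Emit the iptables commands (one per line) without applying them,
# so they can be reviewed or attached to a change ticket first.
admin_port_rules() {
    # Bind the ACCEPT rules to the management interface only when one is set.
    if [ -n "$MGMT_IF" ]; then
        in_if="-i $MGMT_IF"
    else
        in_if=""
    fi
    for src in $ADMIN_SOURCES; do
        printf 'iptables -A INPUT %s -p tcp --dport %s -s %s -j ACCEPT\n' \
            "$in_if" "$ADMIN_PORT" "$src"
    done
    # Rate-limited log, then drop, for every other attempt to reach the admin
    # port: the "WAF-ADMIN-DENIED" kernel log line is what a SOC can alert on.
    printf 'iptables -A INPUT -p tcp --dport %s -m limit --limit 5/min -j LOG --log-prefix "WAF-ADMIN-DENIED: "\n' \
        "$ADMIN_PORT"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$ADMIN_PORT"
}

# Number of rules that would be installed: a quick sanity check before apply
# (one ACCEPT per admin source, plus the LOG and DROP rules).
admin_rule_count() {
    admin_port_rules | grep -c '^iptables'
}

case "${1:-print}" in
    apply) admin_port_rules | sh ;;   # requires root on the WAF host
    print) admin_port_rules ;;
esac
```

After applying, verify the restriction from a host that is not in ADMIN_SOURCES: a connection attempt to the WAF on 3001/tcp (for instance with `nc -zv -w 3 <waf-ip> 3001`) must time out rather than connect, and the attempt should appear in the kernel log with the WAF-ADMIN-DENIED prefix. Keep in mind that these rules only reduce exposure; installing the RSE hotfix is still required.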