On September 19th 2017, a remote command execution (RCE) vulnerability affecting the DenyAll Web Application Firewall was reported by the pentester Mehmet Ince on his website (read the article). This vulnerability allows remote code execution through the administration interface of the WAF, with no authentication required. To prevent this attack, we strongly recommend that the administration interface (running on port 3001/tcp) be restricted to administrators only (by source IP firewalling or admin VLAN segregation).
Details of the vulnerability
The vulnerability allows attackers to remotely execute shell commands through the PHP API running on the administration interface (port 3001/tcp) of the WAF.
Mehmet Ince found this vulnerability by instantiating DenyAll WAF v6.3 on AWS, accessing the code of this PHP API through the file system and identifying a combination of two issues (authentication token bypass and parameter injection). More details are provided in his blog post.
Which DenyAll products are impacted by this disclosure?
This vulnerability affects all current versions of i-Suite and DenyAll WAF, whether they are installed on premises or in the AWS/Azure clouds:
- i-Suite LTS version 5.5 (5.5.0 to 5.5.12)
- i-Suite 5.6
- DenyAll WAF 5.7
- DenyAll WAF 6.0 to 6.4.0.
Fixing the vulnerability
Security hotfixes (RSE) are being released and are available on our customer support portal (https://my.denyall.com) for the following versions: 6.4.0, 6.3.0, 5.5.4, 5.5.10, 5.5.12 and 5.5.6.
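Until the hotfix is applied, the interim measure recommended above is to firewall the administration interface on 3001/tcp. The following script is an added example, not DenyAll tooling: it prints (without applying) iptables rules that allow 3001/tcp only from an assumed administrator network and drop everything else to that port, and it audits an `ss -ltn`-style listing to flag the admin port being bound on a wildcard address. ADMIN_NET and the sample listing are constructed assumptions.

```shell
#!/bin/sh
# Added example: restrict the WAF admin interface (3001/tcp) to an admin
# source network and check a socket listing for wildcard exposure.
WAF_ADMIN_PORT=3001
ADMIN_NET="${ADMIN_NET:-10.10.0.0/24}"   # assumed admin VLAN; adjust to yours

# Print iptables rules (not applied here) so they can be reviewed first.
# Inserting at positions 1 and 2 keeps the ACCEPT ahead of the DROP and
# ahead of any earlier blanket ACCEPT rule in the INPUT chain.
gen_admin_rules() {
  printf 'iptables -I INPUT 1 -p tcp --dport %s -s %s -j ACCEPT\n' \
    "$WAF_ADMIN_PORT" "$ADMIN_NET"
  printf 'iptables -I INPUT 2 -p tcp --dport %s -j DROP\n' "$WAF_ADMIN_PORT"
}

# Read an `ss -ltn`-style listing on stdin. Print "exposed" if the admin
# port is listening on a wildcard address (0.0.0.0, *, or [::]), else "ok".
# A wildcard bind is only a problem without a filtering rule in front of it,
# so treat "exposed" as a prompt to verify the firewall, not as proof.
audit_admin_listener() {
  awk -v port="$WAF_ADMIN_PORT" '
    $1 == "LISTEN" {
      n = split($4, a, ":"); bound = a[n]
      if (bound == port &&
          ($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^\*:/ || $4 ~ /^\[::\]:/)) found = 1
    }
    END { print (found ? "exposed" : "ok") }'
}

# Constructed sample listing (not captured from a real appliance).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:3001        0.0.0.0:*
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*'

echo "# proposed rules:"
gen_admin_rules
echo "# admin port audit: $(printf '%s\n' "$SAMPLE_SS" | audit_admin_listener)"
```

Run the audit against live output with `ss -ltn | audit_admin_listener` on the appliance, and apply the printed rules only after reviewing them against the existing INPUT chain.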