A security researcher went public with his concerns, but the ModSecurity maintainers insist that the default WAF settings are secure
ModSecurity 3 web application firewall (WAF) installations configured to disable Request Body Access can be bypassed, security researchers warn.
The purported issue in ModSecurity rule sets is limited to ModSecurity 3 (not the earlier ModSecurity 2 version of the product) and does not affect WAF admins who give the engine access to the request body.
Nonetheless, for those affected the risk is substantial, according to Christian Folini, a Swiss security researcher and author.
Ervin Hegedüs, the security researcher who identified the problem, reported the issue to the ModSecurity team on December 2.
Despite more than three months of discussion, the issue remains unresolved, an unsatisfactory state of affairs that prompted Folini to go public with his concerns in a technical blog post earlier this week.
Trustwave, the firm behind ModSecurity, denied that there was a vulnerability, describing the issue as a risk inherent only to a particular advanced configuration setting.
ModSecurity is a popular open source web application firewall (WAF) that works by applying pre-set rules to HTTP traffic. The technology is often paired with the Nginx web server.
Security administrators can either write their own custom rules or deploy existing rule libraries, such as those from the free-to-install OWASP ModSecurity Core Rule Set (CRS) project.
Folini, CRS project co-lead, told The Daily Swig: “If you run CRS or one of the known commercial ModSecurity rule sets on ModSecurity 3 and you disable Request Body Access for the WAF, then you have configured a complete WAF bypass.
“This is because skipping request body access is implemented as skipping the request body phase (= phase 2) of rule processing in ModSecurity 3.”
The ModSecurity WAF engine is maintained by security vendor Trustwave.
In response to queries from The Daily Swig, Trustwave offered a statement denying there was any problem with its technology:
The issue outlined in the Core Rule Set blog post is not a vulnerability. It references an advanced configuration setting, which by default is on and must be disabled to create the behavior mentioned in the blog.
This setting can be used to disable a significant portion of the ModSecurity workflow and should only be used by experienced users, as indicated in the documentation.
This specific issue has been discussed at length in the ModSecurity community forums, and as a result, code changes have been developed to make it clearer that disabling these default settings can have undesired results. These code changes will be part of version 3.1 of ModSecurity, which will be available after testing of the entire release by the open-source community has been finalized.
In response to CVE-2020-15598, we released the following blog post back in September 2020: ModSecurity, Regular Expressions and Disputed CVE-2020-15598
Folini, who confirmed that his concerns stand despite Trustwave’s denial of any problem, explained that the issue is hard to defend against in the absence of a comprehensive fix from ModSecurity/Trustwave.
“The ModSecurity developers have not provided a fix for this problem, despite being informed about it on December 2,” according to Folini.
Folini reckons that fewer than a fifth of all ModSecurity installations worldwide have been set up with this ‘vulnerable’ configuration.
Administrators might disable Request Body Access for “performance reasons at times (trading security for performance, while retaining some security), or they are only interested in certain types of rules”.
The security researchers went on to suggest potential workarounds for the configuration-dependent security issue in ModSecurity 3.
“Enabling Request Body Access is the best approach,” Folini said. “Yet people usually disable it for a reason, so this might not be viable.”
Folini continued: “Moving as many rules from phase 2 to phase 1 is another alternative. We tried to do this for CRS, planning to release that as v 3.3.1, yet we had to give up that plan because of the many different negative side effects it provoked and more ModSecurity3 bugs that surfaced along the way.”
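The bypass condition Folini describes (on ModSecurity 3, turning Request Body Access off skips the whole phase-2 pass, so every phase-2 rule goes dead) and the two mitigations he lists (re-enable body access, or move rules to phase 1) can be audited for in a configuration before it is deployed. The following Python script is an added example written for this article; it is not code from the article, from CRS or from the ModSecurity project. The configuration fragments, rule ids 1001 to 1003 and the audit() helper are constructed for illustration. The script models ModSecurity 3 behaviour as the article reports it and assumes, for rules that name no phase, the reference-manual default of phase 2.

```python
import re

# Constructed ModSecurity 3 configuration fragment (illustration only; not CRS or ModSecurity code).
# The admin has switched off body access "for performance" while still relying on
# phase-2 rules to catch payloads in POST parameters and in the raw body.
WEAK_CONF = r"""
SecRuleEngine On
SecRequestBodyAccess Off
SecRule REQUEST_URI "@contains /admin" "id:1001,phase:1,deny,status:403,msg:'admin path blocked'"
SecRule ARGS "@rx (?i)union\s+select" "id:1002,phase:2,deny,status:403,msg:'SQLi in parameters'"
SecRule REQUEST_BODY "@contains <script" "id:1003,phase:2,deny,status:403,msg:'script tag in body'"
"""

# Corrected fragment: the mitigation Folini calls "the best approach".
FIXED_CONF = WEAK_CONF.replace("SecRequestBodyAccess Off", "SecRequestBodyAccess On")

# The alternative mitigation from the article: move what can be moved to phase 1.
# In phase 1 rule 1002 only sees query-string arguments, because the body has not
# been parsed yet, so this is partial coverage rather than equivalent protection.
PHASE1_CONF = WEAK_CONF.replace("id:1002,phase:2", "id:1002,phase:1")

BODY_ACCESS_RE = re.compile(r"^\s*SecRequestBodyAccess\s+(On|Off)\b", re.I | re.M)
RULE_RE = re.compile(r'^\s*SecRule\s+(\S+)\s+"[^"]*"\s+"([^"]*)"', re.M)
ID_RE = re.compile(r"(?:^|,)\s*id:(\d+)")
PHASE_RE = re.compile(r"(?:^|,)\s*phase:(\d)")


def body_access_enabled(conf):
    """Effective SecRequestBodyAccess: On when the directive is absent, last directive wins."""
    found = BODY_ACCESS_RE.findall(conf)
    return not found or found[-1].lower() == "on"


def rule_phase(actions):
    """Phase named in a rule's action list; assumption: no explicit phase means phase 2."""
    m = PHASE_RE.search(actions)
    return int(m.group(1)) if m else 2


def audit(conf):
    """Return (body_access_on, ids_of_rules_that_never_run).

    Models the ModSecurity 3 behaviour described in the article: with
    SecRequestBodyAccess Off the whole phase-2 pass is skipped, so every
    phase-2 rule is dead, whatever variables it inspects.
    """
    enabled = body_access_enabled(conf)
    dead = []
    for _target, actions in RULE_RE.findall(conf):
        rule_id = ID_RE.search(actions).group(1)
        if rule_phase(actions) == 2 and not enabled:
            dead.append(rule_id)
    return enabled, dead


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF), ("phase1", PHASE1_CONF)):
        enabled, dead = audit(conf)
        state = "On" if enabled else "Off"
        print(f"{name}: SecRequestBodyAccess {state}; rules that never run: {dead or 'none'}")
```

Run against the weak fragment the audit reports both body-inspecting rules as dead; the corrected fragment reports none; the phase-1 variant still reports rule 1003, which has no phase-1 equivalent because the body simply is not available yet. The article says ModSecurity 2 is not affected, so this check is specific to the v3 engine behaviour reported here.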