The WAPPLES web application firewall is faulted for several flaws

John Leyden September 15, 2022 at 14:43 UTC

Updated: September 15, 2022 at 14:48 UTC

Researcher Discovers RCEs and Undocumented Backdoor Risks

Multiple vulnerabilities in the WAPPLES Web Application Firewall (WAF) have created a way to commandeer vulnerable devices and execute arbitrary commands, a researcher warns.

Another set of flaws in the technology created a way to access the device with privileges through a “backdoor account”, according to security researcher Konstantin Burov.

Specifically, the Kazakhstan-based security researcher discovered vulnerabilities in WAPPLES from version 4.0 to 6.0 that allowed a remote attacker to execute arbitrary code or obtain confidential information using predefined credentials, among other exploits.

Burov also discovered that it was possible to increase user privileges to root in versions 5.0 and 6.0 of the technology.


WAPPLES, from Penta Security Systems, is delivered as a hardware appliance or virtual machine. In either case, the technology is designed to protect what might otherwise be vulnerable websites or applications from potential attack.

The technology is most widely used in Japan and South Korea, according to Shodan-based research conducted by Burov.

The vulnerabilities – tracked as CVE-2022-24706, CVE-2022-31322, CVE-2022-35413, CVE-2022-31324 and CVE-2022-35582 – are documented in a technical blog post.

The most severe, remote code execution (RCE) – tracked as CVE-2022-24706 (currently under reanalysis) – stems from reliance on a vulnerable third-party component.

“WAPPLES uses a vulnerable version of CouchDB in the default configuration that leads to the execution of operating system commands remotely,” Burov explains. “To exploit this vulnerability, the attacker must have access to the management interface.”

Burov warned: “An attacker could gain unprivileged access to a system as user ‘couchdb’ and then escalate privileges using the other vulnerabilities.”

Pentathlon

Separately, Burov discovered that “the operating system on which WAPPLES runs has a built-in unprivileged user ‘penta’ with a predefined password.

“The password is revealed in the system script and differs between different versions of the product,” according to the researcher.

The practical result of this unclosed backdoor (tracked as CVE-2022-35582) is that even moderately skilled attackers may well be able to obtain the credentials of the device and thereby gain uncontrolled access to the device.

Hard-coded credentials for the Web API of some recent versions of WAPPLES were also exposed, Burov discovered. WAPPLES’ flaws undermined the protection it might otherwise offer.


Burov, a security engineer and pen tester, told The daily sip that he does security research in his spare time.

“My colleagues showed me this product, and I almost immediately found the classic CLI command injection bug,” he explained. “And I decided to look under the hood, because I was sure there were more serious bugs.

“I cannot confirm that the issue has been resolved by the vendor as I currently do not have access to the WAPPLES appliance. All I have are assurances from the vendor.”

After failing to get a response from Penta Security, Burov contacted Cloudbric Corp, a Penta Security partner, who told him the issues had been resolved.

The daily sip also approached Penta Security and Cloudbric for comment. No response yet, but we’ll update this story as soon as more information becomes available.

Burov said his research results offer lessons for other software developers.

“If you integrate other technologies into your product, you should know it as if it were your own product – for example, in the CouchDB manual it was described that the default Erlang Cookie should change,” he explained. “I also recommend studying the benchmark ‘OWASP Secure Coding Practices’.”
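The two lessons above (a bundled CouchDB left with its shipped Erlang cookie, and a service password written into a system script) both come down to auditing what you ship. The following is an added example, not code from the article, the researcher or Penta Security: a small Python auditor that flags an Erlang `vm.args` still carrying the cookie value CouchDB ships by default (`monster`, the documented default the CouchDB manual tells operators to replace) and flags shell-script lines that assign a secret-looking variable to a literal value. The `vm.args` and script inputs are constructed samples, not configuration from any real appliance.

```python
import re

# Cookie value CouchDB ships in etc/vm.args (documented default that the
# manual says to change); assumption for this example, not taken from the page.
DEFAULT_ERLANG_COOKIE = "monster"

# Constructed sample inputs for the audit; not from any real product.
SAMPLE_VM_ARGS = """\
-name couchdb@127.0.0.1
-setcookie monster
-kernel error_logger silent
"""

SAMPLE_SHELL_SCRIPT = """\
#!/bin/sh
# constructed provisioning script
SERVICE_USER=svc
SERVICE_PASS='CHANGEME_example'
echo "$SERVICE_USER:$SERVICE_PASS" | chpasswd
API_TOKEN=""
DB_PASSWORD=$DB_PASSWORD_FROM_ENV
"""


def audit_vm_args(text):
    """Return findings for an Erlang vm.args: shipped-default or missing cookie."""
    findings = []
    cookie = None
    for line in text.splitlines():
        m = re.match(r"\s*-setcookie\s+(\S+)", line)
        if m:
            cookie = m.group(1)  # last -setcookie wins, as in Erlang's arg parsing
    if cookie is None:
        findings.append("no -setcookie: node falls back to ~/.erlang.cookie")
    elif cookie == DEFAULT_ERLANG_COOKIE:
        findings.append("-setcookie uses the shipped default cookie")
    return findings


# Shell assignment whose variable name suggests a credential. Group 1 is the
# name, group 2 the optional quote character, group 3 the literal value.
CRED_ASSIGN = re.compile(
    r"""^\s*(?:export\s+)?
        ([A-Za-z_][A-Za-z0-9_]*(?:PASS|PASSWORD|PASSWD|SECRET|TOKEN)[A-Za-z0-9_]*)
        \s*=\s*(['"]?)(.*?)\2\s*$""",
    re.IGNORECASE | re.VERBOSE,
)


def audit_script_credentials(text):
    """Return (line_no, var_name) for secret-like variables set to a literal.

    Empty values and values expanded from the environment ($VAR) are not
    hard-coded and are skipped.
    """
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = CRED_ASSIGN.match(line)
        if not m:
            continue
        value = m.group(3)
        if not value or value.startswith("$"):
            continue
        hits.append((no, m.group(1)))
    return hits


def run_audit(vm_args=SAMPLE_VM_ARGS, script=SAMPLE_SHELL_SCRIPT):
    """Audit both inputs and return a report dict (used by the demo below)."""
    return {
        "vm_args": audit_vm_args(vm_args),
        "script_credentials": audit_script_credentials(script),
    }


if __name__ == "__main__":
    for section, findings in run_audit().items():
        print(section)
        for f in findings:
            print("  -", f)
```

Point the two functions at a firmware or VM image's extracted `/opt/couchdb/etc/vm.args` and its provisioning scripts; a clean image yields an empty list from each, which is what a release gate should require.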
