From: Clear Skies Security (smilesclearskies.net)
Date: Tue Apr 13 2010 - 15:18:47 CDT
CSS10-01: Imperva SecureSphere Web Application Firewall and Database Firewall Bypass Vulnerability
April 5, 2010
The Imperva SecureSphere Web Application Firewall protects web
applications and sensitive data against sophisticated attacks and
brute force attacks, stops online identity theft, and prevents data
leaks from applications. The Imperva SecureSphere Database Firewall
monitors and proactively protects databases from internal abuse,
database attacks, and unauthorized activity. (Source:
Imperva SecureSphere Web Application Firewall and Database Firewall
products can be bypassed by appending specially crafted data to
requests. Protection provided by the Imperva device against attacks
such as SQL injection and Cross-Site Scripting is negated, allowing
unfiltered requests through to protected applications.
Rating: High Risk - CVSS 7.8 (AV:N/AC:L/Au:N/C:N/I:C/A:N)
Impact: Bypass security control
An attacker can use this flaw to bypass firewall protections. Anyone
with the ability to interact with protected web applications and
databases can exploit this vulnerability. Only minimal skill is
required and the bypass can be incorporated into existing exploitation
frameworks and security testing tools. Exploitation of this issue does
not permanently affect the device; each evasion request must contain
the bypass payload.
IDENTIFYING VULNERABLE INSTALLATIONS
Administrators can identify the version currently in use by going to the
Licensing menu in the administration console. Versions earlier than those
identified in the Solutions section below are vulnerable.
The Imperva device provides no indication when this vulnerability is
exploited. If other controls are in place such as network traffic
monitors, IDS/IPS, or web filters, these should be configured to alert
on payloads containing attack patterns.
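The kind of downstream check described above, as an added example that is not part of the original advisory: a Python scan of origin-server access logs, which only contain requests the WAF already let through, for SQL injection and Cross-Site Scripting patterns. The log format, the signature set and the sample lines are assumptions constructed for illustration; the advisory does not publish the bypass payload and none is modelled here.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample of origin-server access-log lines (assumed combined log
# format). Everything logged here has already passed through the WAF.
SAMPLE_LOG = """\
192.0.2.10 - - [13/Apr/2010:10:01:02 -0500] "GET /products?id=42 HTTP/1.1" 200 5120
192.0.2.11 - - [13/Apr/2010:10:01:09 -0500] "GET /products?id=42%20UNION%20SELECT%20name,pass%20FROM%20users HTTP/1.1" 200 8841
192.0.2.12 - - [13/Apr/2010:10:02:30 -0500] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2210
192.0.2.13 - - [13/Apr/2010:10:03:44 -0500] "GET /search?q=union+station+hotels HTTP/1.1" 200 3302
192.0.2.14 - - [13/Apr/2010:10:04:00 -0500] "GET /item?id=1%2527%2520OR%25201%253D1 HTTP/1.1" 500 310
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Illustrative signatures only (assumption); tune for the protected application.
SIGNATURES = {
    "sqli-union-select": re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S),
    "sqli-tautology": re.compile(r"'\s*(?:or|and)\s+[\w']+\s*=", re.I),
    "xss-script-tag": re.compile(r"<\s*script\b", re.I),
}

def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded payloads are normalised."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_alerts(log_text):
    """Return (client, status, signature, decoded_query) per suspicious line."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        client, _method, target, status = m.groups()
        query = fully_decode(urlsplit(target).query)
        for name, sig in SIGNATURES.items():
            if sig.search(query):
                alerts.append((client, int(status), name, query))
                break  # one alert per request is enough
    return alerts

if __name__ == "__main__":
    for client, status, name, query in find_alerts(SAMPLE_LOG):
        print(f"ALERT {name} from {client} (status {status}): {query}")
```

Any alert from a log collected behind the device means a request carrying an attack pattern was not blocked, whatever the reason, and is worth correlating with the WAF's own event log for the same timestamp.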
This vulnerability affects SecureSphere G-series and Database
Firewalls running versions of the Web Application and Database Firewall
product prior to March 9, 2010. This includes all versions of
SecureSphere from 5.0 through 7.0.
The vendor has released patches for affected versions to address this
issue. Customers are strongly encouraged to apply the update as soon
as possible. Refer to
for upgrade instructions. No reliable workaround is available.
The vendor has provided the following version and patch data:
Version Patch Number
184.108.40.20678 Patch 11
220.127.116.1161 Patch 11
18.104.22.16863 Patch 24
22.214.171.12442 Patch 24
126.96.36.19902 Patch 30
188.8.131.5274 Patch 30
184.108.40.20638 Patch 30
220.127.116.1130 Patch 30
18.104.22.16828 Patch 30
22.214.171.12482 Patch 30
126.96.36.19928 on XOS 8.0/5 ssgw-6128-CBI10
188.8.131.5278 on XOS 8.5.3 ssgw-184.108.40.20667-CBI28
2009-08-31 - Vendor notified.
2010-03-09 - Vendor released patched firmware.
2010-04-05 - Public notification
Scott Miles and Greag Johnson, Clear Skies Security, identified this
Clear Skies would like to thank Mike Sanders and Accuvant Labs for
their assistance in clarifying and working with the vendor to correct
Disclaimer: The information in the advisory is believed to be
accurate at the time of publishing and is subject to change without
notice. Use of the information constitutes acceptance for use in an
AS IS condition. There are no warranties with regard to this
information. The author is not liable for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on,
Copyright 2010 Clear Skies Security, LLC.
Permission is granted for the redistribution of this alert
electronically. To reprint this alert, in whole or in part, in any
other medium other than electronically, please e-mail info (at)
clearskies (dot) net for permission.