begood
Posted April 12, 2010

Researchers from Clear Skies Security have identified a flaw that negates the protection provided by certain Imperva Web Application Firewalls (WAF). This attack essentially bypasses security controls provided by the Imperva device and allows malicious requests to pass through the device unfiltered, allowing for potential application exploitation remotely over the Internet.

The Imperva SecureSphere Web Application Firewall is designed to protect web applications against sophisticated online attacks. Using the flaw uncovered by Clear Skies Security, however, Imperva security protections can be bypassed by appending specially crafted data to web requests. When the Imperva device processes the attack code it creates an overflow condition, allowing the malicious payload to pass through unfiltered and directly attack the application.

"What makes this attack so dangerous is that automated vulnerability scanners would not have identified this issue, which might give a company a false sense of security," said Scott Miles, Principal Consultant at Clear Skies Security and one of the original developers of the first automated scanner, Internet Security Scanner. To further complicate things, affected Imperva devices provide no indication when this vulnerability is exploited, so Clear Skies Security highly recommends that other controls within the environment alert on similar malicious activity as a secondary warning mechanism.

"Only minimal skill is required by an attacker to make the attack work, which will allow this technique to be easily incorporated into existing exploitation frameworks," said Gunter Ollman, VP of Research at Damballa, a network security company that detects and terminates botnets and advanced persistent threats. "Criminal botnet operators will likely pounce upon this weakness and target the formally shielded applications, exploiting and then co-opting them to propagate new attacks."

"It is quite rare to find vulnerabilities in security software," said Brad MacKenzie, CEO of Clear Skies Security. "We hope that organizations understand the importance of incorporating manual security testing that leverages the same techniques a hacker would when conducting their security testing and not solely relying on automated scanners."

Clear Skies Security has worked closely with Imperva since identifying this issue, and Imperva reacted responsibly to ensure that their customers are protected. Patches are now available for the affected versions to address this vulnerability. Existing customers are strongly encouraged to apply the update as soon as possible.

More information on the vulnerability can be found at:
http://clearskies.net/documents/css-advisory-css1001-imperva.pdf
CVE: CVE-2010-1329 (under review)

Source: A Rare Find: New Exploit in Firewall puts Applications at Risk