Instant Protection with Virtual Patches

Description

Modern-day web development heavily relies on open-source libraries and frameworks to create the most advanced and highly available web applications. Some of these open-source packages are not always developed with security in mind. In other cases, they are not maintained as often as new web threats are discovered. This reality results in many vulnerabilities that might be exploited in the wild with no mitigations available.

Even the most widely used packages are sometimes found vulnerable to an attack critical enough to require swift remediation. Because dependencies may be inherited through other dependencies or third-party vendors, precious time is wasted on accurately mapping the vulnerable assets that need to be patched and monitored; the best example of such a case is the infamous Apache Log4j vulnerabilities that recently hit the headlines. Virtual patches are also able to mitigate exploitation seen during the Russia-Ukraine cyber attacks, such as the OctoberCMS exploitation.

Palo Alto Networks' Prisma Cloud WAAS research team constantly monitors web exploitation in the wild and creates virtual patches that allow an immediate response to such emerging threats.

When the Log4Shell vulnerability was discovered, the WAAS research team released a rapid response and even shared the custom rule's syntax to support the worldwide effort to mitigate this massively scaled vulnerability.

Virtual Patches or Core Application Firewall Protections?

Virtual Patches are unique custom rules designed to target specific known vulnerabilities as well as new emerging threats, and they can easily be added to existing WAAS policies.

Virtual Patches are a convenient way to protect vulnerable applications seamlessly, whereas other solutions require software patching, which involves careful operation and downtime and is not remediated as rapidly as simply applying a Virtual Patch.

The following Virtual Patches are introduced to mitigate vulnerabilities that are of high interest.

Double Free in Windows HTTP Protocol Remote Code Execution

The Windows http.sys driver was found vulnerable to CVE-2022-21907, a vulnerability that can be triggered by an unauthenticated attacker sending an HTTP request whose "Accept-Encoding" header contains a malicious payload, resulting in a double free memory corruption.

Vulnerable Operating Systems (unpatched):

  • Windows Server 2022
  • Windows Server 2019
  • Windows 11
  • Windows 10

This vulnerability is triggered when unknown "Accept-Encoding" values are introduced to the http.sys HTTP protocol driver and leads to a kernel crash resulting in a Denial-of-Service condition. Although this vulnerability type can be leveraged into complete Remote Code Execution with kernel privileges, such capabilities have not yet been demonstrated, similarly to previous memory corruption vulnerabilities in the http.sys driver, due to the various techniques used to mitigate exploitation.

This HTTP Protocol module is used by IIS webservers, Windows Remote Management and Web Services for Devices.

ProxyLogon Exchange Attack Chain

It was discovered that Microsoft Exchange is vulnerable to Unauthenticated Remote Code Execution through an attack chain consisting of 4 vulnerabilities.

Exact vulnerable versions are:

  • Exchange Server 2019 < 15.02.0792.010
  • Exchange Server 2019 < 15.02.0721.013
  • Exchange Server 2016 < 15.01.2106.013
  • Exchange Server 2013 < 15.00.1497.012

CVE-2021-26855 - Server-Side Request Forgery (SSRF) vulnerability in Exchange on-premise server which allows a malicious actor to send arbitrary HTTP requests on behalf of the Exchange server.

CVE-2021-26857 - Insecure deserialization vulnerability in the Unified Messaging service. Exploiting this vulnerability allows a malicious actor to execute code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.

CVE-2021-26858 - Post Authentication Arbitrary File Write vulnerability in Exchange. Chaining this with CVE-2021-26855 allows a malicious actor to write a file to any path on the server. It can also be exploited by an authenticated user with administrator permissions.

CVE-2021-27065 - Post Authentication Arbitrary File Write vulnerability in Exchange. Chaining this with CVE-2021-26855 allows a malicious actor to write a file to any path on the server. It can also be exploited by an authenticated user with administrator permissions.

Apache Struts Remote Code Execution via OGNL Evaluation

Apache Struts versions 2.0.0 - 2.5.25 can be vulnerable to remote code execution (CVE-2020-17530) when evaluating unsanitized user input in tag attributes, potentially allowing double evaluation if a developer allowed forced OGNL evaluation by using the %{code here} syntax.

When researching this vulnerability, it was discovered that some previous vulnerabilities shared the same exploitation pattern of OGNL evaluation.

  • Apache Struts 2.0.0 - 2.5.20 - RCE with %{...} and ${...} syntax, CVE-2019-0230.
  • Apache Struts 2.0.4 - 2.3.34, 2.5.0 - 2.5.16 - RCE with %{...} syntax within URL, CVE-2018-11776.
  • Apache Struts 2.3.5 - 2.3.31, 2.5.0 - 2.5.10 - RCE with %{...} and ${...} syntax in Content-Type, Content-Disposition or Content-Length HTTP headers, CVE-2017-5638.
  • Apache Struts 2.0.0 - 2.3.28.1 - RCE with %{...} syntax, CVE-2016-4461.
  • Apache Struts 2.0.0 - 2.3.24.1 (except 2.3.20.3) - RCE with %{...} syntax, CVE-2016-0785.
  • Apache Struts 2.0.0 - 2.3.14.2 - RCE with %{...} and ${...} syntax, CVE-2013-2135, CVE-2013-2134.

The exploitation occurs when unsanitized raw user input undergoes forced OGNL evaluation, allowing a malicious actor to modify system variables or execute arbitrary code.

OGNL is an open-source expression language for Java. It can be used to get and set object properties and allows most of what you can do with Java.

Nginx Remote Code Execution via PHP-FPM

This Virtual Patch was deployed earlier.

NGINX running PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 with PHP-FPM enabled can be vulnerable to the remote code execution vulnerability CVE-2019-11043.

The vulnerability is introduced through a specific configuration of the regular expression used in fastcgi_split_path_info (^(.+?\.php)(/.*)$), which breaks if an encoded newline character (%0a) is introduced within the path URI. This causes the path_info variable to be empty, while unpatched versions assume that env_path_info will always contain a value.

It is possible to cause a buffer underflow on env_path_info in such a way that the FPM module writes past allocated buffers into the space reserved for FCGI protocol data.

fastcgi_split_path_info is an NGINX directive that is enabled on NGINX servers, so this vulnerability is particularly interesting within NGINX servers.

The commit that fixed the issue.
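An added example (not code from the post or from PHP/nginx) showing why the decoded %0a empties PATH_INFO: it replays the split regex above in Python, where `.` likewise does not match a newline, and gives the request check a virtual patch for this bug would apply. The exact regex form and the sample URIs are assumptions.

```python
import re
from urllib.parse import unquote

# The split rule the post refers to, as commonly written in nginx PHP-FPM
# configs (assumed here): fastcgi_split_path_info ^(.+?\.php)(/.*)$;
# nginx exports capture group 2 as $fastcgi_path_info, i.e. PATH_INFO.
FASTCGI_SPLIT_PATH_INFO = re.compile(r"^(.+?\.php)(/.*)$")

def split_path_info(decoded_uri):
    """Mimic fastcgi_split_path_info on an already URL-decoded URI.

    Returns (script_name, path_info), or None when the regex does not match,
    which is the case that leaves PATH_INFO empty for the FPM backend.
    """
    m = FASTCGI_SPLIT_PATH_INFO.match(decoded_uri)
    return (m.group(1), m.group(2)) if m else None

def path_info_for(raw_uri):
    """PATH_INFO nginx would hand to PHP-FPM for a raw request URI.

    '.' in the regex does not match a newline, so once %0a is decoded the
    split fails and the value collapses to the empty string.
    """
    parts = split_path_info(unquote(raw_uri))
    return parts[1] if parts else ""

def should_block(raw_uri):
    """Virtual-patch style check for this bug: reject requests for a .php
    resource whose decoded URI carries a control character (%0a, %0d, ...).

    Keying on the control character rather than on an empty PATH_INFO avoids
    false positives on plain /index.php requests, where that is normal.
    """
    decoded = unquote(raw_uri)
    has_control = any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded)
    return ".php" in decoded and has_control

# Constructed sample request URIs (not from the post).
SAMPLE_URIS = {
    "/index.php/profile": "ordinary path info",
    "/index.php/a%0ab.php": "encoded newline inside the path",
}

if __name__ == "__main__":
    for uri, note in SAMPLE_URIS.items():
        print(f"{uri!r:24} path_info={path_info_for(uri)!r:12} "
              f"block={should_block(uri)}  # {note}")
```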

Drupalgeddon2 - Drupal CMS Remote Code Execution

All versions of Drupal 7.x < 7.58, 8.3.x < 8.3.9, 8.4.x < 8.4.6 and 8.5.x < 8.5.1 are vulnerable to CVE-2018-7600. The vulnerability is found within the Drupal Form API's renderable arrays, which are used to render requested pages and can by themselves be abused to execute malicious code.

Some API functions were determined to have the potential for RCE:

  • [#post_render]
  • [#pre_render]
  • [#access_callback]
  • [#lazy_builder]

These functions can be used to render an array with a value that calls the PHP exec function, followed by values holding the OS-level commands that are passed to the called exec function.

Multiple tools were found that exploit this vulnerability using some of these functions.

Client-Side Template Injection

This Virtual Patch covers Template Injection. While it is intended for Client-Side templating engines, it should provide substantial coverage over some Server-Side templating engines as well, and it is highly recommended for web applications that use templating engines.

This Virtual Patch covers vulnerabilities introduced when the templating engine attempts to render unsanitized inputs that were improperly passed to it. These vulnerabilities lead to severe consequences and allow various attacks; the more limited capabilities of Client-Side template injection are mostly confined to the user, for example Cross-Site Scripting (XSS) attacks.

With Server-Side template injections, the consequences are dire and will allow a malicious actor to achieve Remote Code Execution over the vulnerable application.

WordPress Denial-of-Service

WordPress at version 4.9.2 and below was found vulnerable to a Denial-of-Service vulnerability CVE-2018-6389.

The vulnerability is introduced through the built-in load-scripts.php and load-styles.php scripts. These scripts are used by WordPress admins to select and load multiple JavaScript files or styles in a single request by passing the filenames, separated by commas, in a "load" parameter.

The built-in scripts then take the file names from the "load" parameter, perform multiple I/O actions to read the files and, if they exist, send their output back concatenated in one single response.

The wp_scripts list is hard-coded and defined in script-loader.php with all the possible JS modules that can be loaded. Seeing as this is a generic list that should be available in most WordPress installations, it allows malicious actors to attempt to load all of these JS files in a single request without brute-forcing or enumerating which modules are available to be loaded.

A single request would cause the server to read, load, concatenate and return all of these modules to the client in a single response.

Seeing as such a small request causes so much load, a malicious actor can send multiple simultaneous requests and easily introduce a denial of service, since no authentication is needed to interact with "load-scripts.php".

Windows HTTP Protocol Remote Code Execution

HTTP.sys, the HTTP protocol processing module of Microsoft Internet Information Services, was found vulnerable to the Integer Overflow vulnerability CVE-2015-1635 in Windows 7 SP1, Windows 2008 R2 SP1, Windows 8, Windows 8.1, Windows 2012 and Windows 2012 R2.

It appears that other services besides IIS are also affected by this vulnerability.

The vulnerability resides within the Range header, which is used in an HTTP request to return a given range of bytes of a given resource. The header supplies the start position and end position of the range, and the length is later determined as follows: length = end position - start position + 1

It appears that HTTP.sys handles the range length as a 64-bit unsigned integer without error handling in case of overflow.

Seeing as the maximum unsigned 64-bit value is 18446744073709551615 (0xFFFFFFFFFFFFFFFF), it is possible to supply that value as the range end position with a start position of 0 and introduce a scenario where the integer overflows after "1" is added, so the range length becomes 0, which is an invalid range length.

Some checks are made:

  • Range Start Position is 0xFFFFFFFFFFFFFFFF
  • Range Length is 0xFFFFFFFFFFFFFFFF
  • Start Position >= the requested web page length
  • End Position >= the requested web page length

It is nevertheless possible to bypass these checks and cause a denial of service or information leakage. Some reports state that it is possible to achieve remote code execution, although no successful attempt has been published yet.
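An added example (not code from the post or from HTTP.sys) that reproduces the wrapping length computation described above with 64-bit masking, and beside it a Range-header validator of the kind a virtual patch or front-end proxy would apply: every bound is checked against the resource size before the length is computed, so the addition can never wrap. The header grammar is the single byte-range form of RFC 7233; the sample headers and the 1024-byte resource size are assumptions.

```python
import re

UINT64_MAX = 0xFFFFFFFFFFFFFFFF
RANGE_SPEC = re.compile(r"^bytes=(\d*)-(\d*)$")

def range_length_unchecked(start, end):
    """The post's rule, end - start + 1, as a 64-bit unsigned register computes
    it: for start=0 and end=UINT64_MAX the result wraps to 0."""
    return (end - start + 1) & UINT64_MAX

def parse_single_range(header, resource_len):
    """Validate a single byte-range spec before any length arithmetic.

    Returns (start, end, length) or None when the header must be rejected.
    Every bound is checked first so that 0 <= start <= end < resource_len
    holds and end - start + 1 cannot wrap.  Out-of-range end positions are
    rejected outright (a WAF-side choice; RFC 7233 lets an origin clamp them).
    """
    if resource_len == 0:
        return None
    m = RANGE_SPEC.match(header)
    if not m:
        return None
    first, last = m.groups()
    if first == "" and last == "":
        return None                          # "bytes=-" is not a range
    if first == "":                          # suffix range: the last N bytes
        n = int(last)
        if n == 0 or n > UINT64_MAX:
            return None
        start, end = max(resource_len - n, 0), resource_len - 1
    else:
        start = int(first)
        end = int(last) if last else resource_len - 1
        if start > UINT64_MAX or end > UINT64_MAX:
            return None                      # does not even fit a uint64
        if start >= resource_len or end >= resource_len:
            return None                      # the two checks the post lists
        if start > end:
            return None                      # unsatisfiable range
    return start, end, end - start + 1

# Constructed sample headers (not from the post), against a 1024-byte resource.
SAMPLES = ["bytes=0-99", "bytes=-100", "bytes=500-", "bytes=0-18446744073709551615"]

if __name__ == "__main__":
    print("unchecked length for 0..UINT64_MAX:", range_length_unchecked(0, UINT64_MAX))
    for h in SAMPLES:
        print(f"{h:32} -> {parse_single_range(h, 1024)}")
```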

OctoberCMS User Hijacking via Weak Password Reset Mechanism

OctoberCMS at versions less than v1.1.5 was found vulnerable to an authentication bypass and account takeover vulnerability CVE-2021-32648.

This vulnerability is particularly high profile due to its ease of exploitation and the evidence of exploitation in the wild seen during the Russian-Ukrainian conflict-related cyber-attacks, which were allegedly executed by the infamous Conti group.

The vulnerability is introduced through a loose comparison in the "checkResetPasswordCode" function in /Auth/Models/User.php on line 281, which was fixed with this commit.

PHP loose comparisons are prone to logic exploitation where otherwise unequal values are considered equal, allowing an attacker to bypass certain condition checks.

In this case, the attacker forces a different content-type parser by supplying an "application/json" content-type header, which lets the attacker set the "code" parameter to the boolean value "true" and trick the application into placing the boolean value in the "reset_password_code" parameter.

This parameter is later compared with the "resetCode" parameter, which is the user's previously randomly generated reset code saved on the server.

These values are introduced to a loose comparison condition that checks whether the user-provided reset password code equals the code generated by the application. Seeing as the attacker-provided value is of "Boolean" type and the "resetCode" value is of "String" type, according to the PHP loose comparison type table this comparison results in a "true" condition. This allows the attacker to change the user's password without knowing the randomly generated "resetCode", ultimately taking over the user account without any privileges required.
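An added example (not code from the post or from OctoberCMS) that models the two ingredients of this bug: a body parser that keeps JSON booleans while form encoding only ever yields strings, and a small emulation of PHP's loose `==` showing that a boolean `true` compares equal to any non-empty reset code, whereas a strict `===` does not. The emulated comparison rules cover only null/bool/int/str, and the stored reset code is a constructed value.

```python
import json
from urllib.parse import parse_qs

def php_truthy(v):
    """PHP's boolean cast for null, bool, int and str."""
    if v is None or isinstance(v, bool):
        return bool(v)
    if isinstance(v, int):
        return v != 0
    if isinstance(v, str):
        return v not in ("", "0")
    raise TypeError(f"type not modelled: {type(v).__name__}")

def php_loose_equals(a, b):
    """Emulate PHP 7's `==` for null/bool/int/str operands (assumption: the
    numeric-string juggling such as "1e3" == "1000" is not modelled).
    A bool on either side makes PHP cast the other operand to bool."""
    if isinstance(a, bool) or isinstance(b, bool):
        return php_truthy(a) == php_truthy(b)
    if a is None or b is None:
        other = b if a is None else a
        return other == "" if isinstance(other, str) else not php_truthy(other)
    if type(a) is not type(b):
        raise TypeError("mixed int/str comparison not modelled")
    return a == b

def php_strict_equals(a, b):
    """PHP's `===`: same type and same value, no juggling."""
    return type(a) is type(b) and a == b

def reset_code_from_request(content_type, body):
    """`code` as a content-type aware body parser decodes it: JSON keeps the
    boolean, form encoding always yields a string."""
    if content_type == "application/json":
        return json.loads(body).get("code")
    return parse_qs(body).get("code", [None])[0]

def reset_allowed(submitted_code, stored_code, strict):
    """The reset check with the loose (vulnerable) or strict (fixed) compare."""
    compare = php_strict_equals if strict else php_loose_equals
    return compare(submitted_code, stored_code)

# Constructed stored reset code (not a value from the post).
STORED_CODE = "k9Qx2vLm7TpWz"

if __name__ == "__main__":
    submitted = reset_code_from_request("application/json", '{"code": true}')
    print("loose :", reset_allowed(submitted, STORED_CODE, strict=False))
    print("strict:", reset_allowed(submitted, STORED_CODE, strict=True))
```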

Conclusions

Prisma Cloud's security research team is constantly on the lookout for newly discovered zero-days and other emerging threats, ensuring your web applications and APIs are always protected, even when they are vulnerable.

With Web Application and API Security's (WAAS) Virtual Patches, customers can swiftly and efficiently mitigate vulnerabilities in production for all web applications and APIs. This in turn gives Information Security teams more time to identify the vulnerable applications in the organization and patch the vulnerabilities without exposing the organization to threats.

In addition, WAAS is able to enforce Custom Rules, which allow detecting and preventing unique attacks based on custom signatures or regular expressions, as demonstrated earlier.

To test out all the great functionality and more with Prisma Cloud, request a hands-on demo.