CVE-2021-40438


Elia Pinto

Dec 18, 2021, 12:24:57 AM
to modsecurity-core...@owasp.org

Is it possible to make a rule for mod_security for cve-2021-40438 if mod_security operates in reverse proxy mode? Any idea how this could be a rule for CRS?

Thank you


references: 

https://www.fastly.com/blog/apache-redux-preventing-server-side-request-forgery-via-cve-2021-40438
https://firzen.de/building-a-poc-for-cve-2021-40438

Ervin Hegedüs

Dec 18, 2021, 1:32:59 AM
to Elia Pinto, modsecurity-core...@owasp.org
Hi Elia,

On Sat, Dec 18, 2021 at 06:24:43AM +0100, Elia Pinto wrote:
> Is it possible to make a rule for mod_security for cve-2021-40438 if
> mod_security operates in reverse proxy mode? Any idea how this could be a
> rule for CRS?

CRS has a really good tool: http://sandbox.coreruleset.org.

For more details you can read this article:

https://coreruleset.org/20211209/introducing-the-crs-sandbox/

I looked up this vulnerability and found this:

https://firzen.de/building-a-poc-for-cve-2021-40438

My test and result were:

$ curl -H "x-format-output: txt-matched-rules" -H "x-crs-paranoia-level: 4" "https://sandbox.coreruleset.org/?unix:testsocket|http://test/"
920273 PL4 Invalid character in request (outside of very strict set)
942432 PL4 Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (2)
949110 PL1 Inbound Anomaly Score Exceeded (Total Score: 8)
980130 PL1 Inbound Anomaly Score Exceeded (Total Inbound Score: 8 - SQLI=3,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 0, 0, 0, 8

so looks like CRS (3.4/dev) protects the Apache, but only on PL4.

The triggered rules were:

920273: https://github.com/coreruleset/coreruleset/blob/v3.4/dev/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf#L1533-L1549
942432: https://github.com/coreruleset/coreruleset/blob/v3.4/dev/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf#L1554-L1573

Rules 949110 and 980130 triggered because they check the
transaction anomaly scores. The effective protection comes from
the other two rules, which are what you are looking for IMHO.

If you've found any other attack types, please let me know.


Regards,


a.

Christian Folini

Dec 18, 2021, 2:30:47 AM
to Ervin Hegedüs, Elia Pinto, modsecurity-core...@owasp.org
Hey Elia,

Adding to this, let me suggest the following:

If a certain attack is only detected at a higher paranoia level, you would
have to run in this high PL to trigger the rule obviously. But that's really
hard and often too much work.

So a quick fix is to take the rule and duplicate it for you under a new
rule ID. You need to put it in your configuration before the CRS include.

That way you make sure it is always executed no matter the PL. Now ideally you
will also remove or edit the PL tag within the rule.

Best,

Christian
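As an added illustration of the approach Christian describes (this is not a rule from the thread or from CRS itself): a site-local rule with its own ID, placed in a file that is included before the CRS rules (conventionally REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf), so it runs at every paranoia level. The rule ID 10200 and the regex are assumptions; the regex is modelled on the sandbox request `?unix:testsocket|http://test/` shown earlier in the thread.

```apache
# Added example, not part of the original thread or of CRS.
# A local rule that runs regardless of paranoia level because it is
# loaded before the CRS include and carries no paranoia-level tag.
# ID 10200 is an assumption taken from the range reserved for local rules.
# The pattern looks for a "unix:" socket reference followed by "|<scheme>://",
# the shape of the mod_proxy request shown in the sandbox test above.
# t:urlDecodeUni is applied because REQUEST_URI is not decoded automatically.
SecRule REQUEST_URI|REQUEST_LINE "@rx (?i)unix:[^|\s]*\|\s*[a-z][a-z0-9+.-]*://" \
    "id:10200,\
    phase:1,\
    deny,\
    status:403,\
    log,\
    t:none,t:urlDecodeUni,\
    msg:'Possible CVE-2021-40438 mod_proxy SSRF attempt (unix: path followed by |scheme://)',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    tag:'application-multi',\
    tag:'attack-ssrf',\
    severity:'CRITICAL'"
```

Because the rule runs in phase 1 and denies outright, it blocks before mod_proxy forwards the request; if you prefer anomaly scoring, replace `deny,status:403` with a `setvar` on `tx.anomaly_score_pl1` as the CRS rules do.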