ADVISORY: Unauthenticated Remote Code Execution on DenyAll Web Application Firewall

On September 19th 2017, a remote code execution (RCE) vulnerability affecting the DenyAll Web Application Firewall was reported by the pentester Mehmet Ince on his website (see the linked article). This vulnerability allows remote code execution through the administration interface of the WAF, with no authentication required. To prevent this attack, we strongly recommend that the administration interface (running on port 3001/tcp) be restricted to administrators only (by source IP firewalling or admin VLAN segregation).

Details of the vulnerability

The vulnerability allows attackers to remotely execute shell commands through the PHP API running on the administration interface (port 3001/tcp) of the WAF.

Mehmet Ince found this vulnerability by instantiating DenyAll WAF v6.3 on AWS, accessing the code of this PHP API through the file system and identifying a combination of two issues (authentication token bypass and parameter injection). More details are provided in his blog post.

Which DenyAll products are impacted by this disclosure?

This vulnerability affects all current versions of i-Suite and DenyAll WAF, whether they are installed on premises or in the AWS/Azure clouds:

  • i-Suite LTS version 5.5 (5.5.0 to 5.5.12)
  • i-Suite 5.6
  • DenyAll WAF 5.7
  • DenyAll WAF 6.0 to 6.4.0.

Fixing the vulnerability

Security hotfixes (RSE) are being released and are available on our customer support portal (https://my.denyall.com) for the following versions: 6.4.0, 6.3.0, 5.5.4, 5.5.10, 5.5.12 and 5.5.6.

This vulnerability will also be fixed in version 6.4.1 that will soon be released (replacing 6.4.0).

Finally, the future version 6.5.0 will benefit from substantial security improvements, including code obfuscation of all sensitive PHP classes as well as encapsulation of command execution (shell exec).

We also strongly recommend that the administration interface (port 3001/tcp) be restricted to administrators only. This can be done by limiting access to this port to the source IP of the administrator device (firewall rule) or, even better, by assigning one network interface to management and the other network interfaces to traffic, so that the management interface can sit on an admin VLAN. For any further details, we invite you to contact the DenyAll Support Team.
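As an added example (not part of the DenyAll advisory and not the vendor's own code), the following POSIX shell script generates the iptables rules for the firewall-rule option described above: a dedicated chain that accepts new connections to 3001/tcp from an administrator source range and drops every other new connection to that port. It assumes a Linux host with iptables in the path between administrators and the WAF (or the appliance itself, if it gives you a shell); the chain name WAF_ADMIN and the address 203.0.113.10/32 are placeholders of my own, not values from the advisory.

```shell
#!/bin/sh
# Added example, not DenyAll code: build iptables rules that restrict the WAF
# administration interface (3001/tcp) to an administrator source address/range.
# Assumptions: Linux host with iptables (1.4.11+ for -C); WAF_ADMIN is a
# placeholder chain name; the admin CIDR is supplied by the operator.

ADMIN_PORT=3001
CHAIN=WAF_ADMIN

# Loose sanity check: argument must look like a.b.c.d or a.b.c.d/n (n in 0..32).
# It does not verify that each octet is <= 255; it only rejects obvious garbage
# before the value is interpolated into a command line.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Print (do not run) the iptables commands, one per line:
#   1. create the dedicated chain, or flush it if it already exists
#   2. accept the admin range inside that chain
#   3. drop everything else inside that chain
#   4. send new 3001/tcp connections to the chain from the top of INPUT,
#      adding the jump only if it is not already present (idempotent re-runs)
admin_rules() {
    cidr="$1"
    if ! valid_cidr "$cidr"; then
        echo "invalid admin source: $cidr" >&2
        return 1
    fi
    printf 'iptables -N %s 2>/dev/null || iptables -F %s\n' "$CHAIN" "$CHAIN"
    printf 'iptables -A %s -s %s -j ACCEPT\n' "$CHAIN" "$cidr"
    printf 'iptables -A %s -j DROP\n' "$CHAIN"
    printf 'iptables -C INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j %s 2>/dev/null || iptables -I INPUT 1 -p tcp --dport %s -m conntrack --ctstate NEW -j %s\n' \
        "$ADMIN_PORT" "$CHAIN" "$ADMIN_PORT" "$CHAIN"
}

# Usage:
#   sh restrict_admin.sh 203.0.113.10/32          -> print the rules for review
#   sh restrict_admin.sh apply 203.0.113.10/32    -> run them (needs root)
if [ "${1:-}" = "apply" ] && [ -n "${2:-}" ]; then
    admin_rules "$2" | sh
elif [ -n "${1:-}" ]; then
    admin_rules "$1"
fi
```

Established connections are not matched by the jump (only NEW), so an administrator session already open when the rules are applied is not cut. On AWS or Azure the same restriction belongs in the security group or network security group inbound rule for port 3001, with the administrator address as the only permitted source.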

Vincent Maury, Chief Technology Officer
Vincent is our beloved Chief Technical Officer. He loves working in the security field and doing it the right way. Products and services he develops have a common #1 goal: Keeping it as simple as possible for users to secure their IT assets.