Headline
WAPPLES web application firewall faulted for multiple flaws
Researcher uncovers RCE and undocumented backdoor risks
John Leyden 15 September 2022 at 14:43 UTC
Updated: 15 September 2022 at 14:48 UTC
Researcher uncovers RCE and undocumented backdoor risks
Multiple vulnerabilities in the WAPPLES web application firewall (WAF) created a means to commandeer vulnerable devices and run arbitrary commands, a researcher warns.
Another set of flaws in the technology created a means to access the device with privileges through a “backdoor account”, according to security researcher Konstantin Burov.
More specifically, the Kazakhstan-based security researcher uncovered vulnerabilities in WAPPLES from version 4.0 to 6.0 that allowed a remote attacker to execute arbitrary code or obtain confidential information using predefined credentials, among other exploits.
Burov also discovered that it was possible to escalate user privileges to root in versions 5.0 and 6.0 of the technology.
Catch up on the latest security research and analysis
WAPPLES, from Penta Security Systems, is shipped as either a hardware appliance or a virtual machine. In either scenario, the technology is designed to protect what might otherwise be vulnerable websites or applications against potential attack.
The technology is most widely used in Japan and South Korea, according to Shodan-based searches run by Burov.
The vulnerabilities – tracked as CVE-2022-24706, CVE-2022-31322, CVE-2022-35413, CVE-2022-31324, and CVE-2022-35582 – are documented in a technical blog post.
The most severe, remote code execution (RCE) risk – tracked as CVE-2022–24706 (currently undergoing reanalysis) – arises from reliance on a vulnerable third-party component.
“WAPPLES uses a vulnerable CouchDB version in default configuration that leads to remote OS command execution,” Burov explains. “To exploit this vulnerability the attacker must have access to the management interface.”
Burov warned: “An attacker could gain unprivileged access to a system as a ‘couchdb’ user, then escalate privileges using the other vulnerabilities.”
Penta-thlon
Separately, Burov discovered that the “operating system that WAPPLES runs on has a built-in non-privileged user ‘penta’ with a predefined password.
“The password is revealed in the system script and differs for different versions of the product,” according to the researcher.
The practical upshot of this unclosed backdoor (tracked as CVE-2022–35582) is that even moderately skilled attackers might well be able to get hold of device credentials and thereby gain uncontrolled access to the device.
Hardcoded credentials for the web-API of some recent version of WAPPLES were also exposed, Burov discovered. Flaws in WAPPLES undermined the protection it might otherwise be able to offer.
YOU MAY ALSO LIKE Vendor disputes seriousness of firewall plugin RCE flaw
Burov, a security engineer and pen tester, told The Daily Swig that he carried out security research in his spare time.
“My colleagues showed me this product, and I almost immediately found the classic bug of command injection in CLI,” he explained. “And I decided to look under the hood, because I was sure there were more serious bugs.
“I can’t confirm that the issue has been fixed by the vendor as I do not currently have access to the WAPPLES appliance. All I have is vendor assurances.”
After failing to get a response from Penta Security, Burov reached out to Cloudbric Corp, a partner of Penta Security, who told him that the issues had been resolved.
The Daily Swig also approached Penta Security and Cloubric for comment. No word back as yet, but we’ll update this story as soon as more information comes to hand.
Burov said his research findings offered lessons for other software developers.
“If you are incorporating other technologies into your product, you should know it as if it were your own product – e.g in the CouchDB manual, it was described that the default value of Erlang Cookie needs to be changed,” he explained. “I also recommend to study the reference ‘OWASP Secure Coding Practices’.”
RELATED Vulnerability in Xalan-J could allow arbitrary code execution
Related news
In Apache CouchDB versions prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges.
Penta Security Systems Inc WAPPLES 4.0.*, 5.0.0.*, 5.0.12.* are vulnerable to Incorrect Access Control. The operating system that WAPPLES runs on has a built-in non-privileged user penta with a predefined password. The password for this user, as well as its existence, is not disclosed in the documentation. Knowing the credentials, attackers can use this feature to gain uncontrolled access to the device and therefore are considered an undocumented possibility for remote control.
Penta Security Systems Inc WAPPLES 4.0.*, 5.0.0.*, 5.0.12.* are vulnerable to Incorrect Access Control. The operating system that WAPPLES runs on has a built-in non-privileged user penta with a predefined password. The password for this user, as well as its existence, is not disclosed in the documentation. Knowing the credentials, attackers can use this feature to gain uncontrolled access to the device and therefore are considered an undocumented possibility for remote control.
Penta Security Systems Inc WAPPLES 4.0.*, 5.0.0.*, 5.0.12.* are vulnerable to Incorrect Access Control. The operating system that WAPPLES runs on has a built-in non-privileged user penta with a predefined password. The password for this user, as well as its existence, is not disclosed in the documentation. Knowing the credentials, attackers can use this feature to gain uncontrolled access to the device and therefore are considered an undocumented possibility for remote control.
WAPPLES through 6.0 has a hardcoded systemi account accessible via db/wp.no1 (as configured in the /opt/penta/wapples/script/wcc_auto_scaling.py file). A threat actor could use this account to access the system configuration and confidential information (such as SSL keys) via an HTTPS request to the /webapi/ URI on port 443 or 5001.
Penta Security Systems Inc WAPPLES 4.0.*, 5.0.0.*, 5.0.12.* are vulnerable to Incorrect Access Control. The operating system that WAPPLES runs on has a built-in non-privileged user penta with a predefined password. The password for this user, as well as its existence, is not disclosed in the documentation. Knowing the credentials, attackers can use this feature to gain uncontrolled access to the device and therefore are considered an undocumented possibility for remote control.
Penta Security Systems Inc WAPPLES 4.0.*, 5.0.0.*, 5.0.12.* are vulnerable to Incorrect Access Control. The operating system that WAPPLES runs on has a built-in non-privileged user penta with a predefined password. The password for this user, as well as its existence, is not disclosed in the documentation. Knowing the credentials, attackers can use this feature to gain uncontrolled access to the device and therefore are considered an undocumented possibility for remote control.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added 10 new actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, including a high-severity security flaw affecting industrial automation software from Delta Electronics. The issue, tracked as CVE-2021-38406 (CVSS score: 7.8), impacts DOPSoft 2 versions 2.00.07 and prior. A successful
In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations.