Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2023.0570
modsecurity-crs security update
31 January 2023
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: modsecurity-crs
Publisher: Debian
Operating System: Debian GNU/Linux
Resolution: Patch/Upgrade
CVE Names: CVE-2022-39958 CVE-2022-39957 CVE-2022-39956
CVE-2022-39955 CVE-2022-29956 CVE-2021-35368
CVE-2020-22669 CVE-2018-16384
Original Bulletin:
https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html
Comment: CVSS (Max): 9.8* CVE-2022-39956 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: NVD
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* Not all CVSS available when published
- --------------------------BEGIN INCLUDED TEXT--------------------
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3293-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
January 30, 2023 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : modsecurity-crs
Version : 3.2.3-0+deb10u3
CVE ID : CVE-2018-16384 CVE-2020-22669 CVE-2021-35368 CVE-2022-39955
CVE-2022-39956 CVE-2022-39957 CVE-2022-39958
Debian Bug : 924352 992000 1021137
Multiple issues were found in modsecurity-crs, a set of generic attack
detection rules for use with ModSecurity or compatible web application
firewalls, which allows remote attackers to bypass the web applications
firewall.
If you are using modsecurity-crs with apache2 / libapache2-modsecurity, please
make sure to review your modsecurity configuration, usually
/etc/modsecurity/modsecurity.conf, against the updated recommended
configration, available in /etc/modsecurity/modsecurity.conf-recommended:
Some of the changes to the recommended rules are required to avoid WAF bypasses
in certain circumstances.
Please note that CVE-2022-39956 requires an updated modsecurity-apache packge,
which has been previously uploaded to buster-security, see Debian LTS Advisory
DLA-3283-1 for details.
If you are using some other solution in connection with the
modsecurity-ruleset, for example one that it is using libmodsecurity3, your
solution might error out with an error message like "Error creating rule:
Unknown variable: MULTIPART_PART_HEADERS". In this case you can disable the
mitigation for CVE-2022-29956 by removing the rule file
REQUEST-922-MULTIPART-ATTACK.conf. However, be aware that this will disable
the protection and could allow attackers to bypass your Web Application
Firewall.
There is no package in Debian which depends on libmodsecurity3, so if you are
only using software which is available from Debian, you are not affected by
this limitation.
Kudos to @airween for the support and help while perparing the update.
CVE-2018-16384
A SQL injection bypass (aka PL1 bypass) exists in OWASP ModSecurity Core Rule
Set (owasp-modsecurity-crs) through v3.1.0-rc3 via {`a`b} where a is a special
function name (such as "if") and b is the SQL statement to be executed.
CVE-2020-22669
Modsecurity owasp-modsecurity-crs 3.2.0 (Paranoia level at PL1) has a SQL
injection bypass vulnerability. Attackers can use the comment characters and
variable assignments in the SQL syntax to bypass Modsecurity WAF protection and
implement SQL injection attacks on Web applications.
CVE-2022-39955
The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set
bypass by submitting a specially crafted HTTP Content-Type header field that
indicates multiple character encoding schemes. A vulnerable back-end can
potentially be exploited by declaring multiple Content-Type "charset" names and
therefore bypassing the configurable CRS Content-Type header "charset" allow
list. An encoded payload can bypass CRS detection this way and may then be
decoded by the backend. The legacy CRS versions 3.0.x and 3.1.x are affected,
as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and
users are advised to upgrade to 3.2.2 and 3.3.3 respectively.
CVE-2022-39956
The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set
bypass for HTTP multipart requests by submitting a payload that uses a
character encoding scheme via the Content-Type or the deprecated
Content-Transfer-Encoding multipart MIME header fields that will not be decoded
and inspected by the web application firewall engine and the rule set. The
multipart payload will therefore bypass detection. A vulnerable backend that
supports these encoding schemes can potentially be exploited. The legacy CRS
versions 3.0.x and 3.1.x are affected, as well as the currently supported
versions 3.2.1 and 3.3.2. Integrators and users are advised upgrade to 3.2.2
and 3.3.3 respectively. The mitigation against these vulnerabilities depends on
the installation of the latest ModSecurity version (v2.9.6 / v3.0.8).
CVE-2022-39957
The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body
bypass. A client can issue an HTTP Accept header field containing an optional
"charset" parameter in order to receive the response in an encoded form.
Depending on the "charset", this response can not be decoded by the web
application firewall. A restricted resource, access to which would ordinarily
be detected, may therefore bypass detection. The legacy CRS versions 3.0.x and
3.1.x are affected, as well as the currently supported versions 3.2.1 and
3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3
respectively.
CVE-2022-39958
The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass
to sequentially exfiltrate small and undetectable sections of data by
repeatedly submitting an HTTP Range header field with a small byte range. A
restricted resource, access to which would ordinarily be detected, may be
exfiltrated from the backend, despite being protected by a web application
firewall that uses CRS. Short subsections of a restricted resource may bypass
pattern matching techniques and allow undetected access. The legacy CRS
versions 3.0.x and 3.1.x are affected, as well as the currently supported
versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2
and 3.3.3 respectively and to configure a CRS paranoia level of 3 or higher.
For Debian 10 buster, these problems have been fixed in version
3.2.3-0+deb10u3.
We recommend that you upgrade your modsecurity-crs packages.
For the detailed security status of modsecurity-crs please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/modsecurity-crs
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEE/d0M/zhkJ3YwohhskWT6HRe9XTYFAmPYDeoACgkQkWT6HRe9
XTbzGw//TBCtUIaxo7Gdi1t9cfP/+/ZtQIRNR1WFZr1RnYpQemf+aGL3pB1hBjq5
c9cjnn8MZhNZ/x2WoroHULVpmbdCabfjXIvGlkw/W0EjSOeF9h3v73oPvo+vvmQI
USUPQOQWk0Vz0mMsb/wryRMXXTG0bnVwenzpVNdOP6bAWGiS2RbDoSawFTeYrXVm
JNz++IFBt11SGcVBJmME6xW2up0ISicg8h4UyEjRY3XPT5eVNjUL/J9jnZ9eK+wM
Jv1PUyaasL8nabGefSS2DmyAH7CVy/TcdDlzIBpN99hEfMO29bMu9xvAwE9f34Rp
zYW4p6oTFMajOu/7p0vJwoSXirLOBxBLkzU8aT5Gd6ZGFGox3WJE0dx0IvPVmBi3
mkdmc9ObTn/xSixL2cbdoV39nFSKdRVEmSZnOShxGPD/xKp0/GZgvZSqQJ26Nwqu
Ry9yOBOkW/WPiTY279SdW+uVG8diTxYZqJy3d5g2/RSY7u3Irvv0F8Y7kpOj3mTR
bU3RLicV728kUGiyyhpu2SVPHxTC9ABu1J9udVQwX6tBizyEWMdNwiN6iJLEzRHr
pMpZXFWk2E9MFqzx48k+oX/OLLxkO8BDF050lNFHZO27VUpFMAR31Yo69Hn2jiOw
1k3T13wxBmGEUPpvsvJcROq5/MwjsSGYfx6xO9kczQF+Rk3kEzk=
=uHA3
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBY9ihwskNZI30y1K9AQh7PA/9HPRs7RA1KIIhVveW2jyBn6HDW+ltWZrI
65vpB+C7HkFJU4moClwQwb6iJytx4JjFfG1cU25SW5gGO8MZ7Xy+hO/RX8Ul3d3l
WQBHsqReL55qlqXOTiGJbMsDRsubczO+SBEH6IRRvVu30qzFYa4e65kKBw3wsLQ+
YmG83WeHjWgn90q7k7VtAcb7f/nZZn9hZKOYwCzOFHTRVtvlSVpLT8XSjguIJUPA
cOmn8r4fSZFPwNMGGnk7FEBzURVdDyC53ekcctGqC10yuHx8Ei6NagcYEwA5NEIr
tfjxU/5z0rKxy1UrUTCNHctf4ZL7yhElz6iXDLH48DJZhD2R9JzYYsP0PGA0Yhdo
fFhYxmrD0fgcUA+qDBhxzVWnQRxto/2HjwPcQTDKphrzJCVGN6n7rmjDZAIa+FhS
+65HVB1gDVUgOsaGnVVoLdaEG4OVvqQtvplGze2hBp0BUX6UGO9/utfxMmsdHrpA
XYbe0xKpIPjEWbaXK/lAxZOnpl90oVSUqiRM5UQWsWaFWuwk9HBbAArWPhymX2Ym
eQbzFq4Xp3EBEZHoVb1aXuGTsQb5nmtDdsrpq/XWmbd41uYdCM2vJNAIjFmJ0Syr
JjBZt6I7oZ0iHOzyf5Wyns1LjTp+CxZgHbFUxpqZzPd6q6c/M/bH9GjRkVQfld1w
DRnIQaTmKsE=
=Nua4
-----END PGP SIGNATURE-----