Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2023.0570 modsecurity-crs security update 31 January 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: modsecurity-crs Publisher: Debian Operating System: Debian GNU/Linux Resolution: Patch/Upgrade CVE Names: CVE-2022-39958 CVE-2022-39957 CVE-2022-39956 CVE-2022-39955 CVE-2022-29956 CVE-2021-35368 CVE-2020-22669 CVE-2018-16384 Original Bulletin: https://lists.debian.org/debian-lts-announce/2023/01/msg00033.html Comment: CVSS (Max): 9.8* CVE-2022-39956 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSS Source: NVD Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H * Not all CVSS available when published - --------------------------BEGIN INCLUDED TEXT-------------------- - ------------------------------------------------------------------------- Debian LTS Advisory DLA-3293-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost January 30, 2023 https://wiki.debian.org/LTS - ------------------------------------------------------------------------- Package : modsecurity-crs Version : 3.2.3-0+deb10u3 CVE ID : CVE-2018-16384 CVE-2020-22669 CVE-2021-35368 CVE-2022-39955 CVE-2022-39956 CVE-2022-39957 CVE-2022-39958 Debian Bug : 924352 992000 1021137 Multiple issues were found in modsecurity-crs, a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls, which allows remote attackers to bypass the web applications firewall. If you are using modsecurity-crs with apache2 / libapache2-modsecurity, please make sure to review your modsecurity configuration, usually /etc/modsecurity/modsecurity.conf, against the updated recommended configration, available in /etc/modsecurity/modsecurity.conf-recommended: Some of the changes to the recommended rules are required to avoid WAF bypasses in certain circumstances. Please note that CVE-2022-39956 requires an updated modsecurity-apache packge, which has been previously uploaded to buster-security, see Debian LTS Advisory DLA-3283-1 for details. If you are using some other solution in connection with the modsecurity-ruleset, for example one that it is using libmodsecurity3, your solution might error out with an error message like "Error creating rule: Unknown variable: MULTIPART_PART_HEADERS". In this case you can disable the mitigation for CVE-2022-29956 by removing the rule file REQUEST-922-MULTIPART-ATTACK.conf. However, be aware that this will disable the protection and could allow attackers to bypass your Web Application Firewall. There is no package in Debian which depends on libmodsecurity3, so if you are only using software which is available from Debian, you are not affected by this limitation. Kudos to @airween for the support and help while perparing the update. CVE-2018-16384 A SQL injection bypass (aka PL1 bypass) exists in OWASP ModSecurity Core Rule Set (owasp-modsecurity-crs) through v3.1.0-rc3 via {`a`b} where a is a special function name (such as "if") and b is the SQL statement to be executed. CVE-2020-22669 Modsecurity owasp-modsecurity-crs 3.2.0 (Paranoia level at PL1) has a SQL injection bypass vulnerability. Attackers can use the comment characters and variable assignments in the SQL syntax to bypass Modsecurity WAF protection and implement SQL injection attacks on Web applications. CVE-2022-39955 The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type "charset" names and therefore bypassing the configurable CRS Content-Type header "charset" allow list. An encoded payload can bypass CRS detection this way and may then be decoded by the backend. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively. CVE-2022-39956 The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and inspected by the web application firewall engine and the rule set. The multipart payload will therefore bypass detection. A vulnerable backend that supports these encoding schemes can potentially be exploited. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised upgrade to 3.2.2 and 3.3.3 respectively. The mitigation against these vulnerabilities depends on the installation of the latest ModSecurity version (v2.9.6 / v3.0.8). CVE-2022-39957 The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass. A client can issue an HTTP Accept header field containing an optional "charset" parameter in order to receive the response in an encoded form. Depending on the "charset", this response can not be decoded by the web application firewall. A restricted resource, access to which would ordinarily be detected, may therefore bypass detection. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively. CVE-2022-39958 The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted resource, access to which would ordinarily be detected, may be exfiltrated from the backend, despite being protected by a web application firewall that uses CRS. Short subsections of a restricted resource may bypass pattern matching techniques and allow undetected access. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively and to configure a CRS paranoia level of 3 or higher. For Debian 10 buster, these problems have been fixed in version 3.2.3-0+deb10u3. We recommend that you upgrade your modsecurity-crs packages. For the detailed security status of modsecurity-crs please refer to its security tracker page at: https://security-tracker.debian.org/tracker/modsecurity-crs Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS - -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEE/d0M/zhkJ3YwohhskWT6HRe9XTYFAmPYDeoACgkQkWT6HRe9 XTbzGw//TBCtUIaxo7Gdi1t9cfP/+/ZtQIRNR1WFZr1RnYpQemf+aGL3pB1hBjq5 c9cjnn8MZhNZ/x2WoroHULVpmbdCabfjXIvGlkw/W0EjSOeF9h3v73oPvo+vvmQI USUPQOQWk0Vz0mMsb/wryRMXXTG0bnVwenzpVNdOP6bAWGiS2RbDoSawFTeYrXVm JNz++IFBt11SGcVBJmME6xW2up0ISicg8h4UyEjRY3XPT5eVNjUL/J9jnZ9eK+wM Jv1PUyaasL8nabGefSS2DmyAH7CVy/TcdDlzIBpN99hEfMO29bMu9xvAwE9f34Rp zYW4p6oTFMajOu/7p0vJwoSXirLOBxBLkzU8aT5Gd6ZGFGox3WJE0dx0IvPVmBi3 mkdmc9ObTn/xSixL2cbdoV39nFSKdRVEmSZnOShxGPD/xKp0/GZgvZSqQJ26Nwqu Ry9yOBOkW/WPiTY279SdW+uVG8diTxYZqJy3d5g2/RSY7u3Irvv0F8Y7kpOj3mTR bU3RLicV728kUGiyyhpu2SVPHxTC9ABu1J9udVQwX6tBizyEWMdNwiN6iJLEzRHr pMpZXFWk2E9MFqzx48k+oX/OLLxkO8BDF050lNFHZO27VUpFMAR31Yo69Hn2jiOw 1k3T13wxBmGEUPpvsvJcROq5/MwjsSGYfx6xO9kczQF+Rk3kEzk= =uHA3 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY9ihwskNZI30y1K9AQh7PA/9HPRs7RA1KIIhVveW2jyBn6HDW+ltWZrI 65vpB+C7HkFJU4moClwQwb6iJytx4JjFfG1cU25SW5gGO8MZ7Xy+hO/RX8Ul3d3l WQBHsqReL55qlqXOTiGJbMsDRsubczO+SBEH6IRRvVu30qzFYa4e65kKBw3wsLQ+ YmG83WeHjWgn90q7k7VtAcb7f/nZZn9hZKOYwCzOFHTRVtvlSVpLT8XSjguIJUPA cOmn8r4fSZFPwNMGGnk7FEBzURVdDyC53ekcctGqC10yuHx8Ei6NagcYEwA5NEIr tfjxU/5z0rKxy1UrUTCNHctf4ZL7yhElz6iXDLH48DJZhD2R9JzYYsP0PGA0Yhdo fFhYxmrD0fgcUA+qDBhxzVWnQRxto/2HjwPcQTDKphrzJCVGN6n7rmjDZAIa+FhS +65HVB1gDVUgOsaGnVVoLdaEG4OVvqQtvplGze2hBp0BUX6UGO9/utfxMmsdHrpA XYbe0xKpIPjEWbaXK/lAxZOnpl90oVSUqiRM5UQWsWaFWuwk9HBbAArWPhymX2Ym eQbzFq4Xp3EBEZHoVb1aXuGTsQb5nmtDdsrpq/XWmbd41uYdCM2vJNAIjFmJ0Syr JjBZt6I7oZ0iHOzyf5Wyns1LjTp+CxZgHbFUxpqZzPd6q6c/M/bH9GjRkVQfld1w DRnIQaTmKsE= =Nua4 -----END PGP SIGNATURE-----