Advisory

Imperva Web Application Firewall vulnerable to bypass of WAF rules

Take action: If you are using an Imperva SecureSphere WAF, review the instructions in the Imperva portal and apply the controls. This is a security control you rely on to protect your applications, so make sure it can be trusted to do so.


Learn More

Imperva has identified and addressed a critical vulnerability, tracked as CVE-2023-50969 (CVSS score 9.8), in its SecureSphere Web Application Firewall (WAF).

The flaw could enable attackers to bypass WAF defenses specifically designed to scrutinize POST data. This bypass capability exposes web applications protected by the SecureSphere WAF to potential exploits of existing vulnerabilities that the WAF would typically block.

The vulnerability (CVE-2023-50969) impacts all versions of Imperva SecureSphere WAF prior to the Application Defense Center (ADC) update, which was released on February 26, 2024. Imperva SecureSphere WAF version 14.7.0.40 is specifically mentioned, while Imperva Cloud WAF remains unaffected.

The vulnerability has a PoC via a PHP webshell, identified as which incorporates a form enabling the submission of arbitrary commands via a text input field. When this form is processed, the `system` function executes the submitted command on the server. This is a significant security concern as it potentially allows attackers to execute arbitrary code, upload malicious files, exfiltrate sensitive information, or deface the website due to inadequate input validation and sanitization.

Exploitation of this vulnerability is facilitated through manipulating HTTP requests, specifically by inserting multiple Content-Encoding headers. This technique deceives the WAF into misinterpreting the data, thereby allowing the execution of malicious commands that standard WAF rules would typically block.
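The header condition described above can be turned into a review trigger on proxy or WAF request logs. The following is an added example, not Imperva's code or anything from the advisory; it assumes raw HTTP/1.1 requests are available as bytes, and the sample requests are constructed.

```python
# Added example, not Imperva's code or the advisory's: a proxy/log-side check
# that flags POST requests carrying more than one Content-Encoding value, the
# condition the advisory describes. Sample requests are constructed.
from typing import List, Optional, Tuple


def parse_request(raw: bytes) -> Tuple[str, str, List[Tuple[str, str]], bytes]:
    """Split a raw HTTP/1.1 request into (method, path, headers, body).
    Headers are kept as an ordered list, not a dict, so repeated field lines
    (the condition of interest) are not silently collapsed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return method, path, headers, body

def content_encodings(headers: List[Tuple[str, str]]) -> List[str]:
    """Every Content-Encoding token, across repeated lines and comma lists."""
    tokens: List[str] = []
    for name, value in headers:
        if name == "content-encoding":
            tokens.extend(t.strip().lower() for t in value.split(",") if t.strip())
    return tokens

def flag_request(raw: bytes) -> Optional[str]:
    """Return a finding if the request merits review, otherwise None.
    Policy: a body plus more than one Content-Encoding token (repeated header
    lines or a list value) is flagged. A list value is legal per RFC 9110, so
    this is a review trigger, not proof of an attack."""
    method, path, headers, body = parse_request(raw)
    encs = content_encodings(headers)
    if not body or len(encs) <= 1:
        return None
    repeated = sum(1 for n, _ in headers if n == "content-encoding") > 1
    how = "repeated header lines" if repeated else "list value"
    return f"{method} {path}: {len(encs)} Content-Encoding tokens ({how}): {encs}"

# Constructed samples: a normal gzip POST and one with a duplicated header.
NORMAL_POST = (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
               b"Content-Encoding: gzip\r\nContent-Length: 7\r\n\r\nuser=ab")
DUPLICATED_POST = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
                   b"Content-Encoding: gzip\r\nContent-Encoding: identity\r\n"
                   b"Content-Length: 7\r\n\r\nuser=ab")

if __name__ == "__main__":
    for sample in (NORMAL_POST, DUPLICATED_POST):
        print(flag_request(sample) or "ok")
```

Because a comma-separated Content-Encoding list is valid HTTP, treat a hit as a request to inspect, and compare how the WAF and the origin each decode the body.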

Imperva has issued a remediation through an ADC rule update, detailed in a document accessible via the Imperva Support Portal (Imperva login required).
