Mitigating CVE 2021 44228 on Imperva

Since Dec 12, the security world is fightig a massive security vulnerability known under CVE-2021-44228. In this article I want to provide some details on how to mitigate it on Imperva on-premise WAFs as I have seen some misconfigurations on customer’s systems

There are 2 ways you can protect your Web-Applications against this with Imperva WAF. Either with „Imperva Threat Intelligence Emergency Feed“ or if you do not have a subscription for that, via manual policies. I will outline both ways.

Mitigation with Threat Radar Emergency Feeds

I am recommending to use the TR Emergency Feeds, as you will get new signatures automatically from Imperva!

If you already bought  emergency feeds, make sure they are active and enabled. Check under Main / Threat Intellicence / Dashboard.

In case they are inactive, you can enable those by right-clicking on the services.

If you do not have a subscription for it, you might be able to activate an emergency license for a couple of days (there is a button on the top-right side to do so). This is a one-time free activation and you can expect calls from Imperva Sales in the next days!

Now click on Emergency Feed / Emergency – Blocking General requests. On the right side, click the „Manage“-Tab.

Here you see one dictionary and two policies.

Check both policies by clicking the pencil-icon (on the right side)

On the Match-criteria tab, check that the policy is on Block, Severity High and that the policy is enabled and enable „one alert per session“ to have a detailed logging about it.

 

On the apply-to tab make sure you selected all sites you want to protect. It’s possible that this screen takes some time to load, so please be patient.

Save the policy.

Make sure you perform the same steps on both policies!!!

There is nothing to do on the signature. Just check if you see signatures with the term „CVE-2021-44228“ in the list, those came automatically from Imperva!

That should work now. If you want to check, please see „how to check“

Manual mitigation

First you need to create a custom dictionary under Main / Setup / Signatures. Click the +Icon and create a manual Dictionary, configure as follows

I cannot post the text in clear text, as it might create problems… This section \/\/ is not „W“, its backslash, forwardslash, backslash, forwardslash!

It’s important to type it exactly as shown here!

For performance reason, the WAF first search only for the occurence of ${ (in „part“). If there is a match, the whole regex as specified after that will be executed.

Save this signature

Now go to Main / Policies / Security and create 2 new policies:

One is a WebApplication Signatures Policy, the other one is a Web Service Custom.

Lets start with the Signatures Policy. Click on the green + Icon and select Web Application Policy and give it a name like „CVE-2021-44882 SigPol“
Select „From Scratch“ and Type „Web Application Signatures“ and click „create“

Under Dictionary Name, click the green + again and add the dictionary you’ve just created

It should look like this:

Leave it on enabled, no alert, no action.

Next is to create a „WebService Custom“ policy, in the policies screen click the green + icon again, select Web Service rule.

Assign a descriptive name and select „From Scratch“, type „Web Service Custom“

In the details of the new policy on the right side, under Available Match criteria“ search for „Signatures“ and move it up with the green Up-arrow.

Show the details by clicking +

Leave „Operation“ set to „at least one“

Select „User defined Signatures“

Select the signature you created and move it with the green right-pointing arrow to the „Selected“-List

„Policy Rules“ click + and select the dictionary you’ve created before.

Testing the setup

To test if it works, you can try to access the WAF protected website with this URL. I will post it as a picture, otherwise it might get blocked by systems that already detect this vulnerability.

 

Replace „yourdomain.de“ by your domain name. The actual attack string starts with the „$“ and ends with „}“

Check the Imperva Alert Log, you should see an Alert after some time. This one was generated by Threat Radar Emergency Patterns:

And this is an alert coming from custom policies, hand-crafted:

Summary

This is just a first attempt to try to block this. It is likely that attacks will be formed that will not be detected by the current regex, as there are lots of ways to obfuscate the attack. So the best way to protect is:

  • check if you have software that is vulnerable
  • check if there are updates available for your software und update the systems
  • Use Imperva Threat Radar Emergency Feeds, so you get new signatures automatically

For more details about this vulnerability, I recommend this comprehensive article from Heise:

https://www.heise.de/ratgeber/Schutz-vor-schwerwiegender-Log4j-Luecke-was-jetzt-hilft-und-was-nicht-6292961.html

Update Dec 15, 2021

Imperva has release new ADC Content that contains these patterns. So even if you do not have the emergency subscription, you should get the updated via ADC Content. Please check the Version (Admin / ADC)

Update Dec 21, 2021

Imperva has released additional information here:

https://docs.imperva.com/howto/9111b8a5/

Please follow these instructions!