Jump to content
  • NetScaler WAF mitigates risk from MOVEit SQLi vulnerability 


    NetScaler Cyber Threat Intelligence

    NetScaler WAF mitigates risk from MOVEit SQLi vulnerability 

     

     

    NetScaler has new signatures available for its integrated Web App Firewall to help customers mitigate the recent authentication bypass vulnerability in multiple versions of MOVEit Transfer’s database (versions prior to 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1)). The vulnerability CVE-2023-34362 affects all versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions, including older unsupported versions. 

    The new signatures protect customers from the recent CVE-2023-34362 vulnerability found in versions of Progress Software's MOVEit Transfer's database that encompasses multiple attack vectors privilege escalation, SQLi injection, Remote Code Execution.  

    The vulnerability is classed as critical. Customers should apply the latest NetScaler WAF signature file to help mitigate exploitation of this vulnerability in their environments.You can download the signatures and apply them immediately.  

     

    Mitigating CVE-2023-34362

    The NIST database has details about the vulnerability:

     

    In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions.

     

     

     

    The vendor (Progress Software) recommends that users of MOVEit Transfer immediately adhere to their published mitigation measures and apply the appropriate patch to the software in order to prevent exploitation of this SQLi vulnerability. 

    NetScaler customers can quickly implement the  following recommendations to help reduce risk and lower exposure associated with this vulnerability. If you are using any of the affected MOVEit Transfer  versions, NetScaler strongly recommends that you download the version 106 or later of the signature file and apply it to your NetScaler Web App Firewall deployments as an additional layer of protection for your applications.  Signatures are compatible with NetScaler (formerly Citrix ADC) software version 11.1, 12.0, 12.1, 13.0 and 13.1. NOTE: software versions 11.1 and 12.0 are end of life and you should consider upgrading for continued support. Learn more about the NetScaler software release lifecycle.

     

     

     

     

    Signature rule

     

    CVE ID

     

    Description

     

    998690

     

    CVE-2023-34362

     

    WEB-MISC Progress MOVEit Transfer Multiple Versions - SQL Injection Vulnerability (CVE-2023-34362)

     

     

     

    If you are already using NetScaler Web App Firewall with the signature auto-update feature enabled, verify that your signature file version is 106 or later and then follow these steps.

     

    1. Search your signatures for CVE-2023-34362 LogString
    2. Select the results with ID 
    3. Choose “Enable Rules” and click OK

    NetScaler WAF Best Practices

    NetScaler recommends that WAF users always download the latest signature version, enable signature auto-update, and subscribe to receive signature alert notifications. NetScaler will continue to monitor this dynamic situation and provide updates as new mitigations become available.

     

    Handling false positives

     

    If app availability is affected by false positives that result from the above mitigation policies, relaxations can be applied. NetScaler recommends the following modifications to the policy.

     

     

     

    Modifications to NetScaler Web App Firewall Policy:

     

    add policy patset exception_list
    
    
    
    # (Example: bind policy patset exception_list “/exception_url”) 

     

    Prepend the existing WAF policy with:

     

    HTTP.REQ.URL.CONTAINS_ANY(“exception_list”).NOT
    
    
    
    # (Example :  set appfw policy my_WAF_policy q^HTTP.REQ.URL.CONTAINS_ANY(“exception_list”).NOT && <existing rule>^

     

    NOTE: Any endpoint covered by the exception_list may expose those assets to risks from CVE-2023-34362.

     

    Additional Information

     

    NetScaler Web App Firewall benefits from a single code base across all its form-factors (physical, virtual, bare-metal, and containers). This signature update applies to all form factors and deployment models of NetScaler Web App Firewall.

     

    Learn more about NetScaler Web app Firewall, read our alert articles and bot signature articles to learn more about NetScaler WAF signatures, and find out how you can receive signature alert notifications.

     

    Please join the NetScaler Community today and engage with your peers to learn more about how they are protecting their businesses with NetScaler WAF. 

     

     


    User Feedback

    Recommended Comments

    There are no comments to display.



    Create an account or sign in to comment

    You need to be a member in order to leave a comment

    Create an account

    Sign up for a new account in our community. It's easy!

    Register a new account

    Sign in

    Already have an account? Sign in here.

    Sign In Now

×
×
  • Create New...