

    NetScaler Cyber Threat Intelligence

    NetScaler WAF Signatures Update v114

     

    NetScaler has new signatures available for its integrated Web App Firewall to help customers mitigate several CVEs, including CVE-2023-40044 (Progress Software patches multiple vulnerabilities in WS_FTP Server) and CVE-2023-42793 (critical RCE vulnerability in TeamCity On-Premises).

    CVE-2023-40044 is a critical vulnerability in Progress WS_FTP Server, a widely used file transfer product. It is a .NET deserialization flaw in the Ad Hoc Transfer module of WS_FTP Server that could allow an unauthenticated attacker to execute remote commands on the underlying operating system. An attacker could exploit it by sending a specially crafted POST request to a vulnerable WS_FTP Server; successful exploitation grants remote command execution on the server's operating system. The vulnerability is particularly dangerous because exploitation requires no authentication: an attacker does not need any existing credentials on the WS_FTP Server.

    CVE-2023-42793 is a critical remote code execution (RCE) vulnerability in JetBrains TeamCity On-Premises. It allows an unauthenticated attacker with HTTP(S) access to a TeamCity server to execute arbitrary code on that server. The vulnerability is caused by a flaw in the way TeamCity authenticates users: an attacker exploits it by sending a specially crafted HTTP(S) request to the TeamCity server, and if the request succeeds the attacker can execute arbitrary code on the server.

    This vulnerability is very dangerous because it can be exploited without any authentication, so an attacker does not need any existing credentials on the TeamCity server. JetBrains has released a patch for CVE-2023-42793 for all affected versions of TeamCity On-Premises.

     Signatures included in v114:

    Signature rule | CVE ID         | Description
    -------------- | -------------- | -----------
    998601         | CVE-2023-42793 | WEB-MISC JetBrains TeamCity Prior to 2023.05.4 - Authentication Bypass Vulnerability (CVE-2023-42793)
    998602         | CVE-2023-40931 | WEB-MISC NagiosXI Prior to 5.11.2 - SQL Injection Vulnerability (CVE-2023-40931)
    998603         | CVE-2023-40044 | WEB-MISC Progress WS_FTP Server - Deserialization of Untrusted Data Vulnerability (CVE-2023-40044)
    998604         | CVE-2023-39362 | WEB-MISC Cacti Prior To 1.2.25 - OS Command Injection Vulnerability (CVE-2023-39362)
    998605         | CVE-2023-39361 | WEB-MISC Cacti Prior to 1.2.25 - SQL Injection Vulnerability (CVE-2023-39361)
    998606         | CVE-2023-39359 | WEB-MISC Cacti Prior to 1.2.25 - SQL Injection Vulnerability (CVE-2023-39359)
    998607         | CVE-2023-39358 | WEB-MISC Cacti Prior to 1.2.25 - SQL Injection Vulnerability via reports_admin (CVE-2023-39358)
    998608         | CVE-2023-39358 | WEB-MISC Cacti Prior to 1.2.25 - SQL Injection Vulnerability via reports_user (CVE-2023-39358)
    998609         | CVE-2023-35813 | WEB-MISC Sitecore Through 10.3 - Remote Code Execution Vulnerability (CVE-2023-35813)
    998610         | CVE-2023-20890 | WEB-MISC VMware Aria Operations for Networks - Path Traversal Vulnerability Via infra API (CVE-2023-20890)
    998611         | CVE-2023-20890 | WEB-MISC VMware Aria Operations for Networks - Path Traversal Vulnerability Via data-sources API (CVE-2023-20890)
    998612         | CVE-2022-43719 | WEB-MISC Apache Superset Multiple Versions - CSRF Vulnerability (CVE-2022-43719)
    998613         | CVE-2022-40881 | WEB-MISC Contec SolarView Compact Prior to 7.21 - OS Command Injection Vulnerability (CVE-2022-40881)

     

    NetScaler customers can quickly import the above signatures to help reduce risk and lower exposure associated with these vulnerabilities. Signatures are compatible with NetScaler (formerly Citrix ADC) software versions 11.1, 12.0, 12.1, 13.0 and 13.1. NOTE: Software versions 11.1 and 12.0 are end of life, and you should consider upgrading for continued support. Learn more about the NetScaler software release lifecycle.

     

    If you are already using NetScaler Web App Firewall with the signature auto-update feature enabled, verify that your signature file version is 114 or later and then follow these steps.

    1. Search your signatures for <number>
    2. Select the results with ID 
    3. Choose “Enable Rules” and click OK

     

    NetScaler WAF Best Practices

    NetScaler recommends that WAF users always download the latest signature version, enable signature auto-update, and subscribe to receive signature alert notifications. NetScaler will continue to monitor this dynamic situation and provide updates as new mitigations become available.

    Handling false positives

    If app availability is affected by false positives that result from the above mitigation policies, relaxations can be applied. NetScaler recommends the following modifications to the policy.

     

    Modifications to NetScaler Web App Firewall Policy:

    add policy patset exception_list

    # (Example: bind policy patset exception_list "/exception_url")

    Prepend the existing WAF policy with:

    HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT

    # (Example: set appfw policy my_WAF_policy q^HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>^)

    NOTE: Any endpoint covered by the exception_list is exempted from the policy and may expose those assets to risk.
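The following is an added example, not NetScaler's own code: it models the relaxation above so the reach of an exception_list entry can be checked before it is applied. It assumes CONTAINS_ANY(patset) is a case-sensitive substring match against HTTP.REQ.URL (which includes the query string); the class and function names and the sample URLs are constructed for illustration.

```python
# Added example (not NetScaler's code). Models the relaxation policy
#   HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>
# Assumption: CONTAINS_ANY is a case-sensitive substring match on the full
# request URL, so one bound pattern can exempt more endpoints than intended.
from typing import Callable, Iterable, List, Set


class PatSet:
    """Stand-in for `add policy patset <name>` and its `bind policy patset` lines."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.patterns: Set[str] = set()

    def bind(self, pattern: str) -> None:
        # bind policy patset <name> "<pattern>"
        self.patterns.add(pattern)

    def contains_any(self, url: str) -> bool:
        # HTTP.REQ.URL.CONTAINS_ANY("<name>"): true if any bound pattern is a substring
        return any(p in url for p in self.patterns)


def waf_policy_applies(url: str, exceptions: PatSet,
                       existing_rule: Callable[[str], bool]) -> bool:
    """Evaluate the prepended policy; False means the request skips WAF inspection,
    so the signatures enforced through this policy are never evaluated for it."""
    return (not exceptions.contains_any(url)) and existing_rule(url)


def audit_exemptions(exceptions: PatSet, urls: Iterable[str]) -> List[str]:
    """Return the sample URLs that the exception_list would exempt from the policy."""
    return [u for u in urls if exceptions.contains_any(u)]


if __name__ == "__main__":
    def inspect_all(url: str) -> bool:   # constructed stand-in for <existing rule>
        return True

    exception_list = PatSet("exception_list")
    exception_list.bind("/exception_url")   # the page's example binding

    # Constructed sample traffic: only the first URL is the intended exception,
    # but substring matching exempts every URL that merely contains the pattern.
    sample = ["/exception_url", "/admin", "/exception_url/../admin",
              "/api/v1/exception_url_legacy", "/login?next=/exception_url"]
    for u in sample:
        print(f"{u:32} inspected={waf_policy_applies(u, exception_list, inspect_all)}")
    print("exempted:", audit_exemptions(exception_list, sample))
```

Reviewing the audit output before binding a pattern shows which additional paths and query strings the relaxation would also take out of inspection.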

    Additional Information

    NetScaler Web App Firewall benefits from a single code base across all its form-factors (physical, virtual, bare-metal, and containers). This signature update applies to all form factors and deployment models of NetScaler Web App Firewall.

    Learn more about NetScaler Web App Firewall, read our alert articles and bot signature articles to learn more about NetScaler WAF signatures, and find out how you can receive signature alert notifications.

    Please join the NetScaler Community today and engage with your peers to learn more about how they are protecting their businesses with NetScaler WAF. 
