
WAF signature CVE-2021-31166 is blocking unexpectedly


Aaron Huang1709159575

Question

We recently found that signature blocking events for the RCE vulnerability (CVE-2021-31166) are increasing a lot.

We suppose the WAF is blocking incorrectly. Since there is no user feedback yet, it's not easy to tell what exactly the WAF blocked.

 

We looked at the logs and found that the blocked requests carried the header "Accpet-Encoding:gzip,deflate,sdch".

I don't really understand the regular expression in the signature rule, but the string "sdch" seems to be blocked, doesn't it?

These kinds of requests should be normal connections.

Please help confirm whether the WAF signature is blocking correctly or not, thanks!

<SignatureRule id="999245" enabled="OFF" actions="block,log" category="web-iis" source="Citrix" type="" version="1" sourceid="999245" harmscore="">
      <PatternList>
        <RequestPatterns>
          <Pattern type="fastmatch">
            <Location area="HTTP_URL"></Location>
            <Match type="Literal">/</Match>
          </Pattern>
          <Pattern>
            <Location area="HTTP_HEADER">
              <HeaderName type="Literal">Accept-Encoding</HeaderName>
            </Location>
            <Match type="Expression">TEXT.CONTAINS(",").AND(TEXT.REGEX_MATCH(re/^(,{0,1}\s*(gzip|compress|deflate|br|identity|\*)(\s*;\s*q=[\d\.]+){0,1})+$/).NOT)</Match>
          </Pattern>
        </RequestPatterns>
      </PatternList>
      <LogString>WEB-IIS Microsoft HTTP Protocol Stack - Remote Code Execution Vulnerability (CVE-2021-31166)</LogString>
      <Reference>cve,2021-31166</Reference>
      <Reference>nvd,2021-31166</Reference>
      <Comment></Comment>
    </SignatureRule>

 

6 answers to this question
On 1/10/2022 at 4:58 AM, Aaron Huang1709159575 said:

There seems to be no interface to modify WAF signature.

 

 

That's right. It would not make sense, as your modifications could potentially go away as soon as Citrix modifies this very signature.

 

I would either use a responder policy, or you could use a WAF policy with one of the built-in blocking actions, or create a signature by yourself.

 

Cheers

 

Johannes Norz

CTA, CCI, CCE-N

https://blog.norz.at


Can you add "sdch" to the regex? You might have to duplicate the rule and disable the original.

 

The ^ at the beginning of the regex seems strange. Regex tester won't match it with that character.

 

I suspect your test string has a typo: Accept-Encoding:gzip,deflate,sdch instead of Accpet-Encoding:gzip,deflate,sdch


The string "Accpet-Encoding:gzip,deflate,sdch" was typed wrong, sorry for my mistake. 

 

I also want to add "sdch" to the regex, but I have no idea how to modify it.

There seems to be no interface to modify WAF signature. 

 

The regex is from official signature though it's strange.

https://s3.amazonaws.com/NSAppFwSignatures/sigs/sig-r12.0b0v74s6.xml

I think the string was blocked because there is a NOT in the end of regex.

 

I use custom audit policy to collect request logs only with header name Accept-Encoding, since the regex only checks header name Accept-Encoding.

And all requests carried the header "Accept-Encoding:gzip,deflate,sdch" when the blocked events happened.
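To make the rule's behaviour concrete, here is an added Python example (not Citrix code and not posted by anyone in this thread) that re-implements the Match expression from the signature quoted in the question, TEXT.CONTAINS(",").AND(TEXT.REGEX_MATCH(...).NOT), in plain Python and runs it over a few constructed Accept-Encoding values. It also carries the variant suggested in the reply above, with sdch added to the alternation, as an assumed regex for a duplicated custom signature rather than an official one. The audit lines are constructed for the example, not taken from a real log.

```python
import re

# Regex copied verbatim from signature 999245 as quoted in the question above.
ORIGINAL_ALLOWLIST = re.compile(
    r"^(,{0,1}\s*(gzip|compress|deflate|br|identity|\*)(\s*;\s*q=[\d\.]+){0,1})+$"
)

# Assumed variant for a duplicated custom signature: "sdch" added to the alternation,
# as one reply suggests. Not an official Citrix signature.
PATCHED_ALLOWLIST = re.compile(
    r"^(,{0,1}\s*(gzip|compress|deflate|br|identity|\*|sdch)(\s*;\s*q=[\d\.]+){0,1})+$"
)


def signature_fires(header_value, allowlist=ORIGINAL_ALLOWLIST):
    """Python equivalent of the rule's Match expression:

        TEXT.CONTAINS(",").AND(TEXT.REGEX_MATCH(re/^(...)$/).NOT)

    Returns True when the signature would fire on this Accept-Encoding value,
    i.e. the value contains a comma AND does NOT fully match the allowlist regex.
    The regex is anchored with ^ and $, so any comma-separated list containing an
    encoding token that is not in the alternation trips the rule.
    """
    contains_comma = "," in header_value
    on_allowlist = allowlist.fullmatch(header_value) is not None
    return contains_comma and not on_allowlist


def review_audit_lines(lines, allowlist=ORIGINAL_ALLOWLIST):
    """Walk raw 'Header-Name: value' lines, such as those collected with a custom
    audit policy, and report which Accept-Encoding values would trip the rule.
    Other headers are skipped because the signature only inspects Accept-Encoding.
    Returns a list of (value, fires) tuples in input order.
    """
    results = []
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "accept-encoding":
            continue
        value = value.strip()
        results.append((value, signature_fires(value, allowlist)))
    return results


# Constructed sample lines, not taken from any real log.
CONSTRUCTED_AUDIT_LINES = [
    "Accept-Encoding: gzip,deflate,sdch",             # the value reported in the question
    "Accept-Encoding: gzip, deflate",                  # ordinary browser value
    "User-Agent: example-client/1.0",                  # skipped: not Accept-Encoding
    "Accept-Encoding: br;q=1.0, gzip;q=0.8, *;q=0.1",  # q-values are allowed by the regex
    "Accept-Encoding: sdch",                           # no comma, so CONTAINS(",") is false
]


if __name__ == "__main__":
    for value, fires in review_audit_lines(CONSTRUCTED_AUDIT_LINES):
        print(f"{'BLOCK' if fires else 'allow'}  original rule  {value!r}")
    for value, fires in review_audit_lines(CONSTRUCTED_AUDIT_LINES, PATCHED_ALLOWLIST):
        print(f"{'BLOCK' if fires else 'allow'}  sdch added     {value!r}")
```

Running it shows the mechanism behind the blocks: the regex is an allowlist of encoding tokens, and the trailing .NOT turns "anything with a comma that is not purely gzip/compress/deflate/br/identity/* with optional q-values" into a hit. "gzip,deflate,sdch" fires under the original regex and passes under the sdch variant, while a lone "sdch" never fires because the CONTAINS(",") guard is false. Checking candidate values this way before duplicating the signature avoids trading one false positive for another.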

 

 
