Imperva Cyber Community

communities_1.jpg
 View Only
  • 1.  Vulnerability in MX & GW appliances

    Posted 12-02-2022 08:35
    Edited by Jagadesh Kumar R 12-02-2022 08:35
    Dear everyone,

    The below mentioned vulnerability was recently discovered in MX and GW appliances version 13.6.0.51. 

    Missing content security policy
    No Cache-control and pragma HTTP header set
    HTML5: Cross Site Scripting Protection Not Set
    Web Server Misconfiguration: Insecure Content type setting
    Insecure Transport: HSTS Not Set
    Cross Frame Scripting

    If anyone overcome this vulnerability from pentesting team, looking for an update.


    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Jagadesh Kumar R
    Inormation Security Group, Assistant Manager
    The Karur Vysya Bank Limited
    Karur
    ------------------------------


  • 2.  RE: Vulnerability in MX & GW appliances

    Posted 12-07-2022 13:05
    Hi,

    Are these discovered within the appliance itself or the sites the on-prem appliance is protecting?

    I'm asking cause a GW doesn't have a GUI.

    ------------------------------
    Sarvesh Lad
    Tech Lead @ On-Prem Managed Services (WAF, DAM, DRA & Sonar)
    ------------------------------



  • 3.  RE: Vulnerability in MX & GW appliances

    Posted 12-07-2022 13:22
    Hello Sarvesh,

    Thanks for the update,

    These vulnerabilities are discovered in appliances.

    ------------------------------
    Jagadesh Kumar R
    Inormation Security Group, Assistant Manager
    The Karur Vysya Bank Limited
    Karur
    ------------------------------



  • 4.  RE: Vulnerability in MX & GW appliances

    Posted 12-07-2022 23:02
    Hello Jagadesh,

    Greetings!

    Please follow the below guide for addressing the above mentioned vulnerabilities,
    https://docs.imperva.com/bundle/v14.4-web-application-firewall-user-guide/page/69458.htm


    ------------------------------
    Syed Noor Fazal
    Product Support Engineer
    ------------------------------



  • 5.  RE: Vulnerability in MX & GW appliances

    Posted 15 days ago
    Hello Syed,

    The documentation you provided is in regards to remediate HSTS for sites behind the WAF based on my reading. How do you remediate HSTS for communication with the actual appliance?

    ------------------------------
    Spencer Nassau
    Security Engineer
    TREAS - OCC
    Washington DC
    ------------------------------



  • 6.  RE: Vulnerability in MX & GW appliances

    Posted 14 days ago
    FOR HSTS Specifically:

    Preface WARNING:

    Enabling HSTS will mean that the certificate should have the CN for the hostname that you are communicating it with.

    Meaning, if you issued a cert for mxserver.example.net from your own CA, you cannot visit the page with IP Address anymore.

    Same goes for gateway, if you have registered the GW with IP addresses instead of hostnames, it will likely cause GW to show up disconnected on MX after reboot. You can of course issue the CA cert with the IP address in the CN.

    Support for how to get the right certificate issued is out of scope for imperva but we can assist in uploading the certificate to the MX and GW.


    Steps to enable HSTS on MX and GW:

    You can enable HSTS by editing the file (make a backup before editing):

    /opt/SecureSphere/server/SecureSphere/jakarta-tomcat-secsph/conf/web.xml

    Default:

    <filter>

            <filter-name>httpHeaderSecurity</filter-name>

            <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>

            <async-supported>true</async-supported>

        </filter>

     

     

    Should be:

    <filter>
            <filter-name>httpHeaderSecurity</filter-name>
            <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
            <async-supported>true</async-supported>
            <init-param>
                <param-name>hstsEnabled</param-name>
                <param-value>true</param-value>
            </init-param>
            <init-param>
                <param-name>hstsMaxAgeSeconds</param-name>
                <param-value>31536000</param-value>
            </init-param>
            <init-param>
                <param-name>hstsIncludeSubDomains</param-name>
                <param-value>true</param-value>
            </init-param>
        </filter>


    When you go to edit the file you can see more parameters you can configure that are relevant. If you are having issues, I strongly recommend opening a support ticket.

    Once done, reboot the appliance. You will need a reboot and not a service restart.

    ------------------------------
    Sarvesh Lad
    Tech Lead @ On-Prem Managed Services (WAF, DAM, DRA & Sonar)
    ------------------------------