Overview
The recent Equifax breach is unfortunately a security risk all companies handling sensitive customer information face. Details of the recent breach have been made available here. The attack vector at issue here is a widely-known vulnerability in Apache Struts 2 framework, disclosed in early March and drew the attention of many Web Application Firewall (WAF) vendors, including Symantec – see here. The specific payload does not matter when using CVE-2017-5638 as the vector of attack, as there are several proof of concepts (POCs) available and there are likely thousands of ways to exploit this vulnerability. In our original blogpost, we use one of those POCs to showcase the strength of the Symantec WAF solution for blocking zero-day attacks.
What can other companies learn from this? All companies that handle payment card information are subject to PCI DSS compliance. Requirement 6.6 of the PCI DSS specifically provides two ways to comply: (1) conduct a web application vulnerability security assessment, and/or (2) deploy a WAF in front of the web application. Deploying a WAF is the most flexible, least risky, and the most efficient method to achieve PCI DSS 6.6 compliance since conducting a vulnerability security assessment may be more resource intensive. This WAF approach also gives web application developers time to fix, patch and validate changes before deploying updates to application servers while still maintaining security controls during this highly vulnerable time. According to an article by IT World Canada, deploying the fix for the Apache Struts vulnerability can take months due to the significant effort and risk of rewriting parts of the software required as part of the update. This is where a WAF solution provides significant value by preventing attacks during the time application developers are updating vulnerable web applications in a test environment prior to deployment of such updates.
Unfortunately many administrators run WAFs in monitor-only mode because of a common problems front-ending complex applications. Advanced features, such as a learning mode (Positive Security Model) can quickly make a WAF unmanageable if deployed in front of complex and continually changing web applications. WAF admins respond by switching the appliance into monitor-only mode or disabling security features. On the other hand, using a Negative Security Model approach is a reactive control and cannot protect against many zero-day attacks. We believe in a different approach. The Symantec WAF solution tackles these problems by leveraging a unique Content Nature Detection strategy that identifies attacks such as CVE-2017-5638 without requiring a signature update, virtual patch, or learning mode. This technique is less prone to false positives for identifying vulnerabilities, and in this example can provide zero-day attack protection without any configuration change on the WAF.
Configuration
We suggest the same mitigation techniques recommended in April’s blog:
Symantec WAF customers were already protected before the Struts vulnerability was found and described in our blog post here.
Existing ProxySG customers who are not running WAF controls can deploy a virtual patch in policy for immediate protection. For example:
; ProxySG 6.5.x
<proxy>
request.header.Content-Type.substring="%{(#" force_exception(invalid_request)
; ProxySG 6.6+
<proxy>
http.request.normalization.default("urlDecode:(path),urlDecode:(header),urlDecode:urlDecode:htmlEntityDecode:(arg_name,arg)")
<proxy>
http.request[header].substring="%{(#" force_exception(invalid_request)
Defense in depth
Even though the Symantec ProxySG WAF provides protection for this CVE, it is important to employ a defense-in-depth strategy and deploy multiple layers of security. If any specific layer is breached there are other layers providing complementary protection, making it extremely difficult for attackers. Symantec offers two additional layers of protection, providing a three-tier comprehensive defense in depth solution.
Symantec Cloud Data Protection Integration
The Symantec Cloud Data Protection (CDP) product integrates with the ProxySG WAF and is used to encrypt sensitive information that is typically stored in backend databases. Using a third-party Hardware Security Module (HSM) the encryption keys are stored securely, and are used to encrypt and decrypt the data in real-time as it is accessed from the database. Using the CDP Policy Builder, the Administrator can quickly and easily identify the fields that are sensitive in their custom web application and define an encryption policy for these fields. This additional layer of security provides protection in the event an attacker bypasses the network defense layer and lands an exploit on an internal system that has access to the database. The contents are encrypted and therefore unusable by the attacker.
Symantec Data Loss Prevention
Symantec also offers the leading DLP solution on the market and this is used for an additional layer of defense. Integrating DLP with the ProxySG WAF allows all data leaving the application to be scanned for violations and anomalies. If an attacker is somehow successful in breaching the WAF and exploiting the Cloud Data Protection encryption, they must also successfully extract the data and evade the DLP policy that is scanning all traffic leaving the application to succeed in an attack.
