Cybersecurity specialists report the detection of a critical vulnerability in OWASP ModSecurity Core Rule Set (CRS), whose exploitation would allow threat actors to bypass security mechanisms in affected deployments, including web application firewalls (WAF). The flaw was tracked as CVE-2021-35368 and apparently remained several years without being updated.
The bug would allow malicious request body payloads to pass the rule set without being inspected, due to a combination of two bugs in the CRS Drupal rule exclusion packet. It is worth mentioning that the vulnerability is not limited to Drupal installations, but is present in all CRS installations that include these rule exclusions, regardless of whether they are enabled or not.
The report mentions that the risks to websites on Drupal depend on their configuration in ModSecurity: “If the backend is broken and configured with the correct final path name information configuration, any security risk is possible,” the experts say.
In this regard, Christian Folini, one of the people responsible for the Core Rule Set project, mentioned: “The fault has existed for years; when we made the first exclusion packages we were not used to using the techniques for drafting rules that we had to employ.”
The developer mentions that they also didn’t have coding guidelines, so no one reviewed that part of the code: “Failure is obvious; the important part now is to show that we learned our lesson, as well as to adopt a truly functional code development and review process in the future,” Folini says.
The flaw was reported by Andrew Howe of Loadbalancer.org, who took an in-depth look at ModSecurity when he joined the project last year. Howe reported the two errors at CRS in June. All known CRS installations that offer the predefined CRS rule exclusion packages are compromised, which applies to CRS versions 3.0.x, 3.1.0, 3.1.1 until the latest version that received updates, as well as to currently supported versions 3.2.0 and 3.3.0.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
He is a cyber security and malware researcher. He studied Computer Science and started working as a cyber security analyst in 2006. He is actively working as an cyber security investigator. He also worked for different security companies. His everyday job includes researching about new cyber security incidents. Also he has deep level of knowledge in enterprise security implementation.