Researcher uncovers RCE and undocumented backdoor risks

Multiple vulnerabilities in the WAPPLES web application firewall (WAF) created a means to commandeer vulnerable devices and run arbitrary commands, a researcher warns.

Another set of flaws in the technology created a means to access the device with privileges through a “backdoor account”, according to security researcher Konstantin Burov.

More specifically, the Kazakhstan-based security researcher uncovered vulnerabilities in WAPPLES from version 4.0 to 6.0 that allowed a remote attacker to execute arbitrary code or obtain confidential information using predefined credentials, among other exploits.

Burov also discovered that it was possible to escalate user privileges to root in versions 5.0 and 6.0 of the technology.


Catch up on the latest security research and analysis


WAPPLES, from Penta Security Systems, is shipped as either a hardware appliance or a virtual machine. In either scenario, the technology is designed to protect what might otherwise be vulnerable websites or applications against potential attack.

The technology is most widely used in Japan and South Korea, according to Shodan-based searches run by Burov.

The vulnerabilities – tracked as CVE-2022-24706, CVE-2022-31322, CVE-2022-35413, CVE-2022-31324, and CVE-2022-35582 – are documented in a technical blog post.

The most severe, remote code execution (RCE) risk – tracked as CVE-2022–24706 (currently undergoing reanalysis) – arises from reliance on a vulnerable third-party component.

“WAPPLES uses a vulnerable CouchDB version in default configuration that leads to remote OS command execution,” Burov explains. “To exploit this vulnerability the attacker must have access to the management interface.”

Burov warned: “An attacker could gain unprivileged access to a system as a ‘couchdb’ user, then escalate privileges using the other vulnerabilities.”

Penta-thlon

Separately, Burov discovered that the “operating system that WAPPLES runs on has a built-in non-privileged user ‘penta’ with a predefined password.

“The password is revealed in the system script and differs for different versions of the product,” according to the researcher.

The practical upshot of this unclosed backdoor (tracked as CVE-2022–35582) is that even moderately skilled attackers might well be able to get hold of device credentials and thereby gain uncontrolled access to the device.

Hardcoded credentials for the web-API of some recent version of WAPPLES were also exposed, Burov discovered. Flaws in WAPPLES undermined the protection it might otherwise be able to offer.


YOU MAY ALSO LIKE Vendor disputes seriousness of firewall plugin RCE flaw


Burov, a security engineer and pen tester, told The Daily Swig that he carried out security research in his spare time.

“My colleagues showed me this product, and I almost immediately found the classic bug of command injection in CLI,” he explained. “And I decided to look under the hood, because I was sure there were more serious bugs.

“I can’t confirm that the issue has been fixed by the vendor as I do not currently have access to the WAPPLES appliance. All I have is vendor assurances.”

After failing to get a response from Penta Security, Burov reached out to Cloudbric Corp, a partner of Penta Security, who told him that the issues had been resolved.

The Daily Swig also approached Penta Security and Cloubric for comment. No word back as yet, but we’ll update this story as soon as more information comes to hand.

Burov said his research findings offered lessons for other software developers.

“If you are incorporating other technologies into your product, you should know it as if it were your own product – e.g in the CouchDB manual, it was described that the default value of Erlang Cookie needs to be changed,” he explained. “I also recommend to study the reference ‘OWASP Secure Coding Practices’.”


RELATED Vulnerability in Xalan-J could allow arbitrary code execution