Trustwave ModSecurity up to 2.7.0 Multipart Request Parser POST Request access control
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.6 | $0-$5k | 0.00 |
A vulnerability, which was classified as critical, was found in Trustwave ModSecurity. Affected is an unknown functionality of the component Multipart Request Parser. The manipulation with the input value Content-Disposition: form-data; name="id"[\r][\r][\n] leads to a access control vulnerability. CWE is classifying the issue as CWE-264. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:
The mod_security2 module before 2.7.0 for the Apache HTTP Server allows remote attackers to bypass rules, and deliver arbitrary POST data to a PHP application, via a multipart request in which an invalid part precedes the crafted data.
The bug was discovered 10/12/2012. The weakness was presented 10/15/2012 by Bernhard Mueller with SEC Consult Vulnerability Lab as SA-20121017-0 as not defined mailinglist post (Full-Disclosure). The advisory is available at archives.neohapsis.com. The public release was coordinated in cooperation with the vendor. This vulnerability is traded as CVE-2012-4528 since 08/21/2012. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. Technical details and a public exploit are known. This vulnerability is assigned to T1068 by the MITRE ATT&CK project.
A public exploit has been developed by Bernhard Mueller in PHP and been published 2 days after the advisory. The exploit is shared for download at archives.neohapsis.com. It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 4 days. During that time the estimated underground price was around $0-$5k. The vulnerability scanner Nessus provides a plugin with the ID 67126 (ModSecurity < 2.7.0 Multipart Request Parsing Filter Bypass), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Firewalls. The commercial vulnerability scanner Qualys is able to test this issue with plugin 166401 (OpenSuSE Security Update for apache2-mod_security2 (openSUSE-SU-2013:1342-1)).
Upgrading to version 2.7.0 eliminates this vulnerability. The upgrade is hosted for download at modsecurity.org. It is possible to mitigate the problem by applying the configuration setting IQ %{MULTIPART_INVALID_PART}, \.It is possible to mitigate the weakness by firewalling Web Server Port. The best possible mitigation is suggested to be upgrading to the latest version. A possible mitigation has been published immediately after the disclosure of the vulnerability.
The vulnerability is also documented in the vulnerability database at Tenable (67126). See 8160, 8314, 8904 and 61374 for similar entries.
Product
Vendor
Name
Version
- 2.0.0
- 2.0.1
- 2.0.2
- 2.0.3
- 2.0.4
- 2.1.0
- 2.1.1
- 2.1.2
- 2.1.3
- 2.1.4
- 2.1.5
- 2.1.6
- 2.5.0
- 2.5.1
- 2.5.2
- 2.5.3
- 2.5.4
- 2.5.5
- 2.5.6
- 2.5.7
- 2.5.8
- 2.5.9
- 2.5.10
- 2.5.11
- 2.5.12
- 2.5.13
- 2.6.0
- 2.6.1
- 2.6.2
- 2.6.3
- 2.6.4
- 2.6.5
- 2.6.7
- 2.6.8
- 2.7.0
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.3VulDB Meta Temp Score: 6.6
VulDB Base Score: 7.3
VulDB Temp Score: 6.6
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Access controlCWE: CWE-264
CAPEC: 🔍
ATT&CK: 🔍
Local: No
Remote: Yes
Availability: 🔍
Access: Public
Status: Proof-of-Concept
Author: Bernhard Mueller
Programming Language: 🔍
Download: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | unlock | unlock | unlock | unlock |
|---|---|---|---|---|
| Today | unlock | unlock | unlock | unlock |
Nessus ID: 67126
Nessus Name: ModSecurity < 2.7.0 Multipart Request Parsing Filter Bypass
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
OpenVAS ID: 864904
OpenVAS Name: Fedora Update for mod_security_crs FEDORA-2012-18315
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Exploit Delay Time: 🔍
Upgrade: ModSecurity 2.7.0
Config: IQ %{MULTIPART_INVALID_PART}, \
Firewalling: 🔍
Timeline
08/21/2012 🔍10/11/2012 🔍
10/12/2012 🔍
10/15/2012 🔍
10/15/2012 🔍
10/17/2012 🔍
10/17/2012 🔍
10/17/2012 🔍
10/18/2012 🔍
10/19/2012 🔍
10/20/2012 🔍
12/10/2012 🔍
12/28/2012 🔍
07/02/2013 🔍
04/18/2021 🔍
Sources
Advisory: SA-20121017-0Researcher: Bernhard Mueller
Organization: SEC Consult Vulnerability Lab
Status: Not defined
Confirmation: 🔍
Coordinated: 🔍
CVE: CVE-2012-4528 (🔍)
Vulnerability Center: 37575 - ModSecurity 2.6.8 Remote Security Bypass Vulnerability, Medium
SecurityFocus: 56096 - ModSecurity POST Parameters Security Bypass Vulnerability
Secunia: 49853 - ModSecurity Multipart Message Parsing Security Bypass Vulnerability, Moderately Critical
OSVDB: 86408
scip Labs: https://www.scip.ch/en/?labs.20130913
See also: 🔍
Entry
Created: 10/20/2012 21:06Updated: 04/18/2021 15:21
Changes: 10/20/2012 21:06 (97), 04/22/2017 12:56 (5), 04/18/2021 15:21 (3)
Complete: 🔍
No comments yet. Languages: en.
Please log in to comment.