CVE-2017-14705 in WAFinfo

Summary

by MITRE

DenyAll WAF before 6.4.1 allows unauthenticated remote command execution via TCP port 3001 because shell metacharacters can be inserted into the type parameter to the tailDateFile function in /webservices/stream/tail.php. An iToken authentication parameter is required but can be obtained by exploiting CVE-2017-14706. This affects DenyAll i-Suite LTS 5.5.0 through 5.5.12, i-Suite 5.6, Web Application Firewall 5.7, and Web Application Firewall 6.x before 6.4.1, with On Premises or AWS/Azure cloud deployments.


Analysis

by VulDB Data Team • 12/30/2022

CVE-2017-14705 is a remote command execution flaw in DenyAll Web Application Firewall products. It affects i-Suite LTS 5.5.0 through 5.5.12, i-Suite 5.6, Web Application Firewall 5.7 and Web Application Firewall 6.x before 6.4.1; 6.4.1 is the fixed release, not an affected one. The flaw sits in the web services component, in the tailDateFile function of /webservices/stream/tail.php, which is reachable over TCP port 3001. Shell metacharacters supplied in the type parameter are passed into a shell command, so an attacker can run arbitrary commands on the appliance with the privileges of the process that serves the web services interface.

Technically this is a classic command injection: tailDateFile uses the type parameter to build a shell command without validating or escaping it, so a value containing characters such as ; or | terminates the intended command and starts another one. The defect maps to CWE-77 (Improper Neutralization of Special Elements used in a Command) and, more precisely, to CWE-78 (OS Command Injection); CWE-94 (Improper Control of Generation of Code) describes injection into interpreted code rather than into a shell command and is a looser fit. The endpoint does require an iToken value, but that is not a real barrier: CVE-2017-14706, a separate flaw in the same product line, lets an unauthenticated attacker obtain a valid token, so the two issues chain into unauthenticated remote command execution.
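The following is an added illustration of the bug class, not DenyAll's code (the real tail.php is not reproduced on this page). It shows a Python stand-in for a tailDateFile-style function that splices a user-supplied log type into a shell string, beside a hardened version that allowlists the type and never invokes a shell. The scratch log directory, the file naming and the use of tail are assumptions made for the example.

```python
import os
import subprocess
import tempfile

# Constructed sample data: a scratch directory standing in for the log
# directory the real service reads. The layout is an assumption for this
# example, not DenyAll's.
LOG_DIR = tempfile.mkdtemp(prefix="tail_demo_")
with open(os.path.join(LOG_DIR, "access.log"), "w") as fh:
    fh.write("line1\nline2\nline3\n")


def tail_date_file_vulnerable(log_type: str, lines: int = 2) -> str:
    """The bug class behind CVE-2017-14705: the caller-controlled `log_type`
    is concatenated into a shell command string and run through a shell, so
    metacharacters in it end the tail command and start a new one."""
    cmd = f"tail -n {lines} {LOG_DIR}/{log_type}.log"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


# Hardened form: the only accepted values are a fixed set of log names.
ALLOWED_TYPES = {"access", "error", "audit"}


def tail_date_file_hardened(log_type: str, lines: int = 2) -> str:
    """Reject anything outside the allowlist and pass arguments as a list,
    so no shell is involved and the value can never become a second command."""
    if log_type not in ALLOWED_TYPES:
        raise ValueError(f"unknown log type: {log_type!r}")
    path = os.path.join(LOG_DIR, f"{log_type}.log")
    result = subprocess.run(
        ["tail", "-n", str(int(lines)), path],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    probe = "access; echo INJECTED #"
    print("vulnerable:", repr(tail_date_file_vulnerable(probe)))
    try:
        tail_date_file_hardened(probe)
    except ValueError as exc:
        print("hardened rejected input:", exc)
```

The vulnerable function returns the injected command's output because the shell reads the `;` as a command separator; the hardened one never reaches the shell at all, and even a value that slipped past the allowlist would be handed to tail as a single path argument.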

The operational impact is severe: an attacker reaches full compromise of the appliance without holding any credentials for the management interface. Commands run with the privileges of the web service process, which opens the way to full system takeover, data exfiltration and use of the appliance as a pivot into the network behind it. Both on-premises deployments and AWS or Azure cloud deployments are affected, so organisations running the product in hybrid environments are exposed on every footprint. Because a WAF sits inline and is treated as a trusted component of the network path, compromising it undermines the security of everything it protects.

In ATT&CK terms the execution maps to T1059 (Command and Scripting Interpreter); the initial access is better described by T1190 (Exploit Public-Facing Application) than by T1078 (Valid Accounts), since the iToken is obtained through a second vulnerability rather than through a legitimate credential. The affected range (i-Suite LTS 5.5.0 through 5.5.12, i-Suite 5.6, Web Application Firewall 5.7 and Web Application Firewall 6.x before 6.4.1) shows the issue spanned the whole product line. The fix is to upgrade to 6.4.1 or later. Until that is done, restrict TCP port 3001 to management hosts, and monitor requests to /webservices/stream/tail.php for shell metacharacters in the type parameter. Note that the affected product is itself a web application firewall, so placing another WAF in front of its management port is not a realistic control; network access control and request logging on port 3001 are. A review of the deployment for other exposure, in particular CVE-2017-14706, is also worthwhile.
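As an added example (not part of the VulDB entry), the monitoring recommendation above in code: a small Python detector that scans access-log lines for requests to the advisory's endpoint whose decoded type parameter contains shell metacharacters. The combined log format, the sample lines and the assumption that the port 3001 service writes such a log are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint named in the advisory.
TARGET_PATH = "/webservices/stream/tail.php"

# Characters that let a value escape a shell word and start a new command.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\'\"]")

# Assumed combined-style access log line (constructed format for the example).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def type_param(target: str):
    """Return the percent-decoded `type` value when the request targets
    tail.php, otherwise None. parse_qs decodes, so %3B is caught as ';'."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("type")
    return values[0] if values else None


def is_injection_attempt(line: str) -> bool:
    """True when the line is a tail.php request with a metacharacter in type."""
    m = LOG_RE.match(line)
    if not m:
        return False
    value = type_param(m.group("target"))
    return value is not None and SHELL_META.search(value) is not None


def find_injection_attempts(lines):
    return [line for line in lines if is_injection_attempt(line)]


# Constructed sample log lines, not real traffic; tokens are redacted.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Sep/2017:10:01:02 +0000] "GET /webservices/stream/tail.php?type=access&iToken=REDACTED HTTP/1.1" 200 512',
    '10.0.0.5 - - [22/Sep/2017:10:01:09 +0000] "GET /webservices/stream/tail.php?type=access%3Bid%20%23&iToken=REDACTED HTTP/1.1" 200 188',
    '10.0.0.9 - - [22/Sep/2017:10:02:31 +0000] "GET /index.php?type=a%3Bb HTTP/1.1" 404 201',
    '10.0.0.9 - - [22/Sep/2017:10:02:40 +0000] "GET /webservices/stream/tail.php?type=error&iToken=a%3Bb HTTP/1.1" 403 99',
]

if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print("possible CVE-2017-14705 probe:", hit)
```

Only the second sample line is flagged: the first is a clean request, the third hits a different path, and the fourth carries metacharacters in a parameter other than type. Matching on the decoded value rather than the raw query string is what makes the encoded `%3B` visible to the rule; a deployment that also wants to flag encoded probes in other parameters, or double-encoded values, would extend the check accordingly.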

Reservation

09/22/2017

Disclosure

09/22/2017

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.04356

KEV

no

Activities

very low

Sources
