Severe flaw Identified in OWASP ModSecurity Core Rule Set – E Hacking News
The developers of the OWASP Foundation have admitted the breach in the Open Web Application Security Project (OWASP) ModSecurity Core Rule Set (CRS) project that could allow threat actors to bypass security protections offered by the in-built CRS web application firewall (WAF).
The flaw – tracked as CVE-2021-35368 has the ability to bypass CRS without being inspected, due to a combination of two bugs in the CRS Drupal rule exclusion package. The flaw has not only affected the CRS Drupal rule exclusion package but is present in every CRS installation that includes these rule exclusions – regardless of whether they are enabled or not.
“If the backend is broken and configured with the correct trailing pathname information setting… then anything is possible. If the backend looks into the trailing path info as it should, then you are on the safe side. The vulnerability has been around for several years. When we did the early rule exclusion packages in 2016 and 2017, we were not really used to the rule-writing techniques that we had to employ,” Christian Folini, co-lead of the volunteer-led Core Rule Set project explained.
Andrew Howe from Loadbalancer.org identified the vulnerability in the ModSecurity engine last year, Folini said. Howe reported the two flaws in the CRS in June. All known CRS installations that offer the predefined CRS rule exclusion packages are affected. This also applies to end-of-life CRS versions 3.0.x, 3.1.0, 3.1.1, as well as the currently supported versions 3.2.0 and 3.3.0.
Folini pinpointed on a lack of financial support as a key barrier in running a volunteer-led project such as CRS. “Open source is not inherently more secure than closed source – it just means that people can look at the code. Yet the security advantage can only play out when people actually do look at the code, like Andrew Howe did,” he explained.
“If we have these reviews, then the inherent transparency of an open-source project will bring an advantage over traditional software, namely in the security domain where users really want to see what is going deep down in their software.”
“Open-source projects also tend to be more open about their shortcomings so they are often able to build up more trust and confidence with their user base. A commercial project is often tempted to avoid bad press by keeping a problem under the rug, or hiding a fix in the changelog,” Folini concluded.