
A10 ACOS Web Application Firewall (WAF) mishandles the configured rules for blocking SQL injection attacks

11-10-2018

CVEID: CVE-2018-15904

Affected Product: A10 ACOS Web Application Firewall (WAF)

Affected releases: 2.7.1 and 2.7.2 before 2.7.2-P12, 4.1.0 before 4.1.0-P11, 4.1.1 before 4.1.1-P8, and 4.1.2 before 4.1.2-P4

Executive Summary
A critical vulnerability was discovered in several releases of the A10 ACOS operating system in the 2.7 and 4.1 branches.
A remote attacker could send specially crafted HTTP requests that the ACOS Web Application Firewall (WAF) passes through rather than dropping as the configured rules require. This could allow a remote attacker to conduct web application layer attacks (such as SQL injection or XSS) against the systems the WAF is meant to protect.

Remediation: Upgrade to a fixed release according to the vendor's indications.
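To decide which appliances need that upgrade, the affected-release list above can be turned into an inventory check. The following is an added example, not code from the advisory or from A10; it assumes ACOS version strings use the `major.minor.release[-Pn]` notation seen in the advisory, and the inventory entries are constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected base releases from the advisory, mapped to the first fixed patch
# level. None means every patch level of that base release is affected.
FIXED_PATCH: Dict[Tuple[int, int, int], Optional[int]] = {
    (2, 7, 1): None,
    (2, 7, 2): 12,
    (4, 1, 0): 11,
    (4, 1, 1): 8,
    (4, 1, 2): 4,
}

# Assumed version-string shape, e.g. "4.1.2-P4" or "2.7.1" (no patch suffix).
# The advisory uses this notation but does not document the full grammar.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?$")


def parse_acos_version(text: str) -> Tuple[Tuple[int, int, int], int]:
    """Return ((major, minor, release), patch); a missing -P suffix counts as patch 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ACOS version string: {text!r}")
    major, minor, rel, patch = m.groups()
    return (int(major), int(minor), int(rel)), int(patch or 0)


def is_affected_by_cve_2018_15904(text: str) -> bool:
    """True when the version falls inside one of the advisory's affected ranges."""
    base, patch = parse_acos_version(text)
    if base not in FIXED_PATCH:
        return False            # base release not listed as affected
    fixed = FIXED_PATCH[base]
    if fixed is None:
        return True             # 2.7.1: every patch level is affected
    return patch < fixed        # affected only below the first fixed patch


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, bool]:
    """Map each (hostname, version) pair to an affected flag."""
    return {host: is_affected_by_cve_2018_15904(ver) for host, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory, not data from the advisory.
    sample = [("waf-edge-1", "4.1.2-P3"), ("waf-edge-2", "4.1.2-P4"),
              ("waf-lab", "2.7.1-P5"), ("waf-dc", "4.1.4-P1")]
    for host, flag in triage(sample).items():
        print(f"{host}: {'AFFECTED' if flag else 'not affected'}")
```

Releases the advisory does not list (for example a later 4.1.x) are reported as not affected; treat those as "not covered by this advisory" rather than as confirmed safe.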

Timeline:

23/11/2017 – Initial vendor contact
29/11/2017 – Vendor acknowledged the report and agreed to discuss the problem further and to coordinate the disclosure
26/02/2018 – Vendor confirmed the fix is targeted for ACOS 4.1.0-P11, 4.1.1-P8 and 4.1.2-P4
18/07/2018 – Vendor published advisory
27/08/2018 – MITRE assigned CVE-2018-15904

Discovered by: Quantum Leap Pentesting team
Reported by: Luca Profico <l.profico@quantumleap.it>

Reference:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-15904

https://www.a10networks.com/support/security-advisories/waf-sql-injection-attack-sqlia-vulnerability

https://www.a10networks.com/sites/default/files/security-advisories/WAF-SQL-Injection-Attack-SQLIA-Vulnerability.pdf
