Researchers have uncovered remote code execution (RCE) and previously unknown backdoor flaws. A security researcher has warned of multiple vulnerabilities in the WAPPLES web application firewall (WAF) that could allow an attacker to take control of vulnerable devices and run arbitrary commands.

Security researcher Konstantin Burov says that a further set of technical flaws amounts to a “backdoor account” that could be used to gain privileged access to the device.

More specifically, the Kazakhstan-based researcher found flaws in WAPPLES versions 4.0 through 6.0 that allowed a remote attacker to execute arbitrary code or obtain sensitive information using predetermined credentials.

Burov also found that in versions 5.0 and 6.0 of the product it was possible to escalate privileges to root.

Security Systems

Penta Security Systems’ WAPPLES ships either as a hardware appliance or as a virtual machine. In either form, it is intended to protect applications or websites that would otherwise be exposed to attack.

According to Burov’s Shodan-based searches, Japan and South Korea are the two countries that use the technology the most.

The vulnerabilities are described in a technical blog post and are tracked as CVE-2022-24706, CVE-2022-31322, CVE-2022-35413, CVE-2022-31324, and CVE-2022-35582.

The most serious issue, a remote code execution (RCE) flaw, stems from dependence on a vulnerable third-party component. It is tracked as CVE-2022-24706 (currently undergoing reanalysis).

According to Burov, “WAPPLES uses a susceptible CouchDB version in its default setup, resulting in the execution of remote OS (Operating System) commands.” “The attacker must have access to the management interface in order to exploit this issue.”

An attacker may gain limited access to the system as the “couchdb” user, according to Burov, who also cautioned: “Use the other vulnerabilities to escalate privileges.”

Pentathlon

Separately, Burov found that “WAPPLES’ operating system features a built-in non-privileged user named ‘penta’ with a specified password.”

According to the researcher, “The password is revealed in the system script and differs for different versions of the product.”

The practical consequence of this backdoor is that even moderately skilled attackers may be able to obtain device credentials and thereby gain unrestricted access to the device (tracked as CVE-2022-35582).

Burov also found that some recent versions of WAPPLES expose hardcoded credentials for the web API. Taken together, these shortcomings undermine whatever protection WAPPLES might otherwise have provided.

The Daily Swig interviewed Burov, a security engineer and pen tester who said he conducts security research in his free time.

“My coworkers showed me this product, and I almost instantly discovered the well-known command injection flaw in the CLI (Command Line Interface),” he said. “I then made the decision to check behind the hood since I knew there had to be more serious flaws.”

Final Thoughts

“Since I don’t currently have access to the WAPPLES appliance, I can’t confirm that the vendor has fixed the problem. I just have vendor guarantees.”

After receiving no response from Penta Security, Burov contacted Cloudbric Corp, a partner of Penta Security, which informed him that the problems had been fixed.

Penta Security and Cloudbric were also contacted by The Daily Swig for comment. There has been no response yet, but we will update this story as soon as we learn more.

According to Burov, his findings have implications for other software engineers as well.

“If you are integrating other technologies into your product, you should know it as if it were your own product – for example, in the CouchDB handbook, it was specified that the default value of Erlang Cookie needs to be altered,” he said. “Additionally, I advise reading the OWASP (Open Web Application Security Project) Secure Coding Practices guide.”
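As an added illustration of the kind of check Burov’s advice implies (example code written for this article, not the researcher’s or Penta Security’s), the script below parses a CouchDB vm.args file and flags an Erlang cookie left at the shipped default. The vm.args contents are constructed samples; the default value comes from CouchDB’s own vm.args, and the minimum-length threshold is my assumption.

```python
# Documented default from CouchDB's shipped vm.args; CouchDB's setup guide
# requires changing it before the node is reachable on a network.
DEFAULT_COOKIE = "monster"
MIN_COOKIE_LEN = 20  # assumption: my own threshold, not a CouchDB rule

# Constructed sample files, not taken from any real deployment.
SHIPPED_VM_ARGS = """\
# Erlang VM arguments (constructed example)
-name couchdb@127.0.0.1
-setcookie monster
-kernel error_logger silent
"""
HARDENED_VM_ARGS = """\
-name couchdb@127.0.0.1
-setcookie 'k7Qm2vXz9pL4sW8rT1nB6yH3'
-kernel error_logger silent
"""


def parse_vm_args(text):
    """Map each '-flag value' line to flag -> value, ignoring blanks and # comments."""
    args = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        flag, _, value = line.partition(" ")
        args[flag] = value.strip().strip("'\"")  # cookies may be quoted
    return args


def audit_vm_args(text):
    """Return a list of findings about the Erlang cookie; empty means nothing flagged."""
    args = parse_vm_args(text)
    findings = []
    cookie = args.get("-setcookie")
    if cookie is None:
        findings.append("no -setcookie: the node falls back to ~/.erlang.cookie, review that file")
    elif cookie == DEFAULT_COOKIE:
        findings.append("default Erlang cookie: any host that can reach the distribution "
                        "port can join the node and run code as the couchdb user")
    elif len(cookie) < MIN_COOKIE_LEN:
        findings.append("short Erlang cookie: replace it with a long random value")
    return findings


if __name__ == "__main__":
    for label, text in (("shipped", SHIPPED_VM_ARGS), ("hardened", HARDENED_VM_ARGS)):
        print(label, audit_vm_args(text) or ["ok"])
```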
