Modsecurity 2.9.6 [Fix Security]

[ciao70]

Mod Security 2.9.6 security update released.

Is it possible to update Mod security from 2.9.3 to 2.9.6?

it is necessary in order to update CRS to 3.3.4

CRS Version 3.3.3 and 3.2.2 (covering several CVEs) – OWASP ModSecurity Core Rule Set

coreruleset.org

 

[ciao70]

This requires Modsecurity 2.9.6


CVE-2022-39956 – Content-Type or Content-Transfer-Encoding MIME header fields abuse
The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and inspected by the web application firewall engine and the rule set. The multipart payload will therefore bypass detection. A vulnerable backend that supports these encoding schemes can potentially be exploited. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.

Important: The mitigation against these vulnerabilities depends on the installation of the latest ModSecurity version (v2.9.6/v3.0.8) or an updated version with backports of the security fixes in these versions.
If you fail to update ModSecurity, the webserver/engine will refuse to start with the following error message: "Error creating rule: Unknown variable: MULTIPART_PART_HEADERS".
You can disable/remove the rule file REQUEST-922-MULTIPART-ATTACK.conf from the release in order to allow you to run the latest CRS without a fix to CVE-2022-39956, however we advise against this workaround.

Please note that we plan to move the rules in REQUEST-922-MULTIPART-ATTACK.conf to the 920 or 921 rule files in the future. The rules are kept separate for the time being to accommodate users who can't update ModSecurity or where the engine does not yet support the new variables/collections.

This vulnerability was discovered and reported by @terjanq (Jan Gora) during the Intigriti 1337UP0522 WAF Promotion Event.

 

[cPRex]

Hey there! Our team has explored the option of upgrading from 2.9.6 but currently that is on hold because Comodo is one of the most popular rulesets in use, but they don't have a set of rules for 2.9.4, 2.9.5, or 2.9.6. If we did perform that update, it would break the functionality for all the users that are currently using that ruleset.

Once we do release that update it would show up in the EasyApache changelogs at EasyApache 4 Change Log 2022 | cPanel & WHM Documentation so I'd keep an eye on that area for updates.

 

[sparek-3]

The Comodo WAF project is still alive?

There hasn't been an update to it in years.

Is this project dead? - Free Modsecurity rules - Comodo Web Application Firewall

No new rules since Christmas. Should we still rely on this project or not?

forums.comodo.com

 

[cPRex]

Unfortunately yes - even though it may be outdated, there are many users with this in place that we'd have to forcibly switch. I've spoken with the security team to see if I can get some more details on our plans for this and I'll post once I hear something.

 

[ciao70]

Unfortunately yes - even though it may be outdated, there are many users with this in place that we'd have to forcibly switch. I've spoken with the security team to see if I can get some more details on our plans for this and I'll post once I hear something.

Hi cPRex,

Modsecurity 2.9.6 it is also a security update, so anyone using a version earlier than 2.9.6 is vulnerable

The security update for CRS rules is a critical update and requires ModSecurity 2.9.6 to be able to update CRS to the latest version 3.2.3 or 3.3.4 otherwise CVE-2022-39956

NVD - CVE-2022-39956

nvd.nist.gov

(Base Score 9.8 Critical)


Important: The mitigation against these vulnerabilities depends on the installation of the latest ModSecurity version (v2.9.6/v3.0.8) or an updated version with backports of the security fixes in these versions.
If you fail to update ModSecurity, the webserver/engine will refuse to start with the following error message: "Error creating rule: Unknown variable: MULTIPART_PART_HEADERS".
You can disable/remove the rule file REQUEST-922-MULTIPART-ATTACK.conf from the release in order to allow you to run the latest CRS without a fix to CVE-2022-39956, however we advise against this workaround.


Please note that we plan to move the rules in REQUEST-922-MULTIPART-ATTACK.conf to the 920 or 921 rule files in the future. The rules are kept separate for the time being to accommodate users who can't update ModSecurity or where the engine does not yet support the new variables/collections.

CRS Version 3.3.3 and 3.2.2 (covering several CVEs) – OWASP ModSecurity Core Rule Set

coreruleset.org

The rules of OWASP CRS are widely used and support unlike Comodo is active

Make sure that anyone can, upgrade to Modsecurity 2.9.6 otherwise in order to upgrade CRS to the latest version you will need to disable an important rule and be vulnerable to CVE-2022-39956

The problem is very urgent

Thanks

 

[cPRex]

I've reached out to our webserver team to see if I can get more details and I'll post an update once I hear back.

 

[ciao70]

I hope that we can make sure that we can also manually update to 2.9.6

This way Comodo users can continue to use modsecurity 2.9.3

 

[ciao70]

@cPRex

Obviously in addition to Modsecurity 2.9.6 you also need the possibility to update owasp crs to 3.3.4

Now is

ea-modsec2-rules-owasp-crs-3.3.2-4.7.1.cpanel.x86_64

 

[cPRex]

I did speak with the web server team and they are looking into this to see how we want to proceed. I'll be sure to post an update once I have one.

 

[cPRex]

This is also another consideration: End of Sale and Trustwave Support for ModSecurity Web Application Firewall

 

[ciao70]

Hi cPrex,

Yes we know

Q: Why is Trustwave ending support for ModSecurity?

A: Trustwave decided to end our support for ModSecurity to let the open-source community continue the project.


Right now we urgently need to update Modsecurity to 2.9.6 and OWASP CRS to 3.3.4

Thanks

 

[ciao70]

I did speak with the web server team and they are looking into this to see how we want to proceed. I'll be sure to post an update once I have one.

Hi cPRex,

You have news?

Thanks

 

[cPRex]

I havent heard anything yet from the team.

 

[ciao70]

Ok I am waiting

 

[ciao70]

I havent heard anything yet from the team.

Hi cPRex,

You have news

Thanks

 

[cPRex]

I do see our team is doing internal testing with this update, but I don't have anything official to report. I'll be sure to post something once I have an update to share.

 

[tyuuu]

i check my easyapache,it show 2.9.3-18.el8.cloudlinux ,is it secure ?

 

[cPRex]

@tyuuu - that is the correct version at this time.

@ciao70 - the task has been assigned to a development team, but I don't have any type of ETA on when the version update will happen.

 

[tyuuu]

Hi,

is it fine to keep 2.9.3 and owasp 3.2.2 ? or it is urgent and important to use 2.9.6 and 3.3.4 asap ?