
BI.Zone Web Application Firewall (WAF)

Product
Developers: BI.Zone (Safe Information Zone, Bison)
Last Release Date: 2024/08/30
Technology: IS - Firewalls


BI.ZONE Web Application Firewall (WAF) is an expert-driven service for protecting web applications and APIs. It blocks application-level cyber attacks, counteracts botnet activity, and detects and closes vulnerabilities in web applications. As part of the service, the BI.ZONE team takes on the full cycle of expert support, including working with security mechanisms, infrastructure monitoring and incident response.

2024

Vulnerability Prevention in WPML WordPress Plugin

BI.ZONE WAF prevents exploitation of a critical vulnerability in a WordPress plugin. BI.Zone announced this on September 6, 2024.

The service protects users from threats associated with the exploitation of a critical vulnerability in the WPML WordPress plugin. The vulnerability enables attackers to inject malicious code.

The vulnerability in WPML became known on August 21, 2024. It is related to the WordPress shortcode integration component and affects product versions up to and including 4.6.12. On the CVSS scale, CVE-2024-6386 was rated 9.9 out of 10.

The WPML plugin is used to create multilingual WordPress sites; it is installed on more than 1.5 million resources.

The CVE-2024-6386 vulnerability allows attackers to achieve remote code execution through server-side template injection (SSTI) and, as a result, gain complete control over the compromised system.

A proof-of-concept exploit (PoC) has already appeared publicly; it allows an attack only against an unsafe application configuration, when the application is running in debug mode. However, BI.ZONE experts, as part of their own vulnerability study, have developed an approach that makes an exploitation scenario possible even with the standard application configuration. Based on the described techniques, BI.ZONE WAF created a filtering rule that detects and blocks attempts to exploit the vulnerability.

The plugin developers fixed the vulnerability in version 4.6.13. If a company for some reason is not ready to switch to the new version as soon as possible, BI.ZONE WAF will help protect against CVE-2024-6386 attacks. The service provides tiered protection for web applications and APIs, blocking attempts to exploit known vulnerabilities and counteracting botnet activity.

Protection against a vulnerability in the JS Help Desk plugin for WordPress

BI.ZONE WAF protects against a vulnerability in a WordPress plugin. BI.Zone announced this on August 30, 2024.

The service protects users from a vulnerability in the JS Help Desk plugin, which can be exploited by attackers to gain control over the target system.

The vulnerability CVE-2024-7094 became known on August 12, 2024.

The vulnerability affects all versions of the plugin up to and including 2.8.6; on the CVSS scale it received a rating of 9.8 out of 10.

CVE-2024-7094 allows PHP code injection attacks that lead to remote code execution. As a result, an attacker can gain full control over the compromised system and access confidential information.

Exploitation examples (PoC) are already publicly available. Although BI.ZONE WAF specialists have not yet recorded illegitimate activity using this vulnerability, the number of attacks on the application may well increase.

This vulnerability was partially fixed by the developers in version 2.8.6 and completely closed in version 2.8.7. If a company, for some reason, is not ready to switch to the latest version as soon as possible, BI.ZONE WAF will help protect against CVE-2024-7094 attacks. Experts have developed a filtering rule that detects illegitimate data transmitted in the vulnerable form.

BI.ZONE WAF provides tiered protection for web applications and APIs, blocking attempts to exploit known vulnerabilities and counteracting botnet activity.

Vulnerability detection in PHP-CGI

A critical vulnerability, CVE-2024-4577, became known in PHP-CGI, an interface that allows PHP code to be executed in a web application and the site to be operated. BI.ZONE specialists quickly developed rules to prevent exploitation of the vulnerability by cybercriminals. The company announced this on June 7, 2024.

The detected error allows an attacker to bypass the protection against the CVE-2012-1823 vulnerability using certain locale-specific encodings and execute arbitrary PHP code on the web application server.

BI.ZONE WAF specialists and the BI.ZONE security analysis team quickly developed blocking rules that help identify CVE-2012-1823 protection bypass methods in different encodings within an HTTP request. This allows the attack technique to be detected and abnormal activity to be prevented.

The discovered vulnerability affects PHP on Windows in versions prior to 8.1.29, 8.2.20 and 8.3.8. Researchers have already verified and confirmed the vulnerability on Windows versions with the following locales: Traditional Chinese (Code Page 950), Simplified Chinese (Code Page 936) and Japanese (Code Page 932).


The discovered vulnerability has not yet received a CVSS score, but due to the widespread use of PHP in the web ecosystem, researchers' estimates as of June 2024 range from 9.8 to 10.

Confluence Data Center & Server vulnerability protection

On May 27, 2024, it became known about the CVE-2024-21683 vulnerability in the Confluence Data Center & Server wiki system for storing corporate knowledge. BI.ZONE WAF experts quickly developed a rule to detect illegitimate activity and prevent exploitation of the vulnerability by attackers. BI.Zone announced this on May 27, 2024.

A detected error in the logic of Confluence allows an attacker to execute arbitrary code and gain access to the web application server. This has a significant impact on the confidentiality, integrity and availability of wiki users' information. Information about the vulnerability appeared on May 21, and by May 23 at least three exploitation examples (PoC) were available.

BI.ZONE WAF specialists have developed a rule that detects the semantics of programming languages in user-transmitted data, for example Runtime.getRuntime().exec() in Java. Abnormal requests are blocked to prevent an attacker from executing arbitrary code on the Confluence server.

The error was rated 8.3 out of 10 on the CVSS scale. For an RCE attack on a vulnerable server, the attacker must be authenticated. However, as of May 2024, five different attack vectors were already known in which CVE-2024-21683 is used in conjunction with authentication bypass techniques.

"Confluence is one of the applications that attracts the attention of attackers. According to our data, it accounts for 21% of web attacks in the first third of 2024. Therefore, protection against the new vulnerability is important for maintaining the security of the wiki system. If the company does not have the ability to update Confluence Data Center & Server to the latest version, BI.ZONE WAF will allow you to reliably protect the wiki system from such attacks," said Dmitry Tsarev, Head of Cloud Cybersecurity Solutions Department, BI.ZONE.

The vulnerability was fixed in LTS versions 8.5.9 and 7.19.22, as well as in Confluence Data Center 8.9.1. Earlier versions are vulnerable: 8.9.0; 8.8.0 to 8.8.1; 8.7.1 to 8.7.2; 8.6.0 to 8.6.2; 8.5.0 to 8.5.8 (LTS); 8.4.0 to 8.4.5; 8.3.0 to 8.3.4; 8.2.0 to 8.2.3; 8.1.0 to 8.1.4; 8.0.0 to 8.0.4; 7.20.0 to 7.20.3; from 7.19.0 to 7.19.21 (LTS).

Other BI.ZONE teams have also developed specialized rules: BI.ZONE TDR analysts have written correlation rules that detect post-exploitation of the vulnerability, and BI.ZONE CPT security analysis specialists have written rules for detecting CVE-2024-21683 during an active scan.

Protection against vulnerabilities in JetBrains TeamCity

BI.ZONE has updated the BI.ZONE WAF library of detection rules to protect users of JetBrains TeamCity software from vulnerabilities that could be used by attackers to gain access to confidential data. The developer announced this on March 12, 2024.

Two vulnerabilities in JetBrains TeamCity, a tool for automating CI/CD processes and collaborative software development, became known at the end of February 2024. They are associated with the TeamCity On-Premises CI/CD web component and affect all product versions up to and including 2023.11.3. JetBrains TeamCity developers have already fixed the vulnerabilities in update 2023.11.4.

CVE-2024-27198 (BDU:2024-01792) - 9.8 out of 10 points on the CVSS scale

A critical vulnerability that allows an attacker to create a new user with administrator rights without going through authentication and authorization processes. Thanks to this, an attacker can gain full control over the environment.

CVE-2024-27199 - 7.3 out of 10 on CVSS

With this vulnerability, an attacker can use the path traversal technique to gain unauthorized access to certain TeamCity configuration files without authentication. Thus, an outsider without any authentication is able to learn about projects in development and their statuses, as well as obtain other critical information.

To avoid the risk of compromise, the update needs to be installed. If an organization, for some reason, is not ready to switch to the latest version of JetBrains TeamCity as soon as possible, BI.ZONE WAF will help protect against exploitation attacks. Protection rules inspect the parameters transmitted in HTTP requests; if anomalies are detected in an HTTP request, BI.ZONE WAF blocks it automatically. Protection against CVE-2024-27199 is provided by a classic rule for combating path traversal attacks.

In addition, BI.ZONE security analysts have developed rules for the BI.ZONE CPT service. They allow the scanner to identify vulnerable versions of TeamCity at customers.


BI.ZONE WAF provides tiered protection for web applications and APIs, counteracts botnet activity and identifies vulnerabilities. The service can be used to protect web applications of significant critical information infrastructure objects, state information systems and personal data information systems.

2023

Protection against vulnerability in WordPress

BI.ZONE WAF rules protect against attacks exploiting the CVE-2023-6063 vulnerability in the WP Fastest Cache plugin for WordPress. BI.Zone announced this on November 22, 2023.

The vulnerability CVE-2023-6063 became known on November 13, 2023. It affects the WP Fastest Cache plugin, which caches static files to speed up the loading of site pages. The threat was rated 8.6 out of 10 on the CVSS scale.

All versions of the WP Fastest Cache plugin earlier than 1.2.2 are affected by the vulnerability. The developers have fixed the problem in the update, but all software versions earlier than 1.2.2 remain vulnerable. Installation statistics from WordPress.org show that the plugin is used by more than 1 million sites running the WordPress content management system (CMS). At the time the news was published, vulnerable versions were installed on more than half of those sites.

Exploitation of the vulnerability allows attackers to read the contents of site databases without authentication by injecting a SQL query into the wordpress_logged_in parameter of the Cookie HTTP header. A WordPress database can contain user information such as full names, email addresses, passwords, bank card details and phone numbers. Its compromise can lead to reputational and financial losses for the company. In addition, attackers can inject malicious code into the database, which can then be used to gain control over the management of the site.

"Despite the fact that the developers of the WordPress plugin have already released an update in which the vulnerability has been fixed, not all companies are ready to quickly switch to the new version. To ensure the security of site databases, organizations can use overlay security tools. Thus, the SQL injection detection mechanisms of BI.ZONE WAF allow analyzing HTTP headers and their parameters, breaking all elements into tokens and performing a signature search for illegitimate metrics. Thanks to this, the new rules prevent the exploitation of the vulnerability without disrupting the operation of web applications," said Dmitry Tsarev, head of the cloud cybersecurity solutions department at BI.ZONE.
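As an added illustration of the tokenize-and-signature-search approach described in the quote above (and of the Java runtime-semantics and path-traversal rules mentioned for CVE-2024-21683 and CVE-2024-27199 earlier on this page), here is a small Python detector written for this page; it is not BI.ZONE's rule engine. The signatures, the cookie and parameter names and the sample values are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Tokenizer: traversal sequences and SQL comment markers first, then words,
# numbers, and any other single non-space character (quotes, operators).
TOKEN_RE = re.compile(r"\.\./|\.\.\\|--|/\*|\*/|[A-Za-z_][A-Za-z0-9_]*|\d+|\S")

# Constructed signatures: each is a contiguous, lower-cased token sequence.
SIGNATURES = {
    "sqli": [("union", "select"), ("select", "from"), ("'", "or"),
             ("'", "and"), ("or", "1", "="), ("'", "--")],
    "java_rce": [("runtime", ".", "getruntime", "(", ")", ".", "exec", "(")],
    "path_traversal": [("../",), ("..\\",)],
}


def normalize(value, rounds=2):
    """Percent-decode before matching, a bounded number of times, so that
    single- and double-encoded payloads are compared in the same form."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def tokenize(value):
    return [t.lower() for t in TOKEN_RE.findall(normalize(value))]


def match(tokens, sig):
    n = len(sig)
    return any(tuple(tokens[i:i + n]) == sig for i in range(len(tokens) - n + 1))


def parse_cookie(header):
    """Split a Cookie header into name -> raw value (first '=' separates)."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


def inspect_request(query_params, cookie_header):
    """Return (field, rule) findings for every inspected field of a request.
    Query parameters and cookie parameters are inspected alike, because the
    vulnerable input on this page arrives in a cookie, not in the URL."""
    fields = dict(query_params)
    fields.update({"cookie:" + k: v for k, v in parse_cookie(cookie_header).items()})
    findings = []
    for name, value in fields.items():
        tokens = tokenize(value)
        for rule, sigs in SIGNATURES.items():
            if any(match(tokens, s) for s in sigs):
                findings.append((name, rule))
    return findings


if __name__ == "__main__":
    # Constructed sample: a legitimate-looking login cookie passes clean.
    print(inspect_request({}, "wordpress_logged_in=admin%7C1700000000%7Cabc"))
    # Constructed sample: SQL syntax in the same cookie parameter is flagged.
    print(inspect_request({}, "wordpress_logged_in=x%27%20OR%201%3D1--"))
```

A production rule set would also cover other encodings and tokenizer evasions; this block only shows the matching structure, not a complete signature library.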

Adding rules to protect against vulnerability CVE-2023-22515

BI.ZONE has updated the BI.ZONE Web Application Firewall (WAF) library of detection rules to protect Confluence users from a critical CVE-2023-22515 vulnerability (CVSS threat score - 10 points out of 10). Since the beginning of October, attackers have been actively exploiting this vulnerability for unauthorized access to corporate knowledge storage systems. The company announced this on October 19, 2023.

CVE-2023-22515 affects Confluence Server and Confluence Data Center solutions and applies to versions 8.0.0 through 8.5.1. An error in the logic of the web application allows cybercriminals to create Confluence administrator accounts and subsequently remotely execute code on the server.

The vulnerability does not affect Confluence Data Center and Server versions up to 8.0.0, so their users do not need to take additional measures to protect them.

As of October 2023, there are at least 5 PoC (proof of concept) implementations in the public domain to exploit this vulnerability.

"The BI.ZONE WAF and security analysis teams jointly emulated the exploitation of the CVE-2023-22515 vulnerability and prepared rules to protect against possible attacks. As of October 2023, at least two groups exploiting this vulnerability are known. Therefore, the rules will be relevant for organizations that, for some reason, cannot yet upgrade Confluence to protected versions 8.3.3, 8.4.3, 8.5.2 or later," said Dmitry Tsarev, Head of Cloud Cybersecurity Solutions Department, BI.ZONE.

Basic BI.ZONE WAF rules for protection against the vulnerability are available to all users. If necessary, BI.ZONE specialists also configure additional, finer-grained rules that take into account the specifics of a particular company's web applications and their business logic.

Adding rules that protect 1C-Bitrix from vulnerabilities in the landing module

BI.ZONE researchers emulated the exploitation of a vulnerability in the 1C-Bitrix site content management system. After analyzing the exploit, experts developed rules for BI.ZONE WAF to protect against attacks exploiting a vulnerability in the landing module. The proposed solution does not disrupt the operation of sites. BI.Zone announced this on October 11, 2023.

The critical vulnerability BDU:2023-05857 became known in September 2023. It affects the landing module of the 1C-Bitrix content management system (CMS), which is used in the Sites 24 site builder. Exploitation of the vulnerability allows an attacker to execute OS commands on the vulnerable node, gain control over resources and penetrate the internal network. The threat received the highest rating on the CVSS scale: 10 points.

The 1C-Bitrix developers have fixed the vulnerability in the updated version of CMS (23.850.0). However, not all companies are ready to update in a short time after the release of patches.

If an organization for some reason has not switched to the updated version of 1C-Bitrix, BI.ZONE WAF will help protect against exploitation attacks. The developed rules allow BI.ZONE WAF to analyze the request fields characteristic of such attacks and selectively block malicious requests without interfering with the operation of the site. Customers are offered a set of several rules so they can choose the option that best suits their business. To do this, contact BI.ZONE WAF technical support.

"In BI.ZONE, the offense and defense teams work together: security analysis researchers developed an exploit to attack a vulnerable application, passing information on vulnerability exploitation techniques to BI.ZONE WAF experts. Thanks to this, targeted protection rules were written that do not violate the operation of application logic. As of October 2023, there is no exploit in the public domain. On the one hand, this means that attackers cannot massively use it for attacks. On the other hand, those who need protection do not understand how to close the vulnerability. This misunderstanding and the high degree of threat have led many companies to block access to the landing module in 1C-Bitrix by URL and lose some functionality. To prevent this, we recommend that you update your software and use additional security tools such as BI.ZONE WAF," said Dmitry Tsarev, Head of Cloud Cybersecurity Solutions at BI.ZONE.

Obtaining the certificate of FSTEC of Russia

On February 3, 2023, BI.Zone announced that the BI.ZONE WAF service can now be used in Russian information systems that require mandatory certification of information security tools (IPS) by FSTEC of Russia.

The BI.ZONE WAF firewall is designed for multilevel protection of web applications from cyber attacks. The product has passed certification testing by FSTEC of Russia and can now be used to protect critical systems.

BI.ZONE WAF blocks cyber attacks, counteracts botnet activity and closes vulnerabilities in web applications. The service is managed by a team of specialists who tailor it to the features of the application and help resolve incidents.

The certificate confirms that BI.ZONE WAF belongs to type "D" firewalls, has the 4th class of protection and corresponds to the 4th level of trust. This means that the solution can be used to protect web applications of significant critical information infrastructure (CII) objects up to and including category 1, as well as in systems where the 1st class or level is required: state information systems (GIS), automated process control systems (APCS) and personal data information systems (ISPDn). BI.ZONE WAF can now protect, for example, web resources that store biometric data or are owned by federal executive authorities.

"The number of cyber attacks on government, financial and other information systems has increased significantly. This, as well as the massive outflow of foreign vendors and the tightened requirements for the protection of personal data, forced market participants to revise the previously used means of protection. A firewall can be called a key element in the security of web resources. BI.ZONE WAF is a completely Russian solution of this class. The service can be used to counter cyber threats in data processing systems that require the mandatory presence of IPS certified by the FSTEC of Russia," commented Dmitry Tsarev, head of the cloud cybersecurity solutions department, BI.ZONE.

2022: Blocking attacks on the web application of TransTeleCom clients

The WAF service based on BI.Zone solutions will allow TransTeleCom to identify and block attacks on customer web applications. BI.Zone announced this on April 21, 2022.

The solution provides tiered protection for web services and APIs, counteracts botnet activity, and identifies vulnerabilities in web applications. At the same time, its cloud implementation will allow customers to optimize costs. Firstly, you will not need to purchase and maintain equipment for the service: a fault-tolerant filtering network is deployed in the BI.ZONE cloud. Secondly, you will not have to look for resources to administer WAF - TransTeleCom together with BI.ZONE will be responsible for this.

"The issue of application security for our customers is solved according to the service model, turnkey. The WAF solution management technicians are ready to create an individual security profile based on customer requirements and will monitor and respond to incidents 24/7. In addition, we can configure integration with DDoS protection, while providing 24/7 support, SLA assurance and savings. It is the comprehensive approach to cybersecurity that can protect the critical Internet services of our customers," said Alexey Zorin, Product Director of TransTeleCom.

"WAF based on the development of BI.ZONE is a completely Russian solution that meets the high requirements for products of this class. It prevents all types of attacks, blocks attempts by attackers to steal confidential data, find passwords or change the content of the site. It is able to protect web applications of TransTeleCom customers even if they contain vulnerabilities: WAF will quickly detect them and will not allow attackers to use them," said Rustem Khayretdinov, Growth Director of BI.ZONE.

The BI.ZONE WAF service is included in the register of domestic software.

2021

Launch of the MTS WAF Premium service together with MTS

On November 15, 2021, MTS, a Russian company providing digital, media and telecommunication services, announced that its provider CloudMTS, together with BI.Zone, had launched a comprehensive service for multi-level web application protection. The cloud MTS WAF Premium service provides comprehensive protection from cyber attacks, including analysis of potential vulnerabilities, round-the-clock monitoring and response to threats, and support for system operation. The solution will allow businesses and state structures to avoid manual configuration and, according to the company, save at least twice on the cyber defense of sites and mobile applications.

Inclusion in the register of Russian software

On April 23, 2021, the strategic digital risk management company BI.Zone announced the entry of a number of its products into the register of Russian software. BI.Zone WAF is also included in the Unified Register of Russian Programs for Electronic Computers and Databases.