NetScaler AppFirewall Signature to Block CVE-2017-10271

Description

NetScaler does not have a built-in signature to protect applications from "Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability (CVE-2017-10271)" currently.

Environment

The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.

Resolution

NetScaler does not have a built-in signature to protect applications from this CVE-2017-10271 currently.

The vulnerability stems from an unsafe XML deserialization using Java XMLDecoder in the CoordinatorPortType web service, which is part of the WLS Security component of WebLogic.

Based on python executable used to trigger this attack and pattern found, you can use the following custom signature to block CVE-2017-10271:

root@Primary# cat blog_profile | grep -A5 -B5  1000000
    <Reference>cve,2006-5478</Reference>
  </Signatures>
  <SignatureRule id="1000000" enabled="ON" actions="block,log" category="web-misc" source="" severity="" type="" version="1" sourceid="" harmscore=""><PatternList><RequestPatterns><Pattern><Location area="HTTP_URL"/><Match type="Literal">/wls-wsat/CoordinatorPortType</Match></Pattern><Pattern><Location area="HTTP_METHOD"/><Match type="Literal">POST</Match></Pattern><Pattern><Location area="HTTP_POST_BODY"/><Match type="Literal">java.beans.XMLDecoder</Match></Pattern></RequestPatterns></PatternList><LogString>Let's Protect you against CVE-2017-10271</LogString><Comment/></SignatureRule>
</Signatures>

User-added image

Testing this signature

puneets-MacBook-Pro:~ puneetseth$ curl -X POST "http://10.107.98.108/wls-wsat/CoordinatorPortType" -d @XMLDecoder -v3
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 10.107.98.108...
* TCP_NODELAY set
* Connected to 10.107.98.108 (10.107.98.108) port 80 (#0)
> POST /wls-wsat/CoordinatorPortType HTTP/1.1
> Host: 10.107.98.108
> User-Agent: curl/7.54.0
> Accept: */*
> Content-Length: 739
> Content-Type: application/x-www-form-urlencoded
> 
* upload completely sent off: 739 out of 739 bytes
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Pragma: no-cache
< Content-Length: 674
< Cneonction: close
* HTTP/1.0 connection set to keep alive!
< Connection: Keep-Alive
< 
<html>
<head>
<title>Application Firewall Block Page</title>
</head>
<body>
<h1><B>Your request has been blocked by a security policy<B><BR></H1>
<H3>Access has been blocked - if you feel this is in error, please contact the site
administrators quoting the following: </H3> <UL>
<li>NS Transaction ID: 410008-PPE0
<li>AppFW Session ID: yDlRvWPdInFPzLxtFg8L5BnIoys0000
<li>Violation Category: APPFW_SIGNATURE_MATCH
<li>Violation Details: 10.150.16.22 410008-PPE0 yDlRvWPdInFPzLxtFg8L5BnIoys0000 csrfandcookie http://10.107.98.108/wls-wsat/CoordinatorPortType Signature violation rule ID 1000000: let's protect you against cve-2017-10271  &lt;blocked&gt; </UL>
</body>

Issue/Introduction

NetScaler does not have a built-in signature to protect applications from "Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability (CVE-2017-10271)" currently.

Welcome to "KB Articles"