• Consulting
  • Information Security
  • Networking
  • Software Development
  • R&D
  • A10 ACOS Web Application Firewall (WAF) mishandles the configured rules for blocking SQL injection attacks


    CVEID: CVE-2018-15904

    Affected Product: A10 ACOS Web Application Firewall (WAF)

    Affected releases: 2.7.1 and 2.7.2 before 2.7.2-P12, 4.1.0 before 4.1.0-P11, 4.1.1 before 4.1.1-P8, and 4.1.2 before 4.1.2-P4

    Executive Summary
    A critical vulnerability was discovered in several releases of A10 ACOS operating system in branches 2.7 and 4.1.
    A remote attacker could send specially-crafted HTTP requests, which could be passed through by the ACOS Web Application Firewall (WAF) rather than being dropped per configured rules. This could allow a remote attacker to conduct web application layer attacks (such as SQL injection or XSS) on targeted systems.

    Remediation: Upgrade according to indication from the vendor



    23/11/2017 – Initial vendor contact
    29/11/2017 – Vendor acknowledged and agreed to further discuss the problem and to coordinate the disclosure

    26/02/2018 – Vendor confirmed the fix being targeted for ACOS 4.1.0-P11, 4.1.1-P8 & 4.1.2-P4
    18/7/2018 – Vendor published advisory
    27/8/2018 – MITRE assigned CVE 2018-15904

    Discovered by:  Quantum Leap Pentesting team
    Reported by: Reporter: Luca Profico <l.profico@quantumleap.it>