A10 ACOS Web Application Firewall (WAF) mishandles the configured rules for blocking SQL injection attacks
Affected Product: A10 ACOS Web Application Firewall (WAF)
Affected releases: 2.7.1 and 2.7.2 before 2.7.2-P12, 4.1.0 before 4.1.0-P11, 4.1.1 before 4.1.1-P8, and 4.1.2 before 4.1.2-P4
A critical vulnerability was discovered in several releases of the A10 ACOS operating system in the 2.7 and 4.1 branches.
A remote attacker could send specially crafted HTTP requests that the ACOS Web Application Firewall (WAF) passes through rather than dropping as the configured rules require. This could allow a remote attacker to conduct web application layer attacks (such as SQL injection or XSS) against targeted systems behind the WAF.
Remediation: Upgrade to a fixed release according to the vendor's indications (2.7.2-P12, 4.1.0-P11, 4.1.1-P8 or 4.1.2-P4 as applicable)
23/11/2017 – Initial vendor contact
29/11/2017 – Vendor acknowledged and agreed to further discuss the problem and to coordinate the disclosure
26/02/2018 – Vendor confirmed the fix being targeted for ACOS 4.1.0-P11, 4.1.1-P8 & 4.1.2-P4
18/07/2018 – Vendor published advisory
27/08/2018 – MITRE assigned CVE-2018-15904
Discovered by: Quantum Leap Pentesting team
Reported by: Luca Profico <firstname.lastname@example.org>