Modsecurity 2.9.6 [Fix Security]

ciao70

Well-Known Member
Nov 3, 2006
129
23
168
This requires Modsecurity 2.9.6


CVE-2022-39956 – Content-Type or Content-Transfer-Encoding MIME header fields abuse
The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and inspected by the web application firewall engine and the rule set. The multipart payload will therefore bypass detection. A vulnerable backend that supports these encoding schemes can potentially be exploited. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.

Important: The mitigation against these vulnerabilities depends on the installation of the latest ModSecurity version (v2.9.6/v3.0.8) or an updated version with backports of the security fixes in these versions.
If you fail to update ModSecurity, the webserver/engine will refuse to start with the following error message: "Error creating rule: Unknown variable: MULTIPART_PART_HEADERS".
You can disable/remove the rule file REQUEST-922-MULTIPART-ATTACK.conf from the release in order to allow you to run the latest CRS without a fix to CVE-2022-39956, however we advise against this workaround.

Please note that we plan to move the rules in REQUEST-922-MULTIPART-ATTACK.conf to the 920 or 921 rule files in the future. The rules are kept separate for the time being to accommodate users who can't update ModSecurity or where the engine does not yet support the new variables/collections.

This vulnerability was discovered and reported by @terjanq (Jan Gora) during the Intigriti 1337UP0522 WAF Promotion Event.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
12,499
1,971
363
cPanel Access Level
Root Administrator
Hey there! Our team has explored the option of upgrading from 2.9.6 but currently that is on hold because Comodo is one of the most popular rulesets in use, but they don't have a set of rules for 2.9.4, 2.9.5, or 2.9.6. If we did perform that update, it would break the functionality for all the users that are currently using that ruleset.

Once we do release that update it would show up in the EasyApache changelogs at EasyApache 4 Change Log 2022 | cPanel & WHM Documentation so I'd keep an eye on that area for updates.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
12,499
1,971
363
cPanel Access Level
Root Administrator
Unfortunately yes - even though it may be outdated, there are many users with this in place that we'd have to forcibly switch. I've spoken with the security team to see if I can get some more details on our plans for this and I'll post once I hear something.
 

ciao70

Well-Known Member
Nov 3, 2006
129
23
168
Unfortunately yes - even though it may be outdated, there are many users with this in place that we'd have to forcibly switch. I've spoken with the security team to see if I can get some more details on our plans for this and I'll post once I hear something.

Hi cPRex,

Modsecurity 2.9.6 it is also a security update, so anyone using a version earlier than 2.9.6 is vulnerable

The security update for CRS rules is a critical update and requires ModSecurity 2.9.6 to be able to update CRS to the latest version 3.2.3 or 3.3.4 otherwise CVE-2022-39956


(Base Score 9.8 Critical)


Important: The mitigation against these vulnerabilities depends on the installation of the latest ModSecurity version (v2.9.6/v3.0.8) or an updated version with backports of the security fixes in these versions.
If you fail to update ModSecurity, the webserver/engine will refuse to start with the following error message: "Error creating rule: Unknown variable: MULTIPART_PART_HEADERS".
You can disable/remove the rule file REQUEST-922-MULTIPART-ATTACK.conf from the release in order to allow you to run the latest CRS without a fix to CVE-2022-39956, however we advise against this workaround.


Please note that we plan to move the rules in REQUEST-922-MULTIPART-ATTACK.conf to the 920 or 921 rule files in the future. The rules are kept separate for the time being to accommodate users who can't update ModSecurity or where the engine does not yet support the new variables/collections.



The rules of OWASP CRS are widely used and support unlike Comodo is active

Make sure that anyone can, upgrade to Modsecurity 2.9.6 otherwise in order to upgrade CRS to the latest version you will need to disable an important rule and be vulnerable to CVE-2022-39956

The problem is very urgent

Thanks
 

ciao70

Well-Known Member
Nov 3, 2006
129
23
168
I hope that we can make sure that we can also manually update to 2.9.6

This way Comodo users can continue to use modsecurity 2.9.3
 

ciao70

Well-Known Member
Nov 3, 2006
129
23
168
@cPRex

Obviously in addition to Modsecurity 2.9.6 you also need the possibility to update owasp crs to 3.3.4

Now is

ea-modsec2-rules-owasp-crs-3.3.2-4.7.1.cpanel.x86_64
 

ciao70

Well-Known Member
Nov 3, 2006
129
23
168
Hi cPrex,

Yes we know

Q: Why is Trustwave ending support for ModSecurity?

A: Trustwave decided to end our support for ModSecurity to let the open-source community continue the project.


Right now we urgently need to update Modsecurity to 2.9.6 and OWASP CRS to 3.3.4

Thanks
 

tyuuu

Well-Known Member
Oct 16, 2005
81
0
156
Hi,

is it fine to keep 2.9.3 and owasp 3.2.2 ? or it is urgent and important to use 2.9.6 and 3.3.4 asap ?