About a year ago we released the CrowdSec Web Application Firewall (WAF) to the public — a powerful tool combining the classic benefits of a WAF with our unique crowd-powered and behavior-based approach.
In this article, I want to provide a bit more information on how the symbiotic relationship between the CrowdSec WAF and CTI feed delivers a significant step up in crowd-powered detection.
The CrowdSec Security Engine comes with many capabilities straight out of the box. By default, the Engine will tail any logs that you hand to it, discover and block exploits, and share them with the CrowdSec Network to form a collective shield around our herd.
However, log data is limited in scope: there are exploits that never show up in the logs at all. This is why last year we gave the Security Engine another major upgrade, the AppSec Component, which allows it to be used as a WAF.
How CrowdSec WAF works: The example of CVE-2021-3129
One example of an attack that cannot be detected from web server logs is CVE-2021-3129. This exploit targets an issue in Laravel's debug mode, which can be exploited with a crafted payload injected in the request body.
Laravel is a framework that allows developers to create websites using PHP. During development, developers sometimes make mistakes or introduce bugs that cause a website to fail. If Laravel is running in debug mode, the server returns a stack trace of the error that occurred instead of responding with a bare error page. This allows developers to get to the root cause of issues faster.
Debug modes like the one in Laravel are very common in web frameworks. Laravel takes its debug mode a step further and allows developers to apply quick fixes to their own code from within the debug web page. It is this feature that provides the entry point for an attacker: by sending a well-crafted JSON payload to the quick fix endpoint, an attacker can achieve Remote Code Execution (RCE) on the web server.
As the JSON payload is part of the HTTP message body, it is not logged by the web server. As a consequence, the Security Engine is unable to separate legitimate requests to the quick fix endpoint from exploitation attempts. To detect and prevent this exploit, we must rely on the Web Application Firewall instead.
Detecting CVE-2021-3129
The CrowdSec WAF allows you to define a simple rule to detect and prevent any attempts to exploit this vulnerability. To detect exploitation you can use the following rule:
rules:
  - and:
    - zones:
        - URI
      transform:
        - lowercase
      match:
        type: endsWith
        value: /_ignition/execute-solution
    - zones:
        - BODY_ARGS
      variables:
        - json.parameters.viewFile
      match:
        type: regex
        value: "php://filter|phar://"
You can also find this rule on the CrowdSec Hub. The detection is split into two core parts:
- zones:
    - URI
  transform:
    - lowercase
  match:
    type: endsWith
    value: /_ignition/execute-solution
This first part restricts the detection to requests that actually hit the quick fix endpoint. This endpoint is part of the Ignition templating system used by Laravel. As this part of the rule only concerns the target endpoint, it could also be detected by the Security Engine within the logs of the web server. However, that alone would cause innocent developers to trigger the same rule whenever they used any of the quick fix capabilities of the web framework.
- zones:
    - BODY_ARGS
  variables:
    - json.parameters.viewFile
  match:
    type: regex
    value: "php://filter|phar://"
This second part detects the core of the exploit. It extracts the viewFile parameter from the JSON body and looks for the php://filter (or phar://) stream wrapper at the heart of the exploit. This part of the rule allows the WAF to distinguish between innocent developers and attackers with malicious intent.
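To show how the two parts of the rule interact, here is an added Python example (not CrowdSec's own code; the AppSec Component evaluates these rules itself) that re-implements the URI check and the body check and runs them over two constructed requests: a legitimate quick-fix request and an exploitation attempt whose viewFile value is a placeholder, not a real payload.

```python
import json
import re
from typing import Optional, Tuple

# The two parts of the article's rule, joined by its `and:` block.
URI_SUFFIX = "/_ignition/execute-solution"            # match: endsWith (after lowercase)
VIEWFILE_PATTERN = re.compile(r"php://filter|phar://")  # match: regex


def json_variable(body: str, dotted_path: str) -> Optional[str]:
    """Resolve a BODY_ARGS variable such as json.parameters.viewFile in a JSON body."""
    try:
        node = json.loads(body)
    except (ValueError, TypeError):
        return None  # not JSON: the variable simply does not exist
    for key in dotted_path.split(".")[1:]:  # drop the leading "json" prefix
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node if isinstance(node, str) else None


def uri_part_matches(path: str) -> bool:
    """zones: URI, transform: lowercase, match: endsWith."""
    return path.split("?", 1)[0].lower().endswith(URI_SUFFIX)


def body_part_matches(body: str) -> bool:
    """zones: BODY_ARGS, variables: json.parameters.viewFile, match: regex."""
    value = json_variable(body, "json.parameters.viewFile")
    return value is not None and VIEWFILE_PATTERN.search(value) is not None


def rule_matches(path: str, body: str) -> bool:
    """Whole rule: the URI part AND the body part must both hold."""
    return uri_part_matches(path) and body_part_matches(body)


# Constructed sample requests (path, JSON body); not real traffic or real payloads.
DEVELOPER_REQUEST: Tuple[str, str] = ("/_ignition/execute-solution", json.dumps({
    "solution": "ExampleSolution",  # placeholder solution name
    "parameters": {"variableName": "user", "viewFile": "/app/resources/views/home.blade.php"},
}))
EXPLOIT_ATTEMPT: Tuple[str, str] = ("/_IGNITION/execute-solution", json.dumps({
    "solution": "ExampleSolution",
    "parameters": {"variableName": "x", "viewFile": "php://filter/resource=constructed-example"},
}))

if __name__ == "__main__":
    for label, (path, body) in [("developer", DEVELOPER_REQUEST), ("exploit", EXPLOIT_ATTEMPT)]:
        # A log-only check (URI part) fires for both; the full rule fires only for the exploit.
        print(label, "uri:", uri_part_matches(path), "rule:", rule_matches(path, body))
```

Both requests pass the URI part, which is all a log-based detection could see; only the body part separates the developer from the attacker.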
The wisdom of the crowd
During this past month alone, the CrowdSec Network has discovered around 1000 IP addresses of malicious actors trying to exploit this specific vulnerability. As a result, these 1000 IPs are now enriched in our Threat Intelligence feed, allowing everyone in the network to benefit from advanced preemptive threat response.
However, this doesn’t mean that before the release of our WAF the CrowdSec Network was unaware of the threat posed by these IPs. In fact, the relationship between our existing detection capabilities and the WAF is much more symbiotic in nature. Almost all the IPs that are currently flagged for CVE-2021-3129 have been seen previously by our network for other exploit attempts.
This means that just as the Security Engine benefits from the new detection capabilities of WAF, the WAF benefits from all the previous detections made by the Security Engine. So, the CrowdSec WAF not only improves the threat intelligence we collect from attackers, it also improves the real protection experienced by users of the Security Engine.
If you also want to level up your protection, check out this step-by-step guide and set up the CrowdSec WAF today!