Virtual Patching for Websites with Sucuri CloudProxy

All software has bugs, and some bugs can lead to security vulnerabilities. Vulnerabilities can be extremely dangerous when your software is running over the web, allowing anyone to reach and try to attack it. That’s why patching and keeping web applications updated is so important.
Sucuri Cloud Proxy

The reality is there is no shortage of websites running outdated Joomla installs, or outdated WordPress, or name your favorite CMS. There are also plenty of websites running themes/templates with known vulnerabilities, or forgotten plugins that are being exploited in the wild. The #1 excuse for keeping these web applications outdated is that their websites will break.

We often hear things like “My theme was heavily modified, so I can’t update it”, or “I am afraid it will break some functionality if I update this plugin”, or “I modified core files so now I am stuck”, or even “My web developer left us and nobody knows how this piece of code works”.

If you are in this situation where you can’t update your web software (from CMS’s, to plugins, modules or themes), this CVE list will probably will scare you:

CVE-2012-6527 XSS Cross-site scripting (XSS) vulnerability in the My Calendar plugin before 1.10.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.

CVE-2012-5868 INFO WordPress 3.4.2 does not invalidate a wordpress_sec session cookie upon an administrator’s logout action, which makes it easier for remote attackers to discover valid session identifiers via a brute-force attack, or modify data via a replay attack.

CVE-2012-4448 CSRF Cross-site request forgery (CSRF) vulnerability in wp-admin/index.php in WordPress 3.4.2 allows remote attackers to hijack the authentication of administrators for requests that modify an RSS URL via a dashboard_incoming_links edit action.

CVE-2012-4422 Bypass wp-admin/plugins.php in WordPress before 3.4.2, when the multisite feature is enabled, does not check for network-administrator privileges before performing a network-wide activation of an installed plugin, which might allow remote authenticated users to make unintended plugin changes by leveraging the Administrator role.

CVE-2012-4421 Bypass The create_post function in wp-includes/class-wp-atom-server.php in WordPress before 3.4.2 does not perform a capability check, which allows remote authenticated users to bypass intended access restrictions and publish new posts by leveraging the Contributor role and using the Atom Publishing Protocol (aka AtomPub) feature.

CVE-2012-4271 XSS Multiple cross-site scripting (XSS) vulnerabilities in bad-behavior-wordpress-admin.php in the Bad Behavior plugin before 2.0.47 and 2.2.x before 2.2.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO, (2) httpbl_key, (3) httpbl_maxage, (4) httpbl_threat, (5) reverse_proxy_addresses, or (6) reverse_proxy_header parameter.

CVE-2013-1455 Leak Joomla! 3.0.x through 3.0.2 allows attackers to obtain sensitive information via unspecified vectors related to an “Undefined variable.”

CVE-2013-1453 – SQL injection – plugins/system/highlight/highlight.php in Joomla! 3.0.x through 3.0.2 and 2.5.x through 2.5.8 allows attackers to unserialize arbitrary PHP objects to obtain sensitive information, delete arbitrary directories, conduct SQL injection attacks, and possibly have other impacts via the highlight parameter. Note: it was originally reported that this issue only allowed attackers to obtain sensitive information, but later analysis demonstrated that other attacks exist.

CVE-2012-5455 XSS Cross-site scripting (XSS) vulnerability in the language search component in Joomla! before 3.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to a “typographical error.”

CVE-2012-2991 – The PayPal (aka MODULE_PAYMENT_PAYPAL_STANDARD) module before 1.1 in osCommerce Online Merchant before 2.3.4 allows remote attackers to set the payment recipient via a modified value of the merchant’s e-mail address, as demonstrated by setting the recipient to one’s self.

CVE-2012-2935 Cross-site scripting (XSS) vulnerability in osCommerce/OM/Core/Site/Shop/Application/Checkout/pages/main.php in OSCommerce Online Merchant 3.0.2 allows remote attackers to inject arbitrary web script or HTML via the value_title parameter, a different vulnerability than CVE-2012-1059.

The scary thing is this is just a small number of the CVE’s released for WordPress, Joomla and osCommerce over the past few months.

Web site virtual patching

According to OWASP, virtual patching is defined as:

The term virtual patching was originally coined by Intrusion Prevention System (IPS) vendors a number of years ago. It is not a web application specific term, and may be applied to other protocols however currently it is more generally used as a term for Web Application Firewalls (WAF). It has been known by many different names including both External Patching and Just-in-time Patching. Whatever term you choose to use is irrelevant. What is important is that you understand exactly what a virtual patch is:

A security policy enforcement layer which prevents the exploitation of a known vulnerability.
The virtual patch works since the security enforcement layer analyzes transactions and intercepts attacks in transit, so malicious traffic never reaches the web application. The resulting impact of virtual patch is that, while the actual source code of the application itself has not been modified, the exploitation attempt does not succeed.

Virtual patching affords websites that are outdated (or with known vulnerabilities) to be protected from attacks by preventing exploitation of these vulnerabilities on the fly. This is usually done by either a firewall or intrusion detection system.

Sucuri CloudProxy – WAF+IDS

To assist our customers with proactive security measures we have created a Web Application Firewall (WAF) plus Intrusion Detection System (IDS) named Sucuri CloudProxy. It is an in-the-middle proxy that sits between your websites and the internet allowing us to filter and block attacks before they reach your websites.

CloudProxy, which is currently in open beta to our customers, will patch known vulnerabilities and also adds multiple layers of hardening/prevention, along with log analysis to prevent websites from being hacked, infected with malware, or reinfected.

Here are a few of the features you’ll find in CloudProxy:

  • Traffic Filtering – blocks malicious requests
  • Virtual Patching
  • WAF (Web application firewall) – Prevents SQL injections, XSS, RFI, etc
  • IDS/IPS (Intrusion Detection/Prevention System)
  • Extended Access Control (whitelisting of IP’s allowed to access administrative pages)
  • OSSEC HIDS Integration (Full log analysis and traffic monitoring)
  • Improved Performance and Caching
  • Fully Managed in the Cloud

If you have questions about virtual patching, or the Sucuri CloudProxy service, email us at info@sucuri.net and we can get you setup.

Scan your website for free:
About Daniel Cid

Daniel is the Founder & CTO of Sucuri and also the founder of the open source project - OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development.

You can find more about Daniel at his site dcid.me or on Twitter: @danielcid