Security Advisory
Issue Identification
Zafran’s Research Team has discovered a critical misconfiguration vulnerability in web application firewalls (WAF) that also serve as content delivery networks (CDNs). This flaw allows threat actors to bypass WAF protections, leaving web applications and load balancers vulnerable to direct attacks, including distributed denial-of-service (DDoS) attacks and exploitation of other vulnerabilities.
Root Cause
The vulnerability stems from an architectural weakness in which web applications do not verify that incoming traffic actually originates from their CDN/WAF provider. Because the origin servers accept connections from any source, attackers can reach them directly and bypass the WAF protections in front of them, exposing the applications to the threats described above.
Action Required
Customers are strongly encouraged to implement the configurations described below without delay to protect their web applications from the identified vulnerability and the attacks it enables.
How Barracuda WAF-as-a-Service Addresses the Issue
IP Restriction
Purpose: Ensures that backend servers only accept traffic from authorized IP ranges.
Implementation: Configure backend servers to accept traffic solely from Barracuda WAF-as-a-Service IP ranges.
Resource: Restricting Direct Traffic.
Client Certificate Authentication
Purpose: Guarantees that only authenticated traffic can access backend systems, enhancing security.
Implementation: Enable client certificate-based authentication between the WAF-as-a-Service and backend servers.
Resource: Client Certificate-Based Authentication.
Pre-Shared Secret in a Custom HTTP Header
Purpose: Adds an additional layer of security by embedding a dynamic pre-shared secret token in HTTP headers, which must be validated on the server side.
Implementation: Use the request rewrite mechanism in Barracuda WAF-as-a-Service to insert custom headers with dynamic pre-shared secret tokens.
Resource: API documentation for creating custom header rules with dynamic values.
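The following is an added illustration, not code from the advisory or from Barracuda, of how an origin server can enforce the first and third measures together: accept a request only if the TCP peer address falls inside the WAF's egress ranges and the request carries the expected pre-shared secret header. The CIDR ranges, header name and secret are placeholders; substitute the values published by the WAF provider and configured in its request-rewrite rule.

```python
import hmac
import ipaddress

# Placeholder values (assumptions, not values from the advisory): replace with
# the WAF provider's published egress ranges and the secret inserted by the
# WAF's request-rewrite rule.
WAF_EGRESS_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:abcd::/48"),
]
SECRET_HEADER = "X-WAF-Shared-Secret"            # hypothetical header name
SHARED_SECRET = "replace-with-long-random-value"  # hypothetical secret


def from_waf_ip(remote_addr: str) -> bool:
    """True if the TCP peer address is inside a known WAF egress range.
    Only the peer address is trusted; X-Forwarded-For is attacker-controlled
    on a direct connection and must not be used for this decision."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in WAF_EGRESS_RANGES)


def has_valid_secret(headers: dict) -> bool:
    """True if the pre-shared header is present and matches the configured
    secret. Header names are case-insensitive; comparison is constant-time."""
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get(SECRET_HEADER.lower())
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), SHARED_SECRET.encode())


def admit_request(remote_addr: str, headers: dict) -> tuple[bool, str]:
    """Both checks must pass before the request reaches the application."""
    if not from_waf_ip(remote_addr):
        return False, "peer address outside WAF egress ranges"
    if not has_valid_secret(headers):
        return False, "missing or invalid pre-shared secret header"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests: one via the WAF, one direct, one lacking the header
    print(admit_request("203.0.113.7", {SECRET_HEADER: SHARED_SECRET}))
    print(admit_request("198.51.100.9", {SECRET_HEADER: SHARED_SECRET}))
    print(admit_request("203.0.113.7", {}))
```

Hook admit_request into the web server's request pipeline (middleware, or an equivalent rule in the reverse proxy) so that a failed check returns an error before any application code runs.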
If you have queries or need assistance, contact Barracuda Networks Technical Support.