NetScaler WAF Signatures – Automatic Protection against CVEs
What is a NetScaler WAF signature?
WAF signatures, put simply, are rules that help simplify the task of protecting websites and applications against known attacks. WAF Signatures are configurable and can be very specific. They represent a pattern that is a component of a known attack and help identify these attacks and protect against application vulnerabilities.
NetScaler has over 1300 built in signatures but there is also the facility for you to create your own signatures using templates.
What is a CVE (Common Vulnerability Exposure)?
A CVE is a database of publicly disclosed information regarding security flaws in computer operating systems, networks and applications. CVEs are assigned a unique CVE number by a CVE Numbering Authority (CNA) who are either the software providers themselves or a central authority such a CERT Coordination Centre.
NetScaler WAF Signature Alerts
NetScaler WAF generates and provides new signature rules when vulnerabilities are identified and announced. These new rules are made available for download on a central Amazon web site. When NetScaler WAF announces new signature updates you can download and apply these updates your appliance and by so doing protect your web sites and/or applications, against the announced CVE vulnerability.
On hearing of any CVE announcements that you may feel might affect your web sites and/or applications you can browse to the NetScaler WAF online documentation and there under the menu option “Signature Alerts” you can find a description of the signature update and the CVEs it addresses.
What is NetScaler WAF Auto Update?
Within the NetScaler WAF there is the setting Auto Update Signatures. This functionality allows the user to get the latest signatures to protect the web application against new vulnerabilities. The auto update feature provides better protection and more timely updates without having to manually remember to check for, and get, the latest updates. The signatures are auto updated on an hourly basis and do not require regular checks for the availability of the most recent update. Once you enable Signature Auto Update, the NetScaler appliance connects to the server hosting the signatures to check if a newer version is available.
On September 29th 2022, Microsoft announced two Zero day attack vulnerabilities relating to “on-premises” Exchange server. CVE-2022-41082 Microsoft Exchange Server – RCE Vulnerability and CVE-2022-41040 Server-Side Request Forgery (SSRF) vulnerability. By close of business (UK time) on 3rd October 2022 NetScaler WAF released Signature update version 93 and within that is signature rule 998871 which addresses these two specific CVE’s.
The NetScaler Web Application Firewall (WAF) protects against security breaches, data loss and possible unauthorised modifications and attacks to web site and applications. It does this by filtering both inbound and outbound traffic, using “rules” also known as signatures, to examine this traffic for evidence of malicious activity and should it see any such activity, block it. NetScaler WAF produces updates to the default signatures as and when CVEs (Common Vulnerability Exposure) are announced.
These updated signatures (signature alerts), when enabled, help mitigate against these CVEs. The updated signatures are stored in a central Amazon repository and the NetScaler WAF can be configured to automatically download the new signature alerts to your NetScaler WAF thus allowing you to enable the appropriate update. Resulting in timely updates to the NetScaler WAF and by definition timely protection against the know vulnerabilities.
On 6th October 2022 Microsoft issued an update to their mitigation for the above listed CVEs.
We recommend applying these updates from Microsoft and for the added security NetScaler has released the updated Signature version 94 for the NetScaler users that have NetScaler WAF signatures enabled.