Trustwave's SpiderLabs Security Advisory TWSL2011-001:
Vulnerabilities in Trustwave WebDefend Enterprise

Published: 2011-06-17
Version: 1.1

Vendor: Trustwave (www.trustwave.com)
Product: Trustwave WebDefend Enterprise
Version affected:
  Versions prior to 5.0 (Finding 1)
  Versions prior to 5.0 Patch 2 (7.01.907-4.4) (Finding 2)

Product description:
Trustwave's WebDefend(R) Web application firewall appliance provides Web applications with real-time, continuous security against attacks and data loss, ensures they operate as intended and helps them comply with industry regulations such as the Payment Card Industry Data Security Standard (PCI DSS).

Credit: Nathan Power

Finding 1: Static user-level credentials employed by application server
CVE: CVE-2011-0756

A static username and password are present in versions of WebDefend Enterprise prior to 5.0. WebDefend uses a thick client to communicate with the application server. Once obtained, the static console username and password, together with the private key, can be used to authenticate to the appliance and reach event data through the remote console GUI. The exposed user account has view-only access to security event data. Access to the appliance's management port is required in order to perform this action.

Finding 2: Static user-level credentials employed by database
CVE: CVE-2011-0756

A static username and password are present in the MySQL database for versions of WebDefend prior to 5.0 Patch 2 (7.01.907-4.4). This user account provides access to the event collection table, which holds IP and URL information as well as compressed data containing the HTTP requests and responses observed by the server. Access to the appliance's management port is required in order to perform this action.

Remediation Steps:
Customers should upgrade to version 5.0 Patch 2 (7.01.907-4.4) in order to remediate both vulnerabilities. The static credentials detailed in Finding 1 do not exist in any release of WebDefend version 5.0.
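After the upgrade, an administrator will want to confirm that no database account reachable from the management port still grants access to the event data described in Finding 2. The queries below are an added post-remediation audit, not part of this advisory or of the WebDefend product. They assume an administrative MySQL session on the appliance (root, or a user with SELECT on mysql.* and information_schema.*). The advisory does not name the static account or the event collection table, so nothing here hard-codes either; the queries enumerate every account and every grant and leave the judgement to the reviewer.

```sql
-- Added post-remediation audit (not from the advisory or from WebDefend).
-- Assumes an administrative MySQL session on the appliance. Account and
-- table names from the WebDefend schema are unknown here and are not used.

-- 1. Every account, flagged by whether it can connect from off-box.
--    A host of '%' or any non-loopback address means the account is
--    reachable through the management port, the precondition for Finding 2.
SELECT user,
       host,
       CASE
         WHEN host IN ('localhost', '127.0.0.1', '::1') THEN 'local-only'
         ELSE 'remotely reachable'
       END AS reach
FROM mysql.user
ORDER BY reach DESC, user, host;

-- 2. Accounts with no password set at all. On MySQL 5.1/5.5 the hash column
--    is `password`; on 5.7 and later use `authentication_string` instead.
SELECT user, host
FROM mysql.user
WHERE password = '';

-- 3. Who can read what. Schema-wide grants (GRANT SELECT ON db.*) appear in
--    SCHEMA_PRIVILEGES, per-table grants in TABLE_PRIVILEGES. Global grants
--    (ON *.*) live in information_schema.USER_PRIVILEGES and should be
--    checked separately. Any account other than the appliance's own service
--    account that still has SELECT on the event schema is worth raising
--    with the vendor.
SELECT grantee, table_schema, NULL AS table_name, privilege_type
FROM information_schema.SCHEMA_PRIVILEGES
WHERE privilege_type = 'SELECT'
UNION ALL
SELECT grantee, table_schema, table_name, privilege_type
FROM information_schema.TABLE_PRIVILEGES
WHERE privilege_type = 'SELECT'
ORDER BY grantee, table_schema, table_name;
```

Run the three statements in order: the first tells you which accounts an attacker on the management network could even attempt to use, the second catches the worst case of an account with no password, and the third maps the remaining accounts to the data they can read. An expected clean result is that only the appliance's own service account retains SELECT on the event schema, and that it is restricted to a loopback host.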
Communication Timeline:
10/31/10 - Vendor notified of vulnerabilities
11/4/10  - Complete workaround provided through support channel for both findings
11/15/10 - Version 5.0 released, Finding 1 addressed
2/15/11  - Advisory released
6/17/11  - Version 5.0 Patch 2 (7.01.907-4.4) released, Finding 2 addressed, Advisory updated

About Trustwave's SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.