VMware Networking Community
FTABoy
Contributor

NSX-ALB WAF is not compatible with Arabic characters

Hello everyone, I came across this issue: the WAF of NSX Advanced Load Balancer (Avi Vantage Version: 21.1.2, Build: 9124, Controller patch version: 2p2)
is not compatible with Arabic Unicode characters as input arguments for web applications.

For example, if this GET query: http://somename.com/index.php?testparam=ذخیره و ادامه
is sent to the application (VS/WAF), it gets corrupted like this: 0.J1G H '/'EG, which causes false positive alarms (SQLi). The corruption is caused by these two functions (t:utf8toUnicode, t:urlDecodeUni), which are used in the rules/signatures.

As far as my research and tests go, this issue originates from the default configuration of ModSecurity (the SecUnicodeMapFile unicode.mapping parameter), which is set to use 20127 (US-ASCII) by default. To fix and work around that issue, we should be able to change it to 1256 (ANSI - Arabic). I should mention that there is a "unicode.mapping" file for this purpose, and it should be up to date.

In conclusion, I can't find any place in the Avi NSX-ALB web GUI (controller) to set this parameter for a WAF profile/policy, nor was I able to find the ModSecurity config file in the Service Engine shell to modify it manually. This issue causes the whole WAF solution to be incompatible with a lot of other languages...

Any suggestion might be helpful, thanks.

--------------------------
Navid Hosseinzadeh
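To make the failure mode in the post above concrete, here is an added Python simulation of the two transformations named there (t:utf8toUnicode followed by t:urlDecodeUni with a SecUnicodeMapFile code page loaded). It is example code written for this page, not Avi or ModSecurity code. Two assumptions are built in and labelled in the comments: a Python codec stands in for the corresponding section of unicode.mapping (so the real 1256 section may carry best-fit entries this stand-in lacks, for instance for Persian yeh U+06CC), and a code point absent from the loaded code page is assumed to fall back to its low byte, which is inferred from the garbage string in the post rather than read from the ModSecurity source. With that fallback the simulation reproduces the post's output for every character whose low byte is printable ASCII (the third character, U+06CC, comes out as raw byte 0xCC here, where the screenshot shows "J"). The practitioner's takeaway is visible in the bytes: alef (U+0627) truncates to 0x27, the ASCII apostrophe, and the input "ا...ا" turns into "'/'", which is exactly what SQL-injection signatures look for.

```python
"""
Simulation of how t:utf8toUnicode + t:urlDecodeUni mangle non-Latin input
when the loaded unicode.mapping code page has no entry for the code points.
Added example for this thread, not Avi/ModSecurity code.
"""
from urllib.parse import unquote_to_bytes

# Constructed from the thread: the percent-encoded UTF-8 form of
# "ذخیره و ادامه" as the browser sends it in the query string.
RAW_PARAM = ("%D8%B0%D8%AE%DB%8C%D8%B1%D9%87%20%D9%88%20"
             "%D8%A7%D8%AF%D8%A7%D9%85%D9%87")


def utf8_to_unicode(raw: str) -> str:
    """Model of t:utf8toUnicode: percent-decode the UTF-8 bytes and re-emit
    every non-ASCII code point as a %uHHHH escape for urlDecodeUni."""
    text = unquote_to_bytes(raw).decode("utf-8")
    return "".join(ch if ord(ch) < 0x80 else f"%u{ord(ch):04X}" for ch in text)


def build_codepage_map(encoding: str) -> dict:
    """Stand-in for one code-page section of unicode.mapping: a table of
    Unicode code point -> single byte for that page. Assumption: Python's
    codec for the page is used instead of parsing the real mapping file."""
    table = {}
    for b in range(0x80, 0x100):
        try:
            table[ord(bytes([b]).decode(encoding))] = b
        except UnicodeDecodeError:
            continue  # byte undefined in this page (all of 0x80-0xFF for US-ASCII)
    return table


def url_decode_uni(s: str, codepage_map: dict) -> bytes:
    """Model of t:urlDecodeUni with a unicode map loaded: each %uHHHH is
    looked up in the code-page table. Assumption (inferred from the
    thread's output, not from the ModSecurity source): a code point the
    page does not contain falls back to its low byte."""
    out = bytearray()
    i = 0
    while i < len(s):
        if (s[i] == "%" and i + 5 < len(s) and s[i + 1] in "uU"
                and all(c in "0123456789abcdefABCDEF" for c in s[i + 2:i + 6])):
            cp = int(s[i + 2:i + 6], 16)
            out.append(codepage_map.get(cp, cp & 0xFF))
            i += 6
        else:
            out.append(ord(s[i]) & 0xFF)
            i += 1
    return bytes(out)


def waf_view(raw: str, codepage: str) -> bytes:
    """What the rule engine sees after both transformations for one code page."""
    return url_decode_uni(utf8_to_unicode(raw), build_codepage_map(codepage))


if __name__ == "__main__":
    # "ascii" plays the role of 20127 and "cp1256" the role of 1256.
    for page in ("ascii", "cp1256"):
        seen = waf_view(RAW_PARAM, page)
        quotes = seen.count(b"'")
        print(f"{page:7s} -> {seen!r}  ASCII apostrophes: {quotes}")
```

Running it shows the US-ASCII view as b"0.\xcc1G H '/'EG" (two apostrophes, hence the SQLi false positive) while the cp1256 view keeps every mapped letter above 0x7F and contains no apostrophe at all; the rules then see the bytes the application will actually receive.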
12 Replies
FTABoy
Contributor

[Attached screenshots: IMG_20211125_134631_280.jpg, IMG_20211125_134628_846.jpg]

--------------------------
Navid Hosseinzadeh
Christian_Avi
VMware Employee

Hi.

Thanks for reporting this issue. And thank you for all the detailed information.

One ask though. Is this only happening with a specific browser or all browsers? We had seen that this might be triggered by Internet Explorer?

Have a great day.

Christian

FTABoy
Contributor

Hello Christian, thank you for your attention to this topic/issue. This is not a browser-specific issue; I can reproduce the same problem on Chrome/Firefox/IE...

Also, as can be seen in the screenshot, the user input parameter is sent correctly by the browser (URL-encoded) and is correctly visible (readable) in the LB logs. But when it gets passed to the WAF engine, it gets corrupted as I described earlier. The input string turns into random characters (this can be seen in the WAF logs).

Best Regards

--------------------------
Navid Hosseinzadeh
Christian_Avi
VMware Employee

Alright. I have asked the team to reproduce and examine why this fails. If there is a workaround, I will let you know here. In case code changes are needed, they should appear in the release notes and in a notification here. Have a great day!

FTABoy
Contributor

Hello Christian, hope you are doing well.

I was just playing around with the Avi lab environment located at:

europe.academy.demoavi.us

whose controller version is: 20.1.3

The same issue (Unicode compatibility) exists in that version too. I should note that this issue even exists with paranoia level one.


https://test-navid.academy.demoavi.us/?testparam=ذخیره  و ادامه

https://test-navid.academy.demoavi.us/?testparam=%D8%B0%D8%AE%DB%8C%D8%B1%D9%87%20%D9%88%20%D8%A7%D8%AF%D8%A7%D9%85%D9%87 


Thanks for following up.

[Attached screenshots: Capture3.JPG, Capture2.JPG, Capture.JPG]

--------------------------
Navid Hosseinzadeh
Christian_Avi
VMware Employee

Dear Navid.

We are currently investigating and fixing the issue. As written before, I do not have a valid workaround today. We are trying to provide a fix in one of our next updates.

All the best

Christian

PS: You are right, this is independent of the Paranoia level, since it concerns the initial parsing instead of rule execution.

FTABoy
Contributor

Dear Christian, hello and happy new year.

Could you please tell us about the process that is going on for fixing this issue? Any estimate of when the new version will be released?

I would like to be able to install the patch that fixes this issue on ALB version 21.1.2, since I can't upgrade to 21.1.3 easily due to the hardware requirements of NSX-T 3.2 (according to the VMware compatibility website, ALB 21.1.3 is only compatible with NSX-T 3.2).

Best regards

Navid

--------------------------
Navid Hosseinzadeh
Christian_Avi
VMware Employee

Hey.

We are looking into a possible workaround for your problem. Would you be able to provide me with an email address I could provide some details to? Maybe via DM or something? Thanks.

FTABoy
Contributor

Hi Christian.

I have sent you my email address in a private message here. Please check your DM.

Finding a workaround is good news; I hope it works.

Thank you for following up.

Regards

Navid

--------------------------
Navid Hosseinzadeh
FTABoy
Contributor

Hello Christian, can I know the bug ID number for this issue? (For example: AV-129536.)


--------------------------
Navid Hosseinzadeh
Christian_Avi
VMware Employee

Hey Navid. Here it is: AV-134481

FTABoy
Contributor

Hello Christian, we have been waiting a long time for a new version release to fix this problem. Any update or news regarding this bug, AV-134481?

--------------------------
Navid Hosseinzadeh