hello everyone, i came with this issue: the WAF of NSX Advanced Load Balancer (Avi Vantage Version: 21.1.2 Build: 9124 - Controller patch version: 2p2)
is not compatible with Arabic Unicode character as input arguments for web applications.
for example if this 'get' query : http://somename.com/index.php?testparam=ذخیره و ادامه
is sent to the application(VS/WAF) , it gets corrupted like this: 0.J1G H '/'EG which it cause false positive alarms (sqli). the corruption is caused by these two function (t:utf8toUnicode,t:urlDecodeUni) which are used in rules/signature... as of my researches and tests , this issue originates from the default configuration of ModSecurity (SecUnicodeMapFile unicode.mapping parameter) which is set to use 20127 (US-ASCII) by default. to fix and workaround that issue we should be able to change it to 1256 (ANSI - Arabic). i should mention that there is "unicode.mapping" file for this purpose and it should be up to date. in conclusion i can't find anyplace in the AVI NSX-ALB web GUI (controller) to set this parameter for waf profile/policy. nor i was able to find the modsecurity config file in the Service Engines shell to modify manually. this issue cause the whole WAF solution to not be compatible with lot of other languages...
any suggestion might be helpful , thanks
Hi.
Thanks for reporting this issue. And thank you for all the detailed information.
One ask though. Is this only happening with a specific browser or all browsers? We had seen that this might be triggered by Internet Explorer?
Have a great day.
Christian
Hello Christian, Thank you for your attention to this topic/issue. This is not a browser specific issue, I can reproduce same problem on chrome/Firefox/IE...
Also as it can be seen in the screenshot the user input parameter is sent correctly by the browser (url encoded) and is correctly visible(readable) in LB logs... But when it's get passed to WAF engine it gets croupted as I described earlier. The input string turns to random character (can be seen in waf logs).
Best Regards
Alright. I have asked the team to reproduce and examine why this fails. Not if there is a workaround I will let you know here. In case code changes are needed, then it should appear in the release notes and a notification here. Have a great day!
Hello christan, hope you are doing well.
i was just playing around with the AVI lab environment located at :
which its controller version is : 20.1.3
same issue (Unicode compatibility) exists in that version too. i should note that this issue even exist with paranoia level one.
https://test-navid.academy.demoavi.us/?testparam=ذخیره و ادامه
https://test-navid.academy.demoavi.us/?testparam=%D8%B0%D8%AE%DB%8C%D8%B1%D9%87%20%D9%88%20%D8%A7%D8%AF%D8%A7%D9%85%D9%87
thanks for following up.
Dear Navid.
We are currently investigating and fixing the issue. As written before I do not have a valid workaround today. We are trying to provide a fix in one of our next updates.
All the best
Christian
PS: You are right this is independent from Paranoia level, since it concerns the initial parsing instead of rules execution.
Dear Christian, Hello and happy new year.
Could you please tell us about the process that is going on for fixing this issue? Any estimate when will the new version get release?
i would like to be able install the patch that fix this issue on ALB version 21.1.2 since i can't upgrade to 21.1.3 easily due to hardware requirement of NSX-T 3.2 ( according to vmware compatibility website , ALB 21.1.3 is only compatible with nsx-t 3.2)
best regards
Navid
Hey.
We are looking into a possible workaround for your problem. Would you be able to provide me with an Email I could provide some details to? Maybe via DM or something? Thanks
Hi Christian.
I have sent you my Email address in a private message to you here. please check your DM.
Finding a workaround is good news , hope it works.
Thank you for following up.
Regards
Navid
Hello Christian, can i know the bug ID number for this issue? (for ex:AV-129536)
Hey Navid. Here it is: AV-134481
Hello Christian, we have been waiting a long time for a new version release to fix this problem. any update and news regarding this bug AV-134481 ?