CVE-2017-14706
published 2017-09-22

Priority: P272 · critical · CVSS 3.0: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 28.24% (97.9th percentile)
DenyAll WAF before 6.4.1 allows unauthenticated remote attackers to obtain authentication information by making a typeOf=debug request to /webservices/download/index.php, and then reading the iToken field in the reply. This affects DenyAll i-Suite LTS 5.5.0 through 5.5.12, i-Suite 5.6, Web Application Firewall 5.7, and Web Application Firewall 6.x before 6.4.1, with On Premises or AWS/Azure cloud deployments.

Affected

12 ranges
Vendor | Product | Version range | Fixed in
denyall | i-suite (6 ranges)
denyall | web_application_firewall (6 ranges)

Detection & IOCs (extracted from sources)

port: 3001
path: /webservices/stream/tail.php
  • Monitor HTTP requests to /webservices/stream/tail.php on port 3001 for shell metacharacters in the 'type' parameter, which indicates exploitation of the tailDateFile command injection vulnerability.
  • Detect unauthenticated requests to /webservices/stream/tail.php that include an 'iToken' parameter — this token may have been obtained by chaining CVE-2017-14706 prior to exploitation.
  • Alert on inbound TCP connections to port 3001 on DenyAll WAF hosts, particularly those originating from untrusted/external sources, as exploitation occurs over this non-standard port.
  • The Metasploit module 'exploits/linux/http/denyall_waf_exec' can be used to validate detection coverage; look for its characteristic HTTP request patterns against the tail.php endpoint.
  • Affected versions span a wide range; ensure version scoping is applied before deploying detections to avoid false positives on patched systems.
  • CVE-2017-14705 is exploited as a two-stage chain: CVE-2017-14706 must first be exploited to obtain a valid iToken before the RCE can be triggered. Detection strategies should account for both stages.
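
The two-stage detection described in the bullets above, as an added example (not code from the page's sources or from the vendor): it scans access-log lines for the typeOf=debug request to /webservices/download/index.php and for requests to tail.php, and marks a client that does both. The log format, the assumption that parameters appear in the query string, the metacharacter set and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Paths and parameter names are the ones quoted on this page.
LEAK_PATH = "/webservices/download/index.php"  # CVE-2017-14706: iToken disclosure
EXEC_PATH = "/webservices/stream/tail.php"     # CVE-2017-14705: command injection
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n\r]")  # assumed metacharacter set

# Assumed log format: '<client_ip> - - [ts] "<METHOD> <uri> HTTP/x.y" <status> <size>'
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+) [^"]*" \d{3}')

def classify(line):
    """Return (client_ip, tag) for a request matching either stage, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, uri = m.groups()
    parts = urlsplit(uri)
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if parts.path == LEAK_PATH and "debug" in query.get("typeOf", []):
        return ip, "token_leak_probe"
    if parts.path == EXEC_PATH:
        if any(SHELL_META.search(v) for v in query.get("type", [])):
            return ip, "tail_metachar"
        if "iToken" in query:
            return ip, "tail_with_token"
    return None

def correlate(lines):
    """Tag tail.php hits as 'chain' when the same client probed the leak first."""
    leaked, alerts = set(), []
    for ip, tag in filter(None, map(classify, lines)):
        if tag == "token_leak_probe":
            leaked.add(ip)
            alerts.append((ip, tag, "single"))
        else:
            alerts.append((ip, tag, "chain" if ip in leaked else "single"))
    return alerts

# Constructed sample lines (documentation IPs, placeholder token and values).
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2018:10:00:00 +0000] "GET /webservices/download/index.php?typeOf=debug HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2018:10:00:05 +0000] "GET /webservices/stream/tail.php?iToken=PLACEHOLDER&type=a%3Bb HTTP/1.1" 200 0',
    '203.0.113.9 - - [01/Jan/2018:10:01:00 +0000] "GET /webservices/stream/tail.php?iToken=PLACEHOLDER&type=access HTTP/1.1" 200 64',
    '203.0.113.9 - - [01/Jan/2018:10:02:00 +0000] "GET /index.php?typeOf=debug HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print(*correlate(SAMPLE), sep="\n")
```

Requests sent with parameters in a POST body do not appear in a standard access log, so this logic would need body-level visibility (proxy or IDS) to cover them.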

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P