Front Door WAF has essential rules disabled

ID

front_door_waf_policy_rules

Severity

low

Vendor

Azure

Resource

WAF

Tags

reachable

Description

Azure Front Door WAF should have WAF policy with essential rules enabled.

WAF provides some protection against application-layer attacks, and this rule enforces that application gateways enable a WAF with a proper mode.

To enable a Web Application Firewall on Front Door, you must create a WAF policy. This policy is where all the managed rules, custom rules, exclusions, and other customizations such as file upload limit exist.

A WAF policy consists of two types of security rules:

  • Custom rules.

  • Managed rule sets, which are Azure-managed, pre-configured collections of rules. The Azure-managed Default Rule Set includes rules against the following threat categories:

    • Cross-site scripting

    • Java attacks

    • Local file inclusion

    • PHP injection attacks

    • Remote command execution

    • Remote file inclusion

    • Session fixation

    • SQL injection protection

    • Protocol attackers

Rules can be disabled on a rule-by-rule basis, or you can set specific actions by individual rule.

This detector can be configured to alert when certain essential rules are disabled, for example rule 944240 in the JAVA group, which blocks attacks against applications running a vulnerable version of the Apache Log4j 2 library.

See WAF Core Rule Sets for an introduction to Azure WAF CRS rules.

Examples

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies",
      "apiVersion": "2019-10-01",
      "name": "bad", (1)
      "location": "Global",
      "properties": {
        "policySettings": {
          "enabledState": "Enabled",
          "mode": "Prevention"
        },
        "managedRules": {
          "managedRuleSets": [
            {
              "ruleSetType": "DefaultRuleSet",
              "ruleSetVersion": "1.0",
              "ruleGroupOverrides": [
                {
                  "ruleGroupName": "JAVA",
                  "rules": [
                    {
                      "ruleId": "944240",
                      "enabledState": "Disabled"
                    },
                    {
                      "ruleId": "920320",
                      "enabledState": "Disabled"
                    }
                  ]
                }
              ]
            }
          ]
        }
      }
    }
  ]
}
1 WAF policy with essential rules disabled.

Terraform

This configuration uses an old version that does not contain recent essential rules:

resource "azurerm_frontdoor_firewall_policy" "dsr_1_0" {
  name                = "example"
  resource_group_name = "example"

  managed_rule {
    type    = "Microsoft_DefaultRuleSet"
    version = "1.0" (1)
  }
}
1 This version does not have essential WAF rules.

This configuration does not prevent known RCE attacks, and in particular, Log4Shell:

resource "azurerm_frontdoor_firewall_policy" "log4shell_open" {
  name                = "example"
  resource_group_name = "example"

  managed_rule {
    type    = "Microsoft_DefaultRuleSet"
    version = "1.1"

    override {
      rule_group_name = "JAVA"

      rule {
        rule_id = "944240"
        enabled = true
        action  = "Allow" (1)
      }
    }
  }
}
1 The action for 944240 (RCE) rule should be Block or Redirect against Log4Shell attacks.

Mitigation / Fix

Buildtime

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies",
      "apiVersion": "2019-10-01",
      "name": "good", (1)
      "location": "Global",
      "properties": {
        "policySettings": {
          "enabledState": "Enabled",
          "mode": "Prevention"
        },
        "managedRules": {
          "managedRuleSets": [
            {
              "ruleSetType": "DefaultRuleSet",
              "ruleSetVersion": "1.0"
            }
          ]
        }
      }
    }
  ]
}
1 WAF policy with essential rules enabled.

Terraform

resource "azurerm_frontdoor_firewall_policy" "log4shell_blocked" {
  name                = "example"
  resource_group_name = "example"

  managed_rule {
    type    = "Microsoft_DefaultRuleSet"
    version = "1.1"

    override {
      rule_group_name = "JAVA"

      rule {
        rule_id = "944240"
        enabled = true
        action  = "Block" # FIXED
      }
    }
  }
}

Configuration

The detector has two properties:

  • versionsAllowed, a map keyed by managed rule set name (such as Microsoft_DefaultRuleSet) whose value is a regex pattern matching the allowed versions.

  • rulesToBeKept, a map keyed by rule group name whose value is the list of rule IDs considered essential, which SHOULD NOT be disabled.

Example app_gateway_waf_policy_rules.yml configuration file:

properties:
  # The versions allowed for the WAF policy, keyed by managed rule-set name.
  versionsAllowed:
    # Example: Microsoft_DefaultRuleSet rule-set version 1.1 and later
    # have the minimum essential rules as of today
    Microsoft_DefaultRuleSet: '^[2-9]\.|^1\.[1-9]'

  # The essential rules that should NOT be disabled, keyed by group name.
  rulesToBeKept:
    # Example: rule for Log4Shell attack
    JAVA: [ '944240' ]
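The following script is an added example, not the detector's own implementation, showing how the two configuration properties above can be applied to Front Door WAF policies in an ARM template: the ruleSetVersion of each managed rule set whose name appears in versionsAllowed is matched against the regex, and every ruleGroupOverride is scanned for a rule listed in rulesToBeKept that is set to Disabled or to a non-protective action. The configuration is the page's YAML example written as a dict, the "bad" and "good" policies are taken from the ARM examples above, and the third policy, the treatment of "Allow" and "Log" as equivalent to a disabled rule, and the helper names are assumptions made here.

```python
import json
import re

# Detector configuration in the shape of the page's YAML example, written as a
# dict so this script runs stand-alone (constructed, not read from a file).
CONFIG = {
    "versionsAllowed": {"Microsoft_DefaultRuleSet": r"^[2-9]\.|^1\.[1-9]"},
    "rulesToBeKept": {"JAVA": ["944240"]},
}

# Override actions that let a matching request reach the origin instead of
# stopping it. Assumption: the detector treats these like a disabled rule, as
# the Terraform example with action "Allow" on 944240 suggests.
NON_PROTECTIVE_ACTIONS = {"Allow", "Log"}

FRONT_DOOR_WAF_TYPE = "Microsoft.Network/frontdoorwebapplicationfirewallpolicies"


def check_policy(resource, config=CONFIG):
    """Return finding strings for one Front Door WAF policy ARM resource."""
    findings = []
    name = resource.get("name", "<unnamed>")
    managed = resource.get("properties", {}).get("managedRules", {})
    for rule_set in managed.get("managedRuleSets", []):
        set_type = rule_set.get("ruleSetType", "")
        version = str(rule_set.get("ruleSetVersion", ""))

        # 1. Version gate: only rule sets named in versionsAllowed are checked.
        pattern = config["versionsAllowed"].get(set_type)
        if pattern and not re.search(pattern, version):
            findings.append(
                f"{name}: {set_type} version {version} not allowed by {pattern!r}")

        # 2. Essential rules: an override that disables or weakens a kept rule.
        for group in rule_set.get("ruleGroupOverrides", []):
            kept = config["rulesToBeKept"].get(group.get("ruleGroupName"), [])
            for rule in group.get("rules", []):
                rule_id = str(rule.get("ruleId", ""))
                if rule_id not in kept:
                    continue  # e.g. 920320 in the "bad" policy is not essential
                if rule.get("enabledState") == "Disabled":
                    findings.append(f"{name}: essential rule {rule_id} is disabled")
                elif rule.get("action") in NON_PROTECTIVE_ACTIONS:
                    findings.append(
                        f"{name}: essential rule {rule_id} action is {rule['action']}")
    return findings


def check_template(template_json, config=CONFIG):
    """Scan every Front Door WAF policy in an ARM template given as JSON text."""
    template = json.loads(template_json)
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() == FRONT_DOOR_WAF_TYPE.lower():
            findings.extend(check_policy(res, config))
    return findings


def _policy(name, rule_set):
    """Hypothetical helper: build a minimal policy resource around one rule set."""
    return {
        "type": FRONT_DOOR_WAF_TYPE,
        "apiVersion": "2019-10-01",
        "name": name,
        "location": "Global",
        "properties": {
            "policySettings": {"enabledState": "Enabled", "mode": "Prevention"},
            "managedRules": {"managedRuleSets": [rule_set]},
        },
    }


# The page's "bad" policy: 944240 (essential) and 920320 (not essential) disabled.
BAD_POLICY = _policy("bad", {
    "ruleSetType": "DefaultRuleSet", "ruleSetVersion": "1.0",
    "ruleGroupOverrides": [{"ruleGroupName": "JAVA", "rules": [
        {"ruleId": "944240", "enabledState": "Disabled"},
        {"ruleId": "920320", "enabledState": "Disabled"},
    ]}],
})

# The page's "good" policy: no overrides at all.
GOOD_POLICY = _policy("good", {"ruleSetType": "DefaultRuleSet", "ruleSetVersion": "1.0"})

# Constructed policy: outdated Microsoft_DefaultRuleSet, and 944240 left enabled
# but set to "Allow", mirroring the Terraform log4shell_open example.
OLD_POLICY = _policy("old_allow", {
    "ruleSetType": "Microsoft_DefaultRuleSet", "ruleSetVersion": "1.0",
    "ruleGroupOverrides": [{"ruleGroupName": "JAVA", "rules": [
        {"ruleId": "944240", "enabledState": "Enabled", "action": "Allow"},
    ]}],
})

# Constructed ARM template bundling the three policies, serialised as JSON text.
SAMPLE_TEMPLATE_JSON = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [BAD_POLICY, GOOD_POLICY, OLD_POLICY],
})

if __name__ == "__main__":
    for finding in check_template(SAMPLE_TEMPLATE_JSON):
        print(finding)
```

Running the script reports one finding for the "bad" policy (only 944240, since 920320 is not in rulesToBeKept), none for "good", and two for the constructed policy: the 1.0 version rejected by the regex and the "Allow" action on 944240. The version gate is keyed on ruleSetType exactly as written in the template, so a rule set named DefaultRuleSet is not matched against the Microsoft_DefaultRuleSet pattern; extend versionsAllowed if both spellings are in use.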