Cybersecurity and software supply options supplier Radware has clarified that the vulnerabilities disclosed final week had been addressed again in 2023.
An advisory printed on Might 7 by the CERT Coordination Heart (CERT/CC) at Carnegie Mellon College revealed that the Radware Cloud Internet Utility Firewall (WAF) was weak to a few filter bypass strategies that might enable risk actors to conduct assaults with out being blocked by the firewall.
The advisory describes CVE-2024-56523 and CVE-2024-56524, which may have been exploited to bypass the Radware Cloud WAF utilizing specifically crafted HTTP requests.
One technique concerned including random knowledge within the request physique with an HTTP GET technique. The second technique concerned including a particular character to the request, which brought about the firewall to fail to filter the request and allowed numerous sorts of payloads to cross by to the underlying net software.
Researcher Oriol Gegundez has been credited for reporting these points to the seller.
CERT/CC indicated that the vulnerabilities have been fastened, however famous that “Radware had not acknowledged the reporter’s findings once they had been initially disclosed”. As well as, CERT/CC stated it had not obtained any assertion from the seller.
Radware additionally didn’t reply to SecurityWeek’s request for clarifications when contacted final week.
On Sunday, two days after SecurityWeek coated the vulnerabilities, Radware reached out to make clear that each points talked about within the CERT/CC advisory had been addressed by its R&D staff shortly after they had been reported to the corporate in 2023. Commercial. Scroll to proceed studying.
“One difficulty was instantly resolved upon notification, because it didn’t affect prospects’ resolution configuration,” Radware defined. “Decision of the second difficulty included releasing and making use of a signature globally to all Radware prospects and cloud purposes. As well as, we supplied corresponding configuration tips which weren’t enforced globally because of required enter from particular person prospects. For that motive, the configuration replace has been made obtainable to prospects upon request.”
“We respect the accountable disclosure from the reporter and are dedicated to evolving the safety of our options,” the corporate stated.
Associated: RSA Convention 2025 Announcement Abstract
Associated: macOS Sequoia Replace Fixes Safety Software program Compatibility Points
Associated: ESET Vulnerability Exploited for Stealthy Malware Execution
