Login Sign Up

CVE-2017-14706

9.8 CRITICAL
Remote Code Execution Authentication Bypass

📋 TL;DR

This vulnerability in DenyAll Web Application Firewall allows unauthenticated attackers to obtain authentication tokens by making a debug request to a specific endpoint. Successful exploitation could lead to remote code execution. Affected systems include DenyAll WAF versions before 6.4.1 and i-Suite versions 5.5.0 through 5.6.

💻 Affected Systems

Products:
  • DenyAll i-Suite LTS
  • DenyAll i-Suite
  • DenyAll Web Application Firewall
Versions: i-Suite LTS 5.5.0 through 5.5.12, i-Suite 5.6, WAF 5.7, WAF 6.x before 6.4.1
Operating Systems: All platforms running affected DenyAll software
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both On Premises and AWS/Azure cloud deployments. The vulnerable endpoint is accessible by default.

📦 What is this software?

I Suite by Denyall

View all CVEs affecting I Suite →

I Suite by Denyall

View all CVEs affecting I Suite →

I Suite by Denyall

View all CVEs affecting I Suite →

I Suite by Denyall

View all CVEs affecting I Suite →

I Suite by Denyall

View all CVEs affecting I Suite →

I Suite by Denyall

View all CVEs affecting I Suite →

Web Application Firewall by Denyall

View all CVEs affecting Web Application Firewall →

Web Application Firewall by Denyall

View all CVEs affecting Web Application Firewall →

Web Application Firewall by Denyall

View all CVEs affecting Web Application Firewall →

Web Application Firewall by Denyall

View all CVEs affecting Web Application Firewall →

Web Application Firewall by Denyall

View all CVEs affecting Web Application Firewall →

Web Application Firewall by Denyall

View all CVEs affecting Web Application Firewall →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via remote code execution, allowing attackers to take full control of the WAF and potentially pivot to internal networks.

🟠

Likely Case

Authentication token theft leading to unauthorized access to the WAF management interface and potential configuration changes.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent external access to vulnerable endpoints.

🌐 Internet-Facing: HIGH - The vulnerability is exploitable without authentication and affects web-facing security devices.
🏢 Internal Only: MEDIUM - While still serious, internal-only deployments have reduced attack surface from external threats.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Metasploit module available. Exploitation requires only a single HTTP request to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.4.1 or later

Vendor Advisory: https://www.denyall.com/blog/advisories/advisory-unauthenticated-remote-code-execution-denyall-web-application-firewall/

Restart Required: Yes

Instructions:

1. Download DenyAll WAF version 6.4.1 or later from vendor portal. 2. Backup current configuration. 3. Apply the update following vendor documentation. 4. Restart the WAF service. 5. Verify the fix by checking version and testing the vulnerable endpoint.

🔧 Temporary Workarounds

Block vulnerable endpoint

all

Add WAF rule to block access to /webservices/download/index.php with typeOf=debug parameter

Add custom rule: DENY if PATH contains '/webservices/download/index.php' AND PARAM 'typeOf' equals 'debug'

Restrict access to management interface

all

Limit access to WAF management interface to trusted IP addresses only

Configure network ACLs to restrict access to WAF management IP/ports to authorized administrative networks

🧯 If You Can't Patch

  • Immediately implement network segmentation to isolate the WAF from critical internal systems
  • Enable detailed logging and monitoring for any access attempts to the vulnerable endpoint

🔍 How to Verify

Check if Vulnerable:

Send HTTP GET request to https://[WAF_IP]/webservices/download/index.php?typeOf=debug and check if response contains iToken field

Check Version:

Check WAF management interface or run: denyall-cli version

Verify Fix Applied:

After patching, repeat the vulnerable check - should return error or no iToken field

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /webservices/download/index.php with typeOf=debug parameter
  • Unusual authentication attempts following token extraction

Network Indicators:

  • HTTP GET requests with typeOf=debug parameter to WAF management interface
  • Subsequent connections using extracted authentication tokens

SIEM Query:

source="denyall_waf" AND (url="/webservices/download/index.php" AND params="typeOf=debug")

📊 Metadata

CVE ID: CVE-2017-14706
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-287
Published: September 22, 2017
Last Updated: April 20, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2017-14706, you might also want to check these:

CVE-2024-27767 10.0

CVE-2024-27767 is an authentication bypass vulnerability that allows attackers to gain unauthorized ...

Same vulnerability type (CWE-287)
CVE-2026-24898 10.0

OpenEMR versions before 8.0.0 contain an unauthenticated token disclosure vulnerability in the MedEx...

Same vulnerability type (CWE-287)
CVE-2019-1867 10.0

This vulnerability allows unauthenticated remote attackers to bypass authentication on Cisco Elastic...

Same vulnerability type (CWE-287)