CVE-2024-56523
📋 TL;DR
This vulnerability allows remote attackers to bypass Radware Cloud WAF filters by sending HTTP GET requests with random data in the request body. Attackers can evade security controls to potentially access protected resources. Organizations using affected Radware Cloud WAF versions are impacted.
💻 Affected Systems
- Radware Cloud Web Application Firewall
📦 What is this software?
Cloud WAF by Radware
⚠️ Risk & Real-World Impact
Worst Case
Complete firewall bypass allowing attackers to directly attack backend applications, potentially leading to data breaches, unauthorized access, or service disruption.
Likely Case
Attackers evade specific WAF rules to exploit known vulnerabilities in protected web applications, leading to data exposure or system compromise.
If Mitigated
Limited impact with proper defense-in-depth controls, where backend applications have their own security measures and monitoring detects anomalous requests.
🎯 Exploit Status
Simple HTTP request manipulation required. No authentication needed as it targets the WAF itself.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025-05-07 or later
Vendor Advisory: https://radware.com/solutions/cloud-security/
Restart Required: No
Instructions:
1. Log into the Radware Cloud WAF management console.
2. Check the current version.
3. If it is before 2025-05-07, contact Radware support for the update.
4. Apply the update through the cloud management interface.
🔧 Temporary Workarounds
Block HTTP GET with body
Configure WAF rules to reject or block HTTP GET requests containing request bodies.
Configure custom WAF rule: IF request.method = GET AND request.body_exists = TRUE THEN block
Strict content-type validation
Enforce that GET requests must not carry Content-Type headers typically used with request bodies.
Configure rule: IF request.method = GET AND (content-type = application/x-www-form-urlencoded OR content-type = multipart/form-data OR content-type = application/json) THEN block
🧯 If You Can't Patch
- Implement additional network filtering to block HTTP GET requests with request bodies at load balancer or proxy level
- Enable enhanced logging and monitoring for GET requests with body content and implement alerting
🔍 How to Verify
Check if Vulnerable:
Send an HTTP GET request with random data in the body to a protected endpoint and check whether the WAF still blocks the malicious payloads it is expected to block.
Check Version:
Check version in Radware Cloud WAF management console under System Information
Verify Fix Applied:
After the update, repeat the same GET request with a body; the WAF should process or block it according to the configured rules.
📡 Detection & Monitoring
Log Indicators:
- HTTP GET requests with request body content
- WAF rule bypass events
- Unusual GET request patterns with body data
Network Indicators:
- HTTP GET requests with Content-Length > 0
- GET requests with body payloads
- Multiple GET requests with varying body content
SIEM Query:
http.method:GET AND http.request_body:* AND NOT (http.response_code:400 OR http.response_code:411)
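The two workaround rules and the SIEM query above are easy to get subtly wrong (a body with no Content-Type header slips past the content-type rule but not the Content-Length check), so here is an added example, not from the advisory or from Radware, that runs both checks over constructed JSON log lines. The field names (method, content_length, content_type, status) are assumptions about the log format, not Radware's schema.

```python
import json
from typing import Iterable, List

# Constructed sample log lines (one JSON object per line); not from any real deployment.
SAMPLE_LOGS = """\
{"ts":"2025-05-01T10:00:01Z","src":"198.51.100.7","method":"GET","path":"/login","content_length":0,"content_type":"","status":200}
{"ts":"2025-05-01T10:00:02Z","src":"198.51.100.7","method":"GET","path":"/login","content_length":512,"content_type":"application/x-www-form-urlencoded","status":200}
{"ts":"2025-05-01T10:00:03Z","src":"203.0.113.9","method":"POST","path":"/login","content_length":64,"content_type":"application/x-www-form-urlencoded","status":302}
{"ts":"2025-05-01T10:00:04Z","src":"198.51.100.7","method":"GET","path":"/admin","content_length":1024,"content_type":"application/json","status":400}
{"ts":"2025-05-01T10:00:05Z","src":"192.0.2.5","method":"GET","path":"/search?q=x","content_length":37,"content_type":"","status":200}
"""

# Content types named in the page's second workaround rule.
BODY_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "application/json"}


def get_with_body(entry: dict) -> bool:
    """Same logic as the SIEM query: GET, non-empty body, not already rejected with 400/411."""
    return (entry.get("method") == "GET"
            and int(entry.get("content_length", 0)) > 0
            and int(entry.get("status", 0)) not in (400, 411))


def matches_content_type_rule(entry: dict) -> bool:
    """Would the content-type workaround rule alone have blocked this request?"""
    # Strip parameters such as '; charset=utf-8' before comparing the media type.
    media_type = entry.get("content_type", "").split(";")[0].strip().lower()
    return entry.get("method") == "GET" and media_type in BODY_CONTENT_TYPES


def flag_suspicious(lines: Iterable[str]) -> List[dict]:
    """Return the log entries a SOC analyst should look at, annotated with
    whether the weaker content-type rule would have caught each one."""
    flagged = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        if get_with_body(entry):
            entry["caught_by_content_type_rule"] = matches_content_type_rule(entry)
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOGS.splitlines()):
        print(hit["src"], hit["path"], "content-type rule:", hit["caught_by_content_type_rule"])
```

The last sample line is the case that matters: a GET with a 37-byte body and no Content-Type header is flagged by the Content-Length check but would pass the content-type rule, which is why the page's first workaround (block any GET with a body) is the stronger one.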