CRS 3.0 Blocking cf_clearence cookie from cloudflare · Issue #3985 · coreruleset/coreruleset · GitHub
CRS 3.0 Blocking cf_clearence cookie from cloudflare #3985

Closed
LaqueP opened this issue Jan 23, 2025 · 3 comments · Fixed by #3735
Labels: ➖ False Negative - Evasion; v4 unix rce (One of the many reports on FPs with the new unix rce rules in v4)

Comments

@LaqueP
LaqueP commented Jan 23, 2025

Description

We use the Cloudflare proxy; one of the default Cloudflare cookies is cf_clearance. The cookie sometimes uses the word gZip and ModSecurity rule 932260 blocks the users:

Log Analysis
Rule triggered: 932260

This rule belongs to the OWASP CRS (Core Rule Set) rule set and is designed to detect attempts to execute Unix commands via parameters or cookies.
A match was found in the REQUEST_COOKIES value, in particular within the cf_clearance cookie.
Matching data:

ModSecurity found "Matched Data: gZIp" within a longer cf_clearance cookie value.
The cf_clearance cookie is generated by Cloudflare to manage security challenges such as DDoS and bot protection. This suggests that the matching data is not malicious, but part of a legitimate identifier.
Message:

The message "Remote Command Execution: Direct Unix Command Execution" suggests that the match might be related to common Unix command patterns (such as gzip, sh, bash, etc.), but here it seems to have been triggered due to an identifier containing strings similar to these patterns.
Severity: "CRITICAL"

Although the rule flags it as critical, matches within automatically generated cookies (such as those from Cloudflare) are often false positives.
Conclusion: Is this a false positive?
Yes, it is very likely a false positive, since:

The match occurs within a legitimate cookie (cf_clearance), automatically generated by Cloudflare.
There is no evidence that the data contains malicious commands or attempts to execute anything on the server.
This type of false positive is common when OWASP CRS rules are set to high paranoia levels.


How to reproduce the misbehavior (-> curl call)

Logs

{
"transaction": {
"unique_id": "wO@5i3iTVbwxCY6m@DA1HQIC",
"time_stamp": "Wed Jan 22 11:01:33 2025",
"client_ip": "2001:818:db6c:c400:7548:4439:1b36:5ec8",
"client_port": 51066,
"host_ip": "82.223.9.93:443",
"host_port": 0,
"request": {
"method": "GET",
"http_version": "HTTP/1.1",
"uri": "/pt/carrinho?action=show",
"headers": {
"host": "%%%%",
"cf-ray": "905eb40e898a03fa-LIS",
"x-forwarded-for": "2001:818:db6c:c400:7548:4439:1b36:5ec8",
"accept": "text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8",
"sec-fetch-dest": "document",
"accept-encoding": "gzip, br",
"cf-ipcountry": "PT",
"x-forwarded-proto": "https",
"referer": "%%%%",
"user-agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 18_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/132.0.6834.78 Mobile/15E148 Safari/604.1",
"cf-visitor": "{"scheme":"https"}",
"accept-language": "pt-PT,pt;q=0.9",
"sec-fetch-mode": "navigate",
"cf-connecting-ip": "2001:818:db6c:c400:7548:4439:1b36:5ec8",
"priority": "u=0, i",
"sec-fetch-site": "cross-site",
"cdn-loop": "cloudflare; loops=1",
"cookie": "_ga=GA1.1.1534659716.1732878855; _ga_HZQ7LDT626=GS1.1.1737421008.73.0.1737421008.60.1.2109300929; _ga_KLEDLPJ1JM=GS1.1.1737421008.73.0.1737421008.60.0.0; _gcl_au=1.1.1054938630.1732878854.1894262729.1737421009.1737421008; cf_clearance=gZIpkI.MgVrk6YypHAhLQ2WlfpOXfUceXtrxuxKu154-1737421008-1.2.1.1-ZeiAaLmxs0Y2PD7CWtkoy5UMeY4qpnOmtHDlQgYaLyYhdH8Wgs6Kjo8tUCS_YmdxHkBVOnVG7M.9HCA5KUVUUaDwkbHDB8x6Y8OWHt6_Bet0tFtGfLCvfJlGdLY725awtA_cuNg3QJOoUT6bFgycFXvtRIqedl.9iCP9N6s1_G_Sfsy7XxyAVN.CoF5.o.PkFRAoqqd0M_RX9EB_0y91FsGNEYkPeuFIw32frHwoiceO.J_PDdFCsB1GHKtTsj_x39tj1TdvLEOfJBnJnbnn1073gbV811bbX127bdFWeok; PrestaShop-85b5473ccb53750cdc6085e3d5980778=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; __cmpcccx84673=aBQLc78HgBQAzADSAGwAcAKAABAAOABcADQAKAAYgA-ACCAIcAkYDiQIkgWBAswBaIEwQJvQUaAqWBVGAOsd9ZRSytXlJPMWe7egggA; __cmpconsentx84673=CQLbVYAQLbVYAAfKhCENBZFgAAAAAAAAAAigF5wAgEeALzAvOACAvMAA; PrestaShop-c8ce14239e43b834c60c5f0a993afef0=def5020063480b8063f9810bef3e6ec5ba1815d6cc12e91863b11e5273bcabadb852f2491206c3767c03bedb1bb3a560801b99d8d90d42f1424816cfe9ec63f6e477fec5a5c6fba156e4003a90ea48f527ef43081ff4e6a299986e1c80187c7d35841b60add290b06e07dfaffabeeb79852e13ac07ed148137a73e2cb1c8840cb1be0ca6d2652cbfaee2ca63e1a84b47effbfa1e4a825540ddff6f83649d7ccb096a1703fa8e0687c058b9c998ea435e032cd37194022a349c0921c3a3ab2107597476e9a114b782f046fb4e9476b2540e802b267eec56eae33717f9043b0198a2; PrestaShop-214e927193d7be86bf814c650ebf44a7=def5020009c70170669ceaa921d8caf43787a0594a2d0a4325b24c3b51e01623ed02e0b0d528c5b6bbba59deb1c3d1d4927f4e19552ea39c2605b85a4d2a04f1c2c2d4ad46ee866ccfe534f5483479e9e3946d38edf0b7e35a0bc6fc925999b697af055f4a4d28f6e97742811552ad1f0219bca01d7b7573c38c0c307ac2fbe8bac4234684cfd7a56218f0cb13d55545f60ced8451153af40dd4885b912942ab6d8c4718e6be4acd4b1f38252829860be6ca29687ea6f171e5c134d33187d89e71abac5a11b61d9cb0ff1cbcb92553f306d5d32d7785cfec5c; PHPSESSID=dmt21e6phpn31r481quvpbf4qv"
}
},
"response": {
"http_code": 406
},
"messages": [
{
"message": "Remote Command Execution: Direct Unix Command Execution",
"details": {
"match": "Matched Operator '@rx (?i)(?:^|b[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?u[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?s[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?y[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?b[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?o[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?x|c[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?o[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?m[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?m[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?a[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?n[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?d|e[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?(?:n[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?v|v[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?a[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?l)|[ls][\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?t[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?r[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?a[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?c[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?e|n[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?o[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?h[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?u[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?p|t[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?i[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?m[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\
-0-9\?@_a-\{])?\x5c?e(?:[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?o[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?u[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?t)?|w[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?a[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?t[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?c[\"'\)\[\x5c](?:(?:(?:\|\||&&)[\s\x0b])?\$[!#\(\\-0-9\?@_a-\{])?\x5c?h|[\n\r;=\{]|\|\|?|&&?|\$(?:\(\(?|[\[\{])|<(?:\(|<<)|>\(|\([\s\x0b]\))[\s\x0b](?:[\$\{]|(?:[\s\x0b]\(|!)[\s\x0b]|[0-9A-Z_a-z]+=(?:[^\\s\\x0b]|\$(?:.|.)|[<>].|'.'|\".\")[\s\x0b]+)[\s\x0b][\"'](?:[\"'-\+\--9\?A-\]_a-z\|]+/)?[\"'\x5c](?:a(?:ddgroup|nsible)|b(?:ase(?:32|64|nc)|lkid|sd(?:cat|iff|tar)|u(?:iltin|nzip2|sybox)|yobu|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:h(?:ef[\s\x0b&\)\-<>\|]|g(?:passwd|rp)|pass|sh)|lang\+\+|o(?:mm[\s\x0b&\)<>\|]|proc)|(?:ron|scli)[\s\x0b&\)<>\|])|d(?:iff[\s\x0b&\)<>\|]|mesg|oas)|e(?:2fsck|grep)|f(?:grep|iletest|tp(?:stats|who))|g(?:r(?:ep[\s\x0b&\)<>\|]|oupmod)|unzip|z(?:cat|exe|ip))|htop|l(?:ast(?:comm|log(?:in)?)|ess(?:echo|(?:fil|pip)e)|ftp(?:get)?|osetup|s(?:-F|b_release|cpu|mod|of|pci|usb)|wp-download|z(?:4c(?:at)?|c(?:at|mp)|diff|[ef]?grep|less|m(?:a(?:dec|info)?|ore)))|m(?:a(?:ilq|ster\.passwd)|k(?:fifo|nod|temp)|locate|ysql(?:admin|dump(?:slow)?|hotcopy|show))|n(?:c(?:\.(?:openbsd|traditional)|at)|et(?:(?:c|st)at|kit-ftp|plan)|ohup|ping|stat)|onintr|p(?:dksh|er(?:f[\s\x0b&\)<>\|]|l[\s\x0b&\)5<>\|])|(?:ft|gre)p|hp(?:-cgi|[57])|igz|k(?:exec|ill)|(?:op|se)d|rint(?:env|f[\s\x0b&\)<>\|])|tar(?:diff|grep)?|wd\.db|y(?:thon[23]|3?versions))|r(?:(?:bas|ealpat)h|m(?:dir[\s\x0b&\)<>\|]|user)|nano|sync)|s(?:diff|e(?:ndmail|t(?:env|sid))|ftp|(?:h\.distri|pwd\.d)b|ocat|td(?:err|in|out)|udo|ysctl)|t(?:ailf|c(?:p(?:ing|traceroute)|sh)|elnet|imeout[\s\x0b&\)<>\|]|raceroute6?)|u(?:n(?:ame|lz(?:4|ma)|(?:pig|x)z
|rar|zstd)|ser(?:(?:ad|mo)d|del))|vi(?:gr|pw|sudo)|w(?:get|hoami)|x(?:args|z(?:c(?:at|mp)|d(?:ec|iff)|[ef]?grep|less|more))|z(?:c(?:at|mp)|diff|[ef]?grep|ip(?:c(?:loak|mp)|details|grep|info|(?:merg|not)e|split|tool)|less|more|run|std(?:(?:ca|m)t|grep|less)?))' against variable 'REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*'",
"ruleId": 932260,
"file": "/etc/modsecurity.d/REQUEST-932-APPLICATION-ATTACK-RCE.conf",
"lineNumber": 538,
"data": "gZIpkI.MgVrk6YypHAhLQ2WlfpOXfUceXtrxuxKu154-1737421008-1.2.1.1-ZeiAaLmxs0Y2PD7CWtkoy5UMeY4qpnOmtHDlQgYaLyYhdH8Wgs6Kjo8tUCS_YmdxHkBVOnVG7M.9HCA5KUVUUaDwkbHDB8x6Y8OWHt6_Bet0tFtGfLCvfJlGdLY725awtA_cuNg3QJOoUT6bFgycFXvtRIqedl.9iCP9N6s1_G_Sfsy7XxyAVN.CoF5.o.PkFRAoqqd0M_RX9EB_0y91FsGNEYkPeuFIw32frHwoiceO.J_PDdFCsB1GHKtTsj_x39tj1TdvLEOfJBnJnbnn1073gbV811bbX127bdFWeok",
"msg": "Remote Command Execution: Direct Unix Command Execution",
"logdata": "Matched Data: gZIp found within gZIpkI.MgVrk6YypHAhLQ2WlfpOXfUceXtrxuxKu154-1737421008-1.2.1.1-ZeiAaLmxs0Y2PD7CWtkoy5UMeY4qpnOmtHDlQgYaLyYhdH8Wgs6Kjo8tUCS_YmdxHkBVOnVG7M.9HCA5KUVUUaDwkbHDB8x6Y8OWHt6_Bet0tFtGfLCvfJlGdLY725awtA_cuNg3QJOoUT6bFgycFXvtRIqedl.9iCP9N6s1_G_Sfsy7XxyAVN.CoF5.o.PkFRAoqqd0M_RX9EB_0y91FsGNEYkPeuFIw32frHwoiceO.J_PDdFCsB1GHKtTsj_x39tj1TdvLEOfJBnJnbnn1073gbV811bbX127bdFWeok: gZIpkI.MgVrk6YypHAhLQ2WlfpOXfUceXtrxuxKu154-1737421008-1.2.1.1-ZeiAaLmxs0Y2PD7CWtkoy5UMeY4qpnOmtHDlQgYaLyYhdH8Wgs6Kj...",
"severity": "CRITICAL",
"tags": [
"application-multi",
"language-shell",
"platform-unix",
"attack-rce",
"paranoia-level/1",
"OWASP_CRS",
"capec/1000/152/248/88",
"PCI/6.5.2"
]
}
}
]
}
}

Your Environment

  • CRS version (e.g., v3.0.13):
  • Paranoia level setting (e.g. PL1) :
  • ModSecurity version (e.g., 2.9.7):
  • Web Server and version or cloud provider / CDN (Litespeed 6.3 / Cloudflare):
  • Operating System and version: Almalinux 9

@theseion
Contributor

Thanks for the report @LaqueP. From your description it is not clear to me whether you host CRS yourself or whether you use a managed service that hosts CRS for you. If you host it yourself, you will probably want to create a rule exclusion. I would simply ignore the Cloudflare cookie. The following is an example, which you will need to adapt to your situation:

SecRule &REQUEST_COOKIES_NAMES:cf_clearance "@gt 0" \
    "id:1000000,\
    ctl:ruleRemoveTargetById=932260;REQUEST_COOKIES:cf_clearance"

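To make the exclusion above repeatable when more than one cookie trips the rule, here is an added Python helper; it is not code from CRS, ModSecurity or the participants in this issue. It reads a ModSecurity JSON audit-log transaction shaped like the one posted above, works out which cookie carried the matched data (the audit entry names the target collection, not the cookie), and renders a candidate exclusion in the same ctl:ruleRemoveTargetById form. The embedded audit-log excerpt is constructed and shortened from the report; the rule id 1000000 follows the example above, and the phase:1, pass and nolog actions are the ones the CRS exclusion documentation uses.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed excerpt of a ModSecurity JSON audit-log transaction, shaped like
# the one in the report (rule 932260 matching "gZIp" at the start of cf_clearance).
# Cookie values are shortened placeholders, not the real session data.
SAMPLE_AUDIT_LOG = json.dumps({
    "transaction": {
        "request": {
            "headers": {
                "cookie": ("_ga=GA1.1.1534659716.1732878855; "
                           "cf_clearance=gZIpkI.MgVrk6YypHAhLQ2WlfpOXfUceXtrxuxKu154-1737421008-1.2.1.1-EXAMPLE; "
                           "PHPSESSID=EXAMPLESESSIONID")
            }
        },
        "messages": [{
            "details": {
                "match": ("Matched Operator '@rx (?i)...' against variable "
                          "'REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/*'"),
                "ruleId": 932260,
                "data": "gZIpkI.MgVrk6YypHAhLQ2WlfpOXfUceXtrxuxKu154-1737421008-1.2.1.1-EXAMPLE",
                "logdata": "Matched Data: gZIp found within gZIpkI.MgVr...",
            }
        }],
    }
})

COOKIE_TARGETS = {"REQUEST_COOKIES", "REQUEST_COOKIES_NAMES"}


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a Cookie request header into {name: value}; values may contain '='."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value
    return cookies


def matched_data(details: dict) -> str:
    """Pull the short matched fragment (e.g. "gZIp") out of the logdata text."""
    m = re.search(r"Matched Data: (.*?) found within", details.get("logdata", ""))
    return m.group(1) if m else ""


def targeted_collections(details: dict) -> set:
    """Collection names the rule ran against, taken from the 'match' text."""
    m = re.search(r"against variable '([^']*)'", details.get("match", ""))
    if not m:
        return set()
    return {v.lstrip("!").split(":", 1)[0] for v in m.group(1).split("|")}


def cookie_carrying(cookies: Dict[str, str], data: str) -> Optional[str]:
    """Name of the cookie whose value the audit log's 'data' field came from."""
    for name, value in cookies.items():
        if value == data:
            return name
    for name, value in cookies.items():
        if data and data in value:
            return name
    return None


def render_exclusion(rule_id: int, cookie: str, exclusion_id: int) -> str:
    """Runtime exclusion as suggested in the issue: the rule keeps running,
    it just no longer inspects this one cookie's value."""
    return (
        f'SecRule &REQUEST_COOKIES_NAMES:{cookie} "@gt 0" \\\n'
        f'    "id:{exclusion_id},\\\n'
        f'    phase:1,\\\n'
        f'    pass,\\\n'
        f'    nolog,\\\n'
        f'    ctl:ruleRemoveTargetById={rule_id};REQUEST_COOKIES:{cookie}"'
    )


def propose_exclusions(audit_json: str, start_id: int = 1000000) -> List[dict]:
    """One proposal per (rule, cookie) pair found in the transaction's messages."""
    tx = json.loads(audit_json)["transaction"]
    headers = tx.get("request", {}).get("headers", {})
    cookies = parse_cookie_header(headers.get("cookie") or headers.get("Cookie", ""))
    proposals: List[dict] = []
    seen = set()
    for msg in tx.get("messages", []):
        details = msg.get("details", {})
        if not targeted_collections(details) & COOKIE_TARGETS:
            continue  # hit was in ARGS/XML, not a cookie
        cookie = cookie_carrying(cookies, details.get("data", ""))
        if cookie is None:
            continue
        rule_id = int(details["ruleId"])
        if (rule_id, cookie) in seen:
            continue
        seen.add((rule_id, cookie))
        proposals.append({
            "rule_id": rule_id,
            "cookie": cookie,
            "matched": matched_data(details),
            "rule": render_exclusion(rule_id, cookie, start_id + len(proposals)),
        })
    return proposals


if __name__ == "__main__":
    for p in propose_exclusions(SAMPLE_AUDIT_LOG):
        print(f"# rule {p['rule_id']} matched {p['matched']!r} in cookie {p['cookie']}")
        print(p["rule"])
```

The generated rule has to be evaluated before rule 932260 runs, so it belongs in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf (or an equivalent file loaded ahead of the CRS rules); a ctl action in a rule that runs later has no effect on a rule that has already fired. Note what the exclusion does and does not change: 932260 still inspects every other cookie, all arguments and XML, only the cf_clearance value is taken out of its scope, which is why this is preferable to disabling the rule.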
@LaqueP
Author
LaqueP commented Jan 24, 2025

Thanks for your reply. Yes, we made an exclusion for that cookie, but maybe it can be included in a future release, because Cloudflare is one of the most used proxies and this cookie is installed by default.

@EsadCetiner
Member

@LaqueP This is a known issue with the new UNIX rules in CRS 4, they do poorly on session cookies, base64 data, uuids and similar. For now you'll have to create a rule exclusion until #3735 is merged.
