bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

incorrectly reporting FAILED test for CKV_AWS_192 #2101

Closed daniel-intenthq closed 2 years ago

daniel-intenthq commented 2 years ago

Describe the bug

Checkov scan shows the code fails CKV_AWS_192 even though the AWS WAF managed rule AWSManagedRulesKnownBadInputsRuleSet was added.

To Reproduce

Steps to reproduce the behavior:

  1. Create test file waf.tf:

         resource "aws_wafv2_web_acl" "waf" {
           name        = "waf"
           description = "test checkov"
           scope       = "REGIONAL"

           rule {
             name     = "AWSManagedRulesKnownBadInputsRuleSet"
             priority = 200

             override_action {
               count {}
             }

             statement {
               managed_rule_group_statement {
                 name        = "AWSManagedRulesKnownBadInputsRuleSet"
                 vendor_name = "AWS"
               }
             }

             visibility_config {
               cloudwatch_metrics_enabled = false
               metric_name                = "AWSManagedRulesKnownBadInputsRuleSet"
               sampled_requests_enabled   = false
             }
           }

           visibility_config {
             cloudwatch_metrics_enabled = false
             metric_name                = "main-rule"
             sampled_requests_enabled   = false
           }
         }

  2. Run the CLI command `checkov -f waf.tf`
  3. See error:

         Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"

Expected behavior

Given that the WAF rule set now includes the AWS managed rule AWSManagedRulesKnownBadInputsRuleSet, it covers CVE-2021-44228, so a PASS should be the correct result.

References

Short document from AWS regarding CVE-2021-44228, explaining that the ruleset AWSManagedRulesKnownBadInputsRuleSet covers log4jshell: https://aws.amazon.com/security/security-bulletins/AWS-2021-005/

Checkov script that validates WAF rules: https://github.com/bridgecrewio/checkov/blob/8bda168af02d780e2b1290feb7f992ae0bf26296/checkov/cloudformation/checks/resource/aws/WAFACLCVE202144228.py (appears to look for this rule).

Not sure the last verification is correct: https://github.com/bridgecrewio/checkov/blob/8bda168af02d780e2b1290feb7f992ae0bf26296/checkov/cloudformation/checks/resource/aws/WAFACLCVE202144228.py#L47, as using the AWS ruleset is only possible with override_action, which can take a result of count or none. At the very least count should not fail.


gruebel commented 2 years ago

Hi @daniel-intenthq, thanks for creating the issue and trying to mitigate this critical vulnerability. Using count is actually not preferred, because this will result in the whole group defaulting to just count. You can read more here: https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-rule-group-override-options.html#web-acl-rule-group-override-options-rule-group

The first rule in the rule group that matches a web request and that has a terminating rule action causes AWS WAF to stop evaluating the rule group and return the terminating action result to the web ACL evaluation level. At this point, in the web ACL evaluation, this override takes effect. AWS WAF overrides the terminating action so that the result of the rule group evaluation is only a count action. AWS WAF then continues processing the rest of the rules in the web ACL.

So if you change your override_action config to

    override_action {
      none {}
    }

then you are all set 💪
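A reduced model of the pass/fail logic described in this exchange, added here as an example (it is not Checkov's own code). The web ACL is a constructed plain-dict rendering of the `aws_wafv2_web_acl` block from the report, not Checkov's parser output, and the real check may differ in details; it shows why `count {}` fails and `none {}` passes.

```python
"""Reduced model of CKV_AWS_192 as described in the thread (added example,
not Checkov's code). ACL dicts are a constructed simplification of the
parsed aws_wafv2_web_acl block, not Checkov's real parser output."""
import copy
from typing import Any, Dict, List

TARGET_RULE_GROUP = "AWSManagedRulesKnownBadInputsRuleSet"


def _rules(acl: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Normalise the `rule` attribute to a list (HCL allows one or many blocks)."""
    rules = acl.get("rule", [])
    return rules if isinstance(rules, list) else [rules]


def check_log4j_rule_group(acl: Dict[str, Any]) -> str:
    """PASSED if some rule applies AWS's KnownBadInputs managed rule group
    with override_action none {}; otherwise FAILED."""
    for rule in _rules(acl):
        stmt = rule.get("statement", {}).get("managed_rule_group_statement")
        if not stmt:
            continue
        if stmt.get("name") != TARGET_RULE_GROUP or stmt.get("vendor_name") != "AWS":
            continue
        # count {} turns every terminating action in the group into a count,
        # so nothing is blocked; only none {} keeps the group's block actions.
        if "none" in rule.get("override_action", {}):
            return "PASSED"
    return "FAILED"


# Constructed rendering of the waf.tf from the original report (count {}).
ISSUE_ACL = {
    "name": "waf",
    "scope": "REGIONAL",
    "rule": [{
        "name": TARGET_RULE_GROUP,
        "priority": 200,
        "override_action": {"count": {}},
        "statement": {"managed_rule_group_statement": {
            "name": TARGET_RULE_GROUP, "vendor_name": "AWS"}},
    }],
}


def with_override(acl: Dict[str, Any], action: str) -> Dict[str, Any]:
    """Copy of acl with every rule's override_action set to `action {}`."""
    fixed = copy.deepcopy(acl)
    for rule in _rules(fixed):
        rule["override_action"] = {action: {}}
    return fixed
```

Running `check_log4j_rule_group` on `ISSUE_ACL` gives FAILED, and on `with_override(ISSUE_ACL, "none")` gives PASSED, matching the outcome reported in the thread.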

daniel-intenthq commented 2 years ago

hi @gruebel thank you for the prompt explanation. I've adjusted as such and test passes but more importantly it makes sense. I've now used this in a larger acl with another complex rule and it's still valid so check appears to be working as expected.

Going to close the issue.

hajdukd commented 2 years ago

There must be some regression, because adding this:

  rule {
    name     = "AWS-AWSManagedRulesKnownBadInputsRuleSet"
    priority = 200
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesKnownBadInputsRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = var.web_acl_cloudwatch.metrics_enabled
      metric_name                = "${var.namespace}-${var.stage}-AWSManaged"
      sampled_requests_enabled   = var.web_acl_cloudwatch.sampled_requests_enabled
    }
  }

Does not resolve the warning:

    Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
        FAILED for resource: aws_wafv2_web_acl.web_acl
        File: /main.tf:105-167

ganeshthorave commented 1 year ago

Yes, similar issue, but mine is with Azure.

ganeshthorave commented 1 year ago

    Check: CKV_AZURE_122: "Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes"
        PASSED for resource: azurerm_web_application_firewall_policy.WAF
        File: \main.tf:1-56
        Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-application-gateway-uses-waf-in-detection-or-prevention-modes.html
    Check: CKV_AZURE_135: "Ensure Application Gateway WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
        FAILED for resource: azurerm_web_application_firewall_policy.WAF
        File: \main.tf:1-56
        Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-application-gateway-waf-prevents-message-lookup-in-log4j2.html
        Code lines for this resource are too many. Please use IDE of your choice to review the file.

Already enabled OWASP version 3.2.