1. Introduction
WaveMaker Studio requires no authentication, meaning anyone can access and change web applications hosted on it. This is a serious issue because attackers could create malicious projects or modify existing ones without permission. Systems running WaveMaker Studio versions that do not enforce authentication are affected. A successful exploit could compromise the confidentiality, integrity, and availability of data within those applications.
2. Technical Explanation
The version of WaveMaker Studio detected does not require a username or password to access its interface. This allows an unauthenticated attacker to create, modify, and deploy projects hosted on the server. An attacker could upload malicious code, steal sensitive data, or disrupt service. No specific CVE is currently associated with this vulnerability.
- Exploit mechanism: an attacker connects directly to the WaveMaker Studio web interface and begins creating or modifying projects. For example, they could upload a script that steals database credentials.
- Scope: Affected versions of WaveMaker Studio are those where authentication is not enabled by default or has been incorrectly configured.
3. Detection and Assessment
Confirming whether your system is vulnerable involves checking the version of WaveMaker Studio and verifying if authentication is required to access project management features.
- Quick checks: Access the WaveMaker Studio interface in a web browser without logging in. If you can create or modify projects, it’s likely vulnerable.
- Scanning: a vulnerability scanner check such as Nessus plugin ID 16782 may flag this issue (cited here as an example only).
- Logs and evidence: Check application logs for any access attempts that do not require authentication. Specific log file locations vary depending on the WaveMaker Studio configuration.
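The browser and curl checks in this section, and the post-fix re-test in section 5, can be scripted. The following is an added example, not code from the original page or from WaveMaker; it assumes the studio is reachable at the placeholder STUDIO_URL and that an unprotected instance serves its interface with HTTP 200.

```python
# Added example (not from the original page): probe whether a WaveMaker
# Studio instance enforces authentication on its web interface.
import urllib.error
import urllib.request

STUDIO_URL = "http://your-wavemaker-studio-url/"  # placeholder from the page
LOGIN_HINTS = ("login", "signin", "sign-in", "auth")


def classify(status, headers, body=""):
    """Classify one HTTP response (status code, header mapping, body text).

    'protected': credentials demanded or client sent to a login page.
    'exposed':   the interface is served directly without a login.
    'unknown':   anything else, e.g. server errors or unrelated redirects."""
    h = {k.lower(): v for k, v in headers.items()}
    if status in (401, 403):
        return "protected"
    if status in (301, 302, 303, 307, 308):
        target = h.get("location", "").lower()
        return "protected" if any(x in target for x in LOGIN_HINTS) else "unknown"
    if status == 200:
        lower = body.lower()
        # A 200 that renders a login form still counts as protected
        if "<form" in lower and any(x in lower for x in LOGIN_HINTS):
            return "protected"
        return "exposed"
    return "unknown"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx to the caller instead of following it


def probe(url=STUDIO_URL, timeout=10):
    """Fetch url without following redirects and classify the answer."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read(4096).decode("utf-8", "replace")
            return classify(resp.status, dict(resp.headers), body)
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx land here
        return classify(e.code, dict(e.headers), "")
    except (urllib.error.URLError, OSError):
        return "unknown"
```

Run `probe()` against your own instance before and after the fix; the expected verdict changes from "exposed" to "protected".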
curl -I http://your-wavemaker-studio-url/ # Check whether a redirect to a login page occurs. If there is no redirect, the instance is likely vulnerable.

4. Solution / Remediation Steps
The following steps outline how to configure WaveMaker Studio to require authentication.
4.1 Preparation
- Ensure you have administrator access to the WaveMaker Studio configuration and take a backup of the current configuration file before changing it. The rollback plan is to restore that backup.
- A change window is recommended for this task. Approval should come from the application owner or security team.
4.2 Implementation
- Step 1: Open the WaveMaker Studio configuration file (typically a properties file).
- Step 2: Locate the authentication settings.
- Step 3: Enable authentication by setting the appropriate property to ‘true’.
- Step 4: Configure an authentication provider such as LDAP or database-based authentication.
- Step 5: Restart the WaveMaker Studio service.
4.3 Config or Code Example
Before
# authentication.enabled=false

After
authentication.enabled=true

4.4 Security Practices Relevant to This Vulnerability
- Practice 1: Least privilege – limit access to WaveMaker Studio configuration files to authorized personnel.
- Practice 2: Secure defaults – ensure new installations require strong authentication by default.
4.5 Automation (Optional)
# Example Ansible task to modify the properties file
- name: Enable WaveMaker Studio authentication
  ansible.builtin.lineinfile:
    path: /opt/wavemaker/config.properties
    # Matches the property whether it is commented out or set to false
    regexp: '^#?\s*authentication\.enabled='
    line: 'authentication.enabled=true'
  notify: Restart WaveMaker Studio

# Handler in the same play that restarts the service (service name is an assumption; adjust to your installation)
handlers:
  - name: Restart WaveMaker Studio
    ansible.builtin.service:
      name: wavemaker-studio
      state: restarted

5. Verification / Validation
- Post-fix check: Access the WaveMaker Studio interface in a web browser. You should be redirected to a login page.
- Re-test: Attempt to create or modify projects without logging in. The action should be blocked, and you should be prompted for credentials.
- Smoke test: Log in with valid credentials and verify that you can access and manage your projects as expected.
- Monitoring: Check application logs for failed login attempts. A high number of failures could indicate a brute-force attack.
curl -I http://your-wavemaker-studio-url/ # Should now redirect to the login page.

6. Preventive Measures and Monitoring
- Baselines: Update your security baseline to include a requirement for strong authentication in WaveMaker Studio configurations.
- Asset and patch process: Review WaveMaker Studio configurations regularly as part of your asset management process.
7. Risks, Side Effects, and Roll Back
- Risk or side effect 1: Incorrect authentication configuration could lock out users. Ensure you have a recovery mechanism in place.
- Risk or side effect 2: Changes to authentication providers may require updates to user directories or databases.
8. References and Resources
- Vendor advisory or bulletin: http://dev.wavemaker.com/forums/?q=node/2304
- NVD or CVE entry: No current NVD entry exists for this specific issue.
- Product or platform documentation relevant to the fix: http://dev.wavemaker.com/forums/?q=node/8418