How to remediate – WaveMaker Studio Detection

1. Introduction

WaveMaker Studio Detection indicates a web development application is hosted on your server. WaveMaker Studio is used for building web applications and presents a potential attack surface if not properly secured. Successful exploitation could lead to information disclosure, modification of the application, or denial of service. This affects systems running WaveMaker Studio as part of their development process.

2. Technical Explanation

• Root cause: The presence of the WaveMaker Studio development environment on a publicly accessible server.
• Exploit mechanism: An attacker could access the studio interface, potentially modifying applications or gaining access to sensitive data used within them.
• Scope: Systems running WaveMaker Studio, particularly those with public internet connectivity.

3. Detection and Assessment

Confirming a system is vulnerable involves identifying if WaveMaker Studio is installed and accessible. A quick check can be done via the web browser, and thorough assessment requires examining application files.

• Quick checks: Access the server’s web interface in a browser. If WaveMaker Studio is present, you will see its login page or default welcome screen.
• Scanning: Nessus plugin ID 168249 may detect WaveMaker instances. This is an example only and results should be verified.
• Logs and evidence: Web server logs may show requests to the WaveMaker Studio application directory (e.g., /wavemaker/).

curl -I http://yourserver/wavemaker/

4. Solution / Remediation Steps

The primary solution is to restrict access to WaveMaker Studio or remove it if not required. These steps aim to reduce the attack surface.

4.1 Preparation

• Ensure you have access to restore from the snapshot if needed. A roll back plan involves restoring the previous snapshot.
• Changes should be made during a scheduled maintenance window with appropriate approval.

4.2 Implementation

1. Step 1: Restrict network access to WaveMaker Studio using firewall rules, allowing only trusted IP addresses or networks.
2. Step 2: If WaveMaker Studio is not required, uninstall the application from the server.

4.3 Config or Code Example

Before

# Firewall rule allowing access from any source
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT

After

# Firewall rule restricting access to trusted IP address only
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP

4.4 Security Practices Relevant to This Vulnerability

List only practices that directly address this vulnerability type. Use neutral wording and examples instead of fixed advice. For example: least privilege, input validation, safe defaults, secure headers, patch cadence. If a practice does not apply, do not include it.

• Practice 1: Least privilege – restrict access to the WaveMaker Studio interface to only those who need it.
• Practice 2: Network segmentation – isolate the server hosting WaveMaker Studio from other critical systems.

4.5 Automation (Optional)

# Example Ansible playbook to restrict access via firewall
---
- hosts: webservers
  tasks:
    - name: Restrict WaveMaker Studio access
      iptables:
        chain: INPUT
        protocol: tcp
        destination_port: 8080
        jump: ACCEPT
        source: 192.168.1.0/24 # Replace with your trusted network
    - name: Drop all other access to WaveMaker Studio
      iptables:
        chain: INPUT
        protocol: tcp
        destination_port: 8080
        jump: DROP

5. Verification / Validation

Confirm the fix by checking firewall rules and attempting access from an untrusted source. A service smoke test should verify application functionality for authorised users.

• Post-fix check: `iptables -L INPUT` should show a rule restricting access to WaveMaker Studio’s port (e.g., 8080) to the allowed IP range.
• Re-test: Attempt to access WaveMaker Studio from an untrusted IP address; it should be blocked.
• Smoke test: Verify that authorised users can still log in and use the WaveMaker Studio interface as expected.
• Monitoring: Monitor web server logs for failed connection attempts to WaveMaker Studio’s port from unexpected sources.

iptables -L INPUT | grep 8080

6. Preventive Measures and Monitoring

Suggest only measures that are relevant to the vulnerability type. Use “for example” to keep advice conditional, not prescriptive.

• Baselines: Update security baselines to include restrictions on access to development environments like WaveMaker Studio.
• Pipelines: Integrate static code analysis (SAST) into your CI/CD pipeline to identify vulnerabilities in applications built with WaveMaker Studio.
• Asset and patch process: Regularly review the list of installed software, including development tools, and ensure they are up-to-date or removed if not needed.

7. Risks, Side Effects, and Roll Back

• Risk or side effect 1: Restricting access may block legitimate users; ensure correct IP addresses are allowed.
• Risk or side effect 2: Removing WaveMaker Studio will impact developers who rely on it.
• Roll back: Step 1: Remove the firewall rules added in step 1 of Implementation. Step 2: If uninstalled, restore WaveMaker Studio from the snapshot taken in Preparation.

8. References and Resources

• Vendor advisory or bulletin: http://www.wavemaker.com/product/