It’s a depressing fact that, sometimes, the very defences you put in place to protect your organisation can become the weakest point.
In a presentation at Black Hat Europe, Ben Williams, a pen-tester with NCC Group, showed that many security products have flaws that can be exploited by attackers. It’s actually the second such presentation he’s given. The first was at last year’s Black Hat Europe and focused on gateway devices. This time he turned his attention to products such as email appliances and web application firewalls.
As he pointed out, it’s tempting to think that security appliances are going to be heavily tested and ‘hardened’. In fact, he found that they typically consist of poorly configured Linux with out-of-date software and sloppy implementations. For example, one email gateway allowed you to SSH in, but only using a private key (not via username/password). Obtaining the key was easy. He was surprised to find that replacing the default username with ‘root’ allowed him to get a shell as … well, yes, as root. The root account used the same key.
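The root-shell finding above comes down to one public key being accepted by more than one account, root included. That is something an appliance owner can check for without vendor help. The script below is an added audit example, not code from the talk or from any vendor: it parses the `authorized_keys` contents of several accounts, fingerprints each key the way OpenSSH does (SHA256 of the decoded key blob, base64, no padding), and reports any key that authorises more than one account, rating it HIGH when root is among them. The account names, the key lines and the `make_ed25519_line` helper that fabricates syntactically valid (but not real) keys are all constructed sample data.

```python
import base64
import hashlib
import shlex
import struct
from collections import defaultdict

# Key types recognised in an authorized_keys line (option prefixes may precede them).
KEY_TYPES = (
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
)


def _ssh_string(data: bytes) -> bytes:
    # SSH wire format: 4-byte big-endian length followed by the bytes.
    return struct.pack(">I", len(data)) + data


def make_ed25519_line(seed: bytes, comment: str, options: str = "") -> str:
    """Build a syntactically valid authorized_keys line from arbitrary bytes.
    Used only to construct sample data; the 'public key' is not a real key."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(seed.ljust(32, b"\0")[:32])
    line = f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"
    return f"{options} {line}" if options else line


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(blob)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (fingerprint, key_type, comment) for each key line.
    Blank lines and '#' comments are skipped; option prefixes such as
    command="..." or from="..." are tolerated (shlex keeps quoted spaces together)."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        for i, tok in enumerate(tokens):
            if tok in KEY_TYPES and i + 1 < len(tokens):
                yield fingerprint(tokens[i + 1]), tok, " ".join(tokens[i + 2:])
                break


def find_shared_keys(files: dict) -> dict:
    """Map fingerprint -> sorted accounts that accept it, keeping only keys
    that authorise more than one account."""
    owners = defaultdict(set)
    for account, text in files.items():
        for fp, _, _ in parse_authorized_keys(text):
            owners[fp].add(account)
    return {fp: sorted(accts) for fp, accts in owners.items() if len(accts) > 1}


def report(files: dict) -> list:
    """Return (severity, fingerprint, accounts) findings, HIGH when root is involved."""
    findings = []
    for fp, accounts in find_shared_keys(files).items():
        severity = "HIGH" if "root" in accounts else "MEDIUM"
        findings.append((severity, fp, accounts))
    return sorted(findings)


# Constructed sample: authorized_keys contents for three accounts on a hypothetical
# appliance. 'admin' and 'root' accept the same key, mirroring the finding in the text.
SAMPLE_FILES = {
    "admin": make_ed25519_line(b"constructed-support-key", "vendor-support"),
    "root": "# appliance root login\n"
            + make_ed25519_line(b"constructed-support-key", "vendor-support"),
    "backup": make_ed25519_line(b"constructed-backup-key", "backup@nas",
                                options='command="/usr/bin/rsync --server"'),
}

if __name__ == "__main__":
    for severity, fp, accounts in report(SAMPLE_FILES):
        print(f"{severity}: key {fp} accepted by {', '.join(accounts)}")
```

On a real system the `SAMPLE_FILES` dictionary would be replaced by reading each account's `authorized_keys` (plus any `AuthorizedKeysFile` paths set in `sshd_config`); the fingerprints printed match the `ssh-keygen -lf` output, so a flagged key can be located quickly. Keys that legitimately serve more than one account, such as a forced-command backup key, can be allow-listed by fingerprint.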
He discovered scores of exploits, which he’s responsibly reported to the vendors, most of whom (not all) have fixed the issues, albeit a little tardily at times. Some of the most common problems he found were: easy password attacks; XSS with session hijacking or password theft; non-hardened operating systems; and unauthorised information disclosure. The majority of devices also had Cross-Site Request Forgery (CSRF) vulnerabilities in the admin function; OS command injection flaws; and privilege escalation flaws.
And he found all this in his spare time. Much of the work he did was for his own curiosity. He explained that he was making no attempt to thoroughly audit the security of the appliances – he just went after potential vulnerabilities that piqued his interest. And although most of the issues he’s found have been fixed, many more may be lurking within the devices.
Most of these weaknesses will require a fairly high level of skill to exploit, but you wouldn’t necessarily need to be some kind of uber-hacker. Talking to Ben later, he told me that, when he gave his first Black Hat talk in 2012, he’d been a pen-tester for only six months (although he’d had nearly 15 years’ experience in IT). So these appliances would yield to someone mounting a focused and determined attack. In fact, they’d be trivial for your standard state-backed cyber-spy.
It’s a sorry state of affairs when your security appliances become the path by which a hacker gains control of your networks. Ben didn’t touch on solutions to this problem, but here’s a suggestion of my own.
How about an industry-standard certification for security products? This would be obtained not just by showing adherence to certain best practices when designing and implementing such products, but would also require auditing by independent analysts – a full pen-test of the product, in other words.
We demand pen-tests to show compliance in other areas – it doesn’t seem an unreasonable demand when it comes to the products that are supposed to be protecting us.