Exploiting Security Devices? Oh, the Irony
Enterprises spend millions every year on security appliances intended to secure their networks. Yet many of those devices are themselves not secure.
Security devices are supposed to protect us, but what happens when they don't?
In a Black Hat webcast this week, Ben Williams, consultant with NCC Group, detailed his investigation into security devices. Williams found that many of the network security gateway devices he tested had security shortcomings that could potentially enable an attacker to perform all manner of malicious activities on a vulnerable network.
"The ironic thing about these vulnerabilities is that they are well known types of issues and misconfigurations," Williams said. "There is an implicit trust with security appliances and people think they have been hardened, but that's not always the case."
Williams said many security appliances are simply poorly configured and maintained Linux systems with insecure Web applications. He found vulnerabilities in four out of five security gateway products from major vendors including Sophos, Trend Micro, Citrix and Symantec. Those vulnerabilities have all since been responsibly disclosed to the relevant vendors.
Williams found a vulnerability in a Sophos email appliance that one of his customers used to check for spam messages. The specific vulnerability has since been patched by Sophos. Williams explained that he used the Burp Suite Professional Edition Web application suite to perform a brute force password attack and was able to gain access in less than 30 minutes.
In general, Williams noted that password attacks against security appliances can be mounted using simple techniques. If users don't change the default password, for example, it can easily be found by an attacker searching through the security appliance's documentation.
In the cases that Williams tested, there were also instances where account lock-outs or brute force protections had not been enabled on the devices. So he could hammer the appliances all day with passwords until one worked. Adding further insult to injury, Williams found the password on the pre-patched Sophos appliance only needed to be four characters and did not require any special characters.
Using Burp Suite Williams was able to easily find XSS and OS command injection vulnerabilities across multiple vendor devices. The simple fact that he found so many common vulnerabilities using a commercially available tool means that many products simply didn't go undergo thorough security testing, he said.
From a mitigation perspective, patching is at the top of Williams' list. Many vendors do patch their security appliances, so it's important for users to stay up to date.
"Unless people apply patches to these devices the issues won't go away," he said.
He also suggests that customers should demand more from their security appliance vendors in making sure the devices are secure.
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.
By Jeff Goldman
July 17, 2013
The research firm says the market will maintain a 25 percent CAGR from 2012 to 2017.