Perimeter
2/5/2010
12:21 PM
50%
50%

New Flaws Pry Lid Off Cloud Frameworks

A new set of vulnerabilities came to light this week at Black Hat DC, and its appearance provides a good look at our bleak "next-gen" security future.

A new set of vulnerabilities came to light this week at Black Hat DC, and its appearance provides a good look at our bleak "next-gen" security future.Not that it's actually likely to cause much of a stir. These vulnerabilities, which were discovered by Trustwave's SpiderLabs, are the sort of thing I think could well be overlooked because the realm in which they occur is terra incognita for most security professionals. Unless you have a pretty solid programming background, this stuff is pretty hazy: The flaws are found in a development framework you've never heard of using tools that do things you didn't realize needed doing.

That's not to say that a nonprogrammer, particularly one who has seen a lot of software hacks come and go, can't get a pretty good handle on what's up with these glitches. They involve Web applications that store data reflecting the current state of a user's session from page to page, and makeg this data available to code running on the client side as variables within the code.

The problem is that an adversary who places himself midstream -- redirecting communications between client code and server back end -- can see this data. Since the data can be sensitive, including things like account numbers and passwords, this is, of course, a problem and not the world's most obvious sort of problem, either.

As the article I pointed to above has it: "This is a fairly complicated vulnerability," says David Byrne, senior security consultant with Trustwave's SpiderLabs. "View state is something most people have heard of, but they aren't familiar with its inner workings."

Byrne and I will have to agree to disagree on whether most people have heard of view state. In any case, the generic nature of the flaw is readily understood. But that's only part of the problem. What's really going on here is that we're working with implementations of a standard called Java Server Faces. It's a framework that aims to separate the user interface on the front end from the client logic underneath the user interface, as well as the server back end. It's a three-way split of sorts that's very popular among software architects.

If you're developing code, then this is the way to go because splitting things up this way means different teams can use different tools, work for different companies, and so on. It means you can replace one piece of the triad without breaking the other two (at least in theory).

Indeed, this is how you get the next generation of cloud computing because the more independent the client side piece gets, the more readily you can hook it to an API connecting it to services that are "out there," provisioned on-the-fly to match demand, and so on. This, of course, provides you with a ready-made attack face. This is precisely the sort of attack that Trustwave is bringing to our attention.

I'd hasten to say that the clear delineation this three-way model provides is also a terrific opportunity to get a good handle on security. For one thing, you can encrypt the transactions between client and cloud (and that's all you have to do, as a developer, to make the Trustwave vulnerability go away -- it's a default configuration issue). And you can demand proper authentication among entities. Potentially this sort of application can be built more securely than the standard Web application we see today.

It's just that right now few in the mainstream security community is addressing these issues. Time to bulk up on the Web 2.0 development know-how.

Robert Richardson is director of the Computer Security Institute. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.