10/5/2012
04:29 PM

Tech Insight: The Most Common Vulnerabilities Found By Penetration Tests

Professional pen testers share which holes they find the most in clients' networks

Headlines of hacked networks and successful attack campaigns, such as the recent Anonymous attack against the top 100 universities, regularly leave organizations wondering how the bad guys got in and why it seems so easy. What common mistakes are being made in these different organizations that are being attacked? What are some of the top vulnerabilities that are being exploited to get in?

We asked a variety of penetration testers -- some working in university and business environments, and others who are full-time security consultants performing penetration tests every week for clients of all types -- which main flaws they are typically able to exploit.

Nearly every pen tester we talked to had a similar list of vulnerabilities. At the top of every list was SQL injection, cross-site scripting (XSS), or insecure websites in general. Surprising? Not really. Often, the entry method of choice we hear about from Anonymous' exploits is SQL injection. Once the Web server and underlying database server have been compromised, it's relatively easy to exploit those servers' trust relationships and stored passwords to hop to other juicy targets.

Christian von Kleist, senior security analyst at Include Security, said that Web servers are typically what he notices first during an external pen test. "Many of my pen-testing engagements have been successful only because I was able to exploit insecure Web applications on networks that were otherwise very secure," he says.

When von Kleist was asked why he thought Web applications are often full of vulnerabilities, he said it's the disconnect between those creating the software and those left to secure the network. "They work in isolation, with security having little involvement until it's too late and the [vulnerable] end result has already been deployed into production."

What else made the list? Exposed administration and management interfaces for application servers, network devices, and content management systems came up often, followed by information leaked by devices such as printers and videoconferencing systems; outdated and/or unsupported software, often with insecure default settings; and exposed Web services.

"We often find that administrative or management interfaces are available to an external attacker," says Kevin Johnson, senior security consultant at Secure Ideas. Some of the examples mentioned include Web-based management interfaces for JBoss, Tomcat, and ColdFusion, and administration services like SSH and SNMP.

Johnson stated that software packages that include ColdFusion or JBoss servers are often installed without anyone realizing that those servers ship with admin consoles. "These admin consoles regularly have default credentials or vulnerabilities," Christian said.

In addition to accidentally exposed management interfaces, pen testers are leveraging information leakage from Internet-facing network devices. Some of these exposures include printers and videoconferencing systems. With default credentials or no password set on the printers and videoconferencing systems, attackers can steal usernames, passwords, and internal IP addresses, and even launch attacks against internal systems.

Last year, HD Moore, CSO at Rapid7, demonstrated how videoconferencing systems could be easily identified through network scanning and then used to bug conference rooms. He found 5,000 systems sitting on the Internet waiting to automatically accept calls. On some of them, he was able to "listen into nearby conversations and record video of the surrounding environment -- even read e-mail from a laptop screen and passwords off of a sticky note that was 20 feet away," he said.

Secure Ideas' Johnson said that one of the worst things his team sees is the exposure of Web services or business endpoints.

"These services are often used by business partners or applications, such as mobile apps used by the marketing department," he said. "Since these endpoints are designed to be communicated with using client applications instead of directly by users, developers often feel that they require fewer controls since the application is 'trusted.'"

Why such a concern over exposed Web services? Johnson said the lack of security controls makes them a great entry point for a determined attacker. During their penetration tests, his team can directly show the business impact of an exploit once these services have been compromised.

The big question, of course, is how should enterprises address these issues so they don't become another statistic or feather in the cap of a pen tester? In almost every case, knowing what's on the network is critical. Security teams should be performing regular network scans to identify new systems and services as soon as they come online.

A common area where enterprises fail is knowing what's externally accessible. Capabilities need to be in place so that the organization can scan all externally facing IP addresses for new hosts and services in addition to regular vulnerability scans that would detect most of the vulnerabilities discussed. Beyond the regular scans, security needs to be more involved in the development, purchase, and deployment of Web applications -- but we all know that's much easier said than done.
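The inventory check described above, as an added example that is not from the article or any of the firms quoted: it diffs a current external port scan against an approved baseline and flags services that match the management-interface exposures the article lists (SSH, SNMP, Tomcat/JBoss and ColdFusion consoles). The scan text is constructed in nmap's grepable (-oG) output format and uses the 203.0.113.0/24 documentation address range; the default ports and console paths are the vendors' well-known defaults.

```python
"""Diff an external nmap scan against an approved exposure baseline and flag
management interfaces. Added example (not from the article); the scan text is
constructed in nmap's grepable (-oG) format, using the 203.0.113.0/24 documentation range."""
import re

# Exposure types the article names as common entry points. Ports are vendor
# defaults; path hints are well-known console locations for a reviewer to check.
MANAGEMENT_HINTS = {
    ("tcp", 22): "SSH administration service",
    ("udp", 161): "SNMP management service",
    ("tcp", 8080): "Tomcat/JBoss default HTTP port (check /manager/html, /jmx-console)",
    ("tcp", 8500): "ColdFusion built-in server (check /CFIDE/administrator)",
}
# nmap -oG port entry layout: port/state/proto/owner/service/rpcinfo/version/
_PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)/")

BASELINE_SCAN = """\
# Nmap (constructed sample: last approved external footprint)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (999)
Host: 203.0.113.20 ()\tPorts: 25/open/tcp//smtp///, 443/open/tcp//https///\tIgnored State: filtered (998)
"""
CURRENT_SCAN = """\
# Nmap (constructed sample: this week's external scan)
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: filtered (997)
Host: 203.0.113.20 ()\tPorts: 25/open/tcp//smtp///, 443/open/tcp//https///\tIgnored State: filtered (998)
Host: 203.0.113.30 ()\tPorts: 161/open/udp//snmp///, 443/open/tcp//https///\tIgnored State: filtered (998)
"""

def parse_grepable(text):
    """Return the set of open (host, port, proto, service) tuples in -oG output."""
    found = set()
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and host-status-only lines carry no ports
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for port, state, proto, name in _PORT_RE.findall(ports_field):
            if state == "open":
                found.add((host, int(port), proto, name))
    return found

def new_exposures(baseline, current):
    """Services reachable now that the approved baseline did not contain."""
    return sorted(current - baseline)

def flag_management(services):
    """Map each service matching a known admin/management exposure to its hint."""
    return {s: MANAGEMENT_HINTS[(s[2], s[1])] for s in services
            if (s[2], s[1]) in MANAGEMENT_HINTS}
```

Run `flag_management(new_exposures(parse_grepable(BASELINE_SCAN), parse_grepable(CURRENT_SCAN)))` to see the three newly exposed management services; the new HTTPS listener on 203.0.113.30 is reported as new but not flagged, so it still needs a human decision before it joins the baseline.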
