Dark Reading, Security Monitoring

12/1/2013 11:20 AM
5 Protocols That Should Be Closely Watched

Attackers frequently scan for open SSH, FTP, and RDP ports, but companies need to watch out for attacks against less common protocols as well

For decades, opportunistic attackers have scanned the Internet for open ports through which they can compromise vulnerable applications.

Such scanning has only gotten easier: The Shodan search engine regularly scans the Internet and stores the results for anyone to search; researchers from the University of Michigan have refined techniques that allow fast, comprehensive scans of a single port across the entire Internet; and programs such as Nmap allow anyone to scan for open, and potentially vulnerable, ports.

While the most commonly attacked ports are those used by Secure Shell (SSH), the file transfer protocol (FTP), the remote desktop protocol (RDP), and Web servers (HTTP), companies need to monitor network activity aimed at less common protocols and ports, say security experts. Attackers will likely increasingly look for vulnerabilities in less common ports, says HD Moore, chief research officer for vulnerability-management firm Rapid7, which has made a name for itself scanning the Internet for just those ports.

"This stuff is not in the top bucket, in terms of priority, but it tends to bite people because they are not keeping an eye on it," he says.

Companies should not just monitor for malicious activity using these protocols, but proactively take an inventory of the applications inside their own networks and connected to the Internet that expose firms to potential opportunistic attacks, says Johannes Ullrich, dean of research for the SANS Technology Institute. The SANS Institute's DShield project collects data from contributors to analyze the ports in which attackers are most interested.

"Companies need not just detect the attacks coming in, but to inventory all the devices that they have in their network looking at traffic on these ports," he says. "It sort of comes down to inventory control on the network."

For companies looking for a place to start, Ullrich and Moore suggest five protocols where companies can check for weaknesses.

Intelligent Platform Management Interface (IPMI)
Over the past year, security researcher Dan Farmer has investigated weaknesses in the Intelligent Platform Management Interface (IPMI) protocol. Many companies use servers that can be monitored and managed through a baseboard management controller, an embedded device that communicates using IPMI. Farmer found that the IPMI standard and various implementations have a number of security flaws.


Rapid7 investigated SuperMicro's specific implementation, finding that the company's baseboard management controller used default passwords and was vulnerable to a number of universal plug-and-play issues.

"IPMI is used a lot by businesses, and they don't really understand what all the risks are," Moore says. "It is really difficult to have an IPMI installation that is not vulnerable."

Moore and other security experts recommend managing devices that use the IPMI protocol behind virtual private networks, firewalls, and other security, always assuming the devices are in a hostile network.

Embedded Web Servers
A variety of devices are vulnerable not because of the native protocols that they use, but because of the lightweight Web servers embedded in the devices to provide a management interface. From printers and baseboard management controllers to routers and PBXes, companies host a wide array of devices that likely have vulnerable Web interfaces to manage the technology.

"These undocumented, undisclosed, and unmonitored Web interfaces are a bigger deal than most people realize," Moore said. "They are really common, but they are not something that people normally keep track of."

Ullrich agrees, saying that DShield data shows that companies are seeing opportunistic scans for the devices.

"All the miscellaneous devices -- routers, switches -- sometimes have a management interface on an uncommon port, but you see a decent amount of scanning activity for these," he says.

Videoconferencing
Last year, Moore scanned the Internet for signs of videoconferencing systems connected directly to the Internet and set to auto answer, estimating that some 150,000 devices were vulnerable to an attacker directly calling into the conferencing system.

"Most folks did not do any sort of security on the videoconferencing side, and many of them had really horrible security on the Web management interface," Moore says.

Companies should scan their public Internet space on port 1720, typically used by the H.323 signaling protocol, using a "status enquiry" to nonintrusively check for potentially vulnerable systems, according to Rapid7.

SQL Servers
Databases are frequent targets of attacks. Many attackers scan for open Microsoft SQL Server and MySQL ports, but rather than attempting to compromise such systems with exploits, they instead attempt to brute-force the password protecting the databases, says the SANS Institute's Ullrich.

"They typically don't search for a vulnerability there, but for a weak password," he says. "They scan for the databases and then try to connect by guessing passwords."

Companies should track down any database accessible from the Internet and ensure that adequate steps are taken to secure access to the servers.

Simple Network Management Protocol (SNMP)
The DShield project sees some scanning for the Simple Network Management Protocol (SNMP), but Ullrich sees the protocol as mainly an overlooked risk.

Moore, however, sees SNMP as an engine for future attacks. Because many companies do not pay attention to SNMP, the protocol could be used as a vector for compromise and as a method of amplification for distributed denial-of-service attacks, Moore says.

"SNMP tends to get short shrift in terms of security exposure, not to mention it can be used for amplification attacks," Moore says. Amplification attacks typically use the DNS system, which can be made to respond to a single request with a multitude of packets. The SNMP protocol has similar characteristics, he says.

Companies should filter inbound malformed packets to prevent their systems from being used in a distributed denial-of-service attack, and block all outbound SNMP packets.
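As an added example (not from the article, Rapid7 or SANS), the monitoring Moore and Ullrich call for can be approximated over firewall or flow records: flag external sources probing several internal hosts on the ports of the five protocol families above, and flag internal hosts whose SNMP replies to the Internet dwarf the queries they received, the amplification pattern Moore warns about. The flow format, the 10/8 internal range, the thresholds and every port number except 1720 are assumptions.

```python
from collections import defaultdict
# Ports of the five protocol families discussed; the article names only 1720
# (H.323), the rest are standard assignments (assumption).
WATCHED_PORTS = {623: "IPMI/RMCP", 1720: "H.323 videoconferencing",
                 8080: "embedded web mgmt", 1433: "MS SQL Server",
                 3306: "MySQL", 161: "SNMP"}
SCAN_TARGETS = 3   # distinct internal hosts one external source must touch
AMP_RATIO = 10.0   # SNMP reply/request byte ratio suggesting amplification
def is_internal(ip):
    return ip.startswith("10.")  # assumption: 10/8 is the monitored space

def parse_flow(line):
    """Constructed flow format: proto,src_ip,src_port,dst_ip,dst_port,bytes."""
    proto, src, sport, dst, dport, nbytes = line.strip().split(",")
    return {"proto": proto, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "bytes": int(nbytes)}

def find_port_scans(flows):
    """External sources probing several internal hosts on one watched port."""
    hit = defaultdict(set)
    for f in flows:
        if (is_internal(f["dst"]) and not is_internal(f["src"])
                and f["dport"] in WATCHED_PORTS):
            hit[(f["src"], f["dport"])].add(f["dst"])
    return sorted((src, WATCHED_PORTS[port], len(hosts))
                  for (src, port), hosts in hit.items() if len(hosts) >= SCAN_TARGETS)

def find_snmp_amplifiers(flows):
    """Internal hosts answering external SNMP queries with far more bytes than they got."""
    req, resp = defaultdict(int), defaultdict(int)
    for f in (f for f in flows if f["proto"] == "udp"):
        if f["dport"] == 161 and is_internal(f["dst"]) and not is_internal(f["src"]):
            req[f["dst"]] += f["bytes"]
        elif f["sport"] == 161 and is_internal(f["src"]) and not is_internal(f["dst"]):
            resp[f["src"]] += f["bytes"]
    return sorted(h for h in resp if req[h] and resp[h] / req[h] >= AMP_RATIO)
# Constructed sample records (documentation address ranges), not real traffic.
SAMPLE_FLOWS = """
tcp,203.0.113.5,51000,10.0.0.1,1720,60
tcp,203.0.113.5,51001,10.0.0.2,1720,60
tcp,203.0.113.5,51002,10.0.0.3,1720,60
udp,198.51.100.9,40000,10.0.0.7,623,80
udp,192.0.2.10,9999,10.0.0.20,161,70
udp,10.0.0.20,161,192.0.2.10,9999,1400
"""

def analyze(text):
    flows = [parse_flow(l) for l in text.strip().splitlines() if l.strip()]
    return {"scans": find_port_scans(flows), "amplifiers": find_snmp_amplifiers(flows)}
```

The single IPMI probe in the sample stays below the scan threshold, which is the point of the threshold: one touch on port 623 is noise, the same source sweeping three hosts on 1720 is inventory-worthy.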

About the author: Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
