Hacking The Security Infrastructure

Researchers at Black Hat USA will demonstrate vulnerabilities, proof-of-concept attacks on popular firewalls, security management consoles

Security tools are some of the most trusted and critical devices in an organization -- and that's exactly what makes them so attractive to potential attackers. A trio of researchers who discovered vulnerabilities in Cisco firewalls and in Cisco and McAfee security management software will demonstrate proof-of-concept attacks against these products at the upcoming Black Hat USA conference.

"There's a good degree of trust in [security] devices. Once someone gains access to them, they can directly modify the security posture of the organization -- [including] opening additional access from the Internet to further compromise additional resources," says Jeff Jarmoc, firewall engineer at SecureWorks. "Both the firewall and IPS often act as choke points where traffic from a number of hosts passes through. Attackers may be able to intercept [traffic] and compromise credentials."

But organizations typically overlook the security of their security products. Despite the critical posture of a firewall, intrusion prevention system (IPS), or security management console, organizations rarely include them in their vulnerability and risk assessments, say Jarmoc and his colleagues Ben Feinstein, director of research, and Dan King, security engineer at SecureWorks, who will present their research at Black Hat in July.

"A lot of organizations' firewalls [and] IDS/IPSes are not typically considered in scope for standard security assessments or penetration tests," Feinstein says. "And a lot of times, central vulnerabilities [in them] or the ability of attackers to exploit them are not considered by enterprise risk management or threat models."

That can be a fatal oversight. Attackers first need to gain access to the devices, which is one reason attacks on security infrastructure have not been widespread to date, the researchers say. Attacks on security tools are typically targeted and may begin, for instance, with a spear-phishing exploit against the security administrator.

In one of the PoCs the researchers will show, the attack begins with a spear-phishing email sent to a fictional admin of the Web-based McAfee Network Security Manager, a management appliance for McAfee IPS sensors.

The attack exploits two vulnerabilities discovered by King that have since been patched by McAfee: an authentication bypass/session hijacking flaw and a cross-site scripting (XSS) bug. "I am able to leverage an XSS vulnerability within the McAfee Manager interface. From that, I can redirect using an embedded iFrame to my own personal Web server and steal the admin's logged-in session token," King says. "Then I'm able to log into the application there, with no passwords whatsoever."

The PoC uses the two bugs to gain unauthorized access to the McAfee IPS management interface by stealing session cookies and hijacking the admin's session. After wresting control of the console, the attacker could shut down all of the victim's network perimeter defenses -- namely the IPS infrastructure. That would give the attacker unfettered access in and out of the victim's network, for instance to steal information or valuable intellectual property.

"This is a serious problem," King says.

SecureWorks' Jarmoc, meanwhile, will show attacks exploiting vulnerabilities he found in Cisco's Adaptive Security Appliance (ASA) and PIX firewalls, and in the Cisco Adaptive Security Device Manager (ASDM) console (all of which Cisco has since patched).

Jarmoc will show logs and packet captures of one type of attack in which an access control list (ACL) bug in ASA and PIX could let an attacker sneak traffic out of an organization, past the firewalls' ACL function. "It doesn't affect traffic coming in," Jarmoc says. "But under certain circumstances when the bug is triggered, traffic leaving the enterprise can bypass the ACL and be allowed out. There's the risk of it communicating to C&C [command and control] channels and phone-home [channels] for traffic data-exfiltration."

He will also demo a PoC attack against Cisco's ASDM that exploits a renegotiation vulnerability inherent in SSL/TLS, which affected many vendors' products. "It attacks the admin credentials of ASDM," he says. "[It will] inject commands into the authorized admin's session, which results in full admin control of the device."

This man-in-the-middle attack lets the attacker alter ASA firewall policies, for example.

"These devices have become so complex that the potential for these subtle bugs to creep in and severely impact policy enforcement [is greater]," Feinstein says.

And the more features they have, the more of an attack surface they have. To lock down the security infrastructure, SecureWorks researchers recommend that organizations monitor the devices for attacks and conduct vulnerability assessments and penetration tests on them. "They have to be monitored for attacks and intrusions like the gear they are supposed to be protecting," Feinstein says.

Security tools should also be considered in threat models, assessing the impact of their being compromised. "You need to consider that you're going to have to patch and maintain these and design the network so you can do this in a minimally invasive manner," Jarmoc says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...