"There's a good degree of trust in [security] devices. Once someone gains access to them, they can directly modify the security posture of the organization -- [including] opening additional access from the Internet to further compromise additional resources," says Jeff Jarmoc, firewall engineer at SecureWorks. "Both the firewall and IPS often act as choke points where traffic from a number of hosts passes through. Attackers may be able to intercept [traffic] and compromise credentials."
But organizations typically overlook the security of their security products. Despite the critical posture of a firewall, intrusion prevention system (IPS), or security management console, organizations rarely include them in their vulnerability and risk assessments, say Jarmoc and his colleagues Ben Feinstein, director of research, and Dan King, security engineer at SecureWorks, who will present their research at Black Hat in July.
"A lot of organizations' firewalls [and] IDS/IPSes are not typically considered in scope for standard security assessments or penetration tests," Feinstein says. "And a lot of times, central vulnerabilities [in them] or the ability of attackers to exploit them are not considered by enterprise risk management or threat models."
That can be a fatal oversight. Attackers need to gain access to the devices, which is one reason attacks on security infrastructures have not been widespread to date, the researchers say. Attacks on security tools are typically targeted and, in some cases, begin with a spear-phishing exploit against the security administrator, for instance.
In one of the PoCs the researchers will show, the attack begins with a spear-phishing email sent to a fictional admin of the Web-based McAfee Network Security Manager, a management appliance for McAfee IPS sensors.
The attack exploits two vulnerabilities discovered by King and that have since been patched by McAfee: an authentication bypass/session hijacking flaw and a cross-site scripting (XSS) bug. "I am able to leverage an XSS vulnerability within the McAfee Manager interface. From that, I can redirect using an embedded iFrame to my own personal Web server and steal the admin's logged-in session token," King says. "Then I'm able to log into the application there, with no passwords whatsoever."
The PoC basically uses the bugs to gain unauthorized access to the McAfee IPS management interface by stealing session cookies and hijacking the admin's session. After wresting control of the console, the attacker could then shut down all of the victim's network perimeter defenses -- namely the IPS infrastructure. That would give the attacker more unfettered access in and out of the victim's network in order to steal information or valuable intellectual property, for instance.
"This is a serious problem," King says.
SecureWorks' Jarmoc, meanwhile, will show attacks exploiting vulnerabilities he found in Cisco's Adaptive Security Appliance (ASA) and PIX firewalls, and in the Cisco Adaptive Security Device Manager (ASDM) console (all of which have been patched by the vendors).
Jarmoc will show logs and packet captures of one type of attack where an access control list (ACL) bug in ASA and PIX could let an attacker sneak traffic out of an organization, past the ACL function of the firewalls. "It doesn't affect traffic coming in," Jarmoc says. "But under certain circumstances when the bug is triggered, traffic leaving the enterprise can bypass the ACL and allowed out. There's the risk of it communicating to C&C [command and control] channels and phone-home [channels] for traffic data-exfiltration."
He will also demo a PoC attack against Cisco's ASDM that exploits a renegotiation vulnerability inherent in SSL/TLS, which affected many vendors' products. "It attacks the admin credentials of ASDM," he says. "[It will] inject commands into the authorized admin's session, which results in full admin control of the device."
This man-in-the-middle attack lets the attacker alter ASA firewall policies, for example.
"These devices have become so complex that the potential for these subtle bugs to creep in and severely impact policy enforcement [is greater]," Feinstein says.
And the more features they have, the more of an attack surface they have. To lock down the security infrastructure, SecureWorks researchers recommend that organizations monitor the devices for attacks and conduct vulnerability assessments and penetration tests on them. "They have to be monitored for attacks and intrusions like the gear they are supposed to be protecting," Feinstein says.
Security tools should also be considered in threat models, assessing the impact of their being compromised. "You need to consider that you're going to have to patch and maintain these and design the network so you can do this in a minimally invasive manner," Jarmoc says.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.