
Vulnerabilities / Threats

8/12/2014
05:40 PM
Security Holes Exposed In Trend Micro, Websense, Open Source DLP

Researchers Zach Lanier and Kelly Lum at Black Hat USA took the wraps off results of their security testing of popular data loss prevention software.

BLACK HAT USA — LAS VEGAS — A pair of researchers here last week named names of the data loss prevention (DLP) products in which they found security vulnerabilities.

Zach Lanier, senior security researcher at Duo Security, and Kelly Lum, security engineer with Tumblr, revealed details on the cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities they discovered in four commercial DLP products and one open-source tool they investigated. The pair had provided a sneak peek of their presentation, "Stay Out of the Kitchen: A DLP Security Bake-off," to Dark Reading prior to the conference, but stopped short of divulging the vendor and product names.

At the heart of most of the bugs were the web-based interfaces of the products, namely the administrative panels. "Most of the flaws were in web admin interfaces," Lanier told Dark Reading.

The researchers were unable to pinpoint any major issues with HP's Keyview document parsing/filtering engine used by many DLP and big data products. "Keyview has some really interesting idiosyncrasies and some complex code that might have bugs... We really didn't find a whole lot," he says, but the pair plans to dig further into Keyview in subsequent research.

Overall, they found there was little or no hardening of Linux appliances, with many services running as root, and no exploit mitigation defenses in the software. "We found the occasional bug inheritance, such as Heartbleed," Lanier says.

They tested a sampling of DLP products, mainly ones they could get with free, temporary software licenses -- Trend Micro's DLP Management Appliance 5.6 and its DLP Endpoint Agent 5.6; Sophos Astaro UTM Appliance 9.201, its Enterprise Console 5.2.1r2 and its Endpoint Security; Websense Triton Management Server 7.8.3, its Data Protector Endpoint Agent 7.8.3, and its Data Security Protector Appliance 7.8.3; and the open source OpenDLP 0.5.1.

Lanier and Lum did not find any specific bypass vulnerabilities in the DLP software they tested, but they did find flaws that would allow an attacker to reconfigure or change the behavior of the DLP system so that it no longer monitors data leaks, for example.

While the Sophos products came up clean in their testing, the researchers found bugs in Trend Micro, Websense, and OpenDLP's software.

They found multiple cross-site scripting (XSS) flaws in the Trend Micro management console as well as a cross-site request forgery (CSRF) bug. "There was a lot of cross-site scripting in this," said Lum. "But the CSRF was concerning to me," she said, because an attacker could turn off or change the DLP filter with an exploit.
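The CSRF concern Lum describes comes down to an admin endpoint that trusts the session cookie alone. The sketch below is an added illustration, not code from any product in the article: a "disable policy" handler in its cookie-only form beside one that also requires a per-session token and a matching Origin/Referer. The console origin, the policy names and the session store are constructed for the example.

```python
"""Added, self-contained illustration of a CSRF-prone DLP admin action and its
hardened form. Not code from any vendor named in the article."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SESSIONS = {}                               # session_id -> {"user", "csrf"}
POLICIES = {"block-pii": True}              # constructed sample policy state
SITE_ORIGIN = "https://dlp-admin.example"   # assumed console origin


@dataclass
class Request:
    method: str
    form: dict
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def login(user):
    """Create a session and a per-session CSRF token (synchronizer pattern)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def _session(req):
    return SESSIONS.get(req.cookies.get("session"))


def update_policy_vulnerable(req):
    """Cookie-only auth: any site the admin visits can submit this form."""
    if req.method != "POST" or _session(req) is None:
        return 403
    POLICIES[req.form["policy"]] = req.form["enabled"] == "1"
    return 200


def update_policy_hardened(req):
    """Require the session token AND a same-origin Origin/Referer header."""
    sess = _session(req)
    if req.method != "POST" or sess is None:
        return 403
    parts = urlsplit(req.headers.get("Origin") or req.headers.get("Referer", ""))
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return 403                           # cross-site (or missing) source
    if not hmac.compare_digest(req.form.get("csrf", ""), sess["csrf"]):
        return 403                           # token absent or wrong
    POLICIES[req.form["policy"]] = req.form["enabled"] == "1"
    return 200
```

The Origin check uses an exact scheme-plus-host comparison rather than a prefix match, so a lookalike host that merely begins with the console's name is still rejected.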

Trend Micro is investigating the researchers' report, according to Jonn Perez, director of global technical support operations at Trend Micro. "Trend Micro takes any report of a product vulnerability very seriously... Our development team is currently in the process of validating this claim," Perez said in a statement. "If we determine that a fix is necessary, it will be treated as an immediate priority as part of our product vulnerability response process."

Lanier and Lum also found remote code execution and privilege escalation flaws in Websense's Protector and Endpoint software. The bugs could allow a nefarious or unauthorized local admin on a TRITON server to replace files with "custom pickled objects," the researchers say.
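Why "custom pickled objects" in a file a privileged user can write translate into code execution: a Python pickle stream can name any importable callable, and a plain pickle.load() resolves it. The example below is added here and is not Websense's code; it shows a loader that restricts the unpickler to an allowlist of types, which is the usual mitigation when a format cannot simply be replaced with JSON. The config shape and allowlist are constructed for the example, and the suspect sample only references os.system (nothing is executed).

```python
"""Added illustration: plain pickle.loads versus an allowlisting Unpickler.
Not code from any product named in the article."""
import io
import os
import pickle

# Types a legitimate config file is allowed to reference (constructed allowlist).
ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set")}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global the stream names unless it is on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def load_config_unsafe(blob):
    """Plain pickle.loads: resolves any importable callable the stream names."""
    return pickle.loads(blob)


def load_config_restricted(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def classify(blob):
    """'ok' if the blob loads under the allowlist, otherwise 'rejected'."""
    try:
        load_config_restricted(blob)
        return "ok"
    except pickle.UnpicklingError:
        return "rejected"


# Constructed samples: a benign config, and a stream that merely *references*
# os.system (pickling a function stores its import path; nothing runs here).
BENIGN = pickle.dumps({"policies": {"block-pii": True}})
REFERENCES_CALLABLE = pickle.dumps(os.system)
```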

Websense also is investigating the findings, and said in a statement that the company is awaiting an official vulnerability report:

"While we still do not yet have complete details of the presentation, based on conversations with the researcher we understand that he has identified a medium risk vulnerability in Websense data security services. 

The researcher has verified that the particular process demonstrated in his session relies on a privileged insider with access to the local network and with administrative rights to both the server and the management console. The researcher also indicated that remote exploitation of this vulnerability is not possible.

We are currently awaiting the official vulnerability report from the researcher. However, based on our current knowledge, prior to the presentation Websense reached out to our affected customer base and provided them with best practices for mitigating the risk of the vulnerability. In addition to the mitigation tips we have shared, Websense will provide a fix for these vulnerabilities before the end of August. We will also make other adjustments in our future releases and vulnerability testing process."

OpenDLP, meanwhile, has a CSRF flaw, the researchers found.

Lanier and Lum warn that the bugs they found could allow an attacker to disable or alter DLP policies, or even remove a document from quarantine and siphon its contents, for example.

Lanier was a guest on Dark Reading Radio last month for the "Data Loss Prevention (DLP) FAIL" episode, where he discussed the flaws he and Lum found as well as concerns about DLP security issues. The archive is available here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
MonicaL812,
User Rank: Apprentice
9/29/2014 | 8:16:49 AM
The Insider Threat
You can blame the vendors all you want, but if you read carefully, it requires a rogue local admin to take advantage of a vulnerability. What you should really be amazed with is the poor background check of employees. Too often, organizations hire loose cannons, who are and always have been known as "the greatest threat". Organizations need to focus on their personnel just as much, and need to vet out those who are likely to hold a grudge for whatever personal reason.

Marilyn Cohodas,
User Rank: Strategist
8/14/2014 | 11:24:46 AM
Re: Grrrrr
It really is a major embarrassment for these companies. I hope the researchers make these security "bakeoffs" a regular event. Maybe that will keep the vendors on their toes.
Kelly Jackson Higgins,
User Rank: Strategist
8/14/2014 | 8:43:36 AM
Re: Grrrrr
What's so baffling is that these are SECURITY companies. Sure, they have software dev of their own, but it's discouraging if they're not practicing what they preach. No one expects software to be perfectly clean and free of all bugs, but you would think they would regularly vet the stuff. <sigh>
Sara Peters,
User Rank: Author
8/13/2014 | 5:22:58 PM
Grrrrr
It's always frustrating to hear that security controls are, themselves, insecure. It's also frustrating to hear that the Web-facing side is the problem. Lately the security world has been talking a lot about passwords (and rightly so) but now that so much sensitive activity happens online, I'd like companies to get more serious about Web apps' security.
Kelly Jackson Higgins,
User Rank: Strategist
8/13/2014 | 5:05:07 PM
More to come
One thing Zach and Kelly said was that this research is only the beginning. They plan to drill down further on DLP vulns, so consider this phase one.