Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

8/12/2014
05:40 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Security Holes Exposed In Trend Micro, Websense, Open Source DLP

Researchers Zach Lanier and Kelly Lum at Black Hat USA took the wraps off results of their security testing of popular data loss prevention software.

BLACK HAT USA — LAS VEGAS — A pair of researchers here last week named names of the data loss prevention (DLP) products in which they found security vulnerabilities.

Zach Lanier, senior security researcher at Duo Security, and Kelly Lum, security engineer with Tumblr, revealed details on the cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities they discovered in four commercial DLP products and one open-source tool they investigated. The pair had provided a sneak-peak of their presentation, "Stay Out of the Kitchen: A DLP Security Bake-off," to Dark Reading prior to the conference, but stopped short of divulging the vendor and product names.

At the heart of most of the bugs were the web-based interfaces of the products, namely the administrative panels. "Most of the flaws were in web admin interfaces," Lanier told Dark Reading.

The researchers were unable to pinpoint any major issues with HP's Keyview document parsing/filtering engine used by many DLP and big data products. "Keyview has some really interesting idiosyncrasies and some complex code that might have bugs... We really didn't find a whole lot," he says, but the pair plans to dig further into Keyview in subsequent research.

Overall, they found there was little or no hardening of Linux appliances, with many services running as root, and no exploit mitigation defenses in the software. "We found the occasional bug inheritance, such as Heartbleed," Lanier says.

They tested a sampling of DLP products, mainly ones they could get with free, temporary software licenses -- Trend Micro's DLP Management Appliance 5.6 and its DLP Endpoint Agent 5.6; Sophos Astaro UTM Appliance 9.201, its Enterprise Console 5.2.1r2 and its Endpoint Security; Websense Triton Management Server 7.8.3, its Data Protector Endpoint Agent 7.8.3, and its Data Security Protector Appliance 7.8.3; and the open source OpenDLP 0.5.1.

Lanier and Lum did not find any specific bypass vulnerabilities in the DLP software they tested, but they did find flaws that would allow an attacker to reconfigure or change the behavior of the DLP system so that it no longer monitors data leaks, for example.

While the Sophos products came up clean in their testing, the researchers found bugs in Trend Micro, Websense, and OpenDLP's software.

They found multiple cross-site scripting (XSS) flaws in the Trend Micro management console as well as a cross-site request forgery (CSRF) bug. "There was a lot of cross-site scripting in this," said Lum. "But the CSRF was concerning to me," she said, because an attacker could turn off or change the DLP filter with an exploit.

Trend Micro is investigating the researchers' report, according to Jonn Perez, director of global technical support operations at Trend Micro. "Trend Micro takes any report of a product vulnerability very seriously... Our development team is currently in the process of validating this claim," Perez said in a statement. "If we determine that a fix is necessary, it will be treated as an immediate priority as part of our product vulnerability response process."

Lanier and Lum also found remote code execution and privilege escalation flaws in Websense's Protector and Endpoint software. The bugs could allow a nefarious or unauthorized local admin on a TRITON server to replace files with "custom pickled objects," the researchers say.

Websense also is investigating the findings, and said in a statement that the company is awaiting an official vulnerability report:

"While we still do not yet have complete details of the presentation, based on conversations with the researcher we understand that he has identified a medium risk vulnerability in Websense data security services. 

The researcher has verified that the particular process demonstrated in his session relies on a privileged insider with access to the local network and with administrative rights to both the server and the management console. The researcher also indicated that remote exploitation of this vulnerability is not possible.

We are currently awaiting the official vulnerability report from the researcher. However, based on our current knowledge, prior to the presentation Websense reached out to our affected customer base and provided them with best practices for mitigating the risk of the vulnerability. In addition to the mitigation tips we have shared, Websense will provide a fix for these vulnerabilities before the end of August. We will make also make other adjustments in our future releases and vulnerability testing process."

OpenDLP, meanwhile, has a CSRF flaw, the researchers found.

Lanier and Lum warn that the bugs they found could allow an attacker to disable or alter DLP policies, or even remove a document out of quarantine, and siphon its contents, for example.

Lanier was a guest on Dark Reading Radio last month for the "Data Loss Prevention (DLP) FAIL" episode, where he discussed the flaws he and Lum found as well as concerns about DLP security issues. The archive is available here.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
8/13/2014 | 5:05:07 PM
More to come
One thing Zach and Kelly said was that this research is only the beginning. They plan to drill down further on DLP vulns, so consider this phase one.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
8/13/2014 | 5:22:58 PM
Grrrrr
It's always frustrating to hear that security controls are, themselves, insecure. It's also frustrating to hear that the Web-facing side is the problem. Lately the security world has been talking alot about passwords (and rightly so) but now that so much sensitive activity happens online, I'd like companies to get more serious about Web apps' security.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
8/14/2014 | 8:43:36 AM
Re: Grrrrr
What's so baffling is that these are SECURITY companies. Sure, they have software dev of their own, but it's discouraging if they're not practicting what they preach. No one expects software to be perfectly clean and free of all bugs, but you would think they would regularly vet the stuff. <sigh>
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
8/14/2014 | 11:24:46 AM
Re: Grrrrr
It really is a  major embarassment for these companies. I hope the researchers make these security "bakeoffs" a regular event. Maybe that will keep the vendors on their toes.
MonicaL812
50%
50%
MonicaL812,
User Rank: Apprentice
9/29/2014 | 8:16:49 AM
The Insider Threat
You can blame the vendors all you want, but if you read carefully, it's requires a rogue local admin to take advantage of a vulnerability.  What you should really be amazed with is the poor background check of employees.  Too often, organizations hire loose-cannons, who would are and always have been known as "the greatest threat".  Organizations need to focus on their personnel just as much, and need to vet out those who are likely to hold a grudge for whatever personal reason.

 
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27581
PUBLISHED: 2021-03-05
The Blog module in Kentico CMS 5.5 R2 build 5.5.3996 allows SQL injection via the tagname parameter.
CVE-2021-28042
PUBLISHED: 2021-03-05
Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directory Traversal via a crafted ZIP archive to the Upload feature or the MO Connect component. This can lead to remote code execution.
CVE-2021-28041
PUBLISHED: 2021-03-05
ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
CVE-2021-3377
PUBLISHED: 2021-03-05
The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.
CVE-2021-3420
PUBLISHED: 2021-03-05
A flaw was found in newlib in versions prior to 4.0.0. Improper overflow validation in the memory allocation functions mEMALIGn, pvALLOc, nano_memalign, nano_valloc, nano_pvalloc could case an integer overflow, leading to an allocation of a small buffer and then to a heap-based buffer overflow.