Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

8/12/2014
05:40 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Security Holes Exposed In Trend Micro, Websense, Open Source DLP

Researchers Zach Lanier and Kelly Lum at Black Hat USA took the wraps off results of their security testing of popular data loss prevention software.

BLACK HAT USA — LAS VEGAS — A pair of researchers here last week named names of the data loss prevention (DLP) products in which they found security vulnerabilities.

Zach Lanier, senior security researcher at Duo Security, and Kelly Lum, security engineer with Tumblr, revealed details on the cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities they discovered in four commercial DLP products and one open-source tool they investigated. The pair had provided a sneak-peak of their presentation, "Stay Out of the Kitchen: A DLP Security Bake-off," to Dark Reading prior to the conference, but stopped short of divulging the vendor and product names.

At the heart of most of the bugs were the web-based interfaces of the products, namely the administrative panels. "Most of the flaws were in web admin interfaces," Lanier told Dark Reading.

The researchers were unable to pinpoint any major issues with HP's Keyview document parsing/filtering engine used by many DLP and big data products. "Keyview has some really interesting idiosyncrasies and some complex code that might have bugs... We really didn't find a whole lot," he says, but the pair plans to dig further into Keyview in subsequent research.

Overall, they found there was little or no hardening of Linux appliances, with many services running as root, and no exploit mitigation defenses in the software. "We found the occasional bug inheritance, such as Heartbleed," Lanier says.

They tested a sampling of DLP products, mainly ones they could get with free, temporary software licenses -- Trend Micro's DLP Management Appliance 5.6 and its DLP Endpoint Agent 5.6; Sophos Astaro UTM Appliance 9.201, its Enterprise Console 5.2.1r2 and its Endpoint Security; Websense Triton Management Server 7.8.3, its Data Protector Endpoint Agent 7.8.3, and its Data Security Protector Appliance 7.8.3; and the open source OpenDLP 0.5.1.

Lanier and Lum did not find any specific bypass vulnerabilities in the DLP software they tested, but they did find flaws that would allow an attacker to reconfigure or change the behavior of the DLP system so that it no longer monitors data leaks, for example.

While the Sophos products came up clean in their testing, the researchers found bugs in Trend Micro, Websense, and OpenDLP's software.

They found multiple cross-site scripting (XSS) flaws in the Trend Micro management console as well as a cross-site request forgery (CSRF) bug. "There was a lot of cross-site scripting in this," said Lum. "But the CSRF was concerning to me," she said, because an attacker could turn off or change the DLP filter with an exploit.

Trend Micro is investigating the researchers' report, according to Jonn Perez, director of global technical support operations at Trend Micro. "Trend Micro takes any report of a product vulnerability very seriously... Our development team is currently in the process of validating this claim," Perez said in a statement. "If we determine that a fix is necessary, it will be treated as an immediate priority as part of our product vulnerability response process."

Lanier and Lum also found remote code execution and privilege escalation flaws in Websense's Protector and Endpoint software. The bugs could allow a nefarious or unauthorized local admin on a TRITON server to replace files with "custom pickled objects," the researchers say.

Websense also is investigating the findings, and said in a statement that the company is awaiting an official vulnerability report:

"While we still do not yet have complete details of the presentation, based on conversations with the researcher we understand that he has identified a medium risk vulnerability in Websense data security services. 

The researcher has verified that the particular process demonstrated in his session relies on a privileged insider with access to the local network and with administrative rights to both the server and the management console. The researcher also indicated that remote exploitation of this vulnerability is not possible.

We are currently awaiting the official vulnerability report from the researcher. However, based on our current knowledge, prior to the presentation Websense reached out to our affected customer base and provided them with best practices for mitigating the risk of the vulnerability. In addition to the mitigation tips we have shared, Websense will provide a fix for these vulnerabilities before the end of August. We will make also make other adjustments in our future releases and vulnerability testing process."

OpenDLP, meanwhile, has a CSRF flaw, the researchers found.

Lanier and Lum warn that the bugs they found could allow an attacker to disable or alter DLP policies, or even remove a document out of quarantine, and siphon its contents, for example.

Lanier was a guest on Dark Reading Radio last month for the "Data Loss Prevention (DLP) FAIL" episode, where he discussed the flaws he and Lum found as well as concerns about DLP security issues. The archive is available here.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
8/13/2014 | 5:05:07 PM
More to come
One thing Zach and Kelly said was that this research is only the beginning. They plan to drill down further on DLP vulns, so consider this phase one.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
8/13/2014 | 5:22:58 PM
Grrrrr
It's always frustrating to hear that security controls are, themselves, insecure. It's also frustrating to hear that the Web-facing side is the problem. Lately the security world has been talking alot about passwords (and rightly so) but now that so much sensitive activity happens online, I'd like companies to get more serious about Web apps' security.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
8/14/2014 | 8:43:36 AM
Re: Grrrrr
What's so baffling is that these are SECURITY companies. Sure, they have software dev of their own, but it's discouraging if they're not practicting what they preach. No one expects software to be perfectly clean and free of all bugs, but you would think they would regularly vet the stuff. <sigh>
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
8/14/2014 | 11:24:46 AM
Re: Grrrrr
It really is a  major embarassment for these companies. I hope the researchers make these security "bakeoffs" a regular event. Maybe that will keep the vendors on their toes.
MonicaL812
50%
50%
MonicaL812,
User Rank: Apprentice
9/29/2014 | 8:16:49 AM
The Insider Threat
You can blame the vendors all you want, but if you read carefully, it's requires a rogue local admin to take advantage of a vulnerability.  What you should really be amazed with is the poor background check of employees.  Too often, organizations hire loose-cannons, who would are and always have been known as "the greatest threat".  Organizations need to focus on their personnel just as much, and need to vet out those who are likely to hold a grudge for whatever personal reason.

 
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: George has not accepted that the technology age has come to an end.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-23351
PUBLISHED: 2021-03-08
The package github.com/pires/go-proxyproto before 0.5.0 are vulnerable to Denial of Service (DoS) via the parseVersion1() function. The reader in this package is a default bufio.Reader wrapping a net.Conn. It will read from the connection until it finds a newline. Since no limits are implemented in ...
CVE-2009-20001
PUBLISHED: 2021-03-07
An issue was discovered in MantisBT before 2.24.5. It associates a unique cookie string with each user. This string is not reset upon logout (i.e., the user session is still considered valid and active), allowing an attacker who somehow gained access to a user's cookie to login as them.
CVE-2020-28466
PUBLISHED: 2021-03-07
This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from the maintainers: Running a NATS service which is exposed to untrusted users presents a heightened r...
CVE-2021-27364
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages.
CVE-2021-27365
PUBLISHED: 2021-03-07
An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length...