Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/30/2014
11:10 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Security Holes Found In Some DLP Products

Researchers to reveal key security flaws in commercial and open-source data loss prevention software at Black Hat USA next week.

It's a case of a security tool harboring security vulnerabilities: A pair of researchers has discovered multiple flaws in commercial and open-source data loss prevention (DLP) products.

Zach Lanier, senior security researcher at Duo Security, and Kelly Lum, security engineer with Tumblr, next week at Black Hat USA in Las Vegas will demonstrate the cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities they discovered in four commercial DLP products and one open-source tool they investigated. They plan to name names next week during their talk, "Stay Out of the Kitchen: A DLP Security Bake-Off," where they also will provide proof-of-concept attack examples.

Lanier and Lum -- who won't divulge full details until their talk next week -- say they really weren't surprised to find flaws in DLP systems that enterprises rely on to keep private and sensitive information from leaking outside the organization. "It was not a huge shock," Lum says. "But I was a little surprised that some of the vulnerabilities were very simple, which means they should be easily fixed. It's curious that they could have been easily avoided in the first place."

Many of the flaws were found in the web-based interfaces of the products, namely, the administrative panels. XSS and CSRF were the most common ones found there, they say.

"Some were endpoint and some were network-based… and some in how they do reporting," for example, says Lanier. "We also evaluated the document parsing pieces that classify and protect the data."

While Lanier and Lum did not find any specific bypass vulnerabilities in the DLP tools they tested, they did find flaws that would allow an attacker to reconfigure or change the behavior of the DLP system so that it no longer monitors data leaks, for example.

An attacker could shut down or reconfigure a DLP system via some of the bugs, Lanier says. "They could disable DLP policies and add new elements to the policies… or add new users."

Another scary option is that an attacker could take a document out of quarantine and siphon its contents,  he says.

"One of the DLP solutions used a Python scripting language to do a lot of the heavy lifting around the analysis engine and policy. There is an insecure module inside Python that could lead to arbitrary code execution," Lanier says. That would allow someone with access to the administrative server to spread malware to various endpoints that were managed by that server.

"Since all DLP processes run in privileged mode, they also [would allow] privileged [user] code execution. That was one of the big, non-web things we found" vulnerable, he says.

The researchers, as of this posting, were also still studying the third-party KeyView document parsing/filtering engine used by many DLP and big-data products. Lanier says they are looking for potential vulnerabilities as well as a possible inspection bypass issue, but nothing's concrete just yet.

Meanwhile, Lanier and Lum say their research shows that DLP vendors aren't properly vetting their software for flaws.

"This speaks to how important it is to start looking at these products with a more jaundiced eye. Lots of sensitive data -- credit card numbers, social security numbers" are at risk if the tools are not solid security-wise, Lum says.

Lanier will discuss the newly found vulnerabilities in commercial and open-source DLP software in today's 1:00 p.m. ET broadcast of Dark Reading Radio, "Data Loss Prevention (DLP) FAIL." Register here to tune in and ask him questions via the online chat.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/31/2014 | 12:21:33 PM
Re: Remediation
I agree. Unfortunaltely, you expect this from a 3rd party producing a product for its functionality. But when its functionality is security you would think that they would do their due diligence.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/31/2014 | 11:21:50 AM
Re: Remediation
I know it's impossible to write perfect code, but I still can't wrap my head around how a security company could not be more careful with its software. Even if 3rd party code was the source of the vulns, they should be testing every single element of the platform. Some of these bugs would have been found in about 5 minutes, according to the researchers.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/31/2014 | 8:13:17 AM
Remediation
I hope that when names are dropped, vendors really take the time to close the gaps in their software. Being allowed to reconfigure policies to your will is bad enough, but being able to execute malicious code under a privileged account is even worse. I will be interested to hear if these vulnerabilities are prevalent on a 3 tier system or are more likely to happen when organizations combine the tiers.
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-29040
PUBLISHED: 2021-05-16
The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch another, more focused att...
CVE-2021-29041
PUBLISHED: 2021-05-16
Denial-of-service (DoS) vulnerability in the Multi-Factor Authentication module in Liferay DXP 7.3 before fix pack 1 allows remote authenticated attackers to prevent any user from authenticating by (1) enabling Time-based One-time password (TOTP) on behalf of the other user or (2) modifying the othe...
CVE-2021-29047
PUBLISHED: 2021-05-16
The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA challenge by reusing the same CAPTCHA answer.
CVE-2021-22668
PUBLISHED: 2021-05-16
Delta Industrial Automation CNCSoft ScreenEditor Versions 1.01.28 (with ScreenEditor Version 1.01.2) and prior are vulnerable to an out-of-bounds read while processing project files, which may allow an attacker to execute arbitrary code.
CVE-2021-29039
PUBLISHED: 2021-05-16
Cross-site scripting (XSS) vulnerability in the Asset module's categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site name.