BLACK HAT USA — LAS VEGAS — A pair of researchers here last week named names of the data loss prevention (DLP) products in which they found security vulnerabilities.
Zach Lanier, senior security researcher at Duo Security, and Kelly Lum, security engineer with Tumblr, revealed details on the cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities they discovered in four commercial DLP products and one open-source tool they investigated. The pair had provided a sneak-peak of their presentation, "Stay Out of the Kitchen: A DLP Security Bake-off," to Dark Reading prior to the conference, but stopped short of divulging the vendor and product names.
At the heart of most of the bugs were the web-based interfaces of the products, namely the administrative panels. "Most of the flaws were in web admin interfaces," Lanier told Dark Reading.
The researchers were unable to pinpoint any major issues with HP's Keyview document parsing/filtering engine used by many DLP and big data products. "Keyview has some really interesting idiosyncrasies and some complex code that might have bugs... We really didn't find a whole lot," he says, but the pair plans to dig further into Keyview in subsequent research.
Overall, they found there was little or no hardening of Linux appliances, with many services running as root, and no exploit mitigation defenses in the software. "We found the occasional bug inheritance, such as Heartbleed," Lanier says.
They tested a sampling of DLP products, mainly ones they could get with free, temporary software licenses -- Trend Micro's DLP Management Appliance 5.6 and its DLP Endpoint Agent 5.6; Sophos Astaro UTM Appliance 9.201, its Enterprise Console 5.2.1r2 and its Endpoint Security; Websense Triton Management Server 7.8.3, its Data Protector Endpoint Agent 7.8.3, and its Data Security Protector Appliance 7.8.3; and the open source OpenDLP 0.5.1.
Lanier and Lum did not find any specific bypass vulnerabilities in the DLP software they tested, but they did find flaws that would allow an attacker to reconfigure or change the behavior of the DLP system so that it no longer monitors data leaks, for example.
While the Sophos products came up clean in their testing, the researchers found bugs in Trend Micro, Websense, and OpenDLP's software.
They found multiple cross-site scripting (XSS) flaws in the Trend Micro management console as well as a cross-site request forgery (CSRF) bug. "There was a lot of cross-site scripting in this," said Lum. "But the CSRF was concerning to me," she said, because an attacker could turn off or change the DLP filter with an exploit.
Trend Micro is investigating the researchers' report, according to Jonn Perez, director of global technical support operations at Trend Micro. "Trend Micro takes any report of a product vulnerability very seriously... Our development team is currently in the process of validating this claim," Perez said in a statement. "If we determine that a fix is necessary, it will be treated as an immediate priority as part of our product vulnerability response process."
Lanier and Lum also found remote code execution and privilege escalation flaws in Websense's Protector and Endpoint software. The bugs could allow a nefarious or unauthorized local admin on a TRITON server to replace files with "custom pickled objects," the researchers say.
Websense also is investigating the findings, and said in a statement that the company is awaiting an official vulnerability report:
"While we still do not yet have complete details of the presentation, based on conversations with the researcher we understand that he has identified a medium risk vulnerability in Websense data security services.
The researcher has verified that the particular process demonstrated in his session relies on a privileged insider with access to the local network and with administrative rights to both the server and the management console. The researcher also indicated that remote exploitation of this vulnerability is not possible.
We are currently awaiting the official vulnerability report from the researcher. However, based on our current knowledge, prior to the presentation Websense reached out to our affected customer base and provided them with best practices for mitigating the risk of the vulnerability. In addition to the mitigation tips we have shared, Websense will provide a fix for these vulnerabilities before the end of August. We will make also make other adjustments in our future releases and vulnerability testing process."
OpenDLP, meanwhile, has a CSRF flaw, the researchers found.
Lanier and Lum warn that the bugs they found could allow an attacker to disable or alter DLP policies, or even remove a document out of quarantine, and siphon its contents, for example.
Lanier was a guest on Dark Reading Radio last month for the "Data Loss Prevention (DLP) FAIL" episode, where he discussed the flaws he and Lum found as well as concerns about DLP security issues. The archive is available here.