Danger: Open Ports – Trojan is as Trojan does

Open ports are the doorways to your secure perimeter. Behind open ports, there are applications and services listening for inbound packets, waiting for connections from the outside, in order to perform their jobs. Security best practices imply the use of a firewall system that controls which ports are opened or closed on Internet-facing servers. Additionally, security best practices advise that ports should be open only on a “need-to-be” basis, dictated by the Internet communication needs of applications and services that run on the servers.

In typical scenarios, administrators open the ports they know are required, such as port 80 for a webserver, and maybe other ports for adjacent tasks, such as remote administration. At the same time, servers are shipped, by default, with a number of services that may not be needed, but the firewall is configured to allow traffic on the ports they use.

Since maintaining a very restrictive security configuration may become an administrative overhead, in most cases, along with the ports which need to be open, there are also open ports that “might be needed”. Also, applications and services being installed may modify firewall configuration to allow traffic on the ports they plan to use, so when installing an application, depending on how the installer is built, you may or may not notice that the configuration of the firewall has been changed.

The reality is, you do not know your open ports at a given time, and you do not usually notice applications or services configuring firewall exceptions automatically. Consequently, it is difficult to assess the security risk associated with open ports, and even more difficult to mitigate it. One of the first things that attackers do, as part of an attack, is run a port scanning of the target server. The results equip attackers with information on the open ports as well as the services and applications behind them. This is all the information they need in order to orchestrate their attack further.

Here are some ways in which attackers can take advantage of open ports in order to compromise the security of Internet-facing servers, and eventually penetrate the security perimeter as well.

Dangers of open ports

Dangers of open ports (click to enlarge)

1. Spreading malware infections through open ports

Malware uses Internet communications for a variety of purposes: malware distribution, calling home or taking commands as part of remote control activities. The security community has identified a list of ports commonly used by malware for such activities – so called Trojan ports – and administrators are constantly on the lookout for such ports being open, as their existence may indicate a malware infection.

However, some malware uses common ports that are also used by line of business applications, such as web servers, in which case it is difficult to say who is using the open port, without further investigation. With malware being perceived as one of the most important security threats, other similarly important risks introduced by open ports, are often overlooked.

2. Exploiting vulnerabilities in services and applications running on open ports

Open ports are used by applications and services and, as any piece of code, they may have vulnerabilities or bugs. The more applications and services run using open ports for Internet communication, the higher the risk of one of them having a vulnerability that can be exploited. A bug in one service reachable from the outside may cause it to crash. Such a crash may lead to execution of arbitrary code on the affected machine, exactly what the attacker needs in order to be successful. Additionally, exploiting application vulnerabilities may give the attacker access to data belonging to the application or the affected computer, as well as the opportunity to install malware, cause downtime or take control of the server.

For example, researchers recently identified bugs in Oracle’s Java SE that allow arbitrary execution of code, access to security sensitive data, unauthorized changes in security configurations, and so on.

3. Exploiting unsafe configurations in services and applications running on open ports

Some services or applications running on open ports may have poorly configured default settings or poorly configured running policies.  Such applications may be the target of dictionary attacks, and, with poorly configured password policies, for example, attackers can identify credentials used by legitimate users. Furthermore, attackers can use the credentials to log into such applications, steal data, access the system, cause downtime or take control of the computer.

One such case is the Microsoft SQL Server, which may be the victim of dictionary attacks or SQL injection. When exploited, either of these vulnerabilities may give the attacker not only access to the data belonging to SQL Server, but to the entire system as well, due to features of the SQL Server that enable system access (calling DLLs outside of the database via extended stored procedures). The default port used by Microsoft SQL Server is one of the most probed ports on the Internet, along with NetBIOS port and the HTTP default port.

4. Causing downtime of line of business applications by running denial of service attacks on open ports belonging to less robust services

Each open port may be the target of denial of service (DoS) attacks. While some applications and services have built-in protection mechanisms to withstand such attacks to a certain extent, (i.e. the web servers or database servers), others may not have such mechanisms in place, causing the entire server to go down when sufficient stress is put on them. So, having a robust implementation of a web server, with proper discard mechanisms for suspicious requests, may still not be enough, if on the same server, you are running a NTP service that crashes when certain stress is applied in terms of time synchronization operations that take place concurrently. The crash of the unused NTP service causes system instability and may bring down an entire server. Thus, an attacker can perform successful denial of service attacks on a web server, without even targeting port 80.

Open ports raise security concerns beyond the commonly known Trojans. While the firewall allows enforcement of secure port usage policies, it misses one important aspect: it does not tell you if your open ports are safe, or not. It cannot establish if you really need an open port, or not. It has no visibility (beyond a service /app identifier) into what services and applications use open ports, what is their up to date state or whether they are vulnerable to attacks. Manual monitoring of active connections and manual filtering of their state is cumbersome and counter-productive and most of the times, you cannot tell “good” from “bad” with your own eyes. Consequently, we cannot rely only on the firewalls, when it comes to securing an Internet-facing server.

The solution comes from network security applications that perform active port scanning and banner grabbing in order to determine open ports, and the applications / services behind them. Such solutions give instant visibility into the security of your server from the outsider’s perspective, by mimicking attacker’s behavior. Some solutions gather extended information about the applications and services behind open ports, and also point out potential vulnerabilities which may be exploited. The administrators using such solutions are one step ahead of the attackers, as they benefit from valuable insight into the security state of their servers, and are able to take proactive action against potential threats before they are exploited.

ShareShare on FacebookTweet about this on TwitterShare on Google+

Leave a Reply