Is Your Security Appliance Hackable?

In the late 90’s, businesses embraced the internet; they connected their networks and servers to the internet so their data can be accessed from anywhere around the world. This was a new era that gave businesses the opportunity to grow globally and reach new audiences. By doing so, their networks, servers and data were also put at risk. Since the beginning of the commercialized internet era, many businesses suffered data breaches and were attacked by hackers. Many of them lost millions of dollars and customers. Some of them even went bankrupt.

To help online businesses protect their networks, servers and data from hackers, IT security vendors developed a number of security solutions such as firewalls, remote access gateways and anti-spam / anti-virus email security filters. Just like in fairy tales, it seems that the internet was heading towards a happy ending. But what if the security appliances your business invested in are insecure? Most probably this does not sound right to you, and it never crossed your mind; security appliances are designed by specialized security experts backed by years of experience.

Cross-Site Scripting, CSRF attacks and easy to brute force web based login forms are web application vulnerabilities which are found in typical online websites. Not even in a million years would you expect that the administrator web interface of your security appliance is vulnerable to such attacks.

Is Your Security Appliance Hackable?

In 2011, Ben Williams released a whitepaper called Exploiting Security Gateways via their Web Interfaces. Ben Williams, a penetration tester for the NCC group reported over 100 proof-of-concept exploits over the previous 12 months to various vendors, most of which are exploits on security appliances.

This year, Ben Williams released another whitepaper called Hacking Appliances: Ironic exploits in security products. In the latest security whitepaper, Ben focused on a wider attack surface of security appliances and not just the web interface. The outcome of the research is worrying. Considering time for such research was limited, Ben still found out that:

• Basic, easily identified and common security vulnerabilities were discovered in almost all audited security appliances
• Almost all security appliances were vulnerable to Cross-Site Scripting and automated password attacks
• Most of the security appliances ran an outdated and unpatched Unix/Linux operating system
• Many of the operating systems used by tested security appliances are not hardened
• Most of the available entry points to such devices, such as web interfaces and other protocols (SSH etc) are not hardened

It seems that, after 2 years, most of the IT security vendors didn’t learn their lesson. Even though IT security vendors evangelise and do their best in raising awareness, most of them do not have a Secure Development Life-cycle in place for their own products; most of the security appliances they sell are vulnerable with “low hanging fruit” vulnerabilities. Some of the audited security appliances still had the same vulnerabilities which Ben Williams reported 2 years ago.

When you consider that security appliances are very expensive specialized products, one wouldn’t expect such an outcome from this type of research. IT security vendors invest a lot of money and time in research and development, yet the security of these devices is very weak. From most test cases, we can conclude that they could be the cause of your network or servers getting hacked.

In his latest whitepaper, Ben Williams documents around 24 security vulnerabilities found in 5 security devices, most of which are web application vulnerabilities. In this article, we will focus on 2 particular “low hanging fruit” web application vulnerabilities that could have been detected before the product was released, had the IT security vendors used a product such as Acunetix Web Vulnerability Scanner during their product development.

The rules are very simple; web vulnerability scanners should be used by everyone and not just website owners. Anything that has a web interface, including Security Appliances should be scanned with such web application security products.

By using a web vulnerability scanner such as Acunetix WVS throughout the product development lifecyle, IT security vendors ensure that vulnerabilities like the ones mentioned below will be discovered during the early stages of development and before the product is released. If these Security Appliances are properly secured, IT Security Vendors will earn more respect and more customers.

Weak login form in Sophos Email Appliance

The administrative web interface in Sophos Email Appliance does not have any sort of defense mechanism to protect it from password attacks. It has no account lockout policies, no brute-force protection, a minimum password length of 4 characters, no minimum password complexity requirements and no logging /alerting option.

These are the basics of security and it clearly shows that such IT security vendors do not have any sort security checking in place. By launching a web vulnerability scan using Acunetix WVS, the Sophos quality assurance department would have found that the administrator web interface login form of their security appliance is not secure.

Acunetix WVS tests web application login forms and alerts the user if they are prone to brute force attacks and if the credentials are easy to guess. Acunetix WVS also checks the script that checks if a user is authenticated in order to confirm that there are no vulnerabilities in the login redirect page. Going a step further, web applications QA teams can use the Acunetix WVS advanced penetration testing tools such as the HTTP Fuzzer and Authentication Tester to launch advanced security tests and ensure that the web based login form is properly secured.

Other web vulnerabilities were found in the Sophos Email appliance such as command injection via CSRF with privilege escalation root, Cross-Site Scripting with session-hijacking, unauthenticated product version disclosure and several others. All of these security issues could have been detected by the Sophos QA team had they included web vulnerability scans in their product development lifecycle.

Cross-Site Scripting in Symantec Email Appliance

Like with all other security appliances, Ben reported multiple security vulnerabilities in Symantec Email Appliance. By exploiting a combination of security vulnerabilities, Ben fully compromised the security appliance and gained access to both the administrative web interface and the underlying operating system. This means that an attacker is in a position to launch a man-in-the-middle attack and gain access to all the sensitive email traffic that passes through the corporate network.

The admin web interface Cross-Site Scripting vulnerability can be exploited by sending a maliciously crafted spam message that includes a JavaScript in the subject line. When exploited, the XSS can be used to trigger an Onsite Request Forgery (OSRF) when the administrators, as part of their normal daily duties, check the quarantined emails area. In the past, Ben Williams even found vulnerabilities where an SSH failed login attempt could be used to trigger a XSS web application vulnerability when the administrator checks the appliance security logs.

These types of attacks are easy to distribute and execute.  In this case Ben used the “Cross-Site Scripting in spam email attack” as the initial attack vector to exploit other vulnerabilities and gain access to the root shell of the security appliance. By gaining such access the attacker has access to the web UI of the security appliance AND to the vulnerable operating system. This is an ideal platform for an attacker to launch further attacks without getting noticed since the security appliance OS activity is not monitored by the appliance’s administrator.

IT Security Vendors should practice what they preach

Ben William’s research sheds light on a number of security issues, highlighting the importance for IT security vendors to practice what they preach. IT security vendors should implement Secure Development Lifecycle to ensure that the end product is all-round secure. As we have also seen in several other cases, web application vulnerabilities were always the culprit of many security breaches. Everyone, including IT Security Vendors should use web vulnerabilities scanners to ensure that their web applications are secure and that their devices are not the cause of businesses getting hacked.