Vulnerability in Security Products


Presentation Description

Know the vulnerabilities in security products, the risks they expose you to, and how to counter them effectively. Questions covered:
• How secure are security products?
• What vulnerabilities do security products bring into your environment?
• Which are the most vulnerable security products?
• Which security vendors have the most published vulnerabilities?
• How do you manage the risks?


Presentation Transcript

(In)Security in Security Products:

(In)Security in Security Products Who do you turn to when your security product becomes a gateway for attackers?


Introduction
About iViZ: cloud-based penetration testing; zero false positive guarantee; business logic testing with 100% WASC coverage; 300+ customers; IDG Ventures funded; Gartner Hype Cycle mention.
About myself: co-founder and CEO of iViZ; worked in areas of AI, anti-spam filters, multi-stage attack simulation etc.; love AI, security, entrepreneurship, magic/mind reading.

About the Report/Study:

About the Report/Study
• Security products are present on most systems and can theoretically become a "high pay-off" target for attackers, after the OS, browsers etc.
• At iViZ we wanted to study how secure the security products themselves are.
• iViZ used public databases for the analysis: Common Vulnerabilities and Exposures (CVE), Common Platform Enumeration (CPE) and the National Vulnerability Database (NVD).

A few attacks on Security Companies :

A few attacks on Security Companies

Vulnerability Disclosure Routes:

Vulnerability Disclosure Routes

RSA SecurID Token Compromise:

RSA SecurID Token Compromise
• RSA was compromised in March 2011 and confidential data was exfiltrated; most likely the SecurID token seeds (and possibly details of the token algorithm) were stolen.
• Initially RSA played down the impact of the breach on the security of its products.
• Defense contractor Lockheed Martin was attacked in May 2011 using data from the RSA breach.
• RSA then acknowledged the impact and offered to replace SecurID tokens (about 40 million in circulation) with new ones.
• Defense contractors Northrop Grumman and L-3 Communications were also rumored to have been attacked.

Debian OpenSSL Weak Keys:

Debian OpenSSL Weak Keys
• The vulnerability (CVE-2008-0166) was caused by the removal of two lines of code from Debian's OpenSSL package.
• The lines were removed because two memory-checking tools (Valgrind and Purify), used to find bugs in software distributed by Debian, flagged them for reading uninitialized memory; that "uninitialized" memory was one of the PRNG's entropy sources.
• The result was a predictable random number generator: the only remaining entropy was the process ID, at most 32768 values on Linux, so any key generated on an affected system came from a space of about 2^15 candidates per key type and size.
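As an added example (not part of the slides and not OpenSSL's code), the following Python simulates the failure mode: a toy key generator whose only entropy is the PID, and an attacker who enumerates all 32768 candidate seeds to recover a private key from its public fingerprint. The SHA-256 based key derivation and fingerprint are placeholders for the real RSA/DSA generation, chosen so the script runs offline in well under a second.

```python
import hashlib
import os
from typing import Optional, Tuple

# Constructed simulation of the Debian OpenSSL bug, not OpenSSL's code.
# On the affected Linux systems pid_max was 32768, so once the other
# entropy source was removed the PRNG seed had at most 2^15 values.
PID_MAX = 32768


def fingerprint_of(private_key: bytes) -> bytes:
    """Stand-in for the public key: something derived deterministically
    from the private key that an attacker can observe (a server host key,
    an authorized_keys entry, a certificate)."""
    return hashlib.sha256(b"pub|" + private_key).digest()[:8]


def weak_keygen(pid: int) -> Tuple[bytes, bytes]:
    """Toy key generation with Debian-style weak seeding.

    Returns (private_key, public_fingerprint). Because the "PRNG" is
    seeded only from the PID, the key is a pure function of the PID.
    """
    if not 0 <= pid < PID_MAX:
        raise ValueError("pid outside the Linux pid range")
    seed = pid.to_bytes(2, "big")              # all the entropy there is
    private_key = hashlib.sha256(b"toy-prng|" + seed).digest()
    return private_key, fingerprint_of(private_key)


def strong_keygen() -> Tuple[bytes, bytes]:
    """Same toy scheme seeded from the OS CSPRNG, for contrast."""
    private_key = hashlib.sha256(b"toy-prng|" + os.urandom(32)).digest()
    return private_key, fingerprint_of(private_key)


def recover_private_key(fingerprint: bytes) -> Optional[Tuple[int, bytes]]:
    """Attacker side: regenerate the key for every possible PID and compare
    fingerprints. 2^15 candidates is trivial; the real-world attack
    precomputed the keys for every PID and every common key size."""
    for pid in range(PID_MAX):
        private_key, candidate = weak_keygen(pid)
        if candidate == fingerprint:
            return pid, private_key
    return None


if __name__ == "__main__":
    # Victim generates a key on a vulnerable box; the attacker sees only the
    # fingerprint and recovers the private key by brute force.
    victim_pid = int.from_bytes(os.urandom(2), "big") % PID_MAX
    private_key, fingerprint = weak_keygen(victim_pid)
    hit = recover_private_key(fingerprint)
    print("recovered" if hit == (victim_pid, private_key) else "failed",
          f"pid={victim_pid}")
    # Against a properly seeded key the same search finds nothing.
    print(recover_private_key(strong_keygen()[1]))
```

The lesson the simulation makes concrete: removing an entropy source does not make key generation fail, it silently shrinks the keyspace, and a 2^15 keyspace is enumerated faster than a single real key is generated. The same check (can I regenerate the key from a small seed space?) is what the Debian blacklist tooling did for real SSH and SSL keys.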

More Recent Attacks on SSL/TLS:

More Recent Attacks on SSL/TLS
• BEAST (Browser Exploit Against SSL/TLS) attack (2011): a block-wise chosen-plaintext attack against CBC-mode ciphers in TLS 1.0 and SSL 3.0. It exploits the predictable IV (the previous record's last ciphertext block) that these versions use for CBC chaining; the AES cipher itself is not broken, and TLS 1.1 and later fix the IV handling.
• CRIME (Compression Ratio Info-leak Made Easy) attack (2012): leverages a property of compression functions, observing how the length of the compressed data changes when attacker-controlled input is compressed together with a secret. Can be used to recover sensitive information such as session cookies from encrypted SSL/TLS traffic when TLS-level compression is enabled.
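The CRIME length oracle, as an added example that is not from the slides: a constructed HTTP request carries an attacker-controlled query string and the victim's secret cookie, and the "network" reveals only the compressed length. The secret value, the cookie name and the hex alphabet are made up for the demo; the compression is real zlib DEFLATE, with fixed Huffman codes forced so that the bit-level cost of each literal is stable.

```python
import zlib

# Constructed demo, not code from the slides. The attacker does not know
# SECRET_COOKIE; they only learn the compressed size of each request.
SECRET_COOKIE = b"sessionid=7f3a9c1e"
HEX_ALPHABET = b"0123456789abcdef"


def observed_length(attacker_input: bytes, padding: int) -> int:
    """Model of what CRIME observes on the wire: the size of a request after
    TLS-level compression, with a stream cipher leaking the exact plaintext
    length. Attacker input and the secret share one DEFLATE window, so a
    guess that extends the match with the cookie compresses better."""
    request = (b"GET /?q=" + bytes(range(0xA0, 0xA0 + padding)) + attacker_input
               + b" HTTP/1.1\r\nHost: example.com\r\nCookie: " + SECRET_COOKIE
               + b"\r\n\r\n")
    # Z_FIXED: fixed Huffman tables, so every literal costs a known number of bits
    comp = zlib.compressobj(9, zlib.DEFLATED, zlib.MAX_WBITS, 8, zlib.Z_FIXED)
    return len(comp.compress(request) + comp.flush())


def guess_cost(guess: bytes) -> int:
    """Sum the length over 8 padding offsets. The right guess saves only
    7-8 bits, which byte rounding can hide at one alignment; the pad bytes
    (9-bit literals under fixed Huffman) shift the alignment so that the
    saving always shows up in the total."""
    return sum(observed_length(guess, k) for k in range(8))


def recover_secret(prefix: bytes = b"sessionid=", alphabet: bytes = HEX_ALPHABET,
                   max_len: int = 64) -> bytes:
    """Recover the cookie one byte at a time from the length oracle."""
    known = prefix
    while len(known) < max_len:
        costs = {c: guess_cost(known + bytes([c])) for c in alphabet}
        best = min(costs.values())
        winners = [c for c, cost in costs.items() if cost == best]
        if len(winners) != 1:
            break          # every guess is equally bad: end of the secret
        known += bytes(winners)
    return known


if __name__ == "__main__":
    print(recover_secret())
```

Each recovered byte costs 16 guesses times 8 requests here; a real attacker drives the victim's browser to issue those requests. The fix is the one browsers and servers actually shipped: disable TLS compression, and do not compress responses that mix attacker-controlled input with secrets (the HTTP-level variant of the same leak).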

Flame hijacked Microsoft Auto-update:

Flame hijacked Microsoft Auto-update
• Flame, discovered in 2012, had been operating undetected since at least 2010.
• It used an MD5 chosen-prefix collision attack (a technique publicly demonstrated against a certificate authority in 2008) to generate a counterfeit certificate chained to Microsoft's Terminal Server Licensing Service, which still issued MD5-signed certificates usable for code signing.
• The counterfeit certificate was used to sign code so that the malware appeared to be genuine Microsoft code and could be delivered through hijacked Windows Update traffic, which is why it remained undetected.

MITM-Symantec BackupExec by iViZ:

MITM-Symantec BackupExec by iViZ
• Man-in-the-middle attack on the NDMP protocol.
• NDMP (Network Data Management Protocol) is an open standard protocol for data transfers between storage devices and backup servers connected over a network.
• An attacker looking for confidential information would otherwise need to target every machine on the network; the backup server is a one-stop point where all the critical data usually resides, which is what makes it attractive.

Preboot Authentication Attack by iViZ:

Preboot Authentication Attack by iViZ
• iViZ identified flaws in numerous BIOSes and in pre-boot authentication and disk encryption software.
• BitLocker, TrueCrypt, McAfee SafeBoot, DriveCrypt, DiskCryptor, LILO, GRUB, HP BIOS and Intel/Lenovo BIOS were found to be vulnerable.
• The flaws resulted in disclosure of plaintext pre-boot authentication passwords (the keystrokes typed at the pre-boot prompt were left behind in the BIOS keyboard buffer in low memory, where code running after boot could read them).
• In some cases an attacker could bypass pre-boot authentication entirely.

Anti-virus attacks by iViZ:

Anti-virus attacks by iViZ
• Antivirus engines have to process many different file formats, each with its own parser, and every parser is attack surface reachable by untrusted input.
• We found flaws in the handling of malformed compressed, packed and binary files in different AV products.
• Some of the file formats for which we found flaws in AV products: ISO, RPM, ELF, PE, UPX, LZH.

Analysis of Vulnerabilities in Anti-virus:

Analysis of Vulnerabilities in Anti-virus
Remote Code Execution
• CVE-2010-0108: Buffer overflow in the cliproxy.objects.1 ActiveX control in the Symantec Client Proxy (CLIproxy.dll) allows remote code execution.
• CVE-2010-3499: F-Secure Anti-Virus does not properly interact with the processing of hcp:// URLs by the Microsoft Help and Support Center, which makes it easier for remote attackers to execute arbitrary code via malware that is correctly detected by this product.

Analysis of Vulnerabilities in Anti-virus:

Analysis of Vulnerabilities in Anti-virus
Detection Bypass
• CVE-2012-1461: The gzip file parser in AVG Anti-Virus, Bitdefender, F-Secure and Fortinet antivirus products allows remote attackers to bypass malware detection via a crafted .tar.gz file.
Denial of Service (DoS)
• CVE-2012-4014: Unspecified vulnerability in McAfee Email Anti-virus (formerly WebShield SMTP) allows remote attackers to cause a denial of service via unknown vectors.
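Added example (not the slides' or any vendor's code) of the parser-differential class behind the malformed-archive flaws described in the previous slides and bypasses like this one: a .gz file may consist of several concatenated members, and gzip -d and tar decode all of them, so a scanner that inflates only the first member and declares the file clean is checking different bytes than the tool that will later unpack it. The "signature" and the file contents are constructed for the demo.

```python
import gzip
import zlib

# Constructed demo; the "malware" is just a marker string.
SIGNATURE = b"X-DEMO-MALWARE-MARKER"


def build_multi_member_gzip(visible: bytes, hidden: bytes) -> bytes:
    """Two complete gzip members back to back. RFC 1952 allows this and
    gzip -d / tar xzf transparently decode both, so the hidden data is
    what ends up on disk."""
    return gzip.compress(visible) + gzip.compress(hidden)


def inflate_first_member_only(data: bytes) -> bytes:
    """Models the buggy scanner: inflate one member and ignore the rest."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # gzip-wrapped DEFLATE
    return d.decompress(data)


def inflate_all_members(data: bytes) -> bytes:
    """What the scanner should do: keep inflating until the input is
    consumed, starting a fresh member on whatever bytes were left unused
    by the previous one, and refusing truncated members."""
    out = bytearray()
    rest = data
    while rest:
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)
        out += d.decompress(rest)
        if not d.eof:
            raise ValueError("truncated gzip member")
        rest = d.unused_data
    return bytes(out)


def scan(data: bytes, inflate) -> bool:
    """Return True if the signature is found in what `inflate` yields."""
    return SIGNATURE in inflate(data)


if __name__ == "__main__":
    sample = build_multi_member_gzip(b"README: nothing to see here\n",
                                     b"payload " + SIGNATURE + b"\n")
    print("naive scanner flags it:", scan(sample, inflate_first_member_only))
    print("full scanner flags it: ", scan(sample, inflate_all_members))
    # The reference decoder sees the same bytes as the full scanner.
    print(gzip.decompress(sample) == inflate_all_members(sample))
```

The general check for any archive parser inside a security product is the same: decode exactly what the consumer (gzip, tar, the OS loader) would decode, and treat anything you cannot fully parse as suspicious rather than as clean.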

Analysis of Vulnerabilities in VPN:

Analysis of Vulnerabilities in VPN
Remote Code Execution
• CVE-2012-2493: Cisco AnyConnect Secure Mobility Client 2.x does not properly validate binaries received by the downloader process, which allows remote attackers to execute arbitrary code.
• CVE-2012-0646: Format string vulnerability in the VPN component of Apple iOS before 5.1 allows remote attackers to execute arbitrary code via a crafted racoon configuration file.

Analysis of Vulnerabilities in VPN:

Analysis of Vulnerabilities in VPN
Authentication Bypass
• CVE-2009-1155: Cisco Adaptive Security Appliances (ASA) 5500 Series and PIX Security Appliances allow remote attackers to bypass authentication and establish a VPN session to an ASA device.

Security Product Vulnerability Trends:

Security Product Vulnerability Trends

Most Vulnerable Security Product Categories:

Most Vulnerable Security Product Categories

Vulnerabilities by Security Products:

Vulnerabilities by Security Products

Vulnerabilities by Security Companies:

Vulnerabilities by Security Companies

Vulnerabilities in Security Products:

Vulnerabilities in Security Products
Figure 6: Number of vulnerabilities found in some of the major security products existing today. The X axis shows the number of vulnerabilities and the Y axis lists the products. The total for each product is calculated over all versions of the product and all of their individual vulnerabilities disclosed over the past years.

Type of Vulnerabilities in Security Products “vs” General Products:

Type of Vulnerabilities in Security Products "vs" General Products
[Two charts: All Products / Security Products]

Analysis of Vulnerabilities in security product companies:

Analysis of Vulnerabilities in security product companies
Some product companies, such as Cisco and Symantec, have more public vulnerability disclosures than others. Some of the reasons:
• Larger attack surface (more products, and more versions of each)
• Popularity: widely deployed products attract more researchers
• Recent trends such as bug bounties and the 0-day market lead to fewer public vulnerability disclosures (for companies such as Kaspersky and ISS)
• Advancement and awareness of a secure SDLC also lead to fewer trivial bugs in recent security products
A caveat to keep in mind when reading the charts: a CVE count measures published disclosures, not underlying security; a vendor with few CVEs may simply be less scrutinized or less forthcoming.

Future of attacks on Security products:

Future of attacks on Security products
• Like RSA SecurID, more security products will be the target of APT-style attacks.
• It is easier to compromise an entire network if an attacker can compromise the security systems in place.
• Security products will be (and already are being) targeted by state-sponsored or APT-style attacks.
• More vulnerabilities in security products will be sold on the 0-day black market.

Some thoughts..:

Some thoughts..
• Security companies do not necessarily produce secure software.
• A security product can itself serve as a door for an attacker.
• Security products are "high pay-off" targets since they are present on most systems.
• APT and cyber-warfare make "security products" the next choice of target.

What should we do to protect ourselves?:

What should we do to protect ourselves?
• Conduct proper due diligence on the security product.
• Ask the vendor for audit reports.
• Patch security products like any other product.
• Treat security tools the same as other tools during threat modeling: they run with high privilege and parse untrusted input.
• Have proper detection and monitoring solutions and multi-layer defense, so that a compromised security product is not a single point of failure.
• Test, and don't trust (blindly).

Thank You:

Thank You
