Consumers and businesses count on security appliances such as email gateways and unified threat management (UTM) systems to protect them from external attacks, but many of these products are riddled with vulnerabilities, meaning that a device meant to stop a breach could instead become the point of entry. The irony of security products being susceptible to software security flaws was not lost on Ben Williams, a penetration tester at NCC Group, who recently presented research on flaws in security products during a talk at Black Hat Europe 2013 in Amsterdam.
In a white paper accompanying the presentation, Williams highlighted the fact that businesses often choose security appliances over software solutions because the vendor is responsible for the underlying OS and third-party applications, relieving the customer of patch management responsibilities. However, a vendor's failure to address vulnerabilities can leave customers unprotected with little recourse, since they cannot patch the appliance themselves. Compounding the threat is the fact that these appliances run with highly privileged system access, meaning that even minor flaws can have escalated consequences.
Basic, easily identified, common security issues
Williams tested products from vendors that included Symantec, Sophos, Trend Micro, Cisco, Barracuda, McAfee and Citrix, finding that more than 80 percent had serious yet easily discovered vulnerabilities, according to IDG News Service. Among the most common issues were vulnerabilities in the products' web user interfaces, but Williams reported finding insecure design in areas that included SSH configuration, databases, maintenance scripts, file systems, patch-management processes and underlying operating system configurations.
Many of these devices claim to be built on "hardened Linux," but Williams contested this characterization, noting that many had unnecessary packages, limited monitoring and poorly configured file permissions. He found that most used old and sometimes unsupported Linux or FreeBSD operating systems that were missing security updates for the kernel and packages.
"There may be a temptation to think of security appliances as fortified; i.e. specially secured and hardened, or that these devices have undergone thorough and comprehensive security testing to eliminate insecurities as part of a secure development lifecycle," Williams wrote. "This research shows that this appears to be mostly not the case, and rather basic and easily identified and common security issues were discovered in almost all security appliances tested."
Preventing attacker access
While the threat of attacks has prompted modern web applications to adopt careful security precautions, the web UIs of many of the devices Williams studied trail far behind typical secured sites. Many were vulnerable to cross-site scripting flaws, automated password attacks or other exploits.
Since the web UI is generally responsible for managing the configuration of the underlying operating system, operating system command injection vulnerabilities are also highly prevalent, and attackers can quickly escalate privileges through issues in the web UI or in the underlying OS itself. For instance, on most email filtering appliances even an administrator can view only messages quarantined as spam, not the rest of the mail flow, for confidentiality reasons; an attacker who gains root access, however, could view all traffic and easily read or alter email content.
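The pattern described in the two paragraphs above, a form field that reaches both a shell command and the rendered page without validation, as an added example; this is not code from Williams' research or from any vendor product. The "network diagnostics" ping handler, the hostname rule and all function names are assumptions for illustration, and the vulnerable version only builds the command string so that nothing is executed.

```python
import html
import re
import shlex
import subprocess

# Hostname syntax along the lines of RFC 1123 labels: alphanumerics and inner
# hyphens, dot-separated, 253 characters at most. Spaces, ';', '$(', backticks
# and newlines are all rejected before the value reaches a shell or a page.
# (\Z rather than $ so a trailing newline cannot sneak past the check.)
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}\Z)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\Z"
)


def is_safe_hostname(host: str) -> bool:
    return HOSTNAME_RE.fullmatch(host) is not None


def shell_tokens(cmd: str) -> list:
    """Approximates how /bin/sh tokenises a command line; ';' ends a command."""
    return list(shlex.shlex(cmd, posix=True, punctuation_chars=True))


# --- the appliance anti-pattern: field -> shell string, field -> raw HTML ---

def vulnerable_diag_page(host: str):
    """Hypothetical diagnostics handler: no validation, shell string, raw HTML.

    Returns the command it would hand to a shell and the page it would render,
    without executing anything.
    """
    cmd = "ping -c 4 " + host               # with shell=True, ';' starts a second command
    page = "<h1>Ping " + host + "</h1>"     # reflected cross-site scripting
    return cmd, page


# --- hardened form ---

def hardened_diag_argv(host: str) -> list:
    """Validates the field, then builds an argv list so no shell ever parses it."""
    if not is_safe_hostname(host):
        raise ValueError("rejected hostname: %r" % host)
    return ["ping", "-c", "4", host]


def render_result_html(host: str, output: str) -> str:
    # ping output is attacker-influenced too (reverse DNS names), so escape both.
    return "<h1>Ping %s</h1><pre>%s</pre>" % (html.escape(host), html.escape(output))


def run_diagnostic_ping(host: str, timeout: int = 15) -> str:
    """Runs ping as the (unprivileged) web UI user and returns an HTML fragment."""
    argv = hardened_diag_argv(host)
    proc = subprocess.run(argv, capture_output=True, text=True,
                          timeout=timeout, shell=False)
    return render_result_html(host, proc.stdout + proc.stderr)
```

The validator is an allow-list rather than a blacklist of shell metacharacters: a hostname has a small, well-defined syntax, so anything outside it is refused outright. Passing an argv list with shell=False removes the shell from the path entirely, which is what makes the injection impossible rather than merely harder; the escaping on output closes the reflected XSS that the same field would otherwise cause. Note that run_diagnostic_ping still runs ping as whatever user the web UI runs as, which on the appliances Williams describes was frequently root; running the UI as a dedicated low-privilege account is the other half of the fix.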
Further complicating the vulnerability problems is the fact that vendors generally use many of the same components for multiple products in their security appliance lines, meaning that issues affecting one product can affect many similar ones built on the same framework. As a result, vendors should take greater precaution in preventing errors during the development process, Williams said.
"Retrospective identification and remediation of vulnerabilities in applications can be a time consuming and costly exercise, with research proving that it is far easier to build a secure application than to fix an insecure one," he wrote.
He outlined some commonly recommended secure development lifecycle practices, including defining security requirements, reviewing application design and writing safer code. Through code review and automated source code analysis, together with security testing, developers can find and fix flaws before programs are released. Additionally, processes to address security issues found after release should be in place.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.