Your security infrastructure (firewalls, IDS/IPS devices, management consoles, etc.) holds a very sensitive position of trust. This equipment is relied upon to reliably perform security critical functions under potentially hostile conditions. These are highly valuable assets to an attacker, yet their value is sometimes not captured by conventional risk management. This presentation will explore several new vulnerabilities and weaknesses in these products, with the goal of offering useful recommendations and approaches for mitigating the risk.
This presentation explores a series of vulnerabilities and weaknesses in security infrastructure that we discovered and responsibly disclosed. We’re in the business of managing and monitoring this gear for our clients, so we have great familiarity with all aspects of its operation. We've found that security infrastructure appears to be just as prone to security vulnerabilities as other commercial software, if not more so.
Daniel King discovered McAfee Network Security Manager (the web-based management appliance for McAfee IPS sensors) was vulnerable to authentication bypass / session hijacking (CVE-2009-3565) and cross-site scripting (CVE-2009-3566) vulnerabilities. We’ll demonstrate a proof-of-concept attack scenario that blends these vulnerabilities to gain unauthorized access to the NSM web management interface through cookie stealing and hijacking an administrator’s session.
Jeff Jarmoc discovered an access-control list (ACL) bypass vulnerability in Cisco Adaptive Security Appliance (ASA) and Cisco PIX (CVE-2009-1160, Cisco Bug ID CSCsq91277). These devices would fail to apply the expected implicit deny behavior for packets that did not match any ACEs in an ACL.
The TLS renegotiation vulnerability publicly disclosed in November 2009 (CVE-2009-3555) impacted many products, including Cisco Adaptive Security Device Manager (ASDM) (Cisco Bug ID CSCtd00697). We will demonstrate a never before seen proof-of-concept attack that exploits the TLS authentication gap to achieve arbitrary command injection against the Cisco ASDM web-based management interface. A man-in-the-middle may arbitrarily manipulate the ASA policies managed by an ASDM by exploiting the TLS authentication gap. Cisco fixed this in a general deployment release on January 11, 2010 with version 8.2(2). If you haven’t patched before seeing this demo, you will want to afterward!
Using these vulnerabilities and weaknesses as illustrative examples, we will offer real-world recommendations for on how to better secure your organization’s security infrastructure. Some recommendations include ruling your security infrastructure as within scope during penetration testing and security assessment activities, including product security in your organization’s purchasing and product evaluation processes, and somewhat ironically, deployment of security products in the role of compensating controls for potential vulnerabilities in other parts of your organization’s security infrastructure.
SecureWorks Counter Threat Unit Ben Feinstein is Director of Research with the SecureWorks Counter Threat Unit(SM). He first became involved in information security in 2000, working on a DARPA / US Air Force contract. Ben is the author of RFC 4765 and RFC 4767. He has over a decade of experience designing and implementing security-related information systems. Ben's major areas of expertise include IDS/IPS, digital forensics and incident response, and secure messaging. In the past, he has presented at Black Hat USA, DEFCON, ToorCon, DeepSec, ACSAC, IETF meetings and others.
SecureWorks Jeff Jarmoc has over 10 years experience as a network and security infrastructure engineer for major financial services and healthcare companies. This background gives him a unique operational focus to security research and a holistic real world understanding of the challenges we as an industry face. In his role as a Security Engineer at SecureWorks, he's responsible for acting as subject matter expert on all operational aspects of infrastructure and network security. He's been credited with discovery of several vulnerabilities and bugs in major security appliances.
SecureWorks Dan King is a penetration tester with SecureWorks, where he is responsible for penetration, web application, and PCI compliance testing for both Fortune 500 and small-to-medium size businesses that operate in compliance sensitive industries. In addition, he performs vulnerability research, currently focusing on vulnerability discovery using fuzzing techniques, with several public disclosures to his credit. He enjoys exposing flaws in client-side document formats and likes nothing better than to break security products to expose threats. In previous roles, he served in a market leading Security Operations Center to provide IDS analysis and incident response services to a global base of monitored clients.