The document discusses security vulnerabilities that have been found in security products. It notes that security products are high-value targets for hackers as they are present on most systems. It then summarizes several past attacks on major security companies and products that have allowed compromise, including the RSA SecurID token theft and vulnerabilities in antivirus software. The document analyzes trends in vulnerabilities found across security product categories and vendors.
Vulnerability in Security Products
1. (In)Security in Security Products
Who do you turn to when your
security product becomes a gateway
for attackers?
iViZ- Cloud based Application Penetration Testing (Zero False Positive Guarantee)
2. Introduction
• About iViZ
– Cloud based Penetration Testing
– Zero False Positive Guarantee
– Business Logic Testing with 100% WASC coverage
– 300+ customers. IDG Ventures Funded.
– Gartner Hype Cycle mention
• About my self
– Co-founder and CEO of iViZ
– Worked in areas of AI, Anti-spam filters, Multi stage attack
simulation etc
– Love AI, Security, Entrepreneurship, Magic /Mind Reading
3. About the Report/Study
• Security Products are present in most of the systems
and theoretically can become a “high pay-off” target
for hackers after the OS, Browsers etc
• At iViZ we wanted to study how secure are the security
products
• iViZ used databases such as the Common Vulnerability
Enumeration (CVE), Common Product Enumeration
(CPE) and National Vulnerability Database (NVD) for
the Analysis
4. A few attacks on Security Companies
Unfolding of Events
• RSA SecurID tokens stolen
• VeriSign hacked into repeatedly, top management not aware
• Lockheed Martin suffers network intrusion
• L-3 Communication reveals having suffered intrusions
• Hackers claim to have Norton source code
• Comodo compromised, fraudulent SSL certificates issued
6. RSA SecurID Token Compromise
• RSA compromised in March, 2011 and confidential data was exfiltrated
– Most likely algorithms and PRNG seeds were stolen.
• Initially, RSA maintained that the breach had no impact on the security of RSA products.
• Defense contractor Lockheed Martin compromised in
June, 2011 using data from RSA attack.
• RSA finally acknowledged the attack and replaced all
SecurID tokens (40 million) with new ones.
• Defense contractors Northrop Grumman and L-3
Communications also rumored to have been attacked.
7. Debian OpenSSL Weak Keys
• Vulnerability caused by the removal of 2 lines of code. These lines were removed as "suggested" by two security tools (Valgrind and Purify) used to find vulnerabilities in the software distributed by Debian
• Resulted in a predictable random number generator.
• Hence any private key generated was predictable (entropy ~ 2^15).
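The practical consequence of ~2^15 bits of entropy is that a defender can precompute every key the broken generator could ever emit and reject any of them on sight, which is how the weak keys were blacklisted in practice. The block below is an added illustration written for this page, not Debian's or OpenSSL's code: `weak_keygen` is a constructed toy derivation whose only varying input is a 15-bit process id (modelling the bug, not the real RNG), `fixed_keygen` mixes an entropy input back in, and `build_blacklist` / `is_weak` show the fingerprint-based check.

```python
import hashlib

SEED_BITS = 15          # the deck's estimate of the surviving entropy: ~2^15
FINGERPRINT_HEX = 20    # hex chars of SHA-256 kept per blacklist entry

def weak_keygen(pid):
    """Constructed toy model of the bug: key material depends only on a
    15-bit process id, so at most 2^15 distinct keys can ever come out.
    This is NOT the real OpenSSL code path, just the shape of the defect."""
    return hashlib.sha256(b"toy-key:" + pid.to_bytes(2, "big")).digest()

def fixed_keygen(pid, os_entropy):
    """Same toy derivation with the missing entropy mixed back in."""
    return hashlib.sha256(b"toy-key:" + pid.to_bytes(2, "big") + os_entropy).digest()

def fingerprint(key):
    """Short, stable identifier for a key (what a blacklist stores)."""
    return hashlib.sha256(key).hexdigest()[:FINGERPRINT_HEX]

def build_blacklist():
    """Enumerate every key the weak generator can produce: 32768 fingerprints,
    cheap enough to compute on a laptop, which is exactly the problem."""
    return {fingerprint(weak_keygen(pid)) for pid in range(1 << SEED_BITS)}

def is_weak(key, blacklist):
    """Defender-side check: refuse a key that the broken generator could have made."""
    return fingerprint(key) in blacklist

if __name__ == "__main__":
    blacklist = build_blacklist()
    print("distinct keys the weak generator can ever produce:", len(blacklist))
    print("weak key flagged:", is_weak(weak_keygen(4242), blacklist))
    # constructed 32-byte entropy value; any real deployment would use the OS RNG
    print("fixed key flagged:", is_weak(fixed_keygen(4242, b"\x5a" * 32), blacklist))
```

The check does not need to know which process id produced a key: membership in the precomputed set is enough, which is why the original blacklist could be shipped as a static file.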
8. More Recent Attacks on SSL/TLS
• BEAST (Browser Exploit Against SSL/TLS) Attack (2011)
– a block-wise chosen-plaintext attack against the AES encryption algorithm that's used in TLS/SSL
• CRIME (Compression Ratio Info-leak Made Easy) Attack (2012)
– works by leveraging a property of compression functions, and noting how the length of the compressed data changes.
– Can be used to obtain sensitive information like session cookies in encrypted SSL traffic
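The CRIME property is easy to check for in one's own stack: if attacker-controlled text and a secret share one compression context, the size on the wire shrinks as the two overlap, and encryption does nothing to hide that size. The block below is an added example for this page, not code from the original talk: the request layout, the constructed `SECRET_COOKIE` and the filler string are assumptions, and `length_leak` is the regression-style check a defender would run with compression on (leak present) and off (the mitigation).

```python
import zlib

# Constructed secret that the client attaches to every request
SECRET_COOKIE = b"session=7f3a9c1e2b4d"
# Filler with no repeated bytes, so it never compresses against itself
FILLER = b"KQZXJVWBYMNP"

def build_request(attacker_text, cookie=SECRET_COOKIE):
    """Attacker-chosen text and the secret cookie share one plaintext,
    the precondition for a compression side channel."""
    return (b"GET /search?q=" + attacker_text + b" HTTP/1.1\r\n"
            b"Host: example.test\r\n"
            b"Cookie: " + cookie + b"\r\n\r\n")

def wire_size(request, compress):
    """Bytes that would go onto the wire; TLS hides content, not length."""
    return len(zlib.compress(request, 9)) if compress else len(request)

def sizes_by_overlap(compress, max_overlap=len(FILLER)):
    """Wire size as the attacker text shares k bytes with the secret.
    The plaintext length is held constant; only the content overlap varies."""
    sizes = []
    for k in range(max_overlap + 1):
        guess = SECRET_COOKIE[:k] + FILLER[k:]
        sizes.append(wire_size(build_request(guess), compress))
    return sizes

def length_leak(compress):
    """True when a full-overlap guess goes out smaller than a no-overlap one,
    i.e. the wire size depends on the secret. Disabling compression of
    secret-bearing data (the CRIME mitigation) makes this return False."""
    sizes = sizes_by_overlap(compress)
    return sizes[-1] < sizes[0]

if __name__ == "__main__":
    print("compressed sizes by overlap:", sizes_by_overlap(True))
    print("leak with compression:", length_leak(True))
    print("leak without compression:", length_leak(False))
```

The detection only needs two measurements (no overlap versus full overlap), which keeps it usable as a unit test; the fix is to keep attacker-influenced data and secrets out of the same compression context, or to turn compression off entirely, as browsers and servers did for TLS-level compression after 2012.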
9. Flame hijacked Microsoft Auto-update
• Flame, discovered in 2012, had been operating undetected since at least 2010.
• Used an MD5 collision attack (demonstrated in 2008) to generate a counterfeit copy of a Microsoft Terminal Server Licensing Service certificate.
• Used the counterfeit certificate to sign code so that the malware appeared to be genuine Microsoft code and hence remained undetected.
10. MITM-Symantec BackupExec by iViZ
• Man-in-the-middle attack on the NDMP protocol
• NDMP is an open standard protocol that allows data transfers between various storage devices connected over a network.
• Whereas an attacker looking for confidential information would otherwise need to target every machine in the network, the backup server is a one-stop point where all the critical data usually resides.
11. Preboot Authentication Attack by iViZ
• iViZ identified flaws in numerous BIOSes and pre-boot authentication and disk encryption software
– BitLocker, TrueCrypt, McAfee SafeBoot, DriveCryptor, DiskCryptor, LILO, GRUB, HP BIOS, Intel/Lenovo BIOS found to be vulnerable.
• Flaws resulted in disclosure of plaintext pre-boot authentication passwords.
• In some cases, an attacker could bypass pre-boot authentication.
12. Anti-virus attacks by iViZ
• Antivirus software processes many different types of files with different file formats.
• We found flaws in the handling of malformed compressed, packed and binary files in different AV products
• Some of the file formats for which we found flaws in AV products are
– ISO, RPM, ELF, PE, UPX, LZH
13. Analysis of Vulnerabilities in Anti virus
• Remote Code Execution
– CVE-2010-0108: Buffer overflow in the cliproxy.objects.1 ActiveX control in the Symantec Client Proxy (CLIproxy.dll) allows remote code execution
– CVE-2010-3499: F-Secure Anti-Virus does not properly interact with the processing of http:// URLs by the Microsoft Help and Support Center, which makes it easier for remote attackers to execute arbitrary code via malware that is correctly detected by this product
14. Analysis of Vulnerabilities in Anti virus
• Detection Bypass
– CVE-2012-1461: The Gzip file parser in AVG Anti-Virus, Bitdefender, F-Secure and Fortinet antiviruses allows remote attackers to bypass malware detection via a .tar.gz file
• Denial of Service (DoS)
– CVE-2012-4014: Unspecified vulnerability in McAfee Email Anti-virus (formerly WebShield SMTP) allows remote attackers to cause a denial of service via unknown vectors.
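Slide 12 (malformed compressed files) and the CVE-2012-1461 entry above describe the same failure mode: a scanner's archive parser gives up on a container it cannot read, and "could not parse" is silently reported as "clean". The block below is an added illustration for this page, not code from any of the products named: `MARKER` is a constructed stand-in for a signature, `make_tgz` builds a test archive in memory, `corrupt_gzip_magic` produces a container the parser rejects, and the two scanners differ only in what they do when parsing fails.

```python
import io
import tarfile
import zlib

# Constructed stand-in for a real malware signature; NOT a real detection string.
MARKER = b"CONSTRUCTED-BAD-MARKER"

def make_tgz(payload, name="payload.bin"):
    """Build an in-memory .tar.gz holding one file (constructed test input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def corrupt_gzip_magic(archive):
    """Damage the 2-byte gzip magic so the container parser rejects the file."""
    return b"\x00\x00" + archive[2:]

def _scan_members(archive):
    """Walk every member and look for the marker; raise on any format error."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tf:
        for member in tf.getmembers():
            f = tf.extractfile(member)
            if f is not None and MARKER in f.read():
                return "malicious"
    return "clean"

PARSE_ERRORS = (tarfile.TarError, OSError, EOFError, zlib.error)

def scan_fail_open(archive):
    """Weak behaviour: a parser error is swallowed and reported as 'clean',
    so a malformed container walks straight past the scanner."""
    try:
        return _scan_members(archive)
    except PARSE_ERRORS:
        return "clean"

def scan_fail_closed(archive):
    """Hardened behaviour: a file the scanner cannot parse is reported as
    'unscannable', so policy can quarantine or block it instead of passing it."""
    try:
        return _scan_members(archive)
    except PARSE_ERRORS:
        return "unscannable"

if __name__ == "__main__":
    archive = make_tgz(b"header " + MARKER + b" trailer")
    for label, data in (("intact", archive), ("malformed", corrupt_gzip_magic(archive))):
        print(f"{label:9} fail-open={scan_fail_open(data):10} "
              f"fail-closed={scan_fail_closed(data)}")
```

The verdict vocabulary matters as much as the parser: a three-valued result (clean, malicious, unscannable) lets a mail gateway or endpoint policy treat parse failures as a risk signal, which a boolean "infected?" cannot express.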
15. Analysis of Vulnerabilities in VPN
• Remote Code Execution
– CVE-2012-2493: Cisco AnyConnect Secure Mobility Client 2.x does not properly validate binaries that are received by the downloader process, which allows remote attackers to execute arbitrary code.
– CVE-2012-0646: Format string vulnerability in VPN in Apple iOS before 5.1 allows remote attackers to execute arbitrary code via a crafted racoon configuration file.
16. Analysis of Vulnerabilities in VPN
• Authentication Bypass
– CVE-2009-1155: Cisco Adaptive Security Appliances (ASA) 5500 Series and PIX Security Appliances allow remote attackers to bypass authentication and establish a VPN session to an ASA device
20. Vulnerabilities by Security Companies
Figure: bar chart of public vulnerability counts by vendor (x axis: number of vulnerabilities, 0 to 1200). Vendors plotted: ClamAV, Kaspersky Lab, Cisco, Trend Micro, Symantec, McAfee, ISS, Checkpoint, CA.
21. Vulnerabilities in Security Products
Figure 6: Shows the number of vulnerabilities found in some of the major security products existing today. The X axis displays the number of vulnerabilities (0 to 80) and the Y axis displays some of the major security products. Total vulnerabilities against each security product are calculated by considering all the versions of the products and their individual vulnerabilities discovered over the past years.
Products plotted: F-Secure Anti-virus, Cisco PIX Firewall, Sophos Anti-virus, Cisco Adaptive Security Appliance, Kaspersky Anti-virus, ClamAV Anti-virus, Trend Micro OfficeScan, AVG AntiVirus, Norton Personal Firewall, Norton AntiVirus, Checkpoint Firewall-1, Symantec Norton Internet Security, McAfee Anti Virus.
22. Type of Vulnerabilities in Security Products “vs” General Products
Figure: two pie charts comparing the share of each weakness type across all products (left) and security products (right). Weakness categories plotted: SQL Injection, XSS, Buffer Errors, Access Control, Input Validation, Code Injection, Resource Management Errors, Path Traversal, Information Leak. (Individual percentage labels are not reproduced here.)
23. Analysis of Vulnerabilities in security product companies
• Some of the product companies, like Cisco, Symantec etc., have more public vulnerability disclosures than others. Some of the reasons are:
– Larger attack surface (more products and their versions)
– Popularity index
• Latest trends like bug bounties and the 0-day market lead to fewer public vulnerability disclosures (companies like Kaspersky and ISS)
• Advancement and awareness of Secure SDLC also lead to fewer trivial bugs in the latest security products.
24. Future of attacks on Security products
• Like RSA SecurID, more security products would be targets of APT-style attacks.
• It is easier to compromise an entire network if an attacker can compromise the security systems in place.
• Security products would be (and are being) targeted by state-sponsored or APT-style attacks
• More vulnerabilities would be sold on the zero-day black market
25. Some thoughts..
• Security companies do not necessarily produce secure software
• Security products can themselves serve as a door for a hacker
• Security products are “high pay-off” targets since they are present in most systems
• APT and cyber-warfare make “security products” the next target of choice
26. What should we do to protect ourselves?
• Conduct proper due diligence of the security product
• Ask for audit reports
• Patch security products like any other product
• Treat security tools in the same manner as other tools during threat modeling
• Have proper detection and monitoring solutions and multi-layer defense
• Test and don’t trust (blindly)
27. Thank You
bikash@ivizsecurity.com
Editor's notes
Interesting points: the vulnerability life cycle involves three stages: vulnerability discovery, vulnerability disclosure, patch release and patch applied. For an organization, a vulnerability is not fixed until the patch is applied. Vulnerability disclosure may happen via various routes: internal disclosure (the internal security team or pentesters find the vulnerability; the safest route); public disclosure (accidental disclosure); white 0-day market (Zero Day Initiative, iDefense, bug bounties, ...). As we go deeper, the time to disclose the vulnerability and the impact increase drastically. A zero day utilized in cyber warfare has a far bigger impact than a casual attacker utilizing the same 0-day.
Antivirus software is one of the most complicated applications. It has to deal with hundreds of file types and formats: executables (exe, dll, msi, com, pif, cpl, elf, ocx, sys, scr, etc.); documents (doc, xls, ppt, pdf, rtf, chm, hlp, etc.); compressed archives (arj, arc, cab, tar, zip, rar, z, zoo, lha, lzh, ace, iso, etc.); executable packers (upx, fsg, mew, nspack, wwpack, aspack, etc.); media files (jpg, gif, swf, mp3, rm, wmv, avi, wmf, etc.). Each of these formats can be quite complex. Hence, it is extremely difficult for antivirus software to process all these formats appropriately.
Most evident facts: 1. Vulnerability disclosures were at their peak during 2007. 2. Slow but steady decrease in public disclosure. 3. Security products follow a vulnerability disclosure curve similar to any other product. Not so obvious: 1. Bug bounties. 2. Black 0-day market. 3. The rise and rise of the price of critical vulnerabilities. 4. In summary, fixing the vulnerability before it goes public is a hot trend.
Most evident facts: 1. Firewalls and antivirus lead the show with the most vulnerabilities.
Most evident facts: 1. ClamAV and Norton Antivirus lead the show with the most vulnerabilities discovered. 2. McAfee antivirus has the fewest public vulnerability disclosures. 3. Mostly firewalls and antivirus lead the show with the most vulnerabilities. Not so obvious facts: 1. ClamAV is an open source product, hence subject to severe scrutiny from security researchers.
Most evident: Cisco leads the show with the most vulnerabilities, followed by Symantec and CA. Kaspersky and ISS have the fewest public vulnerability disclosures. Not so obvious: Cisco, Symantec and CA have a wide variety of product offerings (hundreds of products and their versions); as a result they have a much larger attack surface to defend.
Most evident: Ultimately any security product is a piece of code, and they have similar weaknesses. Input validation and buffer overflows constitute 38% of all the weaknesses in security products. Input validation, buffer overflows, access control, cross-site scripting and resource management are the most common weaknesses found in security products. SQL injection is less common in security products than in all products. Not so obvious facts: 1. Apart from security vulnerabilities, there are various antivirus and firewall bypassing techniques available utilizing cryptography, steganography etc.