At the end of the year we like to take some time to review the past year's penetration testing reports to identify lessons learned, trends, and even possible areas we might be able to focus on to benefit our customers. During this year's review, something really interesting caught our attention in the external network penetration test results.
In a large portion of our external network penetration tests that resulted in a compromise of the internal network from an external attacker's perspective, an external-facing appliance was involved. These appliances spanned a wide range of functionality and provided services that included load balancing, network optimization, VoIP services, remote access, and even core networking functions such as routing, switching and access control. This most likely isn't surprising or really new to anyone who has been assessed from an external network attacker's perspective, as these appliances make up the largest portion of the overall attack surface, probably second only to an organization's web application attack surface.
Configuration management and misconfigurations tend to be the main source of vulnerabilities identified in these appliances, and this really hasn't changed based on our penetration testing results. However, there is one source of vulnerabilities that trended to become the second most common source of exploitable vulnerabilities in our reports: patch management!
We all know patch management is an issue and a major concern for servers, workstations, mobile devices and even our applications, resulting in most of us focusing our attention on just these key areas. Appliances tend to be looked at very differently and are normally configured and deployed to meet a specific requirement or business objective. These appliances are then often forgotten and hardly ever show up in our patch management strategy and policies, leading to a gaping hole in our security posture!
These seemingly simple functionality- or service-providing appliances have grown in complexity as vendors race to provide intuitive and easy-to-configure devices that meet your requirements. This in turn has led to most of these appliances unintentionally increasing an attacker's avenues of attack and the likelihood that an exploitable vulnerability exists.
What are some of the most common vulnerabilities we see in these appliances? They are the same vulnerabilities seen in most web application assessments: cross-site scripting, cross-site request forgery, insecure session tokens, and file inclusion vulnerabilities. This shouldn't be very surprising either, as most of these appliances have implemented their user interfaces as web applications.
What was and is most concerning to us is that a majority of the vulnerabilities exploited in these appliances during our assessments had been patched by the vendor, on average, over 18 months prior to our assessment. Sure, we found our fair share of unknown vulnerabilities, which we disclosed to the customer and to the appliance vendor, but this is to be expected and, well, almost acceptable. What should not be expected or acceptable is that these appliances are exposed to the external attacker with known vulnerabilities that can be easily exploited.
So what can be done to lessen the likelihood of falling victim to this issue?
- Ensure appliances are fully integrated into your patch management strategy and policies. This should include embracing the same metrics used to monitor, deploy and verify security patches for servers, workstations and applications; obviously easier said than done.
- Stop making it a norm or the unspoken standard to provide exemptions to security policies because the system is an “appliance”.
- Apply pressure on appliance vendors to understand that, if they want to continue providing a solution in your environment, being able to apply security patches and updates is just as important as the latest and greatest feature!
- Subscribe to and monitor vendor mailing lists and information feeds that provide security update and patch release information for the appliances in your technology environment.
- Ensure these appliances are included in the testing scope of the security assessments being performed, such as penetration tests and vulnerability assessments.
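Taken together, the list above amounts to a lightweight patch-tracking process for appliances: keep an inventory, match it against the vendor advisories you subscribe to, and report the same metrics a server patch program would. As an added illustration (this is example code, not code from the original post or from any vendor), the Python script below does exactly that and flags missing fixes that have been available longer than the 18-month figure quoted above, with internet-facing devices called out separately. All vendor names, products, firmware versions, advisory ids and dates are constructed sample data.

```python
"""Added example: report appliance patch exposure with server-style metrics.

All inventory and advisory data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean

# The post found exploited patches were, on average, more than 18 months old.
STALE_DAYS = 548  # roughly 18 months


@dataclass(frozen=True)
class Appliance:
    hostname: str
    vendor: str
    product: str
    firmware: str
    internet_facing: bool


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id from the constructed vendor feed
    vendor: str
    product: str
    fixed_in: str      # first firmware version that contains the fix
    released: date     # date the vendor published the patch


@dataclass(frozen=True)
class Finding:
    hostname: str
    advisory_id: str
    days_outstanding: int   # days the fix has been available but not applied
    internet_facing: bool


def parse_version(version: str) -> tuple:
    """Turn '12.4.10' into (12, 4, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_affected(appliance: Appliance, advisory: Advisory) -> bool:
    """An appliance is affected when it runs the advisory's product below the fixed version."""
    return (appliance.vendor == advisory.vendor
            and appliance.product == advisory.product
            and parse_version(appliance.firmware) < parse_version(advisory.fixed_in))


def find_missing_patches(appliances, advisories, today: date) -> list:
    """Cross-reference the inventory with the advisory feed; one Finding per missing fix."""
    findings = []
    for appliance in appliances:
        for advisory in advisories:
            if is_affected(appliance, advisory):
                findings.append(Finding(appliance.hostname, advisory.advisory_id,
                                        (today - advisory.released).days,
                                        appliance.internet_facing))
    return findings


def patch_metrics(findings) -> dict:
    """The same figures a server patch program reports: count, mean age, stale count."""
    if not findings:
        return {"missing": 0, "mean_days": 0, "stale": 0, "stale_external": 0}
    return {
        "missing": len(findings),
        "mean_days": round(mean(f.days_outstanding for f in findings)),
        "stale": sum(f.days_outstanding > STALE_DAYS for f in findings),
        "stale_external": sum(f.days_outstanding > STALE_DAYS and f.internet_facing
                              for f in findings),
    }


# Constructed inventory: the kinds of devices the post lists, with made-up versions.
APPLIANCES = [
    Appliance("lb-edge-01", "ExampleVendor", "LoadBalancer", "4.2.1", True),
    Appliance("vpn-gw-01", "ExampleVendor", "RemoteAccess", "9.0.0", True),
    Appliance("wan-opt-02", "OtherVendor", "WanOptimizer", "2.8.4", False),
    Appliance("core-sw-01", "OtherVendor", "CoreSwitch", "12.4.10", False),
]

# Constructed advisory feed, as you would build it from vendor mailing lists.
ADVISORIES = [
    Advisory("EV-2013-001", "ExampleVendor", "LoadBalancer", "4.3.0", date(2013, 3, 12)),
    Advisory("EV-2014-007", "ExampleVendor", "RemoteAccess", "9.1.2", date(2014, 11, 20)),
    Advisory("OV-2013-004", "OtherVendor", "WanOptimizer", "2.9.0", date(2013, 6, 1)),
    Advisory("OV-2014-002", "OtherVendor", "CoreSwitch", "12.4.8", date(2014, 2, 10)),
]

TODAY = date(2015, 1, 5)  # constructed review date


if __name__ == "__main__":
    results = find_missing_patches(APPLIANCES, ADVISORIES, TODAY)
    for f in sorted(results, key=lambda f: -f.days_outstanding):
        exposure = "EXTERNAL" if f.internet_facing else "internal"
        print(f"{f.hostname:<12} {f.advisory_id:<12} {f.days_outstanding:>4} days {exposure}")
    print(patch_metrics(results))
```

Run as a script it prints one line per missing fix, oldest first, followed by the summary; the core switch is already above the fixed version and so produces no finding. In practice the inventory and advisory lists would be loaded from your CMDB and from the vendor feeds you subscribe to, and the `stale_external` figure is the one worth putting in front of whoever grants "it's an appliance" policy exemptions.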