Vulnerability in Security Products

Know the vulnerabilities in security products, the risks they expose us to, and how to counter them in the most effective manner. Know the secrets which are not revealed:
• How secure are security products?
• What vulnerabilities do security products bring into your environment?
• Which are the most vulnerable security products?
• Which security vendors have the most published vulnerabilities?
• How to manage the risks?

Published in: Technology
Notes
  • Interesting points: the vulnerability life cycle involves three stages: Vulnerability Discovery, Vulnerability Disclosure, and Patch Release and Patch Applied. For an organization, a vulnerability is not fixed until the patch is applied. Vulnerability disclosure may happen via various routes: Internal Disclosure (the internal security team or pentesters find the vulnerability; the safest route), Public Disclosure (accidental disclosure), and the White 0-Day Market (Zero Day Initiative, iDefense, bug bounties, ...). As we go deeper, the time to disclose the vulnerability and the impact increase drastically. A zero day utilized in cyber warfare has far greater impact than a casual attacker utilizing the same 0-day.
  • http://www.ivizsecurity.com/security-advisory-iviz-sr-11001.html http://www.slideshare.net/nibin012/attacking-backup-softwares
  • Antivirus software is one of the most complicated applications. It has to deal with hundreds of file types and formats: executables (exe, dll, msi, com, pif, cpl, elf, ocx, sys, scr, etc.); documents (doc, xls, ppt, pdf, rtf, chm, hlp, etc.); compressed archives (arj, arc, cab, tar, zip, rar, z, zoo, lha, lzh, ace, iso, etc.); executable packers (upx, fsg, mew, nspack, wwpack, aspack, etc.); media files (jpg, gif, swf, mp3, rm, wmv, avi, wmf, etc.). Each of these formats can be quite complex, so it is extremely difficult for antivirus software to process all of them correctly.
  • Most evident facts: 1. Vulnerability disclosures peaked during 2007. 2. Slow but steady decrease in public disclosure since then. 3. Security products follow a vulnerability disclosure curve similar to any other product. Not so obvious: 1. Bug bounties. 2. Black 0-day market. 3. The ever-rising price of critical vulnerabilities. 4. In summary, fixing the vulnerability before it goes public is a hot trend.
  • Most evident facts: 1. Firewalls and antivirus lead the show with the most vulnerabilities.
  • Most evident facts: 1. ClamAV and Norton Antivirus lead the show with the most vulnerabilities discovered. 2. McAfee antivirus has the fewest public vulnerability disclosures. 3. Mostly, firewalls and antivirus lead the show with the most vulnerabilities. Not so obvious facts: 1. ClamAV is the open source product, hence subject to severe scrutiny by security researchers.
  • Most evident: Cisco leads the show with the most vulnerabilities, followed by Symantec and CA. Kaspersky and ISS have the fewest public vulnerability disclosures. Not so obvious: Cisco, Symantec and CA have a wide variety of product offerings (hundreds of products and their versions); as a result they have a much larger attack surface to defend.
  • Most evident: Ultimately any security product is a piece of code, so they have similar weaknesses. Input validation and buffer overflows constitute 38% of all the possible weaknesses in security products. Input validation, buffer overflows, access control, cross site scripting and resource management are the most common weaknesses found in security products. SQL injection is less common in security products than in all products. Not so obvious facts: 1. Apart from security vulnerabilities, there are various antivirus and firewall bypassing techniques available utilizing cryptography, steganography, etc.
Transcript

    • 1. (In)Security in Security Products
      Who do you turn to when your security product becomes a gateway for attackers?
      iViZ- Cloud based Application Penetration Testing (Zero False Positive Guarantee)
    • 2. Introduction
      • About iViZ
        – Cloud based Penetration Testing
        – Zero False Positive Guarantee
        – Business Logic Testing with 100% WASC coverage
        – 300+ customers. IDG Ventures funded.
        – Gartner Hype Cycle mention
      • About myself
        – Co-founder and CEO of iViZ
        – Worked in areas of AI, anti-spam filters, multi-stage attack simulation, etc.
        – Love AI, Security, Entrepreneurship, Magic / Mind Reading
    • 3. About the Report/Study
      • Security products are present in most systems and can theoretically become a "high pay-off" target for hackers after the OS, browsers, etc.
      • At iViZ we wanted to study how secure the security products are
      • iViZ used databases such as the Common Vulnerability Enumeration (CVE), Common Product Enumeration (CPE) and National Vulnerability Database (NVD) for the analysis
    • 4. A few attacks on Security Companies
      • RSA SecurID tokens stolen
      • VeriSign hacked into repeatedly, top management not aware
      • Lockheed Martin suffers network intrusion
      • L-3 Communications reveals having suffered intrusions
      • Hackers claim to have Norton source code
      • Comodo compromised, fraudulent SSL certificates issued
      (The slide arranges these events around an "Unfolding of Events" timeline.)
    • 5. Vulnerability Disclosure Routes
      (Diagram of the disclosure routes; the routes are described in the notes above.)
    • 6. RSA SecurID Token Compromise
      • RSA compromised in March, 2011 and confidential data was exfiltrated
        – Most likely algorithms and PRNG seeds were stolen.
      • Initially, RSA maintained that the breach had no impact on the security of RSA products.
      • Defense contractor Lockheed Martin compromised in June, 2011 using data from the RSA attack.
      • RSA finally acknowledged the attack and replaced all SecurID tokens (40 million) with new ones.
      • Defense contractors Northrop Grumman and L-3 Communications also rumored to have been attacked.
    • 7. Debian OpenSSL Weak Keys
      • Vulnerability caused by the removal of 2 lines of code. These lines were removed as "suggested" by two security tools (Valgrind and Purify) used to find vulnerabilities in the software distributed by Debian
      • Resulted in a predictable random number generator.
      • Hence any private key generated was predictable (entropy ~ 2^15).
    • 8. More Recent Attacks on SSL/TLS
      • BEAST (Browser Exploit Against SSL/TLS) attack (2011)
        – a block-wise chosen-plaintext attack against the AES encryption algorithm that is used in TLS/SSL
      • CRIME (Compression Ratio Info-leak Made Easy) attack (2012)
        – works by leveraging a property of compression functions, and noting how the length of the compressed data changes.
        – Can be used to obtain sensitive information like session cookies in encrypted SSL traffic
    • 9. Flame hijacked Microsoft Auto-update
      • Flame, discovered in 2012, had been operating undetected since at least 2010.
      • Used an MD5 collision attack (demonstrated in 2008) to generate a counterfeit copy of a Microsoft Terminal Server Licensing Service certificate.
      • Used the counterfeit certificate to sign code so that malware appeared to be genuine Microsoft code and hence remained undetected.
    • 10. MITM - Symantec BackupExec by iViZ
      • Man in the middle attack on the NDMP protocol
      • NDMP is an open standard protocol that allows data transfers between various storage devices connected over a network.
      • Where an attacker looking for confidential information would otherwise need to target all the machines in the network, the backup server is a one-stop point where all the critical data usually resides.
    • 11. Preboot Authentication Attack by iViZ
      • iViZ identified flaws in numerous BIOSes and pre-boot authentication and disk encryption software
        – BitLocker, TrueCrypt, McAfee SafeBoot, DriveCryptor, DiskCryptor, LILO, GRUB, HP BIOS, Intel/Lenovo BIOS found to be vulnerable.
      • Flaws resulted in disclosure of plaintext pre-boot authentication passwords.
      • In some cases, an attacker could bypass pre-boot authentication.
    • 12. Anti-virus attacks by iViZ
      • Antivirus processes different types of files having different file formats.
      • We found flaws in handling malformed compressed, packed and binary files in different AV products
      • Some of the file formats for which we found flaws in AV products are
        – ISO, RPM, ELF, PE, UPX, LZH
    • 13. Analysis of Vulnerabilities in Anti-virus
      • Remote Code Execution
        – CVE-2010-0108: Buffer overflow in the cliproxy.objects.1 ActiveX control in the Symantec Client Proxy (CLIproxy.dll) allows remote code execution
        – CVE-2010-3499: F-Secure Anti-Virus does not properly interact with the processing of http:// URLs by the Microsoft Help and Support Center, which makes it easier for remote attackers to execute arbitrary code via malware that is correctly detected by this product
    • 14. Analysis of Vulnerabilities in Anti-virus
      • Detection Bypass
        – CVE-2012-1461: The Gzip file parser in AVG Anti-Virus, Bitdefender, F-Secure and Fortinet antiviruses allows remote attackers to bypass malware detection via a .tar.gz file
      • Denial of Service (DoS)
        – CVE-2012-4014: Unspecified vulnerability in McAfee Email Anti-virus (formerly WebShield SMTP) allows remote attackers to cause a denial of service via unknown vectors.
    • 15. Analysis of Vulnerabilities in VPN
      • Remote Code Execution
        – CVE-2012-2493: Cisco AnyConnect Secure Mobility Client 2.x does not properly validate binaries that are received by the downloader process, which allows remote attackers to execute arbitrary code.
        – CVE-2012-0646: Format string vulnerability in VPN in Apple iOS before 5.1 allows remote attackers to execute arbitrary code via a crafted racoon configuration file.
    • 16. Analysis of Vulnerabilities in VPN
      • Authentication Bypass
        – CVE-2009-1155: Cisco Adaptive Security Appliances (ASA) 5500 Series and PIX Security Appliances allow remote attackers to bypass authentication and establish a VPN session to an ASA device
    • 17. Security Product Vulnerability Trends
      (Chart: Vulnerability Trend in Security Products; y axis 0 to 300, x axis 1998 to 2011.)
      (Chart: Vulnerability Trend in All Products; y axis 0 to 7000, x axis 1998 to 2011.)
    • 18. Most Vulnerable Security Product Categories
      (Figure 2, bar chart; categories: VPN, IDS/IPS, Firewall, Anti-Virus, Others; x axis 0 to 700.)
    • 19. Vulnerabilities by Security Products
      (Bar chart "Vulnerabilities in Security Products"; products: F-Secure Anti-virus, Cisco PIX Firewall, Sophos Anti-virus, Cisco Adaptive Security Appliance, Kaspersky Anti-virus, ClamAV Anti-virus, Trend Micro OfficeScan, AVG AntiVirus, Norton Personal Firewall, Norton AntiVirus, Checkpoint Firewall-1, Symantec Norton Internet Security, McAfee Anti Virus; x axis 0 to 80.)
    • 20. Vulnerabilities by Security Companies
      (Bar chart "Vulnerabilities by Vendors"; vendors: ClamAV, Kaspersky Lab, Cisco, Trend Micro, Symantec, McAfee, ISS, Checkpoint, CA; x axis 0 to 1200.)
    • 21. Vulnerabilities in Security Products
      (Same bar chart as slide 19, with caption.)
      Figure 6: Shows the number of vulnerabilities found in some of the major security products existing today. The X axis displays the number of vulnerabilities and the Y axis displays some of the major security products. Total vulnerabilities against each security product are calculated by considering all the versions of the products and their individual vulnerabilities discovered over the past years.
    • 22. Type of Vulnerabilities in Security Products "vs" General Products
      (Two pie charts, "All Products" and "Security Products", sharing the categories: SQL Injection, XSS, Buffer Errors, Access Control, Input Validation, Code Injection, Resource Management Errors, Path Traversal, Information Leak. The per-slice percentages are not legible in the transcript.)
    • 23. Analysis of Vulnerabilities in security product companies
      • Some of the product companies, like Cisco, Symantec etc., have more public vulnerability disclosures than others. Some of the reasons are:
        – Larger attack surface (more products and their versions)
        – Popularity index
      • Latest trends like bug bounties and the 0-day market lead to fewer public vulnerability disclosures (companies like Kaspersky and ISS)
      • Advancement and awareness of Secure SDLC also leads to fewer trivial bugs in the latest security products.
    • 24. Future of attacks on Security products
      • Like RSA SecurID, more security products will be targets of APT-style attacks.
      • It is easier to compromise an entire network if an attacker can compromise the security systems in place.
      • Security products will be (and are being) targeted by state-sponsored or APT-style attacks
      • More vulnerabilities will be sold on the 0-day black market
    • 25. Some thoughts...
      • Security companies do not necessarily produce secure software
      • Security products can themselves serve as a door for a hacker
      • Security products are "high pay-off" targets since they are present in most systems
      • APT and cyber-warfare make "security products" the next choice
    • 26. What should we do to protect ourselves?
      • Conduct proper due diligence of the security product
      • Ask for audit reports
      • Patch security products like any other product
      • Treat security tools in a similar manner to other tools during threat modeling
      • Have proper detection and monitoring solutions and multi-layer defense
      • Test and don't trust (blindly)
    • 27. Thank You
      bikash@ivizsecurity.com
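Slide 3 says the study was built from CVE, CPE and NVD data, and the slide 21 caption says each product's count pools all of its versions. As an added example (not the iViZ report's own tooling), this Python aggregates constructed NVD-style records by year, vendor and product category from their CPE 2.3 names; the sample records and the keyword-to-category map are assumptions.

```python
import re
from collections import Counter

# Constructed NVD-style records (year, CPE 2.3 names); not real CVE data.
SAMPLE_RECORDS = [
    (2010, ["cpe:2.3:a:vendor_a:antivirus:10.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:vendor_a:antivirus:11.0:*:*:*:*:*:*:*"]),
    (2011, ["cpe:2.3:h:vendor_b:firewall_appliance:-:*:*:*:*:*:*:*"]),
    (2011, ["cpe:2.3:a:vendor_c:vpn_client:2.5:*:*:*:*:*:*:*",
            "cpe:2.3:a:vendor_c:office_suite:1.0:*:*:*:*:*:*:*"]),
]
# Assumed map from product-name tokens onto the report's categories.
CATEGORY_KEYWORDS = {"antivirus": "Anti-Virus", "firewall": "Firewall",
                     "vpn": "VPN", "ids": "IDS/IPS", "ips": "IDS/IPS"}
# cpe:2.3:<part>:<vendor>:<product>:<version>:...  (part is a, h or o)
CPE_RE = re.compile(r"^cpe:2\.3:[aho]:([^:]+):([^:]+):")

def parse_cpe(cpe):
    """Return (vendor, product) from a CPE 2.3 name, else raise ValueError."""
    m = CPE_RE.match(cpe)
    if not m:
        raise ValueError("not a CPE 2.3 name: %r" % cpe)
    return m.group(1), m.group(2)

def categorize(product):
    """Map a CPE product name to a security-product category, or None."""
    for token in re.split(r"[_\-]", product.lower()):
        if token in CATEGORY_KEYWORDS:
            return CATEGORY_KEYWORDS[token]
    return None

def aggregate(records):
    """Count security-product CVEs per year, vendor and category; a CVE
    counts once per vendor/category however many product versions it lists
    (the convention the slide 21 caption describes)."""
    by_year, by_vendor, by_category = Counter(), Counter(), Counter()
    for year, cpes in records:
        vendors, categories = set(), set()
        for cpe in cpes:
            vendor, product = parse_cpe(cpe)
            category = categorize(product)
            if category:  # skip the vendor's non-security products
                vendors.add(vendor)
                categories.add(category)
        if not categories:
            continue  # no security product affected; outside the study
        by_year[year] += 1
        by_vendor.update(vendors)
        by_category.update(categories)
    return by_year, by_vendor, by_category
```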

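Slide 7 puts the Debian OpenSSL key space at about 2^15 because, after the two lines were removed, the process ID was the only varying input to the generator. As an added illustration (toy code, not OpenSSL's algorithm), this Python models a generator seeded only by the PID, enumerates its whole key space into a fingerprint blacklist, which is the approach the Debian openssl-blacklist package took, and shows that a key generated with real entropy mixed in is not on the list. The derivation function, key size and fingerprint format are constructed stand-ins.

```python
import hashlib
import os

# Linux pid_max of the era: PIDs 1..32767, so at most 32767 distinct keys
# per key type and size once the PID is the only varying input (~2^15).
PID_MAX = 32768
KEY_BYTES = 128  # toy 1024-bit key material

def derive(seed, nbytes=KEY_BYTES):
    """Toy deterministic key derivation: a SHA-256 counter stream over the
    seed. Stands in for OpenSSL's key generation; not the real algorithm."""
    out = b""
    for counter in range((nbytes + 31) // 32):
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return out[:nbytes]

def broken_keygen(pid):
    """Models the Debian bug: the PID is the entire seed."""
    return derive(pid.to_bytes(4, "big"))

def fixed_keygen(pid, entropy=None):
    """Models the fix: real entropy is mixed in alongside the PID."""
    entropy = os.urandom(32) if entropy is None else entropy
    return derive(pid.to_bytes(4, "big") + entropy)

def fingerprint(key):
    """Short key fingerprint, the form a blacklist stores (constructed)."""
    return hashlib.sha256(key).hexdigest()[:32]

def build_blacklist():
    """Enumerate every key the broken generator can produce, so that a weak
    key can be recognised on sight wherever it turns up (host keys, certs)."""
    return {fingerprint(broken_keygen(pid)) for pid in range(1, PID_MAX)}

def is_weak(key, blacklist):
    return fingerprint(key) in blacklist

if __name__ == "__main__":
    bl = build_blacklist()
    print("weak-key space:", len(bl))
    print("broken key flagged:", is_weak(broken_keygen(4242), bl))
    print("fixed key flagged:", is_weak(fixed_keygen(4242), bl))
```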
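Slide 8 describes CRIME as observing how the compressed length changes when attacker-controlled input and a secret share one compression context. As an added example (not from the presentation), this Python is the check a defender can run on a compress-then-encrypt pipeline: it builds a constructed HTTP-like message, compares the wire length when the reflected value matches the cookie with the length when it does not, and shows that the differential disappears with compression off, which is the mitigation deployed against CRIME. The cookie value and message layout are constructed.

```python
import zlib

# Constructed values: a session cookie the client adds, and attacker-chosen
# text reflected into the same message before it is compressed.
SECRET_COOKIE = "sessionid=7f3a9c"

def build_message(reflected, secret=SECRET_COOKIE):
    """HTTP-like message in which a reflected value and a secret cookie sit
    inside one compression context, as in the CRIME setting."""
    return ("GET /search?q=%s HTTP/1.1\r\nHost: example.test\r\n"
            "Cookie: %s\r\n\r\n" % (reflected, secret)).encode()

def wire_length(message, compress=True):
    """Length an observer on the wire sees: encryption hides content but not
    length, so compression is the only thing that can make it vary."""
    return len(zlib.compress(message)) if compress else len(message)

def leaks_secret(secret=SECRET_COOKIE, compress=True):
    """Defender's check: does a reflected value that matches the secret give
    a shorter wire length than one of equal length that does not? CRIME
    turned exactly this differential into a byte-by-byte recovery, so a
    pipeline for which this returns True must not compress secrets."""
    wrong = secret[:-6] + "k2q8mt"  # same length, shares only the prefix
    matching = wire_length(build_message(secret, secret), compress)
    mismatching = wire_length(build_message(wrong, secret), compress)
    return matching < mismatching

if __name__ == "__main__":
    print("compression on, leaks:", leaks_secret(compress=True))
    print("compression off, leaks:", leaks_secret(compress=False))
```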