iViZ Security conducted research on vulnerabilities in security products and found that: 1) Vulnerabilities in security products are increasing at 37.29% annually and anti-virus products account for 49% of vulnerabilities. 2) The top 3 most vulnerable vendors are McAfee, Cisco, and Symantec, while the top 3 most vulnerable products are Rising-Global's antivirus, Cisco's adaptive security appliance, and Ikarus virus utilities. 3) Access control issues and input validation problems are the most common weaknesses in security products.

1. © iViZ Security Inc
1May 2013
Bikash Barai, Co-Founder & CEO
Why Current Security Solutions Fail?

2. © iViZ Security Inc
2May 2013
Introduction
• About iViZ
– Cloud based Application Penetration Testing
– Zero False Positive Guarantee
– Business Logic Testing with 100% WASC coverage
– 400+ customers. IDG Ventures Funded.
– Gartner Hype Cycle mention
• About myself
– Co-founder and CEO of iViZ
– Worked in areas of AI, Anti-spam filters, Multi stage attack
simulation etc
– Love AI, Security, Entrepreneurship, Magic /Mind Reading

3. © iViZ Security Inc
3May 2013
Vulnerabilities in Security Products

4. © iViZ Security Inc
4May 2013
Symantec Email Appliance(9.5.x)
Description Rating
Out-of-band stored-XSS - delivered by email Critical
XSS (both reflective and stored) with session-hijacking High
Easy CSRF to add a backdoor-administrator (for example) High
SSH with backdoor user account + privilege escalation to root High
Ability for an authenticated attacker to modify the Web-
application
High
Arbitrary file download was possible with a crafted URL Medium
Unauthenticated detailed version disclosure Low
Credits: Brian Smith

5. © iViZ Security Inc
5May 2013
Trend Email Appliance(8.2.0.X)
Description Rating
Out-of-band stored-XSS in user-portal - delivered via email Critical
XSS (both reflective and stored) with session-hijacking High
Easy CSRF to add a backdoor-administrator (for example) High
Root shell via patch-upload feature (authenticated) High
Blind LDAP-injection in user-portal login-screen High
Directory traversal (authenticated) Medium
Unauthenticated access to AdminUI logs Low
Unauthenticated version disclosure Low
Credits: Brian Smith

6. © iViZ Security Inc
6May 2013
Microsoft Auto-update Hijacking
• MD5 collision attack to generate a counterfeit
copy of a Microsoft Terminal Server Licensing
Service certificate.
• Used the counterfeit certificate to sign code
such that malware appeared like genuine
Microsoft code and hence remained
undetected.

7. © iViZ Security Inc
7May 2013
Preboot Authentication Attacks
• iViZ identified flaws in numerous BIOS’s and pre-
boot authentication and disk encryption software
– Bitlocker, TrueCrypt, Mcaffee Safeboot, DriveCryptor,
Diskcryptor, LILO, GRUB, HP Bios, Intel/Lenevo BIOS
found to be vulnerable.
• Flaws resulted in disclosure of plaintext pre-boot
authentication passwords.
• In some cases, an attacked could bypass pre-boot
authentication.

8. © iViZ Security Inc
8May 2013
Vulnerabilities in Anti-Virus
• Discovered by iViZ Security
• Antivirus products process different types of
files having different file-formats.
• We found flaws in handling malformed
compressed, packed and binary files in AVG,
Sophos, Avast etc
• Some of the file formats for which we found
flaws in AV products are
– ISO, RPM, ELF, PE, UPX, LZH

9. © iViZ Security Inc
9May 2013
More Vulnerabilities in AV products
• Detection Bypass
– CVE-2012-1461: The Gzip file parser in AVG Anti-
Virus, Bitdefender, F-Secure , Fortinet antiviruses,
allows remote attackers to bypass malware
detection via a .tar.gz file
• Denial of Service (DoS)
– CVE-2012-4014: Unspecified vulnerability in
McAfee Email Anti-virus (formerly WebShield
SMTP) allows remote attackers to cause a denial
of service via unknown vectors.

10. © iViZ Security Inc
10May 2013
Vulnerabilities in VPN products
• Remote Code Execution
– CVE-2012-2493: Cisco AnyConnect Secure
Mobility Client 2.x does not properly validate
binaries that are received by the downloader
process, which allows remote attackers to execute
arbitrary code.
– CVE-2012-0646: Format string vulnerability in
VPN in Apple iOS before 5.1 allows remote
attackers to execute arbitrary code via a crafted
racoon configuration file.

11. © iViZ Security Inc
11May 2013
Report Findings

12. © iViZ Security Inc
12May 2013
About the Report/Study
• iViZ used databases such as the Common
Vulnerability Enumeration (CVE), Common
Product Enumeration (CPE) and National
Vulnerability Database (NVD) for the Analysis

13. © iViZ Security Inc
13May 2013
Key Findings
• Vulnerabilities increasing at CAGR of 37.29% over the last 3 Years.
• Anti-Virus accounts for 49% of the vulnerabilities, next Firewall (24%)
• Top 3 Security vendors with maximum vulnerabilities: McAfee, Cisco
followed by Symantec.
• Top 3 Security products with maximum vulnerabilities: Rising-Global’s
Antivirus , Cisco’s Adaptive Security Appliance and Ikarus Virus Utilities.
• Access Control is the most prominent weakness in Security Products
followed by Input Validation.
• SQL Injection is the least found vulnerability among Security products

14. © iViZ Security Inc
14May 2013
Vulnerability Trends
In All Products In Security Products

15. © iViZ Security Inc
15May 2013
Vulnerability by Product Types in 2012

16. © iViZ Security Inc
16May 2013
Vulnerabilities by Vendors

17. © iViZ Security Inc
17May 2013

18. © iViZ Security Inc
18May 2013
Comparative Analysis

19. © iViZ Security Inc
19May 2013
5 Predictions..
• We predict an increase in attacks on security
products, companies or solutions
• APT and Cyber-warfare makes “Security
Products” as the next choice
• Majority of vulnerabilities discovered will not
become public and shall remain in the hands of
APT actors
• Security Products are “High Pay-off” targets since
they are present in most systems
• More vulnerabilities would be sold in Zero Day –
Black Market

20. © iViZ Security Inc
20May 2013
What should we do to protect us?
• Test and Don’t Trust (blindly): Conduct proper
due diligence of the security product
• Ask for audit reports
• Patch security products like any other product
• Treat security tools in similar manner as other
tools during threat modeling
• Have proper detection and monitoring
solutions and multi-layer defense

21. © iViZ Security Inc
21May 2013
Thank You
bikash@ivizsecurity.com
Blog: http://blog.ivizsecurity.com/
Linkedin:
http://www.linkedin.com/pub/bikash-barai/0/7a4/669
Twitter: https://twitter.com/bikashbarai1
DISCLAIMER
We have used well known vulnerability standards and database like Common Vulnerability Enumeration (CVE), Common Product Enumeration
(CPE) and Nation Vulnerability Database (NVD). One of the major challenges we faced was in classifying the products into security and non-
security products, as the current product standard (CPE) does not support it. We solved this challenge by considering that security products have
certain keywords like, ‘ ID‘virus’, ‘firewall‘, ‘IPS‘, ‘scan’ etc. Hence there are chances of some date being missed and the report should be
considered as indicative. iViZ disclaims all warranties, expressed or implied, with respect to this research for any particular purpose.