OSMOSIS: Open Source Monitoring Security Issues
HACKITO ERGO SUM 2014 / April 2014 / Paris


AGENDA
- Who are we?
- Open Source Monitoring Software
- Results
- Demonstration
- Responses
- Mitigations and conclusion
4/25/14 2

DEUTSCHE TELEKOM PROFILE
CUSTOMERS & MARKETS
Customers
- >141 m mobile customers
- >32 m fixed-line customers / >17 m broadband customers
- approx. 3 m (IP) TV customers
- About 2 m workstation systems marketed
Markets
- Presence in 50 countries
- Germany, Europe, USA: using our own infrastructure
- T-Systems: global presence & alliances via partners
Source: DT annual report to shareholders 2012 / TMUS annual report to shareholders 2012
FACTS & FIGURES
Telekom in figures
- Revenue 58.7 bn
- Adjusted EBITDA 18.7 bn
- Free cash flow 6.4 bn
- Among the top 100 companies worldwide (#75 in the 2012 Fortune 500 list)
Employees & responsibility
- Employees worldwide: 235,000
- 9,000 trainees and cooperative degree students in Germany
- Pioneer of social issues (promotion of women, data privacy, climate protection etc.)

DEUTSCHE TELEKOM GROUP INFORMATION SECURITY
- Security levels
- Security strategies
- Standards
- Consulting
- Innovation
- Security requirements
- Privacy & Security Assessment (PSA)
- Deutsche Telekom Cyber Emergency Response Team (CERT)
- Implementation of measures
- Technology
- Testing
- Abuse handling
- Incident management
- Intelligent network solutions

OPEN SOURCE MONITORING SOFTWARE: OVERVIEW
SUMMARY
- Critical function in a corporate network
- Lets you know how well the network is running
- End-to-end monitoring, from services down to a detailed hardware view
JOINT FUNCTIONS IN THIS CASE
- Web-based solution
- Agent-based
OUT OF SCOPE
- No IDS / IPS
- No commercial solutions
- No security monitoring

OPEN SOURCE MONITORING SOFTWARE: THREATS
- Ubiquitous component in network environments
- Centralized access to multiple networks
- Usually positioned deep in the internal network (as in: semi-trusted network)
- Used in nearly every environment (from small business over mid-range up to enterprises)
- MTAACA (machine that acts as client attack) and CTAMTAACA (clients that access machines that act as clients attack)

OPEN SOURCE MONITORING SOFTWARE: RISKS
- A more valuable target than perimeter systems
- Input data parsing (log files, SNMP, traps, ...)
- Web GUIs (OWASP Top 10, anyone?)
- Some have home-brew agents on EVERY system
- Potential access to a lot of components in the perimeter and internal network

OPEN SOURCE MONITORING SOFTWARE: HOW IS IT TYPICALLY IMPLEMENTED?
- Own checks
- SNMP

OPEN SOURCE MONITORING SOFTWARE: WHAT WE COVERED
- This is not an academic talk; we are talking about actual experience
- Open Source tools are easy to audit (kinda)
- Everyone has the chance to audit their own solution
- Focus on market-leading / industry-standard software

OPEN SOURCE MONITORING SOFTWARE: WHAT WE DID NOT COVER
- No commercial / closed-source solutions
- Architectural software flaws
- Critical features which should be disabled anyway, e.g. dont_blame_nrpe in nrpe.cfg
- No additional plugins, features, add-ons
- Not the (home-brewed) agents themselves

OPEN SOURCE MONITORING SOFTWARE: TOOLS WE COVERED
CACTI
- Network graphing solution; the frontend is completely PHP-driven
- src: http://www.cacti.net
NAGIOS
- "Nagios Is The Industry Standard In IT Infrastructure Monitoring"
- src: http://www.nagios.org/
CHECK_MK (NAGIOS ADD-ON)
- "Check_MK is a comprehensive add-on for the famous Open Source monitoring software Nagios"
- src: https://mathias-kettner.com/check_mk_introduction.html
ICINGA
- "Icinga is an enterprise grade open source monitoring system"
- src: https://www.icinga.org/

OPEN SOURCE MONITORING SOFTWARE: PUBLICLY KNOWN INCIDENTS
- CVE2012-096: remote buffer overflow in Nagios
- Hetzner (06/2013)

OPEN SOURCE MONITORING SOFTWARE: OTHER INTERESTING INFORMATION
- Public buffer overflow in Cacti (since 10/2013)
- NRPE: remote command exec (04/2014)

RESULTS: OVERALL
Critical issues were found in ALL audited solutions:
- Memory corruption: buffer/heap overflows, off-by-ones
- CSRF
- XSS
- eval-processing of untrusted input
- Remote code execution
- Arbitrary file access
Many web-based bugs, as all the solutions use web GUIs

RESULTS: DETAILED VIEW (Cacti)
Version                          | 3.5.0b                          | 1.9.1b                                  | 1.2.2p2                             | 0.8.8a
Number of findings               | 1                               | 2                                       | 7                                   | 3
CVSS 2 score (highest finding)   | 4.9 AV:N/AC:M/Au:S/C:P/I:N/A:P  | 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C          | 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C      | 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
Criticality                      | medium                          | high                                    | high                                | high
Number of open findings          | 1*                              | 0                                       | 1**                                 | 3
Announcement to vendor/developer | 5th Dec. 2013                   | 2nd Dec. 2013                           | 8th Oct. 2013                       | 15th Oct. 2013
Bug fix release                  | 3.5.x*, 4.0.3                   | 1.10.2, 1.9.4, 1.8.5 or latest release  | 1.2.4p1, 1.2.5i2 or latest release  | n/a
Public DTAG CERT advisory        | DTC-A-20140324-004              | DTC-A-20140324-003                      | DTC-A-20140324-002                  | DTC-A-20140324-001
Remarks:
* Bug fixes only available in the source code; no update release available.
** exec of Python code within WATO
Confidential Christian Sielaff / OSMOSIS 03.04.2014 15

DEMONSTRATION: CAN WE GET A SHELL?

DEMONSTRATION: NETWORK OVERVIEW
[Diagram: Hacker, Terminal Server, Cacti / Check_MK, Administrator]

DEMONSTRATION: CACTI (slides 18-21)
[Diagram: Hacker, Cacti, Administrator]
Bugs: cross-site request forgery, command like exec
Gets executed on the Cacti server if:
- the administrator clicks on a link, or
- the administrator visits a malicious web site
Pro: get a shell
Con:
- Need to know the Cacti URL
- The admin needs to access the link, or a site containing the link, to trigger the exploit
- Outgoing connections may be restricted
- The admin needs to be logged in ... not really: let's brute-force the admin account :)

DEMONSTRATION: CHECK_MK (slides 22-25)
[Diagram: Hacker, Terminal Server, Check_MK, Administrator]
Bugs: cross-site request forgery, command like exec, cross-site scripting
What is the problem:
- Exploits a feature in WATO
- Uploads and executes a snapshot
- The snapshot contains plain Python code
Pro: get a shell
Con:
- Need to know the Check_MK URL
- The admin needs to access the link, or a site containing the link, to trigger the exploit
- Outgoing connections may be restricted
- The admin needs to be logged in
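The WATO snapshot problem above, and the "eval-processing untrusted input" finding class from the results slide, come down to one thing: an uploaded file is handed to the interpreter instead of being parsed as data. The following is an added example written for this page, not code from Check_MK, Cacti or the talk. The snapshot format (a Python dict literal of host settings) is a constructed stand-in; it shows the unsafe loader beside a loader that only ever treats the upload as a literal and validates it against a schema.

```python
"""Unsafe versus safe loading of an uploaded configuration snapshot.
Added example for this page; the snapshot format is constructed and is not
the WATO snapshot format."""

import ast

# Constructed sample uploads. The first is what a legitimate snapshot might
# look like; the second is an expression rather than a literal, which is
# exactly what exec/eval would happily run.
GOOD_SNAPSHOT = '{"host": "web01", "checks": ["cpu", "disk"], "interval": 60}'
HOSTILE_SNAPSHOT = '__import__("os").getcwd()'

# Schema for the constructed format: exactly these keys, with these types.
ALLOWED_SETTINGS = {"host": str, "checks": list, "interval": int}


def load_snapshot_unsafe(text: str) -> dict:
    """The pattern the talk criticises: the upload goes straight to the Python
    interpreter, so anyone who can make a logged-in admin's browser submit the
    upload (the CSRF in the demo) runs code as the monitoring user.  Kept only
    for contrast; never call this on real input."""
    return eval(text)  # deliberately unsafe


def load_snapshot_safe(text: str) -> dict:
    """Parse the upload as data only.  ast.literal_eval accepts Python literals
    (strings, numbers, lists, dicts, ...) and raises ValueError for anything
    that needs evaluation, such as a call or attribute access.  The schema
    check then rejects well-formed literals that are not a valid snapshot."""
    try:
        data = ast.literal_eval(text)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"snapshot is not a plain literal: {exc}") from exc
    if not isinstance(data, dict):
        raise ValueError("snapshot must be a dict of settings")
    if set(data) != set(ALLOWED_SETTINGS):
        raise ValueError(f"snapshot keys must be exactly {sorted(ALLOWED_SETTINGS)}")
    for key, expected_type in ALLOWED_SETTINGS.items():
        if not isinstance(data[key], expected_type):
            raise ValueError(f"setting {key!r} must be {expected_type.__name__}")
    return data


def classify_upload(text: str) -> str:
    """Returns 'accepted' or 'rejected' for an upload under the safe loader."""
    try:
        load_snapshot_safe(text)
        return "accepted"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    print("good snapshot:", classify_upload(GOOD_SNAPSHOT))
    print("hostile snapshot:", classify_upload(HOSTILE_SNAPSHOT))
```

The data-only loader removes the code-execution step, but it does not by itself stop the CSRF half of the chain shown in the demo; the upload endpoint still needs a per-session anti-CSRF token (or an equivalent origin check) so that a request the admin's browser was tricked into sending is refused before the file is even parsed.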

DEMONSTRATION: CHECK_MK (slides 26-28)
Bugs: cross-site request forgery, command like exec, cross-site scripting
What can we do better?
- Use the agent on a system
- Re-use existing connections
Pro:
- Get a shell
- The URL is no longer needed
- The administrator does not need a link to click
- Triggers when the administrator logs in
- Uses existing connections
Con: need (privileged) access to a monitored system

DEMONSTRATION: CHECK_MK (slides 29-32)
Bugs: cross-site request forgery, command like exec, cross-site scripting
What else can we do? Just a simple SSH login?
- An XSS triggers a CSRF, which triggers an upload, which triggers a shell :)
Pro:
- Get a shell
- The URL is no longer needed
- The administrator does not need a link to click
- Triggers when the administrator logs in
Con:
- Logwatch feature (default installation is fair)
- Outgoing connections may be restricted

DEMONSTRATION: CAN WE GET A SHELL? YES :)

RESPONSES: CONTACT AND TIMELINES
CONTACTING
- Some developers offer no contact option (except a public mailing list; is this a good idea in such a case?)
- Usually an email contact is possible, also with a privacy option
- Only Icinga provides an option for private information sharing: http://www.icinga.org/faq/how-to-report-a-bug/#securityissue
TIMELINE
- Approximately six days from first response to a bug fix release: well done!
- Up to 85 days to a bug fix release
- Up to nothing until now :(
ADVISORIES
- Posted the flaws to Bugtraq on the 24th of March
- Got first responses regarding open findings on the 28th / 31st of March

RESPONSES: FEEDBACK
- "WHAT IS OWASP?" - It's 2014, guys!
- "THIS IS A FEATURE" - Yes, and a backdoor!
- "WHAT TOOLS DID YOU USE FOR SCANNING?" - Hint: none, we had the source code. Duh!
- "WHY SHOULD WE FIX WHAT YOU SEE AS A SECURITY PROBLEM? WE NEVER ASKED FOR THIS AUDIT!" (approximately) - Right. Remember it's open source? Open as in: I audit this code as much as I want to?
- As in: no response at all after the issues were communicated to the developer.

RESPONSES: DISCLOSURE
SECURITY FIXES
- Change logs or release notes _never_ mention security fixes explicitly
- No hints or information on the developer web sites!
- CVE? _Common_? Never heard about that
- CREDITS? What's that?
BUT THERE ARE SOME PROFESSIONALS
- The Icinga team has published bug fix releases (incl. backports), ordered CVE numbers and flagged the issues as security issues. MANY THANKS AND WELL DONE!

MITIGATIONS: BEST PRACTICES
BEST PRACTICES
- Consider the Icinga and Nagios security guidelines, e.g. http://docs.icinga.org/latest/en/security.html
- Nothing similar is available for Cacti and Check_MK
GENERAL BASICS
- Patching and regular updates
- OS and middleware hardening
- Minimal rights on the application level, but also on the operating system level
- Remove critical features (e.g. WATO in Check_MK)
- Passwords

MITIGATIONS: SEGREGATION
ON NETWORK LEVEL
- Do not place such systems flat in your corporate network
- Consider segregation based on functions, e.g. separate monitoring systems for dedicated services
- No internet for the admin workstations and the monitoring system (incl. ICMP, DNS, NTP, ...)
ON APPLICATION LEVEL
- Segregate users and roles

MITIGATIONS: ARCHITECTURE
AGENT-BASED MONITORING
- Needs privileged rights to get all information, and listens on the network (often unauthenticated)
- The security of agents should be discussed separately, e.g. http://www.securityfocus.com/archive/1/531063/30/0/threaded
CHECK VIA SSH
- Must be secured carefully via the sshd configuration, otherwise it is a direct shell login
SOLUTION
- Change the communication direction
- Based on Check_MK's agent, it's just a configuration; no additional software needed

MITIGATIONS: ARCHITECTURE: HOW IT WORKS (slides 40-42)
1. Run the Check_MK agent locally and pipe its output to a file
2. Secure transfer, e.g. via SCP/SFTP
3. Configure the Check_MK Configuration & Check Engine to get its information from a local file
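The three steps above as one script, written for this page as an added example; it is not code from the talk or from the Check_MK project. It assumes the monitored host has the check_mk_agent binary installed, that the monitoring server (the name monitoring.example.internal, the account mkupload and the directory /var/lib/check_mk_agent_files are all hypothetical) accepts uploads from an unprivileged account with a restricted SSH key, and that the server side reads the uploaded file through a datasource_programs rule, which is the main.mk syntax of the Check_MK 1.2-era releases and should be checked against the version in use. Nothing listens on the monitored host; the only connection is outbound, and a broken agent run never overwrites the last good file.

```python
"""Push-mode collection for the Check_MK agent: the monitored host runs the
agent itself, writes the output to a file and pushes it to the monitoring
server over SCP, so no agent port has to be reachable from the server.
Added example for this page; names marked hypothetical are not from the talk."""

import os
import socket
import subprocess
import tempfile
from pathlib import Path

AGENT_CMD = ["check_mk_agent"]                # the real agent binary on the monitored host
MON_HOST = "monitoring.example.internal"      # hypothetical monitoring server
MON_USER = "mkupload"                         # hypothetical upload-only account
MON_DIR = "/var/lib/check_mk_agent_files"     # hypothetical drop directory on the server
SPOOL_DIR = Path("/var/lib/check_mk_push")    # local copy of the last agent output

# Constructed stand-in for the agent so the collection step can be exercised
# offline; it only prints the first section header a real agent prints.
DEMO_AGENT_CMD = ["sh", "-c", "printf '<<<check_mk>>>\\nVersion: demo\\n'"]

# Server side, step 3 of the slide (assumed main.mk syntax; <HOST> expands to the host name):
#   datasource_programs = [
#       ("cat /var/lib/check_mk_agent_files/<HOST>", ALL_HOSTS),
#   ]
# Assumed authorized_keys entry for mkupload, so the key can only run the
# receiving command and gets no shell, no forwarding and no pty:
#   command="/usr/local/sbin/mk-receive",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... push@host


def looks_like_agent_output(data: bytes) -> bool:
    """A real agent run starts with the <<<check_mk>>> section header; anything
    else (an error message, an empty run) must not overwrite the last good file."""
    return data.startswith(b"<<<check_mk>>>")


def collect_agent_output(agent_cmd, out_path: Path) -> int:
    """Step 1: run the agent locally and write its output to out_path with mode
    0600, via a temporary file and an atomic rename so a reader never sees a
    partial file.  Returns the number of bytes written; raises ValueError if
    the output does not look like agent output."""
    result = subprocess.run(agent_cmd, capture_output=True, check=True)
    data = result.stdout
    if not looks_like_agent_output(data):
        raise ValueError("agent output does not start with <<<check_mk>>>; keeping last good file")
    out_path.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp_name = tempfile.mkstemp(dir=out_path.parent, prefix=".agent.")  # created with mode 0600
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.replace(tmp_name, out_path)
    except BaseException:
        Path(tmp_name).unlink(missing_ok=True)
        raise
    return len(data)


def scp_command(file_path: Path, hostname: str) -> list:
    """Step 2: the outbound copy.  BatchMode refuses password prompts (key only)
    and StrictHostKeyChecking=yes refuses unknown or changed server keys."""
    return [
        "scp", "-q",
        "-o", "BatchMode=yes",
        "-o", "StrictHostKeyChecking=yes",
        str(file_path),
        f"{MON_USER}@{MON_HOST}:{MON_DIR}/{hostname}",
    ]


def push_agent_output(file_path: Path, hostname: str) -> None:
    subprocess.run(scp_command(file_path, hostname), check=True)


def main() -> None:
    hostname = socket.gethostname().split(".")[0]
    out_path = SPOOL_DIR / hostname
    collect_agent_output(AGENT_CMD, out_path)
    push_agent_output(out_path, hostname)


if __name__ == "__main__":
    main()  # run from cron on the monitored host, e.g. once a minute
```

Run it from cron on each monitored host; on the server the uploaded file is what the datasource_programs rule reads, so the check engine never opens a connection to the host. The header check and the atomic rename are what make the push safe to automate: a failed or partial run leaves the previous file in place rather than feeding the check engine garbage.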

MITIGATIONS: ARCHITECTURE: OWN CHECKS

CONCLUSION
- Take care of the solutions you use, including additional features, add-ons, plug-ins, self-written checks and architecture.
- When it is named Open Source, that does not mean it is secure by itself!
- In general, Open Source monitoring solutions are not more or less secure than commercial ones.
- Strong isolation of administrator workstations, and of your monitoring system as well.
- @Developers: check OWASP regularly!