Security applications are not secure:Research

You think that the anti-virus and other security products installed in your computer can keep you secure,then a new report would definitely make you think otherwise.A newly published report states that the security applications are more vulnerable and are poorly maintained Linux installed with insecure Web applications. Ben Williams presented his findings at the Black Hat Europe 2013 security conference in Amsterdam titled “Ironic Exploitation of Security Products”.

Products assessed included;Firewalls and Multifuncti on Gateways, Antispam and Antivirus filtering for Email,and Remote Access Gateways.These products include Symantec, Sophos, Trend Micro, Cisco, Barracuda, McAfee and Citrix.


a)Common Issues:-

The research revealed that almost all Security Appliance products in the sample were vulnerable to:

  • Cross Site Scripting (XSS) where either session hijacking or password theft was possible
  • Automated password attacks for SSH or the Web UI due to lack of protection against brute force attack
  • A lack of hardening of the underlying operating system
  • Unauthenticated detailed version disclosure –   A low severity issue, but useful for an attacker trying to enumerate the system and its potential flaws ,but also could be used by vulnerability scanners to detect vulnerable systems.

The majority of Security Appliances were vulnerable to

  • Cross Site Request Forgery (CSRF)of administrative functions
  •  OS command injection in the Web-UI, giving access to the underlying operating system Privilege escalation (either in the UI or underlying operating system)

Most tested appliances were actually poorly maintained Linux systems with outdated kernel versions, old and unnecessary packages installed, and other poor configurations, Williams said. Their file systems were not “hardened” either, as there was no integrity checking, no SELinux or AppArmour kernel security features, and it was rare to find non-writeable or non-executable file systems.

A big problem is that companies often believe that because these appliances are security products created by security vendors, they are inherently secure, which is definitely a mistake, Williams said.

The fact that such vulnerabilities exist in security products is ironic, Williams said. However, the situation with non-security products is probably worse, he said.

It’s unlikely that such vulnerabilities will be exploited in mass attacks, but they could be used in targeted attacks against specific companies that use the vulnerable products, for example by state-sponsored attackers with industrial espionage goals, the researcher said.

Williams said he reported the vulnerabilities he discovered to the affected vendors. Their responses varied, but in general the big vendors did the best job of handling the reports, fixing the flaws and sharing the information with their customers, he said.

Must read paper for security professionals and students alike.