Here’s a common scenario organizations increasingly face: Too many web apps with too many vulnerabilities and no chance for immediate remediation.
In the interim, the organization is left exposed to potentially devastating breaches, at a time when web apps have become one of cyber attackers’ favorite targets.
After speaking at Qualys’ recent webinar “Aligning Web Application Security with DevOps and IoT Trends,” Forrester’s Amy DeMartine granted us this Q&A, where she revisits and offers keen insights on issues including IoT security challenges and DevOps’ benefits for secure app dev. DeMartine, a Principal Analyst focused on security and risk professionals, also discusses “red teaming” for cloud products, and identifies signs you need a new automated security analysis tool.
First the bad news: Internet of Things (IoT) systems have created immense security holes. Now the good news: The problem can be fixed fairly easily.
That was the message from Jason Kent, Qualys’ Vice President of Web Application Security, during his recent webcast, “Aligning Web Application Security with DevOps and IoT Trends.”
“IoT doesn’t have to be scary. We have the knowledge on how to solve all these application security problems,” Kent said. “We just need to put focus on it.”
The effort to create awareness and shine a light on the issue of IoT security must be shared by IoT system manufacturers, application developers, and customers, including both businesses and consumers.
Today Microsoft released a security bulletin addressing a flaw in ASP.NET that was disclosed early morning yesterday at the Chaos Communication Congress (CCC) in Berlin. Microsoft tested and finished MS11-100 in record time, taking about 30 days for the process of integrating this new vulnerability with the fix that was already scheduled for January 2012. We consider Microsoft’s reaction and implementation speed outstanding, as they were only notified at the tail end of the German security researchers work. We will be tracking how the other projects and vendors affected (PHP, Oracle, Phython, Ruby and others) are rolling out their patches.
The bulletin fixes the DoS attack vector by providing a limit to the number of variables that can be submitted for a single HTTP POST request. The default limit is 1000 which should be enough for normal web applications, but still low enough to neutralize the attack as described by the security researchers in Germany. This addresses the most obvious attack method immediately and leaves the reimplementation of the hash function for a future update.
Overall the bulletin addresses four issues. CVE-2011-3416 is an ASP.Net Forms Authentication Bypass issue which is rated as critical. CVE-2011-3414 is the hash table collision DoS issue discussed above and is rated as important. CVE-2011-3417 is the ASP.NET Ticket Caching vulnerability which is also rated as important. And finally CVE-2011-3415 is the Insecure Redirect vulnerability which is rated as moderate. We recommend installing as soon as possible if you have web based infrastructure that uses ASP.NET.
Resources:
Today Microsoft published today Security Advisory 2501696 describing a vulnerability (CVE-2011-0096) in the MHTML handler present on all versions of Windows. The vulnerability allows the execution of an XSS attack from a webpage going through Internet Explorer.
The XSS attack can be used to run JavaScript code on the user’s Internet Explorer instance, which gives the attacker a way to get at information stored in the browser and a mechanism to trick users into installing unwanted code through social engineering.
The advisory 2501696 describes a work around that disables scripting inside the MHTML handler by setting the corresponding keys in the Windows registry. We expect the release of a FixIt to automate the application of the work around for security conscious end users.
The vulnerability was originally disclosed on the WooYun website The same site disclosed in December a vulnerability in the CSS handler of Internet Explorer "css.css" (CVE-2010-3971). The vulnerability has been acknowledged by Microsoft and Security Advisory 2488013 includes a workaround and a FixIt link to apply.
While the vulnerability is located in a Windows component Internet Explorer is the only known attacker vector. Firefox and Chrome are not affected in their default configuration, as they do not support MHTML without the installation of specific add-on modules.
Microsoft’s SRD blog has a detailed description of the attack and provides HTML files for local testing.
Micorosoft published an out-of-band patch MS10-070 for the ASP.NET issue made public 2 weeks ago the ekoparty conference in Buenos Aires.
MS10-070 updates the widely installed .NET Framework for all supported Windows platforms, from XP SP3 to Windows 7. This makes this update applicable to many machines, desktops and servers alike. However, the current known attack is applicable only machines that run a webserver with ASP.NET installed, so IT administrators should prioritize these machines. Desktops and servers that do not run a webserver can be updated at a later date, when convenient.
Microsoft rates the vulnerability as "important" as it only causes information leakage, but the effect of the attack is highly dependent on the web application running on the server. In the worst case scenario attackers can gain complete control of the server in question. The exact impact will have to be determined by the server and application engineers, we recommend patching this vulnerability on all Windows machine that run ASP.NET applications.
For a demo of the worst-case scenario take a look the video of Juliano and Thai running their POET tool against a updated "DotNetNuke" installation. They are able to gain full control over the server in under 10 minutes.
For a great explanation of padding attacks take a look at Gotham Digital Security blog.
The previously recommended workarounds in the advisory continue to be valid and do not need to be backed out for the patch. The are best practice recommendations that minimize information leakage through side channels and should be considered for any web application in production.
References:
Microsoft announced that they will release an update tomorrow for ASP.NET. The update will address a vulnerability disclosed by Thai Duong and Juliano Rizzo at ekoparty a Latin American Security Conference. The critical vulnerability allows a remote attacker to extract information from web applications programmed under ASP.NET and in certain circumstances can be used to take control over the affected server.
The current advisory provides a workaround for the problem. It minimizes information leakage through the error reporting system and should be considered a best practice for web applications even without the current attack. Scott’s blog post provides great insight, as does the blog post from the DotNetNuke team on how to implement the workarounds in their environment.
We recommend installing the patch immediately, once it becomes available.It administrators should first focus on web servers that do not have the workarounds implemented.
References:
Update
Original
After last week’s patch Tuesday a few high profile vulnerabilities and patches have appeared this week:
Today we have a guest post from Qualys Security Research Engineer Michael Shema.
The Open Web Application Security Project (OWASP) has updated its Top 10 list of Web Application Security Risks for 2010. The new list reflects a better understanding of how web applications are most commonly being attacked – or at least the most common risks discovered by security professionals. It’s important for organizations to understand that the list is a risk-based selection of web app vulns. For example, security misconfigurations (A6) appeared in the 2004 version, was dropped in 2007, and re-appears now in 2010. Also, malicious file execution (A3 from the 2007 version) was dropped because the main culprit, poorly configured and written PHP apps, can benefit from improvements to the default PHP settings. However, this doesn’t mean those problems have gone away. If you haven’t upgraded your PHP installation, then your site is still highly vulnerable.
The list doesn’t explicitly call out a very important exploit against web applications: logic attacks — attacks against the site’s workflows. These types of attacks have a generic description, but tend to be very specific to each web site. They’re related to broken auth and session management (A3) in that they take advantage of poor controls over a user’s activity. Logic attacks target assumptions the site makes about a user’s click path or the sequence in which a workflow is expected to be completed. These attacks rarely rely on injection of malicious content or otherwise invalid input. Instead, they very often repeat steps that the web app didn’t expect to be repeated or perform actions out of their expected order. It’s these vulns that are gaining prominence with JavaScript-heavy apps that push a lot of logic to the browser without verifying actions on the server.
It’s still important for web site owners to keep track of the OWASP Top 10 in order to understand how threats evolve. CRSF didn’t appear on the list in 2004, but apps have been vulnerable to it since 2000 and earlier (it takes advantage of a fundamental nature of HTML and HTTP). It’s just that CSRF attacks weren’t well defined or widely understood before the list could be updated in 2007.
Also keep in mind the Top 10 list is primarily for web site owners to understand how to improve their site’s security and to know what types of attacks seem most prolific. Some of the items, like XSS and CSRF also target the web browser. As a visitor to a possibly insecure web site, it’s fortunately still possible to apply some defenses in the browser, whether simply keeping the browser and its plug-ins up to date or using a security plug-in like NoScript.
And while developers scour their sites for risks associated with this Top 10 list, web users need to be aware of the prevalence of malware. Malware isn’t actually an attack against the web site; the attacker needs to use some other vulnerability in order to sneak malicious code onto a web page. However, malware is still a significant concern for users how are trying to keep their personal information secure.
Today Tavis Ormandy published a 0-day vulnerability in Java. His post provides exploit information and a link to a webpage demonstrating the launch of calc.exe on WIndows. The vulnerability allows an attacker to execute remote code on the target machine and can be triggered by a user visiting a simple webpage. It is located in the Java Web Start component and is present on Java running on Windows Operating Systems. There is no patch or official work-around yet, but Tavis provides suggestions on how users can configure their system to defend themselves.
Rubén Santamarta provides additional technical information on the vulnerability and points out that Java on Linux is affected as well.
Our vulnerability research team has confirmed the existence of the vulnerability on Windows and we are releasing a detection under QID 117772 in QualysGuard. We will track the development around this vulnerability and keep you posted.
Reference: