Cross-site scripting and SQL injection attacks are well-known threats for public-facing Web applications, but internal systems can be attacked as well. For example, about half of network management systems studied had these vulnerabilities, according to a report released today.
It all comes down to input validation, or lack of it, said Deral Heiland, research lead at Boston-based Rapid7, Inc. and one of the authors of the report.
Network management systems are in regular communication with the devices on a company’s network. But, because the communications are machine-to-machine people sometimes forget that the inputs still need to be checked to make sure there’s nothing weird or malicious in there.
“We’re very experienced with ecommerce sites and people putting in bad data,” said Heiland. “With a machine-to-machine protocol, would there be less protection, less filtering, with the applications assuming that all the data was trusted?”
Heiland’s team found 13 different vulnerabilities with nine different network management systems vendors, which was about half of all vendors studied.
Getting access to a network management system gives an attacker a current map of the company’s environment, without risking detection by running their own scans.
To take advantage of one of these vulnerabilities, an attacker could physically enter an organization’s facility and connect a small device, such as a Raspberri Pi, to the network.
Or an attacker who already has access to a networked device through some other kind of attack could use this vulnerability to escalate their privileges, Heiland said.
The products were Spiceworks Desktop, Ipswitch WhatsUp Gold, Castle Rock SNMPc, ManageEngine OpUtils, CloudView NMS, Opmantek NMIS, Opsview Monitor, Netikus EventSentry, and Opmantek NMIS.
All nine vendors have been notified and have released patches to their products, said Heiland.
However, Rapid7 did not test every single networking management system on the market.
“Obviously, there isn’t enough time to do that,” he said.
However, enterprises can do their own testing to determine whether their system is vulnerable.
The research report includes a methodology section that explains how Rapid7 did the tests.
The step that took the most time was figuring out how to get the product up and running in the first place, Heiland said, sometimes taking several days. Companies that already know their network management system products and how they work should have an easier time, he said.
He recommended doing the tests in a testing environment rather than on the production system.
“Once you have it labbed up, it takes about 30 minutes to bring up all the tools on a Linux box and within and hour or two you could test the product,” he said.
But the bigger lesson here is that of importance of patch management for internal systems, he said.
“We don’t always pay a lot of attention to some of these products that we have on the network, and this is a prime example,” he said. “It would be common to see one of these products get installed on a network and not get patched for six months or a year — or never get patched, in some cases.”