From: Susan Orbuch (MKT-US)
Sent: Tuesday, August 03, 2010 8:03:56 AM
Subject: newsbank: Researchers uncover Cisco firewall vulnerabilities, McAfee Console flaws
Auto forwarded by a Rule
Researchers uncover Cisco firewall vulnerabilites, McAfee console flaws
By Robert Westervelt, News Director
LAS VEGAS -- A team of network security researchers at SecureWorks Inc. has uncovered flaws in Cisco Systems Inc.'s IOS-based routers and ASA series firewalls, and McAfee Inc.'s Network Security Manager console. These serious vulnerabilities, if unpatched, could leave entire enterprise networks open to attackers.
The researchers, Ben Feinstein, Jeff Jarmoc and Dan King of the Atlanta-based security firm, presented details on the vulnerabilities Wednesday at Black Hat 2010, and warned that enterprises need to better scrutinize security technologies before implementing them.
"It's pretty common for people to get a device and just use it in their infrastructure without a second thought that it might be insecure," said King, a SecureWorks network security engineer. "We need to include them in our PCI audits and get them in scope to make sure they're doing what they are supposed to be doing."
King demonstrated a cross-site scripting attack against the centralized management console of McAfee's Network Security Manager, a system that manages the sensors enterprises have deployed in the network as part of McAfee's intrusion prevention system (IPS). The vulnerability enables an attacker to execute remote code on a browser, steal a session cookie of an administrator and log in with no credentials. By using the technique, an attacker could gain full control of the McAfee IPS.
The vulnerability was reported to McAfee and has been patched, but King said similar vulnerabilities exist in other security products. Since enterprises don't often test their security systems prior to implementation, most bugs go unnoticed. King recommended that enterprises use a vulnerability scanner to pinpoint such problems in their appliances and other security devices. He also suggested using a port scanner to find open network ports.
"Throw everything you can at it to try to figure out whether these devices are up to snuff for your environment," King said.
SecureWorks' Jarmoc demonstrated several firewall vulnerabilities within Cisco's ASA Firewall, a widely used firewall that is deployed in SoHo environments as well as Fortune 500 companies. One flaw allows an attacker to bypass the access control list (ACL), which negates the firewall's security policy settings. Jarmoc also found issues with Cisco's Adaptive Security Device Manager (ASDM), a Java-based GUI used for administering the firewall. Weaknesses within the authentication mechanism enable several different techniques that can allow an attacker to gain administrator credentials and execute code.
"It's certainly clear that there's a lot of trust placed in these devices," Jarmoc said in an interview with SearchSecurity.com after the Black Hat session. "These security devices are supposed to help us increase security in our network, so when vulnerabilities are discovered in them, it can be particularly troublesome given the sensitive nature of what they do."
Jarmoc demonstrated what he called a simple method to compromise administrative credentials through a cross-site request forgery (CSRF) attack. In the attack, the browser caches the credentials used by the administrator to access the firewall. If the administrator visits a website that directs a malicious request toward the firewall, Jarmoc said, an attacker can then execute commands on the firewall. The Cisco vulnerabilities have been repaired, but if organizations have not applied the patches, he said, there's potential for a targeted attack.
"Despite these being security devices, it seems that they're just as prone to having trouble as any other piece of software," Jarmoc said.
Maintaining and evaluating the security of network firewalls and other network devices is not a high priority, Jarmoc said. Often, he said, the devices are managed by a network infrastructure team rather than a security team.
"The priority is on passing traffic and maintaining uptime," he said, "and not necessarily maintaining security and integrity."