the emperor has no clothes
play

The Emperor Has No Clothes: Insecurities in Security Infrastructure - PowerPoint PPT Presentation

Aug 26, 2022 •206 likes •664 views

The Emperor Has No Clothes: Insecurities in Security Infrastructure Ben Feinstein, CISSP GCFA Director of Research Jeff Jarmoc, GPEN GCFW Firewall Engineer Dan King Security Engineer Black Hat USA 2010 Las Vegas, Nevada USA Wednesday, July

  1. The Emperor Has No Clothes: Insecurities in Security Infrastructure Ben Feinstein, CISSP GCFA Director of Research Jeff Jarmoc, GPEN GCFW Firewall Engineer Dan King Security Engineer Black Hat USA 2010 Las Vegas, Nevada USA Wednesday, July 28 th , 2010

  2. Introductions

  3. Why Security Infrastructure? • “Controls”, in the Regulatory / Compliance sense • Separation of Physical / Logical Zones of Trust • Active and passive defenses • Monitoring / Collection 3

  4. Impact of Successful Attack? • Impact can be varied, and severe • Attacker control of Device Policy / Device Config – Squelch alerts of the intrusion, “drop the shields” – Open up a backdoor channel • Attacker gains access to credentials, crypto or VPN keys – Eavesdropping – Pivot onto other systems in environment • Denial of Service 4

  5. Cisco ASA Vulnerabilities: ACL Bypass Jeff Jarmoc, GPEN GCFW Firewall Engineer

  6. Cisco Adpative Security Appliance (ASA) • Stateful Inspection Firewall • IPSEC VPN Termination • SSL VPN Termination • Via add-on modules – Intrusion Prevention (IPS) – Content Security 6

  7. Cisco ASA - Configuring Firewall Access Control • Two methods of evaluating actions for traffic • When ACLs are bound; – Evaluate traffic against each entry, top down. – The action of the first matching rule is taken. – If no rule matches, the traffic is denied (Default Deny) • When no ACLs are bound; – Traffic coming in to an interface is allowed if it’s egress interface has a lower security level. 7

  8. Cisco ASA - Configuring Firewall Access Control • Required Steps – Name each interface • nameif command – Configure a Security level • security-level command – Assign an IP address to each interface • IP address command • Optional steps – Create an Access-Control List • access-list command – Apply the ACLs to interfaces • access-group command 8

  9. Cisco ASA - Example Configuration Snippet interface Ethernet0/0 nameif outside security-level 0 ip address 192.168.1.222 255.255.255.0 ! interface Ethernet0/1 nameif inside security-level 100 ip address 10.10.10.1 255.255.255.0 ! interface Ethernet0/2 nameif dmz security-level 50 ip address 10.10.20.1 255.255.255.0 ! access-list outside_acl extended deny ip any any access-list inside_acl extended permit tcp 10.10.10.0 255.255.255.0 any eq www access-list inside_acl extended permit tcp 10.10.10.0 255.255.255.0 any eq https access-list inside_acl extended permit udp any host 10.10.20.53 eq domain access-list dmz_acl extended permit tcp host 10.10.20.25 any eq smtp access-list dmz_acl extended permit udp host 10.10.20.53 any eq domain ! access-group outside_acl in interface outside access-group inside_acl in interface inside access-group dmz_acl in interface dmz 9

  10. Cisco ASA - ACL Bypass • What if these are reversed? – access-group inside_acl in interface inside – access-list inside_acl extended permit tcp 10.10.10.0 255.255.255.0 any eq www – access-list inside_acl extended permit tcp 10.10.10.0 255.255.255.0 any eq https – access-list inside_acl extended permit udp 10.10.10.0 255.255.255.0 any eq domain • Newer versions of ASA give an error. – ERROR: Access-group inside_acl does not exist. • Some past version(s) would accept this and the device would operate as intended. • Upon upgrade to a version affected by bug CSCsq91277 trouble occurs. • Default Deny behavior changes to Security Level. Default Deny is bypassed! 10

  11. Cisco ASA - ACL Bypass - Identifying • Two ways to confirm misbehavior – Comparing Syslog output (at level 6 - informational) to configuration. Feb 13 2009 14:50:21 demoasa : %ASA-6-302013: Built outbound TCP connection 451649364 for outside:a.b.c.d/3389 (a.b.c.d/3389) to inside:10.1.1.100/1469 (192.168.1.222/24278) Feb 13 2009 14:50:21 demoasa : %ASA-6-305011: Built dynamic TCP translation from inside:10.1.1.100/1470 to outside:192.168.1.222/7792 Feb 13 2009 14:50:21 demoasa : %ASA-6-302013: Built outbound TCP connection 451649365 for outside:a.b.c.d/3389 (a.b.c.d/3389) to inside:10.1.1.100/1470 (192.168.1.222/7792) Feb 13 2009 14:50:21 demoasa : %ASA-6-305011: Built dynamic TCP translation from inside:10.1.1.100/1471 to outside:192.168.1.222/52312 Feb 13 2009 14:50:21 demoasa : %ASA-6-302013: Built outbound TCP connection 451649401 for outside:a.b.c.d/3389 (a.b.c.d/3389) to inside:10.1.1.100/1471 (192.168.1.222/52312) Feb 13 2009 14:50:22 demoasa : %ASA-6-305011: Built dynamic TCP translation from inside:10.1.1.100/1472 to outside:192.168.1.222/37014 11

  12. Cisco ASA - ACL Bypass - Identifying • Two ways to confirm misbehavior – Testing with packet-tracer packet-tracer input inside tcp 10.1.1.100 1486 a.b.c.d 9000 ... Phase: 2 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule Additional Information: Forward Flow based lookup yields rule: in id=0x1a09d350, priority=1, domain=permit, deny=false hits=1144595557, user_data=0x0, cs_id=0x0, l3_type=0x8 src mac=0000.0000.0000, mask=0000.0000.0000 dst mac=0000.0000.0000, mask=0000.0000.0000 12

  13. Cisco ASA - ACL Bypass - Mitigation • Upgrade to a patched version – 7.0(8)1 and later – 7.1(2)74 and later – 7.2(4)9 and later – 8.0(4)5 and later • Add an explicit deny to all ACL • Cannot be remotely triggered. • Cannot be triggered at will • More of a security-impacting bug than a true vulnerability, but still very important. • See Cisco advisory cisco-sa-20090408-asa for more details 13

  14. Cisco ASA Vulnerabilities: ASDM Administrative Command Injection Jeff Jarmoc, GPEN GCFW Firewall Engineer

  15. What is ASDM? • Adaptive Security Device Manager • JAVA GUI for configuring and administrating ASA • Launch from Browser or Install • Uses HTTPS • Requires JRE 15

  16. ASDM - Dissecting Communications 16

  17. ASDM - Dissecting Communications Path Purpose Security /admin/ Root of ASA management interface. Anonymous /admin/public/ Stores .jar, .jnlp and other supporting files. Anonymous /admin/exec/ Root of commands to be executed. Commands Auth Required are passed as HTTP encoded paths. /admin/config/ Returns the current running-config. Auth Required /admin/capture/ Stores any captures configured. Appending Auth Required /pcap/ to request returns them in .pcap form. Some examples of commonly used URLs: To get the version of a device, connect to: https://a.b.c.d/admin/exec/sh+ver/ To download a pcap of a capture name ‘test’: https://a.b.c.d/admin/capture/test/pcap/ To view the current time and an access list called ‘inside’: https://a.b.c.d/admin/exec/sh+clock/sh+access-list+inside/ 17

  18. ASDM - Credential Interception • HTTP Basic-Auth, credentials are Base64 encoded – YWRtaW46c3VwZXJzZWNyZXQ= – admin:supersecret • By using an SSL/TLS interception proxy, credential secrecy is compromised. – Requires re-writing certificate, which can be easily detected – Many sysadmins still using self-signed certificates – Certificate warnings may therefore not carry much weight. 18

  19. ASDM - Cross-Site Request Forgery • Lack of nonce value or randomization of command URIs • No Hashing of URIs (as with Digest Auth) • In short, nothing protecting URL integrity • Requires client browser cache credentials – Clients typically only hit authenticated URLs through Java – Can’t easily inject a request into the Java process • If Admin users Browser to access ASA, Credentials are cached for the duration of that session. – No log out mechanism – No age-out or time out 19

  20. ASDM - Cross-Site Request Forgery • Cisco Actually recommends this action in limited cases! – Copying PCAPs off the sensor – Copying full configuration off sensor • PIX/ASA 7.x: Pre-shared Key Recovery – Pre-Shared keys are not exposed through `sh run` – Four processes are generated, all four have problem • Use “more system:running-config ” – Cisco now calls this a bug (CSCeh98117) and this no longer works past 8.3(1) (according to release notes) • Copy config via TFTP – Plaintext! • Copy config via FTP – Plaintext! • Copy config via HTTPS – Browser caches credentials, and CSRF is possible 20

  21. ASDM - TLS/SSL Renegotiation, Command injection • A Man-in-the-middle can ask both end points to renegotiate encryption, while transmitting plaintext. This plain-text is received into a buffer, which is prepended to the client’s request upon renegotiation. – CVE-2009-3555 – Discovered by Marsh Ray and Steve Dispensa of Phone Factor – Affects nearly all TLS/SSL implementations, not just Cisco. – A Man-in-the-Middle can therefore inject text into the TLS stream, without replacing the server’s certificate. – Data can not be decrypted, only injected. • Weak authentication mechanisms combine with lack of URI protection such that this vulnerability in integrity is enough to inject commands into a legitimate ASDM administrative session. 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Real clothes for Norways Emperor Paris, carbon budgets & 2C mitigation twitter :

Real clothes for Norways Emperor Paris, carbon budgets & 2C mitigation twitter :

Real clothes for Norways Emperor Paris, carbon budgets & 2C mitigation twitter : @KevinClimate web: www.cemus.uu.se Foto: Tina Rohdin Kevin Anderson Isak Stoddard Jesse Schrage Zennstrm Professor in Climate Change Leadership

565 views • 35 slides
David Teplow, Integra Technology Consul9ng 11/20/12 11/20/12 -

David Teplow, Integra Technology Consul9ng 11/20/12 11/20/12 -

David Teplow, Integra Technology Consul9ng 11/20/12 11/20/12 - The Database Emperor Has No Clothes 11/20/12 - The Database Emperor Has No Clothes

496 views • 20 slides
Reunification Therapy C.A. Childress, Psy.D. (2013) Within professional psychology, The Emperor

Reunification Therapy C.A. Childress, Psy.D. (2013) Within professional psychology, The Emperor

11/24/13 The Myth of Reunification Therapy C.A. Childress, Psy.D. (2013) Within professional psychology, The Emperor has No Clothes There are models for psychodynamic therapy (Kohut, Stolorow, Brandchaft, & Atwood), There are

453 views • 17 slides
Egypt for Medical Clothes - Medic Med Medic ic Facts cts Egypt for Medical clothes (Medic) is

Egypt for Medical Clothes - Medic Med Medic ic Facts cts Egypt for Medical clothes (Medic) is

Egypt for Medical Clothes - Medic Med Medic ic Facts cts Egypt for Medical clothes (Medic) is one of the pioneer companies in the Middle East specialized in manufacturing of medical clothes as sterile surgical Gowns, Sterile medical Drapes

420 views • 15 slides
Emperor Energy (ASX: EMP) London Presentation November 2017 Disclaimer Disclaimer This

Emperor Energy (ASX: EMP) London Presentation November 2017 Disclaimer Disclaimer This

Emperor Energy (ASX: EMP) London Presentation November 2017 Disclaimer Disclaimer This presentation is for the sole purpose of preliminary background information to enable recipients to review the business activities of Emperor Energy Limited

480 views • 19 slides
Why Columbus Wasnt Chinese Emperor Yongle 1403-24 Malacca With the virtue of a sage and

Why Columbus Wasnt Chinese Emperor Yongle 1403-24 Malacca With the virtue of a sage and

Why Columbus Wasnt Chinese Emperor Yongle 1403-24 Malacca With the virtue of a sage and placed in the seat of a sage, [my father, Emperor Hung- wu] had a controlling power over Heaven, Earth, and Man, thus harmonizing yin and yang and

409 views • 13 slides
Emperor Energy (ASX: EMP) Hong Kong Presentation April 2018 Disclaimer Disclaimer This

Emperor Energy (ASX: EMP) Hong Kong Presentation April 2018 Disclaimer Disclaimer This

Emperor Energy (ASX: EMP) Hong Kong Presentation April 2018 Disclaimer Disclaimer This presentation is for the sole purpose of preliminary background information to enable recipients to review the business activities of Emperor Energy Limited ABN

319 views • 20 slides
China *Army of the First Emperor of Qin, China, Qin Dynasty ca. 210 BCE *Army of the First

China *Army of the First Emperor of Qin, China, Qin Dynasty ca. 210 BCE *Army of the First

China *Army of the First Emperor of Qin, China, Qin Dynasty ca. 210 BCE *Army of the First Emperor of Qin, China, Qin Dynasty ca. 210 BCE Army of the First Emperor of Qin, China, Qin Dynasty ca. 210 BCE *Gu Kaizhi, Lady Feng and the Bear ,

368 views • 7 slides
Natural History Emperor Tamarin Saguinus imperator Live: Neo-tropical Primates, South America

Natural History Emperor Tamarin Saguinus imperator Live: Neo-tropical Primates, South America

A success story of Emperor Tamarin twins raised both by humans and their family By: Michelle Jordan and Jessica Grote Primate Keepers, Denver Zoo Natural History Emperor Tamarin Saguinus imperator Live: Neo-tropical Primates, South America

460 views • 20 slides
Emperor Energy (ASX: EMP) Energy Mines and Money Presentation June 2018 Disclaimer Disclaimer

Emperor Energy (ASX: EMP) Energy Mines and Money Presentation June 2018 Disclaimer Disclaimer

Emperor Energy (ASX: EMP) Energy Mines and Money Presentation June 2018 Disclaimer Disclaimer This presentation is for the sole purpose of preliminary background information to enable recipients to review the business activities of Emperor

354 views • 23 slides
CS5412: DANGERS OF CONSOLIDATION Lecture XXIII Ken Birman Are Clouds Inherently Dangerous? 2

CS5412: DANGERS OF CONSOLIDATION Lecture XXIII Ken Birman Are Clouds Inherently Dangerous? 2

1 CS5412: DANGERS OF CONSOLIDATION Lecture XXIII Ken Birman Are Clouds Inherently Dangerous? 2 Gene Spafford, famous for warning that the emperor has no clothes fears that moving critical information to the cloud could be a catastrophe

637 views • 40 slides
CS5412: DANGERS OF CONSOLIDATION Lecture XXIII Ken Birman Are Clouds Inherently Dangerous? 2

CS5412: DANGERS OF CONSOLIDATION Lecture XXIII Ken Birman Are Clouds Inherently Dangerous? 2

CS5412 Sping 2014 1 CS5412: DANGERS OF CONSOLIDATION Lecture XXIII Ken Birman Are Clouds Inherently Dangerous? 2 Gene Spafford, famous for warning that the emperor has no clothes fears that moving critical information to the cloud

623 views • 49 slides
CS5412: DANGERS OF CONSOLIDATION Lecture XXIII Ken Birman Are Clouds Inherently Dangerous? 2

CS5412: DANGERS OF CONSOLIDATION Lecture XXIII Ken Birman Are Clouds Inherently Dangerous? 2

CS5412 Sping 2015 1 CS5412: DANGERS OF CONSOLIDATION Lecture XXIII Ken Birman Are Clouds Inherently Dangerous? 2 Gene Spafford, famous for warning that the emperor has no clothes fears that moving critical information to the cloud

585 views • 57 slides
Winning the Climate-Change Battle system works Climate tells you what clothes to buy, but

Winning the Climate-Change Battle system works Climate tells you what clothes to buy, but

28/07/2016 1a. How the climate Winning the Climate-Change Battle system works Climate tells you what clothes to buy, but weather tells you what clothes to wear. Roy Thompson 1 28/07/2016 Earth's winds and The sun delivers more energy to

362 views • 34 slides
JAPAN ECONOMY 1 JAPAN Chief of the State Emperor AKIHITO MER DE LEST DE LEST

JAPAN ECONOMY 1 JAPAN Chief of the State Emperor AKIHITO MER DE LEST DE LEST

JAPAN ECONOMY 1 JAPAN Chief of the State Emperor AKIHITO MER DE LEST DE LEST Political Regime Constitutional monarchy Capital Tokyo GDP/Cap $34,000 Osaka, Kobe, Nagoya, Main cities Fukuoka, Kitakyushu Source: CIA Fact book

487 views • 9 slides
Not Just Pretty Clothes: Fashions progressive operationalization as seen in Baudelaire and

Not Just Pretty Clothes: Fashions progressive operationalization as seen in Baudelaire and

Not Just Pretty Clothes: Fashions progressive operationalization as seen in Baudelaire and Benjamin A senior thesis for the Philosophy Department, with an addendum in fulfillment of the World Literature and Culture Studies Departments

219 views • 5 slides
12/15/2014 At that time the Roman emperor, Augustus, decreed that a census should be taken

12/15/2014 At that time the Roman emperor, Augustus, decreed that a census should be taken

12/15/2014 At that time the Roman emperor, Augustus, decreed that a census should be taken throughout the Roman Empire. This was the first census taken when Quirinius was governor of Syria. All returned to their own ancestral towns to register

289 views • 4 slides
How Segregated is Urban Consumption? Presentation at CFM-PER Geolocation Economics Conference

How Segregated is Urban Consumption? Presentation at CFM-PER Geolocation Economics Conference

How Segregated is Urban Consumption? Presentation at CFM-PER Geolocation Economics Conference Donald R. Davis Columbia University and NBER May 4, 2020 Davis (Columbia) Segregation of Consumption May 4, 2020 1 / 27 Journal of Political

730 views • 27 slides
Authentic Engagement High School PBIS Flannery and Kato, 2012 Implementation Model 1 2/4/2018

Authentic Engagement High School PBIS Flannery and Kato, 2012 Implementation Model 1 2/4/2018

2/4/2018 SWPBIS in the High School Classroom: Best Practices in Action! Jessica Swain-Bradway, Ph.D., Midwest PBIS Network www.midwestpbis.org Jessica.swainbradway@midwestpbis.org With Resources from www.PBIS.org and With contributions from

460 views • 20 slides
Automated reasoning for first-order logic Theory, Practice and Challenges Konstantin Korovin 1

Automated reasoning for first-order logic Theory, Practice and Challenges Konstantin Korovin 1

Automated reasoning for first-order logic Theory, Practice and Challenges Konstantin Korovin 1 The University of Manchester UK korovin@cs.man.ac.uk Part II 1 supported by a Royal Society University Fellowship Modular instantiation-based

1.72k views • 144 slides
for Adults Beliefs & Prayer SIGN IN AT THE WELCOME TABLE AND ENJOY THE FOOD RCIA Journey of

for Adults Beliefs & Prayer SIGN IN AT THE WELCOME TABLE AND ENJOY THE FOOD RCIA Journey of

Practices St. Jude Rite of Christian Initiation for Adults Beliefs & Prayer SIGN IN AT THE WELCOME TABLE AND ENJOY THE FOOD RCIA Journey of Faith Sacraments/Rites Practices This evenings meal is provided by: Beliefs & Prayer

813 views • 45 slides
Diabetes Treatment and Heart Failure From Preventing Harm to Increasing Survival Jonathan D

Diabetes Treatment and Heart Failure From Preventing Harm to Increasing Survival Jonathan D

Diabetes Treatment and Heart Failure From Preventing Harm to Increasing Survival Jonathan D Davis, MD, MPHS Director, Heart Failure Program Assistant Clinical Professor | Division of Cardiology Zuckerberg San Francisco General Hospital

599 views • 36 slides
The Computational Paradigm 2. Why did computing need to be an academic discipline? of

The Computational Paradigm 2. Why did computing need to be an academic discipline? of

This Talk 1. Computer science: Definition The Computational Paradigm 2. Why did computing need to be an academic discipline? of Science 3. What characterizes computing as a discipline? ECSS 2015 4. Is everything computing? Matti Tedre

637 views • 24 slides
Usable Security Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan

Usable Security Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan

CSE 484 / CSE M 584: Computer Security and Privacy Usable Security Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John Mitchell,

715 views • 34 slides

More recommend