John Pescatore – SANS Director of Emerging Security Trends
Driving Security Priority into Work from Home Product Vendors
This week’s Drilldown looks at two items (included below) from NewsBites Issue 59 and Issue 60, which focused on vulnerabilities in commercial products often used in work-from-home scenarios and on vendors’ lack of attention to, and support for, security in their products.
The first item described Netgear’s decision not to release patches for 45 of its routers that have critical remote code execution vulnerabilities. Netgear stated that those 45 products are “outside the security support period.”
The second item detailed an FBI warning for out-of-the-box insecure configurations of products using Constrained Application Protocol (CoAP), Web Services Dynamic Discovery (WS-DD), Apple Remote Management Service (ARMS) and Jenkins web-based automation software.
What this translates to is a high level of risk overall, and particularly so with today’s (and the future’s) increased levels of work from home. Remote code execution on employee home internet routers would be an obvious disaster. The FBI warning focused on DDoS exploitation of insecure configurations. Work from home can be completely disrupted by DDoS attacks that disable inbound or outbound internet connectivity.
If you look back to the start of business use of the internet in the early 2000s, Microsoft only sporadically released patches for known vulnerabilities in Windows, and very few hardware and software vendors took a “secure out-of-the-box” approach. It took pressure from buyers to get Microsoft (and other software vendors) to move to more secure out-of-the-box configurations and support efforts such as the Center for Internet Security (CIS) Benchmarks.
We are now reliving this scenario with groups of vendors that want to sell to enterprises, but haven’t made the investment in secure design and fast and guaranteed patching processes that enterprises need. Buying power works. Buyers must apply pressure to sellers, essentially “voting” with procurement funds.
If we continue to buy junk, those vendors will happily continue to sell us junk. Security managers should work with procurement to remove from procurement lists vendors who are not providing enterprise levels of security, or at least to ensure that security evaluation criteria are heavily weighted. This should include any ISP contracts where routers are provided to small office, home office and branch office environments. Employees should be given guidance on required patches or mitigation approaches and provided with lists of recommended home equipment to choose from when they do have a choice.
Netgear Will Not Release Patches for 45 Devices Vulnerable to RCE Flaw
(July 30, 2020)
A remote code execution vulnerability affecting Netgear home routers was disclosed in June. Netgear will not release fixes for 45 of the affected router models, identifying them as "outside the security support period." Proof-of-concept exploit code for the stack buffer overflow vulnerability has been released.
[Pescatore] Obviously, with high levels of work from home, use of the unpatchable devices is a concern. The CERT alert has a link to a nice spreadsheet with all the Netgear model numbers that won't be supported with patches. Netgear's response to this issue is a good reason to remove them from procurement lists for any corporate buys, and it is worth looking at what user devices are supplied with any ISP services you are using for small office/home office connectivity, as well. The consumer issue is really something that is going to need legislation to drive required support periods, or at least up-front declaration of guaranteed support periods.
[Ullrich] If you are sick of vendors forcing you to buy new devices versus offering to fix defective devices they sold you: Consider one of the very capable, and by no means difficult to use, open source alternatives that use commodity hardware. My favorite, OPNsense, released an update this week that yet again improves security and offers features that you will have a hard time finding in many expensive enterprise solutions. Other alternatives are pfSense and IPFire; or, for older/less-capable hardware, good-old OpenWrt. Lots of other options depending on what you need. Some of these even offer paid supported versions.
[Murray] "Useful life" ends with the publication of vulnerabilities in unsupported products. Fortunately, the cost of the replacement will be a fraction of the cost of the original and the value higher.
FBI Warning on New DDoS Attack Vectors
(July 27, 2020)
Last week, the FBI issued a Private Industry Notification warning of several new network protocols and a web application that are being abused to conduct DDoS attacks. They are CoAP, WS-DD, ARMS and Jenkins web-based automation software.
[Pescatore] In the 2020 "SANS Top New Attacks and Threats Report," SANS Fellow Ed Skoudis detailed "living off the land" attacks and what to do about them for near-term mitigation. Longer term, pressure needs to be applied to vendors to provide out-of-the-box configurations that have potentially dangerous services off by default. The report can be downloaded at www.sans.org/reading-room/whitepapers/analyst/top-attacks-threat-report-39520
Read more in:
ZDNet: FBI warns of new DDoS attack vectors: CoAP, WS-DD, ARMS, and Jenkins
RackCDN: Private Industry Notification | Cyber Actors Exploiting Built-In Network Protocols to Carry Out Larger, More Destructive Distributed Denial of Service Attacks (PDF)
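One defensive check that follows from the FBI item, as an added example that is not part of the newsletter or of the FBI notification: a small Python script that aggregates flow records and flags local hosts whose CoAP, WS-Discovery, ARMS or Jenkins auto-discovery UDP services are answering many distinct remote addresses with far more bytes than they receive, which is what a host being abused as a DDoS reflector looks like from inside the network. The port numbers are the services' well-known UDP ports; the addresses, flow records and thresholds are constructed assumptions.

```python
from collections import defaultdict, namedtuple

# UDP services named in the FBI notification as reflection/amplification
# vectors, keyed by their well-known UDP port. Jenkins is listed by its UDP
# auto-discovery responder (33848), the part that reflects, not its web UI.
REFLECTOR_PORTS = {5683: "CoAP", 3702: "WS-Discovery", 3283: "ARMS", 33848: "Jenkins discovery"}

# Bidirectional flow summary seen from the monitored network. When a host is
# being used as a reflector, the remote "client" is the spoofed victim address.
Flow = namedtuple("Flow", "client server svc_port proto req_bytes resp_bytes")

# Constructed sample records (hypothetical addresses from RFC 5737 ranges).
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "192.0.2.10", 3702, "udp", 150, 4100),
    Flow("203.0.113.8", "192.0.2.10", 3702, "udp", 150, 4100),
    Flow("203.0.113.9", "192.0.2.10", 3702, "udp", 150, 4100),
    Flow("203.0.113.10", "192.0.2.10", 3702, "udp", 150, 4100),
    Flow("198.51.100.5", "192.0.2.20", 5683, "udp", 21, 900),   # only two CoAP peers
    Flow("198.51.100.6", "192.0.2.20", 5683, "udp", 21, 900),
    Flow("203.0.113.20", "192.0.2.30", 3283, "udp", 10, 1000),
    Flow("203.0.113.21", "192.0.2.30", 3283, "udp", 10, 1000),
    Flow("203.0.113.22", "192.0.2.30", 3283, "udp", 10, 1000),
    Flow("198.51.100.9", "192.0.2.40", 443, "tcp", 800, 900),    # ordinary HTTPS
]

def find_reflection_abuse(flows, min_ratio=10.0, min_clients=3):
    """Return (server, service, amplification, client_count) for each local UDP
    reflector service that answers many distinct peers with far more bytes than
    it receives. One or two peers are not flagged: legitimate discovery traffic
    comes from a few known neighbours, not a spray of unrelated sources."""
    stats = defaultdict(lambda: {"clients": set(), "req": 0, "resp": 0})
    for f in flows:
        if f.proto != "udp" or f.svc_port not in REFLECTOR_PORTS:
            continue
        s = stats[(f.server, f.svc_port)]
        s["clients"].add(f.client)
        s["req"] += f.req_bytes
        s["resp"] += f.resp_bytes
    findings = []
    for (server, port), s in stats.items():
        ratio = s["resp"] / max(s["req"], 1)   # bytes out per byte in
        if ratio >= min_ratio and len(s["clients"]) >= min_clients:
            findings.append((server, REFLECTOR_PORTS[port], round(ratio, 1), len(s["clients"])))
    return sorted(findings)

if __name__ == "__main__":
    for server, service, ratio, n in find_reflection_abuse(SAMPLE_FLOWS):
        print(f"{server} {service}: {ratio}x amplification towards {n} distinct peers")
```

Feeding real NetFlow or firewall session logs into the same `Flow` shape turns this into a periodic check that any such service left on by default has been closed or firewalled.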