Cisco's 6 Unpatched Internal Servers Supporting Virtual Networking Service Compromised

Cisco | June 01, 2020


Six internal servers that Cisco uses to support its virtual networking service were compromised earlier this month after the company failed to patch two SaltStack zero-day vulnerabilities, according to a security advisory sent to customers this week.

Cisco gave no details on exactly what, if any, damage was done as a result of the attacks, but said a "limited set of customers" was impacted. If exploited, these zero-day vulnerabilities potentially could have allowed an attacker to gain full remote code execution within the servers.

In its Thursday advisory, Cisco states that on April 29, the Salt Open Core team informed those using the SaltStack open-source configuration management and orchestration tool about two critical-rated vulnerabilities, an authentication bypass flaw, CVE-2020-11651, and a directory traversal problem, CVE-2020-11652.


Despite this warning, Cisco placed six servers in service on May 7 that were not patched against these vulnerabilities, and the servers were immediately attacked, the company acknowledges.

"A software component of the Cisco Virtual Internet Routing Lab service was affected by a third-party software vulnerability that was disclosed in late April. Cisco applied the patch in May, and a limited set of customers were impacted by exploitation attempts of the vulnerability," a company spokesperson tells Information Security Media Group.

SaltStack Vulnerabilities

The vulnerabilities in SaltStack were originally uncovered by security firm F-Secure, which describes them as allowing an attacker "to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the 'master' server file system and steal the secret key used to authenticate to the master as root. The impact is full remote command execution as root on both the master and all minions that connect to it."

SaltStack published its own advisory on April 20 and patched the vulnerabilities the following week with the release of versions 2019.2.4 and 3000.2, Alex Peay, a senior vice president at SaltStack, tells ISMG.

Cisco's six servers that were compromised are used to support Internet Routing Lab Personal Edition, or VIRL-PE, and Modeling Labs Corporate Edition, or CML, a platform that enables engineers to emulate various Cisco operating systems, including IOS, IOS XR, and NX-OS, Cisco says in the advisory. The servers are:

• us-1.virl.info

• us-2.virl.info

• us-3.virl.info

• us-4.virl.info

• vsm-us-1.virl.info

• vsm-us-2.virl.info

The exploitability of the vulnerabilities in the six servers depends upon how the products that the servers support are enabled. The company advises those using Cisco CML and Cisco VIRL-PE software releases 1.5 and 1.6, which have the salt-master service reachable on TCP ports 4505 and 4506, to inspect the software for compromise, re-image it and then patch it with the latest update.

F-Secure described the unpatched vulnerabilities as particularly easy to exploit.

"We expect that any competent hacker will be able to create 100% reliable exploits for these issues in under 24 hours," F-Secure says.

Attackers Looked for Easy Exploits

Peay of SaltStack added that exploits immediately began to show up after the patches were released and publicized as malicious actors attempted to take advantage of the zero-day vulnerabilities before companies were able to install patches.

Scott Caveza, research engineering manager at the security firm Tenable, offers a quick rundown of how threat actors use patch information to crack a system.

 

"Attackers will often review the code and look at what changes have been made in a patch or release update to determine how the fix was applied. Then working backwards, they can use this information to develop a working exploit and begin scanning and probing for targets across the internet," says Scott Caveza, research engineering manager at the security firm Tenable.



SaltStack went to great lengths to communicate the problem to its users and offer tools so mitigation efforts were conducted properly, Peay says. This included direct assistance for those lacking skills handling SaltStack along with a service that would scan to validate that the patches were properly applied, he adds.

Some security experts question why Cisco did not immediately patch its servers when it was notified of the zero-day vulnerabilities.

 

"There are management tools that can help with the automation of checking, but even that requires someone setting it up to check for a version of software on a set of servers, so in the end it's the IT person who has to do the work," says Jayant Shukla, CTO and co-founder of K2 Cyber Security.



Caveza of Tenable notes that identifying systems that need a patch involves IT staff checking the version of SaltStack and verifying that versions 2019.2.4, 3000.2 or later have been applied. He points out that plugins are available to assist with this task.
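The version check described above, combined with the port exposure named in Cisco's advisory, as an added example (not code from Cisco, SaltStack or Tenable): it parses Salt version strings in both numbering schemes and flags hosts below 2019.2.4 or 3000.2 whose master ports listen beyond loopback. The host names, inventory format and function names are assumptions constructed for illustration, and "or later" is interpreted per numbering scheme.

```python
import re

# Fixed releases named in the article, one per Salt numbering scheme.
FIXED_LEGACY = (2019, 2, 4)   # YYYY.M.P scheme
FIXED_3000 = (3000, 2)        # 3000.x scheme
MASTER_PORTS = {4505, 4506}   # salt-master TCP ports named in the advisory
LOOPBACK = {"127.0.0.1", "[::1]", "localhost"}

def parse_version(text):
    """Numeric release tuple from strings such as 'salt 3000.1' or '2019.2.3-1.el7'."""
    m = re.search(r"(\d{4})((?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no Salt version found in {text!r}")
    return (int(m.group(1)), *(int(p) for p in m.group(2).split(".") if p))

def is_patched(version_text):
    """True if the release is at or above the fixed release of its own scheme."""
    v = parse_version(version_text)
    return v >= (FIXED_3000 if v[0] >= 3000 else FIXED_LEGACY)

def exposed_ports(listeners):
    """Master ports bound to a non-loopback address, given 'addr:port' strings."""
    found = set()
    for item in listeners:
        addr, _, port = item.rpartition(":")
        if port.isdigit() and int(port) in MASTER_PORTS and addr not in LOOPBACK:
            found.add(int(port))
    return sorted(found)

def audit(inventory):
    """Map host -> (status, exposed master ports) for (host, version, listeners) records."""
    report = {}
    for host, version_text, listeners in inventory:
        ports = exposed_ports(listeners)
        if is_patched(version_text):
            status = "patched"
        elif ports:
            status = "unpatched-exposed"  # advisory: inspect, re-image, then patch
        else:
            status = "unpatched"
        report[host] = (status, ports)
    return report

# Constructed sample inventory (hypothetical hosts, not taken from the advisory).
SAMPLE = [
    ("lab-a.example.net", "salt 2019.2.3", ["0.0.0.0:4505", "0.0.0.0:4506"]),
    ("lab-b.example.net", "salt 3000.1", ["127.0.0.1:4505", "127.0.0.1:4506"]),
    ("lab-c.example.net", "salt 3000.2", ["[::]:4505", "[::]:4506"]),
    ("lab-d.example.net", "salt 2019.2.4", ["0.0.0.0:22"]),
]

if __name__ == "__main__":
    for host, (status, ports) in audit(SAMPLE).items():
        print(f"{host:20} {status:18} {ports}")
```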
