Cisco's 6 Unpatched Internal Servers Supporting Virtual Networking Service Compromised

Cisco | June 01, 2020

  • Cisco gave no details on exactly what, if any, damage was done as a result of the attacks, but said a "limited set of customers" was impacted.

  • Despite this warning, Cisco placed six servers in service on May 7 that were not patched against these vulnerabilities, and the servers were immediately attacked.

  • The vulnerabilities in SaltStack were originally uncovered by security firm F-Secure.


Six internal servers that Cisco uses to support its virtual networking service were compromised earlier this month after the company failed to patch two SaltStack zero-day vulnerabilities, according to a security advisory sent to customers this week.

Cisco gave no details on exactly what, if any, damage was done as a result of the attacks, but said a "limited set of customers" was impacted. If exploited, these zero-day vulnerabilities potentially could have allowed an attacker to gain full remote code execution within the servers.

In its Thursday advisory, Cisco states that on April 29, the Salt Open Core team informed those using the SaltStack open-source configuration management and orchestration tool about two critical-rated vulnerabilities, an authentication bypass flaw, CVE-2020-11651, and a directory traversal problem, CVE-2020-11652.


Despite this warning, Cisco placed six servers in service on May 7 that were not patched against these vulnerabilities, and the servers were immediately attacked, the company acknowledges.

"A software component of the Cisco Virtual Internet Routing Lab service was affected by a third-party software vulnerability that was disclosed in late April. Cisco applied the patch in May, and a limited set of customers were impacted by exploitation attempts of the vulnerability," a company spokesperson tells Information Security Media Group.

SaltStack Vulnerabilities

The vulnerabilities in SaltStack were originally uncovered by security firm F-Secure, which describes them as allowing an attacker "to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the 'master' server file system and steal the secret key used to authenticate to the master as root. The impact is full remote command execution as root on both the master and all minions that connect to it."

SaltStack published its own advisory on April 20 and patched the vulnerabilities the following week with the release of versions 2019.2.4 and 3000.2, Alex Peay, a senior vice president at SaltStack, tells ISMG.

Cisco's six compromised servers are used to support Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE) and Cisco Modeling Labs Corporate Edition (CML), platforms that enable engineers to emulate various Cisco operating systems, including IOS, IOS XR and NX-OS, Cisco says in the advisory. The servers are:

• us-1.virl.info

• us-2.virl.info

• us-3.virl.info

• us-4.virl.info

• vsm-us-1.virl.info

• vsm-us-2.virl.info

The exploitability of the vulnerabilities on the six servers depends on how the products that the servers support are configured. The company advises those running Cisco CML and Cisco VIRL-PE software releases 1.5 and 1.6 with the salt-master service reachable on TCP ports 4505 and 4506 to inspect the software for compromise, re-image it and then patch it with the latest update.

F-Secure described the unpatched vulnerabilities as particularly easy to exploit.

"We expect that any competent hacker will be able to create 100% reliable exploits for these issues in under 24 hours," F-Secure says.

Attackers Looked for Easy Exploits

Peay of SaltStack added that exploits immediately began to show up after the patches were released and publicized as malicious actors attempted to take advantage of the zero-day vulnerabilities before companies were able to install patches.

Scott Caveza, research engineering manager at the security firm Tenable, offers a quick rundown of how threat actors use patch information to crack a system.

"Attackers will often review the code and look at what changes have been made in a patch or release update to determine how the fix was applied. Then working backwards, they can use this information to develop a working exploit and begin scanning and probing for targets across the internet," Caveza says.

SaltStack went to great lengths to communicate the problem to its users and offer tools so mitigation efforts were conducted properly, Peay says. This included direct assistance for those lacking skills handling SaltStack along with a service that would scan to validate that the patches were properly applied, he adds.

Some security experts question why Cisco did not immediately patch its servers when it was notified of the zero-day vulnerabilities.

"There are management tools that can help with the automation of checking, but even that requires someone setting it up to check for a version of software on a set of servers, so in the end it's the IT person who has to do the work," says Jayant Shukla, CTO and co-founder of K2 Cyber Security.



Caveza of Tenable notes that identifying systems that need a patch involves IT staff checking the SaltStack version on each host and verifying that version 2019.2.4, 3000.2 or later has been applied. He points out that plugins are available to assist with this task.
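The version check Caveza describes, as an added example that is not part of the original article or of any SaltStack or Tenable tooling: it parses `salt --version`-style output and reports which hosts fall below the fixed releases named above (2019.2.4 and 3000.2). The host names and version strings are constructed sample data; the helper names are this example's own.

```python
import re

# Fixed releases named in the article: 2019.2.4 and 3000.2 (or later).
# Keyed by the major component so each release line gets its own floor.
PATCHED_MIN = {2019: (2019, 2, 4), 3000: (3000, 2, 0)}

# Matches "salt 2019.2.3 (Fluorine)" and "salt-master 3000.2"; Salt majors
# are the four-digit year (pre-3000 scheme) or 3000 and up.
_VERSION_RE = re.compile(r"salt(?:-[a-z]+)?\s+(\d{4})(?:\.(\d+))?(?:\.(\d+))?")


def parse_salt_version(text):
    """Return (major, minor, patch) from --version output, or None if absent.
    Missing components default to 0, so a bare "3000" becomes (3000, 0, 0)."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor or 0), int(patch or 0))


def is_patched(version):
    """True when the version is at or above the fixed release for its line."""
    major = version[0]
    if major > 3000:
        return True  # 3001 and later were released after the fix
    floor = PATCHED_MIN.get(major)
    if floor is None:
        return False  # 2018.3 and older lines: no fixed release is named
    return version >= floor


def assess_host(host, version_output):
    """Classify one host; "unknown" means no version could be read at all."""
    v = parse_salt_version(version_output)
    if v is None:
        return {"host": host, "version": None, "status": "unknown"}
    return {"host": host, "version": v,
            "status": "patched" if is_patched(v) else "unpatched"}


# Constructed sample inventory (hypothetical hosts, made-up version output).
SAMPLE_INVENTORY = {
    "lab-master-a": "salt 2019.2.3 (Fluorine)",
    "lab-master-b": "salt 2019.2.4 (Fluorine)",
    "lab-master-c": "salt-master 3000",
    "lab-master-d": "salt-master 3000.2",
    "lab-master-e": "salt 3001",
    "lab-master-f": "salt 2018.3.4",
}


def hosts_needing_attention(inventory=SAMPLE_INVENTORY):
    """Hosts that are unpatched or unreadable: inspect, re-image, then update."""
    return sorted(h for h, out in inventory.items()
                  if assess_host(h, out)["status"] != "patched")


if __name__ == "__main__":
    for host, out in SAMPLE_INVENTORY.items():
        print(assess_host(host, out))
```

A host reported as "unknown" is treated like an unpatched one, since a version string that cannot be read is no evidence that the fix is in place.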


About Cisco

Cisco enables people to make powerful connections--whether in business, education, philanthropy, or creativity. Cisco hardware, software, and service offerings are used to create the Internet solutions that make networks possible--providing easy access to information anywhere, at any time.
