Cisco's 6 Unpatched Internal Servers Supporting Virtual Networking Service Compromised

Cisco | June 01, 2020

  • Cisco gave no details on exactly what, if any, damage was done as a result of the attacks, but said a "limited set of customers" was impacted.

  • Despite the April 29 warning from the Salt Open Core team, Cisco placed six servers in service on May 7 that were not patched against these vulnerabilities, and the servers were immediately attacked.

  • The vulnerabilities in SaltStack were originally uncovered by security firm F-Secure.


Six internal servers that Cisco uses to support its virtual networking service were compromised in May after the company failed to patch two recently disclosed SaltStack vulnerabilities, according to a security advisory sent to customers this week.

Cisco gave no details on exactly what, if any, damage was done as a result of the attacks, but said a "limited set of customers" was impacted. If exploited, the vulnerabilities could have given an attacker full remote code execution, as root, on the affected servers.

In its Thursday advisory, Cisco states that on April 29, the Salt Open Core team informed users of the SaltStack open-source configuration management and orchestration tool about two critical-rated vulnerabilities: an authentication bypass, CVE-2020-11651, and a directory traversal, CVE-2020-11652.


Despite this warning, Cisco placed six servers in service on May 7 that were not patched against these vulnerabilities, and the servers were immediately attacked, the company acknowledges.

"A software component of the Cisco Virtual Internet Routing Lab service was affected by a third-party software vulnerability that was disclosed in late April. Cisco applied the patch in May, and a limited set of customers were impacted by exploitation attempts of the vulnerability," a company spokesperson tells Information Security Media Group.

SaltStack Vulnerabilities

The vulnerabilities in SaltStack were originally uncovered by security firm F-Secure, which describes them as allowing an attacker "to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the 'master' server file system and steal the secret key used to authenticate to the master as root. The impact is full remote command execution as root on both the master and all minions that connect to it."

SaltStack published its own advisory on April 20 and patched the vulnerabilities the following week with the release of versions 2019.2.4 and 3000.2, Alex Peay, a senior vice president at SaltStack, tells ISMG.

The six compromised servers support Cisco Virtual Internet Routing Lab Personal Edition, or VIRL-PE, and Cisco Modeling Labs Corporate Edition, or CML, platforms that let engineers emulate Cisco operating systems, including IOS, IOS XR and NX-OS, Cisco says in the advisory. The servers are:

• us-1.virl.info

• us-2.virl.info

• us-3.virl.info

• us-4.virl.info

• vsm-us-1.virl.info

• vsm-us-2.virl.info

Whether a given deployment is exploitable depends on how the products are configured. Cisco advises customers running CML or VIRL-PE software releases 1.5 or 1.6 with the salt-master service reachable on TCP ports 4505 and 4506 to inspect the installation for signs of compromise, re-image it and then apply the latest update.

F-Secure described the unpatched vulnerabilities as particularly easy to exploit.

"We expect that any competent hacker will be able to create 100% reliable exploits for these issues in under 24 hours," F-Secure says.

Attackers Looked for Easy Exploits

Peay of SaltStack added that exploits began to appear immediately after the patches were released and publicized, as malicious actors tried to take advantage of the vulnerabilities before companies were able to install the fixes.

Scott Caveza, research engineering manager at the security firm Tenable, describes how attackers turn a published patch into a working exploit.

"Attackers will often review the code and look at what changes have been made in a patch or release update to determine how the fix was applied. Then working backwards, they can use this information to develop a working exploit and begin scanning and probing for targets across the internet," Caveza says.

SaltStack went to great lengths to communicate the problem to its users and to offer tools so that mitigation was carried out properly, Peay says. This included direct assistance for users less experienced with SaltStack, along with a scanning service to validate that the patches had been applied correctly, he adds.

Some security experts question why Cisco did not immediately patch its servers once it was notified of the vulnerabilities.

"There are management tools that can help with the automation of checking, but even that requires someone setting it up to check for a version of software on a set of servers, so in the end it's the IT person who has to do the work," says Jayant Shukla, CTO and co-founder of K2 Cyber Security.

Caveza notes that identifying systems that need the patch comes down to checking the installed SaltStack version and confirming that it is 2019.2.4, 3000.2 or later. He points out that plugins are available to assist with this task.
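As an added example, not Cisco's or SaltStack's own code, the two checks described above in Python: deciding from a `salt --version` string whether an install is at 2019.2.4 or 3000.2 or later, and parsing `ss -ltn` output to see whether the salt-master ports 4505 and 4506 are bound to a network-reachable address rather than loopback, which is the condition Cisco's advisory ties to exploitability. The `ss` output is constructed, the function names are this example's own, and treating every release branch older than 2019.2 as unpatched is an assumption made here for simplicity, following only the fixed versions the article names.

```python
"""Triage a Salt master for the CVE-2020-11651/11652 fixes.

Added example, not Cisco's or SaltStack's code. Fixed versions follow the
article: 2019.2.4 and 3000.2. Salt uses two numbering schemes, "YYYY.M.N"
(e.g. 2019.2.4) and a bare integer with an optional patch number
(e.g. 3000, 3000.2, 3001), so the two families are compared separately.
"""
import re
from typing import List, Tuple

FIXED_LEGACY = (2019, 2, 4)   # first fixed release in the YYYY.M.N scheme
FIXED_3000 = (3000, 2)        # first fixed release in the 3000.x scheme
SALT_MASTER_PORTS = {4505, 4506}  # publish server and request server

# Constructed `ss -ltn` output: 4505 on all interfaces, 4506 on loopback only.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:4505        0.0.0.0:*
LISTEN  0       128     127.0.0.1:4506      0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the numeric version from 'salt 3000.1', 'salt-master 2019.2.3', etc."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_patched(version_text: str) -> bool:
    """True for 2019.2.4+ or 3000.2+ (a newer major such as 3001 also counts).

    Assumption: branches older than 2019.2 are reported as unpatched.
    """
    v = parse_version(version_text)
    if v[0] >= 3000:
        # (3000,) < (3000, 2) in tuple order, so a bare '3000' is unpatched.
        return v >= FIXED_3000
    return v >= FIXED_LEGACY


def exposed_salt_ports(ss_output: str) -> List[int]:
    """Return the salt-master ports that listen on a non-loopback address."""
    exposed = set()
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # handles '[::]:4505' too
        if not port.isdigit() or int(port) not in SALT_MASTER_PORTS:
            continue
        if addr.startswith("127.") or addr in ("[::1]", "::1"):
            continue  # loopback only: not reachable from the network
        exposed.add(int(port))
    return sorted(exposed)


def triage(version_text: str, ss_output: str) -> str:
    """Map the two checks onto the action the advisory describes."""
    patched = is_patched(version_text)
    exposed = exposed_salt_ports(ss_output)
    if not patched and exposed:
        return "inspect for compromise, re-image, then patch"
    if not patched:
        return "patch"
    if exposed:
        return "patched; restrict 4505/4506 to minions only"
    return "ok"


if __name__ == "__main__":
    for ver in ("salt 2019.2.3", "salt 3000", "salt 3000.2", "salt 3001"):
        print(f"{ver:16} -> {triage(ver, SAMPLE_SS)}")
```

The order in `triage` matters: an unpatched master whose ports were reachable has to be treated as possibly compromised and rebuilt before the update is applied, since patching a box that has already given up its root key does not evict the attacker.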


