OSMOSIS: Open Source Monitoring Security Issues
Hackito Ergo Sum 2014 / April 2014 / Paris
AGENDA
§ Who are we?
§ Open Source Monitoring Software
§ Results
§ Demonstration
§ Responses
§ Mitigations and conclusion
– Public – Deutsche Telekom AG / OSMOSIS 4/25/14
DEUTSCHE TELEKOM PROFILE: CUSTOMERS & MARKETS, FACTS & FIGURES
Customers
§ >141 m mobile customers
§ >32 m fixed-line customers / >17 m broadband customers
§ around 3 m (IP) TV customers
§ About 2 m workstation systems
Markets
§ Presence in 50 countries
§ Germany, Europe, USA: using our own infrastructure
§ T-Systems: global presence & alliances via partners
Telekom in figures
§ Revenue € 58.7 bn
§ Adjusted EBITDA € 18.7 bn
§ Free cash flow € 6.4 bn
§ Among the top 100 marketed companies worldwide (#75 in 2012 Fortune 500 list)
Employees & responsibility
§ Employees worldwide: 235,000
§ 9,000 trainees and cooperative degree students in Germany
§ Pioneer of social issues (promotion of women, data privacy, climate protection etc.)
Source: DT annual report to shareholders 2012 / TMUS annual report to shareholders 2012
DEUTSCHE TELEKOM GROUP INFORMATION SECURITY
§ Security requirements, security levels, standards
§ Privacy & Security Assessment (PSA)
§ Deutsche Telekom Cyber Emergency Response Team (CERT)
§ Consulting, implementation of measures, testing
§ Technology, innovation, security strategies
§ Abuse handling, incident management
§ Intelligent network solutions
OPEN SOURCE MONITORING SOFTWARE: OVERVIEW
Summary: a critical function in a corporate network
§ Lets you know how well the network is running
§ End-to-end monitoring, from services down to a detailed hardware view
Joint functions in this case
§ Web based solution
§ Agent based
Out of scope
§ No IDS / IPS
§ No commercial solutions
§ No security monitoring
OPEN SOURCE MONITORING SOFTWARE: THREATS
§ Ubiquitous component in network environments
§ Centralized access to multiple networks
§ Usually positioned deep in the internal network (as in: semi-trusted network)
§ Used in nearly every environment (from small business over mid-range up to enterprises)
§ MTAACA (machine that acts as client attack) and CTAMTAACA (clients that access machines that act as clients attack)
OPEN SOURCE MONITORING SOFTWARE: RISKS
§ A more valuable target than perimeter systems
§ Input data parsing (logfiles, SNMP, traps, ...)
§ Web GUIs (OWASP Top 10, anyone?)
§ Some have home-brew agents – on EVERY system
§ Potential access to a lot of components in the perimeter and the internal network
OPEN SOURCE MONITORING SOFTWARE: HOW IS IT IMPLEMENTED TYPICALLY?
[Diagram of a typical deployment; of its labels only "SNMP" survives the extraction]
OPEN SOURCE MONITORING SOFTWARE: WHAT WE COVERED
§ This is not an academic talk – we are talking about actual experience
§ Open Source tools are easy to audit (kinda)
§ Everyone has the chance to audit their own solution
§ Focus on market leading / industry standard software
OPEN SOURCE MONITORING SOFTWARE: WHAT WE DID NOT COVER
§ No commercial / closed source solutions
§ Architectural software flaws
§ Critical "features" which should be disabled anyway, e.g. dont_blame_nrpe in nrpe.cfg
§ No additional plugins, features, add-ons
§ Not the (home-brewed) agents themselves
OPEN SOURCE MONITORING SOFTWARE: TOOLS WE COVERED
CACTI
§ "… network graphing solution …"; "… frontend is completely PHP driven …" (src: http://www.cacti.net)
NAGIOS
§ "Nagios Is The Industry Standard In IT Infrastructure Monitoring" (src: http://www.nagios.org/)
CHECK_MK (NAGIOS ADD-ON)
§ "Check_MK is a comprehensive add-on for the famous Open Source monitoring software Nagios …" (src: https://mathias-kettner.com/check_mk_introduction.html)
ICINGA
§ "Icinga is an enterprise grade open source monitoring system …" (src: https://www.icinga.org/)
OPEN SOURCE MONITORING SOFTWARE: PUBLICLY KNOWN INCIDENTS
§ CVE2012-096 – Remote buffer overflow in Nagios
§ Hetzner (06/2013)
OPEN SOURCE MONITORING SOFTWARE: OTHER INTERESTING INFORMATION
§ Public buffer overflow in Cacti (since 10/2013)
§ NRPE – remote command exec (04/2014)
RESULTS: OVERALL
§ Critical issues were found in ALL audited solutions …
§ Memory corruption – buffer/heap overflows
§ Off-by-ones
§ CSRF
§ XSS
§ eval-processing of untrusted input
§ Remote code execution
§ Arbitrary file access
§ Many web based bugs, as all the solutions use web GUIs
RESULTS: DETAILED VIEW (Cacti)
(Tool names in the header are assigned from the version strings; the original column headers were not extracted.)

| | Nagios | Icinga | Check_MK | Cacti |
|---|---|---|---|---|
| Version | 3.5.0b | 1.9.1b | 1.2.2p2 | 0.8.8a |
| Number of findings | 1 | 2 | 7 | 3 |
| CVSS 2 score (highest finding) | 4.9 | 8.5 | 8.5 | 8.5 |
| CVSS 2 vector (highest finding) | AV:N/AC:M/Au:S/C:P/I:N/A:P | AV:N/AC:M/Au:S/C:C/I:C/A:C | AV:N/AC:M/Au:S/C:C/I:C/A:C | AV:N/AC:M/Au:S/C:C/I:C/A:C |
| Criticality | medium | high | high | high |
| Number of open findings | 1* | 0 | 1** | 3 |
| Announcement to vendor / developer | 5th Dec. 2013 | 2nd Dec. 2013 | 8th Oct. 2013 | 15th Oct. 2013 |
| Bug fix release | 3.5.x*, 4.0.3 | 1.10.2, 1.9.4, 1.8.5 or latest release | 1.2.4p1, 1.2.5i2 or latest release | n/a |
| Public DTAG CERT advisory | DTC-A-20140324-004 | DTC-A-20140324-003 | DTC-A-20140324-002 | DTC-A-20140324-001 |

Remarks:
* Bug fixes are only available in the source code; no update release is available.
** exec of Python code within WATO
– Confidential – Christian Sielaff / OSMOSIS 03.04.2014
DEMONSTRATION: CAN WE GET A SHELL?
DEMONSTRATION: NETWORK OVERVIEW
[Diagram: Hacker – Terminal Server – Cacti / Check_MK – Administrator]
DEMONSTRATION: CACTI
Bugs:
§ cross site request forgery
§ command like exec
Gets executed on the Cacti server if:
§ the administrator clicks on a link, or
§ visits a malicious web site
Pro:
§ Get a shell
Con:
§ Need to know the Cacti URL
§ Admin needs to access the link, or a site containing the link, to trigger the exploit
§ Outgoing connections may be restricted
§ Admin needs to be logged in … not really: let's brute force the admin account :)
[Diagram: Hacker – Cacti – Administrator]
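The two "Con" points that the slide waves away (the admin has to be logged in and has to be tricked into a link, and the login can simply be brute-forced) are exactly the places a web GUI can defend itself. The following is an added example written for this page, not code from Cacti, Check_MK or the talk: a framework-neutral synchronizer-token plus Origin check for state-changing requests, and a failed-login throttle for the admin account. The names `Request`, `issue_csrf_token`, `csrf_ok`, `LoginThrottle` and the site origin are assumptions made for illustration; the same checks apply to the CSRF finding in the Check_MK demonstration that follows.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed value: the monitoring GUI's own origin (scheme + host + port).
SITE_ORIGIN = "https://cacti.example.internal"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the web GUI sees it (assumed shape)."""
    method: str
    headers: dict
    form: dict
    session: dict


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the logged-in session. The server renders it
    into every state-changing form as a hidden field; a page on another site
    cannot read it, so it cannot forge a valid submission."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_ok(req: Request) -> bool:
    """Accept a state-changing request only if both independent checks pass:
    1. the Origin (or, failing that, Referer) header names our own site, so a
       link or a malicious page cannot drive the action from a logged-in browser;
    2. the submitted token equals the one bound to the session (constant-time)."""
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods must never change state in the first place
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if not origin:
        return False  # no provenance at all: refuse rather than guess
    o, s = urlsplit(origin), urlsplit(SITE_ORIGIN)
    if (o.scheme, o.hostname, o.port) != (s.scheme, s.hostname, s.port):
        return False
    expected = req.session.get("csrf_token")
    supplied = req.form.get("csrf_token", "")
    if not expected:
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


@dataclass
class LoginThrottle:
    """Lock an account after too many failed logins inside a sliding window,
    which removes the 'just brute force the admin account' shortcut."""
    max_failures: int = 5
    window_seconds: int = 900
    failures: dict = field(default_factory=dict)  # user -> [failure timestamps]

    def record_failure(self, user: str, now: float) -> None:
        self.failures.setdefault(user, []).append(now)

    def is_locked(self, user: str, now: float) -> bool:
        recent = [t for t in self.failures.get(user, []) if now - t < self.window_seconds]
        self.failures[user] = recent  # forget failures that fell out of the window
        return len(recent) >= self.max_failures

    def reset(self, user: str) -> None:
        """Call after a successful login so stale failures do not lock a real admin out."""
        self.failures.pop(user, None)


if __name__ == "__main__":
    session: dict = {}
    token = issue_csrf_token(session)
    legit = Request("POST", {"Origin": SITE_ORIGIN}, {"csrf_token": token}, session)
    forged = Request("POST", {"Referer": "https://attacker.example/page"}, {}, session)
    print("legitimate form submit accepted:", csrf_ok(legit))
    print("cross-site submit rejected:", not csrf_ok(forged))
```

The Origin check alone would be defeated by a browser that strips the header, and the token alone by an XSS bug in the same GUI (which the talk also found), so a GUI should keep both; the throttle should additionally be logged, because a locked admin account is itself a detection signal for the brute-force attempt the slide describes.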
DEMONSTRATION: CHECK_MK
[Diagram: Hacker – Terminal Server – Check_MK – Administrator]
Bugs:
§ cross site request forgery
§ command like exec
§ cross site scripting
What is the problem:
§ Exploits a feature in WATO
§ Uploads and executes a snapshot
§ The snapshot contains plain Python code
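The root cause on this slide, and the "eval-processing untrusted input" item in the overall results, is a configuration file that is executed rather than parsed. The fix is to treat an upload as data only: parse it with a literal-only parser and validate its shape before anything acts on it. The following is an added example written for this page, not Check_MK's own code; the snapshot layout (a mapping of host names to tag lists) and the names `load_snapshot_unsafe`, `load_snapshot_safe`, `ALLOWED_KEYS` and `HOSTNAME_RE` are assumptions made for illustration.

```python
import ast
import re

# Assumed snapshot schema: {"hosts": {hostname: [tag, ...]}, "tags": [...]}.
ALLOWED_KEYS = {"hosts", "tags"}
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

# Constructed sample uploads.
GOOD_SNAPSHOT = "{'hosts': {'web01.example': ['linux', 'prod']}}"
CODE_SNAPSHOT = "{'hosts': list()}"   # a call expression: code, not data


def load_snapshot_unsafe(text: str) -> dict:
    """The pattern the talk criticises: the upload is executed as Python, so any
    code it carries runs with the monitoring server's privileges. Shown for
    contrast only; never call it on untrusted input."""
    namespace: dict = {}
    exec(text, {}, namespace)
    return namespace


def load_snapshot_safe(text: str) -> dict:
    """Parse the upload as a Python *literal* only (numbers, strings, lists,
    dicts, ...). ast.literal_eval refuses names, calls, attribute access and
    statements, so a snapshot can no longer carry code. The shape is then
    validated, so a syntactically harmless but malformed file is also rejected."""
    try:
        data = ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, RecursionError, MemoryError) as exc:
        raise ValueError(f"snapshot is not plain data: {exc}") from exc
    if not isinstance(data, dict) or not set(data) <= ALLOWED_KEYS:
        raise ValueError("unexpected top-level structure or keys")
    hosts = data.get("hosts", {})
    if not isinstance(hosts, dict):
        raise ValueError("hosts must be a mapping")
    for name, tags in hosts.items():
        if not isinstance(name, str) or not HOSTNAME_RE.match(name):
            raise ValueError(f"bad host name {name!r}")
        if not isinstance(tags, list) or not all(isinstance(t, str) for t in tags):
            raise ValueError(f"tags for {name!r} must be a list of strings")
    tags = data.get("tags", [])
    if not isinstance(tags, list) or not all(isinstance(t, str) for t in tags):
        raise ValueError("tags must be a list of strings")
    return data


def is_rejected(text: str) -> bool:
    """True if the safe loader refuses the upload."""
    try:
        load_snapshot_safe(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("data-only snapshot loaded:", load_snapshot_safe(GOOD_SNAPSHOT))
    print("snapshot carrying a call rejected:", is_rejected(CODE_SNAPSHOT))
    print("snapshot carrying a statement rejected:", is_rejected("def f(): pass"))
```

If the file format has to stay Python-flavoured for compatibility, `ast.literal_eval` is the narrowest drop-in; where the format can change, JSON with the same schema validation is the cleaner choice. Either way the upload should additionally require the CSRF protection and an explicit admin permission, since on this slide the execution is reached through a forged request.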
Recommend
More recommend