Share this
Stop 3rd Party Security Vendor Backdoor Leaks Before They Bite
by Reflare Research Team on Sep 13, 2022 6:18:00 PM
Several major networking equipment providers were found to have backdoors in their firmware that exposed private keys and even allowed remote code execution. If you’re not yet worried, then you’re not paying attention.
First Published 20th January 2016 | Latest Refresh 13th September 2022
If there's a backdoor, Tommy will find it.
3 min read | Reflare Research Team
Who Are You Trusting?
Most companies rely on their security vendors implicitly. However, we continue to see more unreliable security defences in vendors we are supposed to trust to protect our data. Here we look at two systems' vulnerabilities that many relied on to keep data secure.
Context
In early 2016, Juniper Networks (NYSE: JNPR) announced that it had discovered critical vulnerabilities in its implementation of the widely trusted OpenSSH.
OpenSSH is an implementation of the secured SSH connection protocol used by most administrators to connect to their servers securely. It is widely trusted as the preferred way to manage servers remotely. OpenSSH was found to have a critical bug that allowed a server administrator to take a copy of a user’s private key and expose it for future use.
The Problem
To illustrate what makes this exploit dangerous, consider a house with a locked door. The house represents the server, and the lock represents OpenSSH. Your private key unlocks each house that you own, so you would use this key to open several doors. When you authenticate to a server, it should only verify that you are authenticated. It should never take a copy of your key, because this now gives anyone who controls that server access to other servers you own. Using the house and lock metaphor, opening the door to one house would allow an attacker to take a copy of your key and open the doors to other houses you own.
Unfortunately, there is no patch if your private key is already exposed. You should patch your system and recreate private keys to ensure that hackers can no longer use the ones they hold.
Should multiple layers of protection become the norm?
The Repeating Trend Repeats
Only days after Juniper’s backdoor revelation, security vendor Fortinet (Nasdaq: FTNT) found its own issues. Fortinet’s FortiOS firewall system was also shown to have a backdoor that allowed remote authentication into servers using a hard-coded password. It is unknown if this backdoor was maliciously added to the firewall’s code, or if it was a critical error made by the software’s engineers. Whatever the reason, it remains imperative that you patch your systems immediately should you still be running FortiOS versions 4.3 to at least 5.0.7 or newer.
Too many organisations place excessive faith in third-party providers to take care of critical security matters while operators focus on running the business. Juniper and Fortinet’s shortfalls illustrate how crucial it is for organisations to create several layers of protection. Third-party security tools, even from the more prominent vendors, continue to periodically suffer from major flaws, which continue to affect everyone.
Should your system have just a single line of defence, and that defence is provided by a third party, call for added layers of protection to ensure reliability and resilience against current threats. Possible vulnerabilities in security vendors may be leaving you unknowingly exposed. Mindfully think through how much of your business-critical security you outsource and how you choose to mitigate the risk of a third-party vendor letting you down. Doing so will help you make better security decisions today and support the creation of a more resilient organisation tomorrow.
However, third-party vendor vulnerabilities are not the only exploits you need to stay on top of. The challenge now is to proactively identify other vulnerabilities that expose your systems and networks, and take preventative action before they become problematic.
An Update
Looking back at our prognosis from 2016, the dire warning we gave almost sounds too weak. Over the years since, we have seen countless more breaches of third-party tools and appliances.
The most glaring example is the solarwinds123 fiasco. To recapitulate, IT management software vendor SolarWinds shipped many of their tools with the default password "solarwinds123" set. When this became common knowledge, large numbers of SolarWinds software installations were attacked in short order. The unfortunate fact that customers do not change passwords has been long known in the industry. That is why most modern authentication mechanisms force the change of passwords rather than requesting it.
To be clear, the problem with "solarwinds123" is that such a laughably weak password existed in the first place. The problem is not that it was leaked, as the former CEO of SolarWinds seemed to believe when he blamed the entire incident on an intern.
These kinds of issues keep piling up, and we expect them to get worse over the coming years as tons and tons of infrastructure that was hastily thrown together to enable remote work during the pandemic is exposed to real-world threats. Every piece of third-party software used in your organisation is a potential threat, and should be treated as such.
To stay updated with the latest information on similar events, and learn how to mitigate specific IT security risks before they land in your lap, read our research briefs on the related topics below.
Share this
- December 2024 (1)
- November 2024 (1)
- October 2024 (1)
- September 2024 (1)
- August 2024 (1)
- July 2024 (1)
- June 2024 (1)
- April 2024 (2)
- February 2024 (1)
- January 2024 (1)
- December 2023 (1)
- November 2023 (1)
- October 2023 (1)
- September 2023 (1)
- August 2023 (1)
- July 2023 (1)
- June 2023 (2)
- May 2023 (2)
- April 2023 (3)
- March 2023 (4)
- February 2023 (3)
- January 2023 (5)
- December 2022 (1)
- November 2022 (2)
- October 2022 (1)
- September 2022 (11)
- August 2022 (5)
- July 2022 (1)
- May 2022 (3)
- April 2022 (1)
- February 2022 (4)
- January 2022 (3)
- December 2021 (2)
- November 2021 (3)
- October 2021 (2)
- September 2021 (1)
- August 2021 (1)
- June 2021 (1)
- May 2021 (14)
- February 2021 (1)
- October 2020 (1)
- September 2020 (1)
- July 2020 (1)
- June 2020 (1)
- May 2020 (1)
- April 2020 (2)
- March 2020 (1)
- February 2020 (1)
- January 2020 (3)
- December 2019 (1)
- November 2019 (2)
- October 2019 (3)
- September 2019 (5)
- August 2019 (2)
- July 2019 (3)
- June 2019 (3)
- May 2019 (2)
- April 2019 (3)
- March 2019 (2)
- February 2019 (3)
- January 2019 (1)
- December 2018 (3)
- November 2018 (5)
- October 2018 (4)
- September 2018 (3)
- August 2018 (3)
- July 2018 (4)
- June 2018 (4)
- May 2018 (2)
- April 2018 (4)
- March 2018 (5)
- February 2018 (3)
- January 2018 (3)
- December 2017 (2)
- November 2017 (4)
- October 2017 (3)
- September 2017 (5)
- August 2017 (3)
- July 2017 (3)
- June 2017 (4)
- May 2017 (4)
- April 2017 (2)
- March 2017 (4)
- February 2017 (2)
- January 2017 (1)
- December 2016 (1)
- November 2016 (4)
- October 2016 (2)
- September 2016 (4)
- August 2016 (5)
- July 2016 (3)
- June 2016 (5)
- May 2016 (3)
- April 2016 (4)
- March 2016 (5)
- February 2016 (4)