
Stop 3rd Party Security Vendor Backdoor Leaks Before They Bite

Written by Reflare Research Team | Sep 13, 2022 5:18:00 PM

Several major networking equipment providers were found to have backdoors in their firmware that exposed private keys and even allowed remote code execution. If you’re not yet worried, then you’re not paying attention.

First Published 20th January 2016  |  Latest Refresh 13th September 2022

If there's a backdoor, Tommy will find it. 


Who Are You Trusting?

Most companies rely on their security vendors implicitly. However, we continue to see more unreliable security defences in vendors we are supposed to trust to protect our data. Here we look at two systems' vulnerabilities that many relied on to keep data secure.

Context

In early 2016, Juniper Networks (NYSE: JNPR) announced that it had discovered critical vulnerabilities in its implementation of the widely trusted OpenSSH.

OpenSSH is an implementation of the SSH protocol, which most administrators use to connect securely to their servers, and it is widely trusted as the preferred way to manage servers remotely. OpenSSH was found to have a critical bug that allowed a server administrator to take a copy of a connecting user's private key and keep it for future use.

The Problem

To illustrate what makes this exploit dangerous, consider a house with a locked door. The house represents the server, and the lock represents OpenSSH. Your private key unlocks every house that you own, so you use the same key to open several doors. When you authenticate to a server, the server should only verify that you hold the key. It should never take a copy of it, because a copy gives anyone who controls that server access to every other server the key unlocks. In the house and lock metaphor, opening the door to one house would let an attacker copy your key and open the doors to the other houses you own.

Unfortunately, a patch does not help if your private key is already exposed. You should patch your systems and also generate new private keys, so that whoever holds the old ones can no longer use them.

Should multiple layers of protection become the norm?

The Repeating Trend Repeats

Only days after Juniper’s backdoor revelation, security vendor Fortinet (Nasdaq: FTNT) found its own issues. Fortinet’s FortiOS firewall system was also shown to have a backdoor that allowed remote authentication into devices using a hard-coded password. It is unknown whether this backdoor was maliciously added to the firewall’s code or was a critical error by the software’s engineers. Whatever the reason, it remains imperative that you patch your systems immediately if you are still running FortiOS versions 4.3 through at least 5.0.7, or newer.

Too many organisations place excessive faith in third-party providers to take care of critical security matters while operators focus on running the business. Juniper and Fortinet’s shortfalls illustrate how crucial it is for organisations to create several layers of protection. Third-party security tools, even from the more prominent vendors, continue to periodically suffer from major flaws, which continue to affect everyone.

Should your system have just a single line of defence, and that defence is provided by a third party, call for added layers of protection to ensure reliability and resilience against current threats. Possible vulnerabilities in security vendors may be leaving you unknowingly exposed. Mindfully think through how much of your business-critical security you outsource and how you choose to mitigate the risk of a third-party vendor letting you down. Doing so will help you make better security decisions today and support the creation of a more resilient organisation tomorrow.

However, third-party vendor vulnerabilities are not the only risks you need to stay on top of. The challenge now is to proactively identify the other vulnerabilities that expose your systems and networks, and to take preventative action before they become problematic.

An Update

Looking back at our prognosis from 2016, the dire warning we gave almost sounds too weak. In the years since, we have seen countless more breaches of third-party tools and appliances.

The most glaring example is the solarwinds123 fiasco. To recapitulate, IT management software vendor SolarWinds shipped many of its tools with the default password "solarwinds123" set. When this became common knowledge, large numbers of SolarWinds installations were attacked in short order. The unfortunate fact that customers do not change default passwords has long been known in the industry. That is why most modern authentication mechanisms force a password change rather than merely requesting one.

To be clear, the problem with "solarwinds123" is that such a laughably weak password existed in the first place. The problem is not that it was leaked, as the former CEO of SolarWinds seemed to believe when he blamed the entire incident on an intern.
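As an added illustration of that last point (example code written for this page, not SolarWinds' or anyone else's implementation), the following Python login flow treats a vendor default such as "solarwinds123" as a bootstrap credential only: the account is flagged at provisioning time, and no session is granted until a new, non-default password is set in the same step. The other entries in KNOWN_DEFAULTS and the account names are constructed placeholders.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Vendor defaults that must never remain in service. "solarwinds123" is the one
# discussed above; the rest are constructed placeholders for this example.
KNOWN_DEFAULTS = {"solarwinds123", "admin", "password", "changeme"}
PBKDF2_ROUNDS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so the stored digest is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    must_change: bool = False  # set when the stored password is a known default


def create_account(username: str, password: str) -> Account:
    """Provisioning: a default password is tolerated only as a bootstrap
    credential, and the account is flagged so the first login cannot skip rotation."""
    salt = os.urandom(16)
    return Account(username, salt, _hash(password, salt),
                   must_change=password in KNOWN_DEFAULTS)


def verify(acct: Account, password: str) -> bool:
    # Constant-time comparison of digests.
    return hmac.compare_digest(acct.digest, _hash(password, acct.salt))


def login(acct: Account, password: str, new_password: Optional[str] = None) -> str:
    """Return "ok", "denied" or "change_required".

    Forcing rather than requesting: while must_change is set, a correct
    password alone is not enough; a new password that is neither a known
    default nor the current one must be supplied before a session is granted."""
    if not verify(acct, password):
        return "denied"
    if not acct.must_change:
        return "ok"
    if (new_password is None or new_password in KNOWN_DEFAULTS
            or verify(acct, new_password)):
        return "change_required"
    acct.salt = os.urandom(16)          # re-salt so the old digest is useless
    acct.digest = _hash(new_password, acct.salt)
    acct.must_change = False
    return "ok"
```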

These kinds of issues keep piling up, and we expect them to get worse over the coming years as tons and tons of infrastructure that was hastily thrown together to enable remote work during the pandemic is exposed to real-world threats. Every piece of third-party software used in your organisation is a potential threat, and should be treated as such.

To stay updated with the latest information on similar events, and learn how to mitigate specific IT security risks before they land in your lap, read our research briefs on the related topics below.