Installation of vendor’s patch does not always guarantee security
Experts from ERPScan Company, specialized in business applications security and SAP security, found out that even well-timed installation of vendor’s patch does not always guarantee security because the fixes are not always correct.
In 2011, three critical patches from the key software vendors like SAP, IBM and VMware actually did not fix or not completely fixed vulnerabilities that ERPScan or other researchers had found in their products. This allows potential attackers to continue exploiting the vulnerabilities, whereas all most scanners and auditors would say that the problem is no more because patch is installed.
On the BlackHat Europe conference held from March 14 to March 16, Alexey Sintsov, head of information security audit department in ERPScan Company, shared his experience in penetration testing and presented the results of a recently conducted research of Lotus Domino security.
His presentation told about lack of time and frequently desire for companies to dig into the details of existing vulnerabilities to exploit them, and how it often impairs the quality of their work.
In the demonstration, a private vulnerability in Lotus Domino was quite quickly disassembled, the resulting exploit used, the existing patch bypassed and a critical 0-day vulnerability found. The result was an attack on the Domino Controller service (the Lotus Domino administration service) which allows full server compromise.
Vulnerable services were also exposed which, one would suppose, should not be accessible from the Internet. Moreover, in the course of the research, services with the 0-day vulnerability and ever older vulnerabilities were found on the USA government servers (the .gov domain), on the servers of Russian universities and, curiously enough, even in the corporate network of IBM itself.
Thus, it can be concluded that penetration threats are quite easily actualized for pretty much any network; even governments and corporate giants are vulnerable to attacks from the Internet, such as those made by LulzSec and Anonymous.
Links to vulnerabilities:
- Vulnerability in IBM Lotus (ZDI)
- Vulnerability in VMware (Advisory,Vendor’s patch)
- Vulnerabilities in SAP (Advisory,
- New patch,
- Old patch); another one is still being patched again.
Alexey’s presentation can be found here.