SSRF attacks in the limelight at ERPScan’s press conference in China
Palo Alto, CA – September 17, 2012. The participation of Alexander Polyakov, ERPScan CTO, in RSA China 2012 was met with eager interest from the audience and a blaze of publicity in the Chinese press.
After his speech, Alexander answered the questions of reporters from Chinabyte, Computer Security Magazine, ZOL and other Internet media about his presentation called “SSRF: The New Threat for Business Critical Applications” in Century City International Convention Center in Chengdu. The original Chinese version of the interview can be found, for example, here.
Reporter: Could you briefly introduce the attack characteristics and hazards of SSRF (Server Side Request Forgery, not to be confused with CSRF), a newly discovered high-risk vulnerability? How can such vulnerabilities be prevented in reality?
A.P.: Imagine that you have 2 systems (system A and system B) that trust each other (that is, the connection is not blocked by a firewall) because some kind of data must be transferred from one system to another. System A is, for instance, the corporate portal, which can usually be accessed from an insecure network like the Internet. The other system can be an ERP which can’t be accessed directly from the Internet but trusts the corporate portal. This is the typical scheme of a company. The idea of an SSRF attack is to find some kind of vulnerable service in system A which can resend malicious requests into the internal network and thus target system B. That’s how a cybercriminal can bypass firewalls and IDS systems and exploit secured systems.
Reporter: What is the biggest difference between SSRF and XXE tunneling and the traditional attacks?
A.P.: Traditional attacks target the victim system directly and can be easily found by IDS systems or prevented by firewalls. SSRF is an example of more complex attacks which are harder to detect because the attack is executed through an intermediary rather than directly, and the exploit is transformed.
Reporter: What is the entry point for enterprises to respond to the SSRF and XXE tunneling threats?
A.P.: The area of this attack is much bigger than I have covered in my presentation because I just found a few examples of such attacks, and they are specific to SAP. However, I continue researching the matter, and I will show some results at the POC technical conference in Seoul. Other examples can appear later. There is already some research aimed at other systems, conducted by our colleagues from other companies.
Speaking about SSRF in general, this kind of attack can be prevented, like other threats, by regular patching and penetration testing of services by highly skilled professionals in application security. As for the example of an SSRF attack called XXE tunneling, all XML interfaces must be secured from unauthorized access and the XML External Entity option must be disabled.
Reporter: How can the existing security devices or measures be used to defend a system from the SSRF and XXE tunneling attacks?
A.P.: The main problem is that, unfortunately, most typical devices can’t prevent this type of attack. The best way is to implement software patches in time and not to think that if the system is secured by a firewall it is enough. Speaking about business-critical applications like SAP, we have collaborated closely with the vendor and closed some architecture vulnerabilities which allowed conducting such attacks, but it does not mean that new ones will not appear. Companies need to use continuous monitoring systems and vulnerability assessment systems which will identify vulnerabilities and give recommendations. The systems that can expose 0-day vulnerabilities should be preferred.
Reporter: What are the vector incentives for SSRF and XXE tunneling attacks?
A.P.: Business-critical systems are affected by espionage, sabotage, and fraud actions. Using SSRF, it is possible to inflict any of the listed threats depending on the type of vulnerability. For XXE tunneling, the simplest attack, which can be executed even if the system is patched, is to sabotage the system by a Denial of Service attack. The vulnerable service will multiply your requests so that one special packet will make the external portal resend 1000 or more requests to the business application so it will crash.
Reporter: How does ERPScan Security Scanner respond to the SSRF and XXE tunneling threats?
A.P.: Our Scanner is a continuous monitoring solution which can identify vulnerabilities, misconfigurations, and a lot of other issues including SoD. We also have a research lab which exposes 0-day issues like SSRF and we implement checks for those issues even before official patches appear (SAP usually patches their vulnerabilities within 6 to 18 months) and give recommendations on how to prevent them. So our clients can defend themselves from such threats in advance.
Reporter: It’s disclosed in the security risk report that the attacks against the customized application vulnerability increased a lot. What do you think about it?
A.P.: This is exactly what we have been talking about for several years. Attacks against custom applications and especially against business-critical applications like ERP systems, banking and processing systems, CRMs, corporate portals and other systems will increase. The main reason is that it is harder and harder to attack operating systems like Windows with their latest defense mechanisms, and even if you have an exploit for Windows, the server which you attack may not store any valuable data. So why waste time on this instead of finding vulnerabilities in custom applications, which have a lot of vulnerabilities because nobody looks at them with respect to security? Moreover, an attack on these applications will give cybercriminals real profit because these systems store valuable data.
Reporter: Currently there is a trend that the vulnerabilities against the commercial software have been reduced. But actually there are new attacks against the existing vulnerabilities. What should enterprises pay attention to in responding to such attacks?
A.P.: I am not sure that this is correct. The number of vulnerabilities in popular software is reduced, but the number of vulnerabilities in business software, which has not been available for the mass market, is growing exponentially. For example, in 2001–2006 SAP closed about 100 vulnerabilities in their products but from 2007 to 2012, about 2000 vulnerabilities were closed. Currently, the best path for enterprises is to pay attention to business critical systems right now, before they become targets for cybercrime. Business critical systems must at least be assessed by application security experts and ideally monitored by automated solutions. Corporate espionage and sabotage are not less likely than cyberconflicts and attacks on industrial systems like SCADA.
Reporter: You pointed out the serious vulnerability of NetWeaver in the Black Hat Conference last year. What about its severity? And about its consequences?
A.P.: Ohh, it is an old story, but we still find vulnerable systems of our clients during security assessments. The vulnerability was found in the J2EE engine of SAP NetWeaver and it allows anybody from the Internet to create a user in SAP Portal system and assign the Administrator rights to that user.
The most interesting thing in this story is that SAP Portal systems can be easily found on the Internet by Google search. We have also conducted research where we scanned all SAP servers on the Internet to see if they had this vulnerability and there are still a lot of them. The consequences, thank God, are not so bad granted that there were no actual attacks and SAP closed the vulnerability in time.
Reporter: Is SSRF a new threat against the business-critical applications? If so, is this new threat occasional or prevailing? What are the reasons?
A.P.: Sure it is a new threat because people used not to patch critical systems and just put them under a firewall before. Now, this kind of defense can be bypassed by SSRF. But you are right: SSRF attacks currently need special circumstances, but it is just a matter of time for hackers to go from disclosing the PoC to building an easy-to-use exploit, as it is with any new type of attack. I saw a lot of feedback after my BlackHat presentation including special tools to execute SSRF attacks, like a proxy to direct any request through the vulnerable service.
Reporter: Do you have any suggestions for enterprises to cope with advanced network security threats?
A.P.: Just be proactive. Security is a process and the earlier you know about new issues and threats the more likely it is that you will be secure.
More details about SSRF attacks can be found in the “SSRF vs. Business-critical applications” whitepaper by Alexander Polyakov and ERPScan research group.