Palo Alto, Forgery, Jen Miller Osborne discussed on The CyberWire
This type of vulnerability. Short circuit's log into centrally. Let's the attacker abuse trusted relationships between applications and the servers that are hosting. That's Jen Miller. Osborne she's deputy the director of threat. Intelligence for Unit Forty two at Palo Alto networks. The research were discussing today is titled Server Side Request. Forgery exposes data of Technology Technology Industrial and media organizations so an attacker king craft the the url at the server sending a request to the application in Bacon. Force it to look wherever they want within an environment basically so they're able to almost have basically have full access to internal environment especially cloud investments are especially dangerous for this because of the way they are structured with the Meta data. Api and essentially what this ends up allowing an attacker to do is ease internal resources sources which typically don't take requests from outside. The internal environment are now accessible because attackers able to already be in that internal environment mm-hmm and they can query those The internal things directly. It's almost like the the internal. API now becomes accessible from directly from the Internet. which is exactly what you don't want to have with any sort of? API at all. But that's what this is. Boehner ability allows to happen. Is that kind of connection between the attacker. The internal resources and the vulnerability is is because of A bug somewhere along the lines. Yup It's just a web application vulnerability and it's relatively common an in a number of API's because it's it's just taking advantage of trusted relationships which are common especially inside an environment where the architecture architecture wordy assuming that those internal devices were protected essentially and they were not things could not come at them from the Internet. So there's vulnerability allows that to be that seat that's protection to be removed. Basically now all of a sudden these internal devices someone can actually querying data from even though they're exploiting what is usually an advantage pige to speed things up within a network And they're abusing those trusted relationships for malicious purposes. So something those architect intending to be good for the system MM performance in the application performance but unfortunately it is also something that can be exploited by attackers which you see a lot of types of attacks rights. It's not supply chain attack but it's exploiting the same kind of thing. There are suing trust relationships where they can use them to get access to data they would normally get access to and and so this sort of thing is used for getting data out of a system as opposed to for example running code. Yes this is more more for taking data out whether able to query they can get code depending on how it is stored so they're accessing whatever is with the particular Taylor Meta data. API At that time which can be anything from network configurations credentials and even Source Code so it is possible depending on the Meta data that within a particular API that the attackers could get accompanies or some sort of application source code. They can get all the internal network configurations nations can get all sorts of credentials which basically gives them access to do whatever they want they know the network looks like and they know how legitimate credentials. So it's a nightmare nightmare scenario for any any defender. Now one of the things you outlined in the research here is that there's an issue with URL's not being properly sanitized. Can you walk us through. What's going on there again? It's a bit of abusing the The trust relationships so the the systems are assuming that the that the requests that's going to be coming from this trusted 'em point is going to be valid valid basically. It's not going to be malicious. But the problem is when an attacker gets in they are then able to abuse at trust relationship and redirect direct the response so clearing for state are looking for some sort of internal data like never configuration Credentials instead of that that reply being set back to the actual server that made it internally which is what the system thinks this happening the attackers actually able to redirect it to go to wherever they want basically they can redirect that data from its intended internal where should have gone the redirected to something they're controlling instead and that's how they'll get access access to the data you can see there's it's actually easier to see visually we haven't example in the blog. We can see where they add the reader to it. So how prevalent is this in the scanning that you did helbig assure we're talking about here. So we found seven thousand instances that seemed to be exposed and vulnerable to this we did not go any further than scanning them to double check. That was unfortunate. I mean seven thousand is a lot and they were spread across a number number of different public clouds and there are patches available. Yes this is something that could be taken care of it actually. It's not even so much of a patch. It's it's the shifting by the cloud providers themselves to not allow the sort of http. You are L.. Redirect in that particular instance. But there's also a separate Apache itself but I guess the one of the lessons here's that There's a lot of systems systems go unpunished. For a variety of reasons and their systems that sometimes get set off a better than forgotten about or not properly maintained and they just kind of sit it on the Internet for a long period of time and in some cases the organizations don't even have them listed as assets anymore. which is one of the reasons we try to do? This vis sorts of research and then went if we can actually identify people we let them know so they can remediate it if nothing else we try to make sure we can get the data out there just so hopefully this People that may not have patched it instance in a while to kind of go take a look and see what's going on and see if they need to upgrade one of the things for this we noted as you're actually isn't vulnerable to this because it blocks S S R F requests and. We're seeing more of the cloud providers also moving to that same protection. They're not allowing that to happen environment at all. So let me just get really basic with you here in in walk through it together. I mean if I was was a bad guy out there trying to take advantage of this and I'm doing my own scans and I'm finding systems that are potentially vulnerable. You know assistant pops up. That is vulnerable. I think it's interesting. I'd like to get inside What do I do next to Holloway? Execute my my evil plans. You need to start trying to send crafted did you are too vulnerable devices to see if they work. It's relatives it's one of those things where it's relatively automated in a sense. Where word has a specific pattern? So if identified that it's vulnerable than they can actually start trying to exploit that vulnerability which is not particularly difficult to exploit unfortunately so in terms of protecting yourself against this. What are your recommendations upgrade? If you're on one of the cloud providers in that shifted this and apply a patch this is really one where S R F just needs to not be allowed in those environments events. And if you are going to allow this sort of vulnerability you really need you. Make sure you have other protections in place to keep this from being exploited as we noted before once the attackers have this sort of access. They basically premature on your network and and they would be presumably running under the radar here. It wouldn't it. Wouldn't I guess they wouldn't be calling a lot of attention to themselves honestly depend on the attacker. Some of them can be surprisingly noisy once they get inside it systems because they're assuming there's not going to be a lot of logging or things on an endpoint for detection. I see. Yeah one of the interesting things. He's not I noted in your research here in terms of your list of remediation and best practices. Was this idea of having a zero trust network which you kind of touched on earlier. That one of the reasons that this works is that there's this sense that once something's going on within you know within the castle walls inside the moat that it's it's it's generally early trusted but if you have zero trust network that might be a way to help prevent this. Yes and that's something we as a company have been pushing for a number of years. Is that drew. Trust where realistically in This Day and age you can't assume any of the devices on your network are not compromised is so you need to kind of operate in the sort of mindset where you assume at any point in time that something can be compromised so you have the extra protections in place where you don't we're gonNA millions like this can't work because none of the systems are trusted. You can't exploit any sort of trust relationship now one of the things that you point out in your research here in fact in in the title You suggest that they're going after some specific industries technology industrial media organizations What in particular makes them vulnerable to? This is just how they were set up in this particular case. I don't know if it's whether the attackers were targetting that or that's just who happened to the vulnerable to this particular vulnerability if that makes us. Yeah so if you're you're in a particular type of business there's a particular way that you're likely to set up things things and that aligns with this vulnerability I suppose. Yeah this was more just it just kind of happenstance more so than than any targeting. So what are the take homes here. What do you want people to To take away from this research that you're sharing. They need to go check their cloud. Instances soon see if they are vulnerable to this And even keep in mind. Just's the problems that trusted relationships within a network can bring and uh-huh maybe reconsidered their protection strategy or at least maybe they'll have more informed position on how they should make that decision if they need to do any architect eating hopefully people that have these instances where they haven't patched in a while we'll go and check their own and then they'll go co-patron upgraded found to be vulnerable to it. Yeah we're really just hoping by getting this out there that we can help with protections because it is essentially Ashley that's Jen Miller Osborne from Palo Alto networks unit forty to the research we were discussing today is titled Server Side Died Request. Forgery exposes data of Technology Industrial and media organizations. We'll have a link in the show notes thanks to juniper networks for sponsoring our show you can learn more at juniper dot net slash security or connect with them on twitter or facebook and thanks to unveil for their sponsorship. You can find out how they're closing the last gap and data security at N Vail Dot Com the cyber rewire research Saturday as proudly produced in Maryland out of the startup studios of data tribe. Where they're co- building the next generation of cybersecurity teams and technology are amazing? Cyber wire team is Elliott Peltzman Karoo precaut- Stefan Missouri. Kelsey bond. Tim No Dr Joe. Kerrigan Herald -Tario Ben Yellen win. Nick Valenki Bennett. Mo- Chris Russell John Patrick Jennifer Ivan Heater. Kilby and I'm Dave Bittner. Thanks for listening.