
Difference between revisions of "Top 10 2014-I9 Insecure Software/Firmware Updates"

From OWASP
(Created page with "<center>[https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=OWASP_Internet_of_Things_Top_10_for_2014 Back To The Internet of Things Top 10]</center> ...")
 
 
(17 intermediate revisions by the same user not shown)
Line 2: Line 2:
  
 
{{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2013|language=en}}
 
{{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2013|language=en}}
{{Top_10:SummaryTableTemplate|exploitability=1|prevalence=2|detectability=2|impact=1|year=2013|language=en}}
+
{{Top_10:SummaryTableTemplate|exploitability=3|prevalence=2|detectability=1|impact=1|year=2013|language=en}}
 
{{Top_10_2010:SummaryTableHeaderEndTemplate|year=2013}}
 
{{Top_10_2010:SummaryTableHeaderEndTemplate|year=2013}}
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Consider anyone who has access to the web interface including external users, internal users, and administrators.
+
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Consider anyone who has access to the device and/or the network the device resides on.
  
 
</td>
 
</td>
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Attacker uses weak default credentials, captures plain-text credentials or enumerates accounts to access the web interface. Depending on setup, attack could come from external or internal users.
+
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Attacker uses multiple vectors such as capturing update files via unencrypted connections, the update file itself is not encrypted or they are able to perform their own malicious update via DNS hijacking. Depending on method of update and device configuration, attack could come from the local network or the internet.
  
 
</td>
 
</td>
     <td colspan=2  {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>An insecure web interface is present when easy to guess or well known default credentials are used. Insecure web interfaces are prevalent as manufacturers strive to make interfaces easier for users to use and assume these interfaces will not be exposed to external users. They are often found in devices which have features that can only be accessed via the web interface. Issues with the web interface are easy to discover when examining the interface manually and frequently easy to discover via automated testing.
+
     <td colspan=2  {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Insecure software/firmware updates are present when the updated files themselves and the network connection they are delivered on are not protected. Software/Firmware updates can also be insecure if they contain hardcoded sensitive data such as credentials. Security issues with software/firmware updates are relatively easy to discover by simply inspecting the network traffic during the update to check for encryption or using a hex editor to inspect the update file itself for interesting information.
  
 
</td>
 
</td>
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Insecure web interfaces can result in data loss or corruption, lack of accountability, or denial of access and can lead to complete device takeover.
+
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Insecure software/firmware updates could lead to compromise of user data, control over the device and attacks against other devices.
  
 
</td>
 
</td>
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Consider the business impact of compromised devices and in turn compromised customers. All data could be stolen, modified, or deleted.  Could your users be harmed?
+
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2013}}>Consider the business impact if data can be stolen or modified and devices taken control of for the purpose of attacking other devices.  Could your customers be harmed? Could other users be harmed?
  
 
</td>
 
</td>
 
{{Top_10_2010:SummaryTableEndTemplate|year=2013}}
 
{{Top_10_2010:SummaryTableEndTemplate|year=2013}}
  
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=1|year=2013|language=en}}
+
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|title=Are My Software/Firmware Updates Secure?|position=firstLeft|year=2013|language=en}}
The simplest way to find out if you have an insecure web interface is to review the initial setup process and determine if the username, password or both can be changed and if the password is required to be long and complex.
+
The simplest way to check for insecure software/firmware updates is to review the update file itself and also the communication method used to transmit those updates. The update file should also be reviewed for exposure of any sensitive data in human readable format by someone using a hex edit tool.
  
Attempting to set usernames to simple passwords such as "1234" is a fast and easy way to determine the security of the web interface. Manual testing can help a security analyst find instances where weak passwords are allowed, default credentials are not required to be changed or account enumeration is possible. Penetration testers can validate these issues by running enumerating usernames and conducting brute-force attacks against those usernames.
+
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|title=How Do I Secure My Software/Firmware Updates?|position=right|year=2013|language=en}}
 
+
Securing software/firmware updates require:
Automated dynamic scanning which exercises the application will provide insight into whether these issues exist as well.
+
# Ensuring the update file is encrypted.
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=1|year=2013|language=en}}
+
# Ensuring the update file is transmitted via an encrypted connection.
Ensuring a secure web interface requires:
+
# Ensuring the update file does not contain sensitive data.
# Default passwords and possibly usernames to be changed during initial setup.
+
# Ensuring the update is signed and verified before allowing the update to be uploaded and applied.
# Ensuring complex password construction.
 
# Ensuring web interface is not susceptible to XSS, SQLi or CSRF.
 
# Ensuring credentials are not exposed in internal or external network traffic.
 
 
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=1|year=2013|language=en}}
 
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=1|year=2013|language=en}}
'''Scenario #1:''' The web interface uses easily guessable default usernames and passwords.
+
'''Scenario #1:''' Update file is transmitted via HTTP.
  
 
{{Top_10_2010:ExampleBeginTemplate|year=2013}}<span style="color:red;">
 
{{Top_10_2010:ExampleBeginTemplate|year=2013}}<span style="color:red;">
Username = Admin; Password = password
+
<nowiki>http://www.xyz.com/update.bin</nowiki>
  
 
</span>{{Top_10_2010:ExampleEndTemplate}}
 
</span>{{Top_10_2010:ExampleEndTemplate}}
'''Scenario #2:''' Username and password in the clear over the network.
+
'''Scenario #2:''' Update file is unencrypted and human readable data can be viewed.
 
{{Top_10_2010:ExampleBeginTemplate|year=2013}}<span style="color:red;">
 
{{Top_10_2010:ExampleBeginTemplate|year=2013}}<span style="color:red;">
POST /login.htm HTTP/1.1
+
�v�ñ]��Ü��Qw�û]��ˇ3DP�Ö�∂]��ˇ3DPadmin.htmadvanced.htmalarms.htm
...
 
userid=admin&pass=pass
 
  
 
</span>{{Top_10_2010:ExampleEndTemplate}}
 
</span>{{Top_10_2010:ExampleEndTemplate}}
In the cases above, the attacker is able to either easily guess the username and password or is able to capture the username and password as it crosses the network.
+
In the cases above, the attacker is able to either capture the update file or capture the file and view it's contents.
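Review bot: In the new prevention list (items 1 to 4), signature verification is listed last, yet it is the only item that addresses the DNS-hijacking vector named in the attack-vector cell; encrypting the file and the connection (items 1 and 2) protect confidentiality but do not stop a device from applying an attacker-supplied image. Suggest moving "Ensuring the update is signed and verified before allowing the update to be uploaded and applied" to the top of the list and stating that encryption alone is not sufficient. Minor: "Securing software/firmware updates require:" should read "requires:", and "view it's contents" should be "its contents".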
  
  

Latest revision as of 22:58, 29 June 2014

Threat Agents: Application Specific. Consider anyone who has access to the device and/or the network the device resides on.

Attack Vectors: Exploitability DIFFICULT. An attacker can use multiple vectors: capturing update files sent over unencrypted connections, reading an update file that is itself not encrypted, or delivering their own malicious update via DNS hijacking. Depending on the method of update and the device configuration, the attack could come from the local network or the internet.

Security Weakness: Prevalence COMMON, Detectability EASY. Insecure software/firmware updates are present when the update files themselves and the network connection they are delivered over are not protected. Software/firmware updates can also be insecure if they contain hardcoded sensitive data such as credentials. Security issues with software/firmware updates are relatively easy to discover by inspecting the network traffic during the update to check for encryption, or by using a hex editor to inspect the update file itself for interesting information.

Technical Impacts: Impact SEVERE. Insecure software/firmware updates could lead to compromise of user data, control over the device and attacks against other devices.

Business Impacts: Application / Business Specific. Consider the business impact if data can be stolen or modified and devices taken control of for the purpose of attacking other devices. Could your customers be harmed? Could other users be harmed?
Are My Software/Firmware Updates Secure?

The simplest way to check for insecure software/firmware updates is to review the update file itself and the communication method used to transmit those updates. The update file should also be reviewed with a hex editor for any sensitive data that is exposed in human-readable form.
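An added example of the hex-editor review described above, written for this page in Go (it is not code from the OWASP project): it pulls the printable strings out of a constructed sample update blob and computes the blob's byte entropy, which is a quick indicator of whether the image is encrypted at all. The sample bytes, including the "admin:password123" string, are constructed for the example.

```go
package main

import (
	"fmt"
	"math"
)

// Constructed sample "update file": binary header bytes, then readable strings (as in Scenario #2) and a credential.
var sampleUpdate = append([]byte{0x7f, 0x01, 0xc3, 0x5d, 0xff, 0x33, 0x44, 0x50},
	[]byte("\x00admin.htmadvanced.htmalarms.htm\x00admin:password123\x00")...)

// printableStrings mimics a hex-editor/`strings` review: runs of at least minLen printable ASCII bytes.
func printableStrings(data []byte, minLen int) []string {
	var out []string
	start := -1 // index where the current printable run began, or -1
	for i := 0; i <= len(data); i++ {
		printable := i < len(data) && data[i] >= 0x20 && data[i] <= 0x7e
		if printable && start < 0 {
			start = i
		} else if !printable && start >= 0 {
			if i-start >= minLen {
				out = append(out, string(data[start:i]))
			}
			start = -1
		}
	}
	return out
}

// shannonEntropy returns bits per byte (0..8): encrypted or compressed data
// sits close to 8, while a plaintext firmware image is usually well below 6.
func shannonEntropy(data []byte) float64 {
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	h, n := 0.0, float64(len(data))
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

func main() {
	fmt.Printf("entropy: %.2f bits/byte\n", shannonEntropy(sampleUpdate))
	fmt.Printf("readable strings: %q\n", printableStrings(sampleUpdate, 6))
}
```

A low entropy together with readable file names or credentials is the signal that the image is shipped unencrypted and carries sensitive data.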

How Do I Secure My Software/Firmware Updates?

Securing software/firmware updates requires:

  1. Ensuring the update file is encrypted.
  2. Ensuring the update file is transmitted via an encrypted connection.
  3. Ensuring the update file does not contain sensitive data.
  4. Ensuring the update is signed and verified before allowing the update to be uploaded and applied.
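An added example of item 4 (signed and verified before the update is applied), written for this page in Go and not taken from the OWASP project: the container layout, the "IOTU" magic and the payload are all constructed for the example, and the key pair is generated at run time purely for the demo, whereas a real device would hold the vendor's public key in immutable storage.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed container layout (not a real vendor format):
//   "IOTU" | uint32 big-endian payload length | payload | 64-byte Ed25519 signature
// The signature covers everything before it, so header and payload are both bound.
// buildUpdate is the vendor-side step: sign the container with a private key that never leaves the build system.
func buildUpdate(priv ed25519.PrivateKey, payload []byte) []byte {
	hdr := make([]byte, 8)
	copy(hdr, "IOTU")
	binary.BigEndian.PutUint32(hdr[4:], uint32(len(payload)))
	body := append(hdr, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// verifyUpdate is the device-side step: return the payload only if the container
// is well formed and the signature checks out against the trusted public key,
// which a real device would keep in ROM/OTP, never read from the update itself.
func verifyUpdate(pub ed25519.PublicKey, img []byte) ([]byte, error) {
	if len(img) < 8+ed25519.SignatureSize || string(img[:4]) != "IOTU" {
		return nil, errors.New("malformed update container")
	}
	n := int(binary.BigEndian.Uint32(img[4:8]))
	if n != len(img)-8-ed25519.SignatureSize {
		return nil, errors.New("length field does not match image size")
	}
	signed, sig := img[:8+n], img[8+n:]
	if !ed25519.Verify(pub, signed, sig) {
		return nil, errors.New("signature verification failed: refusing to apply update")
	}
	return signed[8:], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // demo key pair, generated on the fly
	img := buildUpdate(priv, []byte("firmware v2 (constructed payload)"))
	if _, err := verifyUpdate(pub, img); err != nil {
		panic(err)
	}
	img[len(img)-ed25519.SignatureSize-1] ^= 0x01 // flip one payload bit in transit
	_, err := verifyUpdate(pub, img)
	fmt.Println("tampered image:", err)
}
```

Because the device checks the signature before writing anything, an image served over plain HTTP or from a hijacked DNS name is rejected even though the transport itself offered no protection.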
Example Attack Scenarios

Scenario #1: Update file is transmitted via HTTP.

http://www.xyz.com/update.bin

Scenario #2: Update file is unencrypted and human readable data can be viewed.

�v�ñ]��Ü��Qw�û]��ˇ3DP�Ö�∂]��ˇ3DPadmin.htmadvanced.htmalarms.htm

In the cases above, the attacker is able either to capture the update file in transit or to capture the file and view its contents.

