Check Point vulnerability research

©2015 Check Point Software Technologies Ltd. [Protected] Non-confidential content

CHECK POINT VULNERABILITY RESEARCH: VULNERABILITIES DISCLOSED AND PUBLISHED

Moti Sagey – Head of Competitive intelligence
Shahar Tal – Group Manager vulnerability research
Oded Vanunu – Group Manager Security Research & Penetration

Transcript of Check Point vulnerability research

Page 2: Check Point vulnerability research

Check Point Security Vulnerability Research

• Performs regular assessments of common software, devices and Internet platforms, affecting the security of enterprise and home users.
  – We try to find problems before the bad guys do.
  – Quite literally, “We Secure the Future”…

• Reports findings to vendors prior to public disclosure, pushing towards a more secure eco-system.

• Devises mitigations, detecting and preventing new attacks, to incorporate into current and future CP products.

• Shares knowledge with the community in infosec conferences worldwide, educates customers, partners and public in various events.

Over 40 responsible-disclosure CVEs since 2014

Page 3: Check Point vulnerability research

SOME SIGNIFICANT BIG IMPACT FINDINGS

01

Page 4: Check Point vulnerability research

WordPress

• The most popular web platform in the world, powering 20-25% of the top 1 million web sites

• Privilege Escalation (CVE-2015-5623)
  – A series of vulnerabilities that ultimately allow a ‘subscriber’ user to effectively create, edit and delete posts, reflecting to the WP database, acting as author/editor of these posts.

• SQL Injection (CVE-2015-2213)
  – A contributing user with the ability to edit posts can carefully plant a string in a way that will later be injected into an SQL statement.

• Persistent XSS (CVE-2015-5714)
  – A contributing user is able to bypass HTML filtering and inject JavaScript tags into any editable post.

• More info here

Page 5: Check Point vulnerability research

Facebook WhatsApp “MaliciousCard”

• WhatsApp has 900 million active users a month (200M are estimated to use WhatsApp Web)

• Check Point security researchers discovered significant vulnerabilities which exploit the WhatsApp Web logic and allow attackers to trick victims into executing arbitrary code on their machines in a new and sophisticated way

• More info here

Page 6: Check Point vulnerability research

Certifi-gate

• A set of Android vulnerabilities, including poorly-designed authentication methods between remote support apps and the plugins they rely on to function

• Check Point Mobile Security Researchers poked at several popular mRSTs and discovered critical findings, allowing complete device compromise via rogue apps

• More info here

Page 7: Check Point vulnerability research

Misfortune Cookie

• Allows complete remote compromise of 12 million routers over the public IPv4 WAN

• CVE-2014-9222 - AllegroSoft RomPager 4.34 and earlier, as used in Huawei Home Gateway products and other vendors and products, allows remote attackers to gain privileges via a crafted cookie that triggers memory corruption, aka the "Misfortune Cookie" vulnerability.

• More info here

Page 8: Check Point vulnerability research

eBay/Magento RCE

• The most popular e-Commerce platform, running 30% of online shops (eBay, Adidas, ...)

• CVE-2015-1397 - SQL injection vulnerability

• CVE-2015-1398 - Multiple directory traversal vulnerabilities

• CVE-2015-1399 - PHP remote file inclusion vulnerability

• More info here

Page 9: Check Point vulnerability research

eBay/Magento Case Study

• Jan 15 – Discovery & Report

• Feb 1 – IPS signatures released (Check Point only)

• Apr 22 – Publication

• 97 days until Magento publicly disclosed the issue

• Check Point customers received protection 81 days before the rest of the world even knew about it

Page 10: Check Point vulnerability research

Wikipedia MediaWiki RCE

• Powers Wikipedia, as well as enterprise wiki sites

• CVE-2014-1610 - MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5 and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote attackers to execute arbitrary commands via shell

• More info here

Page 11: Check Point vulnerability research

Other Significant Findings

• TR-069 Security
  – Vulnerabilities in multiple ACS products and deployments

• Bugzilla RCE (CVE-2014-1572)
  – The most popular bug tracking platform

• Six Apart Movable Type
  – CVE-2014-9057 - SQL injection vulnerability in the XML-RPC interface in Movable Type

• TWiki
  – CVE-2014-7237 - lib/TWiki/Sandbox.pm in TWiki 6.0.0 and earlier, when running on Windows, allows remote attackers to bypass intended access restrictions and upload files with restricted names via a null byte

• osCommerce
  – Vulnerabilities can lead to a full system compromise, with an outside agent gaining control over the osCommerce administration panel. These vulnerabilities affect over 260,000 online shops (read more here)

Page 12: Check Point vulnerability research

FINDINGS IN NETWORK SECURITY VENDORS

02

Page 13: Check Point vulnerability research

Cisco

• CVE-2014-2118 - Multiple cross-site scripting (XSS) vulnerabilities in Cisco Prime Security Manager (aka PRSM)

• CVE-2014-3364 - Multiple cross-site scripting (XSS) vulnerabilities in Cisco Prime Security Manager (aka PRSM)

• CVE-2015-0706 - Open redirect vulnerability in Cisco FireSIGHT System Software

• CVE-2015-0707 - Cross-site scripting (XSS) vulnerability in Cisco FireSIGHT System Software

• More info here

Page 14: Check Point vulnerability research

Palo Alto Networks

• CVE-2014-3763 - Cross-site scripting (XSS) vulnerability

• CVE-2014-3764 - Cross-site scripting (XSS) vulnerability

• CVE-2014-6850 - Cross-site request forgery (CSRF) vulnerability

• CVE-2014-6851 - Cross-site request forgery (CSRF) vulnerability

• CVE-2015-1873 - Cross-site scripting (XSS) vulnerability

• More info here

Page 15: Check Point vulnerability research

Fortinet

• CVE-2014-2334 - Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiAnalyzer.

• CVE-2014-2335 - Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager

• CVE-2014-2336 - Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet

• More info here

Page 16: Check Point vulnerability research

Sourcefire

• CVE-2014-2011 - Sourcefire Defense Center cross-site request forgery (CSRF) vulnerability 

• CVE-2014-2012 - Sourcefire Defense Center Cross-Site Scripting (XSS) Vulnerability

• CVE-2014-2028 - Sourcefire Defense Center cross-site request forgery (CSRF) vulnerability 

• CVE-2014-2275 - Sourcefire Defense Center cross-site scripting (XSS) vulnerabilities 

• More info here

Page 18: Check Point vulnerability research

TIME TO RESPOND TO CRITICAL INDUSTRY VULNERABILITIES

03

Page 19: Check Point vulnerability research

Chart: time to respond per vendor, for Heartbleed, Shellshock, Poodle-TLS and Venom (in that order)

• Check Point: 9 hours, 22 hours, 18 hours, 30 hours

• PAN: 4 days, 29 days, 56 days, 10 days

• Fortinet: 5 days, 14 days, 10 days, 9 days

Full references: http://goo.gl/wzE50q

Page 20: Check Point vulnerability research

THANK YOU

WE ARE HAPPY TO DISCUSS OUR RESEARCH, COLLABORATION OPPORTUNITIES, OR SPEAKING ENGAGEMENTS