Check Point vulnerability research
©2015 Check Point Software Technologies Ltd. [Protected] Non-confidential content
CHECK POINT VULNERABILITY RESEARCH: VULNERABILITIES DISCLOSED AND PUBLISHED
Moti Sagey – Head of Competitive Intelligence, [email protected]
Shahar Tal – Group Manager, Vulnerability Research, [email protected]
Oded Vanunu – Group Manager, Security Research & Penetration, [email protected]
Check Point Security Vulnerability Research
• Performs regular security assessments of common software, devices and Internet platforms that affect enterprise and home users.
  - We try to find problems before the bad guys do.
  - Quite literally, “We Secure the Future”…
• Reports findings to vendors prior to public disclosure, pushing towards a more secure ecosystem.
• Devises mitigations that detect and prevent new attacks, to be incorporated into current and future Check Point products.
• Shares knowledge with the community at infosec conferences worldwide and educates customers, partners and the public at various events.
Over 40 responsible disclosures (CVEs) since 2014
01 SOME SIGNIFICANT, BIG-IMPACT FINDINGS
WordPress
• The most popular web platform in the world, powering 20-25% of the top 1 million web sites
• Privilege Escalation (CVE-2015-5623)
  - A series of vulnerabilities that ultimately allow a ‘subscriber’ user to create, edit and delete posts that are written to the WP database, acting as author/editor of these posts.
• SQL Injection (CVE-2015-2213)
  - A contributing user with the ability to edit posts can carefully plant a string that will later be injected into an SQL statement.
• Persistent XSS (CVE-2015-5714)
  - A contributing user is able to bypass HTML filtering and inject JavaScript tags into any editable post.
• More info here
Facebook WhatsApp “MaliciousCard”
• WhatsApp has 900 million active users a month (200M are estimated to use WhatsApp Web)
• Check Point security researchers discovered significant vulnerabilities that exploit the WhatsApp Web logic and allow attackers to trick victims into executing arbitrary code on their machines in a new and sophisticated way
• More info here
Certifi-gate
• A set of Android vulnerabilities, including poorly designed authentication methods between remote support apps and the plugins they rely on to function
• Check Point Mobile Security Researchers examined several popular mRSTs (mobile Remote Support Tools) and discovered critical findings that allow complete device compromise via rogue apps
• More info here
Misfortune Cookie
• Allows complete remote compromise of 12 million routers over the public IPv4 WAN
• CVE-2014-9222 - AllegroSoft RomPager 4.34 and earlier, as used in Huawei Home Gateway products and other vendors and products, allows remote attackers to gain privileges via a crafted cookie that triggers memory corruption, aka the "Misfortune Cookie" vulnerability.
• More info here
eBay/Magento RCE
• The most popular e-Commerce platform, running 30% of online shops (eBay, Adidas, ...)
• CVE-2015-1397 - SQL injection vulnerability
• CVE-2015-1398 - Multiple directory traversal vulnerabilities
• CVE-2015-1399 - PHP remote file inclusion vulnerability
• More info here
eBay/Magento Case Study
• Jan 15 – Discovery & report
• Feb 1 – IPS signatures released (Check Point only)
• Apr 22 – Publication: 97 days until Magento publicly disclosed the issue
• Check Point customers received protection 81 days before the rest of the world even knew about it
Wikipedia MediaWiki RCE
• Powers Wikipedia, as well as enterprise wiki sites
• CVE-2014-1610 - MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5 and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote attackers to execute arbitrary commands via shell
• More info here
Other Significant Findings
• TR-069 Security
  - Vulnerabilities in multiple ACS products and deployments
• Bugzilla RCE (CVE-2014-1572)
  - The most popular bug tracking platform
• Six Apart Movable Type
  - CVE-2014-9057 - SQL injection vulnerability in the XML-RPC interface in Movable Type
• TWiki
  - CVE-2014-7237 - lib/TWiki/Sandbox.pm in TWiki 6.0.0 and earlier, when running on Windows, allows remote attackers to bypass intended access restrictions and upload files with restricted names via a null byte
• osCommerce
  - Vulnerabilities can lead to a full system compromise, with an outside agent gaining control over the osCommerce administration panel. These vulnerabilities affect over 260,000 online shops (read more here)
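The TWiki finding above hinges on a classic mismatch: a filename check done on the whole string, while the file API that finally writes the name stops at the first NUL byte. This added example (not from the deck, not TWiki's code) shows a naive suffix check accepting such a name beside a hardened validator that rejects it; the restricted names and sample filenames are constructed.

```python
"""Added example: why an embedded NUL defeats suffix-based upload filtering,
and a validator that closes the gap. Sample names are constructed."""

ALLOWED_SUFFIXES = (".txt", ".png", ".pdf")
FORBIDDEN_NAMES = {".htaccess", "web.config"}   # hypothetical restricted names


def naive_allowed(name: str) -> bool:
    """The weak check: looks only at the suffix of the full Python string."""
    return name.lower().endswith(ALLOWED_SUFFIXES)


def effective_name(name: str) -> str:
    """What a NUL-terminated (C string) filesystem API would actually use."""
    return name.split("\x00", 1)[0]


def strict_allowed(name: str) -> bool:
    """Hardened check: refuse control bytes (NUL included), path separators
    and restricted names, then validate the suffix of the name as it will
    really be stored."""
    if any(ord(c) < 0x20 for c in name):          # rejects "\x00" and friends
        return False
    if "/" in name or "\\" in name or name in ("", ".", ".."):
        return False
    if name.lower() in FORBIDDEN_NAMES:
        return False
    return name.lower().endswith(ALLOWED_SUFFIXES)


CONSTRUCTED_SAMPLES = [
    "report.pdf",             # benign
    "upload.php\x00.txt",     # passes naive check, stored as upload.php
    ".htaccess\x00.png",      # passes naive check, stored as .htaccess
    "../x.txt",               # traversal; naive check does not notice
]


def audit(names=CONSTRUCTED_SAMPLES):
    """Return (name, naive verdict, strict verdict, name on disk) per sample."""
    return [(n, naive_allowed(n), strict_allowed(n), effective_name(n)) for n in names]


if __name__ == "__main__":
    for name, naive, strict, on_disk in audit():
        print(f"{name!r:24} naive={naive!s:5} strict={strict!s:5} on_disk={on_disk!r}")
```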
02 FINDINGS IN NETWORK SECURITY VENDORS
Cisco
• CVE-2014-2118 - Multiple cross-site scripting (XSS) vulnerabilities in Cisco Prime Security Manager (aka PRSM)
• CVE-2014-3364 - Multiple cross-site scripting (XSS) vulnerabilities in Cisco Prime Security Manager (aka PRSM)
• CVE-2015-0706 - Open redirect vulnerability in Cisco FireSIGHT System Software
• CVE-2015-0707 - Cross-site scripting (XSS) vulnerability in Cisco FireSIGHT System Software
• More info here
Palo Alto Networks
• CVE-2014-3763 - Cross-site scripting (XSS) vulnerability
• CVE-2014-3764 - Cross-site scripting (XSS) vulnerability
• CVE-2014-6850 - Cross-site request forgery (CSRF) vulnerability
• CVE-2014-6851 - Cross-site request forgery (CSRF) vulnerability
• CVE-2015-1873 - Cross-site scripting (XSS) vulnerability
• More info here
Fortinet
• CVE-2014-2334 - Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiAnalyzer
• CVE-2014-2335 - Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager
• CVE-2014-2336 - Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet
• More info here
Sourcefire
• CVE-2014-2011 - Sourcefire Defense Center cross-site request forgery (CSRF) vulnerability
• CVE-2014-2012 - Sourcefire Defense Center Cross-Site Scripting (XSS) Vulnerability
• CVE-2014-2028 - Sourcefire Defense Center cross-site request forgery (CSRF) vulnerability
• CVE-2014-2275 - Sourcefire Defense Center cross-site scripting (XSS) vulnerabilities
• More info here
BlueCoat
• CVE-2014-2724 - Stored XSS
• CVE-2014-2725 - Cookie issued without the HttpOnly flag
• CVE-2014-2726 - Cookie issued without the Secure flag
McAfee
• CVE-2014-2390 - Cross-site request forgery (CSRF) vulnerability
Zscaler
• <no CVE> - Clickjacking
More info here
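The two BlueCoat cookie findings are the kind of weakness a response-header audit catches before a pentester does. This added example (not Check Point's or BlueCoat's code) parses Set-Cookie headers, reports which of the Secure and HttpOnly flags each cookie lacks, and rewrites a header to carry both; the headers and cookie names are constructed samples.

```python
"""Added example: audit Set-Cookie headers for missing Secure / HttpOnly
flags (the CVE-2014-2725 / CVE-2014-2726 pattern). Headers are constructed."""

REQUIRED_FLAGS = ("Secure", "HttpOnly")

CONSTRUCTED_RESPONSE_HEADERS = [
    "Set-Cookie: sessionid=7f3a9c; Path=/",                            # neither flag
    "Set-Cookie: csrftoken=abc123; Path=/; Secure",                    # no HttpOnly
    "Set-Cookie: prefs=dark; Path=/; HttpOnly",                        # no Secure
    "Set-Cookie: auth=xyz; Path=/; Secure; HttpOnly; SameSite=Strict", # clean
]


def _cookie_value(line: str) -> str:
    """Strip an optional 'Set-Cookie:' header name, leaving the cookie string."""
    head, sep, rest = line.partition(":")
    return rest.strip() if sep and head.strip().lower() == "set-cookie" else line.strip()


def parse_set_cookie(line: str):
    """Return (cookie_name, {attribute_lowercase: value_or_True})."""
    parts = [p.strip() for p in _cookie_value(line).split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else True  # bare flag -> True
    return name, attrs


def missing_flags(line: str):
    """List the required flags (case-insensitive) absent from this cookie."""
    _, attrs = parse_set_cookie(line)
    return [flag for flag in REQUIRED_FLAGS if flag.lower() not in attrs]


def audit(headers=CONSTRUCTED_RESPONSE_HEADERS) -> dict:
    """Map each cookie name to the flags it is missing (empty list = fine)."""
    return {parse_set_cookie(h)[0]: missing_flags(h) for h in headers}


def harden(line: str) -> str:
    """Append any missing required flag; already-correct headers pass through."""
    value = _cookie_value(line)
    for flag in missing_flags(line):
        value += "; " + flag
    return "Set-Cookie: " + value


if __name__ == "__main__":
    for cookie, missing in audit().items():
        print(f"{cookie:10} missing: {missing or 'none'}")
```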
03 TIME TO RESPOND TO CRITICAL INDUSTRY VULNERABILITIES
Time to respond, per vendor:
Heartbleed: Check Point 9 hours; PAN 4 days; Fortinet 5 days
Shellshock: Check Point 22 hours; PAN 29 days; Fortinet 14 days
Poodle-TLS: Check Point 18 hours; PAN 56 days; Fortinet 10 days
Venom: Check Point 30 hours; PAN 10 days; Fortinet 9 days
Full references: http://goo.gl/wzE50q
THANK YOU
WE ARE HAPPY TO DISCUSS OUR RESEARCH, COLLABORATION OPPORTUNITIES, OR SPEAKING ENGAGEMENTS