Exploring Commonly-Used Yet Vulnerable Components
In this article, we will explore some technologies that are commonly used today despite being known to be vulnerable. We’ll discuss why these technologies are considered vulnerable, and if available, which of their alternatives can best be used as secure replacements.
It is estimated that today, over 80% of the software in use has some implementation of open-source or third-party software. Hackers find open-source components attractive for attacks due to the security loopholes that many of them have. In fact, OWASP classified the use of components with known vulnerabilities as one of their Top 10 vulnerabilities in 2017.
What Are the Most Common Vulnerable Protocols and Components?
Due to the large number of vulnerable components and protocols being used today, we have divided this section to two parts to discuss each category separately. We not only will look at the affected versions but also talk about the available patches, secure and stable versions and alternatives.
Commonly-Known Vulnerable Components
Components discussed here will largely be open-source and are being used to either manage or develop other software products. Most organizations tend to shy away from open-source software due to the impression that paid products offer much more security as compared to open-source alternatives. We’ll reserve this argument for another article. For now, let’s look at some components.
- JBoss Application Server: JBoss is one of the many Java Web Containers available today. It is both open-source and cross-platform. In 2017, it was discovered that a vulnerability could lead to attackers achieving remote code execution and result in attackers gaining full control of the server. This vulnerability affected JBoss Application Server 4.0 and prior. In order for you to protect yourself from this vulnerability, it is recommended that you upgrade to JBoss EAP 7. JBoss Application Server is not supported anymore.
- Apache Struts: Apache Struts is an open-source framework that can be used to develop Web applications. Attackers are able to exploit outdated versions of this framework to run malicious code on the server. They are able to achieve this by injecting a custom namespace parameter via HTTP request, which is improperly validated by the Struts framework. Apache suggests that you upgrade your version of Apache Struts to 2.3.35 or 2.5.17 in order to fix the vulnerability.
- Adobe Flash Player: Adobe Flash Player is used to view multimedia content developed on the Adobe Flash platform. Multimedia may be rich application content, video and audio and games. The latest vulnerability affecting Adobe Flash Player is CVE-2018-15982. This issue is a use-after-free bug that allows attackers to perform arbitrary code execution on targets. This simply means that attackers can run malicious code on targets. According to Adobe, upgrading your version of Flash Player to 188.8.131.52 will be able to fix this issue.
- Adobe ColdFusion: Adobe ColdFusion is one of the numerous Web application development platforms. A recent vulnerability dubbed CVE-2018-15961 was found to be able to allow attackers to upload files with no restrictions, allowing them to be able to control the server using Web shells. The vulnerability was found to affect ColdFusion 11 (Update 14 and earlier), ColdFusion 2016 (Update 6 and earlier) and ColdFusion 2018 (July 12 release). The best way to protect yourself from attacks is by applying the latest ColdFusion patches as soon as possible.
- OpenEMR v5: OpenEMR is an open-source software solution that is used in hospitals to manage patient records. Versions of OpenEMR prior to 184.108.40.206 have been found to be susceptible to multiple vulnerabilities, including SQL injection and bugs that could lead to unauthenticated information disclosure and remote code execution. Attackers would thus be able to access patient records, compromise database records, escalate privileges and even execute server system commands. In order to protect yourself from attacks, apply the latest OpenEMR patches.
- DotCMS v3.6: DotCMS is a CMS written in Java and is open-source. It is used to manage content and content driven websites and applications. This CMS application is vulnerable to multiple vulnerabilities, depending on the version you are considering. For instance, version 4.1.1 is known to be vulnerable to a shell upload vulnerability which can allow attackers to upload a Web shell, thus controlling the entire site or Web server. Version 3.6.1 is vulnerable to a blind Boolean SQL injection, which can allow attackers to access sensitive database information (as described here). It is recommended that the latest version of DotCMS be used and the latest patches applied. Check to see the version you are using and perform the necessary upgrade.
There are still many vulnerable components that are being widely and actively used today: for example some versions of Zeebuddy and Clipshare. You can always check to ensure that your version is the most recent and that the component provider has you slated to receive the latest upgrades and updates whenever they are made available.
Commonly-Known Vulnerable Protocols and Hashing Functions
Network communication has always heavily relied on protocols and proper hashing functions, but what risks are you exposed to when you hold onto outdated versions for too long? And which of these are commonly used despite being affected? Let’s discuss them below.
- Simple Network Management Protocol (SNMP): SNMP is a network management protocol which is widely used during the configuring of network devices and querying data off of them. Network devices that implement SNMP include switches, printers, routers, servers and more. SNMP has been known to be vulnerable to reflection and amplification attacks for quite some time now. These attacks allow for huge amounts of traffic to be sent, targeting these devices from multiple sources on the Internet. This causes a denial of service, which in turn can negatively impact organizations.
Organizations can protect themselves from these attacks by implementing solutions such as Imperva Incapsula DDoS protection in order to scatter DDoS traffic and perform packet inspection.
- Simple Mail Transfer Protocol (SMTP): SMTP is one of the staple protocols in existence today. That means that it has been around since the early days of the Internet. It was invented to be the channel by which mail was to be transmitted on the Internet. Since it was not designed with security in mind, it still suffers from attacks such as account enumeration, SMTP relay attacks, email header disclosures and malicious emails containing malware. However, multiple fixes have been put in place to help protect against attacks. These fixes include disabling the VRFY and EXPN commands and enforcing authentication on your email server to protect against SMTP relay attacks.
- MD5: This is a very well-known and commonly-used cryptographic hash function, designed in 1992 and still widely used today. It was discovered that MD5 was susceptible to collisions, where two distinct messages hash to the same value. Ideally, in any cryptographic hash function it should not be computationally feasible to have similar hashes for more than one message, and MD5 fails at this point. Software developers have now realized this weakness and are no longer using MD5 as a security feature, but instead for basic functionality such as determining the partition of a particular key in a partitioned database. Other hashing functions that are vulnerable to collisions include RIPEMD, SHA-0, SHA-1 and HAVAL. A possible attack would be where attackers create a malicious program whose hash matches that of a non-malicious program, thereby being able to bypass anti-malware solutions that rely only on signature-based detection. MD5 or any protocols affected by collisions are not available for security checks.
- OpenSSL: OpenSSL is a cryptographic software library that can be applied on software and network communications to protect data being transmitted from eavesdropping. It comprises of an open source implementation of the TLS and SSL protocols. This software library is not new to vulnerabilities and is affected by quite a number which include:
- Timing attacks on RSA keys — (CAN-2003-0147)
- Denial of Service ASN.1 parsing
- OCSP stapling vulnerability — (CVE-2011-0014)
- ASN.1 BIO vulnerability — (CVE-2012-2110)
- SSL, TLS and DTLS Plaintext Recovery Attack — (CVE-2013-0169)
- Predictable Private Keys (Debian-specific)
- CSS Injection Vulnerability — (CVE-2014-0224)
- ClientHello sigalgs Denial-of-Service — (CVE-2015-0291)
- Key Recovery Attack on Diffie Hellman small subgroups — (CVE-2016-0701)
There are many vulnerable protocols that we have not covered and are still in use. Some examples include SMB, WPA, HTTP ,FTP v2, BGP, DNS, RDP and many more. It is important that you are aware of the protocols that your organization exposes within your network and the Internet and their security status.
What Secure Alternatives Are Available for Use?
Most of the components and protocols discussed above have secure alternatives available that can be resorted to if you do not want to (or are unable to) perform necessary upgrades. Let’s briefly discuss these.
- JBoss Alternatives: There are multiple alternatives that you can consider in place of JBoss Application Server. They include Apache Tomcat, Jetty, glassfish, Oracle WebLogic, WebSphere Application Server and Apache Geronimo. Multiple others also exist, as documented here.
- Adobe Flash Player Alternatives: Two of the most notable alternatives are Lightspark and GNU Gnash. Lightspark implements about 60% of the Flash APIs and is currently supported on many websites. GNU Gnash still doesn’t support the latest flash files, though it features as an alternative.
- OpenEMR Alternatives: The most common alternatives to OpenEMR include GNUHealth, OpenMRS, drchrono and CureMD. It is worth noting that there are multiple other solutions out there as well. If you are interested in an extensive list, see here.
What Should You Do to Prevent Attacks on These Components?
Even though OWASP discourages the use of open-source software components, removing these from software might significantly limit the intended software capabilities. There are two main things an organization can do in order to remain secure. These are:
- Preparing a Security Policy Within the Organization: A security policy is beneficial in the organization since it outlines what needs to be done in the event an incident is identified. The policy might also require that an inventory is made of client-side and server-side components, such as frameworks, libraries and their respective dependencies. The policy will also often provide guidelines that can be followed to ensure security is maintained. For instance, it can be deemed mandatory to maintain an updated inventory of vulnerabilities through monitoring sources such as CVE and NVD. The policy can also define detection methods — for instance, outlining automated tools to make detection of vulnerabilities faster.
- Determining All Affected Components: Components should only be obtained from trusted sources, and their maintenance frequency should be checked. Organizations might consider deploying a virtual patch system that monitors for available patches. By determining affected components, one can decide whether or not to remove unused components and unnecessary features.
In this article, we have discussed a few vulnerable components as well as protocols in use today. We have also seen the vulnerable points within the software and how attackers can leverage these in order to conduct a successful attack. We also briefly discussed a few alternatives that can be considered as secure replacements to affected software components.
In conclusion, it is recommended that organizations have a clear plan in place that allows them to detect and mitigate vulnerable components. Mitigation might include applying patches or configuration changes.
- OWASP Top 10 — 2017, OWASP
- A Vulnerability in JBoss Application Server Could Allow For Remote Code Execution, CIS
- OpenEMR security flaws could have exposed millions of patient records, ZDNet
- Xiaoyun Wang, Hongbo Yu, “How to Break MD5 and Other Hash Functions“
- What You Need to Know: Apache Struts Vulnerability, Akamai
- Adobe Patches Zero-Day Vulnerability in Flash Player, Threatpost
- Recently-Patched Adobe ColdFusion Flaw Exploited By APT, Threatpost