When opportunity knocks, malicious actors are quick to answer. Sometimes they’re met with a locked door after vulnerabilities are patched and security holes sealed. On other occasions, they slip through corporate defenses to wreak havoc.
Attackers Cash In on Vulnerability Report
When a recent vulnerability report from security firm Rapid7 detailed 13 problems with popular network management systems (NMSs), researchers observed a sudden spike in activity on ports using the simple network management protocol (SNMP) as attackers went looking for possible weak spots, Softpedia reported.
On one hand, it’s a job well done. On the other, this hunt is worrisome. Does the need to report vulnerabilities outstrip the potential repercussions of attacker interest?
The Network Nuisance
According to Dark Reading, flaws were found in nine vendor products, including those from Spiceworks, Castle Rock, Opsview and Netikus. All vendors were notified and the vulnerabilities subsequently patched. Rapid7 noted that all the issues stemmed from a lack of machine-to-machine input oversight, in turn making the products susceptible to simple cross-site scripting (XSS) attacks.
It works like this: Cybercriminals hide malicious code in malformed SNMP packets, which are then executed inside the NMS tools, giving attackers a birds-eye view of network-attached components such as servers, routers, printers and firewalls. Once behind corporate lines, attackers can take their time zeroing in on high-value targets, such as payroll-processing PCs or human resources servers that may hold valuable employee data.
It’s no surprise that Rapid7’s disclosure of 13 key vulnerabilities had attackers scrambling to find potential loopholes in new patches or other weak spots that security researchers missed. As Softpedia noted, the Internet Storm Center (ISC) tracked a huge uptick in activity on port 161, which is used by SNMP on honeypot servers.
While there are no reports of any successful attacks on the newly patched NMS after the report dropped, it’s clear that cybercriminals aren’t just groping in the dark — they’re reading security news briefs to see where and when attacks will have the highest chance of success.
The Disclosure Dissonance
Ultimately, it comes down to a discussion of disclosure. Should independent researchers, companies and federal agencies immediately report their findings, even if they represent a potential threat? Common wisdom says to follow Rapid7’s path: Notify the vendors involved, develop a fix and then release the data.
But what if the vendor isn’t willing to talk or won’t acknowledge the problem? What if there’s a massive zero-day threat on the horizon but no developed method of defense?
As noted by Network World, for example, the National Security Agency (NSA) prefers to keep zero-day issues close to the chest, in part as back doors in case of emergency. But this opens up the avenue of extra-country exploitation: What if outside agencies are leveraging the same vulnerabilities that were never made public, and therefore never fixed?
The Rapid7 vulnerability report speaks to the need for preparation. It’s no longer sufficient to simply find problems and make them public or file a passive report with the product vendor. Security companies must now engage in both the discourse of security defense and be prepared, if necessary, to release flawed files if no resolution is forthcoming.
Put simply, it’s a balancing act. Disclose too early, and attackers have a head start. Disclose too late, and they’ve already been leveraging the vulnerabilities for months. Get it just right, however, and attackers run into honeypots while legitimate security professionals find ways to shore up critical systems.