(In)Security in Security Products
Who do you turn to when your security product becomes a gateway for attackers?
About the report
• Security products are present in most systems and can, in theory, become a “high pay-off” target for hackers, after the OS, browsers, etc.
• At iViZ we wanted to study how secure security products are.
• iViZ used databases such as the Common Vulnerability Enumeration (CVE), Common Product Enumeration (CPE) and National Vulnerability Database (NVD) for the analysis.
www.ivizsecurity.com
How are security vendors doing in terms of protecting their own products?
According to our “(In)Security in Security Products” report,
• More recently, hackers have claimed to be in possession of the source code for Symantec's pcAnywhere tool and Norton AntiVirus.
Vulnerabilities in Security Products
• Man-in-the-middle (MITM) vulnerability in Symantec Backup Exec 12.1
• Remote code execution via buffer overflow vulnerabilities in Symantec Veritas Enterprise Administrator products
• Encryption bypass of major disk encryption products, including Microsoft BitLocker, TrueCrypt and McAfee SafeBoot Device
• Remote code execution vulnerabilities in various anti-virus products, including AVG, F-Secure, Sophos and ClamAV
For details: http://www.ivizsecurity.com/security-advisory1.html
Security Product Vulnerability Trends
[Chart: Vulnerability Trend in Security Products, by year, 1998 to 2011; vertical axis 0 to 300]
[Chart: Vulnerability Trend in All Products, by year, 1998 to 2011; vertical axis 0 to 7000]
Most Vulnerable Security Product Categories
[Figure 2: bar chart of vulnerability counts by security product category (Others, Anti-Virus, Firewall, IDS/IPS, VPN); horizontal axis 0 to 700]
Vulnerabilities by Security Products
[Bar chart: Vulnerabilities in Security Products; horizontal axis 0 to 80. Products shown: McAfee Anti Virus, Symantec Norton Internet Security, Checkpoint Firewall-1, Norton AntiVirus, Norton Personal Firewall, AVG AntiVirus, Trend Micro Officescan, ClamAV Anti-virus, Kaspersky Anti-virus, Cisco Adaptive Security Appliance, Sophos Anti-virus, Cisco PIX Firewall, F-Secure Anti-virus]
Vulnerabilities by Security Companies
[Bar chart: Vulnerabilities by Vendors; horizontal axis 0 to 1200. Vendors shown: CA, Checkpoint, ISS, McAfee, Symantec, Trend Micro, Cisco, Kaspersky Lab, ClamAV]
Vulnerabilities in Security Products
Figure 6: Number of vulnerabilities found in some of the major security products existing today. The X axis shows the number of vulnerabilities and the Y axis lists the products. The total for each product is calculated by considering all versions of the product and their individual vulnerabilities discovered over the past years.
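The per-product totals described in the Figure 6 caption can be reproduced along the following lines. This is an added example, not iViZ's own tooling: the records are constructed, the vendor and product names are hypothetical, and it assumes CPE 2.3 formatted names and that a CVE affecting several versions of one product is counted once.

```python
from collections import defaultdict

# Constructed sample (not real NVD data): CVE id -> affected CPE 2.3 names.
SAMPLE = {
    "CVE-0000-0001": [
        "cpe:2.3:a:examplevendor:example_antivirus:1.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:examplevendor:example_antivirus:1.1:*:*:*:*:*:*:*",
    ],
    "CVE-0000-0002": [
        "cpe:2.3:a:examplevendor:example_antivirus:1.1:*:*:*:*:*:*:*",
    ],
    "CVE-0000-0003": [
        r"cpe:2.3:a:examplevendor:example\:fw:2.0:*:*:*:*:*:*:*",
        r"cpe:2.3:a:examplevendor:example\:fw:2.1:*:*:*:*:*:*:*",
        r"cpe:2.3:a:examplevendor:example\:fw:2.2:*:*:*:*:*:*:*",
        "cpe:2.3:a:truncated",  # malformed entry, must be skipped
    ],
}

def split_cpe(name):
    """Split a CPE 2.3 formatted name on ':' while honouring backslash escapes."""
    fields, cur, escaped = [], [], False
    for ch in name:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))
    return fields

def count_by_product(records):
    """Return (distinct CVEs per product, raw CVE/version rows per product)."""
    distinct = defaultdict(set)   # (vendor, product) -> set of CVE ids
    rows = defaultdict(int)       # (vendor, product) -> one row per affected version
    for cve_id, cpe_names in records.items():
        for name in cpe_names:
            f = split_cpe(name)
            if len(f) != 13 or f[:2] != ["cpe", "2.3"]:
                continue          # not a well-formed CPE 2.3 name
            key = (f[3], f[4])    # vendor, product: all versions fold together
            distinct[key].add(cve_id)
            rows[key] += 1
    return {k: len(v) for k, v in distinct.items()}, dict(rows)

if __name__ == "__main__":
    print(count_by_product(SAMPLE))
```

Summing rows instead of distinct CVE ids inflates products that ship many versions, so any comparison between products should state which of the two counts it uses.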
Type of Vulnerabilities in Security Products “vs” General Products
[Two charts, “All Products” and “Security Products”, showing the percentage share of each vulnerability type. Types listed: SQL Injection, XSS, Buffer Errors, Access Control, Input Validation, Code Injection, Resource Management Errors, Path Traversal, Information Leak, Numeric Errors, Authentication Issues, CSRF, Cryptographic Issues, Link Following, Credentials Management, Configuration, Race Conditions, Format String Vulnerability, OS Command Injections]
Conclusion
The two largest threats to security product vendors/developers are:
• The Black 0-Day Market
• Cyber Warfare
Vulnerabilities are as common in security products as they are in non-security products. As per the Global Risk 2012 report, the cost of each cyber crime is 5.9 million USD and is likely to grow. There is no foolproof solution to mitigate cyber warfare attacks, but we can take suitable measures to ensure security is itself more secure in the future.
Some thoughts
• Security companies do not necessarily produce secure software
• Security products can themselves serve as a door for a hacker
• Security products are “high pay-off” targets since they are present in most systems
• APTs and cyber-warfare make security products the next choice of target
• Are you sure your web application is secure?
• Check out our cloud-based penetration testing solution with “Zero False Positive Guarantee”: www.ivizsecurity.com
Thank you
Bikash Barai, CEO and Co-founder of iViZ
Blog: http://bikashbarai.blogspot.in
LinkedIn: http://www.linkedin.com/pub/bikash-barai/0/7a4/669
Twitter: https://twitter.com/bikashbarai1