DeepSec 2013 Talk: Auditing Virtual Appliances – An Untapped Source Of 0-days
System administrators and information security researcher often have to deal with appliances. Almost every organisation and company has a couple of magical black boxes sitting around. Usually they are connected to the network, and they do important stuff (such as filtering things, checking content, and the like). In the old days testing these appliances for their security record was hard. You had to open it, do a lot of tedious reverse engineering in order to understand how it works, and then conduct your tests to do your analysis. Fortunately the future is here, and so is a new form factor: virtual appliances!
At DeepSec 2013 Stefan Viehböck of SEC Consult will talk about the advantages of having a virtual appliance to deconstruct. Virtual appliances aren’t very different from their embedded cousins, judged from the perspective of security. The advantages is that they are easier to access. That’s about it. You still have to deal with the reverse engineering and have to poke around in its innards. Stefan will give you a guided tour of analysing the security appliances from F5, Symantec, Sophos, and other vendors. He will discuss the process of evaluating the general system hardening posture up to finding exploitable vulnerabilities. Getting an unauthorised root shell on a security appliance is always something to consider. Your attacker most certainly will, and thus you should care too.
Due to their role these security appliances are located at crucial points of your infrastructure. They might see all your Internet traffic, thus having someone gaining root access is a worst case scenario. When it comes to incident response, shutting the appliance down isn’t always an option. True, you may have a fail-over configuration in place, but usually this means having two or more identical virtual appliances in place. Taking one down means that you have a spare with the same exact vulnerabilities. Great, isn’t it? So that’s not going to work for you. Either you have a second set of devices based on a different technology at hand (using a different vendor will probably be sufficient), or you make sure you have audited your expensive magical boxes.
We recommend this talk for penetration testers, anyone shepherding appliances, developers working for vendors who build (virtual) appliances, and people who are interested in finding fertile grounds for 0days.