(In)security Appliances

IT management is a tough job with lots of moving parts. To deal with that reality, IT administrators use a lot of tools and automation to help keep an eye on all the devices they are responsible for, some custom, some off the shelf, and some big-box enterprisy stuff. What the sales rep won't tell you, though, is that every line of code you add to your network is more complexity. And as complexity increases, so does the risk of bugs. I made you a handy graph to illustrate what that looks like.

There are lots of statistics out there about bug density, all of which are flawed in some ways of course, but it really comes down to the more code you expose to the network, the higher the probability of there being an exploitable bug in that code. IT management tools and security appliances are no exception to that rule.

All of that is what makes vulnerabilities in these things possible (and even likely) but what makes them fun is they are often the custodians of some of the most important data on a network. An inventory management system will have... wait for it... a list of targets, probably with the name of the human associated with each of them which also gives you an idea of what kind of data they'll be holding. A patch/update management solution will most likely have a simple way to deploy executables (ostensibly to patch something) to lots of boxes all at once, an example of authenticated remote code execution by design on a massive scale. In other words, a thing you want to pwn.

This week we have another example of this class: Dell's KACE K1000 systems are intended to "[s]treamline IT asset management, secure network-connected devices, and service end-user systems more efficiently." Which all sounds to me like marketing-speak for pop boxes, steal data.

If you have any of these sorts of things in your network, it might be a good idea to make sure only IT staff can talk to it. Bob in finance doesn't need to see all that stuff.

If you are a pentester, anything that says "Administration" or "System Management" in its <title> tag is probably already a priority, so nothing I've said here is news to you.

New Modules

Exploit modules (3 new)

Get it

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.11.20...4.11.21

The bug image in my awesome graph is CC-By-SA MesserWoland.