What Are Misconfiguration Attacks?
Security misconfiguration vulnerabilities take place when an application component is vulnerable to attack as a result of insecure configuration option or misconfiguration.
Misconfiguration vulnerabilities are configuration weaknesses that might exist in software subsystems or components. For instance, web server software might ship with default user accounts that a cybercriminal could utilize to access the system, or the software might have a known set of standard configuration files or directories, which a cybercriminal could exploit.
Furthermore, software might have vulnerable services enabled, such as remote administration operations. Misconfiguration vulnerabilities cause your application to be vulnerable to attacks that target any component of the application stack.
For instance, the following types of attacks could exploit misconfiguration vulnerabilities:
- Code injection
- Credential stuffing/brute force
- Buffer overflow
- Cross-site scripting (XSS)
- Command injection
- Forceful browsing
In this article:
- Examples of Real-Life Misconfiguration Attacks
- Common Mistakes That Lead to Security Misconfiguration
- How Can I Prevent Security Misconfigurations?
- Misconfiguration Attack Mitigation with Bright
5 Examples of Real-Life Misconfiguration Attacks
Here are some examples of misconfiguration attacks that occurred in the real world, and lessons you can learn from them to improve your organization’s security.
1. NASA Exposed Via Default Authorization Misconfiguration
A security researcher discovered a security misconfiguration in the collaboration tool-JIRA. This single misconfiguration made many Fortune 500 companies (and NASA) vulnerable to a release of personal and corporate data. An authorization misconfiguration in the Global Permissions setting of Jira caused this data disclosure.
When the dashboards and filters for the projects or issues were developed in JIRA, then by default the visibility settings were “All users” and “Everyone”. Rather than sharing roadmap tasks and the like within the organization, it shared them with the public.
Lesson learned: Look at the file sharing configurations in each SaaS to make sure confidential data is not revealed publicly.
2. Amazon S3 Misconfiguration Attacks
Here are several organizations that experiences an attack on their Amazon S3 storage due to misconfigurations:
|Australian Broadcasting Corporation
|Hashed passwords, internal resources, and keys were leaked.
|United States Army Intelligence and Security Command
|Several files, including Oracle Virtual Appliance (.ova). volumes with portions marked top secret.
|Authentication information, which included certificates, plaintext passwords, keys, and sensitive customer information.
Lesson learned: Many organizations rely on the data storage technology of Amazon S3, including military and government agencies. However, past security events indicate that this is a pervasive problem, and S3 authorization should be carefully monitored.
3. Citrix Attacked with Insecure Legacy Protocols
A majority of Microsoft Office 365 and G Suite tenants have been the target of IMAP-based password-spraying attacks. The cybercriminals target the insecure, legacy IMAP protocol to get past MFA settings and expose cloud-based accounts, giving access to SaaS applications.
Citrix, which specializes in federated architectures, was the target of such an attack. The FBI proposed that cyber criminals achieved a foothold by password spraying and then were able to bypass other layers of security.
The utilization of legacy protocols including IMAP and POP makes it hard for system administrators to establish and activate MFA. Shared mailboxes and service accounts can be especially vulnerable, and it can be difficult to use MFA to protect G Suite cloud and Office 365 accounts that use IMAP.
Lesson learned: Make sure that MFA is activated for every user in every application, including super administrators.
4. Mirai (未来)
Mirai is a type of malware that infects network devices. After devices are infected they can be remotely controlled by the operator, which uses them as bots that extend the power of a botnet. Mirai targeted mainly IoT devices, and managed to execute several high profile attacks even after it was discovered in August 2016. Eventually, the creator released the code as open source (Anna-senpai), and the technique has since been used in other malware projects.
Mirai managed to infect and run on CCTV cameras, home routers, and DVRs. It succeeded by trying commonly used passwords. This simple method enabled the mirai botnet to produce 280 Gbps and 130 Mpps in DDoS capability and attack the DNS provider Dyn. Mirai also rendered several notable sites inaccessible, including GitHub, Reddit, Airbnb, Netflix, and Twitter.
Lesson leaned: Weak and default passwords are a common security misconfiguration. Threat actors actively look for systems and devices to attack, making use of lists of commonly used passwords and bots that can quickly input a large number of passwords.
5. Consent Phishing with OAuth in Office 365
Consent phishing is an attractive exploit for attackers, who take advantage of the common OAuth actions performed by users. OAuth is prone to implementation mistakes. When a victim clicks on the misleading OAuth application, they permit the installation of any amount of malicious activities.
Microsoft tells users to keep an eye out for deceptive OAuth applications to stay clear of malicious attacks. Many remote employees have experienced such attacks when using Office 365.
Lesson learned: Put in place a security protocol to onboard new applications and restrict user permission by default for all applications.
Common Mistakes That Lead to Security Misconfiguration
Here are several common mistakes that lead to security misconfiguration:
- Failure to remove or disable unnecessary features—when you do not remove superfluous components, code samples or features, the application is left open to attack. Do not keep unnecessary ports open or unneeded services running. You should also make sure to delete accounts that are no longer needed.
- Using default accounts and passwords—devices and programs, including web applications and network devices, come with a set of default credentials that provide initial access to owners. After gaining access, owners must change their passwords. Otherwise, attackers can use lists of common default credentials to brute-force the system and gain unauthorized access.
- Defining error messages that reveal too much information—default server configurations should not provide too much information in error messages. For example, the error message should not provide detailed stack traces. This can expose sensitive information, like the used component versions, which attackers can use to search for exploitable flaws.
- Using old software versions and missing updates—outdated software can leave systems exposed to known vulnerabilities, which may have already been patched. To ensure patches are effective, they must be applied on time.
- Misconfigured upgrades—to be truly effective, upgrades must be properly configured. Whether the upgrade includes security patches or new functionality, it must be configured and enabled correctly. To avoid misconfiguration, review each update to see the exact change and adjust your configuration accordingly.
- Misconfigured cloud systems—cloud providers are responsible for securing the underlying infrastructure. You are responsible for securing your own cloud resources, including workloads and data. A misconfigured cloud-based operating system, for example, can expose your virtual machines (VMs) or containers to attacks.
Learn more in our detailed guide to directory traversal.
How Can I Prevent Security Misconfigurations?
There are several measures you can take to prevent misconfiguration attacks.
Education and Training
One of the most effective means of preventing security misconfiguration is training and educating your staff members about the latest security trends. This allows them to make smarter decisions and adhere to best practices.
Data exfiltration is a concern for many organizations. Sensitive or proprietary data in the hands of individuals with ill intent can lead to dramatic losses or embarrassment for an organization, both in relation to personnel and financially. Data can often be an organization’s most essential asset.
Utilizing data-at-rest encryption schemes might assist with the protection of files from data exfiltration. You can also apply appropriate access controls to directories and files. These measures offset the vulnerability of susceptible directories and files.
Conducting security scans on systems is an automated method of isolating vulnerabilities. Running such scans on a regular schedule, after creating architectural changes, is a significant step in improving the overall vulnerability.
If implementing custom-written code, you should also make use of a static code security scanner. This must come prior to implementing that code in the production environment.
Only provide users with access to information they absolutely require to do their jobs. You will need strong access controls, including a strong password and username, and establish two-factor authentication.
You should also compartmentalize data. Ensure that administrators hold unique accounts for when they are making use of their administrative rights as opposed to when they are behaving as a regular user of the system.
The use of outdated software remains one of the most prevalent security vulnerabilities. Many companies don’t appreciate the need to invest in the newest and latest. They may feel it is more cost-effective to continue making use of legacy software. However, using outdated software can actually place an organization at risk of losing assets—as well as the trust of their investors and customers.
Establishing a consistent patch schedule, and maintaining updated software, is essential to reducing an organization’s threat vectors.
To ensure you’ve covered all your configuration security requirements, implement a checklist that incorporates the different measures you want to put in place. Based on the recommendations of security experts, a checklist as follows may help prevent security misconfiguration:
- Create a patching schedule and encrypt your data
- Ensure software is up-to-date and disable default accounts
- Implement reliable access controls
- Give administration a routine process to so they don’t overlook items
- Establish security settings in development frameworks to safeguard value
- Undertake system audits periodically and launch security scanners
Related content: Read our guide to directory traversal attack.
Misconfiguration Attack Mitigation with Bright
Bright automates the detection of misconfiguration and hundreds of other vulnerabilities in your web apps and APIs. Easily start a scan in minutes and enjoy a false-positive free report with clear remediation guidelines for your developers. Thanks to Bright’s integration with ticketing tools, assign all the findings to team members and keep track of execution.
Try Bright for free – Register for a Bright account