Earlier this month, Cisco, the network hardware, software, and telecommunications equipment giant, publicly disclosed a critical security vulnerability in a subset of its small-business VPN routers that could be exploited by a remote, unauthenticated attacker. A successful exploit hands the attacker control of the device, and at the time of disclosure roughly 8,800 vulnerable systems were reported to be exposed to compromise.
Access via WAN
Cisco shipped fixed firmware for the critical remote code execution (RCE) bug, and it was clear that the core problem was the exposed web-based management interface of the vendor's small-business VPN routers. Tracked as CVE-2021-1602, the bug exists in the web-based management interface of Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers.
The bug could allow an unauthenticated, remote attacker to execute arbitrary commands with root-level privileges on the underlying operating system.
In plain terms, the vulnerability was due to insufficient validation of user input: a weak link that an attacker could exploit simply by sending crafted requests to the web-based management interface, with no credentials required.
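To make "insufficient user input validation" concrete, here is an added example written for this article (it is not Cisco's firmware code) of the bug class the advisory describes: a hypothetical ping-diagnostic handler of the kind many router web UIs expose, which interpolates a request parameter into a shell command line that runs as root, next to a hardened version that validates the host and passes it as an argument vector with no shell in between. The handler names, the attacker payload and the sample hosts are all constructed.

```python
"""Command injection via an unvalidated web-UI parameter, vulnerable form beside hardened form.
Added example for this article; not code from Cisco or from any router firmware."""
import ipaddress
import re
import subprocess

# The `host` value arrives straight from the HTTP request. On a router the web server
# (and therefore this handler) typically runs as root, so anything the attacker smuggles
# into the command line also runs as root.


def vulnerable_ping(host: str) -> str:
    """BUG: untrusted input is spliced into a string handed to /bin/sh.
    A value such as '127.0.0.1; echo INJECTED' terminates the ping command and runs
    whatever follows the semicolon."""
    cmd = f"ping -c 1 {host}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


# RFC-1123-style hostname: labels of letters, digits and hyphens, no leading hyphen,
# no shell metacharacters, at most 253 characters overall.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def validate_host(host: str) -> str:
    """Accept only an IP literal or a well-formed hostname; reject everything else.
    Rejecting a leading '-' also stops the value from being parsed as a ping option."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"rejected host parameter: {host!r}")


def hardened_ping_argv(host: str) -> list[str]:
    """Build an argv list so the kernel execs ping directly; with no shell involved,
    characters like ';', '|', '$(' and backticks have no special meaning."""
    return ["ping", "-c", "1", validate_host(host)]


def hardened_ping(host: str) -> str:
    """Run the validated command. In a real device this process should also run under an
    unprivileged account rather than root, so a remaining bug cannot take the whole box."""
    result = subprocess.run(hardened_ping_argv(host), capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"  # constructed attacker input
    print("vulnerable handler stdout:", repr(vulnerable_ping(payload)))
    try:
        hardened_ping_argv(payload)
    except ValueError as exc:
        print("hardened handler:", exc)
```

Run it on any POSIX host: the vulnerable handler prints INJECTED in its output whether or not `ping` is even installed, while the hardened handler refuses the same request before any process is spawned. The validation is an allowlist (what a host may look like), not a denylist of known-bad characters, which is the shape of fix that actually closes this class of bug.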
Cisco Packet Tracer for Windows Attack
Additionally, a vulnerability in Cisco Packet Tracer for Windows (CVE-2021-1593) could allow an authenticated, local attacker to perform a DLL injection attack on an affected system. To exploit it, however, the attacker would need valid credentials on the Windows system.
When questioned on this particular security event, Cisco explained:
“This vulnerability is due to incorrect handling of directory paths at run time. An attacker could exploit this vulnerability by inserting a configuration file in a specific path on the system, which can cause a malicious DLL file to be loaded when the application starts. A successful exploit could allow an attacker with normal user privileges to execute arbitrary code on the affected system with the privileges of another user’s account.”
Cisco Network Services Orchestrator (NSO) & ConfD options for CLI Secure Shell (SSH) Server Attack
A further high-severity security issue was tracked as CVE-2021-1572. This affected both the Cisco Network Services Orchestrator (NSO) and ConfD options for the CLI Secure Shell (SSH) Server. It was discovered to be a privilege-escalation bug that could allow an authenticated, local attacker to execute arbitrary commands at the level of the account under which the service is running, which is commonly root.
To exploit this vulnerability, the attacker would need to have a valid account on an affected device.
According to Cisco:
“The vulnerability exists because the affected software incorrectly runs the SFTP user service at the privilege level of the account that was running when the built-in SSH server for CLI was enabled. An attacker with low-level privileges could exploit this vulnerability by authenticating to an affected device and issuing a series of commands at the SFTP interface.”
Any user who can authenticate to the built-in SSH server could exploit the bug, the vendor warned.
Cisco is well aware that its products are widely deployed and therefore attractive targets for attackers. It advised all users to update to the latest fixed release of the affected products.
Breaking it all down
When you look closely at all the moving parts, these vulnerabilities share three characteristics:
- They fall into two classes: remote command execution as root, and local privilege escalation (to root, or to another user's account).
- They target product lines aimed at the SMB market.
- Even a low-privileged account (a normal Windows user for Packet Tracer, a low-level login for NSO/ConfD) was enough to cause damage to the underlying operating system; for the RV-series routers, no account at all was needed.
As in many similar cases, Cisco had to ship a patch to address the vulnerabilities. But a patch is just that: a patch. It is only a matter of time until the next vulnerability requires the next one.
ZTNA could have blunted that entire scenario.
If the SMB organizations had deployed ZTNA, an exposed management interface or a compromised VPN appliance would not by itself have granted access to the resources behind it, and the consequences of such an internal vulnerability would have been contained.
This is largely because these flaws hinge on requests reaching the device's management interface. As Tenable wrote of a related pair of Cisco flaws:
“While both flaws exist due to improper validation of HTTP requests and can be exploited by sending specially crafted HTTP requests, CVE-2021-1610 can only be exploited by an authenticated attacker with root privileges,” according to Tenable. “Successful exploitation would grant an attacker the ability to gain arbitrary command execution on the vulnerable device’s operating system.”
ZTNA and VPN – better together
The main problem with VPN-only access is that a flaw in the VPN appliance is a flaw in the perimeter itself: once an attacker exploits the device, nothing else stands between them and the network behind it. With ZTNA, they would still have had to pass an authentication step, an extra lock and key if you like, before reaching any application. With VPN alone, compromising the gateway left the entire network exposed.
So how does ZTNA work exactly?
ZTNA works by separating the identity-verification step (the control plane) from the access event itself (the data plane), keeping the VPN's weak spots away from the organization's applications. Even if an attacker gets past the VPN, he or she must still satisfy a multi-factor authentication (MFA) check before any resource becomes reachable, which stops the attack in its tracks.
ZoneZero® Zero Trust Network Access (ZTNA) solution
ZoneZero®, Safe-T’s NextGen cloud, and on-premises ZTNA solutions ensure that all organizational access use cases, both incoming and outgoing, are fully secured, according to a “validate first, access later” protocol. No one is trusted by default from either inside or outside the network, and verification is required from every identity wishing to gain access to resources on the network or in the cloud. In short –
ZoneZero® helps organizations to adopt more effective security, based on a “never trust, always verify” principle.
The First-ever Zero Trust Access Orchestration Platform
Fully transparent and simple to deploy, Safe-T provides an innovative and unique network-centric ability to implement ZTNA within corporate networks. Working side-by-side and in conjunction with all access points (VPNs and firewalls), identity security solutions and application services, Safe-T’s ZTNA enables seamless integration across all legacy infrastructure and authentication services.
ZoneZero® addresses all remote-access requirements and supports the following access scenarios:
Remote access users (non-VPN)
ZoneZero® enables organizations to implement ZTNA and provide secure and transparent access to any internal application, service, and data, either alongside or as a replacement for an existing VPN. Based on patented reverse-access technology, ZoneZero® is a clientless solution that eliminates the need to open incoming ports in an organization's firewall, for seamless, effective, and secure operation.
Powered by patented reverse-access technology, ZoneZero® uniquely enables ZTNA on existing VPN infrastructures through application-layer policy monitoring and enforcement, MFA integration for any application or service to provide continuous authentication, and true separation of the data plane and control plane, all on top of existing infrastructure.
Internal network users
ZoneZero® also operates as a ZTNA solution for internal users, providing identity-based segmentation and multi-factor authentication for any internal application for secure access control in addition to supporting both non-web protocols and legacy infrastructure. With ZoneZero®, organizations can easily integrate multi-factor authentication and continuous identity verification for all applications.
To get more insights on how ZTNA can help secure your network, contact us.