Thursday, July 21, 2011

Web Servers as an Attack Vector

For a long time in computer security, we have been focused on protecting workstations, and rightly so.  Viruses, worms, remote access Trojans, and other malware have targeted the end-user workstation, and unfortunately, the attacks continue to be quite successful.  A number of recent high-profile data leaks have occurred using workstations as the initial point of attack.

However, the initial point of attack in several other high-profile data leaks has been the web server.  Citigroup, Barracuda, and now Pacific Northwest National Laboratory (PNNL) were attacked through web servers.  This makes me a bit nervous -- I do like to make sure a public-facing web server is hardened and running software that is fully patched, but there are several techniques attackers can use to find and take advantage of any holes in the server.

One of the problems that I saw disclosed today, CVE-2011-2688, involves a SQL injection attack against the mod_authnz_external module, an Apache authentication module.  It is worrisome that a well-known attack is successful on this security-critical component, which may be in use on many web servers.  Many other attacks, including parameter tampering,
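To show what a SQL injection in an authentication check looks like and what the fix is, here is an added example written for this post; it is not the mod_authnz_external code, does not reproduce the actual CVE-2011-2688 defect, and uses a constructed in-memory SQLite table with a hypothetical `users` schema. The vulnerable function builds the query by string formatting, so a username containing a quote changes the SQL; the fixed function passes the values as parameters, so they can never become SQL.

```python
import sqlite3


def build_db():
    """Constructed in-memory user table for the demonstration (not a real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def authenticate_vulnerable(conn, username, password):
    """Injectable: the caller-supplied strings are spliced into the SQL text.

    A username such as  alice' --  closes the string literal and comments out
    the password check, so the query succeeds without the password.
    """
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def authenticate_fixed(conn, username, password):
    """Hardened: placeholders keep the SQL fixed; values travel separately.

    Whatever characters the username contains, the database compares them as
    data against the column, so the quote-and-comment trick above is inert.
    """
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = build_db()
    for name, func in (("vulnerable", authenticate_vulnerable), ("fixed", authenticate_fixed)):
        print(name, "valid login:", func(db, "alice", "correct horse"))
        print(name, "quote in username, wrong password:", func(db, "alice' --", "wrong"))
```

The vulnerable version accepts the malformed username with the wrong password; the parameterized version rejects it. Storing passwords in clear text, as the constructed table does, is a separate problem not addressed here.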

Web servers and the web applications running under them are proving to be all too vulnerable.  With high-value data accessible in a web server, such as customer accounts at an online banking website, any exploitable vulnerability in the web server or web application can result in significant loss. As the events at PNNL illustrated, even a web server that may not be high-value can still be an entry point for an attacker into more valuable networks and systems.

It seems that web servers need backstops.  We need to be able to filter and/or monitor requests coming into a web server, and to filter and/or monitor data returned by a web server.  And, we need to be able to do this in the cloud with web servers that automatically scale.  Something to think about.
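The backstop described above, as an added example that is not part of the original post: a WSGI middleware that screens incoming query parameters against a few constructed injection signatures and audits outgoing response bodies for card-like numbers, logging both and blocking the former. The demo application, the request/response samples and the three regexes are all constructed for this illustration; a production backstop would use a maintained rule set rather than these patterns.

```python
import re
from urllib.parse import parse_qs

# Constructed, deliberately crude signatures for the demonstration only.
SQLI_PATTERNS = [
    re.compile(r"'\s*(?:or|and)\s+\S+\s*=", re.I),  # quote followed by a boolean clause
    re.compile(r"(?:--|/\*|;)\s*$"),                # trailing SQL comment or terminator
    re.compile(r"\bunion\b.*\bselect\b", re.I),     # union-based probe
]
# A 13-16 digit run with optional separators, as a stand-in for a card number.
CARD_PATTERN = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def inspect_request(query_string):
    """Return (param, pattern) pairs for query values matching a signature."""
    findings = []
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        for value in values:
            for pat in SQLI_PATTERNS:
                if pat.search(value):
                    findings.append((name, pat.pattern))
                    break
    return findings


def inspect_response(body_text):
    """Return how many card-like numbers appear in a response body."""
    return len(CARD_PATTERN.findall(body_text))


class Backstop:
    """WSGI middleware: filter inbound parameters, monitor outbound bodies."""

    def __init__(self, app, block=True):
        self.app = app
        self.block = block
        self.events = []  # audit log, kept in memory for the demo

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        findings = inspect_request(environ.get("QUERY_STRING", ""))
        if findings:
            self.events.append(("request", path, findings))
            if self.block:
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [b"request rejected by backstop\n"]
        captured = {}

        def capturing_start_response(status, headers, exc_info=None):
            captured["status"], captured["headers"] = status, headers
            return lambda data: None

        # Buffer the whole body so it can be inspected before it leaves.
        body = b"".join(self.app(environ, capturing_start_response))
        leaks = inspect_response(body.decode("utf-8", "replace"))
        if leaks:
            self.events.append(("response", path, leaks))
        start_response(captured["status"], captured["headers"])
        return [body]


def demo_app(environ, start_response):
    """Constructed application standing in for the web app behind the server."""
    user = parse_qs(environ.get("QUERY_STRING", "")).get("user", ["?"])[0]
    page = "Account for %s\n" % user
    if user == "bob":  # constructed account that exposes a stored card number
        page += "Card on file: 4111 1111 1111 1111\n"
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [page.encode("utf-8")]


def send(app, path, query):
    """Drive a WSGI app with a constructed environ; return (status, body)."""
    holder = {}

    def start_response(status, headers, exc_info=None):
        holder["status"] = status
        return lambda data: None

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query}
    body = b"".join(app(environ, start_response))
    return holder["status"], body.decode("utf-8")


def run_demo():
    """Send three constructed requests through the backstop; return results and log."""
    backstop = Backstop(demo_app)
    results = [
        send(backstop, "/account", "user=alice"),        # clean request
        send(backstop, "/account", "user=alice%27+--"),  # quote + comment in parameter
        send(backstop, "/account", "user=bob"),          # clean request, leaky response
    ]
    return results, backstop.events


if __name__ == "__main__":
    for (status, body), event in zip(*run_demo()):
        print(status, repr(body), event)
```

Because the middleware sits in front of the application rather than inside it, the same object can be attached to every instance of an auto-scaled server; the in-memory `events` list would be replaced by a central log sink in that setting.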
