Hacking Appliances: Ironic exploits in security products presented at SOURCEDublin 2013

by Ben ,

Tags: Security

Summary : It is tempting to think of security appliances as somehow fortified; i.e. specially secured and hardened, or that these devices have undergone comprehensive security testing as part of a Secure Development Lifecycle. My research shows that this is mostly not the case, and rather basic and easily identified vulnerabilities were discovered in almost all security appliances I have tested.
This presentation discusses common vulnerabilities Found across various security appliances. I will show some interesting attack vectors where external attackers can exploit vulnerabilities in appliances to gain control over gateways, firewalls, email and web-filters, VPN solutions and access the internal network.
• I will discuss various exploits I have found for popular security appliance products from trusted vendors (I will have time to discuss 5 or 6 different products).
• There will be demonstrations of the exploits
• We will see common vulnerabilities, which affected multiple products
• I will explain scenarios in which these attacks can be performed, sometimes by external attackers with a minimum of effort
• I will discuss some mitigations