Installation of Vendor's Patch Does Not Guarantee Security

Monday, March 26, 2012

Alexander Polyakov


Experts from ERPScan, a company specializing in business application security and SAP security, discovered that even the timely installation of a vendor's patch does not always guarantee security, because the fixes are not always correct.

In 2011, three critical patches from key software vendors such as SAP, IBM and VMware either did not fix or did not completely fix vulnerabilities that ERPScan or other researchers had found in their products.

This would allow potential attackers to continue exploiting the vulnerabilities, whereas most scanners and auditors would report the problem as resolved because the patch was installed.

At the BlackHat Europe conference held from March 14 to March 16, Alexey Sintsov, head of the information security audit department at ERPScan, shared his experience in penetration testing and presented the results of recently conducted research on Lotus Domino security.

His presentation talked about how companies often lack the time, and frequently the desire, to dig into the details of existing vulnerabilities in order to exploit them, and how this often impairs the quality of their work.

In the demonstration, an unknown vulnerability in Lotus Domino was analyzed quite quickly and the resulting exploit was used, demonstrating that the existing patch could be bypassed and a critical 0-day vulnerability found.

The result was an attack on the Domino Controller service (the Lotus Domino administration service) which allowed for a full server compromise. Vulnerable services that, one would suppose, should not be accessible from the Internet were also found exposed.

Moreover, in the course of the research, services with the 0-day vulnerability and even older vulnerabilities were found on US government servers (the .gov domain), on the servers of Russian universities and, curiously enough, even in the corporate network of IBM itself.

Thus, it can be concluded that penetration threats are quite easily realized against pretty much any network, and even government and corporate giants are vulnerable to attacks from the Internet, such as those made by LulzSec and Anonymous.

Links to the vulnerabilities can be found here:

  •   Vulnerability in IBM Lotus (ZDI)

Alexey’s Black Hat Conference presentation can be found here.
