Top 10 system security flaws that cyber hackers love
Recently, Vonahi Security, an automated network security penetration testing platform, released the 2024 "Major Findings in Penetration Testing Activities" report. Based on the research and analysis of nearly 10,000 automated network penetration testing activities organized by more than 1,000 companies, researchers summarized the top 10 security weaknesses that are most easily exploited in the current enterprise network system during penetration testing. Although these weaknesses are caused by different security vulnerabilities, they have many similarities. Configuration defects and insufficient patch management are still the main causes of many major threat risks.
1. mDNS spoofing
mDNS (multicast DNS) is a DNS name resolution protocol for small networks that does not require a local DNS server. It sends queries to the local subnet, allowing any system to respond with the requested IP address. Across a large number of penetration tests, it was found that attackers can easily exploit mDNS by forging responses that contain their own system's IP address.
Protection suggestions:
The most effective way to prevent mDNS spoofing is to disable mDNS if it is not being used, which can be achieved by disabling the Apple Bonjour or avahi-daemon services.
2. NBNS spoofing
NBNS (NetBIOS Name Service) is a protocol used to resolve DNS names in internal networks when the DNS server is unavailable. Queries are sent by network broadcast, and any system can respond with the requested IP address. Attackers often exploit NBNS by answering these queries with forged responses that contain their own system's IP address.
Protection suggestions:
The following strategies can prevent or reduce the impact of NBNS spoofing attacks:
- Set the UseDnsOnlyForNameResolutions registry value (a NetBIOS over TCP/IP configuration parameter) to DWORD 1 to prevent the system from using NBNS queries.
- Disable the NetBIOS service for all Windows hosts in the internal network. This can be done via DHCP options, network adapter settings, or registry keys.
3. LLMNR Spoofing
Starting with Windows Vista, the Windows operating system supports a newer name resolution protocol, LLMNR (Link-Local Multicast Name Resolution), which is mainly used for name resolution on the LAN. LLMNR supports both IPv4 and IPv6, and it is second only to DNS in the Windows name resolution order. LLMNR is also implemented in the Linux operating system. Penetration testing found that attackers can easily exploit LLMNR by sending forged responses that contain their own system's IP address.
Protection suggestions:
An effective way to prevent LLMNR spoofing is to configure the Multicast Name Resolution registry key to prevent the system from using LLMNR queries.
- Use Group Policy: Computer Configuration\Administrative Templates\Network\DNS Client\Turn off Multicast Name Resolution = Enabled (to manage a Windows 2003 DC, use the Windows 7 version of Remote Server Administration Tools).
- Use the registry key that is only available for Windows Vista/7/10 Home Edition: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast.
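The NBNS and LLMNR settings from sections 2 and 3 can be verified per host with a read-only audit. The script below is an added example, not part of the report; the function names are hypothetical, and the NetBT registry path, the NetbiosOptions values (0 = follow DHCP, 1 = enabled, 2 = disabled) and EnableMulticast = 0 as the "off" value are standard Windows behaviour rather than details taken from this page.

```powershell
# Added example: read-only audit of the name-resolution settings discussed above.
# Nothing is modified; run in an elevated PowerShell session on the host to check.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-NameResolutionHardening {
    $findings = @()

    # LLMNR: the policy value EnableMulticast = 0 turns LLMNR off.
    $llmnr = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
    $findings += [pscustomobject]@{
        Check = 'LLMNR disabled by policy'; Scope = 'Host'
        Value = $llmnr; Hardened = ($llmnr -eq 0)
    }

    # NBNS: UseDnsOnlyForNameResolutions = 1 stops NetBT name queries.
    $netbt   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
    $dnsOnly = Get-RegValue $netbt 'UseDnsOnlyForNameResolutions'
    $findings += [pscustomobject]@{
        Check = 'NetBT uses DNS only'; Scope = 'Host'
        Value = $dnsOnly; Hardened = ($dnsOnly -eq 1)
    }

    # NetBIOS over TCP/IP is set per adapter. A value of 0 defers to the
    # DHCP option, so only an explicit 2 is reported as hardened.
    $interfaces = Get-ChildItem -Path "$netbt\Interfaces" -ErrorAction SilentlyContinue
    foreach ($if in $interfaces) {
        $opt = Get-RegValue $if.PSPath 'NetbiosOptions'
        $findings += [pscustomobject]@{
            Check = 'NetBIOS over TCP/IP disabled'; Scope = $if.PSChildName
            Value = $opt; Hardened = ($opt -eq 2)
        }
    }
    $findings
}

# Show only the settings that still need attention.
Test-NameResolutionHardening | Where-Object { -not $_.Hardened } | Format-Table -AutoSize
```

A missing value shows up with an empty Value column and Hardened = False, which is the state of a host where the policy was never applied.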
4. IPv6 DNS Spoofing
IPv6 DNS spoofing occurs when an unauthorized DHCPv6 server is deployed on the network. Since Windows systems prefer IPv6 over IPv4, IPv6-enabled clients will use a DHCPv6 server if available. During the attack, IPv6 DNS servers are maliciously assigned to these clients while keeping their IPv4 configuration. This allows an attacker to intercept DNS requests by reconfiguring the clients to use the attacker's system as the DNS server.
Protection suggestions:
If IPv6 is not required for business, it should be disabled. Since disabling IPv6 may cause network service interruption, it is strongly recommended to test this configuration before large-scale deployment. If IPv6 is required, a DHCPv6 protection mechanism should be implemented on the network switches. This mechanism ensures that only DHCP servers on an authorized list are allowed to assign leases to clients.
5. Old Windows operating system
Old Windows operating systems do not receive maintenance and security updates from manufacturers, so the security vulnerabilities in them are easily exploited by attackers. In a large number of penetration tests, it was found that old Windows operating systems are easily targeted by attackers, who can exploit their weaknesses to attack other systems and resources in the network.
Protection suggestions:
Organizations should promptly review outdated Windows versions, take targeted protection measures, and, if possible, replace them with the latest operating system versions supported by the manufacturer as soon as possible.
6. IPMI Bypass Authentication
IPMI is the Intelligent Platform Management Interface. Users can use IPMI to monitor the physical characteristics of the server, such as temperature, voltage, fan working status, power supply, and chassis intrusion. A major feature of IPMI is that it is independent of the CPU, BIOS, and OS, so users can monitor the server as long as it has power, whether the server is turned on or off. However, attackers can bypass IPMI authentication and extract the password hash. When the password is a default or weak password, the attacker can recover the plaintext password and access the system remotely.
Protection suggestions:
Currently, there is no targeted patch for IPMI bypass authentication, and organizations are advised to perform one or more of the following actions.
- Limit IPMI access to a limited number of systems, those that must be accessed for management purposes.
- If the business does not require the IPMI service, you should disable the service immediately.
- Change the default administrator password to a strong, complex password.
- Configure the service to use only secure protocols, such as HTTPS and SSH, to limit the chances of an attacker obtaining your passwords in a man-in-the-middle attack.
7. Windows RCE (BlueKeep)
BlueKeep (CVE-2019-0708) is a high-risk security vulnerability discovered in 2019 that has widely affected millions of computer devices. However, in recent penetration testing activities, researchers found that many companies still have a large number of systems with the BlueKeep security flaw. Due to the lack of available tools and code, this Windows security flaw can cause serious damage to user systems, allowing attackers to fully control the affected system.
Protection suggestions:
Because this security flaw is frequently exploited and can lead to abuse, it should be fixed immediately. The fix is simple, and simply deploying a security update on the affected systems will effectively protect against this vulnerability. However, organizations should evaluate their existing patch management processes to find out why relevant security updates were missed.
8. Local Administrator Password Reuse
During an internal penetration test, researchers discovered that many systems shared the same local administrator password. If an attacker compromised a local administrator account, they could gain access to multiple systems, greatly increasing the risk of a widespread attack within the organization.
Protection suggestions:
Use a password management solution such as Microsoft LAPS (Local Administrator Password Solution) to ensure that local administrator passwords are not consistent across multiple systems and are updated on a regular basis.
9. Windows RCE (EternalBlue)
As with the BlueKeep security vulnerability, during the penetration test, researchers discovered a large number of systems vulnerable to the EternalBlue exploit, a vulnerability discovered in 2017 that was once very widespread and could allow attackers to take full control of the affected systems.
Protection suggestions:
Deployment of security updates on affected systems is sufficient. However, organizations should evaluate existing patch management programs to determine why security updates are not being applied in a timely manner.
10. Dell EMC iDRAC 7/8 CGI Injection
iDRAC is a piece of hardware located on the server motherboard that allows system administrators to update and manage Dell systems even when the server is turned off. iDRAC also provides a web interface and a command line interface that allow administrators to perform remote management tasks. Almost all current Dell servers have an iDRAC option. Penetration testers have discovered that Dell EMC iDRAC7/iDRAC8 versions prior to 2.52.52.52 are vulnerable to the CVE-2018-1207 command injection vulnerability. This allows an unauthenticated attacker to execute commands with root privileges, giving them full control over the iDRAC device.
Protection suggestions:
Update the firmware to the latest version as soon as possible.
Reference link: https://thehackernews.com/2024/06/top-10-critical-pentest-findings-2024.html