Using Netenrich to fix open port misconfigurations


In computer networking, a port is a communication endpoint that allows your systems to communicate over the internet. Every IP address exposes two kinds of ports, TCP and UDP. Any internet service requires a certain number of ports to be open in order to function. However, unattended open ports invite a plethora of attacks and exploits that you simply can’t afford.

Dangers of open port misconfigurations

Security best practices advise that ports be left open strictly on a need-to-use basis. Ideally, your IT team should have full knowledge of every open port so that each one can be continuously monitored. In reality, your team may lose track of the open ports across your infrastructure.

Open ports can be perfect entry points for gaining a foothold on your server. A simple port scan of a target server may tell attackers all they need to know about:

  • Open ports within the system
  • Services and applications running through these ports

Let’s look at some of the attacks you can attract via unmonitored open ports. After that, we will see how Netenrich’s ASI acts as an always-on open port check tool.

Initiating malware attacks 

Attackers use a list of “trojan ports” to compromise your systems and create a backdoor. These can be ports used by ordinary business applications, such as web servers.

Exploiting services and applications on open ports

The more applications and services that communicate over the Internet through open ports, the higher the risk that a vulnerability gets exploited. Applications and services may carry a host of bugs and vulnerabilities, and a bug in any one of them can lead to Remote Code Execution (RCE) and a compromised server.

Inviting RCE attacks through forgotten applications and services 

Applications and services running on open ports require constant updates to stay free of vulnerabilities. Unfortunately, people tend to install these applications and then completely forget about them.

As ports run unattended in the background, the services behind them become more and more exposed to attack. One of the most dangerous of these attacks is RCE, which can occur through misconfigurations in services such as Redis, Kibana, and Jenkins.

  • Redis: Unsecured Redis instances in the cloud can be abused to perform RCE attacks. Malicious files can turn Redis instances into cryptocurrency mining bots whose “wormlike” spreading capability infects other vulnerable instances. The truly scary part is that Redis instances without Transport Layer Security (TLS) encryption, password protection, or both expose over 200 commands to attackers once they gain access to the environment. Currently, Redis does not have authentication enabled by default. And even if the user sets a password, it must be strong enough to resist brute-force attacks.
  • Kibana: Kibana is an open-source data visualization plugin and part of the “ELK Stack”, the popular Elastic Stack. GitHub currently hosts an exploit kit capable of triggering a vulnerability in Kibana that lets attackers send a JavaScript code execution command and conduct RCE attacks. This critical flaw is tracked as CVE-2019-7609 and has been assigned a CVSS base score of 10.00, the highest score on the vulnerability rating scale.
  • Jenkins: Jenkins has a known remote code execution vulnerability labeled CVE-2019-1003000. Jenkins has a Pipeline feature that is implemented in Groovy. This is how the exploit works: the user issues an unauthenticated GET request that supplies Groovy meta-programming input. A savvy attacker can use the @Grab annotation to invoke Grape, Groovy’s built-in JAR dependency management tool, and have it download a JAR and run it.

Causing downtime by running denial of service (DoS) attacks

While some programs and services have built-in protection that withstands potential DoS attacks, others do not. One issue is that employees may use applications and services without going through IT. This can allow attackers to mount a successful denial of service attack against a web server without even targeting port 80.

DDoS amplification must also be considered here. Attackers use amplification or reflection attacks to turn your infrastructure into a weapon against others. As you can imagine, such an attack can have devastating effects on your brand’s reputation.

The two most popular kinds of amplification attacks are:

  • NTP amplification: The Network Time Protocol (NTP) is the standard protocol for time synchronization in the IT industry. NTP is widely used by servers, mobile devices, endpoints, and network devices, irrespective of their vendor. NTP servers use port 123 to talk to each other and to NTP clients. In an NTP amplification attack, the attacker sends specially crafted requests to an NTP server (such as one owned by your company) so that the server’s large number of replies are directed at the target, flooding it.
  • DNS amplification: DNS amplification is a type of reflection attack that abuses publicly accessible Domain Name System (DNS) servers to flood a target with a large number of UDP packets. An attacker can theoretically exploit a weakness in your DNS servers to turn initially small queries into much larger payloads and bring down a target’s servers.
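Reflection of the kind described above shows up on the reflecting server as replies far larger than the requests that triggered them. The following added example (not code from the original page or from Netenrich) computes a per-client response-to-request byte ratio over constructed flow records; the flow format, the addresses and the ratio threshold are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed flow records, as a collector on the reflecting server might export them:
# (client_ip, service_port, request_bytes, response_bytes). 198.51.100.9 plays the
# spoofed victim address that replies are being reflected to; the 192.0.2.x
# clients are ordinary NTP and DNS users. All values are made up for this example.
FLOWS = [
    ("198.51.100.9", 123, 90, 44000),
    ("198.51.100.9", 123, 90, 44000),
    ("198.51.100.9", 123, 90, 44000),
    ("192.0.2.20", 123, 90, 90),
    ("198.51.100.9", 53, 60, 3300),
    ("198.51.100.9", 53, 60, 3300),
    ("192.0.2.21", 53, 60, 120),
]

def amplification_report(flows, min_ratio=10.0, min_requests=2):
    """Aggregate request/response bytes per (client, service port) and flag pairs
    whose replies outweigh their requests by at least min_ratio. The thresholds
    are assumptions for this example, not a published standard."""
    totals = defaultdict(lambda: [0, 0, 0])  # [request_bytes, response_bytes, count]
    for client, port, req_bytes, resp_bytes in flows:
        t = totals[(client, port)]
        t[0] += req_bytes
        t[1] += resp_bytes
        t[2] += 1
    flagged = {}
    for key, (req, resp, count) in totals.items():
        ratio = resp / req if req else float("inf")
        if count >= min_requests and ratio >= min_ratio:
            flagged[key] = round(ratio, 1)
    return flagged

if __name__ == "__main__":
    for (client, port), ratio in amplification_report(FLOWS).items():
        print(f"{client} via UDP/{port}: replies {ratio}x larger than requests")
```

A flagged (client, port) pair means your server is answering that address with replies many times larger than what it asked for, which is the signature of being used as a reflector.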

How Netenrich fixes open port issues

Let’s look at how Netenrich organically resolves every single one of these issues.

Malware

Netenrich ASI detects the presence of malware and backdoors via banner grabbing. Banner grabbing lets us obtain the banner information (name and version) of the different pieces of software involved.

Examples of legitimate services and ports that can be identified using banner grabbing are HyperText Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP) on ports 80, 21, and 25 respectively. DarkComet, NetBus, njRAT, and XtremeRAT are examples of remote access trojans (RATs) that we identify using the same technique.

Services and Applications

Our platform grabs the name and version of software through banner grabbing and converts it to a Common Platform Enumeration (CPE) identifier. Netenrich then sifts through the National Vulnerability Database (NVD) and compares against Common Vulnerabilities and Exposures (CVE) feeds. When a match occurs, Netenrich immediately sends a threat report featuring the relevant context.

For example, ASI may detect that you are running Exim version 4.92. We can then flag threats and let you know whether you are vulnerable to remote code execution (RCE) attacks. Speaking of which . . .
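The banner-to-CPE-to-CVE pipeline described above, as an added illustration rather than Netenrich’s own code: the banner patterns, the CPE mapping, the CVE feed (placeholder ids and made-up version ranges, not real advisories) and the sample banners are all constructed for this example.

```python
import re
# Banner patterns -> (vendor, product) used to build the CPE. Constructed for this example.
BANNER_PATTERNS = [
    (re.compile(r"\bExim (\d+(?:\.\d+)+)"), ("exim", "exim")),
    (re.compile(r"redis_version:(\d+(?:\.\d+)+)"), ("redislabs", "redis")),
    (re.compile(r"\bOpenSSH[_ ](\d+(?:\.\d+)+)"), ("openbsd", "openssh")),
]

# Constructed CVE feed with placeholder ids (not real advisories):
# (vendor, product, first_affected, fixed_in, cve_id); affected when first_affected <= v < fixed_in.
CVE_FEED = [
    ("exim", "exim", "4.87", "4.92.1", "CVE-0000-EXAMPLE1"),
    ("redislabs", "redis", "4.0", "5.0.5", "CVE-0000-EXAMPLE2"),
]

def version_key(v):
    """Turn '4.92.1' into (4, 92, 1) so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in v.split("."))

def banner_to_cpe(banner):
    """Map a grabbed banner to a CPE 2.3 application string, or None if unrecognised."""
    for pattern, (vendor, product) in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return f"cpe:2.3:a:{vendor}:{product}:{m.group(1)}:*:*:*:*:*:*:*"
    return None

def match_cves(cpe, feed=CVE_FEED):
    """Return ids of feed entries whose vendor/product match the CPE and whose range covers its version."""
    _, _, _, vendor, product, version = cpe.split(":")[:6]
    ver = version_key(version)
    return [cve_id for v, p, lo, hi, cve_id in feed
            if v == vendor and p == product and version_key(lo) <= ver < version_key(hi)]

def assess(banners):
    """banners: {(host, port): banner}. Returns one finding per recognised service for a threat report."""
    findings = []
    for (host, port), banner in banners.items():
        cpe = banner_to_cpe(banner)
        if cpe is not None:
            findings.append({"host": host, "port": port, "cpe": cpe, "cves": match_cves(cpe)})
    return findings

# Constructed banners as a scanner might grab them (documentation-range addresses).
SAMPLE_BANNERS = {
    ("203.0.113.10", 25): "220 mail.example.com ESMTP Exim 4.92 Tue, 01 Jan 2019 00:00:00 +0000",
    ("203.0.113.10", 6379): "# Server\r\nredis_version:5.0.3\r\nredis_mode:standalone",
    ("203.0.113.11", 22): "SSH-2.0-OpenSSH_8.2",
}
```

Calling assess(SAMPLE_BANNERS) yields a finding per recognised banner; the OpenSSH host is identified but matches no feed entry, which is the "known software, no known CVE" outcome a real report must also distinguish from "unrecognised banner".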

RCE Attacks

Netenrich’s ASI regularly investigates your attack surface to discover vulnerabilities in unmonitored services and applications. Our cross-platform analysts bring decades of experience working with a variety of clients and dealing with security vulnerabilities. They examine the critical threats detected by our platform and provide their own recommendations on how to remediate the issues.

Empower your organization to plug security gaps faster than the speed of bad.

DoS Attacks

ASI consistently goes through every nook and cranny of your overall attack surface. ASI instantly flags and prevents potential DDoS attacks to preserve brand reputation and network security.
