Full compromise of Websense Data Security via vulnerability chaining
Data Loss Prevention putting your data at risk?
Organizations are under increasing pressure of (government) regulations, including SOX, PCI, HIPAA, and others. The increasing number of (insider) data breaches is also a great concern. Data Loss Prevention (DLP) software can monitor web and mail traffic (in some cases even encrypted traffic) in order to prevent sensitive data from leaking.
DLP software is presented as a ‘silver bullet’ to protect organizations from reputational damage, regulatory fines, and data breaches. Given the nature of these products, one might expect that security is a top priority for DLP software vendors.
We conducted a series of security tests on Websense TRITON v7.8.3 and Websense V-Series v7.7. The results were shocking as we found security vulnerabilities in Websense’s core software components. These components lack basic security controls such as input validation, authorization, and data protection (encryption).
Last week, Bluecoat (another DLP vendor) hit the news concerning security problems found in their ProxySG (Secure Web Gateway) product. It appears that these security vendors don’t have a secure development life cycle process in place.
Demo: compromise of Websense Data Security
In the following video we'll show how Websense Data Security can be compromised by a remote attacker. We used the following attack scenario:
1) Attacker creates an email that triggers a DLP email Policy (keywords han and blueprints).
2) The email contains a Cross-Site Scripting payload that exploits a Command Injection vulnerability. The injected command will be executed with elevated privileges.
3) The injected command will add a user named HAXPO. In the video it is demonstrated that this user was successfully created by abusing the command injection vulnerability.
The Command Injection vulnerability allows a remote attacker to perform a wide range of attacks including starting a reverse shell. In most cases this allows an attacker to gain remote access to the Websense appliance as it is common that the appliance resides on the outer network perimeter.
Visit us at our booth for demo's, crypto puzzles and code review Spot the Bug challenges with great prizes. Details will be released soon! Securify HAXPO
Overview of findings
In total we disclosed 8 security vulnerabilities affecting Websense Data Security. 5 additional vulnerabilities were reported to Websense that are not yet disclosed. The disclosed issues are listed below:
- Command injection vulnerability in network diagnostics tool of Websense Appliance Manager
- Websense Data Security DLP incident Forensics Preview is vulnerable to Cross-Site Scripting
- Websense Email Security vulnerable to persistent Cross-Site Scripting in audit log details view
- Multiple Cross-Site Scripting vulnerabilities in Websense Reporting
- Cross-Site Scripting vulnerability in Websense Explorer report scheduler
- Cross-Site Scripting vulnerability in Websense Data Security block page
- Missing access control on Websense Explorer web folder
- Source code disclosure of Websense Triton JSP files via double quote character