Are Partial Vulnerability Disclosures a NetGain or NetLoss?

In late November 2017, a member of our research team at Risk Based Security decided to perform an audit of an IT monitoring solution, NetGain Enterprise Manager, provided by Singapore-based NetGain Systems. The company describes itself as a “pioneer in the IT monitoring and protection business” and has more than 500 customers, primarily in Asia and Australia. According to the vendor’s website, customers include major organizations like MetLife, IBM, Toyota, AIG, China Mobile, Panasonic, Standard Chartered, and TDK.

When researching the product in our VulnDB vulnerability intelligence solution, we found that when we began the audit only three vulnerabilities had ever been disclosed for it – all in early or mid 2017. However, we also noticed that the Zero Day Initiative had 23 upcoming vulnerability reports (these have now all been published) for an unnamed product from this vendor. Based on the vendor’s solutions listed on their website, it seemed very likely that these outstanding issues would also be for NetGain Enterprise Manager.

ZDI Sniping – Are Partial Disclosures A Problem?

While we have historically been fans of ZDI’s upcoming advisories list, a small part of this security audit became a test to see if it might be problematic when programs like ZDI do these types of partial disclosures ahead of time.

It should be noted that the pre-disclosure information is limited to the vulnerability researcher’s identity, the vendor, a CVSSv2 score and vector string, and the fact that the product and vulnerability impact is interesting enough for ZDI to pay for it. Here is an example snapshot from the ZDI website on March 23, 2018 for upcoming advisories in Advantech and Cisco products.

While the information published is still very limited, could even this level of detail – at least in certain cases – be adequate to allow third parties to discover the same vulnerabilities?

We’d be surprised if ZDI didn’t already consider this when creating their upcoming vulnerability reports page. We also believe that it is highly unlikely for there to be sufficient information for a third party to rediscover the issues on their own, if the vulnerabilities are in a product from a major vendor with a lot of products. This is most likely also true for vendors with only a few products that have very large codebases. The information may give a few pointers at best, but it could potentially be everything needed when it comes to smaller vendors like NetGain with only one or a few products of limited size.

Many researchers do have specific expertise and a comfort zone when it comes to finding particular vulnerability types. This makes it easier for third parties to narrow down what to look for. Therefore, the question is raised: Is it possible for someone to engage in a bit of “ZDI sniping” to uncover vulnerabilities ahead of ZDI disclosures? If so, it would provide a window of opportunity for malicious third parties to (re)discover new vulnerabilities and even exploit these ahead of vendor fixes and ZDI’s public disclosure.

In this case, looking for various path traversal vulnerabilities in NetGain Enterprise Manager was at the top of our list based on the credited researcher. We quickly found one that indeed matched one of the issues eventually published by ZDI. Around the time we contacted the vendor on November 30, 2017 to disclose our initial findings, an updated version was released, followed shortly after by the ZDI disclosures on December 13, 2017. We had discovered 14 vulnerabilities at that point. Three of them were indeed the same as the ones coordinated by ZDI. Furthermore, 13 out of the 23 vulnerabilities reported via ZDI were path traversal vulnerabilities, as suspected.

A proper conclusion would require broader and more in-depth testing across numerous products. However, we could at least confirm that in the case of NetGain, we had everything we needed to rediscover some of the same vulnerabilities, even if we didn’t have as much time to spend on it as hoped due to the vendor releasing a new version followed by ZDI’s disclosures shortly after starting our audit.

Incomplete Fixes And More Unpatched Vulnerabilities

After the new NetGain Systems Enterprise Manager version was released, we shifted our focus to testing that version. We decided to first check whether the vulnerabilities we had already discovered that matched the ZDI disclosures were properly fixed. Two out of the three were not fixed. The third issue could not be reproduced in the latest version, as the affected functionality was removed from the interface. The initial results were not promising and raised serious concerns about the vendor’s ability to properly deal with security issues, as the vulnerabilities were pretty basic: one path traversal and one command injection. The remaining vulnerabilities that we discovered included local privilege escalation, XSS, CSRF, information disclosure, and unauthenticated, remote access to a sensitive API. These issues were also not fixed.
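The page does not describe how the vendor attempted to fix the path traversal issue mentioned above and in the section on ZDI sniping, so the following is an added, hypothetical example rather than the product’s code or our findings against it. It shows the kind of regression check we run when verifying a path traversal fix: an incomplete patch that strips `../` once is compared with a proper fix that canonicalizes the joined path and refuses anything outside the document root. `BASE_DIR` and the request paths are constructed for illustration.

```python
"""Added example: distinguishing an incomplete path-traversal fix from a
proper one. Hypothetical code, not taken from the page or from the product
it discusses; BASE_DIR and the payloads are constructed for illustration."""
import posixpath

BASE_DIR = "/opt/app/static"   # constructed document root, hypothetical


def naive_fix(user_path: str) -> str:
    """Incomplete fix: strip '../' once and join. This is the shape a patch
    takes when it targets the reported payload rather than the root cause."""
    cleaned = user_path.replace("../", "")
    return posixpath.join(BASE_DIR, cleaned)


def proper_fix(user_path: str):
    """Join, canonicalise, then verify the result is still under BASE_DIR.
    Returns the safe absolute path, or None if the request escapes.
    Note: normpath does not resolve symlinks; on a live filesystem use
    os.path.realpath on both sides of the comparison instead."""
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, user_path.lstrip("/")))
    if candidate != BASE_DIR and not candidate.startswith(BASE_DIR + "/"):
        return None
    return candidate


def escapes_root(path: str) -> bool:
    """True if the normalised path lands outside BASE_DIR."""
    norm = posixpath.normpath(path)
    return not (norm == BASE_DIR or norm.startswith(BASE_DIR + "/"))


# Constructed request paths: one plain traversal both fixes catch, two
# bypasses of the naive fix, and one legitimate request that must keep working.
PAYLOADS = [
    "../../etc/passwd",          # plain traversal: the naive fix strips it
    "....//....//etc/passwd",    # stripping '../' once leaves '../../'
    "/etc/passwd",               # posixpath.join discards BASE_DIR on absolute input
    "reports/2018.csv",          # legitimate file
]


def evaluate(fix) -> dict:
    """Map each payload to True if the given fix still lets it escape BASE_DIR."""
    results = {}
    for p in PAYLOADS:
        out = fix(p)
        results[p] = False if out is None else escapes_root(out)
    return results


if __name__ == "__main__":
    for name, fix in (("naive", naive_fix), ("proper", proper_fix)):
        print(name, evaluate(fix))
```

Running it shows the naive fix still escaping on the nested-dots and absolute-path inputs while the canonicalizing check rejects both and leaves the legitimate request untouched; the same harness, fed the original reported payload plus its variants, is what tells you whether a vendor’s update is a real fix or a filter for one string.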

While NetGain did send us an acknowledgement of having received our vulnerability report, we never heard from them again when following up about the insufficient fixes or asking for status updates. Having reached the initially set deadline of 90 days and considering the lack of communication from the vendor, we pushed alerts to our VulnDB clients on March 1st, 2018. We published a report with details on the remaining vulnerabilities on March 22nd, 2018.

Again, it should be noted that all these vulnerabilities are currently unpatched. The vendor failed to address them in a timely manner and was not responsive. For several reasons, including poor communication, failure to address the vulnerabilities in a timely manner, the number and types of vulnerabilities discovered in the product, and failure to properly fix some vulnerabilities, we are not impressed with this vendor’s security processes and product incident response.

“We found this product to be riddled with many basic vulnerabilities, and it has an incredibly low code maturity. It is clear that the vendor does not have a proper secure development lifecycle in place,” comments Carsten Eiram, Chief Research Officer of Risk Based Security. “Considering the significant number of vulnerabilities that my research team member, Sven Krewitt, discovered, and that these are still unpatched, anyone using this product should be extremely careful. Even if the vendor fixes these, we cannot rule out that many other vulnerabilities still exist, as our audit was in no way exhaustive. We do not take this lightly, but advise any organizations using this product to consider it highly insecure and ensure that it is only accessible within a fully trusted network segment to reduce risk.”

Regretfully, vendors with limited product security understanding and poor incident response processes are something we encounter more frequently when finding vulnerabilities in products from Asian vendors compared to vendors in the EU and USA. When installing products in your IT infrastructure, we always recommend not only checking up on the product’s capabilities, but also its security code maturity.

When looking at NetGain Systems Enterprise Manager’s Code Maturity Rating in VulnDB, we see that it is very poor.

Furthermore, we recommend organizations assess how well a given vendor deals with vulnerability disclosures in their own products. This includes checking if they have a security page and a published way for researchers to coordinate vulnerabilities with them as well as their response times, which is also captured by VulnDB with our VTEM metrics.

If you’re installing a product and unsure of its security state and the vendor’s security awareness, a vulnerability intelligence solution like VulnDB can help answer many of your questions.