Researchers have notified operators of the world's biggest tech platforms of critical vulnerabilities in their wares and found some were barely motivated to fix the flaws, putting their major customers like the Australian Attorney-General's Department, the US Air Force, Deloitte and Raytheon at risk of compromise.
The research done by penetration testers 'Cartel' and Denis Andzakovic of Auckland outfit Security-Assessment.com and presented at Kiwicon 7 offered a somewhat tongue-in-cheek hypothesis that the most vulnerable software was that most often plugged as 'enterprise'.
"Could self-identifying as enterprise be indicative of your software's code quality? Or lack thereof in this case," Andzakovic said.
"We decided to test this and distil it down into a formal hypothesis: the number of times a vendor site used the term enterprise is directly proportional to the severity of outstanding bugs in their kit," Cartel said.
"It's (enterprise software) synonymous with bloat and bugs and above all, it's really, really expensive."
They said users of affected software named in their presentation should update their software or consider dumping it if the respective vendor had not released a patch.
Kiwicon 7 podcast: Enterprise enterprise enterprise segfault
Cartel contacted Kaseya in August about a dangerous arbitrary file upload vulnerability he discovered in version 6.3 of its high end management platform offering that was designed for managing servers and workstations.
"This happens because of a bunch of validation fails the most important of which is checking if the user is actually logged in."
The zero-day vulnerability was scheduled for fix four days after the presentation.
One vendor was called out for its woeful response to critical bug reports. After several weeks of emails and "ridiculous questions" between the company and the researcher pair, it issued a terse statement claiming it did not discuss vulnerabilities with any "outside companies" as a "policy to protect customers".
"I can't confirm whether these vulnerabilities have been fixed yet -- they haven't put out new software since so I have to assume this is some more unpatched zero day," Andzakovic said.
"If you are running this software -- my condolences."
The researchers found remote code execution and a stack overflow on the agent software.
Vulnerabilities were also found in the Solarwinds server application monitor. The bugs, which were quickly patched, including broken authorisation and access controls allowed attackers to post to the webserver as a guest, and another cross site scripting bug that could be used to attack all users or just focused on administrators.
Andzakovic demonstrated the attack with the 'Clippy' social engineering attack he and colleague Nick Freeman created last year. It showed how Microsoft's fabled and infuriating animated character could be deployed to con administrators into applying malicious updates that would grant control of their machines.
Cartel for the second year running found critical bugs in NCentral, the enterprise platform used to manage large numberer of servers workstations.
Details of the bugs were redacted because the company claimed the earliest time it could issue a patch was "next year", Cartel said. It allowed attackers to upload payloads that would run as root on target machines.
More detailed zero day bugs were dropped -- with vendor permission -- for the SMS component of the Zenoss data centre management tool.
"We are going to trick an admin to set the pager command to something that will give us a shell, Andzakovic said. "We could wait for a machine to go down for a trigger to happen [but] we're going to trigger the test paging command and then get a shell."
Another dangerous arbitrary file upload bug was found in Desktop Central by ManageEngine. The vendor patched the bug last week after being informed of the flaw in August by Cartel.
Nagios XI, billed as the world's most powerful infrastructure monitoring tool, was praised for its quick response to the researchers bug reports. It had replied to reports within an hour and had a new patched version of the product available two days later.
It had two vulnerabilities, the worst being a SQL injection Core Configuration Manager login form that could be used to execute arbitrary queries.
