A05:2021 – Security misconfiguration

Celia Catalán

Introduction

Vulnerability description

Continuing this series of posts on the OWASP Top Ten, this post discusses A05:2021 - Security Misconfiguration (in Spanish, incorrect cybersecurity configuration).

This category covers security settings that are missing or incorrectly implemented. It manifests in many ways, from default or insecure settings to the unnecessary exposure of sensitive information or services left enabled that are not needed.

It occurs when an application or server is not configured correctly, allowing an attacker to exploit that weakness to access sensitive data, elevate privileges, and gain control of the application.

Impact

This vulnerability can have devastating consequences for an organization. 

By exploiting an insecure configuration, attackers can gain access to sensitive information, elevate application privileges, or even use compromised resources to carry out attacks on third parties.

The impact of this vulnerability can be reflected in the following points:

  • Exposure of sensitive information: When a system is not properly configured, it can allow an adversary to access sensitive data, such as user credentials, personal information, or trade secrets.
  • System control: In some cases, misconfiguration gives attackers the ability to take complete control of the system, allowing them to modify or destroy data or use system resources to carry out other attacks.
  • Compromise of system availability: An adversary can take advantage of incorrect configuration to launch denial of service (DoS) attacks that disrupt normal operation of the application or server, which can impact availability of services for legitimate users.
  • Using the system as an attack platform: Systems compromised through poor security configuration can be used by attackers as platforms from which to launch attacks on other systems, which greatly expands the reach of the damage.

Practical examples

Credential exposure in application source code and escalation of privileges

One of the most common examples of this vulnerability is an application deployed with default configurations, with passwords left in the application code from the development stage, or with user permissions broader than necessary.

To demonstrate this, the Zerolynx web lab is accessed with an unprivileged user, user1 in this case.

After logging in, the user's panel is displayed, with access only to that user's items (none have been created in this case).

Inspecting the page source shows that, due to poor security configuration, a comment from the development stage containing administrator credentials was never removed:

If these credentials are now used, the web application can be accessed as a user with Administrator privileges, as shown in the following images.
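One defensive check for the leftover-comment problem shown above, added here as an illustration and not code from the lab or the original post: a small Python scanner that extracts every HTML comment from a page and flags those mentioning credential-related words. The page fragment and the credential in it are constructed.

```python
import re
from html.parser import HTMLParser

# Constructed page fragment standing in for the lab's login page (not the lab's real markup).
SAMPLE_HTML = """
<html><body>
<!-- TODO remove before prod: admin login is admin / example-password -->
<form action="/login" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<!-- layout tweak pending -->
</body></html>
"""

# Words that make a leftover comment worth a human look (heuristic, not exhaustive).
_SENSITIVE = re.compile(
    r"\b(password|passwd|pwd|credential|login|admin|api[_-]?key|token|secret)\b",
    re.IGNORECASE,
)


class CommentCollector(HTMLParser):
    """Collect every HTML comment together with the line it starts on."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        line, _ = self.getpos()
        self.comments.append((line, data.strip()))


def find_sensitive_comments(html: str) -> list[tuple[int, str]]:
    """Return (line, comment) pairs whose text mentions credential-related words.

    Every hit is a candidate for removal before deployment; because the
    regex is a heuristic, the output still needs human review."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return [(ln, text) for ln, text in parser.comments if _SENSITIVE.search(text)]


if __name__ == "__main__":
    for line, text in find_sensitive_comments(SAMPLE_HTML):
        print(f"line {line}: {text}")
```

Run over the rendered pages of a build (or the templates that produce them) as a pre-deployment gate, so comments like the one in the lab never reach production.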

Exposure of the application file structure

If the system displays detailed error messages or default configuration files, it may reveal valuable internal information such as software versions or file paths. Knowing the versions in use allows an attacker to look up and exploit existing public vulnerabilities that affect them.

Browsing directly to the IP address of the server hosting the laboratory used for this demonstration shows the default Apache page, a result of misconfiguration.

If the path /ZVulnLabs/ is accessed, the incorrectly configured server lists every file because it is vulnerable to Directory Listing, which reveals the directory structure and the files that make up the application:

If the /ZVulnLabs/uploads/ folder is accessed, the files uploaded to the web application can be read directly, and the Apache server version is disclosed as well.
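The two Apache symptoms above, directory listing and a version banner in the listing footer, can be caught before deployment by auditing the server configuration. The following Python audit is an added example, not code from the lab or the post; it compares a weak fragment with a hardened one, and both fragments and the directory path are constructed.

```python
import re

# Constructed Apache fragments modelled on the symptoms described above (not the lab's real config).
WEAK_CONF = """
ServerTokens Full
ServerSignature On
<Directory /var/www/html/ZVulnLabs>
    Options Indexes FollowSymLinks
</Directory>
"""

HARDENED_CONF = """
ServerTokens Prod
ServerSignature Off
<Directory /var/www/html/ZVulnLabs>
    Options -Indexes +FollowSymLinks
</Directory>
"""

_DIR_OPEN = re.compile(r"^<Directory\s+([^>]+)>", re.IGNORECASE)
_OPTIONS = re.compile(r"^Options\s+(.*)$", re.IGNORECASE)


def audit_apache_config(conf: str) -> list[str]:
    """Return findings for directory-listing and version-banner misconfigurations."""
    findings = []
    tokens, signature, scope = None, None, "(global)"
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # ignore comments and indentation
        if not line:
            continue
        if m := _DIR_OPEN.match(line):
            scope = m.group(1).strip()                # track which <Directory> we are in
        elif line.lower().startswith("</directory"):
            scope = "(global)"
        elif m := _OPTIONS.match(line):
            for opt in m.group(1).split():
                # 'Indexes' or '+Indexes' enables listing; '-Indexes' disables it.
                if opt.lstrip("+").lower() == "indexes":
                    findings.append(f"{scope}: directory listing enabled via 'Options {opt}'")
        else:
            parts = line.split(None, 1)
            key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
            if key == "servertokens":
                tokens = value
            elif key == "serversignature":
                signature = value
    if (tokens or "").lower() != "prod":
        findings.append(f"ServerTokens is {tokens or 'unset (defaults to Full)'}; use 'ServerTokens Prod'")
    if (signature or "").lower() != "off":
        findings.append(f"ServerSignature is {signature or 'unset'}; use 'ServerSignature Off'")
    return findings
```

`ServerTokens Prod` and `ServerSignature Off` hide the version string from headers and listing footers; disabling `Indexes` stops the listing itself, which is the setting that exposed the uploads folder here.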

Compromised availability due to vulnerable software

Failing to keep applications updated is also a configuration failure: it lets an attacker make use of vulnerabilities whose exploits have already been published, which makes compromising the application easier.

With that in mind, searching for vulnerabilities affecting the disclosed version, Apache/2.4.57 (Debian), confirms that this version has associated public vulnerabilities, such as CVE-2023-43622:

This vulnerability allows an attacker to open an HTTP connection with a window size of zero, which can be used to cause a Denial of Service (DoS). A public exploit also exists, so for an attacker wanting to compromise the availability of the web service, exploiting this vulnerability would be trivial.

Mitigations

As mitigations for this vulnerability, OWASP recommends the following:
  • A repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down. The development, QA, and production environments must be configured identically, using different credentials in each.
  • A minimal platform without unnecessary features, components, documentation and samples.
  • A review and update of the configurations appropriate to all security notes, updates, and patches as part of the patch management process.
  • The use of a segmented application architecture that provides effective and secure separation between application components.
  • Correct implementation of Security Headers.
  • Implementation of automatic processes before deploying to production that ensure the effectiveness of the measures adopted.

Conclusions

The Security Misconfiguration vulnerability continues to be one of the main causes of security breaches in applications and systems. The inherent complexity of modern technology infrastructures makes misconfiguration a common, but preventable, problem. 

By implementing secure installation processes, automating hardening, maintaining a minimal platform, and implementing proper patch and update management, organizations can significantly reduce their exposure to this vulnerability.

Justo Martín, Cybersecurity Analyst at Zerolynx.