Swascan Offensive Security Team has identified at least 2 Critical vulnerabilities on what was believed to be Xerox ’s digital assets passively identified by using the Domain Threat Intelligence
(DTI) tool.
DTI – Domain Threat Intelligence – is service from Swascan’s Cyber Security Testing Cloud Suite. The service does not perform any security tests on the target and only operates on information available on the web or dark web (Osint and Closint).
In line with the industry standard procedure of Responsible Vulnerability Disclosure the findings were reported immediately to Xerox that proceeded to begin its investigation and then remediate and close all possible vulnerabilities.
Technical Details
As explained, during some passive security checks (using Swascan’s own DTI) on some well-known internet domains, Swascan’s Cyber Security Research Team detected some important vulnerabilities on two selected IP’s.
Strongly based on pure intelligence Data, the Domain Threat Intelligence provides useful information and indicators to implement better cyber defence strategies and improve the resilience of your company perimeter.
The Threat Intelligence gathering activity is carried out through a process of research, individuation and selection of all the publicly available information relating to the domain, subdomain and compromised email of the interested party. All this information is gathered through a completely passive analysis.
An Example of a DTI output
In this case, Swascan through the DTI was able to detect 3 targets with two main vulnerabilities:
- User enumeration;
- RDP Network Level Authentication not configured
As soon as those anomalies were detected Swascan proceeded to inform the Xerox PSIRT through the industry standard Responsible vulnerability disclosure process.
Included were all the proof as concepts of possible exploits, a list of vulnerable addresses and all the recommended remediation activities.
In particular the two detected vulnerabilities were of the following categories:
- CWE-203: User Enumeration: The web application responds to some HTTP requests differently depending on whether the specified user exists or does not exist in the local credential store. A potential attacker could then make subsequent requests to enumerate valid users and perform attacks;
- CWE-287: RDP Network Level Authentication not configured: An incorrect configuration was detected in authentication to Remote Desktop services. Network-level authentication (NLA) is not used to access the server, allowing an at-tack to open an RDP session.
Swascan recommended to Xerox the upgrade of the exposed services and to Implement an effective account lockout policy so that the system will block potential attackers IPs if too many failed login attempts are made.
On their part, the Xerox PSIRT quickly followed through on the suggestions and the information provided by Swascan, showing once again the importance and the value of collaborations between Cyber Security companies and IT/Service providers.
Through Xerox’s own investigation it was found that both the hosts are not owned/managed by Xerox and they were a result of past or current business association with a third-party organization. They have been remediated appropriately and no longer associated with Xerox. All items presented are currently fixed.
Pierguido Iezzi, CEO of Swascan, added: “This a textbook example of how third-party risks are one of the most insidious part of a modern Cyber Security Framework. Managing the extended perimeter is key for an efficient and resillience perimeter”.
As a closing note Xerox thanked Swascan for bringing these items to their attention.
“Your efforts and dedication to responsible disclosure are appreciated”.
