Top 3 Vulnerabilites in System Pentests

2. October 2024

During their penetration tests (pentests), our security analysts at usd HeroLab repeatedly uncover vulnerabilities that pose significant risks to corporate security. They increasingly encounter the same vulnerabilities. Our blog series "Top 3 Vulnerabilities" presents them and provides tips on how to avoid them - for #moresecurity across all IT assets.

Today we look at the three most common security-critical vulnerabilities that our analysts have identified in System Pentests in recent years.

Why System Pentests?

One of the most important elements of corporate security is the security of all IT system components. This enables you to protect your company against ransomware attacks, as potential vulnerabilities in your IT systems are a common entry point. If attackers potentially gain a foothold in the company network through vulnerabilities in the internal IT system, they are able to spread further within the system.

In this way, sensitive data is regularly stolen or manipulated and other users in the network are targeted. The loss of confidentiality, integrity and availability of information are frequent consequences of a successful attack and can harm your company. Our system pentests are an effective security measure to comprehensively check your IT systems for these and other vulnerabilities.

Standard Login Credentials

In many companies and organizations, a potential security vulnerability is delivered with the software: After software services are installed, the default login credentials assigned by the vendor are often not changed, even when a change is strongly recommended. This lack of change creates significant risks. Attackers can easily gain access to systems by using login credentials that are often publicly known.
But how can the attackers access the login credentials? Standard login credentials, which are often used when installing software in companies, are widely used. Many software providers issue a user name and password for this purpose. The problem with this is that in most cases this data can be found in publicly accessible documentation or online forums. Even an attacker with limited technical skills can exploit this information to quickly and easily gain unauthorized access to critical systems in your company. The potential impact of such an attack ranges from data loss to system outages to full-scale security breaches that can cause significant financial and reputational damage.

Security tip: To minimize the risks related to default login credentials, you should take the following concrete measures in your company:

  1. Change default login credentials: After installing any software, a change to default usernames and passwords should be made immediately.
  2. Implement password policies: Specific requirements should be set for the strength and complexity of passwords to ensure that they are not easily guessed.
  3. Regular training: Your employees should be regularly trained on the risks of default credentials and password management best practices.
  4. Monitoring and auditing: Access to systems should be continuously monitored and audits should be conducted to ensure that no default credentials are in use.

Java RMI Vulnerabilites

The Java Remote Method Invocation (RMI) protocol is often used to implement distributed computing with multiple systems. This enables a client to execute a method of a Java object on a remote server. A list of all available methods of a server is kept in a registry, which is requested by the client. This provides all the necessary information for the client to call the actual method on the server.

None of this is a problem in itself. However, over the long time that the Java RMI protocol has been in existence, new vulnerabilities have regularly become known, some of which can be easily exploited. For example, data processed by the server can be incorrectly evaluated. In these so-called deserialization attacks, an attacker can execute arbitrary code. If certain methods (e.g. action(), execute(), system()) are not further secured, these can also be used directly to execute arbitrary code.
Most known vulnerabilities can be identified directly with special scanners, such as the Remote Method Guesser (further information can be found here).

Security tip: Due to the large number of possible vulnerabilities in the Java RMI protocol, the following measures are recommended:

  1. Compliance with current best practices: All data coming from the client/user should be classified as untrustworthy and should be validated accordingly in advance, for example to avoid being susceptible to deserialization attacks. Furthermore, all potential errors in processing (exceptions) should also be properly intercepted.
  2. Update Java: The Java Enhancement Proposal 290 (JEP290) protects against some attacks. Corresponding patches have been provided for all major Java implementations, so that deserialization attacks against current Java RMI endpoints should not be possible.

Outdated Software

Once the required software has been installed, practice shows that it is unfortunately often no longer actively maintained by the responsible IT department. Security patches are either not applied at all or are applied too slowly. Similar to the previously mentioned vulnerability with regard to the standard login information, attackers who are not technically experienced can quickly search public sources for known vulnerabilities for the software version used. Attackers can often infiltrate malware through these vulnerabilities, launch ransomware attacks or even bring entire systems to their knees.
Ie National Vulnerability Database (NVD), Exploit-DB or the GitHub Security Advisory Database. To enable a simple search across all sources, our colleague Dustin Born has developed the search_vulns tool (https://www.usd.de/search-vulns-schwachstellensuche-leicht-gemacht/), which is made available to the community free of charge. You can try it out directly at the following link: https://search-vulns.com/

In general, known vulnerabilities in systems and their versions are maintained in large databases, such as the National Vulnerability Database (NVD), Exploit-DB oder die GitHub Security Advisory Database. To enable a simple search across all sources, our colleague Dustin Born has developed the search_vulns tool, which is made available to the community free of charge. You can try it out directly at the following link: https://search-vulns.com/

Security tip: The potential damage caused by using outdated software is promptly very high. However, countermeasures can often be implemented quickly and inexpensively. The following activities should therefore be actively implemented on an ongoing basis:

  1. Regular updates: All software applications and services should be updated regularly. Security updates should be installed immediately.
  2. Patch management: For a large number of applications and services, a (semi-)automatic patch management system is recommended.
  3. Automated scans: A major advantage of automated vulnerability scans is the fast and cost-effective identification of outdated software, including potential vulnerabilities. These should be carried out on a weekly or monthly basis on all internal and external assets in order to be able to react quickly if necessary.


It is important to note that there may be many other vulnerabilities in addition to those mentioned. As every IT system is different, new threats can also arise. A system pentest can provide clarity and help you to effectively protect the data of your company, your customers and your employees.

Would you like to comprehensively examine your IT systems and identify potential gateways for attackers? Contact us, we will be happy to help you.

Also interesting:

DORA Countdown: One Month Left Until the Deadline

DORA Countdown: One Month Left Until the Deadline

DORA, the Digital Operational Resilience Act, will fully apply as of 17 January 2025. We have summarized everything you need to know about the EU regulation, preparation and best practices from our news blog.

Sunset of PCI DSS v4.0 on 31 December 2024: Get Ready!

Sunset of PCI DSS v4.0 on 31 December 2024: Get Ready!

PCI DSS v4.0: In March 2024, version 4.0 of the Payment Card Industry Data Security Standard became mandatory after a two-year transition phase. Just a few months later, version 4.0.1 was released as a minor update of the standard, which will become mandatory on...

Top 3 Vulnerabilities in SSO Pentests

Top 3 Vulnerabilities in SSO Pentests

During their penetration tests (pentests), our security analysts at usd HeroLab repeatedly uncover vulnerabilities that pose significant risks to corporate security. They increasingly encounter the same vulnerabilities. Our blog series "Top 3 Vulnerabilities" presents...

Categories

Categories