Should we hate WebDAV for security reasons?
Yes, says eEye Digital Security, which today focuses a wrathful gaze on WebDAV (short for "Web-based Distributed Authoring and Versioning", the IETF protocol that allows computers to edit and manage files collaboratively on remote web-based machines). "WebDAV is bad," says eEye CTO Marc Maiffret, summing up the findings in the research report the security firm put forward today that argues no matter where it’s used, WebDAV is so bad for security, companies should make every effort to turn it off.
Maiffret says he hopes the report will spur constructive debate about not only WebDAV, but the possibilities of using software configuration and filtering as a security defense. The report argues that software configuration management is a critical but often overlooked security defense against hackers trying to exploit software vulnerabilities.
"A significant number of Microsoft software vulnerabilities fixed in 2010 could have been proactively mitigated by applying two simple configuration changes," states the report. "The two mitigations are the blocking of WebDAV connections and the disabling of Office file converters. Combined, these two mitigators would have prevented approximately 12 percent of all vulnerabilities patched by Microsoft in 2010 from easy exploitation."
The report explains WebDAV as the HTTP-based protocol predominantly used for collaboration. "WebDAV can be used internally at an organisation for document management, editing, etc - it can also be used for activities such as content publishing, where an organisation's marketing department, for example, is empowered to make website updates themselves."
But eEye argues that WebDAV has become too useful to hackers. "Due to the high number of exploits that require a distribution method such as WebDAV to work, the eEye Research Team recommends that measures are put in place to disable WebDAV."
The report adds that though WebDAV has been around for quite a while, and the abuse of it by hackers has been known, the stakes rose last August when a vulnerability called "DLL Hijacking" became widely discussed.
"Attackers can store a malicious version of a DLL file in the WebDAV share however, and upon convincing the user to open a perfectly harmless and legitimate file, execute code under the context of that user," the report points out. "Because of the nature of that vulnerability, it could not be patched by Microsoft without breaking a multitude of third-party applications in the process. It was up to third-party developers to patch their software individually."
It would be "guesswork" to try and come up with "every possible DLL Hijacking scenario within all third-party applications", the report notes. "Because of this fact, we would like to underscore the importance of disabling WebDAV, not only for Microsoft software vulnerabilities, but also third-party applications."
Another finding by security researchers last year contributed to eEye's admonition. The report notes that researcher Tavis Ormandy in April 2010 released information about a vulnerability in the Java Development Toolkit involving insufficient parameter validation, which allowed an attacker to run arbitrary commands under the context of the logged-in user.
"Shortly after, a Metasploit Module was released to exploit this vulnerability. One of the conditions for this module was that the user had the WebClient (WebDAV) service enabled," the report points out. Metasploit is a publicly available vulnerability-testing tool that can be used by legitimate IT administrators or by attackers to find network weaknesses.
eEye recommends restricting WebDAV functionality by using the Microsoft group-policy object (GPO) system to manage and enforce policy settings across the organisation. Another means would be filtering out WebDAV communication at the network perimeter using an intrusion-prevention system (IPS). But if WebDAV is blocked at the perimeter, eEye advises to "only block the traffic after determining that it is not required by any internal systems". Maiffret says the recommendation to disable WebDAV when possible applies not just to Microsoft-based systems but wherever else it's used. "Google also uses WebDAV," says Maiffret. He adds that he invites debate over these ideas, citing a dialogue in the eEye online forums.
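The report's caveat is to block WebDAV at the perimeter only after confirming no internal system needs it. The following is an added example (not code from eEye or the report) of that pre-block inventory: it scans constructed proxy/IPS log lines for WebDAV requests, identified by the RFC 4918 DAV-only methods or by the User-Agent of the Windows WebClient service, and shows which internal clients use WebDAV and whether their traffic stays inside the assumed corporate domain `corp.example`.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# WebDAV-specific request methods from RFC 4918 (OPTIONS and GET are shared with plain HTTP).
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
# User-Agent prefix sent by the Windows WebClient service (the WebDAV "Mini-Redirector").
WEBCLIENT_UA = "Microsoft-WebDAV-MiniRedir"

# Constructed sample proxy/IPS log lines: client IP, method, URL, quoted user-agent.
SAMPLE_LOG = """\
10.0.1.15 PROPFIND http://docs.corp.example/marketing/ "Microsoft-WebDAV-MiniRedir/6.1.7601"
10.0.1.15 GET http://docs.corp.example/marketing/brochure.docx "Microsoft-WebDAV-MiniRedir/6.1.7601"
10.0.1.15 MKCOL http://docs.corp.example/marketing/2011/ "Microsoft-WebDAV-MiniRedir/6.1.7601"
10.0.2.40 GET http://intranet.corp.example/ "Mozilla/5.0"
10.0.2.40 OPTIONS http://intranet.corp.example/ "Mozilla/5.0"
10.0.3.77 OPTIONS http://203.0.113.9/share/ "Microsoft-WebDAV-MiniRedir/6.1.7601"
10.0.3.77 PROPFIND http://203.0.113.9/share/ "Microsoft-WebDAV-MiniRedir/6.1.7601"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')


def is_webdav(method, user_agent):
    """A request is WebDAV if it uses a DAV-only method or comes from the WebClient service."""
    return method in WEBDAV_METHODS or user_agent.startswith(WEBCLIENT_UA)


def webdav_inventory(log_text):
    """Return {client_ip: {destination_host: request_count}} for WebDAV requests only."""
    inventory = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip malformed lines rather than guessing at them
        client, method, url, user_agent = match.groups()
        if is_webdav(method, user_agent):
            inventory[client][urlsplit(url).hostname] += 1
    return {client: dict(hosts) for client, hosts in inventory.items()}


def webdav_outside_domain(inventory, internal_suffix):
    """Clients whose WebDAV traffic leaves the internal domain: these are the flows a
    perimeter block would stop; everything else is internal use that must be kept working."""
    return {
        client: [host for host in hosts if not host.endswith(internal_suffix)]
        for client, hosts in inventory.items()
        if any(not host.endswith(internal_suffix) for host in hosts)
    }
```

Run `webdav_inventory(SAMPLE_LOG)` on real proxy exports to see every WebDAV client before deciding on a block; `webdav_outside_domain(...)` then isolates the traffic that only a perimeter rule would affect.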
Another suggestion in the report is to turn off the Microsoft NTVDM subsystem, the Windows component that emulates 16-bit functionality for legacy software; it is not used unless someone wants to run DOS programs on newer versions of Windows, which few are likely to do. Two vulnerabilities discovered in 2010 and patched by Microsoft, MS10-015 and MS10-098, could have been mitigated just by disabling the NTVDM subsystem, the eEye report argues.
In addition, the report makes other assertions about security. It makes the argument that there's a huge security gain in updating to the latest Microsoft software, "but it must be stressed, that while they are specifically fixing weaknesses in newer software versions, they are not going back and fixing vulnerabilities in older (yet still supported) platforms". The report also advocates using a proxy server.
"Organisations should require that all network traffic, not just for specific applications, be routed through an authenticated proxy server before being sent out to the open Internet." Why? Because, according to eEye, "routing all traffic through a proxy server adds one additional step for attackers to take when attempting to communicate back from within the network itself. A fair amount of malware is not equipped to be proxy aware".
"This means that after installation, when it attempts to perform a 'connect back' to the infecting host, the connection will drop before ever leaving the network."
eEye says this proxy server approach, which does not seem to be widely used today, "would make detecting infections much easier" though it "would inevitably lead to false positives". Though the approach wouldn't prevent the infection from spreading inside the network, eEye says it would "prevent an attacker from gaining knowledge that a successful infection was ever performed" and prevent "siphoning data from the network".
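As an added illustration (not from the eEye report) of how the proxy-only egress rule turns blocked "connect back" attempts into a detection signal, the code below encodes the policy "internal hosts reach the Internet only through the proxy" and then counts denied direct web connections per host in constructed firewall log lines. The network layout (10.0.0.0/8 internal, proxy at 10.0.0.5) and the log format are assumptions; the minimum-attempt threshold is one way to trim the false positives the report itself expects.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed network layout (constructed for this example, not from the report).
INTERNAL = ip_network("10.0.0.0/8")
PROXY = ip_address("10.0.0.5")   # the only host permitted to reach the Internet directly
WEB_PORTS = {80, 443, 8080}       # ports a non-proxy-aware connect-back typically targets

# Constructed perimeter-firewall log lines: action, source, destination, destination port.
SAMPLE_FW_LOG = """\
ALLOW 10.0.0.5 198.51.100.20 443
DENY 10.0.4.12 203.0.113.50 443
DENY 10.0.4.12 203.0.113.50 443
DENY 10.0.4.12 203.0.113.51 80
ALLOW 10.0.4.12 10.0.0.5 8080
DENY 10.0.7.3 198.51.100.90 443
DENY 10.0.4.99 192.0.2.10 25
"""


def egress_allowed(src, dst):
    """The report's rule: only the authenticated proxy may talk to the Internet directly."""
    src, dst = ip_address(src), ip_address(dst)
    if dst in INTERNAL:
        return True          # internal-to-internal traffic is outside this rule
    return src == PROXY


def direct_egress_attempts(log_text, min_attempts=2):
    """Count denied direct web connections per internal host; hosts at or above
    min_attempts are candidates for an infection that tried to connect back."""
    attempts = Counter()
    for line in log_text.splitlines():
        action, src, dst, dport = line.split()
        if action != "DENY" or int(dport) not in WEB_PORTS:
            continue         # only direct web egress is evidence for this rule
        if ip_address(src) in INTERNAL and not egress_allowed(src, dst):
            attempts[src] += 1
    return {host: n for host, n in attempts.items() if n >= min_attempts}
```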
In another topic related to configuration, the report says all internal traffic between individual hosts and the network should be encrypted at all times, including traffic travelling in and between VLANs. "An attacker would not be able to plug a malicious machine into the physical network and sniff traffic, nor would they be able to connect to the network's file shares."
The report argues that using these various configuration deployments would have gone a long way toward preventing two of the most talked-about attacks of 2010: the Aurora attack on Google, believed to have originated in China, and the Stuxnet malware attack, which targeted industrial control systems and which many speculated was a cyber-attack against Iran.