API Security Weekly: Issue #65
In this article, we look into some recent API vulnerabilities, such as those in the Siemens plant operation control system, D-Link routers, and Cisco network management.
This week, we look into the recent API vulnerabilities in the Siemens plant operation control system, D-Link routers, and Cisco network management. In addition, OWASP has formally released their first-ever Top 10 list for API security.
Vulnerability: Siemens SPPA-T3000
The application server of the Siemens plant operation control system SPPA-T3000 had API vulnerabilities. The AdminService API was accessible without authentication as long as you had network access to it and knew how to craft requests for it.
The vulnerabilities could allow an attacker to execute arbitrary code on the server, perform a Denial-of-Service (DoS) attack on the server communications, or even access sensitive information and user passwords.
This is an example of OWASP API2:2019 — Broken authentication.
Siemens has published a detailed report on all the discovered vulnerabilities as well as how to mitigate them. They have also highlighted that all vulnerabilities require network access to specific components that, if the system has been set up correctly as they recommend, should not be accessible.
API security needs to be set up in layers. These days, when the network edge is becoming increasingly challenging to control, you can no longer rely on the internal network not being accessible to attackers. Rogue actors can be company insiders or can find a way to get onto the network. API authentication and authorization need to protect API functions for these scenarios.
Vulnerability: D-Link DIR-859
Miguel Mendez Z. and Pablo Pollanco have found a vulnerability in the UPnP API of D-Link DIR-859 routers. This vulnerability allows attackers to inject malicious code for the router to execute.
This is an example of OWASP API8:2019 — Injection.
In their detailed post, Mendez and Pollanco demonstrate how this allowed them to get and maintain access to the router. They also helpfully list all the affected router models and when fixes should be available.
To prevent such attacks, always strictly define the payloads and parameters that your APIs expect (schemas, regular expressions for strings, and so on) and enforce them.
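As an added example (not from the article, nor from D-Link's firmware), here is what "strictly define and enforce" looks like for a hypothetical router port-mapping API: an allowlist schema with exact types, numeric ranges and fully anchored regular expressions, where unknown fields are refused rather than ignored. All field names and values are constructed for illustration.

```python
import re

# Constructed allowlist schema for a hypothetical router "port mapping" API action:
# every field is named, typed, bounded and, for strings, matched in full by a regex.
SCHEMA = {
    "action": {"type": str, "max_len": 32, "pattern": r"AddPortMapping|DeletePortMapping"},
    "protocol": {"type": str, "max_len": 3, "pattern": r"TCP|UDP"},
    "ext_port": {"type": int, "min": 1, "max": 65535},
    "int_port": {"type": int, "min": 1, "max": 65535},
    "int_client": {"type": str, "max_len": 15, "pattern": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}"},
    "description": {"type": str, "max_len": 64, "pattern": r"[A-Za-z0-9 _-]*"},
}

class ValidationError(ValueError):
    """Raised when a request does not match SCHEMA exactly."""

def validate(payload):
    """Return a cleaned copy of payload if it matches SCHEMA, else raise ValidationError."""
    unknown = set(payload) - set(SCHEMA)
    if unknown:  # fields the API did not ask for are refused, not silently ignored
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    clean = {}
    for name, rule in SCHEMA.items():
        if name not in payload:
            raise ValidationError(f"missing field: {name}")
        value = payload[name]
        # Exact type match; 'type(...) is' also rejects bool where int is expected.
        if type(value) is not rule["type"]:
            raise ValidationError(f"{name}: expected {rule['type'].__name__}")
        if rule["type"] is str:
            # fullmatch anchors the pattern, so nothing appended to a valid prefix slips through.
            if len(value) > rule["max_len"] or not re.fullmatch(rule["pattern"], value):
                raise ValidationError(f"{name}: not an allowed value")
        elif not rule["min"] <= value <= rule["max"]:
            raise ValidationError(f"{name}: out of range")
        clean[name] = value
    return clean

def is_valid(payload):
    try:
        validate(payload)
        return True
    except ValidationError:
        return False

# Constructed sample request (not captured traffic).
GOOD_REQUEST = {"action": "AddPortMapping", "protocol": "TCP", "ext_port": 8080,
                "int_port": 80, "int_client": "192.168.0.10", "description": "web cam"}
```

Only the values that survive `validate()` should ever reach the code that builds the router command; a request with a stray metacharacter, an out-of-range port or an extra field is rejected before it gets there.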
Vulnerability: Cisco Data Center Network Manager
Steven Seeley has found more than 120 vulnerabilities in Cisco Data Center Network Manager (DCNM) and its APIs. Among these were also three critical issues with a CVSS score of 9.8, more or less as bad as it gets.
For example, a static key shared between installations was used for encryption, allowing attackers to forge access tokens and perform admin calls.
In addition, the web-based management interface had hard-coded credentials.
It cannot be stressed too much: never, ever use hard-coded credentials.
Static keys for token encryption and signing are a bad idea as well: if your access tokens can be forged, they are not really protecting the APIs and instead just give you a false sense of security.
Reports: OWASP API Security Top 10 2019 Officially Released
On the very last day of the year, 31 December 2019, Erez Yalon of the OWASP API Security Top 10 team announced the general availability of the report.
The OWASP API Security Top 10 document is a PDF that explains each vulnerability along with its frequency, severity, typical root causes, as well as recommendations for mitigation.
The final list of OWASP API Security Top 10 2019 is:
- API1:2019 — Broken object level authorization
- API2:2019 — Broken authentication
- API3:2019 — Excessive data exposure
- API4:2019 — Lack of resources and rate limiting
- API5:2019 — Broken function level authorization
- API6:2019 — Mass assignment
- API7:2019 — Security misconfiguration
- API8:2019 — Injection
- API9:2019 — Improper assets management
- API10:2019 — Insufficient logging and monitoring
You can subscribe to this newsletter at APIsecurity.io.
Published at DZone with permission of Dmitry Sotnikov, DZone MVB.