Web-Based Admin Consoles: The Critical, Overlooked Security Exposure You Must Address

August 10, 2021


In the last decade of technology progression, we’ve seen a lot of impressive enhancements and improvements to various aspects of IT operations. Critical services and technologies have become easier to implement, simpler to use, and more efficient to maintain over time.

Sounds amazing, right? Well, of course! But with this ease of implementation, use, and maintenance comes a possible dark side. The dark side I’m talking about here concerns the technology behind many services’ and tools’ administrative consoles: they are web services. And sadly, these web consoles are rife with many of the same web application security issues that have plagued us for years.

This is not a new problem. Web-based admin consoles have been in use for a long time, and for a vast array of technology areas, including security platform access, development, web services, application deployment, content development, and much more. Examples of critical web application admin interface vulnerabilities include the following:

  • JBoss JMX Console Access Vulnerability: Originally recorded as CVE-2007-1036, this vulnerability allows remote attackers to bypass authentication and gain administrative access via direct requests.
  • A Ruby on Rails web console authentication bypass flaw (CVE-2015-3224) permitted an unauthenticated attacker to access the console and potentially see or modify sensitive information about applications.
  • In May 2021, it was announced that the Cisco HyperFlex web management console permitted an unauthenticated, remote attacker to perform a command injection attack that provided root access and allowed them to execute arbitrary commands on an affected device. Two CVEs were issued (CVE-2021-1497 and CVE-2021-1498).

A wide variety of these vulnerabilities exist in the wild, and most involve important applications that increasingly rely on web-based console access for administrative activities. WordPress, for example, has seen a slew of vulnerabilities and attacks targeting the admin console, ranging from authentication bypass attacks to web shell uploads.
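The authentication-bypass examples above share a root cause: the console only checks for a login on the routes someone remembered to protect, so a direct request to any other administrative route is served. The following is an added example, not code from the original post or from any of the products it names, showing a minimal request router with the weak allow-list policy beside a deny-by-default policy. All routes, session tokens and requests are constructed for the example.

```python
"""Added example: enforcing authentication deny-by-default on an admin console.

route_weak() protects only an explicit list of admin URLs, so an admin URL
that was never added to the list is served without a login check.
route_hardened() requires a valid session for every request under the admin
prefix, regardless of HTTP method, unless the path is explicitly anonymous.
All route names, session tokens and requests below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed session store: token -> username. A real console would back
# this with server-side sessions tied to the authentication system.
VALID_SESSIONS: Dict[str, str] = {"sess-abc123": "admin"}


@dataclass
class Request:
    method: str
    path: str
    session: Optional[str] = None


def _handler(name: str) -> Callable[[Request], str]:
    """Build a stand-in handler that just reports which page was served."""
    return lambda req: f"200 {name}"


# Constructed admin console routes.
ROUTES: Dict[str, Callable[[Request], str]] = {
    "/admin/login": _handler("login page"),
    "/admin/dashboard": _handler("dashboard"),
    "/admin/users": _handler("user management"),
    "/admin/deploy": _handler("deploy application"),
}


def route_weak(req: Request) -> str:
    """Allow-list style: only the listed paths require a session.

    '/admin/deploy' was never added to the protected set, so a direct
    request to it is served to an unauthenticated client.
    """
    protected = {"/admin/dashboard", "/admin/users"}
    if req.path in protected and req.session not in VALID_SESSIONS:
        return "302 redirect to /admin/login"
    handler = ROUTES.get(req.path)
    return handler(req) if handler else "404 not found"


def route_hardened(req: Request) -> str:
    """Deny-by-default: everything under the admin prefix needs a valid
    session except the explicitly anonymous login page. Unknown paths under
    /admin also require a session, so they cannot be used to discover
    unlisted handlers, and the path is normalised before matching.
    """
    anonymous = {"/admin/login"}
    path = req.path.rstrip("/") or "/"
    if path.startswith("/admin") and path not in anonymous:
        if req.session not in VALID_SESSIONS:
            return "302 redirect to /admin/login"
    handler = ROUTES.get(path)
    return handler(req) if handler else "404 not found"


if __name__ == "__main__":
    direct = Request("POST", "/admin/deploy")  # no session at all
    print("weak    :", route_weak(direct))      # served without a login
    print("hardened:", route_hardened(direct))  # redirected to login
```

The design point is that the authentication check lives in one place and keys on the URL prefix, so adding a new admin page cannot silently create an unauthenticated route; the allow-list of anonymous pages is the only thing that needs review.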

In addition to actual vulnerabilities, many web-based admin consoles are poorly configured and open to trivial attacks, like brute force password guessing. Code Spaces, a code hosting and sharing service hosted on Amazon, was breached by an attacker in June 2014. The attacker broke in by guessing the credentials for the company's management login page, and then demanded a ransom. When Code Spaces refused to pay (and tried to delete the attacker's account), the hacker retaliated by deleting everything Code Spaces had.
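Password guessing against a console login page is noisy, and a console that keeps an access log gives defenders what they need to spot it. The following is an added example, not part of the original post, that runs a sliding-window failed-login detector over constructed console log lines and escalates when a source that tripped the threshold later logs in successfully. The log format, addresses, usernames and threshold are all assumptions made for the example.

```python
"""Added example: detecting brute-force password guessing against a web
admin console from its access log.

Assumed (constructed) log format, one event per line:
    <ISO-8601 UTC timestamp> <client ip> <username> <LOGIN_OK|LOGIN_FAIL>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, Tuple

# Constructed sample: 203.0.113.7 cycles through usernames and eventually
# succeeds; 198.51.100.22 is a legitimate user who mistypes twice.
SAMPLE_LOG = """\
2021-08-10T09:00:01Z 203.0.113.7 admin LOGIN_FAIL
2021-08-10T09:00:02Z 203.0.113.7 root LOGIN_FAIL
2021-08-10T09:00:03Z 198.51.100.22 alice LOGIN_FAIL
2021-08-10T09:00:04Z 203.0.113.7 administrator LOGIN_FAIL
2021-08-10T09:00:05Z 203.0.113.7 deploy LOGIN_FAIL
2021-08-10T09:00:06Z 198.51.100.22 alice LOGIN_FAIL
2021-08-10T09:00:07Z 203.0.113.7 admin LOGIN_FAIL
2021-08-10T09:00:09Z 198.51.100.22 alice LOGIN_OK
2021-08-10T09:00:10Z 203.0.113.7 jenkins LOGIN_FAIL
2021-08-10T09:00:12Z 203.0.113.7 deploy LOGIN_OK
2021-08-10T09:05:00Z 192.0.2.50 bob LOGIN_FAIL
"""

THRESHOLD = 5                 # failures from one source within WINDOW
WINDOW = timedelta(minutes=1)


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    """Split one constructed log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip, user, result


def detect_bruteforce(log_text: str, threshold: int = THRESHOLD,
                      window: timedelta = WINDOW) -> Dict[str, dict]:
    """Return {ip: alert} for every source whose failed logins within the
    sliding window reach the threshold. An alert records when it tripped,
    the distinct usernames tried, and any later successful login."""
    fails: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: Dict[str, dict] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, ip, user, result = parse_line(line)
        recent = fails[ip]
        # Expire failures that fell out of the window.
        while recent and when - recent[0][0] > window:
            recent.popleft()
        if result == "LOGIN_FAIL":
            recent.append((when, user))
            if len(recent) >= threshold and ip not in alerts:
                alerts[ip] = {
                    "first_tripped": when,
                    "failures": len(recent),
                    "usernames": sorted({u for _, u in recent}),
                    "success_after": None,
                }
        elif result == "LOGIN_OK" and ip in alerts:
            # A success from a source already flagged for guessing is the
            # case that needs an immediate response, not just a lockout.
            if alerts[ip]["success_after"] is None:
                alerts[ip]["success_after"] = (when, user)
    return alerts


def severity(alert: dict) -> str:
    """'critical' if the guessing source later logged in, else 'high'."""
    return "critical" if alert["success_after"] else "high"


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {severity(alert)} - {alert['failures']} failures, "
              f"tried {alert['usernames']}, success_after={alert['success_after']}")
```

A per-source window with a username list distinguishes a user fumbling their own password from a source walking through account names, and the "success after threshold" escalation is the event that should page someone rather than just add the address to a block list.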

As we move toward more converged technology platforms and cloud services, this problem gets even more concerning. The majority of admin consoles are now web consoles, and these are under attack at all times by sophisticated attackers. In fact, the 2021 Verizon Data Breach Investigations Report (DBIR) highlighted that, for the very first time, more breaches occurred in cloud-based environments than in on-premises environments. According to the report, this was largely due to web-based consoles and assets being exposed and poorly configured.

In the security community, we must focus on web-based consoles more than ever, particularly those that grant access to critical assets and services like cloud data centers and similar platforms. Fortunately, there are newer, better ways to provision access to highly sensitive web consoles today, and enterprises need to include this important use case in privileged access management planning.

For a deeper dive on this topic, check out my on-demand webinar: The Rise of Web-based Admin Consoles...and Why That's Terrifying.



Dave Shackleford, Cybersecurity Expert and Founder of Voodoo Security

Dave Shackleford is the owner and principal consultant of Voodoo Security and a SANS analyst, senior instructor, and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst, and manager for several Fortune 500 companies.
