Over the last decade we've seen impressive improvements across many aspects of IT operations. Critical services and technologies have become easier to implement, simpler to use, and cheaper to maintain over time.
Sounds amazing, right? Well, of course! But with this ease of implementation, use, and maintenance comes a possible dark side. The dark side I'm talking about here concerns the technology behind many services' and tools' administrative consoles: they are web applications. And sadly, these web consoles are rife with the same web application security issues that have plagued us for years.
This is not a new problem. Web-based admin consoles have been in use for a long time, and for a vast array of technology areas, including security platform access, development, web services, application deployment, content development, and much more. Examples of critical web application admin interface vulnerabilities include the following:
- JBoss JMX Console Access Vulnerability: Originally recorded as CVE-2007-1036, this vulnerability allowed remote attackers to bypass authentication on the JMX console and gain administrative access to the application server via direct requests.
- A Ruby on Rails web-console access bypass (CVE-2015-3224) let an unauthenticated remote attacker reach a console that was supposed to be restricted to allow-listed IP addresses, by supplying a crafted X-Forwarded-For header, and then view or modify sensitive application state.
- In May 2021, Cisco disclosed that the HyperFlex HX web-based management interface allowed an unauthenticated, remote attacker to perform command injection and execute arbitrary commands on an affected device, in one case as root. Two CVEs were issued (CVE-2021-1497 and CVE-2021-1498).
A wide variety of these vulnerabilities exist in the wild, and most involve important applications that increasingly rely on web-based console access for administrative activities. WordPress, for example, has seen a slew of vulnerabilities and attacks targeting the admin console, ranging from authentication bypass attacks to web shell uploads.
In addition to actual vulnerabilities, many web-based admin consoles are poorly configured and open to trivial attacks, like brute-force password guessing. Code Spaces, a code hosting and sharing service running on AWS, was breached in June 2014. The attacker got into the company's Amazon management console by guessing the login credentials, and then demanded a ransom. When Code Spaces refused to pay (and tried to delete the attacker's account), the attacker retaliated by deleting nearly everything Code Spaces had, backups included, and the company shut down shortly afterward.
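The password-guessing attack above leaves a very recognizable trail in ordinary web server access logs: a burst of failed POSTs to a login endpoint from one source address. The following is an added example (not the author's code, and not from any product mentioned in this post) that scans Combined Log Format lines and flags sources that exceed a failed-login threshold inside a sliding time window. The log lines are constructed for the demonstration; the list of admin login paths, the "failed" status codes, and the threshold and window values are assumptions you would tune for your own environment.

```python
"""Flag password-guessing against web admin consoles from access logs.

Added illustrative example for this post, not the author's code.
Assumptions (tune these): the admin login paths, the status codes that
mean "login did not succeed", and the threshold/window values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed admin-console login paths worth watching; extend for your stack.
ADMIN_LOGIN_PATHS = ("/wp-login.php", "/jmx-console/", "/admin/login", "/console/login")

# Assumption: a successful WordPress login redirects (302) to wp-admin, so a
# POST to the login form that re-renders the page (200) is a failure, as are
# 401/403 from consoles that use HTTP auth or an access-control layer.
FAILED_STATUSES = {"200", "401", "403"}

# Combined Log Format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one address hammers /wp-login.php, one legitimate
# user fails once then succeeds, one curl probe hits the JMX console slowly.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.5 - - [12/Mar/2024:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2024:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.5 - - [12/Mar/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2024:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2024:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.5 - - [12/Mar/2024:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.77 - - [12/Mar/2024:10:05:00 +0000] "POST /jmx-console/ HTTP/1.1" 401 0 "-" "curl/8.0"
192.0.2.77 - - [12/Mar/2024:10:09:00 +0000] "POST /jmx-console/ HTTP/1.1" 401 0 "-" "curl/8.0"
this line is not in combined log format and is skipped
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_failed_admin_login(rec):
    """True for a POST to a watched login path that did not succeed."""
    return (
        rec["method"] == "POST"
        and rec["path"].startswith(ADMIN_LOGIN_PATHS)
        and rec["status"] in FAILED_STATUSES
    )


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: (peak_failures_in_window, path)} for every source that
    reaches `threshold` failed admin logins within `window_seconds`."""
    windows = defaultdict(deque)   # ip -> timestamps of recent failures
    offenders = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_admin_login(rec):
            continue
        q = windows[rec["ip"]]
        q.append(rec["time"])
        # Drop failures that fell out of the sliding window.
        while (q[-1] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peak = max(len(q), offenders.get(rec["ip"], (0, ""))[0])
            offenders[rec["ip"]] = (peak, rec["path"])
    return offenders


if __name__ == "__main__":
    for ip, (count, path) in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"brute force suspected: {ip} -> {count} failed logins to {path}")
```

Running it on the sample flags only 203.0.113.10 (six failures in eleven seconds); the user who failed once and then got a 302, and the slow JMX probe with two 401s four minutes apart, stay below the threshold. The status-code heuristic is the weak point: the application's own authentication log is a better signal where one exists, and attackers who spread guesses across many source addresses (password spraying) need the same logic keyed on the target account rather than the source IP.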
As we move toward more converged technology platforms and cloud services, this problem gets even more concerning. The majority of admin consoles are now web consoles, and they are under constant attack. In fact, the 2021 Verizon Data Breach Investigations Report (DBIR) found that, for the first time, more breaches involved cloud-based assets than on-premises ones. According to the report, this was largely due to web-based consoles and assets being exposed and poorly configured.
In the security community, we must focus on web-based consoles more than ever, particularly those that grant access to critical assets and services like cloud data centers and similar platforms. Fortunately, there are newer, better ways to provision access to highly sensitive web consoles today, and enterprises need to include this important use case in privileged access management planning.
For a deeper dive on this topic, check out my on-demand webinar: The Rise of Web-based Admin Consoles...and Why That's Terrifying.
Dave Shackleford, Cybersecurity Expert and Founder of Voodoo Security
Dave Shackleford is the owner and principal consultant of Voodoo Security and a SANS analyst, senior instructor, and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst, and manager for several Fortune 500 companies.