Cambium Group, LLC. CAMAS Advisory



I'm not sure if its appropriate for this list but it is related to penetration testing and vulnerability disclosure (moderators decide).


Cambium Group, LLC. CAMAS Advisory -- http://snosoft.blogspot.com/

We've finally released the Cambium Group, LLC Content Management System ("CAMAS") advisory after much waiting and debate. These issues were discovered in CAMAS during a customer penetration test that we did in August of 2007. The security vulnerabilities that are disclosed in the advisory are kept very high level and low detail as to not arm any potentially malicious people. The security vulnerabilities that were discovered in 2007 still exist today according to some recent Google research that we did. In fact, according to Google's cache the Cambium Group's own website was vulnerable as of Feburary 9th 2009. We can't ethically test Cambium Group customer's websites without their permission, hence why we rely on Google for this information. Google tends to identify vulnerabilities in websites while crawling them and as a result those vulnerabilities become searchable if you know what to look for.

Note:

You can check with Google to see if you're instance of CAMAS is or was vulnerable. The way that you do that is to type the following string, but replace "company" with the name of your company:company 1064 You have an error in your SQL

Normally when we discover a security vulnerability in third party technology (used by many different businesses) we notify the vendor and provide the vendor with methods for eliminating the risks that we discovered. We followed this same practice with the Cambium Group, LLC. but no fixes were created or pushed out to their customers according to what we saw (Vendor Status and Chronology). As a result we were unable to release the aforementioned advisory without a potential negative impact on Cambium Group customers (our job is to protect businesses, not to increase their risk). That all changed when a Whistle Blower (not affiliated with us in any way) posted an email to the Full Disclosure mailing list and exposed the vulnerabilities to the public on Wed, February 11th 2009.

When the whistle blower let the cat out of the bag, he posted the information to a forum that was frequented by hackers both good and bad. So now the hackers were aware of the security risks the Cambium Group customers were not (unless the Cambium Group notified its customers in 2007). Because of this now elevated level of risk, we decided that it would be prudent to release our advisory from 2007 to make sure that Cambium Group customers were educated about the risks too.

In addition to our advisory being published, there also exists a good article that was written by Dan Goodin at the register. Dan Goodin took the time to contact the Cambium Group to hear their side of the story, so the article is worth a read.

Here is how Cambium Group customers can protect themselves (our recommendations):

We recommend that any Cambium Group customer consider installing a reverse proxy with application layer filtering capabilities. These proxies are designed to analyze web traffic being sent from web users to your website. If the data is normal web traffic then it is allowed to reach your website, but if it contains malicious data that matches known attack patterns then it is blocked and never reaches your website. This prevents attackers from being able access the vulnerable components of websites that suffer from various risks. Examples of such proxies are ModSecurity and BlueCoat (there are many others and we're not affiliated with any of them).

The other way to defend against these vulnerabilities is to impliment properly designed parameterized stored proceedures and to use strong input validation and data sanitization techniques as defined by theOpen Web Application Security Project. This is true for for any Web Application, not just CAMAS. Never the less, in the case of CAMAS the Cambium Group would need to impliment these changes, you would probably not be able to because CAMAS is not an open source product.


Adriel T. Desautels
ad_lists@xxxxxxxxxxxxx
--------------------------------------

Subscribe to our blog
http://snosoft.blogspot.com