U.S. federal agencies are running hundreds of remotely accessible management interfaces that don’t meet recently mandated security requirements, according to Censys researchers.
The Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 23-02 on June 13, requiring all federal civilian executive branch (FCEB) agencies to harden their internet-exposed network edge and remote management devices.
“Recent threat campaigns underscore the grave risk to the federal enterprise posed by improperly configured network devices,” the directive states.
It requires FCEB agencies to remove from the internet all management interfaces reachable over network protocols – including HTTP/HTTPS, FTP, SSH, Telnet, and others – so that they are accessible only from an internal enterprise network.
Removal must be completed within 14 days of an agency identifying a management interface that falls within the directive's scope. Agencies also have 14 days to act if they receive a notification from CISA, which announced in March that it was expanding its efforts to proactively alert agencies to attack surface vulnerabilities.
Numerous hosts exposing network appliances
In a June 26 blog post, Censys said its researchers analyzed the attack surfaces of more than 50 organizations and sub-organizations covered by the directive. They found over 13,000 distinct hosts across more than 100 autonomous systems associated with FCEB agencies.
“Examining the services running on a subset of over 1,300 FCEB hosts accessible via IPv4 address, Censys found hundreds of publicly exposed devices within the scope outlined in the directive,” the post said.
The researchers found almost 250 web interfaces on hosts exposing network appliances, many of which also ran remote-access protocols such as SSH and Telnet.
“Among these were various Cisco network devices with exposed Adaptive Security Device Manager interfaces, enterprise Cradlepoint router interfaces exposing wireless network details, and many popular firewall solutions such as Fortinet Fortiguard and SonicWall appliances.”
More than 15 instances of other exposed remote access protocols including FTP, SMB, NetBIOS, and SNMP were also found running on FCEB-related hosts.
“These protocols have a history of security vulnerabilities, and exposing them to the internet raises the risk of being targeted by threat actors trying to gain remote unauthorized access to government infrastructure,” the researchers said.
They also found “multiple” out-of-band remote server management devices including Lantronix SLC console servers. According to CISA, such out-of-band interfaces “should never be directly accessible via the public internet”.
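One way to operationalize the scope rule described above, as an added example that is not Censys' or CISA's code: a small triage script that takes a service inventory (here a constructed, scanner-style list that uses RFC 5737 documentation addresses as stand-ins for public IPs), flags services matching the management-interface categories the article names (SSH, Telnet, FTP, SMB, NetBIOS, SNMP, and web management UIs for the products mentioned), and stamps each finding with the directive's 14-day removal deadline. The protocol labels, the banner substrings used to tell a web management UI from a public website, and the sample addresses are all assumptions of this example.

```python
"""BOD 23-02 scope triage over a service inventory.

Added example, not Censys' or CISA's code. The inventory format is a
constructed stand-in for a scanner export; protocol labels, banner strings
and the sample addresses are all assumptions of this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional
import ipaddress

# Protocols the article lists as in-scope management interfaces when they
# are reachable from the internet (labels as a scanner might emit them).
MGMT_PROTOCOLS = {"ssh", "telnet", "ftp", "smb", "netbios", "snmp"}

# HTTP/HTTPS is in scope only when it fronts a management UI rather than a
# public website. These markers are assumed banner fragments for the
# products named in the article (ASDM, Cradlepoint, FortiGate, SonicWall,
# Lantronix SLC); a real tool would use fingerprints, not substrings.
MGMT_HTTP_MARKERS = ("asdm", "cradlepoint", "fortigate", "sonicwall", "lantronix")

# Ranges that are not reachable from the public internet. Listed explicitly
# (rather than via ipaddress.is_global) so the RFC 5737 documentation
# addresses used in the sample below count as "public" stand-ins.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]

REMOVAL_WINDOW = timedelta(days=14)  # the directive's deadline


@dataclass(frozen=True)
class Service:
    ip: str
    port: int
    protocol: str      # lowercase scanner label, e.g. "ssh", "https"
    banner: str = ""   # whatever the scanner captured, if anything


@dataclass(frozen=True)
class Finding:
    ip: str
    port: int
    protocol: str
    reason: str
    due: date          # date by which the interface must be off the internet


def is_internet_reachable(ip: str) -> bool:
    """True unless the address sits in a private, loopback or link-local range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def in_scope(svc: Service) -> Optional[str]:
    """Return why a service falls under the directive, or None if it does not."""
    if not is_internet_reachable(svc.ip):
        return None  # reachable only from the enterprise network: compliant
    proto = svc.protocol.lower()
    if proto in MGMT_PROTOCOLS:
        return f"{proto} management protocol exposed to the internet"
    if proto in ("http", "https"):
        banner = svc.banner.lower()
        if any(marker in banner for marker in MGMT_HTTP_MARKERS):
            return "web management interface exposed to the internet"
    return None


def triage(inventory: Iterable[Service], identified_on: date) -> List[Finding]:
    """Flag in-scope services and attach the 14-day removal deadline."""
    due = identified_on + REMOVAL_WINDOW
    return [
        Finding(s.ip, s.port, s.protocol, reason, due)
        for s in inventory
        if (reason := in_scope(s)) is not None
    ]


# Constructed sample inventory (RFC 5737 addresses standing in for public IPs).
SAMPLE_INVENTORY = [
    Service("192.0.2.10", 22, "ssh", "SSH-2.0-OpenSSH_7.4"),
    Service("192.0.2.10", 443, "https", "Cisco ASDM 7.x"),
    Service("192.0.2.11", 443, "https", "nginx - public agency website"),
    Service("192.0.2.12", 161, "snmp", ""),
    Service("192.0.2.13", 80, "http", "Lantronix SLC console server"),
    Service("10.20.30.40", 23, "telnet", ""),   # internal only: out of scope
]


def run_sample() -> List[Finding]:
    """Triage the sample as if identified on the date of the Censys post."""
    return triage(SAMPLE_INVENTORY, date(2023, 6, 26))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.ip}:{f.port} {f.protocol:6} due {f.due}  {f.reason}")
```

Run as-is it reports four findings from the sample (the SSH and ASDM services on the same host, the SNMP listener, and the Lantronix console server), each due 14 days after June 26; the public website and the internal-only Telnet service are left alone. The deliberate weak spot is the banner check: substring matching on product names is fine for a constructed sample but a production tool would fingerprint the interface and keep the public-website exclusion under review, since a web server that is both a site and an admin panel still counts.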
Other vulnerabilities discovered
The researchers said they discovered “other noteworthy security concerns” which fell outside the scope of the Binding Operational Directive on the hosts they investigated.
More than 10 hosts were found running HTTP services that exposed directory listings of their file systems, which Censys said is a common source of sensitive data leakage.
The researchers also discovered exposed Nessus vulnerability scanning servers, an attractive target for threat actors because they pinpoint weaknesses in internal networks, giving attackers useful intelligence and a springboard for further exploitation.
Censys also found exposed Barracuda Email Security Gateway appliances, the target of another recent spate of high-profile and costly attacks.
Over 150 instances of end-of-life software were discovered, including Microsoft Internet Information Services (IIS), OpenSSL, and Exim. “End-of-life software is more susceptible to new vulnerabilities and exploits because it no longer receives security updates, making it an easy target,” the researchers said.
Censys said that while CISA's directive applies only to FCEB agencies, all organizations should harden the management interfaces within their networks, since these are frequently targeted by threat actors.
“These internet-exposed devices have long been the low-hanging fruit for threat actors to gain unauthorized access to important assets, and it’s encouraging that the federal government is taking this step to proactively improve their overall security posture and those of their adjacent systems.”
How widespread is the problem and how hard is the fix?
In practice, the BOD forces federal agencies to adopt a more comprehensive external attack surface management (EASM) strategy. External attack surfaces are a major source of breaches: they expose insecure or misconfigured APIs, IoT devices and under-patched servers to adversaries.
Rob Gurzeev, CEO and co-founder of attack surface management firm CyCognito, points out that the directive will have a far-reaching impact beyond FCEB agencies themselves. Non-governmental supply chain partners will also come under increased scrutiny for external attack surface weak spots. These third-party and subsidiary risks are often the overlooked weakest link of an otherwise tightly managed enterprise network.
“Big companies have tens of thousands of exposed web interfaces today, as every DevOps tool, OpenSource tool, and even hardware assets have web interfaces for management now,” Gurzeev said. “The shift to the cloud essentially connected millions of ‘machines’ to the internet - not behind a firewall.”
Gurzeev said that although the bulk of an organization's network infrastructure sits behind a firewall, 80 percent of the network risk is found within the external attack surface, exposed to the public internet. Worse, he said, external surface vulnerabilities can take ten times longer to detect and mitigate. “Additionally, dwell time—the period from breach to mitigation—averages three to four months, and can sometimes stretch to six,” he said.
BOD 23-02: Directive Details
The directive requires agencies to identify and report in-scope internet-facing devices to CISA and to act on findings within 14 days of discovering them or being notified of them. Where a patch is not immediately available, agencies must isolate the interface or block outside access to it.
The CISA mandate also includes:
- A comprehensive asset inventory
- A vulnerability management program
- A blueprint for incident response
- Mitigation based on risk and compliance
Lastly, for interfaces identified by CISA that cannot simply be taken offline, agencies must deploy Zero Trust Architecture capabilities that enforce access control to the interface.
“While this new mandate impacts agencies directly, it also impacts their supply chain partners as well,” wrote Pablo Quiroga, director of product management, at Qualys in a blog post responding to the directive.