Full compromise of Websense Data Security via vulnerability chaining

Data Loss Prevention putting your data at risk?

Organizations are under increasing pressure from (government) regulations, including SOX, PCI, HIPAA, and others. The increasing number of (insider) data breaches is also a great concern. Data Loss Prevention (DLP) software can monitor web and mail traffic (in some cases even encrypted traffic) in order to prevent sensitive data from leaking.

DLP software is presented as a ‘silver bullet’ to protect organizations from reputational damage, regulatory fines, and data breaches. Given the nature of these products, one might expect that security is a top priority for DLP software vendors.

We conducted a series of security tests on Websense TRITON v7.8.3 and Websense V-Series v7.7. The results were shocking as we found security vulnerabilities in Websense’s core software components. These components lack basic security controls such as input validation, authorization, and data protection (encryption).

Last week, Blue Coat (another DLP vendor) hit the news concerning security problems found in their ProxySG (Secure Web Gateway) product. It appears that these security vendors don’t have a secure development life cycle process in place.

Demo: compromise of Websense Data Security

In the following video we'll show how Websense Data Security can be compromised by a remote attacker. We used the following attack scenario:

  1. Attacker creates an email that triggers a DLP email Policy (keywords han and blueprints).
  2. The email contains a Cross-Site Scripting payload that exploits a Command Injection vulnerability. The injected command will be executed with elevated privileges.
  3. The injected command will add a user named HAXPO. In the video it is demonstrated that this user was successfully created by abusing the command injection vulnerability.

The Command Injection vulnerability allows a remote attacker to perform a wide range of attacks including starting a reverse shell. In most cases this allows an attacker to gain remote access to the Websense appliance as it is common that the appliance resides on the outer network perimeter.
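The chain above can be broken at either link. The Python below is an added example, not code from Securify or Websense: it assumes an incident view that displays fields of the flagged email and a hypothetical administrative diagnostic that takes a host name, then encodes the fields on output and runs the command without a shell.

```python
import html
import re
import subprocess
import sys

# Constructed sample: fields of an email that matched a DLP policy. Every
# value is attacker-controlled, because the sender wrote the message.
SAMPLE_INCIDENT = {
    "sender": "mallory@example.test",
    "subject": "blueprints <script>alert(1)</script>",
}


def render_incident_row(incident):
    """Render one incident as an HTML table row, encoding every email field."""
    cells = (html.escape(incident[key], quote=True) for key in ("sender", "subject"))
    return "<tr>" + "".join(f"<td>{cell}</td>" for cell in cells) + "</tr>"


def echo_argument(value):
    """Pass value to a child process as one argv element, with no shell.

    The child is a stand-in for a real diagnostic tool (assumption): it only
    echoes the argument it received, so the result shows what the tool saw.
    """
    child = [sys.executable, "-c", "import sys; print(sys.argv[1])", value]
    done = subprocess.run(child, capture_output=True, text=True, check=True)
    return done.stdout.strip()


# Hypothetical parameter format: a DNS-style host name, nothing else.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def run_diagnostic(host):
    """Reject anything that is not a host name before it reaches the tool."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("rejected host parameter")
    return echo_argument(host)


if __name__ == "__main__":
    print(render_incident_row(SAMPLE_INCIDENT))
    print(run_diagnostic("appliance01.example.test"))
```

Output encoding stops the script from running in the administrator's browser, and the argument-vector call means that a request which still reaches the command handler cannot add a second command.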

Securify @Haxpo2015ams

Visit us at our booth for demos, crypto puzzles and code review Spot the Bug challenges with great prizes. Details will be released soon!

Overview of findings

In total we disclosed 8 security vulnerabilities affecting Websense Data Security. 5 additional vulnerabilities were reported to Websense that are not yet disclosed. The disclosed issues are listed below:
