This week, we look into the recent API vulnerabilities in Siemens plant operation control system, D-Link routers, and Cisco network management. In addition, OWASP has formally released their first-ever Top 10 list of API security.
Vulnerability: Siemens SPPA-T3000
The application server of the Siemens plant operation control system SPPA-T3000 had API vulnerabilities. The AdminService API was accessible without authentication as long as you had network access to it and knew how to craft requests for it.
This is a clear example of OWASP API2:2019 — Broken authentication. The vulnerabilities could allow an attacker to execute arbitrary code on the server, perform a Denial-of-Service (DoS) attack on the server communications, or even access sensitive information and user passwords.
Siemens has published a detailed report on all the discovered vulnerabilities as well as how to mitigate them. They have also highlighted that all vulnerabilities require network access to specific components that, if the system has been correctly set up as they recommend, should not be accessible.
API security must be set up in layers. These days, when controlling the network edge is becoming increasingly challenging, you can no longer rely on your internal network being impregnable. Rogue actors can be company insiders, or attackers can find a way into your network on their own. API authentication and authorization must be there to protect API functions in these scenarios.
Miguel Mendez Z. and Pablo Pollanco have found a vulnerability in the UPnP API of D-Link DIR-859 routers. This vulnerability allows attackers to inject malicious code for the router to execute.
In their detailed post, Mendez and Pollanco demonstrate how this allowed them to get and maintain access to the router. They also helpfully list all the affected router models and when fixes should be available.
This is an example of OWASP API8:2019 — Injection. To prevent such attacks, always strictly define the payloads and parameters that your APIs expect (schemas, regular expressions for strings, and so forth) and enforce your definitions.
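As an added illustration of that advice (example code, not from the newsletter or the researchers' post), here is a small validator that enforces a positive schema for a hypothetical device-configuration endpoint: explicit types, bounded numeric ranges, allow-list patterns for strings, and outright rejection of any field the schema does not name. The field names and the simplified hostname pattern are constructed for the example.

```python
import re
from typing import Any

# Positive schema for a hypothetical device-configuration endpoint
# (constructed for this example, not D-Link's UPnP API). Each field lists
# its exact type, whether it is required, and a constraint. Anything the
# schema does not name is rejected rather than silently passed through.
SCHEMA = {
    # Simplified DNS-label pattern: letters, digits and hyphens, dot-separated.
    "hostname": {"type": str, "required": True,
                 "pattern": re.compile(r"[A-Za-z0-9-]{1,63}(?:\.[A-Za-z0-9-]{1,63})*")},
    "port": {"type": int, "required": True, "min": 1, "max": 65535},
    "enabled": {"type": bool, "required": False},
}


def validate(payload: Any) -> list[str]:
    """Return the list of schema violations; an empty list means the payload conforms."""
    if not isinstance(payload, dict):
        return ["payload must be a JSON object"]
    errors = []
    # Unknown fields are violations (this also blocks mass-assignment style extras).
    for key in payload:
        if key not in SCHEMA:
            errors.append(f"unexpected field: {key!r}")
    for name, rule in SCHEMA.items():
        if name not in payload:
            if rule["required"]:
                errors.append(f"missing field: {name!r}")
            continue
        value = payload[name]
        # bool is a subclass of int in Python, so compare the exact type:
        # True must not be accepted as a port number.
        if type(value) is not rule["type"]:
            errors.append(f"{name!r}: expected {rule['type'].__name__}")
            continue
        # Strings must fully match the allow-list pattern; there is no blacklist
        # of "dangerous" characters, only a definition of what is permitted.
        if "pattern" in rule and rule["pattern"].fullmatch(value) is None:
            errors.append(f"{name!r}: does not match allowed pattern")
        if "min" in rule and value < rule["min"]:
            errors.append(f"{name!r}: below minimum {rule['min']}")
        if "max" in rule and value > rule["max"]:
            errors.append(f"{name!r}: above maximum {rule['max']}")
    return errors
```

A request is only handed to the business logic when `validate()` returns an empty list; any violation is logged and the request is refused with a generic error.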
Steven Seeley has found more than 120 vulnerabilities in Cisco Data Center Network Manager (DCNM) and its APIs. Among these were also three critical issues, with a CVSS score of 9.8, more or less as bad as it gets.
For example, a static key shared between installations was used for encryption, allowing attackers to forge access tokens and perform admin calls. In addition, the web-based management interface had hard-coded credentials.
It cannot be stressed too much: never, ever, use hard-coded credentials. Static keys for token encryption and signing are also a bad idea, because if your access tokens can be forged, they are not really protecting the APIs, and instead just give you a false sense of security.
Guidelines: OWASP API Security Top 10 2019 officially released
On the very last day of the year, 31 December, 2019, Erez Yalon of the OWASP API Security Top 10 team announced the general availability of the report.
The OWASP API Security Top 10 document is a PDF that explains each vulnerability along with its frequency, severity, typical root causes, as well as recommendations for mitigation.
The final list of OWASP API Security Top 10 2019 is:
- API1:2019 — Broken object level authorization
- API2:2019 — Broken authentication
- API3:2019 — Excessive data exposure
- API4:2019 — Lack of resources and rate limiting
- API5:2019 — Broken function level authorization
- API6:2019 — Mass assignment
- API7:2019 — Security misconfiguration
- API8:2019 — Injection
- API9:2019 — Improper assets management
- API10:2019 — Insufficient logging and monitoring