At the Black Hat conference this week, a researcher pointed out vulnerabilities that can be present in devices that rely on Active X to download clients.
The presentation by Michael Zusman, a senior consultant for the Inrtrepidis Group, was focused on the impact this has on some SSL VPN products, but the lesson is just as valid for NAC clients that are downloaded to client machines via Active X.
Zusman, whose background includes a stint at SSL VPN vendor Whale Communications (now part of Microsoft) described several hacks against SSL VPN agents that are downloaded at the start of sessions. When he told vendors about them, they took steps to block his exploits.
One of the vulnerabilities he perceived was that part of some SSL products include an endpoint scan similar to what is done in NAC using dissolvable clients based on Active X. In fact, NAC’s endpoint-checking element is seen by some as an outgrowth of this capability in SSL VPNs. (Compare NAC products)
He asserts that in SSL VPNs the process can be exploited and an attacker could alter the data from the scan so a non-compliant device could gain access. Similarly, a device could gain more access than its actual state should allow.
Basically, he’s pointing out one way the information an endpoint serves up about itself can be unreliable and that if it is, that can expose the network to greater risk.
This problem with devices reporting on their own state - known as the lying endpoint - is acknowledged within NAC circles. One way around it is use of hardware chips in endpoints that verify the integrity of the machine in a secure state as outlined by Trusted Computing Group. Zusman’s talk gives another reason to take a look at this.