CYBIR discovers vulnerability in VIPRE Update Proxy

At CYBIR , we have always been committed to securing our client’s environments by focusing on proactive security solutions, rigorous penetration testing and vulnerability scanning.  Understanding that not all threats come from within, our team does not stop at the client’s environment.  Instead, we analyze third party solutions that may cause risk to the client.

And that is exactly what happened during a penetration test engagement that could have been considered routine.  But CYBIR does not consider anything routine when it comes to our client’s security.  During the testing and subsequent analysis, CYBIR’s Partner & Exploit Developer, Ken Pyle discovered several weaknesses in the Proxy Configuration of the leading Antivirus Developer VIPRE.

To make life easier for their customers, VIPRE offered a free solution – VIPRE Update Proxy – to simplify the process for VIPRE Endpoint Security Cloud administrators.  VIPRE endpoint agents are constantly obtaining updated signature definitions and other security content to be fully up to date on the latest security threats.  In most networks, endpoints are downloading new definitions multiple times a day which represents a significant increase in bandwidth.  The VIPRE Update Proxy attempts to solve this problem by pointing the endpoints to the proxy and fetch updated definitions through the local cache as opposed to going through the firewall for every request, ultimately reducing bandwidth usage.

Enter CYBIR’s Ken Pyle.  As Ken took a deeper dive into the VIPRE Proxy Update, he quickly realized that the out of the box configuration did not prompt the sysadmins to lock it down further or advise against potentially deploying the proxy in a risky part of the network (i.e. on a network boundary).  The VIPRE team assumed that sysadmins would put the proxy on a random endpoint with no special privileges or network access and then lock down that endpoint with local firewall rules, but this thought process was not properly explained the configuration documentation.

According to an article by David Corlette  posted on VIPRE’s website:

When CYBIR took a look, they realized that without further locking things down, an unsuspecting sysadmin could allow local systems to access internet resources they might not otherwise have, or at least hide what they are doing; they also realized that if the sysadmin put the proxy on a host that spanned multiple networks, it could allow local systems to transit into networks they are not supposed to. All in all, CYBIR found nine different ways that the Update Proxy could be used to get up to no good, due to the “starter” not-locked-down configuration that VIPRE provided by default (and the fact we hadn’t updated the embedded nginx in a while).”

Upon discovery of the vulnerability, CYBIR reached out directly to VIPRE and was directed to submit a ticket, as is their normal process.  After some time had passed with no response, Ken and the CYBIR Team continued to pursue VIPRE to alert them of the issues and work towards a resolution.  It was through this persistence that VIPRE reviewed the ticket, agreed with CYBIR’s findings, and took swift action to correct the problems.  VIPRE was so thankful of CYBIR’s efforts that the offered an apology to Ken and the CYBIR team saying:

“We also owe CYBIR a bit of an apology for delays in updates getting to the CYBIR team. Regardless of the process, we are grateful to Ken for pointing out that we have a duty to provide a safer configuration and more explicit instructions on how to use the VIPRE Update Proxy safely to our customers (we are a security company after all!), and we have released a new version of the tool that addresses the issues that CYBIR raised with us along with improvements to the documentation.”

The updated documentation can be found here: Customer Success: Update Proxy and VIPRE recommends that customers update to this new version.

For the CYBIR Team this is a great example of our approach.  No situation is routine, every client environment is unique and requires meticulous attention.  It also highlights CYBIR’s commitment to security, whether it is for our clients or third-party solutions that our clients deploy.