Security Holes Found In Some DLP Products

Researchers to reveal key security flaws in commercial and open-source data loss prevention software at Black Hat USA next week.

Its a case of a security tool harboring security vulnerabilities: A pair of researchers has discovered multiple flaws in commercial and open-source data loss prevention (DLP) products.
Zach Lanier, senior security researcher at Duo Security, and Kelly Lum, security engineer with Tumblr, next week at
Black Hat USA in Las Vegas
will demonstrate the cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities they discovered in four commercial DLP products and one open-source tool they investigated. They plan to name names next week during their talk,
Stay Out of the Kitchen: A DLP Security Bake-Off
, where they also will provide proof-of-concept attack examples.
Lanier and Lum -- who wont divulge full details until their talk next week -- say they really werent surprised to find flaws in DLP systems that enterprises rely on to keep private and sensitive information from leaking outside the organization. It was not a huge shock, Lum says. But I was a little surprised that some of the vulnerabilities were very simple, which means they should be easily fixed. Its curious that they could have been easily avoided in the first place.
Many of the flaws were found in the web-based interfaces of the products, namely, the administrative panels. XSS and CSRF were the most common ones found there, they say.
Some were endpoint and some were network-based… and some in how they do reporting, for example, says Lanier. We also evaluated the document parsing pieces that classify and protect the data.
While Lanier and Lum did not find any specific bypass vulnerabilities in the DLP tools they tested, they did find flaws that would allow an attacker to reconfigure or change the behavior of the DLP system so that it no longer monitors data leaks, for example.
An attacker could shut down or reconfigure a DLP system via some of the bugs, Lanier says. They could disable DLP policies and add new elements to the policies… or add new users.
Another scary option is that an attacker could take a document out of quarantine and siphon its contents, he says.
One of the DLP solutions used a Python scripting language to do a lot of the heavy lifting around the analysis engine and policy. There is an insecure module inside Python that could lead to arbitrary code execution, Lanier says. That would allow someone with access to the administrative server to spread malware to various endpoints that were managed by that server.
Since all DLP processes run in privileged mode, they also [would allow] privileged [user] code execution. That was one of the big, non-web things we found vulnerable, he says.
The researchers, as of this posting, were also still studying the third-party KeyView document parsing/filtering engine used by many DLP and big-data products. Lanier says they are looking for potential vulnerabilities as well as a possible inspection bypass issue, but nothings concrete just yet.
Meanwhile, Lanier and Lum say their research shows that DLP vendors arent properly vetting their software for flaws.
This speaks to how important it is to start looking at these products with a more jaundiced eye. Lots of sensitive data -- credit card numbers, social security numbers are at risk if the tools are not solid security-wise, Lum says.
Lanier will discuss the newly found vulnerabilities in commercial and open-source DLP software in todays 1:00 p.m. ET broadcast of Dark Reading Radio, Data Loss Prevention (DLP) FAIL. Register
here
to tune in and ask him questions via the online chat.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Security Holes Found In Some DLP Products