Using runZero to verify network segmentation

What is network segmentation?

Network segmentation, in its simplest form, is the act or practice of dividing a computer network into smaller parts, subnetworks, or network segments. In recent years, it has evolved into a foundational enterprise control to improve network performance and security. However, without effective verification strategies like Cyber Asset Attack Surface Management (CAASM), network segmentation can be easily undermined by misconfigurations and multi-homed machines.

Let’s explore a practical comparison to network segmentation – a house with an open floor plan. This design ensures ease of movement and makes the space feel larger, but presents a challenge for achieving privacy and security. You likely don’t want everyone that enters your home to have unfettered access to all areas. Adding walls and changing the architecture of a home is much harder after it’s been built; however, doors and locks can help add security controls while maintaining the original functionality. For example, if a contractor is scheduled to work on the garage, doors and locks add a level of segmentation that ensures access is only granted for the area where the work needs to be done. Lateral movement into the house is unlikely and garage repair alone does not merit access to other areas. Essentially, network segmentation is akin to a house with defined areas of access to make safe and secure spaces when needed.

A simple example of network segmentation

What are the benefits of network segmentation?

  • Better operational performance: Segmentation reduces network traffic congestion.

  • Improved security:
    • Limit the damage done by cyber attacks: Segmentation improves cybersecurity postures by limiting how far an attack can spread by reducing lateral movement. For example, segmentation keeps a malware outbreak in one segment from spreading to systems in another.

    • Protect vulnerable devices: Segmentation can prevent harmful traffic from reaching devices that are unable to protect themselves. For example, on a factory floor that contains OT/ICS devices that were not designed with advanced security defenses, segmentation can stop harmful Internet traffic from reaching them.

  • Containing network problems: Segmentation minimizes the impact of local failures on other parts of the network. When localized problems arise, network segmentation helps to minimize production downtime and decrease corporate latency due to misconfigurations.

  • Controlling access: Access can be controlled by creating VLANs to segregate the network. For example, visitors can access a “guest network”, so they can access the Internet, but not the corporate network itself. Another example is separating networks during a corporate divestiture, so that employees only have access to the corporate network of their company and not the other.

  • Meet industry compliance standards: Regulations are a driving factor in network segmentation. For example, businesses subject to Payment Card Industry Data Security Standard (PCI DSS) requirements must validate cardholder data environment (CDE) segmentation during the security audit process. The PCI guidance on scoping and segmentation describes a common CDE administration model.

How do you verify network segmentation is implemented correctly?

Verifying that segmentation is working correctly can be challenging, especially across large and complex environments. Common techniques to validate segmentation, such as reviewing firewall rules and spot testing from individual systems, can only go so far, and comprehensive testing, such as running full network scans from every segment to every other segment, is time intensive and rarely performed on a regular basis.

Verifying safe network segmentation with CAASM

Network bridge detection

Network bridge detection is a useful tool when validating the effectiveness of network segmentation and testing whether an attacker can reach a sensitive network from an untrusted network or asset. Examples of this include laptops plugged into the internal corporate network that are also connected to a guest wireless segment, or systems connected to an untrusted network, such as a coffee shop’s wireless network, that also have an active VPN connection to the corporate network.

The runZero Platform detects network bridges by looking for extra IP addresses in responses to common network probes (NetBIOS, SNMP, mDNS, UPnP, and others) and only reports bridges when at least one asset has been identified with multiple IP addresses. Typical hardening steps, such as desktop firewalls and disabled network services, are limiting factors that will usually prevent multi-homed assets from being detected by runZero; however, the click-through demo below shows how to use network bridge detection to search for multi-homed assets in the runZero inventory.

Identifying Potentially Risky Network Bridges

This runZero network bridge report is an interactive view of possible paths that can be taken through the network by traversing multi-homed assets. Assets detected with only a single IP address are omitted to keep the graph practical and actionable for defenders.

runZero enables you to click through asset and subnet details within the external (red) and internal (green) networks. Clicking a bridged node once will highlight the networks it is connected to and show a link which leads to the full asset details for that node. Alternatively, clicking a network once will highlight the connections to bridged nodes and show a link to the Asset Inventory page with a CIDR-based inventory search.

This report helps you see where segmentation may be broken, and can cut down on the number of surprises encountered in a future security audit.

The Asset Route Pathing Report

The runZero Platform also enables you to visualize potential network paths between any two assets in an organization by creating the asset route pathing report. This unique methodology identifies surprising and unexpected paths between assets that may not be accounted for by existing security controls or reviews.

The report generates a graph of multiple potential paths by analyzing IPv4 and IPv6 traceroute data in combination with subnet analysis of detected multi-homed assets – without requiring access to the hosts or network equipment.

With a view of potential paths between assets, security professionals can verify whether a low-trust asset, such as a machine on a wireless guest network, can reach a high-value target, such as a database server within a cardholder data environment (CDE). Another example would be an OT asset (such as an engineering workstation) being able to access the IT network. This feature highlights potential network segmentation violations and opportunities for an attacker to move laterally from one segment to another.
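The two mechanisms described above, bridge detection from the extra addresses an asset reports to probes and route pathing over traceroute hops plus bridged subnets, can be sketched in a few functions. This is an added illustration, not runZero's implementation: the segment names, probe responses and traceroute hops are all constructed, and the rule that a hop between two segments implies a routed link is an assumption.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed example segments (documentation/private ranges, not a real site).
SEGMENTS = {
    "guest-wifi": ipaddress.ip_network("192.0.2.0/24"),
    "corp-lan": ipaddress.ip_network("198.51.100.0/24"),
    "cde": ipaddress.ip_network("203.0.113.0/24"),
    "mgmt": ipaddress.ip_network("10.10.0.0/24"),
}

# Constructed probe results: asset -> interface IPs the asset itself reported in
# NetBIOS/SNMP/mDNS/UPnP-style responses. Addresses in two segments = a bridge.
PROBE_RESPONSES = {
    "laptop-01": {"192.0.2.10", "198.51.100.20"},  # guest wifi + corp LAN
    "jump-01": {"198.51.100.50", "203.0.113.50"},  # corp LAN + CDE
    "db-01": {"203.0.113.5"},
    "printer-01": {"198.51.100.70"},
}

# Constructed traceroute hops; consecutive hops in different segments = routed link.
TRACEROUTES = [
    ["198.51.100.9", "198.51.100.1", "10.10.0.1", "10.10.0.25"],  # corp -> mgmt
]

def segment_of(ip):
    """Map an IP to its named segment, or None if it is outside all of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def find_bridges(responses=PROBE_RESPONSES):
    """Assets whose reported IPs span two or more segments (multi-homed)."""
    bridges = {}
    for asset, ips in responses.items():
        segs = sorted({s for s in map(segment_of, ips) if s})
        if len(segs) >= 2:
            bridges[asset] = segs
    return bridges

def build_graph(bridges, traceroutes=TRACEROUTES):
    """Undirected graph of segment nodes, bridge-asset nodes and routed links."""
    graph = defaultdict(set)
    for asset, segs in bridges.items():
        for seg in segs:  # the asset is a node sitting between its segments
            graph[asset].add(seg)
            graph[seg].add(asset)
    for hops in traceroutes:
        for a, b in zip(hops, hops[1:]):
            sa, sb = segment_of(a), segment_of(b)
            if sa and sb and sa != sb:  # a hop that crosses segments
                graph[sa].add(sb)
                graph[sb].add(sa)
    return graph

def find_path(src, dst, graph=None):
    """Shortest segment/bridge path from src to dst, or None if unreachable."""
    graph = graph if graph is not None else build_graph(find_bridges())
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(graph.get(node, ())):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None
```

`find_path("guest-wifi", "cde")` returns the guest-to-CDE route through the two bridged hosts, which is exactly the kind of path a segmentation review should not find.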

Summary

In summary, there are many benefits to network segmentation, and verifying proper implementation can be a difficult, arduous task. runZero is here to help by reducing the burden of misconfigurations and/or improperly defined network boundaries, subnets and VLANs.

Not a runZero customer? Download a free trial today and achieve comprehensive asset inventory and attack surface visibility in minutes.

If you would like to read more about network segmentation and what runZero has found in the wild, check out Chapter 4 of the runZero Research Report that talks about the decay of segmentation.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network, without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

How to find Citrix NetScaler ADCs and Gateways

What are Citrix NetScaler ADCs and Gateways? #

NetScaler Application Delivery Controller (ADC), formerly known as Citrix ADC, acts in a number of capacities to ensure reliable application delivery to users. This can include load balancing across application servers, off-loading of certain operations, security protections, and policy enforcement.

NetScaler Gateway, formerly known as Citrix Gateway, provides single sign-on (SSO) from any device to multiple applications through a single URL.

Latest Citrix vulnerability #

A new vulnerability was disclosed in NetScaler ADC and Gateway products for version 13.1-50.23.

There is currently no CVE associated with this particular vulnerability because Citrix had already disclosed an issue under the previously assigned CVE-2023-4966.

What is the impact? #

The vulnerability would enable an attacker to remotely obtain sensitive information from a NetScaler appliance configured as a Gateway or AAA virtual server via a commonly connected web interface, without requiring authentication. This bug is nearly identical to the Citrix Bleed vulnerability (CVE-2023-4966), except it is less likely to return highly sensitive information to an attacker.

Are updates or workarounds available? #

Citrix recommends customers update to version 13.1-51.15 or later.

How do I find potentially vulnerable systems with runZero? #

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

product:netscaler

CVE-2023-3519 (July 2023) #

In July 2023, Citrix alerted customers to three vulnerabilities in its NetScaler ADC and NetScaler Gateway products. Surfaced by researchers at Resillion, these vulnerabilities included a critical flaw being exploited in the wild to give attackers unauthenticated remote code execution on vulnerable NetScaler targets (CVE-2023-3519). Compromised organizations included a critical infrastructure entity in the U.S., where attackers had gained access the previous month and successfully exfiltrated Active Directory data. At the time of publication, there appeared to be over 5,000 public-facing vulnerable NetScaler targets.

What was the impact? #

The three reported vulnerabilities affecting NetScaler ADC and Gateway products were of different types, and each had different preconditions for exploitation:

  • Unauthenticated remote code execution (CVE-2023-3519; CVSS score 9.8 – “critical”)
    • Successful exploitation required the NetScaler target be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or “authentication, authorization, and auditing” (AAA) virtual server.
  • Reflected cross-site scripting (XSS) (CVE-2023-3466; CVSS score 8.3 – “high”)
    • Successful exploitation required the victim to be on the same network as the vulnerable NetScaler target when the victim loaded a malicious link (planted by the attacker) in their web browser.
  • Privilege escalation to root administrator (nsroot) (CVE-2023-3467; CVSS score 8.0 – “high”)
    • Successful exploitation required an attacker having achieved command-line access on a vulnerable NetScaler target.

U.S.-based CISA reported attackers exploiting CVE-2023-3519 to install webshells used in further network exploration and data exfiltration, causing CVE-2023-3519 to be added to CISA’s Known Exploited Vulnerabilities Catalog. Other common attacker goals, like establishing persistence, lateral movement, and malware deployment, were all potential outcomes following successful exploitation.

Citrix made patched firmware updates available. Admins were advised to update older firmware on vulnerable NetScaler devices as soon as possible.

CISA also made additional information available around indicators of compromise and mitigations.

How did runZero customers find potentially vulnerable NetScaler instances with runZero? #

From the Asset inventory, they used the following prebuilt query to locate NetScaler instances on their network:

hw:netscaler or os:netscaler
NetScaler asset query

Results from the above query should be triaged to verify they are affected ADC or Gateway products and if they are running updated firmware versions.

The following query could also be used on the Software and Services inventory pages to locate NetScaler software:

product:netscaler
NetScaler software query

Results from the above query should be triaged to verify they are affected ADC or Gateway products and if they are updated versions.

As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.

How to find Rockwell Automation devices

Latest Rockwell Automation vulnerabilities #

Rockwell Automation has disclosed a vulnerability in their ControlLogix 5580, Guard Logix 5580, CompactLogix 5380, and 1756-EN4TR products.

CVE-2024-3493 is rated high with a CVSS score of 8.6. It involves a specific malformed fragmented packet type which can cause a major nonrecoverable fault (MNRF) in Rockwell Automation’s ControlLogix 5580, GuardLogix 5580, CompactLogix 5380, and 1756-EN4TR. If exploited, the affected product becomes unavailable and requires a manual restart to recover.

What is the impact? #

Successful exploitation of this vulnerability results in devices crashing and becoming remotely inaccessible, requiring manual intervention to restart them.

Are updates or workarounds available? #

Rockwell Automation has provided software updates for the impacted versions.

Affected Product   | First Known in Firmware Revision | Corrected in Firmware Revision
ControlLogix® 5580 | V35.011                          | V35.013, V36.011
GuardLogix 5580    | V35.011                          | V35.013, V36.011
CompactLogix 5380  | V35.011                          | V35.013, V36.011
1756-EN4TR         | V5.001                           | V6.001

How do I find potentially vulnerable systems with runZero? #

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

hw:"1756-EN4TR"
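Query hits still need to be checked against the firmware table above. The helper below is an added example (not runZero or Rockwell code): the product names and revision boundaries are taken from the table, the reading of the ranges (every train from the first-known revision up to the newest corrected train is affected, each train is fixed from its listed corrected revision onward, anything newer is flagged for manual review) is an assumption, and the inventory rows are constructed.

```python
import re

# Affected/corrected firmware revisions transcribed from the advisory table above;
# "corrected" lists the first fixed revision of each firmware train.
ADVISORY = {
    "ControlLogix 5580": ("V35.011", ["V35.013", "V36.011"]),
    "GuardLogix 5580": ("V35.011", ["V35.013", "V36.011"]),
    "CompactLogix 5380": ("V35.011", ["V35.013", "V36.011"]),
    "1756-EN4TR": ("V5.001", ["V6.001"]),
}

def parse_rev(rev):
    """'V35.011' -> (35, 11); tolerates a missing 'V' and surrounding spaces."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)", rev.strip())
    if not m:
        raise ValueError(f"unrecognised firmware revision: {rev!r}")
    return int(m.group(1)), int(m.group(2))

def triage(product, rev):
    """Classify one inventory hit as not_affected, vulnerable, fixed or unknown.

    Assumed interpretation of the table: trains from the first-known revision up
    to the newest corrected train are affected; a train is fixed from its listed
    corrected revision onward; a train newer than any listed needs a manual check.
    """
    if product not in ADVISORY:
        return "not_affected"
    first, corrected = ADVISORY[product]
    v = parse_rev(rev)
    if v < parse_rev(first):
        return "not_affected"
    fixed_by_train = {parse_rev(c)[0]: parse_rev(c) for c in corrected}
    if v[0] in fixed_by_train:
        return "fixed" if v >= fixed_by_train[v[0]] else "vulnerable"
    if v[0] > max(fixed_by_train):
        return "unknown"  # newer train than the advisory covers: verify by hand
    return "vulnerable"   # train between first-known and the newest fixed train

def triage_inventory(assets):
    """assets: iterable of (hostname, product, firmware) -> sorted (host, verdict)."""
    return sorted((host, triage(product, fw)) for host, product, fw in assets)

# Constructed sample inventory rows (not real devices).
SAMPLE_ASSETS = [
    ("plc-line1", "ControlLogix 5580", "V35.012"),
    ("plc-line2", "ControlLogix 5580", "V35.013"),
    ("safety-a", "GuardLogix 5580", "V36.004"),
    ("packer-1", "CompactLogix 5380", "V34.011"),
    ("enet-bridge", "1756-EN4TR", "V5.001"),
    ("enet-bridge2", "1756-EN4TR", "V6.001"),
    ("plc-new", "ControlLogix 5580", "V37.011"),
]
```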

Rockwell Automation PowerFlex 527 vulnerabilities (March 2024) #

In March 2024, Rockwell Automation disclosed multiple vulnerabilities in their PowerFlex 527 product.

CVE-2024-2425 and CVE-2024-2426 are both rated high with a CVSS score of 7.5. Both involve improper input validation, leading respectively to a web server crash and to CIP communication disruption, each of which requires a manual restart.

CVE-2024-2427 is rated high with CVSS score of 7.5 and indicates a denial-of-service scenario due to improper network packet throttling which causes a device to crash and require a manual restart.

What was the impact? #

Successful exploitation of these vulnerabilities results in devices crashing and becoming remotely inaccessible, requiring manual intervention to restart them.

Are updates or workarounds available? #

Rockwell Automation does not currently have a fix for these vulnerabilities. Users of the affected software are encouraged to apply risk mitigations and security best practices, where possible.

Users should disable the web server if it is not needed (it should already be disabled by default). Additionally, users should ensure these devices are isolated in their own networks to prevent unwanted packets from flooding the device.

How do I find potentially vulnerable systems with runZero? #

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

hw.product:"powerflex"

How to find systems impacted by CVE-2024-3094 (XZ Utils backdoor) with runZero

Latest CVE-2024-3094 (XZ Utils backdoor) coverage 

Andres Freund discovered a malicious backdoor in a recent revision of the XZ Utils package. This backdoor was introduced by a threat actor who spent years building trust in the open source community before taking over maintenance of the XZ Utils project. After gaining access as a maintainer, the threat actor introduced the malicious code in multiple obfuscated steps. This backdoor could allow the threat actor to run arbitrary commands without authentication through the OpenSSH daemon.

CVE-2024-3094 is rated critical, with a CVSS score of 10.0.

An overview of this issue can be found at ArsTechnica.

Russ Cox published a detailed timeline.

What is the impact?

Successful exploitation of this backdoor would allow the actor responsible to run arbitrary system commands without authentication.

Anthony Weems built a fantastic proof-of-concept and demo kit for reproducing the backdoor.

Are updates or workarounds available?

This backdoor was enabled when a build was run on an x86_64 (amd64) system that was building a Debian “DEB” or Red Hat “RPM” package. The issue was caught prior to widespread release and the list of affected distributions is small as a result.

The following distributions shipped a combination of packages that resulted in a backdoored SSH daemon:

Additional information about this issue can be found across the web and in various distribution-specific trackers:

How to find potentially affected systems with runZero

The runZero team is investigating whether a direct check against SSH is possible.

In the meantime, we suggest using this runZero Service Inventory query:

_asset.protocol:ssh protocol:ssh (banner:="SSH-2.0-OpenSSH_9.6" OR banner:="SSH-2.0-OpenSSH_9.6p1%Debian%" OR banner:="SSH-2.0-OpenSSH_9.7p1%Debian%")

This query is based on the following logic:

1. Identify any instances of Fedora Rawhide or OpenSUSE Tumbleweed & MicroOS in your environment. The easiest way to find potentially affected installations is to look for OpenSSH servers running version 9.6, which is a recent release specific to those rolling distributions.

2. Identify any instances of Debian or Kali rolling builds. The easiest way to do this is by looking for recently-released (9.6 & 9.7) Debian-flavored OpenSSH services, as these packages were shipped in the Debian unstable and Kali Linux rolling releases.
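The banner-matching logic of that query can be reproduced offline against exported service records, which is useful for checking what the query will and will not flag. This is an added example, not runZero code; it assumes (as the query's syntax suggests) that `:=` is an exact match and `%` is a wildcard for any run of characters, and the service records are constructed.

```python
import re

# The runZero Service Inventory query from above, kept verbatim as data.
QUERY = ('_asset.protocol:ssh protocol:ssh (banner:="SSH-2.0-OpenSSH_9.6" '
         'OR banner:="SSH-2.0-OpenSSH_9.6p1%Debian%" '
         'OR banner:="SSH-2.0-OpenSSH_9.7p1%Debian%")')

def banner_patterns(query):
    """Pull the quoted banner:= patterns out of the query text."""
    return re.findall(r'banner:="([^"]+)"', query)

def pattern_to_regex(pattern):
    """Assumed semantics: literal text, '%' matches anything, whole-string match."""
    parts = pattern.split("%")
    return re.compile("^" + ".*".join(map(re.escape, parts)) + "$")

def matches_query(banner, query=QUERY):
    """True if any banner pattern in the query matches the SSH banner."""
    return any(pattern_to_regex(p).match(banner.strip()) for p in banner_patterns(query))

def triage_services(services, query=QUERY):
    """services: (host, protocol, banner) records -> hosts the query would flag."""
    return sorted(host for host, proto, banner in services
                  if proto == "ssh" and matches_query(banner, query))

# Constructed sample service records (not real hosts).
SAMPLE_SERVICES = [
    ("rawhide-build", "ssh", "SSH-2.0-OpenSSH_9.6"),                  # step 1
    ("kali-dev", "ssh", "SSH-2.0-OpenSSH_9.6p1 Debian-4"),             # step 2
    ("sid-ci", "ssh", "SSH-2.0-OpenSSH_9.7p1 Debian-5"),               # step 2
    ("ubuntu-web", "ssh", "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13"),   # not flagged
    ("stable-srv", "ssh", "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2"),   # not flagged
    ("legacy-box", "ssh", "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6"),  # not flagged
    ("web-01", "http", "SSH-2.0-OpenSSH_9.6"),  # wrong protocol: ignored
]
```

Because the first pattern is an exact match, a bare `SSH-2.0-OpenSSH_9.6p1` banner with no Debian suffix is not flagged; the query is a heuristic for the rolling distributions named above, not a test for the backdoor itself.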

How to find Fortra FileCatalyst installations with runZero

Fortra has disclosed a vulnerability in their FileCatalyst Workflow product. This vulnerability allows attackers to write files to arbitrary locations in the filesystem and can lead to arbitrary remote code execution with the privileges of the vulnerable service.

This vulnerability has been assigned CVE-2024-25153 and is considered to be highly critical, with a CVSS score of 9.8.

Note that this vulnerability was reported and fixed in August of 2023, but has only recently been assigned a CVE.

What is the impact?

Successful exploitation of this vulnerability would allow attackers to execute arbitrary code with the privileges of the vulnerable service, potentially leading to complete system compromise.

Are updates or workarounds available?

Fortra has released a fix for this vulnerability and advises all users to upgrade if they have not already done so.

How do I find potentially vulnerable systems with runZero?

From the Service Inventory, use the following query to locate systems running potentially vulnerable software:

html.title:"FileCatalyst"
