The Curse of Publicly Exposed Management Interfaces

The state of the management interface security often looks like this.

Let’s face it, modern ICT solutions need to make money for their creators. A business cannot be profitable unless the business model is profitable. If you are in the business of creating network appliances for example, you will inevitably face the problem of economy of scale. How to make the support model for your solution scale with the number of devices pumped out on the market by your sales force?

One of the answers to the problem lies in engineering your product so that your customers can deploy, configure, maintain and patch your software as independently as possible. To that end your engineering team will most likely need to create a web-based management interface, which your customers can use to perform the aforementioned tasks.

The problem, however, lies in the fact that these management interfaces are not meant to be directly exposed to the Internet. Often times the actual business functions are and they are relatively secure, but the management interface is intended to be sitting on a separate management network or at the least access controlled to a specific set of IPs.

This, however, is far from the truth as exemplified by the plethora of vulnerabilities in big ticket items such as F5 TMUI, Sophos and Zyxel firewalls, as well as remote management APIs such as Kubernetes and WinRM.

In this write-up I explore the publicly exposed management interfaces in numbers and the vulnerabilities, which have exposed them to the public eye. Needless to say that the vulnerabilities themselves are just a symptom and the root cause is the public exposure of these interfaces to the whole Internet.