Table of Contents
Table of ContentsWhat is SASL?Countermove To Prevent Brute Force AttacksInsight To Simple Authentication and Security Layer FrameworkThe fundamental Simple Authentication and Security Layer ArchitectureLoopholes Of MemcachedSusceptibilities On Dovecot ServerContemporary LoopholesKeep Your Apps Up To Date
Security of sensitive information and data protection are important whether you are a company or an individual. Adding a SASL authentication layer is quite common practice to safeguard data and encryption. However, the authentication layer also has loopholes and vulnerabilities.
In this post, we have listed some of the loopholes of Simple Authentication and Security Layer to look out for! But before going further, let’s know what is SASL.
What is SASL?
Simple Authentication and Security Layer is an authentication layer applied in Internet protocols. It is a framework which grants developers of software & shared libraries with the procedure for data integrity–checking, authentication or encryption. Like all the other frameworks, this framework also has a few known loopholes that you should know. The security patches got released but not everybody has applied it.
Most of the server administrators could identify the error message, “SASL LOGIN authentication failed: authentication failure”
The message might display additional information about the crash, as per the particular software or plugin used. If you get the message more often and also if it is coming from the similar IP address, then you must pay attention to it. As it could be an indication that hackers attempting to intrude and access the server and resources to carry out spam attack.
Countermove To Prevent Brute Force Attacks
Simple Authentication and Security Layer attacks are mostly brute force attacks (a trial-and-error technique used to acquire sensitive information like personal identification number (PIN) or user password. However, there are countermoves that you can choose to safeguard your server, take a look:
- If the SASL message comes from same Internet Protocol address then you can block the address and be done with it.
- If the hackers are using different IPs, then you can rely on tools that work on ML(machine learning) which can tackle a new attacker. However, you need to be sure that your software doesn’t block any legit user.
- If you can make your server to work on a different port, this will make you less prone to attacks.
Insight To Simple Authentication and Security Layer Framework
This is a framework for app protocols, like IMAP or SMTP, that includes authentication support. It inspects if the user has authority to access the server in the way they want. It also comes with a framework for encryption & data-integrity checking.
Let’s check how the framework mechanism works and where loopholes sabotage the process. Here we have listed a flowchart giving information about the process and how information travels between clients and server.
Also Read : Is it safe to use AES 256 Bit Encryption?
The fundamental Simple Authentication and Security Layer Architecture
Server and client apps call their local copies of SASL library via SASL API. SASL library contacts with SASL mechanism via SASL’s SPL.
The flowchart shows the life cycle of SASL. The server actions and client actions are displayed on the right and left-hand side respectively.
The arrows in the midst depict communication between client and server using an external connection.
Loopholes Of Memcached
Memcached is a software bundle that executes a top-notch performance caching server in order to store bits of data acquired from API calls in RAM as well as the database. This assists in accelerating dynamic web apps so that they become suited for big-data projects and large websites.
Two years back in 2016, Cisco’s Talos security researchers discovered remote code execution susceptibilities. All vulnerabilities influenced binary protocol of memcached for keeping and recovering data. SASL was one of the victims. Later in 2016, the issue was fixed.
Susceptibilities On Dovecot Server
The Dovecot server’s SASL authentication component also detected with a Denial of Service Vulnerability. Hackers from a remote location can hit susceptible systems because of a validation error provided vulnerable software uses a cooked-up username while handling Simple Authentication and Security Layer authentication if the auth-policy component has been stimulated.
2.2.25 via 126.96.36.199 were some of the affected version and sadly some of them are still active.
Another loophole was discovered in Dovecot 2.0 up to 2.2.33 and 2.3.0. According to the vulnerability, when SASL authentication is aborted, it results in a memory breach in the Dovecot auth client utilized by login processes. The disclosure has an influence on top quality configurations wherein the corresponding login processes are used again and can result in crashing the process because of memory enervation.
One of the most recent loopholes discovered in Apache Qpid Broker. The Qpid broker, as well as Qpid clients, utilize the Cyrus SASL library, a completely functional authentication framework, which comes with a lot of configuration prospects. The special entity “Authentication Providers.” perform an authentication of receiving AMQP connections in Apache Qpid Broker-J. These providers can support many SASL mechanism, which is provided to the linking clients as part of Simple Authentication and Security Layer arbitration procedure.
Denial of Service vulnerability was discovered in Apache Qpid Broker-J 7.0.0 in the process for authentication of connections for AMQP protocols 0-8,0-91, 0-9, & also 0-10 when PLAIN or XOAUTH2 SASL procedure is employed. The loophole enables invalidated hackers to hit the Broker case.
Must Read : Malware: Too Sassy For Cybersecurity!
Keep Your Apps Up To Date
As of now some of the vulnerabilities are still working and also the previous ones that still exist, haven’t patched up. You need to keep a watchful eye. So, it is recommended to always keep your software up- to date especially Internet-facing servers.