by __jf__ 1966 days ago
In 2017 I got a second hand Cisco ASA just to play with the shadowbrokers tools. EXTRABACON was the codename for the SNMP exploit using a buffer overflow.

This was an interesting exercise because there were NO logs of this happening on the Cisco ASA, not even when ramping every loglevel to debug. Well, only on the console port. Exception in readline() or something like it. Doing stuff for security monitoring in daily life, this ehm was alarming, but not unexpected. Fixing “No logs” is often a challenge for blue teams.

Anyway it was alarming enough to find and read through the Common Criteria EAL4+ certification docs for the Cisco ASA only to find that SNMP was excluded from certification scope. I still have the idea in the back of my head to explore scope exclusions in other certification docs for other unfortunate exclusions.

Also the lack of mitigations like stack canaries, ASLR or others was quite surprising for a certified black box security device on the network perimeter.

2 comments

CCTL testing of commercial products at basically any level is a joke; you can just look at the list of certified commercial products and the subsequent vulnerability feeds for them. I'm unaware of anyone in the field that takes them seriously.
The assumptions about environment and the system-under-test have been the Achilles' heel in any certification I've been part of.

It isn't like the CC folks aren't aware of the problem. The idea was that the Security Target (definition of the system) could declare conformance to a standardized Protection Profile which consumers could use as a shortcut to understanding what was promised.

However, nobody looks at STs nor PPs except the vendor and the certifier, so all that work is for naught. You could absolutely get a CC cert with the environment that it is unplugged from a network.

Just like almost every FIPS 140 validated crypto module has a "FIPS mode" that is what was validated but is never actually used in production, even by government customers.
I'm unfortunately quite familiar with that.

Beyond getting slower updates, etc, FIPS mode has the unintentional side effect of being the "look at me I have interesting stuff" flag for potential attackers. It is usually quite easy to determine remotely that a networked device is in FIPS mode, too (due to allowed crypto protocols, etc).