At Glasswall we are proud to announce that we have developed two new additional cameras to increase our file-based threat support capabilities.
A camera is a term used at Glasswall to describe a piece of code or a plugin in our core Glasswall CDR Engine that allows our CDR Platform to perform CDR on specific file types.
Introducing SVG and WebP CDR capability
SVG and WebP file support is vital – without it, organizations are vulnerable to a number of attack surfaces. Our core engine can now process both SVG and WebP file types, helping our file-based threat protection capabilities reach even further.
Ensuring efficacy for all our CDR solutions is a core part of what we do. Developing new cameras to increase our file support capabilities helps us to deliver a better overall solution for our customers, but it is our extensive pre-release testing that ensures Glasswall CDR cameras really deliver for our users.
Each camera is tested within the Glasswall CDR engine to ensure its ability to successfully reconstruct files – potentially pre-loaded with malware – to their manufacturers known-good specification.
Glasswall support for SVG and WebP file types also utilizes content management policies. Users can switch on and off the sanitization of certain content items based on their company policy.
What are the risks posed by SVG files?
Entities:
SVG files are an XML-based vector image. XML-based images allow ‘the entity to be included’ function. This is where Entities can be used to define shortcuts to special characters, and can be declared to be internal or external.
Why is this a risk?
Entities are specifically targeted by XML Bombs or Exponential Entity Expansion attacks, such as the Billion Laughs Attack. Bad actors are able to take advantage of XML entities within the SVG file.
They can then write their own XML code with entities that are many levels deep. When an XML parser loads this SVG file, it will begin to expand and process the data strings, and because of the depth the bad actor created within the XML entity, the Parser will become overwhelmed and crash, causing the whole service to crash. This is an especially common attack vector used to take down e-commerce and other high-value websites.
Scripts
All aspects of an SVG document can be accessed and manipulated using scripts in a similar way to HTML. The default scripting language is ECMAScript (closely related to JavaScript) and there are defined Document Object Model (DOM) objects for every SVG element and attribute. Scripts are enclosed in <script> elements, meaning that if a web server allows a user to upload an arbitrary SVG image, it is then vulnerable to cross-site scripting.
Why is this a risk?
JavaScript code can be executed within the browser context, which means an attacker can use a compromised file to perform malicious activities, such as stealing information.
Foreign Objects
SVG has a feature that allows for the injection of HTML code. SVG is an XML-based vector image so HTML cannot simply be put into it. This would cause the syntax of the XML to be broken. To avoid this, SVG has an element known as a Foreign Object that allows the inclusion of elements from a different XML namespace. In the context of a browser, this would most likely be (X)HTML.
Why is this a risk?
(X)HTML code can be rendered from the SVG to a webpage. This ability to run any HTML code means the user is at risk of attacks such as phishing, bypass same-origin and CSRF (Cross-Site Request Forgery) from inside the compromised SVG image.
Hyperlinks
Just like (X)HTML, SVG supports linking to content within the document and to external resources, for example, other SVG documents, HTML or XML documents, images, videos, or any other kind of typical resource you may want to link to.
Why is this a risk?
The xlink:href attribute defines a reference to a resource as a reference IRI. The exact meaning of that link depends on the context of each element using it. You could be compromised to the Billion Laughs Attack via this method, or unwillingly access a resource on the web to download a payload.
What are the risks posed by WebP files?
Data disclosure
For WebP, we have included a new content management switch for the removal of metadata when reconstructing a file. This secures end users against data disclosure risks, removing data such as the author of the file. The following also applies to .SVG file support. We determine whether a file is masquerading as something else. If the file is something other than WebP when it’s DNA is analysed, the Glasswall engine will process the true file type or block it if that file type is unsupported.
The ‘determine file type’ feature of the engine applies to all Glasswall Supported file types. This goes beyond just checking the extension (which can be changed) and utilizes more reliable techniques including high-level structural verification, magic number checks and GUIDs/class IDs found in some formats.
The Glasswall Engine will also ensure that the file is not malformed. It is possible in some cases for bad actors to append payloads to certain structures within the file. By ensuring attributes within structures such as the file header are as expected, Glasswall secures against these types of risks. The file is reconstructed back to the ‘known good’ specification, complying in this case with the WebP Container Specification.
Why is this a risk?
The metadata of a file can contain sensitive information, such as author name, classified information or infrastructure operations, which is not meant to be broadcast publicly. If bad actors access this information, it can have far-reaching and long-standing consequences for the organization’s reputation, partners, and individuals.
Glasswall’s file support future
At Glasswall our product development roadmap is never ending. We continually work to develop new cameras to support more file types, and we continuously make performance improvements to our core CDR engine and associated products to ensure the best level of file-based security is achieved for all our clients.
To experience the benefits of Glasswall CDR, trial our Desktop Freedom solution for free.
