Will Continuous Penetration Testing lead to more Zero-Days?
Point-in-time penetration testing has long been the mainstay of our industry. For many of our clients, testing runs for a period of weeks at a quarterly or semi-annual cadence. One such client had completed a four-week engagement before transitioning to continuous penetration testing. While that engagement identified several vulnerabilities, none of them indicated significant risk. Through continuous testing, however, well-hidden and previously undetected zero-day vulnerabilities were identified.
On closer inspection, OccamSec's penetration testers discovered two zero-day vulnerabilities (CVE-2023-34037 and CVE-2023-34038) in a VMware Horizon Server used by the client. Between them, these vulnerabilities gave external threat actors a vector for HTTP request smuggling attacks and allowed attackers to learn the internal IP address of the VMware instance. While these findings may not be rated critical, they underscore the limitations of short assessment windows and the benefits of continuous penetration testing.
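To make the vulnerability class concrete, the following Python is an added example (not code from the original post, and not a reproduction of the Horizon issue, whose technical details neither this page nor the advisory spells out). It models the generic CL.TE desync behind HTTP request smuggling: two toy parsers, one that trusts Content-Length and one that trusts Transfer-Encoding, read the same constructed byte stream and disagree about where one request ends and the next begins, so an attacker-supplied prefix swallows the start of the next user's request. The parsers, the request bytes, the host name and the `reject_ambiguous_length` check are all constructed for illustration.

```python
"""
Toy model of a CL.TE desync, the mechanism behind HTTP request smuggling.
Everything here (parsers, request bytes, host name) is constructed for
illustration; it is not the Horizon bug from VMSA-2023-0017.
"""
from typing import Dict, List, Tuple

Message = Tuple[bytes, Dict[bytes, bytes], bytes]  # (request line, headers, body)


def parse_headers(stream: bytes) -> Tuple[bytes, Dict[bytes, bytes], bytes]:
    """Split one request's head from the rest of the stream; lower-case header names."""
    head, _, rest = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest


def read_chunked(rest: bytes) -> Tuple[bytes, bytes]:
    """Decode a chunked body; return (body, bytes left over after the 0 chunk)."""
    body = b""
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            _, _, rest = rest.partition(b"\r\n")   # skip the blank line after the last chunk
            return body, rest
        body += rest[:size]
        rest = rest[size + 2:]                      # chunk data plus its trailing CRLF


def split_by_content_length(stream: bytes) -> List[Message]:
    """Front end that honours Content-Length and ignores Transfer-Encoding."""
    messages: List[Message] = []
    while stream:
        req_line, headers, rest = parse_headers(stream)
        length = int(headers.get(b"content-length", b"0"))
        body, stream = rest[:length], rest[length:]
        messages.append((req_line, headers, body))
    return messages


def split_by_transfer_encoding(stream: bytes) -> List[Message]:
    """Back end that prefers Transfer-Encoding: chunked over Content-Length, as
    RFC 9112 section 6.3 requires when both are present. That section also says
    such a message ought to be treated as an error; this parser deliberately
    omits that check so the desync is visible."""
    messages: List[Message] = []
    while stream:
        req_line, headers, rest = parse_headers(stream)
        if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
            body, stream = read_chunked(rest)
        else:
            length = int(headers.get(b"content-length", b"0"))
            body, stream = rest[:length], rest[length:]
        messages.append((req_line, headers, body))
    return messages


def reject_ambiguous_length(headers: Dict[bytes, bytes]) -> None:
    """The hardened behaviour: refuse a message that carries both length headers."""
    if b"content-length" in headers and b"transfer-encoding" in headers:
        raise ValueError("ambiguous message length: both Content-Length and Transfer-Encoding")


def request_lines(messages: List[Message]) -> List[bytes]:
    return [m[0] for m in messages]


def desync_detected(stream: bytes) -> bool:
    """True when the two parsers disagree about the request boundaries in the stream."""
    return request_lines(split_by_content_length(stream)) != request_lines(split_by_transfer_encoding(stream))


# Constructed attacker request: Content-Length covers the whole body, but the
# chunked body ends at "0\r\n\r\n", leaving SMUGGLED_PREFIX unread on the back end.
SMUGGLED_PREFIX = b"GET /admin HTTP/1.1\r\nX-Smuggled: "
ATTACKER_BODY = b"0\r\n\r\n" + SMUGGLED_PREFIX
ATTACKER_REQUEST = b"".join([
    b"POST / HTTP/1.1\r\n",
    b"Host: target.example\r\n",
    b"Content-Length: %d\r\n" % len(ATTACKER_BODY),
    b"Transfer-Encoding: chunked\r\n",
    b"\r\n",
    ATTACKER_BODY,
])
# Constructed request from an unrelated user, sent next on the same back-end connection.
VICTIM_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: target.example\r\n\r\n"

if __name__ == "__main__":
    wire = ATTACKER_REQUEST + VICTIM_REQUEST
    print("front end sees:", request_lines(split_by_content_length(wire)))
    print("back end sees: ", request_lines(split_by_transfer_encoding(wire)))
    print("desync:", desync_detected(wire))
```

Run stand-alone, the front end reports two requests, `POST /` and `GET /index.html`, while the back end reports `POST /` and `GET /admin`, with the victim's request line buried inside the smuggled `X-Smuggled` header. The point for testers is that nothing in either request looks malformed on its own; the bug only appears when two components' interpretations of the same bytes are compared, which is the kind of logic-level finding the rest of this post argues for.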
OccamSec immediately contacted VMware Security to begin responsible disclosure. The time this coordinated process takes varies widely, from a few days to several months, covering everything from the initial report through patch development or the creation of a workaround. While coordinating with VMware Security, OccamSec kept the client informed of VMware's progress until a fix was released.
Automated tools detect vulnerabilities by matching predetermined patterns and attack-vector signatures. Automation stumbles, however, on vulnerabilities rooted in complex application logic: these have no clear pattern for a tool to trace, so human testers must understand the intended behavior of the affected system and pinpoint inconsistencies or abuses of that logic. Combining automation with human analysis on a continuous basis gives deeper coverage of the attack surface and allows more impactful vulnerabilities to be discovered.
Without continuous penetration testing, the VMware vulnerabilities would have gone unnoticed. Incenter and continuous penetration testing supplied an additional layer that allowed a thorough evaluation of the client environment with more time allocated. This additional time and human expertise, on top of the underlying automation, is what made the detection of these zero-day vulnerabilities possible.
A working relationship between automation and human penetration testers is necessary to build a robust security posture for organizations across the board.
The VMware Security Advisory detailing the affected versions of VMware Horizon is available at https://www.vmware.com/security/advisories/VMSA-2023-0017.html.