Exceeding CIS and NIST Benchmarks - Third Party Patch Auditing
For organizations that actively track and manage their base operating system patches and configurations, a somewhat lofty goal is to tighten down third-party patches as well. An organization can have every Microsoft patch installed and its systems hardened to NIST, CIS and vendor recommendations, and still carry major exposure from open source, freeware and third-party applications that nobody is tracking.
The Pain Of Non-Standard Patching
I recently went through a security audit and patch upgrade on a personal Microsoft laptop. It had no Microsoft flaws or security issues and was locked down fairly tightly. Having said that, it still had major security issues with a variety of third-party applications. When scanned with Nessus using credentials, it found:
- VMWare Server was out of date a few releases
- Several versions of the JAVA Runtime environment were enabled
- My favorite FTP client (FileZilla) was a full major version out of date
- Quicktime had not been updated in a long while
- An ActiveX control in FLEXnet Connect was also exploitable
- The APSB07-12 advisory for Flash
The upgrade process was nothing like my typical smooth and silent Microsoft upgrades that happen during shutdowns and on Tuesdays. If you want to avoid my long list of things that were required to get the laptop secured, feel free to skip to the next section.
With VMware, I needed to reboot the laptop, and then reconfigure the virtual NAT environment after wondering why I couldn't ssh into my Linux VMs.
With the JAVA vulnerabilities, even though live updates had been enabled, multiple older versions of the JAVA runtime environment had been installed and were vulnerable to a variety of exploits.
When upgrading to FileZilla 3 from FileZilla 2, the older version was not uninstalled. Even though I ran the upgrade process, it didn't uninstall the older version and I had to manually check the 'About' link within the application to realize that the laptop treated these like two separate applications and not an upgrade.
The Quicktime install was very old, even though live updates were supposedly enabled. Performing a manual download from Apple fixed all vulnerabilities detected by Nessus. I was very tempted to try and figure out why the updates were not occurring, but there were other issues to patch.
Nessus plugin 25371 had also detected an issue with a FLEXnet ActiveX control. This is a vulnerability in InstallShield. I didn't have time to figure out which application actually installed this issue, and the available patch from Macrovision seemed to focus more on developers than end-users. In the end, I had to manually set a registry setting as recommended by CERT.
And lastly, I had my biggest issue patching the Adobe APSB07-12 Flash bug. Our Nessus plugin checks for both a Flash plugin as well as an ActiveX control. Simply downloading the patch within Firefox isn't enough. To get the latest ActiveX control, you need to actually visit Adobe's update site with Internet Explorer.
The point of this exercise is that I was just one user. In an enterprise with dozens or hundreds of users, if third-party applications are in use, it becomes very difficult to keep configurations normalized, let alone keep laptops and desktops secure.
Active Scanning with Nessus
With more than 17,000 plugins in its vulnerability database, Nessus checks for a wide variety of non-Microsoft vulnerabilities on Microsoft platforms. These security issues include, but are not limited to:
- Issues with popular email and web clients such as Opera, Mozilla and Thunderbird
- Vulnerabilities in security specific products such as anti-spyware, anti-virus and even Secure Shell clients
- Backup and network management software from EMC and CA
- Media players from Apple and Real Networks
- A wide variety of Internet chat, video conferencing, FTP and other common applications such as Skype, Google Talk and FileZilla.
If one of these applications has a "server" component (iTunes, for example, listens on certain ports even though it is a client application), Tenable's research team will attempt to write a Nessus plugin that recognizes the service over the network and determines its patch level.
However, the most reliable way to identify this type of software is with administrator credentials. In most modern Microsoft environments, an IT audit group can leverage the administrator account on Windows XP Pro and Windows 2003 systems to audit all installed software and configurations with Nessus.
Another byproduct of auditing systems with credentials in Nessus is the ability to enumerate all software installed across the network. When managed by the Security Center, the list of enumerated and discovered software can be analyzed with a variety of tools and even used to categorize systems based on the type of software installed.
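The software inventory a credentialed audit produces comes largely from the Windows Uninstall registry keys, and the side-by-side problem described above (several JREs installed at once, FileZilla 2 left behind next to FileZilla 3) shows up there directly. The following PowerShell script is an added example, not Tenable's code or a Nessus plugin: it builds the inventory from those keys, flags products present in more than one version, and compares entries against a minimum-version baseline. The baseline versions in `$minimumVersions` and the product names it keys on are placeholders; the real minimums come from your scanner results or the vendor advisories.

```powershell
# Added example (not Tenable's code). Enumerates installed software from the
# Uninstall registry keys, the same data a credentialed audit reads, then flags
# products installed side by side in several versions or below a minimum version.

# Per-machine (32- and 64-bit views) and current-user uninstall keys
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-InstalledSoftware {
    foreach ($path in $uninstallPaths) {
        if (-not (Test-Path $path)) { continue }
        Get-ChildItem $path | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if (-not $p.DisplayName) { return }      # hotfix or placeholder key, skip it
            # Collapse "FileZilla Client 3.0.0", "Java(TM) SE Runtime Environment 6 Update 3",
            # "Mozilla Firefox (2.0.0.6)" to a bare product name so versions group together
            $product = ($p.DisplayName -replace '\s+\(?v?\d.*$', '').Trim()
            [pscustomobject]@{
                Product     = $product
                DisplayName = $p.DisplayName
                Version     = [string]$p.DisplayVersion
                Publisher   = [string]$p.Publisher
                KeyPath     = $_.Name
            }
        }
    }
}

function ConvertTo-ComparableVersion {
    param([string]$Text)
    # Vendors write versions like "1.6.0_03" or "9.0.47.0"; keep only digits and dots,
    # at most four components, so [version] can compare them. Returns $null if unparsable.
    $clean = (($Text -replace '_', '.') -replace '[^\d.]', '').Trim('.')
    if (-not $clean) { return $null }
    $parts = @($clean.Split('.') | Where-Object { $_ -ne '' } | Select-Object -First 4)
    if ($parts.Count -lt 2) { $parts += '0' }
    try { return [version]($parts -join '.') } catch { return $null }
}

# Placeholder baseline: minimum acceptable version per product name as it appears
# after normalization above. Replace with the minimums your scanner or vendor publishes.
$minimumVersions = @{
    'FileZilla Client'                = '3.0.0'
    'Java(TM) SE Runtime Environment' = '1.6.0.3'
}

function Get-PatchFindings {
    param([object[]]$Inventory, [hashtable]$Minimums, [string[]]$AllowSideBySide)
    $findings = @()
    foreach ($g in ($Inventory | Group-Object Product)) {
        $versions = @($g.Group | Select-Object -ExpandProperty Version -Unique)
        # Several versions of one product usually means an upgrade that did not remove the old one
        if ($versions.Count -gt 1 -and $AllowSideBySide -notcontains $g.Name) {
            $findings += [pscustomobject]@{
                Product = $g.Name; Issue = 'multiple versions installed'; Detail = ($versions -join ', ')
            }
        }
        if ($Minimums.ContainsKey($g.Name)) {
            $required = ConvertTo-ComparableVersion $Minimums[$g.Name]
            foreach ($entry in $g.Group) {
                $have = ConvertTo-ComparableVersion $entry.Version
                # Unparsable versions are reported too rather than silently passing
                if ($null -eq $have -or $have -lt $required) {
                    $findings += [pscustomobject]@{
                        Product = $g.Name; Issue = 'below minimum version'
                        Detail  = "$($entry.DisplayName) ($($entry.Version)) < $($Minimums[$g.Name])"
                    }
                }
            }
        }
    }
    return $findings
}

$inventory = Get-InstalledSoftware
$inventory | Sort-Object Product, Version | Format-Table Product, Version, Publisher -AutoSize
# .NET Framework releases legitimately coexist, so they are excluded from the side-by-side check
Get-PatchFindings -Inventory $inventory -Minimums $minimumVersions -AllowSideBySide @('Microsoft .NET Framework') |
    Format-Table -AutoSize
```

Run it as an administrator on the host being audited; the HKCU path only covers the logged-on user, so per-user installs for other accounts need the corresponding HKEY_USERS hives loaded. The inventory section lists everything regardless of baseline, which is the part that lets you categorize hosts by the software they carry, while the findings section is what you would compare against the credentialed scan results.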
Continuous Network Monitoring with the PVS
Tenable's research group also focuses on the type of network traffic generated by these third party applications. The Passive Vulnerability Scanner rules are typically in lock-step with the type of client-side vulnerabilities discovered by a Nessus credentialed audit.
In the above example of third-party patching I went through, the PVS detected most of the issues with the exception of the Flex licensing security hole.
The PVS has the advantages of not requiring credentials to audit a host and being able to run 24x7, but does have a disadvantage that the software needs to be used on the target platform. This is not a large disadvantage when looking for software in use in your organization. Users who download these tools will likely use them at least once, which the PVS can see and record.
Some of our customers actually prefer to use what the PVS finds because those are the clients that are actually in use on the network.
Putting it All Together
The main advantage of exceeding a compliance standard is that your network configurations have much more leeway before becoming "non-compliant". A more practical benefit of focusing on third-party security issues is that your network will also be more secure and more uniform.
We've blogged before about how Nessus and the PVS can be used to audit your patches (as well as your patching process). If this article was interesting to you, the following Tenable blog entries will also likely be of use: