Scanning Embedded Systems In The Enterprise With Nessus
It’s the Small Things
Embedded systems continue to be overlooked in many environments, but often can present as much risk, if not more, than other systems on your network. Every enterprise has some form of an embedded device, from printers to routers and switches, that exists on the network and exposes services that could be exploited. Some recent examples include:
- HP Printer Directory Traversal - Printers are found in every enterprise network, and while thought to be limited in functionality, can present great risk to your sensitive information. A recent directory traversal vulnerability underscores this risk. Since most do not bother to harden the printers, management services available via HTTP are frequently left open. In this case the directory traversal allows attackers to view the print cache, potentially acquiring sensitive information from documents awaiting printing. Nessus contains a plugin to detecet this vulnerability, plugin ID 36129, HP LaserJet Directory Traversal.
- Aruba SSH Authentication Bypass - Dubbed "thin AP" solutions from Aruba and other manufacturers, this technology allows you to more easily manage your wireless network and security. All of the processing is done on the "Controller", such as encryption and session management. A flaw exists that allows a remote attacker to login and bypass authentication under certain conditions (if SSH public key trust are in use). This would allow an attacker to access the encryption keys and potentially capture and/or view the decrypted wireless traffic.
- Mini-Web Vulnerabilities - The MiniWeb is a very small and cross-platform web server. It suffers from several vulnerabilities, including remote file viewing and a remote buffer overflow. The dangerous issue is that MiniWeb could be used in any number of embedded systems functioning as the web server. Nessus contains a plugin for these vulnerabilities, plugin ID 31345, GET Request Traversal Arbitrary File Access.
Tuning Your Scan
There are several factors to consider when scanning embedded systems:
- Speed - Embedded systems are typically much less powerful (less CPU, memory and hard disk space, if any) than most other systems on your network. In addition, the interface exposed to the network is typically for management of the device, and therefore gets a much lower priority with regard to performance. Given these factors, embedded systems typically take much longer to respond to the constant stream of requests that a vulnerability scanner will send to the device.
- Availability - You should configure your scan for a balance between speed and availability. If your scan settings are too aggressive, you can easily overwhelm the host, most likely filling up the TCP state table and causing the device to become unresponsive. If you do bring down the device you could disrupt operations, prevent others from managing the device and cause the scan to end prematurely, potentially missing vulnerabilities.
- Platform - Many embedded systems are based on common operating systems such as Windows or Linux and stripped down to the bare essentials. Your scan settings should reflect this and be configured to find missing patches and other platform specific vulnerabilities, as you may be surprised at the results.
Let’s look at some settings that work well when scanning embedded systems. In order not to overwhelm the TCP/IP stack on embedded systems, limit the port scanner range to a few select ports. The list in the screenshot below represents services commonly found on management interfaces of embedded systems, such as HTTP, FTP, TELNET and SNMP.
Safe checks has been disabled for this scan, but this can be enabled if you are worried about crashing a service or the entire device. Since we are limiting to a select group of ports, both the "Nessus UDP scanner" and "Nessus TCP scanner" have been enabled along with the "Nessus SNMP scanner". In the screenshot below, a username and password has been entered in the "Advanced" tab under "Login Configurations":
Many embedded systems will implement Basic Authentication to manage access to the web management interface. A very common username and password combination is "admin/admin", which has been entered and will be used by Nessus to attempt to login to HTTP servers. If successful, the web application testing plugins will test the web management interface with credentials and identify any easily discoverable web application bugs, such as XSS and SQL injection.
When not scanning large networks you can tell Nessus to be more thorough and run plugins that may be experimental or take a bit longer:
The "Enable CGI scanning" checkbox performs web application checks, "Enable experimental scripts" runs plugins that are still in the testing phases and "Thorough test (slow)" causes several Nessus plugins to perform extensive additional checks.
Plugin Selection & Plugins Targeting Embedded Systems
The majority of the Nessus plugin families apply to embedded system scanning, primarily due to the fact that most embedded systems contain common ports and services and are based on popular operating systems already in widespread use. However, since embedded systems are sensitive to Denial of Service (DoS), the "Denial of Service" plugin family can be disabled as it contains plugins that will purposely attempt to cause DoS conditions. DoS testing can be done separately to prevent interference with finding other vulnerabilities.
There are also some plugin families that rarely apply to embedded systems, including "Netware", "NIS" and "Peer-To-Peer File Sharing". These plugin families have also been disabled. Typically embedded systems do not run Novell software, support NIS or run P2P services and associated software so they can be safely disabled.
Nessus contains several specific plugins to test embedded system for vulnerabilities. A few recent examples include:
- embedded_web_server_detect.nasl - Detects over 60 signatures associated with embedded web servers including printers, wireless routers and VoIP phones.Continually updated with new web server signatures.
- mikrotik_blank_password_www.nasl - Checks for a blank password on Mikrotik router HTTP web management interface. This plugin looks at the HTML login page, tests for default credentials and does not rely on Basic Authentication.
- linksys_ap_default_password.nasl - Test the popular WRT54G series router default password pairs. Currently looks for a blank username and password of "admin" and the "admin/admin" username/password pair.
Embedded systems exist in all enterprise environments, primarily as management interfaces for devices such as printers, routers and switches. They should be segmented on their own network, have the services into that network restricted, as they can contain vulnerabilities and be susceptible to DoS conditions. Nessus can be used to identify vulnerabilities, including DoS conditions, in embedded systems. Several options exist in Nessus to ensure an accurate and successful scan. Tenable maintains several plugins that identify several vulnerabilities in common and specific embedded systems. It is important to include embedded systems within your vulnerability management program and patch them on a regular cycle just as you would any other system on your network.