Patch Auditing

Research Spotlight: Oracle Patch Auditing

by Paul Asadoorian on July 8, 2010

Oracle has implemented a quarterly patch release cycle for its customers. Patches for all Oracle products are released on this schedule, and typically fix dozens of vulnerabilities in their database software, Sun Java (recently acquired) and other enterprise products.. They have a similar rating system to other major vendors (such as Microsoft and Cisco) with regular patch release cycles. Oracle describes the severity of each vulnerability using the Common Vulnerability Scoring System (CVSS): "Access Vector", "Access Complexity", "Authentication", "Confidentiality", "Integrity" and "Availability". It is a great way to categorize vulnerabilities; however, this still leaves you with the important task of scheduling, testing and applying the updates. Tenable's Research team has added the ability to perform an Oracle patch audit into the Nessus vulnerability scanner. A new plugin was created (oracle_rdbms_query_patch_info.nbin) that logs into an Oracle database and runs a set of queries to determine which patches are missing: Query 1 - Determines the hostname of the system the database is running on (important when Nessus is testing an Enterprise Manager Grid Controller that contains patch information of other hosts). Query 2 - This query pulls the installed "PatchID" and the "Oracle_home" it is installed in. Query 3 - If Nessus found any PatchIDs in Query 2, it looks up all the bugs that were superseded by each PatchID that was found in Query 2. The patch information comes from the same tables that are used by Oracle Enterprise Manger and Oracle Enterprise Manager Grid Controller for patch management.

Penetration Testing Summit 2010

by Paul Asadoorian on June 17, 2010

The SANS Penetration Testing Summit was held this year at the Hyatt Baltimore in Baltimore, MD on June 14 - 15 and was focused on “What Works in Penetration Testing". The event was held just across from Camden Yards, home of the Baltimore Orioles. Tips For Penetration Testers I participated in a panel discussion with Joshua Wright, Vincent Liu and Joshua Abrams titled, "Most Effective New Technique You've Applied in the Past 12 Months". We started by having each of us share two fun, new or interesting penetration testing techniques that we've applied in the past year. It was a great discussion, covering topics such as wireless, vulnerability assessments and what tools to get started with. I shared a story with the audience about lock picking. The story details the travels of my friend (let's call him "Bob") who was put into a situation where he had to pick a lock. Bob did not have his lock-picking set and was forced to use more crude tools. In the end, Bob ended up prying off the entire doorknob with even more rudimentary and crude tools. I then circled back around to the lessons learned and how they apply to both lock picking and penetration testing:

Nessus Spotlight: su+sudo Feature

by Carole Fennelly on May 28, 2010

With the release of Nessus 4.2.2 a new method of credential elevation has been included for Unix-based hosts that have sudo installed: “su+sudo.” This method allows you to provide credentials for an account that does not have sudo permissions, su to a user account that does, and then issue the sudo command. This configuration provides greater security for your credentials during scanning, and satisfies compliance requirements for many organizations. To enable this feature, simply select “su+sudo” in the “Elevate privileges with” section under the credentials/SSH settings as shown in the following screen shot: Under the “SSH user name”, and “SSH password” tabs, enter the credentials that do not have sudo privileges. In the example above, the user account is “raven.” From the “Elevate privileges with” pull-down menu, select “su+sudo.” Under the “su login” and “su/sudo password” tabs enter the user name and password that do have privileged credentials, in this example “sumi.” No other scan policy changes are required.

Microsoft Patch Tuesday Roundup - April 2010 - Superman Edition

by Paul Asadoorian on April 14, 2010

It’s A Bird, It’s a DoS, It’s Remote Code Execution! I've always cautioned people about the danger of disregarding vulnerabilities that are labeled as "Denial of Service" ( Such as MS10-014 from February ) for a couple of reasons. First, when a bug exists in the code that allows something to "crash", there is usually a potential that the "crash" could somehow allow for code execution (remember that a buffer overflow is just a controlled crash). Second, when code is being analyzed so that the bug can be fixed, the surrounding code is often analyzed to be certain there are no other bugs or vulnerabilities. This analysis could lead to the disclosure of other vulnerabilities or a new way to turn a DoS into remote code execution. This appears to be the case with MS10-20, which was first publicly disclosed as a DoS bug in the SMB client. Microsoft is now reporting it as a vulnerability that "could” allow remote code execution. Upon further inspection, the security bulletin reports five vulnerabilities related to the SMB client that are patched in MS10-20. The first is the original DoS bug reported by Laurent Gaffie to the Full Disclosure mailing list on November 11, 2009. The general consensus was to dismiss this bug because it was "just a DoS".

The Value Of Credentialed Vulnerability Scanning

by Paul Asadoorian on March 5, 2010

"What Am I Doing Wrong?" I am often asked, "What am I doing wrong in regard to security?". This question is usually in reaction to some event, such as a failed audit, a network outage as a result of malware or worm or a breach that was detected in the environment. I ran into this situation while doing incident response for a large university. It was my job to monitor the network and respond to the major incidents that were occurring (it was also up to me to determine what was "major" and what was not). I worked with many different network and system administrators on campus to help them improve the security of their respective departments. However, this was an academic environment full of students and professors who wanted to work in a free and open environment, which turns out is one of the most difficult to secure! If a department had a compromise, I would do my best to help them figure out what happened and take measures to prevent it from happening again. A comprehensive assessment would next be performed to gain a better understanding of the security shortcomings and appropriate remediation measures. These types of assessments can be a daunting task for any security professional. Nessus was one of the primary tools we used to get a handle on the vulnerabilities in the environment. While it is important to scan for vulnerabilities such as missing patches or buffer overflows, assessments need to go deeper than that because attackers will use any approach they can to breach a system. A mis-configured system does not necessarily have a CVE or BID entry. The more comprehensive the audit, the better chance I had of making a recommendation that would effect change and result in better security (which really boiled down to me not having to come back in “incident response mode”).

Microsoft Patch Tuesday - January 2010 - "Aged Cheese" Edition

by Paul Asadoorian on January 14, 2010

Stinky, Aged Operating System? It’s that time of the month again - Microsoft patch Tuesday of course! This month I expected to research several different vulnerabilities, how they work, methods to detect them, etc. However, Microsoft is only patching one vulnerability this month. I can’t believe there is only one vulnerability this month! In any case, this month's vulnerability occurs in the way applications handle Embedded OpenType fonts . I was a bit puzzled as to why so much effort was going into font rendering until I discovered that it is common for web sites to implement different languages and have them display correctly to the end user (primarily for “non-English” languages). The vulnerability is triggered when a user renders fonts on a web page or by opening a Microsoft Office document that contains embedded fonts. An interesting fact about this bulletin (which only covers one CVE entry, CVE-2010-0018 ) is: "This security update is rated Critical for Microsoft Windows 2000, and is rated Low for Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2."

Patch Tuesday - November 2009

by Paul Asadoorian on November 13, 2009

Another Tuesday, another round of security bulletins from Microsoft. Are you patched? Nessus contains credentialed local checks for all security bulletins, and a network-based uncredentialed check for MS09-064 . Severity is a Matter of Perspective What struck me as interesting this month are the severity ratings. Microsoft publishes these ratings as a guide to help customers evaluate the vulnerability risk. In many cases, they seem to be doing their customers a disservice. For example, a remotely exploitable vulnerability in Microsoft Word or Excel could be leveraged by attackers to compromise desktop systems. These types of vulnerabilities are frequently exploited by attackers and penetration testers alike to gain access to sensitive information. The advice I always give to organizations is to evaluate each vulnerability with respect to how it affects your business, not what has been published by the vendor. In addition, if the evaluation of severity is coming from a vendor, it should adhere to some industry accepted standard calculation, such as the CVSS score . Nessus plugins use this scale (1-10, with 10 being the most severe) as a rating for the severity of the vulnerability. While Microsoft rates MS09-067 (a vulnerability in which arbitrary code can be executed as a result of opening an Excel file) as important, Nessus gives it a CVSS score of 9.3. Use these ratings as a guide to develop your patching strategy. For example, if you heavily use Excel, you will need to patch right away. If you do not use Excel, then it is not as critical to patch. You could employ a temporary solution for mitigation by blocking incoming Excel file attachments while you focus on vulnerabilities that pose a bigger risk.

Scanning Windows 7 With Nessus 4.2

by Paul Asadoorian on November 12, 2009

Windows 7 - a "Shiny" New Operating System Most experts agree that producing Windows Vista was not a shining moment for Microsoft. It was plagued with problems from the start, including performance and stability issues . Many organizations flat out refused to upgrade from Windows XP to Vista, deeming it not worth the investment of resources and overall cost of the upgrade. Windows 7 is now here to replace Vista and XP, and the reviews have been positive from the beginning. In my own environment, I stayed away from Vista and jumped right into Windows 7. I believe that as Windows XP comes to its end of life, Windows 7 will step right in to replace it, despite the upgrade costs. Most people will likely skip the Windows Vista upgrade and gravitate towards the "shiny" new Windows 7 operating system . An example of the "shiny" new OS, Windows 7 makes several improvements to the end user interface.

Using Nessus To Audit Microsoft Patches

by Paul Asadoorian on October 25, 2009

Last week Microsoft released 13 security bulletins covering 34 vulnerabilities , much to the delight of overworked system administrators who now have to roll out and test the patches in their environment. Organizations are most likely at different stages in the patch deployment process, some may still be testing and some may have the patches rolled out to the entire environment. What all organizations have in common is the need to verify that patches have been installed properly. Nessus has several features, including credentialed scanning and plugins that list missing patches and can assist in the patch verification process. We have produced a short video that demonstrates how to run this type of scan: You can also find a full size version of the above video on the Tenable YouTube Channel .

When Patch Auditing Tools Collide

by Ron Gula on July 27, 2009

I recently had a customer report they were experiencing Nessus “over reporting” when compared to his Windows patch auditing tool. This blog reviews some of the many reasons you can get different results with different tools, especially on Windows operating systems.