Vulnerabilities

Shmoocon 2011 Conference Wrap-Up

by Paul Asadoorian
February 1, 2011

Getting to ShmooCon each year is always challenging (as is trying to get home). Mother Nature seems to enjoy disrupting the travel to and from the conference, which is held in Washington, D.C in January or February of each year. Despite the weather issues, I've always found it to be a conference worth attending. It features quality talks, leading security researchers sharing thoughts and ideas and several extra events such as "Firetalks" and "Hacker Karaoke".

Nessus-Shmoo-sm.png

From Printer to Domain Admin

I've always been fascinated with the concept of attacking printers. The common misconception of "oh, it’s only a printer" makes them a prime target for attackers because people believe that printers pose little to no security risk. This mindset typically translates to the following conditions, which help to fuel my fascination:

SSL Certificate Authority Auditing with Nessus

by Ron Gula
December 28, 2010

Do you know where all of your organization’s SSL certificates are and if they are providing enough protection to you and your customers? Nessus can be used to identify all SSL certificates in use, test if they are expired and with the advent of plugin # 51192, test that they have been securely signed by a valid certificate authority. This blog entry will review Nessus’s SSL certificate auditing ability and describe how plugin #51192 can help monitor your network for untrustworthy SSL certificates.

Microsoft Patch Tuesday Roundup - December 2010 - "Bad Santa" Edition

by Paul Asadoorian
December 15, 2010

MadSanta-SM.jpg

Attackers have been very naughty, IT departments have been mostly nice and Microsoft has fulfilled the role of “Bad Santa”. This holiday season, Microsoft has filled your stockings with 17 security bulletins fixing 40 vulnerabilities. But where does that leave us?

What Else Could You Say?

Note: The word "could" appears in the title of all 17 security bulletins this month

I could say a lot of things about this month's Microsoft Patch Tuesday release. I could say that you should apply patches (except that my boss hates the word “should”). I could say that despite all of the patches released, there are still most likely to be 0-day exploits for several unpublished vulnerabilities. I could also say that your organization needs a solid patch management program. I could say, well, you get the point. After more than a year of writing up each one of the Microsoft Security bulletins, there's a lot I could say. The fact remains that several trends continue in the Microsoft "Black Tuesday" madness:

Plugin Spotlight: D-Link DCC Protocol Security Bypass

by Paul Asadoorian
October 28, 2010

Reconfiguring Access Points

Wireless threats come in many different forms, such as disclosure of cleartext credentials, breaking encryption schemes such as WEP and attacking wireless drivers on client systems. While you can extend the range of wireless signals, for the most part these attacks require that the attacker be in close physical proximity of the wireless network and/or client to execute. This is the primary reason why most organizations do not assign a high priority to defending against these attacks. There are far more attackers on the Internet than will be in close proximity to your wireless deployment.

However, something that worries me greatly are wireless attacks that break down these physical barriers. What if attackers could remotely attack a system and then use it to perform local wireless attacks? There have been some papers posted about using the local client system to enumerate wireless networks, but not much in the way of launching attacks. Malware that embeds itself in wireless routers has received limited exposure (except for the infamous "Chuck Norris" worm, that may have been due to the popularity of the "Chuck Norris Facts" web site).

In an effort to stay ahead of attackers, I recommend that organizations place a higher priority on protecting wireless clients and access points. There are several very concerning vulnerabilities in access points that are trivial to exploit. One example is the D-Link DCC Protocol Security Bypass.

Nessus Reaches Plugin 50000

by Paul Asadoorian
October 21, 2010

I am often astonished as to just how many vulnerability checks are included with Nessus. There is something to be said for the scope of the nearly 40,000+ plugins (the numbering of the plugins started at 10001). On October 19, 2010, Nessus plugin number 50,000 was published into the feed. Let's go back and take a look at some of the first plugins:

The "official" first numbered Nessus plugin in the feed is ColdFusion Multiple Vulnerabilities (File Upload/Manipulation) - Plugin ID 10001. I found some interesting information about this vulnerability:

"Although this vulnerability has been known for a while we think it is worse than originally thought. Users can upload and potentially execute files on the web server. Furthermore, few sites seem to have fixed the problem. Major commercial, government, and military sites have been found to still be vulnerable. We hope this advisory helps get the word out to all those webmasters.

-weld"


New Nessus Feature: Public Exploit Availability

by Paul Asadoorian
October 1, 2010

A new feature was introduced with the latest update to the Nessus web server (2.0.0) and Flash interface (build 20100913A) to provide "exploitability" information to the user. Each plugin now contains a field that indicates whether or not a publicly-known exploit for the vulnerability exists:

ExploitAvailable.png

The value will either be "True" if an exploit exists or "False" if an exploit is not publicly known. Nessus checks select sources for the presence of an exploit and updates this field accordingly. I purposely chose a "Medium" level vulnerability for this example, as exploits do not only have to be associated with “High” level alerts. In the above case, the vulnerability is a denial of service condition for NTP (Network Time Protocol), which just happens to have an exploit publicly available.

Microsoft Patch Tuesday Roundup - August 2010 - "Geronimo!" Edition

by Paul Asadoorian
August 12, 2010

This month's Patch Tuesday has been described by some as a "hot mess of vulnerabilities". This record-breaking Patch Tuesday contains 15 security bulletins that fix 34 vulnerabilities. While many people have been quick to classify which of these are "critical", I believe that criticality and risk are best determined by the affected organization, not third parties. However, I do recommend that everyone review the information presented, especially the resources prepared by the Internet Storm Center and the Open Source Vulnerability Database. Both of these sources pull in all of the relevant information about each security bulletin, providing a more complete picture to help evaluate your own prioritization efforts. The bulletins prepared by Microsoft are still not exploring the various aspects of each vulnerability and specifically do not always specify whether or not vulnerabilities can be exploited.

The "Mitigating Factors"

In the MS10-047 and MS10-048 security bulletins, which cover eight separate vulnerabilities, Microsoft states the following as a mitigating factor:

"Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users."

I don't like to point fingers or call people out, but Microsoft’s statement is not true. The statement that an attacker "must have" valid logon credentials is a bit concerning. If "logon credentials" are something that you have in your possession, such as a pen or a mouse, then the attacker does not need them. An attacker can certainly convince an already logged in user to execute the code to perform the privilege escalation. In this scenario, the attacker does not "have" the logon credentials. They are currently able to execute code as a non-privileged user, which is a completely different situation. The vulnerability can be executed remotely, provided you have already exploited a vulnerability that has granted you permissions to execute code as a non-privileged user. This is a very common method of attack, as users can be tricked into running all sorts of programs, code from a web site, email attachments and more. There are certain advantages to being logged in to a system as an administrator or with SYSTEM privileges, such as accessing files, installing keystroke loggers and sniffing the network.

parachute.jpg

Security Metrics - Is This Network Getting Better?

by Ron Gula
August 9, 2010

Metrics that show risk are an excellent way to communicate security information to different people and groups within an organization. However, trend lines can hide a lot of details and nuances. This blog entry discusses an example network where a month’s worth of scan data is used to trend overall vulnerabilities, those that have been around longer than thirty days and correlating systems needing a reboot with residual security issues.

Pages