Tenable Network Security Podcast Episode 180 - "Detecting Backdoors, One Vulnerability Trumps All (Sometimes)"
Announcements
- We're hiring! - Visit the Tenable website for more information about open positions.
- Check out our video channel on YouTube which contains new Nessus and SecurityCenter tutorials.
- Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics, and more!
- Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join Tenable's Discussion Forum for custom scripts, announcements, and more!
- You can subscribe to the Tenable Network Security Podcast on iTunes!
Discussion & Highlighted Plugins
Detecting Backdoors
- The latest Nessus plugin feed update includes detection for Poison Ivy, a popular backdoor used by attackers. Poison Ivy allows a remote attacker to control the compromised system, and has mechanisms to jump from process to process. While anti-virus products should detect the presence of this software, there's always a chance of gaps. For example, by modifying the Poison Ivy binary, you can change its signature. This means if your AV software is out-of-date, an attack will be successful. If a determined attacker, dare I say "APT," were to modify this software to bypass even up-to-date AV software, Nessus can be used as a second line of defense in conjuction with malicious process detection adding more malware detection layers.
Catching Third-party Software Vulnerabilities
- Perhaps one of the toughest challenges still for IT today, is keeping up with third-party software. Users will find ways to install software on their own (such as virtual machine software). Filling in the gaps nicely is the Tenable Passive Vulnerability Scanner (PVS). I've been running PVS on my lab network and witnessed firsthand as it flagged a PuTTY vulnerability on one system, and told me that my Flash player was out-of-date on my other system. Third-party vulnerabilities have a tendency to hide, and PVS helps uncover them in a big way.
One Vulnerability Trumps All (Sometimes)
- Reading about OSPF vulnerabilities has me worried, especially when the description states: This vulnerability could allow an unauthenticated attacker to take full control of the OSPF Autonomous System (AS) domain routing table, blackhole traffic, and intercept traffic. Routing protocol attacks, while limited to the local network (unless they refer to BGP) can be particularly damaging. "Intercepting traffic" has a deeper meaning. If an attacker is able to insert themselves into the middle of TCP/IP communications, the possibilities for attack are endless. IT teams must assign a high priority to this type of attack. While some traffic will be encrypted, injection attacks can undermine the encryption. For example, the ability to add any HTML or Javascript to any website the user visits translates into global XSS vulnerabilities, allowing an attacker to undermine any security controls you may have in place (eventually).
New & Notable Plugins
Nessus
General
- CA ARCserve Backup for Laptops and Desktops Server, CA Protection Suite, and CA Desktop Management Suite Integer Underflow
- PuTTY 0.52 to 0.62 Multiple Vulnerabilities
- Mac OS X Directory Service Buffer Overflow
- Poison Ivy Detection
- TrustPort WebFilter help.php hf Parameter Directory Traversal
- HP Switch Identification
- HP ProCurve 5400 zl Switches Compact Flash Card Security Issue
- MS13-059: Cumulative Security Update for Internet Explorer (2862772)
- MS13-060: Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution (2850869)
- MS13-061: Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2876063)
- MS13-062: Vulnerability in Remote Procedure Call Could Allow Elevation of Privilege (2849470)
- MS13-063: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2859537)
- MS13-064: Vulnerability in Windows NAT Driver Could Allow Denial of Service (2849568)
- MS13-065: Vulnerability in ICMPv6 Could Allow Denial of Service (2868623)
- MS13-066: Vulnerability in Active Directory Federation Services Could Allow Information Disclosure (2873872)
- MS KB2862966 : Updates to Improve Cryptography and Digital Certificate Handling in Windows
- MS KB2861855: Updates to Improve Remote Desktop Protocol Network-Level Authentication
- MS KB2862973: Update for Deprecation of MD5 Hashing Algorithm for Microsoft Root Certificate Program
- Cisco Intrusion Prevention System Jumbo Frame Denial of Service (cisco-sa-20080618-ips)
- HP ProCurve Switches Remote Unauthorized Information Disclosure
- Adobe Camera Raw Plugin Multiple Vulnerabilities (Mac OS X)
- PHP 5.5.x < 5.5.1 xml.c Buffer Overflow
- BigTree CMS Detection
- BigTree CMS index.php SQL Injection
- Western Digital My Net Router main_internet.php Admin Credential Disclosure
- OpenX flowplayer-3.1.1.min.js Backdoor Remote Code Execution
- OSPF LSA Manipulation Vulnerability in Cisco ASA (cisco-sa-20130801-lsaospf)
- OSPF LSA Manipulation Vulnerability in Cisco IOS (cisco-sa-20130801-lsaospf)
- OSPF LSA Manipulation Vulnerability in Cisco IOS-XE (cisco-sa-20130801-lsaospf)
- OSPF LSA Manipulation Vulnerability in Cisco NX-OS (cisco-sa-20130801-lsaospf)
Passive Vulnerability Scanner
Tenable Compliance Checks
Security News Stories
- Open Security Research: Remote Code Execution on Wired-side Servers over Unauthenticated Wireless
- ZMap - The Internet Scanner
- If You Send To Gmail, You Should Have 'No Legitimate Expectation Of Privacy' | Business Insider
- Researchers release tool to pickup the SLAAC in Man-In-The-Middle attacks using IPv6 | Network World
- Putty Security Update (SSH Tool)
- Poison Ivy: Assessing Damage and Extracting Intelligence
- Hackers use new tactic to attack U.S. media sites | Reuters
- Attention, parents: Baby monitor hacked; default password to blame?
- Zuckerberg Facebook hacker gets $10k fundraiser bug bounty
- CSOs: Stop flogging the threats and start providing solutions
- Bloke leaks '1000s' of Twitter login tokens, says he can hack ANY twit
Related Articles
NIST Cybersecurity Framework Adopted by Thirty Percent of US Organizations
February 18, 2016In the February 18, 2016 Risky Business podcast, Cris Thomas speaks with Patrick Gray about the NIST Cybersecurity Framework. Gartner recently announced that 30% of all US organizations - both public...
Tenable Network Security Podcast Episode 206 - "PCI, Breaches and more!"
September 15, 2014
CVE-2024-4040: CrushFTP Virtual File System (VFS) Sandbox Escape Vulnerability Exploited
April 23, 2024A zero-day vulnerability in CrushFTP was exploited in the wild against multiple U.S. entities prior to fixed versions becoming available as the vendor recommends customers upgrade as soon as possible.
Operational Technology in the DoD: Ensuring a Secure and Efficient Power Grid
April 19, 2024In an evolving threat landscape, the DoD must make sure that its mission-critical operations don’t experience power outages.
Cybersecurity Snapshot: Cyber Agencies Offer Secure AI Tips, while Stanford Issues In-Depth AI Trends Analysis, Including of AI Security
April 19, 2024Check out recommendations for securing AI systems from the Five Eyes cybersecurity agencies. Plus, Stanford University offers a comprehensive review of AI trends. Meanwhile, a new open-source tool aims to simplify SBOM usage. And don’t miss the latest CIS Benchmarks updates. And much more!
- Podcast