Vulnerability Management
The Vulnerability Management Process
Vulnerability Databases
• CVE: Common Vulnerabilities and Exposures
• CPE: Common Platform Enumeration
• CVSS: Common Vulnerability Scoring System
― Used to score vulns for prioritization, based on
▪ Proximity of attack vector, attack complexity, privileges required, user interaction required, etc.
• Mostly parts of NVD (National Vulnerability Database) and SCAP (Security Content Automation Protocol) projects
Vulnerability Management
AND PATCH MANAGEMENT
• Vendors routinely issue patches, updates and bug fixes
― The day they come out, the bad guys unpack them, disassemble them (e.g. with IDA Pro) and trace execution with a debugger to find the differences between the original code and the fixed version
― Then they write an exploit and release or use it
― You have a choice between the two horns of a dilemma:
▪ Immediately deploy the patch in order to avoid exploitation, but risk the patch bringing down production systems
▪ Regression test the patch in a test environment, to avoid instability, but risk being pwned
• For personal use – turn on automatic Windows updates and only panic if/when something breaks
• Enterprises typically have to deploy patches in stages or waves:
― Internet-facing systems first
― Low-criticality systems next
― Most critical systems last – well inside firewall, multiple layers of defence
• Use vulnerability scanners (Qualys, GFI LanGuard, OpenVAS, etc.) to identify systems that are unpatched
― SIEMs and GRC systems provide platform/patch management
• Deploy patches from repositories
― WSUS (Windows Server Update Services)
― Yum, etc. for Linux
• Useful mailing lists at http://www.patchmanagement.org/.
Scoring Vulnerabilities
CVSS
CVSS Attack Vector
• Network (N)
• Vulnerable component is bound to layer 3 (network layer) or above, so it can be attacked from other networks
• Adjacent (A)
• Vulnerable component is bound to layer 2 and can only be attacked from the same LAN or subnet (e.g. ARP cache poisoning attacks)
• Local (L)
• Vulnerable component is not bound to the network stack, so it can be attacked by a local logged-in user exploiting read/write/execute capabilities (e.g. privilege escalation attacks)
• Physical (P)
• Requires attacker to physically touch or manipulate the vulnerable component (e.g. cold boot attacks or DMA slurping attacks)
CVSS Attack Complexity and Privileges Required
• Attack Complexity (AC)
• Low
• Requires no special conditions or extenuating circumstances; easily repeatable
• High
• Success depends upon conditions beyond the attacker’s control, e.g. repeated attempts to find correct memory offset or getting a phishing email opened by a specific user
• Privileges Required (PR)
• None
• Attacker is unauthorized before the attack
• Low
• Only user privileges are required for the attack
• High
• Requires administrative privileges over the affected component
CVSS User Interaction and Scope
• User Interaction (UI)
• None (N)
• No interaction required from any user
• Required (R)
• Success requires a user to take some action, e.g. installing an application
• Scope (S)
• The ability of the vulnerability to impact resources beyond its own means or privileges, e.g. to break out of a sandbox
• Unchanged (U)
• Exploit can only affect resources managed by the same authority
• Changed (C)
• Exploit can affect resources beyond the intended authorization privileges, i.e. the vulnerable component and the impacted component are different
CVSS Confidentiality Impact (C)
• High (H)
• Total loss of confidentiality – all resources within the impacted component are divulged to the attacker – or the consequential impact is severe, e.g. disclosure of encryption keys
• Low (L)
• There is some loss of confidentiality, but the attacker may not have direct control over what or how much is disclosed.
• None (N)
• There is no loss of confidentiality
CVSS Integrity Impact (I)
• High (H)
• Total loss of integrity or complete loss of protection, e.g. attacker is able to modify any or all files or records – or the consequential impact is severe
• Low (L)
• Modification of data is possible, but the attacker does not have control over the consequence of modification or the extent of modification is limited
• None (N)
• There is no loss of integrity within the impacted component
CVSS Availability Impact
• High (H)
• Total loss of availability, which is either sustained (e.g. DoS attack) or persistent (deletion of data). Alternatively, a direct, serious consequence will ensue, e.g. attacker can prevent new connections or cause a memory leak which will eventually crash the system
• Low (L)
• Reduced performance or service interruptions; partial resource availability, legitimate users still have some access
• None (N)
• No impact to availability within the impacted component
CVSS Example
OpenText Document Sciences xPression – SQL Injection
• From Full Disclosure Mailing List, 9th October
Title: OpenText Document Sciences xPression (formerly EMC Document Sciences xPression) – SQL Injection
Author: Marcin Woloszyn
Date: 27. September 2017
CVE: CVE-2017-14758
Affected Software:
==================
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression)
Exploit was tested on:
======================
v4.5SP1 Patch 13 (older versions might be affected as well)
SQL Injection:
==============
Due to a lack of prepared statements, the application is prone to SQL Injection attacks. A potential attacker can retrieve data from the application database by exploiting the issue.
Vector: https://[…]/xAdmin/html/cm_doclist_view_uc.jsp?cat_id=503&documentId=185365177756%20and%201=1&documentType=xDesignPublish&documentName=ContractRealEstate
Results can be retrieved using blind SQL injection method.
• CVSS 3.0 Metrics:
• Attack Vector (AV): Network
• Attack Complexity (AC): Low
• Privileges Required (PR): Low
• User Interaction (UI): None
• Scope (S): Unchanged
• Confidentiality (C): High
• Integrity (I): High
• Availability (A): High
• Now use https://www.first.org/cvss/calculator/3.0 to calculate the score.
Confirmed at https://nvd.nist.gov/vuln/detail/CVE-2017-14758
Security Assessment
• Tests that controls are effective
• Can be performed by automated tools – vulnerability scanners:
― Nessus, OpenVAS
― IBM ISS
― IBM Rational AppScan
― GFI LanGuard
― Nikto, Burp Suite, w3af (for web application testing)
• Generally quite noisy
― Should trigger IDS and generate lots of log entries
OpenVAS Scans Dashboard
Information Security Continuous Monitoring
• “Maintaining ongoing awareness of information security, vulnerabilities and threats to support organizational risk management decisions”
• An ISCM strategy:
― Is grounded in a clear understanding of organizational risk tolerance
― Includes metrics that provide meaningful indications of security status at all organizational tiers
― Ensures continuous effectiveness of all security controls
― Verifies compliance with all security requirements
― Is informed by all IT assets and helps to maintain visibility into the security of those assets
― Maintains awareness of threats and vulnerabilities
See http://csrc.nist.gov/publications/nistpubs/800-137/SP800-137-Final.pdf
ISCM Development, Implementation and Maintenance
• Define an ISCM strategy
― Based on risk tolerance, assets, vulnerabilities, etc.
• Establish an ISCM program
― Determine metrics, status monitoring frequencies, etc.
• Implement an ISCM program
― Collect metrics, perform assessments, report; automate where possible
• Analyze data and report findings
― Collect additional data to clarify if necessary
• Respond to findings
― With technical, management or operational controls to mitigate
• Review and update the ISCM strategy
Security Operations Center
• Found in large enterprises and managed security service providers
• Typically manned 24 x 7, or “follow the sun”
• Multiple workstations displaying dashboards from SIEM
• Monitor network traffic, firewall and IDS alerts
• Often have attached malware analysts and forensic investigators
― Can respond to suspicious activity, identify malware, update firewall and IDS rules to block
Factors Affecting Monitoring Frequency
• Security control volatility
• System categorization and impact levels
• Security controls or specific assessment objects providing critical functions
― (Bastion hosts, e.g. firewalls, log servers, etc.)
• Security controls with identified weaknesses
• Organizational risk tolerance
• Threat information
• Vulnerability information
• Risk assessment results
• Reporting requirements
Penetration Testing
• Deeper than assessment
• Usually performed manually, after automated discovery
― Attempts to exploit vulnerabilities using hacker tools & techniques
• Tests multiple layers of defence
• May include social engineering
• Never undertake without a signed written contract
― (Known as a “get out of jail free card”)
• Must be performed according to a methodology
― NSA IAM (Information Assurance Methodology)
― GCHQ CHECK (from “health check”)
― OSSTMM (Open Source Security Testing Methodology Manual)
Levels of Penetration Testing
• Level 1: “Black box” pen-test
― From outside network, with no prior knowledge
• Level 2: “Crystal box” pen-test
― From outside network, with inside knowledge
― Will take advantage of knowledge of network configuration, software revisions, IDS/IPS rules, etc.
• Level 3: “Red team” pen-test
― On the inside network
― Tests resilience and isolation of intranet enclaves
― May have an active “Blue team” defending
Penetration Testing Process
[Flowchart on the slide] Stages, in order: Initial Network Scan -> Full Network Scan -> Network Service Identification -> Investigation of Vulns -> Vulnerability Testing -> Low-Level Network Testing -> Final Report
Artefacts labelled on the flowchart: service and host information; TCP & UDP ports; version number and OS platform info; vuln details, scripts, exploits; firewall and target host configuration; results
Initial Network Scan
• DNS zone transfer
― Use dig axfr
• ICMP ping-sweep
― nmap -sP
• Test for common services
― SMTP
― IMAP/POP
― HTTP
― SSH
― Etc.
Full Network Scan
• Identify open, closed and filtered ports
― Based on TCP SYN -> SYN-ACK -> ACK three-way handshake
― Send SYN, get back – what?
▪ SYN-ACK – service is up and running, willing to respond
▪ RST – host is reachable, but no service on that port
▪ Nothing – host is behind a firewall
▪ ICMP “destination unreachable for administrative reasons” – host is behind a firewall with a n00b idiot admin
• For both TCP and UDP
• Use nmap with stealth scanning options
― -sS (SYN only)
• Platform fingerprinting via TCP
― nmap -O (uses -sX "Xmas Tree" scan, etc.)
TCP SYN Header Capture
Advanced Stealth Scanning
• Idle time scan
― Makes use of an otherwise quiet ‘innocent bystander’ host on the Internet
― Sends TCP datagrams using spoofed source address – that of the host to be scanned
▪ Idle host replies to scan victim – based on what comes back it may send other datagrams
▪ Examines differences in IP header ID field to infer interactions
• FTP bounce scan
― Again, spoofs victim’s address as source IP address
― Uses FTP PORT directives to get FTP server to interact with scan victim
― Infers interactions, open ports, etc.
• In both cases, the victim never sees the IP address of the attacker
Network Service Identification
• Use application fingerprinting tools
― E.g. dig @dns chaos txt version.bind returns BIND version number
• Examine
― Banner messages
― Initial handshake exchanges (use Wireshark for this)
• May also identify:
― Library and subsystem versions
▪ e.g. OpenSSL
― Supported protocol versions
▪ e.g. SSL 3.0, TLS 1.0, 1.1, SSH 1.0
― With consequent vulnerabilities
• Surprisingly effective as current generation of admins are unaware of or unable to change banner messages
SSH Version and Protocol
Investigation of Vulnerabilities
• Cross-reference acquired platform, application and version information against
― MITRE CVE / NIST CVSS
― MITRE CPE
― ISS X-Force
― Full Disclosure mailing list
― “underground” hacker sites
• Obtain or develop exploits
― PoC (Proof of Concept) code
― Metasploit plugins
― Known shared exploits
▪ These will be easily identified by next-gen firewalls and antimalware
• So modify the source code, recompile and test by submitting to VirusTotal
A (Typical?) Vulnerability
[FD] [CVE-2017-7240] Miele Professional PG 8528 – Web Server Directory Traversal
Title:
======
Miele Professional PG 8528 – Web Server Directory Traversal
Author:
=======
Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG
CVE-ID:
=======
CVE-2017-7240
Risk Information:
=================
Risk Factor: Medium
CVSS Base Score: 5.0
CVSS Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS Temporal Vector: CVSS2#E:POC/RL:OF/RC:C
CVSS Temporal Score: 3.9
Timeline:
=========
2016-11-16 Vulnerability discovered
2016-11-10 Asked for security contact
2016-11-21 Contact with Miele product representative
2016-12-03 Send details to the Miele product representative
2017-01-19 Asked for update, no response
2017-02-03 Asked for update, no response
2017-03-23 Public disclosure
Status:
=======
Published
Affected Products:
==================
Miele Professional PG 8528 (washer-disinfector) with ethernet interface.
Vendor Homepage:
================
https://www.miele.co.uk/professional/large-capacity-washer-disinfectors-560.htm?mat=10339600&name=PG_8528
Details:
========
The corresponding embeded [sic] webserver “PST10 WebServer” typically listens to port 80 and is prone to a directory traversal attack, therefore an unauthenticated attacker may be able to exploit this issue to access sensitive information to aide [sic] in subsequent attacks.
Proof of Concept:
=================
~$ telnet 192.168.0.1 80
Trying 192.168.0.1…
Connected to 192.168.0.1.
Escape character ist ‘^]’.
GET /../../../../../../../../../../../../etc/shadow HTTP/1.1
HTTP/1.1 200 OK
Date: Wed, 16 Nov 2016 11:58:50 GMT
Server: PST10 WebServer
Content-Type: application/octet-stream
Last-Modified: Fri, 22 Feb 2013 10:04:40 GMT
Content-disposition: attachment; filename="./etc/shadow"
Accept-Ranges: bytes
Content-Length: 52
root:$1$$Md0i[…snip…]Z001:10933:0:99999:7:::
Fix:
====
We are not aware of an actual fix.
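A defender-side check of the kind the PST10 web server evidently lacked, added here as an example (not from the advisory, Miele, or the slides): it maps a request path onto a document root and refuses anything that resolves outside it, using the proof-of-concept request line above as test input. DOC_ROOT is an assumed, constructed path.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root for the example; the real device evidently
# served from the filesystem root, which is why /etc/shadow was reachable.
DOC_ROOT = "/srv/www"


def resolve_request_path(url_path, doc_root=DOC_ROOT):
    """Map an HTTP request path onto doc_root, refusing traversal.

    Returns the normalised absolute file path to serve, or None when the
    request would resolve outside doc_root.
    """
    # Drop any query string before touching the path
    path = url_path.split("?", 1)[0]
    # Decode twice so double-encoded dots (%252e) cannot slip through,
    # then treat backslashes as separators, as lenient servers do
    path = unquote(unquote(path)).replace("\\", "/")
    # Anchor under the root and collapse every '..' and '.' component
    candidate = posixpath.normpath(posixpath.join(doc_root, path.lstrip("/")))
    root = posixpath.normpath(doc_root)
    # Compare with the separator so /srv/www2 does not pass as /srv/www
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    # A production server should also compare os.path.realpath() results
    # here, so a symlink inside doc_root cannot point back out of it
    return candidate


def parse_request_line(line):
    """Return (method, request-target) from an HTTP/1.1 request line."""
    method, target, _version = line.split(" ", 2)
    return method, target


# Request line from the advisory's proof of concept
POC_REQUEST = "GET /../../../../../../../../../../../../etc/shadow HTTP/1.1"


def check_poc():
    """True when the PoC request is refused by resolve_request_path."""
    _method, target = parse_request_line(POC_REQUEST)
    return resolve_request_path(target) is None
```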
Vulnerability Testing
• Launch exploits and attack scripts against services to qualify and test vulnerabilities
• Highly platform-specific and dependent on skills and resources of pen-testers