[Dailydave] Catch22's in Vulnerability Management

Ron Gula rgula at tenable.com
Thu Feb 7 11:20:10 EST 2013


Multiple comments.

Finding client-side vulnerabilities through network monitoring instead of
having to log in was one of the reasons we wrote the Passive Vulnerability
Scanner. For less mature organizations who don't want to or don't know
how to get creds for 5k desktops, sniffing who is vulnerable is a very real
alternative and extremely effective with no impact.

We also added functions to Nessus such that it can speak directly with
TEM (Bigfix), SCCM, WUS, RedHat Satellite and a few others. This lets
you do two things. First, you can get patch data from them and mix this
with your uncredentialed vuln scan. Second, if you do a credentialed
scan, you can cross reference this with what is in your patch management
system down to the DLL sort of level.

As was pointed out, the blog we have here really goes into the various
issues: http://www.tenable.com/blog/protecting-scanning-credentials-from-malicious-insiders

I am really not that concerned about some of the attacks you point
out compared to the concern of securing the systems doing the scanning
and hosting the data. The big thing on the Windows side is packet signing.
Hijacking is indeed an issue as well.

Lastly, PCI ASV scans do not require credentialed audits, which pushes
false positive analysis from backported banners onto the admin and the
ASV vendor. This was one of the reasons we did an integration with RedHat
Satellite, so that we could cross-reference some sort of old-looking banner with
an actual patch without needing to log in as root from the cloud.

Ron Gula
Tenable Network Security

From: Dave Aitel <dave at immunityinc.com>
Date: Wednesday, February 6, 2013 2:03 PM
To: "dailydave at lists.immunityinc.com" <dailydave at lists.immunityinc.com>
Subject: [Dailydave] Catch22's in Vulnerability Management

I love both our Qualys and Tenable friends, but I have to say, I worry about "authenticated scans". Perhaps my worry is unwarranted, but having a domain admin that is connecting to and trying to authenticate to every host on the network seems like a very bad idea.

For example:

  *   What if you do an NTLM proxy attack?
  *   What if you downgrade your accepted protocols to NTLMv1 and then crack the hash and now are domain admin for free?
  *   What if there is some vulnerability in the web apps or host box that supports these programs?
  *   When Qualys, for example, logs into MS SQL, and I have MITM on that network, why can't I just take over the connection and be admin from then on?

https://community.qualys.com/docs/DOC-4095
http://static.tenable.com/documentation/nessus_credential_checks.pdf

If these attacks work, it's a bit of a catch22. In order to achieve compliance, you must be out of compliance!

I assume people are using authenticated scans, because without it, you're generally getting lots of false positives to weed through, which is annoying (and for which we sell CANVAS plugins :>).

-dave


--
INFILTRATE - the world's best offensive information security conference.
April 2013 in Miami Beach
www.infiltratecon.com
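Ron's point that packet signing is the main Windows-side control against the NTLM proxy (relay) scenario Dave raises can be checked host by host: a server whose SMB2 NEGOTIATE response does not set SMB2_NEGOTIATE_SIGNING_REQUIRED will accept an unsigned session, so a relayed scanner credential would work against it. The following is an added example written for this thread, not code from Tenable, Qualys or Immunity. It assumes you already have the raw NEGOTIATE response bytes (from a packet capture or an SMB client you control); the hostnames and the response bytes below are constructed so it runs offline.

```python
"""Audit SMB2 NEGOTIATE responses for whether message signing is required.

Constructed example: builds minimal SMB2 NEGOTIATE responses in memory and
parses them. No network traffic is generated; the bytes stand in for what a
capture or a client socket would return from a target.
"""
import struct
from dataclasses import dataclass

SMB2_MAGIC = b"\xfeSMB"           # SMB2 ProtocolId
SMB2_NEGOTIATE = 0x0000           # Command code for NEGOTIATE
SMB2_FLAGS_SERVER_TO_REDIR = 0x1  # Set in responses, clear in requests
SIGNING_ENABLED = 0x0001          # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002         # SMB2_NEGOTIATE_SIGNING_REQUIRED
HEADER_LEN = 64                   # Fixed SMB2 header size


@dataclass(frozen=True)
class NegotiateInfo:
    dialect: int
    signing_enabled: bool
    signing_required: bool


def parse_negotiate_response(data: bytes) -> NegotiateInfo:
    """Pull DialectRevision and SecurityMode out of a raw SMB2 NEGOTIATE response."""
    if len(data) < HEADER_LEN + 6:
        raise ValueError("too short for an SMB2 header plus NEGOTIATE body")
    if data[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    hdr_size = struct.unpack_from("<H", data, 4)[0]    # header StructureSize
    command = struct.unpack_from("<H", data, 12)[0]    # Command
    flags = struct.unpack_from("<I", data, 16)[0]      # Flags
    if hdr_size != HEADER_LEN or command != SMB2_NEGOTIATE:
        raise ValueError("not a NEGOTIATE message")
    if not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("NEGOTIATE request, not a response")
    # Body starts right after the header: StructureSize, SecurityMode, DialectRevision
    body_size, security_mode, dialect = struct.unpack_from("<HHH", data, HEADER_LEN)
    if body_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return NegotiateInfo(
        dialect=dialect,
        signing_enabled=bool(security_mode & SIGNING_ENABLED),
        signing_required=bool(security_mode & SIGNING_REQUIRED),
    )


def audit_signing(responses: dict) -> dict:
    """Classify each host by what its NEGOTIATE response says about signing.

    Hosts that only *enable* signing (the Windows default for non-DC members)
    still accept unsigned sessions, which is the relay exposure to fix first.
    """
    report = {}
    for host, raw in responses.items():
        try:
            info = parse_negotiate_response(raw)
        except ValueError as exc:
            report[host] = f"unparsable: {exc}"
            continue
        if info.signing_required:
            report[host] = "signing required"
        elif info.signing_enabled:
            report[host] = "signing enabled but not required"
        else:
            report[host] = "signing disabled"
    return report


def build_negotiate_response(dialect: int, security_mode: int) -> bytes:
    """Constructed sample only: a minimal NEGOTIATE response with the audited fields set."""
    header = struct.pack(
        "<4sHHIHHIIQIIQ16s",
        SMB2_MAGIC, HEADER_LEN, 0, 0, SMB2_NEGOTIATE, 1,
        SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, bytes(16),
    )
    # StructureSize 65, SecurityMode, DialectRevision, Reserved; remaining fields zeroed.
    body = struct.pack("<HHHH", 65, security_mode, dialect, 0) + bytes(57)
    return header + body


if __name__ == "__main__":
    # Constructed hostnames and responses; not real inventory.
    sample = {
        "fileserver-1": build_negotiate_response(0x0311, SIGNING_ENABLED | SIGNING_REQUIRED),
        "desktop-42": build_negotiate_response(0x0302, SIGNING_ENABLED),
        "legacy-nas": build_negotiate_response(0x0210, 0),
        "printer": b"garbage",
    }
    for host, verdict in audit_signing(sample).items():
        print(f"{host:14} {verdict}")
```

Anything reported as "signing enabled but not required" or "signing disabled" is a host where the scanning account's authentication could be replayed by an on-path attacker, so those are the ones to bring under a "require signing" policy before letting a domain-privileged scanner touch them.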