On Wednesday, August 15th, 2007, Tenable Network Security will begin converting CVSS base scores for Nessus and the Passive Vulnerability Scanner (PVS) plugins from version 1 to version 2. This blog entry discusses how some of the plugin severity and risk ratings will be changing due to our adoption of the new and more accurate CVSS version 2 standard.

CVSSv1 and CVSSv2

Recently, the Forum of Incident Response and Security Teams (FIRST) released new guidelines for scoring vulnerability severity levels. The original standard was CVSS v1 (for version 1) and the new standard is CVSS v2. CVSS version 2 is more accurate than vulnerability severity ratings scored under version 1. It also gives more emphasis to remote, unauthenticated denial of service and compromise vectors.

Tenable Network Security uses the CVSS base score to select Nessus and PVS severity ratings for vulnerability plugins. Values from 1 through 3 receive a Low/Informational rating; 4 through 6 receive a Medium/Warning rating and 7 through 9 receive a High/Hole severity level. CVSS scores of 10 have a severity level of "High/Hole" but also have their Risk factor marked as "Critical".

We will synchronize existing Nessus and PVS plugins with the CVSS v2 base scores in NIST's National Vulnerability Database starting August 15th. Once we implement this change and you update your plugins, you should notice an immediate change in the way scores are displayed in your reports. For example, with v1 you might now see:

  Risk factor :

  Critical / CVSS Base Score : 10.0
  (AV:R/AC:L/Au:NR/C:C/I:C/A:C/B:N)

Under v2, you will see:

  Risk factor :

  Critical / CVSS Base Score : 10.0
  (CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:N)

In some cases, though, we are unable to sync scores with the NVD so the switch to CVSSv2 scores for some plugins will not occur immediately. This may happen because a Nessus or PVS plugin checks for a vulnerability for which there is no CVE entry, or because NIST has not scored the entry manually (NIST labels these "approximated" scores). In these cases, Tenable will re-score the plugins using the v2 standard as time permits.

Tenable will also begin to use CVSS v2 scoring on all new plugins starting August 15th, 2007.

For Nessus and the PVS, the new scoring methodology affects the severity ratings for many of the plugins which had been previously scored with the CVSS v1 methodology. There are several severity ratings that will change when the new scoring goes into effect. This means that some systems that have been scanned and did not have "High" or "Hole" vulnerabilities may in fact show vulnerabilities with this severity level if re-scanned. Similarly, some serious vulnerabilities do not have as high of a severity under the new scoring.

Detailed Severity Changes

Changes in the vulnerability scoring of note include:

• The scores for 79 plugins remain the same across v1 and v2. With four exceptions, these are for critical vulnerabilities, with a score of 10.0.
• The risk factor and reporting functions for 293 plugins will have a change.
• The risk factor for 30 plugins will actually go down. In one case, it's because the vulnerability requires adjacent network access rather than just remote access.
• Approximately 133 plugins covering issues that can be exploited by an unauthenticated remote attacker without any access complexity and that have one of C, I, or A scored as "partial" will see their risk factor go from Low (with a v1 score of 2.3) to Medium (v2 score 5.0) due to the increased weighting given the remote access vector in CVSSv2 scoring.
• 14 plugins for vulnerabilities that can be exploited by an unauthenticated remote attacker without any access complexity and with one of C, I, or A scored as "complete" will see their risk factor go from Low (with a v1 score of 3.3) to High (v2 score 7.8), again due to the increased weighting given the remote access vector in CVSSv2 scoring.
• 17 plugins for vulnerabilities that can be exploited by an unauthenticated remote attacker with a medium access complexity and with one of C, I, or A scored as "partial" (eg, XSS flaws) will go from a Low risk factor (with a v1 score of 1.9) to Medium (v2 score 4.3) due to the increased weighting given the remote access vector in CVSSv2 scoring.

Example CVSSv1 and CVSSv2 Scoring

Here is an example comparison of relative scores between CVSSv1 and CVSSv2 for a 'cPanel' path disclosure bug:

v1: 1.9 (AV:R/AC:H/Au:NR/C:P/I:N/A:N/B:N)
v2: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)

In this example the change in scoring was from 1.9 to 2.6. It is "more" severe than before, but would still be reported as an informational or low vulnerability.

A good example of the another vulnerability jumping a dramatic amount in its severity rating is one that effects the Kaspersky Antivirus solution. Nessus plugin 24758 checks for a CPU DOS. The CVSS v1 and v2 scores are below:

v1: 3.3 (AV:R/AC:L/Au:NR/C:N/I:N/A:C/B:N)
v2: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

If the anti-virus solution is running on a mail server, then exploitation could be achieved remotely, without authentication and without any user interaction. CVSSv2 takes these factors into higher consideration when scoring vulnerabilities which results in a "high" score of 7.8.

Learn More About CVSS

For more information about the Common Vulnerability Scoring System, please visit the CVSS Special Interest Group's web site located at http://www.first.org/cvss/.

Today, Tenable's research group released a remote Nessus plugin check (ID #25035) for a new vulnerability in Microsoft DNS servers. Microsoft has released a security advisory with details of the vulnerability and Tenable has confirmed the issue with an exploit in our lab.

To exploit this flaw, an attacker needs to connect to the DNS server RPC interface and send a malformed RPC query. Until a patch is available, all Microsoft RPC queries to effected DNS servers should be prevented from potential attackers.

This plugin is currently available to Nessus Direct Feed subscribers. Direct Feed subscriptions include access to the latest vulnerability checks, the ability to have Nessus perform agent-less configuration and content audits and technical support.

Security researchers interested in this type of Windows RPC security vulnerability should also find Tenable's mIDA plugin for IDA Pro also useful.

Digital Bond has placed screen shots of the SCADA checks for Nessus under development in their blog. Below is a screen shot of some of the plugins being developed for the new "SCADA" family.

The research for the SCADA plugins has yielded four types of SCADA plugins:

• device specific checks for Modicon PLCs
• application specific checks for Windows OS based SCADA components (through Windows RPC calls)
• protocol specific checks to find COTP and Modbus
• checks for known SCADA vulnerabilities

These checks will be available to Nessus Direct Feed subscribers and Security Center users.

Tenable has already implemented many SCADA protocol decodes in the Passive Vulnerability Scanner. The PVS can be placed inside or on the perimeter of a network running SCADA protocols and passively determine both SCADA specific applications and generic vulnerabilities. Tenable has a webinar about this subject this Friday at 3:00 PM EST. Tenable has also produced a white paper on protecting and monitoring SCADA networks with both active and passive vulnerability auditing.

Yesterday, Tenable's research group released Nessus plugin #22449 which can detect Windows systems that are missing a set of patches covered in Microsoft bulletin MS06-055. This patch fixes security issues related to Outlook and Internet Explorer's use of the Vector Markup Language APIs. Systems with this vulnerability are exposed to exploitation from visiting hostile web pages or receiving email designed to exploit the flaws in VML. The plugin is a patch audit and requires domain credentials to analyze the remote system. This plugin is available to all Direct Feed subscribers and Security Center users.

Tenable Network Security discovered a security flaw in software commonly used to backup important corporate data. After notifying Symantec of the problem, their engineers conducted a review of all effected products and have released a set of hotfixes. Tenable has also released a Nessus plugin which detects the missing patch.

This particular vulnerability effects enterprise networks which use the "Backup Exec" software to ensure their data is stored in a safe and central location. This also makes it convenient for an insider to attack one spot and obtain the data they are after.

Recently, Tenable was asked about detecting DNS servers that were configured to respond to DNS "recursion" queries. The issue is that a remote attacker could spoof a recursive DNS query with a source address of a network they wish to cause a denial of service for. The attacker spoofs a query with a small payload and causes the DNS server to reply with much more data. This floods the target network with answers to questions it never asked for.

In 2005, the US CERT organization put out a note titled "The Continuing Denial of Service Threat Posed by DNS Recursion" which detailed the attack technique and methods to secure various commercial and open source DNS servers. This vulnerability has been around for several years but according to CERT, is still actively used for DDOS attacks. Tenable has two methods to detect these vulnerabilities.

First is Nessus plugin #10539. This plugin detects DNS recursion in general. If you run Nessus from inside your network, then being able to perform such a query isn't necessarily an issue. However, if you have placed your Nessus scanner outside of your network, or are auditing a remote DNS server, being able to perform a recursive query is likely a problem. 

Second, Tenable's Passive Vulnerability Scanner has a rule to detect DNS servers which have responded to recursive DNS queries. The screen shots below show a view of DNS issues passively discovered under the Security Center.

The first screen shot lists all "port 53" vulnerabilities passively found. Vulnerability #03703 is the one identifying a recursive DNS server. Other information includes a list of machines with UDP port 53 open, and machines which "browse" on port 53. The second screen shot is the actual description which is worded as if the PVS was deployed internally.

Being able to passively monitor for such issues 24x7 without scanning is very useful, especially if a new DNS server is added or an undocumented change is made to a DNS serve before the next active scan. If the PVS is placed outside your network, or in a spot where it can see external DNS queries, then it will also see successful external recursive DNS queries.

Regardless if you are a large or small network, if you have DNS servers that do respond to recursive DNS queries from external sources, you may be contributing to someone else's DDOS attack and not even know it. The CERT note mentioned in their testing, 80% of all DNS servers were subject to this problem. Because there are so many DNS servers to use, attackers can launch their attacks using multiple DNS servers. Each site participating in the attack may only contribute a small percentage of the overall bandwidth, but the target network gets flooded.

Tenable Direct Feed and Security Center users have updated Nessus plugins to check for all vulnerabilities disclosed by the recent "Microsoft Tuesday" patches. The majority of these checks are for client-side issues and require local access with domain credentials. There were 12 local checks in total including two for Microsoft Office.

There is one highly critical remote flaw (MS06-040) which is a stack overflow. It is possible to exploit Windows 2000 and XP SP1 remotely if they are not protected by a firewall. Windows 2003 SP1 and XP SP2 may also be exploitable, but could just be subject to a denial of service attack. Tenable has developed Nessus plugin 22194 which can check for MS06-040 remotely without any credentials at all.

Tenable is also actively analyzing these patches for detection with the Passive Vulnerability Scanner.

Tenable released a TASL script for the Log Correlation Engine that can use netflow, sniffed network sessions, firewall logs and even network IDS logs to help identify botnets, maleware and zombie networks.

The basic premiss is that for certain protocols like SSH, Telnet, IRC and custom high-port control mechanisms, if we have a "large" user population suddenly all decide to visit an IP address on the other side of the world, this could indicate a "phone home" or some sort of control mechanism.

In our testing we've seen 100s of IP addresses all start to connect on a variety of ports. In some cases, we've seen user populations all descend upon Google and MySpace at the same time, but most of the time, we've been looking at a botnet of some sort. Seeing several 100 computers all connect to IRC at the same is an example most people are familiar with, but with this sort of correlation script, we're seeing odd ports targeted throughout the 0-65535 port range.

Consider the following example (sanitized) log:

This shows that host 210.51.x.x was visited at least once by 20 unique IP addresses from our "local" network. In each case the destination port was 62105. We've shared these logs with some experts for comment and many people have suggested that port 62105 is used in cases by the Skype application. These hosts involved in the session were not running Skype as determined by our Passive Vulnerability Scanner and Nessus scans.

Let's look at a different example:

The TASL script creates an event named "Crowd_Surge". In this example, one of the destination IP addresses for one of these events also was listed as a being tracked by the Internet Storm Center. The screen shot is an event summary of the last five days of all logs for the IP in question. The screen shot below is a port summary of all ports (destination and source) for the IP in question. Notice the large amount of port 9001.

The Internet Storm Center portal lists 9001 as Tor. If you are familiar with how Tor works, this pattern may make sense to you. However, the number of IP addresses involved with this log was several thousand.

As Tenable gets feedback from its customers about various observed traffic, we will post some results in this blog.

Today, the Tenable Research Team released a new version of mIDA, an IDA (Interactive Disassembler) plugin that allows one to extract Windows RPC server interfaces and to recreate the IDL definitions.

By using the disassembler engine, mIDA supports almost all RPC interfaces.

Version 1.0.6 introduced the following changes :

• Bugfixes (crash and better parsing of some structures)
• Support of MIDL compiler 7 used in Windows Vista
• NDR Library version 0x60001
• FC_SUPPLEMENT, FC_EXPR, FC_FORCED_BOGUS_STRUCT and the new range format

We would like to thank all people who sent us bug reports and feedback about previous versions and encourage everyone to do the same to help us improve this plugin.

You can download mIDA here