28 posts categorized "Vulnerabilities"

New SCADA Plugins for Nessus and Tenable PVS

Assessing the security of SCADA devices has always been a challenging task. SCADA devices are used in several critical infrastructure industries, including power plants, manufacturing, chemical processing, and nuclear reactors, so the high availability and security of these devices are of the utmost importance. The challenge lies in assessing the security of SCADA devices without causing any adverse effects. These purpose-built systems often operate within a limited scope and use protocols that are specific to the tasks being performed, such as Modbus, OPC, and DNP3.

In 2006, Tenable Network Security released the first Nessus® vulnerability scanner and Tenable Passive Vulnerability Scanner (PVS) SCADA plugins (you can read the original release notes for PVS in a post titled "SCADA Network Monitoring" and the original release for Nessus titled "SCADA Checks For Nessus 3"). In April 2011, a new round of SCADA plugins was released for Nessus (covering devices from Movicon, 7-Technologies, and more).

Tenable is now pleased to announce the availability of additional SCADA plugins for Nessus ProfessionalFeed, Tenable SecurityCenter, and PVS users. Tenable's research team worked alongside SCADA experts from Digital Bond to test and identify a wide variety of common SCADA devices. The plugins were announced at Digital Bond’s S4 Conference on SCADA security held on January 19, 2012. Note: Digital Bond’s Dale Peterson joined us on the Tenable Network Security podcast episode 110 and spoke about the new plugins and SCADA security.

Below is a sample of some of the new SCADA plugins:

Continue reading "New SCADA Plugins for Nessus and Tenable PVS" »

Scanning for pcAnywhere

Note -- this blog was updated on Feb 2, 2012 to highlight detection of the Symantec advisory SYM12-002 as well as additional Nessus local checks to audit pcAnywhere installations.

With the recent news from Symantec that the theft of their source code has left pcAnywhere open to attack, it makes sense to audit your network for instances of this desktop sharing software.

Nessus has many checks that identify the presence of pcAnywhere, the type of network access supported by it, and some vulnerabilities in the application. A current list is shown below for reference:

  • 10006   Symantec pcAnywhere Status Service Detection (UDP)
  • 10794   Symantec pcAnywhere Detection (TCP)
  • 10798   Symantec pcAnywhere Service Unrestricted Access
  • 20743   Symantec pcAnywhere Launch with Windows Caller Properties Local Privilege Escalation
  • 32133   Symantec pcAnywhere Access Server Detection Service
  • 35976   Symantec pcAnywhere CHF File Pathname Format String Denial of Service
  • 57795   Symantec pcAnywhere Installed (local check)
  • 57796   Symantec pcAnywhere Multiple Vulnerabilities (SYM12-002)

In addition, running a credentialed scan with Nessus plugin 20811 provides the ability to detect installed software on Windows computers, which can be useful to find instances of pcAnywhere that may be installed, but not actively running. Note that strings and versions vary from release to release. An example string as reported by a recent Nessus scan is “Symantec pcAnywhere [version 11.5.0]”.

Network traffic can also be monitored with the Passive Vulnerability Scanner to identify instances of pcAnywhere on the network. A current list of passive plugins to detect pcAnywhere is shown below.

  • 03306 Symantec pcAnywhere Detection
  • 06087 Symantec pcAnywhere Detected

Finally, Tenable’s Log Correlation Engine will normalize logs from the PVS for observed pcAnywhere sessions in real time with an event name of “PVS-PCAnywhere_Detected”. These sessions are automatically detected and analyzed for anomalies and connections from known botnets.

External Nessus scans can be performed to determine if your network has any Internet-facing instances of pcAnywhere. The Nessus PerimeterService is ideal for this type of scanning as it can scan an unlimited number of Internet-facing IP addresses very rapidly. Users of the Passive Vulnerability Scanner have automatic detection of any Internet-facing service, including pcAnywhere.

An in-depth Nessus Discussions Forum post details how SecurityCenter, Passive Vulnerability Scanner and Log Correlation Engine users can track pcAnywhere vulnerabilities and usage in real time.

Mobile Devices, Your Network, and Passive Sniffing

Do you know how many mobile devices reside on your network? Is your security architecture designed to secure the mobile platform and protect your users and the network from the threats they pose?

Mobile devices are a security concern for many reasons. Mobile devices are typically unmanaged – meaning they may or may not be running AV software or a firewall, or conform to enforceable security policies. Yet, whether they are provided to your employees as part of your operations or not, they are likely accessing resources on your network. To compound the problem, many mobile devices connect to your local network and to the Internet directly over two separate mediums. For example, the device may associate with a wireless network belonging to your organization while also holding a 3G/4G connection to the Internet.

Continue reading "Mobile Devices, Your Network, and Passive Sniffing" »

4 out of 5 CISOs Don't Scan for Off-Port Web Servers

An off-port web server is one that doesn't run on the common ports of 80 or 443. Management consoles, development systems, devices that speak HTTP for their protocol and many other systems can run on any port, typically 8080 or 8443.

Continue reading "4 out of 5 CISOs Don't Scan for Off-Port Web Servers" »

Microsoft Patch Tuesday Roundup - March 2011

Another Microsoft Patch Tuesday is upon us. This month I was surprised that two vulnerabilities making headlines recently were not included in this Microsoft Patch Tuesday, namely the 0-day Windows SMB Vulnerability and the reported “Pwn2Own” IE vulnerability. The best way to remediate any vulnerability is to apply a patch provided by the vendor, and it’s puzzling why Microsoft is delaying the release of patches for these widely publicized vulnerabilities.

To further aid in your efforts to evaluate the exposures presented by the vulnerabilities addressed by Microsoft’s Patch Tuesday, Tenable's Research team has published Nessus plugins for each of the security bulletins issued this month:

Continue reading "Microsoft Patch Tuesday Roundup - March 2011" »

Nessus "Exploitable With" Field Updated

Over the past few months, fields in Nessus reports indicating whether or not an exploit exists for a given vulnerability have continued to evolve. We first announced this feature in October 2010 in a post titled "New Nessus Feature: Public Exploit Availability". Ron Gula then wrote a follow-up post called "If an exploit falls in the forest, does anyone hear it being patched?", which described the usefulness of the information contained within the "Exploit available" and "Exploitable With" fields in Nessus plugins.

The Nessus interface has now received an update that will display the "Exploitable With" field directly in the report (prior to the latest version, this field was only contained in the HTML export).

Continue reading "Nessus "Exploitable With" Field Updated" »

Microsoft Patch Tuesday Roundup - February 2011

And the race is on to apply patches to the Microsoft Windows systems in your environment! One of the bulletins this month, MS011-04, fixes remotely exploitable issues in the IIS FTP service. To me, FTP falls in the same category as Telnet, which is "You should be using SSH instead". Despite the lack of security that FTP offers, it still appears to be wildly popular decades later. I performed some searches using "SHODAN", "The Computer Search Engine", which scours the Internet looking for open ports, services and banners. I told it to find systems with port 21 (FTP) open and got the following results:

  • United States: 27,355
  • China: 15,341
  • India: 11,122
  • Egypt: 10,476
  • Thailand: 10,068

Continue reading "Microsoft Patch Tuesday Roundup - February 2011" »

Shmoocon 2011 Conference Wrap-Up

Getting to ShmooCon each year is always challenging (as is trying to get home). Mother Nature seems to enjoy disrupting the travel to and from the conference, which is held in Washington, D.C., in January or February of each year. Despite the weather issues, I've always found it to be a conference worth attending. It features quality talks, leading security researchers sharing thoughts and ideas, and several extra events such as "Firetalks" and "Hacker Karaoke".

From Printer to Domain Admin

I've always been fascinated with the concept of attacking printers. The common misconception of "oh, it’s only a printer" makes them a prime target for attackers because people believe that printers pose little to no security risk. This mindset typically translates to the following conditions, which help to fuel my fascination:

Continue reading "Shmoocon 2011 Conference Wrap-Up" »

SSL Certificate Authority Auditing with Nessus

Do you know where all of your organization’s SSL certificates are and if they are providing enough protection to you and your customers? Nessus can be used to identify all SSL certificates in use, test if they are expired and, with the advent of plugin #51192, test that they have been securely signed by a valid certificate authority. This blog entry will review Nessus’s SSL certificate auditing ability and describe how plugin #51192 can help monitor your network for untrustworthy SSL certificates.

Continue reading "SSL Certificate Authority Auditing with Nessus" »

Microsoft Patch Tuesday Roundup - December 2010 - "Bad Santa" Edition

Attackers have been very naughty, IT departments have been mostly nice and Microsoft has fulfilled the role of “Bad Santa”. This holiday season, Microsoft has filled your stockings with 17 security bulletins fixing 40 vulnerabilities. But where does that leave us?

What Else Could You Say?

Note: The word "could" appears in the title of all 17 security bulletins this month.

I could say a lot of things about this month's Microsoft Patch Tuesday release. I could say that you should apply patches (except that my boss hates the word “should”). I could say that despite all of the patches released, there are still most likely to be 0-day exploits for several unpublished vulnerabilities. I could also say that your organization needs a solid patch management program. I could say, well, you get the point. After more than a year of writing up each one of the Microsoft Security bulletins, there's a lot I could say. The fact remains that several trends continue in the Microsoft "Black Tuesday" madness:

Continue reading "Microsoft Patch Tuesday Roundup - December 2010 - "Bad Santa" Edition" »

Microsoft Patch Tuesday Roundup - November 2010 - "Stuck In The Mud" Edition

Balancing Risk

Security continues to be a balance between providing users with features and mitigating risk. Client-side vulnerabilities seem to be the hole that many of us are stuck spinning our wheels in.

Continue reading "Microsoft Patch Tuesday Roundup - November 2010 - "Stuck In The Mud" Edition" »

Advanced Web Application Scanning Using Nessus Video

A new video has been uploaded to the Tenable Security YouTube Channel titled, "Advanced Web Application Scanning Using Nessus":

Please visit the Tenable YouTube Channel, where you can view the above video in High Definition for better picture quality.

Continue reading "Advanced Web Application Scanning Using Nessus Video" »

Plugin Spotlight: D-Link DCC Protocol Security Bypass

Reconfiguring Access Points

Wireless threats come in many different forms, such as disclosure of cleartext credentials, breaking encryption schemes such as WEP and attacking wireless drivers on client systems. While you can extend the range of wireless signals, for the most part these attacks require that the attacker be in close physical proximity of the wireless network and/or client to execute. This is the primary reason why most organizations do not assign a high priority to defending against these attacks. There are far more attackers on the Internet than will be in close proximity to your wireless deployment.

However, something that worries me greatly is wireless attacks that break down these physical barriers. What if attackers could remotely attack a system and then use it to perform local wireless attacks? There have been some papers posted about using the local client system to enumerate wireless networks, but not much in the way of launching attacks. Malware that embeds itself in wireless routers has received limited exposure (except for the infamous "Chuck Norris" worm, whose coverage may have been due to the popularity of the "Chuck Norris Facts" web site).

In an effort to stay ahead of attackers, I recommend that organizations place a higher priority on protecting wireless clients and access points. There are several very concerning vulnerabilities in access points that are trivial to exploit. One example is the D-Link DCC Protocol Security Bypass.

Continue reading "Plugin Spotlight: D-Link DCC Protocol Security Bypass" »

Nessus Reaches Plugin 50000

I am often astonished as to just how many vulnerability checks are included with Nessus. There is something to be said for the scope of the nearly 40,000+ plugins (the numbering of the plugins started at 10001). On October 19, 2010, Nessus plugin number 50,000 was published into the feed. Let's go back and take a look at some of the first plugins:

The "official" first numbered Nessus plugin in the feed is ColdFusion Multiple Vulnerabilities (File Upload/Manipulation) - Plugin ID 10001. I found some interesting information about this vulnerability:

"Although this vulnerability has been known for a while we think it is worse than originally thought. Users can upload and potentially execute files on the web server. Furthermore, few sites seem to have fixed the problem. Major commercial, government, and military sites have been found to still be vulnerable. We hope this advisory helps get the word out to all those webmasters.

-weld"

Continue reading "Nessus Reaches Plugin 50000" »

New Nessus Feature: Public Exploit Availability

A new feature was introduced with the latest update to the Nessus web server (2.0.0) and Flash interface (build 20100913A) to provide "exploitability" information to the user. Each plugin now contains a field that indicates whether or not a publicly-known exploit for the vulnerability exists:

The value will either be "True" if an exploit exists or "False" if an exploit is not publicly known. Nessus checks select sources for the presence of an exploit and updates this field accordingly. I purposely chose a "Medium" level vulnerability for this example, as exploits do not only have to be associated with “High” level alerts. In the above case, the vulnerability is a denial of service condition for NTP (Network Time Protocol), which just happens to have an exploit publicly available.

Continue reading "New Nessus Feature: Public Exploit Availability" »

Microsoft Patch Tuesday Roundup - August 2010 - "Geronimo!" Edition

This month's Patch Tuesday has been described by some as a "hot mess of vulnerabilities". This record-breaking Patch Tuesday contains 15 security bulletins that fix 34 vulnerabilities. While many people have been quick to classify which of these are "critical", I believe that criticality and risk are best determined by the affected organization, not third parties. However, I do recommend that everyone review the information presented, especially the resources prepared by the Internet Storm Center and the Open Source Vulnerability Database. Both of these sources pull in all of the relevant information about each security bulletin, providing a more complete picture to help evaluate your own prioritization efforts. The bulletins prepared by Microsoft are still not exploring the various aspects of each vulnerability and specifically do not always specify whether or not vulnerabilities can be exploited.

The "Mitigating Factors"

In the MS10-047 and MS10-048 security bulletins, which cover eight separate vulnerabilities, Microsoft states the following as a mitigating factor:

"Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users."

I don't like to point fingers or call people out, but Microsoft’s statement is not true. The statement that an attacker "must have" valid logon credentials is a bit concerning. If "logon credentials" are something that you have in your possession, such as a pen or a mouse, then the attacker does not need them. An attacker can certainly convince an already logged in user to execute the code to perform the privilege escalation. In this scenario, the attacker does not "have" the logon credentials. They are currently able to execute code as a non-privileged user, which is a completely different situation. The vulnerability can be executed remotely, provided you have already exploited a vulnerability that has granted you permissions to execute code as a non-privileged user. This is a very common method of attack, as users can be tricked into running all sorts of programs, code from a web site, email attachments and more. There are certain advantages to being logged in to a system as an administrator or with SYSTEM privileges, such as accessing files, installing keystroke loggers and sniffing the network.

Continue reading "Microsoft Patch Tuesday Roundup - August 2010 - "Geronimo!" Edition" »

Security Metrics - Is This Network Getting Better?

Metrics that show risk are an excellent way to communicate security information to different people and groups within an organization. However, trend lines can hide a lot of details and nuances. This blog entry discusses an example network where a month’s worth of scan data is used to trend overall vulnerabilities, to track those that have been present longer than thirty days, and to correlate systems needing a reboot with residual security issues.

Continue reading "Security Metrics - Is This Network Getting Better?" »

Microsoft Patch Tuesday Roundup - July 2010 - "Jedi Mind Trick Edition"

Which Vulnerabilities Are You Looking For?

When Microsoft releases their patches each month, I find it interesting to review the criticality of each vulnerability. Microsoft has, in their typical fashion, used some very interesting wording to describe the latest batch of vulnerabilities. When reading each security bulletin, I try to imagine the worst-case scenario and look at the glass as half empty. Microsoft seems to paint a picture and believes the glass to be half full by using phrases such as:

In MS10-042: "The vulnerability cannot be exploited automatically through e-mail." - I believe what they are stating here is that the user can't just open up an email to have the exploit trigger. Instead, the user has to either open an attachment or click on a link. I can tell you from first-hand experience that it’s not difficult to get someone to click on a link. Typically, you just need to tell them that they've qualified for a free iPad. Getting the user to open an attachment is a little bit trickier, and usually requires more research about the target audience and/or organization. However, this does not mean the attack can't scale to trick thousands of people, as did an email appearing to come from the World Cup with an Excel document attached. The Excel document posed as a schedule for the World Cup, but really contained malware that attempted to infect the end-user's computer.

"These aren't the vulnerabilities you're looking for. You can go about your business."

Continue reading "Microsoft Patch Tuesday Roundup - July 2010 - "Jedi Mind Trick Edition"" »

Detecting Recurring Vulnerabilities

One of the advantages of Tenable’s suite of Unified Security Monitoring products is that continuous vulnerability monitoring can be used to find reintroduced security issues. Vulnerabilities that were once mitigated but are now back again represent process and organizational issues that must be handled differently. Simply reporting the vulnerability again and waiting for it to be patched does not address the fundamental flaw in the process. This blog entry discusses how recurring vulnerabilities are detected, some of the reasons why they may be recurring and how you can track and report on them with Tenable’s SecurityCenter.

Continue reading "Detecting Recurring Vulnerabilities" »

Microsoft Patch Tuesday - February 2010 - "From Microsoft with Love" Edition

Patch Tuesday Gives Birth to "Zombie Wednesday"

The Tenable research team spent the night writing 14 new plugins to check for the latest round of Microsoft patches. While many will have to schedule patch installations, those who run with full automatic updates enabled are theoretically all patched by now. However, it doesn't hurt to check with a quick Nessus patch audit.

Microsoft is in Love With the Word "Could"

There are several terms used by Microsoft throughout their advisories that spread uncertainty about the risk of the vulnerabilities presented. The excessive use of the word "could" is one such example. In the MS10-002 bulletin Microsoft states:

"An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

I “could” also win the lottery, inherit millions of dollars and walk on water. In the case of this exploit "could" is an exceptionally bad word choice as there are several example videos showcasing the exploit in action using open-source software. The other issue with the above statement is the obligatory "users with less rights on the system will be less impacted". Someone should tell the Microsoft PR team that there are two privilege escalation exploits on the list this month, and one has been widely publicized for almost a month. On that note, let’s take a closer look at the 14 bulletins and 26 vulnerabilities that were patched this month.

Continue reading "Microsoft Patch Tuesday - February 2010 - "From Microsoft with Love" Edition" »

Putting OSVDB to work for Nessus Vulnerability Management

A customer recently asked us to provide a count of patches issued in 2009 for various Unix and Linux-based operating systems. To honor their request, we turned to OSVDB, the Open Source Vulnerability Database. OSVDB covers over 60,000 vulnerabilities, spans over 26,000 products and has a powerful search engine that can produce search results based on disclosure date(s), vendor and/or product, CVSSv2 scores, references, vulnerability classifications and more. When generating any statistic regarding vulnerabilities, it is important to qualify the statistics and understand they are only as good as the data set that generated them. While OSVDB does not have a complete data set, it is the only Vulnerability Database (VDB) that provides powerful and flexible search capabilities.

Continue reading "Putting OSVDB to work for Nessus Vulnerability Management" »

Top 10 Nessus Plugins For 2009

Plugins, Glorious Plugins

In 2009, Tenable released over 8,100 new plugins (and the year isn’t over yet!). These plugins have covered several different types of vulnerabilities, including web applications, embedded systems, local checks for operating systems and much more. We polled Tenable employees in our research and content groups to find some of our favorite plugins released this year, and compiled the following list:

Continue reading "Top 10 Nessus Plugins For 2009" »

Microsoft Patch Tuesday - December 2009 - "Specially Crafted" Edition

Another Tuesday, another round of security bulletins from Microsoft. Are you patched? Nessus contains credentialed local checks for all Microsoft security bulletins.

"Specially Crafted"

I have always wondered what the term "specially crafted" really means. What is "special"? Merriam-Webster defines it as "distinguished by some unusual quality". "Unusual" is relative, and means that someone has defined what "usual" means. This is where we start to enter a grey area. How do we determine what is "special" if the "usual" is not clearly defined? In this case, I'm talking about RFCs, the documents used to define what "usual" means with respect to Internet protocols. One of the vulnerabilities this month has to do with IPSec and specifically ISAKMP, the key management protocol. Apparently a "specially crafted" packet will cause this service to eat up CPU cycles and cause a DoS condition. These flaws are common, but my concern is that this condition may not always be caused by a malicious attacker using a tool such as Scapy. For example, a VPN client might send "specially crafted" packets because the programmer who wrote the client software misinterpreted the RFC. I wish that Microsoft would be a little more forthcoming regarding the details of the flaw, particularly how difficult it is to exploit.

"Could Allow"

I am also somewhat puzzled by the term "could allow". When using it in the context of remote exploits, it’s even more confusing. A vulnerability either allows or does not allow remote code to be executed. Sure, there are mitigating factors, but if the vulnerability does allow for remote code execution, then Microsoft should just come out and say it. When you are reading security bulletins from Microsoft, keep in mind that "could allow" really means "allows under certain circumstances".

Continue reading "Microsoft Patch Tuesday - December 2009 - "Specially Crafted" Edition" »

Tips For Using Nessus In Web Application Testing

While Nessus has traditionally been a network vulnerability scanner, it contains quite a bit of functionality that can be used to identify vulnerabilities in custom web applications. This is not to say that Nessus will replace your favorite web application testing tool (or methodology), but it does provide useful information that can be used as the foundation for web application assessments or to indicate that deeper testing is warranted.

There are two different approaches when performing web application testing. The first is part of a larger so-called "blind" test, where you are given a range of IP addresses and asked to test the devices and systems within those ranges. The web applications running within this space will usually be tested generically, but a general scan may not specifically test for web vulnerabilities. You need to first find and enumerate which web applications are running and then run targeted scans that specifically look for web vulnerabilities. The second form of testing is when you are given the URL, and typically credentials, to the web application and asked to test it specifically. Nessus can help with both of these tasks, and provide valuable information that will help with your testing. Nessus provides some of the first steps to web application testing, such as identifying the web server software and technologies, detecting vulnerabilities in common/popular web application software and rudimentary CGI application testing. This post focuses on using Nessus for network-based testing, and describes several compliance-based checks that provide very thorough testing of web application environments, including scanning to test for the OWASP PHP security specifications and Apache CIS Benchmarks.

Continue reading "Tips For Using Nessus In Web Application Testing" »

nessuscmd Tip: Finding Open SMB File Shares

Penetration testers spend a lot of time searching for software vulnerabilities, such as buffer overflows or SQL injection. However, there are many other ways in which networks and systems can present vulnerabilities. Open SMB file shares can disclose sensitive information about an organization: I've found everything from student grades to bank account numbers using this technique. A great way to check for the presence of open SMB shares is to run a quick Nessus scan from the command line as follows:

Continue reading "nessuscmd Tip: Finding Open SMB File Shares" »

How did you test for MS08-067?

Microsoft recently released a critical security bulletin, MS08-067, which described a privately reported vulnerability in the Server service and provided a patch for this vulnerability. What was unusual was that this bulletin was released independently of Microsoft’s usual patch notification process and caused quite a bit of concern for many organizations. Tenable used this opportunity to help a number of organizations monitor their networks to determine if this issue had been mitigated. I had the opportunity to speak with many different customers and was surprised at the different priorities, techniques and level of response that varied from organization to organization. In this blog, I will share some of the situations and trends I ran into while working with Tenable Nessus and Security Center customers.

Tenable’s research team released two checks for MS08-067. One of them, plugin #34477, works without any credentials. It verifies the vulnerability by connecting to Windows systems on port 445 or port 139 and performs a check for it. This plugin has the advantage of being fast and not requiring credentials. The other check (plugin #34476) performs a credentialed patch audit for the same vulnerability. This plugin performs file level analysis to ensure that the right system DLLs have been patched. This technique is more accurate than relying on registry checks alone and can also identify systems that have been patched, but perhaps are waiting on a system reboot for them to truly be effective.

I found that the enterprise organizations that tended to rely on un-credentialed scans generally had immature vulnerability and patch management programs. This was by no means a scientific study, but very often, if we were working on an enterprise un-credentialed scan of several thousand hosts for MS08-067, there was no follow up patch audit or configuration audit. The following were typical comments and conversations:

  • The organization doing the scanning did not have good communications with IT or the multitude of IT organizations. There was simply too much burden to manage credentials across the organization, and if the IT group(s) had some sort of patch auditing solution, it was not centralized in a way that was accessible to perform a corporate audit.
  • There was a perception that MS08-067 was “worm-able” and that the best way to check for it is with an exploit. This is a very dangerous assumption. There are many different scenarios where a network exploit will not work because of a firewall rule or a system configuration. Being un-exploitable and un-patched are two different states. A configuration or firewall filter could eventually change, making the system vulnerable. 
  • There were also many organizations that cited the CVSS score of 10 as the main reason for the patching. I would jokingly ask if it would help them politically if we just started putting “10s” on all of the vulnerability audits produced by Nessus so these groups could get the resources they needed. Here was the rub though – I asked about client side issues that had CVSS scores of 10 such as issues with web browsers, email clients and chat clients. The response was often that the organization was not concerned with client-side issues and they ran anti-virus solutions. I have a big issue with this because anti-virus only protects you from common viruses. It does not plug the actual attack vector. For example, anti-virus technology may prevent a malicious site from spreading the latest Trojan to your vulnerable web browser, but at the same time, it will not stop a custom exploit designed to grant access to your network from the outside or any number of scenarios an attacker could attempt.

I did run into organizations that were using the Nessus network checks for MS08-067 very efficiently:

  • Some organizations had large patch-management operations and were using network scans to get an independent view of how effectively these patches had been rolled out. Tenable support has often received calls from customers when there was a discrepancy between the patch auditing software and Nessus. We’ve blogged before about the many reasons patch management systems can fail.
  • They used Nessus to simulate PCI audits from their ASV and they wanted to get ahead of any potential compliance issues. I would also argue here that patch auditing with Nessus is still quicker than performing a full network scan, but often production PCI systems are extremely locked down and even the auditors do not have direct access to monitor these systems. I find these situations intolerable and see many organizations restricting access to these systems to the point that there are not enough administrators to keep them patched and running.
  • Some organizations had large numbers of Windows XP (not XP Pro) systems that were not part of a domain, and not running some sort of patch auditing agent. Performing a network check on these systems was the only option.

Anytime I had the opportunity to speak with a customer, I urged them to try and take their system monitoring program to the next level:

  • If they were just doing scanning, I explained that patch auditing is more comprehensive, quicker, more accurate and less intrusive than a network scan. I provided specific examples such as WMI and netstat port scanning as well as Unix and Windows process enumeration. I also pointed a lot of customers to the blog “Knowing When to Patch” which really shows how to move your scanning program from monitoring for vulnerabilities to monitoring your patch management program.
  • If an organization had adopted some sort of patch auditing with Nessus (or even as a complement to an agent-based patch management solution) I suggested that configuration auditing can help minimize variance in operational system settings. This in turn can minimize outages and IT help desk calls, and can also increase overall security. A great example of this occurred when I was chatting with a customer about MS08-067 and I asked if they also could show what the password complexity and lockout policies were for all of their Windows 2003 servers. They could not. However, the point was made and the person I was speaking with is attempting to use MS08-067 to get them to be more proactive.
  • Lastly, if an organization has a good handle on patch and configuration auditing, I ask them how fast they can react to a bad network/system change or a new vulnerability. Detecting non-compliant (insecure or mis-configured) systems early enables them to be corrected quickly and reduces the chance of exploitation. For MS08-067, I asked customers how often they scan their network for new hosts that are un-patched. Not every security group that does network scanning has access to a log analysis tool or SIM, but for Security Center customers that upgrade to the Log Correlation Engine, I spent some time showing them how they can use logs to look for change in real-time. Similarly, if a group has access to a network span port, running a product like the Passive Vulnerability Scanner allows them to see what is on their network in real-time.

The bottom line here is that although there are many different ways to monitor security, the real question is did you and your staff respond to MS08-067 proactively or reactively?

 

Network and Credentialed Nessus Checks for MS08-067

Yesterday, Microsoft released an out-of-band security patch (dubbed MS08-067) which fixes an overflow in the ‘server’ RPC service.

Tenable’s Research group has released two Nessus plugins to detect Windows systems that are affected by this vulnerability, which allows almost any Windows 2000, XP and 2003 system to be easily compromised without any credentials. Plugin #34477, named “Vulnerability in Server Service Could Allow Remote Code Execution (958644) – Network Check”, identifies Windows systems that are vulnerable to this issue. It connects to the target on port 445 or port 139 and performs a reliable, non-destructive check for the flaw. This plugin has the advantage of being fast and not requiring credentials. It is distributed as part of the generic Windows plugin family.

Plugin #34476, named “Vulnerability in Server Service Could Allow Remote Code Execution (958644)”, performs a credentialed patch audit for the same vulnerability. It performs file-level analysis to ensure that the right system DLLs have been patched. This technique is more accurate than relying on registry checks alone and can also identify systems that have been patched but are waiting on a reboot before the fix takes effect. This plugin is distributed as part of the Windows : Microsoft Bulletins family.
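To make the difference between a registry-only check and file-level analysis concrete, here is an added Python example; it is not Tenable's plugin code. The DLL path, version numbers and hotfix ID are constructed placeholders rather than the real values for this bulletin, and the "pending replacements" table stands in for whatever a host reports about files staged to be swapped in at the next reboot.

```python
# Added example (not Tenable's plugin code): why a file-level patch audit is
# more trustworthy than a registry-only check, and how "patched but waiting
# on a reboot" can be told apart from "vulnerable".
# Every file name, version number and hotfix ID below is a constructed
# placeholder, not the real data for this bulletin.
from dataclasses import dataclass, field


def parse_version(v: str) -> tuple:
    """'5.1.2600.5512' -> (5, 1, 2600, 5512): tuples compare numerically,
    so '5.1.2600.10000' correctly sorts above '5.1.2600.9999'."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class HostState:
    registry_hotfixes: set        # hotfix IDs the installer recorded in the registry
    file_versions: dict           # {dll path: version string actually on disk}
    pending_replacements: dict = field(default_factory=dict)  # {dll path: staged version}


DLL = r"C:\Windows\system32\placeholder_service.dll"  # placeholder path
FIXED_VERSIONS = {DLL: "5.1.2600.9999"}               # placeholder fixed version
HOTFIX_ID = "KB000000"                                # placeholder hotfix ID


def registry_only_audit(host: HostState) -> str:
    """A registry-only check trusts the installer's bookkeeping."""
    return "patched" if HOTFIX_ID in host.registry_hotfixes else "vulnerable"


def file_level_audit(host: HostState) -> str:
    """Compare the version on disk with the fixed version; if the on-disk copy
    is old but a fixed copy is staged for the next boot, report reboot pending."""
    for path, fixed in FIXED_VERSIONS.items():
        on_disk = host.file_versions.get(path)
        if on_disk is not None and parse_version(on_disk) >= parse_version(fixed):
            continue
        staged = host.pending_replacements.get(path)
        if staged is not None and parse_version(staged) >= parse_version(fixed):
            return "patched, reboot pending"
        return "vulnerable"
    return "patched"


# Constructed sample hosts covering the four states an auditor meets.
SAMPLE_HOSTS = {
    # Installer wrote its registry key but the DLL was never replaced
    # (failed or rolled-back install): registry says patched, disk says no.
    "srv-a": HostState({HOTFIX_ID}, {DLL: "5.1.2600.5512"}),
    # Patch applied, new DLL staged, machine not rebooted yet.
    "srv-b": HostState({HOTFIX_ID}, {DLL: "5.1.2600.5512"}, {DLL: "5.1.2600.9999"}),
    # Fully patched and rebooted (a later build than the minimum).
    "srv-c": HostState({HOTFIX_ID}, {DLL: "5.1.2600.10001"}),
    # Never patched.
    "srv-d": HostState(set(), {DLL: "5.1.2600.5512"}),
}


def compare_audits(hosts=SAMPLE_HOSTS) -> dict:
    """{host: (registry-only verdict, file-level verdict)}"""
    return {name: (registry_only_audit(h), file_level_audit(h)) for name, h in hosts.items()}


if __name__ == "__main__":
    for name, (reg, fil) in compare_audits().items():
        print(f"{name}: registry={reg:<10} file-level={fil}")
```

Host srv-a is the case that matters: a registry-only audit reports it patched while the file on disk is still the old build, and srv-b shows the reboot-pending state that a binary patched/unpatched verdict would misreport one way or the other.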

Monitoring Your Networks

This particular vulnerability can be reliably exploited. If you have any Windows computers with direct access to the Internet (without any firewall), they will likely be subject to attacks from worms and botnets. You should use network and host-based firewalls to limit traffic to these ports. If you are unsure which ports are exposed on your network, consider performing remote network vulnerability scans with Nessus or monitoring your network traffic in real time with a product like the Passive Vulnerability Scanner.

Internally, your networks can be audited with Nessus. If you have a large number of servers to audit, you can also make use of the Tenable Security Center to schedule your scans, analyze the results and share them securely across your various IT organizations.  A key feature of the Security Center is the ability to efficiently combine one time scans with ongoing scans as well as credentialed patch audits, regular network scans and real-time results from the Passive Vulnerability Scanner. This allows any size organization to understand when a host was first added, when it was first found vulnerable and when it was remediated with high accuracy and flexibility.
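The three dates mentioned above (first added, first found vulnerable, remediated) fall out of merging results from all the sources in date order. The following is an added Python example, not Security Center code, with constructed scan records: passive sightings carry no verdict, while network checks and credentialed patch audits do.

```python
# Added example (not Security Center code): merging the results of passive
# monitoring, network scans and credentialed patch audits into a per-host
# vulnerability lifecycle. The records below are constructed.
from datetime import date

# (date, source, host, vulnerable): vulnerable is True/False for a result that
# tested the flaw, and None for a sighting with no verdict (for example a
# passive sensor first seeing traffic from a new host).
SCAN_RECORDS = [
    (date(2008, 10, 20), "pvs",     "10.0.0.5", None),
    (date(2008, 10, 24), "network", "10.0.0.5", True),
    (date(2008, 10, 24), "network", "10.0.0.9", True),
    (date(2008, 10, 27), "patch",   "10.0.0.5", False),
    (date(2008, 10, 29), "network", "10.0.0.9", True),
    (date(2008, 10, 30), "network", "10.0.0.9", False),
]


def host_timeline(records=SCAN_RECORDS) -> dict:
    """Return {host: {first_seen, first_vulnerable, remediated}} across all sources.
    'remediated' is the first clean verdict after the host was last seen
    vulnerable; a later vulnerable verdict (patch rolled back, host re-imaged)
    clears it again so the host is not counted as fixed."""
    timeline = {}
    for when, _source, host, vulnerable in sorted(records, key=lambda r: r[0]):
        entry = timeline.setdefault(
            host, {"first_seen": None, "first_vulnerable": None, "remediated": None})
        if entry["first_seen"] is None:
            entry["first_seen"] = when          # any source counts as a sighting
        if vulnerable is True:
            if entry["first_vulnerable"] is None:
                entry["first_vulnerable"] = when
            entry["remediated"] = None          # vulnerable again: not remediated
        elif vulnerable is False and entry["first_vulnerable"] and entry["remediated"] is None:
            entry["remediated"] = when
    return timeline


def exposure_days(entry: dict, today=None):
    """Days between the first vulnerable sighting and remediation (or today)."""
    if entry["first_vulnerable"] is None:
        return None
    end = entry["remediated"] or today or date.today()
    return (end - entry["first_vulnerable"]).days


if __name__ == "__main__":
    for host, entry in host_timeline().items():
        print(host, entry, "exposed for", exposure_days(entry), "days")
```

Note that 10.0.0.5 is first seen by the passive sensor four days before any scan tests it, which is exactly the gap between "host appeared" and "host found vulnerable" that a scan-only view cannot measure.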

Lastly, since this vulnerability will likely be targeted by malicious users, you should consider your organization’s overall technical ability to detect compromises and react to them. Existing Nessus checks that we’ve recently blogged about, such as the ability to detect executables, fake services and Windows systems that have had their HOSTS file modified, and even enumeration of each running network service, can all contribute to effective monitoring for compromised systems. If you run a SIM or NBAD solution such as Tenable’s Log Correlation Engine, I would also recommend reviewing concepts such as monitoring your network for systems that have connected to known “bad guy” blacklisted IP addresses, finding out which systems on your network have begun sending spam email, and finding out when systems suddenly become very communicative with other hosts.

Plugin Usage

To obtain Nessus plugins 34477 and 34476, Nessus ProfessionalFeed and Nessus HomeFeed users should manually update their plugins. Security Center users who wish to perform a scan immediately should choose the “Request Plugin Update” tool under their “Policies” menu.

If you are using Nessus alongside a different patch auditing or network scanning technology, keep in mind that since Nessus has two checks for this, you will get different results in different situations. For example, an agent-based patch auditing tool will be able to identify the vulnerability on a host that is firewalled from a remote Nessus scan. Similarly, Nessus will likely identify this security issue over the network while another scanner that is only performing local patch audits will not. And lastly, if your other scanner or patch auditing tool is only performing registry checks, Nessus will identify this issue much more accurately because of its use of file analysis to verify patch deployments.

For More Information

The following Tenable blog entries are very informative for auditing your network for compromised hosts and general malicious and suspicious activities:

Use Nessus and the Security Center to find out which processes are listening on the remote ports :

Use Nessus and Security Center to detect Windows hosts which have been compromised :

Use the Log Correlation Engine and Passive Vulnerability Scanner to detect network anomalies :

 

Scanning for DNS Servers Vulnerable to Cache Poisoning

Recently, CERT issued vulnerability note VU#800113, which describes a variety of issues affecting multiple commercial and open source DNS tools.

The vulnerability pertains to an attacker being able to perform a cache poisoning attack. This could result in an attacker being able to redirect email, web and other types of traffic to hosts under their control. This has many implications for identity theft, malware propagation, credit card theft and denial of service.

Tenable's research group has produced several Nessus plugins which test for this vulnerability.

  • The "Remote DNS Resolver Uses Non-Random Ports" plugin, ID #33447 and currently available to Direct Feed users, performs a variety of queries against a DNS server to determine whether the source ports used in these transactions are sufficiently randomized. You do not need credentials to perform this test; it is based purely on DNS queries sent to the DNS server.
  • Plugin #33441 is a credentialed check for Microsoft servers that tests for the presence of the MS08-037 patch which fixes this issue.
  • Plugins #33451 and #33450 are credentialed checks for Debian DNS servers.
  • Plugin #33462 is a credentialed check for Red Hat DNS servers.
  • Plugin #33464 is a credentialed check for Ubuntu DNS servers.
  • Plugin #33448 is a credentialed check for CentOS DNS servers. 
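To illustrate the logic behind the source-port test in the first bullet, here is an added Python example; it is not the plugin's own code. It takes lists of source ports observed from a resolver (constructed here, where the plugin would collect them from live queries), classifies each resolver as using a fixed port, a sequential port, a narrow range, or randomized ports, and estimates how many bits of unpredictability a forged reply would have to match. The span threshold and the treatment of sequential ports as fully predictable are assumptions of this example.

```python
# Added example (not Tenable's plugin code): the decision logic of a
# source-port randomisation check. Port observations below are constructed.
import math
from collections import Counter

TXID_BITS = 16   # DNS transaction ID is 16 bits; a forged reply must match it


def port_entropy_bits(ports) -> float:
    """Shannon entropy of the observed port distribution (0.0 for a fixed port).
    Capped at log2(len(ports)) by sample size, so it is a supporting figure only."""
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in Counter(ports).values())


def classify_source_ports(ports, narrow_span=1024) -> str:
    """'fixed', 'sequential', 'narrow' or 'randomized'.
    narrow_span (an assumed threshold) is the smallest port range that counts
    as meaningfully randomized."""
    if len(set(ports)) == 1:
        return "fixed"
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    if deltas and all(d == deltas[0] for d in deltas):
        return "sequential"   # constant increment: the next port is predictable
    if max(ports) - min(ports) < narrow_span:
        return "narrow"       # random, but inside a small range
    return "randomized"


def effective_guess_bits(ports) -> float:
    """Approximate bits an off-path forged reply must match: the 16-bit TXID
    plus whatever the source port adds. Fixed or sequential ports add nothing;
    otherwise the observed span is used as the port's contribution."""
    kind = classify_source_ports(ports)
    port_bits = 0.0 if kind in ("fixed", "sequential") else math.log2(max(ports) - min(ports) + 1)
    return TXID_BITS + port_bits


# Constructed observations, one list per resolver behaviour.
OBSERVATIONS = {
    "fixed":      [53] * 20,
    "sequential": [1025 + i for i in range(20)],
    "narrow":     [4001, 4007, 4003, 4009, 4002, 4008, 4005, 4001, 4006, 4004],
    "randomized": [49152, 33221, 61004, 40877, 52310, 36998, 58431, 45012, 63877, 34560,
                   57120, 41333, 50988, 39744, 60311, 47265, 54039, 38102, 62750, 43910],
}


def assess_all(observations=OBSERVATIONS) -> dict:
    """{resolver: (classification, approximate guess bits rounded to 0.1)}"""
    return {name: (classify_source_ports(p), round(effective_guess_bits(p), 1))
            for name, p in observations.items()}


if __name__ == "__main__":
    for name, (kind, bits) in assess_all().items():
        print(f"{name:<11} {kind:<11} ~{bits} bits  entropy={port_entropy_bits(OBSERVATIONS[name]):.2f}")
```

The point the numbers make is that a resolver with a fixed or sequential source port leaves only the 16-bit transaction ID standing between a cache and a forged answer, which is why the plugin's verdict is worth acting on even when the server software itself is "patched".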

As more patches for this advisory become available in other operating systems, Tenable will add checks for those systems as well.

Dan Kaminsky of IOActive, Paul Vixie of the Internet Systems Consortium (ISC) and Daniel J. Bernstein have all been credited with finding this security issue and raising awareness among ISPs, vendors and network administrators.

If your organization is modifying its DNS servers because of this vulnerability, we also suggest that you test whether DNS recursion is enabled and, if it is not needed, disable it as well.