Vulnerability Management: what matters more, the management or the vulnerabilities?



In this article we want to share some cases that happened to our customers and show why vulnerability management is almost always not about the vulnerabilities themselves, and why the simple promise "we will filter 1,000,000 vulnerabilities down to the really important minimum for you" is not enough.

Case #1: “Oh, we already know that everything is bad with us!”


Object: remote management modules (IPMI) installed on critical servers, more than 500 units.
Vulnerability: criticality level (CVSS Score) - 7.8

CVE-2013-4786 - a vulnerability in the IPMI protocol that allows an attacker to obtain the password hashes of user accounts, which can lead to unauthorized access and account takeover.

Case description: the customer knew about the vulnerability itself; however, for a number of reasons described below, it never went further than "accepting the risk".

The difficulty of the case is that patches are far from available for all motherboards using this module, and updating firmware on such a large number of servers is extremely resource-intensive.

There were alternative mitigation methods: access lists (ACLs) on network equipment (very difficult, since the admins are highly distributed and use IPMI from wherever they happen to be) and disabling IPMI altogether, which I think needs no comment (just in case: no one is going to manage 500 distributed servers by hand "for the sake of security").

This is where the story usually ends, but on our side an additional analysis of the vulnerability was made, and it became clear that the server returns an account's password hash only if the request names a login that actually exists on the server. So it was decided:

1. Change account names to ones that are hard to guess.
Of course, this is not a panacea. If an attacker takes their time, so as not to "light up" in the logs, and enumerates logins, sooner or later they will find one. But most likely it will take long enough for additional measures to be implemented.

2. Change passwords so that the hash takes much longer to brute-force.
The situation is similar to point 1: brute-forcing the SHA1 hash of a 16-character password will take forever.

As a result, a known, dangerous vulnerability, one that could easily have been exploited even by a script kiddie, was closed with minimal resources.

Case #2: "We can download OpenVAS without you!"


Object: all routers and switches within the company, more than 350 devices.
Vulnerability: criticality level (CVSS Score) - 10.0

CVE-2018-0171 - a vulnerability in the Cisco Smart Install functionality, exploitation of which leads to a change in the device configuration, including a password change, so that the legitimate administrator loses the password and with it control over the device. In other words, an attacker gains full access to the device.

Case description: despite the use of several scanners, including commercial ones, none of them reported this vulnerability. Perhaps the signatures at the time were far from ideal for this vulnerability, or the network topology had an effect; one way or another, it was a precedent. As a company that has been providing this service for some time, we maintain our own database of really dangerous vulnerabilities, which we check additionally.

The customer did not use the Smart Install functionality, so the solution, given the complexity of updating the firmware (even setting aside the outdated hardware), came down to providing the client with a list of IP addresses on which the vulnerable service was then disabled by a script.

As a result, a critical vulnerability on the vast majority of the network equipment, one that could have gone unnoticed and, in the event of an attack, would have led to a complete shutdown of the entire company, was fixed.
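The remediation in this case, disabling the Smart Install client on every device from the scanner's IP list and then confirming the change, as an added example that is not the author's script. It assumes the devices are Cisco IOS switches whose `show vstack config` output is collected per IP; `no vstack` is the disable command from Cisco's advisory, and the sample outputs are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: scanner-reported device IPs (as in the case) mapped to
# the text each device returned for "show vstack config". The line format follows
# Cisco's Smart Install documentation; the values here are made up for the example.
SAMPLE_OUTPUTS: Dict[str, str] = {
    "10.0.0.1": "Role: Client (SmartInstall enabled)\nVstack Director IP address: 0.0.0.0\n",
    "10.0.0.2": "Role: Client (SmartInstall disabled)\nVstack Director IP address: 0.0.0.0\n",
    "10.0.0.3": "Role: Director (SmartInstall enabled)\nVstack Director IP address: 10.0.0.3\n",
    "10.0.0.4": "% Invalid input detected at '^' marker.\n",
}

# IOS commands that turn the Smart Install client off on a device that does not use
# the feature (the remediation applied in the case); "no vstack" is Cisco's command.
DISABLE_COMMANDS: List[str] = ["configure terminal", "no vstack", "end", "write memory"]
MANUAL_REVIEW = "manual review: device reports the Smart Install director role"


def smart_install_state(output: str) -> Optional[bool]:
    """True if 'show vstack config' reports Smart Install enabled, False if disabled,
    None if the output is unrecognised (unsupported platform or a CLI error)."""
    m = re.search(r"SmartInstall\s+(enabled|disabled)", output, re.IGNORECASE)
    return None if m is None else m.group(1).lower() == "enabled"


def is_director(output: str) -> bool:
    """A device acting as director is using the feature on purpose: do not auto-disable."""
    return re.search(r"^Role:\s*Director", output, re.IGNORECASE | re.MULTILINE) is not None


def plan_remediation(outputs: Dict[str, str]) -> Dict[str, object]:
    """Map each exposed IP to the command list to push, or to a manual-review note.
    Devices already disabled, or with unparseable output, are left out of the plan."""
    plan: Dict[str, object] = {}
    for ip, output in outputs.items():
        if smart_install_state(output) is not True:
            continue
        plan[ip] = MANUAL_REVIEW if is_director(output) else list(DISABLE_COMMANDS)
    return plan


def still_exposed(outputs: Dict[str, str]) -> List[str]:
    """Control check after the change: IPs that still report Smart Install enabled,
    plus those whose state could not be confirmed (unknown is treated as unverified)."""
    return sorted(ip for ip, out in outputs.items() if smart_install_state(out) is not False)


if __name__ == "__main__":
    for ip, action in plan_remediation(SAMPLE_OUTPUTS).items():
        print(ip, "->", action)
    print("unverified or still exposed:", still_exposed(SAMPLE_OUTPUTS))
```

Running `still_exposed` again on freshly collected output after the commands have been pushed is the control scan step: a device that drops out of the list is confirmed fixed, everything else goes back into the queue.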

Case #3: “If anyone had wanted to, we would already have been hacked!”


Object: domain controller, mail server and a number of other devices, servers and hosts critical for the company.
Vulnerability: criticality level (CVSS Score) - 9.3

CVE-2017-0144 - a vulnerability in the SMB protocol that allows remote execution of arbitrary code on the server (it belongs to the group of vulnerabilities that the WannaCry ransomware used to spread).

Case description: at the start of service delivery, during a scheduled scan, this critical vulnerability was discovered; the only possible recommendation was to install OS updates. The customer agreed to this decision, but the control scan showed that the vulnerability remained. After escalating the situation and a personal meeting with the customer, it turned out that the reason was the human factor: the specialist simply had not done the task.

Consequences: within a few days of the task being ignored, malware that spreads successfully over the network reached a user's workstation, exploited this vulnerability, and took the domain controller down.

As a result, the company suffered heavy losses (infrastructure restoration work took several months).


Dmitry Golovnya GolovnyaD
SOC Analyst, Acribia

Source: https://habr.com/ru/post/undefined/
