Director's Blog
2008 December

December 4, 2008

SNS, "Report on Host Vulnerabilities"

Filed under: tech — Tom Holub @ 2:03 pm

Departmental security contacts today received a message from SNS entitled “Report on Host Vulnerabilities.”  This report was generated by SNS’s Foundstone scanner, which looks at every machine on campus and tries to determine if any network security vulnerabilities exist.  To do this, the scanner connects to the machine to see what services are running, and, to the extent that it is possible, tries to determine what version of the software is running for each service.  It then compares those version numbers against a database of known vulnerabilities, and generates a report as follows:

128.32.x.x (hostname1.Berkeley.EDU) MAC: Not available
  Severity:    High           CVE-2000-0923   Aplio IP Phone authenticate.cgi Command Execution
128.32.x.x (hostname2.Berkeley.EDU) MAC: Not available
  Severity:    Medium         CVE-1999-0517   SNMP Default Community Name
  Severity:    Medium         No CVE-ID       HP Printer FTP Access
128.32.x.x (hostname3.Berkeley.EDU) MAC: Not available
  Severity:    High           CVE-2006-3747   Apache HTTP Server mod_rewrite Vulnerability
  Severity:    Medium         CVE-2007-5000   Apache mod_imap Module Vulnerability

There are three components in the report: a description of the supposed vulnerability, a reference number which you can use to look up the vulnerability and (in some cases) learn how to fix it, and a subjective rating of the severity of the vulnerability.
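As an added illustration (not code from this post or from SNS), here is a small Python parser for the report layout shown above: it groups findings by host, separates real CVE references from the "No CVE-ID" case, and orders hosts worst-first so a security contact knows which owners to track down first. The sample report is constructed in the same layout, and the NVD lookup URL and the High/Medium/Low ordering are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the SNS "Report on Host Vulnerabilities"
# (addresses masked as in the post; not a real scan).
SAMPLE_REPORT = """\
128.32.x.x (hostname1.Berkeley.EDU) MAC: Not available
  Severity:    High           CVE-2000-0923   Aplio IP Phone authenticate.cgi Command Execution
128.32.x.x (hostname2.Berkeley.EDU) MAC: Not available
  Severity:    Medium         CVE-1999-0517   SNMP Default Community Name
  Severity:    Medium         No CVE-ID       HP Printer FTP Access
128.32.x.x (hostname3.Berkeley.EDU) MAC: Not available
  Severity:    High           CVE-2006-3747   Apache HTTP Server mod_rewrite Vulnerability
  Severity:    Medium         CVE-2007-5000   Apache mod_imap Module Vulnerability
"""

# Host header: "<ip> (<hostname>) MAC: <mac>"; finding: "  Severity: <level> <CVE or 'No CVE-ID'> <title>"
HOST_RE = re.compile(r"^(?P<ip>\S+) \((?P<host>[^)]+)\) MAC: (?P<mac>.*)$")
FINDING_RE = re.compile(
    r"^\s+Severity:\s+(?P<sev>\w+)\s+(?P<ref>CVE-\d{4}-\d{4,}|No CVE-ID)\s+(?P<title>.+?)\s*$")
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1}  # assumed ordering of the scanner's labels

def parse_report(text):
    """Group findings by hostname: {host: [{'ip', 'severity', 'cve', 'title'}, ...]}."""
    hosts, current = defaultdict(list), None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            current = (m["host"], m["ip"])
            hosts[m["host"]]  # record the host even if no finding lines follow
        elif (m := FINDING_RE.match(line)) and current:
            host, ip = current
            hosts[host].append({"ip": ip, "severity": m["sev"], "title": m["title"],
                                "cve": None if m["ref"] == "No CVE-ID" else m["ref"]})
    return dict(hosts)

def lookup_url(cve):
    """NVD page for a CVE id (the reference lookup the post describes); None without an id."""
    return f"https://nvd.nist.gov/vuln/detail/{cve}" if cve else None

def worklist(report):
    """Hosts ordered worst-first, so the contact knows whose owners to track down first."""
    def worst(findings):
        return max((SEVERITY_RANK.get(f["severity"], 0) for f in findings), default=0)
    return sorted(report.items(), key=lambda kv: (-worst(kv[1]), kv[0]))
```

Findings with no CVE id (the printer FTP entry, for example) get no lookup URL and have to be taken to the vendor or local IT, as the post says.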

The methods Foundstone uses to determine the services and versions are not entirely reliable, so these reports often contain a number of false positives.  The version numbers are usually self-reported by the applications, and they can vary from platform to platform.  In addition, the severity rating cannot take your local configuration into account, so you may be running an application in which a vulnerability exists but which cannot be exploited in your configuration.  Foundstone is working with very limited information.

So, what do you do when you get one of these reports?  First, you have to find the machines and figure out who they belong to; these messages are going to the overall security contact for the department, so some departments will get large reports referencing many different machines.  Departments need to be able to track down the machine owners, even for machines which are being managed by PIs or grad students.  Many departments do not currently have good mechanisms for locating machines by IP address; that’s a problem.

Once you’ve found the machine, the owner needs to sanity-check the report.  Often, Foundstone scans will discover services running on machines that the owner was unaware of; check if there is really a service running, and if so, whether it’s really necessary.  Disable it if you don’t need it.  Check if the machine is set up to automatically receive software updates; if not, configure it to do so.

Today’s reports include a number of non-traditional computing devices like copiers and printers.  These devices, as they become more and more sophisticated, also become increasingly vulnerable to security problems.  The “hostname2.Berkeley.EDU” machine referenced above is probably an HP printer with a default network configuration.  In most cases, the services listed on the report can be shut down, but it can depend on how you’re using the machine.  You’ll have to contact your local IT folks, or your copier/printer manufacturer to look into it.

SNS is planning to run these scans on a regular basis; we hope that the reports continue to improve in accuracy (they’re way better now than when we first saw them), and that the security and configuration of our machines also continues to improve.

Posts and comments on this blog are the opinions of their authors, and do not necessarily represent the opinions of LSCR, the College of Letters & Science, or the University.