Sample Client Sample Vulnerability Assessment Prepared By Corporate Armor Month XX, XXXX CorporateArmor.com Executive Summary The Corporate Armor team worked with sample client’s staff to perform a vulnerability scan of their internal servers. The data collected was analyzed to determine which potential vulnerabilities impact the 7 endpoints scoped for this engagement. The scan results detail each of the vulnerabilities found in the environment and recommend appropriate steps to remediate the scan findings. 7 Endpoints Scanned 41 4 2 Vulnerabilities Found Critical Vulnerabilities Can Be Fixed By Patches Based on analysis of the scan, the sample client’s current patching procedure is not far behind to fix issues identified by the vendor. There are only 2 vulnerabilities identified that can be fixed by currently available patches. However, rd Corporate Armor recommends the client create a solution for managing 3 party software to ensure their endpoints are kept up to date. Other vulnerabilities identified require configuration or other changes to secure the endpoints. Corporate Armor has broken down the recommended remediation steps into two categories: tactical and strategic. Tactical recommendations are high risk items to address immediately. Strategic recommendations are longer term items that require active business management through completion. Remediation Steps 10 3 Tactical Recommendations Strategic Recommendations CorporateArmor.com Tactical Recommendations Recommendations are ranked in order of decreasing severity. Recommendation # Affected Hosts Recommendation Detail 1 10.0.0.1 2 10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.6 10.0.0.1 10.0.0.2 Default or easily guessable SNMP community strings are currently in use and should be changed to a unique string in accordance with company policy around SNMP settings for systems/devices Limit database access to only necessary systems 3 4 5 10.0.0.1 10.0.0.3 10.0.0.2 6 10.0.0.2 7 10.0.0.2 8 10.0.0.2 9 10.0.0.3 10.0.0.4 10.0.0.5 10 Update application to utilize HttpOnly flag for cookies, as this could ultimately lead to exposure to a cross-site scripting again, in which an attacker can acquire cookie information more easily without this parameter set Update application to utilize Secure flag for cookies Disable the ability to enumerate the root web server directory Apply Apache HTTPD patch to resolve Range header remote DoS (CVE-2011-3192) Disable HTTP TRACE Method Update web application form action to submit sensitive data over a secure channel Disable Anonymous LDAP Directory Access Scan perimeter network and/or public IP addresses to ensure unwanted services or ports aren’t available externally Strategic Recommendations Recommendation # Recommendation Detail 1 Perform periodic vulnerability scans of internal and externally available servers and services to identify risks before they become an issue rd Create procedures to review 3 party software and patching systems Review and limit access to services and ports to ensure unwanted or unauthorized access isn’t inadvertently made available to the systems 2 3 Additional details of the vulnerability scan and findings are found in the sections below. The critical risks are explained in detail in Table 2 below. The two lists above are not all encompassing but are the more significant findings that Corporate Armor recommends the client focus their time. These recommendations will benefit client’s overall security posture in both the short and long term. Corporate Armor provides remediation services billed as a separate engagement. CorporateArmor.com Vulnerability Scan Data Scan Findings and Remediation Corporate Armor executed a vulnerability scan against a set of internal servers located within Sample Client’s environment. The vulnerability scan discovered 41 vulnerabilities. The vulnerabilities found are broken down into three categories using Qualys scoring and terminology. The Qualys score reflects how much risk a vulnerability poses to the security posture of the business and the score correlates to the categories Moderate (3), Severe (4) and Critical (5). The categories are described below: Severity Description Moderate Host has vulnerabilities that may result in potential misuse of host, i.e. disclosure of partial file contents, unauthorized use of services, directory browsing, denial of services attacks, etc. Host can potentially be controlled by attackers or highly sensitive information may potentially be leaked, i.e. full read access to files, potential backdoors, etc. Host can easily be controlled by attackers and can lead to the compromise of entire corporate network security, i.e. full read and write access to files, remote execution of commands, etc. Severe Critical Of the 41 vulnerabilities found, 4 of these were critical vulnerabilities. All of the critical vulnerabilities are resolvable via patching or configuration changes. 37 of the vulnerabilities were severe with no moderate vulnerabilities found in the environment as seen in Figure 1 on the right: Vulnerabilities by Severity Of the systems scanned, there weren’t any that were free of vulnerabilities. All ports were scanned for the server, 172.17.2.38, however, no response was received so we were unable to test that host. ALACTX01 is the only host that has known exploits available from the vulnerabilities found. Critical Severe Moderate Vulnerabilities 0 20 40 Vulnerability Summary by IP Address Address Operating System Exploits Malware Vulnerabilities 172.17.2.8 Microsoft Windows Server 2008 R2, Standard Edition SP1 0 0 11 172.17.2.39 Microsoft Windows Server 2008 R2, Standard Edition SP1 5 0 9 172.17.2.40 Microsoft Windows Server 2008 R2, Standard Edition SP1 0 0 8 172.17.2.35 Microsoft Windows Server 2008 R2, Standard Edition SP1 0 0 5 172.17.2.36 Microsoft Windows Server 2008 R2, Standard Edition SP1 0 0 5 172.17.2.37 Microsoft Windows Server 2008 R2, Standard Edition SP1 0 0 3 Table 1 CorporateArmor.com Critical vulnerabilities and vulnerabilities with readily available exploits are the vulnerabilities that should be addressed first. There are also several vulnerabilities that could lead to further escalation if not addressed, requiring a configuration change to the platform. For example, when the HttpOnly flag is missing within a cookie, it could lead to exposure to cross-site scripting, in which an attacker could easily acquire cookie information without this parameter set. Some vulnerabilities deal with the type of service being used and its lack of authentication required, such as the LDAP services on several servers that allow for anonymous connections, resulting in the possibility for an attacker to gain additional information. The table below displays these previously discussed vulnerabilities, affected hosts, and an associated remediation task ID. A key for the remediation tasks can be found on the following page. Host Vulnerabilities Remediation Task ID 10.0.0.1  Default or Guessable SNMP community names: public Default or Guessable SNMP community names: private Database Open Access Missing HttpOnly Flag From Cookie Missing Secure Flag From SSL Cookie     A001 B001 C001 D001  Microsoft IIS ISAPI Extension Enumerate Root Web Server Directory Vulnerability  Apache HTTPD: Range header remote DoS (CVE-2011-3192) HTTP TRACE Method Enabled Missing HttpOnly Flag From Cookie Missing Secure Flag From SSL Cookie Form action submits sensitive data in the clear LDAP Anonymous Directory Access Permitted Database Open Access Missing Secure Flag From SSL Cookie LDAP Anonymous Directory Access Permitted LDAP Anonymous Directory Access Permitted       B001 C001 E001 F001 G001 H001    B001 D001 I001  I001  I001  B001     10.0.0.2     10.0.0.3  10.0.0.4    10.0.0.5  10.0.0.6  CorporateArmor.com Database Open Access Remediation Task ID Remediation Step A001 The default or easily guessable SNMP community string is currently in use. This should be changed to a unique string in accordance with company policy around SNMP settings for systems/devices B001 Limit database access to only necessary systems C001 Update application to utilize HttpOnly flag for cookies D001 Update application to utilize Secure flag for cookies E001 Disable the ability to enumerate the root web server directory F001 Apply Apache HTTPD patch to resolve Range header remote DoS (CVE-2011-3192) G001 Disable HTTP TRACE Method H001 Update web application form action to submit sensitive data over a secure channel I001 Disable Anonymous LDAP Directory Access In addition to the vulnerabilities identified above, Corporate Armor recommends reviewing all of the vulnerabilities found during this engagement, and determine next steps to remediate, mitigate, or document accepting the risk associated to vulnerabilities that either will not or cannot be remediated. Taking this approach will keep the company’s security posture moving in the right direction. Appendix A contains additional details on the vulnerabilities found and the steps for remediating the scan’s findings. It is recommended that this document be reference throughout the remediation process CorporateArmor.com Appendix A: Scan Vulnerability Details Full details have been truncated for the purpose of the example deliverable. The actual Vulnerability Assessment Document would likely contain several additional pages of detail. 3.1. Critical Vulnerabilities 3.1.1. Default or Guessable SNMP community names: public (snmp-read-0001) Description: The Simple Network Management Protocol (SNMP) is a commonly used network service. Its primary function is to provide network administrators with information about all kinds of network connected devices. SNMP can be used to get and change system settings on a wide variety of devices, from network servers, to routers and printers. The drawback to this service is the authentication is an unencrypted "community string". In addition many SNMP servers provide very simple default community strings. The community string "public" is a default on a number of SNMP servers. This community string can allow attackers to gain a large amount of information about the SNMP server and the network it monitors. Attackers may even reconfigure or shut down devices remotely. Affected Nodes: Affected Nodes: Additional Information: 172.17.2.8:161 (webmail.legion-aux.org) Running vulnerable SNMP service. Successfully authenticated to the SNMP service with credentials: uid[null] pw[public] realm[null] References: Source Reference BID 2896 BID 3795 BID 3797 CVE CVE-1999-0186 CVE CVE-1999-0254 CVE CVE-1999-0472 CVE CVE-1999-0516 CVE CVE-1999-0517 CVE CVE-2001-0514 CVE CVE-2002-0109 XF atmel-vnetb-ap-snmp-security(6576) XF linksys-etherfast-default-snmp(7827) CorporateArmor.com Vulnerability Solution: 1. If you do not absolutely need SNMP, disable it. SNMP version 1 is inherently insecure. SNMP version 3 provides more complex authentication and encryption. 2. If you must use SNMP be sure to use complex and difficult to guess community names. Use the same policy for community names as you use for passwords. 3. Try to make all your MIB's read only. This will limit the damage an attacker can do to your network. 3.2. Severe Vulnerabilities 3.2.1. X.509 Certificate Subject CN Does Not Match the Entity Name (certificate-common-name-mismatch) Description: The subject common name (CN) field in the X.509 certificate does not match the name of the entity presenting the certificate. Before issuing a certificate, a Certification Authority (CA) must check the identity of the entity requesting the certificate, as specified in the CA's Certification Practice Statement (CPS). Thus, standard certificate validation procedures require the subject CN field of a certificate to match the actual name of the entity presenting the certificate. For example, in a certificate presented by "https://www.example.com/", the CN should be "www.example.com". In order to detect and prevent active eavesdropping attacks, the validity of a certificate must be verified, or else an attacker could then launch a man-in-the-middle attack and gain full control of the data stream. Of particular importance is the validity of the subject's CN, that should match the name of the entity (hostname). A CN mismatch most often occurs due to a configuration error, though it can also indicate that a man-in-the-middle attack is being conducted. Affected Nodes: Affected Nodes: Additional Information: 172.17.2.40:443 (ALAVCENTER) The subject common name found in the X.509 certificate ('CN=ALAvCenter') does not seem to match the scan target '172.17.2.40':Subject CN 'ALAvCenter' does not match node name '172.17.2.40' 172.17.2.40:8443 (ALAVCENTER) The subject common name found in the X.509 certificate ('CN=ALAvCenter') does not seem to match the scan target '172.17.2.40':Subject CN 'ALAvCenter' does not match node name '172.17.2.40' References: None Vulnerability Solution: The subject's common name (CN) field in the X.509 certificate should be fixed to reflect the name of the entity presenting the certificate (e.g., the hostname). This is done by generating a new certificate usually signed by a Certification Authority (CA) trusted by both the client and server. 3.3. Moderate Vulnerabilities No moderate vulnerabilities were reported. Full details have been truncated for the purpose of the example deliverable. The actual Vulnerability Assessment Document would likely contain several additional pages of detail. CorporateArmor.com