
Sample Client
Sample Vulnerability Assessment
Prepared By
Corporate Armor
Month XX, XXXX
CorporateArmor.com
Executive Summary
The Corporate Armor team worked with Sample Client's staff to perform a vulnerability scan of their internal servers. The data collected was analyzed to determine which potential vulnerabilities impact the 7 endpoints scoped for this engagement. The scan results detail each of the vulnerabilities found in the environment and recommend appropriate steps to remediate the scan findings.
7 Endpoints Scanned
41 Vulnerabilities Found
4 Critical Vulnerabilities
2 Can Be Fixed By Patches
Based on analysis of the scan, Sample Client's current patching procedure is keeping pace with the fixes released by vendors: only 2 of the vulnerabilities identified can be fixed by currently available patches. However, Corporate Armor recommends the client create a solution for managing 3rd party software to ensure their endpoints are kept up to date. The other vulnerabilities identified require configuration or other changes to secure the endpoints.
Corporate Armor has broken down the recommended remediation steps into two categories: tactical and strategic.
Tactical recommendations are high risk items to address immediately. Strategic recommendations are longer term
items that require active business management through completion.
Remediation Steps
10 Tactical Recommendations
3 Strategic Recommendations
Tactical Recommendations
Recommendations are ranked in order of decreasing severity.

1. Affected hosts: 10.0.0.1
   Default or easily guessable SNMP community strings are currently in use and should be changed to a unique string in accordance with company policy around SNMP settings for systems/devices.

2. Affected hosts: 10.0.0.1, 10.0.0.2, 10.0.0.3, 10.0.0.6
   Limit database access to only necessary systems.

3. Affected hosts: 10.0.0.1, 10.0.0.2
   Update application to utilize the HttpOnly flag for cookies. The missing flag does not itself cause cross-site scripting, but if the application has a cross-site scripting flaw, an attacker's script can read the cookie directly; with HttpOnly set, the browser withholds the cookie from script.

4. Affected hosts: 10.0.0.1, 10.0.0.3
   Update application to utilize the Secure flag for cookies.

5. Affected hosts: 10.0.0.2
   Disable the ability to enumerate the root web server directory.

6. Affected hosts: 10.0.0.2
   Apply Apache HTTPD patch to resolve Range header remote DoS (CVE-2011-3192).

7. Affected hosts: 10.0.0.2
   Disable HTTP TRACE Method.

8. Affected hosts: 10.0.0.2
   Update web application form action to submit sensitive data over a secure channel.

9. Affected hosts: 10.0.0.3, 10.0.0.4, 10.0.0.5
   Disable Anonymous LDAP Directory Access.

10. Affected hosts: none listed; applies to the perimeter as a whole
    Scan perimeter network and/or public IP addresses to ensure unwanted services or ports aren't available externally.
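Recommendations 3 and 4 are easy to verify and easy to get half right, so here is an added example (not the scanner's code and not the client's application) that audits Set-Cookie headers for the HttpOnly and Secure flags and builds the hardened header the fix should emit. The response headers in the block are constructed, and the cookie name `sessionid` is an assumption.

```python
"""Cookie-flag audit behind remediation tasks C001 (HttpOnly) and D001 (Secure).

Added example, not the scanner's code and not the client's application.
The response headers at the bottom are constructed; 'sessionid' is an
assumed cookie name.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CookieFinding:
    name: str
    missing: tuple   # flags the cookie lacks, e.g. ("HttpOnly", "Secure")


def parse_set_cookie(header_value: str):
    """Split one Set-Cookie value into (name, value, {attribute_lower: value}).

    Attribute names are case-insensitive, so 'httponly', 'HttpOnly' and
    'HTTPONLY' all count; flag attributes carry an empty value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header_value: str, over_tls: bool = True) -> CookieFinding:
    """Report which of the two flags this cookie is missing.

    Secure is only demanded for cookies set over TLS: a Secure cookie is
    never sent back over plain HTTP, which is why the scanner's finding is
    worded 'Missing Secure Flag From SSL Cookie'.
    """
    name, _value, attrs = parse_set_cookie(header_value)
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if over_tls and "secure" not in attrs:
        missing.append("Secure")
    return CookieFinding(name, tuple(missing))


def audit_response_headers(headers, over_tls: bool = True):
    """Audit every Set-Cookie header in a list of (name, value) pairs."""
    findings = []
    for header_name, header_value in headers:
        if header_name.lower() == "set-cookie":
            finding = audit_set_cookie(header_value, over_tls)
            if finding.missing:
                findings.append(finding)
    return findings


def hardened_set_cookie(name: str, value: str, max_age=None, same_site: str = "Lax") -> str:
    """Build the Set-Cookie value the fix should produce.

    SameSite is not one of the scan findings; it is added because a session
    cookie without it is still attached to cross-site requests.
    """
    parts = [f"{name}={value}", "Path=/", "Secure", "HttpOnly", f"SameSite={same_site}"]
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")
    return "; ".join(parts)


# Constructed response headers of the kind the scanner flagged on a TLS port.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/; Max-Age=86400"),
]

if __name__ == "__main__":
    for finding in audit_response_headers(WEAK_HEADERS):
        print(f"{finding.name}: missing {', '.join(finding.missing)}")
    print("fixed:", hardened_set_cookie("sessionid", "abc123"))
```

The `theme` cookie is flagged as well: the scanner reports every cookie it sees, but HttpOnly only makes sense on cookies the page's JavaScript never needs to read, so triage the output per cookie; the session cookie must always carry both flags. For an ASP.NET application on the IIS hosts, `<httpCookies httpOnlyCookies="true" requireSSL="true" />` in web.config sets both flags on the framework's own cookies; cookies the application sets by hand need the attributes added where they are created.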
Strategic Recommendations

1. Perform periodic vulnerability scans of internal and externally available servers and services to identify risks before they become an issue.

2. Create procedures to review 3rd party software and patching systems.

3. Review and limit access to services and ports to ensure unwanted or unauthorized access isn't inadvertently made available to the systems.
Additional details of the vulnerability scan and findings are found in the sections below. The critical risks are explained in detail in Table 2 below. The two lists above are not all-encompassing but are the more significant findings on which Corporate Armor recommends the client focus their time. These recommendations will benefit the client's overall security posture in both the short and long term. Corporate Armor provides remediation services billed as a separate engagement.
Vulnerability Scan Data
Scan Findings and Remediation
Corporate Armor executed a vulnerability scan against a set of internal servers located within Sample Client’s
environment. The vulnerability scan discovered 41 vulnerabilities. The vulnerabilities found are broken down into three
categories using Qualys scoring and terminology. The Qualys score reflects how much risk a vulnerability poses to the
security posture of the business and the score correlates to the categories Moderate (3), Severe (4) and Critical (5). The
categories are described below:
Severity   Description
Moderate   Host has vulnerabilities that may result in potential misuse of the host, i.e. disclosure of partial file contents, unauthorized use of services, directory browsing, denial of service attacks, etc.
Severe     Host can potentially be controlled by attackers or highly sensitive information may potentially be leaked, i.e. full read access to files, potential backdoors, etc.
Critical   Host can easily be controlled by attackers and can lead to the compromise of entire corporate network security, i.e. full read and write access to files, remote execution of commands, etc.
Of the 41 vulnerabilities found, 4 were critical. All of the critical vulnerabilities are resolvable via patching or configuration changes. The remaining 37 vulnerabilities were severe, and no moderate vulnerabilities were found in the environment, as shown in Figure 1:

Figure 1: Vulnerabilities by Severity (bar chart; Critical 4, Severe 37, Moderate 0)

Of the systems scanned, none were free of vulnerabilities. All ports were scanned on the server 172.17.2.38; however, no response was received, so we were unable to test that host. ALACTX01 is the only host that has known exploits available for the vulnerabilities found.
Vulnerability Summary by IP Address

Address       Operating System                                          Exploits  Malware  Vulnerabilities
172.17.2.8    Microsoft Windows Server 2008 R2, Standard Edition SP1    0         0        11
172.17.2.39   Microsoft Windows Server 2008 R2, Standard Edition SP1    5         0         9
172.17.2.40   Microsoft Windows Server 2008 R2, Standard Edition SP1    0         0         8
172.17.2.35   Microsoft Windows Server 2008 R2, Standard Edition SP1    0         0         5
172.17.2.36   Microsoft Windows Server 2008 R2, Standard Edition SP1    0         0         5
172.17.2.37   Microsoft Windows Server 2008 R2, Standard Edition SP1    0         0         3
Table 1
Critical vulnerabilities and vulnerabilities with readily available exploits should be addressed first. Several other vulnerabilities could lead to further escalation if not addressed and require a configuration change to the platform. For example, a missing HttpOnly flag on a cookie does not by itself cause cross-site scripting, but if the application has a cross-site scripting flaw, an attacker's script can read the cookie directly; with the flag set, the browser withholds the cookie from script. Other vulnerabilities stem from the type of service in use and its lack of required authentication, such as the LDAP services on several servers that allow anonymous connections, which lets an attacker gather additional information about the directory. The table below (Table 2) displays these vulnerabilities, the affected hosts, and an associated remediation task ID. A key for the remediation tasks follows the table.
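The anonymous-bind test behind the LDAP finding, as an added example (not the scanner's code and not part of the deliverable): it encodes the LDAPv3 BindRequest with an empty DN and empty simple password, which is what "anonymous" means on the wire, and reads the resultCode from the BindResponse. The two response byte strings are constructed; `check_anonymous_bind` is the only function that touches the network, and nothing in the block calls it.

```python
"""Anonymous LDAP bind check behind remediation task I001.

Added example, not the scanner's code and not part of the deliverable.
The two responses at the bottom are constructed byte strings; only
check_anonymous_bind() opens a socket, and nothing here calls it.
"""
import socket


# --- minimal BER helpers (definite-length encoding only) -----------------
def ber_len(n: int) -> bytes:
    """Encode a length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value: int, tag: int = 0x02) -> bytes:
    """Two's-complement INTEGER (tag 0x02) or ENUMERATED (tag 0x0A)."""
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True)
    return tlv(tag, body)


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


# --- LDAPv3 messages (RFC 4511) ------------------------------------------
def anonymous_bind_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name "", simple "" } }.

    An empty DN with an empty simple password is the anonymous bind;
    a server that answers resultCode 0 accepts it.
    """
    bind = ber_int(3) + tlv(0x04, b"") + tlv(0x80, b"")      # [0] simple, empty
    return tlv(0x30, ber_int(message_id) + tlv(0x60, bind))  # [APPLICATION 0]


def parse_bind_response(data: bytes) -> int:
    """Return the LDAPResult.resultCode of a BindResponse; raise on anything else."""
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _message_id, pos = read_tlv(msg)
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x61:                       # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    tag, code, _ = read_tlv(op)
    if tag != 0x0A:                       # ENUMERATED resultCode
        raise ValueError("malformed LDAPResult")
    return int.from_bytes(code, "big", signed=True)


def anonymous_bind_permitted(response: bytes) -> bool:
    return parse_bind_response(response) == 0   # 0 = success


def check_anonymous_bind(host: str, port: int = 389, timeout: float = 5.0) -> bool:
    """Live check: send the anonymous bind and read the server's verdict."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(anonymous_bind_request())
        return anonymous_bind_permitted(sock.recv(4096))


# Constructed responses. The first is what a server that permits anonymous
# access returns (resultCode 0 = success); the second carries resultCode 48
# (inappropriateAuthentication), what a hardened server returns.
RESPONSE_SUCCESS = bytes.fromhex("30 0c 02 01 01 61 07 0a 01 00 04 00 04 00")
RESPONSE_REFUSED = bytes.fromhex("30 0c 02 01 01 61 07 0a 01 30 04 00 04 00")

if __name__ == "__main__":
    print("request:", anonymous_bind_request().hex())
    print("anonymous bind permitted:", anonymous_bind_permitted(RESPONSE_SUCCESS))
    print("anonymous bind permitted:", anonymous_bind_permitted(RESPONSE_REFUSED))
```

The command-line equivalent is `ldapsearch -x -H ldap://10.0.0.3 -b "dc=example,dc=com" -s base` with no `-D`/`-w`, which performs the same anonymous simple bind (the base DN here is a placeholder for the directory's real one; querying the empty base "" returns the rootDSE, which most directories expose anonymously by design and so proves little). A server may accept the bind but still refuse the search; that is a smaller exposure than the finding describes, but anonymous bind should still be disabled on the three hosts.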
Host        Vulnerabilities                                                                    Remediation Task ID
10.0.0.1    Default or Guessable SNMP community names: public                                  A001
            Default or Guessable SNMP community names: private                                 A001
            Database Open Access                                                               B001
            Missing HttpOnly Flag From Cookie                                                  C001
            Missing Secure Flag From SSL Cookie                                                D001
10.0.0.2    Database Open Access                                                               B001
            Missing HttpOnly Flag From Cookie                                                  C001
            Microsoft IIS ISAPI Extension Enumerate Root Web Server Directory Vulnerability    E001
            Apache HTTPD: Range header remote DoS (CVE-2011-3192)                              F001
            HTTP TRACE Method Enabled                                                          G001
            Form action submits sensitive data in the clear                                    H001
10.0.0.3    Database Open Access                                                               B001
            Missing Secure Flag From SSL Cookie                                                D001
            LDAP Anonymous Directory Access Permitted                                          I001
10.0.0.4    LDAP Anonymous Directory Access Permitted                                          I001
10.0.0.5    LDAP Anonymous Directory Access Permitted                                          I001
10.0.0.6    Database Open Access                                                               B001
Table 2
Remediation Task ID   Remediation Step
A001   The default or easily guessable SNMP community string currently in use should be changed to a unique string in accordance with company policy around SNMP settings for systems/devices.
B001   Limit database access to only necessary systems.
C001   Update application to utilize the HttpOnly flag for cookies.
D001   Update application to utilize the Secure flag for cookies.
E001   Disable the ability to enumerate the root web server directory.
F001   Apply Apache HTTPD patch to resolve Range header remote DoS (CVE-2011-3192).
G001   Disable HTTP TRACE Method.
H001   Update web application form action to submit sensitive data over a secure channel.
I001   Disable Anonymous LDAP Directory Access.
In addition to the vulnerabilities identified above, Corporate Armor recommends reviewing all of the vulnerabilities found during this engagement and determining next steps to remediate, mitigate, or document acceptance of the risk associated with vulnerabilities that either will not or cannot be remediated. Taking this approach will keep the company's security posture moving in the right direction.
Appendix A contains additional details on the vulnerabilities found and the steps for remediating the scan's findings. It is recommended that this document be referenced throughout the remediation process.
Appendix A: Scan Vulnerability Details
Full details have been truncated for the purpose of the example deliverable. The actual Vulnerability Assessment Document
would likely contain several additional pages of detail.
3.1. Critical Vulnerabilities
3.1.1. Default or Guessable SNMP community names: public (snmp-read-0001)
Description:
The Simple Network Management Protocol (SNMP) is a commonly used network service. Its primary function is to provide network administrators with information about all kinds of network-connected devices. SNMP can be used to get and change system settings on a wide variety of devices, from network servers to routers and printers. The drawback to this service is that its authentication is an unencrypted "community string". In addition, many SNMP servers ship with very simple default community strings; "public" is the default on a number of SNMP servers.
This community string can allow attackers to gain a large amount of information about the SNMP server and the network it monitors. Attackers may even reconfigure or shut down devices remotely.
Affected Nodes:
172.17.2.8:161 (webmail.legion-aux.org)
Additional Information: Running vulnerable SNMP service. Successfully authenticated to the SNMP service with credentials: uid[null] pw[public] realm[null]
References:
BID: 2896, 3795, 3797
CVE: CVE-1999-0186, CVE-1999-0254, CVE-1999-0472, CVE-1999-0516, CVE-1999-0517, CVE-2001-0514, CVE-2002-0109
XF: atmel-vnetb-ap-snmp-security(6576), linksys-etherfast-default-snmp(7827)
Vulnerability Solution:
1. If you do not absolutely need SNMP, disable it. SNMP version 1 (and version 2c) sends the community string in cleartext, so it is inherently insecure: a strong community string defends only against guessing, not against anyone who can observe the traffic. SNMP version 3 provides proper authentication and encryption (authPriv).
2. If you must use SNMP, use complex and difficult-to-guess community names. Use the same policy for community names as you use for passwords.
3. Make all your MIBs read-only wherever possible. This limits the damage an attacker can do to your network.
3.2. Severe Vulnerabilities
3.2.1. X.509 Certificate Subject CN Does Not Match the Entity Name (certificate-common-name-mismatch)
Description:
The subject common name (CN) field in the X.509 certificate does not match the name of the entity presenting the
certificate.
Before issuing a certificate, a Certification Authority (CA) must check the identity of the entity requesting the certificate, as
specified in the CA's Certification Practice Statement (CPS). Thus, standard certificate validation procedures require the
subject CN field of a certificate to match the actual name of the entity presenting the certificate. For example, in a
certificate presented by "https://www.example.com/", the CN should be "www.example.com".
In order to detect and prevent active eavesdropping attacks, the validity of a certificate must be verified, or else an attacker could launch a man-in-the-middle attack and gain full control of the data stream. Of particular importance is the subject's CN, which should match the name of the entity (hostname).
A CN mismatch most often occurs due to a configuration error, though it can also indicate that a man-in-the-middle attack is being conducted.
Affected Nodes:
172.17.2.40:443 (ALAVCENTER)
Additional Information: The subject common name found in the X.509 certificate ('CN=ALAvCenter') does not seem to match the scan target '172.17.2.40': Subject CN 'ALAvCenter' does not match node name '172.17.2.40'.
172.17.2.40:8443 (ALAVCENTER)
Additional Information: The subject common name found in the X.509 certificate ('CN=ALAvCenter') does not seem to match the scan target '172.17.2.40': Subject CN 'ALAvCenter' does not match node name '172.17.2.40'.
References:
None
Vulnerability Solution:
The certificate should be reissued so that it names the entity presenting it. Because the scan addressed this host by IP address, a certificate that names only the host (CN=ALAvCenter) can never match; the reissued certificate should list the fully qualified hostname as a dNSName entry in subjectAltName and, if the service is reached by IP, the IP as an iPAddress entry, since current clients ignore the CN once a subjectAltName extension is present. Generate the new certificate and have it signed by a Certification Authority (CA) trusted by both the client and server.
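An added example of the name check this finding is about (example code, not the scanner's and not part of the deliverable). It applies the rule current clients use: subjectAltName entries first, the CN only as a legacy fallback when the certificate carries no SAN at all, and an iPAddress SAN as the only thing that can match a target addressed by IP, which is exactly why CN=ALAvCenter fails against 172.17.2.40. Both certificate dicts are constructed in the shape `ssl.SSLSocket.getpeercert()` returns; the hostname `alavcenter.sample.internal` is an assumption.

```python
"""Certificate name matching behind the CN-mismatch finding.

Added example, not the scanner's code and not part of the deliverable.
Certificates are dicts in the shape ssl.SSLSocket.getpeercert() returns;
both below are constructed, and 'alavcenter.sample.internal' is an
assumed hostname.
"""
import ipaddress


def dns_name_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; a single '*' may stand only for the leftmost label.

    The wildcard must leave at least two literal labels ('*.sample.internal'
    is allowed, '*.internal' is not) and never spans a dot.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_names(cert: dict):
    """Return (dns_sans, ip_sans, common_name) from a getpeercert()-style dict."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    return dns, ips, cn


def matches_target(cert: dict, target: str):
    """Return (ok, reason) for the name or IP the client actually connected to."""
    dns, ips, cn = certificate_names(cert)
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    if addr is not None:
        # An IP target is matched only by an iPAddress SAN; the CN never counts.
        for ip in ips:
            try:
                if ipaddress.ip_address(ip) == addr:
                    return True, f"iPAddress SAN {ip} matches {target}"
            except ValueError:
                continue
        return False, f"no iPAddress SAN for {target}; CN {cn!r} cannot match an IP"
    for name in dns:
        if dns_name_match(name, target):
            return True, f"dNSName SAN {name} matches {target}"
    if dns:
        return False, f"no dNSName SAN matches {target}; CN is ignored when SANs are present"
    # Legacy fallback: the CN counts only when the certificate has no SAN at all.
    if cn is not None and dns_name_match(cn, target):
        return True, f"CN {cn} matches {target} (legacy fallback, no SAN present)"
    return False, f"CN {cn!r} does not match {target}"


# Constructed: what 172.17.2.40:443 presented, a CN and no subjectAltName.
CERT_AS_FOUND = {"subject": ((("commonName", "ALAvCenter"),),)}

# Constructed: a reissued certificate naming the host and the address it is reached by.
CERT_FIXED = {
    "subject": ((("commonName", "alavcenter.sample.internal"),),),
    "subjectAltName": (
        ("DNS", "alavcenter.sample.internal"),
        ("DNS", "alavcenter"),
        ("IP Address", "172.17.2.40"),
    ),
}

if __name__ == "__main__":
    for label, cert in (("as found", CERT_AS_FOUND), ("fixed", CERT_FIXED)):
        print(label, "->", matches_target(cert, "172.17.2.40"))
```

To see what the scanner compared, `openssl s_client -connect 172.17.2.40:443 </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName` prints the subject and the SAN extension (the `-ext` option needs OpenSSL 1.1.1 or later). If the certificate is only ever reached through a hostname, the iPAddress entry can be left out and the finding can be closed as a scan-by-IP artifact once the hostname is in the SAN.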
3.3. Moderate Vulnerabilities
No moderate vulnerabilities were reported.