The Top 10/20 Internet Security Vulnerabilities � A Primer

The Top 10/20 Internet Security Vulnerabilities – A Primer Randy Marchany VA Tech Computing Center The SANS Institute COVITS 2000

Introduction
This presentation is designed to give you a brief overview of the top 10 most critical Internet Security threats.
These aren’t the only threats…. just the most common at the moment.
Hopefully, we’ll eliminate these threats and create a new list next year.
The Top 10 and Top 20 documents are in Appendix A of this presentation.

Introduction
We’ll review the original Top 10 list first
We’ll review the new items in the Top 20
We’ll also provide a list of common ports to filter or monitor.

Pay Me Now or Pay Me Later
E = D + R
E = amount of time you’re exposed
D = amount of time it takes to detect an attack
R = amount of time it takes to react to an attack
Easiest way to calculate the cost of an Incident
Multiply average hourly wage * Time * People

Why Are We Vulnerable?
Computer systems and programs have become more complex in the past 25 years.
Quality control hasn’t been able to keep up due to market pressures, programming skill deficiencies, etc.
Most of these programs/systems are based on code that was never intended to be “production” quality.They were “proof of concept” programs that became the basis of production systems.

So Many Systems, Not Enough Time…..
2.3 million hosts are connected to the Net each month. There aren’t 2.3 million sysadmins. Something has to give….
Unfortunately, it’s the sysadmin.
Not enough training, too many conflicting demands on their time.
The Prime Directive: Keep the system up!
Patch the system? When I have time….

Hacking = Rocket Science? Not!
Any good hacker can write the attack tool. The real skill is making so easy to use that a CEO could launch the attack.
There are lots of hacker WWW sites where you can get these tools. These sites try to outdo each other by designing the best, baddest, user-friendly site.

Why Are the Attacks Successful?
We didn’t close all the doors because we’re too busy doing “real” stuff.
If the hackers got caught, we didn’t punish them. It would be too embarrassing to admit we got hit. Our Incident Response Plans were inadequate.

Why Are the Attacks Successful?
The attack designers studied (cased) the target code carefully.
A lot of attacks are based on Buffer Overflows.
Example: a program expects 80 input characters max. You give it 5000 characters. How does the code handle it?

Some Pointers About the Lists
Each item in the list is divided into 4 parts
A description of the vulnerability
The systems affected by the vulnerability
A CVE number identifying the vulnerability
Some suggested corrections

Some Pointers about the Lists
What’s a CVE number?
CVE = Common Vulnerabilities & Exposures reference number that is used to uniquely identify a vulnerability.
It’s like the Dewey Decimal #’s that are used in the library. You can go to any library and find the same book using the same Dewey catalog number
CVE’s does the same for vulnerabilities.

Some More Pointers about the Lists
Ports to block/monitor at the firewall are provided at the end of the Top 20 list.
Remember this only works for EXTERNAL attacks. Internal attacks need additional security measures.

Some More Pointers about the Lists
Automated Scanning for the Top 20
SARA – freeware scanning tool designed specifically for this. See http://www. cisecurity .org
Commercial scanners are becoming available.
Links to ICAT Vulnerability Index
Each entry is linked to the NIST ICAT indexing service. ICAT entries contain a short description of the vulnerability and other info.

Item #1: BIND
All Internet systems have a hostname and an IP address.
Every home is known by its address and who lives in it. “hey, is that Randy’s house?” “Yeah, it’s at 24 Main St.”
“ Randy’s house” = hostname
“ 24 Main St.” = IP address
BIND ( B erkeley In ternet D omain) maps hostnames to IP addresses.
It’s the set of “phone books” of the Internet.

Item #1: BIND
Every network needs a couple of systems that run BIND. They’re called nameservers .
Old versions of BIND have security holes.The nameservers aren’t always up-to-date. They were when they were installed but that was years ago. It works so why fix it? Right? Wrong!

Item #1: BIND
The Danger:
Hackers get full control of the nameserver and can use it for anything they want.
A Solution
Make sure your version is higher than BIND 8.2.2 patch level 5

Item #2: CGI Scripts
CGI = Common Gateway Interface
It’s the language that programmers use to display and read your input to a WWW based form.
Not everyone knows how to use it so WWW server vendors supply examples.
The examples have security holes in them. Some CGI programmers haven’t checked their code.

The Second Item – CGI Scripts
All Web servers could be affected by this “feature”.
The Danger
Your WWW pages could be changed a la DOJ, CIA, FBI, Valujet.
Your WWW server could be used to attack other sites
A Solution
Remove unsafe CGI scripts from the WWW server

Item #3: Remote Procedure Calls (RPC)
RPC allows a computer to run a program on another computer.
It’s used by computers that share files between them.
Many client – server systems depend on the use of RPC calls.
Unix systems (Solaris, AIX, HP-UX, Linux, Tru64, Irix) were primarily affected but any computer that uses the RPC subsystem is vulnerable

Item #3: Remote Procedure Calls (RPC)
The Danger:
Older versions of RPC have security weaknesses that allow hackers to gain full control of your computer(s).
A Solution
Disable the RPC services if you don’t use them
Install the latest vendor patches

Item #4: Microsoft Internet Information Server (IIS)
Windows NT and Windows 2000 Web servers use IIS to support web services.
IIS has a component called Remote Data Services (RDS) that could allow a hacker to run remote commands with administrator privileges.
Code Red, NIMDA

Item #4: Microsoft Internet Information Server (IIS)
The Danger:
A hacker can run commands on another system without having to access it directly.
A Solution:
Read the Microsoft technical bulletins that describe how to fix the problem

Item #5: Sendmail Weakness
Sendmail is one of the original Internet email programs.
It was a graduate programming project that was never designed to work in a “production” environment.
It became the defacto standard.
Pre-version 8.10 had security problems
Some vendors still ship Sendmail v5.65!
Most vendors shipped their systems with these older versions.

Item #5: Sendmail Weakness
The 1988 Internet Worm exploited a problem in sendmail.There are a lot of systems that still run that version of sendmail. Why? It works!
The Danger:
Hackers can run commands on your systems without ever logging into your system. Hackers can take over your machine.
A Solution:
Update to the latest version of sendmail

Item #6: sadmind and mountd
Sadmind is used by Solaris applications to run distributed sysadmin operations. It executes the request on the server from a client program. Sounds like RPC? It is.
Mountd controls file sharing across the network using NFS. This is the program that “attaches” a remote disk to your computer.

Item #6: sadmind and mountd
The Danger:
Hackers can cause these programs to give them access to root. They can take over your machine.
This was one of the primary ways hackers used to set up the systems used in the recent DDOS attacks against Yahoo, CNN and other sites.
A Solution:
Install the latest vendor patches for sadmind and mountd.

Item #7: Global File Sharing
You can share files between computers using tools like Network Neighborhood (Windows), AppleShare(Macintosh) or NFS(Unix).
By default, the access is read-write .

Anyone on the same network could access your files. In the old days, the network was small but now the network is the Internet so anyone anywhere in the world could access your files if you let them.
The problem is that you don’t always know that you’re letting them.

This is a real danger to homes that have direct connect modems.
The Danger:
People can get access to your personal data, for example, your checking account data (if you use MSMoney), your email, etc.
A Solution:
Make sure you know what you’re sharing.
Make sure you know who’s sharing the data with you.

Item #8: User Accounts with No Passwords
Some systems come with demo or guest accounts with no passwords or well known passwords.
The initial/default password for VMS system manager account, SYSTEM was MANAGER. The initial password for the Field Service account, FIELD, was SERVICE.

People forgot to change these passwords.
The first thing hackers do is check to see if the defaults passwords were changed. Why waste a lot of effort if the door is unlocked?

The Danger:
Someone can get complete control of your system.
Someone can get access to your system via a general accounts and then run exploit tools on your systems to get full control of your system.
A Solution:
Change your root, administrator passwords before the systems goes into production.
Run a password checking program to discover who has weak passwords on your system. Do it before the hackers do!

Item #9: IMAP, POP Vulnerabilities
IMAP and POP are two common email protocols that provide additional features to email users.
They allow users to access their email accounts from anywhere on the Internet.

Item #9: IMAP, POP Vulnerabilities
Firewalls usually allow email using these services to pass through the firewall.
Quality control of the software is inconsistent most of the time.

Item#9: IMAP, POP Vulnerabilities
The Danger:
Hackers can gain access to your internal network if they can subvert IMAP or POP mail server systems.
If successful, they gain complete control of your system.
A Solution:
Make sure you’ve installed the latest patches.
Run the services on your mail servers only.

Item #10: SNMP Vulnerabilities
Simple Network Management Protocol (SNMP) is used by network managers to monitor the status, performance and availability of the network.
The Net Mgrs can remotely manage their routers, printers, systems using SNMP.

SNMP has very weak authentication. Its default “password” is “private”.
Everyone knows this.

The Danger:
Hackers can gain control of network devices such as routers. They could shut them down.
They can map your network w/o your knowledge.
A Solution:
Pick strong community strings (passwords) for your SNMP devices.
Make the MIBs read only.

Summary
Most of the successful system and network attacks exploit a small set of vulnerabilities.
The Top 10 list briefly describes this set of vulnerabilities and gives you references to learning more about them.
More importantly, it gives you some suggested fixes for the problem.
Our individual security depends on our mutual security.

The SANS/FBI Top 20 List If we had fixed the top 10, there wouldn’t be a top 20. 

Top 20 List Organization
Vulnerabilities that affect all systems
Unix/Linux
Windows
Mac
Mainframes
Windows Vulnerabilities
Unix Vulnerabilities

Top 20 Summary
General – Affects all Systems
G1: Default OS Installations
G2: Accounts with Weak or No Passwords
G3: Non-existent or Incomplete Backups
G4: Large Number of Open Ports
G5: Incorrect Ingress/Egress Packet Filtering
G6: Non-existent or Incomplete Logging
G7: Vulnerable CGI Programs

Top 20 Summary
Windows
W1: Unicode Vulnerability
W2: ISAPI Extension Buffer Overflows
W3: IIS RDS Exploit
W4: Unprotected NETBIOS Shares
W5: Null Sessions
W6: Weak Hashing in SAM (LM Hash)

Top 20 Summary
Unix
U1: RPC buffer Overflows
U2: Sendmail Vulnerabilities
U3: BIND
U4: R Commands
U5: LPD Buffer Overflow
U6: sadmind mountd Buffer Overflow
U7: Default SNMP

OS and application installs are not configured for security
Vendor Philosophy
Better to enable all functions than require the user to turn them on individually.
Convenience vs. Security: Who wins? 

System Impacted
All Unix, Linux, Windows, MacOS are vulnerable to some degree. Windows, SGI are more open than normal.

Are you vulnerable?
If you use default vendor installation programs then you are vulnerable.
Extra extra service/tool installed that is not needed is another window into your system.

How to protect?
Remove unnecessary software/services asap.
Install minimum then add. This can be automated using Minimum Installation guidelines.
Use the CIS Security Benchmark tools for your OS.

G3: Non-existent, Incomplete Backups
Recovery from an incidents requires up-to-date backup.
Have you verified the backups actually work?
Offsite? 9/11 proved this.
How long does it take to RESTORE the data? What is the data xfer rate of your tape drives?
Systems Impacted
Any critical system

Am I vulnerable?
Check backup procedures.
Is the backup interval acceptable?
Are the systems being backup up according to procedure?
Off site storage? Procedures?
Restoration tested and verified?

How to Protect
Daily backups
Monthly backups should be verified.

The more ports open, the more ways to get into the system.
Related to Default OS install vulnerability.
Systems Impacted
Any system that used a vendor default installation program.

Am I vulnerable?
Use netstat command to list open ports.
Run a port scanner (nmap, Nessus) against your system.
Match open ports to legitimate services provided by the machine. If no match, then it’s an unnecessary service.

How to protect myself
Unix: modify /etc/inetd.conf
Windows NT/2000 : use fport from www. foundstone .com to list the ports.
Windows XP: netstat –o command

G5: Incorrect Ingress/Egress Router Filters
Description
IP spoofing hides the attacker.
Numerous attacks (Smurf, mail forgery) use this technique.
Systems Impacted
Unix, Windows, Mac, Routers

Am I vulnerable?
Send a spoofed packet and see if it’s blocked and logged.
.

How to Protect
Incoming packets must not have SRC of your internal network. It must have a DST of your internal network.
Outbound packets must have a SRC of your internal network. Outbound packets must not have a DST of your internal net.
No packet should have SRC/DST of a private address or address listed in RFC1918..
Block any source routed packet with IP options set

G6: Non-existent, Incomplete Logging
Description
You can’t detect an attack if you don’t know what’s going on your network.
Logs are business records!
Systems Impacted
All system and network devices

G6: Non-existent, Incomplete Logging
Am I vulnerable?
Are there logs for the critical assets?
How to Protect?
Set up local and central logging.
Save on CD or other Read-Only device.

W1: Unicode – Web Server Traversal
Description
Unicode provides a unique number for every character regardless of the the platform, program or language.
You can send IIS a carefully constructed URL with an invalid Unicode sequence that will let an attacker see any file anywhere on the system.
You can run programs as well.

Systems Impacted
Windows NT 4.0 with IIS 4.0
Windows 2000 server with IIS 5.0 with no SP2
CVE-2000-0884

Am I vulnerable?
Unpatched version of IIS? Yes!
Did you install MS00-057, MS00-078, MS00-086, MS00-026, MS00-044, SP2? Yes, then ok.

Enter: http://victim/scripts/..%c0% af ../ winnt /system32/ cmd .exe?/c+dir+c:
If you removed scripts dir, then it’ll fail. Replace scripts with whatever you named your script directory.

How to Protect
Install latest Microsoft patches. See http://www.microsoft.com/technet/security/bulletin/MS00-78.asp
Install IIS lockdown tool if you want.
Don’t use IIS for critical functions, IMHO.

Description
Several ISAPI extensions are installed by default when you install IIS. This allows developers to extend IIS by using DLLs.
Several DLLs, idq.dll, have errors that allow buffer overflow attacks.
This lets an attacker take full control of your IIS server.

Systems Impacted
Windows 2000 running Index Server 2.0, Indexing Service
Windows 2000 server, Adv. Server, Server Data Center Edition, Professional

Am I vulnerable?
SP2 installed? No, then you are.
Installed MS01-023, MS01-033, MS01-044, MS01-033, MS01-044, NT4.0 Security Roll-up Package? Yes, then ok.
How to Fix
Install latest patches from Microsoft.
Unmap unnecessary ISAPI extensions

W5: Null Session Connections
Description
Null Session (anonymous login) lets you get info over the net about shares, etc. When 1 machine needs something from another, it uses the local SYSTEM (LocalSystem, W2K) account to open a null session to the remote system. Hackers can use Null logins to gain access to SYSTEM.
This has no password.

Systems Impacted
Windows NT 4.0, Windows 2000
Am I vulnerable?
Go to http:// grc .com and click on the ShieldsUP link to see your system’s SMB exposure.

How to Protect
Needed for Domain Controllers
Block TCP/UDP 139, 445 on the network
Never allow Internet users to access any internal DC.

W6: Weak Hashing in SAM
Description
LAN Manager passwords have very weak encryption.
LM passwords are truncated to 14 characters, padded with spaces to 14 characters, converted to all Upper case, split into 2 seven character pieces.
Crackers only have to do 2 upper case seven characters passwords.

Systems Impacted
Windows NT, Windows 2000
Am I vulnerable?
Running default installation of NT or W2K? Yes because LM is created by default.

How to Protect?
Disable LAN Manager
Use NTLMv2 (version 2 LM)
Read Technet article “ How to Disable LM Authentication on Windows NT [Q147706]

U4: R Commands
Description
If a user logins from a trusted system, then no password is needed to gain access to your system.
rlogin, rsh, rcp
Used by Network Appliance vendors with no concept of security.
Systems Impacted
Any Unix/Linux system

U4: R Commands
Am I vulnerable?
Look for .rhosts, /etc/hosts.equiv files. If there, then yes.
How to Protect
Disable r-command in /etc/inetd.conf.
Fire any one who wants to use it for they have no concept of security.

U5: LPD
Description
The in.lpd program provides local printer services for Unix users.
It listens on port 515 for incoming requests but has a buffer overflow vulnerability allowing root access.
Systems Impacted
Solaris 2.6-8
Linux

U5:LPD
Am I vulnerable?
Are you running unpatched version of lpd? Yes, then you are.
How to Protect
Install latest Solaris or Linux patches.
Disable print service in /etc/inetd.conf
Block access to port 515
Install TCP Wrappers, Portsentry

Common Vulnerable Ports
Common ports probed/attacked
Block or log all access to these ports as necessary.
Login services
telnet: 23/tcp FTP: 21/tcp NetBIOS: 139/tcp
Ssh: 22/tcp r-commands: 512-514/tcp
RPC/NFS
Portmap/rpcbind: 111/tcp/udp
NFS: 2049/tcp/udp lockd: 4045/tcp/udp

NetBIOS: 135/tcp/udp, 137/udp, 138/udp, 139/tcp, 445/tcp/udp
X-Windows: 6000-6255/tcp
DNS: 53/udp, LDAP: 389/tcp/udp
Mail
SMTP: 25/tcp POP: 109/tcp, 110/tcp
IMAP: 143/tcp
WWW
HTTP: 80/’tcp SSL:443/tcp

Small Services
Ports < 20/tcp/udp
Time: 37/tcp/udp
Miscellaneous
TFTP: 69/udp finger: 79/tcp NNTP: 119/tcp
NTP: 123/tcp LPD: 515/tcp syslog: 514/udp
SNMP: 161/tcp/udp, 162/tcp/udp
BGP: 179/tcp SOCKS: 1080/tcp
ICMP:
Block incoming echo requests, outgoing echo reply, time exceeded, destination unreachable. This breaks ping.

Summary
You won’t eliminate all of your exposure by closing these 20 holes. Constant vigilance and awareness is the best defense.
The consequences of failure could drive your company out of business.
There’ll be another top 20 items to inspect in the future but at least we got rid of these items.

References
The complete Top 20 document can be found in the appendix.
Some WWW sites to visit:
http://security.vt.edu
www.sans.org
www.cert.org
www. nipc . gov
www. securityfocus .com
Packetstormsecurity.org
www.cornell.edu/CPL

http://www.slideshare.net	74
http://blackboard.bucks.ac.uk	5
http://www.techgig.com	5
http://itschool.mfu.ac.th	1
http://www.lmodules.com	1

The Top 10/20 Internet Security Vulnerabilities � A Primer

by amiable_indian on Oct 08, 2006

Accessibility

Categories

Tags

Upload Details

Usage Rights

5 Embeds 86

Statistics