
OpenVAS Open Vulnerability Assessment System

Name: Hieu Nguyen, Bao Chen, John Roberts November 11, 2012

Table of Contents
I. Describe the technique
    Tool name and Description of the tool
    Language in which tool written
    OS Targeted
II. Describe the vulnerabilities to which this tool targets.
    Vulnerabilities and malicious attacks
    Remediation suggestions
III. Assessment and Hardening
IV. Conclusion
V. References

I. Describe the technique

Tool name and Description of the tool


Open Vulnerability Assessment System (OpenVAS) is a GUI-based penetration testing tool and vulnerability scanner. It is an open source solution, and it was originally forked from Nessus. 1 It is a scanner for the Linux/Windows environment. Figure 1.1 shows the OpenVAS architecture. It is made up of three parts: client, server, and plugins. The client connects to the server to configure it to run the scan. The OpenVAS scanner discovers vulnerabilities on a target host and prints out the analytical result. The HTML report consists of: a summary of the scan scope (date and time); a host summary giving the total number of hosts scanned along with the number of high, medium, and low threat-level findings; and per-host results that map each service (port) to its threat level, explain the kind of vulnerability, and suggest how to fix it. Lastly, the report provides reference links in case the network administrator wants to learn more about the exploit.

Figure 1.1. OpenVAS architecture.

To scan the network, the client account must first be added in the OpenVAS Manager. The OpenVAS CLI allows the client to use a Linux terminal to execute the OpenVAS Management Protocol (OMP); OMP allows batch processes to be created to drive the OpenVAS Manager. 3 The Greenbone Security Assistant (GSA) provides secure HTTP (HTTPS) access to manage OpenVAS and the OpenVAS Administrator. The Greenbone Security Desktop provides client software for Linux, Windows, and Mac users. The OpenVAS Scanner service can scan many target hosts concurrently. It receives the latest NVT feed update from either the public (default) or the commercial feed. The public NVT feed is maintained by the OpenVAS project; the commercial NVT feed is maintained by Greenbone Networks. 4 The OpenVAS Manager service provides scheduled scans and a report-format plugin framework (XML, HTML, LaTeX, etc.). The OpenVAS Administrator service handles user management (only validly added users are allowed to scan the network), feed status viewing, and feed synchronization. OpenVAS uses an SQLite database to store all configurations and scan results. The NVT scripts are saved on the local hard drive.

Language in which tool written


OpenVAS was started in 2005. The current version is 5. It is written in C, with one module in C++. 5 OpenVAS uses Network Vulnerability Test (NVT) scripts to test the target host. The NVTs are written in the Nessus Attack Scripting Language (NASL). If one is familiar with the C language, writing an NVT plug-in should be easy. 6 The reason Nessus picked NASL over Perl is that it is a secure scripting language: it does not allow a malicious user to write a script that executes system commands or connects to third-party hosts (scripts can only establish connections with the remote host currently being tested). In addition, NASL does not use pointers or manual memory management, so it is not vulnerable to buffer overflows. NASL is a strong security language -- it allows one to write a script to check compliance with network policy. For instance, if a corporate policy requires the network administrator to use Apache 2.0 only, instead of waiting for an NVT update, the administrator can write his/her own NVT plug-in for the existing NVT library to check that every Apache server is running Apache 2.0. Perl is not a secure scripting language, since it allows a user to create a backdoor that lets a hacker compromise the scanning host. NASL is a secure scripting language because the NASL interpreter limits the user to certain commands. 7
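The "Apache 2.0 only" policy check described above, written out as a custom NVT. This is an added example for this paper, not a script from the OpenVAS project feed or from the authors: the OID is a placeholder (a real NVT needs an OID registered in the OpenVAS namespace), the "Apache 2.0.x only" policy is assumed for illustration, and the script relies on the get_http_port() and get_http_banner() helpers from the standard http_func.inc / http_keepalive.inc includes shipped with the NVT library.

```nasl
# Added example: a custom policy NVT that reports any Apache HTTP Server
# whose advertised major.minor version is not 2.0.x.
# Placeholder OID -- replace with a properly registered OID before use.
if (description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.999999");
  script_version("1.0");
  script_tag(name:"cvss_base", value:"0.0");
  script_name("Policy: Apache HTTP Server version compliance (example)");
  script_category(ACT_GATHER_INFO);
  script_family("Policy");
  # Run after service discovery so the web port and its banner are in the KB.
  script_dependencies("find_service.nasl", "http_version.nasl");
  script_require_ports("Services/www", 80);
  script_tag(name:"summary", value:"Reports web servers whose Apache version does not match the assumed corporate policy (Apache 2.0.x only).");
  exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");

# Policy values assumed for this example.
POLICY_MAJOR = 2;
POLICY_MINOR = 0;

port = get_http_port(default:80);

# Banner of the HTTP service on this port, as recorded by http_version.nasl.
banner = get_http_banner(port:port);
if (!banner) exit(0);

# Keep only the Server: header line, e.g. "Server: Apache/2.2.22 (Unix)".
server_line = egrep(pattern:"^Server:", string:banner, icase:TRUE);
if (!server_line) exit(0);

# Extract major and minor version; exit quietly if this is not Apache or
# ServerTokens hides the version (that case would need a separate check).
match = eregmatch(pattern:"Apache/([0-9]+)\.([0-9]+)", string:server_line);
if (isnull(match)) exit(0);

major = int(match[1]);
minor = int(match[2]);
version = string(major, ".", minor);

if (major == POLICY_MAJOR && minor == POLICY_MINOR)
{
  # Compliant: record an informational (log-level) result only.
  log_message(port:port, data:string("Apache ", version, " complies with the corporate web-server policy."));
}
else
{
  # Non-compliant: raise a warning so it is color-coded in the report.
  security_warning(port:port, data:string("Non-compliant Apache version ", version, " detected on port ", port, "; policy requires Apache ", POLICY_MAJOR, ".", POLICY_MINOR, ".x."));
}

exit(0);
```

Because the script only reads the banner already stored by http_version.nasl and never opens a connection of its own, it stays within the sandboxing the paper credits NASL with: it cannot run system commands or reach any host other than the one under test. Dropping it into the local NVT directory and re-running the scan lets the finding show up in the report alongside the feed's own results.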

OS Targeted
OpenVAS scans any operating system, checking its services and ports for vulnerabilities. There is no limit to what the OpenVAS scanner can do -- it lets the network administrator write any kind of NVT script to meet corporate policy requirements.

II. Describe the vulnerabilities to which this tool targets.

During our group's OpenVAS demonstration, we explored three vulnerabilities that OpenVAS detected on a base, unpatched Windows Server 2003 virtual machine. First, some background about how the demonstration was set up. OpenVAS.org, the official home of OpenVAS, provides a .OVA image of a pre-built OpenVAS virtual machine. The .OVA file format is relatively uncommon. It is a single-file derivative of the Open Virtualization Format (OVF), a processor-independent, hypervisor-independent file format for distributing virtual machines. The OVF file format was originally designed by a consortium of technology companies, including Dell, HP, IBM, Microsoft, VMware, and XenSource. 8 Following the specification's original design, it was submitted to the Distributed Management Task Force (DMTF) for neutral approval by a third party. The Open Virtualization Format has gained industry acceptance, including support in VirtualBox since version 2.2 in 2009 9 and in VMware Workstation since version 7.1 in May 2010. 10 Further technical details of the current version of the Open Virtualization Format (version 1.1.0) can be found on the DMTF's web site: http://dmtf.org/sites/default/files/standards/documents/DSP0243_1.1.0.pdf

The vulnerable virtual machine was built from an ISO image containing Windows Server 2003 Standard. The ISO image did not contain Windows Server 2003 R2 or any service packs. The virtual machine never received Windows Updates, allowing it to remain vulnerable to OpenVAS's scans (and potentially to exploitation). The OpenVAS virtual machine, however, was updated with the latest Network Vulnerability Tests (NVTs) available from the OpenVAS public feed. Performing the update was trivially simple: one connects the OpenVAS virtual machine to the public Internet and issues the command openvas-nvt-sync (without quotes) to pull the latest NVTs into the local OpenVAS server's vulnerability database. This OpenVAS public NVT feed is typically updated on each weekday. The NVT feed is maintained by volunteers, and there is no formalized validation or testing process outside of what the submitting volunteer performs. 11 Thus, the public NVT feed is acceptable for use in contexts such as this demonstration, but a higher-quality, more tightly controlled NVT feed should be used in a real-world context. The Greenbone Security Feed, developed by Greenbone Networks GmbH, is available for this purpose. 12 It also comes with a contract specifying an SLA, which is of interest to businesses and other large-scale institutions using OpenVAS for vulnerability assessment and management.

Vulnerabilities and malicious attacks


While preparing the demonstration, a prime example of the public OpenVAS NVT feed's lack of reliability and quality control presented itself. After updating the local OpenVAS server with the latest set of public NVTs and performing a scan of the vulnerable Windows Server 2003 virtual machine, OpenVAS discovered a few vulnerabilities. Most were valid vulnerabilities present in the Windows virtual machine; however, alongside these valid findings, OpenVAS also incorrectly reported a Linux kernel RPC exploit. This demonstrates one reason why the public NVT feed should be taken with a grain of salt.

OpenVAS discovered three valid Windows Server 2003 vulnerabilities. The first of these was MS09-001. 13 MS09-001 contains multiple vulnerabilities, all of which are rectified by installing a single Windows update. If exploited, MS09-001 allows remote code execution, including the ability to create new user accounts with full administrative privileges over the local machine. Microsoft rates this vulnerability as critical for Windows Server 2003. Other versions of Windows running an SMB server are also affected, including Windows 2000, Windows XP, Windows Vista, and Windows Server 2008. The effects on Windows Vista and Windows Server 2008 are less severe than on older versions of Windows. An attacker can exploit MS09-001 by sending a specially crafted SMB packet to a vulnerable host. In most cases, this vulnerability will simply result in a denial of service to SMB on the vulnerable host. However, in some cases the malicious SMB packet can give an unauthenticated user direct remote code execution, including the ability to create new user accounts with administrative rights over the machine. MS09-001 stems from how Microsoft's SMB server code handles malformed packets. Essentially, the code expects incoming packets to be generated by a Windows machine, and is not set up to handle custom packets generated by software other than a standard Windows SMB client. An attacker can craft a malicious SMB packet in such a way that a buffer overflow is triggered on the SMB server. As a result of this buffer overflow, the attacker can gain the ability to execute arbitrary remote code and create an administrative account. There are actually three individual vulnerabilities contained within MS09-001, all of which rely on the attacker specially crafting SMB packets. The first, the buffer overflow vulnerability, is CVE-2008-4834. The second and third vulnerabilities also require malformed SMB packets, but instead of a buffer overflow, they have to do with the SMB server improperly validating parameters in the SMB packet. The second vulnerability in MS09-001 is CVE-2008-4835. It has similar consequences to CVE-2008-4834, in that an attacker can gain remote code execution in the worst case, or deny service to SMB in other cases. The third vulnerability in MS09-001 is CVE-2008-4114. It is less dangerous than the first two, because an attacker cannot use it to gain remote code execution, but can only cause a denial of service to the SMB server. For all the vulnerabilities contained in MS09-001, there are two primary countermeasures. First and foremost, SMB and NetBIOS over TCP/IP should be blocked at the edge of the network. Specifically, ports TCP/139 and TCP/445 should never be allowed directly into a network with Windows hosts. The second countermeasure is to periodically run Windows Update, as Microsoft releases patches for these types of vulnerabilities. In this case, Microsoft has released a patch that can be applied via Windows Update or directly from http://support.microsoft.com/kb/958687.

The second vulnerability that OpenVAS detected was MS10-012. 14 Once again, MS10-012 refers to a set of individual vulnerabilities that Microsoft has patched via a single Windows update. The vulnerabilities within MS10-012 affect many versions of Windows, including Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows 7, and Windows Server 2008. The first vulnerability within MS10-012 is an SMB pathname overflow: a specially crafted SMB packet with an overflow in the expected pathname allows an attacker either to perform a denial-of-service attack or, in the rarer case, to gain complete control over the affected system. This pathname overflow vulnerability requires the attacker to send the SMB packet as an authenticated user. The second vulnerability in MS10-012 again requires the attacker to send a special SMB message. The malicious message can cause memory corruption in the SMB server, causing a denial of service. The attacker does not need to be authenticated to perform this attack. The third vulnerability in MS10-012 is a null pointer vulnerability; a specially crafted SMB message will cause a denial of service without the attacker being authenticated. The fourth and final vulnerability in MS10-012 is an elevation-of-privilege vulnerability. The attacker can predict the NTLM challenge sequence by flooding the SMB server with NTLM challenge requests. Once the sequence has been predicted, the attacker can access SMB resources as the targeted user, leading to potential information leakage and abuse of printers or other resources available through SMB.

Remediation suggestions
To remediate the vulnerabilities found in MS10-012, countermeasures similar to those for MS09-001 should be taken. TCP/139 and TCP/445 should be blocked at the edge firewall, and the applicable Windows update should be applied. 15

The third and final important vulnerability that OpenVAS identified is a Remote Desktop Protocol (RDP) vulnerability. Hosts running RDP server version 5.2 or earlier are vulnerable, including Windows 2000, Windows Server 2003, and Windows XP. The RDP vulnerability allows an attacker to perform a man-in-the-middle (MITM) attack against an RDP session. The issue is that the private key used to sign the terminal server's public key is a static, hard-coded value in the publicly available mstlsapi.dll library. This allows an attacker sniffing on the wire between the RDP client and server to produce a valid signature and gain access to the contents of the RDP session. 16 Cain & Abel 2.7 and above is able to exploit this vulnerability. 17 Notably, Microsoft has not released a patch that mitigates this issue. To remediate it, one must use Remote Desktop only over trusted networks (for example, over a trusted LAN or a VPN tunnel). The other option is to use a version of the Remote Desktop server above 5.2, which means upgrading the server OS past Windows Server 2003.

III. Assessment and Hardening

As mentioned earlier, OpenVAS produces an assessment report after each scan. The report first provides a summary of each host scanned and the severity of each issue. It then provides a detailed report of each host's open ports and available services. For each issue the report color-codes the severity (red: high, yellow: medium, blue: low, gray: log). It then provides an overview of the vulnerability, its impact on the system, its impact level (what it affects: network, applications, etc.), the software/OS it affects, a fix, and references. It also provides detailed reports on the non-severe issues compiled from the NVTs, such as which ports are open, the possible exploitation of an open port, and recommendations on how to fix them. With this report, an auditor or system/network administrator can easily assess each found issue and remediate them in order of severity with the given fix. For issues with no fix given, the auditor can investigate the port or service and proactively patch any hole in the system/application/network.

IV. Conclusion

OpenVAS is a useful vulnerability assessment tool. It allows users to interact with the OpenVAS server via a command line interface, a web browser, or a desktop application from any platform (*nix, Windows, Mac). The comprehensive assessment report allows auditors and administrators to fix known issues on systems and applications and remediate issues before they occur. The reliability of this open source software is questionable because the NVTs come from a public community and may or may not be tested thoroughly. Thus it is recommended to also use the commercial feed from Greenbone Networks if this tool is used in a business environment. In the end, this easy-to-use tool with fantastic reporting should be in every auditor's toolbox.

V. References
1 Chapter 4 - Penetration Testing, http://library.books24x7.com.ezproxy.rit.edu/assetviewer.aspx?bookid=40102&chunkid=487814908
2 http://www.openvas.org/software.html
3 http://www.openvas.org/software.html
4 http://www.openvas.org/openvas-nvt-feed.html
5 http://www.greenbone.net/technology/openvas.html
6 http://www.openvas.org/compendium/developers-guide-for-nvts.html
7 NASL (Why NASL?), http://library.books24x7.com.ezproxy.rit.edu/assetviewer.aspx?bookid=32366&chunkid=586487478&noteMenuToggle=0&hitSectionMenuToggle=0&leftMenuState=1
8 http://dmtf.org/news/pr/2007/9/dmtf-accepts-new-format-portable-virtual-machinesvirtualization-leaders
9 https://www.virtualbox.org/wiki/Changelog-2.2
10 https://www.vmware.com/support/ws71/doc/releasenotes_ws71.html
11 http://www.openvas.org/openvas-nvt-feed.html
12 http://www.greenbone.net/technology/gsf.html
13 http://technet.microsoft.com/en-us/security/bulletin/MS09-001
14 http://technet.microsoft.com/en-us/security/bulletin/MS10-012
15 http://support.microsoft.com/kb/294871
16 http://www.securityspace.com/smysecure/catid.html?id=1.3.6.1.4.1.25623.1.0.902658
17 http://secunia.com/advisories/15605/
