OpenVAS - Open Vulnerability Assessment System
Name: Hieu Nguyen, Bao Chen, John Roberts November 11, 2012
Table of Contents

I. Describe the technique
   Tool name and Description of the tool
   Language in which tool written
   OS Targeted
II. Describe the vulnerabilities to which this tool targets.
   Vulnerabilities and malicious attacks
   Remediation suggestions
III. Assessment and Hardening
IV. Conclusion
V. References
To scan the network, the client account must first be added in the OpenVAS Manager. The OpenVAS CLI lets the client use a Linux terminal to issue OpenVAS Management Protocol (OMP) commands; OMP allows batch processes to be created that drive the OpenVAS Manager. [3] The Greenbone Security Assistant (GSA) provides secure HTTP (HTTPS) access to manage OpenVAS and the OpenVAS Administrator. The Greenbone Security Desktop provides client software for Linux, Windows, and Mac users.

The OpenVAS Scanner service can scan many target hosts concurrently. It receives the latest NVT feed update from either a public (default) or a commercial feed. The public NVT feed is maintained by the OpenVAS project; the commercial NVT feed is maintained by Greenbone Networks. [4] The OpenVAS Manager service provides scheduled scans and a report format plugin framework (XML, HTML, LaTeX, etc.). The OpenVAS Administrator service consists of user management (only validly added users are allowed to scan the network), feed status view, and feed synchronization. OpenVAS uses an SQLite database to store all configurations and scan results. The NVT scripts are saved on the local hard drive.
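The "batch processes that drive the OpenVAS Manager" mentioned above are just sequences of OMP XML commands. The script below is an added example, not code from the paper or from the OpenVAS project: it builds the authenticate, create_target, create_task and start_task commands, checks each response's OMP status attribute, and stops at the first failure (for instance when the user was never added in the Manager). The element names and 2xx status codes follow OMP as used by OpenVAS; the transport, ids and canned responses are constructed stand-ins so the workflow runs offline, whereas a real client would send the same XML over TLS to the Manager on port 9390.

```python
"""Drive the OpenVAS Manager over OMP from a script (added example).

OMP is an XML request/response protocol: the client sends one XML command
and the Manager answers with a <command_response status="..." status_text="...">
element.  fake_send() below is a constructed stand-in for the TLS transport.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr


class OmpError(Exception):
    """Raised when the Manager returns a non-2xx OMP status."""


def _check(response_xml: str) -> ET.Element:
    """Parse an OMP response and fail unless its status is 2xx."""
    root = ET.fromstring(response_xml)
    status = root.get("status", "")
    if not status.startswith("2"):
        raise OmpError(f"{root.tag}: {status} {root.get('status_text', '')}")
    return root


def authenticate_cmd(user: str, password: str) -> str:
    return (f"<authenticate><credentials><username>{escape(user)}</username>"
            f"<password>{escape(password)}</password></credentials></authenticate>")


def create_target_cmd(name: str, hosts: str) -> str:
    return (f"<create_target><name>{escape(name)}</name>"
            f"<hosts>{escape(hosts)}</hosts></create_target>")


def create_task_cmd(name: str, config_id: str, target_id: str) -> str:
    return (f"<create_task><name>{escape(name)}</name>"
            f"<config id={quoteattr(config_id)}/>"
            f"<target id={quoteattr(target_id)}/></create_task>")


def run_scan(send, user, password, target_name, hosts, config_id):
    """Authenticate, create target and task, start the task; return the ids.

    `send` is any callable that takes a command XML string and returns the
    Manager's response XML string.  Every step is status-checked, so a user
    that was not added in the Manager fails at authenticate, as the paper
    describes, and no target or task is created.
    """
    _check(send(authenticate_cmd(user, password)))
    target_id = _check(send(create_target_cmd(target_name, hosts))).get("id")
    task_id = _check(send(create_task_cmd(target_name, config_id, target_id))).get("id")
    started = _check(send(f"<start_task task_id={quoteattr(task_id)}/>"))
    return {"target_id": target_id, "task_id": task_id,
            "report_id": started.findtext("report_id")}


# Constructed canned responses in the shape the Manager returns (ids made up).
CANNED = {
    "authenticate": '<authenticate_response status="200" status_text="OK"/>',
    "create_target": ('<create_target_response status="201" '
                      'status_text="OK, resource created" id="tgt-0001"/>'),
    "create_task": ('<create_task_response status="201" '
                    'status_text="OK, resource created" id="task-0001"/>'),
    "start_task": ('<start_task_response status="202" status_text="OK, request submitted">'
                   '<report_id>rep-0001</report_id></start_task_response>'),
}


def fake_send(command_xml: str) -> str:
    """Stand-in transport: pick the canned reply by the command's root element."""
    return CANNED[ET.fromstring(command_xml).tag]


def fake_send_unauthorized(command_xml: str) -> str:
    """Stand-in transport for a user that was never added in the Manager."""
    return '<authenticate_response status="400" status_text="Authentication failed"/>'


if __name__ == "__main__":
    # Hosts and config id are constructed placeholders for a lab scan.
    print(run_scan(fake_send, "auditor", "secret", "lab-2003", "192.0.2.10", "cfg-full-and-fast"))
```

Because every step goes through `_check`, a scripted batch cannot silently continue after a failed authentication or a rejected target definition, which is the property you want before scheduling such scripts unattended.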
OS Targeted
OpenVAS scans any operating system that exposes services and ports for vulnerabilities. There is no limit to what the OpenVAS scanner can do: it lets the network administrator write any kind of NVT script to meet corporate policy requirements.

II. Describe the vulnerabilities to which this tool targets.

During our group's OpenVAS demonstration, we explored three vulnerabilities that OpenVAS detected on a base, unpatched Windows Server 2003 virtual machine. First, some background about how the demonstration was set up.

OpenVAS.org, the official home of OpenVAS, provides a .OVA image of a pre-built OpenVAS virtual machine. The .OVA file format is relatively uncommon. It is a single-file derivative of the Open Virtualization Format (OVF), a processor-independent, hypervisor-independent file format for distributing virtual machines. The OVF file format was originally designed by a consortium of technology companies, including Dell, HP, IBM, Microsoft, VMware, and XenSource. [8] Following the specification's original design, it was submitted to the Distributed Management Task Force (DMTF) for neutral approval by a third party. The Open Virtualization Format has gained industry acceptance, including support in VirtualBox since version 2.2 in 2009 [9] and in VMware Workstation since version 7.1 in May 2010. [10] Further technical details of the current version of the Open Virtualization Format (version 1.1.0) can be found on the DMTF's web site: http://dmtf.org/sites/default/files/standards/documents/DSP0243_1.1.0.pdf

The vulnerable virtual machine was built from an ISO image containing Windows Server 2003 Standard. The ISO image did not contain Windows Server 2003 R2 or any service packs. The virtual machine never received Windows Updates, allowing it to remain vulnerable to OpenVAS's scans (and potentially to exploitation). The OpenVAS virtual machine, however, was updated with the latest Network Vulnerability Tests (NVTs) available from the OpenVAS public feed. Performing the update was trivially simple: one connects the OpenVAS virtual machine to the public Internet and issues the command openvas-nvt-sync (without quotes) to pull the latest NVTs into the local OpenVAS server's vulnerability database. This OpenVAS public NVT feed is typically updated on each weekday. The NVT feed is maintained by volunteers, and there is no formalized validation or testing process beyond what the submitting volunteer performs. [11] Thus, the public NVT feed is acceptable for use in contexts such as this demonstration, but a higher-quality, more tightly controlled NVT feed should be used in a real-world context. The Greenbone Security Feed, developed by Greenbone Networks GmbH, is available for this purpose. [12] It also provides a contract specifying an SLA, which is of interest to businesses and other large-scale institutions using OpenVAS for vulnerability assessment and management.
accounts with administrative rights over the machine. MS09-001 stems from how Microsoft's SMB server code handles malformed packets. Essentially, the code expects incoming packets to be generated by a Windows machine and isn't set up to handle custom packets generated by software other than a standard Windows SMB client. An attacker can craft a malicious SMB packet in such a way that a buffer overflow is triggered on the SMB server. As a result of this buffer overflow, the attacker can gain the ability to execute arbitrary code remotely and create an administrative account for themselves.

There are actually three individual vulnerabilities contained within MS09-001, all of which rely on the attacker specially crafting SMB packets. The first vulnerability, the buffer overflow, is CVE-2008-4834. The second and third vulnerabilities also require malformed SMB packets, but instead of a buffer overflow they have to do with the SMB server improperly validating parameters in the SMB packet. The second vulnerability in MS09-001 is CVE-2008-4835. This vulnerability has similar consequences to CVE-2008-4834, in that an attacker can gain remote code execution in the worst case, or deny service to SMB in other cases. The third vulnerability in MS09-001 is CVE-2008-4114. This vulnerability is less dangerous than the first two, because an attacker cannot use it to gain remote code execution, but can only cause a denial of service to the SMB server.

For all the vulnerabilities contained in MS09-001, there are two primary countermeasures to be taken. First and foremost, SMB and NetBIOS over TCP/IP should be blocked at the edge of the network. Specifically, ports TCP/139 and TCP/445 should never be allowed directly into a network with Windows hosts running. The second countermeasure is to periodically run Windows Update, as Microsoft releases patches for these types of vulnerabilities.
In this case, Microsoft has released a patch that can be applied via Windows Update or directly from http://support.microsoft.com/kb/958687.

The second vulnerability that OpenVAS detected was MS10-012. [14] Once again, MS10-012 refers to a set of individual vulnerabilities that Microsoft has patched via a single Windows update. The vulnerabilities within MS10-012 affect many versions of Windows, including Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows 7, and Windows Server 2008. The first vulnerability within MS10-012 is an SMB pathname overflow: a specially crafted SMB packet with an overflow in the expected pathname allows an attacker either to perform a denial-of-service attack or, in the rarer case, to gain complete control over the affected system. This pathname overflow vulnerability requires the attacker to send the SMB packet as an authenticated user. The second vulnerability in MS10-012 again requires the attacker to send a special SMB message. The malicious message can cause memory corruption in the SMB server, causing a denial of service. The attacker does not need to be authenticated to perform this attack. The third vulnerability in MS10-012 is a null pointer vulnerability; a specially crafted SMB message will cause a denial of service without the attacker being authenticated. The fourth and final vulnerability in MS10-012 is an elevation-of-privilege vulnerability. The attacker can predict the NTLM challenge sequence by flooding the SMB server with NTLM challenge requests. Once the sequence has been predicted, the attacker can access SMB resources as the targeted user, leading to potential information leakage and abuse of printers or other resources available through SMB.
Remediation suggestions
To remediate the vulnerabilities found in MS10-012, countermeasures similar to those for MS09-001 should be taken. TCP/139 and TCP/445 should be blocked at the edge firewall, and the applicable Windows update should be applied. [15]

The third and final important vulnerability that OpenVAS identified is a Remote Desktop Protocol (RDP) vulnerability. Hosts running RDP server version 5.2 or earlier are vulnerable to this, including Windows 2000, Windows Server 2003, and Windows XP. The RDP vulnerability allows an attacker to perform a man-in-the-middle (MITM) attack against an RDP session. The issue is that the private key used to sign the terminal server's public key is a static, hard-coded value in the publicly available mstlsapi.dll library. This allows an attacker sniffing on the wire between the RDP client and server to successfully predict a valid signature and gain access to the contents of the RDP session. [16] Cain & Abel 2.7 and above is able to exploit this vulnerability. [17] Notably, Microsoft has not released a patch that mitigates this issue. To remediate this issue, one must use Remote Desktop only over trusted networks (for example, over a trusted LAN or a VPN tunnel). The other option is to use a version of the Remote Desktop server above version 5.2, which means upgrading the server OS past Windows Server 2003.

III. Assessment and Hardening

As mentioned earlier, OpenVAS produces an assessment report after each scan. The report first provides a summary of each host scanned and the severity of each issue. Then it provides a detailed report of each host's open ports and available services. For each issue, the report color-codes the severity (red: high, yellow: medium, blue: low, gray: log). It then provides an overview of the vulnerability, its impact on the system, its impact level (what it affects: network, applications, etc.), the software/OS it affects, a fix, and references.
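The report structure just described (host, port, severity with its colour code, the NVT that fired) is also exported by the Manager as XML, which is what makes "remediate by level of severity" scriptable. The script below is an added example, not from the paper or the OpenVAS project: it parses a report, ranks hosts by their worst finding using the paper's colour scheme, and maps findings on the SMB and RDP ports to the remediation advice given in the sections above (block TCP/139 and TCP/445 at the edge and patch; keep RDP on trusted networks or upgrade). The sample report is constructed in the shape of an OpenVAS `<report>` element; the hosts, NVT names and most OIDs are made up, except the RDP NVT OID 1.3.6.1.4.1.25623.1.0.902658, which the paper cites.

```python
"""Triage an OpenVAS XML report by severity and edge-exposure (added example)."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Colour coding used by the OpenVAS report, as described in the paper.
SEVERITY_COLOUR = {"High": "red", "Medium": "yellow", "Low": "blue", "Log": "gray"}
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Log": 0}

# Ports the paper's remediation advice singles out.
EDGE_BLOCK_PORTS = {139, 445}   # SMB / NetBIOS over TCP/IP: block at the edge, patch
TRUSTED_ONLY_PORTS = {3389}     # RDP: no vendor patch, trusted networks only

# Constructed sample report (hosts, names and the 0000xx OIDs are made up).
SAMPLE_REPORT = """<report>
<results>
<result id="r1"><host>192.0.2.10</host><port>microsoft-ds (445/tcp)</port>
  <nvt oid="1.3.6.1.4.1.25623.1.0.000001"><name>SMB Server Vulnerabilities (MS09-001)</name></nvt>
  <threat>High</threat></result>
<result id="r2"><host>192.0.2.10</host><port>ms-term-serv (3389/tcp)</port>
  <nvt oid="1.3.6.1.4.1.25623.1.0.902658"><name>RDP Server Static Private Key</name></nvt>
  <threat>Medium</threat></result>
<result id="r3"><host>192.0.2.10</host><port>general/tcp</port>
  <nvt oid="1.3.6.1.4.1.25623.1.0.000003"><name>OS Detection</name></nvt>
  <threat>Log</threat></result>
<result id="r4"><host>192.0.2.20</host><port>http (80/tcp)</port>
  <nvt oid="1.3.6.1.4.1.25623.1.0.000004"><name>HTTP Server Type and Version</name></nvt>
  <threat>Low</threat></result>
</results>
</report>"""

_PORT_RE = re.compile(r"\((\d+)/(tcp|udp)\)")


def parse_port(port_text: str):
    """'microsoft-ds (445/tcp)' -> 445; 'general/tcp' (no port) -> None."""
    m = _PORT_RE.search(port_text)
    return int(m.group(1)) if m else None


def parse_report(xml_text: str):
    """Flatten every <result> into a dict with host, port, threat, colour, oid, name."""
    findings = []
    for result in ET.fromstring(xml_text).iter("result"):
        threat = result.findtext("threat", "Log")
        nvt = result.find("nvt")
        findings.append({
            "host": result.findtext("host"),
            "port": parse_port(result.findtext("port", "")),
            "threat": threat,
            "colour": SEVERITY_COLOUR.get(threat, "gray"),
            "oid": nvt.get("oid") if nvt is not None else None,
            "name": nvt.findtext("name", "") if nvt is not None else "",
        })
    return findings


def summarize_by_host(findings):
    """Per host: worst threat and a count per threat level, worst hosts first."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["host"], {"worst": "Log", "counts": defaultdict(int)})
        entry["counts"][f["threat"]] += 1
        if SEVERITY_RANK.get(f["threat"], 0) > SEVERITY_RANK.get(entry["worst"], 0):
            entry["worst"] = f["threat"]
    return dict(sorted(summary.items(),
                       key=lambda kv: -SEVERITY_RANK.get(kv[1]["worst"], 0)))


def remediation_queue(findings):
    """Attach the paper's remediation advice to findings on SMB/RDP ports."""
    queue = []
    for f in findings:
        if f["port"] in EDGE_BLOCK_PORTS:
            queue.append((f["host"], f["port"],
                          "block TCP/139 and TCP/445 at the edge firewall; apply the Windows update"))
        elif f["port"] in TRUSTED_ONLY_PORTS:
            queue.append((f["host"], f["port"],
                          "no vendor patch: allow RDP only over a trusted LAN or VPN, or upgrade past RDP 5.2"))
    return queue


if __name__ == "__main__":
    findings = parse_report(SAMPLE_REPORT)
    for host, entry in summarize_by_host(findings).items():
        print(host, entry["worst"], SEVERITY_COLOUR[entry["worst"]], dict(entry["counts"]))
    for item in remediation_queue(findings):
        print(*item)
```

Run against a real export, the same two functions give an auditor the worst-first host list the paper describes and a concrete action for every SMB or RDP finding, while "Log" entries (the gray, informational results) stay visible in the counts without crowding the queue.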
It also provides detailed reports on the non-severe issues compiled from the NVTs, such as which ports are open, the possible exploitation of an open port, and recommendations on how to fix them. With this report, an auditor or system/network administrator can easily assess each found issue and remediate them by level of severity with the given fix. For the issues with no fix given, the auditor can investigate the port or service and proactively patch any hole in the system/application/network.

IV. Conclusion

OpenVAS is a useful vulnerability assessment tool. It allows users to interact with the OpenVAS server via a command line interface, web browser, or desktop application from any platform (*nix, Windows, Mac). The comprehensive assessment report allows auditors and administrators to fix known issues on systems and applications and to remediate issues before they occur. The reliability of this open source software is questionable because the NVTs come from a public community and may or may not be tested thoroughly. Thus it is recommended to also use the commercial feed from Greenbone Networks if this tool is used in a business environment. In the end, this easy-to-use tool with fantastic reporting should be in an auditor's toolbox.
V. References

1. Chapter 4 - Penetration Testing, http://library.books24x7.com.ezproxy.rit.edu/assetviewer.aspx?bookid=40102&chunkid=487814908
2. http://www.openvas.org/software.html
3. http://www.openvas.org/software.html
4. http://www.openvas.org/openvas-nvt-feed.html
5. http://www.greenbone.net/technology/openvas.html
6. http://www.openvas.org/compendium/developers-guide-for-nvts.html
7. NASL (Why NASL?), http://library.books24x7.com.ezproxy.rit.edu/assetviewer.aspx?bookid=32366&chunkid=586487478&noteMenuToggle=0&hitSectionMenuToggle=0&leftMenuState=1
8. http://dmtf.org/news/pr/2007/9/dmtf-accepts-new-format-portable-virtual-machinesvirtualization-leaders
9. https://www.virtualbox.org/wiki/Changelog-2.2
10. https://www.vmware.com/support/ws71/doc/releasenotes_ws71.html
11. http://www.openvas.org/openvas-nvt-feed.html
12. http://www.greenbone.net/technology/gsf.html
13. http://technet.microsoft.com/en-us/security/bulletin/MS09-001
14. http://technet.microsoft.com/en-us/security/bulletin/MS10-012
15. http://support.microsoft.com/kb/294871
16. http://www.securityspace.com/smysecure/catid.html?id=1.3.6.1.4.1.25623.1.0.902658
17. http://secunia.com/advisories/15605/