HackerView Vulnerability Assessment

profilejimpop1998
ISEC350sampleassignment.docx

WEEK 6 PAPER A-6 1

WEEK 6 PAPER A-6 11

Abstract

In this Paper I will be reviewing the HackerView Vulnerability Assessment that was provided to us. In doing this I will be identifying who the vulnerability assessment is intended for, being the customer, a recap on all the major vulnerabilities that were found within the network, and then I will address remediation activities based on vulnerability type.

Week 6 Paper A-6

With more businesses growing their online presence for growth, there comes a need to have a strong and secure network so the data they handle is kept safe and the inner works of their network runs smoothly. It is important to know how your network is doing and if there is any vulnerabilities within it that could lead to harmful results. In this assignment we were given a vulnerability assessment done on the Silicon Forest Technology Group. This assessment shows us many aspects of the network they are using and the vulnerabilities within it. In this paper I will be describing the vulnerabilities that were found within their network and some remediation activities that can be done in order to bring their security risk from significant down to a more appropriate level.

Before taking a deeper look into this vulnerability assessment done through HackerView, we need to know who this assessment is for and why they need it. After going over the HackerView vulnerability assessment we can see that this assessment is for the Silicon Forest Technology Group. With this being said, they would be the intended customer for this assessment as it is their network that is being assessed and they would need the information conveyed in the assessment in order to fix the vulnerabilities within their network to make it more secure. In this assessment we can see how the people who are performing this vulnerability assessment on this network start with basic and/or easily accessible information to then try and find their way into the network to see what all can potentially be done. After starting with this basic information and then working with it, we can see how they are able to slowly work their way into the system. This then leads the white hat hackers, the ones performing the tests, to find the vulnerabilities within the network which is outlined at the end of the assessment. After reviewing the Raw Scanner Output in the assessment we can see there is a total of 51 vulnerabilities within the network with an average security rating of 4.7. If we look at these vulnerabilities based off severity, there are 14 confirmed at a severity of 5, 4 confirmed at a severity of 4, 8 confirmed at a severity of 3, 21 confirmed at a severity of 2, and 4 confirmed at a severity of 1. The five biggest categories where the vulnerabilities are at is with windows having 19 confirmed within it, the web server having 7 confirmed within it, TCP/IP having 7 confirmed within it, SMB/NETBIOS having 6 confirmed within it, and RPC having 4 confirmed within it. All of these vulnerabilities are related to patches, workarounds, Microsoft Computer Management MMC snap-in, and updates.

Now that we have a basic understanding of the severity of vulnerabilities within the network and the top areas in which these vulnerabilities occur, we can now take a deeper look at the identified vulnerabilities within this network. I will be going over the vulnerabilities from highest severity to lowest severity that have been outlined in the detailed results of the vulnerability assessment. The first vulnerability identified within the network is that Microsoft Windows Server could allow Remote Code Execution. This vulnerability is rated at a severity of 5 and is in the category of Windows. The reason why this is a huge vulnerability is because the server service is vulnerable to remote code execution due to the service not properly handling specially-crafted RPC requests. This means any anonymous user who can deliver a specially-crafted message to the affected system could try and exploit this vulnerability. This really boils down to that an attackers who successfully exploits this vulnerability could take complete control of the affected system. The detailed results of this assessment show many areas where information can be found on the exploitability and associated malware with this vulnerability.

Next up we have the Microsoft SMB Remote Code execution Vulnerability within this network. This vulnerability is also rated at a severity level of 5 and is in the category of Windows. The reason why this is a big vulnerability is because a vulnerability exists in the way SMP allocates space for transaction structure and later tries to clear more memory than it should when a TRANS request is processed, allowing an attacker to take control of the system. Another reason why this is a huge vulnerability is because a flaw exists in the way SMB allocates and clears a data structure relating to the OPEN2 command. SMB protocol software insufficiently validates the buffer size before writing it, which allows attackers to take complete control of the system and allowing for remote execution of code. Lastly there is a denial of service vulnerability due to the way “srv.sys” handles malformed SMB WRITE_ANDX packets sent to an interface that uses a Named Pipe as endpoint. This flaw allows remote attackers to send specially-crafted network messages to a computer running the server service causing it to stop responding. With all this being said, any attempt to exploit these areas within this vulnerability does not require authentication. What this all means then is an attacker who successfully exploits this vulnerability could modify the inner works of the network, from programs to data, or create user accounts with full access to the network. If this vulnerability is exploited successfully, it can lead to denial of service which can cause the affected system to crash and stop responding. The detailed results of this vulnerability outlines a few areas where information can be found on the exploitability associated with this vulnerability.

Moving on now to a less severe vulnerability, we have one being that the NetBIOS Shared Folder List is Available. This vulnerability is rated at a severity level of 3 and is in the category of SMB/NETBIOS. The threat associated with this vulnerability is that unauthorized remote users can list all file systems on this host that are accessible from the remote system. The impact of this vulnerability is that if the vulnerability is successfully exploited, an unauthorized user can use this information to brute force attack the shared resources and initiate file transfers with this server. The detailed results does not provide any information on the exploitability and associated malware with this vulnerability but only a solution that will be covered later in this paper.

The fourth vulnerability identified in this network is one to do with Microsoft Windows Remote Information Disclosure. This vulnerability has a severity level of 3 and is in the category of Windows. The threat associated with this vulnerability is that there is a failure in the Microsoft Windows process which validates authentication information when a client establishes an anonymous logon by using a named pipe connection. This means a user could reach a pipe that requires authentication. The impact of this threat is an attacker who is able to do this successfully could remotely read the user names for users who have an open connection to an available shared resource. The detailed results do not provide any information on exploitability or associated malware for this vulnerability but does provide a solution that will be covered later on in this paper.

Next we have a vulnerability that has been identified as NetBIOS Name Accessible. This vulnerability is at a severity level of 2 and is in the category of SMB/NETBIOS. The threat associated with this vulnerability is that an unauthorized user can obtain this host’s NetBIOS server name from a remote system. The impact of this threat is that the unauthorized user can obtain the list of NetBIOS servers on the network. This list provides information on relationships between server and client computers which means that this unauthorized user can use a vulnerable host to penetrate secure servers. The detailed results do not provide any information on exploitability or malware associated with this vulnerability but provides a solution that will be covered later in this paper.

The last vulnerability identified is an ICMP Based TCP Reset Denial of Service Vulnerability. This vulnerability is rated at a severity level of 2 and is in the category of TCP/IP. The threat associated with this vulnerability is that the target host is vulnerable to a denial of service condition. The impact of this threat is that since the ICMP packets can be spoofed, attackers can exploit this issue by guessing the IP address and port numbers of a TCP connection on the host. They then can reset these connections simply by sending an ICMP hard-error packet. There is no information on the exploitability and associated malware for this vulnerability but there is a solution provided that will be covered later in this paper.

Now that we have a basic understanding of the vulnerabilities going on within this network and how they affect the network, we can now move on to the solutions, or remediation’s, that can be applied in order to eliminate the vulnerability or reduce the threat associated with it. In doing this I will start with the most severe vulnerabilities and work my way to the less severe ones. I will be explaining what can be done in order to help solve these vulnerabilities within the network as well with how the remediation is verified so we know that it is actually doing something for the network. To start, we will talk about the Microsoft Windows Server Service that could allow remote code execution. The remediation for this vulnerability is to apply the long list of patches outlined in the detailed results for this vulnerability. To verify that the patches have actually be installed and are in place, we can have a scan-fix-scan procedure in place before going about applying the patches. We first would scan the network to see what patches are needed, apply the patches, and then scan again to ensure they are in place. This is how we can ensure that the remediation is verified. The next vulnerability identified is the Microsoft SMB Remote Code Execution Vulnerability. The remediation for this vulnerability is to perform a physical work around and apply patches. For the work around it is recommended that TCP ports 139 and 445 be blocked at the firewall so that exploits of this vulnerability cannot happen on the other side of the firewall. To verify that the ports are actually blocked and are helping protect the network, we can use a network scanner on the network to see what ports are open and closed. If ports 139 and 445 are shown to be closed, then the remediation for this part of the vulnerability has been verified. As for the patches that are recommended in the detailed results for this vulnerability, we will do a scan-fix-scan procedure to first identify the patches needed, fix them, then scan again to make sure they have been applied. This is how the remediation of this vulnerability will be verified. The third vulnerability identified is that the NetBIOS Shared Folder List is available. The remediation for this vulnerability is to use the Microsoft Computer Management MMC snap-in to connect and review the shares. Through this one would need to review the machine to ensure that users have not added any additional unauthorized shares, and that all exposed shares are valid. If no shares are needed, you can filter all Microsoft networking and Samba server ports at your firewall and disable null sessions to NetBIOS. Another remediation for this vulnerability is to perform a workaround. The detailed results outlines a process about this but what it is actually doing is modifying the local policy for accessibility. A network scanner can be used to ensure you filtered out the right ports at the firewall and disable the null session to the NetBIOS and a network administrator can review the local policy after the remediation of it has happened to ensure that it was changed correctly and is actually in place. This is how the remediation of this vulnerability will be verified. The fourth vulnerability described in the vulnerability assessment is one that deals with Microsoft Windows remote Information Disclosure. The remediation for this vulnerability is to apply the patches that are outlined for this vulnerability in the detailed results of the vulnerability assessment. To ensure the patches were applied and are in place we will be doing a scan-fix-scan procedure when going about applying the necessary patches for this vulnerability. The scan-fix-scan procedure is how we will verify the remediation of this vulnerability and to make sure that the patches are actually in place. The fifth vulnerability listed in the detailed results is that the NetBIOS Name is Accessible. The remediation for this vulnerability is that if the NetBIOS service is not required on this host, disable it. Otherwise, block any NetBIOS traffic at your network boundaries. Blocking the traffic at our network boundaries would be through firewall filtering and changing the firewall rules. Disabling the NetBIOS service would be done though a physical procedure of going into the host device and disabling that service. We can use a network scanner to ensure that the firewall rules have been changed and the filter is working correctly on said firewall and have a network administrator double check that the NetBIOS service is disabled on host devices that do not require it. Both of these methods mentioned are ways that the remediation for this vulnerability can be verified. Lastly now we have an ICMP Based TCP Reset Denial of Service vulnerability identified in this network. The remediation for this vulnerability is to apply the various updates provided in the detailed results of the vulnerability assessment for this vulnerability as well with a work around that states to block the ICMP hard-error packets using a firewall. Again we can use a network scanner to look at the firewall and make sure that the firewall has actually been configured to block ICMP hard-error packets and we can use the scan-fix-scan procedure to ensure that all updates have been applied and are in place to ensure that everything is up to date. This is how these remediations for this vulnerability will be verified to ensure it has been put into place properly.

From the remediation plan, you can see what vulnerabilities are within the network of the Silicon Forest Technology Group and how they can be addressed. We were able to see how many vulnerabilities were within this network, which were the top areas where the vulnerabilities are, and the severity of each of the vulnerabilities. I also provided a brief explanation about each of the vulnerabilities. From this I was then able to identify remediation actions that should be performed to eliminate the vulnerability or reduce the threat associated with the vulnerability. All in all, the Silicon Forest Technology Group should highly consider applying the remediation suggestions for all the vulnerabilities within their network to bring their level of hackability from significant down to a more appropriate level and to create a more safe and secure network for themselves.

References

HackerView Vulnerability Assessment. (n.d.). HackerView Vulnerability Assessment. Retrieved from https://bluequill.franklin.edu/myfranklin/PortalDownload.do?sectionId=52218&fileId=1702245&foId=2364218&type=attach