Alan Hargreaves' Blog

The ramblings of an Australian SaND TSC* Principal Field Technologist

A plea to security auditors

When you give your customers the list of “vulnerabilities” to take up with their vendor, can you please make sure of a couple of things?

  1. Actually identify the security vulnerability with a reference, so we don’t have to try to interpret your vague description of it (a pointer to one of the sites that reports security vulnerabilities isn’t that hard, is it?)
  2. Verify that the system really is vulnerable. As I pointed out in an earlier blog, looking at the version label is not always enough to say that a version is vulnerable, not to mention that sometimes even the best of tools produce false positives.

One call I have been dealing with over the last few days identified that a customer was vulnerable to five different items. After working out what was really meant by three of them, I was able to determine that they were vulnerabilities that we put patches out for back in 2003, and the customer had patches on the system that included these fixes. If the scanner software had probed the vulnerability, it would have seen that the product in question was safe. Of the other two, “rexec” was commented out of /etc/inetd.conf and netstat -a showed nothing listening on port 512, and they actually did still have rshd running, which they needed to turn off.

Because of the vagueness of the descriptions I was given I had to spend quite some time researching three of those vulnerabilities to find exactly what they meant (not helped by how old they were).

You can probably imagine how pleased I was at having to spend time doing this research when I have other calls in my queue that really also needed attention, only to find out that it could all have been avoided.
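One way to do the kind of verification item 2 asks for, applied to the rexec/rsh case above, as an added example rather than anything from the post: a POSIX sh script that checks an inetd.conf and a `netstat -an` capture together, so the finding rests on what is enabled and listening rather than on a version label. It assumes the classic inetd.conf layout; on Solaris 10 and later the same services live in SMF, so `inetadm -l` is the place to look instead.

```sh
#!/bin/sh
# Added example, not code from the original post. It checks whether an
# inetd-style service (exec = rexec, shell = rsh) is really enabled in an
# inetd.conf and whether anything is listening on its port in a `netstat -an`
# capture, so a scanner finding is confirmed or dismissed from evidence
# rather than from a version label. Inputs are files so it runs offline.

# inetd_enabled SERVICE FILE: true if FILE has an uncommented line whose
# first field is SERVICE.
inetd_enabled() {
    awk -v svc="$1" '
        /^[ \t]*#/ { next }                # commented-out entry: ignore
        NF > 0 && $1 == svc { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$2"
}

# port_listening PORT FILE: true if the netstat capture shows a LISTEN socket
# whose local address ends in ".PORT" (Solaris) or ":PORT" (Linux).
port_listening() {
    grep -E "[.:]$1[[:space:]]" "$2" | grep -q 'LISTEN'
}

# service_state SERVICE PORT INETD_FILE NETSTAT_FILE: prints one of
# off / enabled / listening / enabled+listening.
service_state() {
    e=""; l=""
    inetd_enabled "$1" "$3" && e=enabled
    port_listening "$2" "$4" && l=listening
    case "$e$l" in
        "")        echo off ;;
        enabled)   echo enabled ;;
        listening) echo listening ;;
        *)         echo enabled+listening ;;
    esac
}

# Constructed sample inputs mirroring the call in the post: rexec commented
# out and not listening, rsh still enabled and listening on 514.
SAMPLE_INETD=$(mktemp); SAMPLE_NETSTAT=$(mktemp)
trap 'rm -f "$SAMPLE_INETD" "$SAMPLE_NETSTAT"' EXIT
cat > "$SAMPLE_INETD" <<'EOF'
#exec    stream  tcp     nowait  root    /usr/sbin/in.rexecd     in.rexecd
shell    stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
EOF
cat > "$SAMPLE_NETSTAT" <<'EOF'
      *.514                *.*                0      0 49152      0 LISTEN
      *.22                 *.*                0      0 49152      0 LISTEN
EOF
for s in "exec 512" "shell 514"; do set -- $s; echo "$1: $(service_state "$1" "$2" "$SAMPLE_INETD" "$SAMPLE_NETSTAT")"; done
```

On a live host, replace the sample files with the real /etc/inetd.conf and the output of `netstat -an` (the `-n` matters, since without it Solaris prints service names such as `*.exec` rather than port numbers).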


Written by Alan

March 18, 2011 at 3:01 pm

Posted in Security, Solaris

3 Responses


  1. Often the problem is that everybody with a pen test tool calls themselves a security auditor ….

    Joerg M.

    March 18, 2011 at 6:16 pm

  2. Hear, hear! You would think they get paid by the vuln. It does seem as if they don’t feel obligated to address the possible mitigating factors that might declare you safe.

    Even the software vendors themselves can be guilty of cutting corners. The first couple of Oracle quarterly CPU releases that covered Solaris had these problems.

    I had to make a spreadsheet that cross-referenced three or four docs to get what could have easily been incorporated in the announcement. The good news is that they listened to my (and others) feedback, and the latest CPU is an improvement.

    It’s still not perfect — due to intentionally ambiguous alert descriptions (some of which they file themselves), I still don’t always know the underlying root cause; but, at least I know which patch I need to fulfill the checkbox reviews and audits. =-)

    -cheers, CSB

    Craig S. Bell

    March 19, 2011 at 7:38 am

  3. I couldn’t possibly comment, Joerg 😉

    Craig, I’m glad that you are seeing some improvement in what we do.

    Alan

    March 21, 2011 at 5:15 pm

