The Gorilla CISO has a blog post about vulnerability management that is worth reading. It sounds really familiar, though I’m dealing with it on a much, much smaller scale.
“The way we manage patch and vulnerability information is something out of the mid-80s.”
Tell me about it. Today I read RSS feeds (US-CERT, SANS ISC, vendors, white hats, bloggers, etc.) and emails from vulnerability alert services (DeepSight, the Microsoft Technical Account Manager, random people who read about a patch or virus in the Wall Street Journal). That gets entered into a spreadsheet with the CVE, Bugtraq ID and vendor reference ID. Once Qualys releases a detection, the Qualys ID gets added as well, along with the detection count.
This is a tedious, manual process that no one seems to actually give a damn about. The auditors didn’t like the way we were (are?) managing vulnerabilities (it may still be a POA&M item). And the reports seemed to mean nothing to management. It worked better when I didn’t bother creating the spreadsheet and just told them what patches we deployed this month, plus the detection count for a few key vulnerabilities that I felt required management attention (Adobe Reader, MS08-067, etc.).
At the Gartner Information Security Summit in National Harbor, MD (near DC), I attended a track titled “Qualys, Inc.: Using SaaS to Build Full Life Cycle Program for Security and Compliance.” I was hoping this might offer a suggestion for how to do this. Unfortunately it seemed like the solution was creating a home-grown database and correlating the results of multiple scanners. I’m sure that works great, but without instructions on building such a database, it’s a lot of work to build from scratch.
iDefense is now integrating your Qualys vulnerability scan results into their vulnerability intelligence. If you could afford such a thing (apparently we can’t), you’d still have a problem: vulnerability scans run at set times, and systems may not be online when the scan runs. While it’s great for scanning servers, Qualys alone does not give an accurate reflection of all vulnerabilities on your end-user equipment. While talking with Forescout, a NAC vendor, I found that they had a plugin for Retina. When a computer comes online, the plugin checks with Retina to find out when the device was last scanned. If it’s been longer than your configured threshold (hasn’t been scanned in X days), it fires up Retina to initiate a scan. Qualys provides the appropriate APIs to do this as well, so I asked Forescout to look into improving their Qualys plugin.
The combination of iDefense, Qualys and Forescout (if Forescout updates the plugin) would be quite formidable for vulnerability lifecycle management. What’s left is desired-configuration monitoring: are my systems continuing to conform to my security policy? I am not currently scanning for that regularly. Once I get a tool for that, it’s one more thing to integrate.
There is no simple solution. I may have to polish up the SQL skills and take a run at building something myself.
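As an added illustration (this is not code from the post, from Qualys, Forescout or any other vendor mentioned), here is the shape such a home-grown database could take using Python and SQLite: feed entries keyed by CVE, Bugtraq and vendor reference, a scanner check ID attached once a detection ships, per-item open/fixed counts and patched ratio, the short management view of a few key items, and the Forescout-style rule that queues a rescan for a host that connects after not being scanned in X days. The table layout, host names, dates and all numeric BIDs and QIDs are constructed placeholders; only the MS08-067/CVE-2008-4250 and APSB08-19/CVE-2008-2992 pairings are real identifiers.

```python
"""Added example, not code from the post or from any vendor it mentions: a small
SQLite store for the feed -> spreadsheet -> scanner workflow. Table layout, host
names, dates and all numeric IDs below are constructed placeholders."""
import sqlite3
from datetime import datetime, timedelta, timezone

NOW = datetime(2008, 11, 1, tzinfo=timezone.utc)  # fixed "today" for reproducible sample data

SCHEMA = """
CREATE TABLE vuln (
    id INTEGER PRIMARY KEY,
    cve TEXT,                   -- NULL until a CVE is assigned
    bugtraq_id INTEGER,         -- Symantec/SecurityFocus BID, if known
    vendor_ref TEXT NOT NULL,   -- MS08-067, APSB08-19, an internal ticket ...
    qid INTEGER,                -- scanner detection ID; NULL until the check ships
    exploit_public INTEGER NOT NULL DEFAULT 0,
    source TEXT);               -- feed or e-mail the entry came from
CREATE TABLE host (hostname TEXT PRIMARY KEY,
                   last_scan TEXT);  -- ISO-8601 UTC; NULL = never scanned
CREATE TABLE detection (
    hostname TEXT NOT NULL REFERENCES host(hostname),
    qid INTEGER NOT NULL,
    status TEXT NOT NULL CHECK (status IN ('vulnerable', 'fixed')),
    PRIMARY KEY (hostname, qid));
"""

# Constructed rows. MS08-067/CVE-2008-4250 and APSB08-19/CVE-2008-2992 are real
# advisory/CVE pairs; the BIDs, QIDs and the host inventory are made up.
SAMPLE_VULNS = [
    ("CVE-2008-4250", 900001, "MS08-067", 100001, 1, "US-CERT"),
    ("CVE-2008-2992", 900002, "APSB08-19", 100002, 1, "DeepSight"),
    (None, None, "TAM-EMAIL-2008-11", None, 0, "Microsoft TAM e-mail"),  # no IDs yet
]
SAMPLE_HOSTS = [("srv01", NOW - timedelta(days=2)), ("srv02", NOW - timedelta(days=9)),
                ("laptop07", None), ("laptop12", NOW - timedelta(days=40))]
SAMPLE_DETECTIONS = [("srv01", 100001, "fixed"), ("srv02", 100001, "vulnerable"),
                     ("srv02", 100002, "vulnerable"), ("laptop12", 100001, "vulnerable"),
                     ("laptop12", 100002, "fixed")]


def open_store():
    """In-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO vuln (cve, bugtraq_id, vendor_ref, qid, exploit_public, "
                     "source) VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_VULNS)
    conn.executemany("INSERT INTO host VALUES (?, ?)",
                     [(h, t.isoformat() if t else None) for h, t in SAMPLE_HOSTS])
    conn.executemany("INSERT INTO detection VALUES (?, ?, ?)", SAMPLE_DETECTIONS)
    conn.commit()
    return conn


def attach_qid(conn, vendor_ref, qid):
    """Record the scanner's check ID once it ships. Returns rows updated (0 = untracked)."""
    cur = conn.execute("UPDATE vuln SET qid = ? WHERE vendor_ref = ?", (qid, vendor_ref))
    conn.commit()
    return cur.rowcount


def detection_report(conn):
    """One row per tracked item with open/fixed host counts and patched ratio. The LEFT
    JOIN keeps items the scanner cannot detect yet (counts 0, ratio None) in the report."""
    rows = conn.execute("""
        SELECT v.vendor_ref, v.cve, v.qid, v.exploit_public,
               SUM(CASE WHEN d.status = 'vulnerable' THEN 1 ELSE 0 END) AS still_open,
               SUM(CASE WHEN d.status = 'fixed' THEN 1 ELSE 0 END) AS fixed
        FROM vuln v LEFT JOIN detection d ON d.qid = v.qid
        GROUP BY v.id
        ORDER BY v.exploit_public DESC, still_open DESC, v.vendor_ref""").fetchall()
    report = []
    for vendor_ref, cve, qid, exploit_public, still_open, fixed in rows:
        total = still_open + fixed
        report.append({"vendor_ref": vendor_ref, "cve": cve, "qid": qid,
                       "exploit_public": bool(exploit_public),
                       "still_open": still_open, "fixed": fixed,
                       "pct_patched": round(100.0 * fixed / total, 1) if total else None})
    return report


def management_summary(conn, key_refs):
    """Open-host counts for a few key items only: the form management actually read."""
    return {r["vendor_ref"]: r["still_open"]
            for r in detection_report(conn) if r["vendor_ref"] in key_refs}


def hosts_needing_scan(conn, now, max_age_days):
    """NAC-trigger rule: on connect, queue a scan for a host never scanned or last scanned
    more than max_age_days ago. Timestamps are ISO-8601 UTC strings, so they compare in order."""
    cutoff = (now - timedelta(days=max_age_days)).isoformat()
    rows = conn.execute("SELECT hostname FROM host WHERE last_scan IS NULL OR last_scan < ? "
                        "ORDER BY hostname", (cutoff,)).fetchall()
    return [hostname for (hostname,) in rows]


if __name__ == "__main__":
    db = open_store()
    print(*detection_report(db), sep="\n")
    print("rescan on connect (7 days):", hosts_needing_scan(db, NOW, 7))
```

Two details carry the point of the post. An entry with no scanner check yet stays in the report with a `None` ratio rather than vanishing, which is exactly the gap between reading the advisory and Qualys shipping a detection that the spreadsheet has to bridge by hand. And a host with `last_scan` NULL is treated the same as a stale one, so a laptop that has never been on the network during a scheduled scan window is caught the first time it connects.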
Posts tagged ‘DeepSight’
Enterprise Vulnerability Management
More JAVA Updates
We just finished rolling out Java 1.5 Update 14. As we’ve come to expect with all updates, that means another update is right around the corner. Sun has not disappointed.
Sun JDK and JRE 5.0 Update 15
http://java.sun.com/javase/downloads/index_jdk5.jsp
Sun JDK and JRE 6 Update 5
http://java.sun.com/javase/downloads/index.jsp
Sun SDK and JRE 1.4.2_17
http://java.sun.com/j2se/1.4.2/download.html
Multiple vulnerabilities have been disclosed:
- Two privilege-escalation vulnerabilities affect the Java Runtime Environment Virtual Machine. An untrusted application downloaded from a website may be able to elevate its privileges to read and write local files or execute local applications.
- A privilege-escalation vulnerability affects the Java Runtime Environment (JRE) when processing XSLT transformations. An applet may be able to exploit this to read unauthorized URIs, potentially execute arbitrary code, or cause denial-of-service conditions.
- Three buffer-overflow vulnerabilities affect Java Web Start. These issues may be exploited by a malicious Java Web Start application to elevate privileges and perform arbitrary actions as the currently logged-in user.
- A privilege-escalation vulnerability affects Java Web Start. An untrusted application may be able to grant read and write permission to local files, or execute local applications in the context of the currently logged-in user.
- An unauthorized-access vulnerability affects Java Web Start. A malicious Java Web Start application can exploit this issue to create files on the vulnerable system. It may then be able to execute those files to run arbitrary code in the context of the currently logged-in user.
- A same-origin bypass vulnerability affects the Java Plug-in. An applet may be able to exploit this issue to execute local applications that are accessible to the user running the plug-in.
- A privilege-escalation vulnerability affects the Java Runtime Environment image-parsing library. A malicious applet may be able to exploit this to read and write local scripts and execute local applications in the context of the currently logged-in user.
- Two denial-of-service vulnerabilities affect the color management library and may cause the Java Runtime Environment to crash.
- An unauthorized-access vulnerability affects the Java Runtime Environment and may allow JavaScript code to make connections to network services. This may aid in further attacks.
- A buffer-overflow vulnerability affects Java Web Start. A Java Web Start application may be able to exploit this issue to elevate privileges, read/write arbitrary files, and execute arbitrary local applications in the context of the currently logged-in user.
(Source: Symantec DeepSight Alert Service)
Adobe Reader 8.1.2 Released
Adobe Reader 8.1.2 is out, download here.
There are not any new security advisories for Adobe Reader at this time. Until I hear otherwise, this may just be a bugfix release.
Update: The 8.1.2 release notes are available. The summary states: “The Adobe Reader 8.1.2 update addresses a number of customer workflow issues and security vulnerabilities while providing more stability.”
Update 2: Symantec DeepSight reports that a proof-of-concept exploit is available to members of the Immunity Partners Program.
FrSIRT Closes Public Exploits Section
The public exploits section at the French Security Incident Response Team (FrSIRT) website has gone members-only.
That website had been a good place for the non-grayhat to learn what exploit code is easily available. All too often patching can’t occur until it is justified by a credible threat, and that site acted as a barometer in a way not matched even by pay services like Symantec DeepSight. I’m going to miss it.
Private exploit available for Symantec RAR vulnerability
Dave Aitel over at ImmunitySec has released exploit code for the Symantec RAR vulnerability that was announced in December. The code has been released only to ImmunitySec customers. This is a sign that it is possible to develop an exploit for this vulnerability. Not only that, if history is any indication, the super-duper bad guys probably already have it and have been using it in secret in targeted attacks.
[Update] I see this is old news; this actually occurred on 2/6/2006, but the Symantec DeepSight Alert Service only told me about it now.
ElseNot Project
I’ve been working on building a spreadsheet of patches that have been exploited, along with the ratio of patched to unpatched systems at my company.
It’s kind of a pain to search through old DeepSight notices to see which patches have associated exploits. The ElseNot Project posts which Microsoft patches have associated exploits. I’m not really a fan of their stated goal, “an exploit for every Microsoft vulnerability,” but it is a good quick reference. One thing they could do better: in addition to linking to exploit code, they should also use the common name where possible, such as Slammer or Code Red.
Symantec Site Redesign
I learned this morning from Chris Mosby’s blog that Symantec had performed a site redesign. This was news to me because everything was normal last night at 1am.
Normally I’d say hopefully this is a sign Symantec is migrating off Lotus Notes and we won’t have to deal with slow site updates (replication) and incredibly long URLs anymore. Unfortunately, what has replaced it is worse.
Normally my entry point to Symantec’s antivirus information is www.symantec.com/avcenter. This now redirects me to the main page.
Virus page URLs used to be somewhat predictable, which made it possible to find a write-up before it was posted to the main page and before it was searchable. Now virus links look like http://www.symantec.com/enterprise/security_response/risks/advisories/virus.jsp?id=32736 and you can’t tell at a glance what the link is for. Once you are at the write-up page, instead of having everything you need on one page, there are now four links: Overview, Removal, Technical Details and Recommendations. I’m so glad that Symantec already sends me these write-ups through the DeepSight subscription service; I’d hate to have to load four pages when one would do.
I’m getting 404s from the site, so hopefully they are still in the process of working out the kinks.
Feedback related to the Symantec website can be posted here

