Tuesday, September 23, 2003

Try Tenable Security's NeVO before 30 Sep 03!

I downloaded the demo version of Tenable Security's NeVO today. I was unable to get it to work on Red Hat Linux 7.3 but I did install it successfully on FreeBSD 4.8 RELEASE. NeVO is a passive vulnerability scanner. It sits and watches your network for services and protocols which could be exploited by an intruder. It doesn't actively check for vulnerabilities like an assessment product might do. This is similar to Sourcefire's RNA or "Real-time Network Awareness" concept.

Below is an example of NeVO's output. It uses the .nsr format produced by Nessus, the active vulnerability assessment tool written by Tenable employee Renaud Deraison:

10.1.1.1|27201/tcp|8518|INFO|The remote host is using a version of Portable OpenSSH which may allow an attacker to determine if an account exists or not by a timing analysis.;Solution : Upgrade to OpenSSH-portable 3.6.1p2 or newer;CVE : CAN-2003-0190
10.1.1.1|27201/tcp|8501|INFO|The remote host is running a SSH server :;SSH-2.0-OpenSSH_3.5p1
10.1.1.1|27201/tcp|8528|REPORT|The remote host is running a version of OpenSSH which is vulnerable to a flaw in the buffer handling functions which may possibly leading to command execution.;Solution : Upgrade to OpenSSH 3.7 or newer
10.1.1.2|443/tcp|
10.2.0.3|161/udp|4582|INFO|The remote host is running an SNMPv1 agent. Having such an agent open to outside access may be used to compromise sensitive information. Certain SNMP agents may be vulnerable to root compromise attacks.
10.2.0.3|161/udp|4500|INFO|The remote host is running an SNMPv1 server that uses a well-known community string - public;Solution : This signature was obtained through direct sniffing of the network, so if possible, migrating systems to SNMP v3 would be more secure. For non-local attacks though, your community string is easily guessed and should be changed to something more random.
10.2.0.123|0/tcp|1|INFO|The remote host OS could not be recognized. Its fingerprint is : 64437:255:1371:1:0:1:1:48
10.2.0.123|0/tcp|8502|INFO|The remote host is running a SSH client: SSH-2.0-PuTTY-Release-0.53b

Notice how NeVO detected SSH running on a port other than 22 TCP -- in this case, 27201 TCP. Service identification on non-standard ports is something I've been interested in finding. (For active service identification on non-standard ports, try AMAP.) NeVO data can be imported into Nessus for easier reading, or imported into a spreadsheet.
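As an added illustration (written for this post, not NeVO's or Nessus's own code), here is a small parser for the pipe-delimited .nsr lines above. It splits out the "Solution :" and "CVE :" segments, skips the truncated 10.1.1.2|443/tcp| line instead of failing, and flags services seen off their usual port, which is how the SSH-on-27201 case was spotted by eye. The service-to-port mapping is an assumption, not something NeVO emits.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
# Usual ports for services NeVO names in its summary text (assumed mapping, not from the post).
EXPECTED_PORTS: Dict[str, int] = {"SSH server": 22, "SNMPv1": 161}

@dataclass
class NsrRecord:
    host: str
    port: int
    proto: str
    plugin_id: int
    severity: str
    summary: str
    solution: Optional[str] = None
    cve: List[str] = field(default_factory=list)

def parse_nsr_line(line: str) -> Optional[NsrRecord]:
    """Parse one 'host|port/proto|plugin|severity|text' line. The text field uses ';' as
    a line separator; truncated lines such as '10.1.1.2|443/tcp|' give None, not an error."""
    parts = line.strip().split("|", 4)
    if len(parts) < 5 or not parts[2].isdigit():
        return None
    host, port_proto, plugin, severity, text = parts
    port, proto = port_proto.split("/", 1)
    summary, solution, cve = [], None, []
    for seg in (s.strip() for s in text.split(";")):
        if seg.startswith("Solution :"):          # 'Solution : Upgrade to ...'
            solution = seg.split(":", 1)[1].strip()
        elif seg.startswith("CVE :"):             # 'CVE : CAN-2003-0190'
            cve = [c.strip() for c in seg.split(":", 1)[1].split(",")]
        elif seg:
            summary.append(seg)
    return NsrRecord(host, int(port), proto, int(plugin), severity,
                     " ".join(summary), solution, cve)

def parse_nsr(text: str) -> List[NsrRecord]:
    return [r for r in map(parse_nsr_line, text.splitlines()) if r]

def nonstandard_services(records: List[NsrRecord]) -> List[tuple]:
    """Flag services seen on a port other than the usual one, e.g. SSH on 27201/tcp."""
    return [(r.host, f"{r.port}/{r.proto}", name) for r in records
            for name, port in EXPECTED_PORTS.items()
            if name in r.summary and r.port != port]

# Sample input: three lines copied from the NeVO output above plus its truncated line.
SAMPLE = """10.1.1.1|27201/tcp|8501|INFO|The remote host is running a SSH server :;SSH-2.0-OpenSSH_3.5p1
10.1.1.1|27201/tcp|8518|INFO|The remote host is using a version of Portable OpenSSH which may allow an attacker to determine if an account exists or not by a timing analysis.;Solution : Upgrade to OpenSSH-portable 3.6.1p2 or newer;CVE : CAN-2003-0190
10.1.1.2|443/tcp|
10.2.0.3|161/udp|4582|INFO|The remote host is running an SNMPv1 agent. Having such an agent open to outside access may be used to compromise sensitive information. Certain SNMP agents may be vulnerable to root compromise attacks.
"""
```

Running nonstandard_services(parse_nsr(SAMPLE)) reports only the SSH server on 10.1.1.1 at 27201/tcp; the SNMPv1 agent on 161/udp sits on its expected port and is not flagged.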

This is a great idea. At the very least it could be used to supplement active vulnerability assessment products. Sometimes active VA crashes hosts with weak TCP/IP stacks or other vulnerable services. Passive VA works by observing other parties accessing those stacks or services. It's a great way to collect security data in sensitive environments where no one trusts active VA products. I would argue that hosts should be robust enough to withstand scanning, but it helps to have another option available. This demo version of NeVO expires 1 Oct 03.
