A9 2017 – Using Components with Known Vulnerabilities

You’ve done it! Congratulations! Your code is nearly perfect and secure, it was tested by a dozen pairs of eyes, and the money spent on code-analysis software was not in vain. There’s just one final step – let DevOps deploy it and let your customers work with the amazing web site you’ve made.

The next morning you get an email from your boss, and he’s not angry. He’s in a rage! He’s not impressed with the progress you made, but asks a single burning question – what is that huge white face with a stupid mustache he sees instead of a web site?

Your site was defaced overnight. You call DevOps and now it’s your turn to ask questions – guys, what web server do you deploy it on? Is it secure? Do you update it from time to time? Never? Oh …

Web sites do not operate by themselves. They run on top of web servers. Moreover, they use tons of 3rd-party libraries, frameworks, databases and other components that no one really checks. Some of them are open source, some are no longer developed but still widely used. Just think of it: some open-source libraries contain code that is 20 years old, and it’s maintained by volunteers. There’s just no way for a company to build everything from scratch! Keeping this in mind makes it easy to see that writing secure code is not enough. In fact, it’s not even 10% of the deal.

In the all-time classic movie «The Matrix Reloaded», Trinity runs an nmap scan against some careless electric company to discover the version of ssh it uses. Luckily for her it had a known vulnerability, so she saved the day once again.


(Of course, there’s no such thing as “sshnuke”, although you can find a pun on GitHub.)

In this example it’s clear that no matter how much money and effort a company spent on their software, their system was hacked just because the ssh component wasn’t updated in time.

I just must give my pardons here (to my wife first of all, since she’s a big fan) – I don’t think that «Matrix Reloaded» is a movie worth watching more than once, but this nmap scene is so iconic. Hey, it’s a 2003 movie, and the previous hacker movie called «Hackers» (eh?) depicts hacking like this:


And you just can’t take it seriously when the user interface looks like you’re floating through some 3-dimensional city. No wonder so many young people started learning computers and then realized that it wasn’t that exciting (in fact it’s way more exciting for some!).

It doesn’t get any better over the years, and what I see on television nowadays is hacking with ipconfig and ping commands.


One guy from the TV industry told me once that they mostly don’t try to show things as they are in real life, but as a viewer imagines them. That explains things a little.

OK, back to our example. If you can’t get through a web site’s security, why not look at the web server it runs on? Here’s a scan example. Same old nmap.


I can check the version of vsftpd 2.3.4 only to find that it is vulnerable and exploitable in a minute. The admin must have used ftp to upload files to the web server. So, there’s no need to check anything else – we’re there.

So, what do we do? First of all, you have to answer the following questions:

  • Do you know the exact versions of the software packages you’re using?
  • Is the software you’re using still supported?
  • Do you scan your system for known vulnerabilities from time to time?
  • What about updates? Does it take months to deploy a newer version of the software?

If the answers are mostly negative, I’m afraid that your system is vulnerable. Or even already breached, but you just don’t know it yet.

To fix things you have to make the answers to the questions above positive! That’s the easy part. Next you have to remove everything that is not used – software, drivers, dependencies, you name it. And finally, you have to establish a patch management process.
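As an added illustration (not code from the original post): a small Python audit that answers the first three questions above for a constructed inventory. The advisory list, end-of-support dates and the "name version" line format are all assumed sample data, not a real vulnerability feed.

```python
from datetime import date

# Constructed advisory list (sample IDs, not real CVE data).
# A package is affected if its version is in [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-SAMPLE-1", "package": "vsftpd", "introduced": "2.3.4", "fixed": "2.3.5"},
    {"id": "ADV-SAMPLE-2", "package": "openssh", "introduced": None, "fixed": "7.4"},
]

# Constructed end-of-support dates: past this date the vendor ships no fixes at all,
# so the package fails the "is it still supported?" question regardless of CVEs.
END_OF_SUPPORT = {"legacy-cms": date(2016, 1, 1)}

# Constructed inventory, one "name version" line per installed package,
# as a deploy script might record it (answers "do you know the exact versions?").
INVENTORY = """\
nginx 1.12.2
vsftpd 2.3.4
openssh 7.2
legacy-cms 3.1
"""


def parse_version(v: str) -> tuple:
    """Turn '2.3.4' into a comparable tuple, padded so '2.3' == '2.3.0.0'."""
    parts = [int("".join(ch for ch in p if ch.isdigit()) or 0) for p in v.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version: str, adv: dict) -> bool:
    """Range check against one advisory: introduced <= version < fixed."""
    pv = parse_version(version)
    if adv["introduced"] and pv < parse_version(adv["introduced"]):
        return False
    if adv["fixed"] and pv >= parse_version(adv["fixed"]):
        return False
    return True


def audit(inventory: str, advisories=ADVISORIES, eol=END_OF_SUPPORT, today=date(2018, 1, 1)):
    """Return (package, version, reason) findings for vulnerable or unsupported packages."""
    findings = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        name, version = line.split()
        for adv in advisories:
            if adv["package"] == name and is_affected(version, adv):
                findings.append((name, version, adv["id"]))
        if name in eol and eol[name] <= today:
            findings.append((name, version, "UNSUPPORTED"))
    return findings
```

Run `audit(INVENTORY)` on the sample above and the vsftpd 2.3.4 line from the scan shows up as a finding, as do the outdated openssh and the unsupported CMS, while nginx is clean.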


3 thoughts on “A9 2017 – Using Components with Known Vulnerabilities”

  1. Just want to add that patch/change management in a legacy environment is like a unicorn. It could exist in theory, but in reality it doesn’t. If your company has never done this before you came and you decided to solve it at some point, then you will get a lot of challenges and problems. Mostly non-technical.

      1. By the way, it’s also possible. If broken bones are set the wrong way, there is no doctor who could help you =) it needs a new breaking )
