Cyber Security Expo
 
The Meaning of Security by Charles Hornat on 05/09/02

Abstract

The term ‘Security’ can be interpreted differently by people and vendors. In this paper, we study the different interpretations from SUN Solaris and NESSUS. This study was done by performing security scans of the SUN Solaris 8 Operating System before and after applying SUN security patches. We will analyze the before and after scans that are performed on the system, look at what the Operating System vendor explained the patches would do and compare the end result with expectations set by the vendor. In the end, you will see that applying patches isn’t a complete solution to securing your systems, but a mere step in the process.


Table of Contents

Abstract
Table of Contents
The Meaning of Security
What is NESSUS?
What is Nmap?
What are Vulnerabilities?
The Target
The Attacker
What is a Cluster Patch?
The Test
Before Scan Review
Comparison of Scans
Nmap After
Conclusion
Further Reference
References
APPENDIX A: Nessus Before Output
APPENDIX B: Nessus After Output


The Meaning of Security

“Security can have different meanings to different people.” This is a simple statement that many people agree with. In a recent online poll at the Security Writers Guild[1], someone asked the question: What is security? There were numerous responses posted covering many different aspects of security. Some of the responses were:

“Security to me is the balancing act between keeping the users’ data safe and secure from unwanted change or viewing and keeping the system as easy to use as possible.”
Mandra 12/25/2001

Security, in the sense that it’s used here, is every angle of security, as most hacking sites are. Securing systems, breaking into systems, figuring out how systems work. All of it.
OGMA 12/27/2001

ISO 17799 describes something similar, but broader in scope, which is being adopted by many companies worldwide.
1. Information Security Policy
2. Security Organization
3. Asset Classification & Control
4. Personnel Security
5. Physical & Environment Security
6. Access Control
7. Communications & Operations Security
8. Systems Development and Maintenance
9. Business Continuity Planning
10. Audit and Compliance

Bog 12/30/2001

As seen above, there are many different opinions on what security means, and the same can be said of vendors. If vendors do not agree on a definition of security, how can administrators understand how each vendor views it, and so protect their systems better? The idea for this study was to focus on an Operating System vendor (SUN) and two security scanning tools (NESSUS and Nmap) and see whether these vendors viewed security the same way. While this particular study focused on exploits of a common operating system, it can serve as a basis for determining how OS vendors and security experts define the same threats, giving administrators a better understanding of how to analyze systems and interpret a vendor’s statements.


What is NESSUS?

NESSUS is a software package that performs Security Scanning of operating systems and networks. This product is free and is very popular in the Security Industry. Many security professionals use it today to scan their systems looking for common vulnerabilities and companies such as Enterasys[2] have incorporated the NESSUS scanning tool into their Intrusion Detection products to help with vulnerability correlation[3]. Information Security Magazine awarded NESSUS the “Best 2002 Security Freeware/Shareware.”[4]

NESSUS offers much functionality including but not limited to:

  • An up-to-date security vulnerability database
  • An attack scripting language (NASL) that allows the operator to write specific or custom tests quickly and easily
  • Smart service recognition that takes into account that not all applications run on their IANA-assigned ports
  • 95% of the security checks that NESSUS performs are actually attempted by NESSUS against the target

In the scan results, references to the following are seen: Security Holes, Security Notes, and Security Warnings. Definitions for these could not be found in the man pages or on the NESSUS site, so I emailed Mr. Renaud Deraison, one of the developers of NESSUS, to ask for his definitions of the three. He responded with:

Basically, Security Notes are just "nits". It's information that may be valuable in itself (i.e.: the name of the remote operating system, and so on), but it does not make the host more prone to be victim of an attack.

Security warnings are advice we recommend you to follow, or a bug waiting to be exploited in conjunction with another vulnerability. A service that is historically known to be buggy is likely to get such a warning, even if the tested release was considered as bug free. A service which operates in clear text may also get a warning and so on. In one word, I'd call them "disasters waiting to happen". Meaning that they're not fatal now, but they might be some day.

Security holes mean that a cracker can get instant access on your box (either read any file or walk thru the filesystem or even have a shell prompt).

Notepad 1: Deraison's Response

This information will help us understand the report that is output by NESSUS. Further information on NESSUS can be found and downloaded at www.nessus.org/.


What is Nmap?

Nmap is a free port scanner and OS detection tool, written by a hacker known as Fyodor. Over the years, with input from other hackers and security experts, Fyodor has developed it into a tool used by both communities. Nmap is known for the following:

  • Flexibility: supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP and UDP), OS detection, ping sweeps, and more.
  • Ease of use: offers a rich set of advanced features for power users as well as simple commands. There are even graphical (GUI) versions available to suit any auditor’s preference. Additionally, it comes with newer distributions of Linux.
  • It’s free: the primary goal of the Nmap Project is to help make the Internet a little more secure and to provide administrators/auditors/hackers with an advanced tool for exploring their networks for potential vulnerabilities...

The above information was gathered from the FAQ at http://www.insecure.org/, and Nmap itself can be downloaded from there as well.


What are Vulnerabilities?

This paper uses the term ‘vulnerability’ to judge how secure an Operating System is. To better understand what we are looking at in the analysis, let’s look at some definitions of the word ‘vulnerability’. You will see that, as with the Security Writers members, the definitions vary here as well, but they share the common theme of ‘weakness’. Whether it is in the software or in the setup, to be vulnerable is to be weak.

Common Vulnerabilities and Exposures[5], a well known web site in the industry for gathering vulnerabilities and announcing them to the public, defines the word vulnerability as:

A universal vulnerability is a state in a computing system (or set of systems) which either

  • allows an attacker to execute commands as another user
  • allows an attacker to access data that is contrary to the specified access restrictions for that data
  • allows an attacker to pose as another entity
  • allows an attacker to conduct a denial of service[6]

Microsoft[7], an Operating System vendor, defines vulnerability as:

A security vulnerability is a flaw in a product that makes it infeasible – even when using the product properly – to prevent an attacker from usurping privileges on the user's system, regulating its operation, compromising data on it, or assuming un-granted trust.[8]


The Target

Our target operating system for this paper is the SUN Solaris 8 operating system (OS). This operating system is used by many companies and corporations around the world, varying in size and purpose. A recent study by Dataquest[9] announced that SUN held 68.5% of the RISC/UNIX server market in 2001. In addition, the SUN operating system represents a great number of installations on which many applications, databases and web sites are deployed today. Solaris is developed by SUN Microsystems for two hardware platforms: Intel and Sparc. Since the OS is native to the Sparc platform, that platform was chosen for this experiment. The tests were performed against a default install of Solaris 8 on a Sparc Ultra 10.


The Attacker

A Dell Pentium 3 running Redhat[10] 7.2 was used as the attacking system. No additional patches were applied to this installation of Redhat Linux. Linux was chosen because it is the Operating System of choice for hackers and script kiddies, and because many of today’s top security analysis tools are developed for it and run natively on it.

In this study, Nmap version 2.54 BETA 22 and NESSUS 1.0.9 were used to scan the target machine. Nmap identified the ports and services listening on the target, and NESSUS scanned for vulnerabilities in those services and in the Operating System itself. The two were picked for their popularity, performance and flexibility within the Security community.


What is a Cluster Patch?

A cluster patch is a special patch offered by Sun on its web site. It is a comprehensive patch consisting “of Operating System patches deemed to be of a universal interest or related to security.”[11] To take it a step further, the README file for the specific cluster patch details:

NAME: Solaris 8 x86_Recommended Patch Cluster
DATE: Jan/04/02

##############################################################################

This patch cluster is intended to provide a selected set of patches for the designated Solaris release level. This is a bundled set of patches conveniently wrapped for one-step installation. Only install this cluster on the appropriate Solaris system. Carefully read all important notes and install instructions provided in this README file before installing the cluster. A cluster grouping does not necessarily imply that additional compatibility testing has occurred since the individual patches were released.

##############################################################################

CLUSTER DESCRIPTION
-------------------

These Solaris Recommended patches are considered the most important and highly recommended patches that avoid the most critical system, user, or security related bugs which have been reported and fixed to date. In most cases a Solaris security patch will be included in the recommended patch set. It is possible, however, that a security patch may not be included in the recommended set if it is determined to be a more obscure application specific issue and not generally applicable.

During initial installation of the Solaris product other patches or patch sets may be provided with the product and required with product installation. Refer to the Solaris product installation documentation to be sure that all the patches required at product installation are already installed. This patch cluster can then be used to update or augment the system with the recommended patches included.

Notepad 2: Cluster Patch Readme

The first part of the CLUSTER DESCRIPTION in the above README file states “These Solaris Recommended patches are considered the most important and highly recommended patches that avoid the most critical system, user, or security related bugs which have been reported and fixed to date.” This line would certainly convince most administrators looking for a security patch to install the Cluster Patch and feel more secure. And rightfully so! The Cluster Patch does indeed contain security patches for common and well known vulnerabilities that hackers and crackers would exploit. But would it contain the ones that NESSUS would find?


The Test

As previously mentioned, a default install of Solaris 8 was done on an Ultra 10. No additional configuration or patches were applied to this target machine. The scan was then performed from the Redhat Linux system with NESSUS and Nmap. The full results of the NESSUS scan can be found in Appendix A at the end of this paper. The summary of the NESSUS scan was:

NESSUS Before:
Number of security holes found: 2
Number of security warnings found: 25
Number of security notes found: 6

It’s important to remember that this was the default install of the operating system with default options selected. There were no customizations or system updates. Whenever a new OS is installed, it is best practice to install the latest patches.

Next, the latest cluster patch from SUN was applied. The patch installed in approximately an hour, and the second scan was performed. The full results of this scan can be found in Appendix B at the end of this paper. The summary of the scan was:

NESSUS After:
Number of security holes found: 2
Number of security warnings found: 24
Number of security notes found: 6

The end result: the SUN cluster patch closed only one warning found by NESSUS. The Cluster Patch that SUN describes as “considered the most important and highly recommended patches that avoid the most critical system, user, or security related bugs which have been reported and fixed to date” did little for the NESSUS audit performed on the system.

This finding reinforces the initial comment that “Security can have different meanings to different people.” In this particular case, one can see that the interpretations of security differ between NESSUS and SUN when it comes to securing a SUN Solaris system. An evaluation of the reports generated by NESSUS helps explain this conclusion.


Before Scan Review

Warning found on port echo (7/tcp)
Warning found on port daytime (13/tcp)
Warning found on port chargen (19/tcp)
Warning found on port ftp (21/tcp)
Information found on port ftp (21/tcp)
Warning found on port telnet (23/tcp)
Information found on port telnet (23/tcp)
Warning found on port smtp (25/tcp)
Information found on port smtp (25/tcp)
Warning found on port finger (79/tcp)
Warning found on port finger (79/tcp)
Warning found on port exec (512/tcp)
Warning found on port login (513/tcp)
Warning found on port shell (514/tcp)
Warning found on port submission (587/tcp)
Information found on port submission (587/tcp)
Information found on port general/tcp
Information found on port general/udp
Warning found on port unknown (32777/udp)
Warning found on port unknown (32773/tcp)
Warning found on port unknown (32775/udp)
Warning found on port unknown (32776/udp)
Vulnerability found on port unknown (32772/udp)
Warning found on port unknown (32774/udp)
Warning found on port unknown (32778/udp)
Warning found on port unknown (32773/udp)
Warning found on port unknown (4045/udp)
Vulnerability found on port unknown (32779/udp)
Warning found on port general/icmp
Warning found on port general/icmp
Warning found on port echo (7/udp)
Warning found on port daytime (13/udp)
Warning found on port chargen (19/udp)

Fig 1: Before Vulnerabilities

In reviewing the initial scan results, services like Telnet and FTP are flagged as vulnerabilities. These services are active by default on Solaris. Such services have a history of vulnerabilities and are insecure in the way they transmit data and authentication information: when telnet or FTP is used, the login name and password are sent in plain text. Nothing is encrypted, which gives an attacker the opportunity to easily sniff the login, password and any data transmitted over that connection. The Cluster Patch that SUN puts out does not de-activate services running on the system and so cannot really fix these weaknesses. The recommended way of dealing with telnet and FTP is to replace them with SSH or a similar secure product and disable Telnet and FTP. In this example, NESSUS identified this as a security problem, and SUN did not address it in its Cluster Patch.

Further review shows that the same is true of several other items in the list shown in Figure 1.


Comparison of Scans

What are the differences between the before and after scans? The Cluster Patch produced the following changes:

Removed
Warning found on port ftp (21/tcp)
Warning found on port unknown (32773/udp)
Vulnerability found on port unknown (32772/udp)


Added
Warning found on port unknown (32772/udp)
Vulnerability found on port unknown (32773/udp)


The Cluster Patch removed a vulnerability on port 32772/udp and created a warning there.
The Cluster Patch removed a warning on port 32773/udp and created a vulnerability there.
The Cluster Patch removed a warning on ftp (21/tcp).


Nmap After

NESSUS used Nmap to scan for open ports on the target machine; however, we wanted to run our own Nmap scan and look at the results, since NESSUS only has Nmap scan ports 1-15000 by default, whereas a stand-alone Nmap scan covers the most common ports in use today and is not limited to the first 15000. The operating system was scanned after the cluster patch was applied to see what services were still running. The results can be seen in Figure 2. It’s important to note that just because a service is running and listening on a certain port, it doesn’t automatically become a vulnerability. However, the more services running on a single system, the more potential there is for a vulnerability to exist, whether through mis-configuration or a software bug.

port state service
7/tcp open echo
9/tcp open discard
13/tcp open daytime
19/tcp open chargen
21/tcp open ftp
23/tcp open telnet
25/tcp open smtp
37/tcp open time
79/tcp open finger
111/tcp open sunrpc
512/tcp open exec
513/tcp open login
514/tcp open shell
515/tcp open printer
540/tcp open uucp
587/tcp open submission
4045/tcp open lockd
6000/tcp open x11
6112/tcp open dtspc
7100/tcp open font-service
32771/tcp open sometimes-rpc5
32772/tcp open sometimes-rpc7
32773/tcp open sometimes-rpc9
32774/tcp open sometimes-rpc11
32775/tcp open sometimes-rpc13
32776/tcp open sometimes-rpc15
32777/tcp open sometimes-rpc17
32778/tcp open sometimes-rpc19

Fig 2: Nmap scan after
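The before/after comparison and the Nmap cross-check above can be reproduced mechanically. The following is an added example, not part of the original paper: it parses Nessus 1.x summary lines of the form shown in Fig 1, diffs the two scans, flags ports whose worst class got worse after patching (the 32773/udp warning-to-hole change), and lists ports that Nmap found open but that drew no Nessus finding at all. The sample report lines are constructed excerpts of this paper's own results, and the "port/proto" key format, the RANK table and all function names are this example's own choices.

```python
import re
from collections import Counter

# Constructed excerpts of this paper's Nessus "before"/"after" summaries and its
# Nmap "after" listing (a few lines each; the full reports are in the appendices).
NESSUS_BEFORE = """\
Warning found on port ftp (21/tcp)
Information found on port ftp (21/tcp)
Warning found on port unknown (32773/udp)
Vulnerability found on port unknown (32772/udp)
Warning found on port general/icmp
"""
NESSUS_AFTER = """\
Information found on port ftp (21/tcp)
Warning found on port unknown (32772/udp)
Vulnerability found on port unknown (32773/udp)
Warning found on port general/icmp
"""
NMAP_AFTER = """\
port state service
21/tcp open ftp
111/tcp open sunrpc
32773/tcp open sometimes-rpc9
"""

# Nessus 1.x report lines: "<kind> found on port <name> (<port>/<proto>)", or
# "<kind> found on port general/<proto>" for host-wide findings with no port.
FINDING_RE = re.compile(
    r"^(?P<kind>Vulnerability|Warning|Information) found on port "
    r"(?:\S+ \((?P<port>\d+)/(?P<proto>tcp|udp)\)|general/(?P<gen>tcp|udp|icmp))$")
# Deraison's three classes (Notepad 1), ranked so a worse class has a higher number.
SEVERITY = {"Vulnerability": "hole", "Warning": "warning", "Information": "note"}
RANK = {"hole": 2, "warning": 1, "note": 0}

def parse_nessus(text):
    """Counter of (severity, port, proto). A Counter keeps repeated findings on
    the same port (the two finger warnings in Fig 1) instead of collapsing them."""
    findings = Counter()
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:  # anything else (blank lines, descriptive text) is ignored
            port, proto = m.group("port") or "general", m.group("proto") or m.group("gen")
            findings[(SEVERITY[m.group("kind")], port, proto)] += 1
    return findings

def diff_findings(before, after):
    """(removed, added): Counter subtraction keeps only positive counts, so a
    finding present in both scans cancels out."""
    return before - after, after - before

def regressions(before, after):
    """Ports whose worst class got worse after patching, e.g. warning -> hole."""
    def worst(findings):
        w = {}
        for sev, port, proto in findings:
            key = f"{port}/{proto}"
            if RANK[sev] > RANK.get(w.get(key), -1):
                w[key] = sev
        return w
    b, a = worst(before), worst(after)
    return sorted((p, b[p], a[p]) for p in a if p in b and RANK[a[p]] > RANK[b[p]])

def parse_nmap(text):
    """Set of 'port/proto' strings that Nmap reported as open."""
    return {m.group(1) for line in text.splitlines()
            if (m := re.match(r"^(\d+/(?:tcp|udp))\s+open\s+\S+", line.strip()))}

def unassessed(open_ports, findings):
    """Open ports that drew no Nessus finding of any class: listening services the
    scanner said nothing about, which still need a manual look (32773/tcp is
    distinct from the 32773/udp finding)."""
    seen = {f"{port}/{proto}" for _, port, proto in findings}
    return sorted(open_ports - seen, key=lambda p: int(p.split("/")[0]))
```

Running regressions() over the full appendix reports reproduces the conclusion's point that 32773/udp went from a warning to a hole, and unassessed() over Fig 2 shows how many listening RPC and X11 ports the audit never commented on.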


Conclusion

Is applying the latest security patches and service packs enough to secure a Sun Solaris 8 server? As tests like this were performed against other operating systems, similar results were found. This example should prompt security administrators and server engineers to realize that neither vendor patches nor NESSUS scanning alone should make us feel that all the bases are covered. It should be a joint effort of vendor patches and assessment, and administrator training and education in security is the only way to ensure a more secure system.

It’s also important to point out that in this case the vendor patch actually broke a service, making it more vulnerable. Port 32773/UDP was a warning in NESSUS’ report, but after the cluster patch was applied it became a hole.

Looking at the results found in this study, one could understand why hackers/attackers are successful in attacking systems around the world. There are many services that are installed by default and are just not secure, leaving the real work of securing the Operating System up to the administrator. So be warned, if you’re the type of administrator who believes that simply applying the latest patches and service packs is sufficient, think again!

This study was put together using tools readily available for free download on the internet. Research was completed to determine which OS would best represent a corporate environment. Determining which tools would provide the most value to the end result was also researched on the internet using sites like Google[12] and Security Focus[13]. And finally, I would like to thank Renaud Deraison, who graciously responded via email to help clarify and assist in better understanding this analysis.


Further Reference

This study demonstrated that simply applying the latest cluster patch was not enough, so what else could be done to better protect our systems? There are several sites and books that could help you achieve above and beyond what we covered here in a Solaris environment. Some good references are:

SANS – SANS offers great information on securing UNIX as well as most other operating systems in use today. Check out their reading room as well.

Solaris 8 Security – a book by Edgar Danielyan that covers in-depth techniques for securing the Solaris 8 OS.

Solaris Security – written by Peter Gregory, an excellent book covering how to secure your system depending on the role it will play in your organization.

The SUN web site – The SUN website has a whole section dedicated to Security and can be found at http://www.sun.com/security/index.html

On the technical side, SUN distributes a product called the Solaris Security Toolkit[14]. This toolkit is also known as the Jumpstart Architecture and Security Scripts (JASS) Toolkit; it was developed by members of the Enterprise Engineering and Professional Services teams and is free to download. Its primary function is to provide a method for Sun Administrators to quickly and easily secure their systems. JASS was applied to the same system used in the OS scan test above and proved effective at shutting down services.

JASS is distributed with several self-contained scripts designed to shut down all services except those the system needs to fulfill its function. For testing purposes, secure.driver was run; it is meant to shut down services like FTP, TELNET and rlogin by running all the hardening scripts contained in JASS. It proved effective and worked as described, eliminating services that are weak from a security standpoint but also removing functionality.


References

“What is security to SWG?” 1 March 2002. URL: http://www.swg.uklinux.net/cgi-bin/ultimatebb.cgi?ubb=get_topic&f=20&t=000002

Deraison, Renaud. “NESSUS”. URL: http://www.nessus.org/

Fyodor. “NMAP”. URL: http://www.insecure.org/

“Enterasys Networks”. URL: http://www.enterasys.com/

“Common Vulnerabilities and Exposures”. URL: http://www.cve.mitre.org/

“Microsoft”. URL: http://www.microsoft.com/

“Redhat Linux”. URL: http://www.redhat.com

“Sun Microsystems”. URL: http://www.sun.com

“Information Security magazine”. URL: http://www.infosecuritymag.com/

“Security Focus”. URL: http://www.securityfocus.com/

“Google”. URL: http://www.google.com/

“SANS”. URL: http://www.sans.org

Danielyan, Edgar. Solaris 8 Security. New Riders Publishing, 2001.

Gregory, Peter H. Solaris Security. Sun Microsystems Press, 2000.


APPENDIX A: Nessus Before Output

Solaris 8 Default Install, no patches or configuration

Nessus Scan ReportA.txt

------------------


APPENDIX B: Nessus After Output

Solaris 8 scan after the latest cluster patch

Nessus Scan ReportB.txt

------------------


[1] http://www.securitywriters.org

[2] http://www.enterasys.com

[3] http://www.enterasys.com/ids/server/vct.html

[4] http://www.infosecuritymag.com/awards2002/winners.html

[5] http://www.cve.mitre.org

[6] http://www.cve.mitre.org/about/terminology.html

[7] http://www.microsoft.com

[8] http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/columns/security/vulnrbl.asp

[9] http://www.sun.com/smi/Press/sunflash/2002-02/sunflash.20020212.4.html

[10] http://www.redhat.com

[11] http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access

[12] http://www.google.com/

[13] http://www.securityfocus.com/

[14] http://www.sun.com/software/security/jass/#download
