Tenable Blog

When Denial of Service Become Remote Code Execution

When vulnerabilities are discovered, they are classified by various organizations using different methods. For example, CVSS scoring uses an algorithm to determine a severity rating from 1 to 10. This rating has been adopted by the NVD (National Vulnerabilities Database) and is used by Tenable to provide scores within the Nessus plugins. Sometimes a vulnerability is announced and its original rating is set as moderate or low. This is frequently the case with Denial Of Service (DoS) vulnerabilities as they allow an attacker to disrupt services but not gain remote access to the system. However, sometimes an advisory describes a vulnerability that seems to only cause DoS conditions, but is really an indicator of a condition that may permit remote code execution. This discrepancy typically occurs because the researcher does not fully understand or does not diagnose the underlying problem.

A Nessus user recently asked us the following question:

"I would like to have Nessus read Nmap scan results from the command line. I already have Nmap portscanning and operating system fingerprinting, can I import the Nmap findings using Nessus in batch mode?"

Tenable has supported Nmap usage within Nessus for several years. Nmap and Nessus have different types of scanning philosophies and understanding how they work can help you achieve success with your network scanning efforts. The Nessus server includes its own portscanning, service fingerprinting and operating system identification techniques that are similar but independent from Nmap’s. However, you may run into a situation where Nmap was run first and you already have the output from this tool and want to apply the results to your vulnerability scan. I set out to do this in my lab and realized this would be a good opportunity to highlight some of the features in Nessus. Below is a step-by-step guide on configuring Nessus to run batch mode scans based on Nmap results:

The story:

Spies Penetrate Pentagon's Joint Fighter-Jet Project (April 21, 2009)
Cyber spies have stolen tens of terabytes of design data on the US's most expensive costliest weapons system -- the $300 billion Joint Strike Fighter project. Similar breaches have been found in the Air Force's Air Traffic Control System. The attacks began as far back as 2007 and continued into 2008. The spies encrypted the data that they stole, making it difficult for investigators to know exactly what data was taken. The fact that fighter data was lost to cyber spies was first disclosed by U.S. counterintelligence chief Joel Brenner. Brenner also expressed concern about spies taking control of air traffic control systems, saying there could come a time when "a fighter pilot can not trust his radar."
http://online.wsj.com/article/SB124027491029837401.html

I've touched before on the topic of data leakage and national security; now it seems that the national security establishment is banging the same drum, albeit louder than I ever could. Such an embarrassing "slip" would normally be deeply buried - the fact that it's being outed by the  "U.S. Counterintelligence Chief" ought to tell you something: this is part and parcel of the government's new "yellow terror" cybersecurity red scare. I don't know about you, but I'm on the fence about this - part of me wants to be happy that cybersecurity is being taken seriously, whereas the other part of me remembers the disastrous Department of Homeland Security and War On Terror. I detect a distressing pattern of our government saying "be afraid, be very afraid. and, oh, yeah, pull out your wallet."

Stacking Up to CIS Benchmarks

The Center for Internet Security (CIS) establishes consensus benchmarks for a large variety of applications and operating systems. These benchmarks are a valuable aid to evaluate the security of your systems. Tenable has produced a number of Nessus audit files that have been certified by the Center for Internet Security to perform audits against the CIS standards. These audit files are available to ProfessionalFeed and Security Center customers through the the Tenable Support Portal.
To use these audit files, you will need to provide Nessus with credentials to login to the target host to compare the configuration against the CIS standards. Scans that use login credentials run much faster than network-based scans and the results often provide more detailed vulnerability
findings and information on configuration issues.

PCI-DSS Scanning

The effectiveness of the Payment Card Industry (PCI) standards to secure systems responsible for credit card transaction processing is a question of debate among information security professionals. Regardless of the hype or negativity surrounding PCI, it remains a requirement for many organizations to follow. Nessus has built-in PCI-DSS compliance checks that compare scan results with the PCI standards and produce a report on your compliance posture. It is very important to note that a successful compliance scan does not guarantee compliance or a secure infrastructure. Compliance scanning is just one tool to be used as part of a comprehensive program that includes the appropriate policies and procedures to ensure that assets are appropriately protected.