Network and Credentialed Nessus Checks for MS08-067
Yesterday, Microsoft released an out of band security patch (dubbed MS08-067) which fixes an overflow in the ‘server’ RPC service.
Tenable’s Research group has released two Nessus plugins to detect Windows systems that are vulnerable to this vulnerability, which allows almost any Windows 2000, XP and 2003 system to be easily compromised without any credentials. Plugin #34477 named “Vulnerability in Server Service Could Allow Remote Code Execution (958644) – Network Check” identifies Windows systems that are vulnerable to this issue. It verifies the vulnerability by connecting to Windows systems on port 445 or port 139 and reliably and non-destructively performs a check for it. This plugin has the advantage of being fast and not requiring credentials. This plugin is distributed as part of the generic Windows plugin family.
Plugin #34476 named “Vulnerability in Server Service Could Allow Remote Code Execution (958644)” performs a credentialed patch audit for the same vulnerability. This plugin performs file level analysis to ensure that the right system DLLs have been patched. This technique is more accurate than relying on registry checks alone and can also identify system that have been patched, but perhaps are waiting on a system reboot for them to truly be effective. This plugin is distributed as part of the Windows : Microsoft Bulletins family.
Monitoring Your Networks
This particular vulnerability can be reliably exploited. If you have any Windows computers that have direct access to the Internet (without any firewall), they will likely be subject to attacks from worms and botnets. You should use network and host based firewalls to limit traffic to these ports. If you are unsure of which ports you are open to on your network, you should consider performing remote network vulnerability scans with Nessus or monitor your network traffic in real time with a product like the Passive Vulnerability Scanner.
Internally, your networks can be audited with Nessus. If you have a large number of servers to audit, you can also make use of the Tenable Security Center to schedule your scans, analyze the results and share them securely across your various IT organizations. A key feature of the Security Center is the ability to efficiently combine one time scans with ongoing scans as well as credentialed patch audits, regular network scans and real-time results from the Passive Vulnerability Scanner. This allows any size organization to understand when a host was first added, when it was first found vulnerable and when it was remediated with high accuracy and flexibility.
Lastly, since this vulnerability will be likely targeted by malicious users, you should consider your organization’s overall technical ability to detect compromises and react to them. Existing Nessus checks that we’ve recently blogged about such as the ability to detect executables, fake services, Windows systems that have had their HOSTS file modified and even enumeration of each running network service, can all contribute to effective monitoring for compromised systems. If you do run a SIM or NBAD solution such as Tenable’s Log Correlation Engine, I would also recommend review of concepts such as monitoring your network for systems that have connected to known “bad guy” blacklisted IP addresses, finding out which systems on your network have begun sending spam email and finding out when you have systems that suddenly become very communicative with other hosts.
Plugin Usage
To obtain Nessus plugins 34477 and 34476, Nessus ProfessionalFeed and Nessus HomeFeed users should manually update their plugins. Security Center users who wish to perform a scan immediately should choose the “Request Plugin Update” tool under their “Polices” menu.
If you are using Nessus alongside a different patch auditing or network scanning technology, keep in mind that since Nessus has two checks for this, you will get different results in different situations. For example, an agent-based patch auditing tool will be able to identify the vulnerability on a host that is firewalled from a remote Nessus scan. Similarly, Nessus will likely identify this security issue over the network while another scanner that is only performing local patch audits will not. And lastly, if your other scanner or patch auditing tool is only performing registry checks, Nessus will identify this issue much more accurately because of its use of file analysis to verify patch deployments.
For More Information
The following Tenable blog entries are very informative for auditing your network for compromised hosts and general malicious and suspicious activities:
Use Nessus and the Security Center to find out which processes are listening on the remote ports :
Use Nessus and Security Center to detect Windows hosts which have been compromised :
- Detecting Microsoft Executables Being Served by an Unknown Service with Nessus
- Boss, I Think Half of our FTP servers are Fake!
- Detecting Compromised Windows Hosts
Use the Log Correlation Engine and Passive Vulnerability Scanner to detect network anomalies :