Ron Gula

We often hear about vulnerabilities in client software, such as web browsers and email applications, that can be exploited by malicious content. The repeated stories about botnets, infected web sites, and viruses which infect us with malicious documents, movies, and other content have ingrained the concept of an exploitable client in our minds. Unfortunately, client software can also be targeted with attacks from compromised servers accessed by the clients, and some client software actually listens for connections. In this blog entry, we will discuss auditing client software for vulnerabilities and describe the three different types of client-side exploits and how they can impact the risk of your network.

With Nessus 5, the results from a single vulnerability scan can be filtered to show which hosts have ancient vulnerabilities, which hosts aren’t being managed, and also which hosts have been exploitable for long periods of time. This blog entry discusses the new Nessus 5 filters, how they can be used to track high-risk vulnerabilities, and how enterprise users of Tenable SecurityCenter can leverage these filters for dashboards and asset-based reporting.

Note -- this blog was updated on Feb 2, 2012 to highlight detection of the Symantec advisory SYM12-002 as well as new additional Nessus local checks to audit pcAnywhere installations. With the recent news from Symantec that their source code theft has left pcAnywhere open to attack, it makes sense to audit your network for instances of this desktop sharing software.  Nessus has many checks that identify the presence of pcAnywhere, the type of network access supported by it, and some vulnerabilties in the application. A current list is shown below for reference: 10006   Symantec pcAnywhere Status Service Detection (UDP) 10794   Symantec pcAnywhere Detection (TCP)                10798   Symantec pcAnywhere Service Unrestricted Access        20743   Symantec pcAnywhere Launch with Windows Caller Properties Local Privilege Escalation 32133   Symantec pcAnywhere Access Server Detection Service 35976   Symantec pcAnywhere CHF File Pathname Format String Denial of Service 57795   Symantec pcAnywhere Installed (local check) 57796   Symantec pcAnywhere Multiple Vulnerabilitities (SYM12-002)

Tenable’s Passive Vulnerability Scanner (PVS) performs protocol analysis on network traffic to discover vulnerabilities and log the sessions that have occurred. Unlike network forensic systems which log the actual packets and session content, the PVS creates a single syslog message for each identified network session. These logs are ideal for consumption by a SIEM or log analysis tool such as Tenable’s Log Correlation Engine. This blog entry describes what types of applications are logged and how they can be used for alerting and analysis.

As a vendor, Tenable has to demonstrate compliance in many different types of categories. The Payment Card Industry, the Center for Internet Security and US government's FDCC program all have certification standards and procedures for vendors like Tenable. Since Tenable is certified in most of these these categories (we're in the process of becoming an ASV), I though it would be interesting for our blog readers to share some of our insights into the differences and misconceptions between them.