This blog is intended for people who have had an external Penetration Test or Vulnerability Scan done and found vulnerabilities on some of their open ports. It is a quick step-through of where those vulnerabilities come from and how to potentially remediate, or risk accept, the different scenarios.
“CVE Vulnerabilities found” in your Penetration Test / Vulnerability Scan: what does this mean?
So for reference we have a couple of our other blogs which may be of interest:
Understand a bit more about CVE Vulnerabilities and Mitre in general.
Existing article on “What to do if you have ports open” which is the precursor to having vulnerabilities.
Below is a step-through of where CVEs come from and how you should deal with these vulnerabilities.
Getting the Vulnerability from the scan in the first place (the science)
Once your IP addresses have been found to have “ports open”, probing then happens to discover what is running behind each port (i.e. which particular piece of software or service is terminating the open port). This process is called “fingerprinting”, and once the fingerprinting is complete the results are run against the global CVE databases to work out whether there are any known vulnerabilities.
It is as simple as that really: a process is run to try and “infer” what software is running on that particular port. Something like this will be returned: “Application Name”, “Vendor Name” and “Version Number”. That is then literally looked up as a search query against the global vulnerability database to see whether that particular piece of software has any known vulnerabilities logged against it. Simples (this is actually half of Cyber Security).
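To make the fingerprint-then-lookup step concrete, here is an added example (not from the original post, and not RoboShadow code) that parses a service banner into product and version and matches it against a small, entirely constructed vulnerability feed. The product names, version boundaries and the CVE-0000-* identifiers are placeholders; the one real detail it shows is that version matching has to be numeric, since a string comparison would rank 2.4.10 below 2.4.9 and miss the vulnerable build.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed, hypothetical vulnerability records standing in for a CVE feed lookup.
# The product names, version boundaries and CVE-0000-* ids are placeholders, not
# real entries from the Mitre database.
FAKE_CVE_FEED = [
    {"id": "CVE-0000-0001", "product": "examplehttpd", "fixed_in": "2.4.10", "severity": "HIGH"},
    {"id": "CVE-0000-0002", "product": "examplehttpd", "fixed_in": "2.3.0", "severity": "CRITICAL"},
    {"id": "CVE-0000-0003", "product": "demossh", "fixed_in": "8.2", "severity": "MEDIUM"},
]

# Accepts "Product/1.2.3", "Product_1.2.3" or "Product 1.2.3"; trailing text like "(Unix)" is ignored.
BANNER_RE = re.compile(r"^(?P<product>[A-Za-z][\w.-]*?)[/_ ](?P<version>\d+(?:\.\d+)*)")
SSH_PREFIX_RE = re.compile(r"^SSH-\d\.\d-")  # RFC 4253 banner: SSH-protoversion-softwareversion

@dataclass
class Fingerprint:
    product: str
    version: str

def fingerprint(banner: str) -> Optional[Fingerprint]:
    """Infer (product, version) from a service banner, e.g. 'ExampleHTTPd/2.4.9 (Unix)'."""
    m = BANNER_RE.match(SSH_PREFIX_RE.sub("", banner.strip()))
    if not m:
        return None  # nothing to look up: a scanner could only report "port open"
    return Fingerprint(m.group("product").lower(), m.group("version"))

def version_tuple(v: str) -> Tuple[int, ...]:
    """Compare numerically so that 2.4.10 > 2.4.9; plain string comparison gets this wrong."""
    return tuple(int(p) for p in v.split("."))

def lookup(fp: Fingerprint, feed=FAKE_CVE_FEED) -> List[str]:
    """Ids of feed entries for this product whose fix version is newer than the one found."""
    ours = version_tuple(fp.version)
    return [e["id"] for e in feed
            if e["product"] == fp.product and ours < version_tuple(e["fixed_in"])]

def scan_banner(banner: str) -> List[str]:
    """The whole pipeline from the post: banner -> fingerprint -> CVE lookup."""
    fp = fingerprint(banner)
    return lookup(fp) if fp else []

if __name__ == "__main__":
    for b in ["ExampleHTTPd/2.4.9 (Unix)", "ExampleHTTPd/2.4.10", "SSH-2.0-DemoSSH_8.1p2", "220 mail ready"]:
        print(f"{b!r:32} -> {scan_banner(b)}")
```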
The CVE Vulnerability Database in general
We go into a bit more detail around CVEs in our “RoboShadow AI CVE early warning system” blog; in short, the CVE database is looked after by a government organisation called “Mitre” in the USA, which collects input from all of the different cyber agencies around the world.
Effectively this is the main golden source of global vulnerabilities, and the “Mitre CVE” database has been going since the early 2000s. CVE is a fundamental part of all the major Cyber Security platforms (Nessus, Amazon Inspector and Azure Security Centre, to name a few), all of which have the CVE lookup as a core part of their offering.
Can I patch the problem?
This is the most common outcome of resolving a CVE vulnerability, as it means the CVE can simply be patched by applying the latest software update from the vendor. In fact a lot of software vendors will already have released the patch for the issue by the time they disclose the vulnerability to Mitre themselves.
What if I can’t patch the problem?
So this is a bit more tricky: there is a known vulnerability on some infrastructure you own, but it can’t be patched for some reason.
Usually the reason is that the particular infrastructure can’t be upgraded in the conventional sense, either because there is no known patch to fix the CVE or simply because you can’t upgrade the infrastructure for fear of breaking the software running on it. If this is the case then there are some things you can do:
- Ring fence the infrastructure – Find ways to lock down ports and parts of the infrastructure so that you massively limit the impact attackers can have if they do get in.
- Assess the criticality – If the platform holds everyone’s bank details then you need to be worried; however, if the platform holds publicly accessible data anyway then you can worry less and feel less burdened about this non-conformance.
- Ensure an image-level backup – Any system that is less secure can be taken offline or “ransom” owned, so ensuring a safe image backup is a must when you have vulnerable kit.
- Put firewall / WAF tech in front of the resource – You can ring fence the particular piece of kit by putting proxy or WAF tech in front of it to make it less prone to remote attack.
There is also a technique whereby you can disguise a device from being fingerprinted. This doesn’t actually solve the problem, but it will give you some “security by obscurity”. It’s fairly easy to go into the config of the vulnerable tech and stop the banners and HTTP headers which allow it to be fingerprinted by the world’s scanning tools. A quick Google search for most platforms should find a way of disguising vulnerable tech from the world.
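A quick way to check whether that banner-suppression config actually took effect is to look at what your own server hands back. The following added example (not from the original post, and not RoboShadow code) parses a raw HTTP response head and flags the headers that still carry a version number; the two sample responses are constructed, with made-up product names and versions.

```python
import re
from typing import Dict, List, Tuple

# Response headers that commonly carry product/version strings fingerprinting tools key on.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
VERSION_RE = re.compile(r"\d+\.\d+")  # a dotted number is exactly what a CVE lookup needs

def parse_head(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP status line plus headers into a lower-cased header dict."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def disclosures(raw: str) -> List[Tuple[str, str]]:
    """(header, value) pairs that hand a scanner a version number to look up against CVE."""
    hdrs = parse_head(raw)
    return [(h, hdrs[h]) for h in DISCLOSING_HEADERS if h in hdrs and VERSION_RE.search(hdrs[h])]

# Constructed sample response before hardening; product names and versions are made up.
BEFORE = """HTTP/1.1 200 OK
Server: ExampleHTTPd/2.4.9 (Unix)
X-Powered-By: DemoPHP/7.2.1
Content-Type: text/html
"""

# The same constructed server after the banner settings are turned down to the product name only.
AFTER = """HTTP/1.1 200 OK
Server: ExampleHTTPd
Content-Type: text/html
"""

if __name__ == "__main__":
    print("before:", disclosures(BEFORE))  # version strings still visible
    print("after: ", disclosures(AFTER))   # nothing left to fingerprint on
```

An empty result only confirms the banner is hidden; as the post says, the vulnerability itself is still there until the platform is patched or upgraded.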
It’s always worth noting that in Cyber Governance processes you are always aiming for the next budget round. So as long as you have the current vulnerable platform earmarked for a future upgrade (and therefore the resolution of that particular vulnerability planned), this is widely accepted, because there is a remediation plan in place. What is not usually excusable is being ignorant of the issues in the first place.
In general people get excited about the need for a full “human”-led penetration test; however, we think the fundamental part of any good security exercise is to at least nail down the basics and ensure that your environment has no vulnerabilities that can be externally exploited.
This can be on external IP addresses facing the raw internet, or it could be CVE vulnerabilities on desktop machines which allow remote access trojans to execute, compromising your team’s devices. Either way, reconciling your whole environment against the global CVE databases should be your first port of call in Cyber Defence.
You have to remember that your external IP addresses probably already exist in the Shodan database, and therefore as soon as you have some tech online (which becomes vulnerable) there is a good chance the bad guys will get to you “programmatically” by using an API within the Shodan platform.
At the same time, many of the phishing exercises sent out are trying to get remote access code to run on your machines. We think we are safe with MFA to protect against our credentials being “phished”, but we often forget that vulnerable desktops can give hackers remote access if you click on the wrong link and have vulnerabilities in your devices waiting to be exploited.
As always feel free to contact us if you have any questions.
About the Author: Terry Lewis, a 25-year Tech Entrepreneur and Technology Blogger.
“I’m lucky to have worked in technology all over the world for large multi-national organisations; in recent years I have built technology brands and developed products to help make technology that bit easier for people to grasp and manage. By day I run tech businesses, by night (as soon as the kids have gone to bed) I write code and I love building Cyber Security technology.