Project Start Date: January 6, 2002

Project Last Update: November 4, 2002

Charles Hornat

The Study on the Vulnerabilities of Operating Systems

Overview:

Which operating systems have more vulnerabilities out of the box?  Are they more secure after the latest patches?  Do the latest patches add vulnerabilities?  We wanted to see how much the OS patches that vendors release really help, and which OS is more secure "out of the box".  So we picked several of the more popular operating systems and put them to the test.  In this study, the latest versions of NESSUS and NMAP were used to scan each operating system installed with default options and no additional patches or configuration.  We then scanned them again with the latest Service Packs and Cluster Patches applied and compared the two scans, to learn what security means to the vendors of the operating systems and to the security scanners we use today.

What is NESSUS?

Nessus is a software package that performs security scanning of operating systems (OS) and networks.  It is a free product and is very popular in the security industry.  Many security professionals use it today to scan their systems for common vulnerabilities, and companies like Enterasys are incorporating Nessus scanning into their intrusion detection products, such as Dragon and Squire.

Nessus allows you to save the information it has discovered in several formats, including XML, HTML and plain text.  We provide the HTML format, with a short paragraph at the beginning of each scan to introduce it.  At the beginning of the scan results you will see references to three categories: Security Holes, Security Notes and Security Warnings.  We could not find a definition of any of these in the man pages or on the Nessus site, so we emailed Renaud Deraison, one of the developers of NESSUS, and asked for his definitions of the three.  He responded with:

Basically, Security Notes are just "nits". It's information that may be
valuable in itself (ie: the name of the remote operating system, and so
on), but it does not make the host more prone to be victim of an attack.

Security warnings are advice we recommend you to follow, or a bug waiting
to be exploited in conjunction with another vulnerability. A service
that is historically known to be buggy is likely to get such a warning,
even if the tested release was considered as bug free. A service which
operates in clear text may also get a warning and so on. In one word,
I'd call them "disasters waiting to happen". Meaning that they're not
fatal now, but they might be some day.

Security holes mean that a cracker can get instant access on your box
(either read any file or walk thru the filesystem or even have a shell
prompt).

Nessus offers a great deal of functionality, some of which consists of:

*      Up-to-date security vulnerability database - We mostly focus on the development of security checks for recent security holes. Our security checks database is updated on a daily basis, and all the newest security checks are available here and on our FTP servers and mirrors.

*      NASL - The Nessus Security Scanner includes NASL (Nessus Attack Scripting Language), a language designed to write security tests easily and quickly. (Security checks can also be written in C.)

*      Smart Service Recognition - Nessus does not believe that the target hosts will respect the IANA assigned port numbers. This means that it will recognize an FTP server running on a non-standard port (31337, say), or a web server running on port 8080.

*      Cracker Behavior - Nessus does not believe that version x.y.z of a given software is immune to a security problem. 95% of the security checks will actually perform their job - they'll try to overflow your buffers, relay some mails, and even crash your computer!

The above information and additional information on Nessus can be found at www.nessus.org.

What is NMAP?

NMAP is a port scanner and OS detection tool.  NMAP was written by a hacker known as Fyodor.  Over the years, with input from other hackers and security experts, he has written and developed this tool, which is used by both security administrators and hackers/crackers.  Nmap offers some of the following:

*      Flexible: Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP & UDP), OS detection, ping sweeps, and more.

*      Easy: While Nmap offers a rich set of advanced features for power users, you can start out as simply as "nmap -O -sS targethost". Both traditional command line and graphical (GUI) versions are available to suit your preference. Binaries are available for those who do not wish to compile Nmap from source.

*      Free: The primary goal of the Nmap Project is to help make the Internet a little more secure and to provide administrators/auditors/hackers with an advanced tool for exploring their networks. Nmap is available for free download, and also comes with full source code that you may modify and redistribute under the terms of the GNU General Public License (GPL).

The above information and additional information can be found at www.insecure.org.

What are Vulnerabilities?

Microsoft (www.microsoft.com) defines a vulnerability as:

A security vulnerability is a flaw in a product that makes it infeasible – even when using the product properly – to prevent an attacker from usurping privileges on the user's system, regulating its operation, compromising data on it, or assuming un-granted trust.

http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/columns/security/vulnrbl.asp

Common Vulnerabilities and Exposures (http://www.cve.mitre.org/) defines the word vulnerability as:

A universal vulnerability is a state in a computing system (or set of systems) which either

*      allows an attacker to execute commands as another user

*      allows an attacker to access data that is contrary to the specified access restrictions for that data

*      allows an attacker to pose as another entity

*      allows an attacker to conduct a denial of service

What is a default Install?

A default install as used for this report is defined as an installation of an OS without changing, adding, or subtracting from the installation menus.  In other words, just clicking ‘Next’ as the install asks.

The Procedure

For our test, we used RedHat 7.2 on a Compaq Deskpro 233MMX machine, on which we installed Nessus 1.0.9 and Nmap 2.54BETA22.  This scanning machine was connected via a hub to each target machine in turn.

For the Nessus scan, we chose the option "Enable all but dangerous plugins".  This option scans the system for the known vulnerabilities in its database but skips the checks that "may harm the remote host by disabling the attacked service or by crashing the host."  The scan was run and the Nessus results were saved as HTML with charts.

NESSUS uses NMAP to perform its default port scan, and that is what is displayed with the NESSUS results.  However, on some of the targets we also performed an NMAP scan of our own just to confirm those results.  For the additional scan we used the following command:

nmap -v -sS target > (machine name)

This command tells Nmap to perform a vanilla SYN scan and be verbose about it.  The output was redirected to a file named after the target machine.
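As an added example that is not part of the original study, the following script compares two of the saved nmap output files for the same target, one from the default install and one after patching, and reports which open ports the patch closed and which it opened. The two nmap listings embedded below are constructed in the text format of nmap 2.54BETA for illustration; they are not the study's real results.

```python
import re

# One line of the nmap port table, e.g. "139/tcp    open        netbios-ssn".
# The -v chatter ("Adding TCP port 139 (state open).") does not match this
# shape and is therefore ignored.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap(text):
    """Return {(port, proto): (state, service)} from saved `nmap -v -sS` output."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports[(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4))
    return ports


def open_ports(scan):
    """The set of (port, proto) pairs a parsed scan reports as open."""
    return {key for key, (state, _) in scan.items() if state == "open"}


def diff_scans(default, patched):
    """Compare the default-install scan with the post-patch scan of one host.

    Returns (closed_by_patch, opened_by_patch) as sorted lists; a patch that
    opens a port is exactly the kind of change this study is looking for.
    """
    before, after = open_ports(default), open_ports(patched)
    return sorted(before - after), sorted(after - before)


# Constructed sample files (not real study results), in nmap 2.54BETA format.
DEFAULT_SCAN = """\
Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Adding TCP port 21 (state open).
Interesting ports on  (192.0.2.10):
(The 1550 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
25/tcp     open        smtp
80/tcp     open        http
139/tcp    open        netbios-ssn

Nmap run completed -- 1 IP address (1 host up) scanned in 4 seconds
"""

PATCHED_SCAN = """\
Interesting ports on  (192.0.2.10):
Port       State       Service
25/tcp     open        smtp
80/tcp     open        http
139/tcp    open        netbios-ssn
3389/tcp   open        ms-term-serv
"""

if __name__ == "__main__":
    closed, opened = diff_scans(parse_nmap(DEFAULT_SCAN), parse_nmap(PATCHED_SCAN))
    print("closed by patch:", closed, "opened by patch:", opened)
```

To use it on the study's own files, read each "(machine name)" file into a string and pass the pair to diff_scans().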

Test Platforms

We chose the operating systems that we felt were being used by most of our readers, based in part on the results of a reader poll at the Security Writers Guild (www.securitywriters.org).

Operating Systems to be Scanned and tested:

Results

Each entry names the saved scan report for that configuration.

Operating System                   | Default Install             | Patch                        | Patch                      | Other                      | Other
-----------------------------------+-----------------------------+------------------------------+----------------------------+----------------------------+----------------------
Sun Solaris 6                      | Default Results             | After Cluster Patch          |                            |                            |
Sun Solaris 8                      | Default Results             | After Cluster Patch          |                            |                            |
Windows ME                         | Default Results             | Latest patches thru 3/10/02  |                            |                            |
Windows 2000 Server (August 2002)  | Default Results / NMAP Scan | Service Pack 1 / NMAP Scan   | Service Pack 2 / NMAP Scan | Service Pack 3 / NMAP Scan | Latest Security Patch
Windows XP (updated)               | Default Results             | Service Pack 1               |                            | Firewall Enabled           |
Redhat 7.2                         | Default Results             |                              |                            |                            |
Windows NT 4 Server                | Default Results             | After SP 6a                  |                            |                            |
Solaris 9                          | Default Results             |                              |                            |                            |
Redhat 8                           | Default Results             |                              |                            |                            |

(Note: additional Operating Systems may be added based on demand)