SUN vs. NESSUS

March 5, 2002

(Still being edited)

Introduction

Security can have different meanings to different people.  In this paper, we will study the different interpretations that SUN Solaris 8 and NESSUS have.  This will be done by scanning the SUN Solaris 8 operating system before and after applying a SUN Cluster Patch.  We will discuss the before and after scans performed on the system, and you will also see the results as generated by the tool NESSUS and be able to compare and analyze the data yourself.

The Meaning of Security

“Security can have different meanings to different people.”  This is a simple statement that many people will agree with.  In a recent online poll at the Security Writers Guild[1], someone asked the question: What is security?  The responses posted were numerous and covered many different aspects of security.  Some of the responses included:

“Security to me is the balancing act between keeping the users data safe and secure from unwanted change or viewing and keeping the system as easy to use as possible.”

“Security, in the sense that it's used here, is every angle of security. As most hacking sites are. Securing systems, breaking into systems, figuring out how systems work. All of it.”

“ISO17799 describes something similar, but broader in scope, which is being adopted by many companies worldwide.

  1. Information Security Policy
  2. Security Organization
  3. Asset Classification & Control
  4. Personnel Security
  5. Physical & Environment Security
  6. Access Control
  7. Communications & Operations Security
  8. Systems Development and Maintenance
  9. Business Continuity Planning
  10. Audit and Compliance”

To take this a step further, we wanted to see what security meant to operating system developers, hackers, and security scanners.  The idea was to focus on an operating system vendor (SUN) and a security scanning tool (NESSUS) and see whether they viewed security the same way.  While this particular study focused on exploits of a common operating system, it would serve as a basis for determining whether companies define the same threats as security threats.

What is NESSUS?

NESSUS is a software package that performs security scanning of operating systems and networks.  This product is free and is very popular in the security industry.  Many security professionals use it today to scan their systems for common vulnerabilities, and companies such as Enterasys[2] are incorporating NESSUS scanning into their intrusion detection products like Dragon and Squire.  NESSUS offers much functionality, including:

*      Up-to-date security vulnerability database - NESSUS mostly focuses on the development of security checks for recent security holes. Its security checks database is updated on a daily basis, so the newest security checks are always available.

*      NASL - The NESSUS Security Scanner includes NASL (NESSUS Attack Scripting Language), a language designed to write security tests easily and quickly (security checks can also be written in C).

*      Smart service recognition - NESSUS does not believe that the target hosts will respect the IANA assigned port numbers. This means that it will recognize an FTP server running on a non-standard port (31337, say), or a web server running on port 8080.

*      Cracker behavior - NESSUS does not believe that version x.y.z of a given piece of software is immune to a security problem. 95% of the security checks will actually perform their job: they'll try to overflow your buffers, relay some mail, and even crash your computer!

More information on NESSUS can be found and downloaded at www.NESSUS.org.

What is NMAP?

NMAP is a port scanner and OS detection tool.  NMAP was written by a hacker known as FYODOR.  Over the years, with input from other hackers and security experts, he has developed this tool, which is used by both security administrators and hackers/crackers.  Nmap offers the following:

*      Flexible: Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP & UDP), OS detection, ping sweeps, and more.

*      Easy: While Nmap offers a rich set of advanced features for power users, you can start out as simply as "nmap -O -sS targethost". Both traditional command line and graphical (GUI) versions are available to suit your preference. Binaries are available for those who do not wish to compile Nmap from source.

*      Free: The primary goals of the Nmap Project are to help make the Internet a little more secure and to provide administrators/auditors/hackers with an advanced tool for exploring their networks. Nmap is available for free download, and also comes with full source code that you may modify and redistribute under the terms of the GNU General Public License (GPL).

The above information was taken from the FAQ at www.insecure.org and the program NMAP can be downloaded there as well.

What are Vulnerabilities?

Common Vulnerabilities and Exposures[3] defines the word vulnerability as:

A universal vulnerability is a state in a computing system (or set of systems) which either

*      allows an attacker to execute commands as another user

*      allows an attacker to access data that is contrary to the specified access restrictions for that data

*      allows an attacker to pose as another entity

*      allows an attacker to conduct a denial of service

Microsoft[4] defines a vulnerability as: A security vulnerability is a flaw in a product that makes it infeasible – even when using the product properly – to prevent an attacker from usurping privileges on the user's system, regulating its operation, compromising data on it, or assuming un-granted trust.[5]

The Target

Our target operating system for this paper was SUN Solaris 8.  This operating system is used by many companies around the world, varying in size and purpose.  A recent study by Dataquest announced that SUN held 55% of the market share of RISC/UNIX servers.  The SUN operating system therefore represents a great number of installations on which many applications, databases and web sites are deployed today.  Solaris is developed by SUN Microsystems for two types of hardware platform: Intel and Sparc.  Sparc is the platform we chose for this experiment.  We performed a default install of Solaris 8 on a Sparc Ultra 10 and ran our tests against it.

The attacker

The attacking machine, or “War Machine”, was a Dell Pentium 3 with Redhat 7.2[6] installed.  No additional patches were applied to the Redhat installation.  In this study, Nmap version 2.54BETA 22 and NESSUS 1.0.9 were used to scan the target machine.  These two were picked for their popularity in the security community, their performance, and their acceptance among security professionals.  Nmap allowed us to view the ports that were listening on the target machine and identify the services behind them.  NESSUS was used to scan for vulnerabilities in those services and in the operating system itself.

What is a Cluster Patch?

A cluster patch is a special patch that Sun offers on their web site.  It is a comprehensive patch consisting “of Operating System patches deemed to be of a universal interest or related to security.”[7]  To take it a step further, let’s view the README for the specific cluster patch we will install.

NAME: Solaris 8 x86_Recommended Patch Cluster
DATE: Jan/04/02

########################################################################

This patch cluster is intended to provide a selected set of patches for
the designated Solaris release level.  This is a bundled set of patches
conveniently wrapped for one-step installation.  Only install this
cluster on the appropriate Solaris system.  Carefully read all important
notes and install instructions provided in this README file before
installing the cluster.  A cluster grouping does not necessarily imply
that additional compatibility testing has occurred since the individual
patches were released.

########################################################################

CLUSTER DESCRIPTION
-------------------

These Solaris Recommended patches are considered the most important and
highly recommended patches that avoid the most critical system, user, or
security related bugs which have been reported and fixed to date.  In
most cases a Solaris security patch will be included in the recommended
patch set.  It is possible, however, that a security patch may not be
included in the recommended set if it is determined to be a more obscure
application specific issue and not generally applicable.

During initial installation of the Solaris product other patches or patch
sets may be provided with the product and required with product installation.
Refer to the Solaris product installation documentation to be sure that all
the patches required at product installation are already installed.  This
patch cluster can then be used to update or augment the system with the
recommended patches included.

Figure 1: Recommended Patch Cluster README (excerpt)

As you read the first part of the README in Figure 1, you will see the following line: “These Solaris Recommended patches are considered the most important and highly recommended patches that avoid the most critical system, user, or security related bugs which have been reported and fixed to date.”  This line would certainly convince any administrator looking for a security patch to install the Cluster Patch and feel more secure.  And rightfully so.  The Cluster Patch does indeed contain security patches for common and well known vulnerabilities that hackers and crackers would exploit.

The Test

A default install of Solaris 8 was done on an Ultra 10 as previously mentioned.  No additional configuration or patches were applied to this target machine.  We then took our War Machine, the Linux box with NESSUS and Nmap, and began the scan.  We have included the results from NESSUS in Appendix 1.  The final output of the NESSUS scan was as follows:

Number of security holes found : 2
Number of security warnings found : 25
Number of security notes found : 6

Figure 2: NESSUS Before

This was not so surprising, as this was a default install with default options selected.  Next we applied the latest Cluster Patch to this machine.  The patch installed in about an hour, and we performed our second scan.  The results can be seen in Appendix 2.  In Figure 3, you can see the overview results.

Number of security holes found : 2
Number of security warnings found : 24
Number of security notes found : 6

Figure 3: NESSUS After

The end result was that the SUN Cluster Patch only closed one warning found by NESSUS.  SUN’s Cluster Patch, the one that they specifically said is “considered the most important and highly recommended patches that avoid the most critical system, user, or security related bugs which have been reported and fixed to date”, did not really help the NESSUS audit we performed on our system.

This reinforces our initial comment that security can have a different meaning for everyone.  And in this case, we have shown that NESSUS has a different idea of a secure SUN Solaris 8 system than SUN has. An evaluation of the reports generated by NESSUS can perhaps help us understand this.

Before Scan Review

Warning found on port echo (7/tcp)
Warning found on port daytime (13/tcp)
Warning found on port chargen (19/tcp)
Warning found on port ftp (21/tcp)
Information found on port ftp (21/tcp)
Warning found on port telnet (23/tcp)
Information found on port telnet (23/tcp)
Warning found on port smtp (25/tcp)
Information found on port smtp (25/tcp)
Warning found on port finger (79/tcp)
Warning found on port finger (79/tcp)
Warning found on port exec (512/tcp)
Warning found on port login (513/tcp)
Warning found on port shell (514/tcp)
Warning found on port submission (587/tcp)
Information found on port submission (587/tcp)
Information found on port general/tcp
Information found on port general/udp
Warning found on port unknown (32777/udp)
Warning found on port unknown (32773/tcp)
Warning found on port unknown (32775/udp)
Warning found on port unknown (32776/udp)
Vulnerability found on port unknown (32772/udp)
Warning found on port unknown (32774/udp)
Warning found on port unknown (32778/udp)
Warning found on port unknown (32773/udp)
Warning found on port unknown (4045/udp)
Vulnerability found on port unknown (32779/udp)
Warning found on port general/icmp
Warning found on port general/icmp
Warning found on port echo (7/udp)
Warning found on port daytime (13/udp)
Warning found on port chargen (19/udp)

Figure 4: Before Vulnerabilities

As we review the before scan results, we see services like Telnet and FTP.  These are active by default on Solaris.  These services have a history of vulnerabilities and are insecure in the way they transmit data and authentication information.  In other words, when you use telnet or FTP, your login name and password are sent in plain text; they are not encrypted in any way.  The Cluster Patch that SUN puts out does not de-activate services running on the box and cannot really secure this.  The recommended method of dealing with telnet and FTP is to use SSH or a similar product and disable Telnet and FTP.  In this example we see NESSUS identifying this as a security problem, and SUN not addressing it in its Cluster Patch.

Further review showed that this is the case for many of the vulnerabilities in the list shown in Figure 4.

Comparison of Scans

What is the difference between the before and after scan?  The Cluster Patch performed the following changes:

Removed:
Warning found on port ftp (21/tcp)
Warning found on port unknown (32773/udp)
Vulnerability found on port unknown (32772/udp)

Added:
Warning found on port unknown (32772/udp)
Vulnerability found on port unknown (32773/udp)

The Cluster Patch removed a vulnerability on port 32772/udp and created a warning.
The Cluster Patch removed a warning on port 32773/udp and created a vulnerability.
The Cluster Patch removed a warning on FTP 21/tcp.
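
The before/after comparison above is easy to do by eye for one host and two reports, but it becomes tedious across many hosts and many scans.  The following Python script is an added example (not part of this paper) that parses NESSUS summary lines into a multiset, diffs two scans, and separates ports that were merely reclassified from ports that were actually closed; the before findings are an excerpt of Figure 4, and since Appendix 2 is not reproduced here, the after report is constructed from the Removed/Added lists above.

```python
import re
from collections import Counter

# One NESSUS summary line, e.g. "Warning found on port ftp (21/tcp)" or "Warning found on port general/icmp".
LINE_RE = re.compile(
    r"^(Vulnerability|Warning|Information) found on port (.+?)(?: \((\d+/(?:tcp|udp))\))?$")

def parse_findings(report):
    """Multiset of (severity, port).  A Counter, not a set: NESSUS prints one line per
    plugin, so a port can carry the same severity twice (finger and general/icmp in Fig. 4)."""
    found = Counter()
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found[(m.group(1), m.group(3) or m.group(2))] += 1
    return found

def diff_scans(before, after):
    """(removed, added) as Counters; Counter subtraction keeps only positive counts."""
    b, a = parse_findings(before), parse_findings(after)
    return b - a, a - b

def classify(removed, added):
    """Read the diff the way the paper does: a port that lost one severity and gained
    another was only reclassified; the rest were genuinely closed or newly found."""
    lost = {port: sev for sev, port in removed}
    gained = {port: sev for sev, port in added}
    reclassified = {p: (lost[p], gained[p]) for p in lost.keys() & gained.keys()}
    closed = sorted(p for p in lost if p not in gained)
    new = sorted(p for p in gained if p not in lost)
    return reclassified, closed, new

# Constructed sample input: an excerpt of the Figure 4 (before) findings.
BEFORE = """\
Warning found on port ftp (21/tcp)
Information found on port ftp (21/tcp)
Warning found on port finger (79/tcp)
Warning found on port finger (79/tcp)
Vulnerability found on port unknown (32772/udp)
Warning found on port unknown (32773/udp)
Vulnerability found on port unknown (32779/udp)
Warning found on port general/icmp
Warning found on port general/icmp
"""
# The after scan is not reproduced on the page; build it from the paper's own
# Removed/Added lists: the ftp warning goes away and the two UDP RPC ports swap severity.
AFTER = (BEFORE.replace("Warning found on port ftp (21/tcp)\n", "")
         .replace("Vulnerability found on port unknown (32772/udp)", "Warning found on port unknown (32772/udp)")
         .replace("Warning found on port unknown (32773/udp)", "Vulnerability found on port unknown (32773/udp)"))

if __name__ == "__main__":
    removed, added = diff_scans(BEFORE, AFTER)
    print("Removed:", sorted(removed.elements()))
    print("Added:  ", sorted(added.elements()))
    print("Reclassified / closed / new:", classify(removed, added))
```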

NMAP After

NESSUS used NMAP to scan for open ports on the target machine; however, we wanted to do our own NMAP scan and see the results.  We scanned the operating system after the patch to see what was left open by the Cluster Patch.  The results can be seen in the table below.  It’s important to note that just because a service is running and listening on a certain port, it doesn’t automatically become a security hole.

Port       State   Service
7/tcp      open    echo
9/tcp      open    discard
13/tcp     open    daytime
19/tcp     open    chargen
21/tcp     open    ftp
23/tcp     open    telnet
25/tcp     open    smtp
37/tcp     open    time
79/tcp     open    finger
111/tcp    open    sunrpc
512/tcp    open    exec
513/tcp    open    login
514/tcp    open    shell
515/tcp    open    printer
540/tcp    open    uucp
587/tcp    open    submission
4045/tcp   open    lockd
6000/tcp   open    X11
6112/tcp   open    dtspc
7100/tcp   open    font-service
32771/tcp  open    sometimes-rpc5
32772/tcp  open    sometimes-rpc7
32773/tcp  open    sometimes-rpc9
32774/tcp  open    sometimes-rpc11
32775/tcp  open    sometimes-rpc13
32776/tcp  open    sometimes-rpc15
32777/tcp  open    sometimes-rpc17
32778/tcp  open    sometimes-rpc19

Conclusion

Is applying the latest security patches and service packs enough to secure your Sun Solaris 8 server?  As we test this against other operating systems, we will find similar results all the way across the board, prompting our security administrators and server engineers to realize that neither vendor patches nor NESSUS scanning can make us feel we have covered all the bases.

Using NMAP or NESSUS as an attacker would, we can see what they would see and how happy they would probably be.  Many services are installed by default and are just not secure, leaving the real work of securing the operating system to the administrator.  So be warned: if you’re the type of administrator who believes that simply applying the latest patches and service packs is sufficient, you may want to think again.

Further Reference

Now that you see that simply applying the latest cluster patch is not enough, what else could you do?  There are several sites and books that could help you achieve above and beyond what we covered here today.  Some references for good information are:

SANS – SANS offers great information on securing UNIX as well as most other operating systems today.  Check out their reading room as well.

Solaris 8 Security – a book by Edgar Danielyan.  It covers in-depth techniques that can be used to secure the Solaris 8 OS.

Solaris Security – written by Peter Gregory, an excellent book covering how to secure your system depending on the role it will play in your organization.

The SUN web site – The SUN website has a whole section dedicated to Security and can be found at http://www.sun.com/security/index.html

[1] http://www.securitywriters.org

[2] http://www.enterasys.com

[3] http://www.cve.mitre.org

[4] http://www.microsoft.com

[5] http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/columns/security/vulnrbl.asp

[6] http://www.redhat.com

[7] http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access
