Why Your Network is Still Vulnerable
By: Brian Martin
October 4, 1999
You trust the security experts. Their books and articles about
security are often the bibles of System Administrators.
Their one paragraph biographies tell you of their ten to twenty years
doing network security. They take on impressive titles of neat sounding
companies they secure. Why is it these experts often give you the
absolute worst advice that could cross your ears?
Time and time again, security 'experts' casually recommend that you
use or deploy a package like the SATAN security scanner to test your
network for vulnerabilities. While few references to SATAN will claim it
is the end-all solution to computer security, the mere fact that people ever
recommended the tool is absurd. More disturbing is that over four years
after it was released, some continue to reference it in a serious
manner.
Before I continue, I'd like to qualify and assure you this is not a
rant against SATAN's (or any other tool's) authors. The attention and
hype that propelled SATAN into the media spotlight is no fault of
theirs. Rather, other security 'experts' and/or media outlets cried wolf
before it was released and helped create the "demise of the internet" as
it was once called. This article will focus on SATAN as an example,
simply because of the label it received from so many. Please keep in
mind that SATAN is a forefather to most of the commercial scanners you
are familiar with. So time progresses and people realize the futility
of recommending a utility never designed for intensive and thorough
auditing, right? Of course not.
Politically Correct
Instead of researching options more suitable for these books and
articles, many security professionals dutifully recommend SATAN, COPS,
Tiger and other out-of-date utilities. The question is why? Regardless
of the answer, it isn't a good enough reason. Security experts have an
ethical obligation to recommend viable and solid solutions to their
readers and customers. Each and every time they don't, they further
validate weak utilities as a method for securing your network. Days
after auditing their network with these tools, it falls victim
to an intruder and they can't figure out why.
SATAN was last released as version 1.1.1 on March 20, 1995. Obviously,
network security concerns move at the speed of light. Any security audit
tool not updated hours ago is already behind the times. So how can so
many security professionals continue to recommend such an old and
outdated tool? The only answer that comes to mind is the concept of
being Politically Correct. The media told the masses this was a serious
tool and should be regarded as a legitimate network auditing tool. Who
would want to go against the grain and say otherwise? No one
apparently.
Media and mainstream press put SATAN on a pedestal of unseen heights.
As a result, several security professionals are still looking up and not
seeing the scanner for what it is. Every day that passed with no
qualified individual speaking up lent more weight to what the media
had already said. Four years later, this is the first article to
my knowledge that is doing that.
Who's on the Bandwagon?
If you haven't read many security articles, you may not have run across
a reference to SATAN. In case you haven't, let's look at a few of the
many media outlets, security professionals and others who tell you to
use it.
It started in 1995 with a wave of articles and press frenzy surrounding
the tool's release. To this day, articles still seem to latch onto the
idea SATAN is a viable tool for network security. In 1995, an Oakland
Tribune article said:
"It's like randomly mailing automatic rifles to 5,000 addresses.
I hope some crazy teen doesn't get a hold of one."
More recently SATAN has popped back up in more articles. James Glave
quoted a Microsoft spokesperson on the use of SATAN in his article
"Back Orifice a pain in the..?" (27).
In April, Kevin Reichard wrote about the tool in his article "Network
Security" (28).
Many popular and respected magazines have run articles suggesting the
use of SATAN. Among them are Linux Journal (1), Info Security
News (2), Security Advisor
(3) and Information
Security (An ICSA Publication) (4).
Most disturbing is that most of the publicly available security
magazines each push SATAN onto their readers at one point or another.
These are the so-called experts, the people that should know the program
does little for today's networks. Yet as late as September 1998, three
years since SATAN's last release, they are still doing it.
Visit your local bookstore and you will be lucky to find more than
five or ten security books. Over the past five years over one hundred
books focusing on security have crossed these shelves. Interestingly
enough, a healthy percentage each make the misplaced recommendation
of SATAN as a valuable auditing tool. Worse, the idea of using such
outdated and inferior tools has crossed beyond the realm of security
books. A few of these books you may have seen are Practical Unix &
Internet Security (5), UNIX
System Administrator's Companion (6),
Halting the Hacker (7), and
Internet Besieged (8).
Recently, O'Reilly released an entire book devoted to using SATAN to
protect your networks (9). To a degree,
this release gave the ultimate validation to the tool's ability to
protect your network. Are these books unworthy of attention? No. I would
hazard they are being politically correct.
To keep on the bandwagon of overhype and undue attention, several
security advisories have been released to prepare the net for this tool.
One issue remains unresolved though. Why have few advisories followed
the various SATAN advisories warning users of other utilities that are
far more dangerous to their organization? In 1995 we were flooded with
advisories from every response team or security group out there. CERT
CA-95:06 (10),
CIAC F-19 (11),
CIAC F-20 (12), CIAC F-21 (13), CIAC F-23 (14),
CIAC F-24 (15),
SMS 00130A (16), NASIRC (17), Assist 95-11 (18),
Assist 95-19 (19),
and Auscert
AA-95.03 (20) are
just a few of the security advisories warning us of the impact of
SATAN.
With all of the news articles, books, security advisories and other
miscellaneous hype, how could anyone go against the grain and jump off
the bandwagon?
Satan is as Satan Does
Giving these various doomsday media outlets the benefit of the doubt,
we could at least expect them to talk to knowledgeable professionals.
That leads to two more questions. First, why didn't they do just that?
Second, why are some security professionals writing articles
recommending it? Some might argue that since it has a point-and-click
graphical user interface, it is easy for the novice admin. I certainly
don't buy that. Considering it takes a Unix host, Perl, X Windows and
other resources that are not the easiest to set up, expecting novice
admins to use it is not logical.
Martin Freiss (author of 'Protecting Networks with SATAN') writes in
his introduction about the extent of SATAN protecting your network:
"Naturally, SATAN cannot detect every security vulnerability.
In particular, there are security problems in the transfer
protocols of the Internet and intranets.. True security can
be achieved only if all dangers are known, including those
that SATAN cannot detect.."
Based on these words, I think it fair to say that those people familiar
with the tool realize its limits. Most security professionals, when
asked if there is an end-all, be-all solution to network security,
will answer that no such beast exists. On the other hand, they will also tell
you that no one tool will be the 'demise of the internet' like some
claimed.
Falling Short
Technically speaking, why shouldn't these organizations and people be
recommending SATAN? Let's examine what the program does in the way
of vulnerability checking on a remote host. The following list is taken
from the documentation.
- NFS file systems exported to arbitrary hosts
- NFS file systems exported to unprivileged programs
- NFS file systems exported via the portmapper
- NIS password file access from arbitrary hosts
- Old (i.e. before 8.6.10) sendmail versions
- REXD access from arbitrary hosts
- X server access control disabled
- arbitrary files accessible via TFTP
- remote shell access from arbitrary hosts
- writable anonymous FTP home directory
First thing we notice is that it scans for ten whole vulnerabilities.
Thinking back to the start of this year alone, you should be aware that
over one hundred vulnerabilities have been brought to light on
the Internet. So the sheer percentage of vulnerabilities doesn't quite
cut it. Commercial competitors of SATAN like ISS and Cybercop pride
themselves and attempt to gain market share based on the high number of
vulnerabilities they scan for (over 500).
Since numbers are often misleading, let's look at some real-world
examples of why SATAN is not a good recommendation. If you are tasked to
deal with network security and you run any flavor of Unix, you are
probably aware of the hundred or so vendor-based security advisories for
your platform of choice. Some of the more recently exploited
vulnerabilities:
- ToolTalk (rpc.ttdb): Detailed in NAI Advisory #29 (23)
- Statd (rpc.statd): Detailed in SMS Advisory #186 (24)
- Calendar Manager (rpc.cmsd): Detailed in SMS Advisory #188 (25)
- Cold Fusion (WinNT): Several problems covered in many advisories (26)
- wu-ftpd, named (DNS), pop (mail), imap (mail), nisd, autofsd, and
more.
Comparing the list of vulnerabilities being widely exploited on the
Internet today with the list of vulnerabilities SATAN checks for, we
can see it does one thing quite well. It falls short. For you NT
administrators, seek help elsewhere.
Insult to Injury
Yes, it gets worse. Not only does the program fall short in assisting
with network security analysis, it poses a serious threat to your
network security in ways that didn't previously exist.
As outlined in CERT CA-95:07 (21),
there is a "Password Disclosure" issue with SATAN 1.0, fixed in version
1.1. CIAC F-22 (22) covers another vulnerability that allows unauthorized
users to execute commands and gain root access through SATAN. Marc Heuse
later posted to Bugtraq regarding SATAN and other widely used security
tools having /tmp race conditions allowing unauthorized users to create
or overwrite any file on the system. This last vulnerability was found
in SATAN 1.1.1, the last version released. No further revisions have
been forthcoming so the issue has not been fixed.
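As an added illustration (this is not code from the article or from SATAN itself), the class of /tmp problem described above, shown from the defender's side: a tool that writes to a predictable name such as /tmp/scan.out with a plain O_CREAT open reuses whatever already sits at that name, while O_CREAT|O_EXCL|O_NOFOLLOW refuses a pre-existing path, and mkstemp() avoids the predictable name altogether. The file name scan.out and the tmprace scratch directory are constructed for this demo; the two demo functions return 1 when the hardened behaviour is observed.

```c
/* Added example: unsafe versus hardened temporary-file creation on Unix.
   Not SATAN's code; the scan.out name and the tmprace.XXXXXX scratch
   directory are constructed for the demonstration. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: creates-or-truncates whatever is already at 'path',
   following a symlink if one has been placed there. */
int open_tmp_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: fails with EEXIST if anything already occupies 'path'
   and refuses to follow a symlink in the final component. */
int open_tmp_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred pattern: let mkstemp() pick an unpredictable name under 'dir'
   (it uses O_CREAT|O_EXCL internally). The chosen path is written to 'buf'. */
int open_tmp_random(const char *dir, char *buf, size_t cap)
{
    if (snprintf(buf, cap, "%s/scan.XXXXXX", dir) >= (int)cap) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkstemp(buf);
}

/* Demo 1: a file already sits at the predictable name (standing in for
   anything an unprivileged local user could leave there). Returns 1 if the
   unsafe open silently reused it while the exclusive open refused (EEXIST). */
int demo_planted_path(const char *base)
{
    char dir[PATH_MAX], path[PATH_MAX];
    snprintf(dir, sizeof dir, "%s/tmprace.XXXXXX", base);
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(path, sizeof path, "%s/scan.out", dir);

    int planted = open(path, O_WRONLY | O_CREAT, 0600);   /* pre-existing file */
    if (planted < 0)
        return 0;
    close(planted);

    int unsafe_fd = open_tmp_unsafe(path);                /* succeeds: reused */
    int unsafe_reused = unsafe_fd >= 0;
    if (unsafe_fd >= 0)
        close(unsafe_fd);

    int excl_fd = open_tmp_exclusive(path);               /* must fail */
    int refused = (excl_fd < 0 && errno == EEXIST);
    if (excl_fd >= 0)
        close(excl_fd);

    unlink(path);
    rmdir(dir);
    return unsafe_reused && refused;
}

/* Demo 2: mkstemp() yields a fresh private file (mode 0600) under an
   unpredictable name. Returns 1 on success and cleans up after itself. */
int demo_random_name(const char *base)
{
    char dir[PATH_MAX], path[PATH_MAX];
    struct stat st;
    snprintf(dir, sizeof dir, "%s/tmprace.XXXXXX", base);
    if (mkdtemp(dir) == NULL)
        return 0;
    int fd = open_tmp_random(dir, path, sizeof path);
    int ok = fd >= 0 && fstat(fd, &st) == 0 && (st.st_mode & 0777) == 0600;
    if (fd >= 0)
        close(fd);
    unlink(path);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("planted path: unsafe reused, exclusive refused = %d\n",
           demo_planted_path("/tmp"));
    printf("mkstemp fresh private file = %d\n", demo_random_name("/tmp"));
    return 0;
}
```

The check worth carrying over to any audit tool you do deploy is the second one: a scanner that writes reports or scratch data should never open a fixed name under a world-writable directory without O_EXCL, and should prefer mkstemp()-style names so that a pre-placed file or link is rejected rather than followed.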
So What's the Solution?
So if tools like SATAN are antiquated, what is a viable freeware
solution? Like most tools, there are always alternatives. In the past
few years, a more current tool based on SATAN's foundation has arisen,
called SAINT (30). As of August
19, 1999, SAINT version 1.4 was released adding more features and
security checks that address current security concerns. Among these are
checks for well known NT security holes, Operating System
fingerprinting, as well as several new Unix vulnerabilities. The
continued development and community effort to support this product has
turned it into a much better foundation for testing network security
than many other tools like it. Due to its active development and
continued support for detecting new vulnerabilities, this seems like a
great alternative to recommending outdated tools. When possible, don't
rely on canned tools at all. They will never come close to the ability
and instinct of a qualified security consultant.
Conclusion
A few dozen clichés come to mind as a way to wrap up this article. I
think I have sufficiently shown that everyone from the media to security
experts continues to quote SATAN as a way to defend your network. Because
the tool has not been updated in several years, it is far behind the
times in addressing network security issues. On top of it not being
adequate by any stretch of the imagination, it poses further risk to
your machines. Despite all this, the recommendation to use inferior
technology still comes pouring in.
Brian Martin (bmartin@attrition.org)
Copyright 1999