Tuesday, January 3, 2023

Vulnerability Management - General best practices for searching a vulnerability

While checking if a vulnerability exists in your environment, take care of the following points:

  1. Check whether the scanning vendor has actually published a signature for the vulnerability. A QID/Plugin ID is sometimes already mapped to the CVE ID while the detection is still in development, so a search returns nothing even though nothing has been assessed.
  2. Check whether authentication is required to detect it. For a Nessus plugin ID, look at the plugin type (local/remote); for a Qualys QID, the discovery method (Remote Only/Authenticated Only/Remote and Authenticated). A "not detected" result from an unauthenticated scan means nothing for a check that needs local access.
  3. Some checks look for a specific patch (for example a KB number) rather than for the vulnerable condition itself. If that patch has been superseded by a later patch which is already installed, the detection can be a false positive; read the vendor's detection logic before raising it with the platform team.
  4. Sometimes only a particular OS feature or role is vulnerable. Check whether the detection logic flags on the OS version alone; if it does, confirm with the platform support team whether the feature is actually installed or in use before treating the finding as real or as a false positive.
  5. Ensure scan traffic is not blocked by a firewall. In short, if you are searching for a vulnerability on a set of systems, first confirm that those systems are actually being scanned completely.


The point is: do not simply enter the QID/Plugin ID in the filter, hit enter, and decide from the search results whether the vulnerability exists. "Not detected" is only meaningful if the asset was actually assessed with the right scan type. If the architecture is scanner based, operationalize the troubleshooting of authentication failures; if it is agent based, the troubleshooting of offline agents.
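As an added example (not part of the original post), the triage below applies the points above to a search result so that "not detected" is never confused with "not assessed". The column names, the detection ID, the asset inventory and the scan rows are all constructed assumptions, not a real Qualys or Nessus export; adapt them to whatever your platform's report actually contains.

```powershell
# Added example, not from the original post. Triage a vulnerability search so that
# "not detected" is separated from "not assessed". All column names and rows below
# are constructed assumptions, not a real Qualys/Nessus export.

$detectionId = 'QID-12345'                 # hypothetical QID / plugin ID being searched
$asOf        = [datetime]'2023-01-03'      # fixed reference date for the constructed data
$maxScanAge  = 30                          # days; older results are treated as stale
$needsAuth   = $true                       # from the QID discovery method / plugin type (assumption)

# Constructed inventory: every asset that is in scope for the search.
$inventory = @'
Host,AgentBased
web01,False
web02,False
db01,True
app01,True
'@ | ConvertFrom-Csv

# Constructed scan history: last result per host for this detection.
# Status: Detected/NotDetected; AuthOk: whether the scan authenticated;
# AgentOnline: agent check-in state; Superseded: flagged patch superseded by an installed one.
$results = @'
Host,DetectionId,Status,AuthOk,LastScan,AgentOnline,Superseded
web01,QID-12345,Detected,True,2023-01-02,,False
web02,QID-12345,NotDetected,False,2023-01-02,,False
db01,QID-12345,Detected,True,2023-01-01,True,True
'@ | ConvertFrom-Csv

function Get-DetectionTriage {
    param($Inventory, $Results, [string]$DetectionId, [datetime]$AsOf,
          [int]$MaxScanAgeDays, [bool]$RequiresAuth)

    # Index the results for the detection we care about, one row per host.
    $byHost = @{}
    foreach ($r in ($Results | Where-Object { $_.DetectionId -eq $DetectionId })) { $byHost[$r.Host] = $r }

    foreach ($asset in $Inventory) {
        $r = $byHost[$asset.Host]
        $verdict = if (-not $r) {
            'NOT ASSESSED: no result for this detection (never scanned or scan blocked)'
        } elseif ($asset.AgentBased -eq 'True' -and $r.AgentOnline -ne 'True') {
            'NOT ASSESSED: agent offline'
        } elseif (($AsOf - [datetime]$r.LastScan).Days -gt $MaxScanAgeDays) {
            "STALE: last result $($r.LastScan)"
        } elseif ($RequiresAuth -and $r.AuthOk -ne 'True') {
            'NOT ASSESSED: authenticated check, but the scan did not authenticate'
        } elseif ($r.Status -eq 'Detected' -and $r.Superseded -eq 'True') {
            'LIKELY FALSE POSITIVE: flagged patch superseded by an installed patch, verify'
        } elseif ($r.Status -eq 'Detected') {
            'VULNERABLE'
        } else {
            'NOT VULNERABLE (assessed with authentication, recent, not detected)'
        }
        [pscustomobject]@{ Host = $asset.Host; Verdict = $verdict }
    }
}

Get-DetectionTriage -Inventory $inventory -Results $results -DetectionId $detectionId `
    -AsOf $asOf -MaxScanAgeDays $maxScanAge -RequiresAuth $needsAuth | Format-Table -AutoSize
```

With the constructed rows, web01 comes out as VULNERABLE, web02 as NOT ASSESSED (the check needs authentication and the scan did not authenticate), db01 as a likely false positive to verify, and app01 as NOT ASSESSED because it has no result at all. Only the first of those would show up in a plain QID filter; the other three are exactly the cases the list above is about.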


Happy Learning !!

Monday, January 2, 2023

Vulnerability Management - Tussle with Application team

Qualys has started considering RSA and DHE key exchange with 1024-bit keys as weak (QID 38863). Many applications ship their own SSL/TLS library instead of using the operating system's. This is where the trouble starts: Windows has its own SSL/TLS library, Schannel, but a Java application installed on Windows uses the JVM's own implementation (JSSE), so making changes at the OS level is not enough.


Whenever you find QID 38863 detected on a Windows host, take the following actions:

  1. Identify the port on which the QID is flagged (2216 is used as the example port below).
  2. Run the command -> netstat -ano | findstr ":2216"
  3. Note the PID in the last column of the LISTENING line for that port; the PID is a different number from the port.
  4. Open Task Manager and look up that PID, or run the command -> tasklist /fi "pid eq <PID>"
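The same four steps as one PowerShell function, added here as an example and not part of the original post. It maps the flagged port to the owning process and then looks at the process's loaded modules to guess which TLS stack it uses (JVM, .NET runtime, bundled OpenSSL, or Schannel), which is the question that decides whether the fix is an OS change or an application change. The port number is a placeholder, and the DLL-name heuristics are an assumption that the process loads its TLS stack in-process.

```powershell
# Added example, not from the original post. Map a flagged port to its process and
# infer which TLS stack it is using. The DLL names checked are the usual runtime
# modules (assumption: the process loads its TLS implementation in-process).

function Get-ListenerTlsStack {
    param([Parameter(Mandatory)][int]$Port)

    # Steps 1-3 of the post: who owns the listening socket on this port?
    $conns = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction Stop
    foreach ($ownerPid in ($conns.OwningProcess | Sort-Object -Unique)) {
        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        if (-not $proc) { continue }

        # Step 4: which runtime is it? Loaded modules reveal the TLS implementation.
        # Enumerating modules needs admin rights and the same bitness as the target.
        $modules = try { $proc.Modules.ModuleName } catch { @() }
        $stack = if     ($modules -match '^(jvm|java)\.dll$')              { 'Java JSSE (fix in java.security / JVM options)' }
                 elseif ($modules -match '^(clr|coreclr|mscorwks)\.dll$')   { '.NET (Schannel underneath, plus .NET TLS switches)' }
                 elseif ($modules -match '^(libssl|ssleay32)')             { 'OpenSSL bundled with the application (fix in app config)' }
                 elseif ($modules -match '^schannel\.dll$')                { 'Schannel (fix via the OS registry)' }
                 else                                                       { 'Unknown (module list unavailable or another library)' }

        [pscustomobject]@{
            Port     = $Port
            PID      = $ownerPid
            Process  = $proc.ProcessName
            Path     = $proc.Path
            TlsStack = $stack
        }
    }
}

# Replace 2216 with the port Qualys flagged for QID 38863.
Get-ListenerTlsStack -Port 2216 | Format-List
```

Run it from an elevated prompt; without admin rights the module list of a service process is often unreadable and the verdict falls through to "Unknown", in which case the process path alone (java.exe, a .NET service host, an application's own binary) usually answers the question.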


If it is a Java application, you will have to ask the application support team to go through the following links and make the necessary changes (for JSSE this is typically done through the jdk.tls.disabledAlgorithms property in the JRE's java.security file, which is what the first link walks through):

https://docs.oracle.com/en/applications/jd-edwards/administration/9.2.x/eotsc/disabling-weak-cipher-suites-globally-through-java.html#u30144032

https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html


For .NET Framework applications, note that .NET on Windows uses Schannel underneath, but it has its own registry and configuration switches (for example SchUseStrongCrypto and SystemDefaultTlsVersions) that control which protocol versions it will negotiate; see https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls


Most probably the application team will not appreciate this, because any change means taking a backup, scheduling downtime, performing the change and then requesting a rescan. As a security analyst you will have to justify why disabling weak protocols and cipher suites is important.


For applications which use the Windows native SSL/TLS stack, i.e. Schannel, you can make the changes at OS level.


Following are the registry paths you can refer to:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\ (protocol versions, enabled or disabled per Server and Client subkey)

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman (the ServerMinKeyBitLength DWORD sets the minimum DHE group size Schannel will use; 2048 addresses the DHE part of this QID)

HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 (the group-policy cipher suite order, stored in the Functions value)

Note that for RSA key exchange the 1024-bit key is the server certificate's own key, so that part of the finding is fixed by reissuing the certificate with a 2048-bit or larger key, not by a registry change.
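To verify the Schannel side before asking for a rescan, the read-only script below (an added example, not part of the original post) dumps the protocol state under the SCHANNEL\Protocols key, the Diffie-Hellman ServerMinKeyBitLength value, the group-policy cipher suite order from the 00010002 key, and the effective cipher suite list from Get-TlsCipherSuite, then lists the suites whose key exchange is still allowed below 2048 bits. Missing keys are reported as "default", since Schannel falls back to the OS default when a value is absent.

```powershell
# Added example, not from the original post. Read the current Schannel configuration
# from the registry paths above so the fix can be verified. Read-only; nothing is changed.

function Get-SchannelPosture {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

    # Protocol state: per protocol, Server and Client subkeys carry Enabled and
    # DisabledByDefault DWORDs. A missing key or value means the OS default applies.
    $protocols = foreach ($p in (Get-ChildItem "$base\Protocols" -ErrorAction SilentlyContinue)) {
        foreach ($side in 'Server', 'Client') {
            $v = Get-ItemProperty "$($p.PSPath)\$side" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $p.PSChildName
                Side              = $side
                Enabled           = if ($null -ne $v.Enabled) { $v.Enabled } else { 'default' }
                DisabledByDefault = if ($null -ne $v.DisabledByDefault) { $v.DisabledByDefault } else { 'default' }
            }
        }
    }

    # Minimum DHE group size in bits; this is the DHE half of QID 38863.
    $dh    = Get-ItemProperty "$base\KeyExchangeAlgorithms\Diffie-Hellman" -ErrorAction SilentlyContinue
    $dhMin = if ($null -ne $dh.ServerMinKeyBitLength) { $dh.ServerMinKeyBitLength } else { 'default' }

    # Group-policy cipher suite order: Functions is a comma-separated REG_SZ under this key.
    $pol   = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -ErrorAction SilentlyContinue
    $order = if ($pol.Functions) { $pol.Functions -split ',' } else { @() }

    # Effective suites as the OS reports them (Windows 10 / Server 2016 and later).
    $suites = Get-TlsCipherSuite -ErrorAction SilentlyContinue |
              Select-Object Name, Exchange, MinimumExchangeLength, MaximumExchangeLength

    [pscustomobject]@{
        Protocols          = $protocols
        DhServerMinKeyBits = $dhMin
        PolicyCipherOrder  = $order
        EffectiveSuites    = $suites
        # Suites whose RSA or finite-field DH key exchange still accepts < 2048 bits.
        WeakExchange       = $suites | Where-Object { $_.Exchange -match '^(DH|RSA)$' -and $_.MinimumExchangeLength -lt 2048 }
    }
}

$posture = Get-SchannelPosture
$posture.Protocols | Format-Table -AutoSize
"Diffie-Hellman ServerMinKeyBitLength: $($posture.DhServerMinKeyBits)"
"Policy cipher suite order entries: $($posture.PolicyCipherOrder.Count)"
$posture.WeakExchange | Format-Table -AutoSize
```

An empty WeakExchange table together with a ServerMinKeyBitLength of 2048 is what you want to see for the DHE part of the finding; remember that the RSA part depends on the certificate key size, which this script does not inspect. Changes to these keys take effect for new connections only after the service (or the host) is restarted, so rescan after the restart, not before.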


Following is the Wikipedia page comparing the various TLS implementations, useful for working out which library an application actually ships:  

https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations


Please don't try to search for a CVE corresponding to QID 38863, as you won't find one: it is a configuration weakness (weak key exchange parameters), not a flaw in a specific product, so no CVE is assigned to it.


Happy Learning !!

Sunday, January 1, 2023

Vulnerability Management - Agent Based Scan

In case you think an agent-based architecture is always the best choice, be aware of the following points:


  1. Agents cannot be installed on IoT and network devices such as routers, switches and firewalls.
  2. Agents cannot discover remote-only vulnerabilities such as SSL/TLS configuration issues (QID 38863 above is one), because those checks need a network handshake with the listening service rather than a local inspection of the host.
  3. Agents cannot discover newly added devices, as they do not perform discovery (network) scans; a host that never had an agent installed is simply invisible to an agent-only deployment.


There are other drawbacks as well, but drawbacks exist in scanner-based architectures too; most environments end up needing both.


Please refer to the link below for the list of Qualys agent versions and their supported platforms:

https://success.qualys.com/support/s/article/000006675


Please refer to the link below for the list of Nessus agent versions and their supported platforms:

https://docs.tenable.com/generalrequirements/Content/NessusAgentSoftwareRequirements.htm


Happy Learning !!

Vulnerability Management - Understanding vulnerability posture

Understanding the vulnerability posture of an organisation at a basic level helps you drive remediation efforts. So, I don't know what t...