
Part ONE: Executive Summary of Vulnerability Scanning

Vulnerability scanning is the practice of using one computer to look for weaknesses in the
security of another computer, so that you can find and fix the weaknesses in your systems
before someone else finds them and decides to break in. It is a bit like a shopkeeper
making sure all the doors and windows are closed and locked, the money is in the safe and
the alarm is set, before closing up for the evening (Houghton, 2003).

Vulnerability scanning assesses a variety of vulnerabilities across information systems
(including computers, network systems, operating systems, and software applications) that
may have originated from a vendor, from system administration activities, or from general
day-to-day user activities:

1. Vendor-originated: this includes software bugs, missing operating system patches,
vulnerable services, insecure default configurations, and web application
vulnerabilities.

2. System administration-originated: this includes incorrect or unauthorised system
configuration changes, lack of password protection policies, and so on.

3. User-originated: this includes sharing directories with unauthorised parties, failure to
run virus scanning software, and malicious activities, such as deliberately
introducing system backdoors (The Government of the Hong Kong Special
Administrative Region, 2008).

There are three major types of vulnerability scanning used to find network soft spots:

1. Network: general-purpose scanning that scours networks for potential vulnerabilities.
2. Port: designed to search a network for open ports that attackers could use as illicit
entry points.
3. Web application security: enables organisations to conduct ongoing risk assessments to
identify the vulnerability of web applications to hostile attacks (Edwards, 2008).

A vulnerability assessment works to improve security posture and develop a more
mature, integrated security program (Drew, 2015). By performing a security posture
assessment, you get a clear picture of current security issues that helps in recognising the
vulnerabilities, risks and loopholes in the existing architecture (Sejati, 2015).


IT enterprise security risk assessments are performed to allow organizations to assess,
identify and modify their overall security posture and to enable security, operations,
organizational management and other personnel to collaborate and view the entire
organization from an attacker's perspective. This process is required to obtain organizational
management's commitment to allocate resources and implement the appropriate security
solutions. A comprehensive enterprise security risk assessment also helps determine the value
of the various types of data generated and stored across the organization. Without valuing the
various types of data in the organization, it is nearly impossible to prioritize and allocate
technology resources where they are needed the most. To accurately assess risk, management
must identify the data that are most valuable to the organization, the storage mechanisms of
said data and their associated vulnerabilities (Schmittling & Munns, 2010).

Part TWO: Carry Out Vulnerability Scanning & Analyse Scanning Results

Our network environment is a Local Area Network (LAN), shown in Figure 1. We expected the
findings on it to span a range of severity, risk and priority levels.

We used the Nessus vulnerability scanner to scan the chosen network and systems for known
vulnerabilities. As a result, we discovered three CVE IDs (Common Vulnerabilities and
Exposures identifiers): CVE-2003-0533 (stack-based buffer overflow in certain Active
Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service
(LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003,
NetMeeting, Windows 98, and Windows ME), CVE-2008-4835 (SMB in the Server service in
Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1,
and Server 2008), and CVE-2005-2120 (stack-based buffer overflow in the Plug and Play (PnP)
service (UMPNPMGR.DLL) in Microsoft Windows 2000 SP4, and XP SP1 and SP2).

Figure 1. Network topology of our environment
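To turn the scanner output into the per-CVE analysis that follows, the findings have to be read out of the Nessus export file (a .nessus file, which is XML) and grouped by CVE and host. The Python below is an added example; it is not part of the original report and not Nessus's own code. The report embedded in it is a constructed sample in the .nessus v2 layout, and the host addresses, plugin IDs and plugin names in it are placeholders rather than data from the scan described here.

```python
"""Triage a Nessus export (.nessus v2 XML): pull out every finding that carries a
CVE and group it by CVE and host, so each of the three CVEs in Part TWO maps onto
one remediation entry. Added example, not part of the original report. The XML
below is a constructed sample in the real .nessus v2 layout; the host addresses,
plugin IDs and plugin names are placeholders, not data from the report's scan."""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="LAN scan (constructed sample)">
  <ReportHost name="192.168.1.10">
   <HostProperties>
    <tag name="host-ip">192.168.1.10</tag>
    <tag name="operating-system">Microsoft Windows XP Service Pack 1</tag>
   </HostProperties>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
               pluginID="900001" pluginName="LSASS overrun (placeholder)">
    <cve>CVE-2003-0533</cve>
    <risk_factor>Critical</risk_factor>
   </ReportItem>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
               pluginID="900002" pluginName="SMB validation RCE (placeholder)">
    <cve>CVE-2008-4835</cve>
    <risk_factor>Critical</risk_factor>
   </ReportItem>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="0"
               pluginID="900003" pluginName="SMB detection (placeholder)">
    <risk_factor>None</risk_factor>
   </ReportItem>
  </ReportHost>
  <ReportHost name="192.168.1.20">
   <HostProperties>
    <tag name="host-ip">192.168.1.20</tag>
    <tag name="operating-system">Microsoft Windows 2000 Service Pack 4</tag>
   </HostProperties>
   <ReportItem port="139" svc_name="smb" protocol="tcp" severity="4"
               pluginID="900002" pluginName="SMB validation RCE (placeholder)">
    <cve>CVE-2008-4835</cve>
    <risk_factor>Critical</risk_factor>
   </ReportItem>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
               pluginID="900004" pluginName="PnP overflow (placeholder)">
    <cve>CVE-2005-2120</cve>
    <risk_factor>High</risk_factor>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

# Nessus "severity" attribute on a ReportItem: 0 info, 1 low, 2 medium, 3 high, 4 critical.
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}


def parse_findings(nessus_xml):
    """One dict per (host, port, CVE) for every ReportItem that carries a <cve>.
    Informational plugins without a CVE are dropped: they are service detections,
    not vulnerabilities, and would only pad the remediation list."""
    root = ET.fromstring(nessus_xml)
    findings = []
    for host in root.iter("ReportHost"):
        props = {t.get("name"): (t.text or "") for t in host.iter("tag")}
        for item in host.iter("ReportItem"):
            for cve in item.findall("cve"):
                findings.append({
                    "host": props.get("host-ip", host.get("name")),
                    "os": props.get("operating-system", "unknown"),
                    "port": int(item.get("port")),
                    "cve": cve.text.strip(),
                    "severity": int(item.get("severity", "0")),
                    "plugin": item.get("pluginName"),
                })
    return findings


def group_by_cve(findings):
    """Collapse findings to one row per CVE: affected hosts, ports seen, and the
    worst severity. Sorted worst first, then by number of hosts: the fix order."""
    rows = defaultdict(lambda: {"hosts": set(), "ports": set(), "severity": 0})
    for f in findings:
        row = rows[f["cve"]]
        row["hosts"].add(f["host"])
        row["ports"].add(f["port"])
        row["severity"] = max(row["severity"], f["severity"])
    return sorted(rows.items(),
                  key=lambda kv: (-kv[1]["severity"], -len(kv[1]["hosts"]), kv[0]))


if __name__ == "__main__":
    for cve, row in group_by_cve(parse_findings(SAMPLE_NESSUS)):
        print(f"{cve}  {SEVERITY_NAMES[row['severity']]:<8} "
              f"hosts={sorted(row['hosts'])} ports={sorted(row['ports'])}")
```

Grouping by CVE rather than by plugin is deliberate: one CVE can be reported by several plugins and on several ports (139 and 445 for the same SMB flaw), and it is the CVE that maps onto a vendor patch. The sort order puts the most severe and most widespread finding at the top of the remediation list.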

2.1 CVE-2003-0533

2.1.1 Definition
Stack-based buffer overflow in certain Active Directory service functions in
LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in
Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003,
NetMeeting, Windows 98, and Windows ME, allows remote attackers to
execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer
function to create long debug entries for the DCPROMO.LOG log file, as
exploited by the Sasser worm (Mitre, 2015).

A buffer overflow vulnerability exists in a Microsoft Active Directory service
logging function that is exposed by the LSASS DCE/RPC interface. The
vulnerability occurs due to the misuse of a vsprintf() call (Cert, 2004).

2.1.2 Causes of Vulnerability

A buffer overrun vulnerability exists in LSASS that could allow remote code
execution on an affected system (Microsoft, 2004).

2.1.3 Severity Level

Vulnerability (identifier)                            | Impact                | Windows 98, 98SE, ME | Windows NT 4.0 | Windows 2000 | Windows XP
Metafile Vulnerability (CAN-2003-0906)                | Remote code execution | None                 | Critical       | Critical     | Critical
Help and Support Center Vulnerability (CAN-2003-0907) | Remote code execution | None                 | None           | None         | Critical
Negotiate Vulnerability (CAN-2004-0119)               | Remote code execution | None                 | None           | None         | Critical
ASN.1 Double Free Vulnerability (CAN-2004-0123)       | Remote code execution | Critical             | Critical       | Critical     | Critical
Aggregate severity of all vulnerabilities             |                       | Critical             | Critical       | Critical     | Critical

Table 1. Security level of CVE-2003-0533 as rated in the Microsoft bulletin that fixes it
(MS04-011). The rows reproduced above are the other vulnerabilities covered by the same
bulletin; the LSASS vulnerability itself (CAN-2003-0533) is remotely exploitable by an
anonymous user only on Windows 2000 and Windows XP, and Windows NT 4.0 is not affected
(see section 3.2.1).

2.1.4 Possible Attack Risks
A remote unauthenticated attacker could exploit this vulnerability to execute
arbitrary code on the vulnerable system (Cert, 2004). An attacker who successfully
exploited the most severe of these vulnerabilities could take complete control of
an affected system, including installing programs; viewing, changing, or deleting
data; or creating new accounts that have full privileges. (Microsoft, 2004).

2.1.5 Port Connectivity

TCP port 445 is used for direct TCP/IP MS Networking access without the need for
a NetBIOS layer. This service is only implemented in the more recent versions of
Windows (e.g. Windows 2K / XP). The SMB (Server Message Block) protocol is
used among other things for file sharing in Windows NT/2K/XP. In Windows
2K/XP, Microsoft added the possibility to run SMB directly over TCP/IP, without
the extra layer of NetBT. For this they use TCP port 445 (SpeedGuide.net, 2015).

The Common Internet File System (CIFS) is a general-purpose information-sharing
protocol formerly known as Server Message Block (SMB). SMB is a message-based
protocol developed by Microsoft, Intel, and IBM. SMB is best known as the basis
for Microsoft's file transfer, file sharing, and printing. However, SMB is also
used by many other applications. The CIFS standard extends Microsoft's usage of
SMB (Beaver, 2014).

Many security attacks are a numbers game; that's why the large number of
attacks against TCP port 445 is no surprise. Along with ports 135, 137 and 139,
port 445 is a traditional Microsoft networking port. Specifically, TCP port 445 runs
Server Message Block (SMB) over TCP/IP. This is a core means of communication
on a Microsoft-based LAN. If you look at practically any modern Windows host on
your network (e.g., via netstat -an|more from a command prompt), you'll see that
port 445 is open and available. Many attacks against port 445 take place via the
LAN. Malware seeking to exploit undersecured Windows systems is a likely
source. However, these attacks can also originate outside the network and reach
any system for which port 445 has been opened on the firewall (O'Reilly, 2002).
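The netstat check described above can be automated so that every Windows host on the LAN is checked the same way. The Python below is an added example and not part of the original report: it parses the text format that Windows netstat -an prints, using a constructed excerpt with placeholder addresses, and reports which Microsoft networking ports are reachable from the network (as opposed to bound only to loopback) and which remote peers currently hold an SMB session on port 445.

```python
"""Flag the Microsoft networking ports (135, 137, 138, 139, 445) that a Windows
host exposes, from the output of 'netstat -an'. Added example, not part of the
original report. NETSTAT_SAMPLE is a constructed excerpt in the format Windows
prints; every address in it is a placeholder."""

# Port -> what listens there; TCP 445 is SMB over TCP/IP, the rest are RPC and NetBIOS.
MS_NETWORKING_PORTS = {
    135: "MSRPC endpoint mapper",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service (SMB over NetBT)",
    445: "SMB directly over TCP/IP",
}

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:445       192.168.1.55:3456      ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""


def split_endpoint(endpoint):
    """'192.168.1.10:445' -> ('192.168.1.10', 445); also handles '[::]:445'.
    Split on the last colon so IPv6 addresses, which contain colons, survive."""
    addr, port = endpoint.rsplit(":", 1)
    return addr.strip("[]"), int(port)


def scope_of(addr):
    """Where a listener is reachable from: all interfaces, loopback only, or one NIC."""
    if addr in ("0.0.0.0", "::"):
        return "all interfaces"
    if addr in ("127.0.0.1", "::1"):
        return "loopback only"
    return "single interface"


def parse_netstat(text):
    """Yield (proto, local_addr, local_port, foreign, state) for each connection line."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # skips the 'Active Connections' banner, the header and blanks
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""  # UDP lines carry no state
        addr, port = split_endpoint(local)
        yield proto, addr, port, foreign, state


def exposed_ms_ports(text):
    """Microsoft networking listeners reachable from the LAN, i.e. not bound to
    loopback. Returns a sorted list of (proto, port, scope, description)."""
    hits = set()  # a set so 0.0.0.0:445 and [::]:445 collapse into one row
    for proto, addr, port, _foreign, state in parse_netstat(text):
        if port not in MS_NETWORKING_PORTS:
            continue
        if proto == "TCP" and state != "LISTENING":
            continue  # established sessions are reported by smb_sessions()
        scope = scope_of(addr)
        if scope == "loopback only":
            continue
        hits.add((proto, port, scope, MS_NETWORKING_PORTS[port]))
    return sorted(hits)


def smb_sessions(text):
    """Remote peers with an established TCP session to port 445: who is actually
    talking SMB to this host right now."""
    peers = []
    for proto, _addr, port, foreign, state in parse_netstat(text):
        if proto == "TCP" and port == 445 and state == "ESTABLISHED":
            peers.append(split_endpoint(foreign)[0])
    return peers


if __name__ == "__main__":
    for proto, port, scope, what in exposed_ms_ports(NETSTAT_SAMPLE):
        print(f"{proto} {port:<4} {scope:<17} {what}")
    print("SMB sessions from:", smb_sessions(NETSTAT_SAMPLE))
```

A listener bound to 0.0.0.0 or [::] answers on every interface, which is what makes port 445 reachable from the LAN; a port bound only to 127.0.0.1 is not exposed and is dropped from the list. Established sessions on 445 are listed separately because they show who is already using SMB, which is the information needed before blocking the port as section 3.1.2 recommends.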

2.2 CVE-2008-4835

2.2.1 Description

SMB in the Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server
2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote attackers to
execute arbitrary code via malformed values of unspecified "fields inside the SMB
packets" in an NT Trans2 request, related to "insufficiently validating the buffer size,"
aka "SMB Validation Remote Code Execution Vulnerability" (Mitre, CVE-2008-4835,
2015). SecurityFocus classifies this vulnerability as a Boundary Condition Error and
lists it as affecting Avaya Messaging Application Server, Microsoft Windows, and Nortel
Networks products (SecurityFocus, 2009).

The remote host is affected by a memory corruption vulnerability in SMB that may
allow an attacker to execute arbitrary code or perform a denial of service against the
remote host (Nessus, 2015).

2.2.2 Causes of Vulnerability

The vulnerability is caused by the Microsoft Server Message Block (SMB) Protocol
software insufficiently validating the buffer size before writing to it. Microsoft Server
Message Block (SMB) Protocol is a Microsoft network file sharing protocol used
in Microsoft Windows (Microsoft, 2009).

2.2.3 Severity Level

Affected Software                                                  | SMB Validation Remote Code Execution Vulnerability (CVE-2008-4835) | Aggregate Severity Rating
Microsoft Windows 2000 Service Pack 4                              | Critical, Remote Code Execution                                    | Critical
Windows XP Service Pack 2 and Windows XP Service Pack 3            | Critical, Remote Code Execution                                    | Critical
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 | Critical, Remote Code Execution                             | Critical
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 | Critical, Remote Code Execution                    | Critical
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems | Critical, Remote Code Execution | Critical

Table 2.2.3. Severity Rating of CVE-2008-4835 (Microsoft, 2009)

2.2.4 Possible Attack Risks

An attacker who successfully exploited these vulnerabilities could install programs;
view, change, or delete data; or create new accounts with full user rights. An attempt
to exploit the vulnerability would not require authentication, allowing an attacker to
exploit the vulnerability by sending a specially crafted network message to a
computer running the Server service. An attacker who successfully exploited this
vulnerability could take complete control of the system. Most attempts to exploit this
vulnerability would result in a system denial of service condition; however, remote
code execution is theoretically possible (Microsoft, 2009).

2.3 CVE-2005-2120

2.3.1 Description

Part THREE: Countermeasure / Mitigation Plan / Remedial Measures

3.1 Countermeasure

3.1.1 CVE-2003-0533

Keep the host firewall turned on at all times.
Turn on TCP/IP filtering in order to block all unsolicited inbound TCP/IP traffic
(see section 3.3.1).

3.1.2 CVE-2008-4835

Block SMB (TCP ports 139 and 445) at the perimeter firewall and on hosts that do not
need file and printer sharing.
Turn on the host firewall.
Set the Internet security level to High.

3.1.3 CVE-2005-2120

3.2 Mitigation Plan

3.2.1 CVE-2003-0533

Only Windows 2000 and Windows XP can be remotely attacked by an anonymous user.
While Windows Server 2003 and Windows XP 64-Bit Edition Version 2003 contain the
vulnerability, only a local administrator could exploit it.
Windows NT 4.0 is not affected by this vulnerability.
Follow firewall best practices and standard default firewall configurations.

3.2.2 CVE-2008-4835

Firewall best practices and standard default firewall configurations can
help protect networks from attacks that originate outside the enterprise
perimeter.
Windows Vista and Windows Server 2008 are listed as affected in the CVE
description (section 2.2.1), but they are not among the platforms rated Critical
in Table 2.2.3, so they carry a lower priority than Windows 2000, XP and Server 2003.

3.2.3 CVE-2005-2120

3.3 Remedial Measures

3.3.1 CVE-2003-0533

Workaround: create a read-only file called 'dcpromo.log' in the '%systemroot%\debug'
directory. This is reported to be the most effective workaround because the attack works by
making LSASS write overlong debug entries to that log file (section 2.1.1); it therefore
protects the host regardless of which port the attack arrives on.

Users may also carry out the following actions to enable TCP/IP filtering in order to
block all unsolicited inbound TCP/IP traffic:
Step 1: Go to Control Panel and double-click 'Network and Dial-up Connections'.
Step 2: Right-click the network adapter and click 'Properties'.
Step 3: Double-click 'Internet Protocol (TCP/IP)' and press the 'Advanced' button.
Step 4: Choose the 'Options' tab and double-click 'TCP/IP filtering'.
Step 5: Check the 'Enable TCP/IP filtering (all adapters)' checkbox and choose the
'Permit Only' radio button above 'TCP Ports'. It is advised not to add any ports to this
list and not to select the 'Permit Only' radio button above the 'UDP Ports' label.
Step 6: Select OK four times at the subsequent prompts and reboot the system.

3.3.2 CVE-2008-4835

The Metasploit module below does not remediate the vulnerability: it sends the malformed
SMB request and will crash an unpatched host (a denial of service), so it should be run
only against lab systems, with permission, to confirm that the fix has been applied. The
remedy itself is to install the Microsoft security update the module is named after
(MS09-001) and to keep SMB blocked as described in section 3.1.2.
Step 1: Open Metasploit on Kali Linux by typing the command msfconsole.
Step 2: Type the command use auxiliary/dos/windows/smb/ms09_001_write
Step 3: Type show actions, then type set ACTION <action-name>
Step 4: Type the command show options, then type the command run

3.3.3 CVE-2005-2120

4. Conclusion
Statistics show that system compromises are on the rise, so we must guard against them using
the methods available to us. Vulnerability scanners are one tool available for ensuring secure
systems. However, scanners should not be the only weapon in the security arsenal. They
should be used in addition to firewalls, intrusion detection tools, good security policies, and
all the other defenses noted in this paper. Ideally, scanners should be used as a last defense to
complement the security practices already in place. Just keep in mind that a good follow-up
plan to correct any vulnerabilities found is just as important as detecting them (Cima, 2001).

References

Cert. (2004, April 13). Vulnerability Note VU#753212. Retrieved from Cert | Software Engineering
Institute: http://www.kb.cert.org/vuls/id/753212


Cima, S. (2001). Vulnerability Assessment. SANS Institute.

Drew, S. (2015, August 4). Vulnerability Assessments versus Penetration Tests. Retrieved from
SecureWorks: http://www.secureworks.com/resources/blog/vulnerability-assessments-versus-penetration-tests/

Edwards, J. (2008, June 5). The Essential Guide to Vulnerability Scanning. Retrieved from IT Security:
http://www.itsecurity.com/features/essential-guide-vulnerability-scanning-060508/

Houghton, K. (2003). Vulnerabilities & Vulnerability Scanning. SANS Institute.

Mitre. (2015). CVE-2008-4835. Retrieved from Mitre Common Vulnerabilities and Exposures:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4835

O'Reilly. (2002). Common Internet File System (CIFS) and Server Message Block (SMB).
Retrieved from O'Reilly | Building Internet Firewalls:
http://docstore.mik.ua/orelly/networking_2ndEd/fire/ch14_04.htm
Schmittling, R., & Munns, A. (2010). Performing a Security Risk Assessment. Retrieved from ISACA |
Trust In, and value from, Information Systems:
http://www.isaca.org/Journal/archives/2010/Volume-1/Pages/Performing-a-Security-Risk-Assessment1.aspx

SecurityFocus. (2009, January 27). Microsoft Windows SMB NT Trans2 Remote Code Execution
Vulnerability. Retrieved from SecurityFocus: http://www.securityfocus.com/bid/33122

Sejati. (2015). Security Posture Assessment (SPA). Retrieved from Sejati | Your IT Partner of Choice:
http://sejati2u.com.my/services/security/security-posture-assessment-spa/

The Government of the Hong Kong Special Administrative Region. (2008). An Overview of Vulnerability
Scanners. The Government of the Hong Kong Special Administrative Region.
