Final Report
Presented to:
Company ABC
April 2010
This response contains proprietary information of Patriot Technologies and its associated
partners. It is presented with the understanding that you will not reproduce this document and
you will not distribute it or show it to people outside your organization without the written consent
of Patriot Technologies.
The capabilities of the hardware and software described in this proposal are based on information
currently available and on information obtained from your company or agency. The capabilities
represent the genuine expectations of Patriot Technologies but cannot be guaranteed. Patriot
Technologies makes every effort to ensure the accuracy of the contents of this document, but
does not accept liability for any errors or omissions.
Table of Contents
Executive Summary
Scope of Engagement
Detailed Findings
Conclusions
Remediation Plan
Vulnerability Summary Table
Executive Summary
Patriot Technologies performed an external vulnerability assessment for Company ABC
(ABC) in April of 2010. This engagement was limited in scope to up to 20 separate IP addresses
that were supplied by ABC and was conducted from the Patriot Technologies offices in Frederick,
MD. As stated, this was an external assessment, conducted from the viewpoint of a
malicious person attempting to discover vulnerabilities that could possibly be exploited to gain
unauthorized access to ABC systems. No exploitation was conducted for this project.
Patriot has concluded all vulnerability assessment activities and assesses the overall risk to ABC
resources as HIGH – meaning that it is likely that if ABC was being targeted for cyber intrusions
there is a good chance of the malicious person(s) succeeding.
The assessment of ABC’s external facing systems revealed 56 total vulnerabilities of which 6
were rated as “High”. Vulnerabilities rated at these levels, if found to not be a false positive, would
potentially allow someone administrator-level access to the server in question. This could lead to
files/information (public and/or private) being copied, stolen, and/or modified for malicious
purposes. Refer to Figure 1 for a complete breakdown of vulnerabilities.
While it is common for computer systems to have some vulnerabilities, the results of this
assessment indicate the following gaps with respect to information security:
Patriot recommends the following actions to address the issues listed in this report:
• A meeting should be held with all relevant parties to develop a remediation plan to address
the issues identified in this report. This plan should take into account, among other factors,
the criticality of the vulnerability and the affected system.
• ABC should review their change control program for possible deficiencies that would have
potentially allowed these vulnerabilities to be present. This also includes reviewing current
methods of staying up-to-date on security in general so that all risks can be evaluated.
• ABC should review their procedures for developing and deploying web-based applications.
Web-based attacks are on the increase, with known exploits for the identified vulnerabilities
readily available to malicious persons.
• ABC should contract to have their internal systems assessed for similar vulnerabilities. It is
reasonable to expect that if the public-facing systems are misconfigured, the systems that
support the internal network will be in a similar state.
It should be noted that comprehensive, detailed reports have been provided to the ABC POC
prior to the issue of this report so that remediation efforts can be researched. More details
regarding this assessment can be found in the body of this document.
Scope of Engagement
Company ABC (ABC) has contracted with Patriot Technologies to perform an external
vulnerability assessment of up to 20 of their public-facing IP addresses. This engagement is
specifically meant to simulate actions from the perspective of a malicious person outside
ABC's offices, i.e., someone trying to attack ABC from the Internet.
The ABC Point of Contact (POC), Mr. John Smith, provided Patriot with a range of public-facing
IP addresses that were to be evaluated. A kick-off telephone conference was held between
Patriot and ABC to discuss the logistics of the assessment activities, i.e., the time and date to begin and
the emergency contact procedures in the event the scanning system were to cause a degradation of
the ABC systems. Patriot also provided ABC with the IP address of the scanning system so that
monitoring staff would know that this activity, which can be considered malicious under different
circumstances, was in fact authorized.
• Reports from all scanning tools – delivered upon completion of all scans to the ABC Point of
Contact (POC) utilizing e-mail.
• Final report with risk rating delivered to the POC.
• ABC has the option of requesting a formal presentation of the results to ABC by Patriot at
ABC’s location. This request must be made within one (1) week of delivery of the final report.
If such a request is made the actual scheduling and presentation will be determined based
upon ABC’s schedule.
Detailed Findings
This section lists all vulnerabilities that were reported at the "High" level. Included in each
finding is a recommendation on how to mitigate the issue or reduce the risk of exploitation to
an acceptable level. A complete report of all vulnerabilities has been provided to ABC under
separate cover; that list includes all categories of vulnerabilities so that a comprehensive project
plan can be created. The proposed remediation plan (see next section) is based upon the
complete listing of vulnerabilities.
Rating: High
IP Address: xx.xx.xx.xx
Description: The presence of a potential SQL Injection attack vector exists on the target
web server. This vulnerable code could potentially allow attackers to inject arbitrary SQL
code into its rendered web pages or database. An attacker could further leverage this
resource to execute arbitrary scripts in the context of the web host and compromise the
integrity of the web server or its clients.
Remediation: Implement strict user- and server-side validation, keyword filtering, and ISO-
8859-1 character encoding on all user-supplied input locations of a website. Ensure that all
SQL requests are performed through stored procedures or parameterized requests to the
SQL database. Alternatively, for servers with .NET-based web applications, certain SQL
injection attacks may be mitigated by integrating LINQ extensions within code.
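The following is an added illustration of this finding and its remediation; it is example code written for this report and is not ABC's application code or any Patriot tooling. It builds a constructed in-memory users table, shows the string-built query pattern the finding describes, and beside it the parameterized request and the server-side allowlist validation that the remediation calls for.

```python
"""Added illustration for the SQL Injection finding: a string-built query
beside its parameterized form. Example code, not ABC's or Patriot's; the
users table, the queries and the sample input are constructed."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The pattern behind the finding: user input is pasted into the SQL
    text, so a quote character in the input changes the query's structure."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Remediation from the report: a parameterized request. The driver binds
    the value; it is compared as data and is never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Assumed username policy for the demo: short, lowercase alphanumerics and
# underscore. Rejecting anything else (rather than filtering keywords) is
# the stricter of the two validation styles the remediation mentions.
USERNAME_ALLOWED = set("abcdefghijklmnopqrstuvwxyz0123456789_")


def validate_username(username: str) -> bool:
    """Server-side validation as a second layer in front of the database."""
    return 0 < len(username) <= 32 and set(username) <= USERNAME_ALLOWED


if __name__ == "__main__":
    db = build_db()
    # Constructed input that turns the WHERE clause into a tautology.
    probe = "x' OR '1'='1"
    print("vulnerable   :", lookup_vulnerable(db, probe))      # every row
    print("parameterized:", lookup_parameterized(db, probe))   # no rows
    print("validated    :", validate_username(probe))          # False
```

The vulnerable function returns the whole table for the constructed input because the quote in the input closes the literal and the rest becomes SQL; the parameterized version returns nothing because the same string is only ever compared as a username. Validation alone is not the fix, which is why the report lists both.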
Rating: High
Rating: High
IP Address: xx.xx.xx.xx
Rating: High
IP Address: xx.xx.xx.xx
Description: An integer overflow vulnerability exists in PHP 5.2.5 and prior that could allow
context-dependent attackers to remotely execute arbitrary code or cause denial of service
conditions. This vulnerability is due to the "php_sprintf_appendstring()" function of
"formatted_print.c" failing to check the boundaries of integer values. Successful exploitation
requires the webserver to be serving an arbitrary PHP application that uses the affected
function.
Remediation: Apply the CVS patch available from PHP, or update to PHP 5.2.6 or newest
release.
Rating: High
IP Address: xx.xx.xx.xx
Description: Multiple vulnerabilities have been identified in PHP versions prior to 4.4.6 or
5.2.1. These range in severity from information disclosure to denial of service to possible
code execution.
Note: This audit is designed for versions of PHP obtained from
PHP.net and may report false findings with vendor-specific backports.
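As an added check covering the two PHP findings above, the script below decides whether a PHP version advertised in a server banner falls inside the affected ranges the report states (5.2.5 and prior for the sprintf overflow; prior to 4.4.6 or 5.2.1 for the multiple-vulnerability finding) and carries the report's own caveat that vendor backports make a banner match a lead for verification rather than a confirmed vulnerability. This is example code written for this report, not Patriot's assessment tooling; the banner strings are constructed.

```python
"""Added version check for the two PHP findings: is a reported PHP version
inside the affected ranges the report gives? Example code, not Patriot's
tooling; the banner strings used below are constructed."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Fixed versions as stated in the findings. Anything below the fixed
# version is treated as affected.
SPRINTF_OVERFLOW_FIXED: Version = (5, 2, 6)          # "PHP 5.2.5 and prior"
MULTIPLE_VULNS_FIXED: Dict[int, Version] = {         # "prior to 4.4.6 or 5.2.1"
    4: (4, 4, 6),
    5: (5, 2, 1),
}

# Matches "PHP/5.2.5" as it appears in Server or X-Powered-By headers.
BANNER_RE = re.compile(r"PHP/(\d+(?:\.\d+)*)")


def parse_version(banner: str) -> Optional[Version]:
    """Pull a dotted PHP version out of a header value; None if absent."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def affected_by_sprintf_overflow(v: Version) -> bool:
    """'5.2.5 and prior' read literally: every version below 5.2.6."""
    return v < SPRINTF_OVERFLOW_FIXED


def affected_by_multiple_vulns(v: Version) -> bool:
    """Below 4.4.6 on the 4.x branch or below 5.2.1 on the 5.x branch;
    majors older than 4 are below every fix, newer majors carry them."""
    major = v[0]
    if major in MULTIPLE_VULNS_FIXED:
        return v < MULTIPLE_VULNS_FIXED[major]
    return major < 4


def assess(banner: str) -> dict:
    """Return the version found and which of the two findings it matches."""
    v = parse_version(banner)
    if v is None:
        return {"version": None, "findings": [],
                "verify": "no PHP version advertised; check another way"}
    findings: List[str] = []
    if affected_by_sprintf_overflow(v):
        findings.append("php_sprintf_appendstring integer overflow (fixed in 5.2.6)")
    if affected_by_multiple_vulns(v):
        findings.append("multiple vulnerabilities (fixed in 4.4.6 / 5.2.1)")
    # Distribution packages often backport fixes without bumping the
    # version string, so a banner hit goes to the false-positive review
    # the remediation plan calls for, not straight to the work queue.
    return {"version": ".".join(map(str, v)), "findings": findings,
            "verify": "confirm against the vendor changelog before remediating"}


if __name__ == "__main__":
    for banner in ("Apache/2.2.3 (CentOS) PHP/5.2.5",   # constructed
                   "X-Powered-By: PHP/5.2.0",            # constructed
                   "Apache/2.2.3 (CentOS)"):             # no version
        print(assess(banner))
```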
Rating: High
IP Address: xx.xx.xx.xx, xx.xx.xx.xx
Description: Microsoft Windows Server Message Block (SMB) Protocol contains multiple
vulnerabilities when handling malformed SMB packets. Successful exploitation could allow
a remote unauthenticated attacker to execute arbitrary code with SYSTEM privileges or
could cause the system to stop responding and restart.
Remediation: Install the appropriate patch from Microsoft or through Windows Update.
Conclusions
Company ABC is a medium-sized organization that serves government (federal, state, and local)
and commercial clients. Their information technology infrastructure is fairly robust and
widespread although somewhat immature in that it has not significantly changed in the last
several years. Patriot Technologies, Inc. was asked to perform this vulnerability assessment in
the wake of a major infrastructure update that included several public-facing systems and
applications.
Given this information Patriot feels that the systems evaluated, if attacked, are at a HIGH risk
of being successfully exploited.
Remediation Plan
Patriot Technologies offers this remediation plan as a series of recommended actions that, should
ABC undertake them, would significantly improve the security posture of the ABC public-facing
computer systems. Completion of these actions would reduce (or eliminate) the number of
vulnerabilities associated with said systems. It should be noted that in most cases all
applications/systems will have some vulnerabilities rated at least as "Low"; the point is
that a "vulnerability-free" application is not usually feasible. An estimate of time for these actions
is not included, as this is dependent on several factors, including external information that is not
available to Patriot.
• Verify the findings from the assessment tools. Patriot utilizes automated tools that are among
the leaders in the security industry; however, all such tools are prone to false positives.
Identifying any false positives should reduce the amount of resources necessary to complete
the remediation activities.
• Establish a project plan to address all vulnerabilities reported during this engagement. This
project plan should take into account not only the criticality of the reported vulnerability but
also the criticality of the system it was reported against. This may cause “lower-rated”
vulnerabilities to be addressed first given the nature of the target system.
• Consider having another, similar, scan performed once the remediation efforts are
completed. This would help to ensure that the actions performed did eliminate the listed
vulnerabilities. It would also ensure that new vulnerabilities were not exposed as a result of
these remediation efforts.
• Review the existing change control procedures, specifically for application development and
patch management. This will ensure that well-known exploits are mitigated (to some degree),
access rights are appropriately assigned, and that all systems are kept as up-to-date as
possible. If such a procedure does not exist ABC should establish one.
• Consider having an internal assessment performed in ABC's environment. This would help
identify vulnerabilities on systems that are not necessarily publicly available but are exposed to
possible malicious or accidental insider activity, or to an attacker who has
breached an external system.
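The two steps above that shape the project plan, discarding verified false positives and then ordering by the criticality of both the vulnerability and the system it was reported against, are shown below as an added worked example. It is example code written for this report, not Patriot's process or ABC's data; the finding list, the system names and the criticality values are constructed, and ABC would assign its own.

```python
"""Added worked example for the remediation plan: drop confirmed false
positives, then order findings by vulnerability rating times system
criticality. Example code, not Patriot's; all data below is constructed."""
from dataclasses import dataclass
from typing import List

RATING_WEIGHT = {"High": 3, "Medium": 2, "Low": 1}

# Asset criticality is ABC's decision; these values are assumed for the demo.
SYSTEM_CRITICALITY = {"payment-api": 3, "public-www": 2, "marketing-blog": 1}


@dataclass
class Finding:
    finding_id: str
    rating: str
    system: str
    verified: bool            # a human has confirmed it is not a false positive
    false_positive: bool = False


def priority(f: Finding) -> int:
    """Criticality of the vulnerability times criticality of the system."""
    return RATING_WEIGHT[f.rating] * SYSTEM_CRITICALITY[f.system]


def build_plan(findings: List[Finding]) -> List[str]:
    """Finding ids in the order they should be worked. Confirmed false
    positives are removed; among equal scores, verified items go first so
    the verification step is not skipped, then ids for a stable order."""
    actionable = [f for f in findings if not f.false_positive]
    ordered = sorted(actionable,
                     key=lambda f: (-priority(f), not f.verified, f.finding_id))
    return [f.finding_id for f in ordered]


# Constructed sample findings.
SAMPLE_FINDINGS = [
    Finding("F-01", "High", "marketing-blog", verified=True),
    Finding("F-02", "Medium", "payment-api", verified=True),
    Finding("F-03", "High", "public-www", verified=True),
    Finding("F-04", "High", "public-www", verified=True, false_positive=True),
    Finding("F-05", "Low", "payment-api", verified=False),
]

if __name__ == "__main__":
    for fid in build_plan(SAMPLE_FINDINGS):
        f = next(x for x in SAMPLE_FINDINGS if x.finding_id == fid)
        print(fid, f.rating, f.system, "score", priority(f))
```

With the constructed data, the Medium finding on the payment system (score 6) is scheduled ahead of the High finding on the marketing site (score 3), which is exactly the "lower-rated vulnerabilities addressed first" outcome the plan describes, and the confirmed false positive never enters the queue.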