
Vulnerability Assessment

Final Report

Presented to:

Company ABC
April 2010

Sales Order # XXXXX

This response contains proprietary information of Patriot Technologies and its associated
partners. It is presented with the understanding that you will not reproduce this document and
you will not distribute it or show it to people outside your organization without the written consent
of Patriot Technologies.

The capabilities of the hardware and software described in this proposal are based on information
currently available and on information obtained from your company or agency. The capabilities
represent the genuine expectations of Patriot Technologies but cannot be guaranteed. Patriot
Technologies makes every effort to ensure the accuracy of the contents of this document, but
does not accept liability for any errors or omissions.

Copyright Patriot Technologies 2010


ABC Confidential – For Internal Use Only

Table of Contents
Executive Summary ................ 3
Scope of Engagement .............. 5
Detailed Findings ................ 6
Conclusions ...................... 8
Remediation Plan ................. 9
    Vulnerability Summary Table .. 9

Copyright 2010 - Patriot Technologies, Inc.


Page 2 of 9

Executive Summary
Patriot Technologies performed an external vulnerability assessment for Company ABC
(ABC) in April of 2010. This engagement was limited in scope to up to 20 separate IP addresses
that were supplied by ABC and was conducted from the Patriot Technologies offices in Frederick,
MD. As stated, this was an external assessment, conducted from the viewpoint of a
malicious person attempting to discover vulnerabilities that could possibly be exploited to gain
unauthorized access to ABC systems. No exploitation was conducted for this project.

Patriot has concluded all vulnerability assessment activities and assesses the overall risk to ABC
resources as HIGH – meaning that it is likely that if ABC was being targeted for cyber intrusions
there is a good chance of the malicious person(s) succeeding.

The assessment of ABC’s external facing systems revealed 56 total vulnerabilities of which 6
were rated as “High”. Vulnerabilities rated at these levels, if found to not be a false positive, would
potentially allow someone administrator-level access to the server in question. This could lead to
files/information (public and/or private) being copied, stolen, and/or modified for malicious
purposes. Refer to Figure 1 for a complete breakdown of vulnerabilities.

Figure 1 - Scan Results


While it is common for computer systems to have some vulnerabilities, the results from this
assessment indicate the following gaps with respect to information security:

• Application Development – 13 of the high-level vulnerabilities were reported on one system
and they all are related to known attacks using SQL queries. Based on the scanner findings it
would appear that the application(s) on this system were developed with a lack of proper data
sanitization, validation, or filtering for invalid entries.
• Patch Management – Of the 19 high-level vulnerabilities reported, 3 indicate older
versions of software in use that contain known exploitable issues. One possible indication of
this is a lack of patch management and/or awareness of secure configuration standards. A
robust patch management system would have at least identified (through various means)
issues with the versions of software running on these systems, and remediation efforts could
have been discussed and acted on accordingly. However, it should be noted that the versions
of software discovered on these systems may have been required by the application in order
to function correctly.
• Access Control Standards – The other three high-level vulnerabilities indicate a lack of
access restrictions from external sources to internal systems/files. Specifically, the
vulnerability identified could potentially allow an attacker to define a data source of their
choosing – resulting in sensitive data being stored outside the organization on a non-ABC
owned system.
• Configuration Control – The items listed above are all key players in a larger scheme of
configuration control. Standards for applications (developed in-house and/or purchased) as
well as the underlying computer systems need to be established and followed. Part of this
control function is to ensure that systems/applications are patched/updated as needed or
required and that access levels are appropriately assigned to the various groups of users
who are accessing the system/application.
• Perimeter Security Configuration – These vulnerabilities – by virtue that they are reachable
from an external source – may also indicate that the perimeter security devices in place at
ABC may not be optimally configured. Part of this engagement between Patriot and ABC
includes a review of their perimeter firewall configuration which has not yet occurred. Thus
the results from that review are not included in this report.

Patriot recommends the following actions to address the issues listed in this report:

• A meeting should be held with all relevant parties to develop a remediation plan to address
the issues identified in this report. This plan should take into account, among other factors,
the criticality of the vulnerability and the affected system.
• ABC should review their change control program for possible deficiencies that would have
potentially allowed these vulnerabilities to be present. This also includes reviewing current
methods of staying up-to-date on security in general so that all risks can be evaluated.
• ABC should review their procedures for developing, and deploying, web-based applications.
Web-based attacks are on the increase with known exploits for the identified vulnerabilities
readily available to malicious persons.
• ABC should contract to have their internal systems assessed for similar vulnerabilities. It is
reasonable to expect that if the public-facing systems are mis-configured the systems that
support the internal network will be in a similar state.

It should be noted that comprehensive, detailed reports were provided to the ABC POC
prior to the issuance of this report so that remediation efforts can be researched. More details
regarding this assessment can be found in the body of this document.


Scope of Engagement
Company ABC (ABC) has contracted with Patriot Technologies to perform an external
vulnerability assessment of up to 20 of their public-facing IP addresses. This engagement is
specifically meant to simulate actions from the perspective of a malicious person outside
ABC’s offices, i.e., someone trying to attack ABC from the Internet.

The ABC Point of Contact (POC), Mr. John Smith, provided Patriot with a range of public-facing
IP addresses that were to be evaluated. A kick-off telephone conference was held between
Patriot and ABC to discuss the logistics of the assessment activities (i.e., time/date to begin and
emergency contact procedures in the event the scanning system were to cause a degradation of
the ABC systems). Patriot also provided ABC with the IP address of the scanning system so that
monitoring staff would know that this activity, which can be considered malicious under different
circumstances, was in fact authorized.

A Patriot Security Engineer utilized security industry-recognized vulnerability scanning technology
to conduct the vulnerability assessment during April of 2010. Once all scanning activities were
complete, a detailed analysis was performed of the findings.

The deliverables for this engagement were agreed to as:

• Reports from all scanning tools – delivered upon completion of all scans to the ABC Point of
Contact (POC) utilizing e-mail.
• Final report with risk rating delivered to the POC.
• ABC has the option of requesting a formal presentation of the results to ABC by Patriot at
ABC’s location. This request must be made within one (1) week of delivery of the final report.
If such a request is made the actual scheduling and presentation will be determined based
upon ABC’s schedule.


Detailed Findings
This section lists all vulnerabilities that were reported at the “High” level. Included in each
finding is a recommendation on how to mitigate the issue or reduce the risk of exploitation to
an acceptable level. A complete report of all vulnerabilities has been provided to ABC under
separate cover; that list includes all categories of vulnerabilities so that a comprehensive project
plan can be created. The proposed remediation plan (see next section) is based upon the
complete listing of vulnerabilities.

Finding: Web Application SQL Injection Vulnerability (13 Instances)

Rating: High

IP Address: xx.xx.xx.xx

Description: A potential SQL Injection attack vector exists on the target web server. The
vulnerable code could potentially allow attackers to inject arbitrary SQL code into its rendered
web pages or database. An attacker could further leverage this resource to execute arbitrary
scripts in the context of the web host and compromise the integrity of the web server or its
clients.

Remediation: Implement strict user and server side validation, keyword filtering, and
ISO-8859-1 character encoding on all user-supplied input locations of a website. Ensure that all
SQL requests are performed through stored procedures or parameterized requests to the
SQL database. Alternatively, for servers with .NET-based web applications, certain SQL
injection attacks may be mitigated by integrating LINQ extensions within code.
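As an added illustration of the remediation above (example code, not from this report or from Patriot Technologies), the following Python uses a constructed in-memory SQLite table to contrast the concatenated-query pattern this finding describes with the parameterized request the remediation calls for; the table contents and the test input are assumptions made for the demonstration:

```python
import sqlite3


def make_db():
    """Constructed sample data for the demonstration; not data from the assessment."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", 1), ("bob", "hunter2", 0)],
    )
    return conn


def lookup_vulnerable(conn, username, password):
    """The pattern behind the finding: user input is spliced into the SQL text.
    A quote character in the input therefore changes the structure of the query."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s' "
        "ORDER BY username" % (username, password)
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username, password):
    """The report's remediation: a parameterized request. The driver binds the
    values as data, so input can never alter the query structure."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    """Run both lookups with a valid credential and with a quote-bearing input
    (the classic tautology) and return the rows each variant yields."""
    conn = make_db()
    quote_input = "' OR '1'='1"  # constructed test input containing a quote
    return {
        "vuln_valid": lookup_vulnerable(conn, "alice", "s3cret"),
        "vuln_quoted": lookup_vulnerable(conn, "x", quote_input),
        "param_valid": lookup_parameterized(conn, "alice", "s3cret"),
        "param_quoted": lookup_parameterized(conn, "x", quote_input),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The concatenated version returns every user for the quoted input, while the parameterized version returns nothing, which is the behaviour stored procedures and LINQ achieve by the same binding mechanism.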

Finding: CGI – getdrvrs.exe (3 Instances)

Rating: High

IP Address: xx.xx.xx.xx xx.xx.xx.xx xx.xx.xx.xx

Description: The IIS program /scripts/tools/getdrvrs.exe allows a remote user to create a
new ODBC database source on the host using a path, file name, and database driver of
his choosing, and could be exploited for a number of malicious purposes.

Remediation: Remove /scripts/tools/getdrvrs.exe, or if this is not a viable option, restrict
access to the file as much as possible.


Finding: PHP Multiple Vulnerabilities (20081208)

Rating: High

IP Address: xx.xx.xx.xx

Description: PHP contains multiple vulnerabilities when processing malformed PCRE
regular expressions, legacy IMAP requests, font files, delimiter arguments, and file names.
Successful exploitation of these vulnerabilities could allow safe_mode restrictions to be
bypassed, execution of arbitrary code, or could cause denial of service conditions.

Note: This audit is designed for versions of PHP obtained from PHP.net and may report
false findings with vendor specific backports.

Remediation: Upgrade PHP to version 5.2.8 or newer.

Finding: PHP 5 php_sprintf_appendstring() Remote Integer Overflow

Rating: High

IP Address: xx.xx.xx.xx

Description: An integer overflow vulnerability exists in PHP 5.2.5 and prior that could allow
context-dependent attackers to remotely execute arbitrary code or cause denial of service
conditions. This vulnerability is due to the "php_sprintf_appendstring()" function of
"formatted_print.c" failing to check the boundaries of integer values. Successful exploitation
requires the webserver to be serving an arbitrary PHP application that uses the affected
function.

Remediation: Apply the CVS patch available from PHP, or update to PHP 5.2.6 or newest
release.

Finding: PHP Multiple Vulnerabilities (200704)

Rating: High

IP Address: xx.xx.xx.xx

Description: Multiple vulnerabilities have been identified in PHP versions prior to 4.4.6 or
5.2.1. These range in severity from information disclosure to denial of service to possible
code execution.

Note: This audit is designed for versions of PHP obtained from PHP.net and may report
false findings with vendor specific backports.

Remediation: Update to PHP 4.4.6 or newer, 5.2.1 or newer, or newest available
vendor-supplied PHP packages.


Finding: Microsoft Windows SMB Remote Code Execution (958687) – Remote (2 Instances)

Rating: High

Description: Microsoft Windows Server Message Block (SMB) Protocol contains multiple
vulnerabilities when handling malformed SMB packets. Successful exploitation could allow
a remote unauthenticated attacker to execute arbitrary code with SYSTEM privileges or
could cause the system to stop responding and restart.

This vulnerability was identified on the following systems:

xx.xx.xx.xx xx.xx.xx.xx

Remediation: Install the appropriate patch from Microsoft or through Windows Update.

Conclusions
Company ABC is a medium-sized organization that serves government (federal, state, and local)
and commercial clients. Their information technology infrastructure is fairly robust and
widespread although somewhat immature in that it has not significantly changed in the last
several years. Patriot Technologies, Inc. was asked to perform this vulnerability assessment in
the wake of a major infrastructure update that included several public-facing systems and
applications.

The external vulnerability assessment of ABC revealed a number of high/critical vulnerabilities
that, if exploited, could lead to unauthorized access or the ability for a malicious person to
execute their applications for other purposes. This may lead to exposure of client data and
damage to the image of ABC. In determining the overall risk rating Patriot looks not only at the
number (and severity) of vulnerabilities found but includes other factors such as the age and
possible consequences posed by a specific vulnerability.

Given this information Patriot feels that the systems evaluated, if attacked, are at a HIGH risk
of being successfully exploited.


Remediation Plan
Patriot Technologies offers this remediation plan as a series of recommended actions that, should
ABC undertake them, would significantly increase the security posture of the ABC public-facing
computer systems. Completion of these actions would reduce (or eliminate) the number of
vulnerabilities associated with said systems. It should be noted that in most cases all
applications/systems will have some vulnerabilities, rated at least as “Low”; the point is
that a “vulnerability-free” application is not usually feasible. An estimate of time for these actions
is not included, as this is dependent on several factors, including external information that is not
available to Patriot.

• Verify the findings from the assessment tools. Patriot utilizes automated tools that are among
the leaders in the security industry; however, all such tools are prone to false positives.
Identifying any false positives should reduce the amount of resources necessary to complete
the remediation activities.
• Establish a project plan to address all vulnerabilities reported during this engagement. This
project plan should take into account not only the criticality of the reported vulnerability but
also the criticality of the system it was reported against. This may cause “lower-rated”
vulnerabilities to be addressed first given the nature of the target system.
• Consider having another, similar, scan performed once the remediation efforts are
completed. This would help to ensure that the actions performed did eliminate the listed
vulnerabilities. It would also ensure that new vulnerabilities were not exposed as a result of
these remediation efforts.
• Review the existing change control procedures, specifically for application development and
patch management. This will ensure that well-known exploits are mitigated (to some degree),
access rights are appropriately assigned, and that all systems are kept as up-to-date as
possible. If such a procedure does not exist ABC should establish one.
• Consider having an internal assessment performed in their environment. This would help
identify vulnerabilities on systems that were not necessarily publicly available but exposed to
possible malicious/accidental insider activities or in the event that someone were able to
breach an external system.
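The "verify the findings" step above applies directly to the three PHP findings in this report, whose notes warn that vendor-specific backports can produce false results. The following Python is an added example (not code from this report or from Patriot Technologies) that takes the minimum fixed versions stated in those findings and triages a host's PHP banner into likely-true, likely-false, or needs-manual-verification; the banner strings are constructed for the demonstration, and the findings' fixed versions are assumed to apply only to the branches the report names:

```python
import re

# First fixed version per major branch, as stated in the report's three PHP
# findings. The 20081208 finding names only a 5.x fix, so 4.x is left uncovered.
FIXED_VERSIONS = {
    "PHP Multiple Vulnerabilities (200704)": {4: (4, 4, 6), 5: (5, 2, 1)},
    "PHP 5 php_sprintf_appendstring() Remote Integer Overflow": {5: (5, 2, 6)},
    "PHP Multiple Vulnerabilities (20081208)": {5: (5, 2, 8)},
}

# Matches "PHP/5.2.5" and captures any trailing vendor suffix such as "-3ubuntu4.1".
BANNER_RE = re.compile(r"PHP/(\d+)\.(\d+)\.(\d+)([^\s,;)]*)")


def parse_php_banner(header_value):
    """Return (version_tuple, vendor_suffix) from a Server or X-Powered-By value,
    or None when the banner does not advertise PHP at all."""
    m = BANNER_RE.search(header_value)
    if not m:
        return None
    version = tuple(int(x) for x in m.group(1, 2, 3))
    return version, m.group(4)


def triage(header_value):
    """Classify each PHP finding for one host's banner:
    'likely-true'  - version older than the fix and a stock PHP.net build
    'likely-false' - version at or above the stated fix
    'verify'       - vendor build (possible backport), branch the report does not
                     cover, or no PHP version visible; needs manual confirmation."""
    parsed = parse_php_banner(header_value)
    if parsed is None:
        return {name: "verify" for name in FIXED_VERSIONS}
    version, suffix = parsed
    verdicts = {}
    for name, fixed_by_branch in FIXED_VERSIONS.items():
        fixed = fixed_by_branch.get(version[0])
        if fixed is None:
            verdicts[name] = "verify"
        elif version >= fixed:
            verdicts[name] = "likely-false"
        elif suffix:
            verdicts[name] = "verify"  # distro may have backported the fix
        else:
            verdicts[name] = "likely-true"
    return verdicts


if __name__ == "__main__":
    # Constructed banners, not values observed during the assessment.
    for banner in ("Apache/2.2.3 (Unix) PHP/5.2.5", "PHP/5.2.5-3ubuntu4.1", "PHP/4.4.2"):
        print(banner, triage(banner))
```

A "likely-true" verdict still deserves confirmation against the scanner's raw report, since a banner can be stale or deliberately altered.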

Vulnerability Summary Table

Vulnerability                                                 Risk Rating
------------------------------------------------------------  -----------
Web Application SQL Injection Vulnerability                   High
CGI – getdrvrs.exe                                            High
PHP Multiple Vulnerabilities (20081208)                       High
PHP 5 php_sprintf_appendstring() Remote Integer Overflow      High
PHP Multiple Vulnerabilities (200704)                         High
