Originally published: http://www.hackernews.com/orig/whyvuln.html
Why Your Network is Still Vulnerable
You trust the security experts. Their books and articles about
security are often the bibles of system administrators.
Their one-paragraph biographies tell you of their ten to twenty years doing network
security. They take on impressive titles at neat-sounding companies
they secure. Why is it these experts often give you the absolute worst
advice that could cross your ears?
Time and time again, security 'experts' casually recommend that you
use or deploy a package like the SATAN security scanner to test your network for
vulnerabilities. While few references to SATAN will claim it is the
end-all solution to computer security, the mere fact people ever
recommended the tool is absurd. More disturbing is that over four years
after its release, some continue to reference it in a serious
manner.
Before I continue, I'd like to qualify and assure you this is not a
rant against SATAN's (or any other tool's) authors. The attention and hype that propelled
SATAN into the media spotlight is no fault of theirs. Rather, other
security 'experts' and/or media outlets cried wolf before it was
released and helped create the "demise of the internet" as it was once
called. This article will focus on SATAN as an example, simply because of the
label it received from so many. Please keep in mind that SATAN is a forefather
to most of the commercial scanners you are familiar with. So time progresses and
people realize the futility of
recommending a utility never designed for intensive and thorough auditing,
right? Of course not.
Politically Correct
Instead of researching options more suitable for these books and articles,
many security professionals dutifully recommend SATAN, COPS, Tiger and other out-of-date
utilities. The question is why? Regardless of the answer, it isn't a good
enough reason. Security experts have an ethical obligation to recommend
viable and solid solutions to their readers and customers. Each and every time they
don't, they further validate weak utilities as a method for securing
your network. Days after auditing a network with these tools, that
network falls victim to an intruder and nobody can figure out why.
SATAN was last released as version 1.1.1 on March 20, 1995. Obviously,
network security concerns move at the speed of light. Any security audit
tool not updated hours ago is already behind the times. So how can so many
security professionals continue to recommend such an old and outdated
tool? The only answer that comes to mind is the concept of being
Politically Correct. The media told the masses this was a serious tool
and should be regarded as a legitimate network auditing tool. Who
would want to go against the grain and say otherwise? No one apparently.
Media and mainstream press put SATAN on a pedestal of unseen heights.
As a result, several security professionals are still looking up and not
seeing the scanner for what it is. Every day that passed with no
qualified individual speaking up lent more weight to what the media
had already said. Four years later, this is the first article to
my knowledge that is doing that.
Who's on the Bandwagon?
If you haven't read many security articles, you may not have run across
a reference to SATAN. In case you haven't, let's look at a few of the
many media outlets, security professionals and others who tell you to
use it.
It started in 1995 with a wave of articles and press frenzy surrounding
the tool's release. To this day, articles still seem to latch onto the
idea SATAN is a viable tool for network security. In 1995, an Oakland
Tribune article said:
"It's like randomly mailing automatic rifles to 5,000 addresses.
I hope some crazy teen doesn't get a hold of one."
More recently SATAN has popped back up in more articles. James Glave
quoted a Microsoft spokesperson on the use of SATAN in his article
"Back Orifice a pain in the..?" (27). In April, Kevin Reichard wrote
about the tool in his article "Network Security" (28).
Many popular and respected magazines have run articles suggesting the
use of SATAN. Among them are Linux Journal (1), Info Security News (2),
Security Advisor (3) and Information Security (An ICSA Publication) (4).
Most disturbing is that most of the publicly available security
magazines push SATAN onto their readers at one point or another.
These are the so-called experts, the people who should know the program
does little for today's networks. Yet as late as September 1998, three
years since SATAN's last release, they are still doing it.
Visit your local bookstore and you will be lucky to find more than
five or ten security books. Over the past five years, more than one hundred
books focusing on security have crossed these shelves. Interestingly
enough, a healthy percentage of them make the misplaced recommendation
of SATAN as a valuable auditing tool. Worse, the idea of using such
outdated and inferior tools has crossed beyond the realm of security
books. A few of these books you may have seen are Practical Unix &
Internet Security (5), UNIX System Administrator's Companion (6),
Halting the Hacker (7), and Internet Besieged (8). Recently, O'Reilly
released an entire book devoted to using SATAN to protect your networks (9).
To a degree, this release gave the ultimate validation to the tool's
ability to protect your network. Are these books unworthy of attention?
No. I would hazard they are being politically correct.
To keep on the bandwagon of overhype and undue attention, several security
advisories have been released to prepare the net for this tool. One issue
remains unresolved though. Why have few advisories followed the various
SATAN advisories warning users of other utilities that are far more
dangerous to their organization? In 1995 we were flooded with advisories
from every response team or security group out there. CERT CA-95:06 (10),
CIAC F-19 (11), CIAC F-20 (12), CIAC F-21 (13), CIAC F-23 (14),
CIAC F-24 (15), SMS 00130A (16), NASIRC (17), Assist 95-11 (18),
Assist 95-19 (19), and Auscert AA-95.03 (20) are just a few of the
security advisories warning us of the impact of SATAN.
With all of the news articles, books, security advisories and other
miscellaneous hype, how could anyone go against the grain and jump off
the bandwagon?
Satan is as Satan Does
Giving these various doomsday media outlets the benefit of the doubt,
we could at least expect them to talk to knowledgeable professionals.
That leads to two more questions. First, why didn't they do just that?
Second, why are some security professionals writing articles recommending
it? Some might argue that since it has a point-and-click graphical
user interface, it is easy for the novice admin. I certainly don't buy
that. Considering it takes a Unix host, Perl, X Windows and other
resources that are not the easiest to set up, expecting novice admins
to use it is not logical.
Martin Freiss (author of 'Protecting Networks with SATAN') writes in
his introduction about the extent of SATAN protecting your network:
"Naturally, SATAN cannot detect every security vulnerability.
In particular, there are security problems in the transfer
protocols of the Internet and intranets... True security can
be achieved only if all dangers are known, including those
that SATAN cannot detect..."
Based on these words, I think it fair to say that those people familiar
with the tool realize its limits. Most security professionals, when
asked if there is an end-all, be-all solution to network security,
will answer that no such beast exists. On the other hand, they will also tell
you that no one tool will be the 'demise of the internet' like some
claimed.
Falling Short
Technically speaking, why shouldn't these organizations and people be
recommending SATAN? Let's examine what the program does in the way
of vulnerability checking on a remote host. The following list is taken
from the documentation.
- NFS file systems exported to arbitrary hosts
- NFS file systems exported to unprivileged programs
- NFS file systems exported via the portmapper
- NIS password file access from arbitrary hosts
- Old (i.e. before 8.6.10) sendmail versions
- REXD access from arbitrary hosts
- X server access control disabled
- arbitrary files accessible via TFTP
- remote shell access from arbitrary hosts
- writable anonymous FTP home directory
The first thing we notice is that it scans for ten whole vulnerabilities.
Thinking back to the start of this year alone, you should be aware that over
one hundred vulnerabilities have been brought to light on the Internet.
So by sheer percentage of known vulnerabilities covered, it doesn't quite cut it. Commercial
competitors of SATAN like ISS and Cybercop pride themselves and attempt
to gain market share based on the high number of vulnerabilities they
scan for (over 500).
Since numbers are often misleading, let's look at some real-world examples
of why SATAN is not a good recommendation. If you are tasked to deal with
network security and you run any flavor of Unix, you are probably aware
of the hundred or so vendor-based security advisories for your platform
of choice. Some of the more recently exploited vulnerabilities:
- ToolTalk (rpc.ttdb): Detailed in NAI Advisory #29 (23)
- Statd (rpc.statd): Detailed in SMS Advisory #186 (24)
- Calendar Manager (rpc.cmsd): Detailed in SMS Advisory #188 (25)
- Cold Fusion (WinNT): Several problems covered in many advisories (26)
- wu-ftpd, named (DNS), pop (mail), imap (mail), nisd, autofsd, and more.
Comparing the list of vulnerabilities being widely exploited on the
Internet today with the list of vulnerabilities SATAN checks for, we
can see it does one thing quite well. It falls short. For you NT
administrators, seek help elsewhere.
Insult to Injury
Yes, it gets worse. Not only does the program fall short in assisting
with network security analysis, it poses a serious threat to your network
security in ways that didn't previously exist.
As outlined in CERT CA-95:07 (21), there is a "Password Disclosure" issue
with SATAN 1.0, fixed in version 1.1. CIAC F-22 (22) covers another
vulnerability that allows unauthorized users to execute commands and gain
root access through SATAN. Marc Heuse later posted to Bugtraq regarding
SATAN and other widely used security tools having /tmp race conditions
allowing unauthorized users to create or overwrite any file on the system.
This last vulnerability was found in SATAN 1.1.1, the last version released.
No further revisions have been forthcoming so the issue has not been
fixed.
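The /tmp race just described is the classic predictable-filename defect: a tool writes its working files to a name under /tmp that anyone on the host can guess in advance, and whatever is already sitting at that name when the tool runs (for instance a symbolic link pointing at a file the tool's user is allowed to write) silently receives the data. The Python below is an added illustration of the defect beside two hardened forms; it is not SATAN's code, and the directory, "victim" file and predictable name it uses are constructed for the demonstration.

```python
import errno
import os
import tempfile


def insecure_tmp_write(path, data):
    """Insecure pattern: predictable name opened with a plain open().

    open(..., "w") creates-or-truncates and follows symlinks, so whatever
    already exists at `path` decides which file really receives the data.
    """
    with open(path, "w") as fh:
        fh.write(data)


def exclusive_tmp_write(path, data):
    """Hardened open on a caller-chosen name.

    O_CREAT|O_EXCL makes the open fail if anything at all (regular file or
    symlink, dangling or not) already exists at `path`; O_NOFOLLOW, where
    the platform has it, additionally refuses to traverse a symlink in the
    final path component. Mode 0600 keeps the file private to our user.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def mkstemp_write(dirpath, data):
    """Preferred form: let mkstemp pick an unpredictable name and open it
    with O_CREAT|O_EXCL in one step, so there is no name to race against."""
    fd, path = tempfile.mkstemp(prefix="scan.", dir=dirpath)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def demonstrate():
    """Constructed scenario: a 'victim' file plus a symlink pre-planted at the
    name the tool is known to use. Returns a tuple
    (victim_overwritten, exclusive_open_refused, mkstemp_used_fresh_name)."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim.conf")
        with open(victim, "w") as fh:
            fh.write("original\n")

        # The predictable name the tool would compute (constructed for this demo).
        predictable = os.path.join(tmp, "scan.12345")
        os.symlink(victim, predictable)

        # Defect: the write lands in victim.conf, not in a scratch file.
        insecure_tmp_write(predictable, "scanner output\n")
        with open(victim) as fh:
            victim_overwritten = fh.read() != "original\n"

        # Fix 1: exclusive create refuses the pre-planted link (EEXIST, or
        # ELOOP on platforms where O_NOFOLLOW is checked first).
        try:
            exclusive_tmp_write(predictable, "scanner output\n")
            exclusive_open_refused = False
        except OSError as exc:
            exclusive_open_refused = exc.errno in (errno.EEXIST, errno.ELOOP)

        # Fix 2: a random name cannot have been planted ahead of time.
        fresh = mkstemp_write(tmp, "scanner output\n")
        mkstemp_used_fresh_name = (
            fresh != predictable and os.path.isfile(fresh) and not os.path.islink(fresh)
        )
        return victim_overwritten, exclusive_open_refused, mkstemp_used_fresh_name


if __name__ == "__main__":
    print(demonstrate())
```

The two fixes are not interchangeable: exclusive_tmp_write still exposes a predictable name, so a planted link merely turns the write into a failure; mkstemp removes the predictability as well, which is why auditing a tool for this bug means looking for any /tmp path built from a PID, timestamp or fixed string rather than from mkstemp or its C-library equivalent.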
So What's the Solution?
So if tools like SATAN are antiquated, what is a viable freeware solution? Like
most tools, there are always alternatives. In the past few years, a more current
tool based on SATAN's foundation has arisen, called SAINT (30). As of August 19, 1999,
SAINT version 1.4 was released, adding more features and security checks that
address current security concerns. Among these are checks for well-known NT security
holes, operating system fingerprinting, as well as several new Unix vulnerabilities.
The continued development and community effort to support this product has turned it
into a much better foundation for testing network security than many other tools
like it. Due to its active development and continued support for detecting new
vulnerabilities, this seems like a great alternative to recommending outdated
tools. When possible, don't rely on canned tools at all. They will never come close
to the ability and instinct of a qualified security consultant.
Conclusion
A few dozen clichés come to mind as a way to wrap up this article. I think
I have sufficiently shown that everyone from the media to security experts
continues to quote SATAN as a way to defend your network. Because the tool
has not been updated in several years, it is far behind the times in
addressing network security issues. On top of not being adequate by
any stretch of the imagination, it poses further risk to your machines.
Despite all this, the recommendation to use inferior technology still
comes pouring in.
Brian Martin (bmartin@attrition.org)
Copyright 1999