One of our daily tasks is to assess and improve the security of our customers or colleagues. To achieve this, we use security tools (linked to processes). Over time, we all build a personal toolbox of favourite tools. Yesterday, I read an interesting blog article about extracting saved credentials from a compromised Nessus system[1]. This is indeed a nice target for the bad guy! Why?

Such security tools deployed inside a network have interesting characteristics:

  • They have credentials stored in configuration files or databases. They need those credentials to perform their tasks. A vulnerability scanner is a good example: it may hold Windows or SSH credentials to connect to the scanned systems and perform a local scan.
  • They contain interesting data to build the topology of the network or to discover all the assets (IP addresses, VLANs, remote sites, etc.)
  • They are allowed to connect to ANY host in the network (just because they need to scan the network)
  • Their IP addresses might be excluded from the log files (just because they are way too verbose)

The first blog article reminded me of other bad stories with security products:

  • McAfee ePolicy Orchestrator[2]
  • Acunetix web scanner [3]

The same also applies to monitoring tools like Nagios[4].

The security of security/monitoring tools must be addressed like that of any other regular asset. Access to them must be restricted and logged, and they must be installed with least privileges. But that's what you already do, right?
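
One way to act on the log-exclusion point above, as an added example that is not part of the original diary: instead of dropping the scanner's IP address from the logs, keep its events and flag only those that fall outside an approved scan window or scope. The scanner address, window, scope and log format are assumptions, and the log lines are constructed.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed values for illustration: scanner address, approved window, approved scope.
SCANNER_IP = ip_address("10.0.5.20")
SCAN_WINDOW = (time(1, 0), time(4, 0))   # nightly scan window, local time
SCAN_SCOPE = [ip_network("10.0.0.0/16")]

# Constructed sample log lines: "<ISO timestamp> <src> <dst> <dport> <action>"
SAMPLE_LOG = """\
2017-01-10T01:15:02 10.0.5.20 10.0.8.14 445 allow
2017-01-10T02:40:11 10.0.5.20 10.0.9.3 22 allow
2017-01-10T14:22:37 10.0.5.20 10.0.8.14 445 allow
2017-01-10T02:05:00 10.0.5.20 192.168.50.7 22 allow
2017-01-10T14:30:00 10.0.7.77 10.0.8.14 443 allow
"""

def in_window(ts):
    start, end = SCAN_WINDOW
    return start <= ts.time() < end

def in_scope(dst):
    return any(dst in net for net in SCAN_SCOPE)

def review_scanner_traffic(log_text):
    """Return (line, reasons) for scanner-sourced events that need review."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts_raw, src, dst, _dport, _action = parts
        if ip_address(src) != SCANNER_IP:
            continue  # only the scanner's own traffic is examined here
        reasons = []
        if not in_window(datetime.fromisoformat(ts_raw)):
            reasons.append("outside scan window")
        if not in_scope(ip_address(dst)):
            reasons.append("destination out of scope")
        if reasons:
            findings.append((line, reasons))
    return findings

if __name__ == "__main__":
    for line, reasons in review_scanner_traffic(SAMPLE_LOG):
        print(f"REVIEW [{', '.join(reasons)}]: {line}")
```

Expected scan traffic stays quiet, so the verbosity problem is handled without making the scanner's address a blind spot.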

[1] https://www.appsecconsulting.com/blog/extracting-saved-credentials-from-a-pwn3d-nessus-system/
[2] https://funoverip.net/2013/06/mcafee-epolicy-0wner-preview/
[3] https://osandamalith.com/2014/04/24/pwning-script-kiddies-acunetix-buffer-overflow/
[4] http://seclists.org/fulldisclosure/2016/Dec/58

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.