Ruslan Rakhmetov, Security Vision
To carry out an attack, adversaries exploit vulnerabilities: flaws in the design, implementation or configuration of information systems and security controls. Exploiting vulnerabilities is one of the most common attack methods, alongside social engineering and malware. It is therefore important to find and fix vulnerabilities promptly: install patches, remove outdated software, and put compensating controls in place where a fix is not yet available. The key tools for finding vulnerabilities are security scanners (vulnerability scanners), which this article describes.
Let us start with definitions. ISO/IEC 27000:2018 defines a vulnerability as a weakness of an asset or control that can be exploited by one or more threats. GOST R 56546-2015 describes a vulnerability as a flaw in a software or hardware asset, or in the information system as a whole, that can be used to carry out an attack. Note that vulnerabilities are not only the classic mistakes made during software development, but also insecure configurations, errors in the design of information systems, and shortcomings in how corporate processes are organised. Vulnerabilities occur in system, application and special-purpose software, in firmware, in network equipment, and in security tools themselves. The main characteristic of a vulnerability is its severity, which is expressed with the CVSS scoring system. Prefer the current version, CVSS v4, which adds metric groups (Threat, Environmental, Supplemental) for a more detailed description of a vulnerability's properties. Keep in mind that the Base score alone describes the flaw itself, not the likelihood of exploitation in your environment or the importance of the affected asset; those factors come from the other metric groups and from your own asset data.
A vulnerability scanner, or security scanner, is a tool for finding vulnerabilities in a company's infrastructure and on its network perimeter (for example, in web applications). The scanner's task is to find vulnerabilities on devices within a given network range and produce a report that lists each vulnerability and where it was found (for example: device srv-dc01.domain.local, system file C:\Windows\system32\drivers\srv.sys, vulnerability CVE-2017-0144 'EternalBlue', CVSS Base Score 8.8). In addition, a scanner should provide remediation guidance, or a link to it: install an update, apply a temporary workaround, or disable or remove the vulnerable component. More advanced solutions, such as vulnerability management systems, which are often combined with a security scanner in a single product, also keep an asset inventory, build a resource-service model of the infrastructure, monitor device security settings, check assets' compliance with various requirements, visualise the security state of the infrastructure, and build detailed reports.
By how they work, vulnerability scanners fall into the following main types:
1. Banner scanning, with scripts for vulnerability detection: scanners that analyse installed software without authentication probe the network ports of the target system and try to determine the version of the software that answered the network request. This method is often called 'black box' or 'pentest' scanning, because the scanner receives no prior information about the asset and does not authenticate to it to gather details; this makes it well suited to emulating an attacker who has no valid credentials for connecting to the device of interest. For example, a web server may answer any external connection with a message that contains the server's name and version (Microsoft IIS 8.5, Apache HTTP Server 2.2.15, and so on). From the version, the scanner determines whether published vulnerabilities exist for that software. Bear in mind that a banner can be suppressed or altered by the administrator, and that Linux distributions often backport fixes without changing the version string, so version-only matching produces both false negatives and false positives. For this reason some security scanners also use scripts for more accurate network scanning, vulnerability detection and pentesting: the Nmap scanner uses NSE (Nmap Scripting Engine), which supports scripts written in Lua, and the Nessus and OpenVAS scanners support NASL (Nessus Attack Scripting Language) scripts.
2. Authenticated scanning: the scanner uses a valid account to connect remotely to the asset being scanned and collect information about the installed software. This method is often called 'white-box' or 'agentless' scanning, and the privilege level of the scanning account determines how deep and detailed the collected information is. For example, a remote scan with a local administrator account yields the most information about the system, but if the scanned device is infected with malware, the attackers can capture that account's credentials and extend their attack. Various technologies are used to limit the exposure of a scanning account (for Windows, LAPS, which gives every host its own regularly rotated local administrator password; for Linux, sudo wrappers that allow only the specific commands the scanner needs); it is also possible to configure granular access rights for an unprivileged account, which we covered in an article on Habr.
3. Agent-based scanning: this type of scanning relies on a scanning agent that is either installed automatically on the target system or pre-installed manually. A scanning agent is a small utility that receives data collection tasks about installed software from the scanning server and performs them locally on the device. This method is usually fast and capable, but it has drawbacks: first, the agent's presence on every device must be ensured in advance; second, the agent may cause some performance degradation on the device; third, if the scanning server is compromised, the agents can be made to execute the attackers' commands (for example, uninstalling all installed software).
4. Retro-scanning: this method uses previously collected data about the software installed on assets and its versions. As soon as information appears that a certain version of some software is vulnerable, the scanner checks the stored software lists and finds the assets on which that vulnerable software is installed. This indirect method identifies vulnerable assets quickly, without an unscheduled scan and without waiting for a maintenance window. However, the user may already have updated or uninstalled the software, so the inventory data may be out of date. For critical vulnerabilities on important assets it is therefore recommended to confirm the presence (and subsequent update) of the vulnerable software with a direct method: authenticated scanning or an agent.
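To make the banner-scanning and retro-scanning paths concrete, here is an added example in Python; it is not code from the article or from any scanner product. It parses Server headers of the kind shown above into a product and version, compares versions numerically rather than as strings (a plain string comparison ranks '2.2.9' above '2.2.15'), matches them against an advisory feed, and then runs the same advisory against a stored inventory the way a retro-scan does. The advisory identifiers, affected ranges, host names and banners are constructed placeholders for the example, not real vulnerabilities.

```python
import re

# Banner formats the article mentions (Apache, IIS) plus nginx.
# Each regex maps a raw Server header to (product, version). Constructed for this example.
BANNER_PATTERNS = [
    (re.compile(r"Apache/(\d+(?:\.\d+)+)"), "apache_httpd"),
    (re.compile(r"Microsoft-IIS/(\d+(?:\.\d+)+)"), "microsoft_iis"),
    (re.compile(r"nginx/(\d+(?:\.\d+)+)"), "nginx"),
]


def parse_banner(server_header):
    """Return (product, version) from a Server header, or None if unrecognised."""
    for pattern, product in BANNER_PATTERNS:
        match = pattern.search(server_header)
        if match:
            return product, match.group(1)
    return None


def version_key(version):
    """Turn '2.2.15' (or '2.4.57-1deb', keeping only the leading dotted digits)
    into a tuple of ints so that versions compare numerically."""
    match = re.match(r"\d+(?:\.\d+)*", version)
    if not match:
        raise ValueError("unparseable version: %r" % version)
    return tuple(int(part) for part in match.group(0).split("."))


def is_affected(version, affected_ranges):
    """affected_ranges: list of (min_inclusive, max_exclusive) version strings;
    None on either side means unbounded."""
    v = version_key(version)
    for low, high in affected_ranges:
        if low is not None and v < version_key(low):
            continue
        if high is not None and v >= version_key(high):
            continue
        return True
    return False


# Constructed advisory feed: the ids and ranges are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-1", "product": "apache_httpd",
     "affected": [("2.2.0", "2.2.16")], "cvss": 7.5},
    {"id": "EXAMPLE-ADV-2", "product": "microsoft_iis",
     "affected": [(None, "8.0")], "cvss": 5.3},
]


def findings_for(product, version, advisories=ADVISORIES):
    """Advisory ids whose product and version range match the given software."""
    return [a["id"] for a in advisories
            if a["product"] == product and is_affected(version, a["affected"])]


def scan_banner(host, server_header, advisories=ADVISORIES):
    """Unauthenticated ('black box') path: banner -> product/version -> advisories."""
    parsed = parse_banner(server_header)
    if parsed is None:
        return {"host": host, "product": None, "version": None, "findings": []}
    product, version = parsed
    return {"host": host, "product": product, "version": version,
            "findings": findings_for(product, version, advisories)}


def retro_scan(inventory, advisory):
    """Retro-scan path: match one new advisory against stored inventory rows of
    (host, product, version) without touching the hosts at all."""
    return [host for host, product, version in inventory
            if product == advisory["product"] and is_affected(version, advisory["affected"])]


# Constructed sample data standing in for live banner grabs and a stored inventory.
SAMPLE_BANNERS = {
    "web-01.example.local": "Apache/2.2.15 (CentOS)",
    "web-02.example.local": "Apache/2.2.9 (Unix)",
    "web-03.example.local": "Apache/2.4.57 (Debian)",
    "iis-00.example.local": "Microsoft-IIS/7.5",
    "iis-01.example.local": "Microsoft-IIS/8.5",
}
SAMPLE_INVENTORY = [
    ("web-01.example.local", "apache_httpd", "2.2.15"),
    ("web-02.example.local", "apache_httpd", "2.2.9"),
    ("web-03.example.local", "apache_httpd", "2.4.57"),
    ("iis-01.example.local", "microsoft_iis", "8.5"),
]

if __name__ == "__main__":
    for host, banner in SAMPLE_BANNERS.items():
        print(scan_banner(host, banner))
    print("retro-scan hits for EXAMPLE-ADV-1:", retro_scan(SAMPLE_INVENTORY, ADVISORIES[0]))
```

The 'Apache/2.2.15 (CentOS)' banner is the classic trap: Red Hat and CentOS backport security fixes into that build without bumping the upstream version, so a banner-only match flags the host while an authenticated scan that reads the package release (for example from `rpm -q httpd`) can clear it. That is exactly the caveat from the text: version-based methods are fast, but direct confirmation is needed for the findings that matter.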
Beyond the core functionality described above, important features of a security scanner include:
1. Support for multiple vulnerability registries: in addition to the classic CVE and NVD sources, it is important for the scanner to support the FSTEC register, which holds data on Russian software vulnerabilities, as well as vulnerabilities found by domestic researchers that, for various reasons, were never entered into CVE or NVD.
2. Support for a wide range of Russian and foreign products: the scanner must work correctly with new domestic operating systems and identify the names and versions of installed software. It should also detect portable (non-installed) copies of software, which requires access to specific directories on the scanned device.
3. Support for containerisation: containers and their orchestration (Docker, Kubernetes, Podman and others) are now widespread, so it is important to detect vulnerabilities in images as well as in running and stopped containers.
4. Support for a pentest mode: the scanner should be able to detect and, in a controlled way, verify whether a vulnerability is actually exploitable using published exploits. Because exploit attempts can crash or destabilise a service, such checks belong in a maintenance window and should be run against test or non-critical assets first. Some scanners can also test password strength with a brute-force engine and analyse the cryptographic algorithms an application uses.
5. Web scanning support: an advanced scanner can check for common web vulnerabilities, detect disclosure of internal information and site configuration, and test for weak passwords and user-account brute-forcing.