Cisco Secure Consulting

Vulnerability Statistics Report

I. Public Internet Vulnerabilities

During the last six months, Cisco Secure Consulting conducted 46 Internet "Security Posture Assessments." Cisco looked at a total of 9,874 network interfaces which, at the time of the assessments, had an average of 3.34 network services running on each interface for a total of 33,046 network services that were accessible from the Internet. Each customer had an average of 214 Internet accessible network interfaces for an average of 718 network services per customer.

On average, every network interface assessed had some form of vulnerability, and customers had an average of 227 vulnerabilities associated with their Internet presence. From a host-by-host perspective, an average of 21.9% of the network interfaces assessed had some form of vulnerability, and an average of one in three operational network services had some form of vulnerability.

The following is a breakdown of the Top 5 Most Vulnerable Services we found. They are ranked by the total number of vulnerabilities identified per service.

  • 23.5% of the vulnerabilities identified were associated with the RPC network service (TCP port 111). The availability of RPC services from the Internet is typically not required and the need to allow Internet access to an RPC portmapper should be audited, as there are numerous vulnerabilities associated with the RPC sub-services.
  • 21.8% of the vulnerabilities identified were associated with Web service (TCP port 80). Today, nearly all companies require a Web presence. However, securely managing a Web server requires some diligence. Most of the vulnerabilities we identified were associated with older, outdated Web server configurations or applications that had been added to the Web server with inherent vulnerabilities. Most of these vulnerabilities can be resolved with a little research and some diligence on the part of administrative staff.
  • 18.9% of the vulnerabilities identified were associated with the SMTP network service. Although securely managing an Internet SMTP server is about as daunting a task as managing a Web server, it can be accomplished with a little research and diligence. Again, most of the vulnerabilities we identified resulted from outdated versions of Sendmail or mis-configurations.
  • 12.8% of the vulnerabilities identified were associated with SNMP. Network management should never be conducted from the Internet. Therefore, SNMP should not be accessible from the Internet. All SNMP traffic destined for UDP port 161 should be filtered at the Internet firewall or filtering device. If network management is outsourced, look into an Extranet configuration or a VPN for protection.
  • 5.6% of the vulnerabilities identified were associated with the FTP network service. Securely managing an Internet FTP server is a task that requires diligence. This becomes even more difficult if you allow anonymous access to your FTP server. Audit the need for this service; if it is not required, disable the FTP service on all Internet accessible network devices and filter incoming TCP port 21 at the Internet firewall or filtering device. Should it be required, there are numerous guidelines available for securely configuring an anonymous FTP server.

To understand the true vulnerability state of the assessed customers, we have to break down the identified vulnerabilities into classes. Below are the major classes of vulnerabilities identified by Cisco Secure Consulting Services. The three major classes are: Denial of Service, Reconnaissance and Access.
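The figures above (services per interface, share of findings per service, share of interfaces with any finding, and share of interfaces per class) are all simple ratios over an assessment data set. The following is an added example, not part of the Cisco report, showing how to recompute those same ratios from your own scan export. The input layout is an assumption: one row per (interface, service) pair, plus one row per finding tagged with the service and one of the three classes the report uses. The sample rows are constructed.

```python
"""Recompute the report's summary statistics from an assessment export.

Added example (not part of the Cisco report). The row layout is an
assumption; the sample data below is constructed for illustration.
"""
from collections import Counter, defaultdict

# Constructed sample export: (interface, service) pairs that were listening.
SERVICES = [
    ("10.0.0.1", "rpc/111"), ("10.0.0.1", "smtp/25"), ("10.0.0.1", "snmp/161"),
    ("10.0.0.2", "http/80"), ("10.0.0.2", "ftp/21"),
    ("10.0.0.3", "http/80"),
    ("10.0.0.4", "smtp/25"), ("10.0.0.4", "rpc/111"),
    ("10.0.0.5", "http/80"), ("10.0.0.5", "snmp/161"),
]

# Constructed findings: (interface, service, class, description).
FINDINGS = [
    ("10.0.0.1", "rpc/111", "Reconnaissance", "portmapper answers from the Internet"),
    ("10.0.0.1", "rpc/111", "Access", "outdated RPC sub-service"),
    ("10.0.0.1", "snmp/161", "Access", "default community string"),
    ("10.0.0.2", "ftp/21", "Access", "anonymous FTP enabled"),
    ("10.0.0.2", "http/80", "Reconnaissance", "sample pages present"),
    ("10.0.0.4", "smtp/25", "Access", "open mail relay"),
    ("10.0.0.4", "rpc/111", "Denial of Service", "outdated RPC service"),
]


def summarize(services, findings):
    """Return the same ratios the report presents, as a dict."""
    interfaces = {iface for iface, _ in services}
    n_if = len(interfaces)
    n_svc = len(services)
    n_vuln = len(findings)
    stats = {
        "interfaces": n_if,
        "services": n_svc,
        "services_per_interface": round(n_svc / n_if, 2),
        "vulnerabilities": n_vuln,
    }

    # Share of all findings attributable to each service (the Top-N ranking).
    by_service = Counter(f[1] for f in findings)
    stats["share_by_service"] = {
        svc: round(100 * n / n_vuln, 1) for svc, n in by_service.most_common()
    }

    # Host-by-host view: interfaces with at least one finding.
    vulnerable_ifs = {f[0] for f in findings}
    stats["pct_interfaces_vulnerable"] = round(100 * len(vulnerable_ifs) / n_if, 1)

    # Operational services with at least one finding.
    vulnerable_svcs = {(f[0], f[1]) for f in findings}
    stats["pct_services_vulnerable"] = round(100 * len(vulnerable_svcs) / n_svc, 1)

    # Interfaces affected by each class (DoS / Reconnaissance / Access).
    ifs_by_class = defaultdict(set)
    for iface, _, cls, _ in findings:
        ifs_by_class[cls].add(iface)
    stats["pct_interfaces_by_class"] = {
        cls: round(100 * len(s) / n_if, 1) for cls, s in ifs_by_class.items()
    }
    return stats


if __name__ == "__main__":
    for key, value in summarize(SERVICES, FINDINGS).items():
        print(f"{key}: {value}")
```

Note that an interface with several findings in different classes is counted once per class, which is why the per-class percentages can add up to more than the overall host-by-host percentage.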

A. Denial of Service Vulnerabilities

An average of 4.9% of the network interfaces assessed had some form of Denial of Service vulnerability. This is a critical issue as we venture into the age of Internet reliance. No longer can corporate America afford to have network resources adversely affected by Internet attacks. Allowing access to unnecessary services or simple mis-configurations causes most of these vulnerabilities and securing them should be fairly trivial.

These were the Top 3 Denial of Service vulnerabilities:

  • 4.6% of the vulnerabilities identified were caused by running outdated, unnecessary services. These are legacy services, and most often are not used in today’s IT environments. If your environment does not require the use of these services, they should be disabled completely.
  • Fewer than 1% of the vulnerabilities identified were associated with the BOOTP network service. This service is used for DHCP and should never allow access from the Internet. Disable BOOTP on your Internet accessible network devices.
  • Fewer than 1% of the vulnerabilities identified were associated with the FTP network service. There is a buffer overflow associated with some versions of the FTP server. Should you be running a vulnerable version, you should ensure that you implement the appropriate patch or upgrade your FTP server version.

B. Reconnaissance Vulnerabilities

An average of 13.5% of the network interfaces assessed had some form of Reconnaissance vulnerability, potentially allowing remote users to gather information about network devices that could aid in compromising assets.

These were the Top 5 Reconnaissance vulnerabilities:

  • 5.8% of the vulnerabilities identified were associated with the RPC network service. You can remotely request information from the RPC portmapper by typing rpcinfo -p <IP Address>, and this will provide information about the RPC network services that are configured to run on the remote network device. You should disallow the ability to conduct this type of activity from the Internet by filtering incoming RPC requests to TCP port 111 or disabling the RPC portmapper altogether.
  • 4.4% of the vulnerabilities identified were associated with the SMTP network service. Today, e-mail is a requirement for most companies connected to the Internet. Securely managing an Internet mail server is no trivial task but can be accomplished with some research and diligence.
  • 3.7% of the vulnerabilities identified were associated with the Network File System service. Running NFS on any resources that are accessible from the Internet is a bad idea. Furthermore, allowing access to your file system from the Internet is even worse. If required, you should look into more secure solutions for sharing your data. Otherwise, disable NFS on your Internet accessible resources and filter incoming requests to the NFS service at your Internet firewall or filtering device.
  • 3.7% of the vulnerabilities identified were associated with the Statd RPC network service. Statd provides server status remotely. There is no reason to contact the Statd service from the Internet. We suggest you look into other, more secure means of obtaining server status from the Internet should you require this. Otherwise, disable the Statd service and filter incoming requests to the Statd service at your firewall or Internet filtering device.
  • 3.1% of the vulnerabilities identified were associated with the Web application Cold Fusion. There are sample pages that come with Cold Fusion that allow a remote user to send specially formatted codes and gather information about your server. At a minimum, remove the sample pages from your Internet Web server.

C. Access From Outside the Network

An average of 11.2% of the network interfaces assessed had some form of Access vulnerability from outside the network. This is the most dangerous major class of vulnerability. These vulnerabilities allow very direct means of compromise of your network devices. This type of access lends the ability to review data, modify or delete data, cause disruption, or further compromise your network.

These were the Top Five Access vulnerabilities:

  • 5.2% of the vulnerabilities identified were associated with weak user authentication. In the past, we have been able to crack an average of 53% of the passwords that we obtain from compromised networks.
  • 4.5% of the vulnerabilities identified were associated with the mail relay function of Internet SMTP servers. This vulnerability allows for remote email spamming and mail relaying to other email destinations.
  • 3.6% of the vulnerabilities identified were associated with allowing anonymous access to the FTP service. Securely managing an anonymous FTP server requires some research and diligence. As new vulnerabilities are published at a rate of 15 per month, the administration staff must stay on top of the vulnerabilities that affect their environments. If anonymous FTP access is required, the server version and the vulnerabilities that affect it should be used to decide when to patch or upgrade the FTP server. Otherwise, disable the FTP service and anonymous access and filter incoming requests to TCP port 21 at your Internet firewall or filtering device.
  • 2.3% of the vulnerabilities identified were associated with Internet SMTP servers. This vulnerability is the "PIPE-FROM" vulnerability and allows a remote user to "pipe" the contents of a specially formatted e-mail message to another program on the mail server.
  • 1.3% of the vulnerabilities identified were associated with the SNMP network service. This is simply allowing access to SNMP MIBs with a simple, default community string of "private."
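Sections I.A through I.C above repeat the same handful of recommendations: the RPC portmapper, SNMP, BOOTP, NFS and finger should not be reachable from the Internet; FTP should only be exposed where there is a documented need and never anonymously; SMTP servers should not relay for third parties; and SNMP must not use the default "public" or "private" community strings (the same advice recurs in section II for the Intranet). The following is an added example, not part of the Cisco report, that encodes those recommendations as a checklist and runs it over an Internet-facing service inventory. The inventory row layout, the attribute names (anonymous, community, open_relay) and the sample hosts are assumptions constructed for the example; the port numbers are the standard assignments. Statd is reached through dynamically assigned RPC ports, so it is covered by flagging the portmapper rather than by a fixed port.

```python
"""Audit an Internet-facing service inventory against the report's advice.

Added example (not part of the Cisco report). Inventory layout and attribute
names are assumptions; sample rows are constructed.
"""

# Services the report says should be filtered at the Internet firewall,
# keyed by (protocol, port). Standard port assignments.
FILTER_AT_EDGE = {
    ("tcp", 111): "RPC portmapper",
    ("udp", 111): "RPC portmapper",
    ("udp", 161): "SNMP",
    ("udp", 67): "BOOTP/DHCP server",
    ("udp", 68): "BOOTP/DHCP client",
    ("tcp", 2049): "NFS",
    ("udp", 2049): "NFS",
    ("tcp", 79): "finger",
}

# Default community strings the report calls out ("public", "private").
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed inventory: one row per listening service on an Internet-facing
# interface, with attributes an assessment tool would have recorded.
INVENTORY = [
    {"host": "203.0.113.10", "proto": "tcp", "port": 80},
    {"host": "203.0.113.10", "proto": "tcp", "port": 111},
    {"host": "203.0.113.11", "proto": "udp", "port": 161, "community": "public"},
    {"host": "203.0.113.12", "proto": "tcp", "port": 21, "anonymous": True},
    {"host": "203.0.113.13", "proto": "tcp", "port": 21},
    {"host": "203.0.113.14", "proto": "tcp", "port": 25, "open_relay": True},
]


def audit(inventory, ftp_justified=frozenset()):
    """Return a list of (host, finding) tuples.

    ftp_justified: hosts for which an Internet-facing FTP service has a
    documented business need (the report's "should it be required" case).
    """
    findings = []
    for svc in inventory:
        host = svc["host"]
        key = (svc["proto"], svc["port"])

        # Services that should never be reachable from the Internet.
        if key in FILTER_AT_EDGE:
            findings.append((host, f"{FILTER_AT_EDGE[key]} reachable from the Internet; "
                                   f"filter {key[0]}/{key[1]} at the firewall"))

        # SNMP with a default community string (Access class in the report).
        if key == ("udp", 161) and svc.get("community", "").lower() in DEFAULT_COMMUNITIES:
            findings.append((host, "SNMP responds to a default community string; "
                                   "choose community names as you would a password"))

        # FTP: exposed without a documented need, or with anonymous access.
        if key == ("tcp", 21):
            if host not in ftp_justified:
                findings.append((host, "FTP exposed without documented need; "
                                       "disable the service and filter tcp/21"))
            if svc.get("anonymous"):
                findings.append((host, "anonymous FTP access enabled"))

        # SMTP relaying for third parties (the mail relay finding above).
        if key == ("tcp", 25) and svc.get("open_relay"):
            findings.append((host, "SMTP server relays mail for third parties"))
    return findings


if __name__ == "__main__":
    for host, finding in audit(INVENTORY, ftp_justified=frozenset({"203.0.113.13"})):
        print(f"{host}: {finding}")
```

The same checklist applies to the Intranet figures in section II; only the inventory changes. Keeping the list of justified FTP hosts explicit makes the "audit the need for this service" step a recorded decision rather than an implicit one.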

II. Corporate Intranet Vulnerabilities

Over the past six months, Cisco Secure Consulting conducted 42 corporate Intranet Security Posture Assessments. A total of 51,512 network interfaces were identified. These had an average of 4.7 network services running on each interface for a total of 241,965 network services. Each customer had an average of 1,226 network interfaces for an average of 5,761 network services per customer.

On average, every network interface had some form of vulnerability, and customers had an average of 1,435 vulnerabilities associated with their Intranet network. From a host-by-host perspective, an average of 28.5% of the network interfaces assessed had some form of vulnerability, and an average of one in four operational network services had some form of vulnerability.

As vulnerabilities are inherent in network services, the following is a breakdown of the Top 5 Most Vulnerable Intranet Services. They are ranked by the total number of vulnerabilities identified per service.

  • 29.1% of the vulnerabilities identified were associated with the RPC network service (TCP port 111). The need to run an RPC portmapper should be audited, as there are numerous vulnerabilities associated with the RPC sub-services.
  • 19.3% of the vulnerabilities identified were associated with the SMTP network service. Securely managing an SMTP server is a task that requires research and diligence. Most of the vulnerabilities identified were a result of outdated versions of Sendmail or mis-configurations.
  • 16.3% of the vulnerabilities identified were associated with the SNMP network service. Most of the vulnerabilities identified were a result of using default community names. Just as in password selection, be sure to select community names that are difficult to guess.
  • 8.5% of the vulnerabilities identified were associated with the Finger network service. Today, there is no sound reason to run finger on your networked hosts; therefore it should be disabled completely. Vulnerable versions of this service can allow remote users to gather username information to use in "brute force" password guessing programs.
  • 7.9% of the vulnerabilities identified were associated with the Telnet network service. These vulnerabilities are not inherent in the Telnet service but can result from weak authentication.

To understand the true vulnerability state of the assessed customers, we have to break down the identified vulnerabilities into classes. Below you will find the major classes of vulnerabilities as defined by Cisco Secure Consulting Services. The three major classes are Denial of Service, Reconnaissance, and Access.

A. Denial of Service Vulnerabilities

An average of 4.9% of the network interfaces assessed had some form of Denial of Service vulnerability. This is becoming critical as we venture into the age of Internet reliance. No longer can corporate America afford to have network resources adversely affected by Internet attacks. Allowing access to unnecessary services or simple mis-configurations causes most of these vulnerabilities and securing them should be fairly trivial.

These were the Top 4 Denial of Service vulnerabilities:

  • 13.2% of the vulnerabilities identified were caused by running outdated unnecessary services. These are legacy services and most often are not used in today’s IT environments. If your environment does not require the use of these services, they should be disabled completely.
  • Fewer than 1% of the vulnerabilities identified were associated with the FTP network service vulnerability called "PASV." There is a problem with some FTP servers where allowing PASV commands can result in the server being vulnerable to Denial of Service. If you are running a vulnerable version, you should ensure that you implement the appropriate patch or upgrade your FTP server version.
  • Fewer than 1% of the vulnerabilities identified were associated with the BOOTP network service. This service is used for DHCP and should never allow access from the Internet. Disable BOOTP on your Internet accessible network devices.
  • Less than 1% of the vulnerabilities identified were associated with the FTP network service buffer overflow vulnerability. This buffer overflow is associated with some versions of the FTP server. Should you be running a vulnerable version, you should ensure that you implement the appropriate patch or upgrade your FTP server version.

B. Reconnaissance Vulnerabilities

On average, 13.5% of network interfaces assessed had some form of Reconnaissance vulnerability that could allow a remote user to gather information about your devices and use it to compromise your network.

These were the top 5 Reconnaissance vulnerabilities:

  • 4.9% of the vulnerabilities identified were associated with the RPC network service. You can remotely request information from the RPC portmapper by typing rpcinfo -p <IP Address>, and this will provide information about the RPC network services that are configured to run on the remote network device. You should disallow the ability to conduct this type of activity from the Internet by filtering incoming RPC requests to TCP port 111 or disabling the RPC portmapper altogether.
  • 4.5% of the vulnerabilities identified were associated with the finger network service. The vulnerability known as "finger-global" allows remote users to send the finger service a specially formatted command to obtain a list of valid users with accounts on the server.
  • 4.0% of the vulnerabilities identified were associated with the SMTP network service. Today, e-mail is a requirement for companies connected to the Internet, and securely managing an Internet mail server is no trivial task. But it can be accomplished with some research and diligence.
  • 3.8% of the vulnerabilities identified were associated with the Statd RPC network service. Statd provides server status remotely. Disable the Statd service.
  • 3.6% of the vulnerabilities identified were associated with the SNMP network management service. An SNMP server with a community name set to "public" will allow remote users to gather information that could lead to compromise. Select community names as you would a password.

C. Access From Within the Network

On average, 11.2% of the network interfaces we reviewed had some form of Access vulnerability. This is the most dangerous major class of vulnerability. These vulnerabilities allow a very direct way to compromise network devices. This type of access lends the ability to review data, modify or delete data, cause disruption, or further compromise a network.

These were the top 5 Access vulnerabilities:

  • 10.1% of the vulnerabilities identified were associated with weak user authentication. In the past, we’ve been able to crack an average of 53% of all passwords we obtain from compromised networks.
  • 4.5% of the vulnerabilities identified were associated with the mail relay function of Internet SMTP servers. This vulnerability allows for remote email spamming and mail relaying to other email destinations.
  • 3.6% of the vulnerabilities identified were associated with Internet SMTP servers. This vulnerability is the "PIPE-FROM" vulnerability, and allows a remote user to "pipe" the contents of a specially formatted e-mail message to another program on the system.
  • 2.0% of the vulnerabilities identified were associated with Internet SMTP servers. This vulnerability is the "PIPE-TO" vulnerability, and allows a remote user to "pipe" the contents of a specially formatted e-mail message to another program on the system.
  • 1.6% of the vulnerabilities identified were associated with the SNMP network service. This is simply allowing access to SNMP MIBs with a simple, default community string of "private".

III. Remote or Dial-Up Access Vulnerabilities

Over the past six months, Cisco Secure Consulting Service conducted Remote Access Security Posture Assessments on the servers of 36 customers. These customers had an average of about 5,000 telephone numbers with an average of 162.3 either authorized or unauthorized remote access servers.

  • 14.5% of the carriers identified were connected directly to network devices. These remote access points were probably intended for remote connectivity for the administration staff.
  • 5.7% of the carriers identified were connected directly to UNIX servers. These remote access points were also probably intended for remote connectivity for the administration staff.
  • 3.3% of the carriers identified were connected directly to other devices that have an ASCII or some other emulation package.

Virtually all vulnerabilities associated with remote access servers are a result of weak authentication. Many remote access server software packages have "out-of-box" configurations that require no authentication. Even if authentication is required, management of the packages is often user based and can be reconfigured by any user with access to the resource. All remote access servers should be consolidated on the network, and stronger authentication mechanisms should be employed.

Both of these perspectives are important for understanding your external security posture. Often, companies will devote heavy resources to securing and managing the Internet presence while overlooking the ability to circumvent all of that technology with a $50 modem. If you have users that require remote access to the network, a centralized remote access architecture is mandatory. The only means of detecting an unauthorized remote access server is to conduct a Remote Access Server assessment whereby all of the telephone numbers that you own can be assessed.


All contents copyright © 1992--2000 Cisco Systems, Inc. Important Notices and Privacy Statement.