PaulDotCom mailing list archives
Scanning of cumulative vulns/patches
From: rgula at tenablesecurity.com (Ron Gula)
Date: Wed, 17 Feb 2010 16:42:00 -0500
On 2/17/2010 2:17 PM, Albert R. Campa wrote:

> What do you guys think of scanning and reporting of cumulative vulnerabilities?

It is a very slippery slope. The more you reduce what is being reported, the less detail you have. If you reduce enough, you can get to reports that really over-summarize, such as "Here are the systems that aren't being patched". You lose any visibility of the types of vulns that have been subsumed into the "cumulative" report. It's also not as easy as it seems.

> For example, if you have vulnerability A that supersedes vulnerability B, Nessus will report both A and B as vulnerable, but for patching only vulnerability A needs to be patched. So why report vulnerability B? Should the scanner ignore superseded vulnerabilities? Is the only plus to reporting both A and B to have a history of old vulnerabilities not patched?

Your example is oversimplistic. In lots of cases you have complex progressions of vuln reporting, such as product 2.0 to 2.5 is vulnerable, but not product 2.6 and higher or 3.x. One vulnerability might be present in each of these releases. Also, would the "fix" be to upgrade to 2.5 or 3.0 in this case? Don't put your vuln scanner in charge of your IT. Use your vuln scanner to measure how IT is doing.

> What about metrics? A and B might be vulnerable but only patch A needs to be installed.

This is absolutely an issue, but vuln scanners need to test for both if a cumulative patch or service patch has been installed, or if a simple hotfix has been installed.

> If an admin gets a vuln report with both A and B, can they easily figure out, "oh, this is cumulative, so I only need to install A," or are they going to try to install both?

If you are giving an admin a vuln report, I hope it is from a credentialed patch audit with a focus on missing patches. If you aren't doing credentialed scans, you are not speaking the same language as an admin unless you are narrowly testing for some issue like MS08-68 (Conficker's exploit) or one of the Adobe flaws.

Ron Gula, CEO
Tenable Network Security
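The thread above argues two things at once: a cumulative patch A can subsume B and C, so the remediation list should be rolled up, yet the per-vulnerability detail must not disappear from the report; and affected-version logic is rarely a single cut-off (2.0 through 2.5 affected, 2.6 and higher or 3.x not). The following Python is an added example written for this archive page, not code from Nessus, Tenable or anyone in the thread. The patch ids, vulnerability ids, supersedence graph and version ranges are all constructed placeholders. It keeps every finding, computes the minimal set of patches to install per host using a transitive supersedence graph, and evaluates version ranges as half-open intervals so point releases such as 2.5.1 are handled correctly.

```python
"""Roll up vulnerability findings to a minimal patch set without losing detail.

Added example for the mailing-list discussion; all ids, graph edges and
version ranges below are constructed, not real advisories or patches.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str   # constructed id such as "VULN-B"
    fixed_by: str  # constructed id of the patch that remediates it


# Constructed supersedence graph: a cumulative patch lists what it replaces.
SUPERSEDES: Dict[str, Set[str]] = {
    "PATCH-A": {"PATCH-B"},  # A is cumulative and includes B
    "PATCH-B": {"PATCH-C"},  # B in turn replaced C
    "PATCH-X": set(),        # unrelated standalone hotfix
}


def superseded_by(patch: str, graph: Dict[str, Set[str]] = SUPERSEDES) -> Set[str]:
    """Every patch transitively replaced by `patch` (cycle-safe walk)."""
    seen: Set[str] = set()
    stack = list(graph.get(patch, ()))
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(graph.get(p, ()))
    return seen


def minimal_patch_set(patches: Set[str],
                      graph: Dict[str, Set[str]] = SUPERSEDES) -> Set[str]:
    """Drop any patch that another patch in the set already includes."""
    covered: Set[str] = set()
    for p in patches:
        covered |= superseded_by(p, graph)
    return {p for p in patches if p not in covered}


def rollup(findings: List[Finding]) -> Dict[str, Dict[str, object]]:
    """Per host: the patches to install and which findings each one closes.

    Every vuln_id is retained under the patch that closes it, so the
    admin sees "install A" while the analyst keeps the A/B/C history.
    """
    by_host: Dict[str, List[Finding]] = {}
    for f in findings:
        by_host.setdefault(f.host, []).append(f)
    report: Dict[str, Dict[str, object]] = {}
    for host, fs in by_host.items():
        needed = minimal_patch_set({f.fixed_by for f in fs})
        closes = {
            p: sorted(f.vuln_id for f in fs
                      if f.fixed_by == p or f.fixed_by in superseded_by(p))
            for p in needed
        }
        report[host] = {"install": sorted(needed), "closes": closes}
    return report


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.5.1' -> (2, 5, 1); tuples compare lexicographically."""
    return tuple(int(part) for part in v.split("."))


# Constructed: affected from 2.0 up to but excluding 2.6; 2.6+ and 3.x are fixed.
# Half-open [lo, hi) ranges mean 2.5.1 is still inside the affected branch.
VULNERABLE_RANGES: List[Tuple[str, str]] = [("2.0", "2.6")]


def version_affected(version: str,
                     ranges: List[Tuple[str, str]] = VULNERABLE_RANGES) -> bool:
    """True if `version` falls inside any [lo, hi) affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)


if __name__ == "__main__":
    # Constructed scan output for two hosts.
    sample = [
        Finding("host1", "VULN-A", "PATCH-A"),
        Finding("host1", "VULN-B", "PATCH-B"),
        Finding("host1", "VULN-X", "PATCH-X"),
        Finding("host2", "VULN-B", "PATCH-B"),
        Finding("host2", "VULN-C", "PATCH-C"),
    ]
    for host, entry in rollup(sample).items():
        print(host, entry)
    for ver in ("1.9", "2.0", "2.5.1", "2.6", "3.0"):
        print(ver, "affected" if version_affected(ver) else "not affected")
```

The rollup answers the "only install A" question without discarding B and C: they stay listed under the patch that closes them, which is the history the original poster asked about and the visibility the reply warns against losing. Scanners that only know a flat list of plugin ids cannot do this; the supersedence edges have to come from the vendor's patch metadata, and any gap in that graph shows up as an extra patch in the install list rather than a missed finding.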