Sample Network Assessment
Title Page
(Sample)
Network Audit for the Advanced Technology Laboratory (ATL)
Gurney Halleck
Nov. 17, 2000
Table of Contents
- Executive Summary
- Audit Goals and Objectives
- Audit Methodology
- Audit Context
- Potential Vulnerabilities and Suggested Corrective Actions
- Appendix
- Glossary
Executive Summary
The Advanced Technology Laboratory (ATL) is a self-contained and
self-supporting network subdomain, atl.yoyodyne.com. It maintains its
own DNS server (cerebus) and its own NIS domain (atl). The network
is composed of approximately 30 hosts running various operating
systems, including Solaris, Linux, OpenBSD, Windows NT and a single
machine running Mac OS X.
Of the 21 hosts audited, 11 have High risk ratings because they run
services with known, potentially exploitable flaws. In each case the
patch level of the service should be verified by manual inspection
and corrected, or the service should be evaluated for removal.
Additional Medium and Low risk items were discovered. These should
also be manually verified, corrected, or reviewed against the
current security stance.
Audit Goals and Objectives
The primary objective of this audit is to discover networking and
security deficiencies in the ATL network.
Audit Methodology
Auditing was done via manual inspection using such tools as nmap,
ping and traceroute.
Automated inspection was done using Saint.
Physical access was provided, as were accounts on local hosts and the
NIS domain.
Audit Context
The Advanced Technology Laboratory (ATL) is a self-contained and
self-supporting network subdomain, atl.yoyodyne.com. It maintains its
own DNS server (cerebus) and its own NIS domain (atl). The network
is composed of approximately 30 hosts running various operating
systems, including Solaris, Linux, OpenBSD, Windows NT and a single
machine running Mac OS X.
The network is 100baseT switched Ethernet on the 167.35.53.0/26
subnet. The broadcast address is 167.35.53.63 (the last address of
the /26, as the Active Hosts list below also shows) and the gateway
is 167.35.53.62. The predominant networking protocol is TCP/IP over
Ethernet.
The machines Hawthorn and Rowan are master and backup for the
NIS domain, atl.
A Beowulf cluster of 20 machines shares a separate 100baseT switched
network on the 172.20.0.0/16 subnet. That network is reachable only
after logging on to the Beowulf head node (167.35.53.13), which does
not forward packets into the internal 172.20.0.0/16 subnet.
172.20.0.0/16 falls within 172.16.0.0/12, one of the address blocks
IANA reserves for private networks (RFC 1918). The Beowulf subnet was
excluded from this audit.
Network Map
Not provided for external access.
Active Hosts
The following hosts were active (as reported by nmap) during the
audit:
- cerebus.atl.yoyodyne.com (167.35.53.1)
- Solaris 2.5, 2.5.1
- chestnut.atl.yoyodyne.com (167.35.53.2)
- Solaris 8
- alder.atl.yoyodyne.com (167.35.53.3)
- Solaris 2.5, 2.5.1
- elm.atl.yoyodyne.com (167.35.53.4)
- Solaris 2.5, 2.5.1
- hawthorn.atl.yoyodyne.com (167.35.53.5)
- Solaris 2.5, 2.5.1
- hazel.atl.yoyodyne.com (167.35.53.6)
- Solaris 2.5, 2.5.1
- willow.atl.yoyodyne.com (167.35.53.7)
- OpenBSD 2.6
- erwin.atl.yoyodyne.com (167.35.53.8)
- Linux 2.1.122 - 2.2.16
- mulberry.atl.yoyodyne.com (167.35.53.10)
- OpenBSD 2.6
- oak.atl.yoyodyne.com (167.35.53.11)
- Solaris 2.5, 2.5.1
- rowan.atl.yoyodyne.com (167.35.53.12)
- Solaris 2.5, 2.5.1
- beowulf.atl.yoyodyne.com (167.35.53.13)
- Linux 2.1.122 - 2.2.16
- cluster.atl.yoyodyne.com (167.35.53.14)
- Windows NT4
- blackbox.atl.yoyodyne.com (167.35.53.15)
- OpenBSD 2.6
- atlhub.atl.yoyodyne.com (167.35.53.16)
- 3Com SuperStack II
- furby.atl.yoyodyne.com (167.35.53.17)
- Mac OSX
- redbox.atl.yoyodyne.com (167.35.53.21)
- OpenBSD 2.6
- bluebox.atl.yoyodyne.com (167.35.53.22)
- OpenBSD 2.6
- kerberos.atl.yoyodyne.com (167.35.53.23)
- OpenBSD 2.6
- infowar.atl.yoyodyne.com (167.35.53.29)
- Solaris 8
- holly.atl.yoyodyne.com (167.35.53.43)
- Printer
- swr2-1.nba.yoyodyne.com (167.35.53.61)
- Cisco Catalyst 1900 switch
- gwr2.nba.yoyodyne.com (167.35.53.62)
- Cisco Router/Switch
- (167.35.53.63) (broadcast address)
Servers
- DNS
- Cerebus
- FTP
- Alder, Bluebox, Cerebus, Elm, Hawthorn, Hazel, Kerberos,
Mulberry, Oak, Rowan, Willow, Chestnut, Infowar
- POP, IMAP
- Elm, Rowan
- NIS
- Hawthorn, Rowan
- NFS
- Alder, Cerebus, Elm, Hawthorn, Hazel, Oak, Rowan,
Chestnut
- SMTP
- Alder, Cerebus, Elm, Hawthorn, Hazel, Kerberos, Mulberry,
Oak, Rowan, Willow, Chestnut, Infowar, Beowulf, Erwin
- R Services
- Alder, Bluebox, Cerebus, Elm, Hawthorn, Hazel, Kerberos, Oak,
Rowan, Chestnut, Infowar
- Telnet
- Alder, Bluebox, Cerebus, Elm, Hawthorn, Hazel, Kerberos, Oak,
Rowan, Chestnut, Infowar
- WWW
- Alder, Infowar, Cluster
- WWW (non-standard port webcache)
- Elm
- XDM
- Chestnut, Infowar
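The Active Hosts and Servers tables above are what you get by inverting nmap's per-host output into a per-service view. The script below is an added example (not part of the audit and not the auditor's tooling): it parses nmap's grepable output format (-oG), builds the host list with OS guesses, and inverts it into the service-to-hosts inventory. The scan data in SAMPLE_NMAP_OG was written by hand for four ATL addresses and is not the real scan; the port-to-service mapping is an assumption that follows the categories the report uses (XDM on UDP 177 will not appear in a TCP SYN scan, so that row is shown for completeness only).

```python
"""Build the Active Hosts / Servers inventory from nmap -oG output.

Added example. Run something like
    nmap -sS -O -oG atl.gnmap 167.35.53.0/26
and feed the resulting file to parse_nmap_og() to produce the same
tables for a live scan.
"""
import re
from collections import defaultdict

# Constructed sample in nmap's grepable format (tab-separated fields).
SAMPLE_NMAP_OG = (
    "# Nmap scan initiated as: nmap -sS -O -oG atl.gnmap 167.35.53.0/26\n"
    "Host: 167.35.53.1 (cerebus.atl.yoyodyne.com)\tStatus: Up\n"
    "Host: 167.35.53.1 (cerebus.atl.yoyodyne.com)\tPorts: 21/open/tcp//ftp///, "
    "23/open/tcp//telnet///, 25/open/tcp//smtp///, 53/open/tcp//domain///, "
    "111/open/tcp//sunrpc///, 513/open/tcp//login///, 514/open/tcp//shell///, "
    "2049/open/tcp//nfs///\tIgnored State: closed (1515)\tOS: Solaris 2.5, 2.5.1\n"
    "Host: 167.35.53.7 (willow.atl.yoyodyne.com)\tStatus: Up\n"
    "Host: 167.35.53.7 (willow.atl.yoyodyne.com)\tPorts: 21/open/tcp//ftp///, "
    "22/open/tcp//ssh///, 25/open/tcp//smtp///, 113/closed/tcp//auth///\tOS: OpenBSD 2.6\n"
    "Host: 167.35.53.9 ()\tStatus: Down\n"
    "Host: 167.35.53.14 (cluster.atl.yoyodyne.com)\tStatus: Up\n"
    "Host: 167.35.53.14 (cluster.atl.yoyodyne.com)\tPorts: 80/open/tcp//http///, "
    "135/open/tcp//loc-srv///, 139/open/tcp//netbios-ssn///\tOS: Windows NT4\n"
    "# Nmap done\n"
)

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")

# Assumed mapping from well-known ports to the service names the report uses.
SERVICE_PORTS = {
    "DNS": {53}, "FTP": {21}, "POP, IMAP": {110, 143}, "NFS": {2049},
    "SMTP": {25}, "R Services": {512, 513, 514}, "Telnet": {23},
    "WWW": {80}, "XDM": {177}, "SSH": {22}, "RPC portmapper": {111},
}


def parse_nmap_og(text):
    """Return {ip: {name, status, os, ports: [(port, proto, state, service)]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment line or something that is not a Host record
        ip, name, rest = m.groups()
        h = hosts.setdefault(ip, {"name": name, "status": None, "os": None, "ports": []})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                h["status"] = value
            elif key == "OS":
                h["os"] = value
            elif key == "Ports":
                for entry in value.split(", "):
                    # port/state/proto/owner/service/rpcinfo/version/
                    parts = entry.split("/")
                    h["ports"].append((int(parts[0]), parts[2], parts[1], parts[4]))
    return hosts


def active_host_lines(hosts):
    """Lines for the Active Hosts table: up hosts only, sorted by address."""
    up = [(ip, h) for ip, h in hosts.items() if h["status"] == "Up"]
    up.sort(key=lambda item: tuple(int(o) for o in item[0].split(".")))
    return [f"{h['name'] or '(no name)'} ({ip}) - {h['os'] or 'unknown'}" for ip, h in up]


def service_inventory(hosts):
    """Invert host->open ports into service->sorted short host names."""
    inv = defaultdict(set)
    for ip, h in hosts.items():
        if h["status"] != "Up":
            continue
        short = h["name"].split(".")[0] or ip
        for port, _proto, state, _svc in h["ports"]:
            if state != "open":
                continue
            for svc, ports in SERVICE_PORTS.items():
                if port in ports:
                    inv[svc].add(short)
    return {svc: sorted(names) for svc, names in inv.items()}


if __name__ == "__main__":
    scan = parse_nmap_og(SAMPLE_NMAP_OG)
    print("\n".join(active_host_lines(scan)))
    for svc, names in sorted(service_inventory(scan).items()):
        print(f"{svc}: {', '.join(names)}")
```

The inventory only reflects what nmap saw as open on TCP; the RPC services that drive the High findings below (sadmind, rpc.statd, rpc.cmsd, ToolTalk) sit on dynamic ports behind the portmapper on 111 and need a separate rpcinfo query to enumerate.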
Potential Vulnerabilities and Suggested Corrective Actions
The following potential vulnerabilities were found during the audit.
Potential Root Access via Buffer Overflow (Rating: High)
- Alder, Cerebus, Elm, Hawthorn, Hazel, Oak and Rowan
  - Calendar Manager service (rpc.cmsd) may be vulnerable
    (CVE-1999-0320, CVE-1999-0696)
  - sadmind may be vulnerable to buffer overflow (CVE-1999-0977)
  - tooltalk version may be vulnerable to buffer overflow
    (CVE-1999-0003)
  - rpc.statd is enabled and may be vulnerable (CVE-1999-0018,
    CVE-1999-0019, CVE-1999-0210, CVE-1999-0493)
- Chestnut
  - rpc.statd is enabled and may be vulnerable (CVE-1999-0018,
    CVE-1999-0019, CVE-1999-0210, CVE-1999-0493)
- Kerberos, Mulberry and Willow
  - ftpd version may be vulnerable (see Corrective Action)
Corrective Action:
- Alder, Cerebus, Elm, Hawthorn, Hazel, Oak and Rowan should be
  manually inspected for the proper patch level of Calendar Manager
  (rpc.cmsd), sadmind and tooltalk (rpc.ttdbserverd). All three run
  as root, so a successful overflow yields remote root.
- Kerberos, Mulberry and Willow should be manually inspected for the
  proper patch level of ftpd.
- Alder, Chestnut, Cerebus, Elm, Hawthorn, Hazel, Oak and Rowan should
  be manually inspected for the proper patch level of rpc.statd.
- Any of these services that a host does not need should be disabled
  rather than merely patched; a service that is not registered with
  the portmapper cannot be reached.
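Patch-level inspection starts with finding out which RPC daemons a host actually registers, since none of them sits on a fixed port. The following is an added example, not the auditor's tooling: it parses the output of rpcinfo -p (run from any host on the segment) and flags the program numbers behind the findings above, carrying the CVE references the report cites. The program numbers are the standard Sun RPC assignments; SAMPLE_RPCINFO was constructed to resemble a Solaris 2.5.1 host with the full CDE and admin daemon set and is not a capture from an ATL machine.

```python
"""Flag exploitable RPC services in `rpcinfo -p <host>` output (added example)."""

# RPC program number -> (daemon, why it matters, CVEs cited in this audit).
RISKY_RPC = {
    100068: ("rpc.cmsd", "Calendar Manager buffer overflow, runs as root",
             ["CVE-1999-0320", "CVE-1999-0696"]),
    100232: ("sadmind", "Solstice AdminSuite buffer overflow, runs as root",
             ["CVE-1999-0977"]),
    100083: ("rpc.ttdbserverd", "ToolTalk database server buffer overflow, runs as root",
             ["CVE-1999-0003"]),
    100024: ("rpc.statd", "NFS status monitor, historically exploitable",
             ["CVE-1999-0018", "CVE-1999-0019", "CVE-1999-0210", "CVE-1999-0493"]),
    100002: ("rusersd", "leaks logged-in user names",
             ["CVE-1999-0626"]),
}

# Constructed sample of `rpcinfo -p` output, not a real capture.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   udp    111  rpcbind
    100024    1   udp  32772  status
    100024    1   tcp  32771  status
    100021    1   udp   4045  nlockmgr
    100005    1   udp  32788  mountd
    100003    2   udp   2049  nfs
    100002    2   udp  32774  rusersd
    100083    1   tcp  32775  ttdbserverd
    100068    2   udp  32777  cmsd
    100068    5   udp  32777  cmsd
    100232   10   udp  32780  sadmind
"""


def parse_rpcinfo(text):
    """Return a list of (program, version, proto, port, name) registrations."""
    regs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue  # header or blank line
        prog, vers, proto, port = int(parts[0]), int(parts[1]), parts[2], int(parts[3])
        name = parts[4] if len(parts) > 4 else ""  # some rpcinfo builds omit it
        regs.append((prog, vers, proto, port, name))
    return regs


def risky_services(regs):
    """Collapse registrations into one finding per risky program number."""
    findings = {}
    for prog, vers, proto, port, _name in regs:
        if prog not in RISKY_RPC:
            continue
        daemon, why, cves = RISKY_RPC[prog]
        f = findings.setdefault(prog, {"service": daemon, "why": why,
                                       "cves": cves, "endpoints": []})
        f["endpoints"].append((proto, port, vers))
    return findings


def report(host, text):
    """Human-readable summary in the style of the findings list above."""
    regs = parse_rpcinfo(text)
    findings = risky_services(regs)
    lines = [f"{host}: {len(regs)} RPC registrations, {len(findings)} risky programs"]
    for prog in sorted(findings):
        f = findings[prog]
        eps = ", ".join(f"{p}/{port} v{v}" for p, port, v in f["endpoints"])
        lines.append(f"  {f['service']} (prog {prog}) on {eps}: {f['why']}; "
                     + ", ".join(f["cves"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("alder", SAMPLE_RPCINFO))
```

A host that still answers for 100232 or 100083 after "patching" has usually had the patch applied without the daemon being restarted, or has the service re-enabled in inetd.conf; re-running rpcinfo after the fix is the cheapest verification.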
Potential User Shell Access via Web Server (Rating: High)
- Alder
  - Unauthorized command execution through the jj CGI program
    (CVE-1999-0260), which gives a remote user a shell with the
    privileges of the web server
Corrective Action:
- The jj CGI script should be patched or removed from the server.
Information Gathering (Rating: Medium)
- Alder, Blackbox, Bluebox, Chestnut, Cerebus, Elm, Hawthorn,
  Hazel, Infowar, Kerberos, Mulberry, Oak, Redbox, Rowan and
  Willow
  - Excessive finger information (CVE-1999-0612)
- Alder, Blackbox, Bluebox, Chestnut, Cerebus, Elm, Hawthorn,
  Hazel, Kerberos, Mulberry, Oak, Redbox, Rowan and Willow
  - Information from rusersd could help an attacker (CVE-1999-0626)
Corrective Actions:
- The need for fingerd should be reviewed against the network
  security stance. Finger reveals valid account names, login times
  and idle times, which are the starting point for password guessing.
- The need for rusersd should be reviewed against the network
  security stance. Rusers reveals the same user account information
  to any host that can reach the portmapper.
Other Potential Vulnerabilities (Rating: Medium/Low)
- Alder
  - Various potential vulnerabilities in CGI scripts (ref. Saint
    report). CGI scripts should be reviewed for upgrade or removal.
  - Possible SMTP mail relay. Review for appropriateness.
  - SSH may be vulnerable. Verify RSAREF2 is at the proper patch
    level or is not used.
- Bluebox
  - SSH may be vulnerable. Verify RSAREF2 is at the proper patch
    level or is not used.
- Chestnut
  - SSH may be vulnerable. Verify RSAREF2 is at the proper patch
    level or is not used.
- Cluster
  - System may be vulnerable to DoS attacks. Verify the appropriate
    Windows NT patch level.
- Cerebus
  - DNS may be vulnerable. Review the patch level of the DNS server
    software.
  - Possible SMTP mail relay. Review for appropriateness.
  - SSH may be vulnerable. Verify RSAREF2 is at the proper patch
    level or is not used.
- Elm
  - Possible SMTP mail relay. Review for appropriateness.
  - SSH may be vulnerable. Verify RSAREF2 is at the proper patch
    level or is not used.
- Hawthorn
  - Possible SMTP mail relay. Review for appropriateness.
  - SSH may be vulnerable. Verify RSAREF2 is at the proper patch
    level or is not used.
- Hazel
  - Possible SMTP mail relay. Review for appropriateness.
  - SSH may be vulnerable. Verify RSAREF2 is at the proper patch
    level or is not used.
- Infowar
  - Review the need for the test-cgi CGI script.
- Kerberos
  - SSH may be vulnerable. Verify RSAREF2 is at the proper patch
    level or is not used.
- Oak
  - Possible SMTP mail relay. Review for appropriateness.
  - SSH may be vulnerable. Verify RSAREF2 is at the proper patch
    level or is not used.
- Rowan
  - Possible SMTP mail relay. Review for appropriateness.
  - SSH may be vulnerable. Verify RSAREF2 is at the proper patch
    level or is not used.
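The "possible SMTP mail relay" items above are decided by one SMTP exchange: connect, HELO, give a MAIL FROM outside the site, give a RCPT TO outside the site, and see whether the server says 250 (it will relay for anyone) or 550. The script below is an added example, not the auditor's tool: it implements that probe over a real socket and, so it runs offline, pairs it with a throwaway in-process SMTP responder that can be switched between open-relay and hardened behaviour. The relay policy, domain list and all hostnames and addresses are assumptions for the example; point probe_relay() at a real host and port 25 to test an ATL machine.

```python
"""Open-relay probe with a fake SMTP server for offline demonstration (added example)."""
import socket
import threading

LOCAL_DOMAINS = {"atl.yoyodyne.com", "yoyodyne.com"}   # assumed local mail domains
LOCAL_NETS = ("167.35.53.",)   # loopback deliberately not listed: the probe plays an outsider


def relay_policy(client_ip, mail_from, rcpt_to, open_relay):
    """Decide whether a RCPT TO is accepted.

    Open-relay variant: accept everything (the behaviour the finding flags).
    Hardened variant: accept only mail destined for a local domain or coming
    from a client on the local network. MAIL FROM is deliberately ignored:
    it is attacker-controlled and proves nothing."""
    if open_relay:
        return True
    rcpt_domain = rcpt_to.rsplit("@", 1)[-1].lower()
    return rcpt_domain in LOCAL_DOMAINS or client_ip.startswith(LOCAL_NETS)


def fake_smtp_server(listening, open_relay):
    """Just enough of the SMTP dialogue (RFC 821 verbs) to answer a relay probe."""
    conn, (client_ip, _) = listening.accept()
    rf = conn.makefile("rb")
    conn.sendall(b"220 mx.example ESMTP\r\n")
    mail_from = None
    for raw in rf:
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            conn.sendall(b"250 mx.example\r\n")
        elif verb == "MAIL":
            mail_from = arg.split(":", 1)[1].strip("<> ")
            conn.sendall(b"250 OK\r\n")
        elif verb == "RCPT":
            rcpt = arg.split(":", 1)[1].strip("<> ")
            if relay_policy(client_ip, mail_from, rcpt, open_relay):
                conn.sendall(b"250 OK\r\n")
            else:
                conn.sendall(b"550 Relaying denied\r\n")
        elif verb == "QUIT":
            conn.sendall(b"221 Bye\r\n")
            break
        else:
            conn.sendall(b"500 Unknown command\r\n")
    conn.close()


def probe_relay(host, port, mail_from="attacker@evil.example",
                rcpt_to="victim@elsewhere.example"):
    """Return (is_open_relay, transcript). Sender and recipient are both
    foreign to the target, so a 250 to RCPT TO means it relays for anyone."""
    transcript = []
    with socket.create_connection((host, port), timeout=5) as s:
        rf = s.makefile("rb")

        def chat(cmd):
            if cmd is not None:
                s.sendall(cmd.encode("ascii") + b"\r\n")
                transcript.append("C: " + cmd)
            reply = rf.readline().decode("ascii", "replace").rstrip("\r\n")
            transcript.append("S: " + reply)
            return reply

        chat(None)  # banner
        chat("HELO probe.example")
        chat(f"MAIL FROM:<{mail_from}>")
        rcpt_reply = chat(f"RCPT TO:<{rcpt_to}>")
        chat("QUIT")
    return rcpt_reply.startswith("250"), transcript


def run_probe(open_relay):
    """Start the fake server on an ephemeral loopback port and probe it."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    t = threading.Thread(target=fake_smtp_server, args=(srv, open_relay), daemon=True)
    t.start()
    result = probe_relay("127.0.0.1", srv.getsockname()[1])
    t.join(5)
    srv.close()
    return result


if __name__ == "__main__":
    for mode in (True, False):
        is_open, lines = run_probe(open_relay=mode)
        print(f"open_relay={mode}: relays for outsiders = {is_open}")
        print("\n".join("  " + l for l in lines))
```

Against a real MTA the probe is only conclusive in the negative direction if you also try a recipient in a local domain: a server that answers 550 to everything is misconfigured in a different way, not secure.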
Additional Recommendations
R Services (Rating: Medium)
The use of R services (rsh, rlogin, rexec, rcp) should be reviewed
against the current security stance. R service sessions are sent in
the clear and are vulnerable to sniffing. In addition, rsh and rlogin
trust rests on the client's source address plus the contents of
/etc/hosts.equiv and ~/.rhosts, so a single "+" entry or a spoofable
host name can facilitate a compromise.
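The misconfiguration that matters most here is a wildcard in the trust files. The checker below is an added example (not part of the audit) that parses /etc/hosts.equiv and per-user .rhosts entries and reports the ones that grant passwordless rsh/rlogin access too broadly. The file contents in SAMPLE_FILES are constructed for the example and the severity labels are the author's assumption, chosen to match the report's rating scale.

```python
"""Audit hosts.equiv and .rhosts for over-broad trust entries (added example)."""
from collections import namedtuple

Finding = namedtuple("Finding", "path lineno entry severity reason")

# Constructed sample file contents; the "+" entries are the ones to catch.
SAMPLE_FILES = {
    "/etc/hosts.equiv": (
        "# trusted ATL hosts\n"
        "hawthorn.atl.yoyodyne.com\n"
        "rowan.atl.yoyodyne.com\n"
        "+@atlhosts\n"
        "+\n"
    ),
    "/home/gurney/.rhosts": (
        "elm.atl.yoyodyne.com gurney\n"
        "+ +\n"
        "bluebox.atl.yoyodyne.com +\n"
    ),
}


def parse_rhosts_line(line):
    """Return (host, user) or None for blank/comment lines.

    Entry format is 'hostname [username]'. '+' is a wildcard in either
    field, '+@name' / '-@name' refer to NIS netgroups, a leading '-' denies."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    parts = line.split()
    return parts[0], (parts[1] if len(parts) > 1 else None)


def audit_rhosts(path, text):
    """Return Findings for entries that extend trust beyond a named host/user pair."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        parsed = parse_rhosts_line(raw)
        if not parsed:
            continue
        host, user = parsed
        entry = raw.strip()
        if host == "+" and user == "+":
            findings.append(Finding(path, n, entry, "High",
                            "any user on any host may log in without a password"))
        elif host == "+":
            findings.append(Finding(path, n, entry, "High",
                            "every host is trusted; one spoofed or compromised host gets in"))
        elif user == "+":
            findings.append(Finding(path, n, entry, "High",
                            f"every user on {host} may log in as this account"))
        elif host.startswith("+@"):
            findings.append(Finding(path, n, entry, "Medium",
                            f"trust follows NIS netgroup {host[2:]}; verify its members"))
        # Note: hosts.equiv is not consulted for root; only ~root/.rhosts is.
    return findings


def audit_all(files):
    """Audit a {path: contents} mapping, e.g. built by reading each user's .rhosts."""
    return [f for path, text in files.items() for f in audit_rhosts(path, text)]


if __name__ == "__main__":
    for f in audit_all(SAMPLE_FILES):
        print(f"{f.severity}: {f.path}:{f.lineno} '{f.entry}' - {f.reason}")
```

On the NIS hosts the netgroup case deserves a second look even when no "+" appears: a netgroup such as the one in the sample is expanded on the NIS master, so its membership is only as trustworthy as Hawthorn and Rowan.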
FTP and Telnet (Rating: Medium)
FTP and Telnet services should be reviewed against the current
security stance. Both send passwords and session data in the clear
and are vulnerable to sniffing. They could be replaced by SSH and
SCP, which provide encrypted authentication and sessions.
XDM (Rating: Medium/Low)
XDM service on Chestnut and Infowar should be reviewed against
the current security stance.
WWW (non-standard port webcache) (Rating: Investigate)
An HTTP service on a non-standard port, apparently a web cache, is
running on Elm. Its purpose, owner and exposure should be determined.
ATL Switch (atlhub) (Rating: Medium)
The configuration of the ATL switch (atlhub.atl.yoyodyne.com) can be
accessed via Telnet or WWW. Both are password protected but neither
provides session encryption, so the management password and session
can be sniffed or hijacked. Options include disabling remote
administration or using a switch that provides encrypted management
sessions (SSH/SSL).
SNMP (Rating: Medium/Low)
Default or guessable SNMP community strings with write access exist.
Write access allows configuration changes, not just reads. It is
suggested that write access be disabled or the community strings be
changed.
Echo and Chargen Services (Rating: Medium/Low)
Echo and chargen, or other combinations of UDP services that answer
every packet, can be used in tandem to flood a server: a single
spoofed packet from one service's port to the other's starts an
endless exchange between the two hosts. These services should be
reviewed for removal.
Smurf Amplification (Rating: Medium/Low)
ICMP echo requests sent to the subnet broadcast address are answered
by the hosts on it, which lets the subnet serve as an amplifier for a
denial of service attack against whatever source address an attacker
forges. Solutions could include a filtering router, or disabling
directed-broadcast forwarding on the gateway (no ip directed-broadcast
on Cisco IOS) so the broadcast address cannot be reached from outside.
Appendix
Add any additional required information here (example: Saint Report)
Glossary
A standard and/or expanded Glossary would be inserted here.
Last modified: Sat Oct 30 23:00:05 PDT 2004