ISS Internet Scanner Cannot be relied upon for conclusive Audits

From: Mr. joej (mr_joejat_private)
Date: Sun Feb 07 1999 - 18:28:55 PST

Next message: Tomas Björklund: "More oshare testing (cont.)"

Previous message: Marc Heuse: "Re: Buffer overflow and OS/390"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Before I even start I want to point out that I am NOT
product bashing! ISS's products provide the average
administrator a good way to audit his/her own network.
But there have been numerous companies pop up using only
ISS products to provide security audits and security
expertise.  This is inadequate.  Granted if someone
doesn't use Internet Scanner for at least part of an
audit, they better be real good ....err REAL good.

ISS Internet scanner for example:
Granted ISS never claims to test for all known
vulnerabilities.  This is no surprise, new holes are out
everyday.  But my problem is that of the vulnerabilities
that Internet Scanner says that it is testing, I have
found a few that it DOESN'T even though it says it is.

Example 'Router Checks' I wanted to scan my network to see
if I had any routers that were vulnerable to the old
ioslogon bug.  After a quick scan, I found none.  I knew
this wasn't right, there was one somewhere I hadn't upgraded
yet.  After testing by hand I found it.  I talked to ISS about
this for a while, after sending logs and talking to the engineers
their reply was 'well snmp is disabled ....' The rest of their
reply was something about how this vulnerability was related to
snmp therefor Internet Scanner couldn't scan for it.  This is WRONG.

After some testing this is what was found.  Internet Scanner only
tests for this bug if it can either gain access to a shell (by
guessing the telnet password), or by getting snmp access to get
the IOS version information.  Based upon this, Internet Scanner
determines whether or not the router is vulnerable.  This is WRONG.

This same holds true to all router checks except ascend udp kill.
My follow up question, How many other vulnerabilities does Internet
Scanner say it will scan, but really doesn't?


ISS: Either be very very clear that you are not 'really' scanning
for these vulnerabilities, or just scan for them.


Sorry for the long message, but I wanted to be clear, and its late ....


JoeJ

Mr_JoeJat_private

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

Next message: Tomas Björklund: "More oshare testing (cont.)"
Previous message: Marc Heuse: "Re: Buffer overflow and OS/390"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:32:59 PDT