Penetration Test Reports and Vulnerability Aggregation
Penetration test reports, aggregating findings and thinking more deeply.
Something I like to do on my Penetration Test reports is aggregate findings of a similar nature together. As a case in point let's take "Out Of Date Server Software" or "Server Software Missing Security Patches". Server software in this case means things like Apache, Jboss, Tomcat, Mysql, etc, etc. Below is a fairly typical example:
Server Software Out Of Date
CVSS Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Impact/Probability: High/High
Description: The affected hosts have server software installed which is out-dated and missing security patches for known vulnerabilities. It is important to apply all security updates in a timely manner to ensure hosts are not affected by known vulnerabilities. Security patches are a good source of information for malicious actors, and new exploits and malicious software are often created by reverse engineering security patches after release. Exploit code is often widely available for issues marked as "Critical" or "Important". The Metasploit Framework, for example, is a freely available tool that provides an attacker with the means to launch attacks against the vulnerable server. Additionally, older vulnerabilities are still heavily targeted; a methodical patching approach that emphasizes consistency and coverage is more important than expedient patching.
Remediation: Upgrade the server software to a version that is currently up-to-date. Ensure that a rigorous patching policy is implemented and maintained to prevent out of date vulnerable software remaining on the system.
Technical Analysis:
Name | CVE | Affected Host |
---|---|---|
Apache | CVE-2022-28330 CVE-2022-30556 CVE-2022-30522 | host1 host2 |
Apache Tomcat | CVE-2020-9484 CVE-2021-25329 | host1 |
Cisco TelePresence | CVE-2019-15273 | 10.152.229.51 10.129.6.108 10.144.85.27 |
Netatalk | CVE-2018-1160 | host5 |
Microsoft SQL Server | CVE-2020-1044 CVE-2019-1068 CVE-2017-5753 | host4 host2 host1 10.152.229.51 |
HP System Management Homepage | CVE-2016-4538 CVE-2015-3195 CVE-2016-2015 CVE-2016-4343 CVE-2016-2106 | host1 host2 host3 |
Firebird SQL Server | CVE-2007-3181 | host6 |
Dropbear SSH Server | CVE-2016-7408 CVE-2016-7407 CVE-2016-7406 CVE-2016-7409 | 10.128.108.253 host2 host3 testpc |
You will have to excuse the reStructuredText table, but I'm sure you get the idea. However, on a few occasions now clients have taken umbrage with this approach due to the lack of detail and provided feedback similar to the following:
Scrolling down to section 5.1 takes me to "Server Software out Of Date", This gives me a list of 9 applications that need addressing. These 9 applications don't have their own finding reference number or any detail about what vulnerable versions are installed, what versions of the software supplied a fix or any specific remediation advice for that software.
Everything stated above is of course correct, but unfortunately misses the point entirely.
As well as making the report more readable, the idea behind aggregating findings like this is to highlight a common root cause. In this case, the goal is not to go through the list of software, log into the affected machines, and upgrade it to a newer version no longer vulnerable to the listed CVEs. The goal is to determine why out of date software is in use, and why security patches are not being installed in a timely manner. The aim then is to put in place processes, procedures and checks to ensure all software is updated and remains so. Although in practice you will likely have to go through the list of software, log into the affected machines, and upgrade it to a newer version no longer vulnerable to the listed CVEs, if that was the only thing you did, then 6 months later you will be faced with exactly the same dilemma, probably stemming from another pen test report with a list of software that needs upgrading. The outcome of any good penetration test is to help identify and address the root cause of vulnerabilities and put controls and mitigations in place to ensure a real attacker can't exploit the same issue. Not to play a game of security Whac-a-mole.
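Both views can come from the same data: the aggregated per-software table used in the finding above, and the per-host breakdown the client asked for as an appendix. The following is an added example, not code from the original post; the input records are a constructed sample built from the names, CVEs and hosts in the table above, and the function names are my own.

```python
"""Aggregate flat per-host scanner findings into one report finding.

Added example. FINDINGS is a constructed sample drawn from the table in
the post; real input would be parsed from scanner output.
"""
from collections import defaultdict

# Constructed sample of per-host scanner output: (software, cve, host).
FINDINGS = [
    ("Apache", "CVE-2022-28330", "host1"),
    ("Apache", "CVE-2022-30556", "host1"),
    ("Apache", "CVE-2022-28330", "host2"),
    ("Apache Tomcat", "CVE-2020-9484", "host1"),
    ("Apache Tomcat", "CVE-2021-25329", "host1"),
    ("Dropbear SSH Server", "CVE-2016-7406", "host2"),
    ("Dropbear SSH Server", "CVE-2016-7406", "host3"),
    ("Dropbear SSH Server", "CVE-2016-7407", "host3"),
]


def aggregate(findings):
    """Group findings by software, de-duplicating CVEs and hosts.

    Returns software -> {"cves": [...], "hosts": [...]}; lists are sorted
    so the rendered table is stable between runs of the same scan data.
    """
    grouped = defaultdict(lambda: {"cves": set(), "hosts": set()})
    for software, cve, host in findings:
        grouped[software]["cves"].add(cve)
        grouped[software]["hosts"].add(host)
    return {
        name: {"cves": sorted(v["cves"]), "hosts": sorted(v["hosts"])}
        for name, v in sorted(grouped.items())
    }


def by_host(findings):
    """Reverse view for the appendix: host -> sorted list of affected software."""
    hosts = defaultdict(set)
    for software, _cve, host in findings:
        hosts[host].add(software)
    return {host: sorted(sw) for host, sw in sorted(hosts.items())}


def render_table(aggregated):
    """Render the aggregated finding as the pipe table used in the report."""
    lines = ["Name | CVE | Affected Host |", "---|---|---|"]
    for name, v in aggregated.items():
        lines.append(f"{name} | {' '.join(v['cves'])} | {' '.join(v['hosts'])} |")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(aggregate(FINDINGS)))
```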