SANS Top 20 Report Value

[This was originally published on the OSVDB blog.]

SANS has released their Top 20 Internet Security Vulnerabilities for 2005. Started in June 2000, “the SANS Institute and the National Infrastructure Protection Center (NIPC) at the FBI released a document summarizing the Ten Most Critical Internet Security Vulnerabilities”. The list was designed to help administrators tackle the most critical issues on their network, targeting the most often exploited vulnerabilities.

Looking back at the first report, the list covers fairly specific programs or services with known vulnerabilities. BIND (named), RPC services (rpc.ttdbserverd, rpc.cmsd, rpc.statd), IIS RDS, Sendmail, sadmind and mountd, unpassworded default accounts, IMAP/POP and SNMP are eight of the ten on the original list. Two of the items are more abstract, covering “CGI programs and application extensions (e.g., ColdFusion) installed on web servers” as well as “Global file sharing and inappropriate information sharing via NetBIOS [..] or UNIX NFS exports”. Overall, this list provides a good basis for mitigating vulnerabilities, though that is arguable depending on your definition of the word.

Wikipedia defines a vulnerability as “a weakness or other opening in a system”. Fortunately for me/us, CVE has already covered this issue with their Terminology page and I don’t have to expand on this in more depth. This definition is a fundamental distinction in the world of VDBs and important when evaluating anything (especially papers) on vulnerabilities. While SANS does not explicitly define ‘vulnerability’, the wording of the introduction leans toward a definition of a specific software flaw that can be used to gain access or elevated privileges, rather than the broader definition of a weakness/opening (or ‘exposure’ as CVE calls it).

Based on that observation, the original Top20 list kept to the point and formed a list of specific flaws in computer systems (8 of 10) as well as two exposures. Looking at the current list, one has to wonder if the current level of abstraction has made the list more like a beginner’s guide to securing your computer rather than a list of often exploited vulnerabilities. The 2005 list does not make a distinction between the use of the word vulnerability over the last five years, nor does it define the word. In future lists, I believe it is essential that SANS begin to do so and disclaim their work accordingly.

The first entry on the 2005 list is “Windows Services” (W1), which covers just about every major Microsoft Windows service imaginable, including MSDTC and COM+ Service, Print Spooler Service, Plug and Play Service, Server Message Block Service, Exchange SMTP Service, Message Queuing Service, License Logging Service, WINS Service, NNTP Service, NetDDE Service and Task Scheduler. This type of entry qualifies more as an exposure backed by dozens of vulnerabilities. The second and third entries are “Microsoft Internet Explorer” (W2), an entire web browser, and “Windows Libraries” (W3), which are most certainly general exposures, not specific vulnerabilities. Fourth, “Microsoft Office and Outlook Express” (W4) covers half a dozen programs including Word, Excel, PowerPoint and Access. Many of the vulnerabilities associated with these products may overlap with “Windows Libraries” as well. The fifth entry, “Windows Configuration Weaknesses” (W5), is an abstract entry that can cover an enormous range of exposures that can leave a system open to attack. So far, 5 out of 5 Windows-related entries are exposures, not vulnerabilities.

The second section covers Cross-Platform Applications, which sets itself up to be a fairly high-level entry. Backup software (C1), Anti-virus Software (C2), PHP-based Applications (C3), Database Software (C4), File Sharing Applications (C5), DNS Software (C6), Media Players (C7), Instant Messaging Applications (C8), Mozilla and Firefox Browsers (C9), and Other Cross-platform Applications (C10) make up this wide-ranging list that covers an incredible amount of software, operating systems and protocols. It is easy to argue that this list covers well over 50% of the vulnerabilities reported in 2004 (over 4,500 disclosed, and over 6,200 in 2005), making one question the value of a “Top 20” list that covers thousands of vulnerabilities. Consider that “backup software” or “media players” is fairly high level and reaches a level of abstraction that matches beginner security literature. Then consider that “other cross-platform applications” is a catch-all for almost everything else out there, since most products can be installed on any operating system these days.

The third section starts out with a high level of abstraction and gets worse. First is UNIX Configuration Weaknesses (U1), which would cover a wide range of operating systems such as Linux (all flavors), FreeBSD, NetBSD, OpenBSD, Solaris, AIX, HP-UX, IRIX and dozens of other UNIX variants. This would also cover Mac OS X, which is a UNIX-based operating system, which is very curious given the second entry under this section. “Mac OS X” (U2) is an entire operating system, and this entry even covers some software that comes with it, such as the Safari web browser. Considering Microsoft IE and Mozilla browsers got their own entries above, we begin to see that the list doesn’t even maintain a consistent level of abstraction.

The last section covers “Top Vulnerabilities in Networking Products”. We start with “Cisco IOS and non-IOS Products” (N1), which covers any product made by Cisco. Given their high installation base, they are an obvious target for vulnerabilities but once again, listing an entire vendor which includes their thousands of products? Next it lists “Juniper, CheckPoint and Symantec Products” (N2), which covers all products by these three vendors. Reading the definition of this entry makes me wonder if they ran out of time when trying to finish the document. Vulnerabilities were announced in these products.. exploit code available for some.. duh? This applies to any software out there, even other vendors with a high installation base. Last on the list is “Cisco Devices Configuration Weaknesses” (N3), which seems to be redundant to N1. One entry for “all Cisco products” and a second entry for “misconfiguring all Cisco products”?!

In summary, “The Twenty Most Critical Internet Security Vulnerabilities (Updated) ~ The Experts Consensus” covers what? Certainly not the Top 20 vulnerabilities as defined by many security practitioners and vulnerability databases. You can’t even argue the list contains 20 exposures when it lists entire operating systems (Mac OS X/U2), configuration weaknesses (Windows/W5, Unix/U1, Cisco/N3) as well as redundant entries (Cisco N1 and N3). So, what does this list really cover? Who is this list supposed to help exactly? Telling administrators to upgrade all software and verify all configurations seems like a shorter and sweeter way of saying the same thing.
