Monthly Archives: May 2017

Open Port 445, WannaCry, India — A report

When WannaCry wreaked havoc last week there were widespread concerns that a lot of systems in India had fallen to this malware. However, there were conflicting reports about the infection rate in India. Some reports said it was not as bad as expected while others differed.

With this in mind, I just wanted to know how vulnerable we were to this malware.

As per the published analyses, the WannaCry malware tries to spread by infecting hosts that have port 445 open with Server Message Block (SMB) version 1 and are running an unpatched version of Windows. Firstly, there is absolutely no need for systems to expose port 445 to the internet, but why they are open could be a topic for another blog post.

I looked up Shodan to identify the number of systems in India with port 445 open to the Internet. The result was a whopping 25000+ systems.

There is an interesting aspect to this. The numbers varied to a large degree over the period of a week, peaking on weekdays and tapering on weekends. The following chart gives an overview:

On weekdays the number of machines online with port 445 open was around 25342 at the highest, while on weekends it dropped to 17000! That's a difference of nearly 8000, so it looks like a lot of systems are shut down at the weekends. Do note that the Shodan crawlers work 24/7 and update the results in real time.

Though Shodan returned around 25,000+ systems with port 445 open, not all of these machines were running vulnerable versions of Windows. Taking one of the days when the number was at its peak, the following is the breakup:

There is, however, a large chunk of machines running older versions of Windows. Windows 2003/XP/2008/7/Vista accounted for nearly 65% of the servers scanned. The following chart gives the breakup of Windows machines (server and desktop editions included):

As you can see, a lot of machines in India are running out-of-date operating systems. Note that Windows Server 2003, Windows XP and Windows 7 have met their End of Life. Microsoft went beyond its policy of not releasing security updates for EOL products by actually releasing security updates for discontinued operating systems like XP, 2003 and others. If you are still running those operating systems please patch, or better, upgrade. Check this Microsoft page for more information — Customer Guidance for Wannacrypt Attacks

SMB Version Spread:

SMB version spread in India

Note that SMB v1 is vulnerable to the WannaCry attack.

SMB Authentication Status.

For the exploit to work, SMB authentication should be in a disabled state. Fortunately a good percentage of the scanned machines seemed to have authentication enabled. Also note that exposing network shares to the public is a security nightmare, as it can leak data meant for internal users. At the very least, enable password protection.

Top Cities in India with Port 445 Open:

Metros topped the list of cities where machines were running with port 445 open. There is no reason for anyone to expose port 445 on the internet. At most it is needed for file / printer sharing, and that should be limited to the local network. One should configure firewalls to block port 445.

ISPs with subscribers having Port 445 publicly exposed.

BSNL seems to operate the network with the maximum number of machines having port 445 open. I am not surprised to see port 445 open in such large numbers on the BSNL network. I suspect the UPnP (Universal Plug and Play) feature is enabled by default in the routers provided by BSNL and this in turn is causing port 445 on internal hosts to be exposed! (People using BSNL/ISP-provided routers, please comment.)

There is an nmap script to check whether a machine is vulnerable or not. To correlate the above findings, I randomly checked a few machines in the list and a couple of them turned out to be vulnerable, while the others did not. Based on this, the following seems to fit the bill for a WannaCry infection:

  • Running SMB version 1.0
  • Running an unpatched version of Windows 7 / XP / 2012 / 8 / 2003
  • Port 445 exposed to the internet
  • Authentication disabled
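The four criteria above, applied to a handful of Shodan-style records so a defender can triage which exposed hosts need patching first and reproduce the post's per-OS breakup. This is an added example, not code from the original post; the `Host` fields, the prefix list of affected OS strings and the sample records are constructed here (the patch-status field is assumed to come from your own inventory, since a Shodan banner does not show it).

```python
from collections import Counter
from dataclasses import dataclass

# OS families the post lists as affected when unpatched (matched as prefixes)
AFFECTED_OS = ("windows 7", "windows xp", "windows server 2012",
               "windows 8", "windows server 2003")

@dataclass
class Host:
    ip: str
    os: str                   # OS string as reported by the banner
    smb_dialects: tuple       # SMB dialect numbers the host offers, e.g. (1, 2)
    auth_enabled: bool        # False = shares reachable without credentials
    ms17_010_installed: bool  # assumed known from a patch inventory, not from Shodan

def exposure_reasons(h):
    """Return the post's criteria this host meets (every record is a port-445 hit)."""
    reasons = ["port 445 exposed to internet"]
    if 1 in h.smb_dialects:
        reasons.append("offers SMB version 1")
    if h.os.lower().startswith(AFFECTED_OS) and not h.ms17_010_installed:
        reasons.append("unpatched affected Windows version")
    if not h.auth_enabled:
        reasons.append("SMB authentication disabled")
    return reasons

def triage(hosts):
    """All four criteria met -> likely vulnerable; anything else -> exposed only."""
    groups = {"likely_vulnerable": [], "exposed": []}
    for h in hosts:
        r = exposure_reasons(h)
        key = "likely_vulnerable" if len(r) == 4 else "exposed"
        groups[key].append((h.ip, r))
    return groups

def os_breakdown(hosts):
    """Count records per OS string, like the post's chart of Windows versions."""
    return Counter(h.os for h in hosts)

# Constructed sample records (RFC 5737 documentation addresses, not real hosts)
SAMPLE = [
    Host("203.0.113.10", "Windows 7", (1, 2), False, False),
    Host("203.0.113.11", "Windows Server 2012", (2, 3), True, True),
    Host("203.0.113.12", "Windows XP", (1,), True, False),
    Host("203.0.113.13", "Windows 10", (2, 3), True, True),
]
```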

If you are running a version of Windows and would like to check whether the required patch is installed or not, please refer to the article below:

https://support.microsoft.com/en-us/help/4023262/how-to-verify-that-ms17-010-is-installed

Further reading:

Amazon AWS Inspector Review

I was quite excited by the prospect of using AWS Inspector as it is supposed to replace some of the expensive tools like Nessus, Nexpose, Qualys etc. for getting a holistic view of your infrastructure from a security perspective. Usually, it is a challenge to scan the servers / assets in the cloud. The complexities of instant provisioning, Virtual Private Clouds (VPCs), multiple regions and different availability zones add to the license restrictions of the tools. If you are using any of the tools listed above, you can use only one scanning engine and have to pay up for additional scanners. There are certain workarounds to these situations, but the results are not optimal.

Using a native tool like AWS Inspector would not only help in overcoming the technical challenges but is also sensible from a commercial standpoint. Although AWS Inspector does not advertise itself as a full-fledged Vulnerability Assessment scanner, it does claim to help one understand the risk posture of their servers, be they public facing or privately hosted.

In their own words:

“Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity.”

Setting up AWS Inspector needed reasonable effort as it required agent installation, asset tagging and defining of roles. The instructions provided by AWS were easy to follow.

However, I felt the reporting was below average and needed considerable improvement.

Installation & Running the Assessments:

To get started one needs to install the software agent on all the servers (EC2 instances) and initiate the scan from the AWS Web Console. The agent can be installed via the command line and is available for Linux as well as Windows flavors. Amazon Inspector requires read-only access to resources in the account.

Following are the supported Operating Systems:

Linux OS:

  • Amazon Linux (2015.03, 2016.03, 2016.09)
  • Ubuntu (14.04 LTS, 16.04 LTS)
  • Red Hat Enterprise Linux (7.2)
  • CentOS (7.2)

Windows OS:

  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2

Supported AWS regions:

  • US West (Oregon)
  • US East (N. Virginia)
  • EU (Ireland)
  • Asia Pacific (Incheon)
  • Asia Pacific (Mumbai)
  • Asia Pacific (Tokyo)
  • Asia Pacific (Sydney)

Scanning features

The assets are scanned based on what AWS calls rules packages. A rules package is basically a set of rules based on a template, similar to PCI, CIS benchmarks etc. Following are the ones currently available at AWS:

· Common Vulnerabilities and Exposures

· Center for Internet Security (CIS) Benchmarks

· Security Best Practices

· Runtime Behavior Analysis

While the first two in the list are pretty much straightforward, Security Best Practices lists out deficiencies based on the following categories:

Runtime Behavior Analysis provides insight on the following parameters:

NOTE: Currently, AWS does not allow custom or self-configured rules packages.

Depth of scan:

Unlike the different scan templates available in Vulnerability Assessment tools, such as Advanced Network Scan, Configuration Audits, PCI Scans etc., AWS classifies its scanning depth based on time! A point to note is that the longer the duration, the more comprehensive the scan and consequently its findings.

You can set your duration to any of the following available values:

  • 15 minutes
  • 1 hour (recommended)
  • 8 hours
  • 12 hours
  • 24 hours

Scoring

Vulnerabilities determined from the scans are classified as follows:

· HIGH

· MEDIUM

· LOW

· INFORMATIONAL

Pricing

Amazon Inspector is free for up to 250 agents for the first 90 days. The pricing differs after 90 days; more information on pricing here.

Here is my analysis:

Limitations:

The maximum number of hosts that can be scanned in a single run is 50; however, you can install Inspector on up to 500 instances. AWS calls this limit "running agents" and it is a hard limit with no provision to request an increase. If you compare this with tools like Nessus or Nexpose, it is a big limitation, as those tools allow up to 1024 IP addresses depending on the license.

Report formats:

This is where I felt let down by AWS. The reports are neither readily consumable nor readily actionable. With AWS Inspector:

You can either view the results online or download them in CSV format. Only in the web console can you sort by parameters like HIGH, MEDIUM, LOW, INFORMATIONAL etc., and you cannot use these to present an executive summary like in other tools.

The exported CSV file does not include the host name or the IP address. Instead you will have to figure out the host based on the agent ID. Also, you will need to save it as a spreadsheet (.xls, .ods etc.) to preserve any custom changes.

I had to play around with the pivot functionality to identify the host with the maximum number of vulnerabilities or to identify the CVE that is prevalent across all the hosts.

Report includes the following information:

  • Severity
  • Date
  • Finding
  • Target
  • Template
  • Rules Package
  • ARN
  • Rule
  • AWS agent ID
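The pivot work described above can be scripted once the export is in hand. The following is an added example, not Amazon's code: it parses a CSV export with exactly the columns listed, joins the agent ID to a host name and IP, and produces the severity totals, the hosts with the most HIGH findings and the CVE seen on the most hosts. It assumes that the agent ID is the EC2 instance ID (so the name/IP map can be built from `aws ec2 describe-instances`); the export rows, host map and CVE identifiers here are constructed placeholders.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample export with the columns the post lists (all values are placeholders)
SAMPLE_CSV = """\
Severity,Date,Finding,Target,Template,Rules Package,ARN,Rule,AWS agent ID
High,2017-05-20,CVE-0000-0001 (placeholder),prod,weekly,Common Vulnerabilities and Exposures,arn:placeholder:1,r1,i-0aaa
High,2017-05-20,CVE-0000-0002 (placeholder),prod,weekly,Common Vulnerabilities and Exposures,arn:placeholder:2,r2,i-0aaa
Medium,2017-05-20,Password policy weak (placeholder),prod,weekly,Center for Internet Security (CIS) Benchmarks,arn:placeholder:3,r3,i-0aaa
High,2017-05-20,CVE-0000-0001 (placeholder),prod,weekly,Common Vulnerabilities and Exposures,arn:placeholder:1,r1,i-0bbb
Low,2017-05-20,Root SSH login enabled (placeholder),prod,weekly,Security Best Practices,arn:placeholder:4,r4,i-0bbb
Medium,2017-05-20,CVE-0000-0001 (placeholder),prod,weekly,Common Vulnerabilities and Exposures,arn:placeholder:1,r1,i-0ccc
Informational,2017-05-20,Unused listening port (placeholder),prod,weekly,Runtime Behavior Analysis,arn:placeholder:5,r5,i-0ccc
"""

# Assumption: agent ID == EC2 instance ID; in practice fill this from describe-instances.
HOSTS = {
    "i-0aaa": ("web-1", "10.0.1.10"),
    "i-0bbb": ("db-1", "10.0.2.20"),
    "i-0ccc": ("app-1", "10.0.1.30"),
}

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_export(text):
    """Rows of the CSV export as dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))

def severity_counts(rows):
    """Totals per severity: the numbers an executive summary opens with."""
    return Counter(r["Severity"] for r in rows)

def top_hosts(rows, hosts, n=10):
    """Hosts ranked by HIGH findings, then total; returns (name, ip, high, total)."""
    per_host = {}
    for r in rows:
        name, ip = hosts.get(r["AWS agent ID"], (r["AWS agent ID"], "?"))
        per_host.setdefault((name, ip), Counter())[r["Severity"]] += 1
    ranked = sorted(per_host.items(), key=lambda kv: (-kv[1]["High"], -sum(kv[1].values())))
    return [(name, ip, c["High"], sum(c.values())) for (name, ip), c in ranked[:n]]

def prevalent_cves(rows):
    """Number of distinct hosts each CVE appears on (a CVE on many hosts is patched first)."""
    hosts_per_cve = {}
    for r in rows:
        m = CVE_RE.search(r["Finding"])
        if m:
            hosts_per_cve.setdefault(m.group(), set()).add(r["AWS agent ID"])
    return Counter({cve: len(ids) for cve, ids in hosts_per_cve.items()})
```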

AWS already provides many features and tools centered around various aspects of securely managing AWS instances and services, like AWS Config, EC2 Systems Manager, CloudWatch, CloudTrail, Trusted Advisor etc.

I think AWS should consider improving the reporting functionality (executive summary, detailed summary, host IPs/names, top 10 machines with vulnerabilities, options to export reports to PDF, xls, ods etc.) if AWS Inspector is to provide meaningful and impactful input to the people using it. It has good potential to eat into the markets currently controlled by the likes of Nessus, Nexpose, Qualys etc.

#aws #awsinspector #vulnerabilityassessment #infosec #security