Re: Pentesting Old unsupported Firewall Appliances

From: Security Guy (security@sligoinc.com)
Date: Wed Jun 13 2007 - 09:38:44 EDT


On 6/11/07, Harold Castro <b0ydaem0n@yahoo.com> wrote:
> Hi,
>
> I'm new in pen testing.
> Recently, I came across this firewall appliance
> running Apache/1.3.26
> (Unix) mod_dtcl mod_ssl/2.8.10 OpenSSL/0.9.7 during an
> external pentest.

Eeew.

>
> 1. First, find out what is the firmware version of
> that machine.

See below

> 2. Then find out if the apache version on that
> particular firmware really had security issues
> confirmed by the manufacturer and if there
> were any patches provided to address such issues. For
> this, I have to obtain the CHANGES logs, patches
> documentations etc. But the problem is
> this is not like an open source thing where you have
> access to everything.

Even with open source, how many people actually LOOK at the code, much
less try to fix it?

>
> This creates a problem. How do you go about it??
> Should I just mention in the report that, "this
> particular host contains several high risk
> vulnerabilities and poses a significant risk. However,
> if you have applied the patches or did a firmware
> upgrade then you don't have to worry anymore."

Haha, if that were the case I would close up shop and never work
again! Even with supported products, just "applying the patches ...
and don't have to worry anymore" is not a good strategy.

>
> And one more thing, if their appliance is no longer
> supported by the manufacturer, do you give a
> replacement suggestion in your report?
>

Yes. Recommend a supported product.

>
> If all else fails, do you tell the customer that it is
> safe to ignore those warnings and vulnerabilities
> because you, from a hacker's perspective, were not able
> to penetrate the network by making use of those
> vulnerabilities found, that the hacker might have a
> hard time as well and eventually opt for another
> target?

Good lord, no. Remember that a PenTest does not prove the negative!
Just because YOU can't get in to their network does not mean that a
skilled hacker could not write a 0day to get through the firewall.

My suggestion: mention that you don't really have enough information
to make a good recommendation on the box, get access to it, evaluate
the configuration and get some hard info on the box itself, maybe even
who the manufacturer really is.

-Karl
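Karl's point about "hard info on the box" starts with the only data point Harold has so far: the Server header. The following is an added example, not code from either poster, that turns such a banner into structured components and compares each version against reference versions the tester supplies (the reference dictionary in the usage is a hypothetical placeholder, not a claim about which Apache or OpenSSL release fixed anything). It treats unversioned modules, components with no supplied reference, and the banner's own self-reported nature as things to confirm on the host rather than as findings.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Banner quoted in the thread, used here as a constructed sample input.
SAMPLE_BANNER = "Apache/1.3.26 (Unix) mod_dtcl mod_ssl/2.8.10 OpenSSL/0.9.7"

# Hypothetical reference versions for illustration only; a tester would
# replace these with what the vendor's release notes actually say.
HYPOTHETICAL_REFERENCE = {"Apache": "1.3.27", "OpenSSL": "0.9.7"}


class Component(NamedTuple):
    product: str
    version: Optional[str]  # None when the banner names a module without a version


# Either a parenthesised comment such as "(Unix)" or a whitespace-free token.
_TOKEN = re.compile(r"\(([^)]*)\)|(\S+)")


def parse_server_banner(banner: str) -> Tuple[List[Component], List[str]]:
    """Split an HTTP Server header into (components, comments).

    Comments like "(Unix)" are returned separately; every other token is
    split on its first '/' into product and version.
    """
    components: List[Component] = []
    comments: List[str] = []
    for comment, token in _TOKEN.findall(banner):
        if comment:
            comments.append(comment)
            continue
        product, _, version = token.partition("/")
        components.append(Component(product, version or None))
    return components, comments


def version_key(version: str) -> Tuple[Tuple[int, str], ...]:
    """Turn '1.3.26' or '0.9.7a' into a tuple that sorts numerically.

    Plain string comparison would rank 1.3.3 above 1.3.26; splitting on dots
    and comparing integers fixes that.  Trailing letters (OpenSSL's patch
    letters) sort after the bare number they follow.
    """
    key = []
    for part in version.split("."):
        m = re.fullmatch(r"(\d*)([A-Za-z]*)", part)
        if m and (m.group(1) or m.group(2)):
            key.append((int(m.group(1) or 0), m.group(2)))
        else:
            key.append((0, part))  # unparseable part: sort lowest, keep text
    return tuple(key)


def triage_banner(banner: str, reference: Dict[str, str]) -> Dict[str, str]:
    """Classify each banner component against caller-supplied reference versions.

    Every verdict other than 'at or above reference' is something to confirm
    on the appliance itself: a banner is self-reported and may be stale,
    truncated, or deliberately misleading.
    """
    verdicts: Dict[str, str] = {}
    components, _ = parse_server_banner(banner)
    for comp in components:
        if comp.version is None:
            verdicts[comp.product] = "no version in banner; confirm on host"
        elif comp.product not in reference:
            verdicts[comp.product] = "no reference version supplied; confirm on host"
        elif version_key(comp.version) < version_key(reference[comp.product]):
            verdicts[comp.product] = (
                f"{comp.version} is older than reference {reference[comp.product]}"
            )
        else:
            verdicts[comp.product] = (
                f"{comp.version} at or above reference {reference[comp.product]}"
            )
    return verdicts


if __name__ == "__main__":
    comps, notes = parse_server_banner(SAMPLE_BANNER)
    print("components:", comps)
    print("comments:", notes)
    for product, verdict in triage_banner(SAMPLE_BANNER, HYPOTHETICAL_REFERENCE).items():
        print(f"{product}: {verdict}")
```

The verdict strings are written so they can be pasted into a findings table as-is, with the "confirm on host" entries doubling as the list of questions to take to the client when you get access to the appliance.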




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:52 EDT