The sea of system vulnerabilities makes it hard for a system administrator to know just where to jump in to begin patching them. A place to start is the SANS/FBI Top 20 Internet Security Vulnerabilities List, which was released Wednesday.
The list is the third annual compilation by the SANS Institute and the FBI's National Infrastructure Protection Center (NIPC). This time, the organizations compiled two lists featuring 10 Windows vulnerabilities and 10 Unix flaws.
While it's debatable that both platforms have 10 flaws of equal weight, the organizers thought providing two lists would be more useful. "An administrator only needs to go through the list for their specific system," said Jeff Campione, a longtime SANS affiliate and the list's editor.
The lists cover a range of issues and applications on both platforms.
Microsoft Internet Information Server topped the list of Windows vulnerabilities. The Web server has had its share of vulnerabilities over the last year and was responsible for the spread of Code Red and Nimda in September 2001.
The Apache Web server, however, debuted on the Unix list. While Apache has a "well-deserved reputation for security," the list says, "it has not proved invulnerable under scrutiny."
Exploits in Apache have been few but were well publicized and "quickly utilized in attacks," the list says. Last month, for example, the Slapper worm took advantage of a vulnerability in OpenSSL running on Linux-based Apache Web servers.
Microsoft's SQL Server database also was new to the list. The company has released two patch packages in the last seven or eight months, including one Wednesday night, covering dozens of vulnerabilities. The database "contains several serious vulnerabilities that allow remote attackers to obtain sensitive information, alter database content, compromise SQL servers, and in some configurations, compromise server hosts," the list said.
Other vulnerabilities listed are more general. For example, password-related issues made both the Windows and Unix lists. Common password vulnerabilities include weak or nonexistent passwords and failure to keep them secret. "Accounts with bad or empty passwords remain extremely common, and organizations with good password policy [are] far too rare," the list says.
The lists are presented as a starting point for companies tackling vulnerability assessments of their systems. The top vulnerabilities were selected because they were widespread, are actually being exploited and are fixable. Detailed information about the vulnerabilities, including links to patches, is included on the SANS Web site.
Yet system administrators shouldn't pat themselves on the back for just fixing the things on the list.
"The lists are the absolute minimum they should do," said Gerhard Eschelbeck, vice president of engineering at Qualys, a Redwood Shores, Calif.-based firm that offers a scanning tool for finding vulnerabilities, including those on the Top 20 List.
Companies like Qualys helped SANS develop the lists. They provided empirical data on the kinds of vulnerabilities out there. Alumni of SANS educational programs provided anecdotal evidence of the vulnerabilities they have seen.
Just as vulnerability assessment isn't static, neither is the list. The organizers see it as a living document that will be updated and tweaked as new vulnerabilities are added and new information is made available.
Here are the lists of top vulnerabilities:
Top Windows vulnerabilities
- Internet Information Server (IIS)
- Microsoft Data Access Components (MDAC) -- Remote Data Services
- Microsoft SQL Server
- NETBIOS -- Unprotected Windows networking shares
- Anonymous Logon -- Null sessions
- LAN Manager Authentication -- Weak LM hashing
- General Windows Authentication -- Accounts with no passwords or weak passwords
- Internet Explorer
- Remote Registry Access
- Windows Scripting Host
Top Unix vulnerabilities
- Remote Procedure Calls (RPC)
- Apache Web Server
- Secure Shell (SSH)
- Simple Network Management Protocol (SNMP)
- File Transfer Protocol (FTP)
- R-Services -- Trust relationships
- Line Printer Daemon (LPD)
- General Unix Authentication -- Accounts with no passwords or weak passwords
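The "accounts with no passwords or weak passwords" entry on both lists, and the article's remark that accounts with bad or empty passwords remain extremely common, is the kind of item an administrator can check mechanically. The following is an added example, not code from the article or from SANS: it audits records in /etc/shadow format for empty password fields and for hashes still using the old MD5-crypt or DES-crypt schemes. The sample records are constructed, the hash values are placeholders, and which hash schemes count as "weak" is an assumption about local policy rather than anything the list prescribes.

```python
"""Audit /etc/shadow-style records for the password weaknesses the
SANS/FBI list calls out: accounts with no password at all, and accounts
whose hash uses a legacy scheme. The sample data below is constructed."""
from dataclasses import dataclass

# Constructed sample, NOT a real shadow file; hash bodies are placeholders.
SAMPLE_SHADOW = """\
root:$6$abc123$PLACEHOLDERHASH:19000:0:99999:7:::
alice:$y$j9T$PLACEHOLDERHASH:19000:0:99999:7:::
guest::19000:0:99999:7:::
legacy:$1$salt$PLACEHOLDERHASH:15000:0:99999:7:::
daemon:*:19000:0:99999:7:::
bob:!:19000:0:99999:7:::
"""

# Assumption: the site treats MD5-crypt ($1$) and unprefixed DES crypt as weak.
WEAK_HASH_PREFIXES = ("$1$",)
LOCKED_MARKERS = ("!", "*")  # '!' / '!!' / '*' mean the account is locked


@dataclass(frozen=True)
class Finding:
    account: str
    issue: str


def classify_hash(field: str) -> str:
    """Classify the second shadow field (the password hash)."""
    if field == "":
        return "empty"            # no password at all: anyone can log in
    if field.startswith(LOCKED_MARKERS):
        return "locked"           # password login disabled, not a finding
    if field.startswith(WEAK_HASH_PREFIXES):
        return "weak"
    if field.startswith("$"):
        return "ok"               # $5$, $6$, $y$ and other modular-crypt schemes
    return "legacy-des"           # traditional 13-char DES crypt has no '$' prefix


def audit_shadow(text: str) -> list[Finding]:
    """Return one Finding per account that needs attention."""
    findings: list[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = raw.split(":")
        if len(fields) < 2:
            findings.append(Finding(f"line {lineno}", "malformed record"))
            continue
        account, pw_hash = fields[0], fields[1]
        kind = classify_hash(pw_hash)
        if kind == "empty":
            findings.append(Finding(account, "no password set"))
        elif kind == "weak":
            findings.append(Finding(account, "weak MD5-crypt hash"))
        elif kind == "legacy-des":
            findings.append(Finding(account, "legacy DES-crypt hash"))
    return findings


if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        print(f"{f.account}: {f.issue}")
```

Run it against a copy of a real shadow file by reading the file into `audit_shadow`; the function only reads the account name and hash field, so a hash it does not recognise is reported rather than silently accepted. Locked accounts are deliberately not reported, since disabling password login is one of the fixes the list recommends.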