Plugin Spotlight: SMB Insecurely Configured Service
Misconfiguration can Lead to Compromise
As a former full-time systems administrator, I understand the pain of managing and maintaining systems. A significant amount of testing is often required to ensure that you have the correct configuration settings, not just in terms of security, but also for system stability. Once you have the correct configuration it is difficult to maintain consistency across the environment on an ongoing basis (especially across hundreds, or even thousands, of disparate systems). This problem crosses all platforms and Unix/Linux and Windows administrators alike share the same challenges. Some examples include:
- Authentication/Logon services implementing the appropriate policies
- Ensuring all services are logging properly
- Permissions on existing users and running processes
- Various configuration settings associated with installed services (and typically specific to the service)
Improperly configured systems often lead to instability and security problems. For example, a program running as root, or administrator, could be exploited by an attacker to gain access to a system. A configuration change (or multiple changes) needs to be put in place to make a service run as a lesser privileged user to limit what an attacker can do on a system (even if only for a period of time until they find a privilege escalation exploit). Some of the more difficult systems to penetrate are those that are properly maintained and configured. All systems administrators may not be security “experts”, but are typically highly skilled individuals who know their systems very well and run a tight ship. A lax attitude (e.g., "Oh, that system can run as root, it’s not hurting anything") greatly increases your risk and makes the attackers’ job easier, not harder.
The Devil is in the Details
Keeping track of service configuration is a very tedious process. Fortunately, Nessus has several plugins and .audit files that can help. A great example is a new plugin that detects the permissions of the services running on Windows systems. Plugin 44676 "SMB Insecurely Configured Service" checks the permissions of each service to see if SERVICE_CHANGE_CONFIG, WRITE_DAC or WRITE_OWNER are enabled for "Everyone". Research indicates that access control entries (ACEs) are stop-on-first-match; meaning if an “Allow ACE for Everyone” appears before a “Deny ACE for Everyone”, the “Deny ACE” will be ignored. The plugin will evaluate each service's ACE and take the rule order into consideration.
The risk with this configuration error is that if a Windows service is configured to allow “Everyone” to change its configuration, a local user could execute arbitrary commands, either deliberately or accidentally. For example, if a service is configured to run goodprogram.exe but has insecure permissions, anyone can re-configure the service to run evil.exe. If a service runs as the 'Good Program' user, that account can become compromised. If a service is running as SYSTEM (as many services do), an attacker could take over the entire system.
To run this plugin, Nessus must be configured with credentials to log into the Windows target. When the plugin finds a mis-configured service, it will produce output such as:
This plugin is available in the feed and is a welcome addition to the Nessus plugin database, allowing users to easily audit the running services on all Windows hosts within your environment.
Resources
Best practices and guidance for writers of service discretionary access control lists
Contributions for this post were made by Brian Adeloye., Vulnerability Research Engineer here at Tenable Network Security.
Related Articles
Study: Tenable Offers Fastest, Broadest Coverage of CISA's KEV Catalog
October 23, 2023Tenable ranked first in multiple vulnerability management categories, including the most comprehensive coverage and quickest detection of CISA's Known Exploited Vulnerabilities, according to a Miercom report commissioned by Tenable.
Tuning Network Assessments for Performance and Resource Usage
September 13, 2022Using the correct tool for the job and optimizing scanner placement will have a large impact on scan efficiency with Nessus, Tenable.io and Tenable.sc.
Terrascan Joins the Nessus Community, Enabling Nessus To Validate Modern Cloud Infrastructures
May 17, 2022The addition of Terrascan to the Nessus family of products helps users better secure cloud native infrastructure by identifying misconfigurations, security weaknesses, and policy violations by scanning Infrastructure as Code repositories.
Cybersecurity Snapshot: Many Employees Overshare Work Info with AI Tools, Report Finds, as ‘Cybersecurity Awareness Month’ Kicks Off
October 4, 2024Check out the best practices cyber agencies are promoting during Cybersecurity Awareness Month, as a report warns that staffers are feeding confidential info to AI tools. Meanwhile, a study highlights how business decisions can derail OT security. Plus, get the latest on Active Directory security, CISO salary trends and ransomware attacks!
How to Unlock Advanced IoT Visibility for Cyber-Physical Systems
October 1, 2024As the number of IoT devices deployed globally continues to rise, cyber-physical systems and business operations are exposed to greater risk. Improving asset visibility, monitoring and risk management are critical steps to preventing breaches.
Cybersecurity Snapshot: NIST Program Probes AI Cyber and Privacy Risks, as U.S. Gov’t Tackles Automotive IoT Threat from Russia, China
September 27, 2024A new NIST program will revise security frameworks like NIST’s CSF as AI risks intensify. Plus, the U.S. may ban cars with Russian and Chinese IoT components. Meanwhile, the CSA adds AI insights to its zero trust guide. And get the latest on cybersecurity budgets, SBOMs and the Ghost cybercrime platform!
- Nessus