Recently I made a comment in twitter where I said that I cringe every time a hear that to confirm a vulnerability an exploit must be ran to confirm and prove it. Some people agreed that it is not the perfect solutions other argued that it is the best one. Let me explain in more that 140 character chunks why I cringe. The scenario I refer to is that of an internal security team managing the security of their infrastructure on a daily basis.
- There are safer ways to check if a vulnerability is present after performing a patch deployment or a configuration change. Most scanner now a days have credential checks where they check versions of files, presence of package and even if the server has been rebooted or not in addition to the network validation of connecting to a possible service and interacting with it to try to determine in a safe way if the service is vulnerable or not. We also have systems in most medium to big organizations that inventory the hosts and can produce detailed reports of what patches have been installed and which not, some tools are even free. Many times the Security team just needs to ask for confirmation from one of the infrastructure teams or have read permissions to those inventory systems. Other times why may just need to put a bit of elbow grease and determine what specific permission they would need on a account that is only used for scanning.
- Not all exploit frameworks and tools have all exploit and attacks for every vulnerability that you may be exposed to. In fact network remote exploits are every time less and less and the numbers have shifted to client side, even with my love of Metasploit Framework I know that Cavas, Core Impact and many other tools will have exploit that the other does not and many just do not get added to the tools, others would require that we automate the user actions that would execute the vulnerable software against a file or attacker system to prove it is vulnerable. this mean that one is leaving a very large number of possible vulnerabilities missed if exploitation is the only way.
- I do not discard the use of exploits as a verification method, it could be use for certain critical vulnerabilities where we may have taken actions to implement countermeasures against and a patch is not present. Now this has to be done in a planned way where both the security team and other infrastructure teams must participate to be able to deploy, test and validate. Running any exploit against all reported vulnerable systems is risky since many may crash a service or the server, if done without planning and proper communication between the teams this could have business impact consequences and further deteriorate any existing political or personal problems in a organization.
One of the arguments I got was that many companies the teams do not talk, are just not willing to work together or by design there is a separation of roles and responsibilities that prohibits working together. To be honest I see this as a big problem in management and leadership in a organization. Are there companies that are like this? yes. Should we try our best to change this if we work in such a company? absolutely. If we are in that situation our success will vary or we may not be successful at all but that does not make running exploits for confirmation without planning or knowing the risks that it may cause the option and solution. I know that some will agree and others will not but I felt it was better I wrote it down that sending twitter public and direct messages al day long and be able to transmit my reasoning for the comment. Hope my 0.02 cents on the subject may be helpful to someone and I'm open to opinions and counter arguments.