Each finding tells you how the vulnerability was detected. In this case, OpenVAS found a Ruby-based web page and sent it a request that attempted to make a system call. The error message that came back suggested to OpenVAS that system calls are allowed through the application. Because system calls are used for sensitive operations such as reading and writing files and gaining access to hardware, the ability to trigger them could give an attacker access to the system or let them damage files on it. It is that potential level of access that earned the finding such a high severity rating.
When you get a result like this, it is worth trying as best you can to duplicate it manually. This is where you may want to turn logging up as high as it will go, which you can do by going to the scanner preferences and turning on Log Whole Attack. You can also check the application log on the target to see exactly what was sent. Repeating the attack and then modifying it in useful ways can be important. For example, manual testing of the vulnerability identified in Figure 4-14 resulted in an error message indicating that the function was not implemented. What OpenVAS tried was not completely successful, so additional testing and research are needed before the finding can be confirmed or dismissed.
If you need help performing the additional testing, each finding includes a list of resources. These web pages give more details on the vulnerability, which can help you understand the attack so you can work on duplicating it. Often these resources point to the announcement of the vulnerability; they may also provide details from vendors about fixes or workarounds.
Another column to look at is the second column, which is labeled only with an icon. This column indicates the solution type. Solutions may be workarounds, vendor fixes, or mitigations, and each finding provides additional details about the workarounds or fixes that may be possible.
One of the vulnerabilities detected was a pair of SMTP server features that could lead an attacker to information about valid email addresses. Figure 4-15 shows that finding and its solution. This particular solution is a workaround: disable the two commands in the mail server.
Figure 4-15. OpenVAS solution
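As an added example (not code from the book or from OpenVAS), the following Python script re-checks an SMTP address-disclosure finding like this one by hand, which is the manual duplication step recommended above. It assumes the two mail-server functions the finding refers to are the SMTP VRFY and EXPN commands, which is what address-enumeration findings against SMTP normally mean; the page itself does not name them. The mail server it talks to is a constructed stand-in that runs in a thread on localhost, and its host name and replies are made up for the demonstration.

```python
"""Manually re-check an SMTP address-disclosure finding.

Added example, not code from the book or from OpenVAS. It assumes the two
mail-server functions the finding refers to are the SMTP VRFY and EXPN
commands (the finding in the text does not name them). The server it talks
to here is a constructed stand-in running on localhost; its host name and
replies are made up for the demonstration.
"""
import smtplib
import socket
import threading

# CONSTRUCTED replies for the stand-in server: the shape a scanner sees from a
# mail server that still honours VRFY and EXPN. Keys are "COMMAND argument".
FAKE_REPLIES = {
    "VRFY root": "250 2.1.5 root <root@mail.example.test>",
    "VRFY nosuch": "550 5.1.1 <nosuch>: Recipient address rejected: User unknown",
    "VRFY staff": "252 2.0.0 Cannot VRFY user, but will accept message",
    "EXPN staff": "250-2.1.5 alice@mail.example.test\r\n250 2.1.5 bob@mail.example.test",
}
DEFAULT_REPLY = "502 5.5.1 Command not implemented"


def classify_reply(code: int) -> str:
    """Turn the reply code to a VRFY/EXPN probe into a verdict on what leaked.

    250: the address was confirmed or the list expanded (information disclosed).
    550: the server said the user does NOT exist; that still lets an attacker
         enumerate valid names by elimination, so treat it as a disclosure.
    252: the server declined to confirm (RFC 5321 allows this); nothing leaked.
    500/502: the command is disabled or unknown; nothing leaked.
    """
    if code == 250:
        return "discloses"
    if code == 550:
        return "discloses-by-absence"
    if code == 252:
        return "noncommittal"
    if code in (500, 502):
        return "disabled"
    return "other"


def probe(host: str, port: int, names):
    """Send VRFY and EXPN for each name; return {(command, name): (code, verdict)}."""
    results = {}
    # local_hostname avoids the DNS lookup smtplib would otherwise do for HELO.
    with smtplib.SMTP(host, port, local_hostname="scanner.example.test", timeout=5) as smtp:
        for name in names:
            code, _ = smtp.verify(name)   # smtplib sends "vrfy <name>"
            results[("VRFY", name)] = (code, classify_reply(code))
            code, _ = smtp.expn(name)     # smtplib sends "expn <name>"
            results[("EXPN", name)] = (code, classify_reply(code))
    return results


def start_fake_server() -> int:
    """Start a one-connection SMTP stand-in on 127.0.0.1 and return its port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        conn.sendall(b"220 mail.example.test ESMTP (constructed stand-in)\r\n")
        reader = conn.makefile("rb")
        for raw in reader:
            line = raw.decode("ascii", "replace").strip()
            if line.upper() == "QUIT":
                conn.sendall(b"221 2.0.0 Bye\r\n")
                break
            cmd, _, arg = line.partition(" ")
            reply = FAKE_REPLIES.get(f"{cmd.upper()} {arg}", DEFAULT_REPLY)
            conn.sendall(reply.encode("ascii") + b"\r\n")
        conn.close()
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def run_demo():
    """Probe the stand-in server the way a manual re-test of the finding would."""
    port = start_fake_server()
    return probe("127.0.0.1", port, ["root", "nosuch", "staff"])


if __name__ == "__main__":
    for (command, name), (code, verdict) in run_demo().items():
        print(f"{command} {name:<7} -> {code} {verdict}")
```

Against a real target, replace the stand-in with the scanned host and port and read the verdicts the same way: a 250 to VRFY or EXPN confirms what the scanner reported, a 252 means the server is refusing to confirm (the reply RFC 5321 reserves for exactly this), and a 500 or 502 means the command is already off. Note that a 550 "user unknown" is not a fix, because an attacker can still sort guessed names into valid and invalid by the difference in replies. The workaround the finding describes is applied in the mail server's configuration, not in the scanner; as assumptions not taken from the page, on Postfix that is `disable_vrfy_command = yes` in main.cf (Postfix has never implemented EXPN), and on Sendmail the `novrfy` and `noexpn` privacy options.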