by dboreham 3182 days ago
>Do these scanners ever work?

For this particular vulnerability? I doubt it. (Source: I worked on building such a scanner recently).

Let's begin with a vulnerability that is obviously detectable with an off-the-shelf scanner: "Buffer overrun in Linux CIFS Server". We can detect a host with this vulnerability by simply scanning the local subnet for live IP addresses, then fingerprinting the host to determine it is Linux, checking if it responds on the SMB port, and finally sending it a test exploit payload and seeing if it responds in the expected way (or crashes). This all takes a few ms.

But now consider: what if the vulnerability is only exploitable by an authenticated session? Well, we could have our scanner ask the operator for a set of credentials for each CIFS server it finds. But what if the vulnerability requires a mounted share? Well, the scanner can ask the operator for the name of a share, or if it is lucky it could try to guess one. Perhaps we could be happy with the scanner identifying the version of Samba running on the server and concluding from patch history knowledge that it is vulnerable. But boxes get locally patched, and often there isn't enough information in the externally visible version info to tell one way or the other.

Now think about trying to do this in the context of the vulnerability "If your application uses Struts and allows file upload then it might have this RCE vulnerability". We don't even know if we're using Struts in any of our applications. We may have hundreds of applications. Is it possible to tell from the outside that Struts is being used? (I'm not sure but probably not). You could note that the web server is Tomcat and therefore the application is written in Java and therefore it might use Struts. There will be hundreds if not thousands of potential CVEs to check for given only that information.

You don't know if a given web application even supports file upload. How do you tell? Look at pages for the string "Click to upload"?? (Yes, I have seen this done.)

Given that it is often a hard task for a human to figure out how to use one of these applications, and that they would need to possess all kinds of valid data to even get the application into the state where it permits file upload, I think you can see this is not going to be easy.

Add in the fact that each state change may take a sizable fraction of a second and there could be thousands of plausible vulnerabilities to check for. The driving of the application has to be done inside a headless browser process which will often sail off into space, paying you no heed.

Even if the 10,000 monkeys happen to type Shakespeare, there will be a mass of false positive results in the report which a human has to trawl through.

And the scan will not complete in finite time.

Not so easy after all.

What is relatively easy is to have humans keep an eye on the applications for which they are responsible, reading the security mailing lists for the dependencies and taking appropriate action.
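The comment's closing point is that the "are we using Struts at all?" question is easy to answer from the inside, where the dependency manifests are, and practically unanswerable from the outside. The script below is an added example (not from the comment or its author) of that inside-out inventory: it walks a set of Maven `pom.xml` files, resolves `${property}` version references, and flags applications that pull in `struts2-core` below a review threshold. The three manifests and the `REVIEW_BELOW` cutoff are constructed for illustration; the real cutoff for any given advisory comes from the project's security mailing list. It answers only presence and declared version, which is exactly the thing an external scanner cannot see; it says nothing about whether file upload is reachable or whether a fix was backported without a version bump.

```python
"""Added example: inventory-based dependency check across many applications.
All pom.xml contents and the REVIEW_BELOW threshold are constructed/assumed."""
import re
import xml.etree.ElementTree as ET

MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"

# Hypothetical threshold: any struts2-core version below this gets flagged
# for human review. Not a real advisory boundary.
REVIEW_BELOW = "2.5.0"

# Constructed manifests standing in for "hundreds of applications".
CONSTRUCTED_POMS = {
    "billing-app": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.3.20</version>
    </dependency>
  </dependencies>
</project>""",
    "reports-app": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><struts.version>2.5.10</struts.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
  </dependencies>
</project>""",
    "static-site": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-web</artifactId>
      <version>4.3.0</version>
    </dependency>
  </dependencies>
</project>""",
}


def version_key(v):
    """Turn '2.3.20' into (2, 3, 20) so versions compare numerically;
    non-numeric components (e.g. 'RC1') sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def resolve_property(value, props):
    """Substitute ${name} from <properties>; unknown names are left as-is."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: props.get(m.group(1), m.group(0)), value)


def find_dependency(pom_xml, group, artifact):
    """Return the declared version of group:artifact, or None if absent."""
    root = ET.fromstring(pom_xml)
    props = {}
    props_el = root.find(f"{MAVEN_NS}properties")
    if props_el is not None:
        for child in props_el:
            props[child.tag.replace(MAVEN_NS, "")] = (child.text or "").strip()
    for dep in root.iter(f"{MAVEN_NS}dependency"):
        g = dep.findtext(f"{MAVEN_NS}groupId", "")
        a = dep.findtext(f"{MAVEN_NS}artifactId", "")
        if g == group and a == artifact:
            return resolve_property(dep.findtext(f"{MAVEN_NS}version", ""), props)
    return None


def inventory(poms, group="org.apache.struts", artifact="struts2-core",
              review_below=REVIEW_BELOW):
    """Map each application to (declared version or None, needs_review)."""
    result = {}
    for app, xml in poms.items():
        v = find_dependency(xml, group, artifact)
        needs_review = v is not None and version_key(v) < version_key(review_below)
        result[app] = (v, needs_review)
    return result


if __name__ == "__main__":
    for app, (v, flag) in inventory(CONSTRUCTED_POMS).items():
        print(f"{app:12s} struts2-core={v or 'absent':8s} review={flag}")
```

Run against a real checkout you would feed it the `pom.xml` files found on disk (and the equivalent for Gradle, npm, and so on), and the output is the list of owners to notify when the next advisory lands on the mailing list. The interesting failure mode is the one the comment raises: a locally patched build keeps its old version string, so a flagged application still needs a human to confirm.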