Penetration Test Reports and Vulnerability Aggregation

Penetration test reports, aggregating findings and thinking more deeply.

Something I like to do in my penetration test reports is to aggregate findings of a similar nature. As a case in point, take "Out Of Date Server Software" or "Server Software Missing Security Patches". Server software here means things like Apache, JBoss, Tomcat, MySQL and so on. Below is a fairly typical example:


Server Software Out Of Date

CVSS Score: 9.8

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact/Probability: High/High

Description: The affected hosts have server software installed which is out of date and missing security patches for known vulnerabilities. It is important to apply all security updates in a timely manner to ensure hosts are not affected by known vulnerabilities. Security patches are a good source of information for malicious actors, and new exploits and malicious software are often created by reverse engineering security patches after release. Exploit code is often widely available for issues marked as "Critical" or "Important"; the Metasploit Framework, for example, is a freely available tool that gives an attacker the means to launch attacks against a vulnerable server. Additionally, older vulnerabilities are still heavily targeted, so a methodical patching approach that emphasises consistency and coverage is more important than expedient patching.

Remediation: Upgrade the server software to a version that is currently supported and up to date. Ensure that a rigorous patching policy is implemented and maintained so that out-of-date, vulnerable software does not remain on the system.

Technical Analysis:

Server Software

=============================  =====================================================================  =======================================
Name                           CVE                                                                    Affected Host
=============================  =====================================================================  =======================================
Apache                         CVE-2022-28330 CVE-2022-30556 CVE-2022-30522                          host1 host2
Apache Tomcat                  CVE-2020-9484 CVE-2021-25329                                           host1
Cisco TelePresence             CVE-2019-15273                                                         10.152.229.51 10.129.6.108 10.144.85.27
Netatalk                       CVE-2018-1160                                                          host5
Microsoft SQL Server           CVE-2020-1044 CVE-2019-1068 CVE-2017-5753                              host4 host2 host1 10.152.229.51
HP System Management Homepage  CVE-2016-4538 CVE-2015-3195 CVE-2016-2015 CVE-2016-4343 CVE-2016-2106  host1 host2 host3
Firebird SQL Server            CVE-2007-3181                                                          host6
Dropbear SSH Server            CVE-2016-7408 CVE-2016-7407 CVE-2016-7406 CVE-2016-7409                10.128.108.253 host2 host3 testpc
=============================  =====================================================================  =======================================

You will have to excuse the reStructuredText table, but I'm sure you get the idea. However, on a few occasions now clients have taken umbrage with this approach due to the lack of detail, and have provided feedback similar to the following:

Scrolling down to section 5.1 takes me to "Server Software Out Of Date". This gives me a list of 9 applications that need addressing. These 9 applications don't have their own finding reference number, or any detail about what vulnerable versions are installed, what versions of the software supplied a fix, or any specific remediation advice for that software.

Everything stated above is of course correct, but unfortunately misses the point entirely.

As well as making the report more readable, the idea behind aggregating findings like this is to highlight a common root cause. In this case, the goal is not to go through the list of software, log in to the affected machines and upgrade each one to a version that is no longer vulnerable to the listed CVEs. The goal is to determine why out-of-date software is in use and why security patches are not being installed in a timely manner, and then to put in place the processes, procedures and checks that ensure all software is updated and stays that way.

In practice you will probably still have to go through the list, log in to the affected machines and upgrade the software. But if that is the only thing you do, then six months later you will be faced with exactly the same dilemma, probably in the form of another pen test report with another list of software that needs upgrading. The outcome of any good penetration test should be to identify and address the root cause of the vulnerabilities and to put controls and mitigations in place so that a real attacker can't exploit the same issue, not to play a game of security Whac-a-mole.
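As an added example (not code from the original post), the following Python script shows how an aggregated finding like the table above can be built from raw per-host scanner rows: it groups by product so the root cause stays visible as one finding, while also carrying the installed and fixed-in versions that the client feedback asked for, and it takes the headline CVSS score as the worst constituent CVE. The rows, version strings and CVSS scores are constructed placeholders, not looked-up data, and the names `RAW_FINDINGS`, `ProductEntry`, `aggregate`, `finding_score` and `rst_table` are introduced here.

```python
"""Aggregate per-host scanner rows into one root-cause finding.

Added example, not code from the original post. All rows below are
constructed placeholders; the versions and CVSS scores are illustrative
and must be checked against NVD / vendor advisories before they go in
a real report.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# (host, product, installed version, fixed-in version, CVE, CVSS base score)
RAW_FINDINGS = [
    ("host1", "Apache", "2.4.52", "2.4.54", "CVE-2022-28330", 5.3),
    ("host1", "Apache", "2.4.52", "2.4.54", "CVE-2022-30556", 7.5),
    ("host2", "Apache", "2.4.52", "2.4.54", "CVE-2022-30556", 7.5),
    ("host2", "Apache", "2.4.52", "2.4.54", "CVE-2022-30522", 7.5),
    ("host1", "Apache Tomcat", "9.0.30", "9.0.43", "CVE-2020-9484", 7.0),
    ("host1", "Apache Tomcat", "9.0.30", "9.0.43", "CVE-2021-25329", 7.0),
    ("host6", "Firebird SQL Server", "2.0.1", "2.0.2", "CVE-2007-3181", 7.5),
    ("host2", "Dropbear SSH Server", "2016.73", "2016.74", "CVE-2016-7406", 9.8),
    ("host3", "Dropbear SSH Server", "2016.73", "2016.74", "CVE-2016-7406", 9.8),
    ("host3", "Dropbear SSH Server", "2016.73", "2016.74", "CVE-2016-7407", 9.8),
]


@dataclass
class ProductEntry:
    """Everything the report needs to say about one product."""
    cves: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    installed: set = field(default_factory=set)
    fixed_in: set = field(default_factory=set)
    max_cvss: float = 0.0


def aggregate(rows):
    """Collapse scanner rows into one entry per product.

    Repeated (host, CVE) pairs from rescans fold away because the fields
    are sets; the per-product maximum CVSS is kept for triage.
    """
    groups = defaultdict(ProductEntry)
    for host, product, installed, fixed, cve, cvss in rows:
        entry = groups[product]
        entry.cves.add(cve)
        entry.hosts.add(host)
        entry.installed.add(installed)
        entry.fixed_in.add(fixed)
        entry.max_cvss = max(entry.max_cvss, cvss)
    return dict(groups)


def finding_score(groups):
    """Headline score for the aggregated finding.

    Design choice made in this example: the finding inherits the worst
    constituent CVE, so a single 9.8 lifts the whole finding to 9.8.
    """
    return max(entry.max_cvss for entry in groups.values())


def rst_table(groups):
    """Render the groups as a reStructuredText simple table."""
    header = ("Product", "Installed", "Fixed in", "CVEs", "Affected hosts")
    rows = [
        (
            product,
            ", ".join(sorted(entry.installed)),
            ", ".join(sorted(entry.fixed_in)),
            " ".join(sorted(entry.cves)),
            " ".join(sorted(entry.hosts)),
        )
        for product, entry in sorted(groups.items())
    ]
    widths = [max(len(r[i]) for r in [header, *rows]) for i in range(len(header))]
    rule = "  ".join("=" * w for w in widths)

    def fmt(row):
        # Pad every cell to its column width; RST locates columns by the
        # '=' runs in the rule lines, so cells must not spill over.
        return "  ".join(cell.ljust(w) for cell, w in zip(row, widths)).rstrip()

    return "\n".join([rule, fmt(header), rule, *map(fmt, rows), rule])


if __name__ == "__main__":
    groups = aggregate(RAW_FINDINGS)
    print(f"Server Software Out Of Date (CVSS {finding_score(groups)})\n")
    print(rst_table(groups))
```

Feeding the script a scanner export in the same six-column shape produces the one-finding table directly, and the Installed / Fixed in columns answer the "which versions" question without turning each product into its own finding.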