How To Eliminate The Ten Most Critical Internet Security Threats
By www.sans.org
Introduction
The majority of the successful attacks on operating systems come from only a few software vulnerabilities. This can be attributed to the fact that attackers are opportunistic, take the easiest and most convenient route, and exploit the best-known flaws with the most effective and widely available attack tools. They count on organizations not fixing the problems, and they often attack indiscriminately, scanning the Internet for any vulnerable systems. System compromises in the Solar Sunrise Pentagon hacking incident, for example, and the easy and rapid spread of the Code Red and NIMDA worms can be traced to exploitation of unpatched vulnerabilities.

Two years ago, the SANS Institute and the National Infrastructure Protection Center (NIPC) released a document summarizing the Ten Most Critical Internet Security Vulnerabilities. Thousands of organizations used that list, and the expanded Top Twenty, which followed a year later, to prioritize their efforts so they could close the most dangerous holes first. The vulnerabilities that led to all three examples above - the Solar Sunrise Pentagon incident, and the Code Red and NIMDA worms - are on that list.

This updated SANS/FBI Top Twenty is actually two Top Ten lists: the ten most commonly exploited vulnerable services in Windows, and the ten most commonly exploited vulnerable services in Unix. Although there are thousands of security incidents each year affecting these operating systems, the overwhelming majority of successful attacks target one or more of these twenty services.

While experienced security administrators will find the Top Twenty to be a valuable resource in their arsenal, the list is especially intended for those organizations that lack the resources to train, or those without technically-advanced security administrators. The individuals with responsibility for networks in those organizations often report that they have not corrected many of these flaws because they simply do not know which vulnerabilities are most dangerous, they are too busy to correct them all, or they do not know how to correct them safely. Traditionally, auditors and security managers have used vulnerability scanners to search for five hundred or a thousand or even two thousand very specific vulnerabilities, blunting the focus administrators need to ensure that all systems are protected against the most common attacks. When a system administrator receives a report showing thousands of vulnerabilities across hundreds of machines, he is often paralyzed.

The Top Twenty is a prioritized list of vulnerabilities that require immediate remediation. The list is sorted by service because in many cases a single remedy -- disabling the service, upgrading to the most recent version, applying a cumulative patch -- can quickly solve dozens of specific software flaws, which might show up on a scanner. This list is designed to help alleviate that problem by combining the knowledge of dozens of leading security experts. They come from the most security-conscious federal agencies, the leading security software vendors and consulting firms, the top university-based security programs, and CERT/CC and the SANS Institute. A list of participants may be found at the end of this document.

The SANS/FBI Top Twenty is a living document. It includes step-by-step instructions and pointers to additional information useful for correcting the security flaws. We will update the list and the instructions as more critical threats and more current or convenient methods are identified, and we welcome your input along the way. This is a community consensus document -- your experience in fighting attackers and in eliminating the vulnerabilities can help others who come after you. Please send suggestions via e-mail to info@sans.org with the subject "Top Twenty Comments."

Version History
v3.21 - 10/29/02
- Sections W9.1 & W9.3 added Windows ME
- Section U4.1/U4.5 - General Edits
v3.2 - 10/17/02
- Section W3 - Cumulative patch for SQL Server
- Sections WS, U1, U2, U4, U5, U8, U9 - CVE/CAN listings
- Section U9.5 - General Edits
- Section U4.1/U4.5 - General Edits
v3.1 - 10/07/02
- Section W3 - Cumulative patch for SQL Server
v3.0 - 10/01/02
- New Version Posted

Notes For Readers:
CVE Numbers
You'll find references to CVE (Common Vulnerabilities and Exposures) numbers accompanying each vulnerability. You may also see CAN numbers. CAN numbers are candidates for CVE entries that have not yet been fully verified. For more data on the award-winning CVE project, see http://cve.mitre.org.

The CVE and CAN numbers reflect the top priority vulnerabilities that should be checked for each item. Each CVE vulnerability reference is linked to the associated vulnerability entry in the National Institute of Standards and Technology's ICAT vulnerability indexing service (http://icat.nist.gov). ICAT provides a short description of each vulnerability, a list of the characteristics of each vulnerability (e.g. associated attack range and damage potential), a list of the vulnerable software names and version numbers, and links to vulnerability advisory and patch information.

Ports to Block at the Firewall
At the end of the document, you'll find an extra section offering a list of the ports used by commonly probed and attacked services. By blocking traffic to these ports at the firewall or other network perimeter protection devices, you add an extra layer of defense that helps protect you from configuration mistakes. Note, however, that using a firewall to block network traffic directed to a port does not protect the port from disgruntled co-workers who are already inside your perimeter, or from hackers who may have penetrated your perimeter using other means.



Top Vulnerabilities to Windows Systems

W1 Internet Information Services (IIS)
W2 Microsoft Data Access Components (MDAC) -- Remote Data Services
W3 Microsoft SQL Server
W4 NETBIOS -- Unprotected Windows Networking Shares
W5 Anonymous Logon -- Null Sessions
W6 LAN Manager Authentication -- Weak LM Hashing
W7 General Windows Authentication -- Accounts with No Passwords or Weak Passwords
W8 Internet Explorer
W9 Remote Registry Access
W10 Windows Scripting Host

Top Vulnerabilities to Unix Systems

U1 Remote Procedure Calls (RPC)
U2 Apache Web Server
U3 Secure Shell (SSH)
U4 Simple Network Management Protocol (SNMP)
U5 File Transfer Protocol (FTP)
U6 R-Services -- Trust Relationships
U7 Line Printer Daemon (LPD)
U8 Sendmail
U9 BIND/DNS
U10 General Unix Authentication -- Accounts with No Passwords or Weak Passwords

Top Vulnerabilities to Windows Systems (W)
W1 Internet Information Services (IIS)
W1.1 Description
IIS is prone to vulnerabilities in three major classes: failure to handle unanticipated requests, buffer overflows, and sample applications. Each will be addressed briefly here.

Failure to Handle Unanticipated Requests. Many IIS vulnerabilities involve a failure to handle improperly (or just deviously) formed HTTP requests. A well-known example is the Unicode directory traversal vulnerability, which was exploited by the Code Blue worm. By crafting a request to exploit one of these vulnerabilities, a remote attacker may:

View the source code of scripted applications.
View files outside of the Web document root.
View files the Web server has been instructed not to serve.
Execute arbitrary commands on the server (resulting in, for example, deletion of critical files or installation of a backdoor).


Buffer Overflows. Many ISAPI extensions (including the ASP, HTR, IDQ, PRINTER, and SSI extensions) are vulnerable to buffer overflows. A well-known example is the .idq ISAPI extension vulnerability, which was exploited by the Code Red and Code Red II worms. A carefully crafted request from a remote attacker may result in:

Denial of service.
Execution of arbitrary code and/or commands in the Web server's user context (e.g., as the IUSR_servername or IWAM_servername user).

Sample Applications. Sample applications are generally designed to demonstrate the functionality of a server environment, not to withstand attacks, and are not intended to serve as production applications. Combined with the facts that their default location is readily known and their source code is readily available for scrutiny, this makes them prime exploit targets. The consequences of such exploits can be severe; for example:

A sample application, newdsn.exe, allowed a remote attacker to create or overwrite arbitrary files on the server.
A number of such applications allow remote viewing of arbitrary files, which may be used to gather information such as database userids and passwords.
An iisadmin application, ism.dll, allows remote access to sensitive server information including the Administrator's password.
W1.2 Operating Systems Affected

Windows NT 4 (any flavor) running IIS 4
Windows 2000 Server running IIS 5
Windows XP Professional running IIS 5.1
W1.3 CVE Entries
CVE-2001-0241, CVE-2001-0333, CVE-2001-0500, CAN-2002-0079, CVE-2000-0884,
CVE-2000-0886, CAN-2002-0071, CAN-2002-0147, CAN-2002-0150, CAN-2002-0364,
CAN-2002-0149, CVE-1999-0191, CAN-1999-0509, CVE-1999-0237, CVE-1999-0264,
CVE-2001-0151, CAN-1999-0736, CVE-1999-0278, CAN-2002-0073, CVE-2000-0778,
CVE-1999-0874, CVE-2000-0226, CAN-1999-1376, CVE-2000-0770, CVE-2001-0507

W1.4 How to Determine if you are Vulnerable
Given the number of vulnerabilities, some of which are addressed only in a cumulative security roll-up package from Microsoft, it is simplest to presume that you are vulnerable if the cumulative roll-up has not been applied. To determine whether the cumulative roll-up has been applied on your server, check the registry for the entry listed for your platform below.

Windows NT 4:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q319733

Windows NT 4 Terminal Server Edition:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q317636

Windows 2000:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q319733

Windows XP:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q319733

Alternatively, you may use HFNetChk (see "Stay Current" under W1.5) to verify the presence of the corresponding patch:

NT 4: Q319733
NT 4 Terminal Server Edition: Q317636
2000 or XP: Q319733
You are probably vulnerable to sample application exploits if any of the following files resides in your %wwwroot%/scripts directory (e.g., C:\inetpub\wwwroot\scripts or D:\web\scripts) or any subdirectory thereof:

code.asp
codebrws.asp
ism.dll
newdsn.exe
viewcode.asp
winmsdp.exe
W1.5 How to Protect Against It

Apply the current patches. In the case of IIS 4 on NT 4 with Service Pack 6a, this means applying a cumulative security roll-up package and a single hotfix. In the case of IIS 5 or 5.1 on Windows 2000 or XP (respectively), the roll-up and the hotfix are included in service packs. URLs are provided below.
IIS 4 on NT 4:
Service Pack 6a: http://www.microsoft.com/ntserver/nts/downloads/recommended/SP6/allSP6.asp
Security Rollup: http://www.microsoft.com/ntserver/nts/downloads/security/q319733/
Hotfix: http://www.microsoft.com/ntserver/nts/downloads/security/q321599/

IIS 4 on NT 4 Terminal Server Edition:
Service Pack 6: http://www.microsoft.com/ntserver/terminalserver/downloads/recommended/tsesp6/
Security Rollup: http://www.microsoft.com/ntserver/terminalserver/downloads/critical/q317636/
Hotfix: http://www.microsoft.com/ntserver/nts/downloads/security/q321599/

IIS 5 on Windows 2000:
Service Pack 3: http://www.microsoft.com/windows2000/downloads/servicepacks/sp3/

IIS 5.1 on Windows XP:
Service Pack 1: http://www.microsoft.com/WindowsXP/pro/downloads/servicepacks/sp1/

Stay Current. These service packs, rollup patches and hotfixes only remedy vulnerabilities that are already known. As new IIS weaknesses are uncovered, you will need to patch accordingly. HFNetChk, the Network Security Hotfix Checker, assists the system administrator in scanning local or remote systems for current patches. The tool works on Windows NT 4, Windows 2000, and Windows XP. The current version can be downloaded from Microsoft at http://www.microsoft.com/technet/security/tools/hfnetchk.asp.

Eliminate Sample Applications. Sample applications, including the iisadmin tool, may be used to verify that a server installation works as expected, but should be deleted immediately thereafter. These applications can be found in the %wwwroot%/scripts directory. Ideally, however, the administrator should choose not to install the sample applications and Web-based administration tools at all.

Unmap Unnecessary ISAPI Extensions. Most IIS deployments have no need for most of the ISAPI extensions that are mapped by default, particularly .htr, .idq, .ism, and .printer. All unused ISAPI extensions should be unmapped. This can be done by hand through the Internet Services Manager, but the IIS Lockdown Wizard from Microsoft will also do the job. The current version can be downloaded from Microsoft at http://www.microsoft.com/technet/security/tools/locktool.asp.

Filter HTTP Requests. Many IIS exploits, including Code Blue and the Code Red family, use maliciously formed HTTP requests in directory traversal or buffer overflow attacks. The URLScan filter can be configured to reject such requests before the server attempts to process them. The current version has been integrated into the IIS Lockdown Wizard, but can be downloaded separately from Microsoft at http://www.microsoft.com/technet/security/tools/urlscan.asp.
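The checks a URLScan-style filter applies before IIS parses a request, as an added Python example that is not part of the SANS document and is not Microsoft's URLScan code: one percent-decode with strict UTF-8 validation (which throws out the overlong %c0%af and %c1%9c traversal forms), rejection of anything still percent-encoded after that decode (the ..%255c.. double-encoding and Code Red's %uXXXX form), a '..' segment test with backslash treated as a separator, and a deny-list of the ISAPI extensions recommended for unmapping above. The extension list, the length limits and the sample request lines are assumptions constructed for the example; the Code Red request line is abbreviated.

```python
import os.path
from urllib.parse import unquote_to_bytes

# ISAPI extensions that IIS 4/5 maps by default and that the document says to
# unmap (assumed deny-list for this example). Rejecting them at the filter
# means the extension DLL never sees the request even if it is re-mapped later.
BLOCKED_EXTENSIONS = {".htr", ".idq", ".ida", ".idc", ".ism", ".printer",
                      ".htw", ".shtml", ".shtm", ".stm"}
MAX_URL_LENGTH = 1024      # assumed site limits; URLScan makes these configurable
MAX_QUERY_LENGTH = 512


def normalize_path(raw_path):
    """Percent-decode the path once and reject what a browser never sends.
    Raises ValueError carrying the reason."""
    decoded = unquote_to_bytes(raw_path)
    # %c0%af ('/') and %c1%9c ('\') are overlong UTF-8 and therefore invalid:
    # a strict decode rejects the whole Unicode traversal family outright.
    try:
        text = decoded.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        raise ValueError("invalid UTF-8 in URL")
    # A '%' left after one decode means double encoding (..%255c.. -> ..%5c..,
    # which IIS then decoded a second time) or the non-standard %uXXXX form
    # used by Code Red; either way it is not a request we need to serve.
    if "%" in text:
        raise ValueError("non-standard or double percent-encoding")
    if any(c < " " or c > "~" for c in text):
        raise ValueError("control or high-bit characters in URL")
    # IIS treats '\' as a separator too, so normalise before looking for '..'.
    if ".." in text.replace("\\", "/").split("/"):
        raise ValueError("directory traversal")
    return text


def check_request(request_line):
    """Return (allowed, detail) for one HTTP request line; detail is the
    rejection reason, or the normalised path when the request is allowed."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return False, "malformed request line"
    target = parts[1]
    if len(target) > MAX_URL_LENGTH:
        return False, "URL too long"
    path, _, query = target.partition("?")
    if len(query) > MAX_QUERY_LENGTH:
        return False, "query string too long"
    try:
        clean = normalize_path(path)
    except ValueError as err:
        return False, str(err)
    # Extension is taken from the decoded path, so an encoded dot cannot hide it.
    ext = os.path.splitext(clean.replace("\\", "/"))[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return False, "unmapped extension " + ext
    return True, clean


# Constructed sample request lines: two ordinary requests, both traversal
# encodings, an abbreviated Code Red probe and a .printer request.
SAMPLE_REQUESTS = [
    "GET /index.asp HTTP/1.0",
    "GET /docs/file%20name.htm HTTP/1.0",
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /default.ida?" + "N" * 224 + "%u9090%u6858%ucbd3 HTTP/1.0",
    "GET /NULL.printer HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        allowed, detail = check_request(line)
        print("ALLOW" if allowed else "DENY ", detail)
```

The order of the tests matters: encoding and traversal are judged on the decoded path before the extension is examined, and a decode failure is a rejection rather than a silent character substitution, which is exactly the behaviour the vulnerable IIS code lacked.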

W2 Microsoft Data Access Components (MDAC) -- Remote Data Services
W2.1 Description
The Remote Data Services (RDS) component in older versions of Microsoft Data Access Components (MDAC) has a program flaw which allows remote users to run commands locally with administrative privilege. Combined with a flaw in Microsoft Jet database engine 3.5 (part of MS Access), this exploit may also provide anonymous external access to internal databases. These flaws are well-documented and solutions have been available for more than two years, but outdated or misconfigured systems remain exposed and subject to attack.
W2.2 Operating Systems Affected
Most Microsoft Windows NT 4.0 systems running IIS 3.0 or 4.0, Remote Data Services 1.5, or Visual Studio 6.0.

W2.3 CVE Entries
CVE-1999-1011

W2.4 How to Determine if you are Vulnerable
If you are running Microsoft Windows NT 4.0 and IIS 3.0 or 4.0, then check for the existence of "msadcs.dll" (this is typically installed in "C:\Program Files\Common Files\System\Msadc\msadcs.dll", but that may vary depending on your system).

W2.5 How to Protect Against It
An excellent guide to the RDS and Jet weaknesses and how to correct them is available at http://www.wiretrip.net/rfp/p/doc.asp?id=29&iface=2.

Microsoft has also issued several security bulletins detailing this exploit and how to repair it via configuration changes:

http://support.microsoft.com/support/kb/articles/q184/3/75.asp
http://www.microsoft.com/technet/security/bulletin/ms98-004.asp
http://www.microsoft.com/technet/security/bulletin/ms99-025.asp
Alternatively, you can prevent this problem by upgrading to MDAC version 2.1 or greater (although this may introduce compatibility issues). The most recent MDAC versions are available at http://www.microsoft.com/data/download.htm

W3 Microsoft SQL Server
W3.1 Description
The Microsoft SQL Server (MSSQL) contains several serious vulnerabilities that allow remote attackers to obtain sensitive information, alter database content, compromise SQL servers, and, in some configurations, compromise server hosts.
MSSQL vulnerabilities are well-publicized and actively under attack. A recent MSSQL worm in May 2002 exploited several known MSSQL flaws. Hosts compromised by this worm generate a damaging level of network traffic when they scan for other vulnerable hosts. Additional information on this worm can be found at

http://www.incidents.org/diary/diary.php?id=157
http://www.eeye.com/html/Research/Advisories/AL20020522.html
Port 1433 (MSSQL default port) has also been regularly registered as one of the top scan ports in the Internet Storm Center. More detailed information about recent MSSQL exposures can be found in CERT Advisory 2002-22.

W3.2 Operating Systems Affected
Any Microsoft Windows system with Microsoft SQL Server 7.0, Microsoft SQL Server 2000 or Microsoft SQL Server Desktop Engine 2000 installed.

W3.3 CVE Entries
CAN-2002-1138, CAN-2002-1137, CAN-2002-0056, CAN-2002-0649, CAN-2001-0542,
CAN-2000-1081, CVE-1999-0999, CAN-2002-0624, CAN-2002-0154, CAN-2000-1209,
CAN-2002-1123, CAN-2002-0186, CVE-2000-0202, CVE-2000-0402, CVE-2000-0485,
CVE-2000-0603, CVE-2001-0344, CVE-2001-0879, CAN-2000-0199, CAN-2000-1082,
CAN-2000-1083, CAN-2000-1084, CAN-2000-1085, CAN-2000-1086, CAN-2000-1087,
CAN-2000-1088, CAN-2001-0509, CAN-2002-0187, CAN-2002-0224, CAN-2002-0641,
CAN-2002-0642, CAN-2002-0643, CAN-2002-0644, CAN-2002-0645, CAN-2002-0650,
CAN-2002-0695, CAN-2002-0721, CAN-2002-0729, CAN-2002-0859, CAN-2002-0982

W3.4 How to Determine if you are Vulnerable
If the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer is defined, then you have SQL Server or SQL Server Desktop Engine installed. If you are running an un-patched system or you have not updated your system with the latest patch, your system is very likely to be vulnerable.
Microsoft has developed the Microsoft Baseline Security Analyzer (MBSA). MBSA will scan for missing hotfixes and vulnerabilities in SQL Server 7.0 and 2000. It is available at http://www.microsoft.com/technet/security/tools/Tools/MBSAhome.asp.

Microsoft also has a HOWTO document to help you check your current version: HOW TO: Identify Your SQL Server Service Pack Version and Edition.

To ensure the fix is installed properly, verify the individual files by checking the date/time stamps of the files listed in the file manifest of the corresponding Microsoft Knowledge Base article:

Microsoft SQL Server 7.0
Microsoft SQL Server 2000
W3.5 How to Protect Against It

Summary:

Apply the latest service pack for Microsoft SQL server.
Apply the latest cumulative patch that is released after the latest service pack.
Apply any individual patches that are released after the latest cumulative patch.
Secure the server at system and network level.
Detail:


Apply the latest service pack for Microsoft SQL server. The current Microsoft SQL Server service pack version is:
SQL Server 7.0 Service Pack 4
SQL Server 2000 Service Pack 2
To ensure that you are current with any future upgrades, monitor Make Your SQL Servers Less Vulnerable from Microsoft Technet.


Apply the latest cumulative patch that is released after the latest service pack. The current cumulative patch for all versions of SQL Server is available at MS02-061 Elevation of Privilege in SQL Server Web Tasks (Q316333/Q327068).

To ensure that you are current with any future upgrades, you can check for the latest cumulative patch for Microsoft SQL Server at:
Microsoft SQL Server 7.0
Microsoft SQL Server 2000
Microsoft SQL Server Desktop Engine 2000


Apply any individual patches that are released after the latest cumulative patch. Currently, there is no individual patch after the release of the MS02-061 Elevation of Privilege in SQL Server Web Tasks (Q316333/Q327068). But to ensure that you are current with any future upgrades, you can check for any newly released individual patches at:
Microsoft SQL Server 7.0
Microsoft SQL Server 2000
Microsoft SQL Server Desktop Engine 2000


Secure the server at system and network level.
One of the most commonly attacked MSSQL exposures is that the default administrative account (known as "sa") is installed with a blank password. If your SQL "sa" account is not password-protected, you effectively have no security and can be affected by worms and other exploits. Therefore, you should follow the recommendation from the "System Administrator (SA) Login" topic in SQL Server Books Online to make sure that the built-in "sa" account has a strong password, even if your SQL server does not run using this account.
Microsoft Developer's Network has documentation on Changing the SQL Server Administrator Login and how to Verify and Change the System Administrator Password by Using MSDE.


Run the MSSQLServer service and SQL Server Agent under a valid domain account with minimal privileges, not as a domain administrator or the SYSTEM (on NT) or LocalSystem (on 2000 or XP) account. A compromised service running with local or domain privileges would give an attacker complete control of your machine and/or your network.

Enable Windows NT Authentication, enable auditing for successful and failed logins, and then stop and restart the MSSQLServer service. Configure your clients to use NT Authentication.

Packet filtering should be performed at network borders to prohibit non-authorized externally-initiated inbound connections to services. Ingress filtering of TCP ports 1433 and 1434 could prevent attackers outside of your network from scanning or infecting vulnerable Microsoft SQL servers in the local network that are not explicitly authorized to provide public SQL services.

If TCP ports 1433 and 1434 need to be available on your Internet gateways, enable and customize egress/ingress filtering to prevent misuse of these ports.
Additional information on securing Microsoft SQL Server can be found at
Microsoft SQL Server 7.0 Security
Microsoft SQL Server 2000 Security

W4 NETBIOS -- Unprotected Windows Networking Shares
W4.1 Description
Microsoft Windows provides a host machine with the ability to share files or folders across a network with other hosts through Windows network shares. The underlying mechanism of this feature is the Server Message Block (SMB) protocol, or the Common Internet File System (CIFS). These protocols permit a host to manipulate remote files just as if they were local.
Although this is a powerful and useful feature of Windows, improper configuration of network shares may expose critical system files, or may provide a mechanism for a nefarious user or program to take full control of the host. One of the ways in which both the Sircam virus (see CERT Advisory 2001-22) and Nimda worm (see CERT Advisory 2001-26) spread so rapidly in the summer of 2001 was by discovering unprotected network shares and placing a copy of itself in them. Many computer owners unknowingly open their systems to hackers when they try to improve convenience for co-workers and outside researchers by making their drives readable and writeable by network users. But when care is taken to ensure proper configuration of network shares, the risks of compromise can be adequately mitigated.

W4.2 Operating Systems Affected
Windows 95, Windows 98, Windows NT, Windows Me, Windows 2000, and Windows XP are all vulnerable.

W4.3 CVE Entries
CAN-1999-0519, CVE-2000-0979, CAN-2000-1079, CAN-1999-0621, CAN-1999-0520,
CAN-1999-0518
W4.4 How to Determine if you are Vulnerable
For Windows NT (SP4), Windows 2000 or Windows XP, the Microsoft Baseline Security Analyzer will report whether hosts are vulnerable to SMB exploits, and may be used to fix the problem. The tests can be run locally or on remote hosts.

Most commercially-available network-based scanners will detect open shares. A quick, free, and secure test for the presence of SMB file sharing and its related vulnerabilities, effective for machines running any Windows operating system, is available at the Gibson Research Corporation web site at http://grc.com/. Follow links to "ShieldsUP" to receive a real-time appraisal of any system's SMB exposure. Detailed instructions are available to help Microsoft Windows users deal with SMB vulnerabilities. Note that if you are connected over a network where some intermediate device blocks SMB, the ShieldsUP tool will report that you are not vulnerable when, in fact, you are. This is the case, for example, for users on a cable modem where the provider is blocking SMB into the cable modem network. ShieldsUP will report that you are not vulnerable. However, the 4,000 or so other people on your cable modem link can still exploit this vulnerability.

W4.5 How to Protect Against It
Several actions can be taken to mitigate the risk of exploitation of a vulnerability through Windows networking shares:

Disable sharing wherever it is not required. If the host does not need to share files, then disable Windows network shares in the Windows network control panel. If an open share should be closed, you can disable it through Explorer's properties menu for that directory, in Server Manager for Domains or in Group Policy Editor.
Do not permit sharing with hosts on the Internet. Ensure all Internet-facing hosts have Windows network shares disabled in the Windows network control panel. File sharing with Internet hosts should be achieved using FTP or HTTP.
Do not permit unauthenticated shares. If file sharing is required then don't permit unauthenticated access to a share. Configure the share so a password is required to connect to the share.
Restrict shares to only the minimum folders required. Generally only one folder and possibly sub-folders of that folder.
Restrict permissions on shared folders to the minimum required. Be especially careful to only permit write access when it is absolutely required.
For added security, allow sharing only to specific IP addresses because DNS names can be spoofed.
Block ports used for Windows shares at your network perimeter. Block the NetBIOS ports commonly used by Windows shares at your network perimeter using either your external router or perimeter firewall. The ports that should be blocked are 137-139 TCP and 137-139 UDP, and 445 TCP and 445 UDP.
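The border policy recommended in W3.5 (drop inbound 1433/1434 except to hosts explicitly authorized to provide public SQL services) and in the last item above (drop 137-139 and 445, TCP and UDP), together with the caveat from "Ports to Block at the Firewall" that the perimeter does nothing for traffic that never crosses it, as an added Python example that is not part of the SANS document and is not any firewall's rule syntax. The internal address range, the authorized SQL server and the flow records are constructed for the example. The second function shows what the perimeter cannot see: an internal host fanning out to many neighbours on 1433, the scanning behaviour W3.1 attributes to hosts compromised by the May 2002 MSSQL worm.

```python
import ipaddress
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")          # assumed internal addressing
PUBLIC_SQL_SERVERS = {ipaddress.ip_address("10.0.5.20")}    # assumed: the only host authorised
                                                            # to serve SQL to the Internet
SQL_PORTS = {1433, 1434}
NETBIOS_PORTS = {137, 138, 139, 445}
BLOCKED_PORTS = SQL_PORTS | NETBIOS_PORTS                   # applied to both TCP and UDP


def border_verdict(proto, src, dst, dport):
    """What the perimeter filter does with one flow: 'accept', 'drop', or
    'unseen' when the flow never crosses the border and the rules cannot apply."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    inbound = dst_ip in INTERNAL_NET and src_ip not in INTERNAL_NET
    outbound = src_ip in INTERNAL_NET and dst_ip not in INTERNAL_NET
    if not (inbound or outbound):
        return "unseen"
    if proto not in ("tcp", "udp") or dport not in BLOCKED_PORTS:
        return "accept"
    if inbound and dport in SQL_PORTS and dst_ip in PUBLIC_SQL_SERVERS:
        return "accept"   # the explicitly authorised public SQL server
    # Every other inbound hit on these ports is dropped, and so is any outbound
    # attempt: an internal host talking to Internet addresses on 1433/1434 or
    # 137-139/445 is almost always a compromised host looking for victims.
    return "drop"


def find_sql_scanners(flows, threshold=5):
    """Internal hosts that contacted at least `threshold` distinct destinations
    on 1433/1434. That fan-out is the worm's scanning pattern, and it is only
    visible inside the perimeter, where border_verdict() never sees it.
    `flows` are (proto, src, dst, dport) tuples."""
    targets = defaultdict(set)
    for _proto, src, dst, dport in flows:
        if dport in SQL_PORTS and ipaddress.ip_address(src) in INTERNAL_NET:
            targets[src].add(dst)
    return sorted(h for h, t in targets.items() if len(t) >= threshold)


# Constructed flow records (proto, src, dst, dport); 203.0.113.0/24 and
# 198.51.100.0/24 stand in for Internet addresses.
SAMPLE_FLOWS = [
    ("tcp", "203.0.113.7", "10.0.5.20", 1433),   # Internet -> authorised SQL server
    ("tcp", "203.0.113.7", "10.0.5.21", 1433),   # Internet -> some other host
    ("udp", "203.0.113.7", "10.0.5.21", 1434),
    ("tcp", "203.0.113.9", "10.0.1.10", 445),    # Internet -> SMB
    ("udp", "203.0.113.9", "10.0.1.10", 137),
    ("tcp", "203.0.113.9", "10.0.1.10", 80),     # web traffic is not in the blocked set
    ("tcp", "10.0.7.44", "198.51.100.5", 1433),  # internal host probing the Internet
]
# ...plus the same internal host sweeping its own subnet on 1433.
SAMPLE_FLOWS += [("tcp", "10.0.7.44", "10.0.7.%d" % i, 1433) for i in range(1, 9)]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(border_verdict(*flow), flow)
    print("internal scanners:", find_sql_scanners(SAMPLE_FLOWS))
```

Running the block shows the internal sweep returning "unseen" for every flow while the scanner check still names the host: the perimeter rules are a second layer behind per-host fixes (patching, a strong "sa" password, disabling NetBIOS where it is not needed), not a substitute for them.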

