So I cracked open OpenVAS today. It's been a while, and new vulnerabilities occur (and new devices wiggle their way onto my network in fits of weakness!). And OMG, there were a lot of ‘High’ vulnerabilities (without even looking at the medium and low ones).
I let the discovery run for a while (179 active devices on the main subnet), and then started digging in. And some of the things are impossible to fix (the device manufacturer has no updated firmware, there is no way to turn off the ‘feature’ in question, etc.).
Some devices were not too bad (e.g. that small NAS I bought to backend my squirrel cameras); it turns out I can edit the nginx config file (and disable SSLv3, and thus POODLE), and edit the sshd_config (and thus disable arcfour and 3des-cbc).
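The two NAS fixes above, as an added worked example (this is not from the original post, and the config text is constructed for the demo, not copied from any real device): a small POSIX shell audit that flags an nginx `ssl_protocols` line still listing SSLv3 (the POODLE condition) and an OpenSSH-style `Ciphers` line still offering arcfour or any CBC cipher, and then rewrites each to a hardened value. The nginx directive names and OpenSSH cipher names are real; the particular hardened lists chosen here are my assumption of a sensible modern default, not something the post specifies.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits constructed config
# text for the two weaknesses fixed on the NAS (SSLv3 in nginx, arcfour and
# 3des-cbc in sshd) and produces hardened replacement lines.

# Constructed sample of a weak nginx server block (assumption: nginx 1.x syntax).
WEAK_NGINX='server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}'

# Constructed sample of a weak sshd_config using OpenSSH cipher names.
WEAK_SSHD='Port 22
Ciphers aes128-ctr,aes256-ctr,arcfour,3des-cbc
X11Forwarding yes'

# Hardened replacements (my assumption of a reasonable modern baseline).
GOOD_NGINX_PROTOCOLS='ssl_protocols TLSv1.2 TLSv1.3;'
GOOD_SSHD_CIPHERS='Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr'

# nginx_allows_sslv3 CONFIGTEXT: exit 0 if any ssl_protocols directive lists SSLv3.
nginx_allows_sslv3() {
    printf '%s\n' "$1" \
      | grep -Ei '^[[:space:]]*ssl_protocols[[:space:]][^;]*SSLv3' >/dev/null
}

# sshd_weak_ciphers CONFIGTEXT: print each weak algorithm named on the Ciphers
# line (arcfour variants and every *-cbc cipher), one per line; exit 0 if any
# were found, 1 otherwise.
sshd_weak_ciphers() {
    printf '%s\n' "$1" \
      | grep -Ei '^[[:space:]]*Ciphers[[:space:]]' \
      | sed 's/^[[:space:]]*Ciphers[[:space:]]*//' \
      | tr ',' '\n' \
      | grep -Ei '^(arcfour|arcfour128|arcfour256|.*-cbc)$'
}

# harden_sshd CONFIGTEXT: replace the Ciphers line with the hardened list.
harden_sshd() {
    printf '%s\n' "$1" | sed "s/^[[:space:]]*Ciphers[[:space:]].*/$GOOD_SSHD_CIPHERS/"
}

# harden_nginx CONFIGTEXT: replace every ssl_protocols directive, keeping indentation.
harden_nginx() {
    printf '%s\n' "$1" | sed "s/^\([[:space:]]*\)ssl_protocols[^;]*;/\1$GOOD_NGINX_PROTOCOLS/"
}

# Demo run against the constructed samples.
if nginx_allows_sslv3 "$WEAK_NGINX"; then
    echo "nginx: SSLv3 enabled (POODLE); hardened block follows"
    harden_nginx "$WEAK_NGINX"
fi
sshd_weak_ciphers "$WEAK_SSHD" | sed 's/^/sshd: weak cipher offered: /'
echo "sshd: hardened config follows"
harden_sshd "$WEAK_SSHD"
```

To use it on a real box, feed the functions the file contents (`nginx_allows_sslv3 "$(cat /etc/nginx/nginx.conf)"`), and remember that the sshd check only inspects an explicit `Ciphers` line: if the directive is absent, the server's compiled-in default applies, and on an old firmware build that default may still include the weak algorithms, so set the line explicitly rather than relying on silence.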
But some of them (e.g. 3 of my access points) have ‘HTTP negative content-length buffer overflow’, which in turn allows ‘remote execution’. Ugh. So anyone who has access to that subnet can run a root shell on my routers.
Some I kind of disagree with (e.g. the IPsec IKE check... so yeah, my desktop ignores rather than errors on bogus IKE requests; I’m not sure this will matter to me).
And some seem scary, but on reflection I’m OK with (e.g. CRLF injection in dropbear on my border router). Sounds awful (it's rated high in OpenVAS), until I reflect that: a) I don’t run xauth on that router (since it doesn’t run X) and b) it's only authenticated users (which would be me). So, X11 forwarding off, mission accomplished.
Some kind of disgusted me (e.g. several of my devices crash if you give an MS-DOS device name in an HTTP request, e.g. con: or lpt1: or com1:. Good lord, what year is this? It's been 30 years since that was a thing).
But yeah, a lot of the criticals it gave did check out. Routers were crashed, media players exploited, smart TVs compromised. It did what it said on the tin and p0wned my network.
So, I recommend you give this a try. It's not that hard. Take a spare Linux box in your home (or run a new VM for the purpose), and have a crack at OpenVAS. Make a new target which is your subnet (e.g. 172.16.0.1-172.16.0.254), and let it fly on ‘full and deep’. Post your score in the comments. Mine was:
29 ‘high’ severity (of which 11 were 10.0), 101 ‘medium’. Ugh, so much upgrading and tweaking, and I only got rid of about 2/3 of the highs.