Hello Aaron,
From: "L. Aaron Kaplan" kaplan@cert.at, Date: Mar 13, 2017
I have a question. We are processing nearly all the shadowserver feeds now (VNC is still missing) and we stumbled across a problem that we cannot 100% solve currently: how do you deal with 'accessible and only potentially vulnerable' devices?
Let me elaborate. Usually we send out notifications on vulnerable devices (ENISA taxonomy: "Vulnerable". Examples: open recursive DNS, open NTP, anything misusable for UDP amplification attacks, etc).
However, at some point, accessible and (only potentially vulnerable) devices came into the game. I.e. a device running telnet (or something on the telnet port). Or VNC. The VNC server might be protected by a pwd.
So, how to deal with that? An ISP might rightfully say that this telnet port is there intentionally and we should not complain?
So, we now have two types that we are talking about:
- Vulnerable and openly accessible ports
- Potentially vulnerable (but not proven) and accessible ports
Candidates for the second type would be:
- VNC
- telnet
- RDP
- (maybe) Redis
- (maybe) ES
- (maybe) memcached
- (maybe) Mongo
What's your stance on this? How do you deal with it?
We are using eCSIRT.net taxonomy (actually mkII from Don Stikvoort), and we have stumbled into this. eCSIRT.net is two level, so we have decided to add another "distinctive" level - Vulnerable.Config and Vulnerable.Open, where the former is "just" open (your case, I believe), and the latter is the confirmed vulnerability. (See [1].) Regarding the "uncertainty" problem - in my opinion that is another type of information, orthogonal to classification, as any info can be uncertain or in some way unverified. In IDEA we have the "Confidence" key, which may be the indicator that the event is not completely reliable.
Note that we are sending out *a lot* as a national CERT and we would not like an ISP to be swamped by our mails if it does not have to be the case.
I feel your pain. :) Been there (heck, mostly we still are). We (at Czech NREN level) have ended up marking the varieties of events we are sending out with "severity" (low, med, high, crit), and deciding how often to send reports based on that. (End admins are also able to mark some services as "legitimate" to filter out false positives, but that might not be a good approach at national level, where you usually want to take a careful stance).
Cheers -- Pavel Kácha, CESNET
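As an added example (not code from this thread, from CESNET or from the Warden/IDEA project), the triage below applies the scheme Pavel describes: an open port on one of the services Aaron lists becomes Vulnerable.Config with a lower Confidence, a confirmed misusable service becomes Vulnerable.Open, services an admin marked "legitimate" are dropped, and findings are batched per ISP at the shortest interval their severity allows. The severity table, the reporting intervals, the feed rows and the simplified IDEA-like event shape are all constructed assumptions.

```python
from collections import defaultdict
# Services the thread lists as "accessible but only potentially vulnerable":
# an open port alone is reported as Vulnerable.Config, not Vulnerable.Open.
POTENTIALLY_VULNERABLE = {"vnc", "telnet", "rdp", "redis", "elasticsearch",
                          "memcached", "mongodb"}
# Assumed severity per service, in the four levels the reply mentions.
SEVERITY = {"open-resolver": "high", "memcached": "med", "telnet": "med",
            "rdp": "med", "vnc": "low", "redis": "low", "mongodb": "low"}
# Assumed reporting interval per severity (days); 0 = send immediately.
REPORT_EVERY_DAYS = {"low": 30, "med": 7, "high": 1, "crit": 0}

def classify(service, confirmed):
    """Map one finding to (category, confidence): the two-level eCSIRT.net
    class plus the third 'distinctive' level from the reply."""
    if confirmed:                        # verified misusable, e.g. amplification
        return "Vulnerable.Open", 1.0
    if service in POTENTIALLY_VULNERABLE:
        return "Vulnerable.Config", 0.5  # reachable, protection not known
    return None, 0.0                     # unknown service: do not notify

def to_event(row, legitimate=frozenset()):
    """Turn a feed row into a simplified IDEA-like event dict, or None."""
    if (row["ip"], row["port"]) in legitimate:
        return None                      # admin marked this service as intended
    category, confidence = classify(row["service"], row["confirmed"])
    if category is None:
        return None
    return {"Category": [category], "Confidence": confidence,
            "Severity": SEVERITY.get(row["service"], "low"),
            "Source": [{"IP4": [row["ip"]], "Port": [row["port"]]}],
            "ISP": row["isp"]}

def schedule(rows, legitimate=frozenset()):
    """Batch events per ISP; the ISP gets one mail at the shortest interval
    among its findings, rather than one mail per finding."""
    per_isp = defaultdict(list)
    for row in rows:
        event = to_event(row, legitimate)
        if event:
            per_isp[event["ISP"]].append(event)
    return {isp: (min(REPORT_EVERY_DAYS[e["Severity"]] for e in evs), evs)
            for isp, evs in per_isp.items()}
# Constructed sample rows (documentation prefixes), not real feed data.
FEED = [
    {"ip": "192.0.2.10", "port": 53, "service": "open-resolver", "confirmed": True, "isp": "AS64496"},
    {"ip": "192.0.2.11", "port": 23, "service": "telnet", "confirmed": False, "isp": "AS64496"},
    {"ip": "198.51.100.5", "port": 5900, "service": "vnc", "confirmed": False, "isp": "AS64497"},
    {"ip": "198.51.100.6", "port": 8080, "service": "http", "confirmed": False, "isp": "AS64497"},
]
```

Running `schedule(FEED, legitimate={("198.51.100.5", 5900)})` yields one batch for AS64496 due in 1 day (the confirmed open resolver sets the pace, the telnet finding rides along) and nothing for AS64497, whose VNC host was marked legitimate and whose unknown HTTP service is not reported.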