On Feb 17, 2006, at 10:51, Mansour wrote:
I mean is it an important to patch the system even if this
vulnerability can't be exploited remotely ?
Security is all about containment and assuming the worst case scenario.
Your web server may be 'secure' today, but as an administrator you
need to assume that there is a flaw in it leading to a shell access
with its the privileges. If your local utilities/kernel are not
patched, then jumping from 'httpd' to 'root' will be fairly easy. At
the opposite, if all the patches were applied, then you make the life
of an intruder much harder and your intruder will be able to use your
host as a relay (assuming you have set up laxist firewall rules
allowing outgoing connections from your web server).
Even better, if you delete all the unused packages from your
webserver, you make things even harder for the intruder, as the
number of potential vulnerabities will shrink proportionally to the
number of packages removed, and going from 'httpd' to 'root' will be
even more difficult.
If you remove all the unnecessary services you never launch, then
you're doing yourself and your company a favor because in two years,
when someone else takes ownership of your webserver and decides to
also turn it into a name server, he won't launch an old version
unpatched version of bind nobody upgraded.
What Nessus does is that it's underlining all the potential
vulnerabilities on your system. Some of them may not be exploitable
today, some may be, and some will be exploitable tomorrow when your
usage pattern of the server changes. In the end, it's up to you to
prioritize what needs to be fixed and removed and what amount of time
you can dedicate to this task (securing an e-commerce server exposed
to the outside world is of course very different than fixing an
intranet webserver displaying the joke of the day).
-- Renaud
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
