UK government security center, i100 publish NMAP scripts for vulnerability scanning

The UK's National Cyber Security Center (NCSC) has released NMAP scripts to help defenders search for specific vulnerabilities in their networks. 

On January 25, the NCSC said the trial project is a joint effort between the cybersecurity guidance organization and the Industry 100 (i100).

i100 is a cohort of public and private sector companies working with the NCSC to "bring industry and government expertise together in a way that helps us all learn lessons, identify systemic vulnerabilities and reduce the future impact of cyberattacks."

The project is called Scanning Made Easy (SME) and is a collection of NMAP Scripting Engine (NSE) scripts developed to tackle what NCSC calls a "frustrating" problem: the use of scripts that are not suitable, or necessarily safe, to run. 

"When a software vulnerability is disclosed, it is often easier to find proof-of-concept code to exploit it, than it is to find tools that will help defend your network," the organization says. "To make matters worse, even when there is a scanning script available, it can be difficult to know if it is safe to run, let alone whether it returns valid scan results."

The i100 and NCSC's script package is based on the industry-standard NSE framework that has been in development for decades and can be used to write simple scripts and automate network tasks. 

When SME is run, a script will deploy to check for specific vulnerabilities that could impact the security of an organization. A description of the vulnerability and a link to the associated vendor's advice on how to mitigate the flaw are also included. 

"While there won't be a script for every single vulnerability, our plan is that scripts will be developed, and continuously reviewed, for critical vulnerabilities and for vulnerabilities that are consistently causing headaches for system administrators," the NCSC says.

To ensure SME's framework and scripts are constant, a set of developer guidelines has been published. If developers want to submit a script, they have to be in the .nse format, "relate to one of the high priority vulnerabilities impacting the UK," run in isolation, have a low false-positive rate, and they must be as unintrusive as possible. 

In addition, the NCSC requires scripts to be made public and to be freely available under open source terms. NCSC will then verify submitted scripts before adding them to the SME portfolio. 

The first script being released is for vulnerabilities in the Exim message transfer agent (MTA). Known collectively as 21Nails and discovered by Qualys, CVE-2020-28017 through CVE-2020-28026 can be chained together to perform remote code execution (RCE) and gain root privileges. 

In related security news this week, a critical memory corruption vulnerability in polkit that impacts a range of Linux distros has been disclosed by researchers. 

Previous and related coverage

• Staff negligence is now a major reason for insider security incidents
  
• Mirai splinter botnets dominate IoT attack scene
  
• Google open-sources Tsunami vulnerability scanner
  

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0