
The vast majority of network attacks focus on the most commonly found vulnerabilities and on how easily they can be exploited. Drive-by attacks seek out a single common vulnerability, the ‘low hanging fruit,’ and only then determine whether anything on the compromised network is of interest. Targeted attacks use the same list of common vulnerabilities to build a path from first contact to flag capture.
In either scenario, a network exposing any of the top 100 vulnerabilities looks weak and invites attack. You may have four attack dogs in your warehouse for overnight protection, but leaving the loading door unlocked increases the likelihood that someone will try to enter. Keep the dogs, but please close the door.
Regardless of how an attacker gains a first foothold, whether through phishing, an access control bypass, an endpoint attack, or some other method, these common vulnerabilities are the most likely paths onward from that foothold. The most valuable targets sit deeper in the network, and hackers WILL seek the shortest path available to them.
Most Common High Risk Vulnerabilities:
- Microsoft Windows HTTP.sys Code Execution Vulnerability
- OpenSSH Trusted X11 Cookie Connection Policy Bypass Vulnerability
- OpenSSH Privilege Separation Monitor Weakness
- OpenSSL Running Version Prior to 0.9.8zc POODLE
- Mountable NFS Shares
- Apache APR apr_palloc Heap Overflow
- .NET Framework and Microsoft Silverlight Allow Code Execution (MS11-039)
- Combined Security Update (MS12-034)
- Internet Explorer 8 Allows Code Execution (KB2847140)
- Cisco SSH Malformed Packet DoS
- Insecure Library Loading Allows Code Execution (KB2269637)
- Vulnerabilities in Windows Kernel-Mode Drivers Allow Elevation of Privilege (MS12-047)
- Vulnerabilities in Elevation of Privilege Using Windows Service Isolation Bypass (982316)
- PHP Running Version Prior to 5.2.15
- Unauthorized Digital Certificates Allow Spoofing (KB2728973)
- VMware ESX Running Version Prior to 4.1
- OpenSSL Running Version Prior to 1.0.1i
- Oracle Java SE Multiple Vulnerabilities (October 2010 CPU)
- Oracle Java SE Multiple Vulnerabilities (June 2011 CPU)
- Multiple Vendor IPMI ‘cipher zero’ Authentication Bypass Vulnerability
- Vulnerabilities in MySQL Unsupported Version Detection
- Vulnerabilities in Server Service Allow Code Execution (MS08-067, Network)
- Vulnerabilities in Group Policy Allow Code Execution (MS15-011)
- Vulnerabilities in Apache Running Version Prior to 2.2.28
- Vulnerabilities in PHP CGI Query String Code Execution
- Vulnerabilities in SQL Injection
- Vulnerabilities in Cross Site Scripting
- Vulnerabilities in Custom Web Code
- Vulnerabilities in VMware ESXi 3.5
- Vulnerabilities in PHP Running Version Prior to 5.3.11
- Vulnerabilities in NSClient Default Password
- Vulnerabilities in PHP Unsupported Version Detection
- .NET Framework Allows Code Execution (MS11-044)
- .NET Framework Allows Code Execution (MS11-028)
- Vulnerabilities in Microsoft XML Core Services Allow Code Execution (KB2719615)
- Vulnerabilities in Microsoft SQL Server Allow Code Execution (MS09-004, KB959420)
- Vulnerabilities in PHP Running Version Prior to 5.3.26
- Vulnerabilities in PHP Running Version Prior to 5.3.22
- Vulnerabilities in .NET Framework and Microsoft Silverlight Allow Code Execution (MS12-016)
- Vulnerabilities in Flash Player Running Version Prior to 10.3.183.75 / 11.7.700.169 (APSB13-14)
- Vulnerabilities in Remote Portmapper Forwards NFS Requests
- Flash Player Running Version Prior to 11.7.700.232 / 11.8.800.94 (APSB13-17)
- Windows 2000 Unsupported Installation Detection
- Flash Player Running Version Prior to 10.3.183.68 / 11.6.602.180 (APSB13-09)
- Flash Player Running Version Prior to 10.3.183.75 / 11.7.700.169 (APSB13-11)
- Flash Player Running Version Prior to 10.3.183.15 / 11.7.102.62 (APSB12-05)
- Flash Player Running Versions Prior to 10.3.183.15 / 11.1.102.62 (APSB12-03)
- Flash Player Running Versions Prior to 10.3.183.10 / 11.0.1.152 (APSB11-28)
- Flash Player Running Version Prior to 10.3.183.67 / 11.6.602.171 (APSB13-08)
- Flash Player Running Version Prior to 10.3.183.51 / 11.5.502.149 (APSB13-05)
- Flash Player Running Version Prior to 10.3.183.50 / 11.5.502.146 (APSB13-04)
- Sun Java JRE Unsupported Version
- Flash Player Running Version Prior to 10.3.183.7 (APSB11-26)
- PHP Running Version Prior to 5.3.13
- Flash Player Running Version Prior to 10.3.183.43 / 11.5.502.110 (APSB12-27)
- Flash Player Running Version Prior to 10.3.183.48 / 11.5.502.135 (APSB13-01)
- Flash Player Running Version Prior to 10.3.183.43 / 11.5.502.110 (APSB12-24)
- Flash Player Running Version Prior to 10.3.183.24 / 11.4.402.279 (APSB12-22)
- Flash Player Running Version Prior to 10.3.183.23 / 11.4.402.265 (APSB12-19)
- PHP Running Version Prior to 5.3.14
- Flash Player Object Confusion Vulnerability (APSB12-09)
- Flash Player Running Version Prior to 10.3.183.19 / 11.3.300.256 (APSB12-14)
- Flash Player Running Version Prior to 10.3.183.5 (APSB11-21)
- Flash Player Running Version Prior to 10.3.181.26 (APSB11-18)
- Flash Player Unspecified Memory Corruption (APSA11-01)
- Flash Player Running Version Prior to 10.3.181.14 (APSB11-12)
- Flash Player Running Version Prior to 10.2.152.26 (APSB11-02)
- PHP Running Version Prior to 5.4.17
- Flash Player Unspecified Code Execution (APSB10-22)
- Adobe Flash Player Multiple Vulnerabilities (APSB10-26)
- Adobe Flash Player Multiple Vulnerabilities (APSB10-14)
- Vulnerability in .NET Framework and Microsoft Silverlight Allows Code Execution (MS11-078)
- Vulnerability in HTTP.sys Allows Remote Code Execution (MS15-034, Network Check)
- OpenSSH Running Version Prior to 7.0
- Obsolete Web Server Software Detection
- Lighttpd ‘hostname’ Directory Traversal and SQLi Vulnerabilities
- .NET Framework Allows Code Execution (MS12-035)
- Samba CAP_DAC_OVERRIDE File Permission Security Bypass (Network)
- PHP Running Version Prior to 5.3.15
- Vulnerability in Microsoft Malware Protection Engine Allows Code Execution (KB2846338)
- Microsoft Malware Protection Engine (MMPE) Privilege Escalation (2491888)
- Dropbear SSH Server Channel Concurrency Use-after-free Code Execution
- Proxy Allows Gopher:// Requests
- Cisco IOS Software Processing of SAA Packets Flaw
- SNMP Disclosure of HP JetDirect EWS Password
- Dabber Worm Detection (MS04-011)
- PHP Running Version Prior to 5.3.2_5.2.13
- Flash Player Multiple Memory Corruption Vulnerabilities (APSB12-07)
- Microsoft Windows SMB2 ‘_Smb2ValidateProviderCallback()’ Vulnerability (MS09-050, Network Check)
- Microsoft SQL Server Blank Password
- statd RPC Format String
- HP StorageWorks MSA P2000 Hidden ‘admin’ User Default Credentials
- Vulnerabilities in .NET Framework Allow Code Execution (MS12-038)
- radmin Detection
- Vulnerabilities in .NET Framework Allow Code Execution (MS12-074)
- Flash Player ActionScript Predefined Class Prototype Addition Code Execution (APSB11-07)
- NFS Shares World Readable
- Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program (KB3097617)
- NVIDIA Display Driver Service Stack Buffer Overflow (Registry)
- Flash Player Memory Corruption (APSB13-16)
Most Common Medium Risk Vulnerabilities:
- SMB Listens on Port
- Windows Terminal Service Detection
- Microsoft Windows Remote Desktop Protocol Server Private Key Disclosure
- SMB Signing Disabled
- Deprecated SSL Protocol Usage
- Source Disclosure
- Shared Directory Access (Login)
- SSL Medium Strength Cipher Suites Supported
- Default Community Names (SNMP Agent)
- Microsoft’s SQL TCP/IP Listener
- SNMPwalk Port Scanner
- VNC Security Types Detection
- AutoComplete Not Disabled
- Unencrypted Telnet Server
- Obtain Network Interfaces List via SNMP
- SSL Suites Weak Ciphers
- SNMP Agent Default Community Name (public)
- SSL Certificate Expiry
- Database Reachable from the Internet
- Non-SSL Login
- Vulnerabilities in SQL Server Allow Elevation of Privilege (MS12-070, Network)
- Microsoft IIS Tilde Character Information Disclosure Vulnerability
- LDAP Null Directory Bases
- Appweb Insecure SSL Renegotiation
- Web Server Cross Site Scripting
- DNS Server Allows Recursive Queries
- WebDAV Detection
- Linux Kernel UDP Implementation IP Identification Field OS Disclosure
- SSH Protocol Version 1 Detection
- MS SQL Server Resolution Service Amplification Reflected DRDoS Vulnerability
- SMB Shares Enumeration
- Apache HTTP Server Range Header Denial of Service Vulnerability (DoS)
- PHP expose_php Information Disclosure
- Apache HTTP Server Byte Range DoS
- SMTP Service Cleartext Login Permitted
- Apache UserDir Sensitive Information Disclosure
- Obtain Processes List via SNMP
- Remotely Accessible Registry
- OpenSSL Heartbeat Vulnerability (Heartbleed)
- Apache mod_negotiation Multi-Line Filename Upload Vulnerabilities
- Microsoft ASP.NET Information Disclosure Vulnerability (Network, MS10-070)
- Apache Running Version Prior to 2.2.25
- Apache Running Version Prior to 2.2.24
- Apache Running Version Prior to 2.2.23
- Shell Detection
- Shared Directory Access (Share Access)
- Guest Account Accessible (SMB)
- Oracle tnslsnr Version Detection
- Apache mod_suexec Multiple Privilege Escalation Vulnerabilities
- Credit Card Information
- Apache Running Version Prior to 2.2.22
- OpenSSH S/KEY Authentication Account Enumeration
- ntpd Mode 7 Error Response Packet Loop DoS
- Enumerate LANMAN Services via SNMP
- Apache Running Version Prior to 2.2.27
- Enumerate LANMAN Users via SNMP
- OpenSSL Running Version Prior to 0.9.8za
- SMB Host SID User Enumeration
- OpenSSH Multiple Vulnerabilities
- SMB Users Listing
- Enumerate LANMAN Shares via SNMP
- Passwordless Lexmark Printer
- Apache Tomcat Transfer-Encoding Header Vulnerability
- Apache mod_proxy_ajp DoS
- Users in the ‘Admin’ Group
- NFS Server Superfluous
- OpenSSH X11 Session Hijacking Vulnerability
- Unsupported Microsoft XML Parser (MSXML) and XML Core Services
- Apache APR apr_fnmatch DoS
- Fraudulent Digital Certificates Allow Spoofing (KB2524375)
- OpenSSH ‘ForceCommand’ Directive Bypass
- Remotely Accessible Registry (Full Access)
- Vulnerability in Microsoft XML Core Services Allows Code Execution (MS07-042)
- IIS Sensitive Authentication Information Disclosure
- rsh Detection
- Citrix Server Detection
- SMTP Server Listening on a Non-Default Port
- Source Disclosure
- Missing X-Frame-Options Response
- HSTS Missing From HTTPS Server
- Malformed Bind Request (LDAP Anonymous)
- LDAP NT Search Request Information Retrieval
- SSL RC4 Cipher Suites Supported
- SSLv3 Padding Oracle On Downgraded Legacy Encryption (POODLE)
- Web Application Cookies Lack Secure Flag
- pcAnywhere Detection
- Web Application Cookies Lack HttpOnly Flag
- SSL Certificate is Self-Signed
- Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration Without Credentials
- Microsoft Windows SMB Shares Unprivileged Access
- PHP Running Version Prior to 5.3.9
- HP System Management Homepage Cross-site Request Forgery
- DNS Amplification
- OpenSSL Running Version Prior to 0.9.8zb
- Microsoft Windows Kernel Win32k.sys PATHRECORD chain Multiple Vulnerabilities
- VNC Server Authentication-less
- SMB Use Host SID to Enumerate Local Users Without Credentials
- Vulnerability in MHTML Allows Information Disclosure (MS11-037)
- OpenSSL Running Version Prior to 0.9.8zf
- Directory Disclosure
- phpCMS parser.php XSS
- Chargen Detection
- My Little Forum Cross Site Scripting
- Keene Digital Media Server XSS
- WebCam Watchdog sresult.exe XSS
- Faq-O-Matic fom.cgi XSS
- Goollery viewpic.php XSS
- DCP-Portal Cross Site Scripting Bugs
- Apache Jakarta Cross-Site Scripting Vulnerability
- PHP-CSL Cross Site Scripting
Most Common Low Risk Vulnerabilities:
- HTTP Packet Inspection
- ICMP Timestamp Request
- NetBIOS Information Retrieval
- Windows Host NetBIOS Information Retrieval
- rpcinfo -p Information Disclosure
- Supported SSL Ciphers Suites
- SSL Verification Test
- Remote Host Replies to SYN+FIN
- Directory Scanner
- TCP Timestamps Retrieval
- VMware Host Detection
- SSH Server Backported Security Patches
- NULL Session Available (SMB)
- Identify Unknown Services via GET Requests
- VNCviewer in Listen Mode Detection
- robot(s).txt Detection
- DNS Bypass Firewall Rules (UDP 53)
- RPC Portmapper
- SNMP Protocol Version Detection
- Telnet Detection
- IIS Allows BASIC and/or NTLM Authentication
- FTP Clear Text Authentication
- SNMP Route Enumeration
- Device Type
- HTTP TRACE Method XSS Vulnerability
- Microsoft IIS Default Page
- Microsoft’s SQL UDP Info Query
- HTTP Server Backported Security Patches
- LANMAN Browse Listing
- IPSEC IKE Detection
- Apache HTTP Server httpOnly Cookie Information Leak
- Microsoft .NET Handlers Enumeration
- Flash Cross-Domain Policy File
- Veritas NetBackup Agent Detection
- SLP Detection
- VMware ESX/GSX Server Detection
- TTL Anomaly Detection
- Apache HTTP Server httpOnly Cookie Information Disclosure
- SMTP Service STARTTLS Command Support
- SLP Server Detection (udp)
- IIS Content-Location HTTP Header
- Appweb HTTP Server Version
- SMTP Authentication Methods
- TFTPd Detection
- Apache Tomcat Default Error Page Version Detection