
Vulnerabilities we could miss...

Question asked by noxx on Jul 8, 2019
Latest reply on Jul 10, 2019 by cadams

Hi all,


This is a bit embarrassing but my hand has been twisted to ask this question. I've posted it under Best Practices as I would imagine scanning database ports is regarded as a best practice.


Background: Our DBA team are receiving alerts because Qualys is scanning their databases, which hang off specific ports that are non-standard for that database vendor. The one alert that is causing issues is described as "The prelogin packet used to open the connection is structurally invalid; the connection has been closed" and is related to Kerberos tickets and their size, which MSSQL is having trouble with. We are using AD-authenticated scans via CyberArk.


Problem: They act on these alerts, which happen out of business hours because, of course, we are scanning out of business hours.

They want us to stop scanning these ports, as the port could only ever be used by the service attached to it (the database server), and therefore they see no need for these scans, as they are aware of what vulnerabilities there would be for that service. The alerts are generated when we run our Windows Server scans using the standard list of 1900 TCP ports and UDP.


My reaction: Security doesn't trump convenience, and we have no idea what vulnerabilities could lie behind the service, or the port for that matter, which is why we are using Qualys; perhaps their alerting system should filter out alerts generated from the Qualys scanner IPs, yada yada yada. I could exclude the ports, but I am not comfortable with this approach.


Question: What vulnerabilities could we possibly be missing if the ports these database servers are using are excluded from scans? e.g. DoS, malformed packets.
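As an added example (not part of noxx's post, and not Qualys or SQL Server code), the kind of filter the post suggests for the DBA team's alerting: suppress the known-benign prelogin-packet message only when it comes from a scanner address during the scheduled scan window, and escalate everything else, including the same message from any other client, which is exactly what a real probe of that port would look like. The scanner range (10.10.99.0/28), the 22:00 to 05:00 window, and the `<timestamp> <message> [CLIENT: <ip>]` alert format are assumptions; the sample alerts are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, time

# Assumption: addresses of the Qualys scanner appliances (hypothetical range).
SCANNER_NETS = [ipaddress.ip_network("10.10.99.0/28")]

# Assumption: the out-of-hours scan window, 22:00 to 05:00 local time (wraps midnight).
SCAN_WINDOW_START = time(22, 0)
SCAN_WINDOW_END = time(5, 0)

# The message text quoted in the post; only this signature is eligible for suppression.
PRELOGIN_INVALID = "The prelogin packet used to open the connection is structurally invalid"

# Assumed alert line format: "<timestamp> <message> [CLIENT: <ip>]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msg>.*?) \[CLIENT: (?P<ip>[0-9A-Fa-f.:]+)\]$"
)


@dataclass
class Alert:
    ts: datetime
    ip: "ipaddress.IPv4Address | ipaddress.IPv6Address"
    msg: str


def parse_alert(line):
    """Return an Alert for a well-formed line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Alert(
        ts=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        ip=ipaddress.ip_address(m["ip"]),
        msg=m["msg"],
    )


def in_scan_window(ts):
    """True if the timestamp falls inside the scheduled scan window (handles midnight wrap)."""
    t = ts.time()
    if SCAN_WINDOW_START <= SCAN_WINDOW_END:
        return SCAN_WINDOW_START <= t <= SCAN_WINDOW_END
    return t >= SCAN_WINDOW_START or t <= SCAN_WINDOW_END


def from_scanner(ip):
    """True if the client address belongs to one of the known scanner ranges."""
    return any(ip in net for net in SCANNER_NETS)


def triage(lines):
    """Split alerts into (suppressed, escalate).

    Suppress only the agreed signature, only from scanner addresses, only inside
    the scan window. Anything else goes to the DBA team: a scanner address acting
    outside the window, or an unknown client sending malformed prelogin packets,
    is not noise and must not be hidden by the filter.
    """
    suppressed, escalate = [], []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # unparseable line: not this filter's job, leave it to the normal pipeline
        if PRELOGIN_INVALID in alert.msg and from_scanner(alert.ip) and in_scan_window(alert.ts):
            suppressed.append(alert)
        else:
            escalate.append(alert)
    return suppressed, escalate


# Constructed sample alerts (not real log data).
SAMPLE_ALERTS = [
    # scanner IP, agreed message, inside window: suppress
    "2019-07-08 23:15:02 The prelogin packet used to open the connection is structurally invalid; the connection has been closed. [CLIENT: 10.10.99.4]",
    # same message from a non-scanner client: escalate
    "2019-07-08 23:16:10 The prelogin packet used to open the connection is structurally invalid; the connection has been closed. [CLIENT: 192.168.50.77]",
    # scanner IP but during business hours: escalate
    "2019-07-09 14:02:33 The prelogin packet used to open the connection is structurally invalid; the connection has been closed. [CLIENT: 10.10.99.4]",
    # scanner IP, different message: escalate
    "2019-07-08 23:20:45 Login failed for user 'sa'. [CLIENT: 10.10.99.4]",
]

if __name__ == "__main__":
    quiet, loud = triage(SAMPLE_ALERTS)
    print(f"suppressed {len(quiet)}, escalated {len(loud)}")
    for a in loud:
        print(f"ESCALATE {a.ts} {a.ip}: {a.msg}")
```

On the sample input only the first alert is suppressed; the other three are escalated. The point of the design is that the suppression key is the triple (signature, source, window), never the source alone: whitelisting the scanner IPs outright would also hide a genuine finding such as a successful login from a scanner host that had been compromised.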
