analyzing vulnerability disclosures

I just read an announcement that usernames can be disclosed by the way Windows Server 2003/AD responds to Terminal Services logins from those users trying to log on after their allowed hours. Kudos to the researchers for finding and reporting this, and I mean this post as no dis to them (hey, I read Sid’s site for a reason!). But I do have some commentary to offer.

First, Sid uses the phrase, “This can be exploited to help enumerate valid usernames resulting in a loss of confidentiality.” Not bad, but I think it is very arguable whether usernames are intended to be confidential or not. I mean, that’s what passwords are for, no?

Second, this is a place where a vulnerability needs further clarification once you start trying to cross the bounds from technical geeks to the lesser geeks and business itself. Is this vulnerability a Big Deal? No. What threats could take advantage of this? Well, you have long-standing insiders (yeah, those help desk guys who work all night and get bored and poke around) on a long campaign to pilfer usernames…but if they are employees, chances are they know the username format anyway. Also long-term outside attackers who already have an undiscovered foothold into the network and want to expand their influence. For some reason, this scenario tickles that part of my brain that likes to say, “You have bigger problems at this point.” Maybe someone has Terminal Services accessible to the world, in which case a random port scan could reveal it to an outside attackers who starts trying usernames to grind out more information, or outright access.

My second point is more about those people who interpret vulnerabilities in the context of their respective duties. The disclosure itself is just fine and quite appropriate. I’m simply using it as a sounding board to illustrate the ability to analyze vulnerabilities.

To the author’s credit, he lists criticality being “Less Critical,” although I really don’t know what that means. To me, this vulnerability is minor. It discloses some non-sensitive information pertinent to longer-term attacks by dedicated attackers with nothing better to do.