Ask us a question

You are here

Did you scan your security scanner?

Vulnerability in Saint Security Suite - Ethical Hacker Testimonial
 

We’ve recently been commissioned by one of our customers to assess some well-known vulnerability scanners. Although the assessment was supposed to focus on functional aspects, the pentester part of myself couldn’t help to take a look at the technical resilience of the different applications. So, after some hours, I began making some basic injection tests.

To my great surprise it only took some minutes to discover a cross-site-scripting (XSS) vulnerability in Saint Security Suite, one of the most reputable scanners. Using the XSS, an attacker can induce a user to unwittingly perform actions within the application, so I created a simple proof of concept to demonstrate how it could be used to silently create an Administrator and take over the entire application. Watch out the video below.

Affected versions: SAINT 9.2 through 9.5.14
SAINT official advisory

Security scanners are developed like any other software, so they could turn out to be vulnerable. Besides, they also contain crucial information, like network devices credentials, assets, and security maps of the network. That’s why these applications should be isolated as much as possible from non-operational networks and protected by a Web Application Firewall.  

The vulnerability was disclosed to Carson & SAINT on April 9 and the proof of concept was provided. The Saint development team reacted very quickly and released the fix on April 19We recommend you to update your installation.

This article has been written by David Bloom, Cyber Security Senior Consultant.

Our approach to cyber-security

Our customers benefit from the expertise and talent of our people, combined with pragmatic and proven methods and the efficiency brought by our assets:

1

Expertise and talent

Since 2001 we have applied our experience in cyber-security gained in various industries, from small to large businesses. Our people are seasoned, certified professionals who continuously improve and extend their knowledge.

2

Pragmatic and proven methods

We rely on most recognised, easily auditable and adopted standards and good practices and apply them pragmatically. We always tailor our approach to your particular context, needs and organisation culture.

3

Asset-based approach

We make use of the most advanced and reliable tools and solutions to support our services. This enables us to be more efficient during delivery, enforce the use of standard auditable methods and provide transparency about our achievements and your results.

+
Certified professionals
0+
Success stories
0
Year of establishment
+ 0%
Average annual growth