Google has released an open-source enterprise network vulnerability scanner called Tsunami that is designed specifically to find high-risk bugs such as remote code execution and is extensible through the use of plugins.
The scanner was built with large-scale organizations in mind and gives security teams the ability to create and add their own plugins to Tsunami to check for exposure to new vulnerabilities or attacks. Tsunami joins a crowded field of existing network vulnerability scanners, both commercial products and free, open-source tools, but the main difference is that Google’s scanner isn’t meant to scan networks for every possible known vulnerability. Instead, Tsunami is built to look for a small set of vulnerabilities that an enterprise security team can specify as it sees fit.
“As attackers increasingly invest in automation, the time window to react to a newly released, high severity vulnerability is usually measured in hours. This poses a significant challenge for large organizations with thousands or even millions of internet-connected systems. In such hyperscale environments, security vulnerabilities must be detected and ideally remediated in a fully automated fashion,” Google said in the documentation for Tsunami.
“To do so, information security teams need to have the ability to implement and roll out detectors for novel security issues at scale in a very short amount of time. Furthermore, it is important that the detection quality is consistently very high.”
A prime example of where Tsunami could come in handy is the recently disclosed remote code execution vulnerability (CVE-2020-5902) in F5 Networks’ BIG-IP networking products. That vulnerability is as serious as it gets, allowing a remote unauthenticated attacker to gain control of a target device, and the F5 gear is deployed in a number of sensitive environments such as government agencies and financial institutions. Within hours of the vulnerability disclosure last week, attackers began exploiting the bug and experts warned that any system that had not been patched already should be considered compromised.
For a large enterprise that might have locations around the world and networking gear in dozens of data centers, knowing what the company’s exposure to that kind of vulnerability is as quickly as possible would be vital. There are multiple public exploits available for the F5 vulnerability along with a Metasploit module. GreyNoise Intelligence data shows exploit attempts against the vulnerability coming from many different locations around the world. In that kind of situation, time is of the essence and knowing if and where exposures exist can be the difference between a rush to patch and a serious compromise.
Tsunami is a modular scanner that runs in two discrete steps. The first phase is a reconnaissance scan that identifies all of the open ports on any host it’s run against. The scanner then runs a series of fingerprinting plugins that enumerate all of the services, protocols, and software running on those ports. That process produces a pair of reports, which Tsunami then uses to verify vulnerabilities in the second step.
“In the Vulnerability Verification step, Tsunami executes the VulnDetector plugins in parallel to verify certain vulnerabilities on the scan target based on the information gathered in the Reconnaissance step. VulnDetector's detection logic could either be implemented as plain Java code, or as a separate binary / script using a different language like python or go,” the documentation says.
Each detection plugin is written to detect one specific vulnerability, so security teams can write and add their own plugins to look for newly disclosed vulnerabilities or known flaws in new gear.
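The two-step flow described above (a reconnaissance report feeding a set of single-purpose detectors that run in parallel), as an added illustration that is not Tsunami’s own code and does not use its Java plugin API; hosts, product names, versions and detector names are constructed placeholders:

```python
"""Constructed model of the two-step pipeline described above: a
reconnaissance report, then detectors run in parallel over it."""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class NetworkService:          # one fingerprinted service from recon
    host: str
    port: int
    service: str
    version: str

@dataclass(frozen=True)
class Detector:                # one detector per vulnerability
    name: str
    applies_to: str            # service name the detector targets
    check: Callable[[NetworkService], bool]

# Constructed reconnaissance output (port scan + fingerprinting);
# hosts, product names and versions are placeholders.
RECON_REPORT = [
    NetworkService("10.0.0.5", 443, "example-appliance", "15.1.0"),
    NetworkService("10.0.0.5", 22, "ssh", "8.2"),
    NetworkService("10.0.0.9", 443, "example-appliance", "15.1.1"),
    NetworkService("10.0.0.12", 8080, "example-webapp", "2.4"),
]

# Placeholder "affected version" sets for two hypothetical advisories.
DETECTORS = [
    Detector("EXAMPLE_APPLIANCE_RCE", "example-appliance",
             lambda s: s.version in {"15.1.0"}),
    Detector("EXAMPLE_WEBAPP_AUTH_BYPASS", "example-webapp",
             lambda s: s.version in {"2.3", "2.4"}),
]

def run_detector(detector, services):
    """Verification for one detector: it only sees services whose
    fingerprint matches, so unrelated ports are never probed."""
    return [(detector.name, s.host, s.port)
            for s in services
            if s.service == detector.applies_to and detector.check(s)]

def verify(services, detectors, workers=4):
    """Run all detectors in parallel over one reconnaissance report
    and merge their findings into a single sorted list."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda d: run_detector(d, services), detectors)
    return sorted(f for findings in results for f in findings)
```

Adding a check for a newly disclosed issue means appending one more `Detector` entry; the reconnaissance report is reused unchanged.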
Tsunami is available on GitHub.