opensource.google.com

Menu

Tsunami: An extensible network scanning engine for detecting high severity vulnerabilities with high confidence

Thursday, June 18, 2020

We have released the Tsunami security scanning engine to the open source communities. We hope that the engine can help other organizations protect their users’ data. We also hope to foster collaboration, and encourage the security community to create and share new detectors on top of Tsunami.

When an attacker begins to exploit security vulnerabilities or security misconfigurations, such as weak passwords, an organization needs to react quickly in order to protect potentially vulnerable assets. With attackers increasingly investing in automation, the time window to react to a newly released, high severity vulnerability is usually measured in hours. This poses a significant challenge for large organizations with thousands or even millions of internet-connected systems. In such hyperscale environments, security vulnerabilities must be detected and, ideally, remediated in a fully automated fashion. To make this possible, information security teams need to be able to roll out detectors for novel security issues at scale in a very short amount of time. Furthermore, it is important that the detection quality is consistently very high. To handle these challenges, we created Tsunami: an extensible network scanning engine for detecting high severity vulnerabilities with high confidence.

Google leverages Google's Kubernetes Engine (GKE) to continuously scan and protect all of our externally facing systems with the Tsunami scanning engine. When scanning a system, Tsunami executes a two-step process:
  1. Reconnaissance: In the first step, Tsunami detects open ports; then subsequently identifies protocols, services, and other software running on the target host using a set of fingerprinting plugins. To avoid reinventing the wheel, Tsunami leverages existing tools such as nmap for some of these tasks.
  2. Vulnerability verification: Based on the information gathered through reconnaissance, Tsunami selects all vulnerability verification plugins matching the identified services. To confirm that a vulnerability indeed exists Tsunami executes a fully working, benign exploit.
In its initial version, Tsunami ships with detectors for the following security issues:
  • Exposed sensitive UIs: Applications such as Jenkins, Jupyter, and Hadoop Yarn ship with UIs that allow a user to schedule workloads or to execute system commands. If these systems are exposed to the internet without authentication, attackers can leverage the functionality of the application to execute malicious commands.
  • Weak credentials: Tsunami uses other open source tools such as ncrack to detect weak passwords used by protocols and tools including SSH, FTP, RDP, and MySQL.
In the coming months, we plan to release many more detectors for vulnerabilities similar to remote code execution (RCE). Furthermore, we are working on several other new features that will make the engine more powerful and easier to use and extend.

In order to make contributions easy, we split our codebase into two Github Repositories:
  1. A repository for the main scanning engine
  2. A repository for Tsunami scanning plugins
If you have any questions or if you would like to contribute, don't hesitate to reach out to us.

By Guoli Ma, Claudio Criscione & Sebastian Lekies, Vulnerability Management Team
.