UK’s NCSC Pushes NMAP Scanner Scripts to Fill Defender Gap

The U.K. government’s cybersecurity agency has announced plans to ship a collection of well-tested, reliable scanning scripts to help defenders find and fix high-priority software security vulnerabilities.

The new project, called Scanning Made Easy, will push out a collection of NMAP Scripting Engine scripts as part of an initiative to help system owners and administrators find systems with specific vulnerabilities.

“When a software vulnerability is disclosed, it is often easier to find proof-of-concept code to exploit it, than it is to find tools that will help defend your network,” the NCSC said in a note explaining the motivation for the project.

To make matters worse, even when there is a scanning script available, the agency said it can be difficult to know if it is safe to run or will even return valid scan results. Scanning Made Easy (SME) was born out of our frustration with this problem and our desire to help network defenders find vulnerable systems, so they can protect them,” the NCSC said.

[ READ: Inside The UK’s Active Cyber Defense Program ]

To fill this gap, the agency is teaming up with its i100 private sector partners to provide reliable, well-tested scripts that are easy to deploy and provide better attack surface visibility for known vulnerabilities.

The agency said the scripts will be written using the NMAP Scripting Engine (NSE) and will be created for critical documented vulnerabilities that are difficult to find on internal corporate networks. 

“While there won’t be a script for every single vulnerability, our plan is that scripts will be developed, and continuously reviewed, for critical vulnerabilities and for vulnerabilities that are consistently causing headaches for system administrators,” the agency said.

It said the scripts will be written and tested by private sector partners and will conform to the NCSC Scanning Made Easy script developer guidelines that mandate how the scripts should be developed and tested.

The first available SME script was released to help defenders find the presence of known remote code execution vulnerabilities in the Exim message transfer agent (MTA).  The NMAP script for the Exim vulnerabilities, publicly known as 21Nails, is available on GitHub.

[ READ: CISA Adds Zoho, Qualcomm, Mikrotik Flaws to ‘Must-Patch’ List ]

The NCSC said the script contains information regarding how it checks for the presence of the vulnerability, why the check is not intrusive, why there may be False Positives and why there may also be False Negatives.

“Even if you don’t think you have an Exim MTA, it’s worth running the scan anyway, you might be surprised by what you find installed on your network,” the agency said, noting that the Exim script will output simple-to-read results including a description of the vulnerability and a link to the vendor security advisory. 

“Running this script often and following the linked vendor advice will help to keep your network secure,” the NCSC said, urging defenders to develop and consider sharing their own NMAP scripts with the community.

Related: Five Eyes Nations Issue Joint Guidance on Log4j Flaws

Related: CISA Adds Zoho, Qualcomm, Mikrotik Flaws to ‘Must-Patch’ List

Related: Fewer-Than-Expected Log4j Attacks, but Mirai Joins the Fray