Cloudflare has open sourced a “lightweight” network vulnerability scanner that it uses in-house to help identify vulnerable services running in its vast network. Early reactions suggest that it shouldn’t be the sole vulnerability management tool being used in the network.
Actually a "thin wrapper" around Nmap, Flan Scan combines network mapping with vulnerability scanning, Cloudflare said. The company developed Flan Scan after “unsuccessful attempts” to use existing scanners, wrote Nadin El-Yabroudi, a security engineer at Cloudflare. One of the scanners Cloudflare was using was extremely expensive—"one of our highest security costs"—and it wasn't using many of the features to justify the price tag. Another was an open source one which was difficult to deploy throughout Cloudflare's infrastructure, which extends to more than 190 data centers.
The clock was ticking, because the company had to finish an internal scan to meet a compliance deadline.
“We needed a scanner that could accurately detect the services on our network and then lookup those services in a database of CVEs to find vulnerabilities relevant to our services,” El-Yabroudi said. And it had to be easy to deploy across Cloudflare’s network.
Little More than Nmap
Under the hood, Flan Scan is essentially Nmap, a popular open source networking scanning tool, using the vulners script, which relies on a third-party API to check if a given software has any known security vulnerabilities.
Flan Scan runs inside a Docker container and includes sample Kubernetes configuration and deployment files. It pushes scan results to Google Cloud Storage of Amazon Web Services’ Simply Secure Storage (S3) buckets, making it possible to run many scans across a large network and store the results in one central location for processing. Flan Scan runs the ICMP ping scan to grab all the IP addresses that are online, the SYN scan to check the 1,000 most common ports for each of those IP addresses, and service detection scan to find services running on found open ports. Nmap performs TCP handshake and banner grabbing scans. Users can also opt for UDP and IPv6 scanning.
A bit of Python code converts the Nmap output into a LaTeX report. “Cloudflare’s mission is to help build a better Internet for everyone, not just Internet giants who can afford to buy expensive tools,” El-Yabroudi said.
Mixed Reactions
Flan Scan found that Cloudflare’s FreeIPA nodes, which manage Linux users and hosts, were running outdated versions of Apache with several medium-severity vulnerabilities, El-Yabroudi said. A vulnerable PostgreSQL instance which was leftover from a performance dashboard (which no longer exists) was also found in the environment.
A user named “hannob” ran Flan Scan “against a few servers” and reported on Reddit (and Hacker News) as being “not impressed.” The report flagged issues for a Debian system running Apache, but they were “all old vulnerabilities where fixes were backported to Debian’s packages,” Hannob wrote. “These are false positives.” There was also a warning on another server about the XMSS issue in OpenSSH, but the service was disabled on the server. The user’s perspective was that Flan Scan reports that vulnerabilities exist for that software, and not that the vulnerability is actually present on the system.
However, multiple Hacker News users pointed out that kind of behavior resulting in false positives is happens with other scanners, as well, and is not unique to Flan Scan.
Reddit users were a bit more harsh in their assessment, wondering if Cloudflare was moving to “checkbox driven compliance” instead of proper security.
El-Yabroudi said Flan Scan was “part of a larger effort to expand” its vulnerable management program. One of the examples was how Cloudflare uses osquery to perform host-based vulnerability tracking and correlates those results with Flan Scan results.
“It's a good 50% tool. Easy to configure, easy to deploy, gets me actionable info, doesn't give me everything but I can move quickly with it,” a Reddit user commented. “I'm going to use this in an environment that currently has nothing.”