Should you hide version numbers?
In AppSec, it's not uncommon to come across a report recommending that the version number in response headers be hidden, or stating that the version number at the bottom of a COTS installation gives away too much information.
Information Disclosure (or Information Leakage, depending on who you ask) is when an application or server discloses information about the environment or its users. For example, a stack trace in an error page may reveal credentials, internal paths or a user's session information. This information can then often be leveraged to attack the environment further. Version numbers are commonly filed in this category.
The argument for hiding version numbers
When asked why people recommend hiding version numbers, the argument usually goes something like this: "Version numbers can tell an attacker what version of the software is running so they can look up exploits specific to that version of the software." Technically, this is true - much information can be gleaned about the environment by knowing what software is installed and the installed version. Are they up-to-date? Are they only a couple of versions behind? Are they a lot of versions behind? This can provide insight into the company's patch management capabilities and general attitude towards IT maintenance.
This was a big problem for Equifax in 2017. Equifax, of credit reporting bureau infamy, suffered a significant breach in mid-2017 because a fix for a known Apache Struts vulnerability had not been applied. There certainly are real-world consequences for not maintaining software.
The argument against hiding version numbers
Countering the above argument for hiding version numbers, the rebuttal usually goes something like this: "Whether you hide the version numbers or not, an attacker is still going to scan and attack anyway, and providing the version numbers assists in automated scanning to know what needs to be upgraded." Enterprise information security programs will often use automated scanning such as Qualys, Assetnote, Edgescan, Nessus and a number of other choices, including in-house scanning. Unauthenticated scanning in particular fingerprints software from banners and response headers, so these tools rely on accurate version numbers to detect and report known missing patches. Turning off the version number in response headers, or disabling it from being reported elsewhere, makes it much harder to accurately and quickly triage out-of-date software for patching: the scanner can still see that something is there, but can no longer tell whether it is current.
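To make the triage problem concrete, here is an added example (not code from the original post or from any of the scanners named above) of the kind of logic an in-house inventory script or unauthenticated scanner applies: it extracts product and version tokens from `Server` and `X-Powered-By` headers and compares them against an approved-minimum baseline. The hosts, headers and baseline versions are constructed for illustration and are not a statement about which real versions are safe. Note what happens to the host whose server reports only `Apache` with no version: it cannot be triaged at all.

```python
import re

# Constructed sample of raw HTTP response headers, as an unauthenticated scanner
# would see them. Host names and versions are made up for this example.
SAMPLE_RESPONSES = {
    "www.example.test": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.52 (Ubuntu)\r\nX-Powered-By: PHP/7.4.3\r\n",
    "api.example.test": "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n",
    # Version suppressed (e.g. Apache ServerTokens Prod): banner gives product only.
    "shop.example.test": "HTTP/1.1 200 OK\r\nServer: Apache\r\n",
    "legacy.example.test": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.15 (CentOS)\r\nX-Powered-By: PHP/5.3.3\r\n",
}

# Hypothetical "approved minimum" baseline an organization would maintain itself.
# The numbers are placeholders; the comparison logic is the point.
BASELINE = {
    "apache": (2, 4, 50),
    "nginx": (1, 18, 0),
    "php": (7, 4, 0),
}

# A product token looks like "Apache/2.4.52" or "nginx/1.18.0"; the version part is optional.
VERSION_RE = re.compile(r"^([A-Za-z][\w-]*)(?:/(\d+(?:\.\d+)*))?")


def parse_version(text):
    """Turn '2.4.52' into (2, 4, 52) so tuples compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def fingerprint(raw_headers):
    """Return {product: version_tuple or None} found in Server / X-Powered-By headers."""
    found = {}
    for line in raw_headers.split("\r\n"):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in ("server", "x-powered-by"):
            continue
        # A header may carry several tokens, e.g. "Apache/2.4.52 (Ubuntu) OpenSSL/1.1.1k".
        for token in value.strip().split():
            match = VERSION_RE.match(token)
            if not match:
                continue  # parenthesised OS hints and similar are skipped
            product, version = match.group(1).lower(), match.group(2)
            found[product] = parse_version(version) if version else None
    return found


def triage(product, version):
    """Classify one product/version pair against BASELINE."""
    if product not in BASELINE:
        return "untracked"
    if version is None:
        return "unknown"  # banner present but version hidden: cannot be triaged
    return "current" if version >= BASELINE[product] else "outdated"


def scan(responses):
    """Map host -> {product: status} for every sampled response."""
    return {
        host: {product: triage(product, version) for product, version in fingerprint(raw).items()}
        for host, raw in responses.items()
    }


def summarize(report):
    """Count statuses across all hosts, so the 'unknown' bucket is visible to whoever triages."""
    counts = {}
    for statuses in report.values():
        for status in statuses.values():
            counts[status] = counts.get(status, 0) + 1
    return counts


if __name__ == "__main__":
    report = scan(SAMPLE_RESPONSES)
    for host, statuses in report.items():
        print(host, statuses)
    print(summarize(report))
```

Every host that still reports a version lands cleanly in "current" or "outdated"; the host that hides it lands in "unknown", which in practice means a human has to go and check it by hand, which is exactly the work the scanner was bought to avoid.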
A word about Patch Management and Asset Inventory
For any scanning to be successful, there of course needs to be an accurate record of what the company owns. An accurate asset inventory is a prerequisite for effective vulnerability management, and it brings many other benefits besides.
Patch management at the OS level can be automated with tools such as Chef, Puppet, Salt and more. For this to work, however, the records need to reflect not just the hardware and software in use but also who owns each piece, so that a finding can be routed to someone who can act on it.
When all the pieces do come together, automated patching, documentation of who owns what, knowledge of what those components are, and tracking of patch schedules make running the organization much more manageable.
Conclusion
Should you hide the version number in your software? Emphatically - no. Organizational awareness and maturity, along with the supporting components of a strong information security program, make hiding version numbers not only unnecessary but actively harmful, because it blinds the very tooling that is meant to find the out-of-date software in the first place.