On May 15, Red Hat disclosed a critical vulnerability in a script included in NetworkManager for the Dynamic Host Configuration Protocol (DHCP) client on Red Hat Enterprise Linux (RHEL). The vulnerability was discovered by Google engineer Felix Wilhelm. The proof of concept for the command injection vulnerability CVE-2018-1111 is so simple that it fits into a single tweet. Wilhelm tweeted:“CVE 2018-1111 is a pretty bad DHCP remote root command injection affecting Red Hat derivates: https://access.redhat.com/security/vulnerabilities/3442151…. Exploit fits in a tweet so you should patch as soon as possible.”

Analysis

DHCP is a protocol used to automatically assign dynamic IP addresses, Domain Name System (DNS) server addresses and other network configuration data to devices. To exploit this vulnerability, an attacker must be on the same network as the vulnerable systems. This is very common when a public Wi-Fi hotspot is offered (e.g., at airports, public libraries or coffee shops).

Red Hat states, “A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol.”

Solution

RHEL Server 6 and 7 are vulnerable. We recommend that all Red Hat customers running affected versions of the dhcplient package urgently apply updates. Other affected Linux distributions include:

• CentOS 6.x and 7.x
• Fedora 26, 27 and 28
• Rawhide

Red Hat's update services for SAP solutions on x86 and IBM Power architectures are also affected.

Other operating systems derived from Fedora/RHEL are likely to be affected, including HPE's ClearOS and Oracle Linux as well as the recently discontinued Korora Linux.

Tenable Research has developed and released the following checks and plugins for this vulnerability.

Additional information

• Red Hat CVE-2018-1111
• Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface
• Get a free 60-day trial of Tenable.io Vulnerability Management

Every month, we ask our researchers to nominate a vulnerability of the month. Novelty, sophistication or just plain weirdness are some of the potential criteria for selecting a vulnerability of the month. After the nominations are collected, the candidates are shortlisted and voted on by our 70-plus-member research organization, combining the total experience and knowledge of Tenable Research to identify the vulnerability of the month.

Background

On the heels of a failed patch to another Java deserialization vulnerability in Oracle WebLogic Servers, the research team voted to highlight a Red Hat JBoss vulnerability this month. CVE-2017-12149 is another remote code execution (RCE) vulnerability with a 9.8 CVSS3 score. This vulnerability allows an unauthenticated attacker to execute arbitrary code on a remote host. It affects JBoss Enterprise Application Platform (EAP) 5 deployed on Red Hat Linux.

What makes this the vulnerability of the month?

Attacks leveraging Java deserialization vulnerabilities are becoming a common target for attackers. Serialization is a technique used to translate an object into a binary format that can be easily stored. The reverse process is called deserialization. The problem is that applications frequently fail to validate the data obtained from an untrusted source before trying to deserialize it. This can allow attackers to execute arbitrary code and trigger server side command execution. The issue is listed as “Deserialization of Untrusted Data” in Mitre’s Common Weakness Enumeration database.

Vulnerability details

In Jboss EAP 5, attackers can achieve RCE because of weak HTTP input validation implemented before deserialization process execution. This vulnerability (CVE-2017-12149) allows usage of unsafe classes from "functor" package provided by Apache Commons Collection Library 3.X < 3.2.2 / 4.X < 4.1 (CVE-2015-7501). The vulnerable version of the library is shipped by default with Jboss EAP 5.

Unfortunately, the combination above is not the only one that can be used to conduct this type of attack. Attackers can also try to utilize “property-oriented programming” (POP) to build custom malicious objects chains. These objects chains are composed of code snippets that can be used to manipulate the properties of an object to trigger the RCE by using unsafe classes from the target application. That’s why serialized objects validation is such a challenging task.

In addition, tools like ysoserial make it trivial to utilize well-known objects chains to exploit deserialization vulnerabilities in web servers and applications, increasing the exposed attack surface.

JBoss EAP 5 is affected by this Java deserialization vulnerability due to a flaw in the doFilter method of the ReadOnlyAccessFilter class. A remote attacker could exploit this flaw with a crafted serialized object passed via HTTP request to execute arbitrary code on the host.

Anyone running JBoss EAP 5 with publicly accessible http-invoker.sar component could be impacted by the issue. JBoss EAP 6 and 7 do not provide the HTTP invoker so they’re not affected.

Additional resources

• Nessus Plugin ID: 109321
• Critical Oracle WebLogic Server Flaw Still Not Patched
• Mitigation options provided by Red Hat
• Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface
• Get a free 60-day trial of Tenable.io Vulnerability Management

The ongoing saga of the Spectre and Meltdown vulnerabilities has just taken a new turn. Discovered by Google Project Zero (GPZ) and Microsoft, the new variants affect everything from desktops, laptops and mobile devices to infrastructure-as-a-service. These flaws are present in nearly all modern microprocessors and could allow an attacker to steal sensitive information by accessing privileged memory as a result of abusing a feature called speculative execution. We’ve been following the ongoing developments of these vulnerabilities from their first disclosure back in January 2018 and have released coverage to help keep our customers secure based on previous developments. The vulnerability has continued to evolve – variants of Spectre have surfaced that utilize speculative execution side-channel attack methods and have been assigned CVE-2018-3639 as well as CVE-2018-3640.

The new derivatives are called Variant 3a (Rogue System Register Read (RSRE)) and Variant 4 (Speculative Store Bypass) and were discovered and jointly disclosed by GPZ and Microsoft's Security Response Center (MSRC).

Impact assessment

According to CERT, Side-Channel Vulnerability Variants 3a and 4 may allow an attacker to access sensitive information on affected systems. When the original Spectre and Meltdown vulnerabilities were disclosed, many companies like Intel, Red Hat and Microsoft issued updates to patch the issues. However, the fixes haven't always worked as intended, and some customers experienced performance as well as other issues when they applied the patches.

This time around, Intel has delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors. This mitigation has been set to off by default, providing their customers the choice of whether to enable it. With the configuration set to off, they have observed no performance impact. However, if enabled, they observed a performance impact of approximately two to eight percent based on overall scores for benchmarks. They expect it will be further released into production BIOS and software updates over the coming weeks by various vendors.

Vulnerability details

Intel is classifying Variant 3a as a medium-risk vulnerability that may allow an attacker with local access to speculatively read system parameters via side-channel analysis and obtain sensitive information.

Intel is classifying Variant 4 as a medium-risk vulnerability that exploits “speculative bypass.”
When exploited, Variant 4 could allow an attacker to read older memory values in a CPU’s stack or other memory locations. Many of the exploits it uses were fixed in the original set of patches for Spectre and Meltdown. This makes real-world exploitation of these issues harder.

Exploitation

Intel has stated they haven’t received any reports of this method being used in real-world exploits. In addition, mitigation techniques that were deployed for Variant 1 back in January can also be applied to Variant 4, which are already available. Additionally, Intel and its partners will be providing a combination of microcode and software updates for mitigating Variant 4.

According to a Microsoft Security release, an attacker could read privileged data across trust boundaries with a successful exploit: "Vulnerable code patterns in the operating system (OS) or in applications could allow an attacker to exploit this vulnerability. In the case of Just-in-Time (JIT) compilers, such as JavaScript JIT employed by modern web browsers, it may be possible for an attacker to supply JavaScript that produces native code that could give rise to an instance of CVE-2018-3639. However, Microsoft Edge, Internet Explorer, and other major browsers have taken steps to increase the difficulty of successfully creating a side channel." With that being said Microsoft has also stated, "At the time of publication, we are not aware of any exploitable code patterns of this vulnerability class in our software or cloud service infrastructure, but we are continuing to investigate."

Red Hat’s VP of the operating system platform, Denise Dumas, issued a statementsaying: “These vulnerabilities could allow a malicious actor to steal sensitive information from almost any computer, mobile device, or cloud deployment. Importantly, several technology industry leaders, including Red Hat, have worked together to create patches that correct this issue, underscoring the value of industry collaboration. It is key that everyone -- from consumers to enterprise IT organizations -- apply the security updates they receive. Because these security updates may affect system performance, Red Hat has included the ability to disable them selectively in order to better understand the impact on sensitive workloads.”

Urgently required actions

Refer to hardware and software vendors for patches or microcode and deploy as soon as they are available.

Tenable Research is monitoring the situation and will release coverage as required to help keep our customers secure.

Identifying affected systems

• Refer to hardware and software vendors’ releases.

Get more information

• Intel Tech Release
• Microsoft Security Release
• Red Hat Tech Release
• Red Hat Speculative Store Bypass
• Learn more about Tenable.io®, the first Cyber Exposure platform for holistic management of your modern attack surface
• Get a free 60-day trial of Tenable.io Vulnerability Management

Editor's Note: This post was edited for accuracy on May 23, 2018.

Earlier this year, we introduced Tenable.io on-prem, an on-prem deployment option for our Cyber Exposure platform. While Tenable.io is first and foremost a cloud-delivered platform, Tenable.io on-prem is the right platform for organizations who have strict requirements to keep their security and compliance data locally within their organization’s boundary.

Customer choice and flexibility are important to us, which is why we’ve worked hard to ensure that our on-prem customers get many of the same great capabilities that our cloud customers have come to love. This includes: Nessus sensors for active and agent-based scanning and passive network monitoring, an API and SDK for those who want to automate the sharing of Tenable.io capabilities and vulnerability data, the same user-friendly UI and now Web Application Scanning.

We’re very excited to launch Web Application Scanning on-prem and meet this critical need for our on-prem customers. Web Application Scanning on-prem works with Tenable.io on-prem and ensures on-prem scanning of web applications, allowing data to be kept locally, on a customer’s premises.

Why do you need Web App Scanning?

Why do you need Web App Scanning? Well, it’s no secret that lack of web application security can kill companies. Take Equifax, for example. We’re all familiar with this breach. And many of us were affected by it. It originated from unpatched vulnerabilities in the Apache Struts web application.

The reality is Equifax isn’t alone in their poor cyber hygiene: the average time it takes to remediate high-risk and critical web application vulnerabilities is measured in months, not days or even weeks. Taking it a step further, the amount of vulnerabilities in web applications is staggering, with TechRepublic reporting that 99.7% of web apps have at least one vulnerability.

And organizations often have hundreds – or thousands – of web applications. The sheer prevalence of vulnerabilities makes this attack vector attractive to adversaries. And the potential impact web app attacks could have on your company makes this blind spot an essential one to secure. We can help.

Tenable Web App Scanning is available in the cloud or on-prem. Benefits include:

• Comprehensive vulnerability scanning for modern web applications
• Accurate vulnerability coverage to minimize false positives and negatives
• Safe scanning with the capability to define parts of critical web applications that are safe to scan and define other parts that should never be scanned, to prevent performance latency and disruptions
• Highly automated scans with the capability to easily define frequency and timing parameters for continuous testing
• Unified view of all your vulnerabilities in one place to eliminate gaps and inconsistencies that come with managing multiple, siloed solutions
• Complete understanding of the sitemap and layout of your web apps to see and assess your web apps globally
• Flexible deployment: Available in the cloud or on-prem for organizations that need the ability to keep web application scanning data locally

Learn more about Web Application Scanning

• Visit the Web Application Scanning webpage
• Contact us to see how Tenable can help you prevent web app attacks

One problem which has been lingering for too long in the security industry is the concept that “security research” has long been way more of an art than a science. As our industry matures, we need to change this approach and add more scientific rigor to our industry.

This is why at Tenable, we decided to take a pragmatic and formal approach to research. We believe that there’s an urgent need to make the internet a safer place for everyone. For us, that begins with a singular focus on pinpointing security problems and sharing our findings quickly, openly and responsibly with the broader tech community.

Today we’re unveiling Quantifying the Attacker’s First-Mover Advantage– a first-of-its-kind study that looks at the immediate, crucial moves that security teams and their adversaries make in the hours or days after a vulnerability is first discovered. This type of study is important for our industry as we continue to hone the discipline and rigor that we apply to driving security into the very heart of every digital organization. Moreover, Quantifying the Attacker’s First-Mover Advantage indicates that security is a sprint, not a marathon and that the way the race begins has tremendous implications for how it will end. It also underscores the need for a more agile approach to security, a CI/CD-inspired cyber program more in sync with the realities of today’s dev cycles, if you will.

We believe that this type of research is one fundamental way that we can help to keep people safer. It’s one of the ways we give back to the community.

Expect to hear more from our researchers over the next few weeks as we unveil new, original research.

Tenable Research has just released a report on the difference in time between when an exploit is publicly available for a given vulnerability and the first time that a vulnerability is assessed.

For this study, we analyzed the 50 most prevalent critical and high-severity vulnerabilities from just under 200,000 vulnerability assessment scans over a three-month period in late 2017 to anchor the analysis to the real world. We used these vulnerabilities to derive the “time to exploit availability” and “time to assess” to calculate the median delta.

The delta represents the first move that both the defender and attacker can make in this race. While it does not represent the full OODA Loop (observe, orient, decide, and act) for both parties, it does indicate who has the best start – and who will ultimately win.

A negative delta means attackers have a window of opportunity to exploit a vulnerability before defenders are even aware that they are at risk.

Attackers are racing ahead

Our analysis shows that the median delta was -7.3 days. The median time to exploit was 5.5 days, compared to a median time to assess of 12.8 days. On average, this gives attackers a seven-day head start on the defenders.

The delta was negative for 76 percent of analyzed vulnerabilities. So, on a vulnerability-by-vulnerability basis, the attackers seize the first-mover advantage more often than not.

When the delta was positive, it was usually because it took so long for an exploit to become available – rather than the defenders’ speedy scanning frequency. The fact that for 34 percent of the analyzed vulnerabilities, an exploit was available on the same day the vulnerability was disclosed is sobering. But it really gets interesting when we drill down into the individual vulnerabilities.

Twenty-four percent of the 50 most prevalent vulnerabilities we analyzed are actively being exploited in the wild by malware, ransomware or exploit kits. A further 14 percent were sufficiently critical to be discussed in the media. The sample set contained vulnerabilities being targeted by the Disdain and Terror exploit kits, Cerber and StorageCrypt ransomware and even by APT groups such as Black Oasis to install the FinSpy surveillance software.

Seizing the advantage back

Most security professionals have a hunch they’re playing catch up, but having the attackers’ lead quantified helps to determine how far behind we are and what we need to do to close the gap.

Many organizations conduct vulnerability assessments on a monthly or even quarterly cycle. This is mostly driven by internal factors, rather than external drivers, such as monthly patch cycles set by the company. We tend to forget that we have an adversary who is dictating the rules of engagement. While we have no control over when the attacker decides to attack, or how, we do have control over our own environment.

Our own analysis of scanning behavior indicates that just over 25 percent of organizations are conducting vulnerability assessments with a frequency of two days or fewer. This is an achievable goal, and will reduce the head start that attackers have for most vulnerabilities. But, with latency inherently built into the process, this still leaves a residual risk that cannot be solved solely by improving the scan frequency.

A more effective approach to vulnerability and Cyber Exposure management is not based on a start-stop model or discrete cycles. Instead, it must be based on:

• Continuous assessment of our security posture
• Proactively addressing predictable risks
• Rapidly reacting to unanticipated and emerging ones

The threat landscape is evolving at an unprecedented pace across an expanding attack surface, necessitating a more agile process that functions as a feedback loop. The new emerging discipline of SecDevOps already provides some established best practices. But this will also require that security and operational teams are better aligned and cooperate more closely.

We shouldn’t underestimate the value of vulnerability assessment in providing intelligence and situational awareness of Cyber Exposure and providing the “feedback” in the loop. Even if it isn’t feasible to remediate every vulnerability at once, continuous assessment can drive ad hoc, emergency response remediation or determine that mitigating controls such as access control must be applied to bridge the remediation delay and resulting exposure gap.

Speed up the time to assess vulnerabilities

For recommendations on how you can speed up time to assess vulnerabilities and detailed insights into our analysis, download the Quantifying the Attacker’s First-Mover Advantage report.

In today’s changing threat landscape, protecting your organization and its data from modern attacks is critical. Many organizations rely on Tenable® for their vulnerability management and Cyber Exposure needs. As such, we take our responsibility seriously and are committed to providing you with industry-leading solutions and support to help you minimize cyber risk.

In fact, customer success is our number-one priority, which is why we’re excited to announce a new technical support plan to help our customers maximize the value of their Tenable investment and ensure they have the technical resources they need to be successful and protect their organization at all times.

Technical Support overview: Three levels of support to meet your needs

The new support plan provides complete, responsive and high-quality support for all customers. We offer three levels of support to meet our customers’ unique needs:

Standard Support

The standard Support plan is included free with all Nessus Professional subscriptions. It includes 24x7x365 support via the community, chat and email.

Advanced Support

Advanced Support is free to all enterprise customers (Nessus Professional customers can purchase it for an additional cost). It includes 24x7x365 support via the community, chat, email and phone.

Elite Support

Elite Technical Support provides 24x7x365 personalized attention. Technical experts with a deep understanding of their customer’s unique environment and product usage offer proactive case management. Customers who purchase elite support get direct access to a level 2 Elite Technical Support Engineer (TSE). The Elite TSE team consists of senior engineers with deep technical experience to help customers resolve problems quickly and ensure their organization is protected at all times.

Elite support also includes early entry access to beta releases and exclusive access to technical support tools and communities.

A dedicated TSE and Technical Support Operations Manager (TSOM) are also available with elite support:

• Dedicated, full-time TSE: 100% dedicated to your during regular business hours
• TSOM: Performs monthly reviews of the customer’s case history, trends and metrics. Provides case consolidation and coordination across large organizations. Monitors all cases across the organization to ensure timely responses and proper resources.

With Tenable Technical Support, customers have peace of mind knowing their products are performing optimally and protecting their organization.

Learn more about Tenable Technical Support

For more information about Tenable support offerings:

• Visit the Technical Support webpage
• Review the Elite Support data sheet

One of the most transformative changes in the IT industry over the last decade has been the adoption of public cloud (IaaS) services such as AWS, Azure and GCP.

Public clouds are more than “just” running servers in a remote data center. They’re all about using infrastructure as code. This means that the various building blocks they offer – storage services, virtual machines and containers – as well as the underlying network can all be modified via calls to the public cloud APIs. Companies using public clouds gain enormous velocity and elasticity advantages, which have, in turn, fueled the emergence of DevOps.

For all its advantages, public cloud and DevOps adoption also means the use of many new technologies – and a drastic increase in the velocity of change across the attack surface. This leads to reduced visibility into the infrastructure itself and often more complexity, which tends to be the enemy of security.

Cybersecurity starts with cyber hygiene

We believe that security starts with effective cyber hygiene – making sure every bit of the computing infrastructure is accounted for, configured properly and up-to-date. Keeping an eye on the state of the infrastructure and making sure it’s up-to-date reduces the cyberattack surface dramatically. After all, 99% of vulnerabilities exploited today are ones known by security for at least 12 months.

However, cyber hygiene is difficult to maintain in the dynamic world of public cloud. Many security teams we’ve talked to don’t know what’s running, let alone how up-to-date and tightly configured these components are.

Look no further than the many problems stemming from the misuse of public cloud infrastructure, such as default SSH credentials.

Public cloud is a boon to security

In spite of these high-profile incidents, we consider the disciplined use of public cloud as a boon to security – as long as DevOps methodologies and technologies are used wisely. Immutable containers, microservices and automated security testing can actually improve an organization’s level of security.

But, many security solutions are built with physical, on-premise data centers in mind – not with the vital levels of scale and visibility required for public cloud. Security teams need this scale and visibility to keep track of what’s happening in their public cloud infrastructure. It also provides the necessary background and data to properly engage with the DevOps teams – enabling what many in the industry refer to as DevSecOps.

Cyber Exposure: Providing greater visibility into cloud security

The discipline of Cyber Exposure will help security leaders embrace DevSecOps principles to manage and measure the cyber risk of public cloud infrastructure. Traditional vulnerability management practices must evolve to provide greater visibility into cloud security through:

• Live discovery and continuous monitoring of cloud assets
• Integration between the static and dynamic scanning of cloud assets across the software development lifecycle
• Automated, seamless workflow integration with DevOps

Today, we’re excited to announce new and important product capabilities in Tenable.io to help you embrace the use of public cloud:

• New Cloud Connectors for Microsoft Azure and Google Cloud Platform: Continuously discover and track asset changes in Azure and GCP cloud environments to ensure all cloud workloads are known and assessed for vulnerabilities. Together, with the existing Cloud Connector for AWS, these new connectors provide a unified view of cybersecurity risks across the top three most widely deployed public cloud (IaaS) platforms.
• New container runtime scanning in Tenable.io Container Security: Gain visibility into the Cyber Exposure of containers running in production. This important product enhancement is enabled by the combination of Tenable.io Container Security and Tenable.io Vulnerability Management working together to seamlessly integrate security into the end-to-end DevOps process – from build to production.
• New web application discovery in Tenable.io Web Application Scanning: Identify web applications owned and deployed across an organization, including previously unknown applications, to understand Cyber Exposure throughout your web application estate. This new capability solves a critical visibility challenge – the number of web applications deployed is often much higher than what the security team is aware of.

We’re thrilled with the growing use of DevOps, and believe it can really help security when done right. Public cloud is a pillar of DevOps. With the right insight and seamless integration, security teams can enable DevSecOps to provide the necessary guardrails for any organization to use these new technologies safely and responsibly.

Resources: How to secure public cloud infrastructure

For more information:

• Join today’s webinar (noon EDT), “Secure DevOps: Application Security from Development Through Runtime,” co-hosted with the Cloud Security Alliance
• Read the press release
• Visit: www.tenable.com/solutions/cloud-security

Yesterday, the Snyk Security team released information about a widespread archive extraction vulnerability known as Zip Slip. Zip Slip allows cyberattackers to write arbitrary files on the system, potentially permitting remote command execution. Zip Slip is a combination of “arbitrary file overwrite” and “directory traversal” weaknesses. An attacker could unzip files outside the normal unzip path and overwrite sensitive files, including critical OS libraries or server configuration files.

Analysis

The vulnerability affects thousands of projects, including ones from Amazon, Apache, HP and Pivotal due to their usage of the vulnerable open-source libraries. The affected libraries are available for a broad range of programming languages, including JavaScript, Python, Ruby, .NET, Go and Groovy.

According to Snyk, issues have also been found in the Java ecosystem. While following the SDLC best practices of code reuse, developers share portions of code in various online forums. Some of the code snippets have been found to be vulnerable to Zip Slip. thereby making applications that reused these code snippets potentially vulnerable, too.

The Zip Slip vulnerability affects multiple archive formats, including tar, jar, war, apk, rar and 7z. An attacker can use a specially crafted archive that holds files with directory traversals in their names to exploit the vulnerability.

Solution

The Snyk security team has listed the affected libraries and recommended mitigation steps here.

Tenable^® Research is monitoring the situation on behalf of our customers. We’ll release Nessus^® plugins as required to help identify the Cyber Exposure gap.

Additional information

• Snyk whitepaper on Zip Slip
• GitHub reference
• Learn more about Tenable.io,^® the first Cyber Exposure platform for holistic management of your modern attack surface
• Get a free 60-day trial of Tenable.io Vulnerability Management

On June 11, we’re rolling out a subscription auto-renewal program for customers who purchased through our eCommerce site after July 10, 2017.

We created the auto-renewal program with one goal in mind: to make doing business with us easier. Most of our customers renew their licenses each year, and we have heard from many of you that a manual renewal process is less than ideal. With auto-renewal, you no longer need to worry about when your product‘s subscription expires or take steps to keep your product active. We’re making this process transparent for you.

We also understand that a subscription auto-renewal program isn’t for everyone. At any time during the life of your subscription, you can easily opt-out of auto-renewal. There are three easy ways for you to unsubscribe from the auto-renewal program, if you choose:

• The order confirmation email you received when you first purchased your product from our eCommerce store has a link to manage your subscription. You can opt-out of auto-renewal from that link.
• In your Tenable^® account, you can also opt-out of auto-renewal at any time. On the “Manage your Account” page, on the right side next to your activation code, you’ll see a link that says “cancel auto-renewal.” Click the link and follow the prompt to opt-out. Note: If you’re not enrolled in auto-renewal, you’ll simply see a link that says “Renew” and you can easily manually renew your subscription anytime from here.
• 30 days before your license expires, you’ll receive an email from us indicating that we’ll be renewing your subscription the following month. That email will include a link to manage your subscription, where you can easily cancel your auto-renewal.

No matter which option you choose, canceling your auto-renewal subscription will not impact your existing license or current subscription. You will still have access to your licensed products for the length of your subscription, and you can manually renew your license at any time in the future.

We are laser focused on providing you with a great customer experience, from building great products to making it easy to work with us, and are always listening to your feedback to make our customer experience even more awesome. As always, our doors and ears are open, so if you have any questions or suggestions, we’re always happy to hear them. Contact us at: support@tenable.com.

Thank you for being such great customers!

The Adobe Flash Player is widely adopted and a choice target for attackers given its history with vulnerabilities and the potential footprint exploits can have. Adobe consistently provides security updates for critical vulnerabilities. However, CVE-2018-5002 is the second zero-day vulnerability in Adobe Flash Player this year (the earlier one being CVE-2018-4877). Today, Adobe released a security patch for this vulnerability, along with other critical updates. This vulnerability was independently discovered by ICEBRG, Qihoo 360 and Tencent and impacts Adobe Flash Player 29.0.0171 and earlier versions. According to Adobe, the vulnerability is a stack-based buffer overflow bug that could allow arbitrary code execution.

Impact assessment

An attacker who successfully exploits the vulnerability could take control of an affected system. Exploits in the wild have leveraged Microsoft Office documents containing malicious Flash Player content via targeted email campaigns. At this time, the targeted systems seem to be Windows devices in the Middle East, according to Qihoo 360 Core Security. Adobe has released a security update for Adobe Flash Player on various affected platforms, including Windows, macOS, Linux, and Chrome OS.

Urgently required actions

Adobe Flash Player requires an immediate update to version 30.0.0.113 for all platforms.

Identifying affected systems

Tenable® has been monitoring the situation. We’ve released the following Nessus® plugins to assist our customers in finding and securing their exposure to CVE-2018-5002 as well as the other vulnerabilities patched in this update.

Get more information

• Qihoo360
• Adobe
• Learn more about Tenable.io,® the first Cyber Exposure platform for holistic management of your modern attack surface
• Get a free 60-day trial of Tenable.io Vulnerability Management

Researchers at Positive Technologies discovered a serious flaw (CVE-2018-0253) in Cisco’s Secure Access Control System (ACS). System administrators use Cisco ACS to authenticate users across the network. The vulnerability allows external access to the Cisco ACS web interface, thereby allowing attackers to possibly gain unrestricted access to the internal network.

Analysis

An attacker who successfully exploits the ACS Report component of Cisco ACS could execute arbitrary commands on the affected system, which would be processed at the targeted user's privilege level.

The Cisco vulnerability received a CVSS v3.0 score of 9.8 out of 10, indicating a "critical" degree of severity. According to Cisco, “The vulnerability is due to insufficient validation of the Action Message Format (AMF) protocol. An attacker could exploit this vulnerability by sending a crafted AMF message that contains malicious code to a targeted user. A successful exploit could allow the attacker to execute arbitrary commands on the ACS device.”

If Active Directory is integrated with Cisco ACS, an attacker could possibly steal the credentials of the domain administrator.

Solution

This vulnerability affects all releases of Cisco Secure ACS prior to Release 5.8 Patch 7.

Cisco has released software updates that address this vulnerability, and they are available for download.

Tenable^® has released a Nessus^® plugin to help our customers determine their Cyber Exposure gap.

Additional Information

• Cisco Security Advisory
• Learn more about Tenable.io,^® the first Cyber Exposure platform for holistic management of your modern attack surface
• Get a free 60-day trial of Tenable.io Vulnerability Management

One of the greatest challenges that enterprises face is prioritizing vulnerabilities for remediation. Trying to determine which vulnerabilities pose a true imminent risk deserving of immediate attention can feel like a game of Whac-A-Mole due to the sheer volume of critical vulnerabilities.

An analysis of CVE data by Tenable Reseach’s Lucas Tamagna-Darr shows the number of disclosed vulnerabilities has grown on average by 15 percent year-over-year – with more than 12,000 unique vulnerabilities being added to CVE in 2017 alone! Of these, over 3,500 were rated with a High or Critical severity. That’s an average of almost 10 per day. And the situation is only getting more overwhelming – we project the total number of disclosed vulnerabilities will grow to above 15,000 in 2018.

Strategic remediation prioritization – know which vulnerabilities pose the biggest risk

The objective of strategic vulnerability remediation prioritization is to identify the vulnerabilities that pose the greatest actual risk to an organization. Many organizations rely on the Common Vulnerability Scoring System (CVSS) to prioritize. But, this yields far too many “critical” vulnerabilities for most organizations to realistically remediate or mitigate given the time and resources available to them. CVSS does a good job of generally evaluating the risk that a specific vulnerability poses. However, it fails to identify which vulnerabilities represent a true risk to a specific organization.

Shifting paradigms – Cyber Exposure management

Situational awareness is now a necessary component of an effective remediation prioritization strategy. This approach is sometimes called threat-centric, intelligence-driven, adversary-focused vulnerability management.

At Tenable, we call this Cyber Exposure. The Cyber Exposure discipline focuses on vulnerabilities that are actively being exploited in the wild by malware, ransomware, Exploit Kits (EKs) and threat actors and are therefore most likely to lead to an actual data breach. Ideally, the business criticality and context of an asset are also correlated to fully assess your Cyber Exposure. The objective is to filter down the overall volume of critical vulnerabilities to a manageable amount that merits immediate prioritization for remediation.

So, situational awareness becomes key. We must take into account adversaries’ activities in the wild and their actual Tactics, Techniques and Procedures (TTPs). Let’s stop looking at vulnerabilities in isolation and “all things being equal.” We should instead look at potential threats and their associated vulnerabilities to identify which ones subsequently represent the greatest risk. For that, you need to evaluate the threats themselves – to determine if they should be on your “watch list.”

Exploit Kits have been a prominent potential threat for enterprises for the past decade, targeting unsuspecting users by infecting them with malware via compromised websites. In the past year, active EK deployments – and their development by cyber criminals – has dropped. So, let’s take a look at whether EKs and the vulnerabilities they target still represent a critical, real-world risk that need to be prioritized first for remediation.

What is an Exploit Kit?

Exploit Kits are used to embed malicious code into a website. They provide pre-packaged exploits that target unpatched browsers and applications. There’s a thriving commercial market offering EKs. And many are easy to use, even by less technical cyber criminals. EKs generally target client-side vulnerabilities.

The majority of attacks using EKs infect a target without their knowledge, through two primary methods:

Opportunistic drive-by-exploitation

Cyberattackers will exploit vulnerable web servers to deploy the EK. They embed malicious code in websites, which can infect any visitor with a vulnerable web browser or enabled libraries and plugins.

Targeted exploitation through phishing

Attackers either set up their own website to deploy the EK or exploit a vulnerable website to do so. They then send a crafted email to a potential victim that includes a link to the infected website in the hope the target will click the link and visit the site.

Historically, the primary objectives when deploying EKs were stealing credentials and banking information, deploying ransomware and using the infected machines as bots in DDoS attacks. More recently though, threat actors are repurposing EKs to mine cryptocurrencies (so-called “drive-by-mining”).

Analysis

We analyzed many different EK’s¹ using a variety of sources² to gather a list of commonly targeted vulnerabilities (see below):

The first thing that’s noticeable is how old many of the targeted vulnerabilities are – some CVEs date back to 2014! Adobe Flash still dominates the top lists. (Although new exploits targeting Flash have become less common, reflecting its shrinking prevalence in the wild.)

In second place come Microsoft applications, specifically Internet Explorer, Edge and their associated libraries. These targeted vulnerabilities are more recent, with the majority disclosed in 2017.

Threat actors are not dumb. Like any commercial endeavor, they focus on return on investment (ROI). The fact they’re still targeting old vulnerabilities shows they’re still achieving some success with them. But, it also shows that EK developers are having to rely on older vulnerabilities, indicating a lack of more recent effective exploits.

This also isn’t the first time that EKs have faced declining effectiveness. Prior to 2016, EKs primarily targeted Java vulnerabilities, but pivoted to exploiting Flash due to the declining availability of effective Java exploits.

Our own analysis indicates the vulnerabilities currently being targeted by EKs have a very low prevalence in customer environments. That’s not surprising, considering the age of many of them. But, it’s important to note that our own data set is focused on organizations that conduct active vulnerability management. This is not always the case. A recent joint report from Ponemon and ServiceNow states that 37% of the enterprises they surveyed that had experienced a breach in the past 24 months did not scan for vulnerabilities at all. Home users and many small businesses also often do not actively manage vulnerabilities.

Conclusion: Exploit Kits are in decline – for now

An observant and facetious reader may say the best defensive strategy to protect against EKs is to dump Internet Explorer and Adobe Flash. And there is, in fact, a lot of merit in that advice.

Other browsers are far less commonly exploited by EKs, most obviously Google Chrome, despite a market share of just over 60 percent. Flash is already being phased out, with the proportion of Flash-enabled sites rapidly declining. In addition, Flash will be EOL in 2020. Aside from legacy applications and dependencies, there’s no good reason for anyone to still have Flash installed.

Real-world EK activity has been observed to be on the decline in the past 24 months. From 2016 to 2017, EK deployments, measured by the volume of websites serving EKs, has dropped by 300%, according to some sources. The active development of EKs has also declined by as much as 62%.

There are a variety of reasons for this. Arrests of cyber criminals offering EKs and the concerted takedown of EK infrastructure by law enforcement and tech companies have had an impact. But a primary reason for the decline is based on a lack of effective client-side exploits and subsequently vulnerable targets.

More generally, our overall conclusion is EKs are not the risk they once were. They don’t warrant the same strategic focus as in past years.

To be clear, we’re not saying that you should not remediate the targeted vulnerabilities if you have the resources. But, if your objective is to identify the threats and associated vulnerabilities for remediation that reduce the most amount of real-world risk, EKs right now don’t make the top of the list.

But this will also always depend on what specific software you have deployed and the maturity of your vulnerability management program. If you’re still heavily using IE and have older versions of Flash installed, EKs still pose a relevant threat.

We should also not make the mistake of interpreting a EK hiatus as the final gasp. The rumors of the death of EKs may have been exaggerated. EK developers can easily add new exploits as they become available. An EK is, by design, a delivery platform for exploits, weaponizing them to automate attacks. The amount of suitable and effective vulnerabilities for weaponization in EKs has currently shrunk. And browser security mechanisms have improved. But, it’s unclear if this will be permanent or if a new wave of discovered vulnerabilities will breathe new life into EKs as a critical threat.

The EK model is mature, tried and tested. And we’re already seeing them being repurposed for other tasks. While the names of the actors may change and the stage is smaller, the play itself has actually become more lucrative if we consider the rise in drive-by-mining.

For now, EKs represent a diminished risk compared to prior years. But, let’s not get complacent. The threat environment is dynamic and constantly evolving. We’ll be monitoring threat activity in case this changes again in the future.

Notes

1. These included Neutrino, Hunter, RIG, Disdain, Terror, Magnitude, Electroneum, XMRig, Astrum, Gh0st RAT, Nuclear Pack, Angler, Sundown and Kaixin
2. Recorded Future, Talos, ZScaler, Palo Alto, Symantec and various blogs

The Rubik's Cube makes a perfect gift for any occasion. Learn how to solve the cube on Ruwix.

Increasingly, operational technology (OT) environments are interconnecting with IT and adopting exploitable IT-based assets and protocols. This means OT systems are exposed to IT threats. Additionally, IT/OT convergence is expanding the cyberattack surface. Threat actors who have compromised IT networks may be able to access OT systems from the IT network. These converged environments contain a mix of IT and OT devices and systems, some of which can be easily disrupted with traditional IT active scanning techniques.

For most industrial environments, Tenable^® deploys and uses continuous, passive monitoring, which is non-disruptive to OT networks. However, there are situations with converged IT/OT networks where an active scan is preferred or necessary, and where it may be difficult to segment IT and OT scan targets.

To solve this dilemma, Tenable introduces ICS/SCADA Smart Scanning. This unique capability discovers and thoroughly assesses IT-based systems (e.g., supervisory, site operational control, ERP or scheduling) in the converged environment, while reducing the risk that active scanning will disrupt OT devices if they’re inadvertently encountered during a scan.

Measuring Cyber Exposure across the entire converged IT/OT environment

With the combination of ICS/SCADA Smart Scanning and passive network monitoring, Tenable safely measures Cyber Exposure across the entire converged IT/OT environment, providing complete visibility into your cyber risks.

OT devices like programmable logic controllers (PLCs) and remote terminal units (RTUs) that monitor the activity and state of machinery (e.g., pumps, valves and motors) and environmental factors (e.g., temperature, pH and vibration) need to be inventoried and assessed for vulnerabilities to measure and manage risk to OT processes. However, these OT devices may be too sensitive to withstand the active scanning approach commonly used in IT environments. Specifically, they may be sensitive for the following reasons:

• Limited CPU power: They can be overwhelmed by too many requests because they’re designed to do only one thing at a time and may be less powerful than tablets.
• Real-time communications: The protocols involved often expect an unbroken stream of readings from a device. If they’re delayed substantially, they may have issues re-establishing communications. A full vulnerability scan probes many areas of a device very quickly, which can overly burden the limited CPU power and delay communications.
• Design tradeoffs: OT devices are designed to be resilient to power disruptions, vibrations or particles in the air. Many OT devices, especially legacy devices, have not been designed to withstand a heavy flow of network communications.
• Custom operating system and software: OT devices generally do not run widely used and widely tested operating systems, such as Windows or Linux. They may include a small HTTP server, but it is limited in feature set. When a vulnerability scanner attempts to check for SSL issues, the embedded HTTP server can crash. Since the device is only designed to do one thing at a time, this usually means the entire device reboots – causing costly downtime and potentially unsafe working conditions.
• Set it and forget it: Unlike desktops, it may be months or years before someone looks at a physical OT device. It could be operating marginally, covered in dust and close to failure. The additional load of a full vulnerability scan can cause it to reach the overload point.

Because of the risk of degradation and/or disruption, the common practice within OT environments is to avoid using active scanning approaches with OT devices. Instead, passive monitoring is used, and because passive monitoring does not interact with the sensitive devices, the devices are not impacted by it.

IT/OT convergence is resulting in many IT-based systems being deployed in the OT environment. These IT-based systems may be Windows computers running human machine interface (HMI), SCADA monitoring and historian applications. Additionally, these systems are increasingly networked to supply chain management and scheduling applications that may include databases and virtual infrastructure, which may reside in the cloud.

Typically, these IT-based systems are discovered and assessed with active scanning because active scanning can deliver much deeper insight about installed software (and related vulnerabilities), user accounts, configurations and malware.

Potential problem

Ideally, sensitive OT would be logically separated from IT-based OT systems, such as Windows computers. However, in reality, such segmentation may not exist. The potential problem is that if an existing OT device’s IP address changes or a new OT device is added, and that device is not omitted from the active scan, the scan could cause an outage.

Solution: ICS/SCADA Smart Scanning

ICS/SCADA Smart Scanning is a new attribute that can be applied to many existing scan templates. Existing scan parameters (e.g., IP ranges to be scanned/not scanned, ports, schedules and other settings) do not need to be modified.

When the “Scan Operational Technology devices” box is checked, a full scan of OT devices is performed. When it is not checked, ICS/SCADA Smart Scanning takes effect.

ICS/SCADA Smart Scanning cautiously identifies OT devices and stops scanning them once they’re discovered. Here’s how it works:

1. Smart Scanning pings the IP address to determine if a device is using that address.
2. Smart Scanning runs probes against open known OT ports/protocols. Initially supported protocols are:
   • Siemens S7
   • Modbus
   • BACnet
   • Omron FINS
   • Ethernet CIP
   • 7T IGSS
   • ICCP COTP
     Note: ICS/SCADA Smart Scanning reduces the plugins run against devices by 90%. This eliminates the plugins that put the greatest load on the device, including HTTP and SSH testing.
3. When an OT port/protocol is identified, Nessus^® will report the ports that were identified to be open and the OT protocol found. Many of the protocols include INFO or QUERY commands to capture basic information about the device. If this is supported by the discovered protocol, the additional information, usually including the device type, will be recorded.
4. The scan stops for that device. The plugin 109142 results show the OT device when an OT protocol was identified and normal scans of OT devices were not enabled.
5. The user can use the devices listed by plugin 109142 to add the device to the “do not scan” list.

Caveat

Tenable cannot guarantee that ICS/SCADA Smart Scanning will not cause issues. Therefore, it should only be used after it has been tested with each device type in a laboratory environment and when it is known not to conflict with warranties and service agreements.

Okta’s Research and Exploitation team released details on June 12 about an issue with third-party code-signing validation using Apple’s APIs. The flaw, which dates back to 2005, makes it possible for attackers to make malicious code appear to be signed by Apple when, in fact, it is not. Multiple third-party applications are affected– particularly those which offer “whitelisting services” – because developers misinterpreted the code-signing API, leading to incomplete signature validation in their applications.

The flaw affects packages from third-party vendors, including Google (CVE-2018-10405), Facebook (CVE-2018-6336) and VirusTotal (CVE-2018-10408), among others. Affected packages are listed on Okta’s advisory page. However, this flaw likely affects many other vendors.

Tenable’s analysis

This flaw exists because of the difference in the way the system loader (Mach-O) validates signed code and the way it’s validated by third-party security applications using the code- signing API.

The flaw takes advantage of the checking of the Fat/Universal file format and its use of several Mach-O files that apply to specific native CPU architectures. According to Okta, for the vulnerability to work:

• “The first Mach-O in the Fat/Universal file must be signed by Apple, can be i386, x86_64, or even PPC.
• The malicious binary, or non-Apple supplied code, must be ad-hoc signed and i386 compiled for an x86_64 bit target macOS.
• The CPU_TYPE in the Fat header of the Apple binary must be set to an invalid type or a CPU Type that is not native to the host chipset.”

This results in a partial signature check “…but without checking the CA [certificate authority] root of trust.”

Tenable’s solution

Apple does not consider this an issue it would directly fix in the APIs. Instead, Apple has placed the onus on third-party developers who use the code-signing APIs.

Tenable Research has developed the following plugin for the issue and we continue to monitor the situation for our customers:

Additional information

• Okta advisory
• Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface
• Get a free 60-day trial of Tenable.io Vulnerability Management

Every month, we ask our researchers to nominate a vulnerability of the month. Novelty, sophistication or just plain weirdness are some of the potential criteria for selecting a vulnerability to highlight. After the nominations are collected, the candidates are shortlisted and voted on by our 70-plus-member research organization, combining the total experience and knowledge of Tenable Research to identify the vulnerability of the month.

Background

Electron is an open-source framework for developing desktop applications. According to Electron’s website, it’s currently used in 581 apps. On May 14, a vulnerability (CVE-2018-1000136) was publicly disclosed that could potentially result in remote code execution (RCE). This isn’t the same vulnerability as CVE-2018-1000006, a different critical RCE vulnerability disclosed in January with a faulty patch that received media attention at the time.

What makes this the vulnerability of the month?

This is a good example of the competition for attention in vulnerability disclosure. CVE-2018-1000136 was disclosed the week before eFail, the email encryption vulnerability that temporarily sent the security world into a tizzy. The Efail kerfuffle played out for a few days before cooler heads prevailed and remembered that a name and a flashy logo do not an apocalypse make.

This Electron vulnerability, while serious, may have also been overhyped. Electron states that only a minority of applications have the (very) specific configuration which would make them vulnerable. However, Electron is used by big names like Discord, Slack, Signal, Skype and WordPress, making it attractive headline fodder. Neither Electron nor the researcher who discovered the vulnerability confirmed its presence in any specific applications. But, without concern for any evidence, the coverage focused on Electron’s use in popular applications. In fact, Slack took to Twitter to confirm that it wasn’t vulnerable.

Cross-site scripting vulnerabilities aren’t routinely prioritized

What’s noteworthy about this vulnerability is that it relies on cross-site scripting (XSS), one of the most popular types of web application security vulnerabilities. By exploiting low-hanging fruit like XSS, attackers can modify HTML and JavaScript code served by a webpage to execute arbitrary code on a client, gaining access to escalate privileges and execute lateral transfer. Organizations may not always prioritize XSS vulnerabilities as highly as others, but it’s important to understand how several lower severity vulnerabilities can be combined to create a greater risk to an organization.

Vulnerability details

Discovered by Brendan Scarvell of Trustwave’s SpiderLabs, this vulnerability is present in Electron versions 1.7.x, 1.8.x and 2.0.0-beta and could result in RCE. By default, Electron applications allow access to Node.js, a client-side JavaScript runtime environment. If an electron application contains an XSS attack, whereby the application fails to properly sanitize user input, an attacker can re-enable the nodeIntegration setting via the WebView embedding function and the window.open command. If exploited, the attacker can execute arbitrary code.

By default, nodeIntegration is set to false, but this vulnerability allows it to be enabled, giving attackers access to Node.js built-in modules and potential RCE. However, this isn’t a trivial vulnerability to exploit. Several conditions have to be met for exploitation.

According to Electron, an application is affected if all of the following are true:

• Runs on Electron 1.7, 1.8, or a 2.0.0-beta
• Allows execution of arbitrary remote code
• Disables Node.js integration
• Does not explicitly declare webviewTag: false in its webPreferences
• Does not enable the nativeWindowOption option
• Does not intercept new-window events and manually override event.newGuest without using the supplied options tag

Despite this, Electron recommend updating all applications to the latest version.

Additional resources

• Blog post from Electron
• Complete list of Electron-based programs
• SpiderLabs report
• Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface
• Get a free 60-day trial of Tenable.io Vulnerability Management

Award-winning Tenable® Industrial Security adds approximately 350 new operational technology (OT) asset detections and delivers interactive 2D topology mapping and 3D visualization.

Tenable Industrial Security provides safe, reliable asset discovery and vulnerability detection purpose-built for industrial control systems (ICSs) and supervisory control and data acquisition (SCADA) systems. Based on Nessus Network Monitor, Tenable Industrial Security uses passive network monitoring designed for critical systems that require a non-intrusive approach to vulnerability detection. The OT-native solution helps identify and prioritize OT risks, so you can keep safety-critical production assets secure and fully functional.

To build on our strategic partnership with Siemens and expand visibility into industrial environments, we’re adding approximately 350 new ICS/OT asset detections. Nessus Network Monitor 5.5 achieved general availability on May 15 and adds approximately 150 new detections focused primarily on Siemens’ programmable logic controllers (PLCs) and human-machine interface (HMI) applications, including:

• 8 families of Siemens PLCs
• 3 families of Siemens HMIs
• 9 families of Siemens industrial drives
• 7 families of communications modules

Nessus Network Monitor 5.5.1, scheduled to GA later this month, will add approximately 200 new OT asset detections, including:

• 8 families of Schneider PLCs
• 2 families of Schneider HMIs
• 2 Schneider applications
• 2 families of Rockwell/Allen-Bradley PLCs
• 20+ new Modbus communications, drives, energy meters and other devices

The new asset detection capabilities are premium Nessus Network Monitor content, available when Nessus Network Monitor is used as a sensor for Industrial Security.

Interactive 2D topology mapping and 3D visualization – understand your OT environment in seconds

In addition to increased device support, Industrial Security 1.1, which also achieved general availability on May 15, has a significantly improved user interface with the addition of interactive 2D topology mapping and 3D visualization. With interactive topology mapping, you can understand your OT environment at a glance. Devices are clustered based on IP addresses, and vulnerabilities are color-coded to provide a cyber risk heat map.

Vulnerability insight is critical in OT environments

Understanding vulnerabilities in OT environments is a critical part of measuring and managing cyber risk. Patches are infrequently applied to ICS devices in the OT environment due to extremely high-availability requirements. Nonetheless, vulnerability insight is required to inform other mitigation strategies, such as stronger access controls, more restrictive firewall rules and data diodes (hardware that enforces one-way data flow). Visualizing and interacting with the plethora of information easily is necessary to gain the insights required to manage risk – which the new user interface delivers.

Use case: Determining where the business is most exposed

Consider this use case: You need to identify sections of your network where there may be increased risk. You use the vulnerability severity lens to see where your network has a large number of highly vulnerable assets communicating with one another. The following screen shots walk through that use case.

The screenshot below shows 225 monitored assets, clustered by connections. The color-coding shows vulnerabilities in a heat map:

• Red dots indicate critical vulnerabilities
• Orange dots indicate high vulnerabilities
• Yellow dots indicate medium vulnerabilities
• Green dots indicate information-level vulnerabilities

The screenshot below zooms in on the the most vulnerabilities. The icons represent the system type, the color-coding corresponds to the highest vulnerability severity level found on the device and the number represents the number of the most critical vulnerabilities.

The 3D topology view shown below helps you understand connections across the Purdue Model.

The latest Nessus Network Monitor and Industrial Security releases give you greater insight into your OT environment, so you can better measure and manage cyber risk. To see Industrial Security in action, watch the on-demand webinar, Understand and Reduce Cyber Risk in Converged IT/OT Environments.

Cisco released a high-severity patch update for CVE-2018-0296 on June 22 which affects the Adaptive Security Appliance (ASA). There’s no time to waste in deploying this patch, as the company’s advisory notes it is currently being exploited in the wild.

The ASA patch, which addresses the lack of proper input validation of the HTTP URL, is the latest in a long list of updates from Cisco this month. A slew of patches were issued June 6, followed by a whopping 34 patches on June 20, including five critical and 19 high-severity patches for its Firepower firewalls (FXOS) and Nexus switches (NX-OS). Another 10 medium-severity fixes also were issued this month for a variety of other Cisco systems.

The five critical vulnerabilities all scored a 9.8 CVSS v3 rating. Four of these addressed flaws with packet header processing. The fifth, CVE-2018-0301, affects  Cisco’s NX-OS Software NX-API.

Analysis

ASA (CVE-2018-0296)

This issue could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. Cisco states certain ASA software may not trigger a device reload, however an attacker could view sensitive system information without authentication by using directory traversal techniques. As of June 22, 2018, this issue has been seen being exploited in the wild and a Python directory traversal exploit was available on GitHub.

NX-OS / FXOS / NX-API (CVE-2018-0304, CVE-2018-0308, CVE-2018-0312, CVE-2018-0314, CVE-2018-0301)

According to Cisco, the first four critical CVEs all address a similar issue in Cisco Fabric Services. An unauthenticated, remote attacker could send a maliciously crafted Cisco Fabric Services packet to read protected memory, trigger a denial of service, or execute arbitrary code, leading to full system compromise.

As for the the fifth CVE, Cisco states: “The vulnerability is due to incorrect input validation in the authentication module of the NX-API subsystem. An attacker could exploit this vulnerability by sending a crafted HTTP or HTTPS packet to the management interface of an affected system with the NX-API feature enabled. An exploit could allow the attacker to execute arbitrary code as root.” According to the advisory, an attacker would require access to of one of the following enabled virtual port distribution channels (vPCs): CFSoFC, CFSoE, or CFSoIP. (Note: Only CFSoFC is enabled by default.)

Solution

Cisco has released patches for all listed CVE’s for the products affected at this time and advises customers to update immediately. Tenable is continuously monitoring to provide the necessary plugins to assist our clients.

Tenable® has released the following plugins to help our customers determine their Cyber Exposure gap.

Additional Information

• Cisco Advisory
• Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface
• Get a free 60-day trial of Tenable.io Vulnerability Management

Tenable Research has a dedicated team that performs vulnerability research on software and hardware from third-party vendors. The goal is to discover zero-day vulnerabilities and work with vendors to get them addressed before hackers discover and exploit them. This post provides an overview of all the vulnerabilities discovered by Tenable Research in May.

You can access all Tenable Research advisories here.

<p>DevOps has become a competitive advantage for many organizations. However, many of these processes are not secure and raise serious challenges for cybersecurity professionals. Here’s how Tenable can help.</p>

<p>DevOps gives business leaders a lot to be excited about. After all, this new approach to software development drastically improves time to market for new services, making it possible to outpace competitors. Organizations have realized other important benefits as well, such as reducing the time spent maintaining existing apps and improving the quality and performance of deployed apps.</p>

<p>It’s no surprise, then, that DevOps has <a href="https://go.forrester.com/blogs/2018-the-year-of-enterprise-devops/">finally reached mainstream status</a>, with one research report indicating that <a href="https://www.ca.com/us/modern-software-factory/content/how-agile-and-devo... of organizations</a> have implemented or plan to implement DevOps. DevOps is an important differentiator as <a href="https://hbr.org/2016/04/you-dont-have-to-be-a-software-company-to-think-... companies eventually become software companies</a>. </p>

<p>On the flip slide, DevOps gives security leaders a lot to be worried about. According to the latest <i><a href="https://puppet.com/resources/whitepaper/state-of-devops-report">State of DevOps Report from Puppet and DORA</a></i>, high IT performers with mature DevOps processes deploy code 46 times more frequently than low IT performers. In raw numbers, that’s more than 1,400 deployments per year for the high IT performers, compared to only 30 for the low performers. </p>

<p>Unfortunately, security teams are largely disconnected from this continuous software delivery process, relying instead on downstream gates designed for the era of waterfall development. <a href="https://sdtimes.com/agile/hpe-security-fortify-report-finds-application-... 20% of organizations</a> incorporate any security testing during development, with another 17% stating they are not using any technologies at all to protect their applications. </p>

<p>To make matters even more difficult, security teams are often <a href="https://dzone.com/articles/10-tips-for-integrating-security-into-devops"... by developers</a> in the organization by 100:1. How can security teams possibly keep up with DevOps velocity while being constrained by limited resources? </p>

<p>Hackers are already taking advantage of poor DevOps cyber hygiene with cryptomining malware attacks using <a href="https://www.fortinet.com/blog/threat-research/yet-another-crypto-mining-... Hub backdoors</a>, <a href="https://www.bleepingcomputer.com/news/security/tesla-internal-servers-in... open Kubernetes accounts</a>, and <a href="https://www.theregister.co.uk/2018/05/07/drupal_bug_exploits/">unpatched Drupal web applications</a>. While attacks today are harnessing vast amounts of computational power to generate cryptocurrency revenue, it doesn’t take much imagination to envision future attacks targeting sensitive enterprise or customer data. </p>

<p>Security professionals need to rethink traditional vulnerability management and embrace new security methodologies to secure DevOps processes. We at Tenable believe a new security discipline, called <a href="https://www.tenable.com/cyber-exposure/critical-risk-metric">Cyber Exposure</a>, is required to cover the breadth of the modern attack surface (e.g., cloud services, mobile devices, IoT/OT assets) and provide a new depth of insight into vulnerability data for more accurate visibility and decision-making. Cyber Exposure will help security leaders incorporate new secure DevOps principles to better manage and measure cyber risk by providing:</p>

<ul><li><b>Continuous discovery and scanning</b>. Monthly or quarterly scans do not cut it in the DevOps world. Continuous software delivery means the environment is constantly changing, requiring continuous discovery and assessment of cyber risk. This should occur across the software development lifecycle—from development through operations—to provide full visibility. </li>
<li><b>Security integration into DevOps processes</b>. Security tests and controls need to be an integral part of the software development lifecycle and embedded into the development pipeline. Vulnerabilities, malware, and misconfigurations should be treated as any other type of software defect that diminishes code quality and should be remediated as early as possible in the development lifecycle.</li>
<li><b>Automation of security workflows</b>. To support the scale and speed of DevOps, security controls must be exposed programmatically with APIs into DevOps systems to take advantage of automation throughout the software development lifecycle. For example, instead of security teams manually assessing images during predefined security gates, security testing can be triggered automatically to assess all new builds as they are created.</li></ul></p>

<p>Tenable offers a variety of solutions to help you on your secure DevOps journey. <a href="https://www.tenable.com/solutions/cloud-security">Cloud connectors in Tenable.io</a> continuously track asset changes to ensure all cloud workloads are known and assessed for vulnerabilities. <a href="https://www.tenable.com/products/tenable-io/container-security">Tenable.io Container Security</a> plugs into continuous integration and continuous delivery (CI/CD) systems to remediate vulnerabilities and malware during development. <a href="https://www.tenable.com/blog/intro-to-the-tenable-io-api">Well-documented APIs in Tenable.io</a> allow you to automate security scans and integrate controls in your workflows. And earlier this month, <a href="https://www.tenable.com/press-releases/key-enhancements-to-tenable-cloud... announced</a> several new Tenable.io platform enhancements to support heterogeneous cloud platforms and enable security to be built into the entire software development lifecycle from build to production. </p>

<p>In fact, here’s how one Tenable customer is taking advantage of many of these secure DevOps capabilities today:</p>

<blockquote>“The Tenable.io AWS connector is the key to automating our DevSecOps pipeline. It allows us to gain real-time visibility into our cloud environment to track assets as they are spun up and down so that our other tools can be integrated into the pipeline in an automated fashion.” -- Mick Kohler, Senior Manager, Cyber Security, Enterprise Security, Sysco</blockquote></i>

<p>Want to learn more about securing DevOps? The following resources will help you on your journey:</p>
<ul>
<li>Watch our on-demand webinar, <a href="https://www.tenable.com/webinars/panel-discussion-securing-devops-advice... DevOps, Advice from the Frontlines</a>, featuring three industry experts who have crossed the security-DevOps divide.</li>
<li>Visit our <a href="https://www.tenable.com/solutions/application-security">Application Security & DevOps solutions page</a>.</li>
<li>Read our article, <i><a href="https://www.tenable.com/whitepapers/information-security-in-the-devops-a... Security in the DevOps Age: Aligning Conflicting Imperatives</a></i>.</li>
<li>Try <a href="https://www.tenable.com/try-io">Tenable.io for free</a> for 60 days.</li></ul>