Channel: Tenable Blog

Public Exploit Scripts for Vulnerable Cisco Small Business RV320 and RV325 Devices Now Available


The availability of public exploit scripts for two vulnerabilities in Cisco Small Business WAN VPN routers, coupled with incoming scans for vulnerable devices, indicates that attackers are preparing to launch attacks.

Background

On January 23, Cisco published a list of security advisories including advisories for two vulnerabilities in Cisco Small Business RV320 and RV325 dual gigabit WAN VPN routers. Both vulnerabilities exist within the routers’ web-based management interface. The first is CVE-2019-1652, a command injection vulnerability that exists in firmware versions 1.4.2.15 through 1.4.2.19. The second is CVE-2019-1653, an information disclosure vulnerability that exists in firmware versions 1.4.2.15 and 1.4.2.17.

Analysis

In order to exploit CVE-2019-1652, a remote attacker would need to be authenticated and have administrative privileges. However, CVE-2019-1653 requires no authentication, so a remote attacker can easily retrieve sensitive information including the router’s configuration file, which includes MD5 hashed credentials as well as diagnostic information.

Proof of concept

On January 24, a security researcher published a repository of exploit scripts on GitHub to target these vulnerabilities. One of the scripts exploits CVE-2019-1653 to retrieve the configuration file from the router as well as the diagnostic information. The configuration file includes the router's credentials, hashed with MD5 as md5($password.$auth_key), where auth_key is a static value that can be readily obtained by requesting 'GET /' and parsing the output. Since the only unknown input is the password itself and MD5 is fast, these hashes are trivial to attack with a wordlist. The other script exploits CVE-2019-1652 using default credentials or credentials recovered from the hashes.
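As an added example (this is not code from the post or from the published repository), the following shows how the hashing scheme described above can be reproduced and checked, and why it offers so little protection once an attacker has read the auth_key: the only secret input is the password. The auth_key, password and leaked-config text are constructed; the real configuration file layout is not reproduced here, so find_md5_hashes() simply pulls any 32-hex-digit token out of a text.

```python
import hashlib
import re
from typing import Iterable, List, Optional

# Constructed sample values. On a real device auth_key is the static value
# parsed from the "GET /" response and the hash comes from the leaked config.
SAMPLE_AUTH_KEY = "1234567890abcdef"
SAMPLE_PASSWORD = "cisco"

HEX32 = re.compile(r"\b[0-9a-fA-F]{32}\b")


def rv_hash(password: str, auth_key: str) -> str:
    """md5($password . $auth_key), the scheme the post describes for RV320/RV325.

    MD5 is fast and the "salt" (auth_key) is public, so to anyone who has
    fetched GET / once this is no stronger than an unsalted MD5.
    """
    return hashlib.md5((password + auth_key).encode("utf-8")).hexdigest()


def find_md5_hashes(text: str) -> List[str]:
    """Pull 32-hex-digit tokens out of arbitrary text.

    Generic on purpose: the real config file layout is not reproduced here.
    """
    return [m.group(0).lower() for m in HEX32.finditer(text)]


def recover_password(stored_hash: str, auth_key: str,
                     candidates: Iterable[str]) -> Optional[str]:
    """Dictionary check: return the first candidate whose hash matches, else None.

    This is the check a defender would run against their own exported config
    to see whether the admin password survives a small wordlist.
    """
    target = stored_hash.lower()
    for pw in candidates:
        if rv_hash(pw, auth_key) == target:
            return pw
    return None


if __name__ == "__main__":
    # Constructed stand-in for a leaked config with one hashed credential in it.
    leaked = "admin_password=%s\n" % rv_hash(SAMPLE_PASSWORD, SAMPLE_AUTH_KEY)
    for h in find_md5_hashes(leaked):
        print(h, "->", recover_password(h, SAMPLE_AUTH_KEY, ["admin", "password", "cisco"]))
```

Run it as-is to see the constructed hash fall to a three-word list; substitute the auth_key from your own device and the hash from your own exported config to assess a real password.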

Troy Mursch, who operates the Twitter handle @bad_packets, has observed incoming scans probing for vulnerable versions of the Cisco RV320/RV325 routers, which indicates that attacks are beginning to ramp up. Cursory Shodan searches indicate that over 20,000 devices matching the affected router models may be publicly exposed.

Solution

Cisco has released software updates to address both of these vulnerabilities. CVE-2019-1652 is addressed in Cisco RV320 and RV325 firmware versions 1.4.2.20 and later while CVE-2019-1653 is addressed in RV320 and RV325 firmware versions 1.4.2.19 and later. These software updates can be retrieved from the Cisco Software Center.

Identifying affected systems

A list of Nessus plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.


Compliance Beyond IRS 1075 and CJIS Audits


In today's edition of Tenable's State and Local Government Video Blog Series, we discuss how IRS 1075 (FTI) and CJIS Security compliance can help organizations reduce cost, create resource efficiencies and improve their ability to close the cyber exposure gap.

Most state and local governments and organizations face a constantly changing compliance landscape, and often must adhere to multiple regulatory compliance standards, each with their own set of requirements for handling sensitive information.

Two important requirements that state and local jurisdictions must pay attention to are:

  • IRS Publication 1075 – Tax Information Security Guidelines for Federal, State, and Local Agencies, 2016 edition (FTI)
  • Criminal Justice Information Services (CJIS) Security Policy version 5.7

In today’s video blog, Steve Smith, Business Development Executive for Tenable discusses these compliance regulations with Kent Dyer, Tenable SLG Sales Engineer. The two share their guidance on how Tenable can help organizations fulfill requirements for meeting and demonstrating compliance, while also saving time when facing required audits. More importantly, the same solution can provide a platform for assessing and managing cyber risk and closing the cyber exposure gap.

Watch here:

Deploying Tenable.sc across the environment can provide cost savings, resource efficiencies and better visibility into risk and cyber exposure across the enterprise – both meeting and exceeding compliance requirements.

Learn more

Download the whitepaper to learn more about how Tenable can help state and local government agencies meet many of the technical requirements of these standards.

LibreOffice Vulnerable to Code Execution in URL Mouseover Preview Feature


Researcher Alex Inführ discovered that LibreOffice 6.1.0-6.1.3.1 is susceptible to a code injection attack if a user hovers their mouse over a malicious URL.

Background

Researcher Alex Inführ disclosed a LibreOffice vulnerability (CVE-2018-16858) in versions 6.1.0-6.1.3.1 which shows that code injection is possible on both Linux and Windows versions when a user hovers their mouse over a malicious URL.

Update: Tenable Research was able to confirm that this vulnerability is also exploitable on macOS by editing the Proof of Concept (PoC) code.

Analysis

While this vulnerability does require user interaction, an OpenDocument Text (ODT) file containing a malicious URL is not likely to be flagged by most corporate security defenses. There isn’t any malicious code or otherwise altered elements to the document. It wouldn’t be seen as malware, and the text can be changed to the same color as the document background to make it invisible to the average user.

Furthermore, when the vulnerability is exploited, it doesn't generate a warning dialog of any kind. As soon as the user hovers over the malicious URL, the code is executed immediately. The current Still (Stable) Branch of LibreOffice (6.0.7) is not susceptible to this vulnerability.
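Because such a document carries no macro and no payload that a signature would catch, the useful thing to look for is the hook itself. The following is an added example (my code, not the researcher's PoC and not part of LibreOffice) that opens an ODT, which is a ZIP archive with a content.xml inside, and lists every hyperlink that carries an ODF script event listener, the document-level mechanism ODF defines for binding an action such as a mouseover to a link. The assumption is that the hover trigger is expressed as such an event listener; the sample document built in memory is constructed, and its script URI is a generic document-macro placeholder, not the PoC payload.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

# Standard ODF 1.2 namespaces used in content.xml.
NS = {
    "office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
    "text": "urn:oasis:names:tc:opendocument:xmlns:text:1.0",
    "script": "urn:oasis:names:tc:opendocument:xmlns:script:1.0",
    "xlink": "http://www.w3.org/1999/xlink",
}


def find_link_event_scripts(odt_bytes: bytes) -> List[Dict[str, str]]:
    """Return one record per <text:a> hyperlink that has a script:event-listener.

    Each record holds the visible link target, the event name (e.g. dom:mouseover)
    and the script URI the event would run. A link in an ordinary document has
    no reason to carry one; a mouseover bound to a script URI is the shape the
    post describes.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as z:
        root = ET.fromstring(z.read("content.xml"))
    for a in root.iter("{%s}a" % NS["text"]):
        for listener in a.iter("{%s}event-listener" % NS["script"]):
            hits.append({
                "link": a.get("{%s}href" % NS["xlink"], ""),
                "event": listener.get("{%s}event-name" % NS["script"], ""),
                "target": listener.get("{%s}href" % NS["xlink"], ""),
            })
    return hits


def build_sample_odt(with_listener: bool) -> bytes:
    """Constructed minimal ODT: a mimetype entry plus a content.xml with one link.

    The script URI below is a generic placeholder (a document macro), not the PoC.
    """
    listener = ""
    if with_listener:
        listener = (
            '<office:event-listeners>'
            '<script:event-listener script:event-name="dom:mouseover" '
            'script:language="ooo:script" xlink:type="simple" '
            'xlink:href="vnd.sun.star.script:Standard.Module1.Main'
            '?language=Basic&amp;location=document"/>'
            '</office:event-listeners>'
        )
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<office:document-content xmlns:office="%(office)s" xmlns:text="%(text)s" '
        'xmlns:script="%(script)s" xmlns:xlink="%(xlink)s">'
        '<office:body><office:text><text:p>'
        '<text:a xlink:type="simple" xlink:href="https://example.com/">%(listener)s'
        'click me</text:a></text:p></office:text></office:body>'
        '</office:document-content>'
    ) % dict(NS, listener=listener)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                   compress_type=zipfile.ZIP_STORED)
        z.writestr("content.xml", content, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_link_event_scripts(build_sample_odt(True)):
        print("%(event)s on link %(link)s runs %(target)s" % hit)
```

To use it on real files, read the .odt into bytes and pass it to find_link_event_scripts(); the same approach applies to the other ODF containers (.ods, .odp), which also keep their body in content.xml.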

Below is the researcher’s Proof of Concept video demonstrating an invisible URL opening a command prompt on the vulnerable version:

Solution

LibreOffice addressed this vulnerability in release 6.1.3.2, and upgrading to that version or later should mitigate the vulnerability.

Identifying affected systems

A list of Nessus plugins to identify this vulnerability can be found here as they're released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io Vulnerability Management.

Remote Code Execution in InduSoft Web Studio


Enterprises running InduSoft Web Studio should update their software and ensure these critical systems are not exposed to the internet.

Tenable Research has discovered an unauthenticated remote code execution (RCE) vulnerability in InduSoft Web Studio 8.1.2.0. ICS-CERT has assigned CVE-2019-6545 and CVE-2019-6543 for this vulnerability.

Background

InduSoft Web Studio is an automation tool for human-machine interface (HMI) and supervisory control and data acquisition (SCADA) systems. According to its website, Web Studio is used in manufacturing, oil and gas, municipal water and correctional facilities and even by a drag racer.

By exploiting this vulnerability, an attacker can run commands on the targeted system by directing it to fetch a malicious database configuration file (DB.xdc) from an attacker-controlled server.

Analysis

The vulnerability is a result of Web Studio's built-in language being made available to unauthenticated remote attackers. The built-in language allows users to execute operating system level commands. An attacker can execute the built-in language by sending a properly crafted DBProcessCall message (command 66). Using DBProcessCall, the attacker can direct Web Studio to load a database configuration file from a remote server. The configuration file can contain malicious built-in language commands, which Web Studio will then execute.

Command 66 only requires permission 0 to run, meaning it doesn’t require authentication and/or authorization. The attack would work even if Security is enabled, a Main password is set and the Guest account is deleted.

Proof of concept

Proof of concept (PoC) code has been uploaded to the Tenable Research GitHub and you can see a video PoC here.

Solution

Aveva has issued a security bulletin for this vulnerability, along with a software update. Enterprises running InduSoft Web Studio should update their software to InduSoft Web Studio v8.1 SP3 and ensure these critical systems are not exposed to the internet.

Additional information

Visit the Tenable Tech Blog on Medium to read researcher Jacob Baines’s in-depth story about this vulnerability.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

ThinkPHP Remote Code Execution Vulnerability Used To Deploy Variety of Malware (CVE-2018-20062)


A remote code execution bug in the Chinese open source framework ThinkPHP is being actively used by threat actors to implant a variety of malware, primarily targeting Internet of Things (IoT) devices.

Background

Over the last few months, attackers have been leveraging CVE-2018-20062, a remote code execution (RCE) vulnerability in Chinese open source PHP framework ThinkPHP, to implant a variety of malware. While the vulnerability was patched on December 9, 2018, a proof of concept (PoC) was published to ExploitDB on December 11.

Analysis

Shortly after the publication of the PoC, researchers observed an uptick in attackers scanning for vulnerable versions of ThinkPHP. On December 20, Trend Micro published a blog about a new IoT botnet called Miori that spreads using CVE-2018-20062. According to Trend Micro researchers, additional IoT malware known as IZ1H9 and APEP began to utilize the same vulnerability as an infection vector.

In January 2019, the Akamai security team not only observed this vulnerability being used in attacks to implant IoT malware, but also discovered it being used to spread cryptocurrency miners and Windows malware. Trend Micro posted another blog on January 25, detailing the usage of this vulnerability by IoT malware known as Hakai and Yowai.

On February 4, researchers at Check Point named ThinkPHP as the initial infection vector in attacks targeting systems to implant a backdoor trojan known as SpeakUp.

Despite being patched in December 2018, CVE-2018-20062 has become a popular vulnerability for attackers looking to implant IoT malware onto systems. The vulnerability has also been observed in the propagation of other types of malware like cryptocurrency miners and trojans. We expect this to remain a popular exploit with attackers as long as systems remain unpatched.
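For teams that want to know whether this traffic has already reached them, here is an added example (my code, not Tenable's and not from any of the vendor reports cited above) that runs a detection over web server access logs in the common/combined format. The post does not reproduce the request, so the signature is an assumption taken from the public exploit pattern: the 's' route parameter is abused to reach a \think\ namespace path ending in invokefunction, and a 'function=' parameter names the PHP callable to invoke. The log lines are constructed.

```python
import re
from typing import Dict, Iterable, List
from urllib.parse import unquote

# Common/combined log format: client, then the quoted request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Assumption relative to the post: the public CVE-2018-20062 request pattern.
# Each check is applied to the percent-decoded request target.
CHECKS = [
    ("route escapes into the \\think\\ namespace",
     re.compile(r"[?&]s=[^&]*\\think\\", re.I)),
    ("route names invokefunction",
     re.compile(r"[?&]s=[^&]*invokefunction", re.I)),
    ("function= names a PHP callable",
     re.compile(r"[?&]function=(call_user_func_array|system|exec|shell_exec|passthru|assert)\b", re.I)),
]


def decode_target(target: str) -> str:
    """Percent-decode twice so both %5C and the double-encoded %255C become a backslash."""
    return unquote(unquote(target))


def detect_thinkphp_rce(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one record per log line that matches at least one check."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        target = decode_target(m.group("target"))
        reasons = [name for name, rx in CHECKS if rx.search(target)]
        if reasons:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "target": target,
                "reasons": reasons,
            })
    return hits


# Constructed sample log: one exploit attempt followed by two ordinary ThinkPHP requests.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2019:03:14:07 +0000] "GET /index.php?s=index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1]=whoami HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2019:03:14:09 +0000] "GET /index.php?s=index/index/index HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Feb/2019:03:15:00 +0000] "POST /index.php?s=user/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in detect_thinkphp_rce(SAMPLE_LOG.splitlines()):
        print("%(ts)s %(ip)s %(method)s %(target)s" % hit)
        for reason in hit["reasons"]:
            print("   -", reason)
```

A match on the route checks alone is worth triage even when the response code is 404 or 500: the scanners described in the post fire the same request at every host, so the interesting question is which of your hosts answered 200.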

Solution

This vulnerability was patched in ThinkPHP versions 5.0.23 and 5.1.31. Users are strongly encouraged to upgrade to a newer version of the framework.

Identifying affected systems

A list of Nessus plugins to identify these vulnerabilities can be found here.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io Vulnerability Management.

Overcoming Your Vulnerability Overload with Predictive Prioritization


Tenable introduces Predictive Prioritization, a groundbreaking, data science-based process that re-prioritizes each vulnerability based on the likelihood it will be leveraged in an attack.

Are you feeling overloaded by the number of vulnerabilities facing your organization daily? You’re not alone.

There were 16,500 new vulnerabilities in 2018. The ‘good’ news is that only 7% of these vulnerabilities had a public exploit available and an even smaller subset is ever weaponized by threat actors. The Tenable data science team estimates only 3% of vulnerabilities will be exploited. The ‘bad’ news is that it hasn’t been easy to figure out which of the 3% you need to worry about. Until now.

Today, Tenable introduces Predictive Prioritization, a groundbreaking new process that uses advanced data science techniques to solve the vulnerability overload problem. It’s included as a core functionality within Tenable.sc and will be included in Tenable.io later this year, so you don’t need to buy an add-on prioritization platform. And it’s way more than just a list of vulnerabilities with known active exploits. Predictive Prioritization re-prioritizes each vulnerability based on the likelihood it will be leveraged in an attack. Over 150 data sources, including Tenable vulnerability data and third-party vulnerability and threat intelligence, are utilized by a proprietary machine learning algorithm to identify the vulnerabilities with the highest likelihood of exploitation.

Predictive Prioritization is used to calculate a Vulnerability Priority Rating, which automatically indicates the remediation priority for each vulnerability. For example, a vulnerability currently being exploited on a widely deployed service would have a significantly higher rating than a vulnerability for which no working exploit has been observed. The Vulnerability Priority Rating is a dynamic value and changes with the threat landscape. Updated daily, it allows you to take advantage of the latest threat intelligence as you prioritize your remediation efforts.

What about CVSS?

Predictive Prioritization augments existing Common Vulnerability Scoring System (CVSS) scores. CVSS has the following significant limitations:

  1. It lacks the granularity needed to provide an accurate measure of criticality. For example, to derive a score CVSS only looks at if the vulnerability could be exploited - not if it actually is being exploited.
  2. CVSS is a relatively static number and does not change in response to changes in the threat landscape as vulnerabilities are weaponized.
  3. The majority of vulnerabilities are scored through CVSS as ‘high’ or ‘critical.’ Common sense dictates that if everything is important then nothing is, creating an overload of vulnerabilities to remediate.

Predictive Prioritization is the tool you need to focus on what matters. To learn more, attend our webinar, Eliminate Vulnerability Overload with Predictive Prioritization and visit https://www.tenable.com/predictive-prioritization.

See More, Do More and Reduce Risk with Tenable.sc 5.9


Tenable.sc 5.9 gives customers increased visibility into their attack surface with a first-of-its-kind innovation, Predictive Prioritization, which combines threat intelligence and machine learning to help customers understand the likelihood a vulnerability will be exploited in their unique environment.

Last year we promised increased innovation and accelerated development to Tenable.sc (formerly SecurityCenter). Our goal is to provide our customers, and the market at large, with a consolidated view of their entire security environment to help them see more, do more and reduce their cyber risk. Tenable.sc 5.9 makes good on that promise.

Available now, Tenable.sc 5.9 brings customers increased visibility into their attack surface, and an exciting new innovation to help customers make informed decisions to speed up incident response and vulnerability remediation.

Want to learn more? Read on.

Predictive Prioritization now in Tenable.sc

Prioritizing vulnerabilities has been a longstanding problem. With the ever increasing number of vulnerabilities to sift through, where do you start?

With Tenable.sc 5.9, customers now get a groundbreaking new innovation, Predictive Prioritization. Announced earlier this year, predictive prioritization combines threat intelligence and machine learning to deliver the Vulnerability Priority Rating for each vulnerability. The Vulnerability Priority Rating represents the likelihood a given vulnerability will be exploited in the next 28 days, along with its severity.

Using the Vulnerability Priority Rating, customers can understand the actual impact of vulnerabilities in their unique environments so they can prioritize remediation efforts on the vulnerabilities with the greatest impact. This rating is calculated nightly for every vulnerability Tenable tracks, factoring in current threat intelligence information to enable customers to focus on remediating the vulnerabilities with the highest likelihood of being leveraged in a cyber attack.

Tenable Vulnerability Priority Rating

Increased support for SSO solutions

Tenable.sc 5.9 additionally adds support for Security Assertion Markup Language (SAML). This gives customers multiple SSO/authentication options such as Shibboleth and Okta to streamline their security with one-click login, centralized authentication and increased security and convenience. We’re excited to bring these innovations and integrations to market and continue building a Vulnerability Management platform that meets our customers’ evolving needs and helps them see more, do more and reduce their cyber risk.

To learn more about Predictive Prioritization, read the blog Overcoming Vulnerability Overload with Predictive Prioritization and attend the webinar on February 14. To download Tenable.sc 5.9 visit the downloads page or review the release notes.

CVE-2019-5736 Exploits the Common runc Container Binary to Escape to Host


CVE-2019-5736 allows for an escape to host attack in specific container configurations.

Background

A new vulnerability (CVE-2019-5736) was recently announced in runc, the runtime used by popular container platforms Docker and Kubernetes. The disclosure for this vulnerability details how a malicious container can escape its sandbox and execute arbitrary commands on the host. This attack does, however, come with some caveats, and isn’t exploitable in certain configurations that follow good security practices.

Analysis

In order to exploit this vulnerability, a malicious or compromised container would need to be deployed, and uid 0 inside that container would need to be uid 0 on the host, i.e., no user namespace remapping in place. Docker has documentation for user namespace configuration which, properly applied, prevents this attack from being exploitable on vulnerable hosts. The malicious container then either runs commands as root or piggybacks on an administrator running any other unrelated command as root (for example a docker exec into the container) to exploit the host.

Many organizations use third-party prepackaged containers to solve business needs. An attacker could compromise one of these prepackaged containers with malicious code, or they could craft a malicious container that advertises itself as fulfilling some other needed enterprise function. This is the most likely way an external threat actor would be able to deploy a rogue container into an enterprise environment.

Solution

Red Hat, Debian, Amazon Web Services (AWS), Google Cloud Platform (GCP), Docker, NVIDIA, and Kubernetes have published blogs or security advisories that include information about the vulnerability as well as the availability of security updates for this vulnerability. Building containers in a development environment, and scanning and securing them before production deployment will reduce the likelihood of inadvertently deploying malicious images. Also avoid using images running as root whenever possible to minimize risk.

The disclosure by the researchers includes the following mitigations:

  • Setting SELinux to enforcing mode on containers prevents them from being able to overwrite the host runc binary (Note that researchers discovered that this does not work for Fedora based hosts.)
  • If the host runc binary is set to read only, a malicious container wouldn’t be able to overwrite and exploit it.
  • A low privileged user inside the container or a new user namespace with uid 0 mapped to that user removes write access to the runc binary on the host.
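The user namespace mitigation above can be verified on a running host rather than assumed from daemon configuration. The following is an added example (my code, not from the runc disclosure, Docker or Tenable) that reads the kernel's uid_map for a container process and answers the question the Analysis section poses: does uid 0 inside the container map to uid 0 on the host? The three sample maps are constructed; "0 0 4294967295" is what an un-remapped daemon produces, and "0 100000 65536" is the shape of a remapped one.

```python
import os
from typing import List, Optional, Tuple

# One uid_map line: (first uid inside the namespace, first uid on the host, count)
UidRange = Tuple[int, int, int]


def parse_uid_map(text: str) -> List[UidRange]:
    """Parse the contents of /proc/<pid>/uid_map ("inside host length" per line)."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # blank or malformed line
        inside, host, length = (int(f) for f in fields)
        ranges.append((inside, host, length))
    return ranges


def host_uid_for(inside_uid: int, ranges: List[UidRange]) -> Optional[int]:
    """Translate a uid as seen inside the namespace to the host uid, or None if unmapped."""
    for inside, host, length in ranges:
        if inside <= inside_uid < inside + length:
            return host + (inside_uid - inside)
    return None


def container_root_is_host_root(uid_map_text: str) -> bool:
    """True when uid 0 in the container is uid 0 on the host.

    That is the configuration the post says the attack needs: a process that is
    root in the container and root on the host can overwrite the host runc binary.
    """
    return host_uid_for(0, parse_uid_map(uid_map_text)) == 0


def report_pid(pid: int) -> str:
    """Live check on a Linux host for any container process (e.g. a PID from
    `docker top <container>`): read its map and say which case it is in."""
    with open("/proc/%d/uid_map" % pid) as f:
        text = f.read()
    host_root = host_uid_for(0, parse_uid_map(text))
    if host_root is None:
        return "pid %d: uid 0 is not mapped at all (cannot be root on the host)" % pid
    if host_root == 0:
        return "pid %d: container root IS host root; no user namespace mitigation" % pid
    return "pid %d: container root maps to host uid %d (remapped)" % (pid, host_root)


if __name__ == "__main__":
    # Constructed sample maps: Docker default, a remapped daemon, and a map without uid 0.
    for sample in ("0 0 4294967295\n", "0 100000 65536\n", "1000 100000 1\n"):
        print(repr(sample.strip()), "-> root is host root:", container_root_is_host_root(sample))
    if os.path.exists("/proc/self/uid_map"):
        print(report_pid(os.getpid()))  # this process's own map
```

Combine this with a check that the host runc binary is not writable by whatever host uid the container's root maps to; if report_pid() says "IS host root" for a container you did not build yourself, treat that as the exposure the post describes until runc is updated.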

Identifying affected systems

A list of Nessus plugins to identify this vulnerability will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io Vulnerability Management.


Industrial Security and Tenable.sc Converge to Close the IT/OT Cyber Exposure Gap


Until now, security leaders have lacked visibility into the risk posture of the operational technology (OT) environments that are critical to their organization’s digitization initiatives. Security leaders now have a single platform to manage and measure cyber risk across both IT and OT.

Business-driven digitization initiatives increasingly require interconnected IT and OT systems to optimize production, drive innovation and increase sustainability. However, most security leaders responsible for managing and measuring cyber risk lack visibility into OT environments.

Security Leaders Cannot Manage and Measure Cyber Risk in OT

Traditional IT asset discovery and vulnerability assessment tools are not widely used in OT because they may disrupt operations. Therefore, security leaders don’t know what assets are installed in their OT environments, what unexpected connections need to be investigated, or what high-priority vulnerabilities must be remediated. The result: security leaders cannot manage and measure cyber risk in OT environments.

Effective risk management is built on a unified understanding of the entire IT/OT attack surface, which includes OT networks – many of which include IT-based systems – and IT networks. The problem is that identifying and assessing IT and OT devices each requires specialized technologies – active scanning for IT and passive monitoring for OT. And, until now, these specialized technologies resulted in disjointed data and a fractured understanding of converged cyber risk. Tenable considers this fractured understanding to be a significant cyber exposure gap for organizations, and one worth addressing.

Extend Processes and Controls to OT

IT Security leaders need to work with OT staff to extend existing IT processes and controls to the OT environment. Of course, adaptations will be required to accommodate unique OT constraints. Organizations may be tempted to independently implement separate processes and controls for IT and OT. This approach avoids the challenge of gaining agreement between IT and OT staff. However, it widens the cyber exposure gap and increases the likelihood of a business-disrupting cyber event.

For example, separate and disjointed IT and OT asset inventories could create a blind spot regarding which assets support an important manufacturing line, and a major upgrade to a dependent IT server could disrupt the entire manufacturing line. Similarly, remediation of vulnerabilities on the IT server may need to be prioritized higher because of its importance to the manufacturing process.

Now, a Single Cyber Exposure Solution Spans OT and IT

Tenable gives security leaders a Cyber Exposure solution that spans both OT and IT networks, from the plant floor up to enterprise applications. Selected asset and vulnerability data can now be imported from Industrial Security into Tenable.sc™ (previously SecurityCenter). Security leaders can now rely on a single platform to manage and measure cyber risk across both OT and IT networks.

Asset inventories deliver an up-to-date view of what must be protected. Vulnerability assessment identifies and prioritizes weaknesses that, if unremediated, could become a pathway for adversaries to compromise control systems and disrupt critical operational processes. Dashboard and report templates can be customized to simplify stakeholder communication.

The Tenable.sc™ on-premises cyber exposure platform, when used with Industrial Security™ includes multiple sensors and aggregation points, each optimized for IT and OT network requirements.

With Tenable.sc OT integration cybersecurity leaders now have a single platform to manage and measure cyber risk across both IT and OT.

Tenable.sc delivers a unified view of information collected from Nessus scanners and Industrial Security consoles across IT/OT networks.

Cyber Exposure Technology Ecosystem Streamlines IT and Security Processes

Additionally, Tenable.sc™ integrates with many partners in the Tenable Cyber Exposure Technology Ecosystem to enhance remediation/response processes while utilizing existing investments. Examples include:

  • Siemens professionals available to deliver and deploy Industrial Security and to provide a range of industrial control systems design and vulnerability management services.
  • ITSM solutions, such as ServiceNow Security Operations Vulnerability Response, which synchronize asset records, incorporate asset criticality to enhance risk scoring, manage the remediation workflow and report status.

Learn More

Click here to learn more about how Tenable.sc™ and Industrial Security™ converge to help you manage and measure cyber risk in converged IT/OT environments.

Highly Critical Drupal Security Advisory Released (SA-CORE-2019-003)


Drupal has released a security advisory to address a critical remote code execution vulnerability (CVE-2019-6340).

Background

On February 20, Drupal released a security advisory (SA-CORE-2019-003) for CVE-2019-6340, a remote code execution vulnerability in its software. This vulnerability has received a security risk rating of Highly Critical as defined by Drupal.

Analysis

According to the security advisory, arbitrary PHP code execution is possible due to a lack of data sanitization in certain field types linked to non-form sources. Only specific site configurations are affected by this vulnerability.

Affected Configurations

The vulnerability was discovered by the Drupal Security Team, so it does not appear that this vulnerability has been exploited in the wild at this time.

Solution

Drupal recommends disabling all web services modules or disabling certain request types (PUT/PATCH/POST) server side to mitigate this vulnerability until patches can be applied.

Drupal has released Drupal 8.6.10 and Drupal 8.5.11 to address this vulnerability. There is no core update for Drupal 7. However, there are security updates for contributed modules for Drupal 7 and Drupal 8. Some of the updated modules include:

Identifying affected systems

A list of Nessus plugins to identify this vulnerability will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io Vulnerability Management.

WinRAR Absolute Path Traversal Vulnerability Leads to Remote Code Execution (CVE-2018-20250)


A 19-year-old vulnerability in WinRAR’s ACE file format support (CVE-2018-20250) has been identified as part of an attack in the wild.

Background

On February 20, researchers at Check Point Research (CPR) published a blog detailing their discovery of multiple vulnerabilities within a library used by WinRAR, a popular file compression tool, to extract ACE archives. When exploited, these vulnerabilities can lead to remote code execution. An exploit script was published to GitHub one day after CPR’s blog post. The 360 Threat Intelligence Center (TIC) has reportedly identified an in-the-wild sample that attempts to exploit this vulnerability.

Analysis

CPR disclosed a total of four CVEs: CVE-2018-20250, CVE-2018-20251, CVE-2018-20252, CVE-2018-20253.

CVE-2018-20250 is an absolute path traversal vulnerability in unacev2.dll, the DLL file used by WinRAR to parse ACE archives that has not been updated since 2005 (14 years ago). A specially crafted ACE archive can exploit this vulnerability to extract a file to an arbitrary path and bypass the actual destination folder. In its example, CPR is able to extract a malicious file into the Windows Startup folder.

CVE-2018-20251 is a vulnerability in how WinRAR calls a validation function when handling ACE archives. The validation function is designed to prevent the extraction of files that contain path traversal patterns. However, its result is only acted on after the files or folders have already been created, so the check comes too late to prevent the write.
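The two flaws above are, respectively, a missing check and a check applied too late. As an added example (my code, not from CPR, WinRAR or the unacev2.dll library) here is the check an extractor has to perform before it creates anything: resolve each archive member name under the destination folder using Windows path rules and refuse any that is absolute, rooted, drive-relative or that climbs out via "..". Python's ntpath is used so the Windows rules apply on any host; the member names, including one aimed at the Startup folder, are constructed.

```python
import ntpath
from typing import List, Optional, Tuple


def safe_extract_path(dest_dir: str, member_name: str) -> Optional[str]:
    """Resolve an archive member name under dest_dir using Windows path rules.

    Returns the full path to create, or None when the member would land outside
    dest_dir. dest_dir is expected to be an absolute Windows path such as C:\\extract.
    """
    dest = ntpath.normpath(dest_dir)
    drive, tail = ntpath.splitdrive(member_name)
    # A member that names its own drive or UNC share (C:\..., C:foo, \\srv\share\...)
    # or is rooted (\foo) is absolute by construction: refuse it outright.
    if drive or not tail or tail.startswith(("\\", "/")):
        return None
    candidate = ntpath.normpath(ntpath.join(dest, tail))
    # normpath has folded every "..\"; the member is acceptable only if the
    # result still lies inside dest (commonpath compares case-insensitively).
    try:
        if ntpath.commonpath([dest, candidate]) != dest:
            return None
    except ValueError:  # different drives, or absolute/relative mix
        return None
    return candidate


def plan_extraction(dest_dir: str, members: List[str]) -> Tuple[List[str], List[str]]:
    """Validate every member before creating anything.

    Returns (accepted full paths, rejected member names). Validating first is
    the point: the flaw the post describes consults the check only after files
    or folders have already been created on disk.
    """
    accepted, rejected = [], []
    for name in members:
        path = safe_extract_path(dest_dir, name)
        if path is None:
            rejected.append(name)
        else:
            accepted.append(path)
    return accepted, rejected


# Constructed member names: two benign, then traversal, rooted, drive-absolute
# (the Startup folder case from the post), drive-relative and UNC.
SAMPLE_MEMBERS = [
    "docs\\readme.txt",
    "docs\\..\\notes.txt",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\x.exe",
    "\\Users\\Public\\x.exe",
    "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\x.exe",
    "C:x.exe",
    "\\\\evil\\share\\x.exe",
]

if __name__ == "__main__":
    ok, bad = plan_extraction("C:\\extract", SAMPLE_MEMBERS)
    print("would create:")
    for p in ok:
        print("  ", p)
    print("refused:")
    for n in bad:
        print("  ", n)
```

The same shape of check applies to any archive format: normalise first, then require that the destination directory is a prefix of the normalised result, and do both before the first mkdir.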

Both CVE-2018-20252 and CVE-2018-20253 are out-of-bounds write vulnerabilities during the parsing of crafted archive formats. Successful exploitation of these CVEs could lead to arbitrary code execution.

Proof of concept

CPR created a proof of concept video, included in its blog post, that showcases how an ACE archive can extract a malicious file into the Windows Startup folder.

A proof of concept was also published to GitHub.

Solution

WinRAR has decided to drop support for unpacking ACE archives in WinRAR 5.70 Beta 1. The current beta version is 5.70 Beta 2. WinRAR users are encouraged to upgrade to the latest beta version as soon as possible.

Identifying affected systems

A list of Nessus plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io Vulnerability Management.

Tenable Research Discovers Remote Code Execution Vulnerabilities in GPON Routers


Tenable Research has discovered six new vulnerabilities in Nokia (Alcatel-Lucent) I-240W-Q GPON routers that can give an attacker telnet access, cause a denial of service or allow arbitrary code execution.

Background

Nokia (Alcatel-Lucent) I-240W-Q Gigabit Passive Optical Network (GPON) routers are designed to replace standard copper networks. These routers have become an attractive target for botnets, and turnaround from disclosure to attack is almost immediate.

Tenable researcher Artem Metla has discovered six new vulnerabilities in Nokia (Alcatel-Lucent) I-240W-Q GPON routers (CVE-2019-3917, CVE-2019-3918, CVE-2019-3919, CVE-2019-3920, CVE-2019-3921, CVE-2019-3922). These vulnerabilities include a remotely accessible backdoor, hardcoded credentials, command injections, and stack buffer overflows.

Analysis

CVE-2019-3917: By sending a specially crafted HTTP request to the device, a remote attacker could partially disable the firewall and expose a Telnet service to external access.

CVE-2019-3918: Hardcoded root credentials were discovered in Dropbear (SSH) and Telnet services.

CVE-2019-3919, CVE-2019-3920: An authenticated attacker can utilize malicious HTTP POST requests to take advantage of unsanitized system() calls to execute shell commands as root user and escalate to the router’s OS level.

CVE-2019-3921 (Authenticated), CVE-2019-3922 (Unauthenticated): An attacker can send malicious HTTP requests to trigger stack buffer overflows that cause a DoS, or arbitrary code execution. Researcher Artem Metla has written a proof of concept for CVE-2019-3921.

Impact

If one of these routers is compromised, a threat actor could launch man in the middle (MitM) attacks to sniff network traffic, modify requests and responses and log all communications. Malicious scripts could also be placed on the device to launch attacks against assets that weren’t previously exposed to external attack. Compromised routers could be used in conjunction with other malicious devices to unleash distributed denial of service (DDoS) attacks. Lastly, these devices could be used to spread malware to create a botnet for a variety of malicious uses.

Solution

Nokia is reportedly working on patches for these vulnerabilities. If you believe you are affected, you can reach out to Nokia for more information.

Get more information

Visit the Tenable Tech Blog on Medium to read researcher Artem Metla’s in-depth story about his work uncovering these vulnerabilities.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Management Interfaces in Three Models of Cisco Networking Devices Are Vulnerable to RCE Attacks

New vulnerability (CVE-2019-1663) in Cisco RV110W, RV130W, and RV215W devices allows for RCE attacks from malicious HTTP requests.

Background

Cisco has released a security advisory for CVE-2019-1663, a remote code execution (RCE) vulnerability present in the remote management interface on certain router and firewall devices, the RV110W, RV130W, and RV215W. The vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code through malicious HTTP requests. Cisco has released firmware updates for the affected devices that address this vulnerability.

Analysis

Cisco has not released in-depth technical details on how to exploit this vulnerability, but notes that it was discovered by security researchers Yu Zhang and Haoliang Lu at the GeekPwn conference on October 24-25, 2018, and T. Shiomitsu of Pen Test Partners. The vulnerability is reportedly due to improperly validated user input fields through the HTTP/HTTPS user management interface.

Cisco has tagged this vulnerability with CWE-119, the designation for a buffer overflow. This means that a pre-authentication user input field on these devices can be manipulated into dropping code into the device’s memory, which it then executes at the system level.

Solution

Cisco has released updated firmware for each of the respective devices to address this vulnerability.

Cisco states that this vulnerability is fixed in the following firmware versions:

  • RV110W Wireless-N VPN Firewall: 1.2.2.1
  • RV130W Wireless-N Multifunction VPN Router: 1.0.3.45
  • RV215W Wireless-N VPN Router: 1.3.1.1

Identifying affected systems

A list of Nessus plugins to identify this vulnerability will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io Vulnerability Management.

Tenable at RSA Conference 2019: Unlocking the Power of Prioritization

Customer presentations, product demos, and an entire day devoted to the public sector are just some of the activities Tenable has planned for RSA Conference 2019.

You’ve heard all about Predictive Prioritization, Tenable’s vulnerability management innovation that re-prioritizes each vulnerability based on the likelihood it will be leveraged in an attack. Now, you can see it firsthand at Booth 5445 in the North Hall during RSA Conference (RSAC) 2019 at the Moscone Center in San Francisco, March 4-8.

Continuous demonstrations of our latest product breakthroughs are just some of the activities we have planned for RSAC this year. We’ll also be celebrating the 21st Anniversary of Nessus with special events at our booth on Monday, March 4, from 5:00 pm - 7:00 pm and throughout the conference.

If you’re planning to take in any of the educational sessions at RSAC, we encourage you to make time to see Tenable’s Kevin Flynn presenting on the topic of Cyber Risk Management: New Approaches for Reducing your Cyber Exposure, on Thursday, March 7, at 1:30 pm - 2:20 pm PT in Moscone South Esplanade 153.

Members of the public sector are invited to join us at the RSA Public Sector Day, taking place at the Marriott Marquis on Monday, March 4, from 10:00 am - 5:00 pm PT. Eitan Goldstein, Tenable’s Senior Director for Strategic Initiatives, will lead a panel discussion entitled Government Cyber Security and The Ever Increasing Threat at 2:45 pm - 3:30 pm. Goldstein will be joined onstage by: Kevin Cox, Program Manager, Continuous Diagnostics and Mitigation (CDM) Program, Department of Homeland Security’s Office of Cybersecurity and Communications; Chris Novak, Director, Verizon Threat Research Advisory Center (VTRAC); Troy Taitano, Chief, Cyber Modernization Division, NRO; and Jennifer Silk, Senior Advisor for Cybersecurity, Office of the Chief Information Officer, Department of Energy.

And, you’ll have the opportunity to attend presentations from Tenable customers and partners, who will share their experiences and key learnings in our in-booth theater. (Added bonus: if you watch one of our in-booth theater presentations, you’ll be entered for a chance to win prizes, including a set of Bang & Olufsen Wireless Earphones.) Below is a complete list of customer presentations taking place at Tenable Booth 5445 in the North Hall during RSAC 2019:

Tenable Customer Presentations at RSAC 2019

| Organization | Session title | Dates/Times | Presenter |
| --- | --- | --- | --- |
| Emerson Electric | Cybersecurity Superheros | Wednesday, March 4, 4:30 pm PT; and Thursday, March 7, 12:45 pm PT | Jon Brown, Manager, Application and Product Security Testing, Emerson Electric |
| Express Scripts | The User’s Unfiltered Experience | Tuesday, March 5, 1:30 pm PT; and Thursday, March 7, 10:30 am PT | Garet Stroup, Director, Information Risk Management, Express Scripts |
| Global Payments | Existing Problem, Simplified Approach to Vulnerability Management | Tuesday, March 5, 3:00 pm PT; and Wednesday, March 6, 10:30 am PT | Ramin Lamei, Senior Director, Information Security Officer, Global Payments |
| Oak Ridge National Laboratory (ORNL) | How ORNL Is Addressing Not Being “Wanting” | Tuesday, March 5, 10:30 am PT; and Thursday, March 7, 12:00 pm PT | Kevin Kerr, CISO, Oak Ridge National Laboratory |
| Prologis | Our Evolution with Tenable: From Nessus Scans to Protecting Modern Assets in the Cloud with Tenable.io | Wednesday, March 6, 3:00 pm PT | Tyler Warren, Director of IT Security, Prologis |

Learn more:

Adobe Issues Out-of-Band Security Bulletin for Critical ColdFusion Vulnerability (CVE-2019-7816)

Adobe Security Bulletin APSB19-14 addresses a file upload restriction bypass vulnerability that has been exploited in the wild.

Background

On March 1, Adobe published APSB19-14, an out-of-band security bulletin to address a critical vulnerability in Adobe ColdFusion. Affected versions include ColdFusion Update 2 and earlier, ColdFusion 2016 Update 9 and earlier, and ColdFusion 11 Update 17 and earlier.

Analysis

This security bulletin addresses CVE-2019-7816, a file upload restriction bypass vulnerability. Exploitation of this vulnerability could allow an attacker to gain arbitrary code execution “in the context of the running ColdFusion service.” According to Adobe, they are aware of a report that this vulnerability has been exploited in the wild.

In order to exploit the vulnerability, an attacker would need to be able to upload a malicious file to a directory that is publicly accessible and then execute that file remotely.

Solution

Adobe has released the following security updates for ColdFusion 2018, 2016 and 11 to address this vulnerability:

Tenable recommends that users upgrade to these versions of ColdFusion as soon as possible.

Additionally, users are advised to modify settings to prevent users from making HTTP requests to directories that contain uploaded files.

Identifying affected systems

A list of Nessus plugins to identify this vulnerability will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io Vulnerability Management.


RSAC 2019: New Approaches for Reducing Your Cyber Exposure

Vulnerability overload got you down? Attend my talk at the RSA Conference 2019 and learn about a new approach to cyber risk management.

It's that time of year again - the RSA Conference (RSAC) 2019 descends on San Francisco March 4-8. The crowds will likely be thicker than ever, and the lines for just about everything even longer. But the biggest problem for those inside the Moscone Center is deciding where to spend your time amidst the noise and flashing lights.

If you're faced with vulnerability overload, as I presume many of you are, you need to check out Tenable's new Predictive Prioritization functionality. It's now shipping as part of Tenable.sc and will be available soon in Tenable.io. We'll demonstrate it during RSAC, among the many activities we have planned at Tenable booth 5445 in the North Hall.

Predictive Prioritization is a data science-based approach to help you fix first the vulnerabilities that matter most. It dramatically improves remediation efficiency and effectiveness by letting you focus on the specific vulnerabilities that have been or will likely be exploited. The result is a potential 97% reduction in the vulnerabilities you need to remediate with the highest priority.

Predictive Prioritization is designed to augment the existing CVSS scoring system. An interesting perspective on issues surrounding CVSS -- and the inherent weakness of using it for vulnerability prioritization -- is described at length in this paper from Carnegie Mellon University’s Software Engineering Institute.

At RSAC 2019, I’ll be giving a talk entitled ‘Cyber-Risk Management: New Approaches for Reducing Your Cyber-Exposure’ on Thursday, March 7 at 1:30 in Moscone South Esplanade, Room 153. My presentation will go into some depth on Predictive Prioritization and place it in the context of the overarching problem of cyber risk management. Here’s a quick preview:

Learn more:

Here Are the Top Cybersecurity Insights for Public Sector

A new global study conducted by Ponemon Institute explores cyber risk in the public sector: What are the top priorities for public sector cybersecurity leaders in 2019? Why has preventing attacks on OT become a major concern?

Cybersecurity in Public Sector: Five Insights You Need to Know presents the results of a Ponemon Institute study, sponsored by Tenable, which queried 244 public sector professionals on four continents regarding their current cybersecurity operations. The respondents represented a proportional mix of leadership, management and operations roles in both IT and information security. The breadth of respondents is important because the results, therefore, reflect the opinions of those who create cyber strategy, those who implement it and those who face the day-to-day realities of this complex subject.

In this blog post, I’ll summarize the key findings from the study as well as offer my own insights to help explain what is driving the respondents’ opinions.

Cybersecurity in public sector: five insights you need to know

The five insights presented in the study, and the order in which they appear, are equally important for understanding the current posture of public sector cybersecurity. The first insight from the study is that public sector cyber-related attacks are ceaseless. In fact, 88% of public sector organizations have suffered at least one damaging cyberattack over the past two years; 62% have experienced two or more. Cyberattacks in the public sector have been rampant for many years prior to 2019, and this will remain true well into the future.

However, the second insight – that attacks on IoT and OT assets are now a top priority – is an emerging concern that directly impacts the remaining three insights. IoT and OT assets create a larger number of potential vulnerabilities, requiring both enhanced visibility (third insight) into an expanded attack surface and staff who know how to cover these new assets.

Furthermore, the expanded attack surface alters the relationship between cyber risk and business risk (fourth insight) by adding the catastrophic effects of a loss of critical IoT or OT services to the mix. This would be similar to planning for a hurricane or other natural disaster, but without the “natural” part.

Finally, the number of incremental vulnerabilities inherent in an expanded attack surface demands better prioritization of those vulnerabilities (fifth insight) for remediation, to stay one step ahead of the bad guys.

It’s time to pay more attention to the entire attack surface, including IoT and OT

Here are my insights that provide additional context for the study’s findings:

  • The easy stuff is done already. Public sector cyber professionals have done an excellent job promoting basic cyber hygiene among public sector employees. As a result, phishing attacks have been dramatically reduced in the public sector. This means that more attention can now be given to complex threat vectors that target IoT and OT.
  • Digital transformation has expanded the attack surface. The swift pace of digital transformation in the public sector has created a swift expansion of the digital attack surface, with more IoT and OT devices being used to improve community services. “Smart city” and “smart state” initiatives have increased demand for new mobile applications and interconnected devices, all of which is increasing the number of threats confronting public sector IT and infosec professionals.
  • Converged IT/OT environments. Public sector IT and cybersecurity leaders are increasingly being asked to manage a converged IT/OT environment, requiring them to adopt methods and tools that help to identify, prioritize and remediate vulnerabilities more efficiently.
  • Cyber is cool. Today’s youth have had “eyes on glass” since before they could walk. High schools teach information security courses. Universities now grant degrees in information security. The military has created scads of new cyberwarrior roles. All this means cyber is now officially cool. Unfortunately for public sector IT and security professionals, this means recruiting and retention have become infinitely harder.

For a closer look at the study, download Cybersecurity in Public Sector: Five Insights You Need to Know now.

Industrial Security and Tenable.sc Converge to Close the IT/OT Cyber Exposure Gap

Until now, security leaders have lacked visibility into the risk posture of the operational technology (OT) environments that are critical to their organization’s digitization initiatives. Security leaders now have a single platform to manage and measure cyber risk across both IT and OT.

Business-driven digitization initiatives increasingly require interconnected IT and OT systems to optimize production, drive innovation and increase sustainability. However, most security leaders responsible for managing and measuring cyber risk lack visibility into OT environments.

Security Leaders Cannot Manage and Measure Cyber Risk in OT

Traditional IT asset discovery and vulnerability assessment tools are not widely used in OT because they may disrupt operations. Therefore, security leaders don’t know what assets are installed in their OT environments, what unexpected connections need to be investigated, or what high-priority vulnerabilities must be remediated. The result: security leaders cannot manage and measure cyber risk in OT environments.

Effective risk management is built on a unified understanding of the entire IT/OT attack surface, which includes OT networks – many of which include IT-based systems – and IT networks. The problem is that identifying and assessing IT and OT devices each requires specialized technologies – active scanning for IT and passive monitoring for OT. And, until now, these specialized technologies resulted in disjointed data and a fractured understanding of converged cyber risk. Tenable considers this fractured understanding to be a significant cyber exposure gap for organizations, and one worth addressing.

Extend Processes and Controls to OT

IT security leaders need to work with OT staff to extend existing IT processes and controls to the OT environment. Of course, adaptations will be required to accommodate unique OT constraints. Organizations may be tempted to independently implement separate processes and controls for IT and OT. This approach avoids the challenge of gaining agreement between IT and OT staff. However, it widens the cyber exposure gap and increases the likelihood of a business-disrupting cyber event.

For example, separate and disjointed IT and OT asset inventories could create a blind spot regarding which assets support an important manufacturing line, and a major upgrade to a dependent IT server could disrupt the entire manufacturing line. Similarly, remediation of vulnerabilities on the IT server may need to be prioritized higher because of its importance to the manufacturing process.

Now, a Single Cyber Exposure Solution Spans OT and IT

Tenable gives security leaders a Cyber Exposure solution that spans both OT and IT networks, from the plant floor up to enterprise applications. Selected asset and vulnerability data can now be imported from Industrial Security into Tenable.sc™ (previously SecurityCenter). Security leaders can now rely on a single platform to manage and measure cyber risk across both OT and IT networks.

Asset inventories deliver an up-to-date view of what must be protected. Vulnerability assessment identifies and prioritizes weaknesses that, if unremediated, could become a pathway for adversaries to compromise control systems and disrupt critical operational processes. Dashboard and report templates can be customized to simplify stakeholder communication.

The Tenable.sc™ on-premises cyber exposure platform, when used with Industrial Security™, includes multiple sensors and aggregation points, each optimized for IT and OT network requirements.

With Tenable.sc OT integration, cybersecurity leaders now have a single platform to manage and measure cyber risk across both IT and OT.

Tenable.sc delivers a unified view of information collected from Nessus scanners and Industrial Security consoles across IT/OT networks.

Cyber Exposure Technology Ecosystem Streamlines IT and Security Processes

Additionally, Tenable.sc™ integrates with many partners in the Tenable Cyber Exposure Technology Ecosystem to enhance remediation/response processes while utilizing existing investments. Examples include:

  • Siemens professionals available to deliver and deploy Industrial Security and to provide a range of industrial control systems design and vulnerability management services.
  • ITSM solutions, such as ServiceNow Security Operations Vulnerability Response, which synchronize asset records, incorporate asset criticality to enhance risk scoring, manage the remediation workflow and report status.

Learn More

Click here to learn more about how Tenable.sc™ and Industrial Security™ converge to help you manage and measure cyber risk in converged IT/OT environments.

Highly Critical Drupal Security Advisory Released (SA-CORE-2019-003)

Drupal has released a security advisory to address a critical remote code execution vulnerability (CVE-2019-6340).

Background

On February 20, Drupal released a security advisory (SA-CORE-2019-003) for CVE-2019-6340, a remote code execution vulnerability in its software. This vulnerability has received a security risk rating of Highly Critical as defined by Drupal.

Analysis

According to the security advisory, arbitrary PHP code execution is possible due to a lack of data sanitization in certain field types linked to non-form sources. However, only specific site configurations are affected by this vulnerability.

Affected Configurations

  • Drupal 8: Sites that use JSON:API or RESTful Web Services (with PATCH or POST requests enabled); Update February 22: Sites that use RESTful Web Services, Hypertext Application Language (HAL) and HTTP Basic Authentication modules
  • Drupal 7: Sites that use RESTful Web Services or the Services module

The vulnerability was discovered by the Drupal Security Team, so it does not appear that this vulnerability has been exploited in the wild at this time.

Update February 22: Additional analysis has recently been published in relation to this security advisory. This analysis suggests that the note about affected configurations requiring PATCH and POST requests to be enabled is not entirely accurate and claims remote code execution can occur using a GET request without authentication. Tenable has independently confirmed this analysis to be true. As a result, we have updated our Affected Configurations and Solution sections to reflect this new information.

However, we also discovered that the RESTful Web Services module isn’t the only module required to trigger this exploit based on the new analysis above. It also requires the Hypertext Application Language (HAL) and HTTP Basic Authentication modules to be enabled.

Attempting POC exploit without HAL or HTTP Basic Auth enabled results in an error (Tested on Drupal 8.6.9).

Enabled modules required to trigger the exploit (note: Serialization is enabled when enabling RESTful Web Services).

Solution

Drupal recommends disabling all web services modules or disabling certain request types (PUT/PATCH/POST) server side to mitigate this vulnerability until patches can be applied.

Update February 22: Disabling PUT/PATCH/POST request types server side is not a feasible mitigation strategy on its own, as new analysis reveals other configurations that are vulnerable. As a result, Tenable strongly recommends upgrading to the patched versions of Drupal as soon as possible.

Drupal has released Drupal 8.6.10 and Drupal 8.5.11 to address this vulnerability. There is no core update for Drupal 7. However, there are security updates for contributed modules for Drupal 7 and Drupal 8. Some of the updated modules include:

Identifying affected systems

A list of Nessus plugins to identify this vulnerability will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io Vulnerability Management.

WinRAR Absolute Path Traversal Vulnerability Leads to Remote Code Execution (CVE-2018-20250)

A 19-year-old vulnerability in WinRAR’s ACE file format support (CVE-2018-20250) has been identified as part of an attack in the wild.

Background

On February 20, researchers at Check Point Research (CPR) published a blog detailing their discovery of multiple vulnerabilities within a library used by WinRAR, a popular file compression tool, to extract ACE archives. When exploited, these vulnerabilities can lead to remote code execution. An exploit script was published to Github one day after CPR’s blog post. The 360 Threat Intelligence Center (TIC) has reportedly identified an in-the-wild sample that attempts to exploit this vulnerability.

Analysis

CPR disclosed a total of four CVEs: CVE-2018-20250, CVE-2018-20251, CVE-2018-20252, CVE-2018-20253.

CVE-2018-20250 is an absolute path traversal vulnerability in unacev2.dll, the DLL file used by WinRAR to parse ACE archives that has not been updated since 2005 (14 years ago). A specially crafted ACE archive can exploit this vulnerability to extract a file to an arbitrary path and bypass the actual destination folder. In its example, CPR is able to extract a malicious file into the Windows Startup folder.

CVE-2018-20251 is a vulnerability in how WinRAR calls a validation function when handling ACE archives. The validation function is designed to prevent the extraction of files that contain path traversal patterns. However, the value from the validation function is not returned until after files or folders have been created.

Both CVE-2018-20252 and CVE-2018-20253 are out-of-bounds write vulnerabilities during the parsing of crafted archive formats. Successful exploitation of these CVEs could lead to arbitrary code execution.
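The two path-handling flaws above (an absolute path in an archive entry escaping the destination folder, and a validation result that is only consulted after files have already been created) both come down to one defensive rule: resolve and vet every entry name before anything is written to disk. The following is an added example written for this post; it is not CPR's code and not WinRAR's or the unacev2.dll logic. It assumes a POSIX host and a hypothetical archive listing that has already been parsed into plain entry names (the sample names are constructed).

```python
import os
import ntpath
import posixpath
from typing import List, Optional, Tuple


def resolve_extraction_path(dest_dir: str, entry_name: str) -> Optional[str]:
    """Return the absolute on-disk path an entry may be written to, or None
    if the entry must be rejected. This function creates nothing: the check
    runs before any file or directory exists, which is the ordering the
    CVE-2018-20251 description says the original validation got wrong."""
    if not entry_name:
        return None

    # Archive formats from the Windows world carry backslashes; normalize so
    # one set of rules covers both separators.
    name = entry_name.replace("\\", "/")

    # An entry name is only ever meant to be relative. Reject POSIX absolute
    # paths, Windows drive-letter paths ("C:...") and UNC shares ("//srv/share").
    if posixpath.isabs(name) or ntpath.splitdrive(name)[0]:
        return None

    # Collapse "." and ".." components; anything that still starts with ".."
    # after normalization is trying to climb out of the destination.
    normalized = posixpath.normpath(name)
    if normalized in (".", "..") or normalized.startswith("../"):
        return None

    # Belt-and-braces containment check on the final joined path.
    dest_abs = os.path.abspath(dest_dir)
    target = os.path.normpath(os.path.join(dest_abs, normalized))
    if os.path.commonpath([dest_abs, target]) != dest_abs:
        return None
    return target


def vet_archive_listing(dest_dir: str, entry_names: List[str]) -> Tuple[List[str], List[str]]:
    """Vet the whole listing up front. Returns (accepted targets, rejected
    names). An extractor should refuse to start writing unless the rejected
    list is empty, rather than aborting part-way through."""
    accepted, rejected = [], []
    for name in entry_names:
        target = resolve_extraction_path(dest_dir, name)
        (accepted if target is not None else rejected).append(target if target is not None else name)
    return accepted, rejected


# Constructed sample listing (hypothetical; not taken from any real archive).
SAMPLE_ENTRIES = [
    "docs/readme.txt",                                  # ordinary relative entry
    "sub/../ok.txt",                                    # normalizes to ok.txt, fine
    "../../evil.exe",                                   # relative traversal
    "sub/../../evil.exe",                               # traversal hidden behind a real directory
    "C:\\Users\\Public\\Start Menu\\evil.exe",          # absolute Windows path
    "/etc/cron.d/evil",                                 # absolute POSIX path
    "\\\\server\\share\\evil.exe",                      # UNC share
]


def main() -> None:
    accepted, rejected = vet_archive_listing("/tmp/extract", SAMPLE_ENTRIES)
    print("accepted:", accepted)
    print("rejected:", rejected)


if __name__ == "__main__":
    main()
```

The check is deliberately done on the normalized name rather than by string-searching for "..": a pattern filter can be bypassed by a component like "sub/../../x" that only becomes traversal once the real directory is resolved, which is why the final containment test on the joined absolute path is kept as well.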

Proof of concept

CPR created a proof of concept video, included in its blog post, that showcases how an ACE archive can extract a malicious file into the Windows Startup folder.

A proof of concept was also published to Github.

Solution

WinRAR has decided to drop support for unpacking ACE archives in WinRAR 5.70 Beta 1. The current beta version is 5.70 Beta 2. WinRAR users are encouraged to upgrade to the latest beta version as soon as possible.

Identifying affected systems

A list of Nessus plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io Vulnerability Management.