Tenable Research has discovered six new vulnerabilities in Nokia (Alcatel-Lucent) I-240W-Q GPON routers that can provide attacker with telnet access, DoS the target, or run arbitrary code.

Background

Nokia (Alcatel-Lucent) I-240W-Q Gigabit Passive Optical Network (GPON) routers are designed to replace standard copper networks. These routers have become an attractive target for botnets, and turnaround from disclosure to attack is almost immediate.

Tenable researcher Artem Metla has discovered six new vulnerabilities in Nokia (Alcatel-Lucent) I-240W-Q GPON routers (CVE-2019-3917, CVE-2019-3918, CVE-2019-3919, CVE-2019-3920, CVE-2019-3921, CVE-2019-3922). These vulnerabilities include a remotely accessible backdoor, hardcoded credentials, command injections, and stack buffer overflows.

Analysis

CVE-2019-3917: By sending a specially crafted HTTP request to the device, a remote attacker could partially disable the firewall and expose a Telnet service to external access.

CVE-2019-3918: Hardcoded root credentials were discovered in Dropbear (SSH) and Telnet services.

CVE-2019-3919, CVE-2019-3920: An authenticated attacker can utilize malicious HTTP POST requests to take advantage of unsanitized system() calls to execute shell commands as root user and escalate to the router’s OS level.

CVE-2019-3921 (Authenticated), CVE-2019-3922 (Unauthenticated): An attacker can send malicious HTTP requests to trigger stack buffer overflows that cause a DoS, or arbitrary code execution. Researcher Artem Metla has written a proof of concept for CVE-2019-3921.

Impact

If one of these routers is compromised, a threat actor could launch man in the middle (MitM) attacks to sniff network traffic, modify requests and responses and log all communications. Malicious scripts could also be placed on the device to launch attacks against assets that weren’t previously exposed to external attack. Compromised routers could be used in conjunction with other malicious devices to unleash distributed denial of service (DDoS) attacks. Lastly, these devices could be used to spread malware to create a botnet for a variety of malicious uses.

Solution

Nokia is reportedly working on patches for these vulnerabilities. If you believe you are affected, you can reach out to Nokia for more information.

Get more information

Visit the Tenable Tech Blog on Medium to read researcher Artem Metla’s in-depth story about his work uncovering these vulnerabilities.

• Tenable Research Advisory

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

<p>New vulnerability (CVE-2019-1663) in Cisco RV110W, RV130W, and RV215W devices allows for RCE attacks from malicious HTTP requests.</p>
<h3>Background</h3>
<p>Cisco has <a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ci... target="_blank" rel="noopener noreferrer" title="Cisco security advisory for CVE-2019-1663">released a security advisory</a>&nbsp;for CVE-2019-1663, a remote code execution (RCE) vulnerability present in the remote management interface on certain router and firewall devices, the RV110W, RV130W, and RV215W. The vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code through malicious HTTP requests. Cisco has released firmware updates for the affected devices that address this vulnerability.</p>
<h3>Analysis</h3>
<p>Cisco has not released in-depth technical details on how to exploit this vulnerability, but notes that it was discovered by security researchers Yu Zhang and Haoliang Lu at the GeekPwn conference on October 24-25, 2018, and T. Shiomitsu of Pen Test Partners. The vulnerability is reportedly due to improperly validated user input fields through the HTTP/HTTPS user management interface.</p>
<p>Cisco has tagged this vulnerability with <a href="https://cwe.mitre.org/data/definitions/119.html" target="_blank" rel="noopener noreferrer" title="Cisco CWE-119">CWE-119</a>, the designation for a buffer overflow. This means that a pre-authentication user input field on these devices can be manipulated into dropping code into the device’s memory, which it then executes at the system level.</p>
<h3>Solution</h3>
<p>Cisco has released <a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ci... target="_blank" rel="noopener noreferrer" title="Cisco firmware">updated firmware</a>&nbsp;for each of the respective devices to address this vulnerability.</p>
<p>Cisco states that this vulnerability is fixed in the following firmware versions:</p>
<ul>
<li>RV110W Wireless-N VPN Firewall: 1.2.2.1</li>
<li>RV130W Wireless-N Multifunction VPN Router: 1.0.3.45</li>
<li>RV215W Wireless-N VPN Router: 1.3.1.1</li>
</ul>
<h3>Identifying affected systems</h3>
<p>A list of Nessus plugins to identify this vulnerability will appear <a href="https://www.tenable.com/plugins/search?q=cves%3A(%22CVE-2019-1663%22)&amp;sort=&amp;page=1" target="_blank" rel="noopener noreferrer" title="Nessus Plugins for Cisco CVE-2019-1663">here</a>&nbsp;as they’re released.</p>
<h3>Get more information</h3>
<ul><li><a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ci... target="_blank" rel="noopener noreferrer" title="Cisco Advisory for CVE-2019-1663">Cisco Advisory</a></li>
</ul>
<p><b><i>Join <a href="https://community.tenable.com/s/group/0F9f2000000fyxyCAA/cyber-exposure-... Security Response Team</a> on the Tenable Community.</i></b></p>
<p><b><i> Learn more about <a href="https://www.tenable.com/products">Tenable</a>, the first Cyber Exposure platform for holistic management of your modern attack surface. </i></b></p>
<p>Get a <a href="https://www.tenable.com/products/tenable-io/vulnerability-management/eva... 60-day trial</a> of Tenable.io Vulnerability Management.</p>

Customer presentations, product demos, and an entire day devoted to the public sector are just some of the activities Tenable has planned for RSA Conference 2019.

You’ve heard all about Predictive Prioritization, Tenable’s vulnerability management innovation that re-prioritizes each vulnerability based on the likelihood it will be leveraged in an attack. Now, you can see it firsthand at Booth 5445 in the North Hall during RSA Conference (RSAC) 2019 at the Moscone Center in San Francisco, March 4-8.

Continuous demonstrations of our latest product breakthroughs are just some of the activities we have planned for RSAC this year. We’ll also be celebrating the 21st Anniversary of Nessus with special events at our booth on Monday, March 4, from 5:00 pm - 7:00 pm and throughout the conference.

If you’re planning to take in any of the educational sessions at RSAC, we encourage you to make time to see Tenable’s Kevin Flynn presenting on the topic of  Cyber Risk Management: New Approaches for Reducing your Cyber Exposure, on Thursday, March 7, at 1:30 pm - 2:20 pm PT in Moscone South Esplanade 153.

Members of the public sector are invited to join us at the RSA Public Sector Day, taking place at the Marriott Marquis on Monday, March 4, from 10:00 am - 5:00 pm PT. Eitan Goldstein, Tenable’s Senior Director for Strategic Initiatives, will lead a panel discussion entitled Government Cyber Security and The Ever Increasing Threat at 2:45 pm - 3:30 pm. Goldstein will be joined onstage by: Kevin Cox, Program Manager, Continuous Diagnostics and Mitigation (CDM) Program, Department of Homeland Security’s Office of Cybersecurity and Communications; Chris Novak, Director, Verizon Threat Research Advisory Center (VTRAC); Troy Taitano, Chief, Cyber Modernization Division, NRO; and Jennifer Silk, Senior Advisor for Cybersecurity, Office of the Chief Information Officer, Department of Energy.

And, you’ll have the opportunity to attend presentations from Tenable customers and partners, who will share their experiences and key learnings in our in-booth theater. (Added bonus: if you watch one of our in-booth theater presentations, you’ll be entered for a chance to win prizes, including a set of Bang & Olufsen Wireless Earphones.) Below is a complete list of customer presentations taking place at Tenable Booth 5445 in the North Hall during RSAC 2019:

Tenable Customer Presentations at RSAC 2019

Adobe Security Bulletin APSB19-14 addresses a file upload restriction bypass vulnerability that has been exploited in the wild.

Background

On March 1, Adobe published APSB19-14, an out-of-band security bulletin to address a critical vulnerability in Adobe ColdFusion. Affected versions include ColdFusion 2018 Update 2 and earlier, ColdFusion 2016 Update 9 and earlier, and ColdFusion 11 Update 17 and earlier.

Analysis

This security bulletin addresses CVE-2019-7816, a file upload restriction bypass vulnerability. Exploitation of this vulnerability could allow an attacker to gain arbitrary code execution “in the context of the running ColdFusion service.” According to Adobe, they are aware of a report that this vulnerability has been exploited in the wild.

In order to exploit the vulnerability, an attacker would need to be able to upload a malicious file to a directory that is publicly accessible and then execute that file remotely.

Solution

Adobe has released security the following updates for Cold Fusion 2018, 2016 and 11 to address this vulnerability:

• Adobe ColdFusion 2018 Update 3
• Adobe ColdFusion 2016 Update 10
• Adobe ColdFusion 11 Update 18

Tenable recommends users to upgrade to these versions of ColdFusion as soon as possible.

Additionally, users are advised to modify settings to prevent users from making HTTP requests to directories that contain uploaded files.

Identifying affected systems

A list of Nessus plugins to identify this vulnerability will appear here as they’re released.

Get more information

• Security updates available for ColdFusion [APSB19-14]

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io Vulnerability Management.

Vulnerability overload got you down? Attend my talk at the RSA Conference 2019 and learn about a new approach to cyber risk management.

It's that time of year again - the RSA Conference (RSAC) 2019 descends on San Francisco March 4-8. The crowds will likely be thicker than ever. The lines for just about everything even longer. But the biggest problem for those inside the Moscone Center is deciding where you should spend your time amidst the noise and flashing lights.

If you're faced with vulnerability overload, as I presume many of you are, you need to check out Tenable's new Predictive Prioritization functionality. It's now shipping as part of Tenable.sc and will be available soon in Tenable.io. We'll demonstrate it during RSAC, among the many activities we have planned at Tenable booth 5445 in the North Hall.

Predictive Prioritization is a data science-based approach to help you fix first the vulnerabilities that matter most. It dramatically improves remediation efficiency and effectiveness by letting you focus on the specific vulnerabilities that have been or will likely be exploited. The result is a potential 97% reduction in the vulnerabilities you need to remediate with the highest priority.

Predictive Prioritization is designed to augment the existing CVSS scoring system. An interesting perspective on issues surrounding CVSS -- and the inherent weakness of using it for vulnerability prioritization -- is described at length in this paper from Carnegie Mellon University’s Software Engineering Institute.

At RSAC 2019, I’ll be giving a talk entitled ‘Cyber-Risk Management: New Approaches for Reducing Your Cyber-Exposure’ on Thursday, March 7 at 1:30 in Moscone South Esplanade, Room 153. My presentation will go into some depth on Predictive Prioritization and place it in the context of the overarching problem of cyber risk management. Here’s a quick preview:

Learn more:

• Here’s a complete look at Tenable’s RSAC 2019 activities - come see us at Booth 5445 in the North Hall during RSAC 2019.
• For more information on Predictive Prioritization, including white papers and other resources, visit www.tenable.com/predictive-prioritization.

A new global study conducted by Ponemon Institute explores cyber risk in the public sector: What are the top priorities for public sector cybersecurity leaders in 2019? Why has preventing attacks on OT become a major concern?

Cybersecurity in Public Sector: Five Insights You Need to Know presents the results of a Ponemon Institute study, sponsored by Tenable, which queried 244 public sector professionals on four continents regarding their current cybersecurity operations. The respondents represented a proportional mix of leadership, management and operations roles in both IT and information security. The breadth of respondents is important because the results, therefore, reflect the opinions of those who create cyber strategy, those who implement it and those who face the day-to-day realities of this complex subject.

In this blog post, I’ll summarize the key findings from the study as well as offer my own insights to help explain what is driving the respondents’ opinions.

Cybersecurity in public sector: five insights you need to know

The five insights presented in the study and the order in which they appear are equally important for understanding the current posture of public sector cybersecurity. The first insight from the study is that public sector cyber-related attacks are ceaseless. In fact, 88% of public sector organizations have suffered at least one damaging cyberattack over the past two years; 62% have experienced two or more.Cyberattacks in the public sector have been rampant for many years prior to 2019 and will remain true well into the future.

However, the second insight – that attacks on IoT and OT assets are now a top priority – is an emerging concern that directly impacts the remaining three insights. IoT and OT assets create a larger number of potential vulnerabilities, requiring both enhanced visibility (third insight) into an expanded attack surface and staff who know how to cover these new assets.

Furthermore, the expanded attack surface alters the relationship between cyber risk and business risk (fourth insight) by adding the catastrophic effects of a loss of critical IoT or OT services to the mix. This would be similar to planning for a hurricane or other natural disaster, but without the “natural” part.

Finally, the number of incremental vulnerabilities inherent in an expanded attack surface demand better prioritization of those vulnerabilities (fifth insight) for remediation to stay one step ahead of the bad guys.

It’s time to pay more attention to the entire attack surface, including IoT and OT

Here are my insights that provide additional context for the study’s findings:

• The easy stuff is done already. Public sector cyber professionals have done an excellent job promoting basic cyber hygiene among public sector employees. As a result, phishing attacks have been dramatically reduced in the public sector. This means that more attention can now be given to complex threat vectors that target IoT and OT.
• Digital transformation has expanded the attack surface. The swift pace of digital transformation in the public sector has created a swift expansion of the digital attack surface, with more IoT and OT devices being used to improve community services. “Smart city” and “smart state” initiatives have increased demand for new mobile applications and interconnected devices, all of which is increasing the number of threats confronting public sector IT and infosec professionals.
• Converged IT/OT environments. Public sector IT and cybersecurity leaders are increasingly being asked to manage a converged IT/OT environment, requiring them to adopt methods and tools that help to identify, prioritize and remediate vulnerabilities more efficiently.
• Cyber is cool. Today’s youth have had “eyes on glass” since before they could walk. High schools teach information security courses. Universities now grant degrees in information security. The military has created scads of new cyberwarrior roles. All this means cyber is now officially cool. Unfortunately for public sector IT and security professionals, this means recruiting and retention have become infinitely harder.

For a closer look at the study, download Cybersecurity in Public Sector: Five Insights You Need to Know now.

Google Chrome 72.0.3626.121 released to address in-the-wild exploitation of CVE-2019-5786.

Background

On March 1, Google announced the availability of Google Chrome version 72.0.3626.121 for Windows, Mac and Linux. On March 5, Google provided additional context about this release.

Analysis

Google Chrome 72.0.3626.121 addresses CVE-2019-5786, a Use-After-Free (UAF) vulnerability in FileReader, an application programming interface (API) included in browsers to allow web applications to read the contents of files stored on a user’s computer. According to Google, this vulnerability has been exploited in the wild and was discovered and reported by Clement Lecigne, a security engineer from Google's Threat Analysis Group, at the end of February.

Solution

Tenable strongly advises users to upgrade to Google Chrome 72.0.3626.121 as soon as possible. Justin Schuh, leader of Google Chrome’s Security and Desktop team, has issued a public service announcement about this particular release.

Also, seriously, update your Chrome installs... like right this minute. #PSA

— Justin Schuh (@justinschuh) March 6, 2019

Identifying affected systems

A list of Nessus plugins to identify this vulnerability will appear here as they’re released.

Get more information

• Stable Channel Update for Desktop (72.0.3626.121)

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Cisco released security advisories for multiple vulnerabilities including CVE-2019-1614, an authenticated RCE vulnerability affecting many Cisco switches running NX-OS.

Background

On March 6th, Cisco released advisories for multiple vulnerabilities. One noteworthy update amongst them was an NX-API remote code injection vulnerability (CVE-2019-1614) wherein an authenticated remote attacker could execute code on a number of Cisco products running NX-OS. The attack is executed via the NX-API, which is disabled by default on NX-OS devices. Cisco has released an advisory bundle for the affected FXOS and NX-OS devices. Additionally, Cisco has provided updates to their advisories for CVE-2019-1663 and CVE-2018-0296.

Analysis

If the NX-API is enabled on an affected device, an attacker could send malicious HTTP/HTTPS requests that take advantage of improperly sanitized code on the device, which executes the injected code as the root user. Since most of these devices are switches, this would give an external threat actor a foothold into an organization’s network on a trusted device.

Cisco also updated the advisories for Cisco RV110W, RV130W, and RV215W Routers (CVE-2019-1663) and Cisco Adaptive Security devices (CVE-2018-0926) to indicate that Cisco’s Product Security Incident Response Team (PSIRT) is aware of ongoing attempts to exploit these vulnerabilities by attackers.

Solution

Cisco has included the fixes for these vulnerabilities in the latest version of NX-OS for the affected devices. Cisco has recently begun to bundle associated advisories, so please check the advisory page for updates and versioning information for your relevant devices.

Identifying affected systems

A list of Nessus plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

• Cisco security advisories for March 6th
• Cisco FXOS and NX-OS Software Security Advisory
• Cisco advisory for CVE-2019-1614

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Security baselines are helpful but to be sure of their effectiveness you need to perform regular audits. Here’s how you can use Tenable.io and Nessus Professional to audit the security baselines included within the Microsoft Security Compliance Toolkit.

An important portion of information security is ensuring systems and software are configured in a secure manner. If you look at the Critical Security Controls lists many organizations produce, Secure Configurations typically appear within the top 5. To support this, we have seen more and more vendors create Security Best Practices documents to help customers protect their infrastructure, such as Microsoft with the Microsoft Security Compliance Toolkit (MSCT). There are also organizations such as the Center for Internet Security (CIS) and Defense Information Systems Agency (DISA) producing best practice documents. At Tenable, we have also created Best Practice audits for some popular software.

Some of these documents contain principles (ie: Limit Administrator Privilege) vs prescriptive statements (ie: Lock-out Account After 3 Failed Logins). While both types of documents provide value to an organization, the documents with prescriptive statements are generally easier to validate compliance, as the value is either a pass or fail. Documents with principle statements are usually open to more interpretation, so audits usually require more effort to determine compliance. The Microsoft Security Compliance Toolkit provides prescriptive configurations and guidance.

What is Microsoft Security Compliance Toolkit?

Microsoft produced a set of tools so organizations can apply Microsoft-recommended security configurations to their environment. The typical method for deploying the baselines is via Active Directory using Group Policy Objects (GPOs), or individually via local policy. Also included with the baselines are spreadsheets documenting the settings.

The toolkit contains baselines for newer Microsoft Operating Systems, including:

Windows Server:

• Windows Server 2019
• Windows Server 2016
• Windows Server 2012 R2

Windows 10:

• Windows 10 v1809 (October 2018 Update)
• Windows 10 v1803 (April 2018 Update)
• Windows 10 v1709 (Fall Creators Update)
• Windows 10 v1703 (Creators Update)
• Windows 10 v1607 (Anniversary Update)
• Windows 10 v1511 (November Update)
• Windows 10 v1507

The Windows Server and Windows 10 baselines cover the Core OS and Internet Explorer.

There is also a security baseline for Office 2016.

Why utilize the Microsoft Security Compliance Toolkit?

When you leverage the configuration baselines from Microsoft Security Compliance Toolkit, you are taking an important step to improve your security posture. There are also operational benefits to adopting the baselines. Some of these benefits include:

• Less complex environment. When using a standard configuration, there is an expectation that all hosts with the same configuration will behave in a similar manner. The fewer different configurations you have to maintain, the easier to test and troubleshoot.
• Leverage expertise. Most organizations don’t have the resources to completely develop and test their own security baselines. It is good practice to leverage expertise from a trusted source. They can save you a lot of time and effort in creating and maintaining baselines.
• Better awareness. Having standard configurations is beneficial when analyzing impacts to the environment, including detection of new vulnerabilities, impact of change requests, detecting configuration drift/misconfigurations, etc.

Configuration Auditing with Tenable.io and Nessus

Security baselines are great, but to be sure of their effectiveness you need to perform regular audits. Tenable.io and Nessus Professional include recently created audits for the security baselines included within the Microsoft Security Compliance Toolkit. In addition to the benefits listed above, automated configuration auditing adds the following benefits:

• Validate the configuration is properly applied.
• Ensure changes to the environment have not inadvertently modified security settings.
• Based on scan frequency, be able to narrow down the suspected window of a configuration change.
• Greatly reduce the manual effort of performing these tasks.
• Individual checks are mapped to several cybersecurity frameworks and standards. This information and scan history can help support evidence of compliance efforts.

Getting Started Auditing Microsoft Security Compliance Toolkit

You can get started auditing security baselines from the Microsoft Security Compliance Toolkit today. Visit http://downloads.tenable.com and select the audit file(s) for the baselines applied in your environment, then log into Tenable.io or Nessus.

These audits are simple to set up as they do not leverage variables, and the audits have platform checks built in, so each audit will only run on the appropriate OS version.

For example, if you have a Windows 10 environment with v1809 and v1803, you can set up a scan with both audits, and only the appropriate audit will be evaluated on the host.

Once the configuration is saved, run the scan and review the results.

For demonstration purposes, this scan was run against a single non-remediated host. Below is example output from one of the checks.

Each result contains the following information:

- Status - Pass / Fail / Warning

- Remediation steps are displayed if the check did not pass

- When possible, actual results from the system will be included

Wrap-up

If your organization currently does not follow security baselines, or you have created your own but the maintenance is a burden, it may be worth taking a look at the baselines provided as part of the Microsoft Security Compliance Toolkit. These baselines can save you a lot of effort in creation and maintenance.

Additionally once you adopt the security baselines, ensure you are performing regular audits to ensure the baselines are properly in effect.

At Tenable, we strive to regularly update our policy compliance audits to match the newest versions published by Microsoft. We also realize there are many cybersecurity frameworks available for organizations to follow, so we regularly map the checks in the policy compliance audits to various framework controls.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

In part three of our six-part blog series on improving your cybersecurity strategy, we discuss the challenges organizations face in pinpointing those vulnerabilities which pose the greatest threat to their business, and offer five tips for improving your prioritization efforts.

The number of vulnerabilities has nearly doubled in the past two years. But the number of vulnerabilities being exploited is only a small fraction of the total. Achieving an accurate view of your entire attack surface, so you can effectively respond to those vulnerabilities which represent the greatest threat to your organization, requires a new approach we call Cyber Exposure.

The discipline of Cyber Exposure depends on your ability to accurately answer four key questions:

• Where are we exposed?
• How should we prioritize based on risk?
• How are we reducing our exposure over time?
• How do we compare to our peers?

In part two of our six-part series, we explored ways to answer the question “where are we exposed?” Once you’ve gained an accurate view of your entire attack surface, it’s time to consider how to prioritize your vulnerability response strategy. Since no two organizations are alike, this requires understanding the level of business threat each vulnerability poses to the critical assets in your particular organization.

For example, let’s say you encounter a vulnerability with a “critical” CVSS score. Yet, when you begin to investigate its true threat, it turns out the vulnerability doesn’t present such a significant risk to your business after all. Perhaps there are characteristics that make it unappealing to the criminal element for widespread exploitation. Maybe it affects an application or asset type which has a low level of criticality for your day-to-day operations. Or involves an app that’s effectively air-gapped so as not to pose a threat. It’s only when you are able to accurately make such a risk-based assessment of vulnerabilities that you can truly being to improve your response process.

Assessing Risk: By the Numbers

The idea of conducting a threat-centric evaluation of each vulnerability seems daunting when you consider the thousands disclosed annually. There were some 16,500 new vulnerabilities in 2018, of which only 7% had a public exploit available and an even smaller subset were ever weaponized by threat actors. The Tenable data science team estimates only 3% of vulnerabilities will be exploited. Put another way, it means that only a small percentage of the thousands of vulnerabilities disclosed every year pose a legitimate threat.

At a time when organizations of all sizes are challenged to keep their cybersecurity teams adequately staffed, being able to prioritize your vulnerability response tactics is more essential than ever. According to the report Measuring and Managing the Business Costs of Cyber Risk, conducted by Ponemon Institute on behalf of Tenable, the majority of organizations say the security function does not have adequate staffing to scan vulnerabilities in a timely manner. Without effective response prioritization, how can you know where to invest limited resources and personnel to protect your organization’s most critical assets?

5 Steps for Effective Vulnerability Prioritization

Effective prioritization requires complete visibility into your attack surface. Once you’ve achieved that, taking these five steps will kickstart your prioritization efforts:

1. Prioritize your threat responses based on the vulnerabilities for which exploits are currently happening -- or for which you can expect activity in the near future -- based on predictive probability analysis. You’ll need continuous situational awareness and threat context in order to make this assessment.
2. Let data drive your decisions. When you’re armed with a quantified analysis of vulnerabilities and where attackers have the lead, you’ll be well informed about where to respond first.
3. Maintain a fluid response priority list to allow for the inclusion and proper ranking of emerging threats.
4. Keep an updated inventory of critical assets so you know precisely what is at risk and where attackers are most likely to take aim. This can also help improve your backup and recovery plans.
5. Replace the current start-stop models and discrete cycles with continuous security assessments and response prioritization models. Align operational processes to support rapid response. Be sure to also support ad hoc remediation and mitigation requests rather than just focus on those stemming from regular maintenance and patch windows.

Remember, your priorities will change regularly based on constantly shifting data about the day’s greatest threats and your own organization’s internal security status. Having effective processes in place will help you make risk prioritization an intrinsic part of your Cyber Exposure practice.

In part one of our six-part blog series on improving your cybersecurity strategy, we explored 4 Cybersecurity Questions Every CISO Should Be Ready to Answer. In part two, we covered 3 Tips for Identifying Your Organization’s Cyber Exposure Gap. In part four, we’ll explore how to reduce your organization’s exposure over time.

Learn more:

• Read more about Cyber Exposure here: https://www.tenable.com/cyber-exposure 
• Download the Vulnerability Intelligence Report from Tenable Research
• Watch the on-demand webinar Eliminate Vulnerability Overload with Predictive Prioritization

Thank you to all the customers who took the time to share your experience working with Tenable, and for trusting us to help you understand and reduce your cybersecurity risk.

At Tenable, our customers are at the heart of what we do. So imagine our delight when we learned Tenable was named a March 2019 Gartner Peer Insights Customers’ Choice for Vulnerability Assessment.

Not only did you give us the most five-star ratings in this category as of March 19, 2019, but we also received 281 verified reviews in the last 12 months -- more than twice as many as others in this market. Of those reviewers, 130 customers gave Tenable five out of five stars!

Gartner Peer Insights Customers’ Choice is based on customers’ views of the market’s highest-rated vendors and is determined by both the quantity of reviews (minimum of 50) and overall rating (minimum of 4.2 out of 5). Gartner verifies every review before publishing, to ensure its authenticity, with one (lowest) to five (highest) stars given based on various criteria: evaluation and contracting; integration and deployment; service and support; and product capabilities. 

To see the full list of vendors in the March 2019 Gartner Peer Insights Customers' Choice for Vulnerability Assessment, click here. 

Gartner classifies “the vulnerability assessment (VA) market as vendors that provide capabilities to identify, categorize and manage vulnerabilities. These include unsecure system configurations or missing patches, as well as other security-related updates in the systems connected to the enterprise network directly, remotely or in the cloud.”

Thanks for Your Kind Words

Below is a sampling of the typical reviews Tenable received:

“Easy Integration And Great Results. We've used the system to help figure out any possible security holes that we've had opened on our app and db layers along with using it for PCI compliance.” Systems Administrator, Services Industry

“Ability To Integrate Improves Cyber Hygiene...Tenable.sc has allowed easy implementation and consolidation of information from our 40 plus Nessus scanners and 25,000 plus agents across our environment. It has also been easy to integrate with other tools and our SIEM to provide greater visibility and automated corrective actions for our cyber hygiene.” CISO in Government Industry 

“Very robust system with seemingly endless possibilities. Using a service such as this is a must as vulnerabilities are ever changing and evolving. Support & Reporting are great as well. Simply the best solution around.”  Information Security Analyst in Finance Industry

Having so many of you take time out of your busy schedules to not only rate our solutions but write such emotive reviews means the world to us. The number of vulnerabilities organizations face has almost doubled in the last two years. Patching everything is not only impossible but impractical and places unnecessary pressure on already stretched resources and people. With just a fraction of vulnerabilities weaponized, we’re focusing our efforts on helping our customers identify the real -- rather than the theoretical -- risks in their infrastructure to reduce their Cyber Exposure.

Thank you to all the customers who took the time to share your experience of Tenable with others, and for trusting us to help you understand and reduce your cybersecurity risk.

About Gartner Peer Insights and Customers’ Choice

Peer Insights is an online platform of ratings and reviews of IT software and services that are written and read by IT professionals and technology decision-makers. The goal is to help IT leaders make more insightful purchase decisions and help technology providers improve their products by receiving objective, unbiased feedback from their customers. Gartner Peer Insights includes more than 70,000 verified reviews in more than 200 markets. For more information, please visit www.gartner.com/reviews/home.

 Gartner Peer Insights Customers’ Choice constitute the subjective opinions of individual end-user reviews, ratings, and data applied against a documented methodology; they neither represent the views of, nor constitute an endorsement by, Gartner or its affiliates.

Learn more:

Tenable customers reviewed Nessus, Tenable.io and Tenable.sc. To read what they’re saying, visit: https://www.gartner.com/reviews/home.

The Gartner Peer Insights Customers’ Choice badge is a trademark and service mark of Gartner, Inc., and/or its affiliates, and is used herein with permission. All rights reserved. Gartner Peer Insights Customers’ Choice distinctions are determined by the subjective opinions of individual end-user customers based on their own experiences, the number of published reviews on Gartner Peer Insights and overall ratings for a given vendor in the market, as further described here, and are not intended in any way to represent the views of Gartner or its affiliates.

Third-party components are used to build most new web applications, and these components are highly vulnerable. Here’s how you can use Tenable.io Web Application Scanning (WAS) to assess common vulnerabilities in custom code.

Today’s web applications are highly complex in terms of business features and technical architecture. This complexity leads to a dramatically expanded attack surface requiring a new approach to web application scanning.

Limitations with traditional web application scanning

Web application scanning has been traditionally focused on generic web app vulnerability detection. This is a mandatory requirement to discover and remediate common vulnerabilities, such as injection, cross-site scripting, broken authentication or insecure deserialization (see OWASP and CWE for more information). However, traditional web application scanning alone can often miss component vulnerabilities, which can be exploited in real world attacks.

The complexity of web applications ranges widely - from a single static page to a full transactional business platform. However, even a simple web application is built with multiple layered third-party components, like web servers, web application servers, web frameworks, programming languages and JavaScript libraries. The problem for security teams is that many of these components are outdated and contain multiple high-risk vulnerabilities.

Third-party components are creating growing cyber risk

While common web vulnerabilities - like those identified by OWASP - are often used for targeted attacks, third-party component vulnerabilities are being weaponized for use in automated attacks that look for vulnerable components to exploit.

Equifax is the best-known breach in the last two years as a result of threat actors exploiting third-party components. The entry point was likely an outdated Apache Struts exploited to get remote code execution on the targeted web application. Therefore, a third-party component vulnerability was the main issue. Content Management Systems (CMS) are also becoming a significant web attack vector. Web applications using unpatched Drupal were widely exploited with Drupalgeddon (1, 2 and 3) attacks over the past several years. WordPress, used by an estimated 30% of all web applications, has also been targeted recently with CVE-2017-1001000 actively exploited in 2017.

The ability to identify and assess these third-party components is critical in web application security, and it must be part of a comprehensive web application scanning solution.

Tenable Web Application Scanning approach

Web application security assessments have to cover weaknesses and vulnerabilities for internal development and third-party components used to build the web application. The assessment process includes the following main steps:

1. Browsing and enumerating hidden files and directories to identify web application entry points;
2. Fingerprinting to provide information about all components used and their versions, which can identify additional entry points; and
3. Vulnerability and misconfiguration detection based on information gathered during the previous steps to understand security issues to fix.

This full assessment process must be run frequently due to the continuously evolving attack surface and threat landscape, which create new entry points and vulnerabilities.

At Tenable, we have a product called Tenable.io Web Application Scanning (WAS) that can be used to assess common vulnerabilities in custom code, such as SQL Injection, Cross-Site Scripting (XSS), XML External Entity, Command Injection and Path Traversal, among many others. Once common web vulnerabilities are covered, WAS can also assess third-party component vulnerabilities.

For example, for web applications built with Drupal, WAS can detect Drupal and identify its version. Then vulnerabilities can be reported with version-based plugins (e.g., one of the plugins for SA-CORE-2019-003 security release) or remote-check plugins (e.g., the plugin for SA-CORE-2018-002).

Misconfiguration detection is also a potential critical security issue as it can lead to full web application takeover if a web application is not configured properly. A fully patched WordPress can leak usernames and provide access to its administration console without restriction. With these misconfigurations, an attacker is able to brute-force username passwords to get access to the WordPress administration panel and take control of the web application. To guard against this security threat example, WAS is able to enumerate WordPress usernames and detect whether a WordPress administration panel is available.

The same approach is applied to web framework components, which are more difficult to detect and assess. ThinkPHP is one of the web frameworks WAS is able to fingerprint, and for which it can provide remote-check plugins for critical vulnerabilities like CVE-2018-20062 and the most recent Remote Code Execution (RCE) for ThinkPHP 5.x < 5.0.24. JavaScript libraries are also components that must be assessed to detect Cross-Site Scripting and other critical vulnerabilities (e.g., jQuery File Upload). jQuery, Bootstrap or YUI are some of the JavaScript libraries WAS supports in its broad vulnerability coverage.

Learn more

Web applications can be extremely complex to secure, and the web application attack surface and threat landscape are continuously evolving. All third-party components must be covered in terms of misconfiguration and vulnerability detection in a web application scanning solution. Because WAS is backed by Tenable Research, the industry’s largest vulnerability research organization, the product supports a broad range of web application vulnerability detection plugins spanning custom web development and 3rd-party components.

If you’re interested in learning more, please join us on March 27 for a complimentary webinar on how to Protect Your Web Applications from Component Vulnerabilities. You can also try WAS in your environment. Click here to start a free 60-day evaluation.

Popular WordPress plugin vulnerable to unauthenticated attacks continues to be targeted despite the availability of a patch.

Background

On March 17, researchers at Ninja Technologies Network (NinTechNet) published a blog about their discovery of a critical zero-day vulnerability in the Easy WP SMTP plugin that attackers began exploiting in the wild on March 15. According to WordPress, the Easy WP SMTP plugin has over 300,000 active installations. The Easy WP SMTP plugin authors released a patched version of the plugin on March 17. However, researchers at Defiant continue to observe attacks in the wild targeting this plugin.

Analysis

The vulnerability exists in version 1.3.9 of the Easy WP SMTP plugin. It was reportedly introduced when the authors added Import/Export functionality to the admin_init function. According to NinTechNet, this function is used to “view/delete the log, import/export the plugin configuration and to update options in the WordPress database.” The issue appears to be that any logged-in user is capable of executing these commands, as the code does not validate their privileges. What makes this more severe is the plugin’s use of AJAX, which is available in the admin_init function and allows unauthenticated users to execute these commands without logging into a vulnerable site.

Proof of concept

NinTechNet provided a proof of concept in its blog post that uploads a file to a vulnerable WordPress site, modifying its settings to allow any user to register on the site and grant administrator permissions to all users. They also mention that this vulnerability could be leveraged to achieve remote code execution.

Solution

The Easy WP SMTP plugin was updated to version 1.3.9.1 on March 17 to address this vulnerability. It is important for site administrators to ensure this plugin is up to date.

Site administrators must regularly review what plugins are running on their sites and whether they are up-to-date. Plugin updates may contain fixes for security issues and failure to update can leave sites vulnerable to compromise.

Identifying affected systems

A list of Nessus plugins to identify this vulnerability will appear here as they’re released.

Get more information

• NinTechNet blog post
• Wordfence report on exploitation in the wild
• Easy WP SMTP plugin description page

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io Vulnerability Management.

Multiple security vulnerabilities found in Grandstream devices’ web interfaces include remote code execution and user credentials stored in plaintext.

Background

According to Threatpost, a number of Grandstream telephony and networking devices contain multiple vulnerabilities which could lead to remote code execution (RCE) attacks. Compromised devices would also allow an attacker to install malware, enable video/audio recording, and read all of the locally stored credentials which the devices store in plaintext.

Analysis

In Trustwave SpiderLabs' original advisory, the different RCE vulnerabilities are explained in detail, including proof-of-concept examples. An attacker could send malicious HTTP requests to the web interface on these devices to take control of them, eavesdrop through audio/video capabilities, and implant malware that the SpiderLabs researchers believe could be used to launch cross-site request forgery (CSRF) attacks.

The list of affected devices and associated firmware can be found below:

Pre-authentication RCE:

• GAC2500 -- F/W version: 1.0.3.30
• GVC3202 -- F/W version: 1.0.3.51
• GXP2200 -- F/W version: 1.0.3.27 (end of life product)
• GXV3275 -- F/W version: 1.0.3.210
• GXV3240 -- F/W version: 1.0.3.210

Post-Authentication RCE:

• GXV3611IR_HD -- F/W version: 1.0.3.21
• UCM6204 – F/W version: 1.0.18.12
• GXV3370 -- F/W version: 1.0.1.33
• WP820 -- F/W version: 1.0.1.15
• GWN7000 -- F/W version: 1.0.4.12
• GWN7610 -- F/W version: 1.0.8.9

Solution

Upgrading to the latest firmware version for affected devices reportedly fixes these vulnerabilities. However, SpiderLabs researchers report that the patch for the GAC2500 is insufficient, and that it is possible other devices may still be vulnerable. Disabling the web interface, which is enabled by default, should also mitigate these vulnerabilities.

Identifying affected systems

A list of Nessus plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

• Threatpost Blog
• Trustwave SpiderLabs Security Advisory TWSL2019-003

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io Vulnerability Management.

Creating a cybersecurity program wherein you can assess your web applications and websites doesn’t need to be any more difficult than setting up a vulnerability management program. Easy-to-use tools that provide clear results make the job fairly straightforward, which pushes the maturity of your overarching cybersecurity up a notch.

Many states have published guidelines or passed laws requiring all websites and web applications to be assessed for security vulnerabilities before they are promoted to production on the internet. Many web applications have serious flaws that could lead to the unauthorized exposure of sensitive data if they were compromised.

In my previous work as a CISO and security practitioner, I’ve had the chance to work with a lot of different tools. The Tenable.io Web Application Scanner (WAS) is an easy-to-use product for assessing your web sites and web applications and provides easy-to-read, actionable results that can be used to remediate vulnerabilities and flaws. Unlike many other products on the market, there are no manual steps, and you don’t need a Ph.D. in web application development to run it.

So, what should I do?

Thinking not as a Security Engineer, but rather as a former CISO and security practitioner, the following 10-step recipe should work well for most organizations to build an effective Web App Assurance Program:

1. Start small. Test a simple website or application to get a feel for the product.
2. Learn when to use the different types of scans you can do using Tenable.io WAS: 
   • Legacy Web App scan – used to assess your web infrastructure that is exposed to the internet; web servers and open ports. This is essentially running Nessus against your web servers.
   • Web App Overview scan – similar to a discovery scan with Nessus, this does a limited assessment, and is useful for building a sitemap to determine your deeper scanning strategy.
   • Web App Scan – the main (deep) scan type. This is a flexible scan that can be run with and without credentials, which is useful for seeing what an authenticated user can see and do vs. an unauthenticated user. I recommend running both.
3. Focus on repairing the vulnerabilities according to the business criticality of the application. (Think about what type of information is connected to a website or web application.) For example, a critical vulnerability on a webpage that serves up news may not be as high a priority to remediate as a medium vulnerability on an important constituent portal web application.
4. Set up an internal WAS scanner using the Tenable WAS virtual appliance to assess any internal web servers that are not exposed to the public internet. This way, you can scan your apps and sites before they are exposed to the public. (Did I mention that there is no cost for the scanners since you’re subscribed to Tenable.io WAS?)
5. Consider giving your developers access to scan their own internal test and dev environments. This will allow them to test their own code before it’s ready to be promoted to production on the internet.
6. Develop and document a formal Approval to Operate program, or ATO, where a senior Security official has to evaluate and sign off on any applications before they are promoted to production on the internet.
7. If something can’t be patched or fixed within a reasonable time, document it in a “Provisional Approval to Operate,” where you have details on the vulnerability listed along with a plan for remediation. Make sure there is follow-up to get the vulnerability taken care of and schedule a review within a reasonable amount of time.
8. Develop a regular scanning cadence. (Once every x days for apps with low-sensitivity data, once every y days for apps with highly sensitive data.) Remember, a scan is only a snapshot in time, and as more vulnerabilities are found and published, your scan information loses its relevance. You have to continue to scan your applications on a regular basis.
9. On the heels of the “Start small” advice (see No. 1), once you have a good idea of what you are doing, expand the program out to cover more websites and web applications.
10. Integrate this process into your organizational Software Development Life Cycle (SDLC).

Using the above recipe, you can create a software assurance program for your organizational web applications, which will go a long way towards maturing your overall security posture. I’ve always said that since we fight a never-ending battle to secure our enterprises, we must at the minimum strive to push the needles in the right direction. This is a great way to do that.

Learn more

• Download the Cybersecurity Insider’s 2018 Application Security Report to learn more about the latest application security trends, see how organizations are protecting applications, and discover which tools and best practices IT cybersecurity teams are prioritizing.

Magento Commerce and Open Source advisory provides fixes for RCE, XSS, SQLi, and XSRF vulnerabilities.

Background

Magento has released a security advisory for 30+ vulnerabilities, including an unauthenticated Remote Code Execution (RCE) vulnerability which Magento is highly recommending users patch as soon as possible. Magento is an e-commerce management tool widely used by many online platforms. With the frequency of Magecart attacks, proper e-commerce security is critical for any modern business.

Analysis

In the advisory, “PRODSECBUG-2198” is a high severity unauthenticated SQL injection vulnerability that could allow an attacker to run code on a target Magento instance, and the advisory lists that this could lead to sensitive data leakage. Data leakage for e-commerce platforms involve personal and financial information, and Security Boulevard reports that this attack is “Very Easy” to execute. No specific details or publicly available exploits exist at this time, but Magento is recommending customers upgrade to protect their stores.

Solution

Magento site owners should update to the patched versions as soon as possible. PRODSECBUG-2198 has been patched in the following Magento releases:

• Magento Open Source 1.9.4.1
• Magento Commerce 1.14.4.1
• Magento Commerce 2.1.17
• Magento Commerce 2.2.8
• Magento Commerce 2.3.1

Identifying affected systems

A list of plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

• Magento Advisory
• Security Boulevard analysis of PRODSECBUG-2198

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io Vulnerability Management.

Cisco finalizes patch for RV320 and RV325 after researchers determined a previous patch was incomplete.

Background

On April 4, Cisco published updated advisories to address two vulnerabilities in its RV320 and RV325 routers that were originally reported in January 2019. Additionally, Cisco published advisories for two newly discovered, medium severity bugs in the same routers.

Analysis

Tenable blogged about these vulnerabilities CVE-2019-1652 and CVE-2019-1653 in late January when public exploit scripts were published. Shortly after publication, reports about exploit attempts against these devices surfaced. Additionally, Troy Mursch, (@bad_packets), reported over 9,000 devices were reportedly vulnerable to exploitation.

Initially, Cisco said it had patched these vulnerabilities in firmware versions 1.4.2.20 and later (CVE-2019-1652) and firmware versions 1.4.2.19 and later (CVE-2019-1653). However, threerecentadvisories from RedTeam Pentesting GmbH including new proof of concept (PoC) code were published on March 27, indicating that the previous patches were incomplete. Cisco confirmed the findings from RedTeam Pentesting and indicated that a complete patch was imminent. Troy Mursch updated his previous blog post, highlighting that over 8,000 devices were still vulnerable to CVE-2019-1653.

Using the latest data from @binaryedgeio, we've scanned 14,045 Cisco RV320/RV325 routers and found 8,827 are leaking their configuration file, including admin credentials, to the public internet.

Map of total vulnerable hosts found per country: https://t.co/8TDKyIGUTepic.twitter.com/7ffywLebEt

— Bad Packets Report (@bad_packets) March 28, 2019

In addition to these updated advisories, Cisco published two new advisories for medium severity bugs in the same routers. CVE-2019-1827 is a reflected cross-site scripting (XSS) vulnerability in the Online Help web service on the routers, while CVE-2019-1828 is a weak credential encryption vulnerability. Both vulnerabilities could be exploited by an unauthenticated, remote attacker. The latter could reveal encrypted administrative credentials, but requires the attacker to be operating as a man-in-the-middle. Because the device uses a weak encryption algorithm, a man-in-the-middle would likely be able to decrypt these credentials and gain administrative access to the vulnerable device.

Solution

Cisco says firmware version 1.4.2.22 for RV320 and RV325 addresses the incomplete fixes for CVE-2019-1652 and CVE-2019-1653. The release notes for 1.4.2.22 show that CVE-2019-1827 and CVE-2019-1828 are also addressed based on the associated Cisco Bug IDs.

Identifying affected systems

A list of Nessus plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

• Cisco Small Business RV320 and RV325 Routers Command Injection Vulnerability
• Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability
• Cisco Small Business RV320 and RV325 Routers Online Help Reflected Cross-Site Scripting Vulnerability
• Cisco Small Business RV320 and RV325 Routers Weak Credential Encryption Vulnerability
• Tenable Blog: Public Exploit Scripts for Vulnerable Cisco Small Business RV320 and RV325 Devices Now Available

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io Vulnerability Management.

A new report from Ponemon Institute and Tenable reveals that 62% of organizations in industries relying on operational technology experienced two or more business-impacting cyber attacks in the past 24 months.

If you follow cybersecurity news as avidly as we do, you already know that industrial control systems underlying critical infrastructure are vulnerable, and they are under attack. But, how bad is it? Tenable commissioned Ponemon Institute to answer this question and provide insight into past events, preparedness and future priorities. The data from 701 respondents in industries that have OT infrastructure is presented in the report, Cybersecurity in Operational Technology: 7 Insights You Need to Know. A few highlights are discussed below.

OT is Not Well Defended and Vulnerabilities Abound

Visibility into the Attack Surface is Insufficient. Only 20% of respondents agreed or strongly agreed that they had sufficient visibility into their organization’s attack surface. This is very concerning because all security controls/processes depend on the visibility provided by comprehensive asset inventories. You are unlikely to manage and secure assets if you don’t even know about them.

Inadequate Staffing and Manual Processes Limit Vulnerability Management. The shortage of cybersecurity professionals has been well documented. In 2017, Forbes quoted the IS Audit and Control Association (ISACA) as predicting a global shortage of 2 million cybersecurity professionals by 2019. We are now in 2019, and I haven’t seen any data disprove ISACA’s prediction. The well-publicized cybersecurity skills shortage is exacerbated by reliance on manual processes to assess and remediate vulnerabilities.

Top Impediments to Effective Vulnerability Management

Using a five-point scale of strongly agree to strongly disagree, the following percentage of respondents agreed or strongly agreed with the below statements.

Source: Cybersecurity in Operational Technology: 7 Insights You Need To Know, Ponemon Institute and Tenable, April 2019.

Vulnerabilities Continue to Proliferate. The ability to assess and remediate vulnerabilities in a timely manner is extremely important. In the first 45 days of 2019, the Industrial Control System-Computer Emergency Response Team (ICS-CERT) issued 45 alerts describing vulnerabilities in industrial control systems¹. These vulnerabilities apply to products from leading control system manufacturers, including ABB, AVEVA, Mitsubishi, Omron, Rockwell, Schneider Electric, Siemens and Yokogawa. That quantity is small compared to the 405 IT vulnerabilities discovered during the same period. However, staff responsible for OT security cannot put blinders on and focus only on OT vulnerabilities because IT/OT convergence means that both ICS and IT vulnerabilities can be exploited to attack critical infrastructure. 450 combined OT and IT vulnerabilities in 45 days is challenging for many organizations to assess and remediate. This velocity may or may not continue throughout the year, but even if it decreases by half, the number is challenging to manage without an automated process.

OT is Under Attack

According to the Operational Technology Cybersecurity Insights report, manual vulnerability management processes result in inadequate protection against cyber-attacks. The report reveals most organizations in industries that have OT infrastructure have experienced multiple cyber-attacks causing data breaches and significant disruption/downtime to business operations, plant and operational equipment. Over the past 24 months:

• 90% have experienced at least one damaging cyberattack, and 62% have experienced two or more. These data refer to all damaging attacks, not just attacks against OT infrastructure. IT attacks are included because some can result in attackers pivoting from IT into OT.
• 50% experienced an attack against OT infrastructure that resulted in downtime to plant and/or operational equipment.
• 23% experienced a nation-state attack. Nearly one quarter were able to attribute an attack to a nation state. This is a serious concern due to the high level of expertise and funding nation-states can provide. Nation-states attackers are not script kiddies.

How Can You Move Forward?

The survey reveals that 70% of respondents view “Increasing communication with C-level and board of directors about the cyber threats facing our organization” as one of their governance priorities for 2019. If this applies to you, you can reference the survey data in discussions with executive leadership as you discuss your organization’s security posture relative to OT attacks.

About this study

The report Operational Technology Cybersecurity Insights is based on a survey of 710 IT and IT security decision-makers in the following industries: energy and utilities; health and pharmaceutical; industrial and manufacturing; and transportation industries. Respondents were from the United States, United Kingdom, Germany, Australia, Mexico and Japan, and all respondents have involvement in the evaluation and/or management of investments in cybersecurity solutions within their organizations. The consolidated global findings are presented in this report. Download your free copy here.

¹Tenable Research discovered a Remote Code Execution vulnerability in InduSoft Web Studio, an automation tool for human-machine interface and SCADA systems.

Learn more

Join Larry Ponemon, PhD., Chairman and Founder of the Ponemon Institute and me at our upcoming webinar as we present and discuss the survey insights.

16,500 new vulnerabilities were disclosed in 2018 – and CVSS categorized the majority as high or critical. With vulnerabilities on the rise, how can you identify the biggest threats to your business – and know what to fix first? Predictive Prioritization is an innovative process that changes how organizations tackle vulnerability overload, enabling you to zero in on remediating the vulnerabilities that matter most. Curious how Predictive Prioritization works? Get answers to this and other common questions in the Predictive Prioritization FAQ.

Q. What is Predictive Prioritization?

A. Predictive Prioritization is the process of re-prioritizing vulnerabilities based on the probability they will be leveraged in an attack.

Q. What is the difference between Predictive Prioritization and a Vulnerability Priority Rating (VPR)?

A. The output of the Predictive Prioritization process is the Vulnerability Priority Rating (VPR), which indicates the remediation priority for an individual vulnerability. VPR operates on a scale of zero to 10, with 10 being the greatest severity. Watch the video below to learn more about VPR.

Q. Why do I need a VPR score? Doesn’t CVSS already prioritize vulnerabilities?

A. CVSS does a good job capturing the scope and impact of vulnerabilities; it offers a sound explanation of what could happen if a given vulnerability is exploited. It also provides a foundation to gauge the likelihood of a vulnerability being exploited. However, its current application fails to deliver the granularity needed to prioritize effectively. Approximately 60% of all CVEs are rated High or Critical by CVSS.

Predictive Prioritization remains true to the CVSS framework (see figure below), but enhances it by replacing the CVSS exploitability and exploit code maturity components with a threat score produced by machine learning – powered by a diverse set of data sources. This means organizations can make remediation decisions based on the vulnerabilities that:

• Are likely to be exploited
• If exploited, will have a major impact

Q. Do VPR scores replace CVSS scores?

A. No. We recommend supplementing your existing processes for prioritization (e.g., CVSS) with VPR.

Q. How do VPR severity bands compare to CVSS severity bands?

A. The same cutoffs are used in CVSS and VPR to create bands. However, the distributions are very different as a result of the prioritization process (see figure below).

Q. Which vulnerabilities get a VPR?

A. Currently, Predictive Prioritization produces a VPR for all vulnerabilities that have a CVE published in the U.S. National Vulnerability Database (NVD). We intend to expand the scope of vulnerabilities scored by Predictive Prioritization in the future.

Q. Can the VPR (score) change?

A. Yes, Predictive Prioritization recalculates VPRs for every CVE every day. They may or may not change, depending on the threat landscape. Read the technical whitepaper for more information.

Q. Does Predictive Prioritization generate a VPR for CVEs that do not have a CVSS score?

A. Yes. If a CVE has no published CVSS metrics/scores, Predictive Prioritization will generate a VPR using available information (e.g., the vulnerability’s description), which we feed into a model that predicts the scores based on terms that appear in the raw text.

For example, if the vulnerability’s description contains the terms “Adobe” and “arbitrary code execution,” then the model might predict high CVSS scores due to past activity on vulnerabilities with similar characteristics. When the actual CVSS scores become available, they replace our predicted values. This is advantageous, as it typically takes 45 days for NVD to publish CVSS scores following the vulnerability’s publication.

Q. Help me understand VPR scores. What does a Critical (>9) VPR actually mean? And, what does a Low VPR mean?

A. Broadly speaking, a Critical VPR means the vulnerability in question has a high probability of being exploited and/or, if successfully exploited, its impact would be significant.

On the flip side, Predictive Prioritization assigns a Low VPR to vulnerabilities that have a lower probability of exploitation and/or the impact, if successfully exploited, is low. However, please keep in mind we can never say with 100% certainty that a vulnerability will not be exploited.

Q. Tenable says Predictive Prioritization will help me focus on the 3% that matter most. What does that 3% mean?

A. This 3% corresponds to the vulnerabilities with a High or Critical VPR and gives you an idea of which vulnerabilities to prioritize for remediation. We recommend that you start fixing vulnerabilities with Critical and High VPRs and work your way down the list. In no way are we suggesting that you should ignore the other 97% of vulnerabilities.

Q. How is VPR different from the CVSS temporal score?

A. The main difference between the two is that VPR predicts the future while CVSS only looks at the past. VPR not only considers the availability and functionality of exploit code, but it also predicts the likelihood of exploitation in the short-term future. VPR is also more granular in how it accommodates exploitation.

Q. “Predictive” sounds interesting, but why does it actually matter?

A. Instead of just looking at historical data to score vulnerabilities, using historical data and a predictive machine learning–based algorithm helps us anticipate – and plan for – what’s likely to happen (rather than what’s already happened). When managing risk, it’s important to know if something has happened in the past, but it’s much more important to know what’s likely to happen in the future.

Q. Is there a difference between exploitable and being exploited?

A. Yes. Exploitable simply means there is an exploit available and could be as basic as an unreliable proof of concept posted to a public archive. But, an exploited vulnerability is serious – it means an exploit successfully breached a vulnerability.

Q. What if a vulnerability has already been exploited?

A. While a vulnerability may have been exploited in the past, the likelihood of being actively exploited (i.e., used in cyberattacks) in the future can change over time.

Q. Do you analyze the full history of every vulnerability?

A. We look at all available information since the vulnerability’s publication.

Q. What are the inputs into the machine learning model for the threat score?

A. Predictive Prioritization currently uses more than 150 distinct features as inputs into the machine learning model to produce the threat score. A feature (or input) is an attribute of a CVE that allows us to describe or understand it more clearly. Here are a few examples:

• The age of the vulnerability
• Exploit kit availability
• Chatter on the dark web

Broadly speaking, we tend to group features into these categories:

• Past threat patterns (e.g., evidence of exploitation in the past - how recent? how frequent?)
• Past threat sources (e.g., specific sources showing evidence of exploitation)
• Vulnerability metrics (CVSS metrics such as access vector, attack complexity, base score, etc)
• Vulnerability metadata (age of vulnerability, CVE, vendor/software impacted by the vulnerability, etc)
• Exploit availability using threat intelligence data (is the vulnerability on Exploit Database? Metasploit?)

 Today, that data comes from seven types of sources:

• Information security websites
• Blogs
• Vulnerability disclosures
• Social media
• Forums
• Dark web
• Vulnerability landscape

Explore additional Predictive Prioritization resources

We crafted this FAQ based on our customers’ most common questions about Predictive Prioritization – and we’ll be refreshing this post as needed. You can download a PDF version of this FAQ here.

Here are some other resources you may find useful:

• Watch the on-demand webinar, “To Reduce Your Cyber Exposure, Find and Fix First the 3% of Vulnerabilities that Matter Most.” Learn more about how Predictive Prioritization uses data science and machine learning.
• Read the technical whitepaper, “Predictive Prioritization: Data Science Lets You Focus on the 3% of Vulnerabilities Likely to Be Exploited.”
• Explore the Predictive Prioritization webpage featuring the “3 Things You Need to Know About Prioritizing Vulnerabilities” ebook and product information.

Researcher publishes proof of concept (PoC) for local root privilege escalation bug patched by Apache last week.

Background

Last week, Apache published a security update to address six vulnerabilities in HTTP Server versions 2.4.17 to 2.4.38. This release includes a fix for CVE-2019-0211, a local root privilege escalation vulnerability that could lead to arbitrary code execution.

Analysis

The vulnerability, dubbed CARPE (DIEM), exists in Apache Multi-Processing Modules (MPMs) such as mod_prefork, mod_worker and mod_event. Charles Fol, the researcher who discovered and named the vulnerability, targeted mod_prefork for his breakdown and subsequent PoC.

According to Fol, Apache uses a shared-memory area known as scoreboard to keep tabs on worker processes (lower privileges) managed by mod_prefork (root privileges). Exploitation of this vulnerability requires an attacker to gain read/write access to a worker process (through a separate exploit) in order to manipulate the scoreboard to point to a rogue worker before an Apache graceful restart is initiated by logrotate.

In their advisory, Apache noted that non-Unix systems are unaffected by CVE-2019-0211. This is likely due to the fact that the vulnerability is triggered by an Apache graceful restart (apache2ctl graceful), which is normally executed by logrotate every morning on *Nix systems.

Proof of Concept

Fol published his PoC to Github on April 8. In his blog, he notes this exploit is “between a POC and a proper exploit.” The expectation is now that the PoC is publicly available, it will most likely be refined further and ultimately leveraged by attackers in the wild. This is of great concern on shared hosting environments, where a malicious user could leverage this exploit to gain root access on the host and access files shared by other users on the host environment.

Solution

CVE-2019-0211 is patched in Apache HTTP Server version 2.4.39. *Nix distributions including Ubuntu, Debian, and SuSE have package updates available for install. FreeBSD posted an advisory, but there is no security update available for it yet. Users are encouraged to install these updates as soon as possible.

Additionally, cPanel released a security update for EasyApache 4 that addresses this vulnerability.

Identifying affected systems

A list of Nessus plugins to identify these vulnerabilities will appear here as they’re released.

Nessus users scanning for vulnerable versions of Apache HTTP Server will see the following scan output.

Continuous monitoring via Nessus Network Monitor will result in the following output:

Get more information

• Apache Security Advisory
• Charles Fol's description of CARPE (DIEM)
• Ubuntu Security Advisory
• Debian Security Tracker for CVE-2019-0211
• SuSE: CVE-2019-0211
• FreeBSD: Apache -- Multiple vulnerabilities
• EasyApache 4 Apr 3 Release

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io Vulnerability Management.