Verizon Fios Quantum Gateway Routers Patched for Multiple Vulnerabilities

April 9, 2019, 5:48 am

≫ Next: Critical Vulnerability in Siemens Spectrum Power (CVE-2019-6579) Patched in Monthly Advisory

≪ Previous: CVE-2019-0211: Proof of Concept for Apache Root Privilege Escalation Vulnerability Published

<p>Tenable Research discovered multiple vulnerabilities in Verizon’s Fios Quantum Gateway routers.</p>
<h2>Background</h2>
<p>Tenable Research has discovered multiple vulnerabilities in the <a href="https://www.verizon.com/home/accessories/fios-quantum-gateway/" target="_blank" rel="noopener noreferrer" title="Tenable Research discovered multiple vulnerabilities in Verizon Fios Quantum Gateway">Verizon Fios Quantum Gateway</a> (G1100) router. Verizon has released firmware version 02.02.00.13 to fix these vulnerabilities.</p>
<h2>Analysis</h2>
<p>There is a sticker on the side of the routers. Each customer is given a different Wireless network name, Wireless password, and Administrator password. These vulnerabilities are focused around the Administrator password, not the password you use to connect to the Wi-Fi. The Administrator password is there for the Verizon customer to log into the router to perform various tasks that define the network. The vulnerabilities include:</p>
<h3>CVE-2019-3914 - Authenticated Remote Command Injection</h3>
<p>This vulnerability can be triggered by adding a firewall access control rule for a network object with a crafted hostname. An attacker must be authenticated to the device's administrative web application in order to perform the command injection. In most cases, the vulnerability can only be exploited by attackers with local network access. However, an internet-based attack is feasible if remote administration is enabled; it is disabled by default.</p>
<h3>CVE-2019-3915 - Login Replay</h3>
<p>Because HTTPS is not enforced in the web administration interface, an attacker on the local network segment can intercept login requests using a packet sniffer. These requests can be replayed to give the attacker admin access to the web interface. From here, the attacker could exploit CVE-2019-3914.</p>
<h3>CVE-2019-3916 - Password Salt Disclosure</h3>
<p>An unauthenticated attacker is able to retrieve the value of the password salt by simply visiting a URL in a web browser. Given that the firmware does not enforce the use of HTTPS, it is feasible for an attacker to capture (sniff) a login request. The login request contains a salted password hash (SHA-512), so the attacker could then perform an offline dictionary attack to recover the original password.</p>
<h2>Impact</h2>
<p>These routers are supplied to all new Verizon Fios customers unless they elect to use their own router, which isn’t very common. Tenable researcher <a href="https://twitter.com/lynerc" target="_blank" rel="noopener noreferrer" title="Tenable Researcher Chris Lyne on Twitter">Chris Lyne</a> has outlined several potential attack scenarios for these vulnerabilities.</p>
<h4>Scenario 1: Rebellious teen (insider threat)</h4>
<p><i>CVE-2019-3915 - Login Replay</i></p>
<p>Let's assume the Verizon customer is a parent of a teenager. The teenager wants to circumvent parental controls, as teens are wont to do. Let's assume the parent is smart and has changed the Administrator password for the router. The teen can’t just use the credentials on the sticker to log into the administrative interface and change the parental controls. They have to try something else.</p>
<p>It's safe to say that a concerned parent would log into the router from time to time to check whether the teen has tried to flout the parental controls. Because HTTPS is not enforced in the web browser, a clever teen could perform packet sniffing and record the parent’s login. After recording the login sequence, the teen could then replay the login to gain access to the router's administrative interface (CVE-2019-3915). At this point, he or she could change the parental controls, delete evidence of misbehavior, etc.</p>
<h4>Scenario 2: The house guest who never left (insider threat, remote attack)</h4>
<p><i>CVE-2019-3914 - Authenticated Remote Command Injection</i></p>
<p>People have house guests over all the time - family members, friends, friends of friends, or maybe even AirBNB guests. Often, you'll give your guests your Wi-Fi password (WPA2 key) to allow them to use your internet connection.</p>
<p>So, the house guest is physically in your home and has connected to your Wi-Fi. The house guest can determine your public IP address by visiting <a href="https://www.whatismyip.com/" target="_blank" rel="noopener noreferrer" title="https://www.whatismyip.com/">https://www.whatismyip.com/</a> on their mobile device. They could also take a photo of the credential sticker on the Verizon Fios Quantum Gateway router.</p>
<p>Using this information, the house guest could do either of the following:</p>
<ol>
<li>Log into the router's administrative web interface to enable Remote Administration.</li>
<li>Hope that Remote Administration is already enabled. (A <a href="https://www.shodan.io/search?query=title%3A%22Verizon+Router%22&lang... target="_blank" rel="noopener noreferrer" title="Shodan.io search for Verizon Fios router vulnerabilities">Shodan.io search</a> shows 15,323 Verizon routers with Remote Administration enabled.)</li>
</ol>
<p>After the house guest leaves, he or she can exploit CVE-2019-3914 remotely, from across the internet, to gain remote root shell access to the router's underlying operating system. From here, the house guest has control of the network. The attacker can create back doors, record sensitive internet transactions, pivot to other devices, etc.</p>
<h4>Scenario 3: Verizon tech support social engineering (remote attack)</h4>
<p><i>CVE-2019-3914 - Authenticated Remote Command Injection</i></p>
<p>Social engineering attacks aren’t just about phishing campaigns and data breaches due to untrained employees. They happen against “average” consumers all the time, too. It is entirely possible that a malicious actor would perform social engineering by masquerading as a Verizon tech support employee.</p>
<p>In this scenario, the attacker, posing as a customer support employee, calls a Verizon customer (victim) and pretends there is some sort of an issue with their Verizon Fios service. The attacker asks the customer for his/her Administrator password on the side of the router and to log into the router's admin web interface. At this point, the attacker could ask for the Public IP address which is conveniently displayed immediately after logging in. Also, the attacker would ask the victim to enable Remote Administration.</p>
<p>With this information, the attacker can exploit CVE-2019-3914 remotely, with the same outcome as Scenario 2.</p>
<h2>Solution</h2>
<p>Users are urged to confirm that their router is updated to version 02.02.00.13, and if not, contact Verizon for more information. It is recommended that users keep remote administration disabled.</p>
<h2>Additional information</h2>
<ul>
<li>Visit the <a href="https://medium.com/tenable-techblog/verizon-fios-router-authenticated-co... target="_blank" rel="noopener noreferrer" title="Tenable Tech Blog on Medium">Tenable Tech Blog on Medium</a> to read researcher <a href="https://twitter.com/lynerc" target="_blank" rel="noopener noreferrer" title="Tenable Researcher Chris Lyne on Twitter">Chris Lyne</a>’s in-depth story about his work uncovering these vulnerabilities</li>
<li><a href="https://www.tenable.com/security/research/tra-2019-17" target="_blank" rel="noopener noreferrer" title="Tenable Advisory">Tenable Advisory</a></li>
</ul>
<p><b><i>Learn more about <a href="https://www.tenable.com/products">Tenable</a>, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a <a href="https://www.tenable.com/products/tenable-io/vulnerability-management/eva... 60-day trial</a> of Tenable.io Vulnerability Management. </i></b></p>

↧

Critical Vulnerability in Siemens Spectrum Power (CVE-2019-6579) Patched in Monthly Advisory

April 10, 2019, 12:42 pm

≫ Next: Why Global Collaboration Is Key to Effective Cyber Defense

≪ Previous: Verizon Fios Quantum Gateway Routers Patched for Multiple Vulnerabilities

<p>Siemens Security Advisory Day (SAD) for April 2019 addresses a variety of vulnerabilities, including a critical vulnerability in Siemens Spectrum Power.</p>
<h3>Background</h3>
<p>On April 9, Siemens published its monthly Siemens Advisory Day release across a variety of Siemens products. This includes 11 CVEs newly addressed in Siemens products along with updates to previous advisories, including additional CVEs and product updates and mitigations. The most critical of these vulnerabilities could give an unauthenticated attacker administrative privileges.</p>
<h3>Analysis</h3>
<p>Siemens Spectrum Power 4.7 customers that utilize project enhancement (PE) Web Office Portal (WOP) are vulnerable to <a href="https://cert-portal.siemens.com/productcert/txt/ssa-324467.txt" target="_blank" rel="noopener noreferrer" title="CVE-2019-6579">CVE-2019-6579</a>, a critical vulnerability that an unauthenticated attacker with network access could exploit to obtain administrative privileges. This vulnerability has the highest CVSSv3 score possible of 10.0, as it requires no user interaction, and can be exploited as long as WOP is used and the attacker has access to the web server via TCP port 80 or port 443.</p>
<p>Other newly addressed CVEs in Siemens products include denial of service vulnerabilities within the web server (<a href="https://cert-portal.siemens.com/productcert/txt/ssa-480230.txt" target="_blank" rel="noopener noreferrer" title="CVE-2019-6568">CVE-2019-6568</a>) and the <a href="https://new.siemens.com/global/en/products/automation/industrial-communi... target="_blank" rel="noopener noreferrer" title="OPC UA">OPC UA</a> server (<a href="https://cert-portal.siemens.com/productcert/txt/ssa-307392.txt" target="_blank" rel="noopener noreferrer" title="CVE-2019-6575">CVE-2019-6575</a>) of Siemens products. Both of these CVEs have a CVSSv3 score of 7.5.</p>
<p>There were also multiple vulnerabilities patched in components and libraries used by Siemens products, including curl and libcurl in the <a href="https://cert-portal.siemens.com/productcert/txt/ssa-436177.txt" target="_blank" rel="noopener noreferrer" title="SINEMA Remote Connect">SINEMA Remote Connect</a> (CVE-2018-1461, CVE-2018-16890, CVE-2019-3822) and the Quagga BGP daemon in <a href="https://cert-portal.siemens.com/productcert/txt/ssa-451142.txt" target="_blank" rel="noopener noreferrer" title="RUGGEDCOM ROX II">RUGGEDCOM ROX II</a> (CVE-2018-5379, CVE-2018-5380, CVE-2018-5381). <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-5379" target="_blank" rel="noopener noreferrer" title="CVE-2018-5379">CVE-2018-5379</a> is a critical double free vulnerability with a CVSSv3 score of 9.8, that could be exploited via a spoofed BGP UPDATE message delivered on the network, resulting in denial of service (DoS) or achieving arbitrary code execution. CVE-2019-6570 appears to be a vulnerability in the Siemens SINEMA Remote Connect itself, not in a component or library.</p>
<p><a href="https://cert-portal.siemens.com/productcert/txt/ssa-141614.txt" target="_blank" rel="noopener noreferrer" title="CVE-2017-12741">CVE-2017-12741</a> is a denial of service vulnerability in the Siemens SIMOCODE pro V EIP that could be exploited by a remote attacker sending specially crafted packets to UDP port 161. While this advisory is the first release (1.0) from Siemens about this CVE for this product, the CVE itself is associated with a variety of <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-12741#vulnConfigurationsArea" target="_blank" rel="noopener noreferrer" title="Siemens product configurations">Siemens product configurations</a> already.</p>
<p>The remaining CVEs addressed in this month’s SAD are updates to previous advisories published by Siemens. For instance, <a href="https://cert-portal.siemens.com/productcert/txt/ssa-901333.txt" target="_blank" rel="noopener noreferrer" title="SSA-901333">SSA-901333</a> contains an update for the <a href="https://www.tenable.com/blog/responding-to-krack-what-you-need-to-know" target="_blank" rel="noopener noreferrer" title="KRACK (Key Reinstallation Attack)">KRACK (Key Reinstallation Attack)</a> vulnerabilities for the SINAMICS V20 Smart Access Module while <a href="https://cert-portal.siemens.com/productcert/txt/ssa-268644.txt" target="_blank" rel="noopener noreferrer" title="SSA-268644">SSA-268644</a> adds updates to solutions for <a href="https://www.tenable.com/blog/spectre-and-meltdown-still-haunting-intelamd" target="_blank" rel="noopener noreferrer" title="variants 3a and 4 of Spectre-NG">variants 3a and 4 of Spectre-NG</a> for the SIMATIC HMI Panels V14.</p>
<h3>Solution</h3>
<p>Spectrum Power 4.7 users can obtain the Web Office Portal fix, Bugfix bf-47456_PE_WOP_fix by contacting Siemens Energy Customer Support at <a href="mailto:support.energy@siemens.com" target="_blank" rel="noopener noreferrer" title="support.energy@siemens.com">support.energy@siemens.com</a>.</p>
<p>Siemens SINEMA Remote Connect Client <a href="https://support.industry.siemens.com/cs/de/en/view/109764829" target="_blank" rel="noopener noreferrer" title="V2.0 HF1">V2.0 HF1</a>, Server <a href="https://support.industry.siemens.com/cs/de/en/view/109764829" target="_blank" rel="noopener noreferrer" title="V2.0">V2.0</a> and SIMOCODE pro V EIP <a href="https://support.industry.siemens.com/cs/ww/en/view/109756912" target="_blank" rel="noopener noreferrer" title="V1.0.2">V1.0.2</a> is also available for download, while RUGGEDCOM ROX II V2.13.0 can be obtained by contacting the <a href="https://support.industry.siemens.com/my/WW/en/requests#createRequest" target="_blank" rel="noopener noreferrer" title="RUGGEDCOM support team">RUGGEDCOM support team</a>.</p>
<p>For the denial of service vulnerabilities in Siemens industrial product <a href="https://cert-portal.siemens.com/productcert/txt/ssa-480230.txt" target="_blank" rel="noopener noreferrer" title="web servers">web servers</a> and <a href="https://cert-portal.siemens.com/productcert/txt/ssa-307392.txt" target="_blank" rel="noopener noreferrer" title="OPC UA servers">OPC UA servers</a>, please refer to the respective Siemens Security Advisory documents for associated product updates and/or mitigation steps.</p>
<p>For solutions and updates on older advisories, including additional CVEs and availability of patches or mitigations, please refer to the table below</p>
<div>
<table>
<tbody>
<tr>
<td>
<p><span style="font-weight: 400;"><b>Siemens Security Advisory ID</b></span></p>
</td>
<td>
<p><span style="font-weight: 400;"><b>Document Title</b></span></p>
</td>
<td>
<p><span style="font-weight: 400;"><b>Document</b></span></p>
</td>
</tr>
<tr>
<td>
<p><span style="font-weight: 400;">SSA-179516</span></p>
</td>
<td>
<p><span style="font-weight: 400;">OpenSSL Vulnerability in Industrial Products</span></p>
</td>
<td>
<p><span style="font-weight: 400;"><a href="https://cert-portal.siemens.com/productcert/txt/ssa-179516.txt" target="_blank" rel="noopener noreferrer">TXT</a></span></p>
</td>
</tr>
<tr>
<td>
<p><span style="font-weight: 400;">SSA-268644</span></p>
</td>
<td>
<p><span style="font-weight: 400;">Spectre-NG (Variants 3a and 4) Vulnerabilities in Industrial Products</span></p>
</td>
<td>
<p><span style="font-weight: 400;"><a href="https://cert-portal.siemens.com/productcert/txt/ssa-268644.txt" target="_blank" rel="noopener noreferrer">TXT</a></span></p>
</td>
</tr>
<tr>
<td>
<p><span style="font-weight: 400;">SSA-844562</span></p>
</td>
<td>
<p><span style="font-weight: 400;">Multiple Vulnerabilities in Licensing Software for WinCC OA</span></p>
</td>
<td>
<p><span style="font-weight: 400;"><a href="https://cert-portal.siemens.com/productcert/txt/ssa-844562.txt" target="_blank" rel="noopener noreferrer">TXT</a></span></p>
</td>
</tr>
<tr>
<td>
<p><span style="font-weight: 400;">SSA-901333</span></p>
</td>
<td>
<p><span style="font-weight: 400;">KRACK Attacks Vulnerabilities in Industrial Products</span></p>
</td>
<td>
<p><span style="font-weight: 400;"><a href="https://cert-portal.siemens.com/productcert/txt/ssa-901333.txt" target="_blank" rel="noopener noreferrer">TXT</a></span></p>
</td>
</tr>
<tr>
<td>
<p><span style="font-weight: 400;">SSB-439005</span></p>
</td>
<td>
<p><span style="font-weight: 400;">Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP</span></p>
</td>
<td>
<p><span style="font-weight: 400;"><a href="https://cert-portal.siemens.com/productcert/txt/ssb-439005.txt" target="_blank" rel="noopener noreferrer">TXT</a></span></p>
</td>
</tr>
</tbody>
</table>
</div>

<p></p>

<h3>Identifying affected systems</h3>

<p>A list of Nessus plugins to identify these vulnerabilities will appear <a href="https://www.tenable.com/plugins/search?q=%22SSA-141614%22%2C%20%22SSA-30... target="_blank" rel="noopener noreferrer" title="Nessus Plugins for Siemens CVEs">here</a> as they’re released.</p>

<h3>Get more information</h3>
<ul>
<li><a href="https://cert-portal.siemens.com/productcert/txt/ssa-324467.txt" target="_blank" rel="noopener noreferrer" title="Siemens Security Advisory for Spectrum Power 4.7">Siemens Security Advisory for Spectrum Power 4.7</a></li>
<li><a href="https://cert-portal.siemens.com/productcert/txt/ssa-307392.txt" target="_blank" rel="noopener noreferrer" title="Siemens Security Advisory for Denial-of-Service in OPC UA in Industrial Products">Siemens Security Advisory for Denial-of-Service in OPC UA in Industrial Products</a></li>
<li><a href="https://cert-portal.siemens.com/productcert/txt/ssa-141614.txt" target="_blank" rel="noopener noreferrer" title="Siemens Security Advisory for Denial-of-Service in SIMOCODE pro V EIP">Siemens Security Advisory for Denial-of-Service in SIMOCODE pro V EIP</a></li>
<li><a href="https://cert-portal.siemens.com/productcert/txt/ssa-480230.txt" target="_blank" rel="noopener noreferrer" title="Siemens Security Advisory for Denial-of-Service in Web Server of Industrial Products">Siemens Security Advisory for Denial-of-Service in Web Server of Industrial Products</a></li>
<li><a href="https://cert-portal.siemens.com/productcert/txt/ssa-436177.txt" target="_blank" rel="noopener noreferrer" title="Siemens Security Advisory for Multiple Vulnerabilities in SINEMA Remote Connect">Siemens Security Advisory for Multiple Vulnerabilities in SINEMA Remote Connect</a></li>
<li><a href="https://cert-portal.siemens.com/productcert/txt/ssa-451142.txt" target="_blank" rel="noopener noreferrer" title="Siemens Security Advisory for Multiple Vulnerabilities in RUGGEDCOM ROX II">Siemens Security Advisory for Multiple Vulnerabilities in RUGGEDCOM ROX II</a></li>
</ul>
<p><b><i>Join <a href="https://community.tenable.com/s/group/0F9f2000000fyxyCAA/cyber-exposure-... Security Response Team</a> on the Tenable Community.</i></b></p>
<p><b><i> Learn more about <a href="https://www.tenable.com/products">Tenable</a>, the first Cyber Exposure platform for holistic management of your modern attack surface. </i></b></p>
<p>Get a <a href="https://www.tenable.com/products/tenable-io/vulnerability-management/eva... 60-day trial</a> of Tenable.io Vulnerability Management.</p>

↧

Why Global Collaboration Is Key to Effective Cyber Defense

April 10, 2019, 5:23 pm

≫ Next: Critical OS Command Injection Vulnerability in Citrix SD-WAN Center Discovered

≪ Previous: Critical Vulnerability in Siemens Spectrum Power (CVE-2019-6579) Patched in Monthly Advisory

The proliferation of connected devices is driving exponential growth in the digital attack surface, making it increasingly important for businesses, organizations and governments to collaborate on eliminating blind spots, prioritizing threats and reducing exposure and loss.

Effective cybersecurity requires a mix of innovative technologies at the business level and sound policy at all government levels to enable technology development and deter bad actors. Because cyber threat actors operate across national borders, businesses and governments should strive to pursue technological partnerships and global policy alignment. Establishing strong cybersecurity technology partnerships, and strengthening alignment of effective global cybersecurity policies, will help global businesses and governments address today’s threat landscape and stand better prepared to handle the adversaries of tomorrow.

On March 1, Tenable hosted the Australian Cyber Security Mission to the USA 2019, a delegation of Australian cybersecurity company executives, federal, state and territory government officials, and leading cybersecurity academics, at our Columbia, Maryland, headquarters. The purpose of the Mission, which was organized by the Australian Trade and Investment Commission (Austrade) in partnership with the Australian Cyber Security Growth Network (AustCyber), was to introduce the delegation to leading technology and financial companies, business associations, and government agencies in the New York City, Washington D.C., and San Francisco areas in order to share best practices, learn about innovation strategies, and explore potential partnerships. The delegation also attended the RSA Conference, one of the world’s largest and most renowned cybersecurity conventions.

During the visit to Tenable, Co-Founder Jack Huffard and Chief Financial Officer Steve Vintz provided an overview of Tenable’s major innovation milestones. The meetings with the delegation presented the Tenable team with a unique opportunity to discuss the global cybersecurity ecosystem. We discovered that we are all in heated agreement that cybersecurity cannot be solved through a single, silver bullet approach. Rather, effective cybersecurity is dependent upon on a mix of complementary technologies, practices, and processes.

Tenable partners with a range of innovative technology companies to bring leading, integrated cybersecurity solutions to our customers. Throughout the presentations and follow-on discussions, Tenable leaders emphasized the value we place on innovative business partnerships, including with international partners.

The RSA Conference in San Francisco in early March provided additional opportunities for the delegation and Tenable to explore technology partnerships and discuss global policy objectives, including with government officials from both the USA and Australia. While there was vigorous discussion across a range of issues, we picked up on some key themes of agreement:

There is a critical need for international policy alignment among allied governments to expose bad cyber actors and establish norms for cyber behavior.
Flexible, outcome-oriented cybersecurity policies can help raise the bar for improving cyber hygiene while allowing for continued innovation.
Effective public-private partnerships, including those with international allies, will be vital to helping protect critical national infrastructure.

Industry and government have a responsibility to take firm action on cybersecurity, particularly as the threat landscape grows and expands. Cybersecurity transcends our traditional geographic lines. Bad actors don’t consider physical borders, and therefore our global strategy to combat critical cybersecurity issues shouldn’t either.

Learn more:

Visit us at https://www.tenable.com/solutions/government/us-fed to find out about our solutions to protect federal networks, information and infrastructure.
See why Tenable was named a March 2019 Gartner Peer Insights Customers' Choice.
Register for GovEdge 2019, June 4-5 in Washington, DC, to learn how to make the most of your Tenable investment.

↧

Critical OS Command Injection Vulnerability in Citrix SD-WAN Center Discovered

April 11, 2019, 11:42 am

≫ Next: Predictive Prioritization Is Now Available in Tenable.io!

≪ Previous: Why Global Collaboration Is Key to Effective Cyber Defense

Tenable Research has discovered a critical vulnerability in Citrix SD-WAN Center that could lead to remote code execution.

Background

On April 10, Citrix released a security bulletin for CVE-2019-10883, an operating system (OS) command injection vulnerability in Citrix SD-WAN Center 10.2.x before 10.2.1 and NetScaler SD-WAN Center 10.0.x before 10.0.7. Tenable Research discovered this vulnerability while developing a plugin for CVE-2017-6316 and reported it to Citrix.

Citrix Netscaler SD-WAN (software defined wide-area network) allows enterprises to manage their networks and create a virtual WAN. These types of products are used to support branch offices and remote data centers, and to maintain connectivity for cloud-based applications. According to the Citrix website, Netscaler SD-WAN is used in several industries like shipping, non-profit, hospitality and others.

Analysis

While reviewing CTX236992, Tenable Research observed that most of the vulnerabilities in this security bulletin required authentication. For the purpose of writing an uncredentialed Nessus plugin, we ended up looking at two unauthenticated command injection vulnerabilities mentioned in the writeup by the researchers who were credited in CTX236992. These vulnerabilities appeared to be linked to CVE-2017-6316, a vulnerability in the Citrix SD-WAN appliance.

Through our research of CVE-2017-6316, we discovered the Citrix SD-WAN Center 10.2.0.136.733315 was vulnerable to insufficient validation of user-supplied data ($username) in the controller located at /home/talariuser/www/app/Controller/UsersController.php (CVE-2019-10883).

Proof of concept

An unauthenticated remote attacker could exploit this vulnerability to execute arbitrary commands with root privileges. This could be achieved by running the following cURL command:

curl -skv --tlsv1.2 -d '_method=POST&data%5BUser%5D%5Busername%5D=%60sudo%20id%20>/tmp/test%60&data%5BUser%5D%5Bpassword%5D=my_password&data%5BUser%5D%5BsecPassword%5D=my_secPassword' 'https://[target_host]/login'

The output from running this command:

root@VWC:/home/talariuser/www/app/Controller# cat /tmp/test

uid=0(root) gid=0(root) groups=0(root)

Vendor response

Tenable Research contacted Citrix in early February and confirmed they reproduced the vulnerability by the end of February. Citrix published its security bulletin for this vulnerability on April 10.

Solution

Users should upgrade to Citrix SD-WAN Center 10.2.1 or later and NetScaler SD-WAN Center 10.0.7 or later. Additionally, Citrix provided a list of best practices that should be used to harden the security of the SD-WAN Center.

Get more information

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io Vulnerability Management.

↧

Predictive Prioritization Is Now Available in Tenable.io!

April 16, 2019, 6:00 am

≫ Next: IT/OT Cybersecurity Convergence: Start Strong with These Six Controls

≪ Previous: Critical OS Command Injection Vulnerability in Citrix SD-WAN Center Discovered

Predictive Prioritization is a game-changer for risk-based vulnerability management. And now it’s a core capability of Tenable.io, helping you focus first on the 3% of vulnerabilities that matter most.

We are excited to announce that Predictive Prioritization is now available in Tenable.io to help you focus first on the security issues that matter most.

The traditional method of prioritizing vulnerabilities using CVSS has significant limitations. It scores the majority of CVEs as “High” or “Critical,” exacerbating the vulnerability overload problem. If everything is important, then nothing truly is.

Experts agree: CVSS doesn’t answer what to patch first

We’re not the only ones recognizing the limitations of prioritizing vulnerabilities using CVSS alone. The Carnegie Mellon University Software Engineering Institute published Towards Improving CVSS in December 2018, concluding that CVSS doesn’t answer the fundamental question of what vulnerabilities organizations should patch first:

“CVSS is designed to identify the technical severity of a vulnerability. What people seem to want to know, instead, is the risk a vulnerability or flaw poses to them, or how quickly they should respond to a vulnerability.”

Predictive Prioritization can help with remediation efficiency

Predictive Prioritization combines more than 150 data sources, including both Tenable and third-party vulnerability data as well as threat intelligence, to identify the vulnerabilities with the highest likelihood of exploitability. This dramatically improves your remediation efficiency and effectiveness by allowing you to focus on the 3% of vulnerabilities that have been – or will likely be – exploited.

Predictive Prioritization Machine Learning

Vulnerability Priority Rating: Prioritizing remediation according to risk

Predictive Prioritization generates a Vulnerability Priority Rating (VPR) score ranging from 1 (lowest risk) to 10 (highest risk), which changes with the threat landscape. VPR is now a core data element in Tenable.io to help you prioritize remediation based on actual cyber risk.

Additional capabilities now available in Tenable.io

We’re also introducing additional capabilities to help you get the most value from Predictive Prioritization:

Understanding VPR Key Drivers

Get contextual insights into the factors influencing the VPR calculation, including CVSSv3 impact score, threat recency and exploit code maturity.

Sorting vulnerabilities by VPR score

Sort through vulnerabilities by VPR severity to quickly understand and investigate the full list of high-risk vulnerabilities. Also, compare vulnerabilities with high VPR but low CVSS scores to see the difference firsthand.

New dashboards based on VPR

Take advantage of the new VPR widget on the main Tenable.io dashboard (see above screenshot) to understand and analyze which critical vulnerabilities you need to address immediately.

The takeaway: You now have a tremendous amount of vulnerability information at your fingertips in Tenable.io.

For example, let’s look at the Amazon Linux vulnerability from a few months ago. CVSSv3 scores this Linux kernel weakness as 5.9.

But, VPR scores it 9.2 due to its high exploit code maturity, product coverage and threat recency. If you have this vulnerability in your environment, run ‘yum update kernel’ and reboot the instance pronto!

Tenable.io continues to earn customer praise

Although we’re only four months into 2019, it’s been a busy year for Tenable.io. The product was recognized as the Best Vulnerability Management Solution at the 2019 SC Awards in March. In addition, Tenable was named a March 2019 Gartner Peer Insights Customers’ Choice for Vulnerability Assessment, driven in part by Tenable.io.

We’ve also earned many customer testimonials from organizations such as Verizon Media (formerly Oath), Netskope and Stone Pagamentos discussing why Tenable.io is essential to their security stack.

Zero in on the vulnerabilities that matter most

Incorporating Predictive Prioritization as a core function in Tenable.io is a game-changer for vulnerability management managed in the cloud. If you’re ready to find and fix your most pressing vulnerabilities, start with a Tenable.io trial today.

Learn more about Predictive Prioritization now

Want to learn more about Predictive Prioritization? Here are a few resources to check out:

Participate in the April 24 webinar, “What’s New in Tenable.io,” where we’ll discuss Predictive Prioritization and answer any questions you may have
Review the Predictive Prioritization FAQ, featuring our customers’ top questions about this new capability
Read the whitepaper, Predictive Prioritization: How to Focus on the Vulnerabilities That Matter Most
Download the ebook, 3 Things You Need to Know About Prioritizing Vulnerabilities

↧

IT/OT Cybersecurity Convergence: Start Strong with These Six Controls

April 17, 2019, 4:41 am

≫ Next: Oracle Critical Patch Update For April Contains 297 Fixes

≪ Previous: Predictive Prioritization Is Now Available in Tenable.io!

As IT and OT teams converge, industrial businesses need to create better cybersecurity plans and strategies to confront modern threats. Where's the best place to start? Try these six cybersecurity controls.

The teams responsible for securing IT and operational technology (OT) in organizations have been able to operate without much interaction because the systems and software they supported were unique and discrete.

That all started to change a little over a decade ago, and the worlds of IT and OT have been steadily converging ever since. This trend is a byproduct of digital transformation and shifting technologies pushing enterprises of all sizes, including those in the industrial sector, to digitize their infrastructure. This often entails exposing once air-gapped and isolated equipment – think of a device with Windows-based Human/Machine Interface sitting on an OT network – to the wider public internet.

"IT systems are increasingly showing up in the OT environment," Ted Gary, Sr., a senior product marketing manager at Tenable, noted during a recent Tenable webinar entitled Six Common Controls Unite and Strengthen IT/OT Security, which explored the issue of IT and OT convergence and what it means for the overall business.

This convergence of two important and completely different disciplines has led to a growing concern about cybersecurity, as manufacturing equipment and applications which were previously isolated are now subject to the same types of attacks that have plagued IT hardware and software for years. At the same time, Industrial Control Systems (ICS) and supervisory control and data acquisition (SCADA) systems have become a target of Advanced Persistent Threat (APT) groups intent on cyber espionage.

Threats to industrial systems represent a large and growing challenge for CISOs. Having responsibility for overall company security, CISOs must find a way to bridge the gap between IT and OT. It's not an easy task, said Gary, who was joined during the webinar by Seth Matheson, a public sector sales engineer with Tenable.

As the amount of OT finding its way onto the corporate LAN steadily increases, the attack surface expands accordingly. At the same time, since IT is typically responsible for business technology and the networks these system run on, there's some concern about who can take ownership of issues such as patching, since many OT systems cannot be readily patched

"IT tends to set the policy, but OT owns the controls," Gary added.

Where to begin? For Gary, the answer is to keep it simple, and start at the beginning.

Six Cybersecurity Controls to Help with IT/OT Convergence

The Center for Internet Security (CIS) offers six basic security controls Gary believes can help enterprises form the basis for a cybersecurity strategy they can use to come to grips with the convergence of IT and OT. The controls are documented in the CIS publication CIS Controls: Implementation Guide for Industrial Control Systems, which Gary contributed to.

These basic security controls include:

Inventory and control of hardware assets
Inventory and control of software assets
Continuous vulnerability management
Controlled use of administrative privileges
Secure configurations for hardware and software computers
Maintenance, monitoring and analysis of audit logs

"Start with this basic set of controls," Gary said. "It doesn't matter where you are going, you can build on this foundation."

While starting with basic security controls can help enterprises begin the process of bridging the gaps between IT and OT, as well as improving overall cyber hygiene, there are still other significant obstacles to overcome.

For example, a November 2016 survey Tenable commissioned with the Center for Information Security found organizations are challenged by a lack of trained staff, lack of budget, lack of prioritization and lack of management support among other issues.

So what can CISOs do to meet these challenges?

This is where the so-called "soft skills" come into play. For instance, Gary urged CISOs and other security leaders to work on improving communications to bridge the distance between IT and OT. This can be as simple as setting up informal "Lunch & Learn" sessions between IT and OT during which the two groups can find common ground and agree on a common strategy.

"It'll cost you a couple of pizzas," Gary noted.

These types of conversations can start an enterprise on the road to securing the convergence of IT and OT.

Learn more:

View the on-demand webinar: Six Common Controls Unite and Strengthen IT/OT Security
Read the blog: Choosing an OT Security System? Here Are the 7 Questions to Ask
Download the report Cybersecurity in Operational Technology: 7 Insights You Need to Know

↧

Oracle Critical Patch Update For April Contains 297 Fixes

April 17, 2019, 8:30 am

≫ Next: Sea Turtle DNS Hijacking Campaign Utilizes At Least Seven Patched Vulnerabilities

≪ Previous: IT/OT Cybersecurity Convergence: Start Strong with These Six Controls

Oracle fixes nearly 300 vulnerabilities in second Critical Patch Update for 2019, including bugs in WebLogic, Java SE and several product components.

Background

On April 16, Oracle released its Critical Patch Update for April 2019 as part of its quarterly release of fixes for vulnerabilities. This update contains 297 fixes across a number of Oracle products.

Analysis

In its Critical Patch Update for April 2019, Oracle addressed several vulnerabilities (CVE-2019-2645, CVE-2019-2646, CVE-2019-2647, CVE-2019-2648, CVE-2019-2649, CVE-2019-2650) in Oracle WebLogic Server’s WLS Core Components and Web Services that were reported by security researcher Matthias Kaiser and could be exploited remotely without authentication.

This month’s release contains five security fixes for Oracle Java SE components like Windows DLL (CVE-2019-2699), 2D (CVE-2019-2697, CVE-2019-2698) as well as Oracle Java SE and Oracle Java SE Embedded libraries (CVE-2019-2602) and Remote Method Invocation (RMI) (CVE-2019-2684).

Additionally, this month’s release contains fixes for critical vulnerabilities in components including:

CVE-2019-3772 (Spring Framework)
CVE-2017-5645 (Apache Log4j)
CVE-2018-19362 (FasterXML jackson-databind)
CVE-2019-3822 (libcurl)
CVE-2018-11219 (Redis)
CVE-2018-11236 (glibc)
CVE-2016-4000 (Jython)
CVE-2015-3253 (Apache Groovy)

Once again, this quarter’s Critical Patch Update contained fixes for CVE-2016-1000031, the Apache Commons FileUpload Remote Code Execution vulnerability discovered by Tenable Research. This vulnerability was fixed across 10 different products/applications suites, including Oracle Communications Applications, Oracle Enterprise Manager Products Suite, and Oracle Fusion Middleware.

The following is a full list of products/applications with vulnerabilities addressed in the April 2019 Critical Patch Update:

Oracle Database Server
Oracle Berkeley DB
Oracle Commerce
Oracle Communications Applications
Oracle Construction and Engineering Suite
Oracle E-Business Suite
Oracle Enterprise Manager Products Suite
Oracle Financial Services Applications
Oracle Food and Beverage Applications
Oracle Fusion Middleware
Oracle Health Sciences Applications
Oracle Hospitality Applications
Oracle Java SE
Oracle JD Edwards Products
Oracle MySQL
Oracle PeopleSoft Products
Oracle Retail Applications
Oracle Siebel CRM
Oracle Sun Systems Products
Oracle Supply Chain Products
Oracle Support Tools
Oracle Utilities Applications
Oracle Virtualization

Solution

Customers are advised to apply all relevant patches provided by Oracle in this Critical Patch Update. Please refer to the April 2019 advisory for full details. Identifying affected systems

A list of Nessus plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

↧