Channel: Tenable Blog

Slack Patches Download Hijack Vulnerability in Windows Desktop App


Tenable Researcher David Wells discovered a vulnerability in Slack Desktop for Windows that could have allowed an attacker to alter where files downloaded within Slack are stored. Tenable worked with Slack via HackerOne based on our coordinated disclosure policy and Slack has since released a new version of its Windows desktop client to address this vulnerability. Users should ensure their Slack desktop application is up to date.

Background

Tenable Research discovered a download hijack vulnerability in Slack Desktop version 3.3.7 for Windows. This vulnerability, which has since been patched, would have allowed an attacker to post a crafted hyperlink into a Slack channel or private conversation that, when clicked, changes the location to which Slack saves downloaded documents. Exploitation requires user interaction (the victim has to click the link), which is reflected in its CVSSv2 score of 5.5 (Medium).

Slack has 10 million daily active users, and 85,000 organizations use the paid version. We cannot confirm how many of those are users of the Windows desktop app.

Analysis

An attacker can abuse the slack:// protocol handler, which is able to change sensitive settings in the Slack desktop application. A crafted link such as slack://settings/?update={'PrefSSBFileDownloadPath':'<pathHere>'} changes the default download location. The path can point to an attacker-controlled SMB share, in which case every document the victim subsequently downloads in Slack is written straight to the attacker's server. Because the attacker controls the share, they can also modify a downloaded document before the victim opens it.

The hyperlink text can be masqueraded by using Slack's "attachment" feature, which lets an attacker replace the hyperlink's actual uniform resource identifier with arbitrary display text, so the victim sees something harmless and may be fooled into clicking.
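The link form quoted above can be checked for mechanically. The following Python is an added example, not Tenable's or Slack's code: it extracts the update= payload from a slack://settings link, pulls out the PrefSSBFileDownloadPath value, reports whether that path points off-host (a UNC or smb:// path), and scans a message for such links in both plain text and the masqueraded <url|label> form. The message and attachment field names (text, attachments, title, title_link, fallback) and the sample message are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Preference key quoted in the advisory; everything else named here is an
# assumption made for this example (Slack message/attachment field names,
# the sample message at the bottom).
DOWNLOAD_PATH_PREF = "PrefSSBFileDownloadPath"

LINK_RE = re.compile(r"slack://[^\s<>|]+", re.IGNORECASE)
MRKDWN_LINK_RE = re.compile(r"<([^|>]+)\|([^>]*)>")  # <url|label>
# The update= payload is a JS-style object literal whose quoting varies, so
# pull the value for the key out by pattern instead of trusting a parser.
PREF_RE = re.compile(
    r"""['"]%s['"]\s*:\s*['"]([^'"]*)['"]""" % re.escape(DOWNLOAD_PATH_PREF))


def settings_update_payload(link):
    """Return the raw update= payload of a slack://settings/ link, else None."""
    parts = urlsplit(link)
    if parts.scheme.lower() != "slack" or parts.netloc.lower() != "settings":
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    return params["update"][0] if "update" in params else None


def download_path_from_link(link):
    """Return the download path the link would set, or None if it sets none."""
    payload = settings_update_payload(link)
    if payload is None:
        return None
    match = PREF_RE.search(payload)
    return match.group(1) if match else None


def is_remote_path(path):
    """True for UNC (\\\\host\\share), //host/share or smb:// paths, i.e. off-host."""
    p = path.strip()
    return p.startswith("\\\\") or p.startswith("//") or p.lower().startswith("smb://")


def find_hijack_links(message):
    """List every link in a message that rewrites the download path.

    Looks at bare slack:// links and <url|label> links in the text and at the
    title_link/text/fallback fields of attachments; 'masqueraded' is True when
    the text a user sees differs from the link target.
    """
    candidates = []
    text = message.get("text", "")
    for url, label in MRKDWN_LINK_RE.findall(text):
        candidates.append(("text", url, label))
    for url in LINK_RE.findall(MRKDWN_LINK_RE.sub(" ", text)):
        candidates.append(("text", url, url))
    for att in message.get("attachments", []):
        for field in ("title_link", "text", "fallback"):
            for url in LINK_RE.findall(att.get(field, "")):
                candidates.append(("attachment." + field, url, att.get("title", url)))

    findings = []
    for where, url, label in candidates:
        path = download_path_from_link(url)
        if path is not None:
            findings.append({"where": where, "link": url, "path": path,
                             "label": label, "remote": is_remote_path(path),
                             "masqueraded": label != url})
    return findings


HIJACK_LINK = r"slack://settings/?update={'PrefSSBFileDownloadPath':'\\10.0.0.5\downloads'}"

# Constructed sample: one masqueraded link in the text, one behind an
# attachment title, plus a benign slack:// deep link and a normal https link.
SAMPLE_MESSAGE = {
    "text": "Invoices are in <%s|Q2-invoices.zip>, FAQ at <https://example.test/faq|FAQ>" % HIJACK_LINK,
    "attachments": [
        {"title": "Board deck", "title_link": HIJACK_LINK},
        {"title": "Finance channel", "title_link": "slack://channel?team=T0001&id=C0001"},
    ],
}

if __name__ == "__main__":
    for f in find_hijack_links(SAMPLE_MESSAGE):
        print("%-22s shows %-18r sets download path %r (remote=%s, masqueraded=%s)"
              % (f["where"], f["label"], f["path"], f["remote"], f["masqueraded"]))
```

Run as a script it reports both hijack links and ignores the channel deep link and the https link; the benign slack:// link is the reason the check keys on the settings host and the specific preference rather than on the scheme alone.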

Vendor response

Tenable reported the vulnerability in the Slack Desktop Application for Windows to Slack via HackerOne. Slack patched the bug in its latest update for the Windows desktop client, v3.4.0. Slack investigated and found no indication that this vulnerability was ever exploited, nor any reports that its users were impacted. As always, users are encouraged to upgrade their apps and clients to the latest available version.

Impact

Attack scenarios:

The attack can be performed through any Slack direct message or channel that the attacker is able to post to. Using this vector, an insider could exploit the vulnerability for corporate espionage, for manipulating documents, or to gain access to documents outside their purview.

While less effective, these hyperlink attacks could also be carried out without being a member of the workspace, via external RSS feeds or other content pulled into a Slack channel from an external source that the attacker can seed with crafted hyperlinks. Such an attack could be launched by someone outside the organization, but there are variables that reduce its chances of success, such as needing to know which RSS feeds the target workspace subscribes to.

Once the download path has been altered, the attacker can not only steal documents downloaded in the Slack Application, they can also manipulate the documents. For example, if financial documents like invoices are downloaded, the attacker could not only read account numbers but also change them. Additionally, if an Office Document (Word, Excel, etc.) is downloaded, the attacker's server could inject malware into it, so that when opened, the victim machine is compromised.

Solution

Confirm that your Slack for Windows is updated to version 3.4.0 or later. Administrators of Slack deployed via the Microsoft Installer (MSI) package can read here for more information on how to manually update.

Additional information

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.


Stop the Presses: Media Coverage as a Prioritization Metric for Vulnerability Management


We wondered whether mainstream media coverage of vulnerabilities changed how companies perform vulnerability management. So we asked them. Here’s what we learned.

In technical circles, vulnerabilities have always been news. More often now though, vulnerabilities are mainstream news. They are regularly covered in business outlets read by company leaders who may not otherwise get involved in the nitty gritty of vulnerability management. 

2018 was a big year for vulnerabilities in the media. Starting off immediately with Meltdown and Spectre in January, it felt like the coverage never stopped. Seeing this, we wondered whether and how this coverage changed the way companies were doing vulnerability management. So we asked them. Through the course of doing broad-scope interviews with CISOs and security analysts, we were sure to ask about their experiences with vulnerabilities in the news.

We asked interviewees “Has news coverage of vulnerabilities impacted your work? If so, how?” 

Most of them had experienced some sort of disruption to their normal operations because of vulnerability news coverage. The top two examples given were the speculative execution vulnerabilities, Meltdown and Spectre, and Struts2. The full report, Headline Vulnerabilities: How Media Coverage Shapes the Perception of Risk, contains details on strategies, tactics, and challenges that developed while responding to these incidents. Our key findings were that: 

  • High-profile vulnerabilities are not just a concern for security teams. These vulnerabilities, whether or not technically critical, can pose serious reputational risks and require relationship management with customers, partners, regulators and other key stakeholders. 
  • Media coverage is not an objective metric for determining the true criticality of a vulnerability, particularly in the context of a specific enterprise. The role of the media is to investigate and report on stories, not conduct risk analysis. They will report on vulnerabilities that are interesting, but not necessarily critical. 
  • However, media coverage may still influence holistic risk evaluations. While security teams are aware that media coverage is not an ideal measure of technical risk, they need to discuss their risk evaluation process with others. They also need to accept that the overall risk presented by a lower-severity vulnerability might require action.
  • Part of the role of a security team is to manage perceived risk and to advise key stakeholders, especially senior decision-makers, and enable a measured response to vulnerabilities based on contextualization, rather than hype. CISOs must be armed with vulnerability data in the proper context in order to properly convey their organizations’ Cyber Exposure to business leaders and invest resources appropriately to reduce risk.

We will discuss these and other report findings at Tenable’s Edge 2019 user conference, May 21-23 in Atlanta, during the session “Expert Panel: Separating Media Hype from Real-World Risk,” on Thursday, May 23, at 9:15AM-10:00AM. The session, to be moderated by Paul Roberts, Publisher and Editor in Chief, The Security Ledger, features: Kevin Kerr, CISO, Oak Ridge National Laboratory; Greg Kyrytschenko, Head of Security Services, Guardian; Ramin Lamei, Senior Director, Information Security Officer, Global Payments; and Claire Tills, Research Analyst, Tenable.

However, there is another angle not covered in the report that I would like to discuss: it isn’t just the coverage in the business press that can impact how vulnerability management gets done. Security teams are tracking a much wider set of channels than their executives are for vulnerabilities. While security teams aren’t using this coverage as a single source of vulnerability intelligence, it can be used as a metric (combined with others) for prioritization. Let’s examine that aspect of the vulnerability media landscape. 

Vulnerability media landscape

While the Headline Vulnerabilities report focuses mainly on how organizations respond to major media coverage, stories that reach the level of the New York Times and broadcast news, the vulnerability media landscape covers a lot more than just those stories. While the pressure to perform is highest when the executive leadership or board of directors becomes aware of a vulnerability, security teams often use media coverage as a metric for severity. Media coverage typically will increase the priority of a vulnerability and this is particularly true once attacks are observed in the wild. For instance, Atlassian published an advisory for vulnerabilities in Confluence Server back on March 20, including a fix for CVE-2019-3396. However, it wasn’t until proof-of-concept (PoC) code and exploitation of this vulnerability became public that media outlets picked up on it. While it may not push it to the top of the pile, media coverage does act as an additional data point for prioritization.

Tenable’s Security Response Team (SRT) tracks vulnerabilities in the news (and other sources) and, since the beginning of 2019, nearly every noteworthy vulnerability disclosed has been covered by the media. That creates a lot of noise for security teams to manage. Media coverage is becoming less useful as a metric because the media landscape is changing. 

Reflecting on the changes to the media landscape, Ryan Seguin, research engineer on the SRT said, "I think over the last five years you've had a perfect storm of factors in the industry. The first major impact on vulnerability media coverage was Heartbleed in 2014, and the second being Twitter becoming the de facto method of communication for researchers. Heartbleed certainly wasn't the first vulnerability to get a catchy name, but in my anecdotal experience, its publication created a sort of vulnerability research gold rush. Since 2014, researchers are increasingly dedicated to being the next person to discover the perfect vulnerability worthy of a great writeup and a dazzling web page. In addition to getting your name out in the world and building your credibility, bug bounty programs have also become more lucrative, and more organized.” This shift in how researchers publicize their work to compete for attention has driven media outlets to deliver the high volume, noisy news cycles we are seeing.

The vulnerabilities and tactics discussed in the report align with the theme of boardroom interest that has maintained popularity in cybersecurity for the last few years. How do security teams not only react to, but capitalize on the increased attention from C-levels and boards? Especially in 2018, that attention turned toward vulnerability management. Whether this attention is triggered by a story in the business press or a technical outlet like Bleeping Computer, security teams need to be able to articulate the risks posed by vulnerabilities in terms that allow key stakeholders to make the best decisions.


SandboxEscaper: Local Privilege Escalation Bugs Including Four Zero-Day Vulnerabilities Disclosed


Five vulnerabilities, including four zero-day vulnerabilities, have been disclosed in Windows Task Scheduler, Windows Error Reporting, Internet Explorer 11, Microsoft Edge and Windows Installer, which could be used by attackers to elevate privileges.

Background

From May 21 through May 23, a security researcher published proof-of-concept (PoC) code for five vulnerabilities in Windows Task Scheduler (bearlpe), Windows Error Reporting (angrypolarbear2), Internet Explorer 11 (IE11), Microsoft Edge, and Windows Installer. Four of the five vulnerabilities are zero-days. These follow previous public disclosures from this researcher of zero-day vulnerabilities in Windows Task Scheduler in August 2018, Data Sharing Service in October 2018 and ReadFile.exe and Windows Error Reporting (WER) in December 2018.

Analysis

The five vulnerabilities published are named based on the folder names for each PoC:

  1. “bearlpe” (zero-day)
  2. “angrypolarbear2”
  3. “sandboxescape” (zero-day)
  4. “CVE-2019-0841-BYPASS” (zero-day)
  5. “InstallerBypass” (zero-day)

bearlpe targets the Windows Task Scheduler's .job import functionality, while angrypolarbear2 targets the WER tool's reporting queue task. CVE-2019-0841-BYPASS targets Microsoft Edge: CVE-2019-0841 was originally discovered by another researcher and patched, and this PoC shows the patched component is still exploitable. InstallerBypass targets the rollback scripts used when an installation is cancelled.

Each of these four vulnerabilities (all but sandboxescape) abuses a privileged component's writing of discretionary access control lists (DACLs), and some of them rely on native hard links to have that DACL written to a file of the attacker's choosing.

The sandboxescape vulnerability works on IE11 and can be combined with an existing IE remote code execution (RCE) vulnerability to break out of IE11's sandbox. Due to a flaw in, or exposed by, the IShdocvwBroker ShowOpenFile() method, a specially crafted HTML file can be evaluated with elevated permissions. When evaluated, this file does not have protected mode enabled. The researcher notes this vulnerability will "work on other sandboxes that allow the opening of windows filepickers through a broker."

Proof of concept

The PoCs are available on GitHub in repository folders called bearlpe, angrypolarbear2, sandboxescape, CVE-2019-0841-BYPASS and InstallerBypass.

Will Dormann, a vulnerability analyst at CERT/CC, tested the bearlpe PoC and confirmed exploitation succeeds on fully patched Windows 10 32-bit systems, 64-bit systems and Windows Server 2016 and 2019. However, Dormann was not able to reproduce exploitation on Windows 7 or Windows 8 systems.

Solution

At the time this blog post was published, four of the five vulnerabilities remained zero-days, and Microsoft had not confirmed whether it would patch them in the June 2019 Patch Tuesday release. angrypolarbear2 had been reported to Microsoft and was fixed in the May 2019 Patch Tuesday release as CVE-2019-0863. Interestingly, one of the two researchers credited with finding CVE-2019-0863 is named "Polar Bear," the same name the researcher uses in the GitHub repository folder. Tenable is continuing to monitor for additional updates regarding the zero-day vulnerabilities.

Identifying affected systems

A list of plugins to identify CVE-2019-0863 can be found here.

Based on the testing of the bearlpe PoC, it appears that Windows 10 32-bit and 64-bit systems are vulnerable as well as Windows Server 2016 and Windows Server 2019. Once Microsoft releases patches for these vulnerabilities, we will update this post to provide a link to the plugins to identify affected systems. Until then, to identify affected assets, we recommend using the following plugins:

Get more information

Join Tenable's Security Response Team on the Tenable Community.


GovEdge 2019: Five Things You Need to Know About Tenable’s Public Sector User Conference


At Tenable’s GovEdge 2019 public sector user conference, June 4-5 in Washington, D.C., you’ll learn how to make the most of your Tenable deployment and gain valuable Cyber Exposure best practices — all while networking with your peers, our experts and an entire ecosystem of partners. Here’s what you can expect.

At Tenable, we know cybersecurity is more than just your job — it’s your mission. That’s why we’re looking forward to welcoming you to GovEdge 2019, June 4-5 at the Ronald Reagan Building in Washington, D.C., where you’ll join more than 200 of your peers for a program designed to strengthen our collective resolve to make the digital world a safer place.

Here are five things you won’t want to miss at GovEdge 2019:

  1. Keynote addresses on June 4 by Grant Schneider, Federal Chief Information Security Officer (CISO) and former Chief Information Officer (CIO) for the Defense Intelligence Agency, and Jeanette Manfra, Assistant Director of the Cybersecurity and Infrastructure Security Agency (CISA) in the Department of Homeland Security.
  2. Tenable University on June 5. This full day of hands-on workshops and educational sessions is specifically developed for Federal Civilian and Defense agencies and for State and Local government. Whether you’re looking for help with advanced vulnerability management using Tenable.sc (formerly SecurityCenter), craving a behind-the-scenes look at Nessus plugins or simply need advice on best practices we’ve got you covered. Tenable University offers the chance to hone your skills and take your deployment to the next level. You’ll receive a certificate of attendance which can be used for continuing professional education credits.
  3. Firsthand customer experiences and best practices. Throughout the conference, you'll have the opportunity to hear directly from your fellow Tenable customers in a variety of keynotes, panel sessions and breakout presentations. Presenters will be on hand from the following organizations: Oak Ridge National Laboratory, Raytheon Space and Airborne Systems, the National Reconnaissance Office (NRO) and the State of Maryland, among others. Find the full list of speakers here.
  4. The Partner Pavilion. This is where Tenable's Cyber Exposure ecosystem comes to life. You'll have the opportunity to connect with experts from some of our leading partner organizations, including Amazon Web Services, CyberArk, immixGroup, IronBow, Force 3, Recorded Future, RedSeal, ServiceNow and Splunk. Learn more about our partners here.
  5. Tenable executives and experts. You'll hear from Tenable's leading executives, including Chairman and CEO Amit Yoran, Chief Product Officer Ofer Ben-David, and Chief Security Officer Robert Huber. And that's just the beginning. Tenable experts will be on hand to guide you during University sessions and a range of breakout sessions to suit every skill level and use case. See the complete agenda here.

You’ll also have the chance to engage in deeper conversations with your peers and connect with cyber experts from Tenable and the broader industry at our June 4 evening reception in the Reagan Center Rotunda. 

We look forward to seeing you at GovEdge 2019. If you're unable to join us this year, please contact your Tenable sales rep or email publicsectorsales@tenable.com to learn more about our plans in 2020.


CVE-2019-10149: Critical Remote Command Execution Vulnerability Discovered In Exim


Researchers have discovered a critical remote command execution vulnerability in older versions of Exim. Over 4.1 million internet-facing systems run affected versions; local exploitation works in the default configuration, and remote exploitation is possible in some non-default configurations.

Background

On June 3, the maintainers of the mail transfer agent (MTA) Exim acknowledged on the oss-security mailing list the existence of a critical vulnerability in Exim versions 4.87 through 4.91, reported to them by security researchers at Qualys. On June 5, the researchers published an abridged advisory on the same mailing list.

Analysis

CVE-2019-10149 is a remote command execution vulnerability introduced in Exim version 4.87, released on April 6, 2016. In the default configuration, a local attacker can exploit it to execute commands as root "instantly" by sending mail to a specially crafted recipient address on localhost: the local part of the address is passed through the expand_string() function from within deliver_message(). Remote exploitation under the default configuration is also possible but considered unreliable, because the attacker would need to keep a connection to the vulnerable server open for seven days.

In certain non-default configurations, remote exploitation becomes practical. The researchers name three: the "verify = recipient" requirement was removed from the ACL in the default configuration file (src/configure.default); the "local_part_suffix = +* : -*" line under the userforward router was uncommented; or Exim was "configured to relay mail to a remote domain, as a secondary MX (Mail eXchange)."

Proof of concept

At the time this blog was published, no proof-of-concept (PoC) was available for this vulnerability. However, we anticipate PoCs to become available in the near future.

Impact Assessment

Exim is widely distributed. At the time of publication, Shodan search results show over 4.1 million systems running versions of Exim that are considered vulnerable (4.87-4.91), while 475,591 are running the latest patched version (4.92). In other words, nearly 90% of systems with Exim are vulnerable to local exploitation and potentially to remote exploitation based on the configuration.


Total Results by Version Number

  • Exim 4.87: 206,024
  • Exim 4.88: 24,608
  • Exim 4.89: 206,571
  • Exim 4.90: 5,480
  • Exim 4.91: 3,738,863
  • Exim 4.92: 475,591
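The version range and the configuration conditions described in the Analysis section can be checked for mechanically. The following Python is an added example, not Exim's, Qualys's or Tenable's code: it parses the Exim version out of an SMTP greeting and classifies it against the 4.87 through 4.91 range, reproduces the "nearly 90%" figure from the Shodan tally above (the share calculation works for any version tally, not just this one), and flags in a configuration file the two non-default edits the advisory names. The greetings and configuration excerpts are constructed for the example; the secondary-MX relay case depends on deployment rather than on a single setting and is not checked.

```python
import re

# Affected range quoted in the advisory: 4.87 through 4.91; 4.92 carries the fix.
FIRST_VULNERABLE = (4, 87)
FIRST_FIXED = (4, 92)

# Matches "Exim 4.91" or "Exim 4.91.1" wherever it appears (SMTP greeting,
# EHLO response, package name); the third component is optional.
EXIM_VERSION_RE = re.compile(r"\bExim\s+(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)


def exim_version(text):
    """Return the Exim version as an int tuple, or None if none is present."""
    match = EXIM_VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.groups() if part is not None)


def classify(version):
    """'vulnerable' (4.87-4.91), 'fixed' (4.92 and later) or 'pre-4.87' (unsupported)."""
    major_minor = tuple(version[:2])
    if major_minor < FIRST_VULNERABLE:
        return "pre-4.87"
    if major_minor < FIRST_FIXED:
        return "vulnerable"
    return "fixed"


# Shodan tally from the post, used to reproduce its "nearly 90%" figure.
SHODAN_COUNTS = {
    "Exim 4.87": 206_024, "Exim 4.88": 24_608, "Exim 4.89": 206_571,
    "Exim 4.90": 5_480, "Exim 4.91": 3_738_863, "Exim 4.92": 475_591,
}


def vulnerable_share(counts):
    """Fraction of hosts whose version falls in the affected range."""
    total = sum(counts.values())
    vulnerable = sum(n for label, n in counts.items()
                     if classify(exim_version(label)) == "vulnerable")
    return vulnerable / total


def config_risk_factors(config_text):
    """Flag the two configuration edits the advisory ties to remote exploitation.

    Only a line whose first non-blank character is '#' is a comment in Exim's
    configuration, so an inline '#' is deliberately not treated as one.
    """
    active = [ln.strip() for ln in config_text.splitlines()
              if ln.strip() and not ln.lstrip().startswith("#")]
    risks = []
    if not any(re.search(r"\bverify\s*=\s*recipient\b", ln) for ln in active):
        risks.append("no 'verify = recipient' in the RCPT ACL")
    if any(re.search(r"^local_part_suffix\s*=\s*\+\*\s*:\s*-\*", ln) for ln in active):
        risks.append("'local_part_suffix = +* : -*' is active on a router")
    return risks


# Constructed excerpts (not real hosts): one shaped like the shipped default,
# one with both risky edits applied.
DEFAULT_LIKE_CONFIG = """\
acl_check_rcpt:
  accept  hosts = :
  require verify        = recipient
userforward:
  driver = redirect
  check_local_user
# local_part_suffix = +* : -*
# local_part_suffix_optional
  file = $home/.forward
"""

RISKY_CONFIG = """\
acl_check_rcpt:
  accept  hosts = :
  # require verify        = recipient
userforward:
  driver = redirect
  check_local_user
  local_part_suffix = +* : -*
  local_part_suffix_optional
  file = $home/.forward
"""

if __name__ == "__main__":
    for banner in ("220 mx1.example.test ESMTP Exim 4.91 Wed, 05 Jun 2019 10:00:00 +0000",
                   "220 mx2.example.test ESMTP Exim 4.92 Wed, 05 Jun 2019 10:00:01 +0000",
                   "220 mail.example.test ESMTP Postfix"):
        version = exim_version(banner)
        print(banner.split()[1], version and classify(version))
    print("share in affected range: %.1f%%" % (100 * vulnerable_share(SHODAN_COUNTS)))
    print("risky settings:", config_risk_factors(RISKY_CONFIG))
```

A banner classified as "fixed" only says the version string is 4.92 or later; distribution packages that backport the fix keep the old version number, so the banner check is a triage step, not proof either way, and the package version or the Tenable plugin result should settle it.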

Solution

Although this vulnerability was only reported via the exim-security mailing list on May 27, 2019, the code change that fixes it had already landed in Exim version 4.92, without being recognised as a security fix at the time.

Exim maintainers announced that their fix for CVE-2019-10149 is now public and that it can be backported to all affected versions from 4.87 through 4.91. They note that older releases are “considered to be outdated” and are therefore no longer supported.

Some information about CVE-2019-10149 in Linux Distributions can be found here:

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.


Leading Cybersecurity Officials Keynote GovEdge 2019


Vulnerability management was the centerpiece of Tenable’s public sector user conference, where cybersecurity and government leaders came together to explore ways to close their Cyber Exposure gap.

Last week, I was pleased to kick off GovEdge 2019, Tenable's public sector user conference, June 4-5 at the Ronald Reagan Building in Washington, D.C. The event brought together cybersecurity and government officials, federal and state cybersecurity leaders and industry experts to discuss the most pressing cybersecurity issues of the day and how we can minimize threats to our nation's infrastructure.

Vulnerability management was the centerpiece of the two-day event, which included keynotes and breakout sessions on June 4 and Tenable University hands-on workshops on June 5. Attendees were able to mix, mingle and learn how Tenable's Predictive Prioritization, Lumin and other tools can help organizations identify blind spots and close their Cyber Exposure gap. 

We were honored to welcome two incredible guest keynotes: Grant Schneider, the Federal Chief Information Security Officer (CISO) from the U.S. Office of Management and Budget, and Jeanette Manfra, Assistant Director for Cybersecurity at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). 

Schneider discussed how federal cybersecurity strategy has evolved from focusing on process and policy to emphasizing access and accountability. Manfra described how the newly created CISA, under DHS, implemented Binding Operational Directive 19-02, which requires federal agencies to patch critical vulnerabilities within 15 days and high vulnerabilities within 30 days.


James Hayes, Vice President Global Government Affairs, kicking off GovEdge 2019, Tenable's public sector user conference.

Schneider and Manfra also both spoke about the challenges facing government agencies and employees, including the lack of resources to address the increase of threats across the elastic attack surface. Tenable is thankful to have such capable experts in Grant and Jeanette at the helm managing cybersecurity at the highest levels of government.

Tenable Chairman and CEO Amit Yoran discussed how a sense of cyber helplessness is affecting organizations of all sizes as they grapple with relentless efforts from cyber adversaries every day of the week. He illustrated how most cyber threats stem from known vulnerabilities because they are cheaper for hackers to use and have a lower risk. 

Other session highlights included: 

  • John Evans, the Chief Information Security Officer for the State of Maryland, discussing the value of Tenable at the state level. 
  • Kevin Kerr, the Chief Information Security Officer at Oak Ridge National Laboratory, explaining how to integrate tools to improve cyber hygiene. 
  • Troy Taitano, Chief of the Cyber Modernization Division of the National Reconnaissance Office (NRO), sharing the techniques his organization is using to automatically reconcile software, hardware and their configurations with system security plan data, privileged user data and Public Key Infrastructure (PKI) certificates.

GovEdge 2019 was a great success, marked by industry leaders coming together for a robust and extensive dialogue. The knowledge-sharing available at events like these helps keep all of us one step ahead of the cyber adversaries. We'll soon announce our plans for next year, and we look forward to continuing our momentum in 2020.

Why Diversity in Cybersecurity is the Key to Our Collective Success


Tenable’s first-ever Diversity and Inclusion Council brings together company leaders who are committed to creating an environment of inclusiveness and empowerment.  

The House Homeland Security Committee’s Subcommittee on Cybersecurity, Infrastructure Protection and Innovation held a hearing on May 21 highlighting the importance of growing and diversifying the cybersecurity talent pipeline. At Tenable, we wholeheartedly agree that diversity is key to innovation and countering threats in cybersecurity. 

Our increasingly diverse employee base works tirelessly each day to ensure that software vulnerabilities are identified and quickly patched to help public and private organizations of all sizes eliminate blind spots, prioritize threats and close their respective cyber exposure gaps. Such actions are essential to protecting our nation and our critical infrastructure. Success in cybersecurity demands a multipronged approach that relies upon a diverse view of the problem. Simply put, diversity of thought as well as racial and gender diversity make our industry stronger.  

Why? Because diversity isn’t just a nice to have, it’s a must have. According to The Washington Post, women make up only 11% of the U.S. cyber workforce, and we’re experiencing a national shortage of over 300,000 cybersecurity professionals in both the public and private sectors. A diverse workforce is a prerequisite to unlocking the full potential of any organization, including our own. Along with the rest of the industry and lawmakers, we’ve taken meaningful action to address the diversity gap. 

Last year, I helped co-found Tenable’s first-ever Diversity and Inclusion Council. The council brings together company leaders who believe that creating an environment that ensures all employees feel welcome and empowered improves the work we do and gives us an increased sense of satisfaction. It also focuses on uplifting the next generation of world-class cybersecurity talent. 

Tech customers are increasingly challenging IT providers to diversify and provide greater opportunity to job seekers from all backgrounds. Anyone looking to make the business case for diversity need look no further than Intel’s 2018 Diversity and Inclusion Report, which showcases how the company has pivoted to embrace and grow a pipeline of underrepresented minorities and women in their U.S. workforce, and is working toward global inclusion.     

There is still more work to be done — for us here at Tenable and industry-wide. Congress should use its power to improve federal job preparedness programs and provide funding to bolster the application of these initiatives to help advance our competitiveness on a global scale. For example, Rep. Jim Langevin’s Cybersecurity Skills Integration Act (H.R. 1592) would help prioritize the key skills needed for cybersecurity professionals to effectively protect our critical infrastructure. This bill would help retool our workforce to identify new threats posed to traditional IT environments via the new elastic attack surface in areas like internet of things (IoT), operational technology (OT), cloud and mobile. 

However, Congress alone can’t grow and diversify the workforce; we need private-sector and institutional partners. Individual companies and organizations like the International Consortium of Minority Cybersecurity Professionals, which have long advocated for minorities in the cybersecurity field, also make an impact. 

Earlier this year, I had the opportunity to speak to undergraduate students enrolled in the University of Maryland's Advanced Cybersecurity Experience for Students (ACES) program. These students are the next generation of cybersecurity professionals, and it was great to share my experiences in the industry and the work we're doing at Tenable to help close the cybersecurity skills gap. This group of talented, aspiring cybersecurity professionals is what the cybersecurity industry needs. As I shared with the group, this important change is starting at schools like UMD.


James Hayes, Tenable's VP of global government affairs (fourth from left) with students of the University of Maryland's Advanced Cybersecurity Experience for Students (ACES) program.

As Rob Joyce, Senior Cybersecurity Advisor to the Director of NSA, recently noted, we need to make systemic changes that address the cybersecurity skills gap and encourage the next generation of diverse cybersecurity professionals. An influx of cybersecurity talent is important to tackling the ever-expanding attack surface and threat landscape. If we’re going to be successful and close the cyber exposure gap, increasing diversity must be a priority. As an industry, we owe it to ourselves to help solve this talent shortage, and our collective success relies on it. 

While there has been robust dialogue on the issue, and tangible work from Congress and the private sector, numbers don't lie. Our nation cannot afford a shortage of more than 300,000 cybersecurity professionals. As an industry and as a country, we have an incredible amount of work to do if we wish to fill a pipeline of talented professionals to protect against tomorrow's cyber threats.

Improving the diversity of our industry should be top of mind for every leader in cybersecurity. At Tenable, we remain committed to increasing diversity and supporting the next generation of cyber talent. 

Tenable Roundup for Microsoft's June 2019 Patch Tuesday


The SandboxEscaper privilege escalation bugs are among the nearly 90 vulnerabilities patched in Microsoft’s June 2019 Security Updates. Here’s what you need to know.

Microsoft’s June 2019 Security Updates have been released, with nearly 90 vulnerabilities patched in this update, 21 of which are critical.

SandboxEscaper Privilege Escalation Bugs Patched

This month’s release contains fixes for the four local privilege escalation zero-day vulnerabilities disclosed by SandboxEscaper at the end of May 2019.

CVE ID (SandboxEscaper name): description

  • CVE-2019-1069 (bearlpe): Addresses an elevation of privilege vulnerability in the way the Task Scheduler Service validates file operations.
  • CVE-2019-0973 (InstallerBypass): Addresses an elevation of privilege vulnerability in the Windows Installer due to insufficient sanitization of inputs.
  • CVE-2019-1064 (CVE-2019-0841 BYPASS): Addresses an elevation of privilege vulnerability in how the Windows AppX Deployment Service (AppXSVC) handles hard links. This is the bypass of CVE-2019-0841, which was patched in the April Patch Tuesday release.
  • CVE-2019-1053 (Sandbox Escape in Internet Explorer 11): Addresses an elevation of privilege vulnerability in Windows Shell, which impacts how it validates folder shortcuts.

CVE-2019-0888 | ActiveX Data Objects (ADO) Remote Code Execution Vulnerability

An ActiveX vulnerability (CVE-2019-0888) was discovered that could allow an attacker to run code on the victim’s machine if said victim visited a malicious website.

If your organization blocks ActiveX objects from running in your users’ browsers, that would prevent this vulnerability from being exploited, but we always recommend applying patches ASAP.

CVE-2019-1019 | Microsoft Windows Security Feature Bypass Vulnerability

A vulnerability in the NETLOGON service (CVE-2019-1019) would allow a man-in-the-middle attack to obtain session keys from a user’s logon session, and log into the same target machine as the legitimate user.

Tenable Solutions

Users can create scans that focus specifically on our Patch Tuesday plugins. From a new advanced scan, in the plugins tab, set an advanced filter for Plugin Name Contains June 2019.

Microsoft June 2019 Security Update Patch Tuesday Tenable Plugins

With that filter set, click on the plugin families to the left, and enable each plugin that appears on the right side. Note that if a family on the left says Enabled, all of the plugins in that family are set. Disable the whole family before selecting the individual plugins for this scan. Here’s an example from Tenable.io:

Microsoft June 2019 Security Updates Patch Tuesday Tenable.io plugins

A public list of all of the plugins for Tenable’s June 2019 Patch Tuesday update can be found here as they're released.

IoT Cybersecurity Improvement Act: An Important Step Forward

At Tenable, we look forward to working with our partners on Capitol Hill to move the IoT Cybersecurity Improvement Act forward and strengthen the security of federal networks.  

Billions of devices connect the world we live in and track our daily activities and patterns. From the smartwatch on your wrist to your front door security camera, your personal data and everyday movements enable our digitally transformed lives. Internet of things (IoT) devices are also enabling more advanced technological capabilities for the federal government, including critical infrastructure, and it’s critical to ensure that these devices are cyber-secure.

Many IoT devices are shipped with existing vulnerabilities, which can heighten risk. For example, many devices include factory-set, hardcoded passwords. Other devices can’t be patched or updated. This presents critical security gaps and leaves networks vulnerable to cyberattacks and data compromises. 

To address these growing security challenges, Senator Mark Warner (D-VA), along with his colleagues Senators Cory Gardner (R-CO), Maggie Hassan (D-NH) and Steve Daines (R-MT), and Representatives Robin Kelly (D-IL) and Will Hurd (R-TX) introduced the IoT Cybersecurity Improvement Act (S. 734/H.R. 1668). This legislation would establish baseline security requirements for IoT devices purchased by the federal government to create a stronger and more secure ecosystem. It is an important step forward in shrinking the ever-expanding attack surface. 

The IoT Cybersecurity Improvement Act would require the National Institute of Standards and Technology (NIST) to develop recommended standards for the use of IoT devices by the federal government and would issue guidelines for each agency consistent with those recommendations. In consultation with cybersecurity researchers and private-sector industry experts, NIST would also be required to publish guidance on policies and procedures for reporting, coordinating, publishing and receiving information about security vulnerabilities in devices used by the government and the resolution of such vulnerabilities. Additionally, the Office of Management and Budget (OMB), the General Services Administration (GSA), and contractors and vendors would be required to adhere to these established NIST guidelines. 

NIST’s recommended standards for federal IoT devices would act as a key baseline to help agencies manage their risk. It would also be an important step towards addressing the standards gap and the cyber exposure gap for IoT devices. The current lack of guidance continues to put the security of federal agencies at risk.  

Tenable strongly supports the bill’s call for NIST to include Cyber Exposure considerations in a report on the increasing convergence of IT, IoT and OT devices, networks and systems. Cyber Exposure, a way to manage and measure the modern attack surface, helps organizations accurately understand and reduce cyber risk. Ultimately, Tenable believes there must be a shift in mentality away from traditional IT management for IoT to more self-healing IoT devices. This would reduce the burden on consumers so they don’t need to serve as system administrators for each device. Further, we will need to build stronger trust in consumer IoT devices, as they tend to have access to much more personal information (photos, health data, etc.) about us than computers. We applaud the development of standards and guidelines at NIST to help assert that trust.

The IoT Cybersecurity Improvement Act is an important step to help secure the billions of IoT devices that connect our world. The government has significant buying power, and stronger federal procurement standards for the security of IoT will lead to stronger security practices in the commercial marketplace as well. We also believe this legislation will play a strong role as the government works to manage its collective cyber risk. Finally, other nations are moving forward with IoT security regulations and requirements and we believe it is important for the U.S. to play a leadership role in IoT security policy. 

Developing advanced cyber hygiene practices is in the best interest of the global ecosystem. We urge the Oversight and Reform Committee to advance this critical piece of legislation and we hope it will be considered by the full House and Senate in the near future. We look forward to working with our partners on Capitol Hill to move the bill forward and strengthen the security of federal networks.  

Hope Is Not a Strategy: Four Lessons ‘Survivor’ Taught Me About Cybersecurity

The Fijian island landscape may look very different from the Cyber Exposure landscape, but surviving them has more in common than you would think. And I have the personal experience to prove it.

In 2018, I took a short break from my position as a Technical Writer at Tenable and traded writing documentation for vulnerability management solutions for something a little less high-tech. I flew to Fiji to compete on the CBS reality television game Survivor: David vs. Goliath. I survived two cyclones, underwent grueling physical and mental challenges and lived on a diet of only rice and coconuts for 32 of 39 days, until I was voted out in eighth place. It was the experience of a lifetime, pushing me far beyond what I thought I was capable of.

Among the many challenges I faced on Survivor, I learned several valuable lessons. Here are four of my takeaways and how they relate to cybersecurity:

1. You can’t succeed alone

It’s basically impossible to survive on an island alone. As a tribe, we were completely responsible for building our own shelter, finding food and building fire. Though everyone came from different walks of life, we all worked as a team, using everyone’s unique knowledge and skills to our advantage.

Much like a functional tribe, the Tenable Cyber Exposure ecosystem includes a wide range of integrations and technology partners. These integrated solutions help increase the breadth of visibility across the modern attack surface and foster better collaboration across Security and IT Operations teams.

I’m grateful that throughout my adventures, my manager and technical writing team at Tenable had my back and fully supported me. To me, their support exemplified the Tenable value of One Tenable: the idea that we’re all one team, working together and winning together.

2. You have to learn to prioritize risk

Like any game worth playing, there is no reward without risk. I knew the $1 million prize on Survivor wouldn’t come easy, and I would have to take risks to get myself further in the game. These decisions ranged from low-risk (sticking with the majority and voting out a consensus target) to high-risk (blindsiding my ally at a critical time because I thought it might get me closer to winning).

I constantly weighed external risks in the game. Was a clash of personalities with an adversary an imminent threat to my game? Was it worth cooking an extra scoop of rice if it meant we’d run out of our rice supply sooner? Evaluating and prioritizing the various risks in the game was key to making strategic decisions.

The need for prioritization probably sounds familiar to many cybersecurity professionals. According to the National Vulnerability Database, there were 16,500 new vulnerabilities disclosed in 2018 alone, of which only a small fraction was actively weaponized for cyberattacks. When faced with such a high number of vulnerabilities in the cybersecurity landscape, you have to be able to identify, investigate and prioritize risk in order to identify what poses an actual threat to your business. One way to do that is with Predictive Prioritization, a machine learning algorithm from Tenable which helps you focus on the vulnerabilities that matter most.

3. You must be able to adapt to an ever-changing environment

On day one of the game, the host Jeff Probst presented us with the following premise for our season’s theme: “It’s not about who has the advantage, but what is the advantage?”

Three weeks into playing Survivor, late into the game, my alliance was at a disadvantage because we were in the minority. It appeared we would be picked off by the majority alliance, which had the numbers over us. Suddenly, the strategic landscape of the game changed: one of my alliance partners found a hidden advantage, allowing us to steal a vote from the other alliance. True to Probst’s words, it didn’t matter who had the initial advantage, because we had an advantage that trumped theirs, allowing us to reclaim power in the game.

In cybersecurity, attackers often have the first-mover advantage. Security teams have the power to reclaim the advantage by developing a risk-centric mindset. The Tenable advantage is the ability to adapt to new and evolving threats. The Cyber Exposure landscape is constantly changing, so you have to learn to be adaptable when it comes to your cybersecurity efforts.

4. At times, being proactive is better than being reactive

It’s good to be adaptable and react to a problem. It’s even better to be proactive and know when something might become a problem before it does. On Survivor, when I found myself in danger of being voted out of the game, I couldn’t be passive and merely hope things would go my way.

I decided to live by the phrase, “Hope is not a strategy.” Being proactive meant I had to take matters into my own hands, like stepping up for the main role in a team challenge, or initiating a strategic conversation to solidify an alliance.

In cybersecurity, merely hoping your assets aren’t vulnerable isn’t enough to shield you from attacks. Instead, you have to take fate into your own hands and find solutions that help you close your Cyber Exposure gap.

Though I’m back at my usual job, writing documentation for our Tenable products, my experience on Survivor will never leave me. I learned the value of being a team player, as well as how to be analytical, adaptable and proactive. Just like the Tenable products I write about.

Watch the video below to hear more about my experiences:

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

SACK Panic: Linux and FreeBSD Kernels Vulnerable to Remote Denial of Service Vulnerabilities (CVE-2019-11477)

Researchers at Netflix have disclosed new remote denial of service and resource consumption vulnerabilities in most Linux and FreeBSD versions.

Background

On June 17, Netflix published an advisory to its GitHub repository for security bulletins. The advisory highlights the discovery of four Transmission Control Protocol (TCP) networking vulnerabilities in the Linux and FreeBSD kernels, including a severe vulnerability called “SACK Panic” that could result in “a remotely-triggered kernel panic on recent Linux kernels.”

Analysis

The advisory highlights four separate vulnerabilities, each of which impacts either specific versions of the Linux and FreeBSD kernels or all Linux kernel versions.

CVE-2019-11477, known as “SACK Panic,” is an integer overflow vulnerability that can be triggered by a remote attacker sending a sequence of TCP Selective ACKnowledgements (SACKs) to a vulnerable system, which could result in a system crash (kernel panic). Successful exploitation of this vulnerability will result in a denial of service (DoS) on affected systems.

CVE-2019-11478 is an excess resource consumption vulnerability that can be triggered by a remote attacker sending a sequence of SACKs to a vulnerable system, resulting in the fragmentation of the TCP retransmission queue. Additionally, an attacker might “cause an expensive linked-list walk for subsequent SACKs” via the same TCP connection on Linux kernel versions prior to 4.15, resulting in further fragmentation, which has been dubbed “SACK slowness.” Successful exploitation of this vulnerability will drastically hinder system performance, and may potentially cause a complete DoS.

CVE-2019-11479 is an excess resource consumption vulnerability that can be triggered when a remote attacker sets a low Maximum Segment Size (MSS) for a TCP connection, causing a vulnerable system to utilize additional bandwidth and resources, because its responses are sent across “multiple TCP segments each of which contain only 8 bytes of data.” Exploiting this vulnerability will cause affected systems to run at maximum resource consumption, which could hinder system performance while attempting to process the malicious requests.

CVE-2019-5599 is similar to CVE-2019-11478, in that sending a sequence of SACKs will result in fragmentation, but this vulnerability impacts the RACK send map in the RACK TCP stack on FreeBSD 12.

Solution

Netflix provided patches and mitigation for each of the four vulnerabilities in its advisory. The associated patches include:

  • PATCH_net_1_4.patch and PATCH_net_1a.patch (CVE-2019-11477): PATCH_net_1_4.patch addresses the vulnerability for Linux kernel versions greater than or equal to 2.6.29, while PATCH_net_1a.patch is required for Linux kernel versions up to and including 4.14.
  • PATCH_net_2_4.patch (CVE-2019-11478): PATCH_net_2_4.patch addresses both SACK slowness in Linux kernel versions < 4.15 as well as excess resource usage in all Linux kernel versions.
  • PATCH_net_3_4.patch and PATCH_net_4_4.patch (CVE-2019-11479): PATCH_net_3_4.patch and PATCH_net_4_4.patch address the excess resource consumption vulnerability in all Linux kernel versions.
  • split_limit.patch (CVE-2019-5599): split_limit.patch addresses SACK slowness for the RACK TCP stack on FreeBSD 12.

Linux kernel developer and maintainer Greg Kroah-Hartman announced that patches have been rolled into the stable kernel releases for the following versions:

Kroah-Hartman mentions that outside of the 3.16.y branch, which he does not maintain, all other kernel branches are end-of-life. Therefore, if patching is not feasible, applying the mitigations from the advisory is strongly recommended.

Additional downstream patches are available or in the works for various Linux distributions including Red Hat, Ubuntu, Debian, and SUSE. Amazon Web Services (AWS) released a security bulletin to address questions around the vulnerability and its impact on various services, including availability of patched versions of the Linux kernel for Amazon Linux and Amazon Linux 2.
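An added example (not code from the Netflix advisory or from Tenable) that checks whether a Linux host has the advisory's two interim mitigations in place, with the inputs accepted as text so the logic can also be exercised offline. The sysctl name net.ipv4.tcp_sack and the iptables tcpmss rule shape are assumed from the advisory's mitigation guidance and are not stated on this page.

```python
"""Added example, not code from the Netflix advisory or from Tenable: check a
Linux host for the two interim mitigations the advisory describes.

Assumed (not stated on this page): SACK Panic (CVE-2019-11477) and SACK
slowness (CVE-2019-11478) are mitigated by disabling SACK processing through
the sysctl net.ipv4.tcp_sack, and the low-MSS resource exhaustion
(CVE-2019-11479) by a firewall rule that drops TCP SYNs advertising a tiny
MSS (the advisory's iptables rule uses the tcpmss match). Both are stop-gaps
for hosts that cannot yet run a patched kernel.
"""
import re
import shutil
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple

# iptables-save style line, e.g. (constructed):
#   -A INPUT -p tcp -m tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
LOW_MSS_DROP = re.compile(
    r"-p tcp .*--tcp-flags SYN\S* SYN .*-m tcpmss --mss 1:(\d+) .*-j DROP"
)

# Constructed sample state, used when the live host state cannot be read.
SAMPLE_TCP_SACK = "1\n"
SAMPLE_RULES = (
    "-A INPUT -p tcp -m tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP\n"
    "-A INPUT -j ACCEPT\n"
)


@dataclass(frozen=True)
class SackMitigationState:
    sack_disabled: bool              # net.ipv4.tcp_sack == 0
    low_mss_ceiling: Optional[int]   # upper MSS bound of the DROP rule, if any

    @property
    def fully_mitigated(self) -> bool:
        return self.sack_disabled and self.low_mss_ceiling is not None

    def findings(self) -> List[str]:
        out = []
        if not self.sack_disabled:
            out.append("SACK enabled: CVE-2019-11477/11478 not mitigated")
        if self.low_mss_ceiling is None:
            out.append("no low-MSS SYN drop rule: CVE-2019-11479 not mitigated")
        return out


def sack_is_disabled(tcp_sack_value: str) -> bool:
    """True when the sysctl value means SACK processing is switched off."""
    return tcp_sack_value.strip() == "0"


def low_mss_drop_ceiling(iptables_rules: str) -> Optional[int]:
    """Return the MSS upper bound of a SYN/low-MSS DROP rule, or None."""
    for line in iptables_rules.splitlines():
        m = LOW_MSS_DROP.search(line)
        if m:
            return int(m.group(1))
    return None


def assess(tcp_sack_value: str, iptables_rules: str) -> SackMitigationState:
    return SackMitigationState(sack_is_disabled(tcp_sack_value),
                               low_mss_drop_ceiling(iptables_rules))


def read_live_state() -> Optional[Tuple[str, str]]:
    """Return (tcp_sack value, iptables-save output) from this host, or None."""
    try:
        with open("/proc/sys/net/ipv4/tcp_sack") as f:
            sack = f.read()
    except OSError:
        return None
    rules = ""
    if shutil.which("iptables-save"):  # needs root; empty output otherwise
        try:
            rules = subprocess.run(["iptables-save"], capture_output=True,
                                   text=True, timeout=10, check=False).stdout
        except (OSError, subprocess.SubprocessError):
            rules = ""
    return sack, rules


if __name__ == "__main__":
    live = read_live_state()
    source = "live host" if live else "constructed sample"
    sack, rules = live if live else (SAMPLE_TCP_SACK, SAMPLE_RULES)
    state = assess(sack, rules)
    print(f"[{source}] fully mitigated: {state.fully_mitigated}")
    for finding in state.findings():
        print(" -", finding)
```

Disabling SACK degrades loss recovery on lossy links, so treat a "fully mitigated" result as a reminder to schedule the kernel update rather than as a permanent state.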

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io.

CVE-2019-11707: Critical Type Confusion Zero-Day in Mozilla Firefox Exploited in the Wild

Security researchers discover a zero-day vulnerability in Mozilla Firefox used in targeted attacks.

Background

On June 18, the Mozilla Foundation published a security advisory to address a zero-day vulnerability in Mozilla Firefox being used in targeted attacks in the wild.

Analysis

According to the security advisory, CVE-2019-11707 is a type confusion vulnerability in Mozilla Firefox that can result in an exploitable crash due to issues in Array.pop which can occur when manipulating JavaScript objects.

The vulnerability was reported to Mozilla by Google Project Zero’s Samuel Groß and the Coinbase Security team. Further details about the vulnerability and in-the-wild attacks are not public, as the Bugzilla report is currently restricted, and neither Google Project Zero nor Coinbase Security has published a blog about it. We believe this is to allow time for users to update to a patched version of Firefox.

Solution

Mozilla has released Firefox 67.0.3 and Firefox Extended Support Release (ESR) 60.7.1 to address this vulnerability.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Threat Modeling: What You Need to Know About Prioritizing Attacks and Vulnerabilities

Threat modeling gives vulnerability management teams a good understanding of how attacks work, enabling them to focus prioritization efforts around the bugs most likely to affect their environment.

The importance of threat modeling in assessing security postures is a given nowadays. The vulnerability view, while it does play a central role, is only one part of an assessment. It’s not enough to pinpoint which vulnerabilities or attack vectors are the most relevant at a given time. Taking into account the characteristics of individual attacks and the strategies of attackers enables defenders to prioritize. Instead of defending against all vulnerabilities (which can number in the hundreds and thousands), defenders can prioritize their efforts to focus on a select number that the attacker needs to breach the system. 

In this blog post, I will share a few notes on how attacks are carried out, links to vulnerabilities, and how the right threat model can save the day.

Threat modeling: vulnerabilities vs. attacks

Threat modeling is the formal process of identifying and ranking the threats most likely to affect your environment. Typically, there are two views to threat modeling:

  1. the vulnerability view, in which system vulnerabilities, either taken individually or combined, define the technical exposure to attacks; and
  2. the attacker and threat landscape view, in which the modeling takes into account the threat landscape, in the form of attack instances, and attacker strategies. 

These models are typically represented through attack graphs, game theory or decision analysis. Regardless of the modeling approach, our interest here is to define the threat-modeling steps most likely to make a difference when it comes to protecting your system.

Targeting all known vulnerabilities that an attacker may exploit is usually pointless. Out of tens of thousands of vulnerabilities, only a fraction is actively exploited in the wild. In addition, it has been shown that vulnerability exploitation can be described by a heavy tail distribution, which basically means a very small fraction of vulnerabilities is responsible for orders of magnitude more attacks than the remaining majority. 

A good example here would be exploit kits, which drive millions of attacks, yet each uses at most a dozen vulnerabilities. Data from Tenable and ReversingLabs, from January 1 through May 5, shows only 2 percent of all known and detected vulnerabilities were seen in ReversingLabs's threat detection feed (file-based malware). Additionally, the top 10 percent of CVEs (out of 638) from that feed is responsible for 50 percent of exploit detections. 

Additional data from Recorded Future, including a broader range of cyber attacks — such as fileless or Web attacks — shows a further 172 CVEs being exploited in the same period, which brings the total to 2.5 percent of all known and detected vulnerabilities in Tenable data. This shows that it’s unrealistic to assume attackers can choose any available vulnerability or path to compromise. 

What You Need to Know About Prioritizing Attacks and Vulnerabilities

There is no 'one-size-fits-all' attack strategy, nor defender strategy for that matter. Outside of the 'Attacks-as-a-Service' model, using pre-existing mechanisms — such as the above-mentioned exploit kits — or an existing infrastructure controlled by cybercriminals to launch distributed denial of service (DDoS) attacks, for instance, the attack generation process is usually dynamic and made-to-measure. In fact, attackers might need to re-engineer their attack strategy if nothing in their toolbox works on a target environment, which might translate to a lot more effort in terms of reconnaissance, enumeration or even exploit modification and engineering. 

It’s equally unrealistic to assume attackers are all-knowing about their targets and can choose whichever attack strategy they believe is best.

A typical attack scenario might, for instance, involve a watering hole attack, a phishing attack or password spraying to establish the initial foothold. Once inside, additional effort is required to identify the network and system configuration visible from there and understand which attacks are needed to move to the next target. 

Even though no two attacks are exactly alike, there are similar tactics, techniques and procedures (TTPs) that attackers use. These should be well understood on the defender side. The MITRE ATT&CK framework offers a good high-level reference. 

Leveraging real-world and timely threat intelligence and attacks knowledge is essential to define (and narrow down) the search space to highly likely and high impact threats for a given environment.

Steps for Threat Modeling

The main question, from the defender perspective, remains “how to decide which vulnerabilities to fix first?” Starting with a given technical exposure, i.e. exploitable vulnerabilities and weaknesses on a system, the basic process would be to identify attack scenarios and characteristics, based on known attack strategies and threat intelligence reports. This would narrow down the initial set to a much smaller number of vulnerabilities that are more likely to lead to realistic attacks on that environment. 

Threat modeling would then require the following basic steps: 

  • Identify system vulnerabilities and weaknesses.
  • Identify attack paths against your assets, based on these vulnerabilities and weaknesses, taking into account existing countermeasures and safeguards.
  • Identify realistic attacks that can leverage existing vulnerabilities and weaknesses on those paths, using both generic and timely knowledge about threats and threat actors. 
  • Prioritize risks based on impact and asset/application criticality.

Prioritizing Attacks and Vulnerabilities Four Key Steps

Under this modeling, the defender is able to reason about the attackers’ ability, not only to find an initial entry point, but also to do further reconnaissance, enable persistence, escalate privileges, move laterally and so on, which could be aligned with the MITRE ATT&CK framework. 

Ideally, a threat model is enhanced by emulating TTPs used by adversaries and carried out by red teams. This can also be done by mapping those TTPs along the attack surface without necessarily carrying out real-world campaigns. The main advantage to real-world campaigns, however, is taking into account the human factor (employees’ skill gaps) and how the company and blue teams react (mainly reflected by metrics such as Time to Detect and Time to Mitigate). 

The appearance of a new vulnerability might not carry any weight on the overall model, in terms of scenarios and risks. If it does, however, the available description and severity, combined with threat intelligence activity, will estimate attack likelihood and impact factors to update the model. It is then imperative for security teams, responsible for assessing security postures, to have a good understanding of how attacks work, keep an open eye on the latest reports and make sure they understand how adversaries are operating and changing their attacks.

Most vulnerability management practitioners understand the importance of risk-centric vulnerability prioritization and remediation. The main focus currently is on imminent (and most of the time, commoditized) attacks, which, in fact, should be the first priority. A more efficient threat model, based on the steps above, will take defenders further by including relevant advanced attacks and continuously assessing the threat landscape for more effective overall risk reduction.
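The four steps above, worked through on a small attack graph as an added example (not Tenable's code or its Predictive Prioritization algorithm). The asset names, criticality ratings, vulnerability identifiers (V-1 to V-7, deliberately not CVE numbers), CVSS scores and "seen exploited" flags are all constructed sample data; the last function shows how a threat-intelligence update changes the ranking, as the preceding paragraph describes.

```python
"""Added example, not Tenable's code: the four threat-modeling steps from the
post run over a constructed attack graph. Asset names, criticality ratings,
vulnerability identifiers (V-1 ... V-7, deliberately not CVE numbers), CVSS
scores and the 'exploited in the wild' flags are all made-up sample data."""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple

# Step 1 input: vulnerabilities found in the environment.
# vid -> (CVSS base score, seen exploited in the wild according to threat intel)
SAMPLE_VULNS: Dict[str, Tuple[float, bool]] = {
    "V-1": (7.5, True),   # web tier, exploit kit activity observed
    "V-2": (9.8, False),  # web tier, critical score but no known exploitation
    "V-3": (8.8, True),   # web -> app lateral movement
    "V-4": (7.2, True),   # app -> database
    "V-5": (9.1, False),  # web -> database, no known exploitation
    "V-6": (8.1, True),   # app -> database, blocked by segmentation (step 2)
    "V-7": (9.8, True),   # on a printer nothing reaches from the entry point
}

# Attack graph edges: exploiting `vid` on `src` gives the attacker `dst`.
SAMPLE_EDGES: List[Tuple[str, str, str]] = [
    ("internet", "V-1", "web"), ("internet", "V-2", "web"),
    ("web", "V-3", "app"), ("web", "V-5", "db"),
    ("app", "V-4", "db"), ("app", "V-6", "db"),
    ("branch-lan", "V-7", "printer"),
]

# Step 4 input: asset/application criticality, 1 (low) to 5 (crown jewel).
SAMPLE_CRITICALITY: Dict[str, int] = {
    "internet": 0, "web": 2, "app": 3, "db": 5, "branch-lan": 0, "printer": 1,
}

# Step 2 input: vulnerabilities whose exploitation an existing safeguard blocks.
SAMPLE_COUNTERMEASURES: FrozenSet[str] = frozenset({"V-6"})


def realistic_edges(edges, vulns, countermeasures):
    """Steps 2 and 3: keep only edges an attacker can realistically use."""
    return [(s, v, d) for s, v, d in edges
            if vulns[v][1] and v not in countermeasures]


def attack_paths(edges, entry):
    """Enumerate simple paths from `entry`; every prefix is itself a path."""
    by_src = defaultdict(list)
    for s, v, d in edges:
        by_src[s].append((v, d))
    paths = []

    def walk(asset, visited, path):
        for v, d in by_src[asset]:
            if d in visited:
                continue
            new_path = path + [(v, d)]
            paths.append(new_path)
            walk(d, visited | {d}, new_path)

    walk(entry, {entry}, [])
    return paths


def prioritize(edges, vulns, criticality, entry, countermeasures=frozenset()):
    """Step 4: rank every vulnerability by the most critical asset a realistic
    path through it reaches, then by how many such paths use it, then CVSS.
    Returns [(vid, max_criticality_reached, path_count), ...], best first."""
    reach = {v: 0 for v in vulns}
    count = {v: 0 for v in vulns}
    for path in attack_paths(realistic_edges(edges, vulns, countermeasures), entry):
        end_crit = criticality[path[-1][1]]
        for v, _ in path:
            reach[v] = max(reach[v], end_crit)
            count[v] += 1
    order = sorted(vulns, key=lambda v: (-reach[v], -count[v], -vulns[v][0]))
    return [(v, reach[v], count[v]) for v in order]


def with_intel(vulns, newly_exploited: Set[str]):
    """Model update when threat intelligence reports new in-the-wild activity."""
    return {v: (cvss, seen or v in newly_exploited)
            for v, (cvss, seen) in vulns.items()}


if __name__ == "__main__":
    for row in prioritize(SAMPLE_EDGES, SAMPLE_VULNS, SAMPLE_CRITICALITY,
                          "internet", SAMPLE_COUNTERMEASURES):
        print(row)
```

Note that V-2 and V-7 carry the highest CVSS scores yet rank at the bottom, because no realistic path from the entry point runs through them; once V-5 is reported exploited, it moves ahead of V-4 without any change to the graph.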

What You Need to Know About Vulnerability Management Best Practices

How can CISOs and their cybersecurity teams incorporate Tenable’s Predictive Prioritization capability and the Vulnerability Priority Rating into their vulnerability management strategy? The Tenable team offers some best practices.

Throughout the course of 2019, the Tenable team has been talking about the benefits of Predictive Prioritization, the process of re-prioritizing vulnerabilities based on the probability they will be leveraged in an attack. 

This new capability, introduced in February 2019, combines Tenable-collected vulnerability data with third-party vulnerability and threat intelligence and analyzes them together using an advanced data science algorithm developed by Tenable Research. The data analysis is used to develop a Vulnerability Priority Rating (VPR) for each vulnerability. 

Predictive Prioritization is now available in Tenable.sc and Tenable.io to help security teams focus on what matters most. But what are the best practices for implementing Predictive Prioritization and VPR?

During a recent webinar entitled “Putting Predictive Prioritization To Work,” Kevin Flynn, a senior product marketing manager at Tenable, joined senior security consultants Brian Baumgarten and John Vasquez to discuss Predictive Prioritization and VPR. They explored how CISOs, their security teams and even third-party vendors and service providers can incorporate these capabilities into their vulnerability management plans.

Setting Vulnerability Management KPIs

As with any good security project, one of the best ways to start is by establishing reasonable Key Performance Indicators (KPIs) to guide the security team and create realistic goals. Tenable recommends these five KPIs to get you started:

  1. Scan frequency: How often does your enterprise conduct assessments?
  2. Scan intensity: How many different scans are launched on a given scan day?
  3. Asset authentication: How does your enterprise measure assessment depth? 
  4. Asset coverage: What proportion of the licensed assets are scanned in a 90-day period?
  5. Vulnerability coverage: What proportion of total vulnerability plugins are used in a 90-day period?

Once these KPIs are established, here are three ways security teams can start applying Predictive Prioritization and VPR to their vulnerability management process.

  1. In the discovery phase, VPR can assist in classifying assets within the network by improving accuracy and helping to discover new IP addresses that have been added.
  2. When scanning, VPR can be automatically applied. As the security team scans the network more frequently, the threat intelligence improves because there’s more data to analyze in real-time. 
  3. During the patching process, VPR helps security teams provide much-needed context to the IT professionals responsible for patching, improving their ability to prioritize and allocate resources based on real-world risk.

Frequent scanning is crucial. “The more you scan frequently, the more you are going to know of the current potential,” Vasquez said. For example, Vasquez said, when the WannaCry ransomware attacks started in 2017, the malware was released several months before the incidents began in earnest. Better scanning might have helped security professionals identify the potential to do harm and could have prompted more urgent patching.   

Additionally, VPR scores can also be used to help structure service-level agreements (SLAs) with third-party service providers. For firms that outsource patching and remediation, VPR gives the service provider and client a way to prioritize and evaluate remediation efforts, improving outcomes and overall security posture. 

Vulnerability Priority Rating: Practical Results 

Flynn, Baumgarten and Vasquez shared two examples of how organizations can put VPR to use. 

First, VPR can assist in prioritizing fixes and patches to systems that are internet-facing, where unpatched applications can be exploited using common rootkits. Using VPR in combination with Tenable’s Nessus Network Monitor, security teams can create a dynamic asset list using filters as well as certain key terms, such as “Adobe” or other software frequently targeted in attacks. 

Second, if an attacker is able to penetrate the network through an internet-facing system in an attempt to escalate privileges and move laterally through the network, the VPR score can be used to identify which vulnerabilities might be exploited first. This enables teams to be more strategic about deploying patches to stop the attack.

CVE-2019-2729: Oracle Releases Out-of-Band Patch for WebLogic Server Deserialization Vulnerability

Out-of-band security advisory addresses second Oracle WebLogic Server vulnerability in two months.

Background

On June 18, Oracle published an out-of-band security advisory to address a critical vulnerability in Oracle WebLogic Server.

Analysis

CVE-2019-2729 is a deserialization vulnerability in the XMLDecoder in Oracle WebLogic Server Web Services. An unauthenticated attacker could remotely exploit this vulnerability to gain remote code execution (RCE) on vulnerable systems. This vulnerability follows another deserialization vulnerability, CVE-2019-2725, that was reported as a zero-day on April 17, 2019 and patched on April 26, 2019.

On June 15, researchers from the KnownSec 404 Team published a blog stating they were able to bypass the patch that addressed CVE-2019-2725 in April. The researchers said they found “a new oracle webLogic[sic] deserialization RCE 0day vulnerability” that “is being actively used in the wild” and they had contacted Oracle to inform them of these new developments.

Oracle said in a blog post that, while both CVE-2019-2725 and CVE-2019-2729 are deserialization flaws, CVE-2019-2729 is “a distinct vulnerability.” Following the advisory from Oracle, KnownSec has since updated the June 15 blog to confirm that CVE-2019-2729 addresses the vulnerability they discovered in the wild.

Attackers moved quickly to incorporate CVE-2019-2725 into campaigns delivering Sodinokibi ransomware, GandCrab ransomware and the XMRig cryptocurrency miner. Nearly two months later, it continues to be utilized by attackers in another Monero cryptocurrency mining campaign and has been added to the exploit tool kit of a new variant of the Mirai internet-of-things (IoT) malware. We believe that once proofs-of-concept (PoCs) are available for CVE-2019-2729 it will become another favorite among attackers.

Proof of concept

At the time this blog was published, there was no known PoC code available for CVE-2019-2729. However, the KnownSec 404 Team reports seeing exploitation of this vulnerability in the wild. Tenable anticipates updated PoCs will become available soon.

Solution

Oracle has released fixes for Oracle WebLogic Server versions 10.3.6.0.0 and 12.1.3.0.0. At the time this blog was published, fixes for WebLogic Server 12.2.1.3.0 had not been released.

If patching is not currently feasible, previous mitigations for CVE-2019-2725 are applicable to CVE-2019-2729. These workarounds are:

  • Delete the wls9_async_response.war and wls-wsat.war packages from the WebLogic server, and restart the WebLogic service
  • Restrict access to, or disable, the “/_async/*” and “/wls-wsat/” URL paths on the WebLogic server

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.

Get more information 

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io.


Pride at Tenable


Hi, my name is Mark Lloyd and I run the University Recruiting Program here at Tenable. I’m also gay.

Being able to make this statement in a public forum, much less at my place of employment, is something that wouldn’t have been feasible for me 10 years ago. So, when people asked me what my experience working at Tenable is like being part of the LGBTQ+ community, it prompted me to take stock of where we are as a company and what Tenable is doing to support me and other members of my community.  

Before addressing this question, I think it’s important to set the stage, so to speak, with regard to what Pride is even about. Everyone sees the pictures of revelers at parades, companies throwing their support behind LGBTQ+ causes and organizations, and let’s not forget the MULTITUDE of rainbows on…well, just about everything. What not everyone knows is WHY we celebrate and what we’re commemorating. A brief select history:

  • 1924 – The Society of Human Rights is founded in Chicago, the first documented gay rights organization.
  • 1952 – The American Psychiatric Association’s diagnostic manual lists homosexuality as a “sociopathic personality disturbance.”
  • 1953 – President Eisenhower signs an executive order banning homosexuals from working for the federal government.
  • 1969 – Police raid the Stonewall Inn in New York City (a known underground gay bar), a violent encounter involving bar patrons, the police, and scores of area residents. This was the tipping point.
  • 1970 – Community members in New York City march through the local streets to recognize the one-year anniversary of the Stonewall riots, often considered the first gay pride parade.

What followed the events at the Stonewall Inn has been a slow march toward equality for members of the LGBTQ+ community, marked by victories along the way. Victories such as Harvey Milk being the first openly gay man elected to public office in San Francisco in 1978, and a litany of legal decisions supporting non-discrimination policies, all culminating in the national legalization of gay marriage some 45 years later in 2015. THIS is why we celebrate.

There is still work to be done, however, and that work continues to this day. For example, there are 17 states where a person can be fired simply for being part of the LGBTQ+ community. 

Now that I’ve set the stage … what does it mean to be a Tenable employee and part of this community? One of the most important things I look for in a company is the ability to bring my “whole self” to work every day. Feeling comfortable putting a picture of my partner and me on my desk, being authentic in my communications with co-workers, even communicating on Slack with Ru Paul’s Drag Race GIFs. It seems trite, but for this community of people…it is everything.

Tenable offers me this freedom and feeling of comfort. The month of June is traditionally regarded as Pride month across the nation, and appropriately, a group of LGBTQ+ employees and allies has formed an employee resource group, Pride at Tenable, to support community members and offer a sense of community and inclusion to those who identify with the community or support it. With the support of the company's Diversity & Inclusion Council, we have launched a Pride at Tenable Slack channel, built a Pride at Tenable employee resource page (stocked with resources for the community as well as ways to get involved/volunteer) and Tenable is sponsoring the inaugural Howard County Pride Festival on June 29 at Centennial Park here in our home base of Columbia, MD.  

This is what it’s like for me to be gay and work for Tenable. It’s empowering, it’s feeling supported, it’s knowing that WHOEVER I am, I am accepted and valued for my diverse thoughts and opinions. Not only do I have Pride at Tenable, I have pride IN Tenable.  

Learn more:

Sudan Meal Project: Social Media Activism is Used to Amass Nearly 900,000 Followers on Instagram


Instagram accounts claiming to donate meals to Sudanese civilians are a ruse to gain followers in order to pivot to personal accounts or sell them for a profit.

In the wake of the Sudan crisis that has been in national headlines over the last several weeks, and as social media users go #BlueForSudan by changing their profile pictures to honor the death of a prominent protester, scammers have unsurprisingly seized the opportunity to gain followers by capitalizing on the movement’s growing interest on social media, specifically on Instagram.

Emergence of Sudan Meal Project

The Sudan Meal Project Instagram account appears to have emerged during the week of June 10, boldly claiming to donate “100,000 meals to Sudanese civilians.” 


The account contained a single post that promoted the message, “For every person who follows and shares this on their story, we will provide one meal to starving Sudanese children.”


The post was accompanied by a message claiming that for “every STORY REPOST this post gets, we will provide one meal to Sudanese children, and you will help spread awareness on what’s happening in Sudan.” The post also provided instructions on how to repost the message as an Instagram story.


Over the course of several days, Sudan Meal Project’s account would continue to grow. When I first observed the account, it had just over 150,000 followers. 


At the time this blog was written, the account had over 370,000 followers and the sole post was liked over 1.6 million times.


All other red flags aside, unlike likes, comments and followers, there is no way to identify when a post is reposted to an Instagram story, which makes this premise implausible. This is based on individual experience using Instagram. It is possible that some celebrity/influencer accounts on Instagram may have such information provided to them, but for the average user, this doesn’t appear to be the case.

Copycat Sudan Meal Project accounts

Observing the rapid success of the original Sudan Meal Project account, other scammers quickly began to follow the same blueprint by creating similarly named accounts, using the same images and post text with the same goal in mind: capitalize on the crisis to gain more followers.


Not every copycat account followed the blueprint completely. For instance, a viral Indian meme account renamed itself, and changed its bio and profile image hoping nobody would notice.


Another account said all other accounts are fake and inadvertently spilled the tea by saying “Every one [sic] is making these account [sic] for followers.” 


Another account used the same blueprint of offering donations, but used the flag of Sudan as its profile image and included a link to the Sudan Knowledge website.


Another account calling itself Sudan Meal Foundation followed the same blueprint but used a different color scheme and a different image.


I also found a “care_for_sudan” account promoting itself on one of the copycat Sudan Meal Project accounts.


Unlike the Sudan Meal Project accounts, the “care_for_sudan” account linked to a GoFundMe page that claimed funds are needed to help send missionaries to Sudan. This fundraiser has not been verified and I do not know if the fundraiser itself was put together by the Instagram account owner, or was just merely an effort to seem legitimate. The account still promoted the Sudan Meal Project message along with a “1 Share = 1 Meal” message.


I found another Instagram account that followed the Sudan Meal Project blueprint, but took it a step further by adding a PayPal link on its profile, in an effort to scam users out of money, not just a follow.


Another account offering to “Help Sudan” said it would donate $10 for every repost received to charities helping in Sudan. 


Sudan Awareness Accounts

While investigating the Sudan Meal Project copycats, I discovered another account called “sudanawarenesshelp” that appeared to have run its course, as it had no posts, but managed to amass 245,000 followers over an unknown period of time. It is possible this account preceded or was operating at the same time as the Sudan Meal Project account.


There are other Sudan Awareness accounts, some that follow a similar approach to the Sudan Meal Project’s message. It’s possible that the negative association with Sudan Meal Project may have prompted some of the scammers to change their messaging.


The Sudan Awareness Project claimed that for every story repost it would donate $1 USD to the Sudanese Relief Fund, a name that references the Sudan Relief Fund, a 501(c)(3) nonprofit organization that has been around for over two decades.


Another account called “blue.sudan.official,” which has over 1,000 followers, itself claimed to be a 501(c)(3) and is associated with the website sudanawareness.org. I can confirm this website does not exist.

Pivoting Away From Sudan Meal Project and Awareness Accounts

The end goal behind these Sudan Meal Project and Sudan Awareness accounts is simple: amass enough followers to ultimately perform an account pivot. This means the account owners change the username, full name, profile image and posts. This can be done either from scratch with no followers, or by taking an existing account and trying to increase its existing follower counts by trying to masquerade as a Sudan Meal Project type of account before pivoting back to the original account. A pivoted account is valuable because it has amassed more followers, and while not every account gains thousands of followers, to some, even a modest increase of hundreds of followers helps them increase their audience. Operators of an account that is able to gain thousands of followers can pivot the account for themselves or put it up for sale on an underground forum, where it can be sold to someone who needs an Instagram account with a built-in following. 

Not all accounts get fully pivoted. For instance, I observed one account called “sudansafteyproject” pivot to an account called “iggaazaleaa,” but it didn’t remove the Sudan Meal Project image or text.


I’ve primarily seen accounts pivoted to meme-based accounts as well as some personal accounts. For instance, one of the accounts tagged in a Sudan Meal Project copycat account included an account named “rawann[redacted].”


The account had nearly 5,000 followers and just one photograph. It has since been removed.


Another account that pivoted from a Sudan Meal Project copycat back to a meme account was called out by a commentator. The account owner responded to the commenter saying “report me then.”


Sudan Meal Project’s Pivot

This activity culminated in the eventual pivot by the original Sudan Meal Project account from the Sudan Meal Project to the Sudan Plan.


The previous post, with nearly 2 million likes, was removed and replaced with a post claiming the account owner was “working with multiple organizations and donors to help Sudan privately.” The account owner added “We realized it was not a good idea to relate this issue with shares and followers.” The new goal? To “raise awareness.”


Opportunistic Scammers on Social Media

Based on the data that I collected on just over 100 Sudan Meal Project and Awareness scam accounts, the accounts had nearly 900,000 followers with 1.7 million likes on photos, the majority of which came from the Sudan Meal Project’s original photo.

During the course of my research for this blog post, the Sudan Plan account was removed by Instagram. Despite its removal, many of the copycat accounts remain active. While this trend is by no means a new one, it serves as a reminder of the opportunistic nature of scammers on social media services like Instagram. Despite many users questioning the accounts or reporting them to Instagram, the accounts still managed to amass followers.

Be skeptical of accounts claiming to donate food or supplies or fundraising for the crisis in Sudan. If you’re looking to donate, seek out charitable organizations with a verifiable history.

Learn More:

What is Critical Infrastructure and How Should We Protect It?


We hear a lot these days about critical infrastructure, and the importance of protecting it. But what exactly is “critical infrastructure,” what are the greatest threats to it, and what are the best ways to protect it from those threats? 

What is Critical Infrastructure? 

According to the U.S. Department of Homeland Security (DHS), which is the federal agency charged with oversight of its protection, critical infrastructure consists of “the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” 

Substitute any other nation for “United States” and the definition remains equally applicable — for any nation to assure the safety, health and welfare of its citizens, that nation must make critical infrastructure protection a top priority. DHS lists 16 critical infrastructure sectors and assigns primary sector-specific responsibility to each sector. For a complete list of the sectors, and the agencies assigned to each, visit the DHS website.

What are the primary threats facing critical infrastructure?

Now that we have our working definition of critical infrastructure, let’s look at the primary threats to it. 

A generation or two ago, those threats were pretty much all tangible, physical threats that could be countered with tangible, physical defenses. Think old war movies — blowing up or defending bridges and railroad tracks, etc. Those kinds of tangible, physical threats continue today, as do natural disasters, such as hurricanes, floods and wildfires, and they can cause serious harm to people and nations.

The inclusion of “virtual” infrastructure in the DHS definition is a relatively new phenomenon, and the primary threats to that infrastructure are even more difficult to counter. Sometimes the virtual infrastructure combines with the physical — attackers may attempt to use virtual control systems to deliver physical threats or make virtual threats to physical infrastructure — creating the need for a multi-faceted response. This combination of virtual and physical is growing exponentially today, as virtual connections to physical infrastructure, aka the internet of things (IoT), become increasingly mainstream.

How do we protect critical infrastructure?

With that definition and understanding of what critical infrastructure is, and what types of threats endanger it, let’s examine how we should protect it. 

The Cybersecurity and Infrastructure Security Agency (CISA), created by Congress in November 2018, is the DHS agency charged with primary critical infrastructure protection responsibility. 

CISA, according to its website, “leads the coordinated national effort to manage risks to the nation's critical infrastructure and enhance the security and resilience of America's physical and cyber infrastructure.” Breaking down this summary statement, CISA identifies three key elements of critical infrastructure protection: 

  • managing risk to that infrastructure; 
  • enhancing security of that infrastructure; and 
  • enhancing resilience of that infrastructure. 

Let’s look at these three elements in the context of the growing virtual threats to physical and virtual infrastructure.

Managing risk to critical infrastructure

The National Risk Management Center (NRMC), an entity within CISA that also came into existence in 2018, leads the charge when it comes to the agency’s risk management guidance. NRMC identifies itself as “a planning, analysis, and collaboration center working to identify and address the most significant risks to our nation’s critical infrastructure.” 

We point to the words “most significant” as the central theme of risk management. No defense plan will provide absolute protection against all risks; the cornerstone of effective risk management is prioritization — identifying the most significant risks and taking actions to mitigate those risks. 

Risk-based prioritization is one of the primary components of effective cyber risk management. It is also a key component of the discipline of Cyber Exposure. Cyber Exposure recognizes that the modern attack surface reflects the increasing convergence of the virtual and the physical, and that as connectivity increases, so does the risk of cyber attack. Managing that risk is essential to the protection of critical infrastructure today, and will become even more essential in the future. 

Enhancing security for critical infrastructure

Enhancing security is, perhaps, the most fundamental component of critical infrastructure protection.

In the physical world, doing so involves basic actions such as locking doors, putting up fences and similar steps to address physical vulnerabilities. Similarly, in the cyber realm, security means identifying virtual vulnerabilities and addressing those vulnerabilities.

Practicing good cyber hygiene is Step 1 in enhancing cybersecurity. Lapses in basic cyber hygiene are the primary cause of security breaches. Bad actors are able to get through cyber “doors” when device owners do the following: use poor locks (think weak passwords); leave doors open (think unpatched vulnerabilities); or unwittingly give them the keys (think phishing scam). 

Protecting critical infrastructure presents some unique challenges. For instance, Industrial Control Systems (ICS), which govern the operation of large industrial plants, cannot be actively scanned for vulnerabilities the way a virtual-only Information Technology (IT) environment can be scanned because such scans can knock the industrial systems offline, grinding operation of a major plant to a halt. 

The overarching category for these types of systems is Operational Technology (OT). OT systems, many of which pre-date the internet, have historically been standalone, “air gapped” systems, which minimized their vulnerability to cyber threats. In today’s connected world, however, that is quickly becoming the exception rather than the rule. 

Adapting cyber defenses to protect these systems requires a different approach. Tenable is addressing these challenges by leveraging its passive monitoring capabilities to deliver a solution that enables safe monitoring of OT assets in a converged IT-OT environment.      

Enhancing resilience of critical infrastructure 

To be resilient, in the parlance of the iconic Timex watch ads, is “to take a licking and keep on ticking.” 

As more formally defined in Presidential Policy Directive 21, the governing federal critical infrastructure protection authority, resilience is “the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions.” In cyber-centric environments, resilience builds on security to round out a comprehensive cyber defense program that addresses all phases of preparation and implements steps to prepare for, and respond to, any cyber threats. 

To guide organizations in developing and implementing effective, comprehensive critical infrastructure protection programs, the National Institute of Standards and Technology (NIST) has published the Cybersecurity Framework. According to NIST, a “prioritized, flexible and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security.”

DHS offers an additional resilience-focused resource, the Cyber Resilience Review (CRR). This free resource can provide insight into an organization’s cyber resilience status and recommend areas for improvement. It includes a “NIST Framework crosswalk” feature to guide alignment and ensure comprehensive program implementation. A fact sheet is available with instructions for conducting a CRR and requesting DHS CRR support. 

Learn more:

Keeping Up With the Patches: A Tour Through Spring 2019 Threat Alerts


This spring brought a number of security updates from major tech players such as Oracle, Microsoft and Cisco. Which ones affect your enterprise? The Tenable Research team breaks it all down.

Spring 2019 brought with it a string of security updates plus a new directive from the U.S. Department of Homeland Security requiring federal agencies to speed up the time it takes to patch critical vulnerabilities from 30 days to 15 days.

As with all vulnerabilities, knowing which ones could actually affect your infrastructure can help save time and resources when it comes to patching. The question is: With all the vulnerabilities coming out each week, which ones are most likely to be exploited? 

These were among the topics discussed during a recent Tenable Research webinar hosted by Product Marketing Manager Claire Tills, and featuring Pablo Ramos, Research Engineering Manager, and Satnam Narang, Senior Security Response Manager.

Alerts, Alerts and More Alerts

Microsoft’s April Patch Tuesday alert addressed 74 vulnerabilities. The same month, Oracle’s quarterly Critical Patch Update contained nearly 300 different alerts and notifications affecting a wide range of the company’s products. And, for good measure, Cisco released a string of security alerts this spring as well.

With each alert and update, the Tenable Research team digs deep into the details to analyze how potential vulnerabilities might affect your business. For example, the team explored an Oracle update addressing a possible zero-day vulnerability, which could have affected unpatched versions of the company’s WebLogic servers — a type of middleware that sits between the front end and back end of large-scale web applications.

During the webinar, the team discussed the news of a zero-day vulnerability in Oracle WebLogic that was first reported through China’s National Vulnerability Database (CNVD) on April 17. Shortly after it was reported, researchers began to experiment with developing proof-of-concept (PoC) code based on the information in the CNVD report, most of which were not fully functional. 

“It wasn’t until Oracle almost released the patch that we started to see actual functioning proof-of-concept code,” said Narang. “That’s when we started working with the [Tenable] Vulnerability Detection Team to make sure we had something in place, and we did our own tests and we actually even tweaked one of the proof-of-concepts that we had seen out there to make sure it worked.” Around this time, Tenable’s Security Response Team observed chatter that attackers were utilizing working PoC code in attacks in the wild.

Malicious Sea Turtle

Another issue capturing the team’s attention originated with a report from Cisco Talos. It’s a DNS hijacking attack targeting organizations in the Middle East and North Africa, which originated with a previously unknown advanced persistent threat (APT) group called Sea Turtle.

During the webinar, the research team discussed how these types of attacks are designed to spoof websites to steal credentials and passwords. The goal? According to the Cisco Talos analysis, it’s about gaining access to the networks of organizations targeted by Sea Turtle as part of a fairly widespread espionage campaign.

In these types of DNS attacks, threat actors — especially those with connections to nation-states — take advantage of one of the older internet protocols. Many of these protocols were designed and built before modern cybersecurity concerns were a factor. 

The Tenable Research team discussed their interest in the background of this attack. Sea Turtle took advantage of a series of older vulnerabilities — some dating back to 2009 — including the Shellshock vulnerabilities found in the Unix Bash shell and bugs still found in Apache Tomcat.

The lesson here is obvious but worth repeating: patching, especially older flaws and bugs that linger, still matters.

DHS Directive: “Patch Faster”

Finally, the Research Team took note of a new directive issued from the U.S. Department of Homeland Security requiring federal agencies to speed up the time it takes to patch vulnerabilities in the software they use.

Under the new rules, security teams must patch software vulnerabilities deemed critical within 15 calendar days and fix high severity vulnerabilities within 30 days. Under previous rules, established in 2015, critical vulnerabilities needed remediation within 30 days and there were no specific guidelines for vulnerabilities deemed high.

Knowing which vulnerabilities are the most critical to patch is an ongoing challenge for cybersecurity professionals everywhere. Earlier this year, Tenable unveiled Predictive Prioritization to help teams improve their ability to prioritize vulnerabilities based on risk to the business. Predictive Prioritization combines Tenable-collected vulnerability data with third-party vulnerability and threat data and analyzes them together using an advanced data science algorithm developed by Tenable Research. The data analysis is used to develop a Vulnerability Priority Rating (VPR) for each vulnerability. VPR scores are now available in Tenable.sc and Tenable.io to help security teams improve their vulnerability management process.

The ability to zero in on those vulnerabilities that are actually being exploited enables security teams to focus their resources on patching the vulnerabilities posing the greatest threat to the network.

Learn more:

How to Audit Microsoft Exchange 2013 and 2016 with CIS and DISA Guidance


Tenable Research Release Highlights are posted for significant new releases or updates to existing plugins or audit files that are important for early customer notification. Here, we discuss new audit guidance for Microsoft Exchange.

Tenable Research Release Highlights

Microsoft Exchange remains one of the most widely adopted email and calendar solutions. Establishing a secure baseline configuration for Exchange, based on industry-leading guidance, is essential, but the complexity of deployments can present a challenge. The Center for Internet Security (CIS) and Defense Information Systems Agency (DISA) have issued guidance on hardening and auditing these deployments. On July 1, Tenable released plugin enhancements and audits to help customers implement this guidance.

CIS Benchmarks for Microsoft Exchange

DISA STIGs for Microsoft Exchange

Usage Overview

Tenable customers can audit an MS Exchange server with all of the same check types as in our Windows Compliance Plugin, as well as with a new check type, AUDIT_EXCHANGE. This new check type leverages the Exchange-specific cmdlets suggested for use in the audit steps of DISA and CIS recommendations.

The following is an example check using AUDIT_EXCHANGE:

Adding CIS Benchmark and DISA STIG - Audits for MS Exchange 2013 and 2016

The powershell_args tag contains the core of the audit functionality, with the plugin itself connecting to the target and exposing the Exchange-specific cmdlets. As a result, the EMS/Exchange cmdlet import is seamless to the user, who can instead focus on writing good PowerShell.

How to get started

A byproduct of the session setup and cmdlet import is that the plugin has to work with PowerShell credential objects. To avoid unintended disclosure of credential information via PowerShell logs, users must supply a pregenerated encrypted password string for each target of the audit as part of the Exchange auditing scan setup.

Password/Secure String Generation

To generate an encrypted password for use with our Exchange audits, run the following PowerShell while logged in on the target with the account that will be used for scanning:

Read-Host -AsSecureString | ConvertFrom-SecureString

While logged into the account you’ll be using to scan, type in the password for the account. The output will look like this:

01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ad58de852cc4646b0d9dfa96c67f2100000000002000000000003660000c000000010000000d8b09ba7e13918c19d776cc7dfcac82a0000000004800000a0000000100000003654a47ae8a4da017657d57f0706989e180000004acd2fe7990e1243ed84c380e5d0e8a95a01f12f5662574714000000e5b4783976f1ad76065cf6f91a3b1bebbcf4b169


Reminder: An encrypted password is required for each target being scanned. 

After creating the string as described, select the audit under the Windows category and populate the secure string variable (separating the strings for multiple targets with commas). The plugin will determine which string to use on which target. Add your usual credential information on the Credentials tab and save the policy.
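The secure-string procedure above, as an added PowerShell example that is not Tenable's code: it wraps the page's Read-Host | ConvertFrom-SecureString one-liner in a function and adds a check that the stored string decrypts back under the current account, which is what the one-string-per-target rule rests on. The function names, parameters and output fields are my own; only the two cmdlets come from the page.

```powershell
# Added example, not Tenable's code. ConvertFrom-SecureString without -Key
# protects the string with Windows DPAPI, which ties it to the current user
# profile on this machine. A string generated by another account, or on
# another host, cannot be decrypted on the target, and the audit would fail
# there. That is why the page asks for one string per target, generated
# while logged in as the scanning account.

function New-ExchangeAuditSecureString {
    # Prompt for the scanning account's password (masked) and return the
    # DPAPI-protected string that goes into the scan policy's secure string field.
    [CmdletBinding()]
    param(
        [string]$Prompt = "Password for $env:USERDOMAIN\$env:USERNAME on $env:COMPUTERNAME"
    )
    $secure = Read-Host -Prompt $Prompt -AsSecureString
    # Same pipeline as the page's one-liner, captured as a string.
    return ($secure | ConvertFrom-SecureString)
}

function Test-ExchangeAuditSecureString {
    # Confirm that a stored string can be turned back into a credential by the
    # account running this check. Run it as the scanning account on the target;
    # a failure means the string was made by another user or on another host.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$EncryptedString,
        [Parameter(Mandatory)][string]$UserName
    )
    try {
        # No -Key: decrypt with the current user's DPAPI key, as the plugin would.
        $secure = ConvertTo-SecureString -String $EncryptedString -ErrorAction Stop
    } catch {
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            User     = $UserName
            Usable   = $false
            Reason   = "DPAPI decryption failed: $($_.Exception.Message)"
        }
    }
    # Build the credential object without ever exposing the plaintext; only
    # the SecureString length is inspected, so nothing sensitive reaches
    # transcripts or script-block logs.
    $cred = New-Object System.Management.Automation.PSCredential($UserName, $secure)
    return [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        User     = $cred.UserName
        Usable   = ($cred.Password.Length -gt 0)
        Reason   = 'decrypts under the current account on this host'
    }
}

# Typical use on each Exchange target, logged in as the scanning account:
#   $enc = New-ExchangeAuditSecureString
#   Test-ExchangeAuditSecureString -EncryptedString $enc -UserName "$env:USERDOMAIN\$env:USERNAME"
# Collect $enc from every target and join them with commas for the policy field.
```

Running the test function under a different account, or pasting a string generated on another server, returns Usable = $false; that is the mismatch to look for before a scan reports credential failures on an Exchange target.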


Once the configuration is saved, run the scan and review the results. 

Example Scan output


Below is a closer view of one of the results. This page shows:

  • Pass/fail status
  • Remediation steps, if necessary
  • Individual results from the systems scanned


Summary

Auditing an Exchange environment with Tenable.io and Nessus requires a little bit of extra setup but allows for a secure and automated method of evaluating your organization’s compliance. Exposing Exchange-specific cmdlets allows for much more accurate auditing of the environment, with a direct correlation to industry guidance. At Tenable, we regularly update our policy compliance audits to match the newest versions published by CIS and DISA, to ensure our customers are able to keep pace with the latest best practices.

Follow Tenable Research Release Highlights on the Tenable Community.
