Channel: Tenable Blog

CVE-2019-12643: Critical Authentication Bypass Vulnerability in REST API Container for Cisco IOS XE


Cisco releases ten advisories, including one critical advisory impacting Cisco IOS XE devices with the REST API Container enabled.

Background

On August 28, Cisco released 10 advisories to address vulnerabilities across multiple products, including Cisco NX-OS and FXOS, Nexus 9000 Series Fabric Switches and Unified Computing System (UCS) Fabric. The most severe vulnerability, which Cisco rates as critical, exists in the REST API Container for Cisco IOS XE.

Analysis

CVE-2019-12643 is an authentication bypass vulnerability in the REST API virtual service container for Cisco IOS XE software that received a CVSSv3 score of 10.0 from Cisco. The vulnerability could be exploited by an unauthenticated, remote attacker sending specially crafted web requests to a vulnerable device, resulting in the exposure of an authenticated user’s token-id. Obtaining a token-id for an authenticated user would enable an attacker to bypass authentication via the REST API, allowing them to “execute privileged actions” on the vulnerable device.

Despite the severity of this issue, Cisco notes that the following specific requirements need to be met for an attacker to be able to exploit this vulnerability:

  • The device is running an affected Cisco IOS XE Software release
  • The device has both installed and enabled an affected version of the Cisco REST API virtual service container.
  • An authorized user with administrator credentials (level 15) is authenticated to the REST API interface.

The second point above is very important, as the REST API container is not available by default, and requires installation and activation.

Cisco’s advisory notes they’ve identified a number of devices potentially affected by this vulnerability.

Affected Devices

  • Cisco 4000 Series Integrated Services Routers
  • Cisco ASR 1000 Series Aggregation Services Routers
  • Cisco Cloud Services Router 1000V Series
  • Cisco Integrated Services Virtual Router

If the REST API virtual service container is installed and enabled on a device, administrators can identify the virtual service container name and version with the following command:

show virtual-service version installed

The following is a list of affected virtual service containers for the Cisco REST API:

Virtual Service Container Name       Version
mgmt                                 1.5.1, 1.6.1, 1.7.1, 1.7.2, 1.8.1, 162.1, 99.99.99
csr_mgmt (Cloud Services Router)     03.16.03, 03.16.04, 1.0.0, 1.2.1, 1.3.1, 1.4.1, 1.5.1, 1.6.1, 1.7.1, 1.8.1, 162.1, 163.1, 2017.6, 2017.10, 99.99.99
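The affected-container table above is easy to cross-check by script once the output of show virtual-service version installed has been captured from each device. The following is an added example, not code from Cisco or from the original post: it parses a constructed sample of that output and reports any container whose name and version appear in the advisory's list. The "Name :" / "Version :" line layout of the sample is an assumption about the command's output format; adjust the two regular expressions if your devices print it differently.

```python
import re

# Affected container name -> affected versions, transcribed from the advisory table above.
AFFECTED_CONTAINERS = {
    "mgmt": {"1.5.1", "1.6.1", "1.7.1", "1.7.2", "1.8.1", "162.1", "99.99.99"},
    "csr_mgmt": {"03.16.03", "03.16.04", "1.0.0", "1.2.1", "1.3.1", "1.4.1", "1.5.1",
                 "1.6.1", "1.7.1", "1.8.1", "162.1", "163.1", "2017.6", "2017.10",
                 "99.99.99"},
}

# Constructed sample output. The "Name :" / "Version :" layout is an ASSUMPTION about
# how 'show virtual-service version installed' prints; it is not captured device output.
SAMPLE_OUTPUT = """\
Virtual service csr_mgmt installed:
  Name       : csr_mgmt
  Version    : 1.7.1

Virtual service guestshell installed:
  Name       : guestshell
  Version    : 2.6.1
"""


def parse_installed(output):
    """Return (name, version) pairs for every container block in the command output."""
    containers = []
    name = None
    for line in output.splitlines():
        m = re.match(r"\s*Name\s*:\s*(\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"\s*Version\s*:\s*(\S+)", line)
        if m and name is not None:
            containers.append((name, m.group(1)))
            name = None  # a Version line closes the current container block
    return containers


def check_cve_2019_12643(output):
    """Return the installed containers whose name/version pair is in the affected table.

    A hit means the vulnerable container is installed; the advisory's second
    requirement (the container must also be enabled) still has to be confirmed.
    """
    return [(n, v) for n, v in parse_installed(output)
            if v in AFFECTED_CONTAINERS.get(n, set())]


if __name__ == "__main__":
    for name, version in check_cve_2019_12643(SAMPLE_OUTPUT):
        print(f"affected container installed: {name} {version}")
```

Because the advisory ties exploitability to the container being both installed and enabled, a hit from this check is a prompt to confirm activation state and to plan the upgrade to the fixed container, not a confirmation of exposure on its own.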

Proof of concept

CVE-2019-12643 was discovered by Cisco during internal testing, so no proofs-of-concept (PoCs) exist for it at this time. There was also no PoC code available for any of the remaining advisories released by Cisco on August 28.

Vendor response

Cisco published a blog on CVE-2019-12643, entitled Insights Regarding the Cisco REST API Container for IOS XE Software Authentication Bypass Vulnerability.

Solution

For the vulnerability in the REST API Container for Cisco IOS XE, Cisco released iosxe-remote-mgmt.16.03.03.ova, a fixed version of the virtual service container. They also released updates to IOS XE with additional safeguards to prevent a vulnerable open virtual format (OVA) package from being installed.

To determine if your version of Cisco IOS XE is affected, please use Cisco’s IOS Software checker tool.

Cisco also released software updates to address the other vulnerabilities reported in their advisories. Please refer to those individual advisories for specific details regarding affected and fixed versions as well as workarounds.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io Vulnerability Management.


CVE-2017-9841: Drupal Sites Exploited Using PHPUnit Vulnerability in Mailchimp Modules (PSA-2019-0904)


Attackers are leveraging a vulnerability patched nearly three years ago to target Drupal sites.

Background

On September 4, Drupal published PSA-2019-09-04, a public service announcement (PSA) for a vulnerability in a third-party library in a Drupal module that’s being actively exploited in the wild.

Analysis

CVE-2017-9841 is a code injection vulnerability in PHPUnit, a PHP unit testing framework. The PHPUnit library is part of the Mailchimp and Mailchimp E-Commerce modules in Drupal which, according to their modules pages, are currently used by over 25,000 sites combined.

In June 2017, a Twitter account called “vulnbusters” was created and published an advisory for the vulnerability on their now-defunct website, which is available through the Internet Archive’s Wayback Machine here.

The advisory identifies the vulnerability within the /phpunit/src/Util/PHP/eval-stdin.php file through its use of the php://input wrapper. Patched versions of PHPUnit use the php://stdin wrapper instead. An unauthenticated attacker could exploit this vulnerability by sending an HTTP POST request to a web server containing the vulnerable eval-stdin.php file, leading to arbitrary code execution.

Previous versions of PHPUnit contained the code injection vulnerability which, according to the Vulnbusters advisory page, was unknowingly patched in November 2016 in PHPUnit version 4.8.28 and version 5.6.3 to address issues with insulated tests using phpdbg.

In February 2018, an issue was filed on the Mailchimp project on Drupal from a user who was contacted by their hosting provider, indicating that the eval-stdin.php on their web server was malicious. A different user, who commented on the same issue in May 2018, also received the same feedback from their hosting provider. Separately, in February 2018, Kevin Beaumont (@GossiTheDog) found attackers were targeting a Drupal honeypot attempting to exploit CVE-2017-9841.

Outside of Drupal, CVE-2017-9841 has also been found in WordPress plugins, such as the Jekyll Exporter plugin, as well as MediaWiki and open source learning platform Moodle.

Proof of concept

A proof-of-concept (PoC) was originally published in the Vulnbusters advisory from June 2017.

Solution

As previously mentioned, CVE-2017-9841 was patched in PHPUnit back in November 2016. The vulnerability affected specific versions of PHPUnit, which are referenced in the table below.

Vulnerable PHPUnit Versions    Fixed PHPUnit Versions
4.8.19 - 4.8.27                4.8.28 or later
5.0.10 - 5.6.2                 5.6.3 or later

For the Mailchimp and Mailchimp E-Commerce modules, version 1.0.7 or below for the Mailchimp API for PHP is considered vulnerable. The Drupal Security team notes even if Drupal customers had previously installed these modules, there may still be artifacts left over from the installation on the web server. Vulnerable servers may have the eval-stdin.php. If the file exists and it references the php://input wrapper instead of the php://stdin wrapper, then the server is vulnerable to CVE-2017-9841.
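The leftover-artifact check described above (does an eval-stdin.php exist, and does it reference php://input rather than php://stdin) is the kind of thing worth automating across a web root. The following is an added example, not code from the Drupal Security Team or the PHPUnit project: it walks a directory tree, classifies every eval-stdin.php it finds, and builds a small constructed sample tree to run against. The sample file bodies are simplified stand-ins that only carry the wrapper string, not PHPUnit's real source, and the Mailchimp library path is a constructed example path.

```python
import os
import tempfile

VULN_MARKER = "php://input"   # wrapper used by the vulnerable eval-stdin.php
FIXED_MARKER = "php://stdin"  # wrapper used by patched PHPUnit releases


def classify_eval_stdin(path):
    """Classify one eval-stdin.php: 'vulnerable', 'patched', or 'unknown'.

    A file mentioning both wrappers is reported as vulnerable (conservative).
    """
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    if VULN_MARKER in src:
        return "vulnerable"
    if FIXED_MARKER in src:
        return "patched"
    return "unknown"


def find_eval_stdin(webroot):
    """Walk webroot and return {path: classification} for every eval-stdin.php found."""
    findings = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for fname in files:
            if fname == "eval-stdin.php":
                full = os.path.join(dirpath, fname)
                findings[full] = classify_eval_stdin(full)
    return findings


def vulnerable_paths(webroot):
    """Sorted list of eval-stdin.php files still using the php://input wrapper."""
    return sorted(p for p, c in find_eval_stdin(webroot).items() if c == "vulnerable")


def build_sample_webroot():
    """Create a CONSTRUCTED sample tree: one leftover vulnerable copy, one patched copy.

    The paths and file bodies are stand-ins for illustration, not real module layout
    or PHPUnit source.
    """
    root = tempfile.mkdtemp(prefix="drupal-sample-")
    samples = {
        # constructed path for a library bundled with the Mailchimp module
        "sites/all/libraries/mailchimp/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php":
            "<?php\n// stand-in body: reads the request body via php://input\n",
        # constructed path for an up-to-date copy
        "vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php":
            "<?php\n// stand-in body: reads from php://stdin\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for path, status in sorted(find_eval_stdin(root).items()):
        print(f"{status:10s} {path}")
```

Run find_eval_stdin against the real document root of each Drupal site; any path reported as vulnerable should be removed (or the library updated to a fixed PHPUnit release) even if the Mailchimp module itself is no longer installed, since the PSA's point is that the file can survive as an artifact.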


Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.


CVE-2019-15846: Unauthenticated Remote Command Execution Flaw Disclosed for Exim


CVE-2019-15846, a new unauthenticated remote code execution vulnerability in the Exim message transfer agent, has been patched in version 4.92.2. Users are encouraged to upgrade immediately.

Background

Exim Internet Mailer is a message transfer agent (MTA) for Unix hosts used to manage mail routing services for an organization. Exim is reportedly the most used MTA in the world, and has over 5 million internet-facing hosts, according to Shodan. Exploiting CVE-2019-15846 would allow a remote unauthenticated attacker to fully take control of a vulnerable Exim server.


Analysis

This vulnerability follows on the heels of CVE-2019-10149, another remote command execution (RCE) flaw which we blogged about in June. Exploitation attempts were seen one week later.

The Exim advisory describes CVE-2019-15846 as: 

"The SMTP Delivery process in all versions up to and including Exim 4.92.1 has a Buffer Overflow. In the default runtime configuration, this is exploitable with crafted Server Name Indication (SNI) data during a TLS negotiation. In other configurations, it is exploitable with a crafted client TLS certificate."

As stated in the initial bug report by Zerons, an unauthenticated remote attacker could send a malicious SNI ending in a backslash-null sequence during the initial TLS handshake, which causes a buffer overflow in the SMTP delivery process. This would allow an attacker to inject malicious code that Exim then arbitrarily executes as root. This vulnerability does not depend on the TLS library in use, so both GnuTLS and OpenSSL are affected.

The default Exim configuration file does not have TLS enabled, but most organizations are required to enable it for standard internet traffic handling purposes. Some versions of Exim bundled with operating systems may have TLS enabled by default.

Proof of concept

A rudimentary proof-of-concept (PoC) exists, according to the Exim team, but has not been made public.

Solution

The Exim team has released version 4.92.2 to fix this vulnerability, and administrators are encouraged to upgrade as soon as possible. While the official security advisory notes that disabling TLS does mitigate the vulnerability, it is strongly recommended not to do so.

Identifying affected systems

As noted in Exim’s notification email: “We've indication that only versions starting with 4.80 up to and including 4.92.1 are affected.” It is also important to note that users running versions older than 4.80, while not vulnerable to CVE-2019-15846, are vulnerable to CVE-2018-6789, another critical RCE flaw. Additionally, the Exim project officially does not support versions prior to the current stable version, but does note in their advisory they will support package maintainers in backporting the fix where resources permit.
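Both the Exim range just quoted (4.80 up to and including 4.92.1, with anything older exposed to CVE-2018-6789 instead) and the PHPUnit table in the Drupal article above are inclusive dotted-version ranges, and the off-by-one cases (4.92.1 vs 4.92.2, 4.8.27 vs 4.8.28) are exactly where hand comparison goes wrong. The following is an added example, not code from the Exim project, PHPUnit or the original posts: a small version comparator plus classifiers for the two advisories. The version strings in the tests are constructed inputs.

```python
import re


def parse_version(v):
    """Turn '4.92.1' into (4, 92, 1) for tuple comparison.

    Each dot-separated piece contributes its leading digits only, so a
    distribution suffix such as '4.92.1-1ubuntu' still parses as (4, 92, 1).
    """
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group(0)))
    return tuple(parts)


def in_range(v, low, high):
    """Inclusive range check on dotted versions; '4.92' sorts before '4.92.1'."""
    return parse_version(low) <= parse_version(v) <= parse_version(high)


def exim_status(version):
    """Classify an Exim version per the ranges quoted in the advisory notification."""
    if parse_version(version) < parse_version("4.80"):
        return "unsupported: not CVE-2019-15846, but vulnerable to CVE-2018-6789"
    if in_range(version, "4.80", "4.92.1"):
        return "vulnerable to CVE-2019-15846: upgrade to 4.92.2"
    return "fixed"


# Vulnerable PHPUnit ranges, transcribed from the table in the Drupal article.
PHPUNIT_VULNERABLE = [("4.8.19", "4.8.27"), ("5.0.10", "5.6.2")]


def phpunit_status(version):
    """Classify a PHPUnit version against the CVE-2017-9841 ranges."""
    for low, high in PHPUNIT_VULNERABLE:
        if in_range(version, low, high):
            return "vulnerable to CVE-2017-9841"
    return "not in a vulnerable range"


if __name__ == "__main__":
    for v in ("4.79", "4.80", "4.92.1", "4.92.2"):
        print(f"exim {v}: {exim_status(v)}")
    for v in ("4.8.27", "4.8.28", "5.0.9", "5.6.3"):
        print(f"phpunit {v}: {phpunit_status(v)}")
```

One caveat that follows from the advisory itself: because Exim says it will support package maintainers in backporting the fix, a distribution package can carry the fix without a version bump, so a version-string check like this one is a triage aid and the authoritative answer comes from the package's changelog or from a scan plugin that understands the distribution's patched builds.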

A list of Tenable plugins to identify this vulnerability can be found here.


Microsoft's September 2019 Patch Tuesday: Tenable Roundup


Microsoft’s September 2019 Security Updates address 79 vulnerabilities, 17 of which are rated critical.

Microsoft’s September 2019 Patch Tuesday release contains updates for 79 CVEs, 17 of which are rated critical. In the wake of BlueKeep in May, and the four additional CVEs for Remote Desktop Services in August (DejaBlue), Microsoft has addressed four new CVEs for Remote Desktop Client. Additionally, Microsoft patched two elevation of privilege bugs which have been exploited in the wild this month. The following is a breakdown of the most important CVEs from this month’s release.

CVE-2019-0787, CVE-2019-0788, CVE-2019-1290 and CVE-2019-1291

Remote Desktop Client Remote Code Execution Vulnerability

This month, Microsoft appears to be proactively addressing flaws in Remote Desktop yet again. With four new critical remote code execution (RCE) flaws all attributed to Microsoft, it’s clear they are committed to closing holes in the popular service. In the case of each of these CVEs, an attacker who is able to convince a user to connect to an attacker-controlled server can exploit the vulnerability to execute arbitrary code on the machine of the connecting client. While the attacker would have no way to force a user to connect to their malicious server, common techniques such as social engineering, DNS poisoning, or Man in the Middle (MITM) attacks could be used. Currently, Microsoft does not acknowledge any workarounds and notes that the update corrects how the Windows Remote Desktop Client handles connection requests.

CVE-2019-1214

Windows Common Log File System Driver Elevation of Privilege Vulnerability

CVE-2019-1214 is an elevation of privilege vulnerability in the Windows Common Log File System (CLFS) driver. The flaw is caused by an improper handling of objects in memory and, when exploited, could allow an attacker to run a process as a more privileged user. It is important to note that Microsoft cautions that an attacker would first have to log onto the system and execute a specially crafted application in order to take control of an affected system. This vulnerability has reportedly been exploited in the wild and exploitation is more likely with older software releases. Microsoft has released patches for Windows 7 / 2008 R2 including and up to Windows 10 and Server 2016 / 2019.

CVE-2019-1215

Windows Elevation of Privilege Vulnerability

Another elevation of privilege bug that has been exploited in the wild, CVE-2019-1215, is a flaw in how the Winsock IFS Driver (ws2ifsl.sys) handles objects in memory. While an attacker would have to be locally authenticated in order to exploit this, successful exploitation would allow the attacker to execute code with elevated privileges.

CVE-2019-1257, CVE-2019-1295 and CVE-2019-1296

Microsoft SharePoint Remote Code Execution Vulnerability

This month brings three RCE vulnerabilities in Microsoft SharePoint. CVE-2019-1257 is a flaw in how SharePoint checks the source markup of an application language. Exploiting this would require the attacker to upload a crafted SharePoint application package to a vulnerable version of SharePoint. Patches were released for SharePoint Foundation 2010 Service Pack 2, 2013 Service Pack 1, SharePoint Enterprise Server 2016 and SharePoint Server 2019.

CVE-2019-1295 and CVE-2019-1296 are both vulnerabilities in SharePoint application programming interfaces (APIs) not properly protected from unsafe user-supplied input. In order to exploit these vulnerabilities, an attacker would have to have access to a susceptible API on an affected version of SharePoint with specially formatted input. An attacker who successfully exploits one of these flaws would be able to execute arbitrary code. While Microsoft notes that exploitation is more likely, exploits for these flaws have not been publicly disclosed.

Microsoft also patched several other vulnerabilities in SharePoint:

CVE-2019-1235

Windows Text Service Framework Elevation of Privilege Vulnerability

Microsoft released a patch for “another class of vulnerabilities” in the Windows Text Service Framework (TSF) that was publicly disclosed by Tavis Ormandy of the Google Project Zero research team in August. CVE-2019-1235 is an elevation of privilege vulnerability due to a lack of validation of inputs and commands sent to the TSF server process. Exploitation requires an attacker to have already logged onto a system before they can deploy a specially crafted application to take control of the system.

CVE-2019-1253

Windows Elevation of Privilege Vulnerability

CVE-2019-1253 is an elevation of privilege vulnerability due to an improper handling of junctions by the Windows AppX Deployment Server. Exploitation requires an attacker to gain the ability to execute an application on a vulnerable system first in order to run a crafted application to elevate privileges. This flaw was publicly disclosed, but, according to Microsoft, exploitation of this flaw is less likely and, given the attacker would need to gain access to a victim’s system first, it is unlikely to be widely exploited.

CVE-2019-1294

Windows Secure Boot Security Feature Bypass Vulnerability

CVE-2019-1294 is another publicly disclosed vulnerability which requires physical access to a system. A security feature bypass exists when Windows Secure Boot fails to properly restrict access to debugging functionality. By exploiting this flaw, an attacker could disclose protected kernel memory. While this exploit does require physical access and most readers might dismiss the flaw over this constraint, this highlights an often overlooked aspect of your organization's security plan: physical security. Proper patch management and regular scanning are every bit as important as making sure physical security controls are in place.

Tenable Solutions

Users can create scans that focus specifically on our Patch Tuesday plugins. From a new advanced scan, in the plugins tab, set an advanced filter for Plugin Name Contains September 2019.

[Screenshot: Microsoft Patch Tuesday September 2019 Tenable Roundup]

With that filter set, click on the plugin families to the left, and enable each plugin that appears on the right side. Note that if your families on the left say Enabled then that means all of the plugins in that family are set. Disable the whole family before selecting the individual plugins for this scan. Here’s an example from Tenable.io:

[Screenshot: Microsoft Patch Tuesday September 2019 Tenable Roundup]

A list of all of the plugins released for Tenable’s September 2019 Patch Tuesday update can be found here. As always we recommend patching systems as soon as possible and regular scanning of your environment to identify those systems that are yet to be patched.

As a reminder, Windows 7 support will be discontinued on January 14, 2020, so we strongly recommend reviewing what hosts remain and any action plans for migration. Plugin ID 11936 (OS Identification) can be useful for identifying hosts that are still running on Windows 7.


No, You Aren’t Being Invited to Win a New Car. That’s Spam on Your Calendar


By abusing the automatic event creation feature of integrated email calendars, spammers are finding ways to send you malicious links that are harder to ignore.

Background

In June, researchers at Kaspersky wrote a detailed blog post about phishing tactics involving calendar invite spam, wherein a spammer can automatically add events to your personal calendar, with no interaction on your part, simply by sending you an invitation. All the spammer needs is your email address, either from a stolen or auto-generated list. This isn’t a vulnerability; it’s a function of your calendar working as intended.

Analysis

You are likely already familiar with seeing new events pop up on your calendar as coworkers send invitations to new meetings, regardless of whether or not you’ve seen the email that triggered the invite. This is a feature that calendar apps have enabled by default to make team collaboration swift and efficient. It’s also enabled across both business and personal accounts for all integrated calendars by default. This feature is also becoming more popular with attackers, who are using it for malicious purposes.

As Brian Krebs pointed out in his own blog:

“Calendar invites from spammers run the gamut from ads for porn or pharmacy sites, to claims of an unexpected financial windfall or ‘free’ items of value, to outright phishing attacks and malware lures. The important thing is that you don’t click on any links embedded in these appointments. And resist the temptation to respond to such invitations by selecting ‘yes,’ ‘no,’ or ‘maybe,’ as doing so may only serve to guarantee you more calendar spam.”

Solution

Google is working on a solution for Google Calendar. In the meantime, we strongly advise educating staff to be vigilant and refrain from clicking on unsolicited links. Scammers are banking on the fact that users are likely to be enticed by their messages and will click on the malicious links.

Exchange admins have full control over calendar settings and can ensure that spam invites aren’t automatically added to a user’s calendar, reducing the risk of unwitting clicks on malicious links. Managing this setting should sync with Outlook users within your organization.

Since Apple Calendar doesn’t offer an enterprise version, individual users must manage the settings on their own devices.

Note: Black Hills published a blog in 2017 that details a bypass in Gmail they call MailSniper that ignores users’ attempts to block automatic invites. At the time of publication it seems that Google has yet to fix this flaw.

Identifying affected systems

Because many modern calendar applications are cloud based with little direct organizational control over specific user permissions, the only way we’ve found for an organization to maintain control over user settings against spam is through Exchange Server administration.

As with Apple Calendar, G Suite-dependent organizations must rely on user education to mitigate risk. At present there is no option in the G Suite to manage user calendar settings beyond simple sharing permissions.


What Skyjacking and Kidnapping Cases Can Teach Us About Responding to Ransomware Attacks


While ransomware is a relatively new phenomenon, ransom-related crimes have been around for generations. Here are four lessons from the past which we believe will help state and local governments protect themselves in today’s digital world.

In 2018, there were 56 targeted ransomware attacks reported by state and local governments in the United States, a 40 percent increase over the number reported the previous year, according to a May 2019 Recorded Future report. In the first half of 2019 alone there were 55 documented attacks, nearly equaling the 2018 total and suggesting that this trend is accelerating. 

The increasing number of ransomware attacks in state and local government has resulted in an explosion of media coverage, most of which has focused on current causes and effects. We believe there’s value in looking at past instances of ransom-related crimes, such as skyjackings and kidnappings, and examining the actions taken to reduce them. These examples offer response tactics we believe can be applied to today’s digital world. 

Let’s start with skyjackings. In the 1970s, over 150 planes were hijacked and held for ransom in the United States alone. Fast-forward to 2018: there were none. So what changed? Three things: 

  • More stringent airport screening; 
  • Hardened cockpits on planes; and
  • Aggressive responses by passengers and crew to potential threats. 

The response to political kidnappings can be equally instructive with regard to dealing with ransomware. The advent of “Kidnapping and Ransom (K&R)” insurance completely changed the calculus on these events by adding a risk reduction requirement to the policies. If you wanted K&R coverage you had to take precautions to actually reduce your risk of being kidnapped. 

Using Past Ransom Crises to Define Future Ransomware Response Strategies

What do the responses to these past threats have to do with today’s digital attacks? We see four lessons learned from past ransom crises which we believe can be applied to protecting state and local governments from ransomware.

  • Change behaviors. In the skyjacking example, increased airport screening has affected air travel for all passengers, but they’ve adapted to it. Taking off your shoes and going through a metal detector are now accepted practices. Similarly, cities might consider adopting e-screening techniques as a requirement before the public can access digital services. This might include something as simple as making sure residents have updated the operating system software on their mobile devices before allowing them access to city websites. Or, it might mean changing internal practices to implement more stringent patch management on agency-owned assets, such as using tools to prioritize this type of mitigation. In addition, city employees could be required to connect to work-related applications only with city-owned assets or via proprietary VPN connections using two-factor authentication. 
  • Harden the infrastructure. If a threat actor in a skyjacking scenario can’t get in the cockpit, they can’t take over the plane. Government IT infrastructure needs to be equally hardened. While information technology professionals understand the importance of implementing CIS controls and/or other standards, they often lack the budgetary influence to obtain the tools necessary to implement them. In the ongoing Deloitte-NASCIO Cybersecurity Study, which is based on biennial surveys of state CIOs, respondents have routinely cited a lack of sufficient funding as their No. 1 challenge in addressing states’ efforts to thwart threat actors. To address this, cities should transfer cybersecurity responsibility from IT to public safety. Public safety initiatives get funded because their work is visible to the public. More to the point, public safety leaders can acquire weapons and weapons systems — and cybersecurity tools could be branded as such. Here are three ways local governments can change the conversation when it comes to cybersecurity funding.
  • All for one and one for all. Behave threateningly on an airplane today and fellow passengers will take action. While we’re certainly not condoning vigilantism, we believe cities should empower their communities to respond quickly and assertively to all forms of cyberthreats, from phishing attacks to complex exploits by threat actors. First, mayors should install someone in uniform as the city CISO and address cyberthreats in the same manner as any other potential crimes. Tools like Tenable’s, which offer predictive prioritization of vulnerabilities, can stand alongside crime reporting, analysis and forecasting tools like CompStat to ensure appropriate resources are applied based on the probability of these crimes occurring. Second, public safety officials should set up Crime Stopper-type channels for reporting cyberthreats and vulnerabilities and make them publicly available. Finally, mayors should create a “cyber corps” of local experts who can be called on as advisors during a crisis and also serve as a sounding board for public comment regarding cyberthreats. 
  • Use insurance as an instrument of change. Kidnapping and ransom insurance policies led to enhanced risk management requirements on behalf of the potential beneficiaries of these policies. The same will be true for cyber insurance. Cities will want to obtain the lowest rate possible for coverage and will therefore comply with similar risk management requirements. This will come with a cost, albeit a much lower one than a ransom. Mayors who choose to acquire cyber insurance can use this fact as a lever to gain increased budget for the acquisition of cyber tools and staffing to control the cost of premiums and further reduce the probability of future ransomware attacks. 

While it’s true that the challenges we’re facing in today’s digital world are unique, it’s helpful to consider these and other ways state and local governments have responded to other major public safety challenges. If you have other ideas on how we can use historical responses to guide our future strategy, email me at stsmith@tenable.com.

Learn more:

Vulnerability Management: A Fundamental First Step to Improve Cyber Hygiene and Reduce Cyber Risk


Vulnerability management tools should be behind every platform operating on the modern attack surface. Here’s why.

Vulnerability management (VM) is no longer a niche program; it is an essential enterprise solution. Why? Because it’s a fundamental first step in improving cyber hygiene and reducing cyber risk.

The recent hacks and ransomware attacks that have held organizations and governments hostage succeeded not because they involved sophisticated techniques; rather, it's because they were able to successfully exploit poor cyber hygiene. In fact, those of you who were able to attend our Edge or GovEdge user conferences this past spring would have heard Tenable’s CEO Amit Yoran speak about "The Cure for Cyber Helplessness." While organizations have been conditioned to believe they are helpless against cyberattacks, the vast majority of successful hacks are a result of bad actors exploiting known vulnerabilities. Indeed, in numerous media interviews, Amit stresses the critical need for strong vulnerability management as a fundamental first line of defense against cyberthreats.

Tenable CEO Amit Yoran takes the main stage Sept. 19 at the 2nd Annual National Cybersecurity Summit alongside FireEye President Travis Reese for a panel discussion, “Strategic Perspectives from the C-Suite,” moderated by Cyber Threat Alliance President and CEO Michael Daniel. 

The Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) program demonstrates a successful VM program, providing continuous monitoring of the .gov network in real time while identifying and prioritizing vulnerabilities that could be exploited by bad actors. With more and more devices connected to networks, the attack surface continues to expand and organizations and the government have a responsibility to take stock of their cyber risk and address their Cyber Exposure gap. At Tenable, we support DHS and its ability to scan more of its infrastructure for vulnerabilities and we see CDM as a key example of how best to secure sensitive networks and manage those vulnerabilities. 

While DHS is excelling at effectively and efficiently managing vulnerabilities, other agencies still have work to do. A congressional report released in June 2019 illustrated that eight U.S. federal agencies, over two administrations, failed to address vulnerabilities in their IT infrastructure leaving sensitive and personal information vulnerable to theft.

Luckily, this summer Congress introduced the Advancing Cybersecurity Continuing Diagnostics and Mitigation Act in the House (H.4237) and the Senate (S.2318). This legislation is a critical step in the ongoing effort to better secure government networks from an onslaught of cyberthreats. The bill contains several important directives, including:

  • codifying and expanding the CDM program to all civilian agencies as well as state, local, tribal and territorial governments; 
  • establishing policies for reporting cyber risks and incidents; 
  • requiring comparative assessments of cybersecurity risks for federal agencies; 
  • requiring DHS to deploy new CDM technologies; and 
  • developing a strategy to ensure the program continuously evolves and adjusts to the expanding threat landscape, including threats against operational technology (OT) assets. 

The CDM Act ensures Federal agencies have the tools needed to manage their vulnerabilities as well as the resources and guidance on how to most effectively use these tools. 

Vulnerability management tools come with a cost-savings advantage as well. There is tremendous value in the federal government allocating funds to allow for the General Services Administration (GSA) to examine how vulnerability management is affecting agencies and evaluate where to save dollars when it comes to federal cybersecurity spending. 

Vulnerability management is a practice that must be adopted widely as the foundation supporting the pillars of the government’s IT systems. Without visibility into the threats of today and tomorrow, organizations are at risk of a cyberattack with significant consequences.  We look forward to working with our government partners to address the Cyber Exposure gap and help with the prioritization of their most pressing cybersecurity threats.

How Ballad Health Uses Tenable.sc to Protect Its Complex Attack Surface

Ballad Health’s network includes IT, internet of things and operational technology assets used by staff, practitioners and clients across 21 sites. Here’s how it’s using Tenable.sc to find and fix vulnerabilities. 

Ballad Health is an integrated healthcare system serving 29 counties of Northeast Tennessee, Southwest Virginia, Northwest North Carolina and Southeast Kentucky. The organization, formed in 2018 as the result of a merger, operates a family of 21 hospitals, medical centers, care facilities and pharmacies throughout the region.

The organization’s network accommodates some 19,000 employees plus guest users and spans a variety of IT, internet of things (IoT) and operational technology (OT) assets, including biomedical devices and industrial control systems. Protecting these devices and applications falls to IT Security Engineer Michael Birchfield and his team.

“There's a lot of different pieces to the puzzle,” said Birchfield in an interview with Tenable during the Edge 2019 User Conference in May. “It's one thing that you have servers, it's one thing that you have network equipment and another that you have endpoints — whether they be PCs, laptops, remote users — but there's also the IoT devices.” In addition, the organization provides connectivity for patients and visitors so they can use their devices in the facilities. 

In such a complex attack surface, the number one challenge is “knowing what you have versus knowing what you think you have,” said Birchfield. 

Ballad uses Tenable.sc (formerly SecurityCenter) to help resolve this challenge. Birchfield highlighted the platform’s discovery scanning functions, particularly the ability to scan actual subnets versus relying on manual entry. “You may see double the amount of stuff on your network than you thought you initially had from conversations with staff and your analysts,” he said.

For example, said Birchfield, “Say you had 30,000 devices you thought you were worried about and then you find out you have 60,000. That just shows you why you needed this product, because no one else thought you had that and this just generated a report showing it.”

The reporting available in Tenable.sc enables Birchfield to drill down into the data to see what those previously undiscovered things actually are. From there, he’s able to find out who owns the various assets. Hint: it’s not always IT. In some cases, the discovery turns up biomedical devices, IoT devices or even gadgets a staffer may have brought into their office without telling anyone. 

It can be too easy for these non-IT devices to be overlooked at remediation time. “If 20 percent of the stuff you didn't manage shows up on this report, who do you go to to solve that problem?” said Birchfield. “It may not be IT at all. It may be a totally different organization in the group or in the company … for us, it's very important to show that all of these things exist and, if it's not in IT, [to figure out] who does it belong to and are they responsible for patching it and keeping it up to date?”

‘It Makes Non-IT People Understand Why This Is Important’

Having detailed reports to point to has an added bonus: it “makes non-IT people understand why this is important,” Birchfield said. This is useful not only for communicating amongst teams but also for sharing information with the C-suite and the board. 

The reporting capabilities of Tenable.sc also help the IT team stay on track with patching, explained Birchfield. “If IT is managing this whole network infrastructure and everything plugged into it [and] you have a group of 20 percent of your assets out there are not IT and they're not in your vulnerability management program.” The question then becomes: who is responsible for the patch cycles for this portion of assets?

Tenable.sc gives the teams a source of clarification to resolve miscommunications that can arise when a practitioner claims they’ve patched something but it’s still showing up in a vulnerability report. “In the past, that would be a discussion where you just went back and forth [without resolution],” said Birchfield. “Well, today, in Tenable, you can actually go in and show, ‘yes you patched it, but the reason it's showing up is because of this piece right here.’ You can drill down into the vulnerability and it will tell you, ‘hey, you need to configure this. This is a registry change.’ So not only do you patch it, but you have to make this change to make it acceptable.”

Birchfield noted that, in most of these cases, it turns out that people did the right thing but didn't know there was a second step to the patch. “In the past, I don't think that was ever picked up on,” he said. “People applied the patch and moved on and [if there were] things that needed manual entry, they just didn't know what needed to be done, so they were still vulnerable.”

Customized Reports Help Improve Communication

The ability in Tenable.sc to customize reports and dashboards to different audiences is also an advantage for Birchfield. “I don't want to send somebody something that I know they're never going to look at. If it takes too long and it's too congested, they're not going to spend time on it,” said Birchfield. “But if I give them something that really tells them what they need to focus on, and it only takes two or three minutes for them to figure that out, that's important and that's powerful because they can see right away where they are, where they need to be and what exactly it is they need to fix in order to address that issue. That's very important for me because I know they'll do it if it's something I can give them that's easy to read.”

Birchfield said he’s not yet used the Vulnerability Priority Rating in Tenable.sc but it “looks fantastic.” VPR, a new capability introduced this year in Tenable.sc and Tenable.io, is the output of Tenable’s new Predictive Prioritization offering. Introduced in February 2019, Predictive Prioritization combines Tenable-collected vulnerability data with third-party vulnerability and threat intelligence and analyzes them together using an advanced data science algorithm developed by Tenable Research. The data analysis is used to develop a VPR for each vulnerability. 

“Today, I'm showing people what all needs to be done, and they're looking at it going … ‘Which ones do I start with?’ ” said Birchfield. “Well, now I can tell you.”

Watch Now:

Tenable interviews Michael Birchfield, IT Security Engineer with Ballad Health, at our Edge 2019 user conference:

Learn More:

  • Visit our Predictive Prioritization webpage here.
  • Learn more about Tenable.sc here.

CVE-2019-14994: URL Path Traversal Vulnerability in Jira Service Desk Leads to Information Disclosure

Path traversal flaw in Jira Service Desk can be used by attackers to view protected information in Jira projects.

Background

On September 18, Atlassian published a security advisory for a vulnerability in Jira Service Desk, an IT ticketing application used by over 25,000 organizations to accept, manage and track requests from customers and employees through a web portal.

Tenable Research has identified many publicly accessible Jira Service Desk instances belonging to organizations in healthcare, government, education and manufacturing in the United States, Canada and Europe. The following is a screenshot of search engine results listing publicly accessible Jira Service Desk portals.

In related news, Atlassian has also released a security advisory for CVE-2019-15001, an authenticated template injection vulnerability in the Jira Importers Plugin for Jira Server reported by security researcher Daniil Dmitriev. Dmitriev discovered and reported another template injection vulnerability, CVE-2019-11581, back in July.

Analysis

CVE-2019-14994 is a URL path traversal vulnerability in Jira Service Desk and Jira Service Desk Data Center. By default, the ticketing system grants customers and employees only limited privileges through the customer portal, such as opening new requests or viewing their existing requests, without giving them direct access to the company’s Jira instance.

According to the advisory, an attacker with access to the web portal can send a specially crafted request to the Jira Service Desk portal to bypass these restrictions and view protected information. In order to exploit the vulnerability, the Customer Permissions setting for who can raise a request must be set to “Anyone can email the service desk or raise a request in the portal,” which may be a common configuration because the other two options limit who can open requests. In addition to viewing protected information within Jira Service Desk, an attacker could also view protected information from Jira Software and Jira Core if the “Browse Project” permission is granted to Group - Anyone.

While full details about the vulnerability are not public at this time, Sam Curry, the researcher who discovered the vulnerability, tweeted that he plans to publish more details, including a proof-of-concept (PoC), soon. Curry also credited DEVCORE researcher Orange Tsai’s previous work, which stems from a Black Hat and DEFCON presentation from 2018 called “Breaking Parser Logic! Taking Your Path Normalization off and Pop 0days Out.”

Researcher Sam Curry responds to Orange Tsai on Twitter

Curry confirmed to Tsai that his finding is linked to Tsai’s example of accessing Uber’s internal Jira server: a path segment of “..;” is accepted by the front end as part of the portal path, but the back end treats it as “..” (a parent directory), so the request climbs out of the customer portal path. Atlassian appears to confirm this in its knowledge base article for the vulnerability.

Slide deck from Orange Tsai’s Black Hat presentation on accessing Uber’s internal Jira server
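The parser differential behind a “..;” traversal is easy to reproduce. The following is an added example (not Atlassian’s or Tenable’s code) that models the behaviour described above: a front-end rule decides from the raw request path whether a request belongs to the public customer portal, while the servlet container behind it first strips “;param” path parameters from each segment and then resolves “..”, so a path that starts with the portal prefix can be served from a protected location. The portal prefix, the exact normalization steps and the sample paths are assumptions for illustration, not details from the advisory.

```python
"""Parser differential behind a '..;' path traversal (added example).

Models the behaviour described in the text: a front-end prefix rule sees
'/servicedesk/customer/..;/..;/secure/...' as a portal request, while the
container strips ';...' from each segment, treats '..;' as '..' and serves
'/secure/...'. Portal prefix and normalization steps are assumptions.
"""
from urllib.parse import unquote

PORTAL_PREFIX = "/servicedesk/customer/"      # assumed public portal path


def naive_is_portal_request(path: str) -> bool:
    """Front-end style check that trusts the raw path prefix (the weak rule)."""
    return path.startswith(PORTAL_PREFIX)


def container_normalize(path: str) -> str:
    """Simplified model (an assumption) of how a servlet container
    canonicalizes a request path before routing it:

    1. percent-decode the path
    2. drop a ';name=value' path parameter from every segment, so '..;' -> '..'
    3. resolve '.' and '..' segments, never climbing above '/'
    """
    decoded = unquote(path)
    segments = []
    for segment in decoded.split("/"):
        segment = segment.split(";", 1)[0]
        if segment in ("", "."):
            continue
        if segment == "..":
            if segments:
                segments.pop()
            continue
        segments.append(segment)
    normalized = "/" + "/".join(segments)
    if decoded.endswith("/") and normalized != "/":
        normalized += "/"       # keep '/secure/' distinct from '/secure'
    return normalized


def hardened_is_portal_request(path: str) -> bool:
    """Decide on the path the container will actually serve, not the raw one."""
    return container_normalize(path).startswith(PORTAL_PREFIX)


def looks_like_traversal(path: str) -> bool:
    """Log/alert heuristic: any segment that is '..' or '.' once its ';' path
    parameter is stripped. Plain ';jsessionid=...' segments do not trigger it."""
    return any(seg.split(";", 1)[0] in ("..", ".")
               for seg in unquote(path).split("/"))


def classify(path: str) -> dict:
    """Side-by-side verdict for one request path."""
    return {
        "resolved": container_normalize(path),
        "naive_allows": naive_is_portal_request(path),
        "hardened_allows": hardened_is_portal_request(path),
        "suspicious": looks_like_traversal(path),
    }


if __name__ == "__main__":
    for p in (
        "/servicedesk/customer/portal/1",
        "/servicedesk/customer/..;/..;/secure/Dashboard.jspa",
        "/servicedesk/customer/%2e%2e;/%2e%2e;/rest/api/2/search",
    ):
        print(p, classify(p))
```

The lesson is the one Tsai’s talk makes: an access decision is only safe when it is taken on the same canonical form of the path that the component behind it will use. Percent-decoding and the “;” parameter both have to be handled before the prefix comparison, and any request whose segments still contain “..” after that step deserves an alert rather than a pass.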

Proof of concept

While there was no PoC available when this blog was published, the researcher plans to release a PoC soon.

Solution

Atlassian has released updated versions of Jira Service Desk Server and Jira Service Desk Data Center to address this vulnerability. The following table contains the list of vulnerable versions with the associated fixed versions.

Affected Version                 Fixed Version
Prior to 3.9.16                  3.9.16 or 3.16.8
3.10.0 through 3.16.7            3.16.8
4.0.0 through 4.1.2              4.1.3
4.2.0 through 4.2.4              4.2.5
4.3.0 through 4.3.3              4.3.4
4.4.0                            4.4.1

Fixed versions can be retrieved from Atlassian’s Service Desk update page.

If upgrading to a patched version of Jira Service Desk Server or Jira Service Desk Data Center is not feasible at this time, Atlassian has also provided temporary workarounds to thwart attacks.

Organizations using Jira Service Desk Server or Jira Service Desk Data Center should patch as soon as possible, ahead of the release of a PoC and the exploit attempts that will follow it.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io Vulnerability Management.

CVE-2019-1367: Critical Internet Explorer Memory Corruption Vulnerability Exploited In The Wild

Zero-day memory corruption vulnerability in Internet Explorer has been observed in attacks in the wild

Background

On September 23, Microsoft released an out-of-band patch for a zero-day vulnerability in Internet Explorer that has been exploited in the wild.

Analysis

CVE-2019-1367 is a memory corruption vulnerability in Internet Explorer’s scripting engine in the way that objects in memory are handled. Exploitation of this vulnerability could result in the attacker gaining arbitrary code execution under the same privileges as the current user. In the event that the current user has administrative privileges, an attacker could perform various actions on the system, from creating a new account with full privileges to installing programs or even modifying data.

To exploit the vulnerability, an attacker would have to host the exploit on a malicious website and socially engineer a user into opening that website in Internet Explorer. In the case of a targeted attack, an attacker could include a link to the malicious website in an email or in a malicious email attachment (HTML file, PDF file, Microsoft Office document) that supports embedding the scripting engine content.

The vulnerability was discovered by Clément Lecigne of Google’s Threat Analysis Group (TAG). Earlier this year, Lecigne discovered and reported two zero-day vulnerabilities: a use-after-free vulnerability in Google Chrome (CVE-2019-5786) and an elevation of privilege vulnerability in Microsoft Windows (CVE-2019-0808) that were exploited together in the wild.

Additional details about the in-the-wild exploitation of this vulnerability have not yet been made public by Lecigne and Google’s TAG, though we anticipate such details will be disclosed in a blog post in the near future.

Proof of concept

At the time this blog was published, no proof-of-concept (PoC) was available.

Solution

Microsoft released an out-of-band patch for this vulnerability because it has been exploited in the wild. Please refer to the Security Updates section of Microsoft’s advisory for the relevant IE Cumulative Update or Security Updates.

Additionally, Microsoft has provided workarounds for both 32-bit and 64-bit systems by restricting access to the JScript.dll file. An administrator can do so by entering specific commands into the command prompt; the commands are available at the end of the security advisory page. However, these workarounds should only be used as a temporary measure until patching is feasible. Commands to revert the workarounds are also available on the Microsoft security advisory page linked above.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io Vulnerability Management.

Critical Zero-Day Pre-authentication Remote Code Execution Exploit Published for 5.x Versions of vBulletin

New critical zero-day pre-auth RCE exploit code published on Full Disclosure mailing list for 5.x versions of vBulletin (CVE-2019-16759).

Background

A pre-authentication remote code execution (RCE) zero-day exploit for vBulletin 5.x was recently disclosed anonymously. This zero-day does not appear to have followed coordinated disclosure procedures, and we have not yet seen a response from vBulletin on this vulnerability.

Analysis

Tenable Research has analyzed and confirmed that this exploit works on default configurations of vBulletin. Based on the public PoC, an unauthenticated attacker can send a specially crafted HTTP POST request to a vulnerable vBulletin host and execute commands. These commands run with the permissions of the user account under which the vBulletin web application runs. Depending on that account’s permissions, this could allow complete control of the host.

Proof of concept

The published exploit code reports successful execution in a JSON-formatted response from the server.

Solution

At the time of publication, this vulnerability remains a zero-day without an official mitigation or fix. Tenable does, however, expect vBulletin to respond with an advisory or patch soon.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io Vulnerability Management.

CVE-2019-8451: Proof-of-Concept Available for Server Side Request Forgery (SSRF) Vulnerability in Jira

Availability of proof-of-concept code for vulnerability in Jira poses a challenge, as the Jira 7.x branch did not appear to contain a fix for the flaw

Background

On September 9, Atlassian released version 8.4.0 for Jira Core and Jira Software, which included a fix for an important security issue reported in August 2019.

Analysis

CVE-2019-8451 is a pre-authentication server-side request forgery (SSRF) vulnerability in the /plugins/servlet/gadgets/makeRequest resource. The vulnerability exists due to “a logic bug” in the JiraWhitelist class. An unauthenticated attacker could exploit this vulnerability by sending a specially crafted web request to a vulnerable Jira server. Successful exploitation would result in unauthorized access to view, and potentially modify, internal network resources.

The vulnerability was first introduced in Jira Core and Jira Software version 7.6.0, an enterprise release from November 2017, and affects Jira Core and Jira Software versions 7.6.0 through 8.3.4.

Shortly after a patch was released, a GitHub repository was created on September 16 containing a proof-of-concept (PoC) for CVE-2019-8451. On September 23, security researcher Henry Chen published a tweet showing exploitation of the vulnerability in an animated GIF and referenced previous work around SSRF vulnerabilities from DEVCORE researcher Orange Tsai’s Black Hat talk, “A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!” from 2017.

Dino A. Dai Zovi, Head of Security at Square’s Cash App, retweeted Chen’s tweet, saying: “If you’re running JIRA on AWS consider this SSRF to be RCE.” A Jira instance exposed this way within Amazon Web Services (AWS) gives an attacker a path to the AWS Instance Metadata service, an SSRF target documented in research from 2017.

An SSRF can provide attackers with the ability to query the cloud provider’s APIs, enumerating permissions and extracting data or executing API commands against other cloud services. The scenario below simply aims to obtain the instance’s security credentials.

The Instance Metadata service, reachable from the instance at the link-local address 169.254.169.254, provides information about the Amazon Elastic Compute Cloud (EC2) instance it runs on. Through this SSRF, an unauthenticated attacker could query that service and thereby obtain whatever cloud privileges the instance has been granted.

In this AWS scenario, exploiting the CVE lets an attacker query the instance metadata service for security credentials. A request to the endpoint /latest/meta-data/iam/security-credentials/ returns the name of the IAM role attached to the instance. A second request to the same endpoint with the role name appended returns the temporary AWS API credentials: the AccessKeyId, the SecretAccessKey and a session Token, together with their Expiration time.

The attacker could use these credentials to execute any action permitted by the instance’s role. For example, in a supply chain breach scenario, a more deceptive attacker could use this access to read the EC2 instance’s user data, obtain the configuration of Amazon Elastic Container Service (ECS) (Docker container) assets and even retrieve Docker images, plant a backdoor, then push the image back into the registry. Conceptually, any exposed Jira asset residing on any cloud provider (AWS, Azure, Google Cloud, Alibaba, Digital Ocean) is a target and capable of causing a potentially devastating breach for your organization.
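The logging the Solution section recommends is only useful if something reads it. The following is an added example (not Tenable’s or Atlassian’s code) of the detection side of the scenario above: it scans web-server access-log lines from a Jira front end for makeRequest calls whose fetched URL points at the instance metadata service, and separates the two steps described in the text (enumerating the role name, then reading that role’s credentials). The makeRequest servlet path and the 169.254.169.254 address come from the text; the name of the servlet’s target parameter (url), the combined log format and the log lines themselves are constructed assumptions. The canonicalization step goes beyond the dotted address in the text: bare-decimal, hexadecimal and IPv4-mapped IPv6 spellings of the same host are reduced to one IPv4 address so that simple encoding tricks do not evade the rule.

```python
"""Detect CVE-2019-8451-style SSRF requests aimed at the AWS instance metadata
service (added example, not Tenable's or Atlassian's code).

Assumptions: the gadget servlet takes its target in a 'url' query parameter,
the front end writes Apache/nginx combined-format access logs, and the log
lines below are constructed with documentation-only addresses.
"""
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

MAKE_REQUEST_PATH = "/plugins/servlet/gadgets/makeRequest"   # from the advisory
IMDS_ADDRESS = ipaddress.ip_address("169.254.169.254")        # AWS metadata address
CREDENTIAL_PATH = "/latest/meta-data/iam/security-credentials/"

# combined-style line: src ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log. Lines 2 and 3 are the two-step credential theft
# (role enumeration, then credential read via a decimal spelling of the IMDS
# address); line 4 reads user data via an IPv4-mapped IPv6 spelling; the last
# line is a benign gadget fetch that must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Sep/2019:10:01:02 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 5123
203.0.113.7 - - [23/Sep/2019:10:01:09 +0000] "GET /plugins/servlet/gadgets/makeRequest?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2Fiam%2Fsecurity-credentials%2F HTTP/1.1" 200 17
203.0.113.7 - - [23/Sep/2019:10:01:15 +0000] "GET /plugins/servlet/gadgets/makeRequest?url=http%3A%2F%2F2852039166%2Flatest%2Fmeta-data%2Fiam%2Fsecurity-credentials%2FJiraInstanceRole HTTP/1.1" 200 934
203.0.113.7 - - [23/Sep/2019:10:01:21 +0000] "GET /plugins/servlet/gadgets/makeRequest?url=http%3A%2F%2F%5B%3A%3Affff%3A169.254.169.254%5D%2Flatest%2Fuser-data HTTP/1.1" 200 512
198.51.100.4 - - [23/Sep/2019:10:02:00 +0000] "GET /plugins/servlet/gadgets/makeRequest?url=https%3A%2F%2Fwww.example.com%2Ffeed.xml HTTP/1.1" 200 2048
"""


def canonical_ipv4(host):
    """Reduce dotted, bare-decimal, hex and IPv4-mapped-IPv6 hosts to one IPv4Address.

    Returns None for hostnames: a DNS name that later resolves to the metadata
    address is out of scope here and needs resolver logs or egress control.
    """
    if not host:
        return None
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        try:
            addr = ipaddress.ip_address(int(host, 0))    # "2852039166", "0xa9fea9fe"
        except ValueError:
            return None
    if isinstance(addr, ipaddress.IPv6Address):
        addr = addr.ipv4_mapped                          # "::ffff:169.254.169.254"
    return addr if isinstance(addr, ipaddress.IPv4Address) else None


def classify_target(raw_url):
    """Return a finding dict if the fetched URL points at the metadata service, else None."""
    parts = urlsplit(unquote(raw_url))                   # second decode catches double encoding
    if canonical_ipv4(parts.hostname) != IMDS_ADDRESS:
        return None
    path = parts.path or "/"
    if path.startswith(CREDENTIAL_PATH):
        role = path[len(CREDENTIAL_PATH):].strip("/")
        kind = "credential-read" if role else "role-enumeration"
    else:
        role, kind = "", "metadata-read"
    return {"kind": kind, "role": role, "imds_path": path}


def find_imds_ssrf(log_text):
    """Scan access-log text; return one finding per makeRequest call aimed at IMDS."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m["target"])
        if target.path != MAKE_REQUEST_PATH:
            continue
        for raw_url in parse_qs(target.query).get("url", []):
            hit = classify_target(raw_url)
            if hit:
                hit.update(src=m["src"], ts=m["ts"], status=int(m["status"]), url=raw_url)
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in find_imds_ssrf(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['kind']:16} role={f['role'] or '-'} {f['imds_path']}")
```

A “role-enumeration” finding followed within seconds by a “credential-read” from the same source is the exact sequence described above and should be treated as credentials already stolen: rotate the instance role’s credentials (or replace the instance profile) and review CloudTrail for the role’s activity after that timestamp. The check is a complement to, not a substitute for, the least-privilege role design recommended in the Solution section.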

Proof of concept

As noted above, a PoC for CVE-2019-8451 has been available since September 16, with further examples being referenced in tweets on September 23.

Solution

Atlassian addressed this vulnerability in Jira Core and Jira Software version 8.4.0. Many of the releases under the Jira 7.x branch are on a path towards end of life (EOL). Jira 7.13, the most recent enterprise release version, will reach EOL in November 2020, while Jira 7.6 will reach EOL in November 2019. Until their respective EOL dates, these Jira versions receive bug fixes. However, it does not appear that CVE-2019-8451 was addressed in any recent release under the Jira 7.x branch. Other than upgrading to Jira 8.4.0, there is no specific workaround designed to prevent attackers from exploiting this vulnerability. The only known mitigation is to ensure that Jira instances aren’t publicly accessible.

In the context of AWS, we encourage administrators to practice strong role and instance profile management for AWS assets, to restrict API access by following the principle of least privilege, and to enable logging so that malicious activity can be detected.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.

Get more information 

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io Vulnerability Management.

CVE-2019-16928: Critical Buffer Overflow Flaw in Exim is Remotely Exploitable

CVE-2019-16928, a critical heap-based buffer overflow vulnerability in Exim email servers, could allow remote attackers to crash Exim or potentially execute arbitrary code.

Background

Exim Internet Mailer, the popular message transfer agent (MTA) for Unix hosts found on nearly 5 million systems, is back in the news. Earlier this month, CVE-2019-15846, a critical remote code execution (RCE) flaw, was patched in Exim 4.92.2. In June, we blogged about CVE-2019-10149, another RCE, which saw exploit attempts within a week of public disclosure.

On September 28, Exim maintainers published an advance notice concerning a new vulnerability in Exim 4.92 up to and including 4.92.2. From our analysis of Shodan results, over 3.5 million systems may be affected.

Analysis

CVE-2019-16928 is a heap-based buffer overflow vulnerability due to a flaw in string_vformat() in string.c. As noted in the bug report, the flaw was a simple coding error in which the length of the string was not properly accounted for, leading to a buffer overflow condition. An unauthenticated remote attacker could exploit the flaw by sending a large crafted Extended HELO (EHLO) string to crash the Exim process that receives the message, and this could potentially be further exploited to execute arbitrary code on the host. The flaw was reported by the QAX A-Team, who also submitted the patch. Because the bug is trivial to trigger, it’s likely attackers will begin actively probing for and attacking vulnerable Exim MTA systems in the near future.

Proof of concept

As part of the patch, a proof of concept (PoC) is available which can be used to exploit the flaw and cause a denial of service (DoS) condition in an affected Exim server.

Solution

The Exim team released version 4.92.3 on September 29 to address CVE-2019-16928. Administrators are encouraged to upgrade as soon as possible. No mitigations exist at this time.
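Because the affected range is a single point release wide (4.92 up to and including 4.92.2) and the fix is 4.92.3, triaging an MTA estate from SMTP greeting banners is a quick first pass. The following is an added example (not Exim’s or Tenable’s code): it parses the version out of an Exim greeting and classifies it against that range. The range and the fixed release come from the text; the banner format (“220 host ESMTP Exim version date”) is assumed from how Exim normally greets, and the sample banners are constructed.

```python
"""Classify an SMTP greeting banner against the CVE-2019-16928 affected range
(added example, not Exim's or Tenable's code).

Affected: Exim 4.92 through 4.92.2.  Fixed: 4.92.3 (both from the advisory).
Banner format "220 <host> ESMTP Exim <version> <date>" is an assumption.
"""
import re
import socket

AFFECTED_MIN = (4, 92, 0)
AFFECTED_MAX = (4, 92, 2)
FIXED = (4, 92, 3)

# Version may be "4.92" or "4.92.2"; pre-release builds carry a suffix like "-RC4".
BANNER_RE = re.compile(
    r"^220[ -].*?\bExim (?P<ver>\d+(?:\.\d+){1,2})(?P<suffix>[-_][A-Za-z0-9.]+)?",
    re.IGNORECASE,
)


def parse_version(text):
    """'4.92' -> (4, 92, 0); '4.92.2' -> (4, 92, 2)."""
    parts = [int(p) for p in text.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def assess_banner(banner):
    """Return (verdict, version) for one greeting line.

    verdicts: 'vulnerable'   4.92 .. 4.92.2
              'fixed'        4.92.3 or later
              'older'        before 4.92: not this CVE, but the earlier 2019
                             Exim advisories (CVE-2019-15846, CVE-2019-10149) apply
              'pre-release'  RC/snapshot build, review by hand
              'unknown'      not an Exim banner, or the version is hidden
    """
    m = BANNER_RE.search(banner.strip())
    if not m:
        return "unknown", None
    version = parse_version(m["ver"])
    if m["suffix"]:
        return "pre-release", version
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "vulnerable", version
    if version >= FIXED:
        return "fixed", version
    return "older", version


def grab_banner(host, port=25, timeout=5.0):
    """Read the greeting from a live server (needs network; not used by the sample run)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.recv(512).decode("ascii", "replace")


SAMPLE_BANNERS = [  # constructed
    "220 mail.example.net ESMTP Exim 4.92.2 Sun, 29 Sep 2019 10:00:00 +0000",
    "220 mx1.example.org ESMTP Exim 4.92 Mon, 30 Sep 2019 08:15:00 +0000",
    "220 relay.example.com ESMTP Exim 4.92.3 Mon, 30 Sep 2019 09:00:00 +0000",
    "220 old.example.com ESMTP Exim 4.91 Mon, 30 Sep 2019 09:05:00 +0000",
    "220 dev.example.com ESMTP Exim 4.93-RC0 Mon, 30 Sep 2019 09:10:00 +0000",
    "220 smtp.example.com ESMTP Postfix",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(assess_banner(b), "<-", b)
```

Treat an “unknown” verdict as unresolved rather than safe: administrators can change or suppress the Exim greeting, and distribution packages sometimes backport fixes without changing the advertised version, so a banner check is a triage aid and an authenticated package or binary check remains the authoritative answer.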

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io Vulnerability Management.

Tenable Lumin: Translating Vulnerability Management Into the Language of Business

With Tenable Lumin, we’re giving customers a bridge between the language of vulnerability management and the language of business. 

In our work here at Tenable, we often hear from our CISO customers about the dual challenges they face: how to help business executives and the board understand their organization’s cyber risk; and how to help their IT colleagues prioritize patching to address the vulnerabilities representing the greatest risk to the organization.

CISOs are, essentially, expected to be multilingual. They need to transition seamlessly from the business language of the C-suite to the technical, process-led language of their IT colleagues. The challenge? Most of the data they’re able to access from common vulnerability management tools is available only in their native tongue: the language of vulnerabilities. 

Indeed, a survey of more than 2,400 cybersecurity and IT leaders conducted by Ponemon Institute reveals that 58 percent of respondents say traditional KPIs or metrics for evaluating business risks cannot be used to understand cyber risks. Further, fewer than a third of respondents (30 percent) report they can adequately prioritize their efforts.

At Tenable, we’re committed to helping CISOs and cybersecurity professionals communicate effectively across their organizations. And, with Tenable Lumin, we’re giving you a bridge between the language of vulnerability management and the language of business. 

Tenable.io customers can use Lumin today to transform raw technical data into business insights by combining inputs such as threat intelligence, vulnerability data and asset criticality into a single platform to accurately measure and benchmark cyber risk. This risk-based approach to cybersecurity enables CISOs and their teams to prioritize remediation efforts, effectively communicate cyber risk to internal stakeholders and make data-driven decisions to reduce risk. 

Tenable Lumin enables organizations to effectively measure and benchmark their cyber exposure internally and externally against peer organizations. To accomplish this, vulnerability data is correlated with other risk indicators, such as threat intelligence and asset criticality, to automatically score, trend and benchmark an organization’s cyber risk. Lumin transforms technical data into business insights for better strategic decisions.

CISOs can use Tenable Lumin to quickly and accurately assess the organization’s cyber exposure risk and compare their health and remediation performance to that of other enterprises.

Lumin uses a variety of metrics to help users understand the following: 

  • where they are exposed;
  • where to prioritize remediation;
  • how the organization is reducing risk; and
  • how these efforts compare to others'.

With Tenable Lumin, users receive a Cyber Exposure Score for their own organization, an average score for peers within the same industry as well as the general population. This allows users to compare their organization to others and provides additional context around the score. The higher the score, the higher the risk. 

Users can use Tenable Lumin to access the data most relevant for a particular audience. For example:

  • The Cyber Exposure Score trend view provides trending data about the organization’s score over time. Users can also see whether their peers and the greater population are improving over time.
  • The Cyber Exposure Score by business context view allows users to map a group of assets to a Cyber Exposure Score.

Gathering current, accurate data is critical to assessing your risk. Learn more about what’s available in the Tenable Lumin dashboard here:

Gaining Fresh Insights Into Your Cyber Risk with Tenable Lumin

Lumin uses several metrics to help you assess your cyber risk:

  • Vulnerability Priority Rating (VPR)
  • Asset Criticality Rating (ACR)
  • Cyber Exposure Score 

Here’s what each score reveals:

  • Vulnerability Priority Rating. A dynamic companion to the static data provided by the vulnerability’s CVSS score and severity, the VPR is generated per vulnerability and updated by Tenable’s algorithms to reflect the current threat landscape. Values range from 0.1 to 10; a higher value represents a higher likelihood of exploitation. 
  • Asset Criticality Rating. Tenable assigns an ACR to each asset on your network to represent the asset’s relative criticality as an integer from 1 to 10. A higher ACR value indicates higher risk. Tenable assesses scan output and measures asset risk based on exposure due to the asset’s location on your network and proximity to the internet, device type and device capabilities.
  • Cyber Exposure Score (CES). The score is automatically generated through machine learning algorithms which combine the VPR, for the likelihood of exploitation, with the ACR, for the business criticality of the impacted asset. It represents the organization’s overall cyber exposure risk as an integer between 0 and 1,000, based on asset exposure score values for assets scanned in the past 90 days. A higher CES value indicates higher risk.

Learn more about Tenable Lumin metrics here:

What You Need to Know About The New Capabilities for Tenable.sc

The new Solutions view page in Tenable.sc 5.12 helps you unlock the power of Predictive Prioritization and the Vulnerability Priority Rating. Here’s how.

The National Vulnerability Database has analyzed nearly 13,000 vulnerabilities so far in 2019. Patching each of those vulnerabilities requires time, effort and resources. But where does one start? How do you identify those vulnerabilities with the highest likelihood of causing a business-disrupting event in your unique environment? Which do you fix first? 

Here’s how Tenable.sc 5.12 can help. 

Tenable.sc 5.12 takes Predictive Prioritization and the Vulnerability Priority Rating to the next level with a new Solutions view page. 

Predictive Prioritization, introduced in February 2019, combines Tenable-collected vulnerability data with third-party vulnerability and threat data and analyzes them together using an advanced data science algorithm developed by Tenable Research. The resulting Vulnerability Priority Rating (VPR) is calculated nightly for over 130,000 vulnerabilities. Since releasing Predictive Prioritization in Tenable.sc, one of our key areas of focus has been helping customers best utilize VPR to reduce risk and understand what VPR means for their organizations. Earlier this year, we added capabilities such as VPR sorting and VPR Key Drivers to give you more insight into your environment and the vulnerabilities on it. 

Solutions view in Tenable.sc

The new Solutions view page helps you manage the overwhelming number of vulnerabilities and answers the fundamental question of “Where do I start?” 

Tenable.sc 5.12 Solutions Dashboard

This page gives you a snapshot view of the most important patches to apply. You’re able to quickly see the percentage of risk reduction associated with applying each patch, as well as the number of hosts affected by the vulnerability, the VPR score and CVSS score. 

From the Solutions view page, you have the capability to drill down into each specific patch to understand critical information about the vulnerabilities and hosts affected. 

Tenable.sc 5.12 Windows Kernel Elevation of Privilege Vulnerability

The Solutions view page enables customers to focus remediation efforts on taking as much cyber risk out of the organization as possible to improve their overall security posture and reduce the likelihood of a business-disrupting event. 

But wait, there’s more!

Tenable.sc 5.12 includes other exciting new benefits and features, including the ability to:

  • Easily understand the state of your installation with the new Systems/License Healthcheck page. You will see a variety of statistics related to system and license usage to help with speed improvements, security and usability.
  • Increase efficiency by pulling Nessus logs directly into Tenable.sc with Nessus log retrieval
  • Ensure compliance with STIG and CSPN frameworks.

Learn more

  • Download Tenable.sc 5.12 here.

How Sanmina Uses Tenable.sc to Prioritize Vulnerabilities and Improve Its Security Posture


Sanmina’s information security team needed an effective way for hundreds of IT colleagues worldwide to access vulnerability data — while also keeping senior management informed. Here’s how the organization is using Tenable.sc and the Vulnerability Priority Rating.

Sanmina designs, manufactures and repairs complex and innovative optical, electronic and mechanical products for original equipment manufacturers (OEMs) across a range of industries, including communications networks, computing and storage, medical, defense and aerospace, industrial and semiconductor, automotive and clean technology sectors.

The organization has approximately 45,000 employees worldwide. Matt Ramberg, Sanmina’s VP of Information Security, and his three-member team are responsible for securing an expanding mix of assets across some 70 locations worldwide. 

“My top challenge [is] managing a global footprint of nearly 50,000 assets with a small team, all centrally located in the U.S.,” said Ramberg in an interview with Tenable during the Edge 2019 user conference in May.

While traditional IT assets make up the bulk of Sanmina’s portfolio, Ramberg said the organization is moving toward Industry 4.0 and his team is preparing to accommodate operational technology (OT) such as industrial control systems (ICS), supervisory control and data acquisition (SCADA) software and heating, ventilation and air conditioning (HVAC) systems.

Sanmina uses Tenable.sc (formerly SecurityCenter) with the Vulnerability Priority Rating (VPR) to regularly scan those 50,000 assets and provide vulnerability prioritization data to the company’s field IT teams, which are responsible for remediation. 

“We used to, actually, with our previous tool, generate reports manually and send them to each IT department,” said Ramberg, noting that hundreds of people were receiving the reports. 

“With Tenable.sc we've been able to separate the data into distinct facilities across the organization,” said Ramberg. “It allows each individual team to log in and see their vulnerabilities that need to be remediated. It allows them to prioritize. Tenable will prioritize that data accordingly so they can prioritize and remediate the critical systems, the key systems that need to be tackled first and then react to the other items as necessary.”

VPR, a capability introduced this year in Tenable.sc and Tenable.io, is the output of Tenable’s new Predictive Prioritization offering. Introduced in February 2019, Predictive Prioritization combines Tenable-collected vulnerability data with third-party vulnerability and threat intelligence and analyzes them together using an advanced data science algorithm developed by Tenable Research. The data analysis is used to develop a VPR for each vulnerability. 

“In our previous set up, we didn't have the ability to prioritize vulnerabilities, so these facilities and these IT personnel were just inundated with sheer volumes of data,” said Ramberg. “Now, we can direct them on prioritization — using features such as ‘is the vulnerability exploitable or not?’ — which Tenable provides.” Ramberg noted the IT teams also use Tenable.sc for specific examples of what needs to be done to patch each vulnerability. 

The tool helped the organization achieve a more complete view of its attack surface than was previously possible. “You don't know what you don't know, and Tenable.sc exposed that to us so we knew what to tackle and what we needed to focus on,” said Ramberg. “It's allowed us to identify critical issues that we didn’t know existed until the Tenable scan occurred. We were able to focus our efforts and go tackle those issues before they became widespread throughout the organization.”

How Tenable.sc helps with reporting to the C-suite, the board and customers

Ramberg said he also turns to Tenable.sc when he’s asked to provide metrics to Sanmina’s CIO and to the board.

“Prior to Tenable.sc, everything was ad hoc,” said Ramberg. “I didn't have a concise platform to tell me our vulnerabilities and how we're doing within our specific divisions throughout the organization. With Tenable.sc, I now have that data at my fingertips in a single dashboard. Senior management's now able to see the impact of our Cyber Exposure [practice].” 

Meeting the cybersecurity expectations of its customers was a key driver for Sanmina. The organization is often asked to complete cybersecurity questionnaires for existing or prospective clients, noted Ramberg. “When we mention that we use Tenable as our solution for vulnerability management, everybody knows Tenable. It's a very highly respected company. And the questions generally go smoothly…once they know that's in place.”

Asked if he had any advice for peers who may be considering a similar deployment, Ramberg said: “Tenable is a leader in this field. We do a lot of research before we purchase any solutions [and] Tenable came out as the clear choice. It provides actionable results from vulnerability scans and allows the individual facilities to prioritize and remediate as they deem fit based on the vulnerabilities that are discovered in their particular facilities.”

Watch now

Tenable interviews Matt Ramberg, VP of Information Security with Sanmina, at our Edge 2019 user conference:

Learn More:

  • Visit our Predictive Prioritization webpage here.
  • Learn more about Tenable.sc here.

Microsoft's October 2019 Patch Tuesday: Tenable Roundup


Administrators rejoice: only nine of the 59 vulnerabilities in Microsoft's October 2019 Security Update are rated critical.

Microsoft’s October 2019 Patch Tuesday contains updates for 59 CVEs, nine of which are rated critical. Administrators may rejoice this month with a smaller than usual Patch Tuesday. The following is a breakdown of the most important CVEs from this month’s release.

CVE-2019-1333 | Remote Desktop Client Remote Code Execution Vulnerability

CVE-2019-1333 is a remote code execution vulnerability in the Windows Remote Desktop Client. In order to exploit the vulnerability, an attacker would need to entice a user to connect to an attacker-controlled server. While an attacker has no way to force a user to connect to their malicious server, common techniques such as social engineering, DNS poisoning or Man in the Middle (MiTM) attacks may be used to lure or redirect the user to it.

CVE-2019-1372 | Azure App Service Remote Code Execution Vulnerability

CVE-2019-1372 is a remote code execution vulnerability in the Azure App Service. This is due to not checking the length of a buffer prior to copying the buffer into memory. An attacker could exploit this vulnerability to allow an unprivileged function to execute code outside the sandbox with NT AUTHORITY\system privileges. The security update addresses this flaw by adding additional sanitization to user-supplied inputs.

CVE-2019-1060 | MS XML Remote Code Execution Vulnerability

CVE-2019-1060 is a remote code execution vulnerability in MS XML. The flaw exists when the Microsoft XML Core Services MSXML parser improperly processes user-supplied input. A remote attacker could exploit the vulnerability by enticing a user to browse to a crafted webpage, designed to invoke MSXML in order to run malicious code and take control of the user’s system.

CVE-2019-1238 & CVE-2019-1239 | VBScript Remote Code Execution Vulnerability

CVE-2019-1238 and CVE-2019-1239 are both remote code execution vulnerabilities in the way the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. In order to exploit the issue, an attacker would need to entice a user to visit a specially crafted website in Internet Explorer. The attacker could also host the content on an already compromised website, including websites that host user-provided advertisements. Alternatively, an attacker could embed an ActiveX control in an Office document in order to attempt to exploit these vulnerabilities. While Microsoft says exploitation is less likely, both flaws are rated critical.

Windows 10 1703 End of Life

This month marks the end of life for Windows 10, version 1703 for Enterprise and Education editions. Microsoft’s Windows Lifecycle Fact Sheet notes that support for the Home, Pro and Pro for Workstations editions ended a year ago on October 9, 2018. However, the Enterprise and Education editions are now marked as end of service as of today. Plugin ID 118716 can be used to identify the unsupported operating system in your environment.

Tenable Solutions

Users can create scans that focus specifically on our Patch Tuesday plugins. From a new advanced scan, in the plugins tab, set an advanced filter for Plugin Name Contains October 2019.

Microsoft's October 2019 Patch Tuesday: Tenable Roundup

With that filter set, click on the plugin families to the left, and enable each plugin that appears on the right side. Note that if your families on the left say Enabled then that means all of the plugins in that family are set. Disable the whole family before selecting the individual plugins for this scan. Here’s an example from Tenable.io:

Microsoft's October 2019 Patch Tuesday: Tenable Roundup

A list of all of the plugins released for Tenable’s October 2019 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems that are yet to be patched.

As a reminder, Windows 7 support will be discontinued on January 14, 2020, so we strongly recommend reviewing what hosts remain and any action plans for migration. Plugin ID 11936 (OS Identification) can be useful for identifying hosts that are still running on Windows 7.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io Vulnerability Management.

Tenable Takes the Triple Crown in VM — No. 1 in Accuracy, Coverage and Zero-day Research


At Tenable, we’ve always seen our Research team as a key differentiator. Our deep investment in R&D makes all the difference in delivering the data customers need to do their jobs well and keep their organizations secure. Today’s third-party research report validates our rigorous commitment to customers and our resulting leadership in the market. 

According to this new report, Tenable is positioned as the clear leader in unique CVE coverage compared to our major competitors. The report shows that we are a trusted and committed VA leader, consistently beating the competition year over year in unique CVE coverage. We are:

  • No. 1 in coverage, with unmatched depth and breadth
  • No. 1 in accuracy, with the industry’s lowest false positives and six-sigma accuracy
  • No. 1 in zero-day discoveries (93 and counting for 2019 to date)

The numbers are impressive at face value. But when you consider that for each and every CVE, Tenable's research team needs to assess different detection options across multiple platforms, then you quickly realize the numbers are exponentially bigger — and therefore even more awesome — than at first glance.

Our deep investment in vulnerability research and product development matters to us because we’ve seen, firsthand, that it matters to our customers. It makes all the difference in delivering the data customers need to do their jobs well and keep their organizations safe. 

Learn more:

Download the third-party research report here.

How to Choose the Right Vulnerability Management Solution


As vulnerability management evolves, organizations are seeing increased need for prioritization, benchmarking and flexible reporting. Here are five things to keep in mind when choosing a VM solution.

Vulnerability management is once again rising to the top of the security agenda — driven by the risks from new technologies, speed of new threats and greater board attention on cybersecurity. As a result, many organizations are now modernizing their VM programs.

What’s out: CVSS-based prioritization, blind spots, inflexible reporting.

What’s in: Risk-based prioritization, benchmarking, complete visibility, flexible reporting with powerful APIs.

The importance of vulnerability management and the evolution of risk-based VM — which are fundamental to the discipline of Cyber Exposure — are driving accelerated spending. Gartner forecasts the worldwide risk-based vulnerability management market to grow 51.52 percent annually (CAGR) from 2018 to 2023.[1] We believe this makes it one of the most dynamic markets in all of cybersecurity.

Why is risk-based VM being adopted so fast? We believe it provides a massive risk reduction opportunity for organizations of all sizes — but don’t take our word for it.

According to Gartner, “By 2022, organizations that use the risk-based vulnerability management method will suffer 80% fewer breaches.”[2]

Here are five key considerations to help you improve the efficiency and effectiveness of your program today while planning for future needs — as well as key questions to ask of any prospective vendor. This post builds on our Vulnerability Management Fundamentals series by highlighting key purchase criteria for your next VM solution.

1. Continuous and Complete Discovery

“VA [Vulnerability Assessment] is a function that can be delivered via active scanning, agents and passive monitors. Gartner recommends a combination of agent, network scanners and passive monitoring for complete coverage.” — Gartner[3]

For asset discovery and vulnerability assessment, breadth of coverage is essential. Achieving continuous discovery and complete visibility into your environment is vital for preventing blind spots. To make this happen you need a portfolio of data collection technologies purpose-fit to each asset and scenario. Ideally, these include:

  • Network scanners for IT assets on the corporate network
  • Agents for endpoints that are frequently off-network, like employee laptops
  • Passive network monitors for continuously discovering rogue and unknown assets and passively detecting vulnerabilities in systems like operational technology (OT)
  • Cloud connectors and pre-authorized cloud scanners for tracking and assessing cloud instances
  • Image scanners for assessing static container images before deployment
  • Web application scanners for discovering and assessing web apps
  • Integrations with cloud, CMDB, CI/CD, ticketing/SOAR and other technologies to unify asset visibility

Ask vendors:

  • Do you provide passive network monitors for continuously discovering assets?
  • Do you provide agents that work with cloud-based and purely on-premises deployments?
  • Do you provide cloud connectors for live visibility into AWS, Azure and GCP environments?

2. Assessment: Beyond Just Running a Scan

“Review your existing VA solution and look for better prioritization, support for new assets like cloud, containers, IoT. If not, augment or replace the solution.” — Gartner[4]

Assessing assets for vulnerabilities and misconfigurations is no longer about just running a scan. It’s about using a range of data collection technologies to identify diverse security issues. Consider:

  • DevOps pipelines require container assessment before deployment, seamlessly integrated with developer workflows.
  • Cloud workload assessment calls for real-time, API-based visibility into cloud instances.
  • IoT and OT add a different twist, requiring passive detection to avoid impacting system performance and availability.

Ask vendors:

  • Does your container image scanning reduce false positives by considering layer hierarchy?
  • Do you provide passive monitoring for OT and IoT vulnerability detection?
  • How many zero-day vulnerabilities has your research team discovered in the last 12 months? (reflects depth of vulnerability expertise)

3. Advanced Prioritization: A Game Changer for Risk Reduction

“VA solutions should be able to incorporate asset scores into risk scoring for an effective and comprehensive risk-based prioritization.” — Gartner[5]

“A risk-based approach to prioritizing the remediation focuses efforts on those vulnerabilities for which there are imminent threats prevailing ‘in the wild’ for a business-critical asset. Gartner, therefore, recommends the threat-centric model for tackling risk in the context of VM as the most pragmatic use of your time and effort.” — Gartner[6]

Modern VM solutions analyze a much broader and more timely set of data than ever before. This exacerbates the problem of vulnerability data overload, increasing the need for effective prioritization.

By leveraging machine learning, advanced solutions can spot hidden patterns in data that correlate with future threat activity. As a result, you can see which vulnerabilities are predicted to have the highest likelihood of near-term exploitation. This helps you answer the question, “What’s the actual risk of my vulnerabilities — based on historical trends, current threat activity and the business value of my assets?”

Look for vendors that clearly explain their prioritization approach and how it works. Evaluate the data inputs they use for prioritization — and the depth of their research and data science teams. Focus on whether asset scoring is automated (since manual processes don’t scale) and look at the level of transparency provided around vulnerability scoring and prioritization.

Ask vendors:

  • Does your vulnerability scoring automatically incorporate real-time intelligence about current threats — or does it primarily look at historical data, like the existence of exploits?
  • Do you leverage machine learning in your vulnerability scoring?
  • Do you provide automated asset criticality scoring?

4. Flexible, Automated Reporting and Benchmarking

“Gartner recommends that organizations benchmark their performances against the industry, and globally, to evaluate the effectiveness and efficiency of their programs. Gartner also recommends doing internal benchmarking by comparing a department’s performance against another to increase the overall security posture and performance.” — Gartner[7]

Look for solutions that provide both out-of-the-box reporting for your most critical questions and easy report customization for meeting the unique needs of teams, business units or compliance frameworks. You shouldn’t have to export data to Excel every time you want to answer a question or communicate information. You should also expect a powerful and well-documented API, making it possible to automate custom business processes. Lastly, look for a solution that provides external (peer) benchmarking for metrics like cyber risk, vulnerability age and scan frequency, as well as internal benchmarking that compares VM program performance and cyber risk across organizational units.

Ask vendors:

  • Can you show me how I can easily customize reporting for my specific needs?
  • Do you provide external benchmarking of VM and cyber risk metrics?
  • Do you provide internal benchmarking of those metrics for my organizational units?

5. Simplified Pricing and Licensing

When it comes to pricing, look for a simple and straightforward model. You shouldn’t be penalized for deploying scanners and agents across your environment, using the API to integrate with other systems or utilizing threat intelligence in prioritization.

Ask vendors:

  • Is there an additional cost for unlimited scanners and agents?
  • Is there an additional cost for API usage?
  • Is there an additional cost for threat-centric prioritization?

Learn More

As vulnerability management undergoes a dramatic transformation, it’s once again a top priority on the security agenda. With advances in technology, VM and risk-based VM solutions have the potential to reduce breaches by as much as 80 percent while freeing your security team from tedious manual work.

To better inform your evaluation process, we encourage you to download Gartner’s recent report: A Guide to Choosing a Vulnerability Assessment Solution

Footnotes

[1] Gartner, “Forecast Analysis: Risk-Based Vulnerability Management, Worldwide,” Dale Gardner, 14 June 2019

[2] Gartner, “A Guide to Choosing a Vulnerability Management Solution,” Prateek Bhajanka, Mitchell Schneider, Craig Lawson, 3 April 2019

[3] Gartner, “A Guide to Choosing a Vulnerability Management Solution,” Prateek Bhajanka, Mitchell Schneider, Craig Lawson, 3 April 2019

[4] Gartner Security & Risk Management Summit - Sydney, Australia, Presentation, “Gartner’s Strategic Vision for Vulnerability Management,” Craig Lawson, 19-20 June 2019

[5] Gartner, “A Guide to Choosing a Vulnerability Management Solution,” Prateek Bhajanka, Mitchell Schneider, Craig Lawson, 3 April 2019

[6] Gartner, “A Guide to Choosing a Vulnerability Management Solution,” Prateek Bhajanka, Mitchell Schneider, Craig Lawson, 3 April 2019

[7] Gartner, “A Guide to Choosing a Vulnerability Management Solution,” Prateek Bhajanka, Mitchell Schneider, Craig Lawson, 3 April 2019

Oracle Critical Patch Update for October Contains 180 Fixes


Oracle addresses 180 CVEs across 219 security patches in October’s Critical Patch Update, including a critical vulnerability in Oracle NoSQL Database.

On October 15, Oracle released its Critical Patch Update (CPU) for October 2019 as part of its quarterly release of fixes for vulnerabilities. This update contains fixes for 180 CVEs in 219 patches across several Oracle products. The following is the full list of product families with vulnerabilities addressed in this month’s release:

  • Oracle Construction and Engineering
  • Oracle Database Server
  • Oracle E-Business Suite
  • Oracle Enterprise Manager
  • Oracle Financial Services Applications
  • Oracle Food and Beverage Applications
  • Oracle Fusion Middleware
  • Oracle GraalVM
  • Oracle Health Sciences Applications
  • Oracle Hospitality Applications
  • Oracle Hyperion
  • Oracle JD Edwards
  • Oracle Java SE
  • Oracle MySQL
  • Oracle NoSQL Database
  • Oracle PeopleSoft
  • Oracle Policy Automation
  • Oracle Retail Applications
  • Oracle Siebel CRM
  • Oracle Supply Chain
  • Oracle Support Tools
  • Oracle Systems
  • Oracle Virtualization

Analysis

This quarter’s CPU also contains 18 CVSS 9+ vulnerabilities; exploitation of these vulnerabilities can either result in unauthenticated access or full takeover of vulnerable assets. Here we describe in more detail some of the CVSS 9+ scored CVEs:

Oracle NoSQL Database | CVE-2018-14721

One of the most notable patches this month addresses CVE-2018-14721, a vulnerability in Oracle NoSQL Database affecting all versions prior to 19.3.12. The vulnerability exists within the jackson-databind NoSQL component. An unauthenticated attacker with network access via HTTP could exploit this vulnerability to take over an Oracle NoSQL Database. This vulnerability has been addressed before in other Oracle products, including in Oracle’s January 2019 CPU.

Oracle MySQL | CVE-2019-8457

CVE-2019-8457 is a heap out-of-bounds read vulnerability in the SQLite component of Oracle MySQL which could allow an unauthenticated attacker to compromise and take over MySQL Workbench. Versions of Oracle MySQL 8.0.17 and prior are affected.

Oracle Enterprise Manager | CVE-2016-4000

CVE-2016-4000 is a vulnerability in Oracle Enterprise Manager which could allow an unauthenticated attacker to send a malicious HTTP request to fully take over a vulnerable host. The flaw exists in the Jython component of Oracle Enterprise Manager and could allow an attacker to execute arbitrary code using a crafted serialized PyFunction object.

Oracle Construction and Engineering | CVE-2017-6056, CVE-2019-14379, CVE-2019-14379, and CVE-2019-3020

CVE-2017-6056 relates to Instantis Enterprise, while the remaining CVEs are vulnerabilities found in Primavera. For each of these CVEs, an unauthenticated attacker could send a malicious HTTP request to the vulnerable components and fully take over or perform admin actions on exploited targets. The Primavera products affected include Primavera P6, Primavera Gateway and Primavera Unifier.

Oracle Middleware | CVE-2016-1000031 & CVE-2019-2904

CVE-2016-1000031 is a remote code execution vulnerability found in Apache Commons FileUpload library, which has been no stranger to Oracle CPUs. This month the flaw is getting patched in the Virtual Directory Server component of Oracle Fusion Middleware. The CVE was first discovered by Tenable Research in 2016 and has since been patched in multiple Oracle Products. This easily exploitable vulnerability can allow an attacker to compromise Oracle Virtual Directory using HTTP requests.

CVE-2019-2904 is an unspecified vulnerability in the ADF Faces component of Oracle JDeveloper and ADF product of Oracle Fusion Middleware. The flaw is described as ‘easily exploitable’ and can allow a remote, unauthenticated attacker to compromise and take over Oracle JDeveloper and ADF with crafted HTTP requests.

Oracle PeopleSoft | CVE-2016-0729, CVE-2019-3862

CVE-2016-0729 covers multiple critical buffer overflow vulnerabilities in the XML Parser library in Apache Xerces-C that were originally patched in 2016. In this CPU, the vulnerability is addressed in the Integration Broker component of Oracle PeopleSoft. It could allow a remote, unauthenticated attacker to cause a denial of service.

CVE-2019-3862 is an out-of-bounds read vulnerability in libssh2 due to improper parsing of exit status messages with no payload in SSH_MSG_CHANNEL_REQUEST packets. The vulnerability was patched in March 2019. This vulnerability exists in the File Processing function of Oracle PeopleSoft.

Solution

Customers are advised to apply all relevant patches provided by Oracle in this CPU. Please refer to the October 2019 advisory for full details.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 60-day trial of Tenable.io Vulnerability Management.
