
CVE-2019-0604: Critical Microsoft SharePoint Remote Code Execution Flaw Actively Exploited


The SharePoint flaw first exploited in the wild in May continues to be exploited nine months after it was patched by Microsoft.

Background

On December 10, security researcher Kevin Beaumont published a tweet cautioning organizations to patch a Microsoft SharePoint flaw that’s been actively exploited in the wild since at least May, and has since remained a valuable asset to cybercriminals.

Analysis

CVE-2019-0604 is a remote code execution (RCE) vulnerability in Microsoft SharePoint due to improper input validation in checking the source markup of an application package. Successful exploitation of the vulnerability by an attacker would grant them arbitrary code execution “in the context of the SharePoint application pool and the SharePoint server farm account.” The vulnerability was reported by security researcher Markus Wulftange, who shared a detailed write-up on his discovery in a blog for the Zero Day Initiative on March 13.

On May 9, security researcher Chris Doman published a tweet stating the flaw was being exploited in the wild based on reports from the National Cyber Security Centre in Saudi Arabia and the Canadian Centre for Cyber Security.

On May 28, Palo Alto Networks published a blog identifying the use of this vulnerability in the wild in targeted attacks by a threat actor known as Emissary Panda.

Additionally, CloudFlare published a blog about the vulnerability on May 28. CloudFlare confirmed the flaw could be exploited pre-authentication because “there were paths which could be reached without authentication.” As a result, they disputed the NVD score of 8.8 for the vulnerability, recommending it receive a 9.8 instead. They also found that proof-of-concept (PoC) code for the vulnerability “did not work out of the box,” requiring “weaponisation by a more skilled adversary.”

On November 25, Beaumont modified his BlueKeep honeypots, “BluePot,” to support SharePoint. One day later, Beaumont confirmed “the attackers arrived.” He reiterated that the CVSS score for the vulnerability was wrong and should be a 9.8 because “it works without authentication.” He issued an additional reminder on December 10 because the flaw is still being exploited in the wild and “significant numbers of assets remain exposed.”

Proof of concept

Initially, there was a GitHub repository published containing PoC code for the vulnerability in May. However, that repository has since been removed. There is another PoC for the vulnerability that was published to a GitHub repository back in June and a write-up detailing the use of this PoC was published to GitHub in the last few days.

In September, security analyst Mansour Al-Saeedi published his analysis of the vulnerability based on the initial work by the Zero Day Initiative, demoing a quick PoC. Al-Saeedi also published a packet capture analysis of the RCE exploit being carried out along with Snort and Sigma rules to detect it to his GitHub repository.

Solution

Microsoft initially patched the vulnerability on February 12 during Patch Tuesday. However, that patch was apparently incomplete, as Microsoft issued a follow-up release on March 12 to “comprehensively address” the flaw.

Microsoft Patch Revisions

Identifying affected systems

A list of Tenable plugins to identify this vulnerability can be found here.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.


Objects in Mirror Are Closer Than They Appear: Reflecting on the Cybersecurity Threats from 2019


Tenable’s Security Response Team reviews the biggest cybersecurity threats of 2019.

With 2019 coming to an end, the Tenable Security Response Team reflects on the vulnerabilities and threats that had a major impact over the last year. Data breaches, malware, new vulnerabilities and exploit techniques dominated the news, as attackers and defenders continue the perpetual cat and mouse game. After reviewing hundreds of events, the team zeroed in on four areas of interest that highlight the significant threats we observed in 2019:

  • Remote Desktop Protocol Vulnerabilities
  • Showstopper Zero Days
  • Speculative Execution Flaws
  • Ransomware

2019: The year of Microsoft Remote Desktop Protocol vulnerabilities

In May, Microsoft released a patch for one of the most widely discussed CVEs of the year, CVE-2019-0708. Dubbed BlueKeep, the remote code execution (RCE) vulnerability in the Microsoft Remote Desktop Protocol (RDP) could allow an unauthenticated, remote attacker to exploit and take complete control of a vulnerable host.

This flaw occurs prior to any authentication and requires no user interaction, making this vulnerability extremely dangerous. Due to the severity of the issue, Microsoft took the extraordinary measure of releasing patches for Windows XP and Windows Server 2003 despite these operating systems being long out of support. The flaw was eventually noted to affect systems as far back as Windows 2000 all the way up to Windows Server 2008 R2. Microsoft warned of BlueKeep’s potential impact, even suggesting the vulnerability could be wormable, gaining similar notoriety to the WannaCry ransomware attack from 2017. The flaw gained so much attention that both Microsoft and the U.S. National Security Agency urged administrators to patch systems or deploy mitigations immediately.

Seeing double with DejaBlue

In nearly every month since May, Microsoft’s Patch Tuesday or Update Tuesday included various patches related to RDP vulnerabilities, as the protocol faced increased scrutiny from the security community and Microsoft alike. In August, Microsoft patched four additional CVEs (CVE-2019-1181, CVE-2019-1182, CVE-2019-1222 and CVE-2019-1226) covering pre-authentication RCE vulnerabilities in Remote Desktop Services. These new vulnerabilities, dubbed DejaBlue, expanded the list of affected OS variants for Windows. Between BlueKeep and DejaBlue, all supported versions of Windows were affected.

As the security community speculated about widespread exploitation of these vulnerabilities, researchers pleaded for organizations to patch, knowing it was only a matter of time before an exploit would be released into the wild. In November, the first confirmed in-the-wild exploitation of BlueKeep was discovered. The attackers had repurposed a recently released exploit module to distribute a cryptocurrency miner, and the exploit attempt ended up crashing several machines in the honeypot network where the attacks were discovered.

A patch a day keeps attackers at bay

While some researchers suggest BlueKeep is unlikely to spread as a worm, many agree there is still major potential for the exploitation of these RDP vulnerabilities. In any case, RDP brute force attacks have increased since BlueKeep was announced, reminding us that attackers are opportunistic and take advantage of any technique available. With over 500,000 vulnerable hosts online as of November 2019, we expect BlueKeep will continue to be a problem for organizations as we head into 2020. While it is likely that new RDP exploits could be discovered next year, common tried-and-true methods such as brute forcing RDP credentials are still popular and often successful approaches attackers will continue to employ.

BinaryEdge results for internet-facing assets potentially affected by BlueKeep

Authored by Scott Caveza, Research Engineering Manager

Showstopper Zero Days: Vulnerabilities that Affected Everyone

Another trend in 2019 (and years prior) has been zero days and critical vulnerabilities, which can be overwhelming and difficult for businesses to keep up with. You need to find time outside your normal patch cycle – and potentially suspend other work – to get assets tested and updated. When vulnerabilities become so widespread or easy to exploit, mitigation becomes an organization-wide effort.

From hospitals to space, a look at real-time OS ubiquity

One such vulnerability this year was dubbed URGENT/11, a set of 11 RCE vulnerabilities in VxWorks, a real-time OS found in a staggering number of critical infrastructure devices. When we covered URGENT/11 in July, no proofs of concept (PoCs) were available. But by the time the U.S. Food and Drug Administration released a Safety Communication in October, exploit scripts had found their way into the public.

The severity of a device takeover through vulnerabilities like URGENT/11 can’t be overstated. However, when it comes to the URGENT/11 vulnerabilities, CISOs face further challenges. Mitigation depends on equipment manufacturers providing patches through device updates. Tenable released a group of plugins to identify vulnerable assets, and Armis released an URGENT/11 detection tool to help find devices that still need to be addressed.

It came out of nowhere, and then was suddenly everywhere

In addition to the URGENT/11 vulnerabilities, we also saw a critical vBulletin vulnerability (CVE-2019-16759) disclosed in a seclists.org post with no other advisory or public disclosure. The vulnerability itself was a pre-authentication RCE zero day that was exploited almost immediately after it was disclosed by attackers.

The next day, vBulletin released a patch for CVE-2019-16759. However, users on the vBulletin forums reported that their own forums had been exploited and worked together to repair the hijacked sites.

High-criticality vulnerabilities aren’t going away. The time it takes for threat actors to release public exploits for these kinds of vulnerabilities is shortening. As the technology landscape continues to expand, bugs like these will become even more commonplace. As always, we encourage organizations to create rapid detection and mitigation plans, and we’ll continue to provide detections for vulnerable assets as these threats emerge.

Authored by Ryan Seguin, Research Engineer

Let’s speculate, shall we?

As modern central processing units (CPUs) started to plateau in terms of clock rates, their manufacturers looked for other methods to enhance and optimize performance. One of these methods was speculative execution. Rather than the microprocessor sitting idle waiting to receive data, it would speculate what the next requests could be. Unbeknownst to CPU architects, this process would become a fundamental design flaw affecting the security of numerous modern processors spanning varying manufacturers and CPU architectures.

In January 2018, the first in a series of CPU side-channel attacks was announced with the disclosure of Meltdown and Spectre, a pair of critical side-channel vulnerabilities targeting the speculative execution technique in modern CPUs. In July 2019, Bounds Check Bypass Store, a sub-variant of Spectre, was disclosed, followed by NetSpectre, an implementation of one of the Spectre variants.

Microarchitectural data sampling: Just a taste of what was to come

Among the common cybersecurity predictions for 2019 was the expectation of “More Spectre-Like Flaws.” Just nine months after the Foreshadow vulnerability, this came to pass in May 2019 with the disclosure of a new family of CPU side-channel exploits, Microarchitectural Data Sampling (MDS). MDS included CVE-2018-12126 (microarchitectural store buffer data sampling), CVE-2018-12127 (microarchitectural load port data sampling), CVE-2018-12130 (microarchitectural fill buffer data sampling), and CVE-2019-11091 (microarchitectural data sampling uncacheable memory). While these are speculative execution side-channel vulnerabilities, they differed from Meltdown and Spectre, targeting CPU buffers rather than a CPU’s memory. These flaws were found to only affect Intel CPUs at the time this blog post was created.

The attacks built on these flaws were given their own names: RIDL covers CVE-2018-12127 and CVE-2019-11091, Fallout is CVE-2018-12126 and ZombieLoad is CVE-2018-12130, probably three of the more relevant exploits this year. These flaws have been described as more critical than Meltdown and Spectre, and were accompanied not just by videos but also by PoC code for RIDL and ZombieLoad.

MDS, as the name suggests, could result in the “sampling” of data from the previously highlighted buffers before it is written to memory or temporarily loaded into cache, by inferring the data using complex side-channel analysis. Where it gets more interesting is that, unlike Meltdown and Spectre, the user of the exploits has no direct control over the memory addresses they wish to siphon data from, but rather has to piece the data together over time without any context on what was collected.

NetCAT declawed as Intel downplays new side-channel attack

Following MDS was the disclosure of CVE-2019-1125 in August 2019 by Bitdefender security researchers Andrei Lutas and Dan Lutas (no relation), which was also presented at Black Hat USA 2019 and named the “SWAPGS Attack.” What was interesting to see was the effort to highlight issues with modern processors continuing from 2018 into 2019. In this instance, an attacker on 64-bit Intel processors from 2012 onward could take advantage of the speculative execution of a specific CPU instruction, SWAPGS, to leak information much like Meltdown and Spectre.

A month later, CVE-2019-11184 was disclosed. Dubbed Network Cache Attack or NetCAT (not to be confused with the popular networking tool netcat), this attack targeted another CPU enhancement technology, Data-Direct I/O Technology (DDIO), which allows the reading and writing to and from fast (last-level) cache in Intel Xeon E5, E7 and SP server-grade processors.

The researchers from VUSec demonstrated in a PoC video that an attacker using this vulnerability could potentially capture keystrokes leaking from a victim’s SSH session. To exploit this flaw, an attacker would need authenticated access to the server and a direct network connection to the system. Intel further downplayed the vulnerability, stating, “In scenarios where Intel DDIO and RDMA are enabled, strong security controls on a secured network are required, as a malicious actor would need to have read/write RDMA access on a target machine using Intel DDIO to use this exploit.”

ZombieLoad v2: Should have gone for the head

At the time of writing this blog post, one more side-channel vulnerability had been made public in 2019 with the disclosure of CVE-2019-11135 in November. Dubbed ZombieLoad Variant 2 by the researchers, or the Transactional Asynchronous Abort (TAA) vulnerability by Intel, this exploit takes advantage of the asynchronous abort behaviour of Intel’s Transactional Synchronization Extensions (TSX): by either creating a conflicting memory operand or exceeding, within a transaction, the amount of read/write data the LLC or L1 cache can hold, the attacker forces a rollback, which leads to leaked data. The researchers updated their original ZombieLoad research paper to reflect this new variant, adding that it “works on machines with hardware fixes for Meltdown, which we verified on an i9-9900K and Xeon Gold 5218.”

CPU vulnerabilities: Life finds a way

When it comes to the CPU side-channel vulnerabilities disclosed this year, despite PoC code being freely available for some, there’s a lack of evidence pointing to exploits in the wild or a full virtual machine escape. CPU architectures are complex, and the attacks require a significant amount of time, skill and code running on the machine, which may in turn require privilege escalation to execute. One PoC demonstrates this perfectly: RIDL leaking a root password hash in a lab environment, where the only user interaction was repeatedly trying to authenticate a user with the root password – and even then it took 24 hours to achieve. A CPU in a normal environment or at a cloud provider would have data moving through or being cleared from these buffers and memory locations, making these attacks impractical.

Based on the research seen in 2019, we expect more side-channel CPU-based vulnerabilities to be identified in 2020. It is possible there are newly discovered flaws not yet released due to disclosure policies or embargos, as was the case with ZombieLoad v2. The patches and mitigations released to address these vulnerabilities were designed to reduce the attack surface rather than eliminate it completely. The VERW instruction set to mitigate MDS was an example of this. The release of new CPUs will surely see new improvements and security features. However, as the last two years have shown, these updates are not likely to be perfect as attackers have continued to identify new ways to exploit architectural features and vulnerability mitigations.
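Because these mitigations (VERW buffer clearing for MDS and TAA, the SWAPGS barriers, PTI for Meltdown) reduce rather than remove the attack surface, the practical question for a defender is which of them a given host actually has in place. The script below is an added example, not Tenable's code: it reads the per-flaw status files the Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities, classifies each as not affected, mitigated or vulnerable, and flags anything still needing attention. Treating a mitigated entry that still reports “SMT vulnerable” as needing attention is a policy choice made in this example, and the sample directory it builds for demonstration is constructed, not data from a real host.

```python
"""Summarise Linux speculative-execution mitigation status from sysfs.

Added example (not Tenable's code). The kernel publishes one file per flaw
under /sys/devices/system/cpu/vulnerabilities (mds, tsx_async_abort,
meltdown, spectre_v1, l1tf, ...), each holding a single line of the form
"Not affected", "Mitigation: <detail>" or "Vulnerable[: <detail>]".
"""
import os
import tempfile

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"


def classify(status_line):
    """Map a sysfs status line to 'not_affected', 'mitigated' or 'vulnerable'."""
    text = status_line.strip()
    if text == "Not affected":
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    # "Vulnerable", "Vulnerable: <detail>" and anything unexpected land here,
    # so an unrecognised format is never silently reported as safe.
    return "vulnerable"


def read_status(vuln_dir=SYSFS_DIR):
    """Return {flaw_name: (category, raw_line)} for every file in vuln_dir."""
    report = {}
    if not os.path.isdir(vuln_dir):  # non-Linux host or very old kernel
        return report
    for name in sorted(os.listdir(vuln_dir)):
        with open(os.path.join(vuln_dir, name)) as f:
            raw = f.read().strip()
        report[name] = (classify(raw), raw)
    return report


def needs_attention(report):
    """Flaws that are unmitigated, plus mitigated ones still exposed via SMT."""
    flagged = []
    for name, (category, raw) in report.items():
        if category == "vulnerable" or "SMT vulnerable" in raw:
            flagged.append(name)
    return flagged


def build_sample_dir():
    """Constructed sample in the kernel's format; not real host data."""
    d = tempfile.mkdtemp()
    samples = {
        "meltdown": "Mitigation: PTI",
        "mds": "Mitigation: Clear CPU buffers; SMT vulnerable",
        "tsx_async_abort": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
        "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
        "l1tf": "Not affected",
    }
    for name, line in samples.items():
        with open(os.path.join(d, name), "w") as f:
            f.write(line + "\n")
    return d


if __name__ == "__main__":
    # Use the live sysfs tree when present, otherwise fall back to the sample.
    target = SYSFS_DIR if os.path.isdir(SYSFS_DIR) else build_sample_dir()
    status = read_status(target)
    for flaw, (category, raw) in status.items():
        print(f"{flaw:20s} {category:13s} {raw}")
    print("needs attention:", ", ".join(needs_attention(status)) or "none")
```

On the constructed sample, tsx_async_abort is flagged because the microcode that makes VERW clear the buffers is missing, and mds is flagged because the mitigation is present but SMT is still enabled; both are exactly the “reduced, not eliminated” situations the paragraph above describes.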

Authored by Rody Quinlan, Research Engineer

Ransomware everywhere

In 2019, it seemed as though every week brought new reports of ransomware infections around the world. Ransomware, a type of malicious software (or “malware”), is the most recent incarnation of a type of threat known as scareware. Historically, scareware was designed to trick users into believing their computers were infected with malware, and that they needed to purchase fraudulent security software to address it. Ransomware took scareware to a new, more nefarious level by encrypting files on an infected system and demanding a ransom payment to provide decryption tools. Ransomware has become a money-making success for cybercriminals, and it shows no signs of stopping.

What’s old is new

Ransomware isn’t a new phenomenon. The first recorded instance of ransomware happened in 1989 and was delivered via a floppy disk. However, ransomware has become a useful tool for cybercriminals over the last several years. In 2019, in particular, cybercriminals targeted a variety of industries, such as healthcare, oil and gas, local governments and educational institutions.

Ransomware infections take hold in many ways. In October 2019, the U.S. Federal Bureau of Investigation (FBI) published an alert on high-impact ransomware attacks threatening U.S. businesses and organizations, highlighting three common methods of delivery: secondary threats delivered through malicious spam emails, attacks on RDP flaws, and exploitation of software vulnerabilities in general. This alert was published as a companion to an alert from three years prior that urged ransomware victims to inform law enforcement.

Zero day exploited in the wild to deliver ransomware

In April 2019, cybercriminals utilized CVE-2019-2725, a deserialization vulnerability in a WebLogic server that can be exploited by a remote, unauthenticated attacker to gain remote code execution. It was used by attackers to distribute ransomware named Sodinokibi. The flaw was fixed by Oracle as part of an out-of-band patch at the end of April, soon after it was publicly disclosed. In June 2019, Oracle released another out-of-band patch for CVE-2019-2729, another deserialization flaw in WebLogic, this time in the XMLDecoder. It appears this flaw was a bypass of CVE-2019-2725 and had also been observed being exploited in the wild.

Patched flaws: A valuable staple for cybercriminals

Not all ransomware attacks rely on zero-day vulnerabilities, although the lack of mitigation or fixes does make vulnerable targets highly useful to cybercriminals. However, patched vulnerabilities are also valuable. For instance, CVE-2019-3396, a path traversal vulnerability in Atlassian’s Confluence Server and Data Center Widget Connector, was used to distribute the GandCrab ransomware. GandCrab was a popular and lucrative ransomware family that shut down its operations in June 2019. So while much attention may be paid to the use of zero-day flaws in ransomware attacks, it’s the unpatched vulnerabilities that pose a greater threat to businesses and organizations around the world.

Ransomware: A neverending threat

In August 2019, Ars Technica reported on a “rash of ransomware” attacks, mostly affecting schools. The article quotes statistics from Armor, which said at the time that there were 149 publicly reported ransomware attacks. The key phrase there is the “publicly reported” part of the equation. While we do not know how many ransomware attacks have gone unreported, it is safe to say many of these attacks go unreported, so the true scope of these ransomware attacks is unknown.

Ransomware is a force to be reckoned with. We expect ransomware to maintain its stronghold as one of the major threats affecting organizations going into 2020, as cybercriminals continue to refine their methods, including equipping themselves with new software vulnerabilities to leverage in their attacks.

Authored by Satnam Narang, Senior Research Engineer

Conclusions

Among the hundreds of stories we’ve observed throughout the last year, our reflections led us to identify four areas of interest in the threat landscape. RDP-centric threats have always been important to monitor, but the revelation of BlueKeep added even more fuel to the fire, sounding an alarm bell on the importance of securing RDP.

While there are tens of thousands of vulnerabilities disclosed each year, a few notable, showstopper vulnerabilities emerged, primarily due to the sheer volume of devices left vulnerable in the case of URGENT/11 or the relative ease of identifying and exploiting flaws like the vBulletin RCE vulnerability.

Over a year after the discovery of Meltdown and Spectre, CPUs remain haunted by speculative execution vulnerabilities, as researchers are keen on discovering side-channel attacks, and in some cases, resurrecting previously disclosed side-channel attacks mere months after they were originally reported.

Finally, ransomware attacks have become more and more pervasive throughout the last year, as attackers continue to enjoy massive success targeting organizations of all shapes and sizes using a number of tactics. This success has emboldened cybercriminals as they look to refine their attacks, from zero-day vulnerabilities to patched flaws, malicious spam emails and weaknesses in Remote Desktop Protocol – and we expect this trend to remain prominent in the coming year.


Security, Here's When You Should Call Legal


Did you know litigation can emerge over vulnerabilities – before a security breach occurs? That’s why it’s essential for security to work with legal when a vulnerability is discovered. 

So far, I’ve explored the legal aspects of cybersecurity as they relate to vulnerability management. See previous posts in this series:

For the third and final part of the series, I’ll discuss recent litigation that has emerged over vulnerabilities – even before a security breach occurred. 

Let’s look at recent legal trends, which can inform your vulnerability management plans.

Vulnerability litigation in the news

Before a security breach even occurs, organizations can be held liable for vulnerabilities in their products or systems. In 2016, Samsung was sued by the Dutch Consumers’ Association (DCA) for failure to provide timely software updates for their smartphones after the discovery of the Stagefright bug. In the same year, in the first class action suit of its kind, a Chicago law firm was sued for malpractice and negligence after security vulnerabilities created risk for clients’ personal data. Law firms, in particular, with their access to confidential client information, are often scrutinized for their security practices. Although the court eventually ruled in favor of the firm, this lawsuit resulted in reputational damage and triggered an in-depth examination of law firm security across the board. In 2017, litigation was brought against ADT for failing to disclose system vulnerabilities to their customers. 

Lawsuits related to Meltdown and Spectre

More recently, Intel found themselves facing at least 30 class action lawsuits and two securities class action lawsuits following the disclosure of Meltdown and Spectre. These two vulnerabilities were found in the company’s microchips and received sensational news coverage. Three major cases that provide insight into the legal aspects of these vulnerabilities emerged out of California, Oregon and Indiana. These lawsuits accuse Intel of breach of implied warranty, negligence, unfair competition and deceptive practices. In their factual allegations, these cases cited that Intel knew about the vulnerabilities, yet intentionally continued to advertise their microchips without disclosing the flaws. 

The cases mentioned here are some of the first of their kind. But, as vulnerabilities grow year after year, it’s likely this type of litigation will continue. So, remember to evaluate your vulnerability management plans through the lens of legal and regulatory compliance. 

The ripple effect of headline-making vulnerabilities

One possible explanation for the rise in litigation over vulnerabilities is the increasing media coverage that vulnerabilities receive once disclosed. When top media outlets report on vulnerabilities, people outside cybersecurity become aware of the potential risks and are more likely to take legal action. Meltdown and Spectre were two of the most publicized vulnerabilities, garnering coverage from The New York Times, CNN, The Washington Post and other top media outlets. 

The growth of IoT

Meanwhile, as IoT adoption continues to spread, we can likely expect to see litigation emerging over IoT vulnerabilities, too. IoT devices have exploded into the market over the past few years, and are just as susceptible to vulnerabilities and hacking. It has been estimated that by next year, there will be 200 billion objects in the IoT. This complicates things, with many third parties potentially having access to more data than ever before, thanks to IoT data storage. In fact, OWASP released its top ten vulnerabilities IoT devices are susceptible to. The list includes weak passwords, insecure network services, insecure data transfer and other simple vulnerabilities – many of which could be found and exploited by a novice hacker.

IoT vulnerabilities are also being reported by the mainstream and tech media. In 2017, vulnerabilities were discovered in implantable cardiac devices that, if exploited, would allow a hacker to access the device, monitor patient heart rates and even administer shocks. Smart TVs have also made headlines for insufficient security. In 2018, Roku devices were found to have a vulnerability that would allow hackers to stream content and obtain user data. Additionally, Tenable has disclosed vulnerabilities in IoT devices like Arlo and other cameras.

Following these trends, it’s imperative to involve legal in the vulnerability disclosure process early. The way an organization handles the vulnerability disclosure process may limit its risk exposure and influences whether a suit is even filed.

What happens when a vulnerability leads to a security breach?

When a vulnerability is exploited and leads to a security breach, the scenario gets a lot more complicated. Following a breach, IT should immediately involve legal, so the parties can determine:

  • What data was breached?
  • Who needs to be notified?

Federal, state and international laws may apply, along with contractual obligations an organization may have made to its customers or vendors. 

While this post will not delve into the complexities of breach notification law, it’s imperative to learn from some of the more notorious breaches – such as the 2017 Equifax breach. 

The Equifax breach: What not to do

Involving the data of almost half of the U.S. population, the Equifax breach is widely thought to be one of the most egregious breaches of all time. And while Equifax’s response to the security breach was deemed highly inadequate, it can be used as a lesson as to what not to do in the case of a security breach. Equifax had known about the stolen information weeks before the breach was disclosed, pointing to one of the most important legal lessons to learn about security breaches: notification. 

Notification is key

The notification requirement is also one of the most prominent aspects of recent legislation. Under Europe’s GDPR, organizations have only 72 hours to notify individuals about stolen data. In the U.S., the state-by-state breach laws often include the condition of timely notification without unreasonable delay. 

When developing and updating your vulnerability management plan:

  • Consider the minimum requirements of various laws
  • Incorporate lessons learned from other organizations’ incidents 

Security and privacy law is complex. This post does not intend to serve as legal advice, nor to explain the law in any in-depth measure. Rather, it seeks to point out how important it is to keep your legal team closely involved with your security program in this era of vulnerabilities and security breaches. 

As recent trends in litigation demonstrate, the law will continue to adapt to the changing tech environment. While security and law may operate from different perspectives, both have similar goals of maintaining a space where data is safely stored and consumer privacy is protected.

A Look at the Most Popular Penetration Testing Methodologies


Penetration testing provides essential visibility into IT vulnerabilities. Here's a look at why it matters and common methods for completing assessments.

Penetration testing is a critical, yet often underutilized, cybersecurity practice that helps businesses gain a more concrete understanding of the strengths and limitations of their configurations. At its core, penetration testing boils down to a simple principle – identifying cybersecurity vulnerabilities by attempting to penetrate the configuration. As such, a penetration testing framework can take many forms, with options to support different use cases and solve various problems. However, the common thread in all of these penetration testing tools is the ability to reduce manual work and quickly assess large amounts of data to better identify vulnerabilities that may slip through the cracks.

Before diving into specific penetration testing tools and methodologies, let’s delve into the context behind the practice.

The importance of penetration testing

The scale and frequency of data breaches is escalating. What's more, breaches are highly variable and target a wide range of business types. According to the Verizon Data Breach Investigations Report that analyzed nearly 42,000 cybersecurity incidents and 2,013 data breaches, breaches are targeting organizations across just about every industry, and they are doing so regardless of the size of the business.

A study we commissioned from the Ponemon Institute found that 91% of respondents have been hit by a cyberattack. What's more, 58% of those said they lack adequate staff to keep up with cybersecurity demands. 

Penetration testing can automate key security analysis tasks and drive efficiency within your infosec team. 

A penetration test shouldn't be a one-time project. As enterprise IT configurations constantly shift with new cloud services, device authorizations and other changes, companies must develop a consistent cybersecurity practice and regularly revisit their strategies in remediating vulnerabilities to ensure their tactics remain viable.

The purpose of penetration testing

At its simplest point, penetration testing is designed to identify vulnerabilities. However, a TechTarget report highlighted that the breadth of penetration testing makes it applicable for a wide range of more specific, nuanced purposes. For example, some penetration tests can be used to identify flaws within security policy.

Different penetration testing methods may focus on varied purposes. As such, businesses should consider a wide range of penetration testing methods.

Common penetration testing methods

Organizations can perform a diverse array of tests, from targeted assessments to blind tests. Penetration tests can analyze application vulnerabilities or security policies, mimic attacks from insiders, evaluate a network configuration or put an operating system under stress to determine weak points.

Here's a closer look at some of those test methods:

Software-based tests

Many penetration testing methods use software as the penetration tester, evaluating anything from network security to application vulnerabilities. Software can use automated scanners to perform vulnerability tests across just about any component of an IT system. Whether it's analyzing a web browser for a data caching error that causes information to be written to the wrong location or assessing security vulnerabilities in a soon-to-be-released app, software can automatically evaluate a wide range of system types.

Of course, there isn't just one software system out there to do all of this. Different vendors specialize in varied test types, creating software that can automatically identify, report on and suggest solutions for different types of vulnerabilities, including analysis of your operational technology (OT). 

Bug-bounty programs

A somewhat unconventional option, but by no means revolutionary in terms of technique, bug-bounty programs pay white-hat hackers a bounty for identifying a vulnerability within a system. Using white-hat hackers as part of penetration testing is a longstanding practice: these security experts attempt to hack into a company's systems, but do so with good intentions, notifying the business of any vulnerability found. It is most common in identifying application or software vulnerabilities. Bug-bounty programs take this format further by formalizing the reporting process and offering rewards for finding bugs, making it a more systematic solution.

How to establish a solid penetration testing framework

Where individual penetration testing methods are the ways you perform assessments, a framework represents your overarching strategy. It should encompass:

  • The goals of your penetration testing program
  • Key performance indicators, benchmarks and metrics you are measuring through your tests
  • Details on the methods you are using and which parts of your configuration each method evaluates
  • Guidelines for how frequently you will perform different tests
  • Rules for how the results of each test are reported

A penetration testing framework is, in essence, a complete guide to how penetration tests should be completed within your organization. The key is to develop a cohesive, detailed framework that covers what you are testing and how.

Unlocking penetration testing's full potential

Penetration testing is a highly varied practice. However, automated, software-based tools can dramatically improve your ability to understand your systems, identify vulnerabilities and monitor weak points. Tenable can help you through this process by providing complete exposure analysis, even extending into your cloud configurations. 

Start your free trial now

CVE-2019-19781: Unauthenticated Remote Code Execution Vulnerability in Citrix ADCs and Gateways


Citrix urges customers to apply mitigation steps for CVE-2019-19781, a remote code execution vulnerability exploitable through specially crafted HTTP requests to vulnerable devices.

Background

Citrix has released an advisory for CVE-2019-19781, a vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway that could allow an unauthenticated attacker to execute code on the affected devices. Users are encouraged to apply the provided mitigation steps as quickly as possible.

Analysis

While Citrix does not detail the exact nature of the vulnerability in the advisory, the recommended mitigation steps block HTTP requests to the VPN handler that carry additional path components, which suggests that input reaching that handler is not properly sanitized. The mitigation therefore inspects incoming HTTP-based VPN requests and returns a 403 FORBIDDEN response whenever a request matching the exploit pattern is detected.

According to Citrix, the following devices are identified as vulnerable:

  • Citrix ADC and Citrix Gateway version 13.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.1 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 11.1 all supported builds
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

Solution

Depending on an organization's device setup, mitigation options are listed for each Citrix device configuration to mitigate this vulnerability. Citrix has stated that an update will be available at a later date, at which time users can remove the mitigation and upgrade.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

CVE-2018-0296: Vulnerability in Cisco ASA and Firepower Appliances Sees Spike in Exploit Attempts


The Cisco Adaptive Security Appliance and Firepower Appliance vulnerability patched over a year ago continues to be targeted by attackers in the wild, as exploitation attempts have increased in frequency over the past several weeks.

Background

On December 20, researchers at Cisco Talos published a blog post warning that a previously patched flaw in Cisco Adaptive Security Appliance (ASA) and Firepower Appliance has seen “a sudden spike in exploitation attempts.”

Analysis

CVE-2018-0296 is an improper input validation vulnerability in the ASA web interface. An unauthenticated, remote attacker could exploit this flaw by sending a specially crafted HTTP request to a vulnerable ASA or Firepower device. This results in unexpected reloads of the device, causing a denial of service (DoS) condition. However, in certain software versions of the ASA or Firepower Threat Defense (FTD), a reload will not occur, but an attacker could view sensitive information by sending a specially crafted HTTP request containing directory traversal sequences.

The vulnerability was originally patched on June 6, 2018, after it was disclosed by security researcher Michal Bentkowski of Securitum, who published a blog post detailing his findings soon after. Roughly translated, Bentkowski noted the following in his post, “The error was reported to Cisco just on the example as above, i.e. the possibility of obtaining information about logged in users.” This differed from Cisco’s public description of the vulnerability, which focused on DoS and mentioned the possibility of directory traversal in some instances, the latter potentially related to Bentkowski’s findings. Cisco updated the advisory for the flaw on June 22, 2018, announcing they had observed public exploitation of the vulnerability.

In March 2019, Cisco updated the advisory once again, and in April 2019, the vulnerability was identified as one of the flaws used in a DNS hijacking campaign called Sea Turtle.

Cisco issued a final update to their advisory on September 24, 2019, elevating the vulnerability to critical after observing more exploitation attempts.

Proof of concept

The first proof of concept (PoC) for the vulnerability was published to GitHub on June 21, 2018, and was regularly updated, accepting pull requests all the way up until March 2019. The repository has not been updated since June 2019.

There have been other PoCs for CVE-2018-0296 published to GitHub, including an exploit script to enumerate usernames from vulnerable devices and another exploit script called the Cisco Pillager.

Solution

As previously mentioned, the vulnerability was patched back in June 2018. The following devices running Cisco ASA or FTD software are potentially vulnerable:

Device | Status
Cisco Industrial Security Appliance 3000 (ISA) | Supported
Cisco ASA 1000V Cloud Firewall | End of Life
Cisco ASA 5500 Series Adaptive Security Appliances | Supported
Cisco ASA 5500-X Series Next-Generation Firewalls | Supported
Cisco Catalyst 6500 Series Switches ASA Services Module | Supported
Cisco 7600 Series Routers ASA Services Module | End of Life
Cisco Adaptive Security Virtual Appliance (ASAv) | Supported
Cisco Firepower 2100 Series Security Appliance | Supported
Cisco Firepower 4100 Series Security Appliance | Supported
Cisco Firepower 9300 Security Appliance | Supported
Cisco Firepower Threat Defense Virtual (FTDv) | Supported

The devices may be vulnerable depending on the ASA or FTD software features and configuration. For a detailed breakdown of the features and configurations, please refer to the affected products section under Cisco’s advisory.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability can be found here.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Google Chrome Affected by Magellan 2.0 SQLite Vulnerabilities


One year and one week after the disclosure of the Magellan series of vulnerabilities in 2018, Magellan 2.0 is disclosed, bringing five new vulnerabilities with it.

Background

On December 23, 2019, the Tencent Blade Team published an advisory regarding “Magellan 2.0,” a new set of SQLite vulnerabilities discovered by researcher Wenxiang Qian differing from the original Magellan vulnerabilities disclosed last year.

Analysis

Information relating to Magellan 2.0 at present is limited to what has been disclosed in the advisory and the assignment of CVE IDs CVE-2019-13734, CVE-2019-13750, CVE-2019-13751, CVE-2019-13752 and CVE-2019-13753 on December 10, 2019. The Tencent Blade Team states that the impact of these vulnerabilities includes the leaking of program memory, causing program crashes and remote code execution.

The vulnerability in SQLite occurs when the SQLite database is passed a maliciously crafted SQL command that it executes on behalf of the attacker, exploiting the vulnerabilities highlighted by the Tencent Blade Team. Remote attacks like this against SQLite databases would require direct and improperly handled input between the SQLite database and the internet-facing application.

These vulnerabilities are remotely exploitable in Google Chrome because Web SQL Database is enabled by default, an API that lets JavaScript on a web page issue SQL statements to Chrome's internal SQLite database, which is used to store user data and browser settings.

Any application that embeds SQLite and accepts SQL from an untrusted source is affected if the latest patches are not applied. Chrome/Chromium users on versions prior to 79.0.3945.79 are also vulnerable. The Tencent Blade Team also noted that these vulnerabilities affect smart devices using an older version of Chrome/Chromium, browsers built using an older version of Chrome/WebView, Android apps using older versions of WebView and software that uses older versions of Chromium. The Tencent Blade Team states that they are working with vendors to address the issue and notes that, at present, there is no evidence of abuse in the wild.

Proof of concept

At the time this blog post was published, there was no proof of concept (PoC) available, but one may be released in the future. When asked if they will be releasing a PoC, the Tencent Blade Team stated, “Not yet. We follow the responsible vulnerability disclosure process and will not disclose the details of the vulnerability in advance 90 days after the vulnerability report.” They initially disclosed these vulnerabilities to Google and SQLite on November 16, 2019.

Solution

Tenable strongly advises organizations and individuals to upgrade to patched versions as soon as possible. On December 10, 2019, Google released Chrome 79.0.3945.79 (Stable Channel Update for Desktop), which addresses these issues. SQLite fixed the bugs in its source tree on December 13, 2019, but has yet to ship the fixes in a stable release; we advise upgrading to that release as soon as it is available.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities can be found here.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

CVE-2019-15975, CVE-2019-15976, CVE-2019-15977: Critical Authentication Bypass Vulnerabilities in Cisco Data Center Network Manager


Cisco kicks off 2020 with 12 CVEs in Cisco Data Center Network Manager, including three critical authentication bypass vulnerabilities.

Background

On January 2, Cisco published a series of advisories for Cisco Data Center Network Manager (DCNM), a platform for managing Cisco’s data center deployments equipped with Cisco’s NX-OS. A total of 12 vulnerabilities were found and reported to Cisco, 11 of which were discovered by Steven Seeley of Source Incite.

Analysis

Of the 12 vulnerabilities patched by Cisco, the most severe include a trio of critical authentication bypass flaws, two of which reside in DCNM API endpoints.

CVE-2019-15975 and CVE-2019-15976 are authentication bypass vulnerabilities in the REST API and SOAP API endpoints for Cisco DCNM due to the existence of a static encryption key shared between installations. A remote, unauthenticated attacker could gain administrative privileges through either the REST API or SOAP API by sending a specially crafted request that includes a valid session token generated using the static encryption key.

CVE-2019-15977 is an authentication bypass vulnerability in the web-based management interface for Cisco DCNM because of the use of static credentials. A remote, unauthenticated attacker could use these static credentials to extract sensitive information from the vulnerable device, enabling them to perform additional attacks.
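The static-key flaw described above (CVE-2019-15975 and CVE-2019-15976) is a design error rather than a coding slip: once a signing or encryption key ships inside the product, every installation shares it, and whoever extracts it from one copy can mint valid sessions for all of them. The following added example (not Cisco DCNM code; the HMAC token format is a hypothetical scheme, not the one DCNM uses) shows the weak design next to the per-installation fix, and why a forged admin token validates against the first but not the second.

```python
"""Added example (not Cisco DCNM code): why a key that is identical on every
installation lets anyone mint valid admin sessions, and the per-installation fix.
The token format is a hypothetical HMAC scheme, not the one DCNM uses."""
import base64
import hashlib
import hmac
import json
import secrets


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenService:
    """Mints and verifies tokens of the form base64url(claims).base64url(hmac)."""

    def __init__(self, key):
        self.key = key

    def mint(self, user, role, now, ttl=3600):
        claims = json.dumps({"sub": user, "role": role, "exp": now + ttl}, sort_keys=True)
        payload = claims.encode()
        tag = hmac.new(self.key, payload, hashlib.sha256).digest()
        return b64url(payload) + "." + b64url(tag)

    def verify(self, token, now):
        """Return the claims for a correctly signed, unexpired token, else None."""
        try:
            p, t = token.split(".")
            payload, tag = b64url_decode(p), b64url_decode(t)
        except (ValueError, TypeError):
            return None
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        claims = json.loads(payload)
        if claims.get("exp", 0) <= now:
            return None
        return claims


# Weak design: the key ships inside the product, so every installation shares it
# and anyone who pulls it out of one copy can forge tokens for all of them.
STATIC_KEY = b"constructed-placeholder-key-baked-into-every-build"  # constructed value


def static_key_service():
    return TokenService(STATIC_KEY)


# Hardened design: generate the key on first boot and keep it with this instance only.
def per_install_service(key_store):
    if "session_key" not in key_store:
        key_store["session_key"] = secrets.token_bytes(32)
    return TokenService(key_store["session_key"])


def forgery_succeeds(victim, attacker_key, now):
    """Attacker signs an admin token with a key obtained elsewhere (their own copy
    of the software, or the binary) and presents it to the victim instance."""
    forged = TokenService(attacker_key).mint("attacker", "admin", now, ttl=86400)
    claims = victim.verify(forged, now)
    return claims is not None and claims["role"] == "admin"


def tamper_role(token, role):
    """Rewrite the role claim but keep the original tag, which is all an attacker
    without the key can do; verification must reject the result."""
    p, t = token.split(".")
    claims = json.loads(b64url_decode(p))
    claims["role"] = role
    return b64url(json.dumps(claims, sort_keys=True).encode()) + "." + t
```

The point of the hardened variant is not the HMAC but where the key comes from: a key generated at install time with `secrets.token_bytes` is unknown to anyone who only has the software, so an attacker's own installation yields a key that is useless against the victim's.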

Utilizing these authentication bypass vulnerabilities, attackers could leverage the remaining flaws patched by Cisco, which include command injection vulnerabilities (CVE-2019-15978, CVE-2019-15979), SQL injection vulnerabilities (CVE-2019-15984, CVE-2019-15985), path traversal vulnerabilities (CVE-2019-15980, CVE-2019-15981, CVE-2019-15982) and an XML external entity vulnerability (CVE-2019-15983).

Seeley’s discovery of these vulnerabilities in Cisco DCNM was inspired by four flaws reported back in June 2019 by security researcher Pedro Ribeiro, including CVE-2019-1619, an authentication bypass flaw in the DCNM’s web-based management interface.

Additionally, Cisco patched CVE-2019-15999, a vulnerability in the DCNM’s JBoss Enterprise Application Platform (EAP) reported by Harrison Neal of PatchAdvisor. This flaw exists because the authentication settings on the EAP were incorrectly configured.

Proof of concept

At the time this blog post was published, no proof-of-concept code has been released for any of the reported vulnerabilities.

Solution

Cisco released updates to correct each of the specified vulnerabilities. Affected versions of Cisco DCNM software include releases earlier than 11.3(1). We recommend reviewing the linked advisories under the “Get more information” section below.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.


CVE-2019-11510: Critical Pulse Connect Secure Vulnerability Used in Sodinokibi Ransomware Attacks


Recent rash of ransomware attacks are leveraging an eight-month-old flaw in a popular SSL VPN solution used by large organizations and governments around the world.

Background

On January 4, security researcher Kevin Beaumont (@GossiTheDog) observed two "notable incidents" in which a vulnerability in a Secure Sockets Layer (SSL) Virtual Private Network (VPN) solution was used to breach two organizations and install targeted ransomware.

In his blog, Beaumont says this vulnerability was used to gain access to the vulnerable networks, followed by a similar pattern: obtaining domain administrator access, installing Virtual Network Computing (VNC) using PsExec for lateral movement, disabling endpoint security tools and installing the Sodinokibi ransomware, also known as Sodin or REvil.

Scott Gordon, Chief Marketing Officer for Pulse Secure, issued the following statement regarding Beaumont’s blog:

“Threat actors will take advantage of the vulnerability that was reported on Pulse Secure, Fortinet and Palo Alto VPN products -- and in this case, exploit unpatched VPN servers to propagate malware, REvil (Sodinokibi), by distributing and activating the Ransomware through interactive prompts of the VPN interface to the users attempting to access resources through unpatched, vulnerable Pulse VPN servers.”

Analysis

Pulse Secure Vulnerability

CVE-2019-11510 is a critical arbitrary file disclosure vulnerability in Pulse Connect Secure, the SSL VPN solution from Pulse Secure. Exploitation of the vulnerability is simple, which is why it received a 10.0 rating using the Common Vulnerability Scoring System (CVSS). The flaw could allow a remote, unauthenticated attacker to obtain usernames and plaintext passwords from vulnerable endpoints.

While Pulse Secure issued an out-of-cycle patch for the vulnerability in April 2019, it garnered more attention after a proof of concept (PoC) for the flaw was made public in August 2019. Shortly after the PoC was released, reports began to surface that attackers were probing for vulnerable endpoints and attempting to exploit the flaw.

At the time, Troy Mursch, Chief Research Officer at Bad Packets, identified over 14,500 Pulse Secure VPN endpoints that were vulnerable to this flaw. Mursch has been working to notify affected organizations to patch the flaw while also publishing weekly reports on Twitter of scan results for vulnerable endpoints. According to the most recent scan result from January 3, 2020, Mursch detected 3,825 endpoints that remain vulnerable, with over 1,300 of those endpoints residing in the United States.

Vulnerable Pulse Secure VPN Servers by Country

Sodinokibi (REvil) Ransomware

Sodinokibi (or REvil) first appeared in April 2019 as part of attacks utilizing a zero-day exploit for an unauthenticated remote code execution vulnerability in Oracle WebLogic identified as CVE-2019-2725. Additional research in July 2019 found that Sodinokibi also exploits CVE-2018-8453, an elevation of privilege flaw in Win32k, which the researchers called “rare among ransomware.”

Sodinokibi has been linked to the creators of the GandCrab ransomware, which shuttered its operations in May 2019 after earning a reported $2 billion in ransom payments.

Big Game Hunting Ransomware

The use of the term “Big Game Hunting” references a CrowdStrike blog from 2018 regarding the electronic crime group dubbed INDRIK SPIDER pivoting from banking trojans to targeted ransomware attacks using the BitPaymer ransomware. The “big game” component refers to threat actors shifting to “targeted, low-volume, high return” activity.

In the case of Sodinokibi, it appears this tactic has been fruitful. Security researcher Rik Van Duijn identified at least seven cases of Sodinokibi ransomware infections in the first six days of 2020 demanding over $10 million based on analyzed malware samples, underscoring just how much potential value there is in these big game hunting ransomware attacks.

While Sodinokibi has been linked to various vulnerabilities mentioned above, it is important to note that ransomware in general spreads through a variety of methods, including unpatched software vulnerabilities, malicious emails and exposed remote desktop systems.

Proof of concept

The first PoC published for CVE-2019-11510 was released on August 20 to Exploit Database by security researchers Alyssa Herrera and Justin Wagner. There are also multiple PoCs to identify and/or exploit CVE-2019-11510 published to GitHub repositories.

Solution

As previously noted, Pulse Secure released patches for CVE-2019-11510 back in April 2019. If your organization utilizes Pulse Connect Secure in your environment, it is paramount that you patch as soon as possible. Additionally, because Sodinokibi uses CVE-2018-8453, it is also extremely important to ensure the appropriate security updates from Microsoft’s October 2018 Patch Tuesday have been applied.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability can be found here, which includes a direct exploit check, identified as Plugin ID 127897.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

CVE-2019-17026: Zero-Day Vulnerability in Mozilla Firefox Exploited in Targeted Attacks


Mozilla releases patch to address Firefox flaw being used as part of targeted attacks.

Background

On January 8, Mozilla Foundation released a security advisory to address a critical zero-day flaw in Mozilla Firefox, which has been exploited in targeted attacks.

Analysis

CVE-2019-17026 is a type confusion vulnerability in IonMonkey, the JavaScript Just-In-Time (JIT) compiler for SpiderMonkey, Mozilla’s JavaScript engine. According to Mozilla’s advisory, the flaw exists in the JIT compiler due to “incorrect alias information for setting array elements,” specifically in StoreElementHole and FallibleStoreElement.

The vulnerability was reported to Mozilla by researchers at Qihoo 360 ATA. Mozilla’s advisory states they are “aware of targeted attacks in the wild abusing this flaw.” Based on this note in the advisory, it appears the vulnerability was exploited in the wild as a zero-day. Further information about the exploitation was not available at the time this blog post was published.

This advisory follows the release of Firefox 72 and Firefox Extended Support Release (ESR) 68.4 on January 7, which included the following security advisories:

Last year, Mozilla patched CVE-2019-11707, another type confusion flaw that was used in conjunction with CVE-2019-11708, a sandbox escape vulnerability in targeted attacks.

Proof of concept

At this time, no proof of concept is available for this vulnerability.

Solution

To address CVE-2019-17026, Mozilla released Firefox 72.0.1 and Firefox ESR 68.4.1. Although the attacks observed so far were targeted, all Firefox users are advised to upgrade as soon as possible.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

5 Tips on How to Conduct a Vulnerability Assessment


So, your boss asked you to do a vulnerability assessment. You hardly remember anything about the topic from your security classes. Since it is about finding vulnerabilities in your infrastructure, it must be something like penetration testing…or is it?

Formally, vulnerability assessment is the process of identifying, classifying and prioritizing vulnerabilities in computer systems, applications and network infrastructures. It helps the organization doing the assessment understand the threats to its environment and react appropriately.

But, where do you start the vulnerability assessment process? Here are five tips on how to conduct a successful vulnerability assessment – as well as pitfalls and how to avoid them.

1. Learn the difference between vulnerability assessment and penetration testing

Penetration testing is usually something that happens once a year and results in a nice report showing weaknesses in your infrastructure. Vulnerability scanning is an essential part of penetration testing. Unfortunately, for this very reason, many people are focused only on vulnerability scanning when asked to do a vulnerability assessment.

Ideally, vulnerability assessment goes beyond a single scan. It is a continuous process, which provides you with the knowledge about vulnerabilities and the associated risk to your organization at any given time. In other words, think of having a database containing all your assets and their vulnerabilities that is always up-to-date. If a new vulnerability makes the front page of The New York Times, you know the data you need is already there. No need to do ad hoc vulnerability scanning under extreme time pressure.

Besides regular vulnerability scans, technologies like real-time vulnerability monitoring and Nessus Live Results can help you get an always up-to-date view of your infrastructure.

2. Think from a business perspective when defining the scope of your vulnerability assessment

If you’re reading this blog post, there is a good chance that you are a security engineer and security engineers, of course, deal with technical matters. However, for a successful vulnerability assessment, you need to take a step back and look at the company’s assets from a business perspective. Which assets does the company rely on for revenue? Where is critical data, such as customer or personally identifiable information (PII), stored? Which systems are publicly available (e.g., web apps)? These are important assets when defining the scope of your assessment. 

Also, be sure to consider:

  • Desktops and laptops: Even if you have a golden image, you will be surprised how diverse your clients are and what you will find on them.
  • Assets like test systems, connected devices (TV screens, projectors, IoT, etc.) or cloud assets: They might not be the actual target of an attack, but could be the weakest link, allowing an attacker to break into your network.

In practice, it will not be enough to have a single vulnerability scanner to cover all these assets. You will need sensors in many parts of the network to cover the entire attack surface. All these sensors will then send their data to a central instance, where the data is aggregated, deduplicated and prioritized.

3. Master asset management

Technically speaking, a vulnerability assessment provides vulnerabilities against a list of IP addresses or host names. We all tend to get to the actual vulnerabilities as fast as possible. After all, it is a vulnerability assessment. But it’s worth it to take the time to first transform these anonymous IP addresses into assets by adding context. This context will vary but here are a couple of guidelines: 

  • Divide IP addresses into meaningful groups, such as: workstations, web servers, business-critical systems, hosts in the DMZ, Windows or Linux machines, etc.
  • Add information, such as stakeholders, system owners, geographical location, etc.
  • Consider business criticality. Add information mentioned in the previous section to organize the priority with which the assets should be assessed and fixed. 

This context will help you make sense of the wealth of information delivered after an assessment, and save you a lot of time. You will be able to immediately see what a system is, how important it is and who is responsible for it (i.e., who will mitigate the vulnerabilities).

4. Plan when to use credentialed versus non-credentialed scans

There are two kinds of vulnerability scans: credentialed and non-credentialed. In the first case, the vulnerability scanner has credentials for the system to be scanned and thus gets an inside view of it. In the latter case, the scanner has an outside view of it, which is the same a potential attacker would have. While both scan types have their merits, credentialed scans are more accurate and complete. 

Think about this: A scanner which has access to a system can see what system it is, what software is installed, what processes are running, which ports are open and much more. A scanner that sees the system only from the outside has to work with the limited information available. If the system in question has many open ports and many services running, the resulting information may be quite accurate. But, if this is not the case, the scanner may have to guess (e.g., what kind of system it could be). By taking the guesswork out of scanning, you will get more accurate information in every respect and add value to the information as your asset classification (see point number three) will be complete and precise.

If credentialed scans are not an option, agents are an alternative that delivers the same information. Unlike an antivirus scanner, an agent generates hardly any system load, and normally only for a couple of minutes per day.

5. Develop a smart scanning strategy

Vulnerability scans can’t be both fast and comprehensive at the same time. You either do a fast scan, which delivers less data (e.g., the system is up and its operating system) or an in-depth scan, which takes some time, but delivers all the information you ever wanted to know. However, by defining a good scanning strategy, you get the best of both worlds. 

A useful starting point is to define daily discovery scans, which show – as the name suggests – which devices on the network are up and running. The best practice is to do this scan against all IP address ranges in your network, but leave out all the hosts known from previous scans. 

Second, define a weekly full vulnerability scan against all systems found by the discovery scan plus all previously known systems. This scan delivers the actual system information and vulnerability data. Because it runs against known targets rather than entire IP address ranges, time-consuming port scanning is only done for hosts that are actually up, which massively reduces scan time while delivering complete and precise results.

Using a passive vulnerability monitor in addition to active scanning can further help to fill in the gaps between the scans with real-time vulnerability information. 

If scans take too long, consider adding more scanners to load-balance the scans between them.
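Tips 3 through 5 describe one workflow: turn bare IP addresses into assets with owners, groups and criticality, run a daily discovery scan over your ranges minus the hosts you already know, feed a weekly full scan from the known-host list, and rank the resulting findings by business criticality. The following is an added example of that workflow in plain Python (constructed inventory data, not Nessus or Tenable.io code; the group names, owners and 1 to 5 criticality scale are assumptions):

```python
"""Added example (not Tenable code): an asset inventory with business context that
drives daily discovery targets, weekly full-scan targets and finding priority."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Asset:
    ip: str
    groups: set = field(default_factory=set)  # e.g. {"web-server", "dmz", "linux"} (assumed names)
    owner: str = "unassigned"                 # who fixes findings on this host
    criticality: int = 1                      # 1 (low) .. 5 (revenue-critical); assumed scale
    credentialed: bool = False                # credentials or an agent available?


class Inventory:
    def __init__(self):
        self.assets = {}

    def add(self, ip, **context):
        """Turn an anonymous IP into an asset; repeated calls merge more context."""
        asset = self.assets.setdefault(ip, Asset(ip))
        asset.groups |= set(context.pop("groups", ()))
        for key, value in context.items():
            setattr(asset, key, value)
        return asset

    def discovery_targets(self, cidrs):
        """Daily discovery scan: every address in the ranges except hosts already known."""
        return [
            str(host)
            for cidr in cidrs
            for host in ipaddress.ip_network(cidr).hosts()
            if str(host) not in self.assets
        ]

    def merge_discovery(self, live_hosts):
        """Hosts seen for the first time enter the inventory flagged for classification."""
        new = [h for h in live_hosts if h not in self.assets]
        for host in new:
            self.add(host, groups={"unclassified"})
        return new

    def full_scan_targets(self):
        """Weekly full scan: all known hosts, most critical first, with the scan policy
        chosen by whether an inside view (credentials or agent) is available."""
        ordered = sorted(self.assets.values(), key=lambda a: (-a.criticality, a.ip))
        return [(a.ip, "credentialed" if a.credentialed else "network-only") for a in ordered]

    def prioritize(self, findings):
        """Rank (ip, finding, cvss) tuples by CVSS weighted with asset criticality and
        attach the owner, so the list can go straight to the people who remediate."""
        rows = []
        for ip, name, cvss in findings:
            asset = self.assets.get(ip, Asset(ip))
            rows.append({
                "ip": ip,
                "finding": name,
                "score": round(cvss * asset.criticality, 1),
                "owner": asset.owner,
                "groups": sorted(asset.groups),
            })
        return sorted(rows, key=lambda r: -r["score"])
```

Note what the weighting does to a real list: a CVSS 9.8 issue on a low-criticality workstation can land below a CVSS 5.0 issue on the revenue-critical web server, which is the ordering the business actually wants, and the owner column means nobody has to look up who is responsible after the fact.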

Keeping these steps in mind will ensure that the result will be an effective and successful vulnerability assessment process. 

To get started with Nessus, start your free trial now.

CVE-2019-19781: Exploit Scripts for Remote Code Execution Vulnerability in Citrix ADC and Gateway Available


Attackers are actively probing for vulnerable Citrix Application Delivery Controller (ADC) and Gateway hosts, while multiple proof-of-concept scripts are released, emphasizing the importance of mitigating this flaw immediately.

Background

On December 17, Citrix published a support article for CVE-2019-19781, a path traversal flaw in Citrix ADC and Citrix Gateway, both of which were formerly known as NetScaler ADC and NetScaler Gateway. Citrix cautioned that successful exploitation could result in an unauthenticated attacker gaining remote code execution. Citrix did not provide a patch for the vulnerability, but instead strongly urged customers to apply mitigation steps to thwart exploitation attempts. In the weeks since, attackers have begun scanning for vulnerable hosts for reconnaissance, with some reports suggesting attackers may have already exploited this vulnerability in the wild.

On January 3, SANS Internet Storm Center (ISC) tweeted that they had observed the “first exploit attempt” for this vulnerability in the wild.

According to Shodan, there are over 125,000 Citrix ADC or Gateway hosts publicly accessible. Nate Warfield from Microsoft’s Security Response Center found that every system he “spot checked” was vulnerable to CVE-2019-19781.

Analysis

The information Citrix provided in their mitigation steps offers clues into the vulnerable component of ADC and Gateway, referencing requests containing the “/vpns/” path. Because this is a path traversal flaw, identifying a vulnerable ADC or Gateway host requires confirming the presence of files located outside the original path requested.

On January 7, SANS ISC published a blog with more details about attackers scanning their honeypots and attempting to exploit the flaw. In the blog, they reference requests looking for a file called smb.conf in the “/vpns/cfg/” path. Requesting this file from a vulnerable Citrix ADC or Gateway will successfully return a configuration file. Systems that have applied Citrix’s recommended mitigations will return an HTTP 403 FORBIDDEN response.

On January 8, Craig Young, principal security researcher on Tripwire’s Vulnerabilities and Exposures Research Team (VERT), published a blog discussing how he achieved “arbitrary command execution” on a vulnerable ADC host. According to Young, there are Perl scripts located in the “/vpns/” path of the Citrix appliances, which can be targeted to allow for limited file writing on the vulnerable host.

On January 10, Rio Sherri, senior security consultant at MDSec, published a blog with additional insight into the limited file writing, highlighting code in the ‘csd’ function of the UserPrefs perl module that “builds a path from the NSC_USER HTTP header without any sanitisation” and will be triggered by any script that calls the function. Sherri found that nearly “all the scripts used this function,” but highlighted one script in particular, newbm.pl. This file accepts parameterized information and builds it into an array stored in an XML file on the vulnerable host. However, code execution is still not feasible at this point. That’s where the research from Young comes into play. He mentions an undocumented feature in the Perl Template Toolkit that “allowed arbitrary command execution when processing a crafted directive.” Sherri saw this as a “potential avenue for exploitation.” By inserting arbitrary code into the XML file, the only remaining step to get code execution would be to get the template engine to parse the file. Sherri achieved this by issuing a specially crafted HTTP request for the XML file stored on the vulnerable host.

All the security researchers opted not to share specific details about the vulnerability due to the fact that Citrix has not yet released a patch for this vulnerability. However, as of January 10, there are exploit scripts in circulation that can achieve code execution.

Proof of concept

Recently, there have been several repositories created on GitHub referencing CVE-2019-19781, including exploit scripts that could lead to code execution by a remote, unauthenticated attacker.

Solution

While Citrix has provided detailed mitigation steps, currently, there is no patch available despite the advisory being released nearly a month ago. With the availability of exploit scripts for this vulnerability, users are strongly encouraged to apply these mitigation steps as soon as possible. Additionally, we would recommend reviewing your logs for requests to determine if active scanning or exploitation may have already occurred. These requests may include paths, such as:

  • /vpns/
  • /vpn/../vpns/cfg/smb.conf
  • /vpn/../vpns/portal/scripts/newbm.pl
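To make that log review concrete, here is an added Python example (mine, not code from the post or from Tenable) that walks web access-log lines, collapses directory traversal in the request path and reports every request that lands in the /vpns/ tree together with its HTTP status, so a 200 (file returned) can be told apart from the 403 a mitigated host sends. The log lines are constructed samples in combined log format; the format, the field names and the percent-encoded traversal variant included as a detection generalization are my assumptions.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed sample access-log lines in combined log format. These are not
# real captures; the addresses come from documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2020:14:02:11 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 512 "-" "curl/7.64.0"
198.51.100.7 - - [10/Jan/2020:14:03:45 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0 "-" "python-requests/2.22.0"
203.0.113.10 - - [10/Jan/2020:14:04:02 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 403 0 "-" "curl/7.64.0"
192.0.2.55 - - [10/Jan/2020:14:05:30 +0000] "GET /vpn/index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.56 - - [10/Jan/2020:14:06:01 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# The two file paths named in the write-ups above, after traversal is collapsed.
KNOWN_EXPLOIT_PATHS = {"/vpns/cfg/smb.conf", "/vpns/portal/scripts/newbm.pl"}


def canonical_path(raw_path):
    """Percent-decode and collapse '..' so that '/vpn/../vpns/x' and
    '/vpn/%2e%2e/vpns/x' both compare as '/vpns/x'."""
    decoded = unquote(raw_path.split("?", 1)[0])
    return normpath(decoded)


def find_citrix_probes(log_text):
    """Return one record per request that reaches the /vpns/ tree, keeping
    the HTTP status so a 200 (content returned) can be told apart from a
    403 (Citrix mitigation in place)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip it
        decoded = unquote(m["path"])
        canon = canonical_path(m["path"])
        if not canon.startswith("/vpns/"):
            continue
        hits.append({
            "ip": m["ip"],
            "timestamp": m["ts"],
            "method": m["method"],
            "raw_path": m["path"],
            "canonical": canon,
            "status": int(m["status"]),
            "traversal": ".." in decoded,
            "known_exploit_path": canon in KNOWN_EXPLOIT_PATHS,
        })
    return hits


if __name__ == "__main__":
    for h in find_citrix_probes(SAMPLE_LOG):
        state = "mitigated (403)" if h["status"] == 403 else f"status {h['status']}"
        print(f"{h['timestamp']} {h['ip']} {h['method']} {h['raw_path']} "
              f"-> {h['canonical']} [{state}]")
```

Run it over your own exported access logs; a 200 on one of the known paths dated before the mitigation was applied is the line to escalate, while 403s show the mitigation doing its job.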

Identifying affected systems

Tenable Research has released a direct check plugin (ID 132752) to identify vulnerable assets in addition to our version check plugin, which can be found here. Note that the version check plugin requires enabling 'paranoid mode'.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Up Your Vulnerability Prioritization Game with Tenable Lumin for Tenable.sc


We’re excited to take vulnerability prioritization to the next level with the introduction of Tenable Lumin for Tenable.sc. 

Tenable.sc customers have long enjoyed a rich array of tools for getting the visibility and context they need into the assets and vulnerabilities on their network. And with the introduction of the Vulnerability Priority Rating and the Solutions view page over the past 12 months, we made it easier to prioritize patching and focus on the vulnerabilities posing the greatest risk. 

With the release of Tenable.sc 5.13, customers can use Tenable Lumin to up their prioritization game with the ability to calculate, communicate and compare cyber risk – helping security and IT zero in on the vulnerabilities to remediate first. With this integration, customers send their vulnerability data from Tenable.sc to Tenable Lumin for analysis. Tenable Lumin then transforms the vulnerability data into meaningful insights to help measure and manage cyber risk.

Let’s take a closer look at what the Tenable.sc and Tenable Lumin integration provides: 

Advanced prioritization

Tenable Lumin takes Tenable.sc’s prioritization capabilities to the next level by providing clear recommended actions that help security know where to focus – the critical vulnerabilities affecting your most critical assets. Advanced risk-based Cyber Exposure analysis and scoring weighs vulnerabilities, threat data and asset criticality, showing you where to concentrate remediation efforts. In addition to the VPR and CVSS scores already available in Tenable.sc, Tenable Lumin provides the Asset Criticality Rating (ACR) and Cyber Exposure Score. ACR is an objective measure of the criticality of an asset to an organization. 

Risk rating 

Tenable Lumin analyzes the vulnerability data from Tenable.sc and combines it with other inputs (e.g., threat intelligence and asset criticality context) to calculate a Cyber Exposure Score. The Cyber Exposure Score gives customers an indication of their organization's cyber risk in the form of a simple score they can report and measure against over time as a rating of security program effectiveness. 

Industry benchmarking

With Tenable Lumin, customers can learn how their overall cyber risk compares to their industry peers, providing insight into industry standards and where different gaps and shortcomings exist. Tenable Lumin also helps you see how your assessment and remediation processes stack up against peers, so you can improve your overall effectiveness. This can also help you make a case for more investment in your security program and prove to the board that your program is following best practices and meeting industry standards. 

Get more information about Tenable Lumin

Want to learn more about Tenable Lumin? Reach out to your account representative or check out the following resources:

CVE-2020-0601: NSA Reported Spoofing Vulnerability in Windows CryptoAPI


Microsoft kicks off the first Patch Tuesday of 2020 with the disclosure of CVE-2020-0601, a highly critical flaw in the cryptographic library for Windows.

Background

On January 14, Microsoft released its first Patch Tuesday of 2020, which contains an update for a critical vulnerability in the cryptographic library used in newer versions of Windows, including Windows 10 and Windows Server 2016/2019. CVE-2020-0601 was disclosed to Microsoft by the National Security Agency (NSA) via Microsoft’s Coordinated Vulnerability Disclosure process.

Widespread speculation about a severe vulnerability in Microsoft Windows began to circulate on January 13 when Will Dormann, senior vulnerability analyst with the CERT Coordination Center (CERT/CC), hinted in a tweet that people should “pay very close attention” to the updates in Microsoft’s January 2020 Patch Tuesday.

Shortly thereafter, investigative journalist Brian Krebs tweeted a warning about “an extraordinarily scary flaw in all Windows versions,” specifically mentioning the flaw was in a core cryptographic component.

Krebs later released a blog post with additional details on the event. According to Krebs, the flaw exists in crypt32.dll, the Microsoft Cryptographic Application Programming Interface (CryptoAPI) used for certificate and cryptographic messaging functions. The post also indicates that branches of the U.S. military and other high-value customers received advance notice and patches from Microsoft under non-disclosure agreements (NDAs).

On January 14, Krebs tweeted more information after a media call with the NSA’s director of cybersecurity, Anne Neuberger. According to the tweets, the critical cryptographic vulnerability was discovered by the NSA and reported to Microsoft. The tweet further explains that the vulnerability exists in Windows 10 and Windows Server 2016 and the flaw “makes trust vulnerable.”

Analysis

CVE-2020-0601 is a spoofing vulnerability in crypt32.dll, a core cryptographic module in Microsoft Windows responsible for implementing certificate and cryptographic messaging functions in Microsoft’s CryptoAPI.

According to the NSA (credited with the discovery of this vulnerability), successful exploitation of this vulnerability would allow attackers to deliver malicious code that appears to be from a trusted entity. The analysis notes some examples of where validation of trust would be impacted:

  • HTTPS connections
  • Signed files and emails
  • Signed executable code launched as user-mode processes

Because CVE-2020-0601 reportedly bypasses Windows’ capability to verify cryptographic trust, an attacker could pass malicious applications off as legitimate, trusted code, putting Windows hosts at risk. An attacker would need to compromise a system in another fashion to deploy malware that exploits this vulnerability. They would likely either use common phishing tactics to trick a trusted user into interacting with a malicious application or use a man-in-the-middle attack through another compromised device in the environment to spoof an intercepted update and replace it with malware.

Proof of concept

At the time this blog post was published, no proof of concept has been released for this vulnerability.

Vendor response

Microsoft has stated that they’ve seen no active exploitation of this vulnerability so far. However, the vulnerability is labeled as ‘Exploitation More Likely’ in Microsoft’s Security Advisory.

Solution

Microsoft has released software updates to address CVE-2020-0601. If patching the vulnerability enterprisewide is not possible, the NSA has advised “prioritizing patching systems that perform Transport Layer Security validation, or host critical infrastructure like domain controllers, Domain Name System servers, Virtual Private Network servers, etcetera.” Additionally, Tenable suggests patching endpoints directly exposed to the internet or systems regularly used by privileged users.

Users can create scans that focus specifically on this vulnerability. From a new advanced scan, in the plugins tab, set an advanced filter for CVE is equal to CVE-2020-0601.

Scan

Identifying affected systems

A list of Tenable plugins to identify CVE-2020-0601 will appear here as they’re released.

A list of all the plugins released for Tenable’s January 2020 Patch Tuesday update can be found here.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Microsoft’s January 2020 Patch Tuesday Kicks Off the New Year with 49 New CVEs


Microsoft kicks off 2020 by patching 49 CVEs, eight of which are rated as critical.

Microsoft rang in 2020 with 49 CVEs addressed in the January 2020 Patch Tuesday release. This update contains 12 remote code execution flaws and eight vulnerabilities that are rated as critical. This month’s updates include patches for Microsoft Windows, Microsoft Office, Internet Explorer, .NET Framework, .NET Core, ASP.NET Core and Microsoft Dynamics. The following is a breakdown of the most important CVEs from this month’s release.

CVE-2020-0601 | Windows CryptoAPI spoofing vulnerability

CVE-2020-0601 is a spoofing vulnerability in crypt32.dll, a core cryptographic module in Microsoft Windows responsible for implementing certificate and cryptographic messaging functions in Microsoft’s CryptoAPI. For a more detailed examination of this vulnerability, check out our blog post here.

CVE-2020-0609 and CVE-2020-0610 | Windows Remote Desktop Gateway (RD Gateway) remote code execution vulnerability

In the wake of critical pre-authentication flaws from 2019, including BlueKeep (CVE-2019-0708) and DejaBlue (CVE-2019-1181, CVE-2019-1182, CVE-2019-1222 and CVE-2019-1226), Microsoft has patched two new remote desktop flaws, this time in the Windows Remote Desktop Gateway (RD Gateway). CVE-2020-0609 and CVE-2020-0610 are both pre-authentication remote code execution vulnerabilities, which can be exploited when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. Microsoft notes these flaws have not yet been exploited in the wild, but rates these both as ‘Exploitation More Likely.’ Patches have been released for Server 2012, Server 2012 R2, Server 2016 and Server 2019.

CVE-2020-0611 | Remote Desktop Client remote code execution vulnerability

CVE-2020-0611 is a remote code execution vulnerability that exists in the Windows Remote Desktop Client. Exploitation of this flaw would allow an attacker to execute arbitrary code on the machine of the connected client. To successfully exploit this flaw, an attacker would have to convince a user to connect to a malicious server, making exploitation of this flaw less likely. While this flaw is only scored as a CVSS 7.5, Microsoft still rates this as critical severity.

CVE-2020-0605, CVE-2020-0606 and CVE-2020-0646 | .NET Framework remote code execution vulnerability

CVE-2020-0605, CVE-2020-0606, and CVE-2020-0646 are remote code execution vulnerabilities in .NET Framework. Exploitation of these vulnerabilities requires that a user open a specially crafted file with an affected version of .NET Framework. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.

CVE-2020-0603 | ASP.NET Core remote code execution vulnerability

CVE-2020-0603 is a remote code execution vulnerability in ASP.NET Core. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of ASP.NET Core. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.

CVE-2020-0650, CVE-2020-0651 and CVE-2020-0653 | Microsoft Excel remote code execution vulnerability

This month, Microsoft released 3 CVEs for remote code execution vulnerabilities in Microsoft Excel: CVE-2020-0650, CVE-2020-0651 and CVE-2020-0653. These flaws exist due to a flaw in properly handling objects in memory. Successful exploitation of these vulnerabilities would allow an attacker to execute arbitrary code in the context of the current user. To exploit these flaws, an attacker would need to convince a logged-in user to open a specially crafted file with an affected version of Microsoft Excel.

Windows 7 and Server 2008 R2 end of support

As a reminder, Windows 7 and Server 2008 support was discontinued on January 14, 2020, so we strongly recommend identifying and upgrading end-of-life systems. Plugin ID 11936 (OS Identification) can be used to identify the OS running on a target to assist in identifying end-of-support devices.

Tenable solutions

Users can create scans that focus specifically on our Patch Tuesday plugins. From a new advanced scan, in the plugins tab, set an advanced filter for Plugin Name Contains January 2020.

Plugin Name Contains January 2020

With that filter set, click the plugin families to the left, and enable each plugin that appears on the right side. Note: If your families on the left say Enabled, then all the plugins in that family are set. Disable the whole family before selecting the individual plugins for this scan. Here’s an example from Tenable.io:

Plugin Family

A list of all the plugins released for Tenable’s January 2020 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.


Oracle January 2020 Critical Patch Update Contains 255 CVEs


Oracle rings in the new year with its first Critical Patch Update of 2020 addressing 255 CVEs across 334 security patches, including critical vulnerabilities in Oracle WebLogic Server.

Background

On January 14, Oracle released its Critical Patch Update (CPU) for January 2020 as part of its quarterly release of security patches. This update contains fixes for 255 CVEs in 334 patches across multiple Oracle products. The following is the full list of product families with vulnerabilities addressed in this month’s release:

  • Oracle Database Server
  • Oracle Communications Applications
  • Oracle Construction and Engineering
  • Oracle E-Business Suite
  • Oracle Enterprise Manager
  • Oracle Financial Services Applications
  • Oracle Food and Beverage Applications
  • Oracle Fusion Middleware
  • Oracle GraalVM
  • Oracle Health Sciences Applications
  • Oracle Hospitality Applications
  • Oracle Hyperion
  • Oracle iLearning
  • Oracle Java SE
  • Oracle JD Edwards
  • Oracle MySQL
  • Oracle PeopleSoft
  • Oracle Retail Applications
  • Oracle Siebel CRM
  • Oracle Systems
  • Oracle Supply Chain
  • Oracle Utilities Applications
  • Oracle Virtualization

Analysis

This quarter’s CPU included 43 critical vulnerabilities across 25 unique CVEs, 41 of which can be remotely exploited without authentication. The most widely patched product families include Oracle Enterprise Manager (50 patches), Oracle Fusion Middleware (38 patches), Oracle Communications Applications (25 patches), Oracle E-Business Suite (23 patches) and Oracle MySQL (19 patches). Here we describe in more detail some of the critically scored CVEs.

Oracle E-Business Suite | CVE-2020-2586, CVE-2020-2587

CVE-2020-2586 and CVE-2020-2587 were the highest-scoring CVEs in Oracle’s January 2020 CPU, with an Oracle assigned CVSSv3 base score of 9.9. These unspecified vulnerabilities in the Hierarchy Diagrammers component of Oracle Human Resources have been described by Oracle as “easily exploitable.” The vulnerabilities allow attackers with network access via HTTPS and low-level privileges to compromise Oracle Human Resources with successful attacks resulting in the unauthorized access, creation, deletion and modification of Oracle Human Resources accessible data. Access to this data may also allow an attacker to cause a partial denial-of-service (DoS). Versions of Oracle Human Resources affected are 12.1.1–12.1.3 and 12.2.3–12.2.9.

Oracle Fusion Middleware | CVE-2020-2555, CVE-2020-2551, CVE-2020-2546

CVE-2020-2555 is an unspecified vulnerability described as “easily exploitable” in the Caching, CacheStore, Invocation component of Oracle Coherence that allows an unauthenticated attacker with network access via Oracle’s T3 protocol to completely take over Oracle Coherence.

CVE-2020-2551 and CVE-2020-2546 are unspecified vulnerabilities described as “easily exploitable” in the WLS Core Components (CVE-2020-2551) and Application Container - JavaEE (CVE-2020-2546) components of Oracle WebLogic Server. An unauthenticated attacker with network access via Internet Inter-Orb Protocol (IIOP) can compromise and take over the Oracle WebLogic Server.

Oracle MySQL | CVE-2019-8457

CVE-2019-8457 is a heap out-of-bounds read vulnerability in the SQLite component of Oracle MySQL that could allow an unauthenticated attacker to compromise and take over MySQL Cluster. Versions of Oracle MySQL affected are 7.3.27 and prior, 7.4.25 and prior, 7.5.15 and prior as well as 7.6.12 and prior.

Oracle Retail Applications | CVE-2019-2904, CVE-2016-5019, CVE-2019-12419

CVE-2019-2904 is an unspecified vulnerability affecting a series of Application Development Framework (ADF) components, including the Application Core component in Oracle Retail Assortment Planning, the Dataset component in Oracle Retail Clearance Optimization Engine, the Common Component Integration component in Oracle Retail Markdown Optimization and the Operational Insights component in Oracle Retail Sales Audit. An unauthenticated attacker with network access via HTTP could exploit this vulnerability with crafted HTTP requests resulting in the compromise and takeover of the ADF.

CVE-2016-5019 is a deserialization attack vulnerability in the Dataset and General Application components of Oracle Retail Clearance Optimization Engine. An attacker could submit an untrusted, specially crafted serialized view state string with the potential to inflict DoS or execute arbitrary code on the target upon it being deserialized.

CVE-2019-12419 is a vulnerability in the token access services in the Order Broker Foundation component of Oracle Retail Order Broker that allows for authentication bypass, as it does not validate the authenticated principal of the clientId parameter in the request. If an attacker obtains a victim’s authorization code, they could obtain a valid access token for said victim. According to the CPU advisory, only version 15 of Oracle Retail Order Broker is affected.
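Because the paragraph above names the missing check but not what the check looks like, here is an added Python sketch (my code, not Oracle's or the upstream library's) of an authorization-code token exchange in two forms: one that trusts the clientId parameter on its own, and a hardened one that requires the authenticated client to be both the client named in the request and the client the code was issued to, with single use, expiry and redirect URI matching added. The class and client names (AuthorizationCodeStore, victim-app, evil-app) are constructed for the illustration.

```python
import secrets
import time


class AuthorizationCodeStore:
    """Minimal in-memory authorization-server state for the code grant.
    Each code remembers the client it was issued to, the user and redirect
    URI, when it was issued, and whether it has been redeemed."""

    CODE_LIFETIME_SECONDS = 60

    def __init__(self):
        self._codes = {}

    def issue_code(self, user, client_id, redirect_uri, now=None):
        code = secrets.token_urlsafe(24)
        self._codes[code] = {
            "user": user, "client_id": client_id, "redirect_uri": redirect_uri,
            "issued_at": time.time() if now is None else now, "used": False,
        }
        return code

    def exchange_unchecked(self, authenticated_client, code, client_id_param):
        """Flawed variant: the code's owner is compared with the clientId
        parameter only; the client that actually authenticated is ignored."""
        rec = self._codes.get(code)
        if rec is None or rec["client_id"] != client_id_param:
            raise PermissionError("invalid_grant")
        return self._mint_token(rec)

    def exchange(self, authenticated_client, code, client_id_param,
                 redirect_uri, now=None):
        """Hardened variant: authenticated principal == clientId parameter ==
        code owner; redirect URI must match; code unexpired and unused."""
        rec = self._codes.get(code)
        if rec is None:
            raise PermissionError("invalid_grant")
        if authenticated_client != client_id_param or rec["client_id"] != authenticated_client:
            raise PermissionError("invalid_client")
        if rec["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant: redirect_uri mismatch")
        t = time.time() if now is None else now
        if rec["used"] or t - rec["issued_at"] > self.CODE_LIFETIME_SECONDS:
            raise PermissionError("invalid_grant: code expired or already used")
        rec["used"] = True  # single use: a replayed code is refused
        return self._mint_token(rec)

    @staticmethod
    def _mint_token(rec):
        return {"access_token": secrets.token_urlsafe(32),
                "sub": rec["user"], "client_id": rec["client_id"]}


def demo():
    """Walk both variants through the scenario the advisory describes: a code
    issued to one client is presented by a different, authenticated client."""
    store = AuthorizationCodeStore()
    cb = "https://victim.example/cb"
    code = store.issue_code("alice", "victim-app", cb, now=1000.0)
    try:
        store.exchange_unchecked("evil-app", code, "victim-app")
        unchecked = "token issued to wrong client"
    except PermissionError:
        unchecked = "rejected"
    try:
        store.exchange("evil-app", code, "victim-app", cb, now=1001.0)
        checked = "token issued to wrong client"
    except PermissionError:
        checked = "rejected"
    legit = store.exchange("victim-app", code, "victim-app", cb, now=1002.0)
    try:
        store.exchange("victim-app", code, "victim-app", cb, now=1003.0)
        replay = "accepted"
    except PermissionError:
        replay = "rejected"
    return unchecked, checked, legit["sub"], replay


if __name__ == "__main__":
    print(demo())
```

The comparison that matters is the first one in `exchange`: whoever authenticated at the token endpoint must be the client named in the request, so a leaked code is only redeemable by the client it was issued to.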

Oracle System | CVE-2019-9636, CVE-2019-2729, CVE-2019-2725, CVE-2016-1000031

CVE-2019-9636 is a vulnerability caused by the improper handling of Unicode encoding (with an incorrect netloc) during Normalization Form Canonical Composition (NFKC) normalization in the Operating System Image component of Sun ZFS Storage Application Kit. An attacker could pass a specially crafted URL that could be incorrectly parsed, potentially disclosing information such as cookies, credentials and authentication data, which could then be passed to a different host when parsed correctly. Only version 8.8.6 of the Sun ZFS Storage Application Kit is affected, according to the January 2020 CPU Advisory.
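CVE-2019-9636 is the issue in Python's urllib.parse in which a URL whose netloc contains characters that become delimiters under NFKC normalization is parsed differently before and after normalization. As an added example (my code, modelled on the approach of the upstream fix, not the ZFS Storage Application Kit's or Oracle's code), the following Python reproduces that defensive check so it applies regardless of interpreter version; the URLs used as inputs are constructed test values.

```python
import unicodedata
from urllib.parse import urlsplit

# Delimiters that must never appear in a netloc once it is NFKC-normalized:
# any of them would move characters from the host into the path, query,
# fragment or userinfo on a second, normalized parse.
_NETLOC_DELIMITERS = "/?#@:"


def netloc_is_safe(netloc):
    """True unless NFKC normalization of the netloc introduces a delimiter.
    Delimiters already literally present are stripped first, so a normal
    'user@host:8080' passes; only characters that turn into one of them
    under normalization are caught."""
    if not netloc or netloc.isascii():
        return True
    stripped = netloc
    for ch in "@:#?":
        stripped = stripped.replace(ch, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return True
    return not any(ch in normalized for ch in _NETLOC_DELIMITERS)


def safe_urlsplit(url):
    """urlsplit() with the netloc check applied explicitly; raises ValueError
    on a URL whose host changes meaning after NFKC normalization. Patched
    interpreters already raise inside urlsplit() itself."""
    parts = urlsplit(url)
    if not netloc_is_safe(parts.netloc):
        raise ValueError(
            f"netloc {parts.netloc!r} contains invalid characters under NFKC normalization")
    return parts


def url_is_safe(url):
    """Boolean wrapper for callers that want to filter rather than raise."""
    try:
        safe_urlsplit(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a plain URL, an IDN host, and a host containing
    # U+FF03 (FULLWIDTH NUMBER SIGN), which NFKC turns into '#'.
    for u in ("https://example.com/a?b=1#c",
              "https://user@b\u00fccher.example:8443/",
              "https://example.com\uff03@bing.com"):
        print(repr(u), "->", "ok" if url_is_safe(u) else "rejected")
```

Applying this at the point where URLs from untrusted input are split, before any host-based allow-listing, stops the credential or cookie leakage the paragraph describes: a host that changes identity under normalization is rejected outright rather than parsed twice with two different answers.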

CVE-2019-2729 and CVE-2019-2725 are unspecified vulnerabilities in the WebLogic Server component of Tape Library Automated Cartridge System Library Software (ACSLS) highlighted as “easily exploitable.” An unauthenticated attacker could exploit this vulnerability requiring only network access via HTTP to compromise and take over the server. Only version 8.5 of the Sun ZFS Storage Application Kit is affected, according to the January 2020 CPU Advisory.

CVE-2016-1000031 is a remote code execution vulnerability found in Apache Commons FileUpload library in the Software component of Tape Library ACSLS. This vulnerability, which has historically been patched for other Oracle products, is easily exploitable, allowing an attacker to compromise the Tape Library ACSLS using HTTP requests.

Solution

Customers are advised to apply all relevant patches provided by Oracle in this CPU. Please refer to the January 2020 advisory for full details.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

CVE-2019-19781: Critical Vulnerability in Citrix ADC and Gateway Sees Active Exploitation While Patches are Still Not Available


Following the release of exploit scripts for a critical flaw in Citrix Application Delivery Controller (ADC) and Gateway, attackers launch attacks against vulnerable hosts, while Citrix announces release dates for patches.

Background

Attacks Increase After Exploit Scripts Released

On January 10, Tenable Security Response observed exploit scripts for CVE-2019-19781, a critical vulnerability in Citrix ADC and Gateway (formerly known as NetScaler ADC and NetScaler Gateway) had been published to GitHub. Soon after, reports of increased exploitation attempts against vulnerable hosts emerged.

According to SANS Internet Storm Center, the released exploit scripts have been “heavily used,” as they observed a spike in exploitation attempts against their honeypots.

Citrix Updates Support Article with Patch Release Dates

On January 11, Citrix updated their support article for the vulnerability, announcing plans to release patches for Citrix ADC and Gateway near the end of January.

Thousands of Citrix ADC and Gateway Endpoints Remain Vulnerable

On January 12, Troy Mursch, chief research officer at Bad Packets published a blog with statistics showing that over 25,000 Citrix ADC and Gateway endpoints were vulnerable to CVE-2019-19781. Mursch used BinaryEdge to scan over 60,000 endpoints. Vulnerable endpoints included those in government agencies, education, healthcare, utilities, banking, and “numerous” Fortune 500 companies.

At that time, Mursch found that there were vulnerable hosts in over 122 countries, which were outlined in a graphic:

Source: Over 25,000 Citrix (Netscaler) Endpoints Vulnerable to CVE-2019-19781 (Troy Mursch)

Attackers Can Obtain LDAP Passwords, Cookies from Vulnerable Hosts

On January 13, Rich Warren, principal security consultant at NCC Group, identified additional avenues of exploitation for attackers targeting vulnerable ADC and Gateway hosts. According to Warren, attackers have the capability to read the /flash/nsconfig/ns.conf file, which could contain hashed Active Directory/Lightweight Directory Access Protocol (LDAP) credentials, including SHA512 passwords which are “easily crackable” using hashcat.

Additionally, Warren notes that attackers could access authenticated cookies from the path “/var/stmp/sess_*”, which according to Warren can be reused by attackers.

On January 14, security researcher dozer published a blog detailing how one could decrypt values obtained from the Citrix configuration files, along with providing a Python script to perform the decryption.

On the same day, hashcat was updated with support for cracking the SHA512 hashes obtained from Citrix Netscaler in version 6.0.0.

Dutch Cybersecurity Centre Advises Shutting Down ADC and Gateway Servers, As Mitigation Steps Ineffective In Some Instances

On January 14, the Dutch National Cybersecurity Centre (NCSC) warned that many Dutch Citrix servers were vulnerable to attacks. On January 16, they published a follow-up saying the measures recommended by Citrix are “not always effective” as some of the mitigation steps don’t appear to work for certain devices.

Doubling down, the NCSC stressed that until a patch is available “there is currently no good, guaranteed reliable solution for all Citrix ADC and Citrix Gateway servers.” As a result, the NCSC made the recommendation to consider “switching off the Citrix ADC and Gateway servers” if the impact is acceptable. If not, they advise close monitoring for “possible abuse.”

Vigilante Applies Mitigation to Vulnerable ADC and Gateway Hosts, Maintains Backdoor

On January 16, researchers at FireEye published a blog regarding a peculiar observation in exploitation attempts against vulnerable ADC and Gateway hosts. According to FireEye, they’ve identified a threat actor that is blocking attempts to exploit the vulnerability, cleaning up previous malware infections on affected hosts, while also deploying their own backdoor called NOTROBIN.

The blog mentions that during one engagement, FireEye observed multiple threat actors had launched successful attacks against a vulnerable host. However, once NOTROBIN was installed on the host, they identified “more than a dozen exploitation attempts were thwarted by NOTROBIN.” FireEye concludes that the actor behind NOTROBIN compromising these devices may be doing so as they “prepare for an upcoming campaign.”

Proof of concept

There are currently several exploit scripts available on GitHub from TrustedSec, ProjectZeroIndia, and mpgn, as well as a script to check for vulnerable hosts from the United States Cybersecurity and Infrastructure Security Agency (CISA).

Vendor response

Since the publication of exploit scripts, Citrix has updated their support article multiple times, providing a timeline for patches, as well as additional information about newly affected products and a bug in certain releases of ADC that impacts the mitigation steps.

Following an investigation, Citrix says that CVE-2019-19781 also affects “certain deployments of Citrix SDWAN,” specifically the Citrix SD-WAN WANOP because they package it with Citrix ADC “as a load balancer.”

In addition to the newly affected product, Citrix has identified a bug affecting version 12.1 of Citrix ADC and Gateway that prevents their mitigation steps from blocking exploit attempts. According to Citrix, version 12.1 builds prior to 51.16/51.19 and 50.31 contain a bug that “affects responder and rewrite policies bound to VPN virtual servers.” If packets match policy rules the bug will prevent these systems from processing the packets. For those customers running a build of 12.1 prior to 51.16/51.19 or 50.31, it is recommended to update to a newer build in order to apply the mitigation steps until the patch is released on January 27.

Solution

At the time this blog was published, patches were still not available for this vulnerability. However, Citrix says they plan to release patches for Citrix ADC, NetScaler Gateway and SD-WAN WANOP before the end of January 2020.

The following table contains expected release dates of “refresh builds” for Citrix ADC and Gateway:

Product                | Version | Refresh Build | Release Date
Citrix ADC and Gateway | 11.1    | 11.1.63.x     | January 20, 2020
Citrix ADC and Gateway | 12.0    | 12.0.63.x     | January 20, 2020
Citrix ADC and Gateway | 12.1    | 12.1.55.x     | January 27, 2020
Citrix ADC and Gateway | 13.0    | 13.0.47.x     | January 27, 2020
Citrix ADC and Gateway | 10.5    | 10.5.70.x     | January 31, 2020

Separately, the following table contains expected release dates of the NetScaler releases for Citrix SD-WAN WANOP:

Product             | Version | NetScaler Release | Release Date
Citrix SD-WAN WANOP | 10.2.6  | 11.1.63.x         | January 27, 2020
Citrix SD-WAN WANOP | 11.0.3  | 11.1.63.x         | January 27, 2020

Identifying affected systems

Tenable Research has released a direct check plugin (ID 132752) to identify vulnerable assets in addition to our version check plugin, which can be found here. Note that the version check plugin requires enabling 'paranoid mode'.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

CVE-2020-0674: Internet Explorer Remote Code Execution Vulnerability Exploited in the Wild


Zero-day remote code execution vulnerability in Internet Explorer has been observed in attacks.

Background

On January 17, Microsoft released an out-of-band advisory (ADV200001) for a zero-day remote code execution (RCE) in Internet Explorer that has been exploited in the wild.

Analysis

CVE-2020-0674 is an RCE vulnerability that exists in the way the scripting engine handles objects in memory in Internet Explorer. Exploitation of this vulnerability could allow an attacker to corrupt memory and execute arbitrary code with the same level of privileges as the current user. If the current user has administrator-level privileges this would grant the attacker control of the system with the ability to view, edit or delete data, install programs or create accounts with privileges of their choosing.

To exploit this vulnerability, an attacker would need to host a maliciously crafted website designed to take advantage of this Internet Explorer flaw and then convince a target to visit it. A target could be lured to the website through social engineering, for example by embedding a link in an email, by compromising a legitimate website or forum, or by embedding the link in a file that supports script execution when opened, such as a Microsoft Office document, PDF file or HTML file.

This vulnerability was discovered by Clément Lecigne of Google’s Threat Analysis Group (TAG) and Ella Yu from Qihoo 360. In 2019 Clément also discovered a pair of zero-day vulnerabilities exploited together in the wild in Google Chrome (CVE-2019-5786) and Microsoft Windows (CVE-2019-0808), as well as a zero-day memory corruption vulnerability in Internet Explorer exploited in the wild (CVE-2019-1367).

Earlier this month, Qihoo 360 was credited with discovering a zero-day vulnerability in Mozilla Firefox exploited in the wild in targeted attacks. At the same time, reports emerged, based on a now-deleted tweet, that Qihoo 360 had also discovered an Internet Explorer zero-day. No information was available at that time, but it appears this was the vulnerability being referenced.

At the time this blog was published, no details had been made public regarding the in-the-wild exploitation of this vulnerability, though Microsoft says they are “aware of limited targeted attacks.”

The operating systems and Internet Explorer versions affected by this zero-day vulnerability are listed in the table below:

Product                Platform                                                     Impact                  Severity
Internet Explorer 10   Windows Server 2012                                          Remote Code Execution   Moderate
Internet Explorer 11   Windows 10 Version 1803 for 32-bit Systems                   Remote Code Execution   Critical
Internet Explorer 11   Windows 10 Version 1803 for x64-based Systems                Remote Code Execution   Critical
Internet Explorer 11   Windows 10 Version 1803 for ARM64-based Systems              Remote Code Execution   Critical
Internet Explorer 11   Windows 10 Version 1809 for 32-bit Systems                   Remote Code Execution   Critical
Internet Explorer 11   Windows 10 Version 1809 for x64-based Systems                Remote Code Execution   Critical
Internet Explorer 11   Windows 10 Version 1809 for ARM64-based Systems              Remote Code Execution   Critical
Internet Explorer 11   Windows Server 2019                                          Remote Code Execution   Moderate
Internet Explorer 11   Windows 10 Version 1909 for 32-bit Systems                   Remote Code Execution   Critical
Internet Explorer 11   Windows 10 Version 1909 for x64-based Systems                Remote Code Execution   Critical
Internet Explorer 11   Windows 10 Version 1909 for ARM64-based Systems              Remote Code Execution   Critical
Internet Explorer 11   Windows 10 Version 1709 for 32-bit Systems                   Remote Code Execution   Critical
Internet Explorer 11   Windows 10 Version 1709 for x64-based Systems                Remote Code Execution   Critical
Internet Explorer 11   Windows 10 Version 1709 for ARM64-based Systems              Remote Code Execution   Critical
Internet Explorer 11   Windows 10 Version 1903 for 32-bit Systems                   Remote Code Execution   Critical
Internet Explorer 11   Windows 10 Version 1903 for x64-based Systems                Remote Code Execution   Critical
Internet Explorer 11   Windows 10 Version 1903 for ARM64-based Systems              Remote Code Execution   Critical
Internet Explorer 11   Windows 10 for 32-bit Systems                                Remote Code Execution   Critical
Internet Explorer 11   Windows 10 for x64-based Systems                             Remote Code Execution   Critical
Internet Explorer 11   Windows 10 Version 1607 for 32-bit Systems                   Remote Code Execution   Critical
Internet Explorer 11   Windows 10 Version 1607 for x64-based Systems                Remote Code Execution   Critical
Internet Explorer 11   Windows Server 2016                                          Remote Code Execution   Moderate
Internet Explorer 11   Windows 7 for 32-bit Systems Service Pack 1                  Remote Code Execution   Critical
Internet Explorer 11   Windows 7 for x64-based Systems Service Pack 1               Remote Code Execution   Critical
Internet Explorer 11   Windows 8.1 for 32-bit systems                               Remote Code Execution   Critical
Internet Explorer 11   Windows 8.1 for x64-based systems                            Remote Code Execution   Critical
Internet Explorer 11   Windows RT 8.1                                               Remote Code Execution   Critical
Internet Explorer 11   Windows Server 2008 R2 for x64-based Systems Service Pack 1  Remote Code Execution   Moderate
Internet Explorer 11   Windows Server 2012                                          Remote Code Execution   Moderate
Internet Explorer 11   Windows Server 2012 R2                                       Remote Code Execution   Moderate
Internet Explorer 9    Windows Server 2008 for 32-bit Systems Service Pack 2        Remote Code Execution   Moderate
Internet Explorer 9    Windows Server 2008 for x64-based Systems Service Pack 2     Remote Code Execution   Moderate

Proof of concept

At the time this blog was published, no proof-of-concept (PoC) was available.

Solution

Microsoft has noted “Our standard policy is to release security updates on Update Tuesday, the second Tuesday of each month. This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers.” While Microsoft, at the time this blog was published, has no plans to release an out-of-band patch for this vulnerability, it would not be unheard of for them to do so, as was the case in September 2019 with the Internet Explorer memory corruption zero-day vulnerability, CVE-2019-1367.

Microsoft has highlighted a mitigation that applies to websites users have not added to the Internet Explorer Trusted sites zone; it reduces the likelihood of, but does not completely prevent, a user downloading and running content from a maliciously crafted website. The mitigation is provided by Internet Explorer Enhanced Security Configuration, a group of preconfigured settings that is enabled by default for Internet Explorer on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019.

Additionally, Microsoft has highlighted a workaround: restricting access to JScript.dll, the scripting engine used for websites that rely on JScript. Doing so may affect the functionality of components that depend on it. By default, Internet Explorer 11, Internet Explorer 10 and Internet Explorer 9 use Jscript9.dll, which is not affected by this vulnerability. The workaround steps can be found towards the end of Microsoft’s security advisory page. If implemented, the workaround should be reverted before the patch is installed once it is released.
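The two mitigations above leave state on a host that needs checking, both to confirm a fleet actually applied them and to revert the JScript.dll restriction before the patch is installed. The PowerShell below is an added example, not code from the Tenable post or from Microsoft's advisory. It assumes the JScript.dll workaround was applied as an explicit Deny entry for the Everyone principal (SID S-1-1-0) on jscript.dll, which is how Microsoft's published workaround restricts access, and it reads the IE Enhanced Security Configuration state from the Active Setup registry keys commonly used to toggle it; the script name, the `-Revert` switch and the function names are this example's own.

```powershell
<#
  Added example (not from the Tenable post or Microsoft's advisory):
  audits the CVE-2020-0674 mitigations on a Windows host and can remove the
  JScript.dll restriction again before patching.

  Assumptions not stated on the page:
    - The JScript.dll workaround was applied as an explicit Deny ACE for
      Everyone (S-1-1-0) on jscript.dll.
    - IE Enhanced Security Configuration state lives in the Active Setup keys
      {A509B1A7-...} (administrators) and {A509B1A8-...} (users), IsInstalled = 1.
  Run from an elevated PowerShell session; -Revert needs rights to change the ACL.
#>
[CmdletBinding()]
param(
    [switch]$Revert   # remove the Deny entry (do this before installing the patch)
)

$everyoneSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

# 64-bit Windows carries a second, 32-bit copy of jscript.dll under SysWOW64.
$dllPaths = @("$env:windir\System32\jscript.dll", "$env:windir\SysWOW64\jscript.dll") |
    Where-Object { Test-Path -LiteralPath $_ }

function Get-EveryoneDenyAces {
    param([System.Security.AccessControl.FileSystemSecurity]$Acl)
    # Enumerate explicit (non-inherited) rules with SID identities so the match
    # does not depend on the localized display name of "Everyone".
    $Acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -eq $everyoneSid.Value
        }
}

function Get-JScriptWorkaroundState {
    param([string]$Path)
    $acl  = Get-Acl -LiteralPath $Path
    $deny = @(Get-EveryoneDenyAces -Acl $acl)
    [pscustomobject]@{
        File    = $Path
        Applied = ($deny.Count -gt 0)   # Deny ACE present => workaround in place
        Owner   = $acl.Owner            # changes from TrustedInstaller after takeown
    }
}

function Remove-JScriptWorkaround {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in @(Get-EveryoneDenyAces -Acl $acl)) {
        [void]$acl.RemoveAccessRuleSpecific($ace)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-IeEscState {
    $base = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    $keys = [ordered]@{
        Administrators = "$base\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
        Users          = "$base\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"
    }
    foreach ($scope in $keys.Keys) {
        # Key is absent on client SKUs, so treat "missing" as "not enabled".
        $v = Get-ItemProperty -Path $keys[$scope] -Name IsInstalled -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Scope   = $scope
            Enabled = ($null -ne $v -and $v.IsInstalled -eq 1)
        }
    }
}

Write-Host 'IE Enhanced Security Configuration (server SKUs):'
Get-IeEscState | Format-Table -AutoSize

Write-Host 'JScript.dll access-restriction workaround:'
$dllPaths | ForEach-Object { Get-JScriptWorkaroundState -Path $_ } | Format-Table -AutoSize

if ($Revert) {
    foreach ($p in $dllPaths) { Remove-JScriptWorkaround -Path $p }
    Write-Host 'Deny entries removed; install the update, then re-run this check.'
}
```

Save it as, for example, Check-CVE-2020-0674-Workarounds.ps1 and run it without arguments from an elevated prompt to report state; run it with -Revert on the day the patch is deployed. Reverting requires that the account running the script can modify the ACL, which is the case for the administrator who took ownership when applying the workaround; Set-Acl will fail with a permission error otherwise rather than leaving the file in a half-changed state.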

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

What You Need to Know About Ethical Hacking

Ethical hacking, in which an organization uses the tools and practices of cyberattackers against their own systems, can be a valuable part of your cybersecurity strategy. 

Cybersecurity has been important, in some form or another, since the birth of the internet. In the early days, data breaches and hacks were relatively rare occurrences. But, now they are risks that impact all businesses, government agencies and nonprofit foundations. As a result, it's essential for all organizations to employ a variety of tactics to protect the integrity of their data and digital assets. 

Some of these strategies are standard operating procedure at this point – antivirus software, firewalls, encryption, vulnerability assessments, patch management and so on. Others are on the more unconventional end of the spectrum, yet they can be just as effective as their more standard counterparts in helping organizations bolster the efficacy of their cybersecurity. Ethical hacking firmly belongs in the latter category, and can have great value as part of your network security strategy.

Ethical hacking 411: From the Wild West to consulting gigs

According to the Infosec Institute, ethical hacking represents any effort by an organization's IT team (or third-party consultants) to replicate the actions attackers undertake to gain unauthorized access to the primary network. In so doing, the organization can discover and catalogue any vulnerabilities found in its security architecture and begin determining the best strategies for addressing those weak points. The practice is sometimes called white-hat hacking, as opposed to the malicious black-hat activities of those breaking into networks to get their hands on data, steal money or simply cause chaos.

If an ethical hacker suspected weak spots in a company's network and wanted to point them out altruistically, they would be expected to let the organization know well in advance and seek its approval. Simply put: For hacking to be ethical, it should be done legally. Many of those holding this vocation have earned the Certified Ethical Hacker designation, awarded by the International Council of Electronic Commerce Consultants, and comply with numerous corporate and government requirements.

The majority of modern white-hat hacking takes place in highly controlled settings. In addition to receiving expressly communicated permission from the organization to be ethically hacked, those engaging in such infiltration activities are expected to:

  • Immediately report on all flaws they uncover. 
  • Respect the privacy of the organization, its staff and customers or clients (or, in the case of a government or nonprofit, individuals benefiting from the organizations' services). 
  • Close any loopholes they open or exploit. 

The difference between penetration testing and ethical hacking

Ethical hacking is sometimes confused with penetration testing. Both are white-hat techniques that can provide major value in vulnerability assessments and cybersecurity upgrades. But, it's important to point out their primary distinction. The key difference is that penetration testing is largely focused on discovery and isolation of vulnerabilities, whereas ethical hacking, in stark contrast to what its name implies, is a process that makes room for what happens well after vulnerabilities are found:

  • In penetration testing, an engineer, coder or other expert attempts every possible method of breaking into the network of the organization they're working on behalf of, directly attacking all cyberdefenses currently in place (that are within scope). The point is to determine exactly where vulnerabilities are and what damage can be done once they're exploited. It's often conducted on a quarterly or annual basis.
  • Meanwhile, an ethical hacker - most likely called a cybersecurity/infosec consultant, or something along those lines - works not only to find weaknesses in the network architecture but also to develop new strengths within it to aid its future. Ethical hackers help determine the best practices for safeguarding whatever vulnerabilities are discovered and implement them as regular behaviors going forward. 

Key advantages of ethical hacking operations

As noted in Tenable Research's report Cyber Defender Strategies: What Your Vulnerability Assessment Practices Reveal, there's a disproportionate amount of research regarding cyberattackers' behavior, as opposed to insight into how security practitioners are responding. Thus, the biggest advantage of ethical hacking is it allows you to understand both the attacker and defender perspective. You can examine the anatomy of a cyberattack from both sides and gain a better sense of perspective. It can help an infosec team develop tools and strategies its members might not have thought of otherwise.

Include ethical hacking as part of a bigger toolbox

Ethical hacking is likely to become more prevalent in the future. The Black Hat Security Conference – a key gathering of white-hat hackers and cybersecurity experts, its name notwithstanding – celebrated its 20th anniversary two years ago. The prevalence of bug bounties further exemplifies the entrenchment and value of white-hat tactics. For example, companies are offering tens of thousands of dollars to ethical hackers who can find vulnerabilities before cyberattackers wreak havoc. Even more notably, they are increasingly hiring white hats for lucrative security gigs.

Bringing on a white hat as a full-time consultant or offering bounties to independent bug hunters shouldn’t be the only component of your cybersecurity strategy. Instead, make ethical hacking part of your larger toolbox, used in conjunction with periodic penetration tests and ongoing vulnerability assessment and management practices. 

Vulnerability scanning tools, such as Nessus Professional, are a critical element of an effective cybersecurity strategy, helping identify and carefully diagnose flaws in network security architecture.

Try Nessus Pro Free for 7 Days

WEF Report: Cyberattacks Rank Just Below Climate Change as an Existential Threat

The vast majority of respondents to the World Economic Forum’s Global Risks Perception Survey expect cyberattacks against infrastructure and cybertheft of money/data to increase in 2020. Here’s why you should care.

It’s no small irony that the publication of the Global Risks Report 2020 from the World Economic Forum (WEF) on January 15 happened to follow closely on the heels of one of the most alarming Microsoft Patch Tuesday announcements we’ve ever seen. 

The Microsoft disclosure of CVE-2020-0601 on January 14 hits at the very trust we have in today's digital computing environments — trust to authenticate binaries and trust that our ciphered communications are properly protected. The flaw would enable an attacker to exploit how Windows verifies cryptographic trust, enabling them to deliver executable code and making it look like it came from a trusted source. You can imagine its use in ransomware and phishing attacks on unpatched systems. 

Given the proliferation of ransomware and phishing attacks in 2019, it comes as no surprise to see the WEF report rank data fraud/theft at No. 6 and cyberattacks at No. 7 in its list of top 10 long-term risks in terms of likelihood over the next 10 years. These risks outrank water crises, global government failures and asset bubbles as causes of concern for WEF survey respondents. In terms of potential impact, the top 10 list ranks information infrastructure breakdown at No. 6 and cyberattacks at No. 8, with the latter cited as the second most concerning risk for doing business globally over the next 10 years.

The report is based on the WEF’s Global Risks Perception Survey, which reflects responses from 800 members of the Forum’s diverse communities. The report identifies two specific types of cyberattacks in its list of top 10 short-term global risks: attacks against infrastructure and theft of money/data. More than three quarters of respondents (76.1 percent) expect cyberattacks against infrastructure to increase this year, while 75.0 percent expect cybertheft of money/data to increase.  

[Figure: WEF Global Risks Report 2020, top 10 risks in terms of likelihood. Image: The World Economic Forum Global Risks Report 2020]

Attacks on critical infrastructure are particularly concerning when we consider how the convergence of IT and operational technology is expanding the attack surface. Norsk Hydro reported that it lost more than $50 million in its first quarter of 2019 following the LockerGoga attack. In recent years, losses from Shamoon, WannaCry and NotPetya were in the billions. If the financial losses aren’t enough, attacks on critical infrastructure also bring the potential for enormous human costs. The loss of power or water services has obvious consequences for human life, but we also need to consider how malicious tampering with operational controls across the public and private sectors can change ingredients in medications, foods or beverages, or manipulate critical components like automobile airbags or transportation logistics.

The WEF Global Risk Report, which was first issued in 2007, can be seen as a reflection of the evolving importance business leaders place on cyber risk. Between 2012 — when cyberattacks first appeared in the list of top five risks in terms of likelihood — and 2017, cyberattacks and data theft dropped in and out of the top five lists in terms of likelihood. This is the first year since 2017 that neither concern made the top five list of likely risks. We interpret this year’s top five as a reflection of the seriousness of climate issues, rather than an indication of any improvements in global cybersecurity since last year’s report. 

[Figure: WEF Global Risks Report 2020, top 10 risks in terms of impact. Image: The World Economic Forum Global Risks Report 2020]

CVE-2020-0601, the critical Microsoft CryptoAPI flaw, serves as a timely case in point. This is a serious vulnerability and, with POCs shared within hours of the announcement, we fully expect to see it exploited in the wild in the coming weeks and months. While we applaud the disclosure process followed by the U.S. National Security Agency and the rapid response to the vulnerability from Microsoft, we nonetheless expect to see continued attacks over the course of the year among organizations that do not patch their systems quickly. 

We hear time and again from our infosec customers about the difficulties they have in getting their business leaders to prioritize cybersecurity and take the necessary steps to treat cyberattacks as an existential threat, ranking just below total environmental collapse. We hope this blog post gives you the ammunition you need to make a case for implementing a risk-based approach to cyber exposure management.

If the WEF report findings aren’t enough, here are some other data points to consider:

  • For the first time, cyber incidents are ranked as the most important business risk globally among the 2,700 experts surveyed in 100 countries for the 9th annual Allianz Risk Barometer, supplanting business interruption as the No. 1 concern. Seven years ago, cyber risk ranked 15th, with only 6 percent of survey respondents citing it as an important business risk.
  • Nearly two thirds (62 percent) of global executives rank cyberattacks and threats as one of their organization’s highest risk-management priorities in 2020, according to the 2019 Marsh & McLennan Global Cyber Risk Perception survey of 1,500 business executives.
  • Cybersecurity ranks second only to the cloud when it comes to digital transformation investment priorities, according to Altimeter’s State of Digital Transformation 2018-2019 report, which is based on a survey of 554 business and IT professionals in North America, Europe and China. 

Yet, even as cyber risk has become more of a priority for organizations in recent years, the Marsh & McLennan report finds that confidence in an organization’s ability to manage the risk has declined. In addition, fully half of respondents said cyber risk is almost never a barrier to the adoption of new technology, even though 23 percent said that, for most new technologies, the risk outweighs potential business benefits.

The WEF 2020 Global Risks Report demonstrates how crucial it is for organizations to approach cyber risk with the same degree of analysis and consideration they apply to other existential threats. To that end, it’s incumbent upon all of us to learn what it means to take a cyber-first approach to all major business decisions. 

Efforts like the Microsoft Cybersecurity Tech Accord are an important step toward fostering a cyber-savvy future for organizations around the world. None of these issues can be solved in a vacuum. As with climate change, addressing the existential threat of cyberattacks requires a concerted and sustained effort across the public and private sectors. I’m honored to have had the opportunity to discuss these challenges and more on a Cybersecurity Tech Accord panel session today during the World Economic Forum in Davos, Switzerland. It served as an open forum to discuss industry responsibility and how we must collectively work together to solve 21st century cybersecurity challenges.

Learn more: