Channel: Tenable Blog

Oracle April 2020 Critical Patch Update Includes Record-Breaking 397 Security Updates


Oracle’s second Critical Patch Update of 2020 addresses 450 CVEs across a record-breaking 397 security patches, including critical vulnerabilities in Oracle Fusion Middleware products.

Background

On April 14, Oracle released its Critical Patch Update (CPU) Advisory for April 2020 as part of its quarterly release of security patches. This update contains fixes for 450 CVEs in 397 security patches across multiple Oracle products. This quarter’s update smashes the previous record of 334 patches, which the January 2020 and July 2018 updates had shared.

Oracle CPU for April 2020 Security Patches

Analysis

This quarter’s CPU includes more than 30 critically rated CVEs across a wide range of Oracle products. The following is the full list of product families with vulnerabilities addressed in this month’s release along with the number of patches released.

Oracle Product Family                      Number of Patches
Oracle E-Business Suite                    74
Oracle Fusion Middleware                   51
Oracle MySQL                               45
Oracle Communications Applications         39
Oracle Financial Services Applications     35
Oracle Retail Applications                 27
Oracle Virtualization                      19
Oracle Knowledge                           16
Oracle Java SE                             15
Oracle PeopleSoft                          14
Oracle Construction and Engineering        12
Oracle Systems                             9
Oracle Database Server                     8
Oracle Enterprise Manager                  7
Oracle GraalVM                             5
Oracle JD Edwards                          4
Oracle Supply Chain                        4
Oracle Hyperion                            3
Oracle Health Sciences Applications        2
Oracle Support Tools                       2
Oracle Utilities Applications              2
Oracle Food and Beverage Applications      1
Oracle Siebel CRM                          1
Oracle Global Lifecycle Management         1
Oracle Secure Backup                       1

Solution

Customers are advised to apply all relevant patches provided by Oracle in this CPU. Please refer to the April 2020 advisory for full details.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.


Designing IT Infrastructure for a Distributed Workforce: Insights from a CIO


As remote work becomes the rule rather than an exception, organizations need new ways of thinking about IT. Here are some steps you can take to deliver on the promise of a distributed workforce.

Over the past several weeks, organizations have confronted the challenge of adapting their technical infrastructure to support a newly remote workforce. While many aspects of the COVID-19 response are certainly unprecedented, the global work-from-home experiment is accelerating trends that were already well underway in the world of IT. 

Unlike most business units, IT professionals are conditioned to anticipate the most unlikely or edge-case scenarios, in order to develop resilient technical systems. As Tenable’s first CIO, I’ve worked closely with teams across the organization to support a remote and agile workforce from day one.

Through the delicate alchemy of matching people, process and technology, we’ve found that IT can become its own competitive differentiator for a company, especially in the face of uncertain macroeconomic headwinds. Here are a few of the key components that enable us to deliver on this vision.

Run IT like a service

Upon joining Tenable in 2015, my goal was to rethink the traditional approach to IT. Too often, draconian policies create unnecessary delays that can stifle innovation and lead to rigid organizations. Instead, we strive to run our IT operations like a service for Tenable employees. Our mission is to continually simplify, streamline and standardize the working experience no matter where in the world our colleagues might be working, or what devices they are using. In other words, eliminate any technical barriers that get in the way of people doing their jobs.

Prioritize off-premises solutions

The rise of cloud-based services is crucial to delivering on the promise of distributed workforces. Thanks to software-as-a-service (SaaS) vendors that specialize in things like email and file storage, organizations no longer have to run their operations through bespoke data centers or on-premises file servers. But off-prem isn’t just a cost-saving measure that lets you focus more resources on core business competencies. These solutions also support greater agility and scale in situations where traditional connections (e.g., a wide-area network [WAN]) quickly become a bottleneck as large groups (not to mention your entire staff) begin to work remotely.

Limit access to virtual private networks

VPNs are another potential bottleneck for distributed workforces. The long-favored security tool acts as an encrypted “tunnel” that protects data running between remote computers and the company’s private network. But VPNs are limited by the same local network bandwidth, which strains as a greater portion of your employee base works from home. Wherever possible, restrict direct access to your corporate network to only the most critical functions and double down on your SaaS protocols. Single sign-on (SSO) identity management facilitates ease of use and ongoing maintenance, while multifactor authentication provides a much-needed layer of additional security.

Encourage adoption of collaborative systems

Distributed workforces require new tools that foster collaboration in lieu of the social interactions that typically occur within a physical workplace. At Tenable, we support our teams with the most cutting-edge SaaS collaboration solutions, such as Google Docs and Slack messenger. We use Fuze, an IP telephony platform, to enable a phone number to ring anywhere in the world and not be tied to a single physical location. Sometimes these services are bundled into a single platform, or unified communications as a service (UCaaS), though many IT teams still use a selective mix of vendors.

Partner with internal and external peers

Since virtually every department relies on an organization’s technical infrastructure, it’s crucial for IT leaders to maintain a direct line to all areas of the business. Many CIOs work closely with security. At Tenable, I typically speak with our CSO, Bob Huber, twice a day about the latest changes in the attack landscape and how they affect our infrastructure. This same spirit should extend to other business leaders as well as your external vendors and industry peers. As CIO, my job is to continually ask if there’s a better way to do things, and that requires ongoing communication with all relevant stakeholders and the industry at large. 

Brace for more change

During my nearly 25 years as an IT professional, I’ve rarely done the same thing more than four years in a row. As the information ecosystem evolves, it’s crucial to keep your ear to the ground and surround yourself with people who challenge your orthodoxy. While switching costs might be high, so are the risks of not adapting your systems to keep pace with the times. Remain perpetually open to being proven wrong, for the only guarantee is that the next wave of IT solutions is just around the corner.

For more information on how to secure your business during the challenging COVID-19 response, visit our Tenable resource page on protecting your remote workforce.

What Is VPR and How Is It Different from CVSS?


This blog series will provide an in-depth discussion of vulnerability priority rating (VPR) from a number of different perspectives. Part one will focus on the distinguishing characteristics of VPR that make it a more suitable tool for prioritizing remediation efforts than the Common Vulnerability Scoring System (CVSS).

What is VPR?

Vulnerability priority rating (VPR), the output of Tenable Predictive Prioritization, helps organizations improve their remediation efficiency and effectiveness by rating vulnerabilities based on severity level – Critical, High, Medium and Low – determined by two components: technical impact and threat. 

Technical impact measures the impact on confidentiality, integrity and availability following exploitation of a vulnerability. It is equivalent to the CVSSv3 impact subscore. The threat component reflects both recent and potential future threat activity against a vulnerability. Some examples of threat sources that influence VPR are public proof-of-concept (PoC) research, reports of exploitation on social media, emergence of exploit code in exploit kits and frameworks, references to exploitation on the dark web and hacker forums and detection of malware hashes in the wild. Such threat intelligence is key in prioritizing those vulnerabilities that pose the most risk to an organization.

VPR is designed for vulnerability prioritization

The CVSS framework has long been criticized for its inability to prioritize vulnerability remediation effectively and efficiently. This is mainly due to the fact it was designed to measure the technical severity of vulnerabilities rather than the risk they pose. A report published by Carnegie Mellon University [CMU2019] points out:

The Common Vulnerability Scoring System (CVSS) is widely misused for vulnerability prioritization and risk assessment, despite being designed to measure technical severity.

One of the often criticized issues, when it is used for vulnerability remediation, is the large proportion of High and Critical vulnerabilities in the CVSS rating. At the time this blog post was written, there were more than 16,000 vulnerabilities rated as 9.0 or higher (per CVSSv2) – accounting for 13% of all vulnerabilities. CVSSv3, the latest major version of CVSS, does not improve on this issue. Over 60,000 vulnerabilities have been rated by CVSSv3 since its release in June 2015. Around 9,400 CVSSv3 vulnerabilities were rated as 9.0 or higher – accounting for 16% of all CVSSv3 vulnerabilities. When a large percentage of vulnerabilities are deemed critical, prioritization is cumbersome. 

Figure 1. Compare CVSSv3 and VPR vulnerability distributions by criticality ratings

VPR is designed to avoid this type of issue by incorporating threat information into its formula. The chart above compares the vulnerability distribution of VPR and CVSSv3. Due to the dynamic nature of threats, the number of VPR Criticals changes slightly every day. On an average day, VPR rates around 700 vulnerabilities as Critical, and fewer than 5,000 as High. These numbers account for less than 1% and 4%, respectively, of all vulnerabilities. With fewer Critical vulnerabilities to focus on, security teams can design vulnerability remediation plans more efficiently. 

A natural question to ask at this stage is that of efficacy: How many risky vulnerabilities can be captured by VPR? The remainder of this blog post will compare the efficacy of VPR and CVSSv3 in identifying risky vulnerabilities. But first, we will examine how VPR is generated.

VPR: Under the hood

At the heart of VPR are machine learning models working together to forecast threats. Specifically, the threat forecast seeks to answer the question: What is the appropriate level of near-term threat for a vulnerability based on the latest available data? To train the VPR models to answer this question, they are fed historical data sourced from various feeds:

  • Threat intelligence feeds provide information on exploits and attacks relating to vulnerabilities, such as observations of Indicators of Compromise (IoC), references to exploitation on the dark web, reports of exploitation on social media or code repositories and so on. They provide VPR with information about which vulnerabilities are potentially linked to exploitation and which have been under active attack.
  • Exploit repositories/kits provide information on exploit code maturity. Different levels of maturity (from PoC to weaponized) contribute differently to the threat.
  • Vulnerability repositories and security advisories provide intrinsic vulnerability characteristics that may also be correlated with the threat. 

Collectively, this raw data is fed to the VPR pipeline on a daily basis. The VPR score (9.6 in the example below) is generated by combining the predicted threat and the impact (taken from the CVSSv3 impact score) for each vulnerability. Figure 2 illustrates this process.

Figure 2. VPR Pipeline

Comparing VPR with CVSS for vulnerability remediation

Comparative analyses highlight that a remediation strategy based on VPR can have higher efficacy than a CVSS-based approach. 

VPR prioritizes vulnerabilities with emerging exploitation

Taking a proactive stance against emerging threats can help security teams attain a time buffer for hardening their attack surface. One example of proactive defense is to frequently scan the network and patch every vulnerability classified as CVSS Critical in the remediation window. This approach can lead to high efficacy in network hardening, but is usually difficult to execute due to the sheer volume of vulnerabilities falling into this category. 

VPR is designed to prioritize vulnerabilities with a higher likelihood of being targeted by threat actors in the near term while filtering out those deemed to be less risky. This is the predictive nature of VPR. At this point, one might be curious about how predictions are made. There is no magic here! VPR’s prediction is based on a simple rule: The evolution of the threat for a vulnerability in the wild will typically follow the same pattern as similar vulnerabilities have followed in the past. 

In the following tables, we show that remediation strategies designed to follow VPR can achieve the same level of efficacy as fixing all CVSS Criticals with much higher efficiency. Here, we use the ability to identify vulnerabilities with IoC in the next 28 days to benchmark VPR against CVSSv3. IoCs are artifacts that are often considered strong evidence of exploitation. They include malware hashes, IP addresses, URLs and so on. We obtain IoCs from commercial data providers such as ReversingLabs and VirusTotal.

Table 1. The number of vulnerabilities with IoC spotted in the wild in the next 28 days for VPR (left) and CVSSv3 (right)

False - No IoC spotted in the 28 days after VPR is calculated
True - IoC spotted in the 28 days after VPR is calculated

The above tables compare the performance of VPR (left) with CVSSv3 (right) for predicting vulnerabilities with threat in the next 28 days. The VPR scores used in this example are taken from January 2020 and the vulnerabilities’ IoCs are collected from the 28-day period after VPR was generated. VPR High and Critical have similar coverage to CVSSv3 for identifying vulnerabilities with IoCs. In other words, both strategies capture a similar number of vulnerabilities with actual IoCs in the next four weeks: 365 out of 428 for VPR High and Critical, 376 for CVSS High and Critical.

However, VPR is far more efficient than CVSSv3 at predicting vulnerabilities with IoCs in the next 28 days. Comparing the two, there are 26% VPR Critical and 17% VPR High versus just 1% for both CVSSv3 Critical and High. Remediating the top 1,500 VPR scores is as efficacious as remediating the top 33,000 CVSSv3 scores – approximately 22 times more efficient.
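The benchmark described above, as an added example that is not part of the original post: given each vulnerability's VPR band, CVSSv3 band and whether an IoC appeared in the following 28 days, it computes the two quantities the comparison rests on (coverage, i.e. how many IoC-bearing vulnerabilities the chosen bands capture, and hit rate, i.e. how many of the chosen vulnerabilities actually had an IoC) and the workload ratio behind the "times more efficient" figure. The sample records and their CVE-style identifiers are constructed placeholders.

```python
"""Benchmark two rating schemes on a constructed 28-day IoC window.

A remediation strategy is judged on the two axes used in the post:
  coverage  (recall)    - share of all IoC-bearing vulns the chosen bands capture
  hit rate  (precision) - share of vulns in the chosen bands that had an IoC
The workload ratio reproduces the "N times more efficient" comparison.
"""
from dataclasses import dataclass

BANDS = ("Critical", "High", "Medium", "Low")


@dataclass(frozen=True)
class Vuln:
    cve: str         # placeholder identifier (constructed, not a real CVE)
    vpr_band: str    # VPR severity band at scoring time
    cvss_band: str   # CVSSv3 severity band
    ioc_28d: bool    # IoC observed in the 28 days after scoring


# Constructed sample data; identifiers and outcomes are illustrative only.
SAMPLE = [
    Vuln("CVE-0000-0001", "Critical", "Critical", True),
    Vuln("CVE-0000-0002", "Critical", "High", True),
    Vuln("CVE-0000-0003", "Critical", "Critical", False),
    Vuln("CVE-0000-0004", "High", "Critical", True),
    Vuln("CVE-0000-0005", "High", "High", False),
    Vuln("CVE-0000-0006", "High", "Medium", False),
    Vuln("CVE-0000-0007", "Medium", "Critical", False),
    Vuln("CVE-0000-0008", "Medium", "Critical", False),
    Vuln("CVE-0000-0009", "Medium", "High", False),
    Vuln("CVE-0000-0010", "Low", "Critical", False),
    Vuln("CVE-0000-0011", "Low", "High", False),
    Vuln("CVE-0000-0012", "Low", "Low", True),
]


def _band(v, scheme):
    """Select the band under the given scheme ('vpr' or 'cvss')."""
    return v.vpr_band if scheme == "vpr" else v.cvss_band


def band_table(vulns, scheme):
    """Per-band (total, with_ioc) counts: the shape of Table 1 in the post."""
    table = {b: [0, 0] for b in BANDS}
    for v in vulns:
        row = table[_band(v, scheme)]
        row[0] += 1
        row[1] += int(v.ioc_28d)
    return {b: tuple(r) for b, r in table.items()}


def workload(vulns, scheme, bands):
    """How many vulnerabilities a team must remediate to act on these bands."""
    return sum(1 for v in vulns if _band(v, scheme) in bands)


def hit_rate(vulns, scheme, bands):
    """Precision of the strategy: IoC-bearing vulns / vulns in the chosen bands."""
    chosen = [v for v in vulns if _band(v, scheme) in bands]
    return sum(v.ioc_28d for v in chosen) / len(chosen) if chosen else 0.0


def coverage(vulns, scheme, bands):
    """Recall of the strategy: captured IoC-bearing vulns / all IoC-bearing vulns."""
    with_ioc = [v for v in vulns if v.ioc_28d]
    hit = [v for v in with_ioc if _band(v, scheme) in bands]
    return len(hit) / len(with_ioc) if with_ioc else 0.0


def efficiency_ratio(vulns, vpr_bands, cvss_bands):
    """Vulns the CVSS strategy fixes per vuln the VPR strategy fixes."""
    return workload(vulns, "cvss", cvss_bands) / workload(vulns, "vpr", vpr_bands)


def report(vulns, bands=("Critical", "High")):
    """Side-by-side summary for one remediation strategy (default: fix C+H)."""
    bands = set(bands)
    lines = []
    for scheme in ("vpr", "cvss"):
        lines.append(f"{scheme.upper():5} bands={sorted(bands)} "
                     f"workload={workload(vulns, scheme, bands)} "
                     f"hit_rate={hit_rate(vulns, scheme, bands):.2f} "
                     f"coverage={coverage(vulns, scheme, bands):.2f}")
    lines.append(f"CVSS/VPR workload ratio: {efficiency_ratio(vulns, bands, bands):.2f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```

On the constructed sample both strategies reach the same coverage, but the VPR bands do it with a smaller workload and a higher hit rate, which is the shape of the comparison the post draws from Table 1.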

VPR prioritizes vulnerabilities with known exploit code

Having highly mature exploit code increases the likelihood that cybercriminals will use the vulnerability in a cyberattack. Hence, it is important for VPR to prioritize vulnerabilities with publicly available exploit code. Note that the classification of exploit code maturity used in this analysis follows the CVSS convention. In summary, high maturity means functional, autonomous exploit code exists; functional means the exploit code is weaponized; and PoC means the exploit code works, in theory. More details can be found in the CVSSv3 specification [CVSSv3]. We source exploit code from multiple repositories and exploit kits, such as Metasploit, Core Impact, Exploit DB, D2 Elliot and Packet Storm, just to name a few.

Figure 3 compares the proportion of vulnerabilities with known exploit code available for VPR and CVSSv3. More than half of VPR Critical vulnerabilities (54%) have public exploit code (i.e., high, functional and PoC) versus 15% for CVSS Critical vulnerabilities. This shows that prioritizing vulnerabilities using VPR will reduce the risk posed by vulnerabilities with exploit code on the web.

Figure 3. Proportion of vulnerabilities in each criticality band broken out by exploit code maturity for VPR (top) and CVSSv3 (bottom)

The next question to ask is: What proportion of vulnerabilities with high and functional exploit code is captured by VPR? In other words, what is the coverage of VPR for vulnerabilities with highly mature exploit code? Figure 4 compares the proportion of VPR and CVSS criticalities for all levels of exploit code maturity: 

  • Vulnerabilities with higher exploit code maturity (high and functional) are mostly captured by Critical and High vulnerabilities in VPR. This is similar to CVSS. But, considering the large number of CVEs being rated as Critical and High in CVSSv3, VPR is more effective at prioritizing vulnerabilities with known exploit code. 
  • The distribution of VPR criticality is very different for vulnerabilities with higher maturity exploit code (i.e., high and functional) than lower maturity (i.e., PoC and unproven). Most vulnerabilities with PoC exploit code are rated as Medium VPR. And, VPR scores vulnerabilities with unproven exploit code as Low. On the other hand, CVSSv3 has a more even distribution across all exploit code maturity levels. This shows from a different angle that VPR High and Critical are more strongly correlated to high/functional exploit code maturity than CVSS High and Critical.

Figure 4. Proportion of vulnerabilities in each exploit code maturity band broken out by vulnerability criticality levels: VPR (top) and CVSSv3 (bottom)


VPR prioritizes vulnerabilities with escalated exploit code maturity

IoCs provide direct evidence of exploitation, but are not the only sign of threats. Another signal is when there is active research for how to exploit a vulnerability: Exploit code of a vulnerability becomes available or has escalated maturity. 

Table 2. The number of vulnerabilities with escalated maturity of exploit code in the next 28 days by VPR (top) and CVSSv3 (bottom)

Table 2 compares the efficacy of VPR with CVSS for capturing vulnerabilities where exploit code maturity escalated to PoC, functional or high, respectively, in the 28 days after VPR scoring. These are the vulnerabilities under active exploitation research in this period. The rows in the tables relate to vulnerability criticality. The columns relate to exploit code maturity. The values in the cells represent the number of vulnerabilities with escalated or maturing exploit code in the 28 days after VPR scoring. For example, four vulnerabilities rated as VPR Critical had their exploit code maturity escalate to high in the next 28 days. Here’s our analysis:

  • VPR has a higher hit rate than CVSSv3 when predicting vulnerabilities for which exploit code maturity will escalate to high in the 28 days after the VPR scoring. Of the eight vulnerabilities in this category, VPR rated four as Critical compared to two for CVSS. 
  • Not all levels of exploit code maturity are treated equally by VPR. VPR Critical emphasizes vulnerabilities with higher maturity levels: 
    • 50% (four out of eight) of the vulnerabilities escalated to high are rated as VPR Critical.
    • 30% (two out of six) of the vulnerabilities escalated to functional are rated as VPR Critical.
    • Only 4% (one out of 24) of the vulnerabilities escalated to PoC are rated as VPR Critical. 
  • Contrast this with CVSSv3 Critical, which contains a mix of maturity levels: 25% for high, 50% for functional and 21% for PoC. 
  • CVSSv3 has higher coverage in capturing vulnerabilities with escalating exploit code: More vulnerabilities rated CVSSv3 Critical and High have higher exploit code maturity than VPR Critical and High: 
    • In total, 31 vulnerabilities with escalating exploit code maturity are rated CVSSv3 Critical or High. Among them, exploits of seven vulnerabilities are escalated to high maturity, four to functional and 20 to PoC. 
    • In total, 11 vulnerabilities with escalating exploit code maturity are rated VPR Critical or High. Among them, exploits of five vulnerabilities are escalated to high maturity, two to functional and four to PoC.

So, where patching vulnerabilities with escalating exploit code is the goal, a good strategy would be to prioritize first by VPR Critical to get a high hit rate, and then by CVSS High and Critical, in turn, to increase coverage.

Summary

In this post, we have discussed VPR and what makes it more than just another CVSS. In summary:

  • VPR is designed for vulnerability remediation prioritization. Its scoring formula takes into account both technical characteristics and threat intelligence.
  • VPR is more efficient than CVSSv3 at predicting vulnerabilities under threat:
    • For hardening your network against emerging exploitation in the wild, prioritizing vulnerabilities based on ~400 VPR Critical can reach the same level of efficacy as ~9,000 CVSSv3 Critical. 
    • For hardening your network against vulnerabilities with known exploit code, prioritizing vulnerabilities based on ~1,500 VPR Critical and High can reach the same level of efficacy as 33,000 CVSSv3 Critical and High. 
    • For hardening your network against vulnerabilities with escalating exploit code maturity, first prioritize using VPR Critical vulnerabilities to get a high hit rate, and then by CVSS High and Critical to increase coverage. 

Get more information

References

[CMU2019] J.M. Spring, E. Hatleback, A. Householder, A. Manion, D. Shick, Towards Improving CVSS, White Paper, 2019
[CVSSv3] Common Vulnerability Scoring System version 3.1: Specification Document

How to Deploy Nessus Agents to Remote Assets


Nessus Agents are essential to help secure remote endpoints against dangerous vulnerabilities and misconfigurations. This post offers guidance on how to streamline agent deployment at scale.

As organizations respond to the COVID-19 pandemic by enabling vast numbers of employees to work from home, security teams need to ensure their computing devices aren’t introducing excessive risks when they connect to corporate networks. Agent-based scanning is an essential capability to gain visibility into vulnerabilities, misconfigurations and other security issues on remote devices. However, one common challenge that security and IT teams face is how best to configure and deploy agents without physical access to the actual device. 

Fortunately, you can overcome this hurdle with Nessus Agents, which are fully scriptable to easily deploy across multiple systems with minimum effort. Tenable Professional Services published a comprehensive deployment guide to provide you with best practices for deploying Nessus Agents in a distributed environment, including example scripts you can use for common configuration and deployment platforms. Since remote employees rarely have root- or admin-level account privileges on their devices, deployment scripts are essential to automate the agent installation and deployment process without any user intervention.

Three tips to deploy Nessus Agents to remote endpoints

Here are three tips to streamline Nessus Agent deployment to remote endpoints:

  1. Carefully stage agent rollouts. If endpoints are connected to corporate VPNs, mass deployment of agents may saturate bandwidth during the initial download and subsequent plugin updates. It is important to stage the agent rollout to avoid possible network performance issues.
  2. Take advantage of command-line syntax. Nessus Agents support command-line instructions to enable unattended agent installs. You can link agents, specify agent groups and even install plugins before linking to reduce network congestion during a mass installation. You can find command-line syntax examples in the Nessus Agent user guide (Windows, Linux and Mac OS X).
  3. Deploy agents through orchestration platforms. Nessus Agent deployment and configuration can be fully scripted, so that you can deploy across multiple systems and endpoints with minimal effort. All this can be done without needing to create additional administrator or service accounts on the network. Going forward, Nessus Agents can also be proactively deployed as part of a base image, so that agent installation is bundled with new OS deployments.

Get more information

New to agent scripting? Tenable Professional Services has published several articles for deploying agents via commonly used configuration and deployment platforms. Please note that Tenable does not provide support for any third-party software mentioned below. The examples should be used as guidelines only and amended to comply with your organization’s operational procedures.

For more information, download the Nessus Agent Professional Services Deployment Guide.

Planning a large-scale deployment (>10,000 hosts or endpoints)? Read the Nessus Agent Large-Scale Deployment Guide.

You can also learn more about remote workforce security considerations and access product education resources in our Protecting Your Remote Workforce solution center.



How to Protect Yourself from Software Vulnerabilities


Identifying software vulnerabilities is essential in protecting your business against cybersecurity threats. From ransomware to data heists, a wide range of attack types use software vulnerabilities as an entry point into IT configurations.

Dealing with security vulnerabilities requires identifying them in the first place. Before you can start to develop strategies for identifying weak points in your configuration, it's important to first assess the different types of weak points that commonly emerge and how you can stay on top of them.

Common large-scale vulnerabilities (and how to deal with them)

There's a great deal that can go wrong with software, giving attackers an opportunity to access data or get into your network. A few of the most common vulnerabilities include:

Zero-day threats

These are often the most challenging of the common vulnerabilities to deal with, but the good news is that it isn't up to you to discover zero-day threats. These vulnerabilities are exploitable problems within an application or software system that can be used to penetrate a network or access data a person isn't permitted to retrieve.

While this is typical of most software vulnerabilities, a zero-day threat is unique because it is not yet fully understood. A zero-day vulnerability is a weak point in an asset that has just been discovered by the security community. Attackers may already be exploiting it or could be capable of using it before security teams have a chance to resolve the issue.

The challenge comes when a zero-day threat is a software vulnerability that requires an update or patch to address. In these instances, you need to wait for the software provider to solve the problem and release an update. Then, you have to patch the vulnerability before attackers recognize the weakness and take advantage of it.

Working with cybersecurity providers that identify zero-day threats, alert you to the weaknesses, and provide guidance on the risk level can help you make an informed decision about how to deal with the problem.

Bugs/glitches

In the case of bugs or glitches, the software behaves differently from how it is meant to when a user takes an action. This can happen because of problems in the code that cause a different action to be completed than the one indicated in the user interface. Problems in code can be difficult to identify, especially as the individuals trying to fix them need to replicate the specific actions a user took before experiencing the bug in order to confirm the problem.

Vulnerability scanners are critical in addressing bugs and glitches because they can analyze assets to identify flaws. 

Configuration errors

Software can become vulnerable if it is misconfigured. For example, if a database is designed to follow a specific workflow to publish data to an internal server where users can access it, but an infrastructure change alters the port setup on host systems, it may incorrectly attach that database to a public website. In this case, the software becomes a point of vulnerability because it is sending data to a place that compromises its security.

This is another area where penetration testing and vulnerability assessment solutions are vital. These technologies can automatically track how data moves between systems when used by software and recognize when a problem arises. Nessus accomplishes this task by supporting specific configuration scans based on industry-standard benchmarks such as Center for Internet Security (CIS), Defense Information Systems Agency (DISA) and similar compliance benchmarks.

Discovering and isolating specific vulnerabilities

Other flaws are much more specific to particular aspects of your IT infrastructure. However, the damage they can cause makes them loom large:

SQL and OS command injection vulnerabilities

Lines of SQL code and OS commands tell an application where to move information or when to trigger a specific action. When vulnerabilities exist in this code, attackers can inject replacement code into the system, telling the application to reroute data to the attacker or to take a specific action counter to its base programming.

Vulnerability scanners will identify SQL or OS command injection vulnerabilities in the same way they handle most bugs or glitches.
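As an added illustration (not part of the original post) of why injection works and what the fix looks like: the query built by pasting untrusted input into the statement text beside its parameterized replacement, run against a constructed in-memory SQLite table. The table, its rows and the crafted input are all constructed for the demonstration.

```python
"""Vulnerable string-built SQL query beside its parameterized replacement.

Both lookups run against the same constructed in-memory SQLite table so the
difference in behaviour on hostile input is directly observable.
"""
import sqlite3


def make_db():
    """Build a small constructed users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Untrusted input becomes part of the statement text, so the query's
    logic is whatever the input says it is: the injection the post describes."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, name):
    """Untrusted input travels as a bound parameter and is only ever compared
    as a value; it can never alter the statement's structure."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed input: a quote closes the literal and a tautology follows it.
UNTRUSTED = "nobody' OR '1'='1"


def demo():
    """Run both lookups on the hostile input and a legitimate one."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, UNTRUSTED),  # every row leaks
        "hardened": lookup_hardened(conn, UNTRUSTED),      # no such user
        "legit": lookup_hardened(conn, "alice"),           # normal use still works
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:10} -> {rows}")
```

The hardened version is also what a code review or SAST rule should look for: any query whose text is assembled from request data, rather than bound through parameters, is the flaw the scanner is reporting.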

Buffer overflow

Applications are typically designed with buffers: fixed-size regions of memory that hold a certain amount of data. A buffer overflow attack pushes more data into a buffer than it can hold, overwriting adjacent memory; this can cause data to be lost or stolen and potentially compromise the system.

Dealing with buffer overflow vulnerabilities is a matter of identifying the compromised code causing the issue and resolving it. Using a vulnerability assessment solution that can analyze the software for you will make the process much easier.

Vulnerability assessment is essential for cybersecurity

The wide range of vulnerability types – not to mention the diverse ways attackers can target them – make vulnerability assessment a critical component of any cybersecurity practice. Continually assessing your network for security vulnerabilities can help you with everything from preventing unauthorized access to applications to identifying underlying software flaws that expose sensitive data.

Vulnerability scanners help you identify flaws or weaknesses, making it easier to figure out if your systems have common vulnerabilities or rare flaws that need to be addressed. Either way, consistent vulnerability assessments promote stronger security and help you get ahead of zero-day threats.

Tenable is committed to advancing vulnerability assessments. We have identified more than 100 zero-day threats in the last year and release new plugins to provide key information on vulnerabilities within 24 hours of their disclosure.

With Nessus, you can gain control over your software systems and identify security weaknesses and flaws quickly – so you can address issues before attackers can take advantage of these vulnerabilities. 

With industry-leading vulnerability assessment capabilities available, Tenable can help you take your cybersecurity to the next level.

Start Your Free Nessus Trial

How to Manage Your Nessus Software Updates

Learn how to take advantage of the newest features in Nessus 8.10 to get greater control over your Nessus experience. 

Manual or automated – that is the question. Nessus Professional 8.10 offers system administrators a bit of both.

From new update options that allow you to align Nessus updates with your risk stance to the ability to back up your license and customized settings, the latest features give you greater control of your Nessus experience. 

How to manage Nessus software updates

Nessus Software Update

In Nessus Professional, there are three options for automating updates:

  1. General Availability – Update to the latest general availability (GA) release. This default mode automatically updates to the new GA release, providing you an easy way to keep Nessus up to date. 
  2. Early Access – Opt in to early access (EA) releases, which are usually available two weeks before GA. If you want a jump start using the latest features and fixes, this is the choice for you.
  3. Delayed Updates – Delay updates and stay on an older release. This option will keep you one GA release behind. Since this setting is new in 8.10.0, it won’t take effect until the next GA release. For example, if 8.11.0 is the next GA release, you would stay on 8.10.0. Subsequently, if we put out 8.12.0, you would be upgraded to 8.11.0. Should there be an error in 8.12.0, you would either remain on 8.10.0 or possibly be upgraded to a version that is patched, such as 8.11.1. 

Downgrading to a previous version

You also have the option to downgrade from the current GA or EA. If you select option 1 or 2, you can change it to option 3 and downgrade the version of Nessus. Note: You cannot downgrade to a version prior to 8.10.0.

How to back up and restore Nessus

Nessus Backup and Restore

Nessus admins can use the command-line interface (Nessuscli) to manually back up all licenses and settings on demand (scan results aren’t part of the backup). With these backups, you can recover from disasters or migration issues and even support system relocations more easily – without having to rebuild Nessus settings from scratch.

These features give Nessus administrators more control over their product – combining simple automation and manual operation when necessary.

Learn more about what’s new in Nessus

Read more about these features and other changes in Nessus 8.10:

To learn more about Nessus Professional, start your free 7-day trial.

ADV200004: Microsoft Releases Out-of-Band Advisory to Address Flaws in Autodesk Filmbox (FBX) Library

Microsoft responds to a recent security advisory from Autodesk by publishing an out-of-band advisory for Office products integrating the Autodesk library.

Background

On April 15, Autodesk released a security advisory, ADSK-SA-2020-0002, to address six vulnerabilities in the Autodesk Filmbox (FBX) Software Development Kit, which “allows application and content vendors to transfer existing content into the FBX format with minimal effort.”

In response to Autodesk’s advisory, Microsoft issued an out-of-band advisory, ADV200004, on April 21, as the FBX library is integrated into specific versions of Microsoft Office, Office 365 ProPlus and Paint 3D.

Analysis

In ADSK-SA-2020-0002, Autodesk patched the following six vulnerabilities:

| CVE | Vulnerability | Impact | CVSSv3.x* |
| --- | --- | --- | --- |
| CVE-2020-7080 | Buffer Overflow | Arbitrary Code Execution | 7.8 |
| CVE-2020-7081 | Type Confusion | Arbitrary Code Execution, Denial of Service | N/A |
| CVE-2020-7082 | Use-After-Free | Arbitrary Code Execution | N/A |
| CVE-2020-7083 | Integer Overflow | Denial of Service | N/A |
| CVE-2020-7084 | Null Pointer Dereference | Denial of Service | 5.5 |
| CVE-2020-7085 | Heap Overflow | Arbitrary Code Execution | 7.8 |

*Please note that the CVSSv3.x scores referenced in the table above were available at the time this blog post was published and may be subject to change.

Though not all the vulnerabilities had CVSSv3.x scores assigned in their U.S. National Vulnerability Database entries, Autodesk collectively rated their advisory as High.

Exploitation of these vulnerabilities requires an attacker to convince their victim to open a malicious Microsoft Office, Office 365 ProPlus or Paint 3D file that contains specially crafted 3D content which takes advantage of the vulnerabilities in the FBX library.

Proof of concept

F-Secure researcher Max Van Amerongen, credited with the discovery of CVE-2020-7085, has tweeted a proof-of-concept video demonstrating the heap overflow vulnerability:

Solution

Microsoft’s advisory states that it has addressed these vulnerabilities in the following products:

| Product | Version | Knowledge Base Article |
| --- | --- | --- |
| Microsoft Office 2016 | Click-to-Run 32-bit and 64-bit editions | Office 2016 C2R |
| Microsoft Office 2019 | 32-bit and 64-bit editions | Office 2019 |
| Office 365 ProPlus | 32-bit and 64-bit editions | Office 365 ProPlus |
| Paint 3D | | Paint 3D Release Notes |

However, at the time this blog post was published, there were no new updates to the articles listed above. The last time these articles were updated was on April 14, which coincided with April’s Patch Tuesday release. It is unclear if Microsoft plans to release its updates as part of this out-of-band release, or if the fixes will be included as part of May’s Patch Tuesday release.

Since FBX is an included library in these versions of Office and Paint 3D and Microsoft released an out-of-band advisory for these flaws, we strongly encourage organizations to apply these patches as soon as they are available.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Multiple Zero-Day Vulnerabilities in iOS Mail App Exploited in the Wild

Patches for a pair of critical iOS vulnerabilities are currently in beta, and users are strongly encouraged to disable accounts in their Mail app until the fixes are generally available.

Background

On April 20, researchers at ZecOps published a blog post about their discovery of multiple zero-day vulnerabilities in the iOS Mail app. According to the researchers, the vulnerabilities were discovered during a digital forensics and incident response (DFIR) investigation. The DFIR led the researchers to discover the flaws had been exploited in the wild against a variety of targets, including employees at a Fortune 500 company in North America, a Japanese carrier executive, a VIP from Germany, managed security service providers in Saudi Arabia and Israel, and a European journalist.

The vulnerabilities have reportedly existed within iOS going as far back as iOS 6, which was released in September 2012. However, the researchers say they identified these vulnerabilities being exploited in the wild as early as January 2018 against iOS 11.2.2.

Analysis

The researchers at ZecOps identified two specific vulnerabilities being exploited in the wild, neither of which had a CVE identifier assigned at the time of publication. We expect the CVE identifiers to be available once Apple releases iOS 13.4.5 to the general public.

The first vulnerability is an out-of-bounds write flaw, while the second vulnerability is a heap overflow flaw. Both flaws originate from the implementation of the MFMutableData interface in the Multipurpose Internet Mail Extensions (MIME) framework in iOS. These vulnerabilities exist because MFMutableData does not handle errors from the ftruncate() system call.
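As an added illustration of the root cause described above (constructed for this post, not code from ZecOps or Apple), the following C model shows a file-backed growable buffer whose size bookkeeping trusts ftruncate() without checking its result, beside the checked form. The type and function names are hypothetical; the demo reproduces the failing precondition with a read-only descriptor, on which ftruncate() cannot succeed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed model of a file-backed growable buffer (hypothetical type, not
 * Apple's MFMutableData). The caller's view of the size (`capacity`) must
 * match the real size of the backing file, otherwise any later write that
 * trusts `capacity` runs past the mapped/allocated region. */
typedef struct {
    int fd;
    size_t capacity;   /* what later code believes the buffer can hold */
} file_buffer_t;

/* Buggy pattern: the result of ftruncate() is discarded, so on failure
 * `capacity` claims space that was never reserved. */
int grow_unchecked(file_buffer_t *b, size_t new_size)
{
    int ignored = ftruncate(b->fd, (off_t)new_size);   /* result thrown away */
    (void)ignored;
    b->capacity = new_size;
    return 0;                                           /* always "succeeds" */
}

/* Hardened pattern: propagate the failure and leave `capacity` untouched. */
int grow_checked(file_buffer_t *b, size_t new_size)
{
    if (ftruncate(b->fd, (off_t)new_size) != 0)
        return -1;   /* errno is set: EBADF, EINVAL, ENOSPC, ... */
    b->capacity = new_size;
    return 0;
}

/* Actual size of the backing file as the kernel sees it, or -1 on error. */
static off_t backing_size(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 ? st.st_size : -1;
}

/* Reproduce the precondition for the bug: ftruncate() fails because the
 * descriptor is read-only. Returns 1 when the grow routine left `capacity`
 * larger than the real file, i.e. the state from which a later write would
 * overflow; 0 when the bookkeeping stayed consistent; -1 on setup error.
 * `checked` selects which grow routine runs. */
int capacity_mismatch_after_failed_grow(int checked)
{
    char path[] = "/tmp/filebuf_XXXXXX";   /* constructed scratch file */
    int wfd = mkstemp(path);
    if (wfd < 0) return -1;
    int rfd = open(path, O_RDONLY);        /* ftruncate() cannot succeed here */
    unlink(path);
    close(wfd);
    if (rfd < 0) return -1;

    file_buffer_t buf = { .fd = rfd, .capacity = 0 };
    if (checked)
        grow_checked(&buf, 4096);
    else
        grow_unchecked(&buf, 4096);

    off_t real = backing_size(rfd);
    close(rfd);
    if (real < 0) return -1;
    return (off_t)buf.capacity > real;     /* 1 = overflow precondition */
}

int main(void)
{
    printf("unchecked grow leaves a size mismatch: %d\n",
           capacity_mismatch_after_failed_grow(0));
    printf("checked grow leaves a size mismatch:   %d\n",
           capacity_mismatch_after_failed_grow(1));
    return 0;
}
```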

Additionally, researchers believe the attackers unintentionally discovered the first vulnerability while trying to exploit the second one.

For the full set of technical analyses, please read the ZecOps blog.

An attacker could exploit these vulnerabilities by sending a specially crafted email to their victim. Most notable about these vulnerabilities is that on iOS 13, the heap overflow vulnerability can be triggered without interaction (zero-click), while on iOS 12, the vulnerability requires the victim to click the email. However, if the attacker has control of the mail server the user is connected to, they could achieve zero-click exploitation on iOS 12 devices. The out-of-bounds write requires the implementation of an additional vulnerability that allows the calling of an arbitrary selector in order to trigger remotely.

Successful exploitation of these vulnerabilities would only grant an attacker the capability to perform actions in the context of the Mail app, such as leaking, modifying or deleting emails. To gain full control over the device, researchers say that an attacker would need to incorporate a kernel vulnerability into the exploit chain. ZecOps suspects attackers had a kernel vulnerability in these attacks, but they’ve not yet identified one during their investigation.

Proof of concept

While a proof-of-concept (PoC) for this vulnerability was not publicly available on GitHub or Exploit-DB, the ZecOps blog provides enough information that can be used to craft a PoC.

Solution

Apple has released fixes for these vulnerabilities as part of iOS 13.4.5 beta 2, which was released on April 15. We anticipate Apple will release iOS 13.4.5 into general availability in the coming weeks. Until then, users seeking to patch these flaws immediately can participate in the Apple Beta Software Program. However, for production devices, utilizing beta software is not recommended, as it can lead to the loss of data integrity and create device instability.

As an interim solution for these vulnerabilities, users can disable their accounts connected to Apple’s iOS Mail app and switch to an alternative application, such as Microsoft Outlook for iOS and iPadOS or Google’s Gmail for iOS and iPadOS.

Identifying affected systems

Tenable products offer integration with mobile device management (MDM) solutions to identify mobile devices missing vendor updates. Once a patch is available, a list of our MDM plugins to identify vulnerable devices will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.


What You Need to Know About the Cyberspace Solarium Commission Report Recommendations

Last month, the U.S. Cyberspace Solarium Commission provided recommendations to help prepare for major cyberattacks on our critical infrastructure and economic system. Here are our thoughts.

In March, the Cyberspace Solarium Commission released its final report, outlining substantive recommendations for a cyber strategy designed to help prepare the U.S. for major cyberattacks on our national critical infrastructure and economic system. If there’s one thing we have learned from the current health crisis, it’s that the worst-case scenario can happen and the best time to prepare for it is now.

The need to harmonize standards for vulnerability disclosure and patch management

We know that one of the best ways that organizations can protect themselves from cyberattacks is to maintain strong cyber hygiene. They need insights into their networks to understand their cyber risk and a strong process for patching their systems. 

One of the recommendations in the Cyber Solarium Commission report is that the U.S. National Institute of Standards and Technology (NIST) should be resourced to develop and harmonize standards for vulnerability and patch management. NIST, which works closely with industry and other key stakeholders, has the credibility and expertise to fill this role. Indeed, NIST can leverage its partnership with industry on enterprise patch management through the National Cybersecurity Center of Excellence to help inform these standards.

Driving accountability and transparency

Developing patches isn’t effective if organizations don’t use them. According to the report, the U.S. government should study the effectiveness of incentivizing companies to better patch their systems, including placing a cap on insurance payouts for incidents that involve known, unpatched vulnerabilities. The idea certainly merits exploration. 

The report also recommends that Congress amend the Sarbanes-Oxley Act to explicitly account for cybersecurity among the other corporate accountability requirements currently enforced by the Securities and Exchange Commission on publicly traded U.S. companies. The step would increase transparency and drive better behavior without dictating specific technologies or practices.

A carrot or a stick?

While greater accountability is important, it is equally important to continue to incentivize innovation and best practices. Therefore, while the report calls for liability for organizations that release products with known, unpatched vulnerabilities, we believe a better approach would be for Congress to pass legislation that shields organizations from increased liability if they can demonstrate that they follow a risk-based standard of care. This includes risk-based vulnerability management practices, secure development lifecycle processes and practices and other cyber hygiene practices.

Better data, better outcomes

The Commission also recommends the creation of a Bureau of Cyber Statistics, in the Department of Commerce, which would help collect actionable data that could be used to develop quantifiable metrics around cybersecurity. Organizations must understand how their cyber investments are helping them reduce their overall business risk. Better cybersecurity and risk management data can help inform organizational priorities and decisions, as well as help the cybersecurity insurance landscape evolve.

We know what needs to be done to protect us against a national cybersecurity crisis. We need strong cyber hygiene and smart insights into the networks to enable organizations to protect themselves. The Cyber Solarium Commission’s recommendations help create the scaffolding to scale these best practices for greatest effect. There are steps we can and should take now to protect against cyberattacks that could affect the nation in the future. With everything from our electric grid and transportation to our military systems relying on connected devices and networks, we can’t afford to wait.

Learn more about the Cyber Solarium Commission recommendations

For more discussion on where we go from here with the Cyber Solarium Commission recommendations, join me and fellow panelists Adam Sedgewick of NIST and Trevor Rudolph of Schneider Electric on Wednesday, April 29, at 2 p.m. EST for a webinar hosted by Ari Schwartz and the Cyber Coalition, which will also include keynote remarks from Solarium Commission member, Congressman Jim Langevin (D-RI).

Register for webinar

This Is How to Do Simple, Fast and Accurate Web App Security

Web apps are the most common attack vector causing data breaches today. Here’s how Tenable.io Web Application Scanning, built by Tenable Research, can help security teams protect their web app estate.

It’s not an exaggeration to say that web applications power the world. Web apps provide critical news and information to key stakeholders, run marketing campaigns and transact sales, and help you engage and interact more effectively with your customers. As businesses become more digital, especially in the midst of current times, we’re seeing a sharp rise in the importance of web apps with numerous examples ranging from primary care providers deploying new telemedicine portals to local grocery stores standing up ecommerce services. To understand just how pervasive web apps are: We’re quickly approaching 2 billion unique web apps across the world.1

Because most web apps are easily accessible to external users by design, their pervasiveness is also their primary downfall. Web apps are notoriously vulnerable. In aggregate, we’re talking about tens of billions of high-risk web app vulnerabilities that threat actors can attack with exploits. It should be no surprise that web apps consistently remain the most common attack vector causing data breaches today.2

Modern web apps change constantly, making it very difficult for security teams to keep pace with continuous updates and newly disclosed vulnerabilities. Unfortunately, most organizations do not have adequate application security resources.3 On top of that, many solutions are cost-prohibitive and difficult to use without extensive expertise. Too few security teams have a holistic process to secure web applications alongside their IT assets, which creates even more complexity.

The result is the vast majority of web apps are not assessed for critical vulnerabilities that could bring a business to its knees and halt all customer transactions or lead to a loss of confidential customer data.

You don’t need a PhD to secure PHP

One of the easiest ways to cut through application security complexity is to extend existing platforms you have in place today to protect your web applications. Not only does this simplify your security tech stack, but you can also take advantage of workflows you are already familiar with to launch new scans, analyze scan results, prioritize vulnerabilities and customize reporting. This is especially critical for security organizations that don’t have a team of appsec PhDs at the ready. 

This is why we created Tenable.io Web Application Scanning. The product is designed by security practitioners for security practitioners. Users can quickly configure scans in minutes, instead of spending hours or days of manual tuning to yield meaningful results. It was built by Tenable Research – the largest vulnerability research team in the industry – to deliver comprehensive and accurate vulnerability coverage of your web apps. 

As new dangerous web app vulnerabilities are discovered by our Security Response Team, vulnerability detections are quickly added to Tenable.io Web App Scanning, so that users can detect and remediate them. In the case of a recent WordPress plugin attack, new vulnerability detections were released within hours. And, all web apps assessed by Tenable.io Web App Scanning integrate into the Tenable.io asset view alongside your traditional IT and cloud assets for unified visibility across your attack surface. 

Tenable.io Web App Scanning Asset View

Announcing exciting, new capabilities in Tenable.io Web App Scanning

Tenable.io Web App Scanning just got a whole lot better. Starting on April 30 for new Tenable.io Web App Scanning customers, we’re releasing several important, new product enhancements. If you’re an existing Tenable.io Web App Scanning customer, you’ll be able to take advantage of these new capabilities in just a few short weeks to ensure you have a seamless product experience. The new capabilities include:

  • Fully integrated dashboards for unified visibility. Tenable.io Web App Scanning data is now fully integrated into Tenable.io dashboards and widget library. Create new customized dashboards and widgets to combine IT, cloud and web application vulnerability data into a single unified view. This helps you analyze and drill into web applications as you would with other assets across your attack surface to find and fix the vulnerabilities that matter most. 

Tenable.io Web App Scanning Dashboard

  • Single-page app support for enhanced detections. A new state-of-the-art scanning engine now supports dynamic, JavaScript-based single-page applications invisible to many web app scanners. Additional vulnerability detections include support for Apache Solr, new plugins for source-code-leakage vulnerabilities, and dozens of component vulnerabilities in PHP, Joomla and Drupal.
  • Fast discovery of common web app flaws. Predefined scan templates enable you to quickly identify common web app cyber hygiene issues related to SSL/TLS certificates and HTTP header misconfigurations. These scans take seconds to configure and minutes to get results for quick insights.

Tenable.io Web App Scanning Scan Template

And, because it is built by Tenable Research, Tenable.io Web App Scanning gains all the benefits this world-class research organization provides: number one in CVE coverage, number one in scan accuracy and speed of new vulnerability detections. This gives you confidence that your development teams aren’t wasting time remediating false positives or missing vulnerabilities that could be leveraged by an attacker.

Try Tenable.io Web App Scanning for free

Beginning on April 30, we are providing all Tenable.io customers access to Tenable.io Web App Scanning for free for 30 days, even if you had previously evaluated it in the past. Customers will receive evaluation invites and be able to opt in directly in Tenable.io. See firsthand how web application security data integrates into your existing dashboards and workflows for unified visibility.

Not yet a Tenable.io customer? No problem. You can still try Tenable.io Web App Scanning for free to see how easy it is to quickly configure new web app scans and analyze results.

Learn more about Tenable.io Web App Scanning

Looking to learn more before starting your free eval? Join us for an upcoming webinar, “RCEs and Remote Employees. How Vulnerable Are Your Web Apps?” on May 20. We’ll share the latest research insights into web app vulnerabilities and threats, along with an in-depth demo of Tenable.io Web App Scanning. Save your spot. Register now.

Start free trial


1. https://www.internetlivestats.com/total-number-of-websites/
2. 2019 Data Breach Investigations Report, Verizon, 2019
3. The Life and Times of Cybersecurity Professionals 2018, ESG, 2019

CVE-2020-12271: Zero-Day SQL Injection Vulnerability in Sophos XG Firewall Exploited in the Wild

Sophos pushes a hotfix to address an SQL injection vulnerability in Sophos XG Firewall that was exploited in the wild

Background

On April 22, Sophos published a knowledge base entry on the Sophos Community regarding the discovery of a zero-day vulnerability in the Sophos XG Firewall that was exploited in the wild. According to Sophos, they were able to identify “an attack against physical and virtual XG Firewall units” after reviewing the report of a “suspicious field value” in the XG Firewall’s management interface. The attack targets the XG Firewall administration interface, which is accessible via the user portal, over HTTPS, or on the WAN zone. They discovered that this also affected systems when the port used for the administration interface or user portal was also used to expose a firewall service, such as the SSL VPN.

Analysis

CVE-2020-12271 is a pre-authentication SQL injection vulnerability that exists in the Sophos XG Firewall/Sophos Firewall Operating System (SFOS). Further information about this vulnerability has not been made public. However, Sophos did confirm that exploitation of this flaw would allow an attacker to exfiltrate “XG Firewall-resident data,” which depending on the configuration, could include local user account credentials, such as usernames and hashed passwords. As for Active Directory and LDAP passwords, Sophos says these were not compromised during the attacks. On April 26, Sophos published a separate article, “Asnarök Trojan targets firewalls” which analyzes the components and intent of the attack in greater detail and provides a better understanding of the malware used in one of the attacks.

Source: "Asnarök" Trojan targets firewalls

Proof of concept

There was no proof-of-concept (PoC) available for this vulnerability at the time this blog was published.

Solution

All versions (physical and virtual) of XG Firewall firmware are affected by this vulnerability. A hotfix for XG Firewall and Sophos Firewall Operating System (SFOS) has been deployed to customers. If customers are running an unsupported version of SFOS, Sophos recommends they upgrade to a supported version immediately.

| Product | Fixed Versions |
| --- | --- |
| Sophos Firewall Operating System | 17.0 |
| Sophos Firewall Operating System | 17.1 |
| Sophos Firewall Operating System | 17.5 |
| Sophos Firewall Operating System | 18.0 |

Affected XG Firewalls that receive this hotfix will see an alert within the management interface, notifying them that the hotfix has been applied and whether or not the vulnerability has been exploited.

Source: Sophos Knowledge Base Entry on the Sophos Community

If the automatic application of hotfixes has been disabled for the XG Firewall, Sophos has provided instructions on how to enable them.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Why You Need to Stop Using CVSS for Vulnerability Prioritization

Most cybersecurity teams rely on the Common Vulnerability Scoring System (CVSS) to prioritize their vulnerability remediation efforts. But, they fail to realize that CVSS is an outdated, ineffective method that causes them to waste the majority of their valuable time on vulnerabilities that pose little to no risk. Here’s what to do instead.

For the past 20 years, security professionals have conducted scans of their business networks to find the vulnerabilities located throughout their IT infrastructures. The scans have been pretty effective at finding these vulns. But, the problem is they discover more vulnerabilities than they can actually handle – and new vulns are discovered more quickly than IT can remediate them. Since they know they’ll never be able to fix everything, the teams end up having to prioritize which vulns to remediate first.

CVSS is failing you

The most common method used for prioritizing remediation efforts is to employ the Common Vulnerability Scoring System (CVSS), an industry standard for assessing the severity of cybersecurity vulnerabilities. CVSS assigns a severity rating between zero and 10, with 10 being the most severe. The score is based on how easily the vulnerability can be exploited and the level of impact if a successful exploit were to occur.

This all stems from the fact that CVSS was never actually intended to be used for prioritization. Instead, it was developed simply to give a sense of each vuln’s severity. But, as organizations faced greater and greater numbers of vulns, they had an overwhelming need to prioritize. And, since there was nothing (at the time) to do that, they latched on to CVSS as at least something they could use. But, since it was never intended to be used in this way, the model doesn’t work particularly well for this purpose, and quickly falls apart.

A theoretical vs actual view of risk

The problem with using CVSS to prioritize remediation efforts stems from the fact that the CVSS base score is typically assigned within two weeks of the vulnerability being discovered – and almost never revisited following that initial assessment – and is therefore limited to a theoretical view of the risk a vulnerability could potentially introduce, rather than an understanding of the actual threat landscape. 

As a result, according to Tenable Research, 56% of all vulnerabilities are scored as High (CVSS score of 7.0–8.9) or Critical (CVSS score of 9.0–10.0), regardless of whether they are likely to ever be exploited. And, since more than 75% of all vulnerabilities with a score of 7 or above have never had an exploit published against them, security teams using CVSS to prioritize their efforts are wasting the majority of their time chasing after the wrong issues.

CVSS base scores

CVSS scores do not reflect the current threat landscape

Also, since CVSS base scores are static, the score remains exactly the same for years, regardless of changes in the threat landscape. That means that if a vulnerability was initially assigned a base score of 6.0, even if 90 days later it’s successfully exploited in the wild, and even becomes a prolifically exploited vulnerability that leads to billions of dollars in data exfiltration, the CVSS score will remain at the initial 6.0 score.

Conversely, vulnerabilities that receive a low CVSS score will be ignored by teams who are only looking at those with a CVSS score of 7 and above, potentially leaving dangerous vulnerabilities in their environment. In fact, according to Tenable Research, there are nearly as many vulnerabilities with exploit code available that have a CVSS base score between 4 and 6 as there are with a CVSS base score of 7 and above – yet, by policy, those using a CVSS 7+ strategy would ignore these lower-scored vulns, therefore missing many of the most critical vulnerabilities that pose the greatest risk to their business. Consider the example given above with the billions of dollars in data exfiltration. Since the vulnerability was assigned a CVSS base score of 6.0, few organizations would have ever even looked at that vulnerability to assess it for themselves, allowing themselves to fall prey to the cyberattacks that we’d only know in retrospect – after the damage is done. 

CVSS creates a false sense of security

The bottom line is, CVSS has been the industry standard for so long that many security professionals believe it’s the best, if not only, way to prioritize their vulnerability remediation efforts. But, considering the many downfalls of CVSS, it’s easy to see that CVSS is an outdated, ineffective method.

A better way: The need for risk-based vulnerability management

To be effective, security teams need to understand vulnerabilities in the context of business risk, and then use that data to prioritize their remediation efforts. By taking a risk-based approach to vulnerability management, security teams can focus on the vulnerabilities and assets that matter most, so they can address the organization’s true business risk instead of wasting their valuable time on vulnerabilities that have a low likelihood of being exploited. To truly understand the full context of each vulnerability, and therefore make the best decisions, security teams need to correlate the following security data:

  • Dozens of essential characteristics of the vulnerability, including the age of the vuln, its potential for harm, the degree to which it’s exploitable and how frequently we’re seeing the threat
  • An assessment of current and predicted future attacker activity
  • Threat and exploit intelligence from multiple sources
  • An assessment of how important the affected asset is to the organization

Of course, parsing through all this data can’t be accomplished by a human being – or even a team of human beings – so automating its correlation and analysis using machine learning algorithms is absolutely essential. Not only is machine learning more accurate, but within seconds, it can effectively deliver a vulnerability priority rating (VPR) for every one of the organization’s vulnerabilities based on the risk each poses to the business.
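To put numbers on the two arguments above (the CVSS 7+ policy missing exploited lower-scored vulns and spending effort on never-exploited ones, and the risk-based alternative that correlates exploit, in-the-wild and asset signals), here is an added C example, not Tenable's own code or VPR. It runs both policies over a constructed inventory with placeholder IDs and an identical remediation budget; the risk score is a toy weighting assumed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One finding. Identifiers and values are constructed for this example;
 * V-06 models the "base score 6.0 that later became heavily exploited" case. */
typedef struct {
    const char *id;
    double cvss_base;     /* static base score, never revisited */
    int exploit_public;   /* exploit code available today */
    int seen_in_wild;     /* exploitation observed */
    int asset_critical;   /* affected asset matters to the business */
} vuln_t;

static const vuln_t SAMPLE[] = {
    { "V-01", 9.8, 1, 1, 1 },
    { "V-02", 9.1, 0, 0, 0 },
    { "V-03", 8.2, 0, 0, 1 },
    { "V-04", 7.5, 1, 0, 0 },
    { "V-05", 7.2, 0, 0, 0 },
    { "V-06", 6.0, 1, 1, 1 },
    { "V-07", 5.3, 1, 0, 0 },
    { "V-08", 4.3, 1, 1, 1 },
    { "V-09", 4.0, 0, 0, 0 },
    { "V-10", 3.1, 0, 0, 0 },
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

/* How a selection performs against the findings that are actually exploitable. */
typedef struct {
    int selected;                 /* remediation tickets opened */
    int exploitable_total;        /* findings with public exploit code */
    int exploitable_covered;      /* ... of which the policy selected */
    int exploitable_missed;       /* ... of which the policy ignored */
    int effort_on_unexploitable;  /* tickets spent where no exploit exists */
} scorecard_t;

/* Toy priority rating (an assumption for illustration, not Tenable's VPR):
 * threat signals dominate, asset importance counts, base score breaks ties. */
double risk_score(const vuln_t *v)
{
    return 4.0 * v->seen_in_wild + 3.0 * v->exploit_public
         + 2.0 * v->asset_critical + v->cvss_base / 10.0;
}

static int by_risk_desc(const void *a, const void *b)
{
    double ra = risk_score(*(const vuln_t *const *)a);
    double rb = risk_score(*(const vuln_t *const *)b);
    return (ra < rb) - (ra > rb);
}

static scorecard_t evaluate(const vuln_t *const *sel, size_t n_sel)
{
    scorecard_t s = { (int)n_sel, 0, 0, 0, 0 };
    for (size_t i = 0; i < SAMPLE_LEN; i++) {
        int chosen = 0;
        for (size_t j = 0; j < n_sel; j++)
            if (sel[j] == &SAMPLE[i]) chosen = 1;
        s.exploitable_total += SAMPLE[i].exploit_public;
        if (SAMPLE[i].exploit_public && chosen)  s.exploitable_covered++;
        if (SAMPLE[i].exploit_public && !chosen) s.exploitable_missed++;
        if (!SAMPLE[i].exploit_public && chosen) s.effort_on_unexploitable++;
    }
    return s;
}

/* The "fix everything rated High/Critical" rule: base score only. */
scorecard_t cvss_policy(double threshold)
{
    const vuln_t *sel[SAMPLE_LEN];
    size_t n = 0;
    for (size_t i = 0; i < SAMPLE_LEN; i++)
        if (SAMPLE[i].cvss_base >= threshold) sel[n++] = &SAMPLE[i];
    return evaluate(sel, n);
}

/* Spend the same remediation budget on the highest-risk findings instead. */
scorecard_t risk_policy(size_t budget)
{
    const vuln_t *sel[SAMPLE_LEN];
    for (size_t i = 0; i < SAMPLE_LEN; i++) sel[i] = &SAMPLE[i];
    qsort(sel, SAMPLE_LEN, sizeof sel[0], by_risk_desc);
    if (budget > SAMPLE_LEN) budget = SAMPLE_LEN;
    return evaluate(sel, budget);
}

static void print_card(const char *name, scorecard_t s)
{
    printf("%-11s selected=%d exploitable=%d covered=%d missed=%d wasted=%d\n",
           name, s.selected, s.exploitable_total, s.exploitable_covered,
           s.exploitable_missed, s.effort_on_unexploitable);
}

int main(void)
{
    scorecard_t cvss = cvss_policy(7.0);
    print_card("cvss 7+", cvss);
    print_card("risk-based", risk_policy((size_t)cvss.selected));
    return 0;
}
```

On this sample the 7+ rule opens five tickets, covers two of the five exploitable findings and spends three tickets on findings with no exploit; the same five tickets ranked by risk cover all five.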

Taking a risk-based approach to vulnerability management is a far more effective solution because it enables security teams to focus on what matters most – so they can make the biggest impact on risk with the least amount of effort.

To learn more about how risk-based vulnerability management can help you focus your remediation efforts on the vulnerabilities and assets that matter most, visit: https://www.tenable.com/solutions/risk-based-vulnerability-management

Coding from Home: 6 Simple Hacks for Boosting Your Productivity

Working from home poses distinct challenges for engineers who rely on sustained periods of focus. Here are some survival tips from one of Tenable’s senior software engineers for staying productive in a busy household.

Tenable has embraced remote work culture for many years now. Most of the positive direction has come from our constant evaluation of work processes and iteratively improving over the years. With the advent of COVID-19, more and more companies are implementing optional or even mandatory work-from-home policies.

Since I've been with the Tenable engineering team for several years now and working from home the entire time, I've had the fortune of working with folks all over the world, from Ireland and Singapore to India and virtually every timezone across the U.S. and Canada. With that said, I’d like to share some valuable guidance for my fellow engineers who are now finding themselves navigating this new frontier of sequestered productivity.

Establish your work area 

Try your hardest to set up a designated “office” area. This space, if possible, should not include any distracting devices or material, such as a TV, games, or even your favorite books. Consider setting up blinders, such as curtains or display boards, behind your work computer to block the sight of dirty laundry or dishes, anything that needs organizing and might cause you to think, "Oh, that'll only take five minutes. Let's knock it out." I can promise you that, most of the time, you’ll soon find yourself doing more than you originally planned. 

Cliff's home workstation housed in his backyard workshop.

I’ve set up my home office in the workshop behind my house. I’ll admit there are a couple of items that one might consider distracting – for example, the Mario plush toy. However, I’ve made an exception in this case since my daughter placed it there, and little tokens that remind me of my family and why I work so hard, in my opinion, don’t count as distractions.

It’s also important to limit background noise, especially loud non-rhythmic sounds, which can be detrimental to your focus. If you’re stuck working in an area like the kitchen (worst case scenario), try to avoid cranking the volume up too high on your headset. Save your hearing by using earplugs (not earbuds) and over-the-ear headphones. You can dull the sound with the earplugs and increase the volume on the headphones without harming your hearing. It's the best of both worlds. 

Maintain a daily schedule

Working from home means you can lounge around all day in your pajamas while at the same time being a productivity powerhouse. Right? Well, maybe for some, but I've always found it better to adhere to a daily structure. I typically wake up by 6 a.m. to help get the kids ready for school (or, now, homeschooling). I enjoy a cup of coffee and try to do something – reading, meditating, going on a short walk – that doesn’t involve a computer. Then, I shower and get dressed for work, which helps get me into work mode. As a bonus, you'll look nice and professional on camera.

With more people working from home during the quarantine, it’s also imperative to align your schedule with other members of the household. For those of you with children, you must involve your partner, or if braving the perils of child-rearing on your own, speak to the kids directly. Others within your household need to know when you should be left alone to get your work done, and vice versa. Sharing work calendars with my wife has proven very helpful in this regard. While we can’t see the details of each other’s work events, we know the general blocks of time during which to limit interruptions.

Use timers to avoid rabbit holes

Most software engineers I know tend to be extremely persistent. We cannot stand to see a problem go unsolved once we start working on it. This can lead to us going “down the rabbit hole” fairly often, which can be a huge time sink if you’re working from home (and lucky enough to be free of distractions).

I’ve found a timer to be an effective hedge in this regard. When working on code or design, I typically set my Horo for Mac timer for 30 to 45 minute increments. Once it goes off, I check Slack and email messages for anything urgent or time-sensitive. These scheduled breaks replicate those interruptions that come naturally in a physical office, when a coworker might walk by your desk and ask what you’re up to. By temporarily breaking my train of thought, I can reflect from a higher level on what I’m doing and, more importantly, why I’m doing it.

Prioritize team channels over direct messages

In a physical office, a lot of communication happens effortlessly. You cross paths with a coworker in the hall or pass by their desk on the way to the kitchen. When working remotely, you need the discipline to keep that information flowing as often as you can to the right audiences. 

When it comes to messaging channels like Slack, I’ve found that a direct message to someone is almost always an inferior communication pathway. Instead, use team chat rooms relentlessly (while tagging your target coworker) so that the whole team receives the benefits of your conversation. This is a far better emulation of a physical office setting. It allows others to easily provide insights you may not have even thought to ask about, and it shows everyone (including your manager) that you are actively engaged with work.

Snapshot of the Tenable Engineering team Slack channel.

Your manager is the one person with whom to maintain a direct line. I’ve found it useful to update my manager at least once a day. You don’t have to be extremely detailed since you don’t want to encourage micromanaging. But it’s important to share the things you are currently working on and your progress on those tasks (especially unplanned ones). Without information on what you’re doing, your manager will have no way to balance the workload across the team or even offload some tasks onto another team entirely.

Set achievable goals for the next day

At the end of the workday, I look at what I’ve accomplished and then prioritize tasks for the next day. Pick one or two (or three, if you're brave) goals that you want to achieve. Doing this will motivate you to accomplish them for the simple satisfaction of marking them complete. I prefer doing this at the end of the day because it functions as a sort of "brain dump.” I can lay out what I hope to achieve the following day, along with summing up what has happened on the current day, then forget about it and go enjoy time with my family. 

Since mornings with kids can be busy, I also use those evening hours to prepare certain things that can be done preemptively, which helps to lighten the morning load. This includes prepping the coffeemaker, making sure my clothes and the kids’ clothes are selected, the kids’ homework and school notices are fully attended to, and snacks are ready to go. I add to this list any time I find something new that can be done in the evening. Every little bit adds up to save a lot of time in the morning.

Find a way to transition into downtime

Since you no longer have a commute, going directly from your work area to your family can be a bit of a jolt. Try taking a brief walk or exercising right after work. You can also join a few coworkers for a virtual happy hour, which can help people loosen up and strengthen your team bonds. We’ve found online gaming to be an extremely helpful way to break the ice socially, and you don’t have to be a hardcore gamer to participate. There are plenty of online versions of traditional card and board games – from RISK and UNO to Texas Hold'em Poker and Ticket to Ride – that are fun and free to play, with a very low learning curve.

No matter what you choose, it’s important to find something that can help mark the boundary of the workday and transition your mental state into family time or simply relaxing in the evening. Everyone needs regular periods of mental rest, now more than ever, whether that’s playing with the kids, cooking together with your partner or simply watching TV.

As our daily routines become fraught with change and uncertainty, hopefully, these steps help add some structure and maintain a healthy separation between work and home, even as both increasingly occur under the same roof. Next time a moment of tension arises, try to reset your frame of mind and remember the unprecedented nature of this period. We'll get through this adventure together, and we may even pick up some better working (and living) habits along the way.

For more information on adapting your business during the challenging COVID-19 response, visit our Tenable resource page on protecting your remote workforce.

New Approaches for the “New Normal” in State and Local Government Cyber Defense


Adjusting to the new normal, state and local governments need to be more vigilant and streamlined in protecting their environments against cyber predators. What tactics can help provide high levels of security while also meeting restrictive budget and resource requirements?

Even before the COVID-19 pandemic struck, state and local governments were struggling to secure a quickly expanding cyberattack surface with available resources. Now, ransomware purveyors and other cyber hackers are licking their chops to take advantage of any signs of weakness as governments react to this worldwide crisis. They will not let up once the storm has passed. In such a dangerous environment, business as usual is not an option. Implementing a new approach that enables governments to “do more with less” is imperative. 

We examine two approaches that have the potential – whether implemented together or separately – to deliver greater security across all levels of government while decreasing the cost and workload required to achieve that goal. 

Approach #1: A new focus on teamwork – taking a “whole of state” approach 

Every government organization has unique characteristics and requirements, but if they can come together on a common security approach to achieve a common objective, with the flexibility to tailor that approach to meet unique needs, they can all reap benefits in lower costs and improved cybersecurity posture.

Over the past seven years, the U.S. federal government has been moving in that direction through its Continuous Diagnostics and Mitigation (CDM) program, which brings the entire federal .gov domain together. There have been lessons learned along the way that have driven program improvements. As a result, significant benefits are starting to emerge. For example:

  • Economies of scale have enabled enterprise licensing and other creative purchasing options to lower software and hardware costs to participating agencies.
  • An “Approved Product List” process and standards have simplified the process of selecting cybersecurity tools, enabled new technology options to be added efficiently and provided assurance that tools selected will meet requirements.
  • A flexible services contracting approach has allowed government agencies to select the tools, and design the cybersecurity solution, that best meet their unique needs – and implement those solutions expeditiously. 

CDM aside, the more a state can take a team approach, get buy-in at all levels to the concept of collective defense, and even go a step further to include academia and the private sector, the better all organizations within that state can defend against cyberattacks to any one of them. As ransomware and other cyber threats continue to attack state and local governments, a “circling the wagons” approach that brings state, local and private sector partners together to fight common enemies will become increasingly essential.

States that look to approach cyber defense from a team perspective will also find an increasing amount of federal resources and support dedicated to helping them on their cyber journey as part of a collective defense approach.

Approach #2: A new risk-based approach to vulnerability management 

Moving to a “whole of state” approach is a long-term undertaking. The benefits, though potentially significant, will not be fully realized for some years in the future. Taking a risk-based approach to vulnerability management, however, can deliver immediate and significant benefits in security, efficiency and communication of cyber risk to non-cyber leaders.

Focus first on what matters most

One of the key elements in basic cyber hygiene is doing timely updates – patching software vulnerabilities. The problem is that more connections mean more vulnerabilities to patch, and connections are exploding now that COVID-19 has created an entirely new remote workforce that is teleworking and remotely accessing sensitive systems.

Even in the best of times, patching every vulnerability in every network device is an impossible dream. In the current environment, with networks expanding and resources being strained to the breaking point, many vulnerabilities are likely to remain unpatched for prolonged periods of time. But, here’s the good news: You don’t have to patch every vulnerability to secure your network. You just need to patch the vulnerabilities that matter.

Predictive Prioritization can help you become more secure by guiding you to the small percentage of vulnerabilities that matter most. Predictive Prioritization is a data science–based process that goes beyond CVSS and reprioritizes each vulnerability based on the likelihood it will be leveraged in a cyberattack. Predictive Prioritization assigns a vulnerability priority rating (VPR) to every vulnerability, including vulnerabilities that have yet to be published in the U.S. National Vulnerability Database (NVD), and updates the ratings daily based on threat intelligence and other data inputs.

The Tenable data science team estimates that, on average, only 3% of vulnerabilities are actually exploited. Putting this into perspective, the NVD reported approximately 17,300 new vulnerabilities in 2019, of which 56%, or about 9,700, were rated “critical” or “high.” If you based your patching on CVSS scoring, you would have a major patching requirement with no assurance that you were actually lowering the risk of an exploit. If, however, you were guided by VPR to the 3% that truly posed a risk, you would only need to patch about 500 of those 17,300 to eliminate all vulnerabilities that posed a risk of exploit.

Deliver actionable cyber risk data to enable informed decision-making

Through the CDM dashboard ecosystem, the federal government is seeking to deliver its version of what Tenable provides through Predictive Prioritization. The CDM program is also building on that capability to deliver actionable risk-scoring information through the dashboard’s AWARE (Agency-Wide Adaptive Risk Enumeration) algorithm. AWARE scores agencies’ risk postures numerically and provides guidance to agencies on steps to improve AWARE scores. Each federal agency sees its own AWARE score and a federal average score, providing a benchmark for measuring effectiveness. 

While something on the scale of a CDM dashboard ecosystem might seem out of reach for most state or local governments, implementing a solution that delivers actionable risk-scoring data does not require such a massive undertaking. Any government agency can do it today with the Tenable Risk-Based Vulnerability Management Solution, which builds on Predictive Prioritization to deliver measurable data to support effective risk-based decisions. 

In addition to VPR, which prioritizes vulnerabilities based on external criteria, the Tenable Risk-Based Vulnerability Management Solution adds an asset criticality rating (ACR), which provides organizational context by taking a more internal look to derive the criticality of an asset. The ACR is derived by an algorithm that applies several factors and rules to scan data, and the result can also be customized to reflect particular organizational priorities. The ACR algorithm scores each asset based on:

  • Where the asset is located and its exposure to the internet
  • The type of device for a given asset
  • Device functionality

Tenable’s Risk-Based Vulnerability Management Solution combines VPR and ACR scoring to calculate a Cyber Exposure Score, which provides an objective measure of an asset, business unit or whole organization’s cyber risk, depending on the desired view. This measure enables organizational decision-makers to make informed decisions on risk acceptance and reduction. Vulnerabilities are a part of the equation, to be sure, but the scoring the Tenable solution presents is a comprehensive picture of cyber risk that informs decisions about how to reduce risk and measures progress in reducing risk against meaningful internal and external benchmarks.
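To make the VPR-plus-ACR idea concrete, here is a small added example of ranking findings by vulnerability score and asset criticality together. It is not Tenable's code and does not reproduce the ACR or Cyber Exposure Score formulas; the three factor families (exposure, device type, function) come from the list above, but the numeric scales, the weights and the multiplication used to combine them are assumptions made for illustration, as are the asset names and the VPR values attached to the findings.

```python
"""Illustrative risk-based ranking: vulnerability score x asset criticality.

Added example, not Tenable's implementation. Factor scales, weights and the
way the two scores are combined are assumptions for illustration only.
"""
from dataclasses import dataclass

# Assumed 1-10 scales for the three factor families named in the text.
EXPOSURE = {"internet": 10, "dmz": 7, "internal": 4, "isolated": 1}
DEVICE_TYPE = {"server": 8, "network": 8, "workstation": 4, "iot": 3}
FUNCTION = {"identity": 10, "database": 9, "web": 7, "build": 5, "test": 2}


@dataclass(frozen=True)
class Asset:
    name: str
    exposure: str
    device_type: str
    function: str


def asset_criticality(asset):
    """Weighted 1-10 criticality (weights are an assumption, not the ACR algorithm)."""
    score = (0.5 * EXPOSURE[asset.exposure]
             + 0.2 * DEVICE_TYPE[asset.device_type]
             + 0.3 * FUNCTION[asset.function])
    return round(min(max(score, 1.0), 10.0), 1)


def rank_findings(findings):
    """findings: iterable of (Asset, cve_id, vpr). Highest combined risk first."""
    ranked = []
    for asset, cve, vpr in findings:
        acr = asset_criticality(asset)
        ranked.append({"asset": asset.name, "cve": cve, "vpr": vpr,
                       "acr": acr, "risk": round(vpr * acr, 1)})
    ranked.sort(key=lambda r: r["risk"], reverse=True)
    return ranked


# Constructed sample inventory and findings (asset names and VPR values are
# illustrative; the CVE identifiers are ones discussed elsewhere on this page).
DC01 = Asset("dc01", "internal", "server", "identity")
WEB01 = Asset("web01", "internet", "server", "web")
LAB07 = Asset("lab07", "isolated", "workstation", "test")

SAMPLE_FINDINGS = [
    (LAB07, "CVE-2017-11882", 9.9),
    (WEB01, "CVE-2019-2725", 9.6),
    (DC01, "CVE-2018-12130", 8.6),
]

if __name__ == "__main__":
    for row in rank_findings(SAMPLE_FINDINGS):
        print(f"{row['risk']:>6}  {row['asset']:<6} {row['cve']}  VPR={row['vpr']} ACR={row['acr']}")
```

The point of the ranking is the reordering: the highest VPR in the sample sits on an isolated test workstation and drops to the bottom once asset criticality is applied, while the internet-facing web server rises to the top.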

How to Protect Scanning Credentials: Overview


Running remote vulnerability scans of your network? This three-part blog series will equip you with tips on how to keep your scanning credentials safe.

Assessing systems remotely on a network has been a tried-and-true method of open-source and commercial vulnerability scanning since its inception over 20 years ago. External assessments like this are excellent for automatically testing visible network services and finding vulnerabilities or misconfigurations that may expose sensitive information.

A default scan is a remote, unauthenticated test. Unless you’re missing a patch to an exposed network service (e.g., EternalDarkness), this type of scan won’t provide much detail on missing OS or third-party patches or on compliance-related benchmarks (e.g., CIS Benchmarks or DISA STIGs), because it cannot look inside the system being scanned and run the proper tests.

Actual results will vary, but it’s not uncommon to see a 10x increase in the number of vulnerabilities reported between an authenticated and unauthenticated scan (Tenable.io and Tenable.sc customers can use Predictive Prioritization and VPR to help manage this vulnerability overload). These vulnerabilities always existed; authenticated assessments provide visibility that an unauthenticated one cannot.

Thus, a question we often get is: “How do I ensure credentials used for vulnerability scanning are protected?” This is a great thought process for analysts to work through, and there are several things that organizations can do across the board to ensure credentials are secure.

5 ways to protect scanning credentials

  1. Use a unique account for vulnerability assessments.
    There is no reason to share the account used for vulnerability assessments. Create a new one dedicated to this purpose, or have multiple accounts, depending on the complexity of your organization. Accounts should only exist on the systems they apply to (with applicable permissions). Tenable allows you to specify as many accounts as needed to run assessments.
  2. Store credentials in encrypted data stores and/or with appropriate user access (i.e., use privileged access management).
    Storing network passwords in a text file or spreadsheet is definitely a bad idea. Instead, use a system built and designed to store this data securely. Tenable integrates with a variety of solutions to enable customers to use these types of tools.
  3. Only use secure protocols to authenticate to systems on your network.
    There are lots of ways to authenticate to a system in today's networks. Some protocols are clear-text or have known vulnerabilities that make them trivial to compromise. Don’t use these protocols to authenticate to your systems. Though it can use plain-text protocols, Nessus defaults to only using secure protocols to authenticate to target systems.
  4. Restrict when and how accounts are allowed to be used.
    If you’re scanning your network with Nessus every Sunday morning, then there should never be a reason your scanning account is used on a Tuesday from the intern’s laptop. Some platforms also allow accounts to be restricted to only use certain (e.g., secure) protocols. If you can restrict usage of your scanning account(s) to when they’re actually expected, how they authenticate to the targets, and from what systems, then definitely do so.
  5. Monitor accounts used for anomalies.
    If you’re using a dedicated account for scanning or only scanning at certain times, then the usage of that account should be predictable, be it the source of the login attempts (Nessus) or the times of authentication attempts. Don’t overlook the verification component of control implementation.

3 things to avoid

  1. Do not reuse accounts between scanning and users or other IT operations.
    There is no reason to reuse accounts for vulnerability assessments. Accounts should be single-use.
  2. Do not use memorable or recycled passwords.
    Because these passwords won’t ever be typed in manually by a human, they don’t need to be memorable or reused. They should be complex, long and unique.
  3. Don’t change passwords too frequently.
    Unless automated, changing scanning passwords too frequently can lead to scan errors and frustration. Where possible, only manually change passwords due to organizational policy or incident.
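Points 4 and 5 above (restrict when, how and from where the scanning account may be used, then verify that the restriction holds) are easy to turn into a log check. The following is an added example, not Tenable's code: it reads sshd-style authentication events and reports every use of a dedicated scanning account that falls outside the expected source host, scan window or authentication method, or that failed. The account name, scanner address, Sunday scan window and all log lines are constructed for illustration.

```python
"""Audit sshd authentication events for a dedicated scanning account.

Added example (not Tenable's code). Policy values and log lines below are
constructed for illustration.
"""
import re
from datetime import datetime

SCAN_ACCOUNT = "svc-nessus"            # hypothetical dedicated scanning account
SCANNER_SOURCES = {"10.0.5.20"}        # hypothetical scanner address(es)
ALLOWED_METHODS = {"publickey"}        # no password logins for this account
ALLOWED_WEEKDAY = 6                    # Sunday (datetime.weekday(): Mon=0 .. Sun=6)
ALLOWED_HOURS = range(2, 6)            # 02:00-05:59, the Sunday scan window

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Constructed sample log: two expected Sunday logins from the scanner, a
# Tuesday password login and a failure from a non-scanner host, an unrelated
# user, and a scanner login on a Wednesday.
SAMPLE_LOG = """\
2020-04-19T03:12:07Z db01 sshd[4100]: Accepted publickey for svc-nessus from 10.0.5.20 port 51234 ssh2
2020-04-19T03:12:09Z web01 sshd[2201]: Accepted publickey for svc-nessus from 10.0.5.20 port 51240 ssh2
2020-04-21T14:03:55Z web01 sshd[2390]: Accepted password for svc-nessus from 10.0.9.77 port 60112 ssh2
2020-04-21T14:04:10Z web01 sshd[2392]: Failed password for svc-nessus from 10.0.9.77 port 60115 ssh2
2020-04-21T14:05:10Z web01 sshd[2395]: Accepted publickey for alice from 10.0.9.77 port 60120 ssh2
2020-04-22T03:30:00Z db01 sshd[4188]: Accepted publickey for svc-nessus from 10.0.5.20 port 51301 ssh2
""".splitlines()


def parse_event(line):
    """Return a dict for an sshd auth event, or None for lines that are not one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["when"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def check_event(ev):
    """Return the list of policy violations for one event of the scanning account."""
    reasons = []
    if ev["src"] not in SCANNER_SOURCES:
        reasons.append(f"source {ev['src']} is not a known scanner")
    when = ev["when"]
    if when.weekday() != ALLOWED_WEEKDAY or when.hour not in ALLOWED_HOURS:
        reasons.append(f"used at {ev['ts']}Z, outside the scan window")
    if ev["method"] not in ALLOWED_METHODS:
        reasons.append(f"{ev['method']} authentication is not permitted for this account")
    if ev["result"] == "Failed":
        reasons.append("authentication failure for the scanning account")
    return reasons


def audit(lines):
    """Run every line through the checks; report findings for the scanning account only."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["user"] != SCAN_ACCOUNT:
            continue
        reasons = check_event(ev)
        if reasons:
            findings.append({"host": ev["host"], "line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f["host"], "->", "; ".join(f["reasons"]))
```

On the sample, the two Sunday logins from the scanner pass, the Tuesday activity from the non-scanner host is flagged on source, time and method, and the Wednesday scanner login is flagged on time alone. The same shape of check works for Windows logon events once the parser is swapped.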

Next time, we’ll discuss Windows credentialed assessments and how you can secure them.

Note: There are alternatives to credentialed network scanning, such as agents and passive assessments.

How VPR Helped Prioritize the Most Dangerous CVEs in 2019


How do VPR and CVSS compare when assessing the most dangerous CVEs in 2019? Let’s find out.

Two weeks ago, we kicked off a blog series on vulnerability priority rating (VPR), with a post focused on the characteristics of VPR that differentiate it from CVSS. In this post, we will demonstrate how VPR can be used to target the most dangerous vulnerabilities that exist in your network.

The riskiest vulnerabilities based on industry reports

It is common for organizations to publish lists of the most dangerous vulnerabilities based on their own telemetry and analysis. For this analysis, we examine the most dangerous CVEs of 2019 based on publications by Recorded Future, SonicWall and Verint. Their respective ratings capture different aspects of threats: threats from advanced persistent threat (APT) activities, threats from attacks in the wild and threats captured from the web. 

We will look at how VPR could have helped target the riskiest vulnerabilities in the threat landscape. First, a quick note on the industry reports:

Overview: A look at the data

The three reports highlight the 31 most dangerous CVEs in 2019, affecting 76 products from 18 vendors. Around 40 percent relate to Microsoft products while the remainder are split across 17 other vendors (see Figure 1). 

Figure 1. Most dangerous CVEs in 2019 by vendors

Table 1 lists all the CVEs included in the three reports, ordered by VPR score. The RF (Recorded Future), SW (SonicWall) and VT (Verint) columns indicate the report where each CVE is listed. In general, VPR is better at reflecting the threat of the CVEs than CVSS:

  • 28 (90%) of the vulnerabilities are rated VPR Critical with a 9.6 minimum score – this VPR score would typically win a spot in the top 100 highest-priority vulnerabilities for remediation. CVSS rates 14 vulnerabilities as Critical, including 11 by CVSSv3 and three by CVSSv2 (which have no CVSSv3 score). The minimum CVSSv3 score for these vulnerabilities is 9.8. Technically, this is a high CVSSv3 score, but not enough to stand out from the crowd of 8,700 CVEs with the same and higher CVSSv3 score.
  • Some vulnerabilities from these lists were not rated Critical by VPR or CVSS. Of these, three are rated VPR High and 15 are rated CVSS High. None are categorized as VPR Medium and two are rated CVSS Medium. The last section of this post is dedicated to the discussion of the reason and methods for mitigation.

Table 1. Most dangerous CVEs of 2019

Do not overlook local vulnerabilities

A common misconception is that the most exploited vulnerabilities are associated with remote attacks (attack vector = network [AV:N]). The statistics, however, tell a slightly different story. Nearly a third of these vulnerabilities are exploited locally (attack vector = local [AV:L]) via phishing campaigns or spam emails, for example. See Figure 2.

Figure 2. Most dangerous CVEs in 2019 by attack vectors

As shown in Table 2, the average CVSSv3 score for CVEs with a local attack vector is 7.3, but 9.0 for the remotely exploitable vulnerabilities. This difference is due to the fact that the CVSS scoring formula gives a lower weight to AV:L than AV:N. This can result in locally exploited vulnerabilities being excluded from remediation plans based on their CVSS score. In fact, there is only one configuration that could generate a Critical CVSSv3 score for a locally exploited CVE: AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.

Table 2. Comparing average VPR with CVSS for the most dangerous CVEs in 2019, broken out by attack vector

On the other hand, VPR does not penalize vulnerabilities with local attack vectors. Notice that there’s little difference in the average scores based on the attack vector. This means, VPR can bubble up the most threatening vulnerabilities irrespective of attack vector.

CVE-2017-11882: Microsoft Office vulnerability

One example is the Microsoft Office vulnerability, CVE-2017-11882, which was selected as one of the most dangerous CVEs in 2019. Exploitation of this CVE is often associated with phishing emails. Successful exploitation can run scripts to download, execute and persist backdoor trojans on the target host. Although a patch was released in 2017, this CVE remains under constant threat. In June 2019, it was reported as being under active exploitation by cybercriminals targeting European countries. IBM researchers have also found evidence of it being actively targeted in their honeypot systems in 2019. This year, there are reports of it being used in phishing campaigns in the pandemic of COVID-19. Based on Tenable scan telemetry, we estimate that eight percent of our customers are still affected by this vulnerability. 

Considering the persistent threat against it, this CVE should be one of the first patched following detection in your network. CVSSv3 rates this CVE as 7.8 because successful exploitation needs to be performed locally and requires user interaction. As a result, such a CVSSv3 score would rank CVE-2017-11882 behind 18410 other CVEs for remediation. On the flip side, the VPR for this CVE is 9.9, flagging it as a top priority.

Threat is more than being popular on the web

Not all these CVEs came under the spotlight in 2019. Google Trends is a great tool for assessing the popularity of search terms. It provides weekly popularity scores for search terms you input. The scoring is relative, with the most popular term scoring 100 at its peak. The other search terms are scaled between 0 and 99.

We pulled Google Trends popularity scores for all the 31 most dangerous CVEs. The Top 5 most popular CVEs based on Google Trends were:

  • CVE-2019-0708
  • CVE-2019-2725
  • CVE-2019-0604
  • CVE-2019-10149
  • CVE-2018-12130

Figure 3a compares their weekly popularity scores during 2019. CVE-2019-0708 (BlueKeep), Microsoft’s Remote Desktop Protocol vulnerability, received widespread attention following disclosure in mid-May.

Figure 3a. The top 5 most popular CVEs based on Google Trends 

The popularity of CVE-2019-0708 (BlueKeep) was so great in 2019 that it dominates Figure 3a, making the trend lines of other CVEs become hardly distinguishable from zero. To better illustrate the trend of popularity for other CVEs, we excluded the top three most popular CVEs from the search and redid the chart (see Figure 3b). CVE-2019-10149 and CVE-2018-12130 are included in Figure 3b as references for scale between the two charts. 

Figure 3b. CVE popularity by Google Trends excluding the top 3 most popular CVEs

These CVEs fall into two groups:

  • Group 1: CVEs with noticeable spikes during 2019, corresponding to lots of hype on the web.
  • Group 2: CVEs that went under the radar in 2019 (lost in the noise at the bottom of Figure 3b). Six CVEs belong to this group: CVE-2012-0158, CVE-2019-0752, CVE-2017-17215, CVE-2018-0802, CVE-2017-8750 and CVE-2015-2419. These are the vulnerabilities to watch out for. They face constant attacks from threat actors in the wild, but manage to escape widespread recent media attention. These vulnerabilities are usually highly weaponized and can be exploited relatively easily by cybercriminals. All six of these vulnerabilities are rated as VPR Critical. But, only four of the six are rated Critical based on CVSSv3.

Dangerous CVEs not rated to be VPR Critical

Three of the most dangerous vulnerabilities in 2019 did not receive a VPR Critical rating:

  • CVE-2018-12130 (VPR 8.6)
  • CVE-2017-5715 (VPR 8.3)
  • CVE-2017-10271 (VPR 7.5)

In part 1 of the blog series, we explained that VPR is composed of a technical impact component, which is taken from the CVSSv3 impact score, and a threat component generated from our machine-learning-based threat model. In this case, all three vulnerabilities were assigned low impact subscores. The low impact component essentially anchors the VPR score to be below 9 based on the scoring model.

As VPR is a composite score, the weights assigned to the various components are an ongoing topic. So, while VPR on its own can be used as a filtering criterion for vulnerability remediation efforts, it is not the only factor to consider. Sometimes, when considering other factors, there might be a trade-off:

  • What is the impact score of the vulnerability? 
  • How mature is the exploit code? 
  • Has there been recent threat activity? 
  • What were the threat sources? 

The VPR drivers, which we’ll explore later in this blog series, can help refine the decision-making process.

Key takeaways

In this post, we compared VPR with CVSS scores for the most dangerous 31 CVEs reported by Recorded Future, SonicWall and Verint in 2019. VPR rated 28 as Critical while CVSS rated 14 as Critical. 

Looking at these CVEs from different angles, we saw that vulnerabilities with a local attack vector are as dangerous as those with a network attack vector, but could get neglected if you follow CVSSv3 scores alone for remediation. VPR allows these locally attacked dangerous vulnerabilities to be prioritized as Critical vulnerabilities based on high threat against them. 

Moreover, dangerous vulnerabilities are not always the ones that make the headlines. By looking at Google Trends, we noticed six dangerous CVEs did not come under the spotlight in 2019. Hence, identifying and remediating the most dangerous CVEs based on web popularity is not reliable. These CVEs might have had their taste of the limelight, but would require security researchers to spend time digging into their history. Instead, the use of multiple threat sources and exploit code maturity allows VPR to identify vulnerabilities with stealth threats. 

Finally, we talked about the importance of using VPR scores with other criteria, like those offered as VPR drivers, for better decision making.

WordPress E-Learning Plugin Vulnerabilities Range from Cheating to Remote Code Execution


Several flaws in popular WordPress E-Learning plugins LearnPress, LearnDash and LifterLMS could allow for cheating, students gaining teacher privileges and exposure of sensitive personal information.

Background

On April 29, 2020, Check Point researchers Omri Herscovici and Sagi Tzadik published research into three popular WordPress learning management system (LMS) plugins: LifterLMS, LearnDash and LearnPress. These LMS plugins can be used to deliver training programs and educational courses to businesses and educational institutions remotely, a capability that has become essential due to the COVID-19 pandemic.

Check Point highlighted that there were 80,000 active installations of LearnPress, 10,000 active installations of LifterLMS and 33,000 installations of LearnDash at the time their research was published. The vulnerabilities include an arbitrary file write flaw in LifterLMS, an SQL injection flaw in LearnDash, an escalation of privilege and an SQL injection in LearnPress.

Analysis

CVE-2020-6008 is an arbitrary file write vulnerability in LifterLMS versions below 3.37.15. Of all of the LMS plugin vulnerabilities discovered, this ranks as the most serious. The vulnerability exists because an AJAX request fails to validate the file extension during upload, which allows a PHP file to be created in an arbitrary location without a permission check, although the requester initially has no control over the file's content.

A registered user can check which course ID they are registered to and submit it in the original AJAX request, which will output their name into a PHP file. This user can embed malicious PHP code into the change name option in their profile, which will output into the PHP file that was created. From there, the user can simply navigate to the generated file, execute the code within and achieve remote code execution.

CVE-2020-6009 is an unauthenticated second-order SQL injection vulnerability in LearnDash versions below 3.1.6. The flaw exists in the learndash_get_course_groups function in the ld-groups.php file, which fails to correctly sanitize user-supplied data (for example, by using prepared statements) before using it in an SQL query. Exploitation could result in the exfiltration of data, such as usernames, passwords, names, e-mail addresses and other personally identifiable information (PII).

CVE-2020-6010 is an authenticated time-based SQL injection vulnerability in LearnPress versions 3.2.6.7 and below. Check Point noted in their research that this flaw was “very trivial to identify and exploit.” The vulnerability exists in the _get_items method within the LP_Modal_Search_Items class, which fails to correctly sanitize user-supplied data, specifically, the GET/POST parameter current_items before using it in an SQL query. The exploitation of this vulnerability results in the same ramifications as CVE-2020-6009, resulting in the exfiltration of sensitive data and PII.

CVE-2020-11511 is a privilege escalation flaw in LearnPress versions 3.2.6.7 and below. This flaw exists due to the presence of the learn_press_accept_become_a_teacher function. This function can be requested by anyone, as it fails to check the permissions of the requesting user, allowing the elevation of privilege to the teacher role. Access to the teacher role would allow access to course content, tests, and personal information such as grades.
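The two defect classes described above, shown as an added illustration in WordPress PHP (not code from LearnPress, LearnDash or Check Point): a weak admin-ajax handler that interpolates the `current_items` parameter into SQL beside one that binds every value through `$wpdb->prepare()`, and a role-change action with no permission check beside one gated by a nonce and a capability check. All `example_` names and the `example_lms_teacher` role are hypothetical; only `current_items` comes from the advisory.

```php
<?php
// Added illustration (not code from LearnPress, LearnDash or Check Point):
// the two defect classes described above, each beside a hardened form.
// Names prefixed "example_" are hypothetical; only `current_items` is
// the parameter name the advisory mentions.

// --- 1. SQL injection: an admin-ajax handler that filters by item IDs ---

// Weak form: the request parameter is concatenated straight into the query,
// so a crafted value changes the statement instead of being treated as data.
function example_lms_search_items_weak() {
    global $wpdb;
    $current = isset( $_REQUEST['current_items'] ) ? $_REQUEST['current_items'] : '0';
    $sql = "SELECT ID, post_title FROM {$wpdb->posts}
            WHERE post_type = 'lp_course' AND ID NOT IN ({$current})";
    wp_send_json( $wpdb->get_results( $sql ) );
}

// Hardened form: authenticate the request (nonce + capability), coerce each
// value to an integer, and bind every value through $wpdb->prepare(). WordPress
// has no placeholder for a whole list, so one %d is emitted per element.
function example_lms_search_items_safe() {
    global $wpdb;
    check_ajax_referer( 'example_lms_search', 'nonce' );           // dies on failure
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $raw = isset( $_REQUEST['current_items'] ) ? (array) $_REQUEST['current_items'] : array();
    $ids = array_filter( array_map( 'absint', $raw ) );           // non-numeric -> 0 -> dropped
    if ( empty( $ids ) ) {
        $ids = array( 0 );                                           // keeps the IN () list valid
    }
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_type = %s AND ID NOT IN ({$placeholders})",
        array_merge( array( 'lp_course' ), $ids )
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// --- 2. Privilege escalation: a role-change action with no permission check ---

// Weak form: any logged-in request that reaches this action promotes the caller.
function example_lms_accept_teacher_weak() {
    $user = wp_get_current_user();
    $user->set_role( 'example_lms_teacher' );                       // hypothetical role name
    wp_send_json_success();
}

// Hardened form: only a user holding promote_users (the core capability that
// gates role changes) may accept an applicant, and the target user is read
// from the request only after the nonce check passes.
function example_lms_accept_teacher_safe() {
    check_ajax_referer( 'example_lms_accept_teacher', 'nonce' );
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $applicant = get_user_by( 'id', absint( $_REQUEST['user_id'] ?? 0 ) );
    if ( ! $applicant ) {
        wp_send_json_error( 'unknown user', 404 );
    }
    $applicant->set_role( 'example_lms_teacher' );
    wp_send_json_success();
}

add_action( 'wp_ajax_example_lms_search_items',   'example_lms_search_items_safe' );
add_action( 'wp_ajax_example_lms_accept_teacher', 'example_lms_accept_teacher_safe' );
```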

Proof of concept

The researchers at Check Point composed a video demonstrating the exploitation of each of these vulnerabilities:

Solution

LearnPress developer ThimPress has addressed both of its vulnerabilities and users are advised to update to the latest version, 3.2.7. Users of LifterLMS are advised to update to the latest available version, 3.38.0, while LearnDash users are advised to update to version 3.1.6.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

CVE-2020-11651, CVE-2020-11652: Critical Salt Framework Vulnerabilities Exploited in the Wild


Shortly after the public disclosure of critical vulnerabilities in the Salt framework, exploitation attempts were observed, as two open source projects were breached using these flaws.

Background

On April 30, F-Secure Labs published an advisory for two vulnerabilities in the open-source and commercial Salt management framework, which is used in data centers and cloud environments as a configuration, monitoring and update tool. Salt utilizes a “master” server that controls “minion” agents, which collect data for the system and carry out tasks. All versions prior to 2019.2.4 and 3000.2 are vulnerable.

Analysis

CVE-2020-11651 is an authentication bypass in two methods of the ClearFuncs class. The first method, _send_pub(), is unintentionally exposed, allowing an attacker to queue messages on the master server that can be used to cause minion agents to execute arbitrary code. The second method, _prep_auth_info(), allows for the remote execution of commands on the master server, as an attacker can obtain the “root key,” which is used to authenticate commands on the master server from a local machine.

CVE-2020-11652 is a directory traversal security flaw in the “wheel” module that is used to read and write files. The get_token() method of the salt.tokens.localfs module allows for the insertion of “..” path elements, and in turn the reading of files outside of the intended directory. This occurs due to the failure to correctly sanitize the token input parameter, which is used as a filename with the only limitation being that “the file has to be deserializable by salt.payload.Serial.loads().”

Both of these vulnerabilities are exploitable by a remote, unauthenticated attacker. Combining these two vulnerabilities could result in “full remote command execution as root on both the master and all minions that connect to it" and could be used to configure new resources on cloud instances. F-Secure also noted in their advisory that a “scan revealed over 6,000 instances of this service exposed to the public Internet” and that “any competent hacker will be able to create 100 percent reliable exploits for these issues in under 24 hours."

LineageOS breached as active exploitation attempts begin

On May 2, LineageOS, a free and open-source Android OS, published a tweet stating that an attacker used a SaltStack vulnerability to gain access to their infrastructure. LineageOS noted that signing keys, builds and source code were unaffected, but this incident resulted in some downtime. LineageOS says they will continue to update their status here.

On May 3, reports of active exploitation of these vulnerabilities surfaced, with Kevin Breen of Immersive Labs posting to his Twitter feed evidence of attacks against his SaltStack honeypots. Kevin followed up on his original tweet, stating that “this was against 3 geographically dispersed honeypots. So its internet-wide scan and exploit,” and noting that the payload was run on all of the connected minions rather than on the salt master.

Ghost blogging platform breached using these vulnerabilities

On May 3, Ghost, an open-source blogging platform, was the victim of a cyberattack. An investigation was started and is being tracked here. Ghost has since confirmed that attackers exploited “a critical vulnerability in our server management infrastructure (Saltstack, CVE-2020-11651 CVE-2020-11652)” to breach their systems. They first became aware of the intrusion when the attackers used these vulnerabilities in an attempt to mine cryptocurrency on their servers, causing a spike in CPU usage that eventually overloaded their systems.

Proof of concept

While F-Secure has stated in their advisory that they will not be releasing their proof of concept (PoC), Ollie Whitehouse, chief technical officer at NCC Group, published a PoC as a GitHub gist.

Solution

The SaltStack engineers patched these vulnerabilities in versions 2019.2.4 and 3000.2, which were released on April 29. If it is not possible to patch at this time, it is advised to add “network security controls that restrict access to the salt master (ports 4505 and 4506 being the defaults) to known minions, or at least block the wider Internet.”

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities can be found here.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Instacart Patches SMS Spoofing Vulnerability Discovered by Tenable Research


As grocery delivery services have seen an increase in traffic from users during the coronavirus pandemic, Tenable Research identified an SMS spoofing flaw that could have allowed an attacker to send spoofed messages to any mobile number.

Background

On May 1, Instacart, the popular grocery delivery and pickup service that saw a ten-fold boost in sales growth in March 2020, patched an SMS spoofing vulnerability that could have been exploited by attackers to send malicious links to arbitrary phone numbers by abusing a feature on Instacart’s website. This vulnerability was identified and reported to Instacart by Jimi Sebree, staff engineer with Tenable’s Zero Day Research Team.

Downloading mobile applications via text

Users who visit popular services via a web browser may be prompted to download the mobile application on their device as a more user-friendly alternative. Some websites offer users the option to send themselves a text message with a link to download the application.

On Instacart, after a user has placed an order via the company’s website, they’re directed to a page offering them the ability to “upgrade” their experience using the Instacart mobile app. Users are asked to provide their mobile number to receive a short message service (SMS) message with a link to download the mobile app.

While this feature seems harmless, it is ripe for exploitation. Researchers at Check Point disclosed a similar vulnerability through TikTok’s website earlier this year.

Analysis

Investigating the vulnerable “request_invite” endpoint

When a user provides their mobile number using this feature on Instacart’s website, a request is made to Instacart’s “request_invite” endpoint.

The request contains parameters such as the warehouse_id and zone_id, which are associated with a store’s ID and regional location. The actual payload of the request includes the phone number entered into the field, as well as a unique link to download the Instacart mobile application.

In analyzing this endpoint, we found that we could re-purpose the existing request to send an SMS to anyone by modifying the phone number and link parameters, and it would appear as though the message originated from Instacart.

Modifying parameters in the request

In this spoofing scenario, the end user receives an SMS message asking them to download the Instacart App from a fake website.

The message sent to users through this form always includes the “Download the Instacart App:” message at the beginning, but the attacker would be able to control the link and any text included after it.

Capturing request information after placing an order 

In order to leverage this flaw in the request_invite endpoint, the attacker would need to place an order using the Instacart website first. Once the order has been placed, the attacker will be able to capture the request information, including the required security headers, such as the x-csrf-token and HTTP cookie. These headers are needed in order to replay the modified request back to the vulnerable endpoint.

Unintended mitigation: Session limitation

In our research, we found that this information was valid only for a limited period of time, so an attacker would need to utilize this window of opportunity in order to send their malicious messages. However, they could cancel their existing order and simply place a new order every time they wanted to capture the request from an active session.

SMS messages and the real-world impact of this vulnerability

Exploitation of this vulnerability would allow an attacker to send SMS messages to unsuspecting users, attempting to convince them to install malware or imposter applications onto their mobile device, or direct them to phishing websites designed to steal their credentials. As the attacker can control the URL sent to a victim, they could point to a host under their control and embed code within the target URL to attempt various exploits determined by the user-agent passed by the victim’s web browser.

Unsolicited SMS messages aren’t new, but they create a unique problem for end users as there’s no way to validate that the links they’ve received are, in fact, legitimate. This is further complicated by the use of URL shortening services, which allow attackers to disguise links to malicious websites.

Impact

At the time of this writing, there is no evidence that this flaw has been used by malicious actors. However, if exploited, an attacker could have used this vulnerability to distribute malware or attempt phishing campaigns. 

Vendor response

Tenable notified Instacart of this vulnerability on April 28. Instacart quickly responded to our disclosure, acknowledging and fixing the issue on May 1.

Tenable reviewed additional endpoints on Instacart’s website and found they functioned as expected, and were not susceptible to tampering like the request_invite endpoint.

Solution

As of May 1, this issue has been fixed. Since the flaw was server-side on Instacart’s infrastructure, no update or action is required by users of their service.

Instacart’s fix simply removes the link parameter from the request so that it cannot be tampered with.

Despite the lack of the link parameter, the user will still receive a link to download the Instacart mobile application.

Protecting against SMS spoofing vulnerabilities

Other services are likely affected by similar SMS spoofing flaws. Until those services address them, the only recourse end users have is to be wary of unsolicited links sent to their mobile devices, even if they originate from a trusted number for a service they’ve used before.

Get more information 

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 30-day trial of Tenable.io Vulnerability Management.

4 Major Signs You Need to Focus on Network Vulnerabilities


Network vulnerabilities can manifest in many forms. It's critical that you remain on the lookout for some of their most notable signs and work to address them sooner rather than later.

There's no denying the severity of the threat posed by cyberattacks and breaches to organizations of all kinds, across both the public and private sectors: 

  • According to data compiled by the Identity Theft Resource Center, 1,272 data breaches have affected U.S. private-sector organizations in 2019 (as of November 13), exposing more than 163 million confidential records.[1]
  • The majority of breaches (71%) are financially motivated, per Verizon's 2019 Data Breach Investigations Report. Meanwhile, according to a joint IBM-Ponemon Institute report, the average cost of a single breach worldwide is $3.9 million.[2]
  • Ransomware attacks are particularly and increasingly prevalent, especially against health care facilities and state or local government agencies.[3] And the types of ransomware deployed are more complex than ever.

These facts all point to the big-picture existential threat posed by cyberattacks and network security threats. It's apparent that the possibility of sustaining such an attack is far too big to ignore. But, how do you determine the level of danger your organization is in? It's time for you to look for key signs of network vulnerabilities and begin working to address them as rapidly as possible, based on the risk they pose to your business:

4 key signs that vulnerability assessment is necessary 

Let's go over the key signs that you can identify as clear indicators of potential network and software vulnerabilities: 

#1. It's been a while since you’ve performed an assessment
We'll start with this one because it's the simplest to recognize and one of the most important: If more than a month has passed since the last audit of your organization's IT security architecture, now is a good time to begin a new assessment. And if you don't remember when your last security check-up was, it's definitely been too long. 

Malicious online actors alter and advance their tactics at breakneck speed – faster than the cybersecurity experts who are working on the other side of the line. As such, there's a chance the countermeasures you previously approved – or recently added to the system – aren't capable of appropriately monitoring for the most cutting-edge cyberattacks.


#2. The IT budget is short on security
Every segment of every organization is responsible to the bottom line in one way or another. This can mean some aspects of operations are emphasized, from a budgetary and resourcing perspective, while others fall by the wayside. Although it varies by industry, cuts often occur – not surprising, considering the average company spends just 3.28% of revenue on its tech resources.[4]

The reporting capabilities of a comprehensive network vulnerability assessment solution like Nessus can amass data to help make the case for allocating more funding and resources to cybersecurity. Evidence of potential vulnerabilities and their concrete impact will also be valuable. 

#3. Observable unawareness of cybersecurity among staff
All successful cyberattacks are breaches, because hackers had to defeat your network's defenses (or circumvent ordinary channels, as in social engineering-based hacks) to introduce malware to your system. But not all breaches are cyberattacks. If confidential information accidentally falls through the cracks due to human error, that's a breach, even if it's quickly contained. (Only 31% of employees receive regular cybersecurity training,[5] so it's not exactly a matter of assigning blame.)

If a review of employees' network activity reveals signs of unsafe practices, a vulnerability assessment will suss out how compromised you are and reveal what segments of security architecture most need improvement.

#4. Disorganized accounts
Managing account access is a fundamental cybersecurity task. And, a quick look at the inventory of user accounts on your network can reveal the need for a vulnerability scan. Old accounts of former employees that aren't promptly deactivated represent a clear point of potential exploitation (either by the ex-staffer or by someone who compromises the account).

Not dissimilarly, accounts that don't look genuine are a major sign of unscrupulous activity: Hackers often use fake network accounts to disguise whatever harm they're doing to a network, be it the installation of spyware or something more nefarious like a rootkit providing complete control of one or more computers. 

Of course, the signs depicted above aren't the only indicators of trouble in the network – or the possibility thereof – and the need for a vulnerability assessment. But as some of the easiest signals to detect, uncovering them can go a long way toward developing a more comprehensive portrait of your organization's Cyber Exposure. 

Choosing the right vulnerability scanner

Once you've determined you need a vulnerability assessment, how do you go about it the right way? And, how can you be sure you're using the best possible tool? Here are some key things to look for:

  • Comprehensive coverage: You effectively hamstring an assessment if it examines some facets of your network meticulously, but doesn't showcase issues in others. The platform you use should allow for complete discovery of physical, virtual and cloud assets.
  • Accurate analysis: Some vulnerabilities will be more pressing than others, so establishing a hierarchy of which threats to address first is critical. 
  • Ease of use: Using a solution that's accessible to non-experts can help facilitate better awareness of cybersecurity throughout the organization.
  • Reporting and analytics: Quantifying the state of your network's security through use of pertinent key performance indicators and detailed reporting of assessment findings is an absolute must.

Nessus Professional has the strength and comprehensive functionality to thoroughly assess your organization's vulnerabilities.

Start your free Nessus trial

1. 2019 Data Breach Report, Identity Theft Resource Center
2. 2019 Report: Cost of a Data Breach, IBM
3. Ransomware attacks on US local governments and healthcare providers are on the rise, CNN, October 8, 2019
4. Technology Budgets: From Value Preservation to Value Creation, Deloitte Insights, November 2017
5. 2019 Cyber Risk Survey, Chubb
