Following active exploitation against F5 BIG-IP devices, exploit attempts targeting newly disclosed vulnerabilities in Citrix products have begun, which include potential extraction of VPN sessions on vulnerable targets.

Background

On July 7, Citrix disclosed 11 new vulnerabilities in the Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliance devices. Following the disclosure of these vulnerabilities, Citrix published a blog post noting that there were some barriers to exploitation, but encouraged customers to apply the security fixes as soon as possible. Shortly after the disclosure, Dr. Ullrich of SANS Internet Storm Center (ISC) detected unidentified exploit attempts leveraging some of these vulnerabilities, which appeared to be probing for vulnerable devices.

Analysis

The following is the list of vulnerabilities that Citrix patched as part of their recent CTX276688 advisory:

Of the 11 vulnerabilities patched by Citrix, attackers are attempting to exploit the following CVEs in the wild:

CVE-2020-8193 is an authorization bypass vulnerability in the management interface on the device’s NSIP address. The NSIP address is a specific device IP address dedicated to the management interface for Citrix devices. An attacker could send a specially crafted request to the NSIP address that bypasses the administrator login and gain direct access to the device.

CVE-2020-8195 and CVE-2020-8196 are information disclosure vulnerabilities found in the management interface with either user access or after exploiting the auth bypass on the device. By sending a specially crafted HTTP request, an attacker could retrieve important device information like configuration files. At this time, it’s unknown which of these two vectors are specifically being used to target victims due to the similarities between the vulnerabilities.

These three CVEs were discussed in a technical writeup by Donny Massland, one of the researchers credited with reporting five of the 11 vulnerabilities, where Massland discusses the potential impact of exploitation of these vulnerabilities.

Well, since people wanted to know, here is my write-up for the Citrix vulnerabilities I found last January (including local file disclosure!):https://t.co/XkubhdVpv9

— Donny Maasland (@donnymaasland) July 8, 2020

Exploitation in the wild

On July 10, the NCC Group’s Research and Intelligence Fusion Team (RIFT) detected active exploitation of a subset of the vulnerabilities Massland disclosed.

On the Citrix ADC Vulnerabilities per @donnymaasland 's blog we've confirmed impact / replicated VPN session theft.https://t.co/2YgBBcv3DIpic.twitter.com/cZSnOhuyLO

— NCC Group Research & Technology (@NCCGroupInfosec) July 10, 2020

NCC Group subsequently published their own blog post about the flaws, detailing the detected exploitation alongside the information gathered by SANS and created a timeline showcasing disclosure to exploitation.

Image Source: NCC RIFT

The quick turnaround time from disclosure to exploitation from the detected threat group matches up with attacks by the same threat actor that NCC Group observed utilizing the F5 BIG-IP vulnerability that was disclosed on June 30. Within less than a week from disclosure, vulnerable assets were being successfully exploited.

Image Source:NCC RIFT

Proof of concept

Massland's Blog provides examples of exploitation for obtaining device configurations and active VPN sessions and several researchers have released PoC scripts to the general public on GitHub.

Solution

Citrix has released patches for these vulnerabilities, and lists the following versions as fixed:

Tenable strongly recommends applying these patches as soon as possible, especially now that active exploitation has been observed in the wild.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities can be found here.

Get more information

• CVE-2020-5902 : Tenable Blog covering a critical vulnerability in F5 BIG-IP
• Citrix Advisory CTX276688
• Citrix Blog providing additional context on CTX276688
• SANS ISC Exploitation Detection
• NCC Group RIFT Analysis Blog
• Donny Massland's Vulnerability Disclosure

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Take a look at key tools for your cybersecurity arsenal, including penetration testing, threat modeling and more.

Determining your organizational approach to cybersecurity — which tools you use, how you allocate personnel and financial resources to the task, where you harden your IT infrastructure the most — is not the easiest task when you're new to it. Truth be told, it's not necessarily easy when you've done it half a dozen times, either. 

As such, you'll need to review your options. These run the gamut from fairly well-known quantities like penetration testing and vulnerability assessments to newer practices like threat modeling and bug bounties. Regardless of which route you take, it will still be well worth your while to understand the available paths to a more secure network.

Before we begin, it’s important to explore the relationship between vulnerability assessment and penetration testing. While they are best used in tandem, they are often mistaken for one another. Vulnerability assessment is the process by which an organization enumerates all of the potential areas of weakness on their systems. During penetration testing, they are confirming the potential risks, putting the hypothetical weaknesses to the test to confirm whether and how they could lead to a successful cyberattack. 

Penetration testing: A valuable yet underutilized tool

The key point of penetration testing (sometimes shortened to "pen testing") is to actively identify dents in your network's armor.¹ Specifically, you do so by looking for them — and, when found, attack them the way an attacker would.

Some penetration testing tools are software-based, using automated scanners to find problems wherever they may be: in specific applications, within the network's firewall, embedded within your operational technology and so on. In other cases, the test will actively simulate an attack. This can mean putting excessive pressure on the network and specific operations within it (like a very mild version of a dedicated-denial-of-service attack).

No matter how they're executed, penetration tests should always be conducted with precise goals in mind. For example, you could deploy a series of tests in conjunction with reporting from a vulnerability assessment tool like Nessus. If the assessment identified issues with network security and your organization took measures to rectify them, pen testing would help assess if the remediation was effective.

Each of the tools we'll be discussing here will be most effective if you have an underlying and ongoing vulnerability assessment program in place.

Cybersecurity audits: For the sake of standards

All organizations are beholden to regulations created by government departments and leading industry organizations - some more so than others. The effectiveness of cybersecurity measures is, at times, part of such criteria. Cybersecurity audits are, in fact, centered primarily around compliance. They do involve examination of the protections a given organization has in place for certain aspects of its IT infrastructure, and Nessus Professional is one such tool that can assist with compliance auditing. However, audits can often be myopic, and thus should not ever be the sole cybersecurity framework that a company uses.

Consider PCI DSS compliance for a perfect example of a cybersecurity audit's characteristics and shortcomings. Some of its requirements are extremely important, like encrypting and maintaining a firewall configuration for clients' credit card data, using (and regularly updating) antivirus software and consistently testing security systems.² But there are organizations for whom PCI doesn't apply, and moreover, plenty of entry points for cyberattackers that don't involve financial data. The same goes for similarly sector-specific standards like HIPAA's cybersecurity requirements.

Audits centered around more comprehensive standards, like ISO 27001 or 27701, will be more efficacious. The 2019 update³ to 27701, in particular, involves particularly robust data protections, likely to keep up with the GDPR regulations that are often cited for their meticulousness. But the fact remains that if you orient your cybersecurity procedures around compliance and audits, your organization is setting a ceiling for how well-protected it can be. Audits must always be accompanied by ongoing vulnerability assessments and other cybersecurity best practices.

Threat modeling: Preemptive catastrophizing

Knowing how many vulnerabilities your network has and where they are is obviously critical. How else are you going to rectify these flaws? But in certain circumstances you may need to know much more.

Imagine that you knew a cyberattack on your organization was either imminent or highly likely. This wouldn't require clairvoyance on your part; perhaps you're part of an industry that's frequently targeted by malicious online actors. Or maybe a specific malware is bouncing around your city or region (the way WannaCry spread through multiple countries, and then crossed continents, in a matter of hours⁴).

Threat modeling can be extremely valuable in this situation. At its essence, this methodology entails envisioning the results of a specific cyberattack on your organization.⁵ Such projections should include monetary and data losses, time spent dealing with the attack's immediate and lasting consequences, estimates of how big a hit each department or business unit will take and other key performance indicators.

Using these bottom-line numbers about cyberattack impact can help impress the seriousness of the issue upon people in your organization who might not fully understand it otherwise. Threat modeling can also be applied as a preemptive tactic and built into the overall structure of your organizational cybersecurity strategy. 

Bug bounties: Bringing in the mercenaries

Penetration testing is a more conventional form of ethical hacking— especially if you commission a third party to handle it. On the (somewhat) less typical end of the spectrum lie bug bounties.

Instead of hauling in cattle thieves in the Wild West, ethical hackers who pursue bug bounties seek cash rewards from organizations who want their security flaws uncovered and patched. Sometimes these assignments are low-key affairs between one business and a white-hat security consultant; others are part of programs maintained by tech giants like Apple, Facebook and Google — and the U.S. military.⁶

Commissioning bug bounties may not be the right play for all organizations, but if you can afford it — and you find a trusted white-hat — it can be useful for tracking down vulnerabilities in the network that your IT team can't spot.

A balanced approach

There's no single right answer when it comes to developing a cybersecurity strategy. It all depends on the needs of your organization, which will probably fluctuate over time. By balancing a comprehensive vulnerability assessment program with savvy deployments of all of the methods described above, you give yourself and your business the best chance at a truly secure network and IT infrastructure.

Nessus Professional is the industry-leading vulnerability assessment solution. Try it today with a free 7-day evaluation.

Start Your Free Nessus Trial

_{1. TechTarget, "Pen Test (Penetration Testing)," October 2018
2. PCI Security Standards Council, "Maintaining Payment Security,"
3. ISO, "Security Techniques: Extension to ISO/IEC 27001 and ISO/IEC 27002," August 2019
4. BBC News, "Cyber-Attack: Europol Says It Was Unprecedented in Scale," May 2017
5. Daniel Miessler, "Information Security Assessment Types," December 2019
6. Tripwire, "10 Essential Bug Bounty Programs of 2020," June 2020}

Threat actors utilize publicly available proof of concept code and exploit scripts to target unpatched vulnerabilities within organizations and government entities.

Background

On June 19, the Australian Cyber Security Centre (ACSC) published Advisory 2020-008 in response to reports that threat actors were targeting Australian government agencies and companies. The full advisory includes information about multiple vulnerabilities the threat actors have been leveraging to target governments and organizations:

The advisory states that this threat actor is leveraging public proof of concept (PoC) code as part of their attacks. It also highlights the spear-phishing campaigns along with insights into the tools, techniques and procedures (TTPs) utilized by this particular threat actor.

Analysis

Telerik UI for ASP.NET AJAX

CVE-2019-18935 is an insecure deserialization vulnerability in Telerik UI, a tool to build forms for apps in ASP.NET AJAX. The vulnerability exists within RadAsyncUpload, a file handler in Telerik UI used for uploading files asynchronously. The discovery of the vulnerability was credited to Markus Wulftange, a senior penetration tester at Code White GmbH, and Paul Taylor, managing consultant at NCC Group, who was responsible for further development of exploit code for the vulnerability.

Researchers at BishopFox published a blog post in December 2019 on CVE-2019-18935. According to their post, CVE-2019-18935 was a continuation of work from Wulftange and Taylor, who were also credited with discovering CVE-2014-2217 and CVE-2017-11317, two vulnerabilities in RadAsyncUpload. Both of these previously discovered vulnerabilities allow for unrestricted file upload through two different attack vectors. Telerik took measures to address them, but each time they did, the vulnerability evolved further and eventually resulted in CVE-2019-18935.

CVE-2014-2217 is an absolute path traversal vulnerability in the RadAsyncUpload control in the RadControls in Telerik UI for ASP.NET AJAX. Telerik’s response to CVE-2014-2217 was to add encryption to “rauPostData,” the POST parameter in the file upload request that contains the file handling configuration details within a serialized object. The issue with the encryption implementation was that the encryption key in RadAsyncUpload's AsyncUploadHandler was hard-coded with a default value of PrivateKeyForEncryptionOfRadAsyncUploadConfiguration. The presence of this hard-coded encryption key was designated as CVE-2017-11317. This vulnerability allows for the modification of the TempTargetFolder variable within the configuration file to define the upload location anywhere on a vulnerable server where the application has write permissions.

In 2019, Wulftange discovered CVE-2019-18935 when he noticed the rauPostData parameter contains not just the serialized configuration object but also the object’s defined type. This defined type is used by AsyncUploadHandler to “prepare .NET's JavaScriptSerializer.Deserialize() method to properly deserialize the object.”

During deserialization, the JavaScriptSerializer class calls on a setter method to define the object type. If an attacker were to specify the object type as a remote code execution (RCE) gadget rather than the expected Telerik.Web.UI.AsyncUploadConfiguration type, it would allow for special properties during deserialization that could facilitate the execution of arbitrary code.

An attacker could combine the previously mentioned unrestricted file upload vulnerability to upload a malicious file with CVE-2019-18935 to define an object type that could execute this code during deserialization. An example of this would be the uploading of a malicious mixed mode assembly DLL followed by setting a deserialization of object type System.Configuration.Install.AssemblyInstaller and defining the path to the malicious file.

Citrix Application Delivery Controller (ADC) and Gateway

CVE-2019-19781 is a path traversal vulnerability in Citrix Application Delivery Controller (ADC) and Gateway that was patched by Citrix in December 2019. At the time, little was known about the exploitability of this vulnerability, but the flaw was severe enough that Tenable Security Response posted a blog post around the vulnerability. In mid-January 2020, Tenable Security Response wrote another blog post detailing active exploitation attacks that had been detected by the security community, which was identified by SANS Internet Storm Center (ISC). At the end of January, another Tenable Security Response blog post was written detailing an increase in attacks observed in the wild.

SANS ISC detected exploitation attempts and detailed the indicators of compromise (IoCs) of the exploit script. These exploits were leveraged by attackers to deploy ransomware on vulnerable targets. In the May 2020 Cybersecurity Infrastructure Security Agency (CISA) top 10 report, CVE-2019-19781 received a mention as one of the most exploited vulnerabilities of 2020.

Sophisticated attackers have created simple exploit scripts that, with little modification, can exploit the directory traversal vulnerability to establish a reverse shell. Once established, an attacker can target additional assets that are otherwise unexposed to the internet.

Microsoft SharePoint

CVE-2019-0604 is an RCE vulnerability in Microsoft SharePoint due to improper input validation in checking the source markup of an application package. At the time the patch was initially released in February 2019, it was assigned a CVSSv3 score of 8.8. Tenable Security Response published a blog post for this vulnerability in December 2019 noting its active exploitation in the wild, which at the time was over nine months after it had been initially patched by Microsoft.

Security researcher Chris Doman published a tweet in May 2019 highlighting reports from the Canadian Centre for Cyber Security (Cyber Centre) and National Cyber Security Centre (NCSC) in Saudi Arabia of active exploitation in the wild.

SharePoint CVE-2019-0604 now being exploited in the wild - reports by Saudi (https://t.co/m6VmF7n2Js) and Canadian (https://t.co/yhzY8qgxi8) National Cyber-Security Centres. Some additional IOCs @ https://t.co/gsGOoh6h9rpic.twitter.com/70LQCOmuTn

— chris doman (@chrisdoman) May 9, 2019

The initial CVSSv3 score of 8.8 was increased to 9.8 after additional analysis from researchers at Cloudflare and security researcher Kevin Beaumont. Cloudflare researchers recommended an increase in the CVSSv3 score based on the findings which was published on their blog in late May 2019. The blog post highlighted that the flaw could be exploited without authentication as “there were paths which could be reached without authentication.” Kevin Beaumont further backed Cloudflare’s evidence of pre-authenticated exploitation in a tweet he published in November 2019, after observing attacks against his honeypots that were modified to support SharePoint.

Yesterday I modified BluePot to support SharePoint honeypots. Today, the attackers arrived. Organisations should put serious focus on patching CVE-2019-0604. Also, the CVE is scored wrong, it should be CVSS 9.8 as it works without authentication. pic.twitter.com/SV5Oq61Ftr

— Kevin Beaumont (@GossiTheDog) November 26, 2019

Over a year later, CVE-2019-0604 continues to be actively exploited in the wild. This flaw has been the source of some prominent and high profile breaches. The Initial reports by the NCSC and the Canadian Centre for Cyber Security both noted the attackers deploying a version of the China Chopper web shell to compromise SharePoint servers. Researchers at Palo Alto Networks have linked attacks exploiting CVE-2019-0604 to APT27 (Emissary Panda), a hacking group reportedly associated with the Chinese government. APT27 would use the SharePoint vulnerability to first compromise a server followed by the installation of a web shell, a trend that was observed by other organizations. The web shells implemented by APT27 included vulnerability scanners, tools to steal credentials, and backdoors. Once APT27 gained the initial foothold on a server they would exfiltrate data, scan the network for vulnerable systems and attempt to pivot to other systems. In May 2020, CVE-2020-0604 was also featured in the CISA top 10 report as one of the top vulnerabilities exploited between 2016 and 2019.

Proof of concept

The following is a list of PoCs for each of these three vulnerabilities.

Solution

The “Copy Paste Compromises” advisory from ACSC highlights the fact that attackers are literally copy-pasting proof of concept code and exploit scripts for known vulnerabilities to launch their attacks against unpatched systems. This underscores the importance of applying patches as soon as possible, as attackers will exploit flaws months after patches become available.

Below is a list of patches available for the three vulnerabilities listed in the ACSC advisory.

Identifying affected systems

A list of Tenable plugins to identify these three vulnerabilities can be found here.

Please note that plugin ID 135970, Telerik UI for ASP.NET AJAX RadAsyncUpload .NET Deserialization Vulnerability, may require “Show false alarms” (also known as Paranoid Mode) to be enabled in your scan configuration. This plugin does not check for an opt-in configuration in Telerik UI for ASP.NET, which prevents the application from being exploitable. Because certain versions may have this workaround enabled, the Nessus scan configuration “Show false alarms” setting is required in order to report on versions of the application which are vulnerable based solely on the version identified.

To enable Paranoid Mode in your scan policy, navigate to “Policies,” select the policy you would like to configure, then navigate to ”Settings,” ”Assessment” and ”General.” Under the “Accuracy” section, select “Override normal accuracy” and then select “Show potential false alarms."

Get more information

• Advisory 2020-008 from Australian Cyber Security Centre
• CISA: Top 10 Routinely Exploited Vulnerabilities
• Bishop Fox blog for CVE-2019-18935
• Tenable's Initial Blog for CVE-2019-19781
• Tenable's Initial Blog for CVE-2019-0604
• CloudFlare: Stopping SharePoint’s CVE-2019-0604
• Palo Alto Unit 42: Emissary Panda Attacks Middle East Government SharePoint Servers
• TrustedSec blog for CVE-2019-19781
• Tenable Blog for Continued Exploitation of CVE-2019-19781
• Tenable Community Instructions for Scanning for CVE-2019-19781

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

After Cisco disclosed a serious vulnerability in its Adaptive Security Appliance and Firepower Threat Defense, one of the security researchers credited with its discovery released proof of concept code for the flaw.

Background

On July 22, Cisco published an advisory for a highly rated vulnerability in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software used by the ASA family of devices that “protects corporate networks and data centers of all sizes.”

Discovery of the vulnerability is independently credited to three researchers: Mikhail Klyuchnikov of Positive Technologies, and Abdulrahman Nour and Ahmed Aboul-Ela of RedForce.

Analysis

CVE-2020-3452 is a read-only path traversal vulnerability in Cisco ASA and FTD software. A remote, unauthenticated attacker could exploit this vulnerability by sending a specially crafted HTTP request to a vulnerable system. Successful exploitation would allow the attacker to view sensitive information contained within files on the web services file system.

Cisco notes that an attacker would only be able to access these files when WebVPN or AnyConnect has been configured on the system. It is important to note that an attacker would not be able to read files from the ASA, FTD or underlying operating system, which limits the impact of this vulnerability and explains why it received a CVSSv3 score of 7.5.

Previously disclosed path traversal vulnerabilities

Klyuchnikov, who is one of the researchers credited with discovering CVE-2020-3452, has a history of discovering notable path traversal vulnerabilities. He previously discovered CVE-2019-19781, a critical vulnerability in Citrix Application Delivery Controller and Gateway devices, and more recently CVE-2020-5902, a critical vulnerability in the traffic management user interface (TMUI) of F5 BIG-IP devices.

As part of a news release for CVE-2020-3452 on the Positive Technologies website, Klyuchnikov calls this vulnerability “highly dangerous,” noting that an attacker would be able to “gain access to the file system (RamFS), which stores data in RAM.” As a result, an attacker could gain read-only privileges for WebVPN files, which include “the WebVPN configuration of Cisco ASA users, bookmarks, cookies, web content, and HTTP URL addresses.”

Proof of concept

Ahmed Aboul-Ela, one of the other researchers independently credited with discovering this vulnerability, published a series oftweets that included two proof-of-concept (PoC) code snippets for this flaw.

The first PoC targets the ASA translation table endpoint:

Here is POC of CVE-2020-3452, unauthenticated file read in Cisco ASA & Cisco Firepower.

For example to read "/+CSCOE+/portal_inc.lua" file.

https://<domain>/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../

Happy Hacking! pic.twitter.com/aBA3R7akkC

— Ahmed Aboul-Ela (@aboul3la) July 22, 2020

The second PoC targets the ASA oem-customization endpoint:

I would also like to mention that there is another endpoint that's vulnerable to the same path traversal issue.

POC #2:
https://<domain>/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua

Enjoy! :) pic.twitter.com/ivBEaXFyDq

— Ahmed Aboul-Ela (@aboul3la) July 23, 2020

In both PoCs, Aboul-Ela exploits the vulnerability to read the “"/+CSCOE+/portal_inc.lua" file.

Solution

Cisco has released the following patches for both ASA and FTD:

Please note that Cisco ASA 9.5 and earlier and 9.7 have reached end of life and are no longer receiving security updates. Customers are advised to upgrade to a fixed version of ASA noted in the table above.

Cisco has also specified that hotfixes for affected FTD versions are available or will soon become available. They recommend customers running the affected versions of FTD could:

• Migrate to a newer version of FTD
• Apply the available or upcoming hotfixes
• Wait until the next FTD release is scheduled to be published

For more in-depth information, please visit the “Fixed Releases” section under Cisco’s advisory for CVE-2020-3452.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.

Get more information

• Cisco Advisory for CVE-2020-3452
• Positive Technologies News Release for CVE-2020-3452
• Proof of Concept #1 for CVE-2020-3452
• Proof of Concept #2 for CVE-2020-3452

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Today’s joint alert from the NSA and CISA about malicious activity targeting operational technology (OT) and critical infrastructure should be taken very seriously. Don’t be fooled — this isn’t a warning about the possibility of attacks. This is a warning that attacks have occurred and are ongoing as we speak. 

OT is foundational to absolutely everything we do — from the energy we rely on, to the factories manufacturing medical devices, to the water we drink. The country runs on OT.  And while our reliance on OT has only increased, so too has the convergence of IT and OT. Internet accessible OT devices are significantly more exposed to outside threats than the near-extinct air-gapped systems of old.

Earlier this year, MITRE updated their framework for Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) to include ICS and OT Systems. And it is not surprising. Increasingly, OT systems are being targeted by attacks that sometimes originate on the OT side of the house and in other cases traverse from IT to OT as was the case with some of the more recent attacks.

A sample of notable OT attacks over the last decade

The agencies advised that there has been an increase in activity by cyber actors targeting critical infrastructures by exploiting OT assets. The DHS enumerates 16 critical infrastructure (CI) verticals,  often referred to as the “DHS-16” in which OT assets play a key role in the operating of these systems. They also play a key role with the Department of Defense (DoD), Defense Industrial Base (DIB) and National Security Systems (NSS).

The evolution of attack surfaces and the  increase in attack vectors due to converging IT and OT networks and the rapid adoption of IoT technology has exposed OT networks to cyber exposure in ways they were never designed to defend against. Combining that with a more decentralized workforce and increased targeting of OT systems by criminals, nation states and miscreants puts OT in the crosshairs for attacks. 

Some of the more common attack methods include spearfishing, ransomware, and unauthorized changes to PLC logic amongst others. 

The alert goes on to recommend specific mitigation techniques broken into 6 key areas:

• Have a resilience plan for OT
• Exercise your incident response plan
• Harden your network
• Create an accurate “as-operated” OT network map immediately
• Understand and evaluate cyber-risk on “as-operated” OT assets
• Implement a continuous and vigilant system monitoring program

To address all of these requirements can sound pretty daunting. The good news is that large portions of the attack surface identified in the alert can be easily addressed with the right OT security system in place. Check out the attached document where we break down the key elements of this directive and show how compliance is within reach.

Michael Rothschild, contributing author

SC Media recently conducted comprehensive product reviews of Tenable.io and Tenable Lumin, assessing them based on SC Labs’ standards of overall performance, ease of use, features, documentation, support and value for the money.

We’re proud to announce that SC Media awarded Tenable.io and Tenable Lumin their 5-star rating — the highest possible — after testing the products against approximately 50 individual criteria. Tenable received high marks in every category and the reviewer highlighted the value of Tenable going beyond CVSS-only scoring to include extensive contextual data.

From SC Media. ©2020 CyberRisk Alliance, LLC.  All rights reserved.  Used under license.

In addition to CVSS, Tenable correlates and analyzes other essential security data to determine the vulnerability priority rating (VPR) for each vulnerability, based on the full context surrounding those vulnerabilities. In addition, the asset criticality rating (ACR) determines the importance of each affected asset to the organization, so security teams can understand each vulnerability in terms of the specific risk they pose to their business.

SC Media’s review highlights numerous Tenable advantages, including:

• Dynamic discovery. “[Tenable.io and Tenable Lumin] continuously assess converged attack surfaces to communicate what assets exist in an environment and where such assets are located.”

• Full-context assessment. “Instead of using only CVSS-based scoring, Tenable combines Asset Criticality Rating (ACR) and Vulnerability Priority Rating (VPR) to reprioritize assets according to business risk and each flaw’s potential for exploitation.”

• Risk-based prioritization. “[The Tenable] solution specializes in risk prediction that then prioritizes and automates asset criticality on a broad scale.”

The reviewer also called out Tenable’s capabilities that help teams prioritize the vulnerabilities that matter most. Not only is this one of our key strengths, it’s really at the core of everything we do. We’re all about helping teams focus on the assets and vulnerabilities that matter most, so they can reduce the greatest amount of business risk with the least amount of effort. To that end, we employ machine learning models that automatically combine vulnerability data with threat and exploit intelligence, as well as asset criticality, to predict each vulnerability’s impact on the organization. With all of this, security teams know exactly which vulnerabilities pose the most risk, so they can focus on those first while deprioritizing the vulns that are unlikely to ever be exploited.

And finally, the piece the reviewer mentioned that is too frequently overlooked in a vulnerability management solution is reporting. It’s arguably one of the most important aspects, yet too many VM vendors don’t do it very well. Without rock-solid reporting capabilities, you have no way to effectively communicate the team’s efficiency – to gain and maintain management’s confidence in your abilities. This helps keep you out of firefighting mode so you can focus on the vulnerabilities that pose the most risk to the organization.

Read the review to learn more about SC Media’s assessment of Tenable.

See the Full Review

Build a comprehensive defense of against cyberattacks with a strong information security framework that leverages the world's best standards and infosec tools. 

A term like "information security framework" can be interpreted in many different ways, and as such, there are a number of overlapping standards throughout the infosec field. 

Some of these are required for legal compliance — which must be followed to the letter if they apply to you — while others are technically voluntary but highly regarded throughout the industry. It’s wise to learn about all of these mandatory and voluntary standards and decide how best to adopt them alongside the right set of vulnerability assessment and interdiction tools. 

ISO standards: Firm foundations

Given that the International Organization for Standardization (ISO) has guidelines covering all major industries, it's little surprise that they created several focused on infosec: ISO 27001¹ and 27701.² Both were created alongside the International Electrotechnical Commission. 

ISO 27001: Developed around a risk-based approach to information security, in which you continuously identify hazards and select controls to properly address them. ISO 27001's "controls" for infosec are divided into categories including a written security policy, HR security, asset management, access control, cryptography, physical and environmental security, incident management, business continuity management and compliance with government regulations.³

ISO 27701: Focused more on the specific issue of data privacy. In fact, its 2019 update was a direct response to the European Union's implementation of the General Data Protection Regulation (GDPR) the previous year. It requires organizations to factor protection of personally identifiable information (PII) into all information security risk assessments, and demands that data processors or controllers make PII protections their highest priority.⁴

Whether you're a small business or an enterprise with facilities in multiple countries, you're responsible for safeguarding not only customer PII but also that of your workforce. The international standards shouldn't comprise the whole of your infosec practice — in fact, in some cases that would mean being noncompliant - but receiving ISO certification makes a solid foundation for any business's information security program. (Combining the practices of ISO 27001 with a tool like Tenable.sc makes for a particularly potent defense against infosec threats.) 

CIS benchmarks: The infosec professional's infosec guidelines

The Center for Internet Security (CIS), a nonprofit dedicated to promoting sound infosec practices, refers to its Controls and Benchmarks⁵ as "the global standard … for securing IT systems and data against the most pervasive attacks." ⁶

To call CIS Benchmarks "detailed" would be a major understatement: The manual for Windows 10 Enterprise's latest version, for example, is 1,312 pages and covers every single facet of that operating system. It'd be wise to take a look through CIS's library of Benchmarks, find the documents most closely related to your operations and spend some time poring over them as you work to develop the ideal information security framework for your organization's unique needs. 

Industry- and government-mandated standards

All of the following may be required by either industry governing bodies or the government itself, with penalties applying for noncompliance. If your organization falls under their purview, their rules have to be part of your information security program.

HIPAA: If you handle personal health information in the U.S. for any reason, whether as a health care provider or as tertiary material (like employee health data for benefits administration purposes), you must follow the Health Insurance Portability and Accountability Act's (HIPAA) Security Rule.⁷ This mandates the establishment of "administrative, physical and technical safeguards" for any electronically stored PII.

HIPAA doesn't list specific infosec practices to abide by or tools to use. (This is why leveraging multiple standards is necessary to create an information security framework.) One thing that isn't vague, however, is HIPAA's penalty system: Violations can mean penalties ranging from $100 to $1.5 million, depending on an organization's level of culpability.⁸

PCI DSS: Any business, government department or nonprofit that processes debit or credit card payments is subject to the Payment Card Industry Data Security Standards (PCI DSS) created by Visa, MasterCard and American Express.⁹ PCI DSS has more specific requirements for organizations, such as around firewall configurations and encryption. Like HIPAA, violations incur fines — for government and private-sector organizations alike¹⁰— but instead of being one-time payments, they accrue monthly until the noncompliant party corrects its practices. 

NIST: If you want a lucrative federal contract for your business, you'd better be ready to adopt and maintain the National Institute of Standards and Technology's (NIST) unique Cybersecurity Framework.¹¹ But NIST's basic phases of information security are also an undeniably solid foundation for any organization: identifying cybersecurity risks, preemptively implementing appropriate protections, searching for and detecting anomalous network activity, and enacting immediate response and containment efforts in breaches' wake and data recovery.¹²

DISA: Although the requirements outlined in the Defense Information Systems Agency's (DISA) Security Technical Implementation Guides¹³ are only mandatory for the Defense Department, they're updated more frequently than almost any other infosec protocol, making them an excellent resource for developing your own framework. 

GDPR: These requirements affect any organization that collects or processes personal data from residents of EU member states.¹⁴ Almost all modern organizations will need to implement GDPR standards to at least some extent.

Security framework development 

The first step to any security framework is to get full visibility into your assets. Regardless of which framework you decide to go with, you can’t secure what you can’t see. A vulnerability assessment or vulnerability management solution can help you get a full picture of what’s on your network. 

Once you are ready to create the ideal information security framework, you obviously must start with standards you're legally obligated to follow (HIPAA, GDPR, NIST) and those for which noncompliance is fiscally devastating (PCI DSS). But beyond them, you should consider the value other standards can bring. 

For example, maybe ISO 27001 covers your infosec needs pretty well, but you appreciate CIS's exhaustive guidance for safeguarding the assets you host on Amazon Web Services. Adopting the relevant CIS standards can't hurt your cloud operations and will almost certainly help. Other voluntary certifications may not apply directly to your business, but it's still worthwhile to understand them before deciding whether to follow their guidelines. It's also critical to use vulnerability scanning, penetration testing and threat modeling to project how damaging attacks would be handled under different configurations. 

You need the right tools to help along the way - and at Tenable, we've got them. Nessus Pro, the industry-leading vulnerability assessment solution, is the ideal complement to many information security frameworks, including custom approaches. Alternatively, we offer solutions to help observe specific protocols, such as Tenable.sc's support for ISO 27001 compliance and Tenable.io's PCI ASV variant. 

Learn more and choose the product that’s right for you.

Start Your Free Nessus Trial

_{1. ISO, "ISO/IEC 27001 Information Security Management"
2. ISO, "ISO/IEC 27701:2019 Security Techniques," August 2019
3. IT Governance Blog, "ISO 27001: The 14 Control Sets of Annex A Explained," July 2020
4. IT Governance USA, "ISO 27701: Privacy Information Management Systems"
5. Center for Internet Security, "CIS Benchmarks"
6. Center for Internet Security, "About Us," July 2020
7. American Medical Association, "HIPAA Security Rule & Risk Analysis," December 2019
8. Modern Healthcare, "HHS to Cap HIPAA Fines Based on 'Culpability'," April 2019
9. PCI Security Standards Council, "Maintaining Payment Security"
10. FivePoint Payments, "Do Governments Need to Maintain PCI Compliance?", February 2018
11. National Institute of Standards and Technology, "NIST Cybersecurity Framework"
12. IT Governance USA, "What is the NIST Cybersecurity Framework?"
13. DoD Cyber Exchange, "Security Technical Implementation Guides (STIGs)"
14. GDPR.eu, "Does the GDPR apply to companies outside of the EU?"}

Recently disclosed vulnerability in GRUB2 bootloader dubbed “BootHole” could allow an attacker to gain silent malicious persistence by attacking the GRUB2 config file, grub.cfg.

Background

On July 29, researchers at Eclypsium disclosed a high severity vulnerability in the GRand Unified Bootloader (GRUB) version 2. Dubbed “BootHole,” the flaw affects the GRUB2 bootloader in Windows and Linux devices using Secure Boot.

Image Source: Eclypsium

Analysis

CVE-2020-10713 is a buffer overflow vulnerability in GRUB2, a piece of software that loads an Operating System (OS) into memory when a system boots up. The flaw exists due to the way GRUB2 parses a configuration file, grub.cfg. GRUB2 is the default boot loader for Red Hat Enterprise Linux (RHEL) and many other *nix distributions.

Unified Extensible Firmware Interface (UEFI) Secure boot is a verification mechanism for ensuring that code launched by firmware is trusted. Normally, Secure Boot verifies the integrity of a file by checking its signature against known keys. However, the grub.cfg in the GRUB2 boot loader is not signed, and therefore not checked by Secure Boot. By specially modifying this file, an attacker could gain a form of persistent exploitation past the point of boot, which is the exact thing that Secure Boot is meant to prevent.

It is important to note that successful exploitation of this vulnerability would require an attacker to have administrator or elevated privileges, or local access to a vulnerable device, which limits the impact of this vulnerability.

Extension of previous GRUB research

BootHole is actually an extension of research into Secure Boot bypass previously conducted by Yuriy Bulygin and Alex Bazhaniuk, founders and CEO and CTO respectively of Eclypsium, and security researcher Andrew Furtak.

New GRUB vulnerability: https://t.co/sQAmq5a3ip
A new iteration on our 2013 secure boot bypass (https://t.co/MYtjlful2R): In addition to implementation flaws, this overflow in GRUB2 affects almost every UEFI Secure Boot system and shows a systemic issue that is very hard to fix. pic.twitter.com/ioaJQN4O4M

— Alex Bazhaniuk (@ABazhaniuk) July 29, 2020

More Vulnerabilities Unearthed by Canonical

After Eclypsium disclosed BootHole to multiple vendors, Canonical’s security team did their own research into potential new vulnerabilities in GRUB2, and discovered the following flaws:

A larger effort investigation was conducted by multiple security teams from Oracle, Red Hat, Canonical, VMware and Debian which identified several additional vulnerabilities in the code base which have not yet received individual CVE numbers.

Affected Vendors

Eclypsium’s advisory notes the following vendors are confirmed to be affected by BootHole, and as new affected vendors are identified, the list will be updated on its advisory page:

• Microsoft
• Oracle
• Red Hat
• Canonical
• SuSE
• Debian
• Citrix
• VMware

Proof of concept

At the time this blog post was published, there was no proof of concept code to demonstrate exploitation against a target. However, the Eclypsium team has released scripts to help administrators scan and identify certificates revoked by different OS vendors as part of the security updates for CVE-2020-10713.

Solution

Eclypisum mentions that addressing this vulnerability will involve a multi-step process that is not a normal patch style fix. This process includes:

• Vendors providing updates to GRUB2 to fix and secure the bootloader
• Microsoft’s 3rd party UEFI Certificate Authority will need updates to their certificates
• Organizations will then need to update their affected hosts and potential backups as well.

Microsoft has released an advisory with instructions on applying an untested patch to the Secure Boot DBX (the forbidden signature database) to include the vulnerable modules that Microsoft has revoked, blocking these modules from loading even if compromised. Windows hosts are only vulnerable if the host’s Unified UEFI Certificate Authority (CA) trusts third party certificates.

As this process will require coordinated effort from multiple vendors, we expect patches to slowly be released over time, and may not be available for all platforms immediately.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.

Get more information

• Eclypsium Advisory
• CERT CC Advisory

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

In the latest blog from Engineering@Tenable, we explore how the goal of readable code can help engineering teams minimize errors and expedite software updates.

It’s probably a safe assumption that most software engineers, on multiple occasions, have opened an old code base and had to divine the intentions of the author. This can lead to much head-scratching (and, sometimes, mumbled expletives). But it doesn’t have to be that way, and a strong focus on code readability is the key.

Of all the qualities code can be judged on, readability may be the most important and the hardest to automate because evaluation is at least partially subjective. Consider the idea of pseudocode, an informal description of algorithmic rules that more closely resemble English than any particular programming language. It can be used to quickly discuss ideas and designs without needing specific syntax. Here’s an example for a simple algorithm to calculate the average test score for a class:

Across all levels of technical skill, pseudocode is a generally well-understood, common language for describing how a problem can be solved. How closely actual code resembles pseudocode is one way to measure readability. Obviously, specific language syntax will impose some limits, or expose some freedoms. 

For those using the functional programming paradigm, the concept of point-free style (aka tacit programming) may be familiar. You might see some JavaScript like this in a video game store application:

Composing functions without explicit arguments, so that the output of one is the implicit input of the next, can result in pleasantly readable code. In this article, I’d like to show an example of how Kotlin’s extension functions can facilitate the same improved readability.

We use Kotlin extensively at Tenable. Much of our product runs in the Java virtual machine (JVM), so interoperability with Java and Groovy were important. Kotlin is a more modern and concise language with numerous features at the language and compiler levels that make it preferable to its predecessors, yet still similar enough to Java that learning it is easy.

A Real-World Example: Normalizing Vulnerability Scan Results

Within Tenable.io, we do a lot of stream processing. The power of the tools we build for our customers comes directly from the data flowing through those streams. For the sake of this example, I will use the stream within Tenable.io which processes results from vulnerability scanners. A rough approximation of this workflow looks something like this:

Each scan result contains information about the scan host which was discernible by the sensor, as shown here in an example from our hypothetical customer “Stark Industries”:

The goal of the scan normalization application consuming the stream of scan results is twofold. First, it provides the required data to downstream processors which build specialized data stores for APIs, dashboards and reports. Second, it limits resource demands by reducing the volume of data sent through the “pipeline.” To achieve those goals, the application needs to transform and aggregate the data in the input stream of scan results, then output a second stream of normalized scan host findings. 

For our application, there are a few relatively simple steps. As each item in the stream is processed, it is mapped from the data model of the input stream to the data model of the output stream. Whenever consecutive records appear in the stream for the same plugin, on the same port of the same scan host, they are grouped together. For each group of records (most of which are groups of one), a single record is compiled which contains the concatenated output of all the individual records in the group. If the final size of the output text is larger than 1MB, the output is stored externally, and the final item has its output value replaced with the URI of the stored resource.

Pseudocoding a simple algorithm design for the application might look something like this:

Improving Code Readability With Kotlin Extensions

At Tenable, we often use reactive programming. Continuing with the real-world example, you will see use of the Flux class, which is basically a streaming collection of records of the templated type. The first pass at implementing this logic without the use of extension functions looked something like this:

Each function in the chain corresponds to one of the steps in the algorithm. The first step takes a stream of ScanResult records and outputs a stream of NormalizedHostFinding records. The second step buffers the stream and outputs a stream of pairs, where each pair consists of a key (including the common scan host, plugin, and port), and a collection of the NormalizedHostFinding records which have that key. The third step consumes that stream of pairs and again outputs a stream of single NormalizedHostFinding records by concatenating the output of all records in the collection. The last step outputs the same stream it received, sometimes moving the output to an external location before passing through the NormalizedHostFinding record.

The code above is not overly complex, but with the goal of improving readability, it could be refactored to appear more like the high-level pseudocode above. That can be achieved by introducing four extension functions, one for each step’s output stream type. Kotlin extensions are great as they allow you to add methods to a class without having to inherit or use design patterns such as Decorator:

Adding these extensions then allows our main function to be rewritten as:

A noticeable improvement, and with not too much extra effort. In general, using descriptive names for functions instead of lambdas may seem like overkill, but can go a long way.

As I’m sure many can attest, digging into new code can be overwhelming. Sometimes, even our own code can seem foreign after too much time has passed. With readability as a goal instead of an afterthought, we can reduce barriers to productivity and even prevent mistakes due to misunderstandings.

Are you an engineer looking for your next career opportunity? Visit our Tenable Careers page to see which open engineering positions might be right for you.

The digital “air gap” is no longer a viable strategy when it comes to securing industrial environments. Here are the safeguards you need to protect against threats across the converged IT/OT landscape.

Modern-day industrial and critical infrastructure organizations rely heavily on the operational technology (OT) environment to produce their goods and services. Many organizations are opting to converge their IT and operational technology (OT) environments, a decision that can yield many benefits, while also producing new attack vectors. Recent high-profile industrial attacks show that breaches can laterally creep from IT to OT, and vice versa. 

While some organizations embrace intentional convergence, others have decided against converging their IT and OT operations, for a variety of strategic, technical and business factors. By keeping IT and OT systems separate, these organizations are implementing an “air gap” security strategy. Operating as a “closed loop” without any interfaces to the outside world, the OT infrastructure is physically sequestered from any external environment. 

In practice, the notion of air-gapping is nearly impossible to maintain. Securing industrial operations requires more than building a digital moat around the OT infrastructure. Even under the most favorable of circumstances, the introduction of one seemingly benign variable – a personal laptop or contractor’s thumb drive – can permanently destroy the most stringently enforced air gap. This is known as “accidental convergence.”

The threat of OT-targeted attacks is not just theoretical, but an actual and ongoing occurrence, as evidenced by the recent NSA/CISA advisory. Setting the appropriate safeguards are necessary to ensure secured IT/OT operations. So, what should you consider?

Visibility that extends beyond traditional borders

Modern-day attacks are amorphous and travel across the traditional IT and OT security borders without regard. Our ability to track these types of propagation routes requires the de-siloing of traditional visibility parameters. Being able to gain a “single pane of glass” view of IT and OT gear, along with the conversations happening between the two worlds, is essential to illuminating potential attack vectors and asset blind spots that may have eluded traditional security strategies.

Deep situational analysis of OT assets

Whether or not a planned convergence initiative is in the works, it is important to recognize the significant difference in IT and OT life cycles. While IT infrastructures update regularly, OT infrastructures often persist for years, even decades, and are often as old as the plant itself. As a result, your full inventory of assets, along with maintenance and change management records, may not be current. Since it is impossible to secure assets you don’t know exist, you’ll need a detailed and automatically updated inventory of your OT infrastructure to effectively protect your industrial operations.

Multi-detection methods to reduce cyber risk

Since cyberthreats can originate from anywhere and travel everywhere, it is important to utilize as many capabilities and methodologies as possible to find and mitigate exposure risk. This includes network-based detection that leverages allow/deny list policies, anomaly-based capabilities, and community-sourced threat intelligence. 

Since most attacks target devices rather than networks, it is also essential to utilize a solution that actively queries and provides security at the device level. Because OT device protocols can vary widely, security and health checks must be unique to the make and model of the device, including its native language. These deep checks should not scan but rather be precise in query nature and frequency.

Security that contributes to the ecosystem of trust

While it is important to identify and leverage the best IT and OT security products for your environment, it is even more important that the products work together. The age-old notion of a layered and cooperative security approach, where point products can work together, creates an impermeable layer—the totality of the solution becomes greater than the sum of its parts. This not only enhances security monitoring and response, but also unlocks greater value and practical utility from existing security investments.

Accidental convergence, intentional security

IT and OT teams must find common ground to eliminate the substantial risk factors of both planned and accidental IT/OT convergence. But the mission does not end there. OT security solutions that work in conjunction with IT security solutions can be the catalyst that not only provides the visibility, security and control needed to thwart new cyberthreats, but also brings these once separate teams together for the common security every manufacturing, critical infrastructure and industrial organization needs to fulfill its core mission efficiently and securely.

To learn more about key threat factors and best practices for protecting your converged attack surface, download our whitepaper on “Accidental Convergence - A Guide to Secured IT/OT Operations.”

Download the Full Whitepaper

A partnership between Tenable and JSOF continues to uncover additional devices vulnerable to Ripple20.

Background

On June 16, researchers from JSOF research lab disclosed a set of 19 vulnerabilities, dubbed “Ripple20”, which could impact millions of operational technology (OT), Internet of Things (IoT), and IT devices. The vulnerabilities exist within an embedded TCP/IP software library developed by Treck Inc., a developer of embedded internet protocols. The Tenable Security Response Team first wrote a blog post about the Ripple20 vulnerabilities on the day of its disclosure, which evoked memories of URGENT/11, a group of eleven vulnerabilities in the real-time operating system VxWorks, that were disclosed in 2019.

A Complex Supply Chain

Treck’s TCP/IP library has been widely adopted by numerous device vendors that have reused and repurposed it for more than two decades. This includes a split-off library known as Kasago, now managed by Elmic Systems as well as many rebranded names for the library such as QuadNet, GHNet V2, Net+ OS, KwikNet and others. This has resulted in a very complex supply chain problem. JSOF worked closely with multiple vendors and agencies including the CERT Coordination Center (CERT/CC) and the Cybersecurity and Infrastructure Security Agency (CISA) to help track down and notify vendors about these vulnerabilities. With potentially hundreds of vendors affected, identification and notification was naturally going to be a challenge. Adding to this complexity is the fact that each device may have divergent code due to unique implementation necessary for their specific use case and a multitude of configurable compilation options, which could alter how the device might respond to specific network requests. Because of this, each potentially vulnerable device requires a different method to confirm exploitability.

More Vulnerable Devices Identified by Tenable

When the Ripple20 advisory was published, Tenable Research contacted JSOF to collaborate on the discovery of affected devices. During the initial disclosure, several vendors had been notified, and many were evaluating their product lines to determine if any devices they offered were affected. Because of the myriad ways in which vendors likely repurposed the Treck library, identification, correction, and patch availability will require an extensive amount of time. In some cases, device vendors may no longer be in business, meaning those affected devices will not receive patches or support.

With guidance from JSOF on various detection methods, the Tenable Research team was able to help identify 34 additional vendors and 47 additional devices that were potentially affected. The findings were reported to JSOF who continues to work with CERT/CC on the disclosure process with the affected vendors.

Affected Vendors

Tenable has adopted multiple vendor-agnostic approaches to detecting the Treck stack while trying to ensure the detection methods used are not destructive to the assets being scanned. Using multiple approaches for detection, helps enhance Tenable's ability to provide coverage for the diverse Treck libraries used by various devices. The vendors in the following list have been contacted by JSOF or CERT/CC, in cooperation with other CERT entities including CERT-IL. In some cases, the products below may still be under evaluation to determine if they may be affected. It’s important to note that this is not an exhaustive list and we anticipate uncovering additional devices that may be affected, which we will determine as our testing efforts continue.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities can be found here and will be updated as additional plugins are released. Additionally, several plugins to identify the Treck and Kasago Network stacks have been released and can be found here.

Tenable.ot customers should contact their CSM to get access to Suricata rules that can be used for detection. These rules will be fully integrated in the next service pack of the current release and later versions.

Get more information

• Ripple20 Disclosure Page
• Tenable Ripple20 Blog

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

The bad news? There's a disconnect between business and cybersecurity. The good news? Aligning them can make all the difference.

If you’ve served as a CISO, CSO or other cybersecurity leader for any length of time, you’ve likely had a CEO, board member or other senior executive ask you “how secure are we?” on a fairly frequent basis. And you also know answering that question is not as easy as it might seem.

At a time when enterprise risks are rapidly shifting — enter pandemics, economic downturns and remote work — the cyberattacks and threats thriving around the globe not only amplify each risk, they have elevated cybersecurity to a topic of board-level scrutiny. Yet, those of us on the frontlines grapple with a host of challenges making it difficult to provide our business leaders with a clear picture of our organization’s cybersecurity posture.

With an eye toward surfacing some of these key challenges and helping security leaders initiate a meaningful dialog with their business counterparts, Tenable commissioned Forrester Consulting to conduct an online survey of 416 security and 425 business executives and a study from the findings to examine cybersecurity strategies and practices at midsize to large enterprises. The resulting study, The Rise of the Business-Aligned Security Executive, reveals a disconnect between the expectations of the business and the realities facing security leaders. But it also reveals perhaps the single-biggest opportunity facing digital enterprises today — elevating the role of the CISO to equal stature as other executive roles.

The future belongs to the business-aligned cybersecurity leader

The study reveals four key themes:

• Cybersecurity threats thrive amidst a climate of uncertainty, making it a topic worthy of board-level visibility. The vast majority of organizations (94%) have experienced a business-impacting¹ cyberattack or compromise within the past 12 months. Roughly two-thirds (65%) said these attacks involved operational technology (OT) assets.

• Business leaders want a clear picture of their organizations’ cybersecurity posture, but their security counterparts struggle to provide one. Just four out of 10 security leaders say they can answer the question, “How secure, or at risk, are we?” with a high level of confidence.

• There is a disconnect in how businesses understand and manage cyber risk. Fewer than 50% of security leaders are framing the impact of cybersecurity threats within the context of a specific business risk. Only half of security leaders (51%) say their security organization works with business stakeholders to align cost, performance, and risk reduction objectives with business needs. Only four in 10 security leaders (43%) report they regularly review the security organization’s performance metrics with business stakeholders.

• Cybersecurity needs to evolve as a business strategy. This can’t happen until security leaders have better visibility into their attack surface. Just over half of security leaders report that their security organization has a holistic understanding and assessment of the organization's entire attack surface and fewer than 50% of security organizations are using contextual threat metrics to measure their organizations’ cyber risk. This means their ability to analyze cyber risks and prioritize and execute remediation based on business criticality and threat context is limited.

The study shows that when security and business leaders are aligned around agreed-upon business risk data, they deliver significant, demonstrable results. The business-aligned security leader is eight times as likely as their more siloed peers to be highly confident in their ability to report on their organizations’ level of security or risk. Even more notable in today’s economic climate, with a global economic downturn causing organizations to re-evaluate their spending: 85% of business-aligned security leaders have metrics to track cybersecurity ROI and impact on business performance versus just 25% of their more reactive and siloed peers.

As Dan Bowden, the CISO of Sentara Healthcare, noted in an interview with Tenable last year: “In the climate today, there's so much focus from society about companies doing better managing risk, every leadership team and every board in every organization wants to be part of the story of fixing the problem. If you can give them good data about exposure, which things do we really need to do, they understand the data, they can relate to the data. They want to be part of the story to help you solve the problem and manage risk better.”

In order to achieve alignment, CISOs and other security and risk management leaders need the right combination of technology, data, processes and people. For example, the vast majority of business-aligned organizations (80%) have a Business Information Security Officer (BISO) or similar title, compared with only 35% of their less-aligned counterparts. The study also reveals that business-aligned security leaders outpace their more reactive and siloed counterparts in automating key vulnerability assessment processes by margins of +49 to +66 percentage points.

Over the next several weeks, we’ll continue to explore these and other findings from the study in a series of blog posts. In our next post, we’ll take a deeper dive into the many challenges security leaders face in answering the question, “How secure are we?” Subsequent posts will explore COVID-19 response strategies and the challenges of finding and implementing the right technology, data and processes for your organization. We’ll also discuss what a business-aligned cybersecurity practice looks like — and how you can get started building one in your organization — and provide our tips and recommendations for transforming your own role into that of a business-aligned cybersecurity leader.

¹”Business-impacting” relates to a cyberattack or compromise that resulted in a loss of customer, employee, or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property.

Learn more

• See additional study highlights here
• Visit our webpage for more information here
• Download the full study, The Rise of the Business-Aligned Security Executive, here
• Read about Sentara Healthcare’s efforts to drive more meaningful discussions with the C-suite and the board here.

Researcher identifies a zero-day vulnerability that bypasses a fix for CVE-2019-16759, a previously disclosed remote code execution vulnerability in vBulletin. Attacks have already been observed in the wild.

Update August 10, 2020: The Solutions section has been updated to reflect the availability of patches to address this vulnerability. Please note the vulnerability still does not have a CVE identifier associated with it.

Background

On August 9, vulnerability researcher Amir Etemadieh published details about a zero day remote code execution (RCE) vulnerability in vBulletin, a popular forum software used by nearly 20,000 websites.

Today I released my research on vBulletin5 including a new pre-auth 0day RCE exploit https://t.co/m7pd527lCr

POC: curl -s http://SITE/ajax/render/widget_tabbedcontainer_tab_panel -d 'subWidgets[0][template]=widget_php&subWidgets[0][config][code]=echo%20shell_exec("id"); exit;' pic.twitter.com/JjThUBVTmc

— Amir Etemadieh (@Zenofex) August 9, 2020

This is the second notable vBulletin vulnerability for which Etemadieh has developed a proof of concept (PoC) this year. In May, Etemadieh conducted a patch analysis for CVE-2020-12720, an unauthenticated SQL injection vulnerability that was disclosed by security engineer, Charles Fol.

Analysis

The vulnerability disclosed by Etemadieh, which did not have a CVE identifier at the time this blog post was published, is a bypass for CVE-2019-16759, a critical pre-authentication vulnerability in vBulletin that was disclosed anonymously in September 2019. CVE-2019-16759 is a vulnerability in vBulletin’s ajax/render/widget_php route by injecting malicious code via the widgetConfig parameter.

In a blog post, Etemadieh found that the patch for CVE-2019-16759 was insufficient and did not account for issues present in the ‘widget_tabbedcontainer_tab_panel’ template. According to Etemadieh, the tabbedcontainer_tab_panel template widget is capable of loading “a user controlled child template,” which places a value into the widgetConfig variable, effectively bypassing the patch for CVE-2019-16759.

Tenable Research has tested the proof of concept from Etemadieh and confirmed successful exploitation using the latest version of vBulletin.

Image Source: Tenable Research

In-the-wild exploitation has begun

According to Jeff Moss, founder of the Black Hat and DEF CON conferences, attackers targeted the DEF CON forums“within three hours” of the vulnerability being disclosed.

A new VBulletin Zero Day got dropped yesterday by @Zenofex that revealed the CVE-2019-16759 patch was incomplete - within three hours https://t.co/LwbPuEoL5b was attacked, but we were ready for it. Disable PHP rendering to protect yourself until patched! https://t.co/7JtmEzcTFGpic.twitter.com/R4AcCoZt1B

— Jeff Moss (@thedarktangent) August 10, 2020

CVE-2019-16759 was also quickly utilized by attackers soon after it was made public. Attackers managed to breach the Comodo forums at the end of September 2019. Because this latest zero-day is a bypass for CVE-2019-16759, we anticipate attackers will be able to easily leverage it against vulnerable sites until a patch is made available. Even once a patch is available, we expect many sites will remain vulnerable for quite some time.

Proof of concept

A PoC for this vulnerability was shared in Etemadieh’s blog post. However, the code snippet is so small that it also fits in Etemadieh’s tweet about his discovery.

Solution

At the time this blog post was published, there was no patch available for this vulnerability. However, vBulletin have since published patches for this vulnerability. The patches include fixes for the following versions of vBulletin:

• 5.6.2
• 5.6.1
• 5.6.0

All other versions of vBulletin prior to the 5.6.x branch are considered vulnerable. Users should migrate over to a patched version as soon as possible.

If patching is not feasible at this time, there are a few interim solutions. The first is to disable PHP widgets in vBulletin. This can be achieved by toggling the “Disable PHP, Static HTML, and Ad Module rendering” option to “Yes” in the administrator control panel.

This setting can be found under the “General Settings” option under the “Settings” menu by selecting the “Options” dropdown menu item.

Additionally, the initial vBulletin discussion thread about this vulnerability includes another solution to mitigate this vulnerability. Wayne Luke, a technical support lead at vBulletin recommended removing the widget_php module altogether. This can be done by setting the vBulletin site into debug mode and navigating to the Style Manager. From there, you can edit the "MASTER" style template and remove the widget_php module. This suggestion also applies to vBulletin users running the 5.6.3 beta.

Image Source:vBulletin Forum Post

Please note that the suggested mitigations could impact certain functionality on your vBulletin sites. This is why it is recommended to upgrade to a patched version as soon as possible.

The advisory for this vulnerability notes that the PHP module will be “removed from the software completely in 5.6.4.”

As noted earlier, while the DEF CON forums were recently targeted by attackers, they proactively disabled PHP rendering until a patch became available. Tenable’s Security Response Team strongly encourages forum administrators and website owners to consider applying this mitigation until the patches can be applied.

Some forum administrators and website owners chose to take down their forums entirely until a patch became available, as the person running the Black Sabbath Fans forum was “paranoid” enough to preemptively take down their forum for this reason.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released. The following image contains sample output from a vulnerable target using our Nessus plugin.

Get more information

• Etemadieh's Blog Post on the CVE-2019-16759 Bypass
• Tenable Blog Post for CVE-2019-16759 (September 2019)

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Microsoft patched 120 CVEs in August, marking the sixth month in a row of addressing over 100 CVEs

Microsoft, for the sixth month in a row, patched over 100 CVEs in the August 2020 Patch Tuesday release, including 17 CVEs rated critical. For the first time in three months, this update includes patches for two vulnerabilities that were observed being actively exploited in the wild. This month’s update includes patches for Microsoft Windows, Microsoft Edge, Microsoft ChakraCore, Internet Explorer, Microsoft Scripting Engine, SQL Server, Microsoft Jet Database Engine, .NET Framework, ASP.NET Core, Microsoft Office and Microsoft Office Services and Web Apps, Microsoft Windows Codecs Library and Microsoft Dynamics.

CVE-2020-1337 | Windows Print Spooler Elevation of Privilege Vulnerability

CVE-2020-1337 is an elevation of privilege vulnerability that exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. This vulnerability was found as a bypass of the patch for CVE-2020-1048 (also known as PrintDemon), a previous Windows Print Spooler Elevation of Privilege Vulnerability, both of which were identified by researchers Peleg Hadar and Tomer Bar of SafeBreach Labs. The pair recently presented at both the Black Hat USA and DEF CON conferences, where they discussed this new zero-day vulnerability as part of their talk, A Decade After Stuxnet's Printer Vulnerability: Printing is Still the Stairway to Heaven. While an attacker must have the ability to execute an application on a host to exploit this vulnerability, their research demonstrates how this vulnerability could be chained with additional vulnerabilities to further compromise a device and propagate across a network. A proof-of-concept (PoC) is expected to be released soon on their GitHub page.

CVE-2020-1464 | Windows Spoofing Vulnerability

CVE-2020-1464 is a spoofing vulnerability that exists when Windows improperly validates file signatures. An attacker who exploits this flaw could bypass security features intended to prevent improperly signed files from being loaded. According to Microsoft, this vulnerability has been observed to be exploited in the wild. Microsoft's patch corrects the issue by addressing how Windows validates file signatures.

CVE-2020-1494, CVE-2020-1495, CVE-2020-1496, CVE-2020-1498 and CVE-2020-1504 | Microsoft Excel Remote Code Execution Vulnerability

CVE-2020-1494, CVE-2020-1495, CVE-2020-1496, CVE-2020-1498, and CVE-2020-1504 are remote code execution vulnerabilities in Microsoft Excel. An attacker would need to convince a user to open a maliciously crafted Excel file in order to exploit this vulnerability. Successful exploitation would allow an attacker to execute code as the current user.

CVE-2020-1539, CVE-2020-1540, CVE-2020-1541, CVE-2020-1542, CVE-2020-1543, CVE-2020-1544, CVE-2020-1545, CVE-2020-1546, CVE-2020-1547, CVE-2020-1551 | Windows Backup Engine Elevation of Privilege Vulnerability

CVE-2020-1539, CVE-2020-1540, CVE-2020-1541, CVE-2020-1542, CVE-2020-1543, CVE-2020-1544, CVE-2020-1545, CVE-2020-1546, CVE-2020-1547, and CVE-2020-1551 are elevation of privilege vulnerabilities in Windows Backup Engine. An attacker with the ability to execute code on a system would be able to exploit this vulnerability to elevate privileges on a vulnerable host with specially crafted code. In a likely scenario, an attacker could exploit a different vulnerability that gives them restricted user access, and then exploit this vulnerability to gain elevated privileges.

CVE-2020-1568 | Microsoft Edge PDF Remote Code Execution Vulnerability

CVE-2020-1568 is a remote code execution vulnerability that exists when Microsoft Edge PDF Reader improperly handles objects in memory. Successful exploitation of this vulnerability would allow an attacker to corrupt memory in such a way that they could execute arbitrary code in the context of the current user. To exploit this vulnerability, an attacker could host a website with specially crafted PDF content and convince a victim to visit the website. Alternatively, an attacker could upload a specially crafted PDF to websites that accept or host user-provided content, still requiring them to convince a victim to visit said websites.

CVE-2020-1473, CVE-2020-1557, CVE-2020-1558 and CVE-2020-1564 | et Database Engine Remote Code Execution Vulnerability

CVE-2020-1473, CVE-2020-1557, CVE-2020-1558, and CVE-2020-1564 are remote code execution vulnerabilities that exist when the Windows Jet Database Engine improperly handles objects in memory. Successful exploitation of these vulnerabilities would allow an attacker to execute arbitrary code on an affected system. To exploit this vulnerability, an attacker must convince a victim to open a specially crafted file or visit a malicious website.

CVE-2020-1380 | Scripting Engine Memory Corruption Vulnerability

CVE-2020-1380 is a remote code execution vulnerability that exists in the way that the scripting engine handles objects in memory in Internet Explorer. Successful exploitation of this vulnerability would allow an attacker to corrupt memory in such a way that they could execute code in the context of the current user. According to Microsoft, this vulnerability has been observed to be exploited in the wild. Exploitation of this vulnerability requires an attacker to convince a victim to visit a specially crafted website or compromised website containing malicious code that exploits this vulnerability in Internet Explorer. Alternatively, an attacker could convince a victim to open a crafted document containing a malicious embedded ActiveX control marked as “safe for initialization” in an application or Microsoft Office document that hosts the Internet Explorer rendering engine.

CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability

CVE-2020-1472 is an elevation of privilege vulnerability in Netlogon when an attacker establishes a secure channel connection to a domain controller. An unauthenticated attacker could use MS-NRPC to connect to a domain controller as a domain administrator. Microsoft adds an important note to their advisory that this patch is only the first of two patches to fix this vulnerability, and the second patch is slated to be released in Q1 2021.

CVE-2020-1509 | Local Security Authority Subsystem Service Elevation of Privilege Vulnerability

CVE-2020-1509 is an elevation of privilege vulnerability in the Local Security Authority Subsystem Service (LSASS). A remote authenticated attacker could use a malicious authentication request to elevate privileges on a vulnerable system.

CVE-2020-1585 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability

CVE-2020-1585 is a remote code execution vulnerability in Microsoft Windows Codecs Library. Exploitation of this vulnerability would require a program to access a crafted image file which could allow the attacker to take control of the system. While this would require user interaction in order to exploit, Microsoft still rates this as critical.

CVE-2020-1554 | Media Foundation Memory Corruption Vulnerability

CVE-2020-1554 is a memory corruption vulnerability in Windows Media Foundation. Exploitation of this vulnerability would require a user to interact with a malicious document or web page. Successful exploitation would grant the attacker full administrative rights over the affected system.

CVE-2020-1555 | Scripting Engine Memory Corruption Vulnerability

CVE-2020-1555 is a remote code execution vulnerability that exists in the way that the scripting engine handles objects in memory in Microsoft Edge (HTML-based). Successful exploitation of this vulnerability would allow an attacker to corrupt memory in such a way that they could execute code in the context of the current user. To exploit this vulnerability, an attacker would need to convince a victim to visit a website that contains malicious code to exploit this vulnerability through Microsoft Edge (HTML-based). Alternatively, an attacker could host the exploit code on websites that accept or host user-provided content or advertisements, convincing their victim to visit one of these websites.

Tenable solutions

Users can create scans that focus specifically on our Patch Tuesday plugins. From a new advanced scan, in the plugins tab, set an advanced filter for Plugin Name contains August 2020.

With that filter set, click the plugin families to the left and enable each plugin that appears on the right side. Note: If your families on the left say Enabled, then all the plugins in that family are set. Disable the whole family before selecting the individual plugins for this scan. Here’s an example from Tenable.io:

A list of all the plugins released for Tenable’s August 2020 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

Get more information

• Microsoft's August 2020 Security Updates
• Tenable plugins for Microsoft August 2020 Patch Tuesday Security Updates

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Apache published two security bulletins to address a potential remote code execution vulnerability and a denial of service vulnerability. Public proof of concept code is available.

Background

On August 13, Apache published security bulletins to address two vulnerabilities in Apache Struts version 2. Apache Struts is an open source model-view-controller (MVC) framework used to create Java web applications.

Analysis

CVE-2019-0230 is a forced double Object-Graph Navigation Language (OGNL) evaluation vulnerability that occurs when Struts tries to perform an evaluation of raw user input inside of tag attributes. An attacker could exploit this vulnerability by injecting malicious OGNL expressions into an attribute used within an OGNL expression. According to Apache, exploitation of this vulnerability could result in remote code execution (RCE).

An example of vulnerable tag attributes was provided in Apache’s security bulletin, S2-059:

In Struts 2, Apache has given developers the ability to use forced double evaluation with “certain tag attributes.” While Struts contains mitigations to address potential injected expressions, Apache notes that Struts versions “before 2.5.22 left an attack vector open” which they say is now addressed via this update. This vulnerability was reported to Apache by Matthias Kaiser, a vulnerability researcher at Apple.

CVE-2019-0233 is a denial of service (DoS) vulnerability which results from an access permission override during a file upload. According to the S2-060 security bulletin, an attacker may be able to modify a request during a file upload operation in a way that results in the uploaded file set to read-only access. Once the file is uploaded, any further actions on the file will fail. Exploiting this flaw could also result in the failure of any subsequent file upload operations, either of which could result in a denial of service condition for an affected application. The DoS vulnerability was found and reported to Apache by Takeshi Terada of Mitsui Bussan Secure Directions, Inc. who is also credited in several additional vulnerability reports to the Apache Struts team, including S2-042 and S2-021.

The ghost of CVE-2017-5638

It is certainly natural for developers and organizations alike to express concern at the prospect of a new vulnerability in Apache Struts. After all, the aftermath of CVE-2017-5638, a critical RCE vulnerability in Apache Struts 2, led to one of the most notable breaches in recent history.

Unlike CVE-2017-5638, which was rated as critical at the time of its disclosure, CVE-2019-0230 is currently rated as important according to Apache. While no CVSS score has been assigned at the time of publication, it does not appear that CVE-2019-0230 is as critical as the vulnerability from 2017. However, there is still not enough information about the potential impact of this vulnerability under real world conditions, but caution is certainly warranted regarding this flaw.

Proof of concept

We have identified multiple proof of concept (PoC) examples on GitHub for CVE-2019-0230. However, it’s important to note that because each Struts application is unique, the actual payload needed to exploit it will differ from application to application. Additionally, the application would need to be developed in such a way that it allows an attacker to supply unvalidated input into an attribute used inside of an OGNL expression.

Apache Struts RCE: S2-059 / CVE-2019-0230https://t.co/m6z3jqRsj4

Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. pic.twitter.com/6JwZCozTeB

— Henry Chen (@chybeta) August 13, 2020

Solution

Apache Struts versions 2.0.0 through 2.5.20 are affected by both CVE-2019-0230 and CVE-2019-0233. They are addressed in Apache Struts version 2.5.22. Developers and site owners are strongly encouraged to upgrade to the latest version as soon as possible. In the case of the CVE-2019-0230, Apache notes that upgrading to 2.5.22 limits the malicious effects of double evaluation and closes the reported attack vector.

Apache also strongly encourages developers to avoid using raw expression language and use Struts tags instead. Their security tips guide provides a helpful set of recommendations for developers on how best to secure their applications, which includes guidance on protecting applications from OGNL expression injection attacks.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.

Get more information

• Apache Struts S2-059 Advisory for CVE-2019-0230
• Apache Struts S2-060 Advisory for CVE-2019-0233
• Apache Struts Security Announcement

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

With IT assets comprising 20-50% of modern industrial environments, OT security leaders need technology that can deliver visibility across the converged IT/OT attack surface.

Think back to a recent security incident that impacted the manufacturing or critical infrastructure community. Whether you are thinking of one that was in the news, one that a colleague relayed to you or perhaps one that you may have experienced yourself, you need not look very far. In almost every instance, the affected organization echoes the all-too-common refrain – “I had no idea it was happening until it was too late.”

This is particularly common in operational technology (OT) environments where gear is not swapped out as frequently as in IT environments. The typical approach of “set it and forget it” is common in OT and results in devices that remain in operation for more than a decade. The “forget it” part of this mantra produces a critical visibility problem: it is hard to protect what you do not know you have.

While visibility may be the single most important and obvious competency when it comes to achieving organizational security, its execution has never been quite as trivial. Here are three practices to help gain the visibility you need in order to apply the security and control piece of the puzzle that is needed to avoid attacks. 

• Choose coverage that scales: Ensure that the security you choose can support the environment you administer. Too often, organizations will buy an OT security product or solution only to realize that it does not support the protocols being used or the programmable logic controllers (PLCs) on which their OT operations run. This can easily be addressed by ensuring during a proof of concept (POC) that the vendor has the coverage you need along with a broad range of support from other PLC manufacturers you may consider down the road. This allows the product to grow with your needs rather than locking you into a product that is not forward-compatible.
• Remember that OT is not just OT: In a typical OT environment, 20% of the infrastructure can easily contain IT devices, and this number can quickly rise to 50% in a converged environment. Point OT security products may adequately support OT assets, yet they are completely blind to the IT devices in the OT environment. As seen in recent attacks such as Lockergoga, EKANS and Ripple, which traversed IT and OT, only having partial visibility can introduce a false sense of security and substantial cyber exposure. To achieve the visibility you need, your OT security solution must not only provide you with deep network and OT device intelligence, but also extend beyond OT to IT in order to provide uninterrupted visibility across a converged environment. 
• Apply prioritization to the data deluge: Now that you have the visibility you need, you’ll likely have a lot more data to consume. How should you triage alarms, alerts and investigations? A prioritized risk score is essential to determine which alarms carry the greatest risk to your organization based on type of attack, asset criticality, availability of exploit code and other key factors. This helps focus security personnel on the cyber exposure incidents that present a clear and present risk, while minor or less significant alarms can be addressed later. 

The only way to arrest the proliferation of attacks in critical infrastructure and manufacturing environments is to illuminate the proverbial dark corners of OT environments where security incidents can form. With the right OT security tools, we can gain the visibility we need to no longer fly blind. 

Recently, we released Tenable.ot 3.7 which incorporates the three best practices noted above. We cover more than 90% of industrial controllers on the market today, with more being added each month. We added Nessus into Tenable.ot to address both the IT and OT parts of your industrial operation, providing the domain expertise in both areas that you’ll need to address ALL of your security incidents. We also added our Vulnerability Priority Rating (VPR) to Tenable.ot which can triage incidents based on which vulnerabilities contain the most risk for your organization. 

There is a whole lot more we added to address converging environments and evolving security threats that can put your organization at risk. You can check out our press release for more details about the product update. With the right visibility, security and control in place, you can take advantage of all of the benefits of new technology without being exposed to unacceptable risk.

Independent business risk study shows cybersecurity is seldom fully integrated into business strategy – and it needs to be.

Picture this: a headline-grabbing vulnerability has been disclosed. It’s all over the news and social media. It involves software being used by nearly every business on the planet. The board is demanding answers and your C-level executives are running around with their hair on fire. Your CEO calls an emergency meeting. The first question she asks you is: “How secure are we?” 

Are you prepared to answer?

If so, you’re one of the lucky ones. According to a study conducted by Forrester Consulting on behalf of Tenable, only four out of 10 security leaders say they can answer the question, “How secure, or at risk, are we?” with a high level of confidence. 

If you’ve spent more than a minute in cybersecurity, you know why answering this question is far more challenging than it might seem. 

Sure, you can provide data about how many systems are affected and how quickly your team can remediate. But all this data isn’t going to give your CEO the answers she is looking for. What she really wants to know is: Will our ability to deliver on our core business value be negatively impacted as a result of this vulnerability? 

The commissioned Forrester study — which is based on a survey of 416 security and 425 business executives in 10 countries — reveals a disconnect in how businesses understand and manage cyber risk. According to the study, The Rise of the Business-Aligned Security Executive, an alarming 66% of business leaders are – at most – only somewhat confident in their security team's ability to quantify their organization’s level of risk or security. The study also reveals that:

• Fewer than 50% of security leaders are framing the impact of cybersecurity threats within the context of a specific business risk. 
• Only half of security leaders (51%) say their security organization works with business stakeholders to align cost, performance and risk reduction objectives with business needs.
• Only 43% of security leaders report they regularly review the security organization’s performance metrics with business stakeholders.
• Less than half of security leaders (47%) consult business executives with a high level of frequency when developing their cybersecurity strategy. On the flip side, four out of 10 business executives (42%) rarely — if ever — consult with security leaders when developing their organizations’ business strategies.
• Just 54% of security leaders and 42% of business executives say their cybersecurity strategies are completely or closely aligned with business goals. 

“The biggest challenge when talking to business leaders is trying to keep it non-technical and business focused, or being able to translate tech-speak to business-speak,” said Kevin Kerr, CISO of Oak Ridge National Laboratory in Oak Ridge, TN, in an interview with Tenable. “If you don't understand the business, you can't do that. You need to understand where their fears lie, what they think the threats are and what they think is important. If you understand their business, you know what they're trying to do, what they're trying to protect, what they're trying to monetize; you present them the best way to do that securely to meet the standards you’re supposed to be held accountable to [while also] allowing them to have the freedom to do their business.”

Understanding business context

Getting to the business context of cyber risk isn’t easy, and the answers will differ from one organization to the next. 

“Risk is a term that business executives know and fear, and it is also well known in cybersecurity,” said Cesar Garza, CISO of Home Depot Mexico in San Pedro, Mexico. “We cybersecurity professionals deal with risks every minute: vulnerabilities, code flaws, the human factor, broken processes, deprecated technology, misconfigurations, etc. Risk is the common factor between the language of cybersecurity and business executives. It is the common ground. But still, it is a challenge to translate cybersecurity risks into business risks that need to be understood by executives. In some cases, we need to picture the worst-case scenario, talk about concerns such as fines, brand damage and losing customer loyalty to truly send the message. So, I like to say: ‘let’s talk about risks so we can understand our cybersecurity investments.’ “

In order to provide business context, security and risk management leaders must first be able to answer two key questions:

1. What is your organization’s core value creation? In manufacturing, the answer may be to make and sell widgets for profit. In healthcare, the answer may be to provide medical care to patients. In government, the answer may be to provide a service to the public, such as issuing driver’s licenses or taking care of trash disposal. 
2. Which of your IT assets are crucial to delivering on that core value creation? For example, is there an ERP system or medical records app or database which, if taken offline, would cause your business operations to grind to a halt? Are there groups of users whose computers, if compromised, would expose key intellectual property or sensitive data that could prevent the organization from delivering on that core value? Is there a cloud environment which, if taken offline, could derail an important customer-facing web service, such as a banking or ecommerce site?

“It's really having good business partnerships or check-ins with the various business leaders to understand what are the initiatives that are going on with the business,” said Rick Vadgama, VP and CISO for a global travel platform in Needham, MA, in an interview with Tenable. “If they lost a system or a function, how would that impact the revenue stream? Based on that, we’d know from a security perspective where we should be spending effort and time in making sure that we have a good readout of all the assets that make up that [system] and understand what the vulnerabilities are. As infosec leaders, our environments are very vast. By really working with the business leaders, you hear firsthand what they understand are the key systems they can’t live without and [you can] then place the efforts around that.”

While improving your understanding of business context is crucial, it’s also important to recognize that, even with such understanding, existing asset management and configuration databases can only take us so far. For starters, asset inventories and configuration management are fairly static operations. In my experience, most organizations are limited to conducting an annual risk assessment or business impact analysis on critical business functions. Such a static approach is hardly sufficient to capture the realities of the modern attack surface, which comprises a dynamic mix of on-premises and cloud-based IT, internet of things (IoT) and operational technology. 

For example, in most large organizations, cloud services are spun up and down every day on an as-needed basis. Computing assets are added and removed constantly as employees join or leave an organization. Applications and software are continuously implemented and upgraded as business needs change. And, in response to the COVID-19 pandemic, vast numbers of employees around the globe have shifted to a work-from-home model that is likely to set a new paradigm for how businesses operate. With today’s business moving at the pace of digital commerce, asset inventories are unable to keep pace. Security leaders are left to use the tools at their disposal to develop as comprehensive an understanding of asset criticality as possible. 

“The pace of growth being experienced, which is especially relevant in an industry that normally grows inorganically, together with the portion of ambiguity when performing qualitative risk assessments, are among our biggest challenges as security professionals,” said Jose Maria Labernia Salvador, head of IT security and internal control at LafargeHolcim IT EMEA in Madrid, in an interview with Tenable.

Along with doing the work of identifying your critical business assets, you also have to be able to prioritize which of the tens of thousands of threats and vulnerabilities facing your organization each year actually pose the greatest risk to those core assets. Security leaders need to balance the threat from a vulnerability or attack method with the business impact of remediation or mitigation. Basically, you need to understand how exposed you are to the issue, how quickly you can address it using the robust processes in place and what effect it would have on your core business value to do nothing versus addressing the issue.

When the next headline vulnerability lights up your C-suite, will you be ready?

At the end of the day, your C-level executives are most likely not cybersecurity experts and they are most certainly not vulnerability experts. All they really want to know is: What impact does our cybersecurity practice have on the business of value creation? A business-aligned approach — in which you can confidently evaluate how many vulnerabilities are critical to the assets that have the greatest effect on your core areas of business — enables you to develop a clear answer to the question “how secure, or at risk, are we?” 

Earlier this month, we explored findings from the Forrester study that highlight the disconnect between cybersecurity and business leaders. Over the next several weeks, we’ll continue to explore report findings about the technology, process and data challenges facing cybersecurity leaders and provide guidance on how you can become a business-aligned executive. In our next installment, we’ll discuss COVID-19 response strategies as a real-world example of the cyber-business disconnect.

Learn more:

• See additional study highlights here
• Visit our webpage for more information 
• Download the full study, The Rise of the Business-Aligned Security Executive
• Read the blog, Aligning Cybersecurity and the Business: Nobody Said It Was Easy
• Download the white paper, What It Takes to Be a Business-Aligned Cybersecurity Leader

As CISOs seek to consolidate vendors and reduce costs, building effective relationships with key security vendors can be the foundation for security program success.

Many security leaders take a “check the box” approach to purchasing technology. With today’s average enterprise using upwards of 20 security technology vendors, perhaps this isn’t surprising. Unfortunately, this approach fails to leverage all of the benefits that can be obtained by building a strong “human” relationship with these vendors. This not only assures the vendor will know the CISO’s business needs, but can also greatly improve success. Vendors have the ability to be more responsive if there are existing, clear lines of communication with the customers they are serving. 

In a recent Harvard Business Review article, two security leaders used the analogy of an automobile noting that, “technology is a critical piece of the cybersecurity puzzle, but just as with a car containing all the latest safety technology, the best defense remains a well-trained driver.” It seems clear that skilled security leaders are critical to an effective defense. Technology has not replaced human beings. However, the automobile analogy illustrates the need for a cooperative approach between the vendor and the customer. The best automobile is worthless without a good driver, but it is equally true that the best driver will not be successful driving a poor performing or slow race car.

Creating a successful vendor-customer partnership means syncing the security team “drivers” with a high-performing technology “race car.” Below are four key ways security leaders can build a successful vendor relationship to maximize the value of a true partnership.

Select a quality vendor based on leading indicators

Select a vendor that is recognized by peers and independent trade groups (i.e., Gartner, IDC, Forrester) as leaders in their specific area. It is important to have a single harmonized platform where vendor consolidation can create efficiency. However, be sure not to pursue consolidation at the risk of poor security performance.

Selecting market leaders who have a proven history of delivering results is imperative because security leaders need good tools. Meet with the vendor’s team, not just the sales representatives, and ask yourself if the vendor is readily available, if they are transparent, and whether they provide clear communication with you and your teams. Are expectations clearly set? Is the vendor a good fit for your organization’s culture and needs? If you’re confident in your answers to these questions, then these are all good indicators of a positive, successful and enhanced partnership with the vendor.

Set clear expectations early and often

This imperative step should be done as early as possible in order to establish a good working relationship. The vendor contract will set out deliverables, but it’s important to have a group meeting that sets step-by-step project plans and long-term and short-term goals. Many times a security team may purchase a new technology but never share how this fits into their overall and cumulative strategy. If a vendor understands the intended use and goal, they can better support the objectives. There may be features or methods that should be added, or perhaps taken away to save costs if they are not needed. Professional services can also be tuned to support the use objectives and long-term program plan. 

A good security vendor will want to be clear about the features of their product and how it addresses the issues that will be conquered with the deployment. The vendor should also explain the process for raising concerns, expectations for response time and the resources available to customers. It is also the vendor’s responsibility to help the customer connect with key leaders within their organization who can fully support the set client goals. 

Establish clear communications channels

In a time of crisis, a security leader does not have time to figure out how to reach a vendor for support. It is critical at the start of any relationship to establish a cadence of open communication channels and know who is available for support, or to resolve concerns. Smart vendors have customer liaisons on their staff who can be extremely helpful in quickly resolving any issues. These liaisons are focused on ensuring customer success and building strategic partnerships with their customer base. It is also important to be transparent about goals and intended use for technology. As noted above, this can help the vendor better focus on the unique needs or goals of the customer.

Engage with customer advisory groups

Many vendors have advisory groups of customers that are intended to provide feedback and improve products. Being involved in these groups is a small investment of time with potentially big rewards. As a customer, it is an opportunity to provide direct input into the features and capabilities you want to see developed. It may also provide you with additional communication and influence opportunities to promote your company needs. This is like having your own development team building the tools you really want. Don’t miss this opportunity to influence your products and services. You will also have an opportunity to meet and network with your peers as part of this advisory board. This provides an opportunity to share ideas and learn new approaches which can be very valuable.

Navigating cybersecurity risk can be challenging. Without the right tools to understand how and where the business is at risk, there can be security blind spots. New and increasing threats are identified every day. Staying ahead of cyber risks can feel like treading water, and to be successful, CISOs need to be strategic, invest resources in the right places and get the right team of vendors in place to support their security program. It is important to consider whether a vendor fits your needs and team culture. Investing time at the start of a vendor relationship can save many hours of frustration later. By setting clear expectations and open communication, the CISO can receive better service and improve overall security.

Kimberly Connor, contributing author

Observing these best practices for credentialed scanning will help you paint the clearest picture of your network's potential vulnerabilities.

Vulnerability scanning represents one of the most important tools for a modern organization to include in its information security arsenal. But as is true of many cybersecurity practices, it has its variations, chief among them being credentialed and non-credentialed scanning.

We don't want to take up too much of your time explaining why credentialed scanning is superior, which specifically stems from its comprehensiveness and accurate analysis. Instead, let's focus on how you can most effectively carry out credentialed scans and thus always remain fully aware of your organizational network's potential points of weakness. 

Delegate (and revoke) credentials appropriately

Credentialed scanning entails conducting a vulnerability assessment through the use of a tool that's been granted a certain level of account access to look through hosts and program files containing sensitive information. Said credentials can technically belong to any authenticated account on the system. They don't have to be associated with the identity and position of the individual overseeing or authorizing the scan (or anyone else in the organization, for that matter). In fact, it will be most effective to create a dummy account with the appropriate permissions that solely exists to conduct credentialed scans, rather than granting the vulnerability assessment software the credentials of an actual high-ranking staff member.¹

It's essential that vulnerability scanning tools always have the appropriate credentials for the nature and scope of the scan in question. (For Windows and Linux scans, they should be at the administrator or root level - although for Linux, root level is not always needed.) This allows scanners to access as many areas of the network as necessary, and root out common vulnerabilities and exposures (CVEs) wherever they may be hiding. That said, it's perfectly reasonable to alter credentials when scans aren't taking place, either by deleting the dummy account or disabling its access during these periods of inactivity. 

Debunk the bandwidth myth

By virtue of its increased access, credentialed scanning's effectiveness in discovering vulnerabilities dwarfs that of non-credentialed scanning. Yet, there are still some IT administrators who are leery of credentialed scanning because they fear service interruptions as a result of increased traffic or are hesitant about how intrusive this type of assessment can be. 

However, while it's important to limit the operational obtrusiveness of a scan as much as possible, the amount of traffic created in terms of packets sent is fairly low – often less than 1,000 packets – and much lower than that of a non-credentialed scan. A scan performed without appropriate credentials may send hundreds of thousands of packets while making queries necessary to find vulnerabilities.² In stark contrast, credentialed scans generate far fewer packets because the tools executing such functions already have access permissions that a non-credentialed scan needs to "ask for."

That's why obtaining the right credentials for every scan is essential, so excess traffic isn't generated due to avoidable permission requests. 

Scan in connection with patch releases

Research from Tenable has found that infosec and IT professionals discover a new CVE roughly every 90 minutes. On a broader scale, thousands of vulnerabilities of “high” and “critical” severity are disclosed every year. This is why applying patches as soon as they become available – and as quickly as possible – has become a fairly standard practice in infosec.

But if you allow personnel to manually patch rather than relying largely on automated updates, you may become concerned about certain departments falling behind on patches. Running a credentialed scan will quickly determine if any CVEs have slipped through any cracks resulting from missed patching opportunities and let you know what risks you've been exposed to. It also makes for an immediate action you can take in response to pressure from the C-suite about a new CVE that's made the tech headlines and raised concerns among senior staff. As a best practice, conduct vulnerability scans at least once a week - or ideally, twice.

Troubleshoot scanning issues quickly and appropriately

When a credentialed scan comes to its conclusion, you should have comprehensive results outlining the landscape of your network (or any section thereof) and detailing any CVEs or flaws discovered. From there you can start thinking about getting rid of those weaknesses and fortifying your network architecture against cyberattacks as much as possible. But what if there were problems with the scan? Results won't be as thorough and accurate as your organization needs. 

Applying Occam's-razor logic to the problem leaves you with the likely answer: credentials weren't properly set up. Nessus Professional's authentication failure alert – plugin 21745 – quickly alerts you of this issue, so you can reconfigure permissions properly and run another scan. Proper management of your vulnerability scanning tools and credentials will ensure you always remain informed of (and prepared for) the latest, most alarming CVEs. 

Start running credentialed scans today with Nessus Professional. Sign up now to get your free 7-day trial.

Start Your Free Trial

_{1. Security Boulevard, " 5 Best Practices for Credentialed Scanning," April 2018
2. Sikich, "Why You Should Perform Credentialed Scanning," July 2019}

Tenable Research discovers multiple vulnerabilities in the MAGMI Magento plugin that could lead to remote code execution on a vulnerable Magento site.

Background

On September 1, we published TRA-2020-51, a Tenable Research Advisory for two vulnerabilities in the Magento Mass Import (MAGMI) plugin. These vulnerabilities were discovered by Enguerran Gillier of the Tenable Web Application Security Team. MAGMI is a Magento database client written in PHP, which is used to perform raw bulk operations on the models of an online store. Our research into these vulnerabilities follows an FBI flash security alert that became public in May 2020 regarding in-the-wild exploitation of CVE-2017-7391, a cross-site scripting vulnerability in MAGMI that was used to target vulnerable Magento sites.

Analysis

CVE-2020-5776 is a cross-site request forgery (CSRF) vulnerability in MAGMI for Magento. This flaw exists because the GET and POST endpoints for MAGMI don’t implement CSRF protection, such as random CSRF tokens. An attacker could exploit this vulnerability to perform a CSRF attack by tricking a Magento Administrator into clicking on a link while they are authenticated to MAGMI. The attacker could hijack the administrator’s sessions, allowing them to execute arbitrary code on the server where MAGMI is hosted.

CVE-2020-5777 is an authentication bypass vulnerability in MAGMI for Magento version 0.7.23 and below due to the presence of a fallback mechanism using default credentials.

MAGMI uses HTTP Basic authentication and checks the username and password against the Magento database’s admin_user table. If the connection to the Magento database fails, MAGMI will accept default credentials, which are magmi:magmi. As a consequence, an attacker could force the database connection to fail due to a database denial of service (DB- DoS) attack, then authenticate to MAGMI using the default credentials.

The impact of this attack is remote code execution (RCE) on the server where MAGMI is hosted. During our testing, we successfully performed a Magento DB- DoS attack only when the following condition was true: the maximum number of concurrent MySQL connections was greater than the maximum number of concurrent Apache HTTP connections (or another HTTP or PHP server). By sending a large number of concurrent connection requests that exceed the MySQL connections limit, but not the maximum Apache HTTP connection limit, attackers could temporarily block access to the Magento database and simultaneously make an authenticated request to MAGMI using the default credentials.

The MySQL connections limit can be found in a variable called “max_connections,” which is 151 by default. You can check this value by connecting to the MySQL instance and executing the following database query: SHOW VARIABLES LIKE "max_connections";

The Apache HTTP connections limit is located in a directive called “MaxRequestWorkers” (or MaxClients or pm.max_children) in the Apache Multi-Processing Module (MPM) configuration.

In our testing, we found that at least since Apache version 2.4.10, the default value is either 400 or 250. In prior versions of Apache, the default value was 150, which is smaller than the MySQL default max_connections. For more information about MaxRequestWorkers please check your Apache server documentation.

Proof of concept

A proof of concept (PoC) for these vulnerabilities can be found under the poc folder on Tenable’s GitHub page.

Vendor response

Tenable Research reached out to the developer of the MAGMI plugin on June 3. After follow-up communications on June 17 and July 6, we received acknowledgement on July 6 that the issues we identified were in the process of being fixed. We have since sent requests for updates and have not received any. However, the developers released a new version of the plugin on August 30 to address one of the two vulnerabilities (CVE-2020-5777). A summary of the disclosure process can be found in the Tenable Research Advisory, TRA-2020-51.

Solution

A patch has been published for CVE-2020-5777 in MAGMI version 0.7.24 on August 30. This patch should be applied as soon as possible. At the time this blog post was published, however, there was still no patch available for CVE-2020-5776. To reduce your risk in the meantime, we recommend disabling or uninstalling the plugin altogether until a patch is available, as well as refraining from active web browsing while authenticated to MAGMI.

It should also be noted that there is a fork of MAGMI for Magento 2 that is also vulnerable to these flaws. Because it is a fork of the original MAGMI plugin, users of the Magento 2 plugin should disable or uninstall the plugin until patches are available for the Magento 2 version.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

• TRA-2020-51: Tenable Research Advisory for MAGMI Plugin Vulnerabilities
• FBI Flash Alert MU-000127-MW for MAGMI vulnerabilities (May 2020)
• ZDNet Article about FBI Flash Alert (May 2020)

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.