Channel: Tenable Blog

Microsoft’s November 2020 Patch Tuesday Addresses 112 CVEs including CVE-2020-17087


Microsoft addressed over 112 CVEs in its November release, including a zero-day vulnerability in the Windows kernel that was exploited in the wild as part of a targeted attack.

Microsoft patched 112 CVEs in the November 2020 Patch Tuesday release, including 17 CVEs rated as critical. This month's Patch Tuesday release includes fixes for Microsoft Windows, Microsoft Office and Microsoft Office Services and Web Apps, Internet Explorer, Microsoft Edge (EdgeHTML-based), Microsoft Edge (Chromium-based), ChakraCore, Microsoft Exchange Server, Microsoft Dynamics, Microsoft Windows Codecs Library, Azure Sphere, Windows Defender, Microsoft Teams, Azure SDK, Azure DevOps, and Visual Studio.

As part of this month’s release, Microsoft has made a significant change to their Security Update Guide, as they will no longer provide vulnerability descriptions for each vulnerability. Rather, they are relying on the CVSS vectors to provide the contextual information regarding vulnerabilities. Without descriptions, some vulnerabilities will lack key details and context that could be used by administrators when considering how to prioritize updates or determining when mitigations can be used until they are ready to apply patches to critical infrastructure within their network.

CVE-2020-17087 | Windows Kernel Local Elevation of Privilege Vulnerability

CVE-2020-17087 is an elevation of privilege vulnerability in the Windows kernel Cryptography Driver, cng.sys, that was exploited in the wild as part of a vulnerability chain with CVE-2020-15999, a buffer overflow vulnerability in the FreeType 2 library used by Google Chrome. CVE-2020-17087 was used to escape Google Chrome’s sandbox in order to elevate privileges on the exploited system. This is the second vulnerability chain involving a Google Chrome vulnerability and a Windows elevation of privilege vulnerability exploited in the last year.

Chaining vulnerabilities is an important tactic for threat actors. While both CVE-2020-15999 and CVE-2020-17087 were exploited in the wild as zero-days, the Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory with the FBI last month that highlighted threat actors chaining unpatched vulnerabilities to gain initial access into a target environment and elevate privileges. Now that Google and Microsoft have patched these flaws, it is imperative for organizations to ensure they’ve applied these patches before threat actors begin to leverage them more broadly.

CVE-2020-17051 | Windows Network File System Remote Code Execution Vulnerability

CVE-2020-17051 is a critical remote code execution (RCE) vulnerability affecting the Windows Network File System (NFS). NFS is a file system protocol used for file sharing across multiple operating systems on a network. According to the limited information provided by Microsoft, the vulnerability appears to impact all supported versions of Windows and can be exploited without authentication or user interaction based on the CVSSv3 score of 9.8. In a blog post by McAfee, there is speculation about combining CVE-2020-17051 with CVE-2020-17056, a remote kernel data read vulnerability in NFS, in order to bypass address space layout randomization (ASLR), which could increase the probability of a remote exploit. Additionally, the blog post notes that it’s possible for CVE-2020-17051 to be wormable, assuming NFS has been configured to allow for anonymous write access. With Microsoft labeling this vulnerability as “Exploitation More Likely” under its Exploitability Index, we suggest that organizations prioritize patches for both of these CVEs.

CVE-2020-17083 and CVE-2020-17084 | Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2020-17083 and CVE-2020-17084 are both RCE flaws within Microsoft Exchange Server. CVE-2020-17083 is scored as a CVSSv3 5.5 while CVE-2020-17084 has a CVSSv3 score of 8.5. While both flaws are labeled as “Exploitation Less Likely,” from reviewing the CVSS score, it’s likely these vulnerabilities could be exploited by enticing a user to open a crafted email. The vulnerabilities are credited to Steven Seeley of Source Incite. While unconfirmed, it’s likely that these fixes are related to a bypass Seeley found for CVE-2020-16875. Seeley has noted on Twitter that the CVSS score for CVE-2020-17083 is incorrect and should be 8.5.

Microsoft Exchange has continued to be a valuable target for attackers over the years, and slow patching of Exchange servers has led to successful attacks against organizations. Our readers may recall CVE-2020-0688, which saw active exploitation shortly after the patch was released in February of this year.

CVE-2020-17061 | Microsoft SharePoint Remote Code Execution Vulnerability

CVE-2020-17061 is an RCE vulnerability in Microsoft SharePoint. A remote attacker could exploit this vulnerability to gain code execution privileges on the SharePoint server. According to the advisory, an attacker requires low-level privileges in order to exploit the vulnerability.

In September and October, we saw a stream of patches for SharePoint RCE vulnerabilities. SharePoint is an attractive target for both researchers and threat actors. One of the most notable SharePoint vulnerabilities, CVE-2019-0604 has been actively exploited for well over a year now. While CVE-2020-17061 is not as severe as CVE-2019-0604, the regularity with which we’re seeing patches for SharePoint vulnerabilities should serve as a reminder for defenders to ensure they’re patching SharePoint regularly to reduce the potential attack surface for their organization.

CVE-2020-17042 | Windows Print Spooler Remote Code Execution Vulnerability

CVE-2020-17042 is an RCE vulnerability in the Windows Print Spooler. Despite receiving an Exploitability Index rating of “Exploitation Less Likely,” this vulnerability should be high up on any organization's patch priority list as it received a CVSSv3 score of 8.8. Although Microsoft does not provide any details on the flaw or conditions to exploit, it’s important to consider past flaws in the Windows Print Spooler. In August, CVE-2020-1337 was patched by Microsoft shortly after being discussed in presentations at both the Black Hat USA and DEF CON conferences. The presentation, A Decade After Stuxnet's Printer Vulnerability: Printing is Still the Stairway to Heaven, from SafeBreach Labs discusses how a flaw in the Windows Print Spooler could be chained with additional vulnerabilities to compromise a host and further propagate across a network. With interest in the print spooler as an attack vector from security researchers, we anticipate seeing further information on this in the near future.

Interestingly enough, this month brought a patch for CVE-2020-17001, an elevation of privilege flaw in the Windows Print Spooler reported to Microsoft by James Forshaw of Google’s Project Zero team. According to the details from Project Zero, this is a bypass of the patch for CVE-2020-1337. The vulnerability disclosure provides a proof-of-concept (PoC) and, although the vulnerability received only a CVSSv3 score of 7.8, it could be used in a chained attack scenario, as evidenced by the abuse of CVE-2020-1337.

CVE-2020-17019, CVE-2020-17064, CVE-2020-17065, CVE-2020-17066 | Microsoft Excel Remote Code Execution Vulnerability

CVE-2020-17019, CVE-2020-17064, CVE-2020-17065, and CVE-2020-17066 are RCE flaws within Microsoft Excel. Each of these flaws received a CVSSv3 score of 7.8. The CVSS metrics call out that user interaction is required in order to exploit the flaws, however this is a common scenario for Microsoft Office related flaws. We speculate that the path to exploitation requires that a user open a crafted file with an affected version of Microsoft Excel. These vulnerabilities are likely to be exploited in phishing attacks. Despite a lower exploitation probability, these updates are important to apply.

CVE-2020-17091 | Microsoft Teams Remote Code Execution Vulnerability

CVE-2020-17091 is an RCE vulnerability in Microsoft Teams, a platform used by businesses, small teams and schools for collaboration and distance learning. The vulnerability is credited to Matt Austin, director of security research at Contrast Security. In November 2019, Austin tweeted that he had discovered a “one click RCE” in Microsoft Teams that he submitted to Microsoft on September 1, 2018, and that was still an open case one year later.

Austin also tweeted a proof-of-concept video showing successful exploitation.

It is unclear if CVE-2020-17091 is the same vulnerability, but since it is credited to the researcher, we surmise this might be the case.

Because Microsoft Teams has seen a 50% increase in daily active users, from 75 million to 115 million over the last year, it is extremely important to ensure your organization or your schools apply this patch as soon as possible.

Tenable solutions

Users can create scans that focus specifically on our Patch Tuesday plugins. From a new advanced scan, in the plugins tab, set an advanced filter for Plugin Name contains November 2020.

With that filter set, click the plugin families to the left and enable each plugin that appears on the right side. Note: If your families on the left say Enabled, then all the plugins in that family are set. Disable the whole family before selecting the individual plugins for this scan. Here’s an example using March 2019 from Tenable.io:

A list of all the plugins released for Tenable’s November 2020 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.


CVE-2020-27125, CVE-2020-27130, CVE-2020-27131: Pre-Authentication Vulnerabilities in Cisco Security Manager Disclosed


Following the publication of proof-of-concept (PoC) code, Cisco released three advisories for multiple vulnerabilities silently patched in a recent update. Organizations should apply these patches immediately.

Background

On November 16, Cisco published advisories for three vulnerabilities in Cisco Security Manager, a tool to monitor and manage a variety of Cisco devices, including Cisco Adaptive Security Appliances, Cisco Integrated Services Routers, Firewall Services Modules, Catalyst Series Switches and IPS Series Sensor Appliances. The vulnerabilities were discovered and disclosed by security researcher Florian Hauser of Code White.

Hauser originally tweeted about these vulnerabilities on November 11, saying that he had disclosed “12 vulnerabilities” to Cisco that affect the “web interface” of Cisco Security Manager. He noted that all of the vulnerabilities he disclosed were unauthenticated and “almost all directly giving RCE (Remote Code Execution).”

Five days later, on November 16, Hauser tweeted that because Cisco’s Product Security Incident Response Team (PSIRT) had become “unresponsive,” and because the alleged fixed version of Cisco Security Manager didn’t mention his disclosures, he decided to release his proof-of-concept (PoC) code for the 12 vulnerabilities.

Three advisories reportedly cover at least 12 vulnerabilities

Despite Hauser’s tweet describing 12 vulnerabilities, it appears that two of the CVEs, CVE-2020-27130 and CVE-2020-27131, encompass multiple vulnerabilities, which is why there isn’t a direct one to one match as far as CVEs are concerned.

Analysis

CVE-2020-27125 is a static credential vulnerability in Cisco Security Manager. An unauthenticated, remote attacker could obtain the static credentials by viewing the source code of a file. Successful exploitation would allow an attacker to use these static credentials to “carry out further attacks.” This vulnerability received a CVSSv3 score of 7.4 out of 10.0.

CVE-2020-27130 is a critical path traversal vulnerability in Cisco Security Manager. An unauthenticated, remote attacker could send a specially crafted request containing directory traversal character sequences (e.g. “../../”) to a vulnerable device. Successful exploitation would allow the attacker to arbitrarily download and upload files to the device. This vulnerability received a CVSSv3 score of 9.1 out of 10.0.

CVE-2020-27131 addresses multiple vulnerabilities in the Java deserialization function in Cisco Security Manager. An unauthenticated, remote attacker could exploit this vulnerability by generating malicious serialized Java objects using a tool like ysoserial.net and sending them as part of a specially crafted request to the vulnerable device. Successful exploitation would grant the attacker arbitrary code execution privileges on the device as NT AUTHORITY\SYSTEM. This vulnerability received a CVSSv3 score of 8.1 out of 10.0.

Research cites previous disclosure from Tenable’s Zero Day Research team

As part of his PoC release for CVE-2020-27131, Hauser included a reference to TRA-2017-23, a vulnerability disclosure from Tenable’s Zero Day Research team from 2017 regarding a deserialization remote code execution vulnerability in Cisco Security Manager and Cisco Prime LAN Management Solution.

Proof of concept

On November 16, Hauser tweeted a link to a GitHub gist that contains PoCs for the vulnerabilities he disclosed to Cisco. These PoCs include examples of serialized Java objects generated using ysoserial.

Solution

Cisco has released patches for CVE-2020-27125 and CVE-2020-27130. However, a patch for CVE-2020-27131 is not yet available. The following table provides insight into the affected versions and available fixes.

CVE             Affected Versions   Fixed Versions   Fix Status
CVE-2020-27125  4.21 and earlier    4.22 and later   Available
CVE-2020-27130  4.21 and earlier    4.22 and later   Available
CVE-2020-27131  4.21 and earlier    4.23 and later   Not Available

On November 17, Hauser tweeted that the fixes were “indeed implemented” and that they “need some further testing” with a Service Pack release expected within “the next few weeks.”

We will update this blog post once Cisco Security Manager 4.23 is available. Cisco has not provided any workarounds or mitigations for any of these vulnerabilities and notes that they are not aware of exploitation in the wild for these vulnerabilities at the time the advisories were published. The Security Response Team strongly encourages customers running Cisco Security Manager to upgrade to the most recent patched version as soon as possible.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Tenable and ServiceNow: Extending Vulnerability Response Options Through Strategic Partner Updates


As customers increasingly recognize the value of vulnerability response, Tenable and ServiceNow are delivering market-leading vulnerability insights and greater flexibility to help IT and security teams prioritize critical risks for remediation.

Closing the remediation gap remains a key challenge for today’s security organizations. The typical enterprise attack surface is expanding in scope and constantly targeted with a growing number of vulnerabilities that threaten the security of critical business assets. Security and IT teams must not only be aligned in their workflows, but also possess the data to prioritize vulnerabilities based on business context when deciding which vulnerabilities to remediate first. 

The name of the game isn’t remediating all vulnerabilities – it's about reducing risk by prioritizing the most critical items to patch first through orchestration and automation. However, the majority of security leaders (53%) still feel they lack the technologies, processes and data to accurately predict the likelihood of a cybersecurity threat impacting the business.[1] As many as 60% of organizations said that at least one recent data breach occurred because a patch was available for a known vulnerability but was not applied.[2] These data points show that security programs struggle with staffing and resource constraints when deciding where to focus their remediation efforts.

How vulnerability insights help security teams respond with precision

In recent years, Tenable and ServiceNow® Security Operations have been working together to bring common visibility to organizations by automatically discovering IT, cloud and IoT assets and displaying that information through the Vulnerability Response (VR) dashboard. This partnership enables customers to continually assess their systems for vulnerabilities, correlate vulnerabilities with the asset’s business criticality and prioritize remediation based on this data to accelerate closed-loop remediation. 

Through our existing Tenable for Vulnerability Response app, customers can leverage all of Tenable’s proprietary threat intelligence, including our Vulnerability Priority Rating (VPR) which combines metrics such as vulnerability age, threat intensity and exploit maturity to reflect the risk posed by a given vulnerability and its likelihood of being exploited by attackers.

This integration, built and managed by Tenable, continues to support hundreds of customers and remains available for ServiceNow customers to leverage the power of our vulnerability insights in their IT and remediation workflows. 

New option for ServiceNow integration provides greater flexibility

Given the growing interest for vulnerability response, Tenable and ServiceNow are offering an additional option for integrating Tenable’s data feeds into ServiceNow Vulnerability Response. The new application, Vulnerability Response for Tenable, developed and supported by ServiceNow, was built using ServiceNow best practices and validated by Tenable to meet complex customer requirements. The app provides our joint customers with a new option to establish and manage their security-IT workflows, while ensuring they still have the insights they need to execute on a risk-based approach to vulnerability management. It will be available November 19, 2020.

Watch this space

We are excited to offer this additional option to new customers as they evaluate which application best fits their workflows and organizational needs. Existing customers who are currently using the Tenable-built Vulnerability Response integration will likely benefit from maintaining their current implementation and are advised to reach out to both their Tenable and ServiceNow account contacts for guidelines or with any questions. 

With this “better together” approach, Tenable and ServiceNow continue to help secure the most complex security programs across virtually every industry around the world. We’re dedicated to working together to continue serving our customers today and meeting evolving security needs in the future. 

1. "The Rise of the Business-Aligned Security Executive," a commissioned study conducted by Forrester Consulting on behalf of Tenable, August 2020
2. "Costs and Consequences of Gaps in Vulnerability Response," an independent survey conducted by Ponemon Institute LLC on behalf of ServiceNow, October 2019

ServiceNow, the ServiceNow logo, Now, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc. in the United States and/or other countries.

Conquer Your Cyber Risk: Advanced Capabilities in Tenable Lumin That Help


Key security metrics in Tenable Lumin reveal how effectively your team scans for vulnerabilities and remediates critical issues, so you can make process improvements where they matter most. 

If you’ve made the move from legacy vulnerability management (VM) to a risk-based strategy, you already know the power of prioritizing your remediation efforts. The best way to start reducing risk across your attack surface is to stop wasting time on vulnerabilities that don’t pose any immediate risk. At Tenable, that means combining trillions of threat, vulnerability and asset data points to predict the 3% of vulnerabilities that are most likely to be exploited in the near future.

While the ability to prioritize the vulnerabilities and assets that matter most is an essential step in maximizing your team’s efficiency and effectiveness, there are also next-level capabilities in Tenable Lumin that can help ensure your business processes are running at peak efficiency:

Assessment Maturity

Are you scanning often enough? Is your scan coverage broad enough? Are you assessing enough of your assets using authenticated scans? Your assessment maturity grade will let you know, so you can make necessary adjustments.

Assessment Maturity provides a high-level summary of how effectively you are scanning for vulnerabilities. To be effective, you must assess all your assets frequently and thoroughly. That means traditional, on-premises IT assets, as well as assets in cloud, container and operational technology (OT) environments. And while conventional wisdom assumes that a monthly scan is sufficient, Tenable recommends that you conduct a thorough scan of your entire environment two to three times per week to ensure that you’re taking action on the most current intelligence. At least 85% of your scans should be authenticated.

If your assessment maturity grade is low, Tenable Lumin will tell you what needs to be done to improve. It also compares your grade with industry peers and all Tenable customers for a vertical and global benchmark of assessment performance.

Remediation Maturity

Are you fixing issues quickly enough? How thoroughly do you fix your most critical vulnerabilities? The answers to these questions will be reflected in your remediation maturity grade. 

Remediation Maturity is a high-level summary of how effectively you are protecting your assets. This grade comprises your remediation responsiveness, or the average time it takes you to remediate vulnerabilities; it also assesses your remediation coverage, which measures both the average percentage of vulnerabilities remediated on your assets and the average number of open vulnerabilities per asset. Tenable recommends that you prioritize assets with a high Asset Criticality Rating (ACR), and then remediate all associated vulnerabilities with a critical or high Vulnerability Priority Rating (VPR) within eight to 14 days.

Similar to your assessment maturity grade, Tenable Lumin will tell you what needs to be done to improve your remediation maturity grade, as well as how your grade compares with industry and global peers.

Mitigations

For some assets, remediation may not be feasible, due to technical constraints or excessive costs. In addition to discovering vulnerabilities, your authenticated agent scans can also detect and record the installed endpoint protection agents throughout your environment. The Mitigations feature in Tenable Lumin shows the percentage of your assets where one or more endpoint protection agents have been detected. This inventory of security controls provides you with a more complete picture of your overall cyber risk, so you can assess and validate that mitigation tactics are working as intended. 

Tenable Lumin can help you make dramatic improvements to the efficiency and effectiveness of your security program. By adding Lumin, you can take your risk-based VM program from good to great, so you can reduce the greatest amount of risk with the least amount of effort.

Want to see how Lumin can help you take the next step in your risk-based VM program? Try Lumin for free for 30 days.

Cloud Security: 3 Things InfoSec Leaders Need to Know About the Shared Responsibility Model


Whether you’re just beginning your cloud journey or have years of deployments under your belt, it’s worth taking the time to make sure you’re clear on which aspects of security in the cloud fall to your cloud service provider and which are the domain of your security organization.

As 2020 draws to a close, organizations worldwide are forced to grapple with the realization that quick changes made earlier in the year in response to the Covid-19 pandemic may be here to stay. For some, this could mean a strategic move to double down on their use of cloud services, including infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) and software-as-a-service (SaaS). 

The advantages of moving to the cloud are clear in today’s environment, in which providing employees with remote access to the critical tools and data they need to do their jobs is essential for keeping an organization up and running. Earlier this year, a commissioned global study conducted by Forrester Consulting on behalf of Tenable found that nearly two thirds of organizations (64%) have remote/work-from-home employees. The study also revealed a complex mix of technologies and services being managed by the 416 security executives surveyed, including public cloud (41%), private cloud (45%) and hybrid (39%). As the need for a fully functional remote workforce continues, we anticipate even more organizations adding to their cloud portfolios in 2021 and beyond. 

Whether you’re just beginning your cloud journey or have years of deployments under your belt, it’s worth taking time to make sure you’re clear on which aspects of security in the cloud fall to your cloud service provider and which are the domain of your security organization. As with so much in information technology, the answers can vary widely depending on which flavor of cloud technology you’re deploying. Here’s a quick breakdown of what the shared responsibility model looks like for three main cloud computing tiers, based on guidance from the Cloud Security Alliance:

  • IaaS: In this tier, the security burden on the cloud service provider (CSP) includes virtualization security and infrastructure security. Areas such as data security, application security, middleware security and host security fall to the IaaS customer. Simply put: users are responsible for the guest OS and everything inside of it. 
  • PaaS: In this tier, the CSP’s responsibilities are broader, including: security configuration, management, operating monitoring, and emergency response of infrastructure; security of virtual networks; security of the platform layer, such as the security of operating systems and databases; and security of application systems. The PaaS customer is responsible for data security and application security.
  • SaaS: In this tier, the CSP is responsible for security of the application and underlying components. The SaaS customer is responsible for data security and endpoint device protection.

The example below, from Microsoft, illustrates a typical shared responsibility model:

[Image: cloud security and the shared responsibility model]

Image Source: https://docs.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility

While the shared responsibility model at a glance may look fairly straightforward, security professionals need to prepare for considerable nuance within each tier. For example, vulnerability management for IaaS deployment models can be particularly difficult and time consuming. Security teams require a full inventory of virtual private clouds (VPCs) and Elastic Compute 2 (EC2) image pipelines to get started. Scanners and agents need to be configured, installed and continuously managed to incorporate updates. New vulnerability detections can lag for several weeks. And if this weren’t challenging enough, security professionals have to account for numerous blind spots due to unknown cloud accounts and dynamic cloud environments that are constantly changing. 

Another concern for security professionals is understanding that the security of the storage infrastructure is the responsibility of the CSP but users have a significant impact as well. Misconfigurations — whether in S3 buckets or EC2 instances — are a primary cause of breaches.

Further, the shared responsibility details can vary depending on whether your CSP is Amazon Web Services (AWS), Google Cloud Platform (GCP) or Microsoft Azure. In addition to the guidelines available from the Cloud Security Alliance, resources for understanding your security team’s role in the shared responsibility model are also available from the Center for Internet Security.

Shared Responsibility in the Cloud: 3 Things Cybersecurity Leaders Need to Know

IDG’s 2020 Cloud Computing Study, which polled 551 IT decision-makers (ITDMs), found that the vast majority of respondents (81%) are already using computing infrastructure or applications in the cloud and another 12% plan to adopt cloud-based applications in the next 12 months. If you’re among them, here are three things to keep in mind about the shared responsibility model:

  1. Although it may seem equal on paper and in visuals, a significant amount of responsibility, implementation and attack surface defense is still on the customer. Don’t underestimate the time and resources you’ll need to invest for each cloud deployment — including any necessary training to bring your team up to speed.

  2. Certain audit and compliance categories (control families) are made easier by shifting to the cloud via inherited controls from the cloud provider. Inherited controls can include patch management and configuration management and can translate to noticeable cost savings. While your infosec team should drive this strategy, it’s important to engage with other key groups in your organization, particularly the governance, risk and compliance (GRC) and legal departments. The internal audit team can prove especially helpful here. According to a 2018 Deloitte report, “while an organization’s information security group can build cloud monitoring capabilities, [the internal audit team] can assist and assess the effectiveness of the control environment and prevent the IT department being left out of the loop.” 

  3. Don’t assume the cloud provider holds sole liability in the event of a breach. Even if a scenario were to happen where the cloud provider was found to be at fault, the fallout would still potentially extend to your customers, and your organization could be named in class action lawsuits. In many jurisdictions, legal liability falls to the data owner (i.e., the organization using the cloud services) rather than the CSP itself. In short, don’t be complacent. Paying attention to your role in the shared responsibility model can do more than keep your data secure; it can protect your organization in the event of a lawsuit.


Forrester predicts that, in 2021, “cloud computing will power how companies adapt to the ‘new, unstable normal.’ ” Now is the time to closely evaluate any cloud solutions hastily put in place earlier this year and revisit services you’ve had in place for a while to ensure that you’re fulfilling all your security obligations under the shared responsibility model. 


Cybersecurity in the Supply Chain: Why Vulnerability Management is Key


A new report from the U.S. government’s ICT Supply Chain Risk Management Task Force includes guidance on vulnerability management, mitigation and prioritization as key to understanding operational risk.

Information communications technology (ICT) — defined by the National Institute of Standards and Technology (NIST) as “the capture, storage, retrieval, processing, display, representation, presentation, organization, management, security, transfer and interchange of data and information” — is critical to the day-to-day operations of the U.S. economy and to our national security. Our increased reliance on these systems in the COVID-19 pandemic-era work environment has fundamentally shifted the ICT threat landscape.

The U.S. government’s ICT Supply Chain Risk Management (SCRM) Task Force was established in 2018 under the Cybersecurity and Infrastructure Security Agency’s (CISA) National Risk Management Center (NRMC) to respond to cyberthreats to government and industry from foreign adversaries, hackers and cybercriminals. This public-private partnership, composed of members from the federal government as well as the commercial IT and communications sectors, aims to improve the country’s collective ability to assess and mitigate threats to the ICT supply chain and improve the security and resilience of its systems.

On December 1, 2020, the ICT SCRM Task Force approved its Year 2 Report, expanding on its first-year progress to advance meaningful partnerships around supply chain risk management. The Year 2 Report reflects on the progress of the Task Force and its respective working groups, including in areas of information sharing, cyberthreat assessments and qualified bidder and manufacturers lists, among others.

This year, a new working group, the Vendor SCRM Assurance Template Working Group (WG4) developed a standardized template questionnaire for both public and private organizations to assess the cybersecurity practices and supply chain risk posture of their vendors.

A key section of this questionnaire will help organizations understand vendor operational risk management practices from a cybersecurity perspective. It includes several key recommendations to improve cyber hygiene and align with the National Institute of Standards and Technology (NIST) cybersecurity framework and other risk management frameworks. Vulnerability management, mitigation and prioritization are key focus areas for enterprises seeking to understand the operational risk management practices of their suppliers. As such, the WG4 questionnaire properly highlights the importance of vulnerability management for both vendor product development and operational cybersecurity. Further, recognizing the expanding attack surface and changing threat dynamic, the questionnaire also addresses managing security risks between an organization’s IT and operational technology (OT) systems.

As chair of the IT Sector Coordinating Council, I’m especially proud that we are one of three chartering organizations of the ICT SCRM Task Force. We need information and guidance forged by public-private partnerships like the Task Force to help companies and organizations solve some of their most challenging ICT and OT challenges.

We know that most successful hacks and cyberattacks are a result of bad actors exploiting known vulnerabilities. For example, recent hacks and ransomware attacks against organizations, governments and hospitals were successful not because they involved sophisticated techniques, but because they successfully exploited poor cyber hygiene. Therefore, we are encouraged to see vulnerability management and prioritization throughout WG4’s guidance recommendations.

Vulnerability management is a critical practice that must be adopted widely as the foundation supporting the pillars of a secure ICT supply chain. Without visibility into the threats surrounding these intricate systems, organizations are at risk of cyberattacks with significant consequences.

At Tenable, we are proud to work with our government partners to address cyber exposure and prioritize their most pressing cybersecurity issues. We look forward to helping improve vulnerability management best practices for both public and private organizations to help keep the nation’s critical ICT supply chains operating in a secure fashion.

Learn More:

Spotlight on Mexico: It's Time for Cyber and Business Leaders to Align


With cyberattacks on the rise, a new study shows how a disconnect between cyber and business executives is putting organizations in Mexico at risk. 

The vast majority of organizations in Mexico (95%) suffered at least one business-impacting[1] cyberattack over the past year and nearly three quarters (74%) expect cyberattacks to increase over the next 24 months.

The data is drawn from The Rise of the Business-Aligned Security Executive — a Spotlight on Mexican Organizations. The commissioned study derives data from a survey of 104 business and security executives in Mexico conducted by Forrester Consulting on behalf of Tenable.

The study points to an alarming disconnect between security and business leaders which is challenging organizations in Mexico to effectively manage their cyber risk. For example, while nearly all of the security leaders surveyed (97%) had been asked by their organization's top executives or board to present on cyber risk, just five out of 10 said they could answer the question "how secure, or at risk, are we?" with a high degree of confidence. And fewer than half of security leaders in Mexico are framing the impact of cyberthreats within the context of a specific business risk.

Even more concerning: as organizations scrambled to adopt new remote working practices in response to the COVID-19 pandemic, cybercriminals seized the opportunity. Three out of 10 Mexican business and security leaders report having experienced COVID-19-related malware or phishing attacks; an unlucky 4% were victims of both. In fact, 75% of security leaders are very or extremely concerned that COVID-19-related workforce changes will increase their organizations' level of risk.

Yet, even when confronting a global pandemic, the study shows business and cybersecurity leaders failed to connect: 79% of respondents said their COVID-19 response strategies are, at best, only "somewhat" aligned. This misalignment has significant effects on organizations in Mexico, with respondents experiencing one or more of the following as a result of a cyberattack in the past two years:

  • Lost productivity (47%)
  • Identity theft (29%)
  • Loss of employee data (28%)
  • Financial loss or theft (27%)
  • Loss of customer data (25%)

Technological challenges contribute to the disconnect

Numerous organizational, operational and technological challenges contribute to the lack of business and cybersecurity alignment for organizations in Mexico. For example, over half of security leaders (53%) say their teams do not have good visibility into the state of security for their organization's most critical assets and only 51% report having a holistic understanding and assessment of the organization's entire attack surface. 

Yet, there are actions security leaders can take today to help improve alignment with the business, including establishing a regular cadence of communication with business colleagues and working together to identify the organization's most business-critical assets. Once security leaders establish a clear understanding of which assets matter most to the business they're better equipped to assess risk and communicate using metrics that business executives can understand.  

When business and security teams are aligned, the results are significant. For example, the study reveals:

  • Business-aligned security leaders are eight times as likely as their more siloed peers to be highly confident in their ability to report on their organizations' level of security or risk.
  • 85% of business-aligned security leaders have metrics to track cybersecurity ROI and impact on business performance versus just 25% of their more reactive and siloed peers.
  • Business-aligned security leaders outpace their more reactive and siloed counterparts in automating key vulnerability assessment processes by margins of +49 to +66 percentage points.

With threats on the rise and workforce dynamics changing rapidly, it's clear that cybersecurity needs to evolve as a business strategy. Security leaders who understand their organization's current risk posture and are able to predict the greatest threats to the business are much better equipped to speak the language of business risk. These business-aligned security leaders are 8x as likely as their more siloed peers to be highly confident in their ability to answer the question, "How secure, or at risk, are we?" 

Learn more

[1] "Business-impacting" relates to a cyberattack or compromise that results in a loss of customer, employee or other confidential data; interruption of day-to-day operations; ransomware payout; financial loss or theft; and/or theft of intellectual property.



Security Consultants: Optimize Your Service Offerings with Nessus Professional


Security consultants can readily meet clients' specific needs and grow their businesses with help from Nessus Professional. 

As a cybersecurity consultant, you're in a unique position: You encounter just about every type of cyberthreat out there – and, often enough, find brand-new dangers in the virtual wild.

You need to help protect all of your clients against these growing threats, while also building your business. And in the current economic environment, where cybersecurity is one of the few categories of corporate spending not going down,[1][2] there is still most definitely business out there for the taking.

Every client is different; so are their security needs. Some will be concerned about specific systems, applications, libraries, or vulnerabilities. Others will have broader concerns about the vulnerabilities across their entire network.

With features like dynamic vulnerability scanning, pre-built and custom templates and vulnerability grouping, Nessus Professional from Tenable helps information security consultants save time while meeting each client’s specific needs.

Unique dynamic scans for unique client needs 

Nessus Professional allows you to configure scans according to extremely precise criteria as needed through the power of advanced dynamic scanning. This operation allows you to create dynamic plugin filters instead of manually selecting plugins (or families thereof) each time you scan. You can simply jump right to the dynamic criteria you selected – for example, vulnerabilities with high Common Vulnerability Scoring System (CVSS) scores, or new entries to the National Vulnerability Database (NVD) – and go from there. Each time Tenable releases plugins related to that dynamic scan, Nessus automatically updates the related policy accordingly. As complex as you can make the criteria of a dynamic assessment, the process itself is straightforward and delivers the clear results your clients need.

Balancing pre-built and custom templates
Efficiency is critical when you’re managing many different clients. Nessus Professional's template library further allows consultants to quickly run standard scans or tailor assessments to each client as needed. 

  • To start, you can choose from a variety of pre-built scan templates. Some of these are configured to search for highly specific malware strains and exploits like DROWN, Spectre, Meltdown, WannaCry and Mirai. Others cover broader priorities, such as PCI DSS compliance and basic full-network scans.
  • If you need to modify any of those templates for any reason – e.g., to accommodate a client's desire to focus on (or exclude) certain hosts on the network – customization is a breeze. You can even create entirely unique scan policies from scratch when necessary.

Focusing on customer priorities
After completing a scan, you can present the results in the way that makes the most sense for the client’s needs (and your own). By categorizing vulnerabilities per numerous factors – severity level, plugin family, host and so on – you can focus on issues of greatest concern to the client. If certain flaws you uncover are notably less important than others, you can "snooze" them temporarily so that you don't see them in the results.

Building your business with proven results
Your prospective clients may not know much about you, vulnerability assessments or cybersecurity in general. But they do understand results. Leveraging industry-leading coverage and accuracy with Nessus Professional’s versatility, you can serve clients effectively – saving time and money and standing out from competitors in your field.

Want to dig deeper into the ways that Nessus Professional can help your consulting business? We focused on exactly that in our latest whitepaper, “How Security Consultants Win With Nessus” – now available for download.

To experience Nessus Professional for yourself, sign up for a free trial: 

Start Your Free 7-Day Trial

1. Forbes, "2020 Roundup of Cybersecurity Forecasts and Market Estimates," April 5, 2020
2. McKinsey & Company, "COVID-19 crisis shifts cybersecurity priorities and budgets," July 21, 2020

COVID-19 Pandemic Data: As Attack Surface Expands, Software Vendors Improve Vulnerability Response Times


Tenable’s Zero-Day Research team found encouraging trends in how quickly software vendors are responding to our private disclosures, as well as how they’re addressing critical and high-severity vulnerabilities.

If someone told me at the start of the COVID-19 lockdown in March 2020 that software vendors would speed up the time they take to patch potential Zero Day* vulnerabilities, I would have chuckled and said it was wishful thinking. Clearly I was WRONG. 

Tenable Research compared the number of patches issued by software vendors for critical and high-severity vulnerabilities in the first half of 2020 with the same periods in the prior four years. We also looked at the average response times to our own team’s Zero Day vulnerability disclosures in the first half of this year. In both cases, results are surprising. For example, in first-half 2020, the number of patches issued by software vendors for critical and high-severity vulnerabilities was about 25% higher than in first-half 2019. Likewise, we observed a dramatic reduction in the time it took vendors to respond to our own Zero Day disclosures. 

What’s driving this increased activity? It’s difficult to prove empirically, but we believe the shift to work-from-home necessitated by the COVID-19 pandemic has not only led to a whole new set of challenges for employers worldwide, it has also created a breeding ground for cybercriminals looking to take advantage of the newly expanded attack surface. In this blog post, we explore key statistics related to vulnerability disclosure and patching in the first half of 2020, as well as how those efforts are helping to counteract these heightened threats.

Patches for Critical and High-Severity Vulnerabilities on the Rise

In first-half 2020, vendors patched 3,618 critical and high-severity vulnerabilities, a 25% increase over the 2,903 patched in first-half 2019. We chose to break the comparison out for the first-half of the year as this was our first foray into a large scale global event that is quite unprecedented in the last century. 

In examining overall vulnerability trends from 2017 – 2019, we find that vendors patched, on average, 2,802 critical and high-severity vulnerabilities in the first half of each year (2,903 in first-half 2019; 3,095 in first-half 2018; and 2,409 in first-half 2017); looked at in this way, we find an approximately 30% increase in the number of critical and high-severity vulnerabilities patched in first-half 2020 compared with the first-half average of the three prior years. 

The increase can be attributed, in part, to greater awareness all around. Year after year, we’ve seen more proactive findings as vendors adopt Secure Development Lifecycle best practices, more attackers look to exploit an expanding attack surface, and more researchers hunt for critical flaws, all of which result in an increase in the number of vulnerabilities reported. 

Yet, we believe the increase in the first half of 2020 amounts to more than just a continuation of established trendlines. We believe the work-from-home policies enacted by organizations around the world in response to the global pandemic have vastly altered the attack surface. We’re seeing more endpoints outside the “perimeter,” more cloud infrastructure and applications being leveraged, more video conferencing and collaboration tools being embraced, more VPN servers in use, and more consumer-grade WiFi networks being put to use for business purposes, all in the interest of keeping organizations up and running while employees move to work from home.

If we extrapolate this data into a full-year projection for 2020, we believe vendors will likely patch at least 275 more critical and high-severity vulnerabilities this year than they did in full-year 2019. Despite the unique challenges of 2020, the number of critical and high-severity vulnerabilities that will be patched this year continues to grow.

Tweet screenshot from Sean Gallagher - "CVE Season, updated"

The month of July, in particular, was what some might call “CVE season,” considering both the sheer number of patches issued for CVEs and the severity of them. Microsoft’s July Patch Tuesday included fixes for over 123 CVEs, while Oracle’s Quarterly Critical Patch Update in July included fixes for 284 CVEs. 

If keeping up with the cadence of regularly scheduled patch updates from vendors like Microsoft and Oracle wasn’t enough, disclosures of high-severity vulnerabilities in networking solutions and web applications ensured that July 2020 was an exhausting month for defenders. At least five high-profile vulnerabilities received a CVSSv3 score of 10.0 in early July, including those in F5’s BIG-IP solution, SAP NetWeaver, Palo Alto Networks PAN-OS and Microsoft’s Windows DNS Server. In total, patches were issued for 753 critical and high-severity vulnerabilities in July.

Tweet screenshot from The Hacker News - "Happy Patch Week, Everyone"

A Closer Look at Zero-Day Response Times

Tenable Research also examined two distinct blocks of time in 2020, revealing some key differences in Zero Day response activity as organizations around the world enacted their pandemic response strategies. 

We compared the time to public disclosure (TtD) in weeks 1 – 12 of 2020 (roughly Jan. 1 through March 21, when widespread lockdowns were just starting to be enacted in many parts of the world) against weeks 13 – 33 (roughly March 22 through August 15, during which pandemic response strategies were fully enacted). In weeks 13 – 33, we found that TtD — the average time between our first contact with a vendor alerting them to a potential vulnerability and when the vendor released an updated version of their product containing a fix — was about 30% faster than in weeks 1 – 12.

And the increased speed isn’t due to a reduction in volume. Tenable Research disclosed 14 vulnerabilities in the first 12 weeks of 2020 compared with 27 in weeks 13 – 33 (roughly 15% more on a per-week basis than in the first time period). Weeks 34 onwards have intentionally been left out of the scope of this blog post, even though the TtD is lower still for those weeks, because not all vulnerabilities reported to vendors in that period have been patched or publicly disclosed yet.

Time to public disclosure for vulnerabilities reported to vendors in first-half 2020

In weeks 1 – 12 of 2020, the average time from our first contact to the vendor’s patch release was 72 days. As the global pandemic began to rage, many instances of the disclosure process were interrupted. However, the average TtD during this period saw a negligible increase. On the other hand, in weeks 13 – 33, TtD drastically declined to 51 days. Based on publicly available data from similar Zero Day programs, we observed similar trends, with response times holding steady or improving despite the unique challenges of 2020. We believe accelerating TtD benefits enterprise software users. Rapid turnaround from initial vendor contact to the release of a patch greatly aids vulnerability management efforts as it minimizes the time period during which a deployment is vulnerable to exploitation.

Given the ever-expanding attack surface, it is critical for organizations to identify potential cyberthreats and mitigate them quickly. The numbers presented here hopefully offer encouragement for researchers and vendors to work on coordinated disclosures, helping to elevate the security posture of the entire ecosystem. This process works best when security researchers and software vendors work together to release effective mitigation rather than stopping collaboration after a bug bounty has been fulfilled. Expediting the disclosure-to-patch process for any given Zero Day vulnerability will only become more crucial as more and more CVEs threaten increasingly distributed work environments.

Tenable’s Conor O’Neill, Pablo Ramos and James Sebree contributed to this report. 

Learn more 

Methodology: The analysis in this blog post draws from Tenable's dataset of over 20 trillion aspects of threat, vulnerability and asset data, collected from over 10 different sources, including open-source, anonymized scan telemetry and commercial intelligence feeds. Data was sourced from the data lake for purposes of analysis.

Zero Day* data calculation: Only those vulnerabilities that have been disclosed to vendors in 2020 and also publicly disclosed either by Tenable’s Zero Day Research or similar programs as of November 20, 2020 have been considered in the data set. References include: Tenable Zero Day, ZDI, Project Zero (note: change in disclosure policy not accounted for as TtD didn’t change materially for the time periods considered)

*New vulnerabilities found by researchers and disclosed to vendors privately to enable coordinated disclosures

Criteria for data collection of critical and high severity vulnerabilities: Critical and High severity vulnerabilities published in the year where the CVE ID has the same year. Example: For 2020, all CVE IDs that start with CVE-2020-xxxx. Note: We do see similar results when we loosen the criteria above to include CVEs from previous years patched in the next year but for comparison purposes, since this data is not available for 2020 vulnerabilities that will be patched in 2021, we used the normalizing factor mentioned above to facilitate a more even comparison between the years. Sample NVD references: 2020 1H Critical, 2020 1H High, 2019 1H Critical, 2019 1H High

Microsoft’s December 2020 Patch Tuesday Addresses 58 CVEs including CVE-2020-25705 (SAD DNS)


The final Patch Tuesday of 2020 includes fixes for 58 CVEs, including workaround details for a severe vulnerability in Windows DNS Resolver called SAD DNS.

Microsoft patched 58 CVEs in the December 2020 Patch Tuesday release, including 9 CVEs rated as critical.

This month's Patch Tuesday release includes fixes for Microsoft Windows, Microsoft Edge (EdgeHTML-based), Microsoft Edge for Android, ChakraCore, Microsoft Office and Microsoft Office Services and Web Apps, Microsoft Exchange Server, Azure DevOps, Microsoft Dynamics, Visual Studio, Azure SDK, and Azure Sphere.

This is a book-end to a year that began with Microsoft addressing 49 CVEs in January of 2020, followed by eight consecutive months with over 90 CVEs addressed. In 2020, Microsoft released patches for over 1,200 CVEs, exceeding 2019’s total of 840.

This month’s release did not include any vulnerabilities that were exploited in the wild and no vulnerability was assigned a CVSSv3 score of 9.0 or higher.

Nearly 40% of the vulnerabilities patched this month were remote code execution (RCE) flaws, followed by elevation of privilege vulnerabilities, which represented approximately 24%. The chart below breaks down the release based on the types of vulnerabilities patched.

The following is a breakdown of some of the notable vulnerabilities addressed this month.

CVE-2020-25705 | Windows DNS Resolver Spoofing Vulnerability

CVE-2020-25705 is a spoofing vulnerability in the Windows DNS Resolver, a component of the Windows TCP/IP stack that is included in each Windows release. As its name implies, the DNS resolver is responsible for resolving DNS queries, such as when browsing to a website like google.com and fetching its IP address, because it is easier for users to remember a name like google.com than its IP address, which is 142.250.64.78. Since websites like google.com are visited often, it wouldn’t make sense for the DNS resolver to constantly request the IP address for them. To reduce the overhead of these requests, a local copy of the responses to these DNS queries is stored in the DNS cache, which is the crux of this vulnerability.

The vulnerability, dubbed Side-channel AttackeD DNS (or SAD DNS) by researchers at Tsinghua University and the University of California Riverside (UC Riverside), was disclosed at the ACM Conference on Computer and Communications Security in November.

Image Source: UC Riverside

The vulnerability is detailed on the UC Riverside website for associate professor Zhiyun Qian, who was an advisor on this project. The researchers call this a “revival of the classic DNS cache poisoning attack,” which has not been possible since 2008, when it was revealed by security researcher Dan Kaminsky at the Black Hat conference.

For a full breakdown of the vulnerability, we recommend reading this blog post published by Marek Vavruša and Nick Sullivan of Cloudflare.

The researchers have linked to proof-of-concept code for SAD DNS on GitHub, though the resource is currently inaccessible at the time this blog post was published. However, they also shared a YouTube video demonstrating exploitation.

Microsoft released guidance for SAD DNS as part of ADV200013, though they did not explicitly call out the vulnerability by its CVE identifier, which is CVE-2020-25705. Microsoft did not provide patch information, though they did provide a workaround that sets the maximum UDP packet size to 1221.
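As an added example (not code from Microsoft’s advisory or from this post), the PowerShell below audits a Windows DNS Server for the UDP-size workaround described above and can apply it. It assumes the value name `MaximumUdpPacketSize` under the DNS service’s Parameters registry key, which is the value used by Microsoft’s published ADV200013 workaround; `Get-DnsUdpWorkaroundState` and `Set-DnsUdpWorkaround` are names chosen here.

```powershell
# Added example: audit / apply the ADV200013-style UDP packet size workaround
# (1221 bytes = 0x4C5) on a Windows DNS Server. Assumption: the DNS service's
# Parameters key and the REG_DWORD value name MaximumUdpPacketSize, as used by
# Microsoft's published workaround. Run from an elevated PowerShell session.
$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$ValueName = 'MaximumUdpPacketSize'
$Target    = 1221   # 0x4C5, the size stated in the advisory workaround

function Get-DnsUdpWorkaroundState {
    # Returns an object describing whether the workaround is present on this host.
    $isDnsServer = $null -ne (Get-Service -Name DNS -ErrorAction SilentlyContinue)
    $current = $null
    if (Test-Path $DnsParams) {
        $current = (Get-ItemProperty -Path $DnsParams -Name $ValueName `
                    -ErrorAction SilentlyContinue).$ValueName
    }
    [pscustomobject]@{
        IsDnsServer = $isDnsServer
        Configured  = $current                     # $null means the value is absent
        Applied     = ($null -ne $current -and [int]$current -le $Target)
    }
}

function Set-DnsUdpWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path $DnsParams)) {
        throw "DNS Server parameters key not found; is the DNS Server role installed?"
    }
    if ($PSCmdlet.ShouldProcess("$DnsParams\$ValueName", "Set to $Target")) {
        New-ItemProperty -Path $DnsParams -Name $ValueName -PropertyType DWord `
                         -Value $Target -Force | Out-Null
        # The change only takes effect once the DNS service is restarted.
        Restart-Service -Name DNS
    }
}

$state = Get-DnsUdpWorkaroundState
$state | Format-List
if ($state.IsDnsServer -and -not $state.Applied) {
    Write-Warning "UDP size workaround not applied. Preview with 'Set-DnsUdpWorkaround -WhatIf', then run it without -WhatIf to apply."
}
```

Responses larger than the cap are truncated and retried over TCP by standard DNS behaviour, so verify that clients can still resolve large records (for example DNSSEC-signed zones) after applying the workaround.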

CVE-2020-17117, CVE-2020-17132, CVE-2020-17141, CVE-2020-17142 and CVE-2020-17144 | Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2020-17117, CVE-2020-17132, CVE-2020-17141, CVE-2020-17142 and CVE-2020-17144 are remote code execution (RCE) vulnerabilities in Microsoft Exchange. All of these have been labeled by Microsoft as “Exploitation Less Likely” with the exception of CVE-2020-17144, which has been labeled as “Exploitation More Likely.”

The vulnerabilities exist in Microsoft Exchange due to the improper validation of cmdlet arguments. An attacker would need to be authenticated to the vulnerable Exchange server in order to exploit these flaws.

CVE-2020-17132 is credited to Steven Seeley, a researcher at Source Incite, who is frequently acknowledged for his disclosure of vulnerabilities during Patch Tuesday.

In September’s Patch Tuesday release, Seeley was credited with discovering CVE-2020-16875, which he intended to blog about until he discovered a patch bypass for the flaw. Seeley has now confirmed that CVE-2020-17132 addresses this patch bypass.

Microsoft Exchange Server remains a valuable target for threat actors, with the National Security Agency (NSA) including CVE-2020-0688 as an entry in its list of vulnerabilities known to be exploited by state-sponsored actors. CVE-2020-0688, which was addressed as part of Microsoft’s February 2020 Patch Tuesday release, has seen continued interest, with proofs-of-concept (PoCs) developed shortly after its release and active exploitation following soon after.

CVE-2020-17122, CVE-2020-17123, CVE-2020-17125, CVE-2020-17127, CVE-2020-17128 and CVE-2020-17129 | Microsoft Excel Remote Code Execution Vulnerability

CVE-2020-17122, CVE-2020-17123, CVE-2020-17125, CVE-2020-17127, CVE-2020-17128 and CVE-2020-17129 are RCE vulnerabilities in Microsoft Excel. All six of these vulnerabilities were assigned a CVSSv3 score of 7.8 and labeled as “Exploitation Less Likely” by Microsoft.

Details about CVE-2020-17123, which is credited to Marcin Noga of Cisco Talos Intelligence Group, have been published on the Talos blog. According to their description, CVE-2020-17123 is a use-after-free vulnerability in Microsoft Excel. Exploitation of this flaw requires an attacker to socially engineer their victim into opening a malicious XLS file, either via email or by hosting the file on a website and convincing the user to download and open it. Successful exploitation would result in remote code execution in the context of the current user. If the user has administrative privileges, it would result in a full system compromise.

While there are no further details for the five remaining Excel vulnerabilities, if they echo CVE-2020-17123 and past Excel flaws, the attack vector could be similar, requiring a user to open a malicious XLS file either via email or by convincing them to download and execute the file from a website. However, Microsoft notes that the Outlook Preview Pane is not affected by these vulnerabilities, which means a victim would need to open the XLS file directly to trigger the exploit.

CVE-2020-17096 | Windows NTFS Remote Code Execution Vulnerability

CVE-2020-17096 is an RCE vulnerability in the Windows NT File System (NTFS), the file system used in Microsoft Windows and Microsoft Windows Server. No user interaction is required to exploit this vulnerability. Depending on the attacker’s position, there are a few avenues for exploitation. For an attacker that has already established a local position on the vulnerable system, executing a malicious application that exploits the flaw would result in an elevation of privileges. Alternatively, a remote attacker could exploit the flaw by sending malicious requests to a vulnerable system, so long as they could access it over the Server Message Block version 2 protocol (SMBv2). Successful exploitation in this context would grant the attacker arbitrary code execution.

CVE-2020-17118 and CVE-2020-17121 | Microsoft SharePoint Remote Code Execution Vulnerability

CVE-2020-17118 and CVE-2020-17121 are RCE vulnerabilities in Microsoft SharePoint, which are labeled as “Exploitation More Likely” by Microsoft.

For CVE-2020-17121, Microsoft notes that the attack is network-based and, provided the targeted user has the required privileges, an attacker could gain access to SharePoint to craft a site and in turn remotely execute arbitrary code within the kernel.

The Zero Day Initiative (ZDI) is credited with reporting CVE-2020-17121 and offers additional details about the vulnerability in their summary blog. They note that exploitation would allow the execution of arbitrary .NET code in the context of the SharePoint Web Application service account. In SharePoint’s default configuration, authenticated users are allowed to create sites, which grants the permissions required to launch the attack; this lines up with Microsoft’s FAQ.

Microsoft SharePoint is another valuable target for threat actors, as was highlighted by CVE-2019-0604, an RCE in Microsoft SharePoint that continued to be exploited nine months after it was patched in the May 2019 Patch Tuesday.

Tenable solutions

Users can create scans that focus specifically on our Patch Tuesday plugins. From a new advanced scan, in the plugins tab, set an advanced filter for Plugin Name contains December 2020.

With that filter set, click the plugin families to the left and enable each plugin that appears on the right side. Note: If your families on the left say Enabled, then all the plugins in that family are set. Disable the whole family before selecting the individual plugins for this scan. Here’s an example from March 2019 using Tenable.io:

A list of all the plugins released for Tenable’s December 2020 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

CVE-2020-4006: VMware Command Injection Flaw Exploited by Russian State-Sponsored Threat Actors

The National Security Agency warns that Russian state-sponsored threat actors are exploiting an important VMware vulnerability in the wild.

Background

On December 7, the National Security Agency (NSA) published a cybersecurity advisory regarding in-the-wild exploitation, by Russian state-sponsored threat actors, of a vulnerability in several VMware products.

The vulnerability was disclosed by the NSA to VMware, which published details in a security advisory, VMSA-2020-0027.2, on November 23. At the time, no patches were available, though VMware did provide a set of workarounds.

Analysis

CVE-2020-4006 is a command injection vulnerability in the administrative configurator component in certain versions of VMware products. The affected products include:

There are two prerequisites required to exploit the vulnerability:

  • First, an attacker needs to establish network access in order to connect to the administrative configurator, which is typically accessible over port 8443
  • Second, an attacker needs to have valid administrator credentials in order to log in to the configurator

While these prerequisites may seem like a hindrance to potential exploitation, the NSA has reported that Russian state-sponsored actors have successfully exploited this vulnerability in the wild as a zero-day.

Exploiting CVE-2020-4006 to access protected data

According to the NSA advisory, Russian state-sponsored threat actors utilized this vulnerability to install a web shell, a malicious script that can be used to enable remote administration, onto vulnerable systems. Through this access, threat actors could further access protected data by sending forged Security Assertion Markup Language (SAML) authentication assertions to Microsoft Active Directory Federation Services (ADFS).

Conflicting CVSSv3 score assignment

VMware assigned a CVSSv3 score of 9.1 when their advisory was first published on November 23. However, in a subsequent update, they revised the CVSSv3 score down to 7.2, due to a change in the scope metric. Their initial assessment of the vulnerability led to the conclusion that exploitation would change the scope (C), meaning it could affect resources outside of the scope of the administrative configurator. However, upon further review, it appears the scope would be unchanged (U) upon exploitation.
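To see how the scope metric alone moves the score, here is the CVSS v3.1 base-score arithmetic in C. This is an added example for this post, not anything from VMware’s advisory. The page gives only the two scores, so the metric vector (AV:N/AC:L/PR:H/UI:N/C:H/I:H/A:H) is an assumption, chosen because it reproduces both 9.1 with S:C and 7.2 with S:U; the function and type names are mine.

```c
/* CVSS v3.1 base score: reproduces the 9.1 (Scope: Changed) and 7.2 (Scope: Unchanged)
 * scores VMware published for CVE-2020-4006. Added example; the vector is assumed. */
#include <stdio.h>

enum scope { SCOPE_UNCHANGED, SCOPE_CHANGED };

/* CVSS v3.1 base metric weights (Specification, Table 8). */
typedef struct {
    double av, ac, ui;   /* Attack Vector, Attack Complexity, User Interaction */
    double pr_u, pr_c;   /* Privileges Required: weight differs when scope changes */
    double c, i, a;      /* Confidentiality, Integrity, Availability impact */
    enum scope s;
} cvss31_metrics;

/* pow(base, 15) without libm, for the Scope: Changed impact term. */
static double pow15(double b) { double r = 1.0; for (int k = 0; k < 15; k++) r *= b; return r; }

/* CVSS v3.1 Roundup: smallest one-decimal value >= x, done on integers
 * exactly as the specification's Appendix A prescribes (x is non-negative). */
double cvss_roundup(double x)
{
    long long int_input = (long long)(x * 100000.0 + 0.5);
    if (int_input % 10000 == 0) return int_input / 100000.0;
    return (double)(int_input / 10000 + 1) / 10.0;   /* integer division floors for x >= 0 */
}

double cvss31_base_score(const cvss31_metrics *m)
{
    double iss = 1.0 - (1.0 - m->c) * (1.0 - m->i) * (1.0 - m->a);
    double impact, pr;

    if (m->s == SCOPE_UNCHANGED) {
        impact = 6.42 * iss;
        pr = m->pr_u;
    } else {
        impact = 7.52 * (iss - 0.029) - 3.25 * pow15(iss - 0.02);
        pr = m->pr_c;
    }
    double exploitability = 8.22 * m->av * m->ac * pr * m->ui;

    if (impact <= 0.0) return 0.0;
    double raw = (m->s == SCOPE_UNCHANGED) ? impact + exploitability
                                           : 1.08 * (impact + exploitability);
    return cvss_roundup(raw > 10.0 ? 10.0 : raw);
}

/* The vector that reproduces VMware's two published scores (assumed here, not quoted
 * from the advisory): AV:N/AC:L/PR:H/UI:N/C:H/I:H/A:H, with scope chosen by the caller. */
double cve_2020_4006_score(enum scope s)
{
    cvss31_metrics m = {
        .av = 0.85, .ac = 0.77, .ui = 0.85,
        .pr_u = 0.27, .pr_c = 0.50,   /* PR:H weighs 0.27 (S:U) or 0.50 (S:C) */
        .c = 0.56, .i = 0.56, .a = 0.56,
        .s = s,
    };
    return cvss31_base_score(&m);
}

/* Score in tenths as an integer, so results can be compared without fabs(). */
int score_tenths(double score) { return (int)(score * 10.0 + 0.5); }

int main(void)
{
    printf("S:C -> %.1f\n", cve_2020_4006_score(SCOPE_CHANGED));    /* 9.1 */
    printf("S:U -> %.1f\n", cve_2020_4006_score(SCOPE_UNCHANGED));  /* 7.2 */
    return 0;
}
```

The scope flag changes two things at once: the Privileges Required weight for PR:H rises from 0.27 to 0.50, and the impact sub-score switches to the formula that carries the 1.08 multiplier. Both push in the same direction, which is why a single metric swing moves the result across the Important/Critical boundary.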

Second NSA advisory related to Russian state-sponsored activity in 2020

This latest vulnerability in VMware products marks the NSA’s second advisory this year regarding Russian state-sponsored threat actor activity. In May, the NSA published a cybersecurity advisory highlighting threat actor usage of CVE-2019-10149, a remote command execution vulnerability in Exim — a popular open-source mail transfer agent — that was quickly exploited in the wild soon after its disclosure.

Second vulnerability credited to the NSA in 2020

CVE-2020-4006 also marks the NSA’s second disclosure to a vendor in 2020. The year began with the NSA disclosing CVE-2020-0601, a critical spoofing vulnerability in a core cryptographic module in Microsoft Windows, crypt32.dll, which enables the certificate and cryptographic messaging function in the CryptoAPI. Some researchers began referring to the flaw as “CurveBall” or “Chain of Fools” when describing it as part of proofs of concept and blog posts.

Proof of concept

At the time this blog post was published, there was no proof-of-concept code available for this vulnerability. However, based on the NSA advisory, threat actors are in possession of working exploit code that they’ve used as part of attacks in the wild.

Solution

VMware has released patches to address CVE-2020-4006 in the administrative configurator. The following table contains the affected VMware products and versions:

VMware Product                     | Affected Versions   | Operating System
Workspace ONE Access               | 20.01, 20.10        | Linux
VMware Identity Manager            | 3.31, 3.32, 3.3.3   | Linux
VMware Identity Manager Connector  | 3.31, 3.32          | Linux
VMware Identity Manager Connector  | 3.31, 3.32, 3.33    | Windows
VMware Identity Manager Connector  | 19.03, 19.03.0.1    | Windows

Before applying the patches for the affected versions above, VMware recommends backing up specific folders on both Linux and Windows installations as a precautionary measure.

Linux versions:

/opt/vmware/horizon/workspace/webapps/cfg
/opt/vmware/horizon/workspace/webapps/hc

Please note that Workspace ONE Access versions 20.01 and 20.10 do not require backing up the /webapps/hc folder.

Windows versions:

INSTALLLOCATION\opt\vmware\horizon\workspace\webapps\cfg
INSTALLLOCATION\opt\vmware\horizon\workspace\webapps\hc

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

2021 Global Cybersecurity Policy Challenges and Highlights

For many global policymakers, the transformative impact of the COVID-19 pandemic has reinforced the need to adopt new cybersecurity and privacy policies. Here's a look at what we can expect in the year ahead.

The COVID-19 pandemic and resulting global economic downturn represent new challenges for government security leaders. Indeed, the massive shift to remote work for both the public and private sectors has forced businesses, governments and other organizations to adapt security practices, processes and policies to account for the significant range of new devices and assets which are now connected to enterprise networks. Both governments and enterprises have seen increases in COVID-19 related phishing and other cyberattacks against employees during the pandemic. Unpatched hardware, software and configuration vulnerabilities in home devices can now be exploited and leveraged to attack enterprise networks. 

For many global policymakers, the transformative impact of the pandemic has reinforced the need to adopt new cybersecurity and privacy policies, many of which were under consideration before the pandemic, in order to strengthen trust in the digital economy. These include efforts to promote data privacy and protection, raise baseline security standards of care, and implement cybersecurity certification regimes. 

At Tenable, we've identified the following global privacy and cybersecurity policy challenges and expected developments that cybersecurity professionals need to monitor in 2021: 

European Union Network and Information Systems (NIS) Directive review and implementation of the EU Cybersecurity Act

Since the current NIS Directive entered into force in 2016, the cyberthreat landscape has continued to evolve. The EU Commission has launched a public consultation on a proposed revision of the Directive. This will be an opportunity to clarify minimum cyber hygiene standards, consider the expanded threat landscape of cloud computing and operational technology (OT) risks, and harmonize security standards across the EU. Much of this harmonization will likely come through implementation of the cybersecurity certification schemes under the EU Cybersecurity Act. While the cybersecurity authorities of the member states — including BSI in Germany and ANSSI in France — will play lead roles in driving these certifications in their respective countries, we also expect them to work closely with the European Commission and the European Agency for Network and Information Security (ENISA) in order to drive towards greater convergence. Certifications under consideration in 2021 include new EU-wide certification standards for EU Common Criteria for critical infrastructure, as well as certification regimes for cloud services, artificial intelligence, and 5G.

Brazil data security and Latin America regional influence

It has been more than two years since the European General Data Protection Regulation (GDPR) came into effect and changed the landscape of global data security. The “data protection by default” approach of the GDPR is now being mirrored in Brazil with the Lei Geral de Proteção de Dados Pessoais (LGPD), with some key differences. The LGPD, which went into effect in August 2020, has a broad scope and applies to any organization that processes Brazilian citizen data. With digital transformation underway at many of the organizations which routinely process Brazilian citizens' data, it will be critical to understand these new requirements and to avoid penalties. The Brazilian government is expected to clarify some of the provisions of this law in 2021. Brazil is influential across the Americas and its minimum security standards will be impactful for data security practices.

Continued development of minimum data security standards

Japan, Brazil, Canada, India and New Zealand all made updates in 2020 to regulations impacting data security standards. All of these countries moved closer to the EU model of minimum cybersecurity standards and substantial fines for non-compliance. This trend is likely to continue, with governments reviewing their basic cybersecurity standards in light of the changing threat landscape and concerns for data privacy. Expect to see more extraterritorial reach for these laws as governments mandate basic cybersecurity requirements and levy fines on organizations that ignore security.

Focus on critical infrastructure and operational technology standards in APAC

Because the maturity of OT security policy varies widely across APAC, there is a need to develop and harmonize security best practices. Regional industry groups are likely to drive alignment with international, consensus-driven standards. As an example, the ASEAN Ministerial Conference on Cybersecurity (AMCC) agreed in 2018 to subscribe in principle to 11 voluntary, non-binding norms as well as to focus on regional capacity-building in implementing these norms. These norms include critical infrastructure protection and OT protection. In 2018 Singapore published its Master Plan for Operational Technology standards. These efforts are likely to grow across APAC in 2021 as 5G technology is adopted and the OT threat landscape grows. Additional country-specific activity in the region includes:

  • Australia: Earlier this year, Australia launched a consultation on a proposed enhanced regulatory framework for operators of critical infrastructure and systems of national significance. This focus on critical infrastructure stems from Australia's Cyber Security Strategy 2020, where the government noted that highly sophisticated nation states and state-sponsored actors continue to target governments and critical infrastructure providers. In response, the strategy calls for critical infrastructure businesses to improve baseline security, and states that the government will invest funds in cyber situational awareness, research on cyberthreats, and vulnerability assessment.

  • India: Government leaders in India have been increasingly focused on the security of their industrial technology infrastructure against cyberattacks. Critical infrastructure cybersecurity will therefore likely be a major focus area in India's National Cyber Security Strategy 2020 and early implementation of the strategy is expected in 2021. 

  • Japan: Japan continues to implement provisions of the Cyber Physical Security Framework, released by the Ministry of Economy, Trade and Industry (METI) in 2019 and focused on security for consumer and industrial IoT. As part of this implementation, METI released a draft IoT Security Safety Framework earlier this year, focusing on security for the layer of mutual connections between physical devices and cyberspace. METI will likely develop further guidance on Cyber Physical Security in 2021, especially as the Tokyo Summer Olympics, which constitute a prime target for cyber attackers, have been rescheduled for next summer. 


Brexit and data security

As Brexit is finalized, there will continue to be concerns about data privacy standards and enforcement across borders between the EU and the U.K. This will be tested by new reviews and examination of data privacy enforcement and adherence to agreed-upon standards. While the U.K. has committed to implementing both the GDPR and the NIS Directive, data security remains a sensitive issue that the EU and U.K. governments will continue to review.

Regulatory Harmonization of Cybersecurity Regulations for Financial Services

This year, we saw further progress in the U.S. regarding efforts to harmonize the regulatory requirements for cybersecurity in financial services and the growing acceptance of a risk profile model that could be examined across multiple regulatory agencies. The framework is largely based on the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. There is also continued discussion of harmonization in Europe and APAC. And we expect additional review of these requirements in Europe in the year ahead as banks seek to reduce duplication across national agencies and limit burdensome regulatory requirements. This is hopefully an opportunity to focus on critical risks and maintaining harmonized standards for cybersecurity.

U.S. Energy and Critical Infrastructure Security

Over the last year, the U.S. Congress has worked on the American Energy Innovation Act, which contains numerous cybersecurity provisions to strengthen the cybersecurity of the nation's energy infrastructure through public-private partnerships, rate incentives for cybersecurity investments and advanced cybersecurity technology and application research and development. While this bill is unlikely to pass before the end of this Congress, we expect to see similar legislative efforts on strengthening energy sector cybersecurity in 2021. The U.S. Department of Energy (DoE) and Department of Homeland Security (DHS) will also continue to prioritize energy grid and industrial cybersecurity through policy guidance and updated standards. Questions regarding whether these approaches will take a more voluntary or regulatory approach in 2021 may depend on presidential and congressional election outcomes. Additional U.S. activity includes:

  • Supply chain protections: With a COVID-19 vaccine expected by 2021, the U.S. and other global governments will continue to focus on supply chain security to protect the manufacturing and distribution of vaccines.

  • Transportation and infrastructure: Congress is also expected to consider a major transportation and infrastructure package in 2021. This legislation is expected to include provisions on smart, digital infrastructure. Therefore, critical infrastructure and OT cybersecurity considerations will need to be addressed as well.

  • Vendor certifications: Implementation of the U.S. Department of Defense (DoD) vendor cybersecurity certification program, the Cybersecurity Maturity Model Certification (CMMC), part of the DoD’s unified standard for implementing cybersecurity across the defense industrial base (DIB), will become more impactful in defense acquisition processes in 2021. As before, contractors will remain responsible for implementing critical cybersecurity requirements to protect sensitive defense information. However, the CMMC requires third-party assessments of contractors' compliance with mandatory practices, procedures and capabilities to prevent cyberattacks from new and evolving threats. Due to the size and complexity of the defense industrial base, it's likely that the CMMC will face technical and logistical hurdles as it is implemented on a much larger scale. However, it also represents an important opportunity for the DoD to improve its cybersecurity posture and close the cyber exposure gap for the DoD and its contractors by creating incentives for stronger cybersecurity processes and practices.


Conclusion

Understanding the policy landscape helps security and business leaders stay prepared for new trends and requirements. In the modern connected world, policy trends in one region often influence government actions in another. Governments are increasingly scrutinizing data privacy and security, and this trend is likely to continue. Awareness of the above trends helps leaders anticipate government concerns and avoid costly fines and regulatory problems.

AMNESIA:33: Researchers Disclose 33 Vulnerabilities Across Four Open Source TCP/IP Libraries

The vulnerabilities disclosed affect millions of Operational Technology, IoT and IT devices and include multiple remote code execution flaws.

Background

On December 8, researchers at Forescout published a report on 33 vulnerabilities that reportedly impact millions of devices. Dubbed AMNESIA:33, the vulnerabilities exist within four open source TCP/IP libraries that are embedded in a number of Operational Technology (OT) and Internet of Things (IoT) devices as well as routers and printers. The four TCP/IP libraries affected by AMNESIA:33 include:

Forescout estimates over 150 vendors that have implemented these libraries are affected by AMNESIA:33.

Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) issued its own advisory for AMNESIA:33.

The 33 vulnerabilities include mostly Denial of Service and Information Leak vulnerabilities along with multiple remote code execution (RCE) flaws.

Analysis

The following is a breakdown of the 33 vulnerabilities, including the affected library, vulnerability type, common weakness enumeration, impact and CVSSv3 scores.

CVE            | Affected Library | Vulnerability Type        | CWE     | Impact                              | CVSSv3
CVE-2020-13984 | uIP              | Infinite Loop             | CWE-835 | Denial of Service                   | 7.5
CVE-2020-13985 | uIP              | Integer Wraparound        | CWE-190 | Denial of Service                   | 7.5
CVE-2020-13986 | uIP              | Infinite Loop             | CWE-835 | Denial of Service                   | 7.5
CVE-2020-13987 | uIP              | Out-of-Bounds Read        | CWE-125 | Denial of Service, Information Leak | 8.2
CVE-2020-13988 | uIP              | Integer Overflow          | CWE-190 | Denial of Service                   | 7.5
CVE-2020-17437 | uIP              | Out-of-Bounds Write       | CWE-787 | Denial of Service                   | 8.2
CVE-2020-17438 | uIP              | Out-of-Bounds Write       | CWE-787 | Denial of Service                   | 7.0
CVE-2020-17439 | uIP              | Improper Input Validation | CWE-20  | DNS Cache Poisoning                 | 8.1
CVE-2020-17440 | uIP              | Improper Input Validation | CWE-20  | Denial of Service                   | 7.5
CVE-2020-24334 | uIP              | Out-of-Bounds Read        | CWE-125 | Denial of Service                   | 8.2
CVE-2020-24335 | uIP              | Out-of-Bounds Read        | CWE-125 | Denial of Service                   | 7.5
CVE-2020-24336 | uIP              | Out-of-Bounds Read        | CWE-125 | Remote Code Execution               | 9.8
CVE-2020-25112 | uIP              | Out-of-Bounds Write       | CWE-787 | Remote Code Execution               | 8.1
CVE-2020-17441 | picoTCP          | Improper Input Validation | CWE-20  | Denial of Service, Information Leak | 7.5
CVE-2020-17442 | picoTCP          | Integer Overflow          | CWE-190 | Denial of Service                   | 7.5
CVE-2020-17443 | picoTCP          | Integer Overflow          | CWE-190 | Denial of Service                   | 8.2
CVE-2020-17444 | picoTCP          | Out-of-Bounds Read        | CWE-125 | Denial of Service                   | 7.5
CVE-2020-17445 | picoTCP          | Out-of-Bounds Read        | CWE-125 | Denial of Service                   | 7.5
CVE-2020-24337 | picoTCP          | Infinite Loop             | CWE-835 | Denial of Service                   | 7.5
CVE-2020-24338 | picoTCP          | Out-of-Bounds Write       | CWE-787 | Remote Code Execution               | 9.8
CVE-2020-24339 | picoTCP          | Out-of-Bounds Read        | CWE-125 | Denial of Service                   | 7.5
CVE-2020-24340 | picoTCP          | Out-of-Bounds Read        | CWE-125 | Denial of Service, Information Leak | 8.2
CVE-2020-24341 | picoTCP          | Out-of-Bounds Read        | CWE-125 | Denial of Service, Information Leak | 8.2
CVE-2020-17467 | FNET             | Out-of-Bounds Read        | CWE-125 | Information Leak                    | 8.2
CVE-2020-17468 | FNET             | Out-of-Bounds Read        | CWE-125 | Denial of Service                   | 7.5
CVE-2020-17469 | FNET             | Out-of-Bounds Read        | CWE-125 | Denial of Service                   | 5.9
CVE-2020-17470 | FNET             | Improper Input Validation | CWE-20  | DNS Cache Poisoning                 | 4.0
CVE-2020-24383 | FNET             | Improper Null Termination | CWE-170 | Denial of Service, Information Leak | 6.5
CVE-2020-25107 | Nut/Net          | Out-of-Bounds Read        | CWE-125 | Denial of Service                   | 7.5
CVE-2020-25108 | Nut/Net          | Out-of-Bounds Write       | CWE-787 | Denial of Service                   | 7.5
CVE-2020-25109 | Nut/Net          | Out-of-Bounds Read        | CWE-125 | Denial of Service                   | 8.2
CVE-2020-25110 | Nut/Net          | Out-of-Bounds Read        | CWE-125 | Denial of Service                   | 8.2
CVE-2020-25111 | Nut/Net          | Out-of-Bounds Write       | CWE-787 | Remote Code Execution               | 9.8

Remote Code Execution

Three of the four TCP/IP libraries are affected by an RCE vulnerability, which means attackers could potentially execute code and gain full control over the devices.

CVE-2020-24336 is an out-of-bounds read vulnerability in the way the uIP library parses DNS records, as it does not perform any validation of the length field in the response, which could result in memory corruption.

CVE-2020-24338 is an out-of-bounds write vulnerability in the way the picoTCP library parses the domain name within DNS packets. Unlike CVE-2020-24336, which occurs when the uIP library attempts to read past the allocated memory buffer, CVE-2020-24338 occurs when the picoTCP library attempts to write past the allocated memory buffer, which could also result in memory corruption.

CVE-2020-25111 is an out-of-bounds write vulnerability in the Ethernut (Nut/Net) library due to multiple issues in the way it handles DNS queries and responses: it lacks proper checks on null termination, data lengths and the number of queries and responses. Because of the missing checks, these queries and responses may cause writes past the allocated memory buffer, resulting in memory corruption.
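The three descriptions above share one root cause: a length taken from the packet is trusted before it is compared against what is actually in the buffer. The following C is an added example, written for this post rather than taken from Forescout’s report or from uIP, picoTCP or Nut/Net, of a DNS name and record-length reader that makes those comparisons: each label length is checked against the remaining packet bytes, the decoded name is kept NUL-terminated and capped at the RFC 1035 limits, compression pointers may only point backwards (which also rules out the endless pointer chains behind the CWE-835 entries in the table), and RDLENGTH is checked against the packet before the RDATA is skipped. The sample packets are constructed for the example and the function names are my own.

```c
/* Bounds-checked DNS name and record-length reader. Added example showing the
 * validation the AMNESIA:33 DNS parsing bugs lack; not code from any affected library. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DNS_MAX_NAME  255  /* RFC 1035: an encoded name, root octet included, is at most 255 octets */
#define DNS_MAX_LABEL 63
#define DNS_MAX_HOPS  8    /* defence in depth; the backward-only rule below already stops loops */

/* Decode the name starting at pkt[off] into out as dotted text.
 * Returns the offset of the first byte after the name in the packet stream,
 * or 0 if the name is malformed. Every read is checked against pkt_len first. */
size_t dns_read_name(const uint8_t *pkt, size_t pkt_len, size_t off,
                     char *out, size_t out_len)
{
    size_t end = 0;      /* where the caller resumes parsing (fixed at the first pointer) */
    size_t written = 0;  /* bytes stored in out */
    size_t consumed = 0; /* encoded octets seen, to enforce DNS_MAX_NAME */
    int hops = 0;

    if (out_len == 0) return 0;
    out[0] = '\0';

    for (;;) {
        if (off >= pkt_len) return 0;              /* length octet itself is out of bounds */
        uint8_t len = pkt[off];

        if ((len & 0xC0) == 0xC0) {                /* compression pointer (two octets) */
            if (off + 1 >= pkt_len) return 0;      /* second pointer octet missing */
            if (++hops > DNS_MAX_HOPS) return 0;
            size_t target = ((size_t)(len & 0x3F) << 8) | pkt[off + 1];
            if (target >= off) return 0;           /* must point backwards: no self/forward loops */
            if (end == 0) end = off + 2;
            off = target;
            continue;
        }
        if (len & 0xC0) return 0;                  /* 0x40 and 0x80 prefixes are reserved */

        if (len == 0) {                            /* root label terminates the name */
            if (end == 0) end = off + 1;
            if (written > 0) out[written - 1] = '\0';  /* drop the trailing dot */
            return end;
        }
        if (len > DNS_MAX_LABEL) return 0;
        if (off + 1 + len > pkt_len) return 0;     /* label body would run past the packet */
        consumed += 1 + len;
        if (consumed + 1 > DNS_MAX_NAME) return 0; /* +1 for the root octet */
        if (written + len + 1 >= out_len) return 0;/* label, dot and NUL must fit in out */

        memcpy(out + written, pkt + off + 1, len);
        written += len;
        out[written++] = '.';
        out[written] = '\0';                       /* out stays NUL-terminated at every step */
        off += 1 + len;
    }
}

/* Check the fixed RR header (TYPE, CLASS, TTL, RDLENGTH = 10 octets) that follows a
 * name and return the offset past the RDATA, or 0 if RDLENGTH overruns the packet. */
size_t dns_skip_rr_body(const uint8_t *pkt, size_t pkt_len, size_t off)
{
    if (off + 10 > pkt_len) return 0;
    size_t rdlength = ((size_t)pkt[off + 8] << 8) | pkt[off + 9];
    if (off + 10 + rdlength > pkt_len) return 0;
    return off + 10 + rdlength;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t GOOD_NAME[]  = { 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0 };
static const uint8_t POINTER_OK[] = { 3,'c','o','m',0, 3,'w','w','w', 0xC0,0x00 }; /* "www" + pointer to "com" at 0 */
static const uint8_t BAD_LENGTH[] = { 60,'a','b','c','d','e' };     /* claims 60 octets, only 5 present */
static const uint8_t PTR_LOOP[]   = { 0xC0,0x02, 0xC0,0x00 };         /* two pointers referencing each other */
static const uint8_t RR_OK[]      = { 1,'a',0, 0,1, 0,1, 0,0,0,60, 0,1, 0x11 }; /* RDLENGTH 1, 1 octet of RDATA */
static const uint8_t RR_OVERRUN[] = { 1,'a',0, 0,1, 0,1, 0,0,0,60, 1,0, 0x11 }; /* RDLENGTH 256, 1 octet present */

static char scratch[DNS_MAX_NAME + 1];
/* Decode a sample name into the scratch buffer; 0 means the parser rejected it. */
size_t decode_sample(const uint8_t *pkt, size_t pkt_len, size_t off)
{
    return dns_read_name(pkt, pkt_len, off, scratch, sizeof scratch);
}
const char *last_decoded(void) { return scratch; }

int main(void)
{
    printf("good   -> %zu %s\n", decode_sample(GOOD_NAME, sizeof GOOD_NAME, 0), last_decoded());
    printf("ptr    -> %zu %s\n", decode_sample(POINTER_OK, sizeof POINTER_OK, 5), last_decoded());
    printf("badlen -> %zu\n", decode_sample(BAD_LENGTH, sizeof BAD_LENGTH, 0));
    printf("loop   -> %zu\n", decode_sample(PTR_LOOP, sizeof PTR_LOOP, 0));
    printf("rr     -> %zu / %zu\n", dns_skip_rr_body(RR_OK, sizeof RR_OK, 3),
                                   dns_skip_rr_body(RR_OVERRUN, sizeof RR_OVERRUN, 3));
    return 0;
}
```

A parser built this way fails closed: a malformed response is dropped rather than copied, which reduces the memory-corruption entries above to, at worst, a dropped packet. On an embedded stack the same comparisons belong at every place a length field is read from the wire, not only in the name decoder.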

DNS Cache Poisoning

In addition to the three RCE vulnerabilities outlined above, two of the libraries, uIP and FNET, are affected by DNS Cache Poisoning attacks. These are attacks that target the DNS cache, which stores requests made to certain resources locally to reduce latency. If an attacker is able to poison the cache, the next time a request is made to a legitimate resource (e.g. google.com), it would redirect the requester to a malicious resource (e.g. badwebsite.com) instead.

Denial of Service and Information Leak

The remaining flaws are primarily Denial of Service or Information Leak vulnerabilities.

Following in the footsteps of Ripple20 and URGENT/11

AMNESIA:33 follows in the footsteps of Ripple20 (disclosed in 2020) and URGENT/11 (disclosed in 2019).

Ripple20 is a set of 19 vulnerabilities in the TCP/IP library created by Treck, while URGENT/11 is a set of 11 vulnerabilities in VxWorks, a Real-Time Operating System (RTOS). Like AMNESIA:33, Ripple20 and URGENT/11 each reportedly affected millions of OT, IoT and IT devices.

Proof of concept

A section of the AMNESIA:33 report includes a proof-of-concept (PoC) for exploiting one of the three RCE vulnerabilities, CVE-2020-25111. At this time, no other PoCs have been shared publicly for the remaining vulnerabilities.

Solution

The researchers coordinated with ICS-CERT and CERT/CC, along with the GitHub Security team, to attempt to address these vulnerabilities. According to the report, the following subset of the libraries received patches:

TCP/IP Library   | Fixed Version
FNET             | 4.7.0 and later
uIP-Contiki-NG   | 4.6.0 and later
picoTCP-NG       | Contact for update
Nut/Net          | 5.1 and later

Additionally, open-iscsi, which implements some uIP code in its stack, has issued its own patches for it.

However, the original versions of uIP, Contiki and picoTCP did not receive patches as they have reached end-of-life.

CISA shares advisories from 13 vendors

In its own advisory, CISA shared advisories from the following 13 vendors that have implemented these TCP/IP libraries into their products:

Lessons learned from Ripple20 and URGENT/11

One of the overarching lessons learned from the disclosures of Ripple20 and URGENT/11 is that the broad usage of open source TCP/IP libraries across a number of devices means that these vulnerabilities will persist for quite some time. The researchers collaborate with entities like ICS-CERT and the CERT Coordination Center (CERT/CC) to aid in the identification and notification process, but this is an extensive process. Knowing which devices are impacted will be a continuous effort, but if you’re a vendor that has implemented one of these libraries, it is imperative that you seek out the developers of those libraries and implement the patched versions immediately to protect your customers.

Identifying affected systems

Tenable is working to implement product coverage for the AMNESIA:33 vulnerabilities across our suite of products, including Tenable.ot. A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Industrial Attack Vectors: How to Shut Down OT Threats Before An Incident Occurs

As industrial cyberattacks become more sophisticated, security leaders can use attack vectors to identify weak points in their OT infrastructure and stop attacks before they start. 

Operational technology has been around for decades, controlling the valves, pumps, transmitters and switches that keep our modern infrastructure humming. Protecting these critical functions has historically been a matter of physical security and safety. But as new connected devices populate modern plants and factories, OT infrastructures are increasingly vulnerable to cyberthreats — and the pace of attacks continues to grow.

Even if you’ve taken the most stringent measures to secure your OT assets, recent high-profile cyberattacks — from LockerGoga to Ripple20 — reveal the interconnected nature of modern industrial environments. Malware can easily traverse from IT devices to OT networks, and vice versa. Something as benign as a USB flash drive can provide a pathway to your most critical industrial control systems (ICS).

Convergence is increasingly playing a central role in ICS and thus must be at the core of any effective industrial security strategy. This begins with mapping the full extent of your modern OT environment, including every attack vector that a cyberthreat actor could potentially exploit.

Look beyond OT for a complete picture of your industrial attack surface

Mapping your full attack surface requires an adaptive approach to assessment. In addition to OT assets, industrial security leaders need visibility into IT and internet-of-things (IoT) devices, which comprise anywhere from 20-50% of modern industrial environments. They also need active querying technology capable of discovering the roughly 30% of dormant OT assets that are invisible to network- or passive-only detection. Seeing the full extent of your converged attack surface is key to eliminating blind spots across your environment.

Drill into situational data for every device and communication pathway

Finding “at risk” devices is the key goal of any reconnaissance effort. To defend your full asset inventory, you’ll need a deep understanding of each device’s build and current health, in order to harden it against attack. This includes information such as make, model, firmware, backplane details, open vulnerabilities and more. 

You’ll also want to understand each device’s orientation within your network, including the communication pathways between alike assets — such as controllers or workstations — which can become attack vectors if a malicious actor infiltrates your systems.

Address cyber exposure to stop attacks before they start

Traditional OT security has typically relied on a reactive security posture, essentially waiting for an attack to occur and only then addressing it. “Attack vectoring” — or investigating the potential routes that an attacker might take — makes possible a more proactive approach to securing your organization, by addressing the weak points in your OT infrastructure. By identifying high-risk pathways, open ports, unpatched vulnerabilities and much more, you’ll be able to identify how an attack may behave if introduced into your OT environment. 

Attack vectoring redefines your ability to address OT attacks before they occur. Running simulations can reveal weak points and specific devices or sectors that require special attention or security interventions. In the figure below, you can see how an industrial security solution like Tenable.ot uses attack vectors to pinpoint the areas of your environment that put your most critical assets at risk: 

Attack Vector view of industrial controllers within Tenable.ot
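The attack-vectoring idea described above, as an added example that is not Tenable.ot code: devices are graph nodes, observed communication pathways are directed edges, and an attacker who controls one device can only move along a pathway into a device that has an open vulnerability, or straight onto a controller over an industrial protocol that accepts writes without authentication (Modbus/TCP and S7comm are treated that way here). A breadth-first search from an entry point then yields the shortest attack vector to every reachable controller, and re-running it against a modified inventory is the "simulation" the text mentions. The inventory, pathways and vulnerability counts are constructed for illustration, and the pivot rule is a simplifying assumption of this example.

```python
from collections import deque

# Constructed sample inventory (not real devices). "open_vulns" is the count of
# unpatched findings; a device with none is a dead end for pivoting (assumption).
ASSETS = {
    "corp-jump":  {"type": "workstation", "zone": "IT",  "open_vulns": 1},
    "eng-ws-01":  {"type": "workstation", "zone": "OT",  "open_vulns": 3},
    "hist-01":    {"type": "server",      "zone": "DMZ", "open_vulns": 0},
    "hmi-02":     {"type": "hmi",         "zone": "OT",  "open_vulns": 2},
    "plc-line-1": {"type": "controller",  "zone": "OT",  "open_vulns": 0},
    "plc-line-2": {"type": "controller",  "zone": "OT",  "open_vulns": 1},
}

# Observed communication pathways: (source, destination, protocol/port).
PATHWAYS = [
    ("corp-jump", "eng-ws-01",  "rdp/3389"),
    ("corp-jump", "hist-01",    "https/443"),
    ("eng-ws-01", "hmi-02",     "smb/445"),
    ("eng-ws-01", "plc-line-1", "s7comm/102"),
    ("hist-01",   "plc-line-2", "modbus/502"),
    ("hmi-02",    "plc-line-2", "modbus/502"),
]

# Industrial protocols assumed to accept writes without authentication.
UNAUTHENTICATED_ICS = {"modbus/502", "s7comm/102"}


def traversable(dst, protocol, assets):
    """Can an attacker who controls the pathway's source reach dst over it?"""
    target = assets[dst]
    if target["type"] == "controller" and protocol in UNAUTHENTICATED_ICS:
        return True                      # reaching the controller is the goal
    return target["open_vulns"] > 0      # otherwise a weakness is needed to pivot


def attack_vectors(assets, pathways, entry):
    """Shortest attack path from `entry` to every reachable controller.

    Plain BFS over usable pathways; returns {controller: [hop, hop, ...]}.
    Controllers are terminal: the search never pivots *through* them.
    """
    adjacency = {}
    for src, dst, proto in pathways:
        adjacency.setdefault(src, []).append((dst, proto))
    parents = {entry: None}
    queue = deque([entry])
    found = {}
    while queue:
        node = queue.popleft()
        for dst, proto in adjacency.get(node, []):
            if dst in parents or not traversable(dst, proto, assets):
                continue
            parents[dst] = (node, proto)
            if assets[dst]["type"] == "controller":
                found[dst] = _path(parents, dst)
            else:
                queue.append(dst)
    return found


def _path(parents, node):
    """Walk the BFS parent links back to the entry point."""
    hops = []
    while parents[node] is not None:
        prev, proto = parents[node]
        hops.append(f"{prev} -[{proto}]-> {node}")
        node = prev
    return list(reversed(hops))


def rank_controllers(assets, pathways, entry):
    """Controllers ordered by how few hops an attacker needs (most exposed first)."""
    vectors = attack_vectors(assets, pathways, entry)
    return sorted(vectors.items(), key=lambda kv: (len(kv[1]), kv[0]))


if __name__ == "__main__":
    for plc, hops in rank_controllers(ASSETS, PATHWAYS, "corp-jump"):
        print(f"{plc}: {len(hops)} hop(s)")
        for hop in hops:
            print("   ", hop)
```

With the sample data, plc-line-1 is two hops from the IT jump host and plc-line-2 three; hist-01 carries no open findings, so its Modbus pathway to plc-line-2 is never usable. Setting eng-ws-01's open vulnerability count to zero and re-running removes every vector, which is the kind of "which single fix closes the most paths" question attack vectoring is meant to answer.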

In addition to hardening your devices, you’ll also want to cover your bases if and when an attack does occur. This means establishing alarms — based on policy, anomalies or attack signatures — at entry points across your network to warn of high-risk activity before any damage occurs.

Start playing offense today to prevent damage tomorrow

As cyberattacks continue to target critical infrastructure, security leaders need a proactive approach to defend their industrial environments from the next emerging threat. To learn more about how OT attack vectors can fit into your industrial security strategy, download our whitepaper, “Prediction of an OT Attack,” or request a free Tenable.ot demo.


Solorigate: SolarWinds Orion Platform Contained a Backdoor Since March 2020 (SUNBURST)


Nation-state threat actors breached the supply chain of a popular IT management software provider in order to infiltrate government agencies and private companies.

Update December 16: The Solution and Identifying Affected Systems sections have been updated to reflect the availability of Hotfix 2 and a new Tenable plugin.

Background

On December 13, several news outlets, including Reuters, The Washington Post and The Wall Street Journal, reported that multiple U.S. government agencies were the victims of a significant breach reportedly linked to hackers associated with a nation-state. Additional reporting has since confirmed a direct connection between this breach and last week's breach of cybersecurity firm FireEye.

According to a tweet from Dustin Volz, reporter for The Wall Street Journal, the source of the breach was "a flaw in IT firm SolarWinds."

Following the publication of these news articles, additional information about the breach has since been made public.

Kim Zetter, a cybersecurity and national security journalist, tweeted details from a Threat Analyst Report (TAR) published by Microsoft. Microsoft is one of the firms tapped to assist in the FireEye breach investigation. Microsoft nicknamed the attack "Solorigate."

Additionally, FireEye has published a blog post providing a more detailed account regarding how the breach occurred, which includes a set of countermeasures that contains indicators of compromise (IOCs) such as a list of hashes, as well as Snort and YARA rules. FireEye refers to the backdoor as "SUNBURST."

On December 14, SolarWinds filed a Form 8-K with the U.S. Securities and Exchange Commission that sheds light on the potential impact from this incident. In the 8-K, SolarWinds says it believes the number of customers with an active installation of Orion products containing this backdoor is "fewer than 18,000."

Analysis

According to the Microsoft TAR and the FireEye blog post, a "highly sophisticated" adversary managed to breach the supply chain of SolarWinds, a company that develops IT infrastructure management software, resulting in the placement of malicious code inside of the company's Orion Platform software builds.

The backdoor resides in a dynamic-link library (DLL) file named SolarWinds.Orion.Core.BusinessLayer.dll. The file was digitally signed by SolarWinds with a valid certificate on March 24, meaning it would be trusted by the underlying operating system and would not raise any alarms.

The backdoored DLL file was seeded as part of SolarWinds software builds between March and June 2020, which are accessible via the SolarWinds website. Once an organization installed the malicious software update, the backdoored DLL file would remain in hibernation for a period of two weeks before beginning its operation. This is one of the stealthy elements of this operation. FireEye says in its blog post that the backdoor also managed to "blend in with legitimate SolarWinds activity" in order to evade detection.

For a detailed teardown of the DLL file, including the associated IOCs and network activity, we strongly encourage you to read FireEye's comprehensive blog post about the incident.

Reportedly, this operation has remained under the radar until last week. However, FireEye notes that the activity is "currently ongoing" and that it is "widespread, affecting public and private organizations around the world."

While details have only just emerged, we encourage organizations using the SolarWinds Orion Platform to assume their networks have been compromised and activate existing incident response plans, work with your in-house information security teams or partner with an organization that conducts incident response to identify the impact to your organization.

Solution

SolarWinds has published a security advisory regarding this incident. According to the company, the following build versions of its Orion Platform software are affected.

Versions                                    Release Date
2019.4 HF 5 through 2020.2 with no hotfix   March 2020 through June 2020
2020.2 HF 1                                 June 2020 through July 2020*

* SolarWinds did not specify which versions of 2020.2 Hotfix 1 were affected, so we have provided the entire release date window for all versions of 2020.2 Hotfix 1.

SolarWinds specifically calls out the following products in its Orion Platform that are known to be affected:

  • Application Centric Monitor (ACM)
  • Enterprise Operations Console (EOC)
  • High Availability (HA)
  • IP Address Manager (IPAM)
  • Log Analyzer (LA)
  • Network Automation Manager (NAM)
  • Network Configuration Manager (NCM)
  • Network Operations Manager (NOM)
  • Network Performance Monitor (NPM)
  • Network Traffic Analyzer (NTA)
  • Server & Application Monitor (SAM)
  • Server Configuration Monitor (SCM)
  • Storage Resource Monitor (SRM)
  • User Device Tracker (UDT)
  • Virtualization Manager (VMAN)
  • VoIP & Network Quality Manager (VNQM)
  • Web Performance Monitor (WPM)


As part of its advisory, SolarWinds initially recommended that organizations using its Orion Platform upgrade to version 2020.2.1 HF 1, and announced a second hotfix, 2020.2.1 HF 2, for Tuesday, December 15. That second hotfix is now available and can be obtained from the SolarWinds customer portal.

This second hotfix will replace the compromised DLL component with the genuine DLL component as well as include "several additional security enhancements."

If upgrading to the latest hotfix version is not feasible for your organization, SolarWinds has provided a link to a document about securing the configuration for the Orion Platform.

Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01 on December 13, which provides guidance to Federal Civilian Executive Branch agencies regarding this incident.

Identifying affected systems

Tenable customers can use our existing detection plugin to identify all of the SolarWinds Orion assets in their environment. We have also released a local, agent-compatible detection plugin.

Additionally, a new version check plugin was released to help identify impacted versions of SolarWinds in your environment. 
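As an added example, not a Tenable plugin, the following Python encodes the build table from the SolarWinds advisory as quoted above and triages a host inventory against it: 2019.4 HF 5, 2020.2 with no hotfix and 2020.2 HF 1 shipped the backdoored DLL; 2020.2.1 HF 1 was the initial recommended upgrade and 2020.2.1 HF 2 replaces the DLL. The version-string format ("2020.2 HF 1", "2020.2.1 HF2", "2019.4 HF5") is an assumption about how the Orion console reports builds, and the inventory is constructed for illustration. Builds outside the table are reported as "not listed" rather than cleared, and a valid SolarWinds signature on the DLL is not evidence of a clean build, since the backdoored file was validly signed.

```python
import re

# Assumed input format: the build string as shown in the Orion web console,
# e.g. "2020.2 HF 1", "2020.2.1 HF2", "2019.4 HF5", or "2020.2" (no hotfix).
VERSION_RE = re.compile(r"^\s*(\d{4}(?:\.\d+)+)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)

# Build table from the SolarWinds advisory as quoted in this post.
AFFECTED = {("2019.4", 5), ("2020.2", 0), ("2020.2", 1)}  # shipped the backdoored DLL
INTERIM = {("2020.2.1", 1)}   # first recommended upgrade, superseded by HF 2
FIXED = {("2020.2.1", 2)}     # replaces SolarWinds.Orion.Core.BusinessLayer.dll


def parse_version(text):
    """'2020.2 HF 1' -> ('2020.2', 1). A build with no hotfix parses as HF 0."""
    match = VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    return match.group(1), int(match.group(2) or 0)


def classify(text):
    """Map one version string to affected / interim / fixed / not listed."""
    key = parse_version(text)
    if key in AFFECTED:
        return "affected"
    if key in INTERIM:
        return "interim"
    if key in FIXED:
        return "fixed"
    # Builds outside the table (older, or newer than this post) are not
    # cleared by this check; confirm them against the current advisory.
    return "not listed"


def triage(inventory):
    """Group (hostname, version) pairs by status; unparseable strings go to 'unknown'."""
    buckets = {"affected": [], "interim": [], "fixed": [], "not listed": [], "unknown": []}
    for host, version in inventory:
        try:
            buckets[classify(version)].append(host)
        except ValueError:
            buckets["unknown"].append(host)
    return buckets


# Constructed inventory for illustration; these are not real hosts.
SAMPLE_INVENTORY = [
    ("orion-prod-01", "2020.2 HF 1"),
    ("orion-prod-02", "2020.2"),
    ("orion-dr-01", "2019.4 HF5"),
    ("orion-lab-01", "2020.2.1 HF 2"),
    ("orion-lab-02", "2019.4 HF 4"),
    ("orion-old-01", "Orion Platform 2018.4"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:>10}: {', '.join(hosts) or '-'}")
```

Hosts in the "affected" bucket should be treated as compromised and handed to incident response, as the post recommends; "unknown" and "not listed" hosts need a manual look rather than a pass.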

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

A Role-Based Look at How Splunk Mission Control and Tenable Can Streamline Your Risk-Based Vulnerability Management Program


The new, exclusive integration between Tenable.io and Splunk Mission Control enables security teams to consolidate vulnerability insights and expedite their remediation efforts.

It's no surprise that the attack surface becomes increasingly complex when managing hybrid and cloud environments. The harsh reality is the more assets you have in your infrastructure, the more difficult it is to manage security events and alerts from your disparate security tools. Security teams often spend too much time consolidating and prioritizing alerts, when they could be using their limited time and resources to take actionable steps towards remediation. But there is still hope for security teams to help keep track of these various security events.

Recently, we launched our exciting new integration between Tenable.io and Splunk Mission Control that helps security teams streamline their risk-based vulnerability management program and expedite remediation efforts. The Tenable® Plugin for Splunk Mission Control features: 

  • Tenable as the only risk-based VM partner to integrate with Splunk’s new Unified Security Operations Platform
  • A comprehensive dashboard that consolidates all critical vulnerabilities for a given Notable Event
  • Tenable’s proprietary Vulnerability Priority Rating (VPR) which isolates the 3% of threats that pose the greatest actual risk to your business

In this blog, we’ll look at how the integration can help security teams at all levels of the organization, from analysts and security operations center (SOC) managers on the front lines to CISOs in the corner office. Taking this ground-up approach, we’ll aim to understand the daily challenges and goals for each position, while looking at how this new integration alleviates those key problems in different ways.

Screenshot of the Vulnerabilities tab within Splunk Mission Control, including severity and VPR scores. Security teams can view and organize vulnerabilities by severity or VPR score within their Splunk Mission Control dashboard.

Security analysts: Consolidated events help prioritize remediation efforts

Security analysts have an “in the trenches” view of all the security tools, alerts and environments needed to protect modern organizations. To say that they are busy hopping from one security platform to the next is at best an understatement. On any given day, they might find themselves triaging security events, coordinating with team members across multiple workflows, and ultimately deciding which vulnerabilities are critical and require urgent remediation. Searching, correlating and coordinating security events take up most of analysts’ time, when in reality this work could be done in a more efficient manner. Consolidation is key to making life easier for security analysts, and having one place to view all alerts is half the battle.

The Tenable plug-in for Splunk Mission Control consolidates this work and provides security analysts with a central view to easily monitor vulnerability context for a given Notable Event — including VPR and severity rating — and use that context to make more informed decisions about which actions to prioritize. By providing analysts with a single, risk-based view of key vulnerability data, they can focus their efforts on remediation activities rather than the tedious effort of jumping back and forth between different applications and data sets.

SOC managers: Vulnerability insights align resources with critical threats 

Analyst groups typically report into the SOC manager, who is responsible for managing the team’s daily operations and determining the optimal resource alignment. This not only means managing the workload, but ensuring that your team can move quickly even when dealing with disparate security tools that require complex workflows. The goal of the SOC manager is to streamline and orchestrate these workflows and make sure the team is focused on remediating the right security events.

To help alleviate these challenges, Splunk’s Mission Control framework enables security partners like Tenable to integrate with their key workflows. The SOC manager can optimize team resources by combining Tenable’s vulnerability insights into key parts of Splunk’s unified workflow, eliminating confusion about which vulnerabilities are most critical and enhancing team efficiency when executing steps to remediate.

CISOs: High-level metrics to report on security progress

While analysts and SOC managers contend with the daily flow of security alerts, the chief information security officer (CISO) is tasked with managing the overall security strategy for the organization. The CISO’s role is multi-faceted, and one of its broad mandates is to communicate the team’s effectiveness and efficiency to the board and other leaders within the organization. 

With the integration between Tenable and Splunk Mission Control, CISOs now have an extensive dashboard that provides both Tenable’s vulnerability insights as well as a high-level synopsis of the organization’s security progress. CISOs and other security leaders can use this dashboard to monitor daily metrics such as total, active and fixed vulnerabilities. This dashboard also informs stakeholders about the 10 most critical vulnerabilities and their associated hosts at any point in time, which helps security teams determine which vulnerabilities they need to tackle first to reduce their overall cyber risk.

Screenshot of the Tenable Vulnerability Center within the Splunk Mission Control dashboard.

This Splunk Mission Control dashboard, powered by Tenable, is a simple, intuitive and powerful way for CISOs to monitor and communicate the overall efficiency and effectiveness of their security program.

Get started with a unified view of your attack surface

The integration between Tenable and Splunk Mission Control influences security personnel at every level of the organization, from the CISO down to the front-line security analysts. But at the end of the day, the common denominator between these roles is having an understanding and unified view of security events across the attack surface. For more information about the integration, please view the Tenable for Mission Control Solution Overview.

Splunk is a featured partner within Tenable’s Technology Ecosystem, which contains over 75 partners and 100+ unique integrations. The breadth and depth of Tenable’s ecosystem helps joint customers improve their security programs by combining Tenable’s market-leading risk-based vulnerability management solutions with other security applications in their environment. This “better together” approach helps serve and strengthen security programs of all sizes around the world.

Tenable's Commitment to Security in the Wake of Solorigate


As Tenable's chief security officer I'm simultaneously protecting our own systems while addressing the concerns of our customers around the world. Here's what I've learned so far.  

The most profound fallout from the SolarWinds hack can't be measured by the number of companies affected or the number of records stolen. The hack, which reportedly involved malicious code embedded in what appeared to be legitimate updates to SolarWinds Orion software, rightfully creates doubts about the security of software supply chains. 

I'm acutely aware of how anxiety-inducing this is. My role as chief security officer for Tenable requires me to simultaneously lead the charge to protect our own internal operations while also addressing the concerns we're hearing from customers around the world about our products and the infrastructure behind them. Let me first address the latter.

Tenable does not use the SolarWinds Orion platform. However, we have actioned all indicators of compromise and artifacts, and updated our detections and protections related to this activity. In addition, we are closely monitoring our own software development practices.

The security and availability of our systems, products and customer data is of the utmost importance to us. We understand that you must trust and have confidence in the resiliency of our infrastructure, which is why we deploy and maintain a rigorous security program. Tenable has implemented a robust information security management system with a specific focus on providing secure products and services for employees, customers and partners.

As part of our secure software development lifecycle (SSDLC) and quality processes, Tenable performs peer code reviews of all source code, static application security testing, dynamic application security testing, third-party dependency reviews and vulnerability scans. We have implemented a strict role-based access control model around our code repositories, technology stack and environments. Furthermore, we have deployed automation to enforce these settings while constantly reviewing token and credential usage. In addition, our program and several Tenable products are undergoing or have completed third-party reviews for certification and accreditation, including our recently completed ISO 27001:2013 and National Information Assurance Partnership (NIAP) compliance.

Now, let's talk about that supply chain. Like most CSOs, I'm responsible for securing and managing upwards of 40 distinct software products our organization uses in the course of business. The sophistication of the SolarWinds breach immediately raises questions about whether the same tactics are being deployed in any of the products we use. The thought that any apparently trustworthy, vendor-issued updates to any of those products could, in fact, be spoofed easily triggers a downward spiral of doubt and suspicion. Like you, I've been inundated with questions from my business leaders, our governance risk and compliance committee and many colleagues, including:

  • How do we know any of the other software we're using to manage and secure our infrastructure hasn't been compromised?

  • What are we doing to ensure that our third-party vendors are engaging in optimal cyber hygiene practices to reduce our risk?

  • How will this breach change the way we're managing and securing our infrastructure?


These queries, in turn, are spurring me to ask some tough questions of the third-party vendors we use. Below are some of the key questions I've been asking; I share these in hopes that they will aid you in understanding the right questions to ask of your own third-party vendors:

  • Tell us how you integrate security into your software development process. 

  • What does your code-review process look like? Describe your organization's practices for performing the following: 

    • code reviews;

    • static application security testing;

    • dynamic application security testing;

    • third-party dependency reviews; 

    • vulnerability scans; and

    • penetration tests.

  • Do you employ a strict role-based access control model and separation of duties around your code repositories, technology stack and environments?

  • Have you deployed automation to enforce role-based access control settings while constantly reviewing token and credential usage?

  • Have you established security gates in your software development processes?

  • When was the last time your organization completed third-party security reviews for certification and accreditation?


There's no panacea for the scourge of attacks on the software supply chain. The ripple effects of the SolarWinds breach will be felt across our industry for some time to come. At Tenable, we remain deeply committed to the security and protection of our customers, our products and the broader community.


4 Ways to Improve Nessus Scans Through Firewalls


Establishing the right configurations and settings can improve Nessus scan results when scanning through firewalls.

Of all the factors that can inhibit a successful Nessus scan — busy systems, congested networks, legacy systems, hosts with large amounts of listening services — firewalls (and other types of filtering devices) are one of the major causes of slow or inaccurate scans. Network-based firewalls are essential for an organization’s perimeter protection and internal network segregation, while host-based firewalls are common on both Linux and Windows systems. 

Scanners can sometimes be placed on network segments behind a firewall to avoid these problems, but this may not be feasible in all situations, creating an extra burden when moving a scanner around. This approach is also ineffective against host-based firewalls: Even if you allow the scanner's IP address through the firewall, connection tracking and stateful inspection can interfere with the scan and negatively impact performance on the firewall. 

In a typical modern environment, it’s unlikely that these configurations will be needed. However, organizations often have older equipment or infrastructure lying around which may require modifications to compensate for these types of devices. Or, if you’re required to run a full port scan against your environment for auditing purposes, understanding the potential impact that could occur is key. Read on to learn about multiple strategies you can use to deal with firewalls when using Nessus to perform internal or external vulnerability scans.

Tuning a network scan

The first approach is to configure the number of vulnerability checks to run concurrently for each host. These controls are located under the “Advanced” policy setting in Nessus:

Performance Menu Options - Advanced Policy Settings in Nessus

The default for this setting is 4 or 5, depending on the scan policy used. This is reasonable for most systems; however, systems connected over low-bandwidth links, older systems, or ones with less robust networking stacks may benefit from setting this to 2 or even 1. Note: As with most of the configuration changes detailed in this post, lowering the number of simultaneous checks per host can increase your scan times, sometimes significantly.

Most modern host firewalls are stateful: they keep track of the connections made to them. If Nessus makes too many connections at once, the firewall may become overwhelmed and drop connections, causing the scan to miss open ports and/or vulnerabilities or causing the target to experience issues with other connections. By limiting Nessus to only 1 or 2 checks at a time, we reduce the number of simultaneous connections per host, as well as the resources the target spends responding to the scanner’s queries. 

Other settings, such as the maximum number of concurrent TCP sessions per host or per scan, cap the total number of sessions created for a given host, covering both service detection and vulnerability checks. These can be helpful when extremely fine granularity is required, especially with older network infrastructure. Note: These settings do not directly affect the default SYN port scanner, which is throttled separately (see the full port scanning section below).

Tuning the port scanner

You can also tune the port scanner to be more sensitive when it encounters a firewall, by adjusting the “Discovery - Port Scanning” setting of the scan policy:

Nessus Scan Policy - Network Port Scanners

It may also be beneficial to review which port scanner your policy is using. While the SYN scanner is the default, and works well in most situations, it can cause connections to be “left open” in the state table of the firewalls you’re scanning through. The TCP scanner will attempt a full 3-way handshake, including closing the connection. This can entail more overall target and network overhead, but can be useful in situations where your network firewall can’t be upgraded or re-configured to support a larger state table or decrease the timeout.

Impact of full port scanning on a network firewall

Some users may need to perform full port scanning for network audit purposes. If the scanning traffic will pass through a network firewall, please make sure you plan carefully and monitor the session and resource utilization of your infrastructure.

For example, if we are assessing 30 hosts simultaneously, the potential number of half-open sessions is 30 times 65,535 (the maximum number of TCP ports on a single host), or about 1.97 million sessions. Additionally, some network firewalls maintain state on both the ingress and egress interface, which doubles the requirement to about 3.93 million entries in the state table. 

As a mitigation, Tenable recommends configuring the network firewall with a more aggressive timeout for dropping half-open sessions or reducing the number of hosts that are scanned simultaneously. If these are not sufficient, the number of SYN packets sent by the scanner can be controlled by editing the "nessus_syn_scanner.global_throughput.max" configuration in the Nessus scanner advanced settings. Please contact your Tenable representative for additional guidance on scanner placement if this is a requirement.
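As an added example that is not part of the original post or of Nessus, the following Python turns the arithmetic above into a planning check. It reproduces the worst-case bound (hosts times 65,535, doubled when the firewall keeps state on both interfaces) and then goes a step further than the post: because the SYN scanner's packet rate is what nessus_syn_scanner.global_throughput.max caps, Little's law gives the half-open entries actually resident in the state table as roughly SYN rate times the firewall's half-open timeout, which is what lets you pick a throughput value for a known table size and timeout. The state-table capacity, timeout and headroom figures are constructed for illustration; that the setting is expressed in SYN packets per second is an assumption of this example.

```python
import math

TCP_PORTS = 65535  # every TCP port a full port scan probes on each host


def worst_case_half_open(hosts, ports=TCP_PORTS, state_interfaces=1):
    """Upper bound from the post: every probe to every host resident in the
    state table at once. state_interfaces=2 models a firewall that keeps
    state on both the ingress and egress interface."""
    return hosts * ports * state_interfaces


def steady_state_half_open(syn_per_second, half_open_timeout_s, state_interfaces=1):
    """Little's law: entries resident in the table ~= arrival rate x lifetime.
    Arrival rate is the scanner's SYN rate (assumed to be what
    nessus_syn_scanner.global_throughput.max caps); lifetime is the
    firewall's half-open (embryonic) session timeout."""
    return syn_per_second * half_open_timeout_s * state_interfaces


def max_syn_rate(state_table_capacity, half_open_timeout_s,
                 state_interfaces=1, headroom=0.5):
    """Largest SYN rate whose steady-state entries stay within `headroom`
    (a fraction) of the firewall's state table, leaving the remainder for
    production traffic."""
    budget = state_table_capacity * headroom
    return math.floor(budget / (half_open_timeout_s * state_interfaces))


def plan_full_port_scan(hosts, state_table_capacity, half_open_timeout_s,
                        state_interfaces=1, headroom=0.5):
    """Decide whether the worst case fits the table and, if not, what SYN
    rate cap keeps the scan inside the budget."""
    worst = worst_case_half_open(hosts, state_interfaces=state_interfaces)
    budget = state_table_capacity * headroom
    if worst <= budget:
        return {"worst_case": worst, "fits": True, "syn_rate_cap": None}
    return {
        "worst_case": worst,
        "fits": False,
        "syn_rate_cap": max_syn_rate(state_table_capacity, half_open_timeout_s,
                                     state_interfaces, headroom),
    }


if __name__ == "__main__":
    # Constructed figures: a 1,000,000-entry state table, a 30 s half-open
    # timeout, state kept on both interfaces, and half the table reserved.
    print(plan_full_port_scan(hosts=30, state_table_capacity=1_000_000,
                              half_open_timeout_s=30, state_interfaces=2))
```

With those figures the 30-host worst case (3.93 million) cannot fit, but a cap of 8,333 SYN packets per second keeps the resident half-open entries under 500,000 regardless of how many hosts are in flight. Halving the firewall's half-open timeout doubles the permissible rate, which is why the post lists a more aggressive timeout as the first mitigation.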

Configuring a credentialed scan

A Nessus scan with credentials avoids most of the problems encountered with a network scan of a firewall-protected host because it uses local port enumeration versus externally trying thousands of different ports to see what’s open. Local port scanners are enabled by default, and will run as long as Nessus can successfully authenticate to the target.

Nessus Settings - Local Port Enumerators

Credentialed scans also give much more accurate port scan results, as local enumeration provides a complete list of open TCP and UDP ports in a fraction of the time. For more information on how to configure credentialed checks for Windows versus Linux, you can visit our Nessus documentation page.

Conclusion

Nessus works great for both unauthenticated network scans and credentialed assessments. Although scanning through firewalls may take longer, tuning your settings can ensure safer, more accurate results. And to further improve accuracy, scanning with credentials is the best way to reduce the load and assess through firewalls.

Lastly, you can explore our enterprise solutions to address this challenge. Within Tenable.io and Tenable.sc, Nessus Agents provide visibility into hard-to-scan endpoints, and Nessus Network Monitor provides a continuous view of managed and unmanaged assets on your network. Tenable.ot is also available for further visibility across operational technology environments.

Microsoft’s January 2021 Patch Tuesday Addresses 83 CVEs


In its first Patch Tuesday of 2021, Microsoft patched 83 CVEs including 10 critical vulnerabilities

Microsoft patched 83 CVEs in the January 2021 Patch Tuesday release, including 10 CVEs rated as critical and 73 rated as important.

Compared to Microsoft’s January 2020 Patch Tuesday release, which included fixes for 49 CVEs, this represents a 69% increase in CVEs patched. If that’s any indication, it means 2021 will be another banner year for Patch Tuesday vulnerability disclosures.

This month's Patch Tuesday release includes fixes for Microsoft Windows, Microsoft Edge (EdgeHTML-based), Microsoft Office and Microsoft Office Services and Web Apps, Microsoft Windows Codecs Library, Visual Studio, SQL Server, Microsoft Malware Protection Engine, .NET Core, .NET Repository, ASP .NET and Azure.

Elevation of privilege vulnerabilities accounted for 41% of the vulnerabilities patched this month, followed by remote code execution (RCE) flaws at nearly 29%.

CVE-2021-1647 | Microsoft Defender Remote Code Execution Vulnerability

CVE-2021-1647 is an RCE vulnerability in Microsoft Defender, Microsoft’s flagship antivirus and antispyware solution. The vulnerability exists within the Microsoft Malware Protection Engine, a core component of Microsoft Defender that addresses malicious software. According to Microsoft, CVE-2021-1647 was exploited in the wild as a zero-day. Details about the in-the-wild exploitation are not yet known. However, considering Microsoft Defender enjoys a 50% market share that represents over 500 million systems worldwide, it provides attackers with a significant attack surface.

CVE-2021-1648 | Microsoft splwow64 Elevation of Privilege Vulnerability

CVE-2021-1648 is an out-of-bounds (OOB) read vulnerability in Microsoft’s printer driver host, splwow64.exe. The flaw exists due to improper validation of user-supplied data. According to Maddie Stone, a researcher at Google Project Zero credited with identifying this vulnerability, CVE-2021-1648 is a patch bypass for CVE-2020-0986, which was exploited in the wild as a zero-day.

Microsoft initially planned to patch this vulnerability as part of its November and December 2020 Patch Tuesday releases under a CVE identifier of CVE-2020-17008. However, due to testing issues, it was pushed back to January 2021. Because it slipped into 2021, Microsoft scrapped CVE-2020-17008 and now identifies it as CVE-2021-1648.

Successful exploitation would allow an attacker to read data outside of an allocated buffer, access that could be leveraged to elevate privileges and, if chained with other vulnerabilities, could result in arbitrary code execution on the vulnerable system in the context of the current user. This could result in a complete takeover of the system if the current user has administrative permissions. In addition to Stone, this vulnerability is credited to Elliot Cao via Trend Micro’s Zero Day Initiative, and k0shl of Qihoo 360’s Vulcan Team.

CVE-2021-1674 | Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability

CVE-2021-1674 is a security feature bypass vulnerability in Windows Remote Desktop Protocol (RDP) which can be exploited by an attacker with a low-level privileged account and network access. The flaw has not been publicly disclosed or exploited, however RDP has been a favored entry point for ransomware actors in 2020 and this trend is likely to continue in 2021.

CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700 and CVE-2021-1701 | Remote Procedure Call Runtime Remote Code Execution Vulnerability

CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700 and CVE-2021-1701 are RCE vulnerabilities in the remote procedure call (RPC) runtime in Windows. All nine of the CVEs received CVSSv3 scores of 8.8 and were reported to Microsoft by Yuki Chen, head of 360 Vulnerability Research Group and 360 Vulcan team. Microsoft assesses that exploitation is less likely for these flaws. Based on the CVSSv3 vector, an attacker would need network access and a low-privileged account in order to exploit them.

Flash Player End of Life (EOL)

Adobe announced that support for Flash Player ended after December 31, 2020 and that Adobe will begin blocking Flash content from running in Flash Player beginning on January 12. Flash’s history of security vulnerabilities spans more than a decade and has been a popular avenue for attackers. While an end to this popular attack vector is welcome news, we anticipate attackers will continue to find new and creative attack vectors in other popular and widely used applications.

Tenable solutions

Users can create scans that focus specifically on our Patch Tuesday plugins. From a new advanced scan, in the plugins tab, set an advanced filter for Plugin Name contains January 2021.

With that filter set, click the plugin families to the left and enable each plugin that appears on the right side. Note: If your families on the left say Enabled, then all the plugins in that family are set. Disable the whole family before selecting the individual plugins for this scan. Here’s an example from March 2019 using Tenable.io:

A list of all the plugins released for Tenable’s January 2021 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

Additionally, you can use plugin ID 59196 to identify systems that have Adobe Flash Player installed now that it has reached its end of life and is no longer supported by Adobe.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.
