Channel: Tenable Blog

Dealing with the Attack Surface Beyond Vulnerabilities


A good understanding of the attack surface is of prime importance in measuring and prioritizing risk. Here's how Tenable's data can allow security professionals to have a more realistic view of their exposure.

Standardized taxonomies have come to dominate the way cybersecurity professionals describe and discuss the security of systems. Common Vulnerabilities and Exposures (CVE) identifiers and their severity scores have become the primary way of measuring the security of a system and its attack surface. We believe a focus on CVEs and severity ratings fails to account for all the services, ports and features of a system that remain broadly open to attack, as well as for future attack opportunities that no CVE yet describes.

Reducing the exposure and attack surface of an environment involves not only patching relevant vulnerabilities but also knowing the features of the environment. In practice this means inventorying running services and their configurations, then hardening them or turning them off where possible, to reduce the chance of their becoming an attack vector. Measuring the attack surface is also particularly useful for comparing the exposure of an environment at two points in time.

Beyond vulnerability data enriched with threat intelligence, security professionals need visibility that goes past vulnerability IDs and their scores to the other critical aspects of a system an attacker will try to compromise. Tenable's wide range of findings enables a more accurate representation of the attack surface, and of risk to the environment, than vulnerabilities alone can express. This blog post explains what defines an attack surface and presents an example of how Tenable's data allows security professionals to have a more realistic view of their exposure.

What is an Attack Surface?

Most descriptions of the attack surface come down to defining those properties of the system which are most likely to be of potential interest to an attacker, counting what is countable, and then potentially mapping to the defensive measures most likely to minimize it. The phrase was introduced by Michael Howard in an MSDN Magazine article in 2003 in which he calculated the relative attack surface of different versions of the Windows operating system and discussed why users should install only the needed features of a product in order to reduce the amount of code left open to future attack. 

The properties of the attack surface are generally considered within a set of dimensions or themes. These represent the focus and interpretation under which the attack surface is measured. For instance, in the 2011 paper An Attack Surface Metric, the authors measured what they called the system's attackability, i.e., the likelihood of the system being successfully attacked, along three dimensions: method, channel, and data. The attack surface measurement would require the identification of the set of entry points and exit points (internal and external methods), the set of open communication channels, and the set of data items that the attacker can send into or receive from the system.

There are a variety of other definitions and interpretations of the attack surface. In the 2018 paper Attack surface definitions: A systematic literature review, the authors carried out a systematic literature review (SLR) of the use of the phrase “attack surface.” In addition to sampling existing definitions, they identified six themes that cover all interpretations of the attack surface in the literature:

  • methods;
  • adversaries;
  • flows;
  • features;
  • barriers; and
  • reachable vulnerabilities.


The 'reachable vulnerabilities' theme, which focuses on the exposure associated with known vulnerabilities attackers can exploit in a system, dominates the way security professionals describe the security of their environments. The SLR found, however, that the 'methods' and 'adversaries' themes are the most prevalent in the literature, while 'reachable vulnerabilities' is one of the least cited, along with 'barriers', the theme that focuses on the security controls an attacker must overcome to breach a system.

Despite the different ways to reason about and measure the attack surface, what is constant in all studies is the way the community thinks about it; i.e., in terms of attack opportunities. Ultimately, the attack surface is best thought of as the nexus of those resources or features within a system — along any of the aforementioned dimensions — which can be seen as both potentially benefiting users and, conversely, aiding attackers, combined with their reachability or relevance to the environment in question. The next section will discuss the importance of non-CVE data produced by Tenable, and how it can help in reasoning about the attack surface.

Attack vectors

Cyberthreats do not rely solely on software vulnerabilities. Many additional attack vectors are merely features of the system, yet can lead to a breach through further enumeration, data leaks, or errors (in configuration or by people). For instance, according to the 2020 Verizon Data Breach Investigations Report (DBIR), two-thirds of breaches featured either hacking or error actions, and 80 percent of hacking actions involved either stolen credentials or brute-forcing. Exploitation of vulnerabilities (within malware and hacking actions) was less prevalent, and is on a downward trend according to DBIR data in both the 2020 and 2021 reports. Using incident data as a proxy, and mapping Tenable's findings onto threat actions and attack vectors, helps defenders with their risk calculation and gives clearer insight into their exposure and attack surface.

Incident and breach actions point to the exposure of specific services: a brute-force attack, for example, maps to remote login services, or to any other service or API exposed to credential or key attacks. Such services are also open to attack through future, still undiscovered vulnerabilities and weaknesses, and can facilitate an attacker's post-exploitation activities. They are possible attack points and should be part of the attack surface measurement regardless of their current vulnerability status. Table 1, below, presents examples of features found in environments across the board that constitute potential attack vectors.

An example of incident data is the VERIS community database (VCDB), which is an effort to capture security incidents that are publicly disclosed and shared by the community. It is based on the VERIS framework, which is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner.

Table 1. Example of system data relevant in measuring the attack surface.

Attack stages: Reconnaissance; Initial entry
Findings:
  • Remote login services (e.g., VNC, RDP)
  • Remote file sharing (e.g., FTP)
  • Services/APIs open to credential or key attacks
  • Null sessions to pipes and shares
  • Anonymous FTP
  • SNMP community string
  • SMTP/POP/IMAP exposed
  • VBA/OLE enabled
  • Public-facing web applications:
      • Dynamic web pages (which underlying technology? E.g., PHP, ASP)
      • Other web technologies (e.g., JScript, VBScript/ActiveX, Flash)
      • Web framework or CMS (e.g., Drupal, Laravel, Django)
      • Other web portals
Possible action categories in VCDB:
  • Action.<category>.Variety.Brute force
  • Action.Social.Variety.Phishing
  • Action.Hacking.Vector.WebApplication

Attack stages: Elevation of privileges; Expansion of control
Findings:
  • Insecure or weak permissions/ACLs
  • Path interception (e.g., unquoted service path)
  • Services running as root/SYSTEM (which ones, and how many?)
Possible action categories in VCDB:
  • Action.Hacking.Vector.Command

Source: Tenable, May 2021.

Measuring an attack surface

Most security operations teams label alerts and incidents, often with metrics similar to those in the VERIS framework, to create better insight or to help with automation. Context around the incident, especially the answer to "what action affected the asset?", is what helps with risk calculation, because it lets you deduce the prevalence of each threat action and its associated attack vector. Each attack vector then receives a weight. For instance, based on the global prevalence noted in both the 2020 and 2021 DBIR, externally exposed services would carry a high weight in the attack surface calculation, given the prevalence of brute-forcing and the use of leaked credentials.

Mapping all findings, including the broader functionality found on the system, onto the threat actions present in incident reports provides a more accurate measurement of risk than considering vulnerabilities alone. It also helps identify the parts of the system that need prioritized mitigation or further protection. The overall measure of the attack surface can be a simple weighted sum: for each attack vector, the weight (based on prevalence) is multiplied by a count of the system features exposed to that vector, and the products are added up.

Example of how Tenable data can be used to measure the attack surface

The following example of measuring the attack surface is based on an analysis of anonymized aggregated data from 20 environments and considers four attack vectors (see Table 2). 

Each attack vector shown below is associated with activity identified around a set of Tenable plugins. For example, hits from plugins associated with a VNC service are linked to the first attack vector (remote login services). Each attack vector is given a weight. Both incident data and the severity of the risk scenario can be used to deduce the attack vector weight. For instance, remote login services will have the highest weight given that it is a primary candidate for attack. Note that the weights have been set manually for this example and can be changed, along with the attack vectors, if the incident/breach data shows that certain vectors are more relevant than others within a given environment. 

Table 2. Example attack vectors and possible threat actions.

Attack vector: possible threat actions
  1. Remote login services: brute force, leaked credentials, or a weakness that could allow authentication bypass, information leakage, or code execution.
  2. Other remote services (e.g., file sharing, mail, databases): information leakage, brute force, sniffing, or injections that can lead to code execution.
  3. Web applications (e.g., CMS frameworks): brute force, weak access control, injection.
  4. Phishing/spear-phishing attachments: code execution.

Source: Tenable, May 2021.
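As an added illustration, not Tenable's code or its scoring model, the weighted-sum measure described above can be implemented directly: each scanner finding is mapped to one of the four attack vectors in Table 2, each vector carries a prevalence-based weight, and the attack surface is the weighted sum of distinct exposed features, reported both absolute (Figure 1) and normalized by asset count (Figure 2). The feature labels, the feature-to-vector mapping, the weights and the sample findings are all assumptions made for this example; real plugin output and incident-derived weights would replace them.

```python
"""Weighted attack-surface score from scanner findings.

Added example, not Tenable's code. Feature labels, mapping, weights and
the sample findings below are assumptions for illustration only.
"""
from collections import Counter

# Attack vectors from Table 2 with illustrative weights; remote login
# services weigh most, matching the text's prevalence argument.
VECTOR_WEIGHTS = {
    "remote_login": 4.0,
    "other_remote_service": 3.0,
    "web_application": 2.0,
    "phishing_attachment": 1.0,
}

# Feature label (what a plugin reports) -> attack vector. Labels are assumed.
FEATURE_TO_VECTOR = {
    "vnc": "remote_login",
    "rdp": "remote_login",
    "ssh": "remote_login",
    "ftp": "other_remote_service",
    "anonymous_ftp": "other_remote_service",
    "smtp": "other_remote_service",
    "mysql": "other_remote_service",
    "snmp_community_string": "other_remote_service",
    "php": "web_application",
    "drupal": "web_application",
    "vba_ole_enabled": "phishing_attachment",
}


def count_features(findings):
    """Count distinct (asset, feature) pairs per attack vector.

    Counting distinct pairs means a plugin that fires twice on the same
    service does not inflate the score. Features with no mapping are
    returned separately so the analyst can see what the model ignores.
    """
    seen = set()
    per_vector = Counter()
    unmapped = Counter()
    for asset, feature in findings:
        if (asset, feature) in seen:
            continue
        seen.add((asset, feature))
        vector = FEATURE_TO_VECTOR.get(feature)
        if vector is None:
            unmapped[feature] += 1
        else:
            per_vector[vector] += 1
    return per_vector, unmapped


def attack_surface(findings, asset_count, weights=VECTOR_WEIGHTS):
    """Weighted sum over vectors, absolute and normalized per asset."""
    per_vector, unmapped = count_features(findings)
    contributions = {v: weights[v] * per_vector.get(v, 0) for v in weights}
    absolute = sum(contributions.values())
    normalized = absolute / asset_count if asset_count else 0.0
    return {
        "per_vector": dict(per_vector),
        "contributions": contributions,
        "absolute": absolute,
        "normalized": round(normalized, 3),
        "unmapped": dict(unmapped),
    }


def compare(before, before_assets, after, after_assets):
    """Delta between two states of an environment, as the text suggests."""
    b = attack_surface(before, before_assets)
    a = attack_surface(after, after_assets)
    return {
        "absolute_delta": a["absolute"] - b["absolute"],
        "normalized_delta": round(a["normalized"] - b["normalized"], 3),
    }


# Constructed sample: (asset, feature) pairs as a scanner might report them.
SAMPLE_FINDINGS = [
    ("10.0.0.1", "rdp"), ("10.0.0.1", "rdp"),        # duplicate hit, counted once
    ("10.0.0.2", "vnc"), ("10.0.0.2", "anonymous_ftp"),
    ("10.0.0.3", "php"), ("10.0.0.3", "drupal"),
    ("10.0.0.4", "vba_ole_enabled"), ("10.0.0.4", "smtp"),
    ("10.0.0.5", "cve_only_finding"),                # no feature mapping
]

if __name__ == "__main__":
    result = attack_surface(SAMPLE_FINDINGS, asset_count=5)
    for vector, value in result["contributions"].items():
        print(f"{vector:22s} {value:6.1f}")
    print(f"absolute={result['absolute']} normalized={result['normalized']}")
    hardened = [f for f in SAMPLE_FINDINGS if f[1] not in ("vnc", "anonymous_ftp")]
    print("after disabling VNC and anonymous FTP:", compare(SAMPLE_FINDINGS, 5, hardened, 5))
```

The `unmapped` bucket matters in practice: a CVE-only finding contributes nothing here, which is the point of the measure, but it should surface in the output rather than vanish silently, so that the analyst can decide whether a new mapping is needed.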

Figure 1. Absolute attack surface.

Figure 2. Normalized attack surface — by the number of considered assets.

Source: Tenable, May 2021.

Conclusion

To achieve meaningful and practical risk and security measurement, it's essential to take into account knowledge from the attacker landscape as well as the defender landscape. While standardized taxonomies provide a useful way for presenting and sharing information, they provide little flexibility, making it difficult to achieve a complete view of all aspects of a system an attacker could attempt to compromise. 

We believe it's important for cybersecurity professionals to rethink how the attack surface is defined. In addition to considering the impact of known vulnerabilities, defenders also need to take a wider view of all possible attack points and use a data-driven approach to measuring the importance of each one within their environments to improve prioritization of remediation efforts and reduce cyber risk. 

Zero Day Vulnerabilities in Industrial Control Systems Highlight the Challenges of Securing Critical Infrastructure


The disclosure of zero day vulnerabilities in several Schneider Electric industrial control systems highlights the need to revamp cybersecurity practices in operational technology environments. 

A zero day disclosure of multiple vulnerabilities in Schneider Electric’s industrial control systems (ICS) exemplifies the real-world struggles facing the critical infrastructure ecosystem. 

The vulnerabilities — which affect the company’s EcoStruxure Control Expert, EcoStruxure Process Expert, SCADAPack REmoteConnect x70 and Modicon M580 and M340 control products — pose several risks, including the possibility of complete authentication bypass, arbitrary code execution and loss of confidentiality and integrity. 

Tenable’s Zero Day Research team is one of several parties to have disclosed vulnerabilities to Schneider via standard disclosure practices, and you can view our technical report here. Although we are strong proponents of full disclosure, in this case we have chosen to withhold certain technical details from our public disclosure documents. Operational technology (OT) systems have yet to bring their security posture on par with their IT counterparts, and this is one of the rare situations where full disclosure shouldn’t be followed. In our view, the risk of successful in-the-wild exploitation was too great, and the critical infrastructure at risk too sensitive, for us to proceed with full disclosure while patches were months away from release by the vendor.

The factors surrounding the Schneider disclosure highlight the many challenges involved in securing critical infrastructure. Patches for industrial control systems and other operational technology are notoriously difficult to develop and deploy, because systems have to be taken down and thoroughly tested each time an update is made. Yet the existing operating models for most OT environments, such as power plants, gas pipelines and manufacturing plants, leave little margin for downtime. More industry-wide discussion is clearly needed to determine whether the vendor parameters used for zero-day disclosures in IT environments are appropriate for critical infrastructure.

In a typical IT environment, the workstreams and processes for patching digital business systems are well established and time-tested. In most OT environments, on the other hand, there’s no clear workstream to update the software that is the underbelly of our critical infrastructure. There is an ongoing battle between the production side of the house and the security side, each of which is held to different success metrics around uptime and system performance. 

In an OT environment, it’s common for software-dependent systems to be placed into service and never touched again for the next 10 years. Regular software updates for OT technologies are simply not incorporated into standard processes in most critical infrastructure organizations. 

We believe it’s incumbent on the broad range of international stakeholders — including government bodies, law enforcement agencies, researchers, vendors and the owners and operators of critical infrastructure facilities — to prioritize global collaboration with an eye toward developing best practices for securing OT systems that can be applied regardless of geography. 

We believe these discussions need to recognize that OT vendors and operators have much to learn from their IT counterparts and need to become more adept at developing and managing the software underpinning crucial systems. Make no mistake — the onus does not fall solely on the owners and operators of critical infrastructure environments. Vendors need to be held responsible for continually bug hunting and doing quality assurance on their own software, dedicating resources to effectively managing vulnerability disclosures and speeding up update release times. 

The challenges are as much about people and process as they are about technologies. Operators of critical infrastructure environments need to revamp their cybersecurity governance, risk and compliance practices. The management and remediation of software vulnerabilities in OT systems must be as routine a part of plant maintenance as the mechanical servicing of hardware is today.

In the U.S., we’ve already seen positive movement in the form of the May 12 Executive Order on Improving the Nation’s Cybersecurity from the Biden administration, which calls for software supply chain security guidance to incorporate vulnerability disclosure programs, and the May 18 White House fact sheet, which states “[c]ybersecurity is a core part of resilience and building infrastructure of the future.”

At the same time, we recognize the need for more immediate actions owners and operators of critical infrastructure environments can implement today. Below, we provide three high-level actions as well as two tactical steps organizations can take to protect themselves in the wake of the Schneider disclosure.

Three action items for securing critical infrastructure environments

There is no magic bullet for securing OT environments. Just as with IT security, it comes down to nailing the basics. And we’re well aware that the simplicity of the guidance belies the complexity of actually implementing the recommendations. Nonetheless, we believe these action items bear repeating, as they are foundational to any sound cybersecurity strategy, particularly when systems cannot be updated:

  1. Implement a defense-in-depth posture. Critical infrastructure environments cannot rely on the security of any given device. Organizations need to implement a robust security architecture with compensating controls to protect the devices that are most at risk.

  2. Develop strong governance and disaster recovery policies. These are essential for dealing with ransomware and other forms of cyberattack, and must take into account not just the technologies but also the people and processes in place in any given organization. Exercise and test your backup plans before you need them. Because the cyber skills shortage is particularly acute in OT environments, achieving this level of governance remains challenging for many organizations.

  3. Choose technologies wisely. Without the right people and policies in place, it’s impossible to get the full value out of any technology you purchase. At the same time, there are certain capabilities to seek out in your technology choices. For example, the OT environment requires the same level of real-time, continuous analysis found in the IT world. OT operators need to implement technologies that give them the detection and recovery capabilities necessary to counter sophisticated threat actors.


Two action items for users of the affected Schneider systems

If your organization uses the Schneider systems affected by this zero-day disclosure, here are two action items you can take immediately:

  1. Review and follow the vendor recommendations detailed in the Schneider disclosure here.

  2. Tenable customers can learn more here about how to detect the affected systems in their environment.


Conclusion

It’s imperative for researchers, governments, private-sector organizations and technology vendors to take immediate tactical action as well as long-term strategic action to address the considerable cybersecurity challenges facing our critical infrastructure. Likewise, it’s essential to dismantle the IT, OT and infosec silos that exist in most organizations and rethink how these teams are incentivized to make sure cybersecurity is prioritized. 


Microsoft’s July 2021 Patch Tuesday Includes 116 CVEs (CVE-2021-31979, CVE-2021-33771)


Microsoft highlights 116 CVEs including two which were addressed by April patches.

  • 12 Critical
  • 103 Important
  • 1 Moderate
  • 0 Low

Microsoft patched 116 CVEs in the July 2021 Patch Tuesday release, including 12 CVEs rated as critical, 103 rated as important and one rated as moderate. It’s only the second time in 2021 that Microsoft has included more than 100 vulnerabilities in Patch Tuesday, while it passed that milestone eight times in 2020.

This month's Patch Tuesday release includes fixes for:

  • Common Internet File System
  • Dynamics Business Central Control
  • Microsoft Bing
  • Microsoft Dynamics
  • Microsoft Exchange Server
  • Microsoft Graphics Component
  • Microsoft Office
  • Microsoft Office Excel
  • Microsoft Office SharePoint
  • Microsoft Scripting Engine
  • Microsoft Windows Codecs Library
  • Microsoft Windows DNS
  • Microsoft Windows Media Foundation
  • OpenEnclave
  • Power BI
  • Role: DNS Server
  • Role: Hyper-V
  • Visual Studio Code
  • Visual Studio Code - .NET Runtime
  • Visual Studio Code - Maven for Java Extension
  • Windows Active Directory
  • Windows Address Book
  • Windows AF_UNIX Socket Provider
  • Windows AppContainer
  • Windows AppX Deployment Extensions
  • Windows Authenticode
  • Windows Cloud Files Mini Filter Driver
  • Windows Console Driver
  • Windows Defender
  • Windows Desktop Bridge
  • Windows Event Tracing
  • Windows File History Service
  • Windows Hello
  • Windows HTML Platform
  • Windows Installer
  • Windows Kernel
  • Windows Key Distribution Center
  • Windows Local Security Authority Subsystem Service
  • Windows MSHTML Platform
  • Windows Partition Management Driver
  • Windows PFX Encryption
  • Windows Print Spooler Components
  • Windows Projected File System, Windows Remote Access Connection Manager
  • Windows Remote Assistance
  • Windows Secure Kernel Mode
  • Windows Security Account Manager
  • Windows Shell
  • Windows SMB
  • Windows Storage Spaces Controller
  • Windows TCP/IP
  • Windows Win32K

Remote code execution (RCE) vulnerabilities accounted for 37.1% of the vulnerabilities patched this month, followed by Elevation of Privilege (EoP) at 27.6%.

Important

CVE-2021-31979 and CVE-2021-33771 | Windows Kernel Elevation of Privilege Vulnerability

CVE-2021-31979 and CVE-2021-33771 are EoP vulnerabilities in the Windows kernel. Both received a CVSSv3 score of 7.8 and have been exploited in the wild as zero-days, according to Microsoft’s Threat Intelligence Center and Security Response Center. A local, authenticated attacker could exploit these vulnerabilities to run processes with elevated permissions. Similar zero-day vulnerabilities, which Google Project Zero observed under active exploitation, were patched in April 2020.

Important

CVE-2021-31196, CVE-2021-31206 and CVE-2021-34473 | Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2021-31196, CVE-2021-31206 and CVE-2021-34473 are RCE vulnerabilities in Microsoft Exchange Server. CVE-2021-34473 is the highest rated, receiving a CVSSv3 score of 9.1 and is more likely to be exploited according to Microsoft’s Exploitability Index. It was also patched as part of the April 2021 Patch Tuesday release, though Microsoft says the CVE was “inadvertently omitted” from the security update guide despite being patched. Exchange Server has become a very popular target since March, when Microsoft patched four zero-day vulnerabilities, including CVE-2021-26855 (ProxyLogon) in an out-of-band release. In fact, CVE-2021-31196 was disclosed to Microsoft by Orange Tsai of the DEVCORE team, who was also responsible for disclosing ProxyLogon and other Exchange Server vulnerabilities earlier this year. For organizations that run Exchange Server on-prem, it is important to apply available patches sooner rather than later, especially with the increased targeting of vulnerable servers.

Important

CVE-2021-33768, CVE-2021-34470 and CVE-2021-34523 | Microsoft Exchange Server Elevation of Privilege Vulnerability

CVE-2021-33768, CVE-2021-34470 and CVE-2021-34523 are EoP vulnerabilities in Microsoft Exchange Server. CVE-2021-34523 is the highest rated Exchange Server EoP, receiving a CVSSv3 score of 9.0, though it is less likely to be exploited according to Microsoft’s Exploitability Index, as an attacker would need to have already established a presence on the vulnerable Exchange Server before they could elevate privileges. Just like CVE-2021-34473, CVE-2021-34523 was patched as part of the April 2021 Patch Tuesday release and is another vulnerability that Microsoft says was inadvertently omitted from its release notes. CVE-2021-33768 was also disclosed to Microsoft by Orange Tsai. The same advice applies here: organizations running Exchange Server on-prem should apply available patches sooner rather than later, given the increased targeting of vulnerable servers.

Important

CVE-2021-33746, CVE-2021-33754, CVE-2021-33780, CVE-2021-34494 and CVE-2021-34525 | Windows DNS Server Remote Code Execution Vulnerability

CVE-2021-33746, CVE-2021-33754, CVE-2021-33780, CVE-2021-34494 and CVE-2021-34525 are RCE vulnerabilities in Windows DNS Server. CVE-2021-33746 and CVE-2021-33754 were given CVSSv3 scores of 8.0; the remainder were scored 8.8 because they do not require user interaction. The scores imply that exploitation requires a low-privileged account, presumably one able to send crafted DNS requests across the network to an affected DNS server. Microsoft specifically calls out in the advisories for CVE-2021-33780 and CVE-2021-34494 that a host is only affected if it is configured as a DNS server; the remaining advisories do not make this explicit. Even without that clarification, we recommend applying the cumulative patches to all applicable hosts.

Critical

CVE-2021-34450 | Windows Hyper-V Remote Code Execution Vulnerability

CVE-2021-34450 is an RCE vulnerability in Windows Hyper-V, which would allow an attacker who is authenticated to a guest virtual machine (VM) to send crafted requests to execute arbitrary code on the host machine. While Microsoft rates this as “Exploitation Less Likely,” it is important to consider that malware variants commonly look to escape VMs and infect the host machine, so patching this flaw should remain a priority despite Microsoft’s risk assessment.

Critical

CVE-2021-34464 and CVE-2021-34522 | Microsoft Defender Remote Code Execution Vulnerability

CVE-2021-34464 and CVE-2021-34522 are RCE vulnerabilities in the Microsoft Malware Protection Engine. Both received CVSSv3 scores of 7.8 and are rated “Exploitation Less Likely,” but we chose to highlight them because of in-the-wild exploitation of a similar flaw, CVE-2021-1647, in January. Unlike CVE-2021-1647, these are not zero-days, but the ubiquity of Microsoft Defender still makes them noteworthy. Fortunately, Microsoft Defender updates automatically in most configurations, limiting the impact of these vulnerabilities. Microsoft does recommend, and provides guidance for, confirming that automatic updates are working.

Critical

CVE-2021-34448 | Scripting Engine Memory Corruption Vulnerability

CVE-2021-34448 is a memory corruption vulnerability in the Microsoft Scripting Engine which has been exploited in the wild as a zero-day, according to Microsoft. An attacker would need to entice a victim into visiting a malicious website in order to successfully exploit this vulnerability. Because exploitation requires user interaction, this vulnerability only received a CVSSv3 score of 6.8.

Tenable solutions

Users can create scans that focus specifically on our Patch Tuesday plugins. From a new advanced scan, in the plugins tab, set an advanced filter for Plugin Name contains July 2021.

With that filter set, click the plugin families to the left and enable each plugin that appears on the right side. Note: If your families on the left say Enabled, then all the plugins in that family are set. Disable the whole family before selecting the individual plugins for this scan. Here’s an example from Tenable.io:

A list of all the plugins released for Tenable’s July 2021 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Cut Through the Marketing Hype: Determine Which Vulnerability Assessment Tool Is Right for Your Organization



Not all scanning solutions are created equal…

The vulnerability assessment market has changed dramatically over the past several years. A growing number of vendors who once provided scan tools that merely identified vulnerabilities across your network now enable you to proactively assess those vulnerabilities in terms of the risk they pose to your business.

And it doesn't just stop at scanning vendors. Many vendors offering tools such as security information and event management (SIEM), endpoint detection and response (EDR) and managed detection and response (MDR) have added vulnerability assessment capabilities to their offerings, as well.

The problem is, there's no one clear definition of what it means to assess and manage vulnerabilities. Not all vendors take a risk-based approach. And of those that do, there's certainly no universal agreement on the best way to quantify that risk, which leads to muddled attempts to effectively prioritize remediation efforts. As a result, many security professionals struggle to navigate the wide range of vendor offerings, and to separate the marketing hype from what will truly make them more efficient and effective.

When evaluating any of these products, it's essential to understand how each will help you prioritize the vulnerabilities that pose the greatest risk to your organization. Are they simply taking and repackaging Common Vulnerability Scoring System (CVSS) base scores, or are they adding context using a variety of sources? Do they use data science and machine learning to automate the process of analyzing vast amounts of security data to arrive at a conclusion? Do they take asset criticality into account — and if so, to what extent? The goal is to help you more efficiently manage cyber risk across your attack surface, so you want a solution that can help you get there.

To help you determine what to look for, there's a Gartner research report that we think you'll find valuable: Market Guide for Vulnerability Assessment.

As the report points out, Vulnerability Prioritization Technology (VPT) "saves significant time over trying to do this analysis manually. It also provides better insight and context because acting on these prioritized results will substantially reduce an organization's attack surface, with the least amount of time and the most efficient use of staff resources."

Of course, the vulnerability assessment solution itself isn't enough. You want it to integrate with the other critical components of your security stack. By integrating with your IT service management (ITSM), configuration management database (CMDB), ticketing and workflow management systems, and even your SIEM and security orchestration, automation and response (SOAR) solutions, your entire security program can run far more efficiently and maximize your team's effectiveness.

And, finally, the vulnerability assessment solution you choose should be built to support new, emerging and even future technologies. Think of it this way: If your vulnerability assessment tool can only discover and assess physical, on-premises assets today, what use will it be moving forward? Even if you add visibility into cloud assets, you're still behind the curve when it comes to the most dynamic aspects of your network, including containers, web apps, and operational technology environments. You need the ability to expand your scanning program to future environments and asset types, as technology and business needs evolve.

According to the Gartner report, "prioritization by a VA vendor can be a good starting point for small and midsize clients using a homogeneous environment of a VA vendor for security testing. Also, buying an add-on product from the same vendor helps vendor consolidation, and sometimes cost, with less effort placed on new training and tool deployment. This is a key area of innovation that end users are strongly advised to seek out in their procurement cycles and prioritize in the future." We believe that Tenable's comprehensive family of solution offerings, including Tenable.ep, Tenable.io, Tenable Lumin, Tenable.ad and Tenable.ot, delivers the breadth of coverage you need to assess your entire attack surface, and the depth of vulnerability prioritization technology to help you reduce the greatest amount of risk with the least amount of resources.

We believe that the 2021 Gartner Market Guide for Vulnerability Assessment can help provide the information you need to make a more informed decision. 

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. 

Gartner Market Guide for Vulnerability Assessment, Shilpi Handa, Craig Lawson, Mitchell Schneider, 25 June, 2021

CVE-2021-35211: SolarWinds Serv-U Managed File Transfer Zero-Day Vulnerability Exploited in Targeted Attacks


Following a patch for a zero-day vulnerability in SolarWinds’ Serv-U Managed File Transfer, researchers share new details about the attacks, as over 8,000 systems remain publicly accessible and potentially vulnerable.

Background

On July 9, SolarWinds published a security advisory for a significant security vulnerability in its Serv-U Managed File Transfer Server software, used for secure file transfers and file sharing.

| CVE | Description | CVSSv3 |
| --- | --- | --- |
| CVE-2021-35211 | Serv-U Remote Memory Escape Vulnerability | Unavailable |

In its initial advisory, SolarWinds credited Microsoft with discovering the vulnerability, adding that it had been exploited in the wild in “a limited, targeted” set of attacks.

On July 13, Microsoft published a blog post providing additional insight into their discovery of the flaw and the exploitation activity associated with it.

Analysis

CVE-2021-35211 is a memory escape vulnerability in SolarWinds Serv-U Managed File Transfer Server. The flaw exists due to the way Serv-U has implemented the Secure Shell (SSH) protocol and can only be exploited if an organization has made the Serv-U SSH protocol externally accessible. Microsoft says that, if exploited, an attacker would be able to “remotely run arbitrary code with privileges,” which may include but is not limited to installing or executing malicious code, as well as accessing or altering data on the system.

In-the-wild exploitation linked to an unidentified threat actor

In its blog post, Microsoft says they attribute the exploitation of the flaw to a group they are calling DEV-0322. The terminology, DEV, is used to describe a “development group” along with a unique number. This is similar to the methodology used by researchers at FireEye/Mandiant, who refer to uncategorized threat actors using the acronym UNC along with a group number.

Despite the unidentified nature of the group, Microsoft says the attackers have targeted software companies as well as the U.S. Defense Industrial Base Sector, which the Cybersecurity and Infrastructure Security Agency (CISA) says is responsible for researching, developing, designing, producing, delivering and maintaining military weapons systems.

Over 8,000 Serv-U SSH Servers publicly accessible

According to a search on BinaryEdge, there are over 8,000 Serv-U SSH Servers publicly accessible on the internet, with the majority of those systems residing in China, followed by the United States and Germany.

It is unclear from the banner results which of these systems have applied the patch thus far. Considering the volume of publicly accessible systems, once a proof-of-concept (PoC) becomes available, we anticipate attackers will begin targeting these systems indiscriminately.

Proof of concept

At the time this blog post was published, there were no PoC exploit scripts publicly available.

Solution

SolarWinds says that Serv-U versions 15.2.3 Hotfix 1 (HF1) and prior are affected by this vulnerability. To address the flaw, SolarWinds has released Serv-U 15.2.3 Hotfix 2 (HF2). They’ve provided a list of upgrade paths depending on the current version of Serv-U that is being used.

| Affected Serv-U Version | Upgrade Instructions |
| --- | --- |
| 15.2.3 HF1 | 1. Apply the 15.2.3 HF2 patch |
| 15.2.3 | 1. Apply the 15.2.3 HF1 patch; 2. Apply the 15.2.3 HF2 patch |
| Below 15.2.3 | 1. Upgrade to 15.2.3; 2. Apply the 15.2.3 HF1 patch; 3. Apply the 15.2.3 HF2 patch |

In Microsoft’s blog post, they’ve shared a series of indicators of compromise and guidance on how to identify potential compromise through examining the Serv-U log file, DebugSocketLog.txt, for exception messages.
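As an added example (not code from the Tenable post or from Microsoft's guidance), the following Python script parses a DebugSocketLog.txt and flags the exception entries such a review looks for. The log lines are constructed, the entry format is an assumption, and the matched signature (access violation C0000005 inside CSUSSHSocket::ProcessReceive) is taken from Microsoft's published guidance and should be checked against it.

```python
"""Scan a Serv-U DebugSocketLog.txt for the exception entries that Microsoft's
guidance associates with attempted exploitation of CVE-2021-35211.

Added example (not code from the Tenable post or from Microsoft). The log lines
are constructed and the entry format is an assumption. The signature matched
(access violation C0000005 inside CSUSSHSocket::ProcessReceive) follows
Microsoft's published guidance and should be verified against it.
"""
import re
from dataclasses import dataclass
from typing import List

# Generic exception entry: "EXCEPTION: <8 hex digits>; <Class::Method()>; ..."
EXCEPTION_RE = re.compile(
    r"EXCEPTION:\s*(?P<code>[0-9A-Fa-f]{8});\s*(?P<func>[\w:]+\(\))"
)

# Assumed indicator: an access violation raised in the SSH receive handler.
SUSPECT_CODE = "C0000005"
SUSPECT_FUNC = "CSUSSHSocket::ProcessReceive()"


@dataclass
class ExceptionEvent:
    line_no: int
    code: str
    func: str
    raw: str


def parse_exceptions(log_text: str) -> List[ExceptionEvent]:
    """Return every exception entry found in the log, in file order."""
    events = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = EXCEPTION_RE.search(line)
        if m:
            events.append(
                ExceptionEvent(n, m.group("code").upper(), m.group("func"), line.strip())
            )
    return events


def suspicious_events(events: List[ExceptionEvent]) -> List[ExceptionEvent]:
    """Keep only the entries that match the CVE-2021-35211 indicator."""
    return [e for e in events if e.code == SUSPECT_CODE and e.func == SUSPECT_FUNC]


def scan_log_file(path: str) -> List[ExceptionEvent]:
    """Convenience wrapper for a real DebugSocketLog.txt on disk."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return suspicious_events(parse_exceptions(fh.read()))


# Constructed sample log (illustrative layout, not Serv-U's real format).
SAMPLE_LOG = """\
[1] 2021-07-08 10:12:03 - (000001) SSH session opened from 192.0.2.10
[2] 2021-07-08 10:12:04 - EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); Type: 30; nPacketLength = 76
[3] 2021-07-08 10:12:05 - (000001) SSH session closed
[4] 2021-07-08 10:20:11 - EXCEPTION: C0000094; CSUSFtpSocket::Handler(); Type: 2
[5] 2021-07-08 10:21:00 - (000002) FTP session opened from 198.51.100.7
"""

if __name__ == "__main__":
    # Expected: only line 2 is reported; the unrelated exception on line 4 is not.
    for e in suspicious_events(parse_exceptions(SAMPLE_LOG)):
        print(f"line {e.line_no}: {e.raw}")
```

A match is a lead for investigation alongside Microsoft's other indicators, not proof of compromise on its own, since a crash in that handler can also have benign causes.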

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

You Can't Modernize Critical Infrastructure Without Cybersecurity


Will bipartisan legislation in the U.S. make securing IT and operational technology a priority?

U.S. lawmakers have an unprecedented opportunity to vastly improve the cybersecurity posture of the nation's critical infrastructure this week as they negotiate a massive infrastructure package. The bipartisan legislation aims to transform and modernize the nation's infrastructure for generations to come — but only if it prioritizes cybersecurity of the IT and operational technology (OT) upon which such facilities rely. 

Unfortunately, many lawmakers still seem unclear about how ransomware attacks against operators of critical infrastructure, such as the recent hacks of Colonial Pipeline and JBS, could undermine any such modernization efforts. Without clear, strong language addressing cybersecurity, we believe any such legislation would fall short. Criminal groups, foreign adversaries and even lone hackers have shown a strong appetite to target everything from the pipelines that carry fuel to the meatpacking facilities that provide food and even the water treatment plants that supply our most basic needs. And they're making use of flaws in IT and OT technologies in order to accomplish their goals.

As the White House and lawmakers debate the Bipartisan Infrastructure Framework, its scope and what should be considered "infrastructure," cybersecurity must be prioritized. Any legislation should, at a base level, require any infrastructure project receiving funding from the infrastructure plan to assess its cybersecurity risk, identify gaps and outline a plan to address those gaps through cybersecurity risk mitigation practices and technology.

For example, if a state wants to use funding from the legislation to modernize a water treatment plant, or a municipality wants to acquire smart cities capabilities, or a power utility wants to deploy new technologies in its facilities, they must first show their cybersecurity plans. This should not be controversial — why spend money upgrading the backbone of our society if we're going to leave the door open for digital adversaries? Why update the power grid to be able to handle more extreme weather, only for it to be taken down by hackers instead?

Cybersecurity standards for critical infrastructure

Any infrastructure legislation should also provide guidelines for how to secure our critical infrastructure systems. Anne Neuberger, White House deputy national security advisor for cyber and emerging technology, was spot on when she called out the need for basic cyber hygiene practices in a recent memo to organizations across the country.

Lawmakers debating the current package can look to the Senate Committee on Energy and Natural Resources for ways to guide infrastructure operators. Section 1106 of the Senate Committee on Energy and Natural Resources energy infrastructure bill allows the secretary of energy to require recipients of grants or funding under the bill to submit a cybersecurity plan. Such cybersecurity plans are required to:

  • Outline how the recipient will maintain and improve cybersecurity throughout the life of the project;

  • Demonstrate how the recipient plans to maintain cybersecurity between the networks, systems, devices, applications or components within the proposed solution and at external interfaces; and 

  • Indicate how the recipient will leverage applicable cybersecurity programs of the department, including cyber vulnerability testing.  


Section 1106 also calls on funding recipients to maximize the use of open guidance and standards, including the Department of Energy Cybersecurity Capability Maturity Model and the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity.

These are excellent provisions and Tenable urges Secretary of Energy Jennifer Granholm to leverage this authority to drive stronger cybersecurity outcomes across the energy sector. The same provisions should apply to the nation's other critical infrastructure sectors as well.

What we need from the upcoming infrastructure modernization package is, at its core, quite simple: language requiring any organization providing these essential services to focus on the cybersecurity basics — including cyber risk assessments, asset management and vulnerability prioritization.  Anything less would be negligent.

We recognize the details of critical infrastructure security are complex and unique. We believe this legislation presents a vital, common-sense place to start, as Congress works towards a final infrastructure plan. While our nation's electric grid and other critical infrastructure facilities are in dire need of physical updates, leaving them open to the barrage of cyberattacks is simply not an option. Congress must include cybersecurity provisions and requirements as it finalizes its infrastructure modernization plan.


How to Measure the Efficacy of Your Cybersecurity Program: 5 Questions to Ask


When it comes to measuring the efficacy of your security efforts, understanding how your program stacks up against peers can reveal where key improvements or investments are needed. 

Proving success in cybersecurity has always been a challenge: If you’re playing defense and nothing bad happens, was it because you’re smart or lucky? Gaining perspective on your organization’s effectiveness is a vital step in improving your cyber hygiene. 

While new exploits or zero-day attacks make headlines, the most common root causes of breaches are familiar and predictable. According to Tenable Research’s 2020 Threat Landscape Retrospective these include:

  • Old, unpatched vulnerabilities

  • Poor administrative and configuration processes

  • Insufficient asset tracking


Understanding your vulnerability management process is foundational to assessing cyber risk

Scanning your environment and addressing unacceptable risks in a prioritized manner are the twin pillars of any effective security program.  But organizations oftentimes don’t have a complete understanding of these processes. Two critical measurements you need to have at your fingertips are:

  • Assessment Maturity: This metric gives you insight into your scanning processes to ensure your team is operating with a complete and accurate picture of your evolving attack surface.

  • Remediation Maturity: This metric enables you to evaluate how timely and proactive you are in mitigating critical risks.


Peer benchmarks reveal where key investments are needed

By themselves, these vulnerability management process metrics don’t tell you all that you need to know — you need a sense of perspective to understand how they stack up within the context of your peer group. No matter your industry, you don’t want to be at the bottom of the barrel. But, without peer benchmarking, it’s difficult to know how well you’re really doing.

When you think about your cyber hygiene fundamentals — assessment and remediation — you need to know: 

  1. How am I doing?

  2. How do I compare to my peers? 

  3. What specific actions do I need to take to improve? 


The answers to these questions will help you request budget and allocate resources by enabling you to  understand and communicate how you’re doing across internal business units and compared to external peers. Think of it like a professor grading you on a curve and telling you exactly what you need to do to get an “A” in the class.

Five questions to size up the maturity of your security program

1. How often do you scan the majority of your assets?


This is where your journey to maturity begins.  Answering this question with precision begins to take you down the road of understanding what resources you have internally, what’s reasonable to accomplish and what critical metrics you can obtain.


With scanning in place, you can ask additional questions such as:

  • How much of your environment are you regularly scanning?

  • Approximately how much time passes between scans?

  • Do these behaviors vary across business units or geographies?

  • Are those areas broken out by the criticality of the asset to your business, the type of asset, geolocation of the asset, or any other factors?

  • What is the SLA requirement for each of those categories?



The longer the scan cycle (time between scans), the longer vulnerabilities remain unidentified and unpatched.  You not only need to quantify risk, you also have to identify those risks quickly. To give you some perspective, the average organization scans their assets approximately every four days, according to Tenable Research.

2. What percentage of open vulnerabilities are you capturing?



Authentication is the first point of triage. You can’t quantify what you can’t see. With risk reduction as your goal, authenticating wherever and whenever you can is critical. At the end of the day, getting as deep and broad of an assessment on an asset as possible is a fundamental step in being able to know where risks are, what assets/business functions are impacted and what you’ll need to do to remediate and lower risk. Without knowing the scope, criticality, impact and work requirements, there’s simply no way to effectively manage risk and build toward a more mature program that can properly address and reduce risk going forward. Tenable Research shows that credentialed scans detect on average 45x more vulnerabilities per asset than non-credentialed scans; yet, nearly 60% of enterprise assets are scanned without local credentials, yielding false negatives. 



3. How quickly are you addressing high-risk vulnerabilities?


According to the Tenable 2021 Vulnerability Intelligence Report, 18,358 new vulnerabilities were identified in 2020. But only 5.2% had a publicly available exploit. You need to fix first what matters most. Reducing risk in the most efficient and effective manner requires understanding how quickly you're addressing vulnerabilities which you’ve identified to be high-risk on assets which are highly or critically important to your business functions. Understanding the nature of the threat posed by a vulnerability involves insight into the characteristics of the vulnerability that make it attractive to attackers along with threat intelligence for insight into the in-the-wild activity surrounding that particular vulnerability. You can’t afford to waste valuable resources on vulnerabilities that pose little or no threat.

4. What percentage of assets have endpoint protections in place?


Endpoint security is one necessary layer of defense among many. You need to know whether your systems have the required security programs installed, and you need to be aware of any unauthorized or potentially dangerous software installed on those assets. This is not just an issue of malware; it could also involve policy violations such as having telnet open when telnet is not allowed on any corporate system. The risk of not asking this question is simply that you may not know whether controls are in place everywhere you expect them to be. This is an all too common problem. Only 44% of infosec leaders say their organization has good visibility into the security of their most critical assets, according to a commissioned study conducted by Forrester Consulting on behalf of Tenable.


5. Are you reducing cyber risk across key business functions?


The Forrester study also revealed that just four in 10 security leaders can answer the question “How secure or at risk are we?” with a high level of confidence. It’s a simple question, but one that can be maddeningly difficult to answer without the right intelligence and metrics. 
At an executive level, understanding if risk is being reduced across business functions (teams, geolocations, asset types etc.) aligns with the goals of the overall business and demonstrates value and return on investment for the budget given to the security program. At a strategic level, answering this question helps the day-to-day leadership make better decisions about where the program is working best (and thus, how to replicate that to other areas) and where it’s not working so well. At the tactical level, those responsible for remediating and patching need to understand how their efforts are moving the needle in the right direction for their particular business function, as well as how their efforts are communicated up the chain all the way to the executive level. 

Without precise answers to these questions you may not know if you’re actually reducing risk or not. Further, you may miss areas of the organization which are struggling to reduce risk or are putting the rest of the organization at risk due to their inability to drive risk downward. 
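To make the five questions concrete, here is a worked example, added here and not Tenable's code, that computes one measure per question from a small constructed asset inventory. Every asset, date and finding is made up, and the 7-day remediation SLA and the "high or critical severity with a public exploit" definition of high-risk are assumptions.

```python
"""Worked example (added here, not Tenable's code): one measure for each of the
five program-maturity questions, computed over a constructed asset inventory.
Every asset, date and finding below is made up; the 7-day SLA is an assumption."""
from datetime import date
from statistics import mean
from typing import Dict, List, Tuple

SLA_DAYS = 7  # assumed remediation SLA for high-risk findings

# Constructed inventory. "exploit" marks a finding with a public exploit;
# "fixed" is None while the finding is still open; "epp" = endpoint protection.
ASSETS: List[dict] = [
    {"id": "web-01", "bu": "ecommerce", "credentialed": True, "epp": True,
     "scans": [date(2021, 7, 1), date(2021, 7, 4), date(2021, 7, 8)],
     "vulns": [{"sev": "critical", "exploit": True, "first_seen": date(2021, 7, 1), "fixed": date(2021, 7, 6)},
               {"sev": "low", "exploit": False, "first_seen": date(2021, 7, 1), "fixed": None}]},
    {"id": "db-01", "bu": "ecommerce", "credentialed": False, "epp": True,
     "scans": [date(2021, 7, 1), date(2021, 7, 15)],
     "vulns": [{"sev": "high", "exploit": True, "first_seen": date(2021, 7, 1), "fixed": None}]},
    {"id": "fin-ws-07", "bu": "accounting", "credentialed": False, "epp": False,
     "scans": [date(2021, 6, 1), date(2021, 7, 1)],
     "vulns": [{"sev": "high", "exploit": False, "first_seen": date(2021, 6, 1), "fixed": date(2021, 6, 30)},
               {"sev": "critical", "exploit": True, "first_seen": date(2021, 7, 1), "fixed": None}]},
]


def is_high_risk(v: dict) -> bool:
    """Assumed definition: high/critical severity AND a public exploit ("fix first what matters most")."""
    return v["sev"] in ("critical", "high") and v["exploit"]


def avg_scan_interval_days(assets: List[dict]) -> float:
    """Q1: mean gap in days between consecutive scans, pooled across assets."""
    gaps = []
    for a in assets:
        s = sorted(a["scans"])
        gaps.extend((later - earlier).days for earlier, later in zip(s, s[1:]))
    return mean(gaps) if gaps else float("inf")


def credentialed_coverage(assets: List[dict]) -> float:
    """Q2: share of assets whose latest scan used local credentials."""
    return sum(a["credentialed"] for a in assets) / len(assets)


def high_risk_sla_compliance(assets: List[dict], today: date, sla_days: int = SLA_DAYS) -> Tuple[int, int]:
    """Q3: (within SLA, total) over high-risk findings.

    A finding is within SLA if it was fixed inside sla_days, or is still open but
    not yet older than sla_days; an open finding past the SLA counts as a miss."""
    compliant = total = 0
    for a in assets:
        for v in filter(is_high_risk, a["vulns"]):
            total += 1
            age = ((v["fixed"] or today) - v["first_seen"]).days
            if age <= sla_days:
                compliant += 1
    return compliant, total


def endpoint_protection_coverage(assets: List[dict]) -> float:
    """Q4: share of assets with endpoint protection installed."""
    return sum(a["epp"] for a in assets) / len(assets)


def open_high_risk_by_bu(assets: List[dict]) -> Dict[str, int]:
    """Q5: open high-risk findings per business function, to spot units not driving risk down."""
    counts: Dict[str, int] = {}
    for a in assets:
        n = sum(1 for v in a["vulns"] if is_high_risk(v) and v["fixed"] is None)
        counts[a["bu"]] = counts.get(a["bu"], 0) + n
    return counts


def maturity_report(assets: List[dict], today: date) -> dict:
    """Bundle the five measures into one report for a given reporting date."""
    ok, total = high_risk_sla_compliance(assets, today)
    return {
        "avg_scan_interval_days": avg_scan_interval_days(assets),
        "credentialed_coverage": credentialed_coverage(assets),
        "high_risk_within_sla": ok / total if total else 1.0,
        "endpoint_protection_coverage": endpoint_protection_coverage(assets),
        "open_high_risk_by_bu": open_high_risk_by_bu(assets),
    }


if __name__ == "__main__":
    for key, value in maturity_report(ASSETS, date(2021, 7, 20)).items():
        print(f"{key}: {value}")
```

Run against a real inventory export, the same functions give the per-business-unit breakdown the post recommends, and the reporting date matters: the two open high-risk findings are still within SLA on July 5 but are misses by July 20.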

Level up your security program to reduce your cyber exposure

By honestly answering these five questions, you can set your program up for success with a baseline of security intelligence, cyber risk and process integrity metrics from which to measure improvement over time. Then, by comparing your metrics across internal teams and against external peers, you can identify where key improvements are needed — e.g., your accounting department might have inadequate authenticated scan coverage; or, your overall program might not be fixing critical issues quickly enough compared to industry peers.


Wherever your program is in its maturity journey, Tenable can help by automatically tracking these key process metrics and highlighting gaps where additional investments can have the greatest impact on reducing risk. Once you have this full picture, you can begin to prioritize your efforts and play offense by actively addressing the lowest hanging fruit that attackers are most likely to exploit. 


Focus on the Fundamentals: 6 Steps to Defend Against Ransomware


Ransomware is the monetization of poor cyber hygiene. Here are 6 steps you can take to improve your security defenses.

Ransomware attacks have become a boardroom issue for nearly every organization. In 2020 alone, there were more than 300 million ransomware attacks recorded, an increase of more than 60% from 2019. There are many contributing factors to this trend, such as the steady rise in cryptocurrency, a sophisticated ransomware value-chain network and a proven business model with double extortion. However, one of the most important drivers of ransomware today is the vast number of software vulnerabilities and misconfigurations threat actors are able to feast on to gain a foothold inside organizations and propagate their attacks. 

Ransomware is dependent on attackers exploiting vulnerabilities

With work from home as the new normal, attackers are preying on remote access infrastructure and web application flaws for entry points into the network. REvil/Sodinokibi, the largest ransomware syndicate today, has increasingly targeted vulnerabilities in VPN (CVE-2019-11510), web server (CVE-2019-2725), remote desktop (CVE-2019-19781), and, just recently, remote IT management (CVE-2021-30116) infrastructure. Conti ransomware strains have also frequently targeted VPN systems and Remote Desktop Protocol (RDP) to gain access to victims' networks. Software vulnerabilities have become the fastest growing ransomware attack vector because of the sheer volume of CVEs published each year and the lack of any user interaction requirements to deploy the payload.

But it isn't just traditional CVE vulnerabilities that security teams should worry about. Misconfigurations play a huge role in ransomware propagation across the organization. Ransomware exploits have been targeting Active Directory (AD) weaknesses to escalate privileges and move laterally to higher value targets. The Ryuk ransomware group was able to propagate an attack from a single email to complete domain-wide infection in just over 24 hours using common AD misconfigurations. AD is often referred to as the "Keys to the Kingdom" because it is the center of the organization's authentication, authorization and access control. Once AD has been compromised, attackers can use AD — and its group policy attribute — to deploy ransomware to the entire enterprise.

Understanding where to shore up your ransomware defenses

There is both good news and bad news when it comes to defending against ransomware. 

First, the bad news: there is no silver bullet to protect your organization. There is no shiny Artificial Intelligence (AI)-based technology, advanced behavioral analytics or real-time detection/response solution that will magically solve this problem. Cyber defenders looking for a single ransomware point solution will be sorely disappointed. 

And, the good news: there is a path forward by focusing on the security fundamentals. I know what you're thinking: cyber hygiene isn't sexy or exciting. But it works. Fundamentals are essential to prevent successful ransomware attacks. Cyber experts such as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.K. National Cyber Security Centre (NCSC) continuously stress the fundamentals, such as:

  • Conducting cybersecurity awareness training sessions to decrease phishing attacks

  • Segmenting your networks to separate various business units and resources to contain an intrusion

  • Enabling Multi-factor Authentication (MFA) everywhere

  • Maintaining frequent, encrypted backups of data and system images

  • Performing continuous Risk-based Vulnerability Management and AD assessment of your entire attack surface


6 steps for defending against ransomware 

To help you with that last fundamental, Tenable advises taking the following six steps to improve your security defenses against ransomware. 

  1. Scan often, scan everything

  2. Harden AD to protect your crown jewels

  3. De-escalate privilege escalation

  4. Prioritize using prediction

  5. Remediate like your organization depends upon it

  6. Measure to improve your game


More details on each of the above steps can be found in our handy guide, 6 Steps for Defending Against Ransomware. This resource covers best practices you can implement across the ransomware attack path to make it more difficult for attackers to gain an initial foothold and move laterally across the network. Use this guide to help turn ransomware attacks into ransomware attempts. Tenable is here to help you at each step along your journey. 



Oracle July 2021 Critical Patch Update Addresses 231 CVEs


Oracle addresses 231 CVEs in its third quarterly update of 2021 with 342 patches, including 49 critical updates.

Background

On July 20, Oracle released its Critical Patch Update (CPU) for July 2021, the third quarterly update of the year. This CPU update contains fixes for 231 CVEs in 342 security updates across 26 Oracle product families. Out of the 342 security updates published this quarter, 13% of patches were assigned a critical severity. Medium severity patches accounted for the bulk of security patches at 45.5%, followed by high severity patches at 36.8%.

This quarter’s update includes fixes for 49 critical issues across 30 CVEs.

| Severity | Issued Patches | CVEs |
| --- | --- | --- |
| Critical | 49 | 30 |
| High | 158 | 85 |
| Medium | 123 | 105 |
| Low | 12 | 11 |
| Total | 342 | 231 |

Analysis

This quarter, the Oracle Fusion Middleware product family contained the highest number of patches at 48, which accounts for 14% of the total patches. It is unsurprising, considering that Oracle Fusion Middleware is one of the most consistently patched pieces of software that Oracle produces. So far in 2021, Fusion Middleware has received 153 patches.

Of the 48 Fusion Middleware patches this quarter, 35 are remotely exploitable without authentication.

A full breakdown of the patches for this quarter can be seen in the following table:

| Oracle Product Family | Number of Patches | Remote Exploit without Auth |
| --- | --- | --- |
| Oracle Fusion Middleware | 48 | 35 |
| Oracle MySQL | 41 | 10 |
| Oracle Communications Applications | 33 | 22 |
| Oracle Communications | 26 | 23 |
| Oracle Retail Applications | 23 | 15 |
| Oracle Financial Services Applications | 22 | 17 |
| Oracle E-Business Suite | 17 | 3 |
| Oracle Database Server | 16 | 1 |
| Oracle PeopleSoft | 14 | 8 |
| Oracle Commerce | 11 | 8 |
| Oracle Systems | 11 | 9 |
| Oracle Construction and Engineering | 10 | 5 |
| Oracle Essbase | 9 | 8 |
| Oracle JD Edwards | 9 | 8 |
| Oracle Enterprise Manager | 8 | 8 |
| Oracle Food and Beverage Applications | 6 | 0 |
| Oracle Hyperion | 6 | 4 |
| Oracle Java SE | 6 | 5 |
| Oracle Siebel CRM | 6 | 4 |
| Oracle Virtualization | 6 | 1 |
| Oracle Supply Chain | 5 | 5 |
| Oracle Insurance Applications | 4 | 3 |
| Oracle Big Data Graph | 2 | 2 |
| Oracle Hospitality Applications | 1 | 0 |
| Oracle Policy Automation | 1 | 1 |
| Oracle Support Tools | 1 | 1 |

Oracle Patches CVE-2019-2729 in Hyperion Infrastructure Technology

As part of the July 2021 CPU, Oracle released a patch for CVE-2019-2729, a critical deserialization vulnerability in Oracle WebLogic Server that was originally patched in an out-of-band update in June 2019. This time the affected product is Hyperion Infrastructure Technology, where the vulnerability exists within the Installation and Configuration component. Organizations that use Hyperion Infrastructure Technology should apply the available patch as soon as possible.

Additional WebLogic Server vulnerabilities patched this quarter

Because WebLogic has previously been a favorite initial access vector for attackers, including ransomware groups like REvil (also known as Sodinokibi), we parse Oracle’s CPUs with a focus on WebLogic vulnerabilities. This quarter, there were six vulnerabilities patched within Oracle WebLogic Server (not including those in third-party libraries).

| CVE | Component | CVSSv3 | Remotely Exploitable without Auth |
| --- | --- | --- | --- |
| CVE-2021-2382 | Security | 9.8 | Yes |
| CVE-2021-2394 | Core | 9.8 | Yes |
| CVE-2021-2397 | Core | 9.8 | Yes |
| CVE-2021-2376 | Web Services | 7.5 | Yes |
| CVE-2021-2378 | Core | 7.5 | Yes |
| CVE-2021-2403 | Core | 5.3 | Yes |

Three of the six vulnerabilities in WebLogic Server were assigned a CVSSv3 score of 9.8 out of 10, which classifies them as critical. According to its advisory, Oracle says that CVE-2021-2397 also addresses CVE-2020-14756, which was another critical WebLogic Server vulnerability that was originally patched as part of the January 2021 Critical Patch Update.

Proof of concept

At the time this blog post was published, there were no proof-of-concept (PoC) exploits for any of the new WebLogic server vulnerabilities, though we anticipate that researchers may share details in the future. However, there are six PoCs for CVE-2019-2729.

Solution

Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the July 2021 advisory for full details.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.


How to Improve Your Cybersecurity Decision-Making to Reduce Business Risk


Increase your program efficacy by identifying the metrics that offer the right context to aid decision making across the executive, strategic and tactical levels of your organization.

The challenges for security teams continue to increase in the face of ever-changing environments and attackers leveraging the speed and scalability of modern IT environments. The pace and complexity of these changes ushers in a new chapter in the evolution of information security teams; today, security teams must also become risk management experts. Whether you're a team of one or many, you're faced with making decisions across multiple levels of your organization in order to more effectively mitigate risk. 

In our latest whitepaper, 3 Levels of Security Strategy for Business Risk Decisions, we dive into the three levels of decision-making strategies security teams need to perform: 

  • executive;

  • strategic; and

  • tactical.


The decision-making process across each of these levels involves much nuance and can be complex. Here, we'll show you some examples of the types of decisions required at each level and how the right metrics and tools can help you improve decision-making across all three levels in order to uplevel your security program efficacy. 

Executive-level decisions

At the executive level, security leaders deal with two distinct areas of decision support: relaying information and metrics about the organization's security and risk posture to their C-suite business counterparts, and making their own executive-level decisions that provide direction and support for their security team.

In support of their C-suite peers, security executives will typically ask their security teams for a wide variety of information to help guide business, revenue and liability decisions that affect the entire organization. To improve decision making at this level, the metrics provided by the security team must be risk based and framed in a way that aligns with business drivers.

For example, because business leaders need security information to be communicated within the broader context of the organization's goals, they won't find much value looking at the raw number of malware programs blocked by endpoint protection software or the total number of vulnerabilities patched this month. These represent a total volume number without any business context. Instead, security leaders should consider looking at the percentages of discovered critical risk vulnerabilities eliminated within the established Service Level Agreement (SLA) timeframe or the trend of risk reduction broken out by a major business function, such as the organization's primary e-commerce website, or the main data center in New York.

Viewing security performance through a broader lens enables security leaders to provide valuable context to business executives, so they can see how the security program is being effective and decide if there are areas where they must invest more resources to further mitigate and reduce risk within the business.


These same metrics, when viewed through the lens of solely the security team's perspective, represent the amalgam of all the efforts being driven by all members and decision-making levels of the team. In this way, CISOs and other executive-level security leaders can measurably determine if the vision for the security team is being successfully realized by other team members and that the strategic- and tactical-level decisions are effective in reducing risk in a tangible way. Of course, if these metrics are showing a downward trend, this allows for security leaders to course correct and identify areas that need more management support in order to clear obstacles, acquire more resources, hire more staff or bring in additional, outside assistance. 

Strategic-level decisions

As you move down the org chart within the security team, the strategic-level decision makers (commonly directors, team leads or other mid-tier managers, but can also be senior technical experts or analysts) must support the executive-level teams to make better decisions for the overall direction of the business while also helping the tactical-level teams be more efficient and effective in their remediation efforts to reduce risk. 

Prioritization of risk is key to best support the tactical-level teams, where the day-to-day operational decisions are critical to ensure the organization is focusing resources on the most critical areas where remediation will have the biggest impact. As you work to translate the business requirements to operational execution, asset criticality is key to understand not only where to reduce the most critical risks to the business overall, but to help operational teams prioritize their work efforts more efficiently and effectively. 

By understanding the business criticality of assets in your organization, whether by location of the asset, exposure to the internet, the type of device, what business function it supports, or any number of other factors, you can apply a more risk-based approach to your remediation workflows.    

For the overall management of your security program, it's also important to understand whether or not the policies, processes and procedures are working as expected and are helping increase maturity over time. It's important that strategic-level decisions support the other two levels of decision making. By constantly refining and improving the security program through better strategic decisions, one can demonstrate that the program is effective and that it is continuing to improve, which is an important indication of business value for executive-level decision makers. Having executives understand that there is business value in what you're doing to improve the security program is not just critical to the team's success, but can be used to support requests for additional budgetary and staffing allotments. It's here, then, that measuring the effectiveness of your assessment and remediation processes from a maturity standpoint not only allows for the strategic-level decision maker to shuffle resources where needed to improve these workflows, but also supports the overall business requirements to continuously reduce risk and drive more ROI through efficiency and process optimizations.

Tactical-level decisions

Whether or not the security team is directly involved in the operational execution of active remediation efforts, they still play a critical role in helping execute these day-to-day patching and remediation tasks effectively and efficiently. 

By translating security findings into specific recommendation steps, the security team can make it easier for the operations teams to quickly understand what needs to be done and efficiently build the proper workflow to perform the necessary remediation steps. A more seamless integration between the security and operational processes here means improved program efficacy overall, which creates better value and reduces more tangible risk to the organization.

Each level brings its own unique challenges when it comes to decision making. But armed with the right insights and perspectives, you can make — and demonstrate — tangible improvements in program efficacy.

Learn more 

New In Nessus: Find and Fix These 10 Active Directory Misconfigurations

Let's face it: Active Directory is a feeding frenzy for hackers. Here's how our updated Nessus scan engine can help you disrupt attack paths.

Active Directory (AD) has been the leading identity and access management solution for organizations over the past 20 years. It's an impressive lifespan for a product that hasn't fundamentally evolved since its first release.

Such stability is commendable and has allowed Active Directory users — a whopping 90% of the Global Fortune 1000 — to implement long-lasting authentication and authorization strategies rooted in solid ground.

On the downside, this stability gave plenty of time for threat actors to skill up and design equally solid AD-centric attacks from external and internal positions alike. The situation is compounded by the fact that most organizations designed their AD implementations years ago and rarely revisit them with an eye toward present-day security threats.

Today, let's face it: AD is a feeding frenzy for hackers

Behind every headline-grabbing breach or critical infrastructure-crippling ransomware attack is a misconfigured AD deployment. Ok, maybe not all of them, but the vast majority of attacks — whether sophisticated or by-the-book — require flaws in AD which allow an attacker to move laterally and gain those all-important admin privileges.

If cybercrime is an existential threat to our society, then all organizations need to be informed immediately of the state of (in)security of their AD. Only then will they be able to truly align their security tactics with the reality of their threat landscape.

This is why Tenable recently acquired Alsid and released Tenable.ad. We understand how AD plays a critical role in managing single sign-on processes and the level of access users are granted once authenticated. Tenable.ad provides holistic AD security enabling you to find and fix existing weaknesses and detect ongoing attacks in real time without the need to deploy agents or use privileged accounts. And when combined with our industry-leading Risk-based Vulnerability Management solution, Tenable.ad can disrupt the attack path, ensuring attackers struggle to find a foothold and have no next step if they do.

Today, we're going a step further in our AD security journey. We have incorporated 10 foundational AD checks directly in Nessus. Now, users of Nessus Essentials, Nessus Professional, Tenable.sc, Tenable.io and Tenable.ep can detect commonly exploited weaknesses to help protect credentials and prevent privilege escalation. These plugin checks generally fall into two categories:

  1. Password and credential protection to help prevent attackers from implementing brute-force attacks on credentials and impersonating other users or accounts.
  2. Privilege escalation and lateral movement to limit the ability for attackers to obtain excessive rights or privileges to move across domains.

The full list of AD plugins is as follows:

Password and Credential Protection

Kerberoasting: A Domain admin or Enterprise admin account is vulnerable to the Kerberoasting attack.
  • Kerberoasting is a password-cracking attack that eventually allows threat actors to impersonate legitimate users. Attackers typically leverage this method against admin accounts to achieve lateral movement and domain domination.
  • This check ensures no admin account is vulnerable to such attacks.

Weak Kerberos encryption: The Kerberos encryption is too weak on one user account, leading to potential credential theft.
  • Kerberos still accommodates older encryption protocols that are vulnerable to brute-force attacks. Attackers systematically look for such deprecated protocols so they can uncover users' credentials.
  • This check ensures no vulnerable encryption protocols are leveraged for Kerberos authentication.

Kerberos pre-authentication validation: Kerberos pre-authentication is disabled on one user account, leading to potential credential theft.
  • Attackers routinely target accounts with disabled pre-authentication with AS-REP roasting attacks to guess their passwords.
  • This check uncovers accounts which do not implement pre-authentication handshakes and are susceptible to password theft.

Non-expiring account password: A user account may never renew its password.
  • AD accounts can be configured to escape global password renewal policies, thus breaching the most elementary hygiene best practice and allowing attackers to execute password-guessing scenarios at will.
  • This check identifies users and administrators matching this non-expiring password attribute.

Unconstrained delegation: Unconstrained delegation is allowed on a computer account, allowing potential credential theft.
  • When a user authenticates on a server that is trusted for delegation, a copy of the user's credentials is sent to the server by the domain controller. Attackers routinely hunt for weak servers with trusted delegation so they can compromise them and eventually get sent all the credentials they need to achieve domain dominance.
  • This check verifies this trusted delegation property is only allowed on trusted servers such as domain controllers.

Null sessions: The Anonymous or Everyone group is part of the "Pre-Windows 2000 Compatible Access" group, allowing null session attacks.
  • The Pre-Windows 2000 Compatible Access group is a backward-compatibility mechanism with read permissions on most of the domain data. By default, this group allows unauthenticated users, including attackers, to perform target discovery and to carry out brute-force attacks.
  • This check verifies the Pre-Windows 2000 Compatible Access usages, in accordance with security best practices.

Privilege Escalation and Lateral Movement Prevention

Kerberos KRBTGT: The Kerberos master key is too old and could be used as a backdoor.
  • Every AD domain harbors a special, all-powerful account called KRBTGT. This account is literally the key to everything in the domain and is therefore an invaluable target for attackers.
  • This check ensures this master key is set to be renewed at least once every two years, as best practices recommend.

Dangerous trust relationship: No security mechanism has been activated on a trust relationship, allowing lateral movement across AD domains.
  • Trust relationships are integral to the way AD operates, and are meant to allow legitimate lateral movement. Threat actors typically try — and succeed — to exploit this mechanism to their advantage to achieve lateral movement.
  • This check verifies the feasibility of two common attack scenarios aimed at exploiting legitimate trust relationships: SID History Injection and Printer Bug Exploit.

Primary Group ID integrity: A potential backdoor using the Primary Group ID has been found on a user account.
  • Primary Group ID is an AD feature that was created to support legacy UNIX applications which didn't support more traditional group membership settings. Primary Group ID is often overlooked by admins and tools and can allow attackers to escalate their rights without being formal members of a privileged group.
  • This check uncovers Primary Group ID mechanism usages, in accordance with security best practices.

Blank passwords: A user account may use a blank password to authenticate on the domain.
  • Accounts without a password are obvious targets for attackers seeking to elevate their privileges.
  • This check verifies no such account exists.
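For readers who want to see what these ten checks look like as a directory query, here is an added, read-only PowerShell audit that is not Tenable's plugin code. It assumes the RSAT ActiveDirectory module, a domain-joined host and an account with ordinary read access; the function and finding names are this example's own, and the bit values and well-known SIDs are the documented Microsoft ones. The trust and encryption-type checks are approximations of what the plugins describe, not their exact logic.

```powershell
# Added example (not Tenable plugin code): read-only audit for the ten AD weaknesses above.
Import-Module ActiveDirectory

# userAccountControl bit flags (documented values for the attribute)
$UAC_PASSWD_NOTREQD         = 0x000020   # blank password allowed
$UAC_DONT_EXPIRE_PASSWORD   = 0x010000   # password never expires
$UAC_TRUSTED_FOR_DELEGATION = 0x080000   # unconstrained delegation
$UAC_DONT_REQ_PREAUTH       = 0x400000   # Kerberos pre-authentication disabled
# LDAP bitwise-AND matching rule, so the domain controller does the flag filtering
$BitAnd = '1.2.840.113556.1.4.803'

function Get-ADWeaknessReport {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Check, $Object, $Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Object = $Object; Detail = $Detail })
    }

    # 1. Kerberoasting: a Domain/Enterprise Admin that carries a servicePrincipalName
    $admins = foreach ($g in 'Domain Admins', 'Enterprise Admins') {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq 'user'
    }
    foreach ($a in ($admins | Sort-Object -Property distinguishedName -Unique)) {
        $u = Get-ADUser -Identity $a.distinguishedName -Properties servicePrincipalName
        if ($u.servicePrincipalName) { Add-Finding 'Kerberoasting' $u.SamAccountName ($u.servicePrincipalName -join ';') }
    }

    # 2. Weak Kerberos encryption: allowed etypes explicitly set but without AES
    #    (msDS-SupportedEncryptionTypes bits: DES=0x1|0x2, RC4=0x4, AES128=0x8, AES256=0x10)
    Get-ADUser -Filter * -Properties 'msDS-SupportedEncryptionTypes' | ForEach-Object {
        $enc = $_.'msDS-SupportedEncryptionTypes'
        if ($enc -and (($enc -band 0x18) -eq 0)) { Add-Finding 'Weak Kerberos encryption' $_.SamAccountName ('etypes=0x{0:X}' -f $enc) }
    }

    # 3, 4, 10. Flag-based user checks: pre-auth disabled, non-expiring password, blank password allowed
    $flagChecks = @{
        'Kerberos pre-authentication disabled' = $UAC_DONT_REQ_PREAUTH
        'Non-expiring password'                = $UAC_DONT_EXPIRE_PASSWORD
        'Blank password permitted'             = $UAC_PASSWD_NOTREQD
    }
    foreach ($check in $flagChecks.Keys) {
        $filter = '(userAccountControl:{0}:={1})' -f $BitAnd, $flagChecks[$check]
        Get-ADUser -LDAPFilter $filter | ForEach-Object { Add-Finding $check $_.SamAccountName 'userAccountControl flag set' }
    }

    # 5. Unconstrained delegation on computers that are not domain controllers
    #    (primaryGroupID 516 = Domain Controllers, 521 = read-only DCs)
    $filter = '(userAccountControl:{0}:={1})' -f $BitAnd, $UAC_TRUSTED_FOR_DELEGATION
    Get-ADComputer -LDAPFilter $filter -Properties primaryGroupID |
        Where-Object { $_.primaryGroupID -notin 516, 521 } |
        ForEach-Object { Add-Finding 'Unconstrained delegation' $_.Name 'TRUSTED_FOR_DELEGATION on non-DC' }

    # 6. Null sessions: Everyone (S-1-1-0) or Anonymous Logon (S-1-5-7) in Pre-Windows 2000 Compatible Access
    $pre2k = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member
    foreach ($m in $pre2k.member) {
        if ($m -match '^CN=(S-1-1-0|S-1-5-7),') { Add-Finding 'Null sessions' $pre2k.Name "member $m" }
    }

    # 7. KRBTGT: master key older than the two-year rotation the check expects
    $krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    $age = (Get-Date) - $krbtgt.PasswordLastSet
    if ($age.TotalDays -gt 730) { Add-Finding 'Kerberos KRBTGT' 'krbtgt' ('password age {0:N0} days' -f $age.TotalDays) }

    # 8. Dangerous trusts: SID filtering off (SID History injection) or TGT delegation on (printer bug)
    Get-ADTrust -Filter * | ForEach-Object {
        $sidFilter = if ($_.ForestTransitive) { $_.SIDFilteringForestAware } else { $_.SIDFilteringQuarantined }
        if (-not $_.IntraForest -and -not $sidFilter) { Add-Finding 'Dangerous trust relationship' $_.Name 'SID filtering disabled' }
        if ($_.TGTDelegation) { Add-Finding 'Dangerous trust relationship' $_.Name 'TGT delegation enabled' }
    }

    # 9. Primary Group ID: users whose primary group is not Domain Users (513) or Domain Guests (514)
    Get-ADUser -Filter * -Properties primaryGroupID |
        Where-Object { $_.primaryGroupID -notin 513, 514 } |
        ForEach-Object { Add-Finding 'Primary Group ID integrity' $_.SamAccountName "primaryGroupID=$($_.primaryGroupID)" }

    return $findings
}

# Usage: Get-ADWeaknessReport | Sort-Object Check | Format-Table -AutoSize
```

Every query here is a read of attributes that any authenticated user can normally see, which is the same vantage point the page attributes to attackers; running it yourself, before a scanner or an adversary does, is the point of the exercise. Treat the unconstrained-delegation and trust results as starting points for review rather than automatic fixes, since some of them can be intentional.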

In addition to the new AD plugins, we have also created a new scan template (Active Directory Starter Scan) and a preconfigured dashboard (Getting Started with Active Directory Security) to help you easily discover and analyze these basic AD weaknesses. The new AD plugins and scan template are available in Nessus Essentials, Nessus Professional, Tenable.sc, Tenable.io and Tenable.ep. The new preconfigured AD security dashboards are available in Tenable.sc, Tenable.io and Tenable.ep.

Tenable has created a new scan template to support AD security.

Example of the new pre-configured Tenable dashboard for getting started with AD security.

These new AD security capabilities in the Nessus scan engine are a great first step toward disrupting attack paths before you are ready to embark on a more comprehensive AD security program. 

While we're on the topic of AD security, we're excited to announce the release of Tenable.ad 3.1 with a number of enhancements to help you detect critical Indicators of Attack (IoA) faster. New filters and visualizations help threat hunters accelerate their efforts to isolate malicious behavior and turn attacks into attempts.

Learn more

How Risk-based VM Can Help Address the Most Commonly Exploited Vulnerabilities Today

Tenable's analysis of the 29 vulnerabilities highlighted in a recent CISA alert reveals key differences between CVSS and our Vulnerability Priority Rating.

Attackers continue to exploit known and prevalent vulnerabilities. Last year, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Federal Bureau of Investigation (FBI) issued a joint alert identifying the top 10 most commonly exploited software vulnerabilities between 2016-2019. On July 28, CISA and the FBI teamed up with the Australian Cyber Security Centre (ACSC) and the United Kingdom's National Cyber Security Centre (NCSC) to issue a joint Cybersecurity Advisory providing details on the top 29 vulnerabilities routinely exploited by threat actors in 2020 and the first half of 2021. While 30 vulnerabilities are referenced in the alert, one vulnerability (CVE-2018-13379) is listed twice for both 2020 and 2021. This alert reinforces long-known cybersecurity best practices, while also providing specific intelligence about the current threat landscape. It underscores the levels of cyber risk organizations face due to critical vulnerabilities that are left unpatched.

A close look at these vulnerabilities highlights the benefits of taking a risk-based approach to vulnerability management utilizing the Tenable Vulnerability Priority Rating (VPR) found in Tenable.io, Tenable.sc and Tenable Lumin. VPR helps organizations improve their remediation efficiency and effectiveness by rating vulnerabilities based on severity level determined by two components: 

  1. The technical impact of the vulnerability if successfully exploited.
  2. The predicted threat landscape over the next 28 days.

At the heart of VPR are machine learning-based algorithms working together to forecast threats using 20 trillion aspects of asset, vulnerability and threat data points along with intelligence reflecting changes in the threat landscape. Specifically, VPR seeks to answer the question: What is the near-term threat level of a vulnerability based on the latest available data? The result is a more precise measurement of risk that organizations can use to prioritize their remediation efforts.

We analyzed the vulnerabilities contained in the joint advisory and compared the associated CVSSv3 ratings to the VPR score as of July 28, 2021. It's important to note that individual VPR scores may change over time as they reflect changes in the threat environment. The results are shown in the table below:

CVSS vs VPR scoring comparison: top exploited vulnerabilities (as of July 28, 2021)

Vulnerability severity | CVSSv3 number of CVEs | VPR number of CVEs
---------------------- | --------------------- | ------------------
Critical (>9.0)        | 18                    | 24
High (7.0-8.9)         | 10                    | 1*
Medium (<7.0)          | 1                     | 4*

* Note that while there is currently one CVE rated as High and four CVEs rated as Medium today based on VPR, all five were rated as Critical at various times within the past six months.  
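Two pieces of reasoning on this page are easy to show in a few lines of code: the CVSS-versus-VPR tabulation above, and the executive-level metric from the decision-making article earlier ("percentage of critical vulnerabilities eliminated within the SLA" rather than a raw count). The PowerShell below is an added example, not Tenable's VPR implementation and not a Tenable API; it takes findings already enriched with a CVSSv3 and a VPR score. The two real CVE/score pairs are the ones quoted in the analysis (CVE-2021-27102 at 7.8/9.4 and CVE-2017-11882 at 7.8/9.9); every other row, and all asset names, criticality values and dates, are constructed placeholders.

```powershell
# Added example (not Tenable's VPR code): severity-band comparison, a risk-based
# remediation queue, and the "% of VPR-Critical findings fixed within SLA" metric.

function Get-SeverityBand([double]$Score) {
    # Same bands as the comparison table above; Low is added for completeness
    if ($Score -ge 9.0) { 'Critical' } elseif ($Score -ge 7.0) { 'High' } elseif ($Score -ge 4.0) { 'Medium' } else { 'Low' }
}

function Compare-SeverityDistribution($Findings) {
    # Counts findings per band under each scoring system, the shape of the table above
    foreach ($band in 'Critical', 'High', 'Medium', 'Low') {
        [pscustomobject]@{
            Band   = $band
            CVSSv3 = @($Findings | Where-Object { (Get-SeverityBand $_.CVSSv3) -eq $band }).Count
            VPR    = @($Findings | Where-Object { (Get-SeverityBand $_.VPR) -eq $band }).Count
        }
    }
}

function Get-RemediationQueue($Findings, [int]$SlaDays = 30) {
    # Risk-based ordering: VPR first, then asset criticality, then due date.
    # Also marks open findings whose SLA clock (counted from discovery) has run out.
    $today = Get-Date
    $Findings | ForEach-Object {
        $due = $_.Discovered.AddDays($SlaDays)
        [pscustomobject]@{
            CVE = $_.CVE; Asset = $_.Asset; Criticality = $_.AssetCriticality
            CVSSv3 = $_.CVSSv3; VPR = $_.VPR; VPRBand = Get-SeverityBand $_.VPR
            DueDate = $due.ToString('yyyy-MM-dd')
            Overdue = (-not $_.Fixed) -and ($due -lt $today)
        }
    } | Sort-Object -Property @{Expression='VPR';Descending=$true}, @{Expression='Criticality';Descending=$true}, DueDate
}

function Get-SlaCompliance($Findings, [int]$SlaDays = 30) {
    # The board-level metric: share of VPR-Critical findings closed within the SLA window
    $critical = @($Findings | Where-Object { (Get-SeverityBand $_.VPR) -eq 'Critical' })
    if ($critical.Count -eq 0) { return 0 }
    $inSla = @($critical | Where-Object { $_.Fixed -and ($_.Fixed - $_.Discovered).TotalDays -le $SlaDays })
    [math]::Round(100 * $inSla.Count / $critical.Count, 1)
}

# Constructed sample findings: assets, criticality (1-5) and dates are placeholders;
# the first two CVE/score pairs are the ones quoted in the analysis above.
$sample = @(
    [pscustomobject]@{ CVE='CVE-2021-27102';    CVSSv3=7.8; VPR=9.4; Asset='app-gw-01';     AssetCriticality=5; Discovered=[datetime]'2021-07-01'; Fixed=[datetime]'2021-07-20' },
    [pscustomobject]@{ CVE='CVE-2017-11882';    CVSSv3=7.8; VPR=9.9; Asset='ws-finance-07'; AssetCriticality=3; Discovered=[datetime]'2021-06-15'; Fixed=$null },
    [pscustomobject]@{ CVE='CVE-PLACEHOLDER-1'; CVSSv3=9.8; VPR=5.2; Asset='lab-vm-03';     AssetCriticality=1; Discovered=[datetime]'2021-07-10'; Fixed=$null },
    [pscustomobject]@{ CVE='CVE-PLACEHOLDER-2'; CVSSv3=6.5; VPR=9.1; Asset='dc-ny-01';      AssetCriticality=5; Discovered=[datetime]'2021-05-01'; Fixed=[datetime]'2021-06-25' }
)

Compare-SeverityDistribution $sample | Format-Table -AutoSize
Get-RemediationQueue $sample -SlaDays 30 | Format-Table -AutoSize
"VPR-Critical findings fixed within SLA: $(Get-SlaCompliance $sample -SlaDays 30)%"
```

With this sample the CVSS-only view puts one finding in Critical while the VPR view puts three there, and the third placeholder (CVSS 9.8, VPR 5.2, on a low-criticality lab host) drops to the bottom of the queue instead of the top. The compliance figure comes out at one of three VPR-Critical findings closed inside 30 days, which is the kind of number a CISO can trend over time and break out by business function as the earlier article suggests.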

Prioritize based on actual cyber risk 

A close reading of the July 28 CISA alert sheds light on a number of issues facing organizations as they seek to remediate vulnerabilities and protect themselves from attack. 

  • A Critical rating for a vulnerability suggests to security practitioners that it be prioritized for remediation. Since 11 out of the 29 vulnerabilities in the CISA alert are rated as High or Medium, rather than Critical, organizations using CVSS scores for prioritizing their remediation efforts may be slow to patch more than 33% of these vulnerabilities. In comparison, using Tenable's VPR, 24 of the 29 vulnerabilities flagged by CISA are rated as Critical. For example, the vulnerability in Accellion (CVE-2021-27102) has a High CVSS score (7.8) while the VPR score is Critical (9.4) due to high threat intensity and elevated chatter on the Dark Web.

  • The threat landscape is dynamic, and a vulnerability severity rating needs to reflect that reality. Yet CVSS scores are static, while VPR scores change over time based on changes to the threat landscape. A great example of the value of a dynamic approach to severity ratings can be seen with the four CVEs rated today as Medium by VPR. As recently as June 2021, three out of the four in this group — CVE-2021-22894, CVE-2021-22899 and CVE-2021-22900, which are Pulse Connect Secure vulnerabilities — had a Critical VPR. The fourth (CVE-2019-5591) is a Fortinet vulnerability rated as Critical by VPR from April through June 2021. Organizations need to take into account the changing threat landscape for individual vulnerabilities as they prioritize their mitigation efforts to reflect the current state of the risk posed by each vulnerability.

  • The report highlights the problem of persistent vulnerabilities that are well-known, remain undetected and/or unpatched and are attractive to bad actors. One third of the vulnerabilities in the CISA alert have been known for two or more years, including one dating back to 2017. The four-year-old vulnerability, CVE-2017-11882 (a memory corruption vulnerability in Microsoft Office), has a CVSS score of 7.8 (High) and a VPR score of 9.9 (Critical) because of the high threat recency, threat intensity and numerous threat events. Ineffective remediation and patching practices allow attackers to continue exploiting these publicly known and dated vulnerabilities.

In addition to the VPR severity analysis, our analysis of the CISA alert reveals a few other interesting findings:

  • The vulnerabilities listed in the report highlight the impact of COVID-19 on the work environment and the resultant security issues that have arisen from the pandemic. The alert discusses malicious actors targeting "perimeter-type devices," highlighting Microsoft Exchange, Pulse Secure, Accellion and Fortinet. There's a detailed blog post about critical vulnerabilities affecting the remote workforce here.

  • The most exploited flaw is an unauthenticated remote code execution vulnerability in Citrix ADCs and Gateways. Exploit scripts for the Citrix vulnerability exist in the wild. If successful, attackers can obtain LDAP passwords and cookies from vulnerable hosts. You can read more about this Citrix vulnerability in this Tenable blog.

  • Tenable customers should be aware that plugins exist for all the vulnerabilities listed in the report. The plugins can be found here. In the vast majority of cases, Tenable releases plugins for high-profile vulnerabilities within 24 hours on average.

What to do next

Pay even greater attention to risk: now's the time to take a risk-based approach to managing vulnerabilities. Unlike legacy vulnerability management, Risk-based Vulnerability Management (RBVM) goes beyond just discovering vulnerabilities; RBVM is a process that helps you understand vulnerability risks with threat context and insight into potential business impact. It helps you cut through vulnerability overload so you can focus on the relatively few vulnerabilities that pose the most risk to your enterprise.

Armed with the data found in the advisory, scan your attack surface immediately and make sure your vulnerability management solution can detect all of the listed vulnerabilities. For those who have not yet taken a risk-based approach, we recommend the RBVM best practices of scanning everything (using authenticated scans whenever possible) and prioritizing your remediation by taking into account threat intelligence and machine learning techniques that rank vulnerabilities based on the risk they pose. It's all about fixing first what matters the most.

Learn More

How to Strengthen Active Directory and Prevent Ransomware Attacks

Ransomware attacks do not always follow the same steps, but addressing these three trends will allow you to secure Active Directory and disrupt attacks.

Attacks are plaguing organizations around the world every day. New ransomware variants, new exploits, more tactics … it seems the attackers come up with something new every week. But there is a silver lining. Every new attack and breach offers an opportunity to analyze the process the attacker took. From this analysis, we see three distinct trends emerging. By analyzing these trends and securing the tools an attacker is most likely to rely on to be successful, security professionals can reduce risk.

Trend 1: vulnerabilities and misconfigurations

Ransomware attackers are initially compromising enterprises by one of two attack methods:

  • Attackers are exploiting vulnerabilities within the hardware, operating systems, software, applications, etc. of the devices they target. We all know that patching is essential, but it can be like remembering to take our vitamins: we often forget or can't be bothered because we don't see the benefits until it is too late. So, we'll say it again: patch your systems (and take your vitamins, too!).
  • Attackers are leveraging misconfigurations related to hardware, operating systems, software, applications, etc. Just as there are thousands of vulnerabilities to patch, there are thousands of security settings to be configured, many of which are not secured correctly. With simple queries, an attacker can determine what is running on the device they've compromised, allowing them to know exactly which misconfigurations to look for. Securing these configurations before the attacker can ever see them is essential.

Trend 2: gaps in existing tools and practices

Current security tools and practices are not sufficient to secure our networks. The following is a list of common tools and practices. While each of these is useful, they all leave security teams with major gaps in coverage:

  • Pen testing
  • Assessments
  • Audits
  • Active Directory monitoring
  • SIEM solutions
  • User Behavior Analytics
  • Artificial Intelligence
  • Endpoint Detection and Response (EDR) and antivirus (AV)

Many of these solutions offer point-in-time visibility, meaning the results are quickly outdated. Other solutions might be more continuous, but they are not digging into the depths of the network infrastructure to give information at the level the attacker sees.

Trend 3: Active Directory is a pathway

Regardless of the entry point a ransomware attacker targets, Active Directory is always involved as a next step in the attack. Over and over again we see forensic proof that Active Directory was leveraged to move laterally and gain privileges in order to deploy ransomware.

For example, RYUK and XingLocker (a variant of MountLocker) specifically need Active Directory to be involved, otherwise these attacks fail. Attackers know how to enumerate and analyze Active Directory, so they rely on it for a successful breach and deployment of their malicious software. Active Directory is at the center of authentication and resource access for most organizations, which is another key reason attackers love to leverage it.

The solution: three steps for reducing ransomware risk

Bucking these three trends, and addressing the key tools in your infrastructure that are most likely to gain the focus of the attackers, will help you see and target what the attackers are targeting. The following three steps are foundational for securing Active Directory and managing vulnerabilities to reduce the risk of ransomware.

  1. All of the environment needs to be secured, immediately. Easy to say, not so easy to do. The existing hardware, operating systems, applications, software and Active Directory itself all need to be secured. Security professionals should expect an attacker to enumerate and analyze any and all aspects of the network and prepare accordingly.
  2. The work invested in securing your network and all devices should not go to waste. Once you have patched and secured configurations throughout the network, including Active Directory, these efforts need to be maintained constantly. That means 24x7 continuous and automatic analysis of all vulnerabilities and configurations needs to occur. Think of it as continuously keeping your attack surface as small as possible.
  3. The ability to detect attacks is vital. Simpler attacks, such as password spraying and guessing, need to be detected as soon as they are started, so they can be shut down immediately. Likewise, even more advanced attacks, like DCSync, DCShadow and Golden Ticket, which are all used to leverage Active Directory, need to be detected as they occur. Due to the nature of these attacks, many commonly available tools cannot correctly detect them. Yet, these advanced attacks are used for persistence and backdoors, as well as to open up new attack paths. Sophisticated solutions are needed to fill these gaps in monitoring and detection.
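Step 3 says the simpler attacks, password spraying and guessing, need to be detected as soon as they start. Here is an added PowerShell detection for exactly that, written for this page and not a Tenable.ad feature, built on Windows Security event 4625 (failed logon). The spray signature is one source failing against many distinct accounts with few attempts each, while one source hammering a single account is plain guessing. The function names, the thresholds and the sample events are this example's own; the event XML field names (TargetUserName, IpAddress, Status) are the documented ones for 4625.

```powershell
# Added example (not Tenable.ad code): password-spray and password-guessing detection
# over Windows Security event 4625 records.

function ConvertFrom-FailedLogonEvent {
    # Pulls the fields we need out of real 4625 events. Typical use:
    #   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 5000 | ConvertFrom-FailedLogonEvent
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $Event.TimeCreated
            Account = $d['TargetUserName']
            Source  = $d['IpAddress']
            Status  = $d['Status']
        }
    }
}

function Find-PasswordSpray {
    param(
        [object[]]$Events,              # objects with Time, Account, Source
        [int]$WindowMinutes = 10,       # sliding window for counting distinct targets
        [int]$MinDistinctAccounts = 5,  # distinct accounts one source must fail against
        [int]$MinGuessFailures = 20     # failures against one source/account pair to call it guessing
    )
    $results = foreach ($group in ($Events | Group-Object Source)) {
        $sorted = $group.Group | Sort-Object Time
        # Sliding window: for each failure, count distinct accounts in the next WindowMinutes
        $best = 0
        foreach ($e in $sorted) {
            $end = $e.Time.AddMinutes($WindowMinutes)
            $inWindow = @($sorted | Where-Object { $_.Time -ge $e.Time -and $_.Time -le $end })
            $distinct = @($inWindow | Select-Object -ExpandProperty Account -Unique).Count
            if ($distinct -gt $best) { $best = $distinct }
        }
        if ($best -ge $MinDistinctAccounts) {
            [pscustomobject]@{ Source = $group.Name; DistinctAccounts = $best; Failures = $group.Count; Verdict = 'password spray' }
        } elseif ($group.Count -ge $MinGuessFailures) {
            [pscustomobject]@{ Source = $group.Name; DistinctAccounts = $best; Failures = $group.Count; Verdict = 'password guessing (single account)' }
        }
    }
    $results
}

# Constructed sample: 10.0.0.5 tries 8 accounts once each within 3 minutes (spray);
# 10.0.0.9 hits one service account 25 times in 2 minutes (guessing); 10.0.0.7 is a user's two typos.
$t0 = [datetime]'2021-08-01T09:00:00'
$sample = @()
foreach ($i in 0..7)  { $sample += [pscustomobject]@{ Time = $t0.AddSeconds(20 * $i); Account = "user$i";     Source = '10.0.0.5' } }
foreach ($i in 0..24) { $sample += [pscustomobject]@{ Time = $t0.AddSeconds(5 * $i);  Account = 'svc-backup'; Source = '10.0.0.9' } }
foreach ($i in 0..1)  { $sample += [pscustomobject]@{ Time = $t0.AddMinutes($i);      Account = 'alice';      Source = '10.0.0.7' } }

Find-PasswordSpray -Events $sample -WindowMinutes 10 -MinDistinctAccounts 5 | Format-Table -AutoSize
```

On the constructed sample this reports 10.0.0.5 as a spray (8 distinct accounts) and 10.0.0.9 as guessing (25 failures, 1 account), and stays silent on 10.0.0.7. Two operational caveats: 4625 is written on the host where the logon failed, so for domain accounts you would normally collect the domain controllers' Kerberos (4771) and NTLM (4776) failures as well, and the thresholds should be tuned against your own baseline of normal failed-logon volume before this is wired to an alert.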

Learn more

Unpacking the U.S. National Security Memorandum on Improving Cybersecurity for Critical Infrastructure

Recent activity from the Biden Administration represents a watershed moment in the establishment of baseline standards for preparing, mitigating and responding to attacks that impact the critical infrastructure we all rely on.

On July 28, the Biden Administration issued the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. Given the recent increase in attacks on critical infrastructure and industrial operations, this is a much-needed step to protect U.S. critical infrastructure from cyberattacks, and comes on the heels of the Cybersecurity and Infrastructure Security Agency (CISA) guidance on Ransomware for OT issued in June 2021.

In the July 28 memorandum, the White House calls for a "whole-of-nation" effort to secure critical infrastructure from "growing, persistent, and sophisticated cyber threats" that could have "cascading physical consequences [and] . . . a debilitating effect on national security, economic security, and the public health and safety of the American people."   

The memorandum and the earlier CISA guidance on ransomware for OT represent a watershed moment in the establishment of baseline standards for preparing, mitigating and responding to attacks that can emanate from a variety of attack paths. With the rapid convergence of IT and OT infrastructures, new paths for attacks are emerging and have already been proven to directly impact the critical infrastructure we all rely on.  

What it means

The most substantive thrust of these government actions is recognizing and acting on the accelerated trend of reconnaissance and attack by establishing the Industrial Control Systems (ICS) Cybersecurity Initiative. The ICS Initiative is a voluntary, collaborative effort between the federal government and the critical infrastructure community to protect U.S. critical infrastructure "by encouraging and facilitating deployment of technologies and systems that provide threat visibility, indications, detection, and warnings, and that facilitate response capabilities for cybersecurity in essential control system and operational technology networks," with a primary goal of "greatly expand[ing] deployment of these technologies across priority critical infrastructure."

Under the Initiative, the federal government will work with industry to share threat information for priority control system critical infrastructure, and sector risk management agencies will work with critical infrastructure stakeholders to implement the principles and policy outlined in the July 28 memorandum. 

The Initiative began in mid-April with an electricity subsector pilot. Over 150 electricity utilities representing almost 90 million residential customers are either deploying or have agreed to deploy control system cybersecurity technologies, a move that will be instrumental in stopping future attacks on our critical infrastructure.  In light of some of the most recent global attacks targeting oil and gas pipelines, a new action plan for natural gas pipelines is underway, and additional initiatives for other sectors will follow later this year.  The pilot plan for the electricity subsector could serve as an effective model. 

The bar is set

The memorandum calls for the creation of cyber performance goals for critical infrastructure companies, including the establishment of baseline cybersecurity performance standards and goals consistent across all critical infrastructure sectors that would be  jointly developed by CISA and the National Institute of Standards and Technology (NIST). Looking into the immediate future, the U.S. Department of Homeland Security (DHS) will issue preliminary goals for control systems across critical infrastructure sectors by September 22, 2021, followed by final cross-sector control system goals, and sector-specific goals, by July 28, 2022. 

In summary

Tenable encourages CISA and the U.S. government to take an open, technology-neutral, standards-based approach in the development of these goals. Core elements for consideration as the most appropriate and successful methods of disrupting attack paths and securing critical infrastructure and OT environments revolve around three key pillars:

  • Visibility: Gain full visibility and deep situational awareness across your converged IT/OT environment.

  • Security: Protect your industrial infrastructure from advanced cyberthreats and risks posed by hackers and malicious insiders.

  • Control: Take full control of your operations network by continuously tracking ALL changes to any ICS device.


Security professionals tasked with protecting critical infrastructure should use government guidance, such as the most recent memos, to proactively address new and emerging risks that can impact their OT environment and core mission of their organization. 

Learn more 

CVE-2021-1609: Critical Remote Code Execution Vulnerability in Cisco Small Business VPN Routers

Cisco releases patches for Critical vulnerabilities in its line of Small Business VPN Routers.

Background

On August 4, Cisco released several security advisories, including an advisory for two vulnerabilities in a subset of its line of Small Business VPN Routers.

CVE           | Description                                                                  | CVSSv3
------------- | ---------------------------------------------------------------------------- | ------
CVE-2021-1609 | Web Management Remote Code Execution and Denial of Service Vulnerability     | 9.8
CVE-2021-1610 | Web Management Command Injection Vulnerability                               | 7.2

The table below lists which routers in the Small Business line are vulnerable:

Cisco Small Business Router Model              | Status
---------------------------------------------- | --------------
RV340 Dual WAN Gigabit VPN Router              | Vulnerable
RV340W Dual WAN Gigabit Wireless-AC VPN Router | Vulnerable
RV345 Dual WAN Gigabit VPN Router              | Vulnerable
RV345P Dual WAN Gigabit POE VPN Router         | Vulnerable
RV160 VPN Router                               | Not Vulnerable
RV160W Wireless-AC VPN Router                  | Not Vulnerable
RV260 VPN Router                               | Not Vulnerable
RV260P VPN Router with PoE                     | Not Vulnerable
RV260W Wireless-AC VPN Router                  | Not Vulnerable

Analysis

CVE-2021-1609 is a critical-rated vulnerability in Cisco’s web management interface for Cisco Small Business routers that was assigned a CVSSv3 score of 9.8. According to Cisco, the flaw exists due to improper validation of HTTP requests. A remote, unauthenticated attacker could exploit the vulnerability by sending a specially crafted HTTP request to a vulnerable device, resulting in arbitrary code execution as well as the ability to reload the device, resulting in a denial of service.

CVE-2021-1610 is a high-rated command injection vulnerability in the same web management interface. While both flaws exist due to improper validation of HTTP requests and can be exploited by sending specially crafted HTTP requests, CVE-2021-1610 can only be exploited by an authenticated attacker with root privileges. Successful exploitation would grant an attacker the ability to gain arbitrary command execution on the vulnerable device’s operating system.

Cisco is careful to note that both of these vulnerabilities can be exploited independently of each other, and that some versions of the Small Business VPN Router software may only be affected by one of the two vulnerabilities.

Web management interface default exposure is limited

Cisco’s advisory clarifies that the web management interface for its small business VPN routers is available by default through local area network connections and can’t be disabled. Under this default configuration, a local attacker could potentially gain arbitrary code execution. However, Cisco notes that remote management of these devices is disabled by default.

Example of a remotely accessible Small Business VPN Router login page

Over 8,800 devices publicly accessible

Despite the remote management feature being disabled by default, Tenable’s Security Response Team found over 8,800 devices publicly accessible according to BinaryEdge. The table below lists the publicly accessible devices.

| Affected Device | Publicly Accessible |
| --- | --- |
| RV340 | 5,679/5,673 |
| RV340W | 684/685 |
| RV345 | 1,845 |
| RV345P | 642 |
| Total | 8,850 |

Cisco VPN routers historically targeted

In January 2019, Cisco published advisories for two different vulnerabilities in its RV320 and RV325 WAN VPN routers. A few days after the advisories were published, proof-of-concept exploit scripts for these flaws were published, which was followed by active scanning for vulnerable devices. Because of this historical precedent, we believe it is important that organizations patch these latest vulnerabilities as soon as possible.

Proof of concept

At the time this blog post was published, there were no proofs-of-concept (PoC) available for either CVE-2021-1609 or CVE-2021-1610.

Solution

Cisco says that firmware version 1.0.03.22 and later fixes these vulnerabilities in the affected versions of its Small Business VPN Routers. Organizations are strongly encouraged to patch these routers as soon as possible.

If patching is not feasible at this time, a way to mitigate the threat of remote exploitation would be to disable the remote management feature on these devices.

Under the Firewall section, select the Basic Settings menu option then ensure that “Remote Web Management” is unchecked. As mentioned previously, this setting is unchecked — disabled — by default. If it has been enabled, uncheck it and press Apply to update the configuration.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.


CVE-2021-22937: Remote Code Execution Patch Bypass in Pulse Connect Secure

Pulse Secure has patched CVE-2021-22937, a patch bypass for CVE-2020-8260, in its Connect Secure products.

Background

On August 2, Pulse Secure published an advisory and patches for several vulnerabilities, including CVE-2021-22937, a post-authentication remote code execution (RCE) vulnerability in Pulse Connect Secure virtual private network (VPN) appliances. Richard Warren with NCC Group has published a technical advisory for this flaw, explaining it is a patch bypass for CVE-2020-8260 which he disclosed in October 2020.

Analysis

CVE-2021-22937 is an uncontrolled archive extraction vulnerability in the Pulse Connect Secure appliance that allows an authenticated administrator to write arbitrary executable files to the "/home/runtime/tmp/tt/" directory. It received a CVSSv3 score of 9.1. This unrestricted file upload vulnerability is due to a flaw in the way that archive files are extracted in the administrator web interface. Successful exploitation would give attackers root privileges on the targeted appliance.

This vulnerability is a patch bypass for CVE-2020-8260, which Pulse Secure addressed in October 2020 with version 9.1R9. CVE-2020-8260 received a CVSSv3 score of 7.2 and has been actively targeted by attackers. Adjusting the available proof-of-concept (PoC) for CVE-2020-8260 to exploit CVE-2021-22937 is trivial, as Warren explains in his advisory. To address CVE-2020-8260, Pulse Secure added validation to ensure archives only contain “expected files,” but this validation does not apply to all archives, leaving an opening for attackers.

An attacker needs access to an administrator account to exploit this vulnerability, which would normally lower the severity of a flaw like this. Given how simple it is to modify the exploit code for CVE-2020-8260, we expect to see attackers adopt CVE-2021-22937 quickly.
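The flaw class here is uncontrolled archive extraction: the appliance trusts the member names, types and mode bits that arrive inside an uploaded archive, and the fix that was bypassed applied its allow-list of “expected files” to only some archives. The Go program below is an added example, not Pulse Secure's code and not Warren's PoC, of what a hardened extractor checks for every member of every archive before anything is written to disk: traversal and absolute names, link and special-file members, executable mode bits, and membership in an allow-list. The in-memory sample archive, the allow-list names and the rejection strings are all constructed for the example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path"
	"strings"
)

// Rejection reasons, exported so callers can match on them (assumed names for this example).
const (
	RejectTraversal   = "path escapes the extraction directory"
	RejectLink        = "symlink or hardlink member"
	RejectSpecialFile = "non-regular file"
	RejectExecutable  = "executable mode bits set"
	RejectNotExpected = "not in the allow-list of expected files"
)

// checkMember returns "" when a tar header is acceptable, otherwise the rejection reason.
// Path checks run first so that a traversal name is never judged only by its base name.
func checkMember(hdr *tar.Header, allow map[string]bool) string {
	clean := path.Clean(hdr.Name)
	if path.IsAbs(clean) || clean == ".." || strings.HasPrefix(clean, "../") {
		return RejectTraversal
	}
	if hdr.Typeflag == tar.TypeSymlink || hdr.Typeflag == tar.TypeLink {
		return RejectLink // a link lets a later member write through to an arbitrary target
	}
	if hdr.Typeflag != tar.TypeReg && hdr.Typeflag != tar.TypeDir {
		return RejectSpecialFile // devices, FIFOs and the like
	}
	if hdr.Typeflag == tar.TypeReg && hdr.Mode&0111 != 0 {
		return RejectExecutable // the point of the Pulse flaw: no executable may land on disk
	}
	if !allow[clean] {
		return RejectNotExpected
	}
	return ""
}

// CheckTar walks every member before anything touches disk and returns the accepted names
// plus a map of rejected name -> reason. One rejection should fail the whole upload;
// partial extraction is what leaves an opening for an attacker.
func CheckTar(archive []byte, expected []string) (accepted []string, rejected map[string]string, err error) {
	allow := make(map[string]bool, len(expected))
	for _, name := range expected {
		allow[path.Clean(name)] = true
	}
	rejected = make(map[string]string)
	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		hdr, next := tr.Next()
		if errors.Is(next, io.EOF) {
			return accepted, rejected, nil
		}
		if next != nil {
			return nil, nil, fmt.Errorf("corrupt archive: %w", next)
		}
		if reason := checkMember(hdr, allow); reason != "" {
			rejected[hdr.Name] = reason
		} else {
			accepted = append(accepted, hdr.Name)
		}
	}
}

// BuildSampleArchive is constructed sample input (not a real appliance upload): one expected
// file plus four members that a hardened extractor must refuse.
func BuildSampleArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	add := func(name string, mode int64, flag byte, link, body string) {
		hdr := &tar.Header{Name: name, Mode: mode, Typeflag: flag, Linkname: link, Size: int64(len(body))}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		_, _ = io.WriteString(tw, body) // cannot fail: in-memory buffer, Size matches body
	}
	add("config.xml", 0644, tar.TypeReg, "", "<config/>")
	add("../../home/runtime/tmp/tt/run.sh", 0755, tar.TypeReg, "", "#!/bin/sh\n")
	add("notes.txt", 0755, tar.TypeReg, "", "plain text, but executable")
	add("link", 0777, tar.TypeSymlink, "/etc/passwd", "")
	add("extra.txt", 0644, tar.TypeReg, "", "not on the allow-list")
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	accepted, rejected, err := CheckTar(BuildSampleArchive(), []string{"config.xml", "notes.txt"})
	if err != nil {
		panic(err)
	}
	fmt.Println("accepted:", accepted, "\nrejected:", rejected)
}
```

Running it accepts only config.xml and reports the traversal name, the executable notes.txt, the symlink and the unexpected extra.txt, each with its reason. The design point matching Warren's finding is that CheckTar is the single path every archive type goes through; a validator that only some upload handlers call is the shape of bug that CVE-2021-22937 exploited.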

Proof of concept

While there is no direct PoC for CVE-2021-22937, Warren included a screenshot of the changes he made to his PoC for CVE-2020-8260 in his technical advisory for CVE-2021-22937, so we expect to see modified exploit scripts soon.

Solution

Pulse Secure released PCS 9.1R12 to address this and several other vulnerabilities. VPNs in general and Pulse Secure specifically have been persistently targeted by attackers. If your organization deploys these devices, we recommend updating as soon as possible.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

ProxyShell: Attackers Actively Scanning for Vulnerable Microsoft Exchange Servers (CVE-2021-34473)

Three vulnerabilities from DEVCORE researcher Orange Tsai could be chained to achieve unauthenticated remote code execution. Attackers are searching for vulnerable instances to exploit.

Background

Last week at the Black Hat USA and DEF CON security conferences, DEVCORE researcher Orange Tsai presented a talk titled “ProxyLogon is Just the Tip of the Iceberg: A New Attack Surface on Microsoft Exchange Server!” In his Black Hat presentation, he walked through three vulnerabilities in Microsoft Exchange Server:

| CVE | Description | CVSSv3 | VPR* |
| --- | --- | --- | --- |
| CVE-2021-34473 | Microsoft Exchange Server Remote Code Execution Vulnerability | 9.1 | 9 |
| CVE-2021-34523 | Microsoft Exchange Server Elevation of Privilege Vulnerability | 9.0 | 8.4 |
| CVE-2021-31207 | Microsoft Exchange Server Security Feature Bypass Vulnerability | 6.6 | 8.4 |

Source: Tenable, August 2021

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on August 9 and reflects VPR at that time.

Orange Tsai is a prolific researcher who has found many high-severity vulnerabilities in a wide range of products. Most relevant is CVE-2021-26855, aka ProxyLogon, which Tsai reported to Microsoft in January (Volexity and Microsoft Threat Intelligence Center also received credit for discovering this vulnerability). Despite this, ProxyLogon was exploited as a zero-day by the threat group HAFNIUM and other advanced persistent threat actors. Even after Microsoft issued an out-of-band patch for ProxyLogon, it continues to be exploited by threat actors for various types of attacks from cryptomining and creating botnets to ransomware.

Analysis

CVE-2021-34473 is a remote code execution vulnerability and the highest rated of the three, receiving a CVSSv3 score of 9.1. CVE-2021-34523 and CVE-2021-31207 were both initially rated “Exploitation Less Likely” on Microsoft’s Exploitability Index when considered on their own, but chained together they have significant value to attackers. By chaining these vulnerabilities, an attacker could execute arbitrary commands on vulnerable Exchange servers over port 443. Two of the three ProxyShell vulnerabilities, CVE-2021-34473 and CVE-2021-34523, were patched as part of the April 2021 Patch Tuesday release, though Microsoft says they were “inadvertently omitted” from that month’s Security Update Guide. CVE-2021-31207 was patched in May.

Attackers are actively scanning for Exchange Servers vulnerable to ProxyShell

On August 6, security researcher Kevin Beaumont reported attempts to exploit this vulnerability chain in the wild.

Over the following days, several Computer Security Incident Response Teams issued alerts about attackers scanning for vulnerable Microsoft Exchange Servers. Because of how widely exploited ProxyLogon and other Exchange Server vulnerabilities have been so far this year, we recommend organizations patch immediately. Attackers are already finding vulnerable servers to exploit, and it may be prudent to initiate incident response procedures if you know you have unpatched servers on your network.

Proof of concept

After Tsai’s presentations last week, two other researchers published their reproduction of Tsai’s work which included more technical details on how to exploit the vulnerability chain. One of the researchers, Jang, also published a proof-of-concept for ProxyLogon earlier this year.

Vendor response

Microsoft has patched all of these vulnerabilities in its April and May Patch Tuesday releases. CVE-2021-34473 and CVE-2021-34523 were patched in April 2021 but Microsoft did not publish advisories until July.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities can be found here.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Microsoft’s August 2021 Patch Tuesday Addresses 44 CVEs (CVE-2021-26424, CVE-2021-36948)

Microsoft addresses 44 CVEs in its August Patch Tuesday release, including two vulnerabilities publicly disclosed, and one zero-day exploited in the wild.

  • 7 Critical
  • 37 Important
  • 0 Moderate
  • 0 Low

Microsoft patched 44 CVEs in the August 2021 Patch Tuesday release, including seven CVEs rated as critical and 37 rated as important. This is the second time in 2021 that Microsoft has patched fewer than 50 vulnerabilities in a Patch Tuesday release.

This month’s update includes patches for:

  • .NET Core & Visual Studio
  • ASP .NET
  • Azure
  • Azure Sphere
  • Microsoft Azure Active Directory Connect
  • Microsoft Dynamics
  • Microsoft Graphics Component
  • Microsoft Office
  • Microsoft Office SharePoint
  • Microsoft Office Word
  • Microsoft Scripting Engine
  • Microsoft Windows Codecs Library
  • Remote Desktop Client
  • Windows Bluetooth Service
  • Windows Cryptographic Services
  • Windows Defender
  • Windows Event Tracing
  • Windows Media
  • Windows MSHTML Platform
  • Windows NTLM
  • Windows Print Spooler Components
  • Windows Services for NFS ONCRPC XDR Driver
  • Windows Storage Spaces Controller
  • Windows TCP/IP
  • Windows Update
  • Windows Update Assistant
  • Windows User Profile Service

Elevation of privilege (EoP) vulnerabilities accounted for 38.6% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 29.5%.

Critical

CVE-2021-26424 | Windows TCP/IP Remote Code Execution Vulnerability

CVE-2021-26424 is an RCE vulnerability in the Windows implementation of TCP/IP. It received a CVSSv3 score of 9.9 and is more likely to be exploited according to Microsoft’s Exploitability Index. An attacker could remotely exploit this vulnerability by sending a specially crafted TCP/IP packet to a vulnerable Hyper-V host using the TCP/IP protocol stack to process packets. Despite Microsoft naming Hyper-V as the attack vector for this vulnerability, it has issued patches for products that do not use Hyper-V. This may indicate wider impact.

Microsoft patched two similar TCP/IP RCEs in February. CVE-2021-24074 and CVE-2021-24094 both received CVSSv3 scores of 9.8 and were labeled “Exploitation More Likely.” However, in a blog post, Microsoft indicated that exploits would be difficult to develop for these vulnerabilities. It has provided no additional context for CVE-2021-26424.

Critical

CVE-2021-34535 | Remote Desktop Client Remote Code Execution Vulnerability

CVE-2021-34535 is an RCE vulnerability in the Remote Desktop Client. The flaw has received a CVSSv3 score of 8.8 and is considered to be more likely to be exploited. According to the advisory, exploitation is possible in at least two scenarios. One scenario involves a victim making a remote desktop connection to an attacker-controlled server — the attacker could achieve RCE once the victim makes an initial connection with an affected version of the Remote Desktop Client. In the other scenario, a guest virtual machine (VM) on a Hyper-V server could achieve “guest-to-host RCE” after a victim on the Hyper-V host makes a connection to a malicious VM. As this vulnerability lies within the Remote Desktop Client and is not a server-side flaw, this bug is not likely wormable in an attack scenario.

Critical / Important

CVE-2021-36936 and CVE-2021-36947 | Windows Print Spooler Remote Code Execution Vulnerability

CVE-2021-36936 and CVE-2021-36947 are RCE vulnerabilities in Windows Print Spooler. Over the past few months, Print Spooler bugs have received significant attention, starting with CVE-2021-1675 in June, followed by an out-of-band patch for CVE-2021-34527 (also known as PrintNightmare) in July.

Microsoft rates both CVE-2021-36936 and CVE-2021-36947 as “Exploitation More Likely.” CVE-2021-36936 is one of two vulnerabilities this month that Microsoft says were publicly disclosed, which may be related to several bugs in Print Spooler that were identified by researchers over the past few months.

In addition to these patches, Microsoft has also introduced significant changes to the default Point and Print behavior; more information is available in this knowledge base article. Because of the ubiquity of Windows Print Spooler, we strongly encourage organizations to apply these patches as soon as possible.

Important

CVE-2021-36948 | Windows Update Medic Service Elevation of Privilege Vulnerability

CVE-2021-36948 is an EoP vulnerability in the Windows Update Medic Service (WaaSMedicSVC.exe). It received a CVSSv3 score of 7.8. The Windows Update Medic Service was introduced in Windows 10 to address damaged or corrupted components from the Windows Update process to ensure future Windows Updates can be received. This vulnerability was reported internally by Microsoft’s Security Response Center and Microsoft’s Threat Intelligence Center. It is the only vulnerability exploited in the wild as a zero-day this month. While RCE vulnerabilities are often the most damaging, EoP vulnerabilities are quite valuable for attackers, especially in post-compromise situations when they are looking to elevate privileges on the compromised system.

Important

CVE-2021-36942 | Windows LSA Spoofing Vulnerability

CVE-2021-36942 is a spoofing vulnerability in Windows Local Security Authority (LSA) which could allow an unauthenticated attacker using New Technology LAN Manager (NTLM) to trick a domain controller into authenticating with another server. Microsoft encourages prioritizing patching domain controllers first and notes that further action, found in KB5005413, is required after applying the security update. While this vulnerability on its own received a CVSSv3 score of 7.5, Microsoft makes special mention that when combined with an NTLM Relay Attack, the combined score is a 9.8. Along with the update, ADV210003 is also available to provide additional guidance on “Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)” in light of the recent PetitPotam NTLM Relay Attacks.

Tenable Solutions

Users can create scans that focus specifically on our Patch Tuesday plugins. From a new advanced scan, in the plugins tab, set an advanced filter for Plugin Name contains August 2021.

With that filter set, click the plugin families to the left and enable each plugin that appears on the right side. Note: If your families on the left say Enabled, then all the plugins in that family are set. Disable the whole family before selecting the individual plugins for this scan. Here’s an example from Tenable.io:

A list of all the plugins released for Tenable’s August 2021 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

One Year Later: What Can We Learn from Zerologon?

In a year of headline-making vulnerabilities and incidents, Zerologon (CVE-2020-1472) stands out due to its widespread adoption by threat actors and its checkered disclosure timeline.

In our Threat Landscape Retrospective (TLR) published earlier this year, the Tenable Security Response Team (SRT) highlighted CVE-2020-1472, aka Zerologon, as one of the Top Five Vulnerabilities of 2020.

However, Zerologon had humble beginnings: It received limited mention in most Patch Tuesday analyses when it was initially fixed in August 2020 but, by the end of the year, Zerologon was featured in several government alerts and had been adopted by threat actors of various motivations and capabilities. Zerologon was one of the top exploited vulnerabilities of 2020, according to a recent joint cybersecurity alert from international government agencies.

If vulnerabilities had Cinderella stories, this might be one. How did this vulnerability initially get lost in the shuffle and what can security professionals learn from this to avoid any future scrambles like the one experienced at the end of summer 2020?

Priority overload: 2020’s vulnerability season

You might have blocked it from your memory, or it may have been overwritten by the many other major news cycles we’ve experienced since, but the summer of 2020 was an exhaustingly busy few months. Just in the scheduled, recurring security releases from Oracle, Microsoft and Adobe, over 800 vulnerabilities were added to prioritization queues between July 14 and September 10, 2020. But, of course, it’s never just the scheduled releases. In the months surrounding the disclosure of CVE-2020-1472 and the publication of Secura’s white paper, the Security Response Team reported on a dozen notable vulnerabilities.

| Date | Post |
| --- | --- |
| July 14 | CVE-2020-6287: Critical Vulnerability in SAP NetWeaver Application Server JAVA Disclosed (RECON) |
| July 14 | CVE-2020-1350: Wormable Remote Code Execution Vulnerability in Windows DNS Server Disclosed (SIGRed) |
| July 14 | CVE-2020-8193, CVE-2020-8195, and CVE-2020-8196: Active Exploitation of Citrix Vulnerabilities |
| July 22 | Copy-Paste Compromises: Threat Actors Target Telerik UI, Citrix, and SharePoint Vulnerabilities (CVE-2019-18935) |
| July 23 | CVE-2020-3452: Cisco Adaptive Security Appliance and Firepower Threat Defense Path Traversal Vulnerability |
| July 29 | CVE-2020-10713: “BootHole” GRUB2 Bootloader Arbitrary Code Execution Vulnerability |
| August 10 | CVE-2020-17496: Zero-Day Remote Code Execution Vulnerability in vBulletin Disclosed |
| August 14 | CVE-2019-0230: Apache Struts Potential Remote Code Execution Vulnerability |
| September 1 | CVE-2020-5776, CVE-2020-5777: Multiple Vulnerabilities in the MAGMI Magento Mass Import Plugin |
| September 1 | CVE-2020-3566, CVE-2020-3569: Zero-Day Vulnerabilities in Cisco IOS XR Software Targeted in the Wild |
| September 2 | CVE-2020-25213: Critical Vulnerability in File Manager WordPress Plugin Exploited in the Wild |
| September 10 | CVE-2020-2040: Critical Buffer Overflow Vulnerability in PAN-OS Devices Disclosed |

Source: Tenable, August 2021

To get a more detailed overview of the 2020 Vulnerability Season and how it fits into the larger security landscape, read the TLR.

Patch Tuesday: August 2020

So that’s everything that was happening around August Patch Tuesday. Let’s take a moment to examine that release itself. Microsoft patched 120 CVEs, breaking 100 CVEs for the sixth month in a row. Seventeen of the CVEs were rated Critical, seven as “Exploitation More Likely” and two vulnerabilities (CVE-2020-1464 and CVE-2020-1380) were under active exploitation. More than half (61) of the CVEs were Elevation of Privilege (EoP), though the actively exploited vulnerabilities received the bulk of the attention in third-party analysis of the Patch Tuesday release.

Now that we have a better understanding of the context surrounding the initial release of CVE-2020-1472, let’s examine the vulnerability itself and how its disclosure proceeded.

About CVE-2020-1472: sneaky updates cause problems

Source: Tenable, August 2021

CVE-2020-1472 is an elevation of privilege vulnerability in Microsoft's Netlogon Remote Protocol (MS-NRPC). This protocol is used to maintain relationships between domain controllers (DCs) within and across domains. Critically, MS-NRPC is also used to manage account changes for DCs, such as passwords. The vulnerability stems from an error in how MS-NRPC implements AES-CFB8 encryption. Because this is a local privilege escalation flaw, an attacker needs to be on the same local area network (LAN) as their target.

Active Directory (AD) is a target of serious concern with Zerologon. If an attacker was able to exploit it against AD, they could impersonate any machine on the network, reset the domain controller’s administrator password or launch ransomware attacks against the entire network.
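To see why a flaw in a crypto routine earned a 10.0, here is an added Go example, not Secura's test tool and not Microsoft's code, of the AES-CFB8 property at the heart of Zerologon. It goes slightly beyond the page on one point: MS-NRPC computes a credential by encrypting an 8-byte challenge with AES-CFB8 under the session key using a fixed all-zero IV, a detail from Secura's whitepaper. With that IV and an all-zero challenge the register never changes once the first ciphertext byte is zero, so the whole credential is zero exactly when the first keystream byte is zero, which is the case for about 1 in 256 session keys. The same routine run with a fresh random IV shows the property vanishing. Function names and sample sizes are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"fmt"
)

// EncryptCFB8 implements AES-CFB8 as used for the Netlogon credential: each output byte costs
// one AES block call, the shift register moves left by one byte and the ciphertext byte is
// appended. Go's crypto/cipher only ships CFB128, so the 8-bit variant is written out here.
func EncryptCFB8(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != block.BlockSize() {
		return nil, fmt.Errorf("iv must be %d bytes", block.BlockSize())
	}
	reg := append([]byte(nil), iv...)
	keystream := make([]byte, block.BlockSize())
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(keystream, reg)
		out[i] = keystream[0] ^ p
		copy(reg, reg[1:])       // shift the register left by one byte ...
		reg[len(reg)-1] = out[i] // ... and feed the ciphertext byte back in
	}
	return out, nil
}

// Credential models the Netlogon credential computation: an 8-byte challenge encrypted under
// the session key. The protocol's fixed all-zero IV is passed in explicitly so the contrast
// with a random IV can be shown below (assumption from Secura's whitepaper, not from this page).
func Credential(sessionKey, challenge, iv []byte) []byte {
	out, err := EncryptCFB8(sessionKey, iv, challenge)
	if err != nil {
		panic(err)
	}
	return out
}

func isAllZero(b []byte) bool {
	for _, x := range b {
		if x != 0 {
			return false
		}
	}
	return true
}

// ZeroIVWeakness reports, for one session key, whether the zero-IV zero-challenge credential is
// all zeros and whether the first keystream byte AES_k(0)[0] is zero. The two always agree:
// that single byte decides the whole credential, and it is zero for ~1 in 256 keys.
func ZeroIVWeakness(sessionKey []byte) (credentialIsZero, firstKeystreamByteIsZero bool) {
	zeroIV := make([]byte, 16)
	cred := Credential(sessionKey, make([]byte, 8), zeroIV)
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		panic(err)
	}
	first := make([]byte, 16)
	block.Encrypt(first, zeroIV)
	return isAllZero(cred), first[0] == 0
}

// ZeroCredentialRate samples n random session keys and returns the fraction whose zero-IV,
// zero-challenge credential is all zeros (converges to 1/256 ≈ 0.0039) and, for contrast, the
// fraction that is all zeros when a fresh random IV is used instead (≈ 2^-64, i.e. none).
func ZeroCredentialRate(n int) (fixedIV, randomIV float64) {
	key := make([]byte, 16)
	iv := make([]byte, 16)
	zeroChallenge := make([]byte, 8)
	var fixedHits, randomHits int
	for i := 0; i < n; i++ {
		if _, err := rand.Read(key); err != nil {
			panic(err)
		}
		if isAllZero(Credential(key, zeroChallenge, make([]byte, 16))) {
			fixedHits++
		}
		if _, err := rand.Read(iv); err != nil {
			panic(err)
		}
		if isAllZero(Credential(key, zeroChallenge, iv)) {
			randomHits++
		}
	}
	return float64(fixedHits) / float64(n), float64(randomHits) / float64(n)
}

func main() {
	fixed, random := ZeroCredentialRate(100000)
	fmt.Printf("fixed zero IV: %.4f of keys give an all-zero credential (expect about %.4f)\n", fixed, 1.0/256)
	fmt.Printf("random IV:     %.4f of keys give an all-zero credential\n", random)
}
```

The design lesson for defenders is that CFB8 with a fixed IV turns what should be a 64-bit guess into an 8-bit one, which is why a protocol whose proof of knowledge is a raw block-cipher output needs a fresh IV per call or, better, a proper MAC. It also explains the “local” scoping in the advisory: the weakness is in the handshake math, so anything that can reach the Netlogon RPC endpoint on a DC is in scope.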

Initially, CVE-2020-1472 was published with a CVSSv3 score of 8.8 and an “Exploitation Less Likely” designation, according to the Microsoft Exploitability Index. Trend Micro Zero Day Initiative did point out that a critical rating for an EoP is “rare,” and that might have been our first and only hint that something was up. However, two other EoP vulnerabilities in this release (CVE-2020-1509, CVE-2020-1585) also received 8.8 CVSSv3 scores. The same day as the Patch Tuesday release, Microsoft updated the CVSSv3 score for CVE-2020-1472 to 10.0 and upgraded it to “Exploitation More Likely.”

This surreptitious update is likely a major reason CVE-2020-1472 flew under the radar initially. You can see in the image below that the update on Microsoft’s Security Update Guide is listed before the information was published. Version 1.1 is listed as preceding version 1.0. Analysts and reporters jump on Patch Tuesday as quickly as possible looking for the next “big” vulnerability and likely missed this important revision.

Source: Microsoft, retrieved August 2021

It wasn’t until September, when researchers at Secura published more details about the vulnerability and gave it a name, Zerologon, that the community at large took notice. The additional information from Secura allowed analysts and researchers to understand the full scope and impact of the vulnerability. This is also where we began to see the 10.0 CVSSv3 score included in coverage. Several proofs-of-concept (PoC) were published for Zerologon that improved upon the initial test tool released by Secura. By October, news broke that advanced persistent threat actors and ransomware groups were leveraging Zerologon in attack chains.

Tom Tervoort of Secura recently spoke at Black Hat USA 2021 about his discovery of Zerologon and Microsoft’s patch. In this presentation, he alluded to the fact that the one-month delay in publishing his whitepaper and testing tool was agreed with Microsoft and implied it was intended to give defenders time to patch.

Coverage of CVE-2020-1472

Overall, CVE-2020-1472 wasn’t prominently featured in Patch Tuesday coverage by vendors and the media. It was mostly included as an “also patched” later in analyses. It appears much of the initial coverage for CVE-2020-1472 was driven by commentary from Trend Micro Zero Day Initiative.

Based on the information available at the time, it’s reasonable that most of us focused attention on CVE-2020-1464 and CVE-2020-1380 while basically putting a pin in CVE-2020-1472 until more information became available.

Secura didn’t offer any rationale for its delayed publication date until last week and Microsoft made no mention of the CVSS score change beyond the somewhat confusing version history of the Security Update Guide. Had accurate and complete information about Zerologon been available from the beginning, the industry would have likely sounded a louder alarm much earlier.

Takeaways

What can we learn from this situation? Can we extract useful actions to take in the future to avoid an apparent oversight?

I'd love to offer a magic, quantitative solution based on this vulnerability: if [list of factors], then exploit. Unfortunately that is not possible; this is all as much an art as it is a science. Without accurate information, it's nearly impossible to predict exactly which vulnerabilities out of the thousands disclosed every year will be widely, or even narrowly, exploited. Attackers are often creatures of habit, but they have so many vulnerabilities from which to choose.

Publicly available PoCs are a strong indicator that a given vulnerability will be adopted by attackers because attackers are opportunistic and will happily gain value off someone else’s work. However, we've seen lately that some won't hesitate to develop zero-days if the price is right. PoCs can arrive significantly after a patch, as we've seen, and defenders waiting for a public PoC is the opposite of ideal.

One thing that we can derive from this, though it’s not groundbreaking, is the value EoP vulnerabilities may have, and a consideration for which vulnerabilities can be chained to elevate privileges or move laterally within target networks. This is not new; we’ve written about it before. Based on sources like government alerts on threat actor activity, we know that remote code execution (RCE) vulnerabilities still dominate, but Zerologon was specifically called out for being used in several campaigns, regardless of initial access methods.

From this incident we know to look out for:

    • Unpatched vulnerabilities with widely publicized PoCs
    • Ubiquitous programs/functions (a la Print Spooler)
      • Microsoft dominates the vulnerabilities used by threat groups because it is so widely deployed.
    • Elevation and lateral movement

Nothing cutting-edge here.

Unfortunately, the main action I can see here isn’t for defenders; it’s for the vendors. The primary reason for this situation was the scoring discrepancy of CVE-2020-1472 when it was initially disclosed. Had Microsoft been more communicative about the score change, defenders would have had accurate information with which to perform initial prioritization. At first analysis, based on the information provided initially by Microsoft, this appeared to be a fairly average EoP vulnerability. The surreptitious update meant that most people didn’t reexamine the advisory until a month later. The early birds got inaccurate information, unfortunately, thereby missing the metaphorical worm.

This case illustrates another side of the “coordinated disclosure” coin. Researcher blog posts, white papers, and even tweets, can provide helpful context missing from vendor advisories. They may even point out where a vendor advisory was inaccurate.

We saw a similar issue with the Print Spooler vulnerabilities this summer.

Source: Tenable, August 2021

Microsoft’s initial advisory for CVE-2021-1675 didn’t accurately describe the vulnerability, listing it as just an EoP when it was actually an RCE. It even followed the same timeline fairly closely: delayed PoC, then wide-scale exploitation, then government alert. There were other complicating factors, but those aren’t as relevant here.

Conclusion

The lack of transparency from Microsoft in these situations is an ongoing issue; we can only speculate about how and why things transpired as they did. Confusion like this may only become more likely now that Microsoft has removed Executive Summaries from the Security Update Guides. Defenders rely on accurate, timely information from vendors in order to make effective prioritization decisions. The less information they receive, or the more inaccurate it is, the harder it gets for the industry to defend against attackers.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability can be found here. Tenable released a remote check plugin for Zerologon that can be used against DCs to test whether or not they’re exploitable. Please note that this plugin requires disabling the “Only use credentials provided by the user” option under Assessment Settings.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

The PrintNightmare Continues: Another Zero-Day in Print Spooler Awaits Patch (CVE-2021-36958)

Microsoft continues to work on securing Windows Print Spooler after several vulnerabilities have been disclosed. One remains unpatched, despite new limitations on Point and Print functionality.

Background

Over the last few months, Microsoft has been reckoning with a series of vulnerabilities in the Windows Print Spooler, a service that provides printer functionality on domain controllers — where it is enabled by default — desktops and servers.

In its August Patch Tuesday release, Microsoft patched several vulnerabilities in Windows Print Spooler, following months of public scrutiny on the service. Microsoft also introduced major changes to the Point and Print functionality of Print Spooler.

Since June, Microsoft has announced seven vulnerabilities in Print Spooler as researchers have continued to analyze the service and reverse engineer the patches, finding more flaws. To date, none of the solutions from Microsoft have fully addressed the issues in the Print Spooler service.

| CVE | Impact | CVSSv3 | VPR* |
| --- | --- | --- | --- |
| CVE-2021-1675 | Windows Print Spooler Remote Code Execution Vulnerability | 8.8 | 9.8 |
| CVE-2021-34527 | Windows Print Spooler Remote Code Execution Vulnerability (“PrintNightmare”) | 8.8 | 9.8 |
| CVE-2021-34481 | Windows Print Spooler Remote Code Execution Vulnerability | 8.8 | 9.4 |
| CVE-2021-36936 | Windows Print Spooler Remote Code Execution Vulnerability | 8.8 | 9.2 |
| CVE-2021-36947 | Windows Print Spooler Remote Code Execution Vulnerability | 8.8 | 9.0 |
| CVE-2021-34483 | Windows Print Spooler Elevation of Privilege Vulnerability | 7.8 | 6.7 |
| CVE-2021-36958 | Windows Print Spooler Remote Code Execution Vulnerability | 7.3 | 9.6 |

Source: Tenable, August 2021

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on August 18 and reflects VPR at that time.

Analysis

The situation began in June with CVE-2021-1675 and quickly spiraled out to encompass more than half a dozen vulnerabilities with rumors of more to come. There was confusion when researchers published a proof-of-concept (PoC) called “PrintNightmare,” stating it was for CVE-2021-1675 when it was actually a distinct vulnerability. That vulnerability, the real PrintNightmare, later received the CVE identifier CVE-2021-34527 and an out-of-band patch. Both vulnerabilities are remote code execution flaws (RCE) and have since been exploited in the wild by ransomware groups like Magniber and Vice Society.

Second out-of-band advisory for Print Spooler vulnerability disclosed in July

CVE-2021-34481 is another RCE but, like CVE-2021-1675, was originally labeled an elevation of privilege (EoP) vulnerability. It was disclosed as a zero-day in an out-of-band informational advisory on July 15. Jacob Baines, credited with discovering CVE-2021-34481, presented his work at DEF CON 29 and published an exploit tool on GitHub. This vulnerability allows a low privilege user to install vulnerable print drivers to a target system which can then be exploited to achieve SYSTEM privileges.

August Patch Tuesday release addresses three more Print Spooler vulnerabilities

CVE-2021-36936 and CVE-2021-36947 are RCE vulnerabilities in Windows Print Spooler that were patched as part of the August Patch Tuesday release. Neither of these vulnerabilities was credited to an external researcher, implying that Microsoft found them internally. CVE-2021-34483 is an elevation of privilege vulnerability, also patched in August. It was credited to Victor Mata with FusionX at Accenture Security and Thibault van Geluwe. Mata states that he originally reported CVE-2021-34483 to Microsoft in December and did not publish details per Microsoft’s request.

Third out-of-band advisory for Print Spooler vulnerability disclosed in August

CVE-2021-36958 is another vulnerability disclosed as a zero-day in an out-of-band informational advisory on August 11. As of August 18, it has not been patched. According to Microsoft’s advisory, it is an RCE, but there is confusion as to whether it is a local privilege escalation. Microsoft states they are investigating the vulnerability and working on a patch. CVE-2021-36958 is also credited to Mata, who stated that he will release a full write-up on this vulnerability and CVE-2021-34483 once Microsoft releases a patch for CVE-2021-36958. This flaw was publicly disclosed by Benjamin Delpy on Twitter in July.

Microsoft changes default behavior for Point and Print function on Windows systems

Alongside the patches released in August, Microsoft introduced changes to the default behavior of Point and Print, a key function in several of the exploits circulating. According to the knowledge base article announcing the change, installing or updating print drivers now requires administrator permissions. This means that non-administrator users cannot add a new printer to their systems. This change is specifically called out in the advisory for CVE-2021-34481.

Proof of concept

There are several PoCs circulating, many from Benjamin Delpy, on Twitter and GitHub for these various vulnerabilities.

Solution

The Print Spooler service is enabled by default on most systems, including domain controllers, and is therefore an attractive target for threat actors. Because Microsoft has yet to fully address the known vulnerabilities, organizations should consider disabling Print Spooler. If that is not feasible, ensure systems have the latest updates.
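As an added example (not code from the Tenable post or from Microsoft), the following PowerShell script audits a single Windows host for the exposure discussed under the Point and Print change and the Solution above: whether the Spooler service is present, running and set to start automatically, whether the host is a domain controller, and whether print driver installation has been left open to non-administrators. A switch applies the mitigation the post recommends, stopping and disabling the service. The registry path and value name are Microsoft's documented setting for the August 2021 Point and Print change; they are not stated on this page, so confirm them against the knowledge base article the post refers to before relying on the check.

```powershell
# Added example: audit a Windows host for Print Spooler exposure and,
# optionally, disable the service. Run from an elevated PowerShell session.
[CmdletBinding()]
param(
    # When set, stop and disable the Spooler service (the post's recommended mitigation).
    [switch]$DisableSpooler
)

$report = [ordered]@{}

# 1. Print Spooler service: present? running? start mode?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
if ($null -eq $svc) {
    $report['SpoolerPresent'] = $false
} else {
    $report['SpoolerPresent']   = $true
    $report['SpoolerState']     = $svc.State      # e.g. Running / Stopped
    $report['SpoolerStartMode'] = $svc.StartMode  # e.g. Auto / Manual / Disabled
}

# 2. Domain controller? The post singles out DCs because Spooler is on by default there.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
$report['IsDomainController'] = ($cs.DomainRole -ge 4)

# 3. Point and Print: is driver installation restricted to administrators?
# Assumption (not from the post): this is the registry value Microsoft documented for
# the August 2021 default change. With the August update installed, an absent value
# means the new restricted default; an explicit 0 re-opens installation to non-admins.
$pnpKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$pnpValue = 'RestrictDriverInstallationToAdministrators'
$restrict = (Get-ItemProperty -Path $pnpKey -Name $pnpValue -ErrorAction SilentlyContinue).$pnpValue
$report['PointAndPrintValue'] = if ($null -eq $restrict) { 'not set (post-update default: restricted)' } else { $restrict }
$report['DriverInstallOpenToNonAdmins'] = ($restrict -eq 0)

# 4. Optional remediation: stop the service and prevent it from starting again.
if ($DisableSpooler -and $report['SpoolerPresent']) {
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    $after = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    $report['SpoolerState']     = $after.State
    $report['SpoolerStartMode'] = $after.StartMode
}

# Emit the findings as an object so they can be collected across many hosts.
[pscustomobject]$report
```

Run it without the switch first to see the host's state; on a domain controller a report showing `SpoolerState = Running` with `SpoolerStartMode = Auto` is exactly the exposure the post describes. `DriverInstallOpenToNonAdmins` is only meaningful once the August 2021 update is installed, since on an unpatched host an absent value still means the old, permissive behaviour.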

Identifying affected systems

A list of Tenable plugins to identify the vulnerabilities that have been patched can be found here.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.
