Vulnerability Management and more

Logo of telegram channel avleonovcom — Vulnerability Management and more
Topics from channel:
Maxpatrol
Vulristics
Tenable
Nessus
Offtopic
Yennysay
Pytouchok
Bleepingcomputernews
Phdays
Studio
All tags
Logo of telegram channel avleonovcom — Vulnerability Management and more
Topics from channel:
Maxpatrol
Vulristics
Tenable
Nessus
Offtopic
Yennysay
Pytouchok
Bleepingcomputernews
Phdays
Studio
All tags
Channel address: @avleonovcom
Categories: Technologies , Blogs
Language: English
Subscribers: 1.38K
Description from channel

Vulnerability assessment, IT compliance management, security automation and other beautiful stuff. Discussion group for this channel: @avleonovchat. PM me @leonov_av

Ratings & Reviews

2.00

2 reviews

Reviews can be left only by registered users. All reviews are moderated by admins.

5 stars

0

4 stars

0

3 stars

1

2 stars

0

1 stars

1


The latest Messages

2022-08-23 03:18:29 Hello everyone! In this episode, let’s take a look at the Microsoft Patch Tuesday August 2022 vulnerabilities. I use my Vulristics vulnerability prioritization tool as usual. I take comments for vulnerabilities from Tenable, Qualys, Rapid7, ZDI and Kaspersky blog posts. Also, as usual, I take into account the vulnerabilities added between the July and August Patch Tuesdays.

There were 147 vulnerabilities. Urgent: 1, Critical: 0, High: 36, Medium: 108, Low: 2.

There was a lot of great stuff this Patch Tuesday. There was a critical exploited in the wild MSDT DogWalk vulnerability, 3 critical Exchange vulnerabilities that could be easily missed in prioritization, 13 potentially dangerous vulnerabilities, 2 funny vulnerabilities and 3 mysterious ones. Let’s take a closer look.

01:02 MSDT RCE DogWalk CVE-2022-34713
02:38 3 Microsoft Exchange EOPs (CVE-2022-21980, CVE-2022-24516, CVE-2022-24477)
04:23 13 potentially dangerous vulnerabilities (PPP, SSTP, SMB, Visual Studio, AD, NFS, Print Spooler)
11:06 2 funny vulnerabilities (Edge CVE-2022-2623, Outlook CVE-2022-35742)
12:46 3 mysterious vulnerabilities (CryptoPro, Eurosoft, New Horizon Data Systems)

Video:


Video2 (for Russia): https://vk.com/video-149273431_456239098
Blogpost: https://avleonov.com/2022/08/23/microsoft-patch-tuesday-august-2022-dogwalk-exchange-eops-13-potentially-dangerous-2-funny-3-mysterious-vulnerabilities/
Full report: https://avleonov.com/vulristics_reports/ms_patch_tuesday_august2022_report_with_comments_ext_img.html

#microsoft #patchtuesday

@avleonovcom
510 views00:18
Open / Comment
2022-08-14 18:01:57 Hello everyone! This is the second episode of Vulnerability Management news and publications. This time there are fewer quotes from news articles, more of my thoughts. Looks better, what do you think?

The main idea of this episode. Microsoft is a biased company. In fact, they should now be perceived as another US agency. Does this mean that we need to forget about Microsoft and stop tracking what they do? No, it doesn't. They do a lot of interesting things that can at least be researched and copied. Does this mean that we need to stop using Microsoft products? In some locations (you know which ones) for sure, in some we can continue to use such products if it is reasonable, but it's necessary to have a plan B. And this does not only apply to Microsoft. So, it's time for a flexible approaches. Here we do it this way, there we do it differently. It seems that rather severe fragmentation of the IT market is a long-term trend and it's necessary to adapt to it.

What's in this episode:

01:03 Microsoft released a propaganda report, what does this mean for us?
06:48 Microsoft released the Autopatch feature, is it a good idea to use it?
09:59 Ridiculous Vulnerability: Hardcoded Password in Confluence Questions
11:50 The new Nessus Expert and why it's probably Tenable's worst release
13:20 Rapid7 Nexpose/InsightVM features added in Q2 2022: what's good and what's weird
16:46 Palo Alto: Malicious scan 15 minutes after CVE is released. Oh really?
19:36 6 groups of vulnerabilities that are most often used in attacks, according to Palo Alto, and the end of IT globalization

Video:


Video2 (for Russia): https://vk.com/video-149273431_456239097
Blogpost: https://avleonov.com/2022/08/14/vulnerability-management-news-and-publications-2/

@avleonovcom #VMnews #Tenable #Nessus #Microsoft #Rapid7 #Nexpose #DefenderForEndpoint #Atlassian #Confluence #InsightVM #PaloAlto #Autopatch #NessusExpert #F5
579 viewsedited  15:01
Open / Comment
2022-08-09 23:25:53 In the same "Palo Alto 2022 Unit 42 Incident Response Report" there is one more interesting point. Groups of vulnerabilities that were most often used in attacks. "For cases where responders positively identified the vulnerability exploited by the threat actor, more than 87% of them fell into one of six CVE categories.".

CVE categories:

• 55% Microsoft Exchange ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)
• 14% Log4j
• 7% SonicWall CVEs
• 5% Microsoft Exchange ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)
• 4% Zoho ManageEngine ADSelfService Plus (CVE-2021-40539)
• 3% Fortinet CVEs

• 13% Other

On the one hand, this can be used to prioritize vulnerabilities. And also to identify software and software groups that need special monitoring. I would also like to look at the vulnerabilities in the Other category. But unfortunately they are not included in the report.

On the other hand, it shows how all these vulnerabilities and incidents depend on a particular region. Well of course Microsoft Exchange is used everywhere. Log4j has also affected almost every organization in one way or another. Perhaps in our region, I mean in Russia, some organizations use Fortinet. But SonicWall and Zoho look absolutely exotic. And in those locations where Unit 42 solves incident response cases, these are very important vendors and products.

Or we can remember last year's story with Kaseya VSA. Thousands of companies have been affected by the ransomware. But again, it was not in our region and therefore it was not particularly interesting for us.

Taking into account the exodus of Western vendors from the Russian IT market, the landscapes "here" and "there" will differ more and more. More and more incidents in Russia, will occur due to vulnerabilities in our local software. In software that Western information security vendors may never have heard of. BTW, have you heard about 1C (Odin-Ass )? And it works both ways. Does this mean that in Russia, we will need Vulnerability Management solutions focused on our Russian IT realities? Well apparently yes. And something tells me that this will not only happen in Russia.

It seems that the time of total globalization in IT is running out. And the ability of VM vendors to relatively easily take positions in new regions is also disappearing. The great fragmentation is coming. But it will be even more interesting that way.

Версия на русском

@avleonovcom #VMnews #PaloAlto
532 viewsedited  20:25
Open / Comment
2022-08-08 11:23:24 The "Palo Alto 2022 Unit 42 Incident Response Report" makes the amusing claim that attackers typically start scanning organizations' perimeters for vulnerabilities 15 minutes after a CVE is published.

Just like this:

"The 2021 Attack Surface Management Threat Report found that attackers typically start scanning for vulnerabilities within 15 minutes of a CVE being announced."

They do not write how exactly they got these 15 minutes. Or I didn't find it. But apparently they could detect attempts to exploit some specific vulnerabilities. They could use honeypots or IDS for this. And then they could get the difference between the timestamp for exploitaition and the timestamp for vulnerability publication.

There is an example that 5 days after some vulnerability was published, they released a detection signature. And in 10 hours, they collected two and a half thousand attempts to exploit this vulnerability.

"For example, Palo Alto Networks released a Threat Prevention signature for the F5 BIG-IP Authentication Bypass Vulnerability (CVE-2022-1388), and within just 10 hours, the signature triggered 2,552 times due to vulnerability scanning and active exploitation attempts".

It's cool of course. But still, the signature was not released immediately. Therefore, it is difficult to say exactly when the malicious scans began.

But that's not the point. It is not so important whether the scans really start after 15 minutes or some time later. The fact is that attackers monitor the news flow about vulnerabilities. And the fact that they are motivated to scan your perimeter more often than you. And they are motivated to use non-standard checks for this. Not just the ones in your commercial vulnerability scanner.

Therefore, there are only two options. You can compete in speed with attackers. Or you may know and control your perimeter far better than any outside researcher can. This means that you must understand why a particular service is needed on the perimeter. And whenever possible, try to minimize the number of such services as much as possible. For such services, you should specifically monitor security bulletins and start responding even before detection checks appear in vulnerability scanners. And of course before the media starts screaming about this vulnerability.

Of course, it's easier said than done.

Версия на русском

@avleonovcom #VMnews #PaloAlto #F5
492 viewsedited  08:23
Open / Comment
2022-08-05 16:02:18 I looked at the new features in Rapid7 Nexpose/InsightVM added in Q2 2022. Some changes are like "OMG, how did they live without it?!"

They just added support for CVSS v3 severity in dashboards. CVSS v3 was released in June 2015. CVSS v3 data has been available in NVD since 2017. And now, 5 years after that, Rapid7 decided to take into account these data as well? Well, ok.

Or that they used to have such weird patching dashboards that progress on the Remediation Project was only visible when the patches were applied to all assets. And now it's better: "Yes, this means customers no longer have to wait for all the affected assets to be remediated to see progress". Indeed, better late than never.

Rapid7 just added support for AlmaLinux and Rocky Linux. Although stable versions of these distributions appeared more than a year ago and are already actively used in enterprise businesses as a replacement for CentOS. It turns out that Rapid7 clients have just now got the opportunity to scan these distributions.

Rapid7 use the term "recurring coverage" for supported software products. And they have a public list of such products. "The following software list encompasses those products and services that we are specifically committed to providing ongoing, automated coverage". The list is not very big, but it's cool that it's public.

On the other hand, there are cool features. At least one, Scan Assistant. This feature was introduced in December last year, but now it has been improved. This is an agent that does not collect or analyze data, but is only needed for authentication. It solves the problems of using system accounts for scanning, which can be very risky if the scanner host or one of the targets is compromised. This way you can install Scan Assistant on hosts and Vulnerability Scanner will authenticate to hosts using certificates rather than real system accounts.

"Scan Assistant, a lightweight service deployed on an asset that uses digital certificates for handshake instead of account-based credentials; This alleviates the credential management headaches VM teams often encounter."

This is a cool and useful feature. As far as I know, other VM vendors do not have this. In Q2, Rapid7 added some automation for updating this Scan Assistant and rotating certificates. It's cool that the functionality is evolving. But for now, it's only for Windows.

And there are updates that did not cause any special emotions in me. These are, for example, Asset correlation for Citrix VDI instances and vulnerability detection for Oracle E-Business Suite and VMware Horizon. They added and it's good.

Версия на русском

@avleonovcom #VMnews #Rapid7 #InsightVM #Nexpose
512 viewsedited  13:02
Open / Comment
2022-08-04 02:34:39
Nessus Professional and Nessus Expert
533 views23:34
Open / Comment
2022-08-04 02:34:39 Tenable introduced Nessus Expert. They have Nessus Professional, and now there will be Nessus Expert with new features:

1) Infrastructure as Code Scanning. In fact, they added Terrascan (acquired this year) to Nessus. So far, it looks very sloppy. This is a separate independent tab in the menu and scan results cannot be viewed in the GUI and can only be download as Json file.
2) External attack surface scanning. They took these features from Bit Discovery (also acquired this year). You can run a scan that will look for subdomains for a domain. But only for 5 domains per quarter. If you want more, you need to pay extra. Not to say that this is some kind of exclusive feature. The results can be viewed in the GUI. But that's all. There is no synergy with the usual functionality of Nessus.

The press release recalls how Renaud Deraison released first Nessus 24 years ago. But under him, and even more so under Ron Gula, there were no such terrible releases with freshly bought functionality, attached to the main product "with blue electrical tape". And such a Frankenstein monster could never be presented as a new product. Sadness and marketing. Let's see if it gets better with time.

Версия на русском

@avleonovcom #VMnews #Tenable #Nessus #NessusExpert
531 viewsedited  23:34
Open / Comment
2022-08-01 00:17:49 There has been a lot of news about Confluence vulnerabilities this week. Atlassian has released three of them.

CVE-2022-26136 & CVE-2022-26137: Multiple Servlet Filter vulnerabilities (Authentication bypass, XSS, Cross-origin resource sharing bypass). Many Atlassian products are vulnerable. Not only Confluence and JIRA, but also Bitbucket for example. Everything is clear here, such installations need to be patched. And, ideally, it's time to stop using Atlassian products if you live and work in certain locations, because this vendor is unstable.

CVE-2022-26138: Hardcoded password in Confluence Questions. This vulnerability is now the most hyped and ridiculous. If you install the optional Confluence Questions app, this will create a disabledsystemuser user with a hardcoded password. And this user is not disabled! The password is already publicly available. If you are logged in as this user, you can read the pages accessible by the confluence-users group. Well, isn't it funny? This can be fixed by patching or blocking/deleting the user.

What can be said here:
1. Plugins and extensions are evil and usually the most vulnerable. Try to avoid them.
2. This is how backdoors in software can look like. The exploitation is very simple, and the vendor can always say that "oh, sorry, that was a bug".
3. Those who make Confluence and similar services available on the network perimeter are their own enemies.

Версия на русском

@avleonovcom #VMnews #Atlassian #Confluence
621 viewsedited  21:17
Open / Comment
2022-07-31 04:06:10 Continuing the topic of Microsoft security services. In mid-July, Microsoft released the Autopatch feature for Windows 10/11 with Enterprise E3 and E5 licenses (not regular, but more expensive licenses). Also Hybrid Azure Active Directory must be configured. But if everything is purchased and configured properly, then updates for MS products, drivers and other software (in perspective) can be automatically installed from the MS cloud. And it will be more often than once a month. And in the correct way. If you install all updates on all hosts at the same time, there will be a high risk of mass failures. Therefore, patches will be installed gradually. If a failure is detected, the system administrator will be able to react and roll back the problematic patch.

"The 'test ring' contains a minimum number of devices, the 'first ring' roughly 1% of all endpoints in the corporate environment, the 'fast ring' around 9%, and the 'broad ring" the rest of 90% of devices.
The updates get deployed progressively, starting with the test ring and moving on to the larger sets of devices after a validation period that allows device performance monitoring and pre-update metrics comparison.
Windows Autopatch also has built-in Halt and Rollback features that will block updates from being applied to higher test rings or automatically rolled back to help resolve update issues."

Is it convenient? Yes, of course it's convenient. Is it dangerous? Well, it depends on trust in the vendor, faith in vendor's stability and security. Speaking of Microsoft, this can be very controversial for many organizations in many locations.

But in general, along with Defender for Endpoint (EDR, VM) and Intune this Autopatch feature looks like a step in the right direction for the OS vendor. At least if we're talking about desktops. If you trust your OS vendor, it makes sense to trust that vendor's services to make life easier for system administrators and security guys. I don't know if vendors of commercial Linux distributions, including Russian ones, are thinking about this, but it seems it makes sense to take such concepts from MS.

On the other hand, such Autopatch is not a panacea of course. Everything is not so trivial with updating third-party software. But MS seems to have a lot of resources to gradually move in this direction. Vulnerability detection for third-party software in Defender for Endpoint works quite well, which is also not an easy task. Therefore, I think they will be able to update such software in future. If Qualys can, then MS will handle this as well.

Версия на русском

@avleonovcom #VMnews #Microsoft #Autopatch
524 viewsedited  01:06
Open / Comment
2022-07-29 00:23:20 And it would be fair to ask: "Weren't you, Alexander, promoting Microsoft's security services? And now you've turned against them?"

And it's easy to point to some posts from my blog:

1. Microsoft security solutions against ransomware and APT (the best business breakfast I've ever had - the catering was top notch )
2. Microsoft Defender for Endpoint: Why You May Need It and How to Export Hosts via API in Python
3. Getting Hosts from Microsoft Intune MDM using Python
4. How to get Antivirus-related Data from Microsoft Defender for Endpoint using Intune and Graph API
5. Microsoft Defender for Endpoint: The Latest Versions of Antivirus Engine & Signatures

It's paradoxical, but I don't have a post about exporting vulnerabilities from Defender for Endpoint. I was going to make a post about it, but there were always more important topics.

What can I say. I still think that Defender for Endpoint is a cool and user-friendly solution. Although sometimes it may be buggy. I also think it's logical to use your OS vendor's security services. Just because you already have complete trust in your OS vendor. Right? Аnd other OS vendors should provide security services, as Microsoft does. But the question is what to do if it has become very difficult to trust your OS vendor? To put it mildly.

Not to say that I did not write about such risks at all:

"It will be a difficult decision to store this critical data in Microsoft cloud. Even with Microsoft’s guarantees that all the data is stored securely and they touch it with AI only."

But of course this was not enough. And 5 years ago, things looked very different.
¯\_(ツ)_/¯

Версия на русском

@avleonovcom #VMnews #Microsoft #DefenderForEndpoint
517 viewsedited  21:23
Open / Comment