Vulnerability Management and more

Channel address: @avleonovcom
Categories: Technologies, Blogs
Language: English
Subscribers: 1.79K
Description from channel

Vulnerability assessment, IT compliance management, security automation and other beautiful stuff. Discussion group for this channel: @avleonovchat. PM me @leonov_av

The latest Messages 5

2022-03-04 09:31:21 PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034) #QualysBlog "The Qualys Research Team has discovered a memory corruption vulnerability in polkit's pkexec, a SUID-root program that is installed by default on…
2022-03-01 00:31:57 Hello everyone! This episode will be about Microsoft Patch Tuesday for February 2022. I release it pretty late, because of my previous big episode about the blindspots in the Knowledge Bases of Vulnerability Scanners. Please take a look if you haven’t seen it. Well, if you are even slightly interested in the world news, you can imagine that the end of February 2022 in Eastern Europe is not the best time to create new content on Vulnerability Management. Let’s hope that peace and tranquility will be restored soon. And also that geopolitical confrontation between the largest nuclear powers will de-escalate somehow.

But let’s get back to information security. While working on the Microsoft Patch Tuesday report for February 2022, I made a lot of improvements to Vulristics, my open source project for vulnerability prioritization. I want to start with them.

Blogpost: https://avleonov.com/2022/02/28/microsoft-patch-tuesday-february-2022/
Report: https://avleonov.com/vulristics_reports/ms_patch_tuesday_february2022_report_with_comments_ext_img.html
2022-02-20 14:32:52 Today is your last chance to cast a vote for Vulners!
2022-02-18 20:10:11 Hello everyone! Finally I made a blogpost and video about "blind spots" in English. The first video of #VMconf22. Have a great weekend!

Potential customers rarely worry about the completeness of the Knowledge Base when choosing a Vulnerability Scanner. They usually trust the VM vendors’ claims of the “largest vulnerability base” and the total number of detection plugins. But in fact the completeness is very important. All high-level vulnerability prioritization features are meaningless unless the vulnerability has been reliably detected. In this presentation, I will show the examples of blindspots in the knowledge bases of vulnerability management products, try to describe the causes and what we (as customers and the community) can do about it.

Blogpost: https://avleonov.com/2022/02/18/vmconf-22-blindspots-in-the-knowledge-bases-of-vulnerability-scanners/
Video in Russian from #TenableSecurityDay 2022:


All reports: https://t.me/avleonovcom/972
2022-02-09 22:38:27
Tomorrow I will be speaking at Tenable Security Day. My presentation is called "Blind spots in the Knowledge Bases of Vulnerability scanners". Now I want to present the full reports that I generated so that you can have a look. I compared knowledge bases of Nessus and OpenVAS (GVM + GCF).

1. I took 352 CVEs from the CISA Known Exploited Vulnerabilities Catalog and used VulnKBDiff to see which ones are in Nessus and OpenVAS [1]. Not all CVEs from the catalog are covered.

2. I took 20131 CVEs published in 2021 and used VulnKBDiff to see which ones are in Nessus and OpenVAS [2]. Nessus can't detect 14606 [3] vulnerabilities, so I decided to take a closer look at them.

3. Using Vulristics, I identified 1389 [4] of 14606 vulnerabilities that have a public exploit and made a full Vulristics report [5] (3,6 mb) for them based on Vulners data.
2022-02-09 13:52:06
Hello everyone! Let's support the Vulners Team and Kirill Ermakov at the HighLoad++ award. HighLoad++ is a major conference in Russia dedicated to various aspects of highload application development, including security.

From February 18 to February 20, go to https://awards.highload.ru/vote (upd. the organizers say that it’s better not to do it earlier - votes may be lost), authenticate using your Facebook account, find "vulners.com" on the page and vote for Kirill.

I use Vulners very extensively, both in my main work, to do vulnerability assessment of Linux infrastructure, and in my open source projects: Vulristics, Scanvus, VulnKBDiff. Daily exploit posts for my news channel @avleonovnews are also generated based on data from vulners.com. Vulners is a very cool tool that has changed the work with vulnerabilities. Long live Vulners!
2022-02-07 14:39:43
February 7th. Nothing new. The problem still exists. But I got a response from NVD. They write that the CVE Assignment Team at MITRE is to blame for the situation.
2022-02-03 01:56:34
I don't know what's going on with NVD, but it's kind of a shame. The security bulletin for Samba "Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution" was released on 31 January 2022. The first news about the vulnerability, "New Samba Bug Allows Remote Attackers to Execute Arbitrary Code as Root", was published on 1 February 2022. Today is 3 February 2022, and CVE-2021-44142 is ** RESERVED ** on MITRE and "CVE ID Not Found" on NVD. The idea with CVE Numbering Authorities was strange from the very beginning. But with such terrible delays, NVD simply ceases to be an adequate source of information about vulnerabilities.
2022-01-30 00:44:10
OMG, Renaud Deraison is leaving Tenable. The Nessus Project was started by Renaud Deraison in 1998.