All posts by Drew Burton

CVE-2023-35078: Critical API Access Vulnerability in Ivanti Endpoint Manager Mobile

Post Syndicated from Drew Burton original https://blog.rapid7.com/2023/07/26/etr-cve-2023-35078-critical-api-access-vulnerability-ivanti-in-endpoint-manager-mobile/


CVE-2023-35078 is a remote unauthenticated API access vulnerability in Ivanti Endpoint Manager Mobile, which was previously branded as MobileIron Core. The vulnerability has a CVSS v3 base score of 10.0 and has a severity rating of Critical.

Ivanti has reported that they have received information from a credible source indicating active exploitation of CVE-2023-35078. A vendor supplied patch to remediate CVE-2023-35078 was released on July 24, 2023.

Background

Ivanti Endpoint Manager Mobile (EPMM) is used to configure and manage mobile devices and enforce security policies on those devices. According to Ivanti’s advisory, if exploited, CVE-2023-35078 enables an unauthorized, remote (internet-facing) actor to potentially access users’ personally identifiable information and make limited changes to the server.

On July 24, 2023, the Norwegian National Security Authority (NSM) released a statement that CVE-2023-35078 was used in a zero-day attack to successfully compromise the Norwegian Security and Service Organization (DSS). The US Cybersecurity & Infrastructure Security Agency (CISA) has also released an advisory for the vulnerability and added it to its Known Exploited Vulnerabilities (KEV) catalog.

According to CISA’s advisory, the vulnerability allows a remote unauthenticated attacker to access personally identifiable information (PII) and add an administrator account on the affected EPMM server, to allow for further system compromise.

The Shadowserver project has listed 2,729 IP addresses on the internet that remain vulnerable to the issue (as of July 24, 2023).

Currently, no known public exploit code is available (as of July 26, 2023). If public exploit code becomes available, we expect broader exploitation of vulnerable internet-facing systems. Organizations running the affected software are advised to apply the vendor patch as soon as possible.

Affected Products

Please note: Information on affected versions or requirements for exploitability may change as we learn more about the threat.

CVE-2023-35078 affects all supported versions of Ivanti Endpoint Manager Mobile (EPMM) prior to the vendor patch:

  • 11.10
  • 11.9
  • 11.8

Product versions no longer receiving support are also affected, and Ivanti has released a workaround as part of their response.

Ivanti has released the following patches to remediate the issue:

  • 11.10.0.2
  • 11.9.1.1
  • 11.8.1.1

Rapid7 Customers

Instructions to install the patch or workaround are available on Ivanti’s KB article (which requires a free login to access).

An unauthenticated (remote) check will be available to InsightVM customers in tonight’s (July 26, 2023) content release.

CVE-2023-27997: Critical Fortinet Fortigate Remote Code Execution Vulnerability

Post Syndicated from Drew Burton original https://blog.rapid7.com/2023/06/12/etr-cve-2023-27997-critical-fortinet-fortigate-remote-code-execution-vulnerability/


On June 9, 2023, Fortinet silently patched a purported critical remote code execution (RCE) vulnerability in Fortigate SSL VPN firewalls. According to Lexfo Security’s Charles Fol, who discovered the vulnerability, the flaw is heap-based and reachable pre-authentication on every SSL VPN appliance. Fortinet is expected to publish their advisory for CVE-2023-27997 tomorrow, June 13, 2023. The company has a history of issuing security patches prior to disclosing critical vulnerabilities. Presumably, this policy is meant to give customers time to update their devices before threat actors exploit flaws, but in practice, it gives attackers a head start on attack development while keeping vulnerable organizations in the dark.

Rapid7 is not aware of any exploitation of this vulnerability at time of writing. We do expect CVE-2023-27997 will be leveraged by attackers, but heap-based exploits are notoriously tricky, and it’s unlikely that we’ll see automated exploitation at scale. Nevertheless, we recommend that Fortigate customers update immediately as a matter of habit, despite the fact that Fortinet’s advisory is not yet available. According to reports, security fixes were released on Friday in FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5.

As of June 12, there were roughly 210,700 Fortigate devices with the SSL VPN component exposed to the public internet, the majority of which are in the United States, followed by Japan and Taiwan.

Fortinet device vulnerabilities are historically popular with attackers of all skill levels, though exploitability varies on a vuln-by-vuln basis. The U.S. government recently released a security bulletin that highlighted state-sponsored threat actors gaining access to networks via Fortigate devices. Fortinet vulnerabilities are also popular with initial access broker groups that sell access to potential victims’ networks to ransomware groups.

Affected Products

To date, these are the reported affected versions of Fortigate devices configured as SSL VPNs:

  • 7.0.12
  • 7.2.5
  • 6.4.13
  • 6.2.15

Remediation

Update FortiOS firmware to version 6.0.17, 6.2.15, 6.4.13, 7.0.12, or 7.2.5 as soon as possible.

Rapid7 customers

An authenticated check for CVE-2023-27997 is in development and expected to be available to InsightVM and Nexpose customers in today’s (June 12, 2023) content release.

Widespread Exploitation of Zyxel Network Devices

Post Syndicated from Drew Burton original https://blog.rapid7.com/2023/05/31/etr-widespread-exploitation-of-zyxel-network-devices/


Rapid7 is tracking reports of ongoing exploitation of CVE-2023-28771, a critical unauthenticated command injection vulnerability affecting multiple Zyxel networking devices.

The vulnerability is present in the default configuration of vulnerable devices and is exploitable in the Wide Area Network (WAN) interface, which is intended to be exposed to the internet. A VPN does not need to be configured on a device for it to be vulnerable. Successful exploitation of CVE-2023-28771 allows an unauthenticated attacker to execute code remotely on the target system by sending a specially crafted IKEv2 packet to UDP port 500 on the device.

Zyxel released an advisory for CVE-2023-28771 on April 25, 2023. On May 19, Rapid7 researchers published a technical analysis of the vulnerability on AttackerKB, underscoring the likelihood of exploitation.

As of May 19, there were at least 42,000 instances of Zyxel devices on the public internet. However, as Rapid7 researchers noted, this number only includes devices that expose their web interfaces on the WAN, which is not a default setting. Since the vulnerability is in the VPN service, which is enabled by default on the WAN, we expect the actual number of exposed and vulnerable devices to be much higher.

As of May 26, the vulnerability is being widely exploited, and compromised Zyxel devices are being leveraged to conduct downstream attacks as part of a Mirai-based botnet. Mirai botnets are frequently used to conduct DDoS attacks.

While CVE-2023-28771 is currently garnering large-scale threat actor attention, Zyxel published an advisory for two additional vulnerabilities — CVE-2023-33009 and CVE-2023-33010 — on May 24, 2023. CVE-2023-33009 and CVE-2023-33010 are buffer overflow vulnerabilities that can allow unauthenticated attackers to cause a DoS condition or execute arbitrary code on affected devices.

We strongly recommend that users of the affected Zyxel products update to the latest firmware on an emergency basis. At time of writing, the latest firmware version is 5.36 Patch 2, or 4.73 Patch 2 for ZyWALL/USG. See Zyxel’s advisory for additional details.
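The three advisories above (Ivanti EPMM, FortiOS, and Zyxel) each reduce to the same operational question: which devices in an inventory are still on a firmware or software version below the vendor's fix for their release branch? The following is an added example, written for this page and not code from Rapid7 or any of the vendors. It encodes the fixed versions exactly as the advisories list them, compares an installed version against the fix for the same branch, and flags versions on a branch the advisory does not list (the EPMM post notes that unsupported versions are affected and need the workaround). The product keys, the branch-depth rule, and the sample inventory are constructed assumptions; version strings are assumed to be dotted numbers with an optional "Patch N" suffix, as they appear on this page.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Fixed versions exactly as stated in the three advisories above.
FIXED_VERSIONS = {
    "ivanti-epmm": ("11.10.0.2", "11.9.1.1", "11.8.1.1"),             # CVE-2023-35078
    "fortios":     ("6.0.17", "6.2.15", "6.4.13", "7.0.12", "7.2.5"),  # CVE-2023-27997
    "zyxel-zld":   ("5.36 Patch 2", "4.73 Patch 2"),                  # CVE-2023-28771 (4.73 is ZyWALL/USG)
}

# Assumption: how many leading version components identify a branch that gets
# its own fix. FortiOS 7.0 vs 7.2 and EPMM 11.9 vs 11.10 differ in the minor
# field; the two Zyxel firmware trains differ in the major field.
BRANCH_DEPTH = {"ivanti-epmm": 2, "fortios": 2, "zyxel-zld": 1}

PATCHED, VULNERABLE, UNLISTED = "patched", "vulnerable", "unlisted-branch"

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(?:\s+Patch\s+(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.0.12', '11.10.0.2' or '5.36 Patch 2' into a comparable tuple of ints.

    A missing 'Patch N' yields a shorter tuple, which Python orders before the
    same prefix with a patch number, so '5.36' < '5.36 Patch 2' as intended.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(n) for n in m.group(1).split(".")]
    if m.group(2) is not None:
        parts.append(int(m.group(2)))
    return tuple(parts)


class Assessment(NamedTuple):
    product: str
    installed: str
    status: str            # PATCHED, VULNERABLE or UNLISTED
    fixed_in: Optional[str]


def assess(product: str, installed: str) -> Assessment:
    """Compare an installed version with the advisory's fix for the same branch."""
    depth = BRANCH_DEPTH[product]
    have = parse_version(installed)
    branch = have[:depth]
    candidates = [f for f in FIXED_VERSIONS[product] if parse_version(f)[:depth] == branch]
    if not candidates:
        # No listed fix for this branch: e.g. an out-of-support EPMM release,
        # which the advisory says is still affected and needs the workaround.
        return Assessment(product, installed, UNLISTED, None)
    fix = candidates[0]   # assumption: one fixed build per branch
    status = PATCHED if have >= parse_version(fix) else VULNERABLE
    return Assessment(product, installed, status, fix)


def triage(inventory: List[Tuple[str, str]]) -> List[Assessment]:
    """Return only the assets that still need action (anything not patched)."""
    return [r for r in (assess(p, v) for p, v in inventory) if r.status != PATCHED]


# Constructed sample inventory; not data from the advisories.
SAMPLE_INVENTORY = [
    ("ivanti-epmm", "11.10.0.1"),
    ("ivanti-epmm", "11.8.1.1"),
    ("ivanti-epmm", "11.7.0.1"),
    ("fortios", "7.0.11"),
    ("fortios", "7.2.5"),
    ("zyxel-zld", "5.36 Patch 1"),
    ("zyxel-zld", "4.73 Patch 2"),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        action = f"update to {r.fixed_in}" if r.fixed_in else "branch not in advisory; apply vendor workaround"
        print(f"{r.product:12} {r.installed:14} {r.status:16} {action}")
```

The branch-depth rule is the part to adapt when reusing this for another advisory: a product whose fixes are cut per major version needs depth 1, one with per-minor-version builds needs depth 2, and an installed version whose branch has no listed fix should be surfaced rather than silently treated as safe.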

Rapid7 Customers

For InsightVM and Nexpose customers, a remote vulnerability check for CVE-2023-28771 has been available since the May 19, 2023 content release.

Additional remote vulnerability checks for CVE-2023-33009 and CVE-2023-33010 are expected to ship in the May 31, 2023 content release.

ICYMI: 10 cybersecurity acronyms you should know in 2023

Post Syndicated from Drew Burton original https://blog.rapid7.com/2022/12/20/icymi-10-cybersecurity-acronyms-you-should-know-in-2023/


Cybersecurity is acronym-heavy to say the least. If you’re reading this, you already know. From CVE to FTP, we in IT love our abbreviations, FR FR. Truthfully though, it can be a bit much, and even the nerdiest among us miss a few. So, In Case You Missed It, here are 10 cybersecurity acronyms you should know IRL, err in 2023.

HUMINT

Peppermint on a sticky day? How dare you. HUMINT is short for Human Intelligence. This abbreviation refers to information collected by threat researchers from sources across the clear, deep and dark web. Real people doing real things, you might say. These folks are out there hunting down potential threats and stopping them before they occur. Pretty cool stuff, TBH.

CSPM

Cloud Security Posture Management tools include use cases for compliance assessment, operational monitoring, DevOps integrations, incident response, risk identification, and risk visualization. Good posture: so hot RN.

IAM

Not the guy with the green eggs, this IAM stands for Identity and Access Management. CSO online says IAM is a “set of processes, policies, and tools for defining and managing the roles and access privileges of individual network entities (users and devices) to a variety of cloud and on-premises applications”. Green Eggs and Ham didn’t age well IMO, Sam was kind of a bully. JK JK.


XDR

AKA Extended Detection and Response. Forrester calls XDR the “evolution of endpoint detection and response”. Gartner says it’s integrating “multiple security products into a cohesive security operations system”. Essentially, XDR is about taking a holistic approach to more efficient, effective detection and response. It’s definitely not an Xtreme Dude Ranch. That’s just absurd.

XSPM

According to Hacker News, “Extended Security Posture Management is a multilayered process combining the capabilities of Attack Surface Management (ASM), Breach and Attack Simulation (BAS), Continuous Automated Red Teaming (CART), and Purple Teaming to continuously evaluate and score the infrastructure’s overall cyber resiliency.” Yes, that definition includes three additional acronyms. Plus, one of them is CART, SMH.

RASP

Runtime application self-protection tools can block malicious activity while an application is in production. If RASP detects a security event such as an attempt to run a shell, open a file, or call a database, it will automatically attempt to terminate that action, NBD.
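To make the RASP idea concrete, here is an added example (written for this page, not any vendor's product) of an in-process guard that terminates an attempt to launch a shell or external program from inside a running Python application. It uses CPython's `sys.addaudithook`, which lets a hook abort an operation by raising an exception; the policy (which audit events count as "run a shell"), the arm/disarm context manager, and the recorded blocked-action log are constructed assumptions for illustration.

```python
import contextlib
import subprocess
import sys
import threading


class BlockedByRasp(RuntimeError):
    """Raised inside the protected application when a policy-violating action is attempted."""


# Constructed policy: audit events that correspond to "run a shell" in the post's example.
BLOCKED_EVENTS = {
    "subprocess.Popen": "launch an external program",
    "os.system": "run a shell command",
}

_state = threading.local()   # per-thread "armed" flag
_blocked = []                # record of terminated actions, for the SOC to review


def _rasp_hook(event, args):
    """Audit hook: abort any policy-violating action while protection is armed."""
    if event in BLOCKED_EVENTS and getattr(_state, "armed", False):
        # args[:2] is (executable, argv) for subprocess.Popen and (command,) for os.system
        _blocked.append((event, repr(args[:2])))
        raise BlockedByRasp(f"blocked attempt to {BLOCKED_EVENTS[event]} ({event})")


sys.addaudithook(_rasp_hook)   # audit hooks cannot be removed once installed


@contextlib.contextmanager
def protected():
    """Arm enforcement for the code inside the block (the 'application in production')."""
    _state.armed = True
    try:
        yield
    finally:
        _state.armed = False


def is_armed() -> bool:
    return bool(getattr(_state, "armed", False))


def python_noop_command():
    """A command that exists on any host with this interpreter: runs and exits immediately."""
    return [sys.executable, "-c", "pass"]


def attempt_command(argv, armed=True) -> str:
    """Simulate application code spawning a process; returns 'ran' or 'blocked'."""
    guard = protected() if armed else contextlib.nullcontext()
    try:
        with guard:
            subprocess.run(argv, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return "ran"
    except BlockedByRasp:
        return "blocked"


def blocked_actions():
    """Copy of the log of actions the guard terminated."""
    return list(_blocked)


if __name__ == "__main__":
    cmd = python_noop_command()
    print("unprotected:", attempt_command(cmd, armed=False))
    print("protected:  ", attempt_command(cmd))
    for event, args in blocked_actions():
        print("terminated:", event, args)
```

The guard only acts while armed, so the same process can still spawn subprocesses legitimately outside the protected region, and the log records what was stopped rather than discarding it. A real RASP agent works on the same principle but instruments many more sinks (file, database, deserialization) and its own policy engine, not a hand-written event set.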

MDR

Managed Detection and Response providers deliver technology and human expertise to perform threat hunting, monitoring, and response. The main benefit of MDR is that it helps organizations limit the impact of threats without the need for additional staffing. In other words, they are free to TCB instead of worrying about security stuff.

MSSP

A Managed Security Service Provider provides outsourced monitoring and management of security devices and systems. MSSPs deliver managed firewall, intrusion detection, virtual private network, vulnerability scanning, and other services. Oh BTW, sometimes MSSPs partner with MDR vendors to deliver services to their customers.

DAST

Dynamic Application Security Testing is the process of analyzing a web application to find vulnerabilities through simulated attacks. DAST is all about finding vulnerabilities in web applications and correcting them before they can be exploited by threat actors. A dastardly deed conducted with no ill will … if you will.

WAF

A Web Application Firewall is a type of firewall that filters, monitors, and blocks HTTP traffic to and from a web service. It is designed to prevent attacks exploiting a web application’s known vulnerabilities, such as SQL injection, cross-site scripting, file inclusion, and improper system configuration. Proper WAF definition there, zero Cardi B jokes. Those are NSFW.

ISO 27001 Certification: What it is and why it matters

Post Syndicated from Drew Burton original https://blog.rapid7.com/2022/12/06/iso-27001-certification-what-it-is-and-why-it-matters/


Did you know that Rapid7’s information security management system (ISMS) is ISO 27001 certified? This certification validates that our security strategy and processes meet very high standards. It underscores our commitment to corporate and customer data security.

What is ISO 27001?

ISO 27001 is an internationally recognized standard for information security management published by the International Standards Organization (ISO). It details requirements for establishing, implementing, maintaining and continually improving an ISMS.

ISO 27001 is focused on risk management and taking a holistic approach to security. Unlike some standards and frameworks, ISO 27001 does not require the implementation of specific technical controls. Instead, it provides a framework and checklist of controls that can be used to develop and maintain a comprehensive ISMS.

It is one of more than ten published standards in the ISO 27000 family. It is the only standard among them that an organization can be certified against.

To become ISO 27001 certified, an organization must:

  • Systematically examine its information security risks, taking account of the threats, vulnerabilities, and impacts.
  • Design and implement a coherent and comprehensive suite of information security controls and risk avoidance measures.
  • Adopt an overarching management process that ensures the information security controls continue to meet the organization’s information security needs over time.

Then, the ISMS must be audited by a third party. This is a rigorous process, which determines whether the organization has implemented applicable best practices as defined in the standard. Certified organizations must undergo annual audits to maintain compliance. Rapid7’s ISMS was audited by Schellman.

Why does ISO 27001 certification matter?

Rapid7 is committed to helping our customers reduce risk to their organizations. ISO 27001 certification is one way that we demonstrate that commitment. It is worth noting that certification is not a legal requirement, rather, it is proof that an organization’s security strategy and processes meet very high standards. Rapid7 believes that maintaining the highest standards of information security for ourselves and our clients is essential.

As noted above, ISO 27001 provides a framework to meet those standards. That framework is based on three guiding principles to help organizations build their security strategy and develop effective policies and controls: Confidentiality, Integrity, and Availability.

  • Confidentiality means that data should be kept private, secure, and accessible only by authorized individuals.
  • Integrity requires that organizations ensure consistent, accurate, reliable, and secure data.
  • Availability means systems, applications, and data are available and accessible to satisfy business needs.

Rapid7’s security strategy reflects these principles. Our platform and products are designed to fit securely into your environment and your data is accessible when you need it—with full visibility into where it lives, who has access to it, and how it is used. When you partner with Rapid7, your data stays safe. Period.

For more information about the policies and procedures Rapid7 has in place to keep our data, platform, and products secure, visit the Trust section of our website.

ISO 27002 Emphasizes Need For Threat Intelligence

Post Syndicated from Drew Burton original https://blog.rapid7.com/2022/07/25/iso-27002-emphasizes-need-for-threat-intelligence/


With employees reluctant to return to the office following the COVID-19 pandemic, the concept of a well-defined network perimeter has become a thing of the past for many organizations. Attack surfaces continue to expand, and as a result, threat intelligence has taken on even greater importance.

Earlier this year, the International Organization for Standardization (ISO) released ISO 27002, which features a dedicated threat intelligence control (Control 5.7). This control is aimed at helping organizations collect and analyze threat intelligence data more effectively. It also provides guidelines for creating policies that limit the impact of threats. In short, ISO 27002’s Control 5.7 encourages a proactive approach to threat intelligence.

Control 5.7 specifies that threat intelligence must be “relevant, perceptive, contextual, and actionable” in order to be effective. It also recommends that organizations consider threat intelligence on three levels: strategic, operational, and tactical.

  • Strategic threat intelligence is defined as high-level information about the evolving threat landscape (information about threat actors, types of attacks, etc.)
  • Operational threat intelligence is information about the tactics, tools, and procedures (TTPs) used by attackers.
  • Tactical threat intelligence includes detailed information on particular attacks, including technical indicators.

ISO 27002 is intended to be used with ISO 27001, which provides guidance for establishing and maintaining information security management systems. Many organizations use ISO 27001 and 27002 in conjunction as a framework for showing compliance with regulations where detailed requirements are not provided, for example the Sarbanes-Oxley Act (SOX) in the US and the Data Protection Directive in the EU.

How Rapid7 can help

In addition to our threat intelligence and digital risk protection solution Threat Command, there are several Rapid7 products and services that can help you address a variety of controls recommended in ISO 27002.

InsightVM identifies and classifies assets, audits password policies, and identifies and prioritizes vulnerabilities. Metasploit can be used to validate vulnerability exploitability, audit the effectiveness of network segmentation, and conduct technical compliance tests. InsightAppSec tests the security of web applications. InsightIDR monitors user access to the network, collects and analyzes events, and assists in incident response.

Additionally, Rapid7 can provide security consulting services, perform an assessment of your organization’s current state of controls against the ISO 27002 framework, and identify gaps in your security program. We can also develop and review security policies, conduct penetration tests, respond to security incidents, and more.

Addressing ISO 27002 Control 5.7

A dedicated threat intelligence and digital risk protection solution like Rapid7 Threat Command can greatly ease the process of addressing Control 5.7.

Threat Command is designed to simplify the collection and analysis of threat intelligence data — from detection to remediation. It proactively monitors thousands of sources across the clear, deep, and dark web and delivers tailored threat intelligence information specific to your organization. Even better, Threat Command helps reduce the information overload with comprehensive external threat protection from a single pane of glass.

Threat Command enables you to make informed decisions, rapidly detect and mitigate threats, and minimize exposure to your organization. Simply input your digital assets and properties, and you’ll receive relevant alerts categorized by severity, type of threat, and source. Fast detection and integration with SIEM, SOAR, EDR, and firewall allow you to quickly turn threat intelligence into action.

To learn more about how Threat Command fits into your organization’s security strategy, schedule a demo today.
