Post Syndicated from Roshnee Mistry Shah original https://blog.rapid7.com/2023/09/29/whats-new-in-insightvm-and-nexpose-q3-2023-in-review/

A lot of new and exciting product updates this quarter to help customers continue driving better security outcomes. We are thrilled to launch a new vulnerability risk scoring strategy this quarter along with upgrades like improved UI for the Engine Pool page, more policy coverage, and more. Let’s take a look at some of the key updates in InsightVM and Nexpose from Q3.

[InsightVM and Nexpose] Introducing Active Risk

We’re excited to launch Active Risk in InsightVM and Nexpose Active Risk is Rapid7’s vulnerability risk-scoring methodology designed to help security teams prioritize vulnerabilities that are actively exploited or most likely to be exploited in the wild.

Our approach takes into account the latest version of the Common Vulnerability Scoring System (CVSS) available for a vulnerability and enriches it with multiple threat intelligence feeds, including proprietary Rapid7 research, to provide security teams with a threat-aware vulnerability risk score. Learn more here.

[InsightVM] Two new Active Risk dashboard cards

To help security teams communicate the risk posture cross-functionally by providing context on which vulnerabilities need to be prioritized and where the riskiest assets lie, we have launched two new dashboard cards in InsightVM:

• Vulnerability Findings by Active Risk Score Severity – indicates total number of vulnerabilities across the Active Risk severity levels and number of affected assets and instances. Ideal for executive reporting.
• Vulnerability Findings by Active Risk Score Severity and Publish Age – shows number of vulnerabilities across the Active Risk severity levels and by publish age. Ideal for sharing with remediation stakeholders to prioritize vulnerabilities for next patch cycle (ex: publish age is between 0-29 days) or identify critical vulnerabilities that may have been missed (ex: publish age is greater than 90 days for critical vulnerabilities).

[InsightVM and Nexpose] Engine Pool page update

In continuation with the Security Console user interface (UI) upgrades, Engine Pools is now located on its own page and has been updated with a new look. The updated UI can be accessed from the Administration page, and supports both light and dark modes for a more intuitive and consistent user experience.

[InsightVM and Nexpose] Containerized Scan Engine Kubernetes support

Customers are adopting modern, containerized infrastructure due to its ease of installation and  maintenance (OS upgrades). Containerized Scan Engine delivers the Scan Engine as a packaged or portable application that can easily be deployed to modern infrastructure. Rapid7 customers can now deploy containerized Scan Engine in popular cloud-hosted K8s platforms like Amazon EKS (Elastic Kubernetes Service) and Google GKE. Learn more here.

[InsightVM and Nexpose] Policy coverage for Palo Alto Firewall 10

Customers can now enable policy assessment for Palo Alto 10, a critical firewall technology, in their environments. Policy assessment in InsightVM helps security teams assess the configuration of IT assets against commonly used CIS or DISA STIG benchmarks, allowing them to better meet compliance mandates and proactively secure their environment. You can use the Palo Alto Firewall 10 policy as-is or customize it to meet your business needs. Learn more here.

[InsightVM] Quick Actions in InsightVM

Quick Actions are pre-configured automation actions you can run within InsightVM to automate some of your most frequent tasks like creating an incident with ServiceNow, searching for vulnerabilities with AttackerKB, and more. No configuration is required for leveraging Quick Actions; you don’t need to deploy an orchestrator or create a single connection. Learn more here.

Note: To use Quick Actions, you’ll need an InsightConnect license, which is included at all tiers of the Cloud Risk Complete package.

[InsightVM and Nexpose] Checks for notable vulnerabilities

We have been committed to providing swift coverage for the emergent threats Rapid7 responds to under our Emergent Threat Response (ETR) program. Since Q4 2022, we provided coverage the same day or within 24 hours for almost 30 emergent threats, which includes zero-day vulnerabilities. ETRs we responded to in the past quarter include:

Exploitation of Juniper Networks
On August 17, 2023, Juniper Networks published an out-of-band advisory on four different CVEs affecting Junos OS on SRX and EX Series devices. InsightVM and Nexpose customers can assess their exposure to all four CVEs with vulnerability checks. Learn more here.

CVE-2023-35078 – Critical API Access Vulnerability in Ivanti Endpoint Manager Mobile
CVE-2023-35078 is a remote unauthenticated API access vulnerability in Ivanti Endpoint Manager Mobile, which was previously branded as MobileIron Core. The vulnerability has a CVSS v3 base score of 10.0 and has a severity rating of Critical. An unauthenticated vulnerability check for CVE-2023-35078 is available to InsightVM customers. Learn more here.

Critical Zero-Day Vulnerability in Citrix NetScaler ADC and NetScaler Gateway
Citrix published a security bulletin warning users of three new vulnerabilities affecting NetScaler ADC and NetScaler Gateway. CVE-2023-3519 is known to be exploited in the wild. This product line is a popular target for attackers of all skill levels, and we expect that exploitation will increase quickly. Rapid7 strongly recommends updating to a fixed version on an emergency basis, without waiting for a typical patch cycle to occur. Learn more here.

Active Exploitation of Multiple Adobe ColdFusion Vulnerabilities
Adobe ColdFusion, an application server and a platform for building and deploying web and mobile applications, was affected by multiple CVE this month, including a Rapid7-discovered vulnerability (CVE-2023-29298). Learn more about the vulnerabilities and mitigation guidance here.

15 CVEs Affecting SonicWall
SonicWall published an urgent security advisory warning customers of 15 new vulnerabilities affecting on-premise instances of their Global Management System (GMS) and Analytics products.While these vulnerabilities are not known to be exploited in the wild,  they could allow an attacker to view, modify, or delete data that they are not normally able to retrieve, causing persistent changes to the application’s content or behavior. Learn more here.

Post Syndicated from Roshnee Mistry Shah original https://blog.rapid7.com/2023/06/29/whats-new-in-insightvm-and-nexpose-q2-2023-in-review/

The past few weeks have been extraordinary for the global threat landscape with zero-day vulnerabilities like MOVEit (CVE-2023-34362) and Barracuda’s Email Security Gateway (ESG) (CVE-2023-2868). Rapid7’s security research team was one of the first to detect exploitation of Progress Software’s MOVEit Transfer solution—four days before the vendor issued public advisory. From there, the team moved quickly to provide prompt remediation guidance to InsightVM and Nexpose customers.

With continued focus to drive better customer outcomes, this quarter is filled with product upgrades like improved UI for the Console, custom policy for Agent-Based assessment, an updated dashboard card, and more. Let’s take a look at some of the key updates in InsightVM and Nexpose from Q2.

[InsightVM] Agent-Based Policy supports custom policy assessment

Guidelines from Center for Internet Security (CIS) and Security Technical Implementation Guides (STIG) are widely used industry benchmarks for configuration assessment. However, a benchmark or guideline alone may not meet the unique needs of every business.

So, Agent-Based Policy assessment now supports Custom Policies. Global Administrators can now customize built-in policies, upload policies, or enable a copy of existing custom policies for agent-based assessments. Learn more here.

[InsightVM] Top Riskiest Asset Locations dashboard card provides even more details

The Top Riskiest Asset Locations dashboard card previously showed site location and risk score. This card was enhanced, on customer request, to also include total assets and total vulnerabilities in the card preview. This provides customers additional context around why a location has a large risk score and helps alert users to sites requiring additional attention.

[InsightVM and Nexpose] A new look for the Users section of the Console Administration

This quarter, we also continued updating the user interface (UI) of the Console Administration to facilitate a more intuitive and consistent user experience across the Console and the Insight Platform, including InsightVM.

The latest section to be updated is the Users section of the Console Administration. The update improves accessibility and the overall user experience of the Users page. We also made some cool new additions like light mode, a wizard to make adding new users under “Add Users” section more intuitive, and the ability to Manage columns displayed on the Users overview section.

[InsightVM and Nexpose] Support for Ubuntu 22.04 LTS

Security Console and Scan Engine now support Ubuntu 22.04 Operating System. Ubuntu is one of the most popular Linux distributions. Version 22.04 of Ubuntu will receive long term support from the vendor for hardware and maintenance updates as well as extended security maintenance. Customers on the previous versions of Ubuntu can now upgrade to 22.04!

[InsightVM and Nexpose] Containerized scan engine – continuous release

Containerized Scan Engine delivers the Scan Engine as a packaged or portable application that can easily be deployed to modern infrastructure. Now a new Containerized Engine image is automatically created and posted to Docker Hub with every InsightVM Product or Content update. This ensures you’re continuously working with the latest release. Prior versions are also available, denoted by tag. Learn more about containerized scan engines.

[InsightVM and Insight Platform] New retention setting for tracking Insight Agents

You can now configure the retention period that determines how long Insight Agents are tracked in your Agents table. In addition to the default 30 day period, this new setting allows you to set retention periods of 7 and 15 days. See our updated Agent management settings documentation for configuration instructions and more details.

[InsightVM and Nexpose] Checks for notable vulnerabilities

We have been committed to providing swift coverage for the emergent threats Rapid7 responds to under our Emergent Threat Response (ETR) program. Since Q4 2022, we provided coverage the same day or within 24 hours for over 20 emergent threats, which includes zero-day vulnerabilities.

Rapid7’s Emergent Threat Response (ETR) program flagged multiple CVEs this quarter. InsightVM and Nexpose customers can assess their exposure to many of these CVEs with vulnerability checks, including:

• MOVEit Transfer solution CVE-2023-34362: Rapid7’s research team saw the first instances of compromise in Progress Software’s MOVEit Transfer solution. This was four days before the vendor issues public advisory. Since then our team has been tracking this critical zero-day vulnerability. Rapid7 has remote and authenticated vulnerability checks available to InsightVM and Nexpose customers for both MOVEit Transfer vulnerabilities. Learn more here.
• Widespread Exploitation of Zyxel Network Devices CVE-2023-28771: Added to the Known Exploited Vulnerabilities (KEV) list by CISA, this vulnerability impacted the Zyxel networking devices. The vulnerability is present in the default configuration of vulnerable devices and is exploitable in the Wide Area Network (WAN) interface, which is intended to be exposed to the internet. Learn more about Rapid7’s response here.
• PaperCut Remote Code Execution Vulnerability CVE-2023-27350: an unauthenticated remote code execution vulnerability in PaperCut MF/NG print management software that allows attackers to bypass authentication and execute arbitrary code as SYSTEM on vulnerable targets. InsightVM customers have an authenticated check available for the CVE on Windows and MacOS systems. Learn more about Rapid7’s response here.
• Barracuda ESG Appliances CVE-2023-2868: The Email Security Gateway (ESG) appliances of Barracuda Networks were impacted by a remote command injection vulnerability that the firm said had been exploited in the wild by threat actors since at least October 2022. Learn more about the CVE and mitigation guidance here.
• Fortinet’s Fortigate Firewall CVE-2023-27997: A critical remote code execution (RCE) vulnerability was discovered in Fortigate SSL VPN firewalls. Fortinet device vulnerabilities are historically popular with attackers of all skill levels, though exploitability varies on a vuln-by-vuln basis. An authenticated vulnerability check is available for Rapid7 customers to assess their exposure. Learn more here.

Post Syndicated from Greg Wiseman original https://blog.rapid7.com/2021/11/03/insightvm-scan-diagnostics-troubleshooting-credential-issues-for-authenticated-scanning/

Have you ever tried to figure out why a vulnerability or policy scan isn’t showing you the results you expect, even though you’ve provided credentials? If so, you’ll be pleased to hear that the November 3rd release of Nexpose and InsightVM (version 6.6.111) will introduce a new check category designed to help troubleshoot issues with credentialed scanning: Scan Diagnostics.

No more combing through scan logs to get answers! These checks will be disabled by default, but you can configure them to run by adjusting your scan templates. When enabled, Scan Diagnostics checks will report a “vulnerable” result against assets when the Scan Engine is supplied with credentials but unable to gather local information.

The challenge of finding the right fix

For complete and accurate coverage, the InsightVM Scan Engine requires local access to systems being scanned. Most Microsoft checks are based on values found in the Windows Registry. Checks for Linux distributions typically require access to the package manager, which is important for vulnerability correlation (cutting down on noise due to backported fixes).

This means that for many types of scans, you need to tell the engine how it should authenticate by configuring credentials. When things go smoothly, the engine will collect all the data it needs for vulnerability or policy assessments. But when results aren’t as expected, it can be challenging to understand what went wrong.

The way the Security Console currently indicates authentication status results is rather coarse-grained. Credential Success means it’s all good, but a Credential Failure (or the puzzling “Partial Credential Success”) can often leave a VM analyst scratching their head about how to fix things.

Bringing greater visibility to your scanning environment

Our new Scan Diagnostics checks provide more detailed visibility into where things fell apart. Because the results are written as vulnerability checks, you’ll be able to use a lot of familiar product functionality to work with them. They can be enabled or disabled via scan templates, and you can report on them like any other category. We’ll also be providing solution information to make it easier to resolve issues, and you can look at the proof the scanner provides to get additional context.

Another advantage of using check results for Scan Diagnostics is that they are built atop the expert system at the core of the scanner. This helps Scan Diagnostics target the most precise cause of an error and provide guidance accordingly. No more going through a laundry list of checkboxes to make sure your sites and assets are configured correctly.

Here is the initial set of Scan Diagnostics we’ll be releasing:

Note that these “vulnerabilities” carry the lowest possible severity and will not increase your risk score. However, they may increase overall vulnerability counts, so we’re leaving them turned off by default for now. If you do scan with them, you can adjust the scope of generated reports to exclude these results if you don’t want them to get passed through to remediation teams.

The existing status shown in the Authentication column of Scan Results and Node pages will remain the same for the time being, so that it is available regardless of whether this new Scan Diagnostics check type is enabled and won’t adjust anything on the corresponding dashboard card.

We’d love to hear any feedback on this new feature! Please reach out to your Customer Success Manager to let them know how it’s working out in your scans.