Tag Archives: Vulnerability management

Rapid7 Now Available Through Carahsoft’s NASPO ValuePoint

Post Syndicated from Rapid7 original https://blog.rapid7.com/2023/01/24/rapid7-now-available-through-carahsofts-naspo-valuepoint/

We are happy to announce that Rapid7’s solutions have been added to the NASPO ValuePoint Cloud Solutions contract held by Carahsoft Technology Corp. The addition of this contract enables Carahsoft and its reseller partners to provide Rapid7’s Insight platform to participating States, Local Governments, and Educational (SLED) institutions.

“Rapid7’s Insight platform goes beyond threat detection by enabling organizations to quickly respond to attacks with intelligent automation,” said Alex Whitworth, Sales Director who leads the Rapid7 Team at Carahsoft.

“We are thrilled to work with Rapid7 and our reseller partners to deliver these advanced cloud risk management and threat detection solutions to NASPO members to further protect IT environments across the SLED space.”

NASPO ValuePoint is a cooperative purchasing program facilitating public procurement solicitations and agreements using a lead-state model. The program provides the highest standard of excellence in public cooperative contracting. By leveraging the leadership and expertise of all states and the purchasing power of their public entities, NASPO ValuePoint delivers the highest valued, reliable and competitively sourced contracts, offering public entities outstanding prices.

“In partnership with Carahsoft and their reseller partners, we look forward to providing broader availability of the Insight platform to help security teams better protect their organizations from an increasingly complex and volatile threat landscape,” said Damon Cabanillas, Vice President of Public Sector Sales at Rapid7.

The Rapid7 Insight platform is available through Carahsoft’s NASPO ValuePoint Master Agreement #AR2472. For more information, visit https://www.carahsoft.com/rapid7/contracts.

Patch Tuesday – January 2023

Post Syndicated from Greg Wiseman original https://blog.rapid7.com/2023/01/10/patch-tuesday-january-2023/

Microsoft is starting the new year with a bang! Today’s Patch Tuesday release addresses almost 100 CVEs. After a relatively mild holiday season, defenders and admins now have a wide range of exciting new vulnerabilities to consider.

Two zero-day vulnerabilities emerged today, both affecting a wide range of current Windows operating systems.

CVE-2023-21674 allows Local Privilege Escalation (LPE) to SYSTEM via a vulnerability in Windows Advanced Local Procedure Call (ALPC), which Microsoft has already seen exploited in the wild. Given its low attack complexity, the existence of functional proof-of-concept code, and the potential for sandbox escape, this may be a vulnerability to keep a close eye on. An ALPC zero-day back in 2018 swiftly found its way into a malware campaign.

CVE-2023-21549 is a Windows SMB Witness Service elevation of privilege vulnerability for which Microsoft has not yet seen in-the-wild exploitation or a solid proof of concept, although Microsoft has marked it as publicly disclosed.

This Patch Tuesday also includes a batch of seven Critical Remote Code Execution (RCE) vulnerabilities. These are split between Windows Secure Socket Tunneling Protocol (SSTP) – source of another Critical RCE last month – and Windows Layer 2 Tunneling Protocol (L2TP). Happily, none of these has yet been seen exploited in the wild, and Microsoft has assessed all seven as “exploitation less likely” (though time will tell).

Today’s haul includes two Office Remote Code Execution vulnerabilities. Both CVE-2023-21734 and CVE-2023-21735 sound broadly familiar: a user needs to be tricked into running malicious files. Unfortunately, the security updates for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 are not immediately available, so admins with affected assets will need to check back later and rely on other defenses for now.

On the server side, five CVEs affecting Microsoft Exchange Server were addressed today: two Spoofing vulnerabilities, two Elevation of Privilege, and an Information Disclosure. Any admins who no longer wish to run on-prem Exchange may wish to add these to the evidence pile.

Anyone responsible for a SharePoint Server instance has three new vulnerabilities to consider. Perhaps the most noteworthy is CVE-2023-21743, a remote authentication bypass. Remediation requires additional admin action after the installation of the SharePoint Server security update; however, exploitation requires no user interaction, and Microsoft already assesses it as “Exploitation More Likely”. This regrettable combination of properties explains the Critical severity assigned by Microsoft despite the relatively low CVSS score.

Another step further away from the Ballmer era: Microsoft recently announced the potential inclusion of CBL-Mariner CVEs as part of Security Update Guide guidance starting as early as tomorrow (Jan 11). First released on the carefully-selected date of April 1, 2020, CBL-Mariner is the Microsoft-developed Linux distro which acts as the base container OS for Azure services, and also underpins elements of WSL2.

Farewell Windows 8.1, we hardly knew ye: today’s security patches include fixes for Windows 8.1 for the final time, since Extended Support for most editions of Windows 8.1 ends today.

Summary charts

[Summary chart images for Patch Tuesday January 2023 are not reproduced in this text.]

Summary tables

Apps vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-21780 | 3D Builder Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-21781 | 3D Builder Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-21782 | 3D Builder Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-21784 | 3D Builder Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-21786 | 3D Builder Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-21791 | 3D Builder Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-21793 | 3D Builder Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-21783 | 3D Builder Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-21785 | 3D Builder Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-21787 | 3D Builder Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-21788 | 3D Builder Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-21789 | 3D Builder Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-21790 | 3D Builder Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-21792 | 3D Builder Remote Code Execution Vulnerability | No | No | 7.8 |

Azure vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-21531 | Azure Service Fabric Container Elevation of Privilege Vulnerability | No | No | 7 |

Developer Tools vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-21538 | .NET Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-21779 | Visual Studio Code Remote Code Execution | No | No | 7.3 |

Exchange Server vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-21762 | Microsoft Exchange Server Spoofing Vulnerability | No | No | 8 |
| CVE-2023-21745 | Microsoft Exchange Server Spoofing Vulnerability | No | No | 8 |
| CVE-2023-21763 | Microsoft Exchange Server Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-21764 | Microsoft Exchange Server Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-21761 | Microsoft Exchange Server Information Disclosure Vulnerability | No | No | 7.5 |

Microsoft Office vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-21742 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-21744 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-21736 | Microsoft Office Visio Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-21737 | Microsoft Office Visio Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-21734 | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-21735 | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-21738 | Microsoft Office Visio Remote Code Execution Vulnerability | No | No | 7.1 |
| CVE-2023-21741 | Microsoft Office Visio Information Disclosure Vulnerability | No | No | 7.1 |
| CVE-2023-21743 | Microsoft SharePoint Server Security Feature Bypass Vulnerability | No | No | 5.3 |

System Center vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-21725 | Windows Malicious Software Removal Tool Elevation of Privilege Vulnerability | No | No | 6.3 |

Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-21676 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-21674 | Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability | Yes | No | 8.8 |
| CVE-2023-21767 | Windows Overlay Filter Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-21755 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-21558 | Windows Error Reporting Service Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-21768 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-21724 | Microsoft DWM Core Library Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-21551 | Microsoft Cryptographic Services Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-21677 | Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-21683 | Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-21758 | Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-21539 | Windows Authentication Remote Code Execution Vulnerability | No | No | 7.5 |
| CVE-2023-21547 | Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-21771 | Windows Local Session Manager (LSM) Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2023-21739 | Windows Bluetooth Driver Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2023-21733 | Windows Bind Filter Driver Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2023-21540 | Windows Cryptographic Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2023-21550 | Windows Cryptographic Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2023-21559 | Windows Cryptographic Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2023-21753 | Event Tracing for Windows Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2023-21766 | Windows Overlay Filter Information Disclosure Vulnerability | No | No | 4.7 |
| CVE-2023-21536 | Event Tracing for Windows Information Disclosure Vulnerability | No | No | 4.7 |
| CVE-2023-21759 | Windows Smart Card Resource Management Server Security Feature Bypass Vulnerability | No | No | 3.3 |

Windows ESU vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-21549 | Windows SMB Witness Service Elevation of Privilege Vulnerability | No | Yes | 8.8 |
| CVE-2023-21681 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-21732 | Microsoft ODBC Driver Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-21561 | Microsoft Cryptographic Services Elevation of Privilege Vulnerability | No | No | 8.8 |
| CVE-2023-21535 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2023-21548 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2023-21546 | Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2023-21543 | Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2023-21555 | Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2023-21556 | Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2023-21679 | Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2023-21680 | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-21541 | Windows Task Scheduler Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-21678 | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-21765 | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-21746 | Windows NTLM Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-21524 | Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-21747 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-21748 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-21749 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-21754 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-21772 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-21773 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-21774 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-21675 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-21552 | Windows GDI Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-21726 | Windows Credential Manager User Interface Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-21537 | Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-21730 | Microsoft Cryptographic Services Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-21527 | Windows iSCSI Service Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-21728 | Windows Netlogon Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-21557 | Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-21757 | Windows Layer 2 Tunneling Protocol (L2TP) Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-21760 | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.1 |
| CVE-2023-21750 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.1 |
| CVE-2023-21752 | Windows Backup Service Elevation of Privilege Vulnerability | No | No | 7.1 |
| CVE-2023-21542 | Windows Installer Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2023-21532 | Windows GDI Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2023-21563 | BitLocker Security Feature Bypass Vulnerability | No | No | 6.8 |
| CVE-2023-21560 | Windows Boot Manager Security Feature Bypass Vulnerability | No | No | 6.6 |
| CVE-2023-21776 | Windows Kernel Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2023-21682 | Windows Point-to-Point Protocol (PPP) Information Disclosure Vulnerability | No | No | 5.3 |
| CVE-2023-21525 | Remote Procedure Call Runtime Denial of Service Vulnerability | No | No | 5.3 |

Year in Review: Rapid7 Vulnerability Management

Post Syndicated from Tom Caiazza original https://blog.rapid7.com/2023/01/09/year-in-review-vulnerability-management/

For Rapid7’s vulnerability management team, 2022 began with a lot of introspection on how we can add more value and keep meeting our customer needs in the best possible ways.

Over the course of 2022, we launched many new features and improvements — some highly anticipated, many customer-requested. Log4J was difficult, but we learned from it, particularly when it comes to Emergent Threat Response.

Additionally, we recently refreshed our coordinated vulnerability disclosure (CVD) policy and philosophy. We found that we couldn’t treat every vulnerability equally and there was a need to be more agile with our CVD approach. So, we came up with six classes of vulnerabilities (and a meta-classification of “more than one”) and some broad strokes of what we intend to accomplish with our CVD for each of them.

We reimagined many of our internal processes and teams to drive better customer outcomes. For instance, we are making a significant investment in re-architecting the InsightVM/Nexpose database to ensure VM programs scale with customers’ evolving IT environments.

We will continue to prioritize what really matters, even if it means making some hard decisions, and further improve communication with our customers. Here’s a snapshot of 2022 in InsightVM.

Key Product Improvements

Agent-based policy assessment

A robust vulnerability management program should assess IT assets for misconfigurations along with vulnerabilities. That’s why we were thrilled to introduce Agent-Based Policy in InsightVM. Customers can now use Insight Agents to conduct configuration assessments of IT assets against widely used industry benchmarks from the Center for Internet Security (CIS) and the U.S. Defense Information Systems Agency (DISA) to help prevent breaches and ensure compliance.

Remediation Project improvements

Remediation Projects help security teams collaborate and track progress of remediation work (often assigned to their IT ops counterparts). Here are our favorite updates:

  • Remediator Export – a new solution-based CSV export option, Remediator Export contains detailed information about the assets, vulnerabilities, proof data, and more for a given solution.
  • Better way to track project progress – The new metric that calculates progress for Remediation Projects will advance for each individual asset remediated within a “solution” group. This means customers no longer have to wait for all the affected assets to be remediated to see progress.

Scan Assistant

Scan Assistant provides an innovative alternative to traditional credentialed scanning. Instead of account-based credentials, it uses digital certificates, which increases security and simplifies administration for authenticated scans.

  • Scan Assistant is now generally available for Linux
  • Automatic Scan Assistant credential generation – taking some more burden off the vulnerability management teams, customers can use the Shared Credentials management UI to automatically generate Scan Assistant credentials
  • Improved scalability – automated Scan Assistant software updates and digital certificate rotation for customers seeking to deploy and maintain a fleet of Scan Assistants.

Dashboards and reports

Customers like to use dashboards to visualize the impact of a specific vulnerability, or a set of vulnerabilities, on their environment, and we made quite a few updates in that area:

  • New dashboard cards based on CVSS v3 severity – we expanded CVSS dashboard cards to include a version that sorts the vulnerabilities based on CVSS v3 scores (along with CVSS v2 scores).
  • Threat feed dashboard includes CISA’s KEV catalog – we extended the scope of vulnerabilities tracked to incorporate CISA’s KEV catalog in the InsightVM Threat Feed Dashboard to help customers prioritize faster.
  • 5 New Dashboard Cards – We launched a set of five new dashboard cards that utilize line charts to show trends in vulnerability severity and allow for easy comparison when reporting.
  • Distribute Reports via Email – Customers can now send InsightVM reports to their teammates through email.

Agent improvements for virtual desktops

The pandemic fueled remote work and, with it, the use of virtual desktops. InsightVM can now identify agent-based assets that are Citrix VDI instances and correlate them to the user, enabling more accurate asset/instance tagging. This will create a smooth, streamlined experience for organizations that deploy and scan Citrix VDIs. Expect similar improvements for VMware Horizon VDIs in 2023.

Improved support

A new, opt-in feature eliminates the need for customers to attach logs to support cases and/or send logs manually, ensuring a faster, more intuitive support process.

Notable Emergent Threat Responses and Recurring Coverages

In 2022, we added support for enterprise systems like Windows Server 2022, AlmaLinux, VMware Horizon (server and client), and more to the recurring coverage list. Learn about the systems with recurring coverage.

Rapid7’s Emergent Threat Response (ETR) program is part of an ongoing process to deliver fast, expert analysis alongside first-rate security content for the highest-priority security threats. This year we flagged a number of critical vulnerabilities. To list a few:

That’s not all. We added over 21,000 new checks across close to 9,000 CVEs to help customers better understand, and reduce, their risk.

Check out our past blogs – Q1, Q2, and Q3 – to get more information on product improvements and key vulnerability coverages.

Customer Stories and Resources

Over the past year, we had the privilege of sharing stories of how our customers are using InsightVM to secure their environments. Check out how your peers are leveraging InsightVM. Here’s what one customer had to say:

“That is one of the things we value most about InsightVM; it has the capacity to pinpoint actively-exploited vulnerabilities, so we can prioritize and direct our attention where it’s needed most.”

For customers looking to improve the utilization of the Vulnerability Management tool, check out this webcast series that covers the different phases of VM lifecycle – Discovery, Analyze, Communicate, and Remediate. Lastly, customers can always leverage Rapid7 Academy to participate in workshops and training to continue their learning journey.

Looking forward to 2023

We will maintain our customer-centricity in 2023 as we continue to deliver features and improvements in customers’ best interests. We will be holding a webinar on January 24 around configuration assessment in InsightVM agent-based policy. And, as always, be on the lookout for our annual vulnerability intelligence report coming soon to a Q1 near you (here’s last year’s)!

CVE-2022-27518: Critical Fix Released for Exploited Citrix ADC, Gateway Vulnerability

Post Syndicated from Glenn Thorpe original https://blog.rapid7.com/2022/12/13/cve-2022-27518-critical-fix-released-for-exploited-citrix-adc-gateway-vulnerability/

Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too.

On Tuesday, December 13, 2022, Citrix published the Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27518, announcing fixes for a critical unauthenticated remote code execution (RCE) vulnerability that exists in certain configurations of its Gateway and ADC products. This vulnerability has reportedly been exploited in the wild by state-sponsored threat actors.

In a blog post, Citrix states that no workarounds are available for this vulnerability and that customers running an impacted version (those with a SAML SP or IdP configuration) should update immediately.

Citrix is a high-value target for any capable attacker; earlier today, the National Security Agency (NSA) published Citrix ADC Threat Hunting Guidance warning that Citrix ADC is being targeted by state-sponsored adversaries.

Affected products

The following customer-managed product versions are affected by this vulnerability so long as the ADC or Gateway is configured as a SAML SP or a SAML IdP:

  • Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32
  • Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25
  • Citrix ADC 12.1-FIPS before 12.1-55.291
  • Citrix ADC 12.1-NDcPP before 12.1-55.291

Citrix’s blog post also contains information on how to determine if your configuration is a SAML SP or a SAML IdP.

Mitigation guidance

No workarounds are available; impacted organizations should update to one of the following versions on an emergency basis:

  • Citrix ADC and Citrix Gateway 13.0-58.32 and later releases of 13.0
  • Citrix ADC and Citrix Gateway 12.1-65.25 and later releases of 12.1
  • Citrix ADC 12.1-FIPS 12.1-55.291 and later releases of 12.1-FIPS
  • Citrix ADC 12.1-NDcPP 12.1-55.291 and later releases of 12.1-NDcPP
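As an added example (not Citrix's or Rapid7's code), the following Python helper encodes the affected and fixed builds listed above and classifies a given appliance build against them, so a fleet inventory can be checked in one pass. The build-string format `major.minor-build.patch` (for example `13.0-58.32`) is inferred from the bulletin's version strings; the `edition` argument for the FIPS and NDcPP branches, the `saml_configured` flag standing in for the bulletin's SAML SP/IdP precondition, and the hostnames in the sample inventory are this example's own conventions. Builds on branches the bulletin does not list are reported as unknown rather than safe.

```python
"""
Added example (not Citrix's or Rapid7's code): classify a Citrix ADC /
Gateway build against the CVE-2022-27518 affected and fixed ranges quoted
in the bulletin summary above.

Assumptions: build strings look like major.minor-build.patch ("13.0-58.32");
the FIPS and NDcPP branches are selected with `edition`; `saml_configured`
reflects whether the appliance is a SAML SP or IdP.
"""
import re
from dataclasses import dataclass
from typing import Tuple

BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")

# (branch, edition) -> first fixed build, taken from the mitigation guidance above.
FIRST_FIXED = {
    ("13.0", ""): "13.0-58.32",
    ("12.1", ""): "12.1-65.25",
    ("12.1", "FIPS"): "12.1-55.291",
    ("12.1", "NDcPP"): "12.1-55.291",
}


def parse_build(build: str) -> Tuple[int, int, int, int]:
    """Turn "13.0-58.32" into (13, 0, 58, 32) so builds compare as tuples."""
    m = BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {build!r}")
    major, minor, num, patch = (int(x) for x in m.groups())
    return major, minor, num, patch


@dataclass
class Assessment:
    status: str  # "affected", "fixed", "not_reachable" or "unknown"
    detail: str


def assess(build: str, edition: str = "", saml_configured: bool = True) -> Assessment:
    """Classify one appliance build against the CVE-2022-27518 ranges."""
    parsed = parse_build(build)
    branch = f"{parsed[0]}.{parsed[1]}"
    label = f"{branch}-{edition}" if edition else branch
    key = (branch, edition)
    if key not in FIRST_FIXED:
        # Not in the affected list quoted above: report unknown, never "safe".
        return Assessment("unknown", f"{label} is not listed in the bulletin summary above")
    if not saml_configured:
        # The bulletin scopes the issue to SAML SP / IdP configurations.
        return Assessment("not_reachable", f"{label} {build}: not configured as SAML SP or IdP")
    fixed = FIRST_FIXED[key]
    if parsed < parse_build(fixed):
        return Assessment(
            "affected",
            f"{label} {build} is older than first fixed build {fixed}; upgrade on an emergency basis",
        )
    return Assessment("fixed", f"{label} {build} is at or above {fixed}")


if __name__ == "__main__":
    # Constructed fleet inventory: (hostname, build, edition, SAML configured?)
    fleet = [
        ("adc-edge-1", "13.0-58.30", "", True),
        ("adc-edge-2", "13.0-58.32", "", True),
        ("gw-legacy", "12.1-65.24", "", True),
        ("adc-fips", "12.1-55.291", "FIPS", True),
        ("adc-lab", "13.0-58.30", "", False),
    ]
    for host, build, edition, saml in fleet:
        a = assess(build, edition, saml)
        print(f"{host:<12} {a.status:<13} {a.detail}")
```

Note that a standard 12.1 appliance on build 12.1-55.291 is still reported as affected: that build number is the fix for the FIPS and NDcPP branches only, while standard 12.1 needs 12.1-65.25, which is why the lookup is keyed on edition as well as branch.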

Rapid7 customers

InsightVM customers will be able to assess their exposure to CVE-2022-27518 with the content release scheduled for December 13, 2022.

Patch Tuesday – December 2022

Post Syndicated from Greg Wiseman original https://blog.rapid7.com/2022/12/13/patch-tuesday-december-2022/

As far as Patch Tuesdays go, defenders have a relatively light month to close out the year with only 48 CVEs being published by Microsoft today. (This does not include the 24 previously disclosed vulnerabilities affecting their Chromium-based Edge browser.)

There are two zero-days in the mix today. CVE-2022-44698 is a bypass of the Windows SmartScreen security feature, and has been seen exploited in the wild. It allows attackers to craft documents that won’t get tagged with Microsoft’s “Mark of the Web” despite being downloaded from untrusted sites. This means no Protected View for Microsoft Office documents, making it easier to get users to do sketchy things like execute malicious macros. Publicly disclosed, but not seen actively exploited, is CVE-2022-44710. It’s a classic elevation of privilege vulnerability affecting the DirectX graphics kernel on Windows 11 22H2 systems.

Administrators for SharePoint and Microsoft Dynamics deployments should be aware of Critical Remote Code Execution (RCE) vulnerabilities that need to be patched. Other Critical RCEs this month affect the Windows Secure Socket Tunneling Protocol (CVE-2022-44676 and CVE-2022-44670), .NET Framework (CVE-2022-41089), and PowerShell (CVE-2022-41076).

Happy holidays, and may your patching be merry and bright!

Summary charts

[Summary chart images for Patch Tuesday December 2022 are not reproduced in this text.]

Summary tables

Apps vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2022-44702 | Windows Terminal Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2022-24480 | Outlook for Android Elevation of Privilege Vulnerability | No | No | 6.3 |

Azure vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2022-44699 | Azure Network Watcher Agent Security Feature Bypass Vulnerability | No | No | 5.5 |

Browser vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2022-44708 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 8.3 |
| CVE-2022-41115 | Microsoft Edge (Chromium-based) Update Elevation of Privilege Vulnerability | No | No | 6.6 |
| CVE-2022-44688 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | No | No | 4.3 |
| CVE-2022-4195 | Chromium: CVE-2022-4195 Insufficient policy enforcement in Safe Browsing | No | No | N/A |
| CVE-2022-4194 | Chromium: CVE-2022-4194 Use after free in Accessibility | No | No | N/A |
| CVE-2022-4193 | Chromium: CVE-2022-4193 Insufficient policy enforcement in File System API | No | No | N/A |
| CVE-2022-4192 | Chromium: CVE-2022-4192 Use after free in Live Caption | No | No | N/A |
| CVE-2022-4191 | Chromium: CVE-2022-4191 Use after free in Sign-In | No | No | N/A |
| CVE-2022-4190 | Chromium: CVE-2022-4190 Insufficient data validation in Directory | No | No | N/A |
| CVE-2022-4189 | Chromium: CVE-2022-4189 Insufficient policy enforcement in DevTools | No | No | N/A |
| CVE-2022-4188 | Chromium: CVE-2022-4188 Insufficient validation of untrusted input in CORS | No | No | N/A |
| CVE-2022-4187 | Chromium: CVE-2022-4187 Insufficient policy enforcement in DevTools | No | No | N/A |
| CVE-2022-4186 | Chromium: CVE-2022-4186 Insufficient validation of untrusted input in Downloads | No | No | N/A |
| CVE-2022-4185 | Chromium: CVE-2022-4185 Inappropriate implementation in Navigation | No | No | N/A |
| CVE-2022-4184 | Chromium: CVE-2022-4184 Insufficient policy enforcement in Autofill | No | No | N/A |
| CVE-2022-4183 | Chromium: CVE-2022-4183 Insufficient policy enforcement in Popup Blocker | No | No | N/A |
| CVE-2022-4182 | Chromium: CVE-2022-4182 Inappropriate implementation in Fenced Frames | No | No | N/A |
| CVE-2022-4181 | Chromium: CVE-2022-4181 Use after free in Forms | No | No | N/A |
| CVE-2022-4180 | Chromium: CVE-2022-4180 Use after free in Mojo | No | No | N/A |
| CVE-2022-4179 | Chromium: CVE-2022-4179 Use after free in Audio | No | No | N/A |
| CVE-2022-4178 | Chromium: CVE-2022-4178 Use after free in Mojo | No | No | N/A |
| CVE-2022-4177 | Chromium: CVE-2022-4177 Use after free in Extensions | No | No | N/A |
| CVE-2022-4175 | Chromium: CVE-2022-4175 Use after free in Camera Capture | No | No | N/A |
| CVE-2022-4174 | Chromium: CVE-2022-4174 Type Confusion in V8 | No | No | N/A |

Developer Tools vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2022-41089 | .NET Framework Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2022-44704 | Microsoft Windows Sysmon Elevation of Privilege Vulnerability | No | No | 7.8 |

Developer Tools Windows ESU vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2022-41076 | PowerShell Remote Code Execution Vulnerability | No | No | 8.5 |

Microsoft Dynamics vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2022-41127 | Microsoft Dynamics NAV and Microsoft Dynamics 365 Business Central (On Premises) Remote Code Execution Vulnerability | No | No | 8.5 |

Microsoft Office vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2022-44690 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2022-44693 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2022-44694 | Microsoft Office Visio Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2022-44695 | Microsoft Office Visio Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2022-44696 | Microsoft Office Visio Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2022-44691 | Microsoft Office OneNote Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2022-44692 | Microsoft Office Graphics Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2022-26804 | Microsoft Office Graphics Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2022-26805 | Microsoft Office Graphics Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2022-26806 | Microsoft Office Graphics Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2022-47211 | Microsoft Office Graphics Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2022-47212 | Microsoft Office Graphics Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2022-47213 | Microsoft Office Graphics Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2022-44713 | Microsoft Outlook for Mac Spoofing Vulnerability | No | No | 7.5 |

Open Source Software Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2022-44689 | Windows Subsystem for Linux (WSL2) Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |

Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2022-44677 | Windows Projected File System Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2022-44683 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2022-44680 | Windows Graphics Component Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2022-44671 | Windows Graphics Component Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2022-44687 | Raw Image Extension Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2022-44710 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | No | Yes | 7.8 |
| CVE-2022-44669 | Windows Error Reporting Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2022-44682 | Windows Hyper-V Denial of Service Vulnerability | No | No | 6.8 |
| CVE-2022-44707 | Windows Kernel Denial of Service Vulnerability | No | No | 6.5 |
| CVE-2022-44679 | Windows Graphics Component Information Disclosure Vulnerability | No | No | 6.5 |
| CVE-2022-44674 | Windows Bluetooth Driver Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2022-44698 | Windows SmartScreen Security Feature Bypass Vulnerability | Yes | No | 5.4 |

Windows ESU vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2022-44676 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2022-44670 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2022-44678 | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2022-44681 | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2022-44667 | Windows Media Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2022-44668 | Windows Media Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2022-41094 | Windows Hyper-V Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2022-44697 | Windows Graphics Component Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2022-41121 | Windows Graphics Component Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2022-41077 | Windows Fax Compose Form Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2022-44666 | Windows Contacts Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2022-44675 | Windows Bluetooth Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2022-44673 | Windows Client Server Run-Time Subsystem (CSRSS) Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2022-41074 | Windows Graphics Component Information Disclosure Vulnerability | No | No | 5.5 |

Webinar: 2023 Cybersecurity Industry Predictions

Post Syndicated from Tom Caiazza original https://blog.rapid7.com/2022/12/08/webinar-2023-cybersecurity-industry-predictions/

Webinar: 2023 Cybersecurity Industry Predictions

With 2022 rapidly coming to a close, this is the time of year when it makes sense to take a step back, look at the year in cybersecurity, and make a few critical predictions for what the industry could face in the year ahead.

In order to give the security community some insight into where we’ve been and where we are going, Rapid7 has put together a webinar featuring some of Rapid7’s leading thinkers on the subject — and an important voice from a valued customer — to discuss some of the lessons learned and give their take on what 2023 will look like.

Featured in the webinar are Jason Hart, Rapid7’s Chief Technology Officer for EMEA; Simon Goldsmith, InfoSec Director at OVO Energy, the United Kingdom’s third largest energy retailer; Raj Samani, Senior Vice President and Chief Scientist at Rapid7; and Rapid7’s Vice President of Sales for APAC, Rob Dooley.

2022 – “A Challenging Year”

It may seem like the pace of critical vulnerabilities has only increased in 2022, and to our panel, it feels that way because it has. Whereas in years past, the cybersecurity industry would deal with a major vulnerability once a quarter or so (Heartbleed came to mind for some on our panel), this year it seemed like those vulnerabilities were coming to the fore nearly every week. Many of those vulnerabilities appeared to be actively exploited, raising the urgency for security teams to address them as quickly as possible.

This puts the onus on security teams not only to sift through the noise to find the signal (a spot where automation can be key), but also to provide expert analysis, all at a pace that the industry really hasn’t seen before.

For some, the fast pace of these vulnerabilities was an opportunity to test the mettle of their security operations. Even if their organizations weren’t victims of those attacks, the vulnerabilities can serve as “a lesson learned,” putting their incident response plans through their paces. This gives them the confidence to perform well during an actual attack and evangelizes the need for strong vulnerability management across their entire organization, not just within their security teams.

Prediction 1: Information Sharing and the Ever-Expanding Attack Landscape

To give some context for this first prediction, it is important to note that zero-day attacks are on the rise, the time to exploitation is getting shorter, and the social media giants — often a critical component of security community vulnerability information sharing — are becoming less and less reliable.

But the desire for the community to publish and share information about vulnerabilities is still strong. This form of asymmetry between threat actors and the security community has long existed, and there is still the inherent risk of transparency on one side benefiting those who seek opacity on the other. Information sharing within the community will be as critical as ever, especially as the reliable avenues for sharing that information dwindle in the coming months.

The way to combat this is by operationalizing cybersecurity — moving away from the binary approach of “patch or don’t patch” — and instead incorporating stronger context through a better understanding of past attack trends in order to prioritize actions and cover your organization from the actual risks.

Another key component is instituting better security hygiene across the organization, what Simon Goldsmith called “controlling the controllables.” This also includes tech stack modernization and the other infrastructural improvements organizations can make to put themselves in a better position to repel, and ultimately respond to, an ever more present threat across their networks.

Prediction 2: Cybersecurity Budgets and the Security Talent Shortage

At the same time that threat actors are making it harder on security teams across nearly every industry, the stakes are getting higher for those that are caught up in a breach. Governments are levying hefty fines for organizations that suffer data breaches and there is a real shortage of well-rounded security talent in the newest generation of security professionals.

In some cases this is due to an increase in specialization, but to harken back to the previous prediction, there is some level of “controlling the controllables” at play wherein organizations need to better nurture security talent. There are perennial components to the talent churn and shortfalls (i.e., reduced budgets, a lack of buy-in across the organization, etc.). However, there are more ways in which organizations can bolster their security teams.  

Focusing on diversity and inclusion within your security team is one way to improve not only the morale of your security team, but the efficacy that comes from having wide-ranging viewpoints and expertise present on a team all working together.

Another way to strengthen your team is to help them get out of the cybersecurity bubble. Finding ways to work across teams will not only increase the amount of expertise thrown at a particular problem, but will open avenues for innovation that may not have been considered by a completely siloed infosec team. This means opening up communication with engineering or development teams, and often bringing in a managed services partner to help boost the number of smart voices singing together.

Finally, move beyond the search for the mythical unicorn and acknowledge that experience and expertise count just as much or more than having the right certifications on paper. This should mean fostering career development for more junior team members, engaging current teammates in ways that make the work they do more of a passion and less of a grind, and also ensuring that your team’s culture is an asset working to bring everyone together.

Prediction 3: Operationalizing Security

The gap between technical stakeholders and the business leaders within organizations is getting wider, and will continue to do so, if changes aren’t made to the ways in which the two sides of the house understand each other.

Part of this disconnect comes from the question of “whether or not we’re safe.” In cybersecurity, there are no absolutes; despite compliance with all best practices, there will always be some level of risk. And security operations can often fall into the trap of asking for more funding to better identify more risk, identifying that risk, and then asking for more money to address it. This is not a sustainable approach to closing the understanding gap.

Stakeholders outside of the SOC should understand the ways in which security teams reduce risk through clear metrics and KPIs that demonstrate just how much improvement is being made in infosec, thus justifying the investment. This operationalization of security — the demonstration of improvements — is critical.

Another component of this disconnect lies in which parts of the organization are responsible for different security actions, and in ensuring they are working together clearly, cohesively, and most importantly, predictably. Protection Level Agreements can go a long way in ensuring that vulnerabilities are handled within a certain amount of time. This requires security teams to provide the relevant information about the vulnerability and how to remediate it to other stakeholders within a predictable window after the vulnerability is identified, so that those teams can take the steps necessary to remediate it.

Conclusion: Uniting Cybersecurity

It may seem that this blog post (and its sister webinar) offer up doom, gloom, and tons of FUD. And while that’s not entirely untrue, there is a silver lining. The commonality between all three of these predictions is the concept of uniting cybersecurity. Security is integrated within every component of an organization, and each group should understand what goals the security operation is striving for, how they will get there, how they themselves are accountable for moving that goal forward, and how that success will ultimately be measured. The cybersecurity community has an opportunity, and maybe even a mandate, to help bring these changes to their organizations, as it will be one of the most critical components of a safer cybersecurity operation.

All of these points (and so many more) are eloquently made on the webinar available here.

Patch Tuesday – November 2022

Post Syndicated from Greg Wiseman original https://blog.rapid7.com/2022/11/08/patch-tuesday-november-2022-2/

Patch Tuesday - November 2022

It’s a relatively light Patch Tuesday this month by the numbers – Microsoft has only published 67 new CVEs, most of which affect their flagship Windows operating system. However, four of these are zero-days, having been observed as exploited in the wild.

The big news is that two older zero-day CVEs affecting Exchange Server, made public at the end of September, have finally been fixed. CVE-2022-41040 is a “Critical” elevation of privilege vulnerability, and CVE-2022-41082 is considered Important, allowing Remote Code Execution (RCE) when PowerShell is accessible to the attacker. Both vulnerabilities have been exploited in the wild. Four other CVEs affecting Exchange Server have also been addressed this month. Three are rated as Important, and CVE-2022-41080 is another privilege escalation vulnerability considered Critical. Customers are advised to update their Exchange Server systems immediately, regardless of whether any previously recommended mitigation steps have been applied. The mitigation rules are no longer recommended once systems have been patched.

Three of the new zero-day vulnerabilities are:

  • CVE-2022-41128, a Critical RCE affecting the JScript9 scripting language (Microsoft’s legacy JavaScript dialect, used by their Internet Explorer browser).
  • CVE-2022-41073, the latest in a storied history of vulnerabilities affecting the Windows Print Spooler; it allows privilege escalation and is considered Important.
  • CVE-2022-41125, also an Important privilege escalation vulnerability, affecting the Windows Next-generation Cryptography (CNG) Key Isolation service.

The fourth zero-day, CVE-2022-41091, was previously disclosed and widely reported on in October. It is a Security Feature Bypass of “Windows Mark of the Web” – a mechanism meant to flag files that have come from an untrusted source.

Exchange Server admins are not the only ones on the hook this month: SharePoint Server is affected by CVE-2022-41062, an Important RCE that could allow an attacker who has Site Member privileges to execute code remotely on the server. CVE-2022-41122, a Spoofing vulnerability that Microsoft rates as “Exploitation more likely” than not, was actually addressed in September’s SharePoint patches but not included in their Security Update Guide at the time.

This month also sees Microsoft’s third non-CVE security advisory of the year, ADV220003, which is a “defense-in-depth” update for older versions of Microsoft Office (2013 and 2016) that improves validation of documents protected via Microsoft’s Information Rights Management (IRM) technology – a feature of somewhat dubious value, meant to help prevent sensitive information from being printed, forwarded, or copied without authorization.

Summary charts

Summary tables

Azure vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2022-41051 | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2022-41085 | Azure CycleCloud Elevation of Privilege Vulnerability | No | No | 7.5 |
| CVE-2022-39327 | GitHub: CVE-2022-39327 Improper Control of Generation of Code (‘Code Injection’) in Azure CLI | No | No | N/A |

Developer Tools vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2022-41119 | Visual Studio Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2022-41120 | Microsoft Windows Sysmon Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2022-41064 | .NET Framework Information Disclosure Vulnerability | No | No | 5.8 |
| CVE-2022-39253 | GitHub: CVE-2022-39253 Local clone optimization dereferences symbolic links by default | No | No | N/A |

ESU vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2022-41044 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2022-41116 | Windows Point-to-Point Tunneling Protocol Denial of Service Vulnerability | No | No | 5.9 |

ESU Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2022-41128 | Windows Scripting Languages Remote Code Execution Vulnerability | Yes | No | 8.8 |
| CVE-2022-41047 | Microsoft ODBC Driver Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2022-41048 | Microsoft ODBC Driver Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2022-41039 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2022-37966 | Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability | No | No | 8.1 |
| CVE-2022-38023 | Netlogon RPC Elevation of Privilege Vulnerability | No | No | 8.1 |
| CVE-2022-41109 | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2022-41073 | Windows Print Spooler Elevation of Privilege Vulnerability | Yes | No | 7.8 |
| CVE-2022-41057 | Windows HTTP.sys Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2022-37992 | Windows Group Policy Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2022-41095 | Windows Digital Media Receiver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2022-41045 | Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2022-41118 | Windows Scripting Languages Remote Code Execution Vulnerability | No | No | 7.5 |
| CVE-2022-41058 | Windows Network Address Translation (NAT) Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2022-41053 | Windows Kerberos Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2022-41056 | Network Policy Server (NPS) RADIUS Protocol Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2022-37967 | Windows Kerberos Elevation of Privilege Vulnerability | No | No | 7.2 |
| CVE-2022-41097 | Network Policy Server (NPS) RADIUS Protocol Information Disclosure Vulnerability | No | No | 6.5 |
| CVE-2022-41086 | Windows Group Policy Elevation of Privilege Vulnerability | No | No | 6.4 |
| CVE-2022-41090 | Windows Point-to-Point Tunneling Protocol Denial of Service Vulnerability | No | No | 5.9 |
| CVE-2022-41098 | Windows GDI+ Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2022-23824 | AMD: CVE-2022-23824 IBPB and Return Address Predictor Interactions | No | No | N/A |

Exchange Server vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2022-41080 | Microsoft Exchange Server Elevation of Privilege Vulnerability | No | No | 8.8 |
| CVE-2022-41078 | Microsoft Exchange Server Spoofing Vulnerability | No | No | 8 |
| CVE-2022-41079 | Microsoft Exchange Server Spoofing Vulnerability | No | No | 8 |
| CVE-2022-41123 | Microsoft Exchange Server Elevation of Privilege Vulnerability | No | No | 7.8 |

Microsoft Dynamics vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2022-41066 | Microsoft Business Central Information Disclosure Vulnerability | No | No | 4.4 |

Microsoft Office vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2022-41062 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2022-41061 | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2022-41107 | Microsoft Office Graphics Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2022-41106 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2022-41063 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2022-41122 | Microsoft SharePoint Server Spoofing Vulnerability | No | No | 6.5 |
| CVE-2022-41060 | Microsoft Word Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2022-41103 | Microsoft Word Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2022-41104 | Microsoft Excel Security Feature Bypass Vulnerability | No | No | 5.5 |
| CVE-2022-41105 | Microsoft Excel Information Disclosure Vulnerability | No | No | 5.5 |

Open Source Software Azure vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2022-38014 | Windows Subsystem for Linux (WSL2) Kernel Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2022-3786 | OpenSSL: CVE-2022-3786 X.509 certificate verification buffer overrun | No | No | N/A |
| CVE-2022-3602 | OpenSSL: CVE-2022-3602 X.509 certificate verification buffer overrun | No | No | N/A |

Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2022-41088 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2022-41092 | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2022-41113 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2022-41054 | Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2022-41101 | Windows Overlay Filter Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2022-41102 | Windows Overlay Filter Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2022-41052 | Windows Graphics Component Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2022-41050 | Windows Extensible File Allocation Table Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2022-41125 | Windows CNG Key Isolation Service Elevation of Privilege Vulnerability | Yes | No | 7.8 |
| CVE-2022-41100 | Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2022-41093 | Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2022-41096 | Microsoft DWM Core Library Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2022-41114 | Windows Bind Filter Driver Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2022-38015 | Windows Hyper-V Denial of Service Vulnerability | No | No | 6.5 |
| CVE-2022-41055 | Windows Human Interface Device Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2022-41091 | Windows Mark of the Web Security Feature Bypass Vulnerability | Yes | Yes | 5.4 |
| CVE-2022-41049 | Windows Mark of the Web Security Feature Bypass Vulnerability | No | No | 5.4 |
| CVE-2022-41099 | BitLocker Security Feature Bypass Vulnerability | No | No | 4.6 |
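The summary tables in these Patch Tuesday posts carry exactly the three signals a VM team triages on (exploited in the wild, publicly disclosed, CVSSv3 score), so as an added example, not code from Rapid7's post, here is a small Python helper that parses rows in that format and orders them exploited first, then disclosed, then by score, keeping the "N/A" scores of third-party entries distinct from zero. The priority labels and the 7.0 cut-off are my own assumptions; the sample rows are copied from the tables on this page.

```python
"""Added triage helper for Patch Tuesday summary-table rows.

Orders advisories the way the posts above prioritise them: exploited in the
wild first, then publicly disclosed, then CVSSv3 base score. Third-party
entries (GitHub, OpenSSL, AMD) carry "N/A" as their score; they are kept as
None rather than silently scored 0.0, so they stay visible at the end of
their tier instead of being mistaken for low-severity issues.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# One row: CVE id, free-text title, two Yes/No flags, then a score or N/A.
# The title is matched lazily so a CVE id repeated inside it (as in the
# "OpenSSL: CVE-2022-3602 ..." rows) does not confuse the parser.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+"
    r"(?P<title>.+?)\s+"
    r"(?P<exploited>Yes|No)\s+"
    r"(?P<disclosed>Yes|No)\s+"
    r"(?P<score>\d+(?:\.\d+)?|N/A)$"
)


@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    exploited: bool
    disclosed: bool
    score: Optional[float]  # None when Microsoft lists no CVSSv3 score


def parse_row(line: str) -> Optional[Advisory]:
    """Return an Advisory for a data row, or None for header/blank lines.

    Accepts both the one-line-per-CVE form and pipe-delimited table rows;
    cell separators are collapsed to single spaces before matching.
    """
    flat = re.sub(r"\s*\|\s*", " ", line.strip().strip("|")).strip()
    m = ROW_RE.match(flat)
    if not m:
        return None
    score = None if m["score"] == "N/A" else float(m["score"])
    return Advisory(m["cve"], m["title"], m["exploited"] == "Yes",
                    m["disclosed"] == "Yes", score)


def parse_table(text: str) -> list[Advisory]:
    rows = (parse_row(line) for line in text.splitlines())
    return [r for r in rows if r is not None]


def priority(a: Advisory) -> str:
    """Constructed priority buckets; the 7.0 cut-off is a local-policy choice."""
    if a.exploited:
        return "P1 exploited in the wild"
    if a.disclosed:
        return "P2 publicly disclosed"
    if a.score is not None and a.score >= 7.0:
        return "P3 high CVSS"
    return "P4 standard cycle"


def _sort_key(a: Advisory) -> tuple:
    # Descending sort on this tuple gives exploited > disclosed > scored > score.
    return (a.exploited, a.disclosed, a.score is not None, a.score or 0.0)


def triage(advisories: list[Advisory]) -> list[Advisory]:
    """Most urgent first; unscored entries sort last within their tier."""
    return sorted(advisories, key=_sort_key, reverse=True)


def report(text: str) -> list[str]:
    """One formatted line per advisory, most urgent first."""
    lines = []
    for a in triage(parse_table(text)):
        score = "N/A" if a.score is None else f"{a.score:.1f}"
        lines.append(f"{priority(a):24}  {a.cve:15} {score:>4}  {a.title}")
    return lines


# Constructed sample: rows copied from the tables on this page, with a header
# line left in to show that non-data lines are skipped.
SAMPLE_TABLE = """\
CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2022-41088 Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability No No 8.1
CVE-2022-41125 Windows CNG Key Isolation Service Elevation of Privilege Vulnerability Yes No 7.8
CVE-2022-41091 Windows Mark of the Web Security Feature Bypass Vulnerability Yes Yes 5.4
CVE-2022-41099 BitLocker Security Feature Bypass Vulnerability No No 4.6
CVE-2022-3602 OpenSSL: CVE-2022-3602 X.509 certificate verification buffer overrun No No N/A
CVE-2022-44710 DirectX Graphics Kernel Elevation of Privilege Vulnerability No Yes 7.8
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_TABLE)))
```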

Common questions when evolving your VM program

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/11/02/common-questions-when-evolving-your-vm-program/

Common questions when evolving your VM program

Authored by Natalie Hurd

Perhaps your organization is in the beginning stages of planning a digital transformation, and it’s time to start considering how the security team will adapt. Or maybe your digital transformation is well underway, and the security team is struggling to keep up with the pace of change. Either way, you’ve likely realized that the approach you’ve used with traditional infrastructure will need to evolve as you think about managing risk in your modern ecosystem. After all, a cloud instance running Kubernetes clusters to support application development is quite different from an on-premises Exchange server!

A recent webinar led by two of Rapid7’s leaders, Peter Scott (VP, Product Marketing) and Cindy Stanton (SVP, Product and Customer Marketing), explored the specific challenges of managing the evolution of risk across traditional and cloud environments. The challenges may be plentiful, but the strategies for success are just as numerous!

Over the course of several years, Rapid7 has helped many customers evolve their security programs in order to keep pace with the evolution of technology, and Peter and Cindy have noticed some themes of what tends to make these organizations successful. They advise working with your team & other stakeholders to find answers to the following questions:

  • What sorts of resources does your organization run in the cloud, and who owns them?
  • What does “good” look like when securing your cloud assets, and how will you measure success?
  • Which standards and frameworks is your company subject to, compliance or otherwise?

Gathering answers to these questions as early as possible will not only aid in the efficacy of your security program, it will also help to establish strong relationships & understanding amongst key stakeholders.

Establishing Ownership

Proactively identifying the teams and individuals that own the assets in your environment will go a long way towards ensuring speed of resolution when risk is present. Peter strongly suggests working with your organization’s Product or Project Development teams to figure out who owns what and get it documented. This way, when you see a misconfiguration, vulnerability, or threat that needs to be dealt with, you know exactly whom to talk to in order to get it resolved, saving important time.

The owners that you identify will not only have a hand to play in fixing problems, they can help make the necessary changes to “shift left” and prevent problems in the first place. The sooner you can identify these stakeholders and build relationships with them, the more successful you’ll be in the long run.

Defining “Good” and Tracking Achievement

Since we’ve established that securing traditional environments is not the same as securing modern environments, we can also agree that the definition of success may not be the same either! After you’ve established ownership, Cindy notes that it’s also important to define what “good” looks like, and how you plan to measure & report on it. Once you’ve created a definition of “good” within your immediate team, it’s also important to socialize that with stakeholders across your organization and track progress towards achieving that state. Tracking & sharing progress is valuable whether your organization meets, exceeds or falls short of your goals; celebrating the wins is just as important as seeking to understand the losses!

Aligning to Standards and Frameworks

Every industry comes with its own set of compliance and regulatory standards that must be adhered to, and it’s important to understand how security fits in. Your team can use these frameworks as a North Star of sorts when considering how to secure your environment, and the cloud aspects of your environment are no exception. Ben Austin, the moderator of the webinar, provides some perspective on the utility of compliance as a method for demonstrating progress in risk reduction. If your assets are more compliant today than they were 3 months ago, that’s a win for every stakeholder involved. If assets are getting less compliant, then you can work with your already-identified asset owners to make a plan to turn the ship around, and contextualize the importance of remaining compliant with them.

Check out our two previous blogs in the series to learn more about Addressing the Evolving Attack Surface and Adapting your VM Program to Regain Control, and watch the full webinar replay any time!

Adapting existing VM programs to regain control

Post Syndicated from Ryan Blanchard original https://blog.rapid7.com/2022/10/24/adapting-existing-vm-programs-to-regain-control/

Adapting existing VM programs to regain control

Stop me if you’ve heard this before. The scale, speed and complexity of cloud environments — particularly when you introduce containers and microservices — has made the lives of security professionals immensely harder. While it may seem trite, the reason we keep hearing this refrain is because, unfortunately, it’s true. In case you missed it, we discussed how cloud adoption creates a rapidly expanding attack surface in our last post.

One could argue that no subgroup of security professionals is feeling this pain more than the VM team. From elevated expectations, processes, and tooling to pressured budgets, the scale and complexity has made identifying and addressing vulnerabilities in cloud applications and the infrastructure that supports them a seemingly impossible task. During a recent webinar, Rapid7’s Cindy Stanton (SVP, Product and Customer Marketing) and Peter Scott (VP, Product Marketing) dove into this very subject.

Cindy starts off this section by unpacking why modern cloud environments require a fundamentally different approach to implementing and executing a vulnerability management program. The highly ephemeral nature of cloud resources, with upwards of 20% of your infrastructure being spun down and replaced on a daily basis, makes maintaining continuous and real-time visibility non-negotiable. Teams are also being tasked with managing exponentially larger environments, often consisting of tens of thousands of instances at any given moment.

To make matters worse, it doesn’t stop at the technical hurdles. Cindy breaks down how ownership of resources and responsibilities related to addressing vulnerabilities once they’re identified has shifted. With traditional approaches it was typical to have a centralized group (typically IT) that owned and was ultimately responsible for the integrity of all resources. Today, the self-serve and democratized nature of cloud environments has created a dynamic in which it can be extremely difficult to track and identify who owns what resource or workload and who is ultimately responsible to remediate an issue when one arises.

Cindy goes on to outline how drastically remediation processes need to shift when dealing with immutable infrastructure (i.e. containers) and how that also requires a shift in mindset. Instead of playing a game of whack-a-mole in production workloads trying to address vulnerabilities, the use of containers introduces a fundamentally new approach centered around making patches and updates to base images — often referred to as golden images — and then building new workloads from scratch based off of the hardened image rather than updating and retaining the existing workload. As Cindy so eloquently puts it, “the ‘what’ I have to do is relatively unchanged, but the ‘how’ really has to shift to adjust to this different environment.”

Peter follows up Cindy’s assessment of how cloud impacts and forces a fundamentally different approach to VM programs by providing some recommendations and best practices to adapt your program to this new paradigm as well as how to operationalize cloud vulnerability management across your organization. We’ll cover these best practices in our next blog in this series, including shifting your VM program left to catch vulnerabilities earlier on in the development process. We will also discuss enforcing proper tagging strategies and the use of automation to eliminate repetitive tasks and accelerate remediation times. If you’re interested in learning more about Rapid7’s InsightCloudSec solution be sure to check out our bi-weekly demo, which goes live every other Wednesday at 1pm EST. Of course, you can always watch the complete replay of this webinar anytime as well!

Addressing the Evolving Attack Surface Part 1: Modern Challenges

Post Syndicated from Bria Grangard original https://blog.rapid7.com/2022/10/17/addressing-the-evolving-attack-surface-part-1-modern-challenges/

Addressing the Evolving Attack Surface Part 1: Modern Challenges

Lately, we’ve been hearing a lot from our customers requesting help on how to manage their evolving attack surface. As new zero-days appear, new applications are spun up, and cloud instances change hourly, it can be hard for our customers to get a full view of risk in their environments.

We put together a webinar to chat more about how Rapid7 can help customers meet this challenge with two amazing presenters Cindy Stanton, SVP of Product and Customer Marketing, and Peter Scott, VP of Product Marketing.

At the beginning of this webcast, Cindy highlights where the industry started: traditional vulnerability management (VM), which was heavily focused on infrastructure but has evolved significantly over the last couple of years. Cindy discusses this rapid expansion of the attack surface, accelerated by remote workforces during the pandemic, the convergence of IT and IoT initiatives, modern development of applications leveraging containers and microservices, adoption of the public cloud, and so much more. Today, security teams face the daunting challenge of having so many layers up and down the stack, from traditional infrastructure to cloud environments, applications, and beyond. They need a way to understand their full attack surface. Cindy gives an example of this evolving challenge of increasing resources and complexity of cloud adoption below.

Cindy then turns things over to Peter Scott to walk us through the many challenges security teams are facing. For example, traditional tools aren’t purpose-built to keep pace with cloud environments; getting complete coverage of assets in your environment requires multiple solutions from different vendors that are all speaking different languages; and no solutions are providing a unified view of an organization’s risk. These challenges, on top of growing economic pressures, often make security teams choose between continued investment in traditional infrastructure and applications, or investing more in securing cloud environments. Peter then discusses the challenges security teams face from expanded roles, disjointed security stacks, and increases in the threat landscape. Some of these challenges are highlighted more in the video below.

After spending some time discussing the challenges organizations and security teams are facing, Cindy and Peter dive deeper into the steps organizations can take to expand their existing VM programs to include cloud environments. We will cover these steps and more in the next blog post of this series. Until then, if you’re curious to learn more about Rapid7’s InsightCloudSec solution feel free to check out the demo here, or watch the replay of this webinar at any time!

Patch Tuesday – October 2022

Post Syndicated from Greg Wiseman original https://blog.rapid7.com/2022/10/11/patch-tuesday-october-2022/

Patch Tuesday - October 2022

The October batch of CVEs published by Microsoft includes 96 vulnerabilities, including 12 fixed earlier this month that affect the Chromium project used by their Edge browser.

Top of mind for many this month is whether Microsoft would patch the two Exchange Server zero-day vulnerabilities (CVE-2022-41040 and CVE-2022-41082) disclosed at the end of September. While Microsoft was relatively quick to acknowledge the vulnerabilities and provide mitigation steps, their guidance has continually changed as the recommended rules to block attack traffic get bypassed. This whack-a-mole approach seems likely to continue until a proper patch addressing the root causes is available; unfortunately, it doesn’t look like that will be happening today. Thankfully, the impact should be more limited than 2021’s ProxyShell and ProxyLogon vulnerabilities due to attackers needing to be authenticated to the server for successful exploitation. Reports are also surfacing about an additional zero-day distinct from these being used in ransomware attacks; however, these have not yet been substantiated.

Microsoft did address two other zero-day vulnerabilities with today’s patches. CVE-2022-41033, an Elevation of Privilege vulnerability affecting the COM+ Event System Service in all supported versions of Windows, has been seen exploited in the wild. CVE-2022-41043 is an Information Disclosure vulnerability affecting Office for Mac that was publicly disclosed but not (yet) seen exploited in the wild.

Nine CVEs categorized as Remote Code Execution (RCE) with Critical severity were also patched today – seven of them affect the Point-to-Point Tunneling Protocol, and like those fixed last month, require an attacker to win a race condition to exploit them. CVE-2022-38048 affects all supported versions of Office, and CVE-2022-41038 could allow an attacker authenticated to SharePoint to execute arbitrary code on the server, provided the account has “Manage List” permissions.

Maxing out the CVSS base score with a 10.0 this month is CVE-2022-37968, an Elevation of Privilege vulnerability in the Azure Arc-enabled Kubernetes cluster Connect component. It’s unclear why Microsoft has assigned such a high score, given that an attacker would need to know the randomly generated external DNS endpoint for an Azure Arc-enabled Kubernetes cluster (arguably making the Attack Complexity “High”). That said, if this condition is met then an unauthenticated user could become a cluster admin and potentially gain control over the Kubernetes cluster. Users of Azure Arc and Azure Stack Edge should check whether auto-updates are turned on, and if not, upgrade manually as soon as possible.

Summary charts

[Summary chart images: Patch Tuesday - October 2022]

Summary tables

Azure vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? |
|---|---|---|---|---|---|
| CVE-2022-37968 | Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability | No | No | 10 | Yes |
| CVE-2022-38017 | StorSimple 8000 Series Elevation of Privilege Vulnerability | No | No | 6.8 | Yes |
| CVE-2022-35829 | Service Fabric Explorer Spoofing Vulnerability | No | No | 6.2 | Yes |

Browser vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? |
|---|---|---|---|---|---|
| CVE-2022-41035 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | No | No | 8.3 | Yes |
| CVE-2022-3373 | Chromium: CVE-2022-3373 Out of bounds write in V8 | No | No | N/A | Yes |
| CVE-2022-3370 | Chromium: CVE-2022-3370 Use after free in Custom Elements | No | No | N/A | Yes |
| CVE-2022-3317 | Chromium: CVE-2022-3317 Insufficient validation of untrusted input in Intents | No | No | N/A | Yes |
| CVE-2022-3316 | Chromium: CVE-2022-3316 Insufficient validation of untrusted input in Safe Browsing | No | No | N/A | Yes |
| CVE-2022-3315 | Chromium: CVE-2022-3315 Type confusion in Blink | No | No | N/A | Yes |
| CVE-2022-3313 | Chromium: CVE-2022-3313 Incorrect security UI in Full Screen | No | No | N/A | Yes |
| CVE-2022-3311 | Chromium: CVE-2022-3311 Use after free in Import | No | No | N/A | Yes |
| CVE-2022-3310 | Chromium: CVE-2022-3310 Insufficient policy enforcement in Custom Tabs | No | No | N/A | Yes |
| CVE-2022-3308 | Chromium: CVE-2022-3308 Insufficient policy enforcement in Developer Tools | No | No | N/A | Yes |
| CVE-2022-3307 | Chromium: CVE-2022-3307 Use after free in Media | No | No | N/A | Yes |
| CVE-2022-3304 | Chromium: CVE-2022-3304 Use after free in CSS | No | No | N/A | Yes |

Developer Tools vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? |
|---|---|---|---|---|---|
| CVE-2022-41034 | Visual Studio Code Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-41083 | Visual Studio Code Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-41032 | NuGet Client Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-41042 | Visual Studio Code Information Disclosure Vulnerability | No | No | 7.4 | Yes |

Microsoft Office vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? |
|---|---|---|---|---|---|
| CVE-2022-41038 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-41036 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-41037 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-38053 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-41031 | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-38048 | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-38049 | Microsoft Office Graphics Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-38001 | Microsoft Office Spoofing Vulnerability | No | No | 6.5 | Yes |
| CVE-2022-41043 | Microsoft Office Information Disclosure Vulnerability | No | Yes | 3.3 | Yes |

System Center vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? |
|---|---|---|---|---|---|
| CVE-2022-37971 | Microsoft Windows Defender Elevation of Privilege Vulnerability | No | No | 7.1 | Yes |

Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? |
|---|---|---|---|---|---|
| CVE-2022-38016 | Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-38045 | Server Service Remote Protocol Elevation of Privilege Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-37984 | Windows WLAN Service Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-38003 | Windows Resilient File System Elevation of Privilege | No | No | 7.8 | Yes |
| CVE-2022-38028 | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-38039 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-37995 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-37979 | Windows Hyper-V Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-37970 | Windows DWM Core Library Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-37980 | Windows DHCP Client Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-38050 | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-37983 | Microsoft DWM Core Library Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-37998 | Windows Local Session Manager (LSM) Denial of Service Vulnerability | No | No | 7.7 | Yes |
| CVE-2022-37973 | Windows Local Session Manager (LSM) Denial of Service Vulnerability | No | No | 7.7 | Yes |
| CVE-2022-38036 | Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability | No | No | 7.5 | No |
| CVE-2022-38027 | Windows Storage Elevation of Privilege Vulnerability | No | No | 7 | Yes |
| CVE-2022-38021 | Connected User Experiences and Telemetry Elevation of Privilege Vulnerability | No | No | 7 | Yes |
| CVE-2022-37974 | Windows Mixed Reality Developer Tools Information Disclosure Vulnerability | No | No | 6.5 | Yes |
| CVE-2022-38046 | Web Account Manager Information Disclosure Vulnerability | No | No | 6.2 | Yes |
| CVE-2022-37965 | Windows Point-to-Point Tunneling Protocol Denial of Service Vulnerability | No | No | 5.9 | Yes |
| CVE-2022-37996 | Windows Kernel Memory Information Disclosure Vulnerability | No | No | 5.5 | Yes |
| CVE-2022-38025 | Windows Distributed File System (DFS) Information Disclosure Vulnerability | No | No | 5.5 | Yes |
| CVE-2022-38030 | Windows USB Serial Driver Information Disclosure Vulnerability | No | No | 4.3 | Yes |

Windows ESU vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? |
|---|---|---|---|---|---|
| CVE-2022-37982 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-38031 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-38040 | Microsoft ODBC Driver Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-37976 | Active Directory Certificate Services Elevation of Privilege Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-30198 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | No | No | 8.1 | Yes |
| CVE-2022-22035 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | No | No | 8.1 | Yes |
| CVE-2022-24504 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | No | No | 8.1 | Yes |
| CVE-2022-33634 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | No | No | 8.1 | Yes |
| CVE-2022-38047 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | No | No | 8.1 | Yes |
| CVE-2022-38000 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | No | No | 8.1 | Yes |
| CVE-2022-41081 | Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | No | No | 8.1 | Yes |
| CVE-2022-37986 | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-37988 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-38037 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-38038 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-37990 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-37991 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-37999 | Windows Group Policy Preference Client Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-37993 | Windows Group Policy Preference Client Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-37994 | Windows Group Policy Preference Client Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-37975 | Windows Group Policy Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-38051 | Windows Graphics Component Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-37997 | Windows Graphics Component Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-33635 | Windows GDI+ Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-37987 | Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-37989 | Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-41033 | Windows COM+ Event System Service Elevation of Privilege Vulnerability | Yes | No | 7.8 | Yes |
| CVE-2022-38044 | Windows CD-ROM File System Driver Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-33645 | Windows TCP/IP Driver Denial of Service Vulnerability | No | No | 7.5 | No |
| CVE-2022-38041 | Windows Secure Channel Denial of Service Vulnerability | No | No | 7.5 | No |
| CVE-2022-34689 | Windows CryptoAPI Spoofing Vulnerability | No | No | 7.5 | Yes |
| CVE-2022-37978 | Windows Active Directory Certificate Services Security Feature Bypass | No | No | 7.5 | Yes |
| CVE-2022-38042 | Active Directory Domain Services Elevation of Privilege Vulnerability | No | No | 7.1 | Yes |
| CVE-2022-38029 | Windows ALPC Elevation of Privilege Vulnerability | No | No | 7 | Yes |
| CVE-2022-38033 | Windows Server Remotely Accessible Registry Keys Information Disclosure Vulnerability | No | No | 6.5 | Yes |
| CVE-2022-35770 | Windows NTLM Spoofing Vulnerability | No | No | 6.5 | Yes |
| CVE-2022-37977 | Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability | No | No | 6.5 | No |
| CVE-2022-38032 | Windows Portable Device Enumerator Service Security Feature Bypass Vulnerability | No | No | 5.9 | Yes |
| CVE-2022-38043 | Windows Security Support Provider Interface Information Disclosure Vulnerability | No | No | 5.5 | Yes |
| CVE-2022-37985 | Windows Graphics Component Information Disclosure Vulnerability | No | No | 5.5 | Yes |
| CVE-2022-38026 | Windows DHCP Client Information Disclosure Vulnerability | No | No | 5.5 | Yes |
| CVE-2022-38034 | Windows Workstation Service Elevation of Privilege Vulnerability | No | No | 4.3 | Yes |
| CVE-2022-37981 | Windows Event Logging Service Denial of Service Vulnerability | No | No | 4.3 | Yes |
| CVE-2022-38022 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 2.5 | Yes |
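As an added example (not code from the original post or from Rapid7), the small triage helper below parses rows in the summary-table layout used above, whether whitespace-separated or pipe-delimited, and orders them the way the post reasons about them: exploited-in-the-wild first, then publicly disclosed, then by CVSSv3 base score. The sample rows are a constructed subset of the October table; N/A scores (the Chromium CVEs) are kept as unknown rather than treated as zero.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One summary row: "CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?".
# The title is matched lazily so the four trailing columns anchor the split.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+(?P<title>.+?)\s+"
    r"(?P<exploited>Yes|No)\s+(?P<disclosed>Yes|No)\s+"
    r"(?P<score>\d+(?:\.\d+)?|N/A)\s+(?P<faq>Yes|No)$"
)


@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    exploited: bool         # "Exploited?" column: seen exploited in the wild
    disclosed: bool         # "Publicly disclosed?" column
    score: Optional[float]  # CVSSv3 base score; None where the table says N/A
    has_faq: bool


def parse_row(line: str) -> Advisory:
    """Parse one table row; pipes are treated as whitespace so both layouts work."""
    text = " ".join(line.replace("|", " ").split())
    m = ROW_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised summary row: {line!r}")
    score = None if m["score"] == "N/A" else float(m["score"])
    return Advisory(
        cve=m["cve"],
        title=m["title"],
        exploited=m["exploited"] == "Yes",
        disclosed=m["disclosed"] == "Yes",
        score=score,
        has_faq=m["faq"] == "Yes",
    )


def parse_table(text: str) -> List[Advisory]:
    """Parse a whole summary table, skipping the header and any separator rows."""
    advisories = []
    for raw in text.splitlines():
        if not raw.replace("|", " ").strip().startswith("CVE-"):
            continue
        advisories.append(parse_row(raw))
    return advisories


def triage_key(a: Advisory):
    """Exploited first, then publicly disclosed, then CVSS descending.
    Rows with an N/A score sort after every scored row in their group."""
    score = a.score if a.score is not None else -1.0
    return (not a.exploited, not a.disclosed, -score)


def prioritize(advisories: List[Advisory]) -> List[Advisory]:
    return sorted(advisories, key=triage_key)


def zero_days(advisories: List[Advisory]) -> List[str]:
    """CVEs that were already exploited or public when the patch shipped."""
    return [a.cve for a in advisories if a.exploited or a.disclosed]


# Constructed sample: a handful of rows copied from the October 2022 tables.
SAMPLE_TABLE = """\
CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-37968 Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vulnerability No No 10 Yes
CVE-2022-3373 Chromium: CVE-2022-3373 Out of bounds write in V8 No No N/A Yes
CVE-2022-41043 Microsoft Office Information Disclosure Vulnerability No Yes 3.3 Yes
CVE-2022-38036 Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability No No 7.5 No
CVE-2022-41033 Windows COM+ Event System Service Elevation of Privilege Vulnerability Yes No 7.8 Yes
"""

if __name__ == "__main__":
    for a in prioritize(parse_table(SAMPLE_TABLE)):
        flag = "EXPLOITED" if a.exploited else ("DISCLOSED" if a.disclosed else "")
        shown = "N/A" if a.score is None else str(a.score)
        print(f"{a.cve:16} {shown:>5} {flag:10} {a.title}")
```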

What’s New in InsightVM and Nexpose: Q3 2022 in Review

Post Syndicated from Roshnee Mistry Shah original https://blog.rapid7.com/2022/09/28/whats-new-in-insightvm-and-nexpose-q3-2022-in-review/

What’s New in InsightVM and Nexpose: Q3 2022 in Review

Another quarter comes to a close! While we definitely had our share of summer fun, our team continued to invest in the product, releasing features and updates like recurring coverage for enterprise technologies, performance enhancements, and more. Let’s take a look at some of the key releases in InsightVM and Nexpose from Q3.

[InsightVM and Nexpose] Recurring coverage for VMware vCenter

Recurring coverage provides ongoing, automatic vulnerability coverage for popular enterprise technology and systems. We recently added VMware vCenter to our list.

VMware vCenter Server is a centralized management platform used to manage virtual machines, ESXi hosts, and dependent components from a single host. Last year, vCenter was a significant target for bad actors and became the subject of a number of zero-days. Rapid7 provided ad hoc coverage to protect you against the vulnerabilities. Now, recurring coverage ensures fast, comprehensive protection that provides offensive and defensive security against vCenter vulnerabilities as they arise.

[InsightVM and Nexpose] Tune Assistant

The Security Console in InsightVM and Nexpose contains components that benefit from performance tuning. Tune Assistant is a built-in feature that will calculate performance tuning values based on resources allocated to the Security Console server, then automatically apply those values.

Tuning is calculated and applied to all new consoles when the product first starts up, and customers experiencing performance issues on existing consoles can now easily increase their own resources. For more information, read our docs page on configuring maximum performance in an enterprise environment.


[InsightVM and Nexpose] Windows Server 2022 Support

We want to ensure InsightVM and Nexpose are supported on business-critical technologies and operating systems. We added Windows Server 2022, the latest operating system for servers from Microsoft, to our list. The Scan Engine and Security Console can be installed and will be supported by Rapid7 on Windows Server 2022. Learn more about the systems we support.

[InsightVM and Nexpose] Checks for notable vulnerabilities

With exploitation of major vulnerabilities in Mitel MiVoice Connect, multiple Confluence applications, and other popular solutions, threat actors definitely did not take it easy this summer. InsightVM and Nexpose customers can assess their exposure to many of these CVEs with vulnerability checks, including:

  • Mitel MiVoice Connect Service Appliance | CVE-2022-29499: An onsite VoIP business phone system, MiVoice Connect had a data validation vulnerability, which arose from insufficient data validation for a diagnostic script. The vulnerability potentially allowed an unauthenticated remote attacker to send specially crafted requests to inject commands and achieve remote code execution. Learn more about the vulnerability and our response.
  • “Questions” add-on for Confluence Application | CVE-2022-26138: This vulnerability affected “Questions,” an add-on for the Confluence application. It was quickly exploited in the wild once the hardcoded password was released on social media. Learn more about the vulnerability and our response.
  • Multiple vulnerabilities in Zimbra Collaboration Suite: Zimbra, a business productivity suite, was affected by five different vulnerabilities, one of which was unpatched, and four of which were being actively and widely exploited in the wild by well-organized threat actors. Learn more about the vulnerability and our response.
      • CVE-2022-30333
      • CVE-2022-27924
      • CVE-2022-27925
      • CVE-2022-37042
      • CVE-2022-37393

We were hard at work this summer making improvements and increasing the level of protections against attackers for our customers. As we head into the fall and the fourth quarter of the year, you can bet we will continue to make InsightVM the best and most comprehensive risk management platform available. Stay tuned for more great things, and have a happy autumn.


The 2022 SANS Top New Attacks and Threats Report Is In, and It’s Required Reading

Post Syndicated from Tom Caiazza original https://blog.rapid7.com/2022/09/14/the-2022-sans-top-new-attacks-and-threats-report-is-in-and-its-required-reading/

The 2022 SANS Top New Attacks and Threats Report Is In, and It's Required Reading

The latest Top New Attacks and Threat Report from the cybersecurity experts at SANS is here — and the findings around cyberthreats, attacks, and best practices to defend against them are as critical for security teams as they’ve ever been.

If you’re unfamiliar with the SysAdmin, Audit, Network, and Security Institute, or SANS, they’re among the leading cybersecurity research organizations in the world, and their annual Top New Attacks and Threat Report is required reading for every security professional operating today.

What’s new for 2022

This year’s report is a little different from previous years. Rather than focusing on threat statistics from the year before (i.e., 2021 data for the 2022 report), SANS opted to focus on data from the first quarter of 2022, providing a more recent snapshot of the state of play in the threat landscape. The reason for this is probably something you could have guessed: the pandemic.

Typically, the TNAT report (we love coming up with acronyms!) is built out of a highly anticipated presentation from SANS experts at the annual RSA conference. Since the pandemic delayed the start of the RSA event this year, the folks at SANS thought it better to focus on more up-to-the-minute data for their report.

What they found is interesting — if a little concerning.

Smaller breaches, bigger risks?

In the first quarter of 2022, the average breach size was down one-third from the overall breach size in 2021 (even adjusted for seasonal shifts in breach sizes). What’s more, there are signs of a trend in breach size decline, as 2021’s overall breach size average was 5% lower than that of 2020. SANS believes this is indicative of attackers focusing on smaller targets than in previous years, particularly in the healthcare sector and in state and local government agencies.

A lower average breach size is good news, no doubt, but what it says about the intentions of attackers should have many on edge. Going after smaller — but potentially more vulnerable — organizations means those groups are less likely to have the resources to repel those attackers that larger groups would, and they pose dangers as partner organizations.

The SANS experts suggest shoring up supplier compliance by following two well-established security frameworks: the Supply Chain Risk Management Reporting Framework provided by the American Institute of Certified Public Accountants (AICPA), and the National Institute of Standards and Technology’s (NIST’s) updated SP 800-161 Supply Chain Risk Framework.

The SANS report also provided telling and important data around the ways in which attackers enter your environment (phishing was the root of 51% of all breaches), as well as the success rate of multi-factor authentication — 99% — in combating phishing attacks.

The RSA panel discussion (and the subsequent report we’re sharing) also look into specific trends and best practices from some of SANS’s experts. In years past, they’ve looked at some key takeaways from the SolarWinds breach, ransomware, and machine learning vulnerabilities. This year, they’ve turned their attention to multi-factor authentication, stalkerware, and the evolution of “living off the land” attacks as they pertain to cloud infrastructure. Each of these sections is worth reading in its own right and can provide some thought-provoking resources as your security team continues to grapple with what comes next in the cloud and attacker spaces.

One space where the SANS experts chose to focus has particular importance to those seeking to mitigate ransomware: attacks on backups. Backups have long been considered your best defense against ransomware attacks because they allow your organization to securely resume use of your data should your environment become compromised (and your data be locked down). However, as backup infrastructure moves into the cloud, SANS experts believe unique attacks against these backups will become more common, because backup solutions are often quite complex and are vulnerable to specific types of threats, such as living-off-the-land attacks.

The annual SANS report is a reliable and instrumental resource for security teams, which is why we are proud to sponsor it (and offer it to the security community). You can dive into the full report here.


Patch Tuesday – September 2022

Post Syndicated from Greg Wiseman original https://blog.rapid7.com/2022/09/13/patch-tuesday-september-2022/

Patch Tuesday - September 2022

This month’s Patch Tuesday is on the lighter side, with 79 CVEs being fixed by Microsoft (including 16 CVEs affecting Chromium, used by their Edge browser, that were already available). One zero-day was announced: CVE-2022-37969 is an elevation of privilege vulnerability affecting the Log File System Driver in all supported versions of Windows, allowing attackers to gain SYSTEM-level access on an asset they’ve already got an initial foothold in. Interestingly, Microsoft credits four separate researchers/organizations for independently reporting this, which may be indicative of relatively widespread exploitation. Also previously disclosed (in March), though less useful to attackers, Microsoft has released a fix for CVE-2022-23960 (aka Spectre-BHB) for Windows 11 on ARM64.

Some of the more noteworthy vulnerabilities this month affect Windows systems with IPSec enabled. CVE-2022-34718 allows remote code execution (RCE) on any Windows system reachable via IPv6; CVE-2022-34721 and CVE-2022-34722 are RCE vulnerabilities in the Windows Internet Key Exchange (IKE) Protocol Extensions. All three CVEs are ranked Critical and carry a CVSSv3 base score of 9.8. Rounding out the Critical RCEs this month are CVE-2022-35805 and CVE-2022-34700, both of which affect Microsoft Dynamics (on-premise) and have a CVSSv3 base score of 8.8. Any such systems should be updated immediately.

SharePoint administrators should also be aware of four separate RCEs being addressed this month. They’re ranked Important, meaning Microsoft recommends applying the updates at the earliest opportunity. Finally, a large swath of CVEs affecting OLE DB Provider for SQL Server and the Microsoft ODBC Driver were also fixed. These require some social engineering to exploit, by convincing a user to either connect to a malicious SQL Server or open a maliciously crafted .mdb (Access) file.

Summary charts

[Summary chart images: Patch Tuesday - September 2022]

Summary tables

Azure vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? |
|---|---|---|---|---|---|
| CVE-2022-38007 | Azure Guest Configuration and Azure Arc-enabled servers Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |

Browser vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? |
|---|---|---|---|---|---|
| CVE-2022-38012 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | No | No | 7.7 | Yes |
| CVE-2022-3075 | Chromium: CVE-2022-3075 Insufficient data validation in Mojo | No | No | N/A | Yes |
| CVE-2022-3058 | Chromium: CVE-2022-3058 Use after free in Sign-In Flow | No | No | N/A | Yes |
| CVE-2022-3057 | Chromium: CVE-2022-3057 Inappropriate implementation in iframe Sandbox | No | No | N/A | Yes |
| CVE-2022-3056 | Chromium: CVE-2022-3056 Insufficient policy enforcement in Content Security Policy | No | No | N/A | Yes |
| CVE-2022-3055 | Chromium: CVE-2022-3055 Use after free in Passwords | No | No | N/A | Yes |
| CVE-2022-3054 | Chromium: CVE-2022-3054 Insufficient policy enforcement in DevTools | No | No | N/A | Yes |
| CVE-2022-3053 | Chromium: CVE-2022-3053 Inappropriate implementation in Pointer Lock | No | No | N/A | Yes |
| CVE-2022-3047 | Chromium: CVE-2022-3047 Insufficient policy enforcement in Extensions API | No | No | N/A | Yes |
| CVE-2022-3046 | Chromium: CVE-2022-3046 Use after free in Browser Tag | No | No | N/A | Yes |
| CVE-2022-3045 | Chromium: CVE-2022-3045 Insufficient validation of untrusted input in V8 | No | No | N/A | Yes |
| CVE-2022-3044 | Chromium: CVE-2022-3044 Inappropriate implementation in Site Isolation | No | No | N/A | Yes |
| CVE-2022-3041 | Chromium: CVE-2022-3041 Use after free in WebSQL | No | No | N/A | Yes |
| CVE-2022-3040 | Chromium: CVE-2022-3040 Use after free in Layout | No | No | N/A | Yes |
| CVE-2022-3039 | Chromium: CVE-2022-3039 Use after free in WebSQL | No | No | N/A | Yes |
| CVE-2022-3038 | Chromium: CVE-2022-3038 Use after free in Network Service | No | No | N/A | Yes |

Developer Tools vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? |
|---|---|---|---|---|---|
| CVE-2022-26929 | .NET Framework Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-38013 | .NET Core and Visual Studio Denial of Service Vulnerability | No | No | 7.5 | No |
| CVE-2022-38020 | Visual Studio Code Elevation of Privilege Vulnerability | No | No | 7.3 | Yes |

ESU vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? |
|---|---|---|---|---|---|
| CVE-2022-37964 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 | No |

Microsoft Dynamics vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? |
|---|---|---|---|---|---|
| CVE-2022-35805 | Microsoft Dynamics CRM (on-premises) Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-34700 | Microsoft Dynamics CRM (on-premises) Remote Code Execution Vulnerability | No | No | 8.8 | Yes |

Microsoft Office vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? |
|---|---|---|---|---|---|
| CVE-2022-38008 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-38009 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-37961 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-35823 | Microsoft SharePoint Remote Code Execution Vulnerability | No | No | 8.1 | Yes |
| CVE-2022-37962 | Microsoft PowerPoint Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-38010 | Microsoft Office Visio Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-37963 | Microsoft Office Visio Remote Code Execution Vulnerability | No | No | 7.8 | Yes |

System Center vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? |
|---|---|---|---|---|---|
| CVE-2022-35828 | Microsoft Defender for Endpoint for Mac Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |

Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? |
|---|---|---|---|---|---|
| CVE-2022-35841 | Windows Enterprise App Management Service Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-30196 | Windows Secure Channel Denial of Service Vulnerability | No | No | 8.2 | Yes |
| CVE-2022-37957 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-37954 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-38019 | AV1 Video Extension Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-35838 | HTTP V3 Denial of Service Vulnerability | No | No | 7.5 | No |
| CVE-2022-38011 | Raw Image Extension Remote Code Execution Vulnerability | No | No | 7.3 | Yes |
| CVE-2022-26928 | Windows Photo Import API Elevation of Privilege Vulnerability | No | No | 7 | Yes |
| CVE-2022-34725 | Windows ALPC Elevation of Privilege Vulnerability | No | No | 7 | Yes |
| CVE-2022-37959 | Network Device Enrollment Service (NDES) Security Feature Bypass Vulnerability | No | No | 6.5 | Yes |
| CVE-2022-35831 | Windows Remote Access Connection Manager Information Disclosure Vulnerability | No | No | 5.5 | Yes |
| CVE-2022-34723 | Windows DPAPI (Data Protection Application Programming Interface) Information Disclosure Vulnerability | No | No | 5.5 | Yes |
| CVE-2022-23960 | Arm: CVE-2022-23960 Cache Speculation Restriction Vulnerability | No | Yes | N/A | Yes |

Windows ESU vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? |
|---|---|---|---|---|---|
| CVE-2022-34718 | Windows TCP/IP Remote Code Execution Vulnerability | No | No | 9.8 | Yes |
| CVE-2022-34721 | Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability | No | No | 9.8 | Yes |
| CVE-2022-34722 | Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability | No | No | 9.8 | Yes |
| CVE-2022-35834 | Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-35835 | Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-35836 | Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-35840 | Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-34731 | Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-34733 | Microsoft OLE DB Provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-34726 | Microsoft ODBC Driver Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-34727 | Microsoft ODBC Driver Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-34730 | Microsoft ODBC Driver Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-34732 | Microsoft ODBC Driver Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-34734 | Microsoft ODBC Driver Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-33679 | Windows Kerberos Elevation of Privilege Vulnerability | No | No | 8.1 | Yes |
| CVE-2022-33647 | Windows Kerberos Elevation of Privilege Vulnerability | No | No | 8.1 | Yes |
| CVE-2022-35830 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.1 | Yes |
| CVE-2022-38005 | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-30200 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-37956 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-37955 | Windows Group Policy Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-34729 | Windows GDI Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-38004 | Windows Fax Service Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-34719 | Windows Distributed File System (DFS) Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-37969 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Yes | Yes | 7.8 | Yes |
| CVE-2022-35803 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-35833 | Windows Secure Channel Denial of Service Vulnerability | No | No | 7.5 | No |
| CVE-2022-34720 | Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability | No | No | 7.5 | No |
| CVE-2022-34724 | Windows DNS Server Denial of Service Vulnerability | No | No | 7.5 | No |
| CVE-2022-37958 | SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Information Disclosure Vulnerability | No | No | 7.5 | Yes |
| CVE-2022-30170 | Windows Credential Roaming Service Elevation of Privilege Vulnerability | No | No | 7.3 | Yes |
| CVE-2022-38006 | Windows Graphics Component Information Disclosure Vulnerability | No | No | 6.5 | Yes |
| CVE-2022-34728 | Windows Graphics Component Information Disclosure Vulnerability | No | No | 5.5 | Yes |
| CVE-2022-35832 | Windows Event Tracing Denial of Service Vulnerability | No | No | 5.5 | No |
| CVE-2022-35837 | Windows Graphics Component Information Disclosure Vulnerability | No | No | 5 | Yes |


InsightVM: Best Practices to Improve Your Console

Post Syndicated from Shane Queeney original https://blog.rapid7.com/2022/09/12/insightvm-best-practices-to-improve-your-console/

InsightVM: Best Practices to Improve Your Console

Over the years, our recommendations and best practices for the InsightVM console have changed with the improvements and updates we’ve made to the system. Here are some of the most common improvements to help you get the most out of your InsightVM console in 2022.

Ensure everything is up to date

The first step to ensuring the health of your console is ensuring it is up to date. For InsightVM product updates, the typical release schedule is weekly on Wednesday, with the occasional out-of-band update. To stay on the latest version, you can set the update frequency to every 24 hours and set it to off-hours to perform that check. This will ensure the latest update is being applied and the console isn’t rebooting in the middle of the workday.

The InsightVM content updates include new vulnerabilities updated every 2 hours. As these don’t require a system reboot, it is recommended to leave them set to automatically update.

Make sure your scan engines are properly updated as well. As long as the scan engine has enough storage space and can reach the InsightVM console, it should be able to receive the latest update.

Unless you are on a Rapid7-hosted console, you are also in charge of updating the underlying operating system. That means not just applying the latest security patch, but also making sure the OS version itself is not end-of-life.

Lastly, make sure you're running the latest version of the InsightVM PostgreSQL database — version 11.7. If you are still running version 9.4, this can cause potential issues with the database, as well as a general slowdown in the console and in running reports.

With the latest InsightVM product updates, we also have a database auto-tune feature which automatically tunes based on the amount of RAM on the console server. This feature does not work if you are still on version 9.4. If you are on version 11.7, to activate it, go to Administration -> Run and then run the command tune assistant to make sure everything is tuned correctly. This will have a greater impact if you have 64GB RAM or above.

Check out this doc on tuning the PostgreSQL database for more detail. If you don’t feel comfortable tuning your own database, you can always contact Rapid7 support for assistance.

Reduce the number of sites

One of the largest improvements to the console is the increase in scan efficiency. Before October 2020, the discovery portion of the scan would only hit 1,024 assets simultaneously. Now, we are running discovery against 65,535 IPs at once. This leads to much faster discovery of larger IP ranges. Because of this, we recommend having fewer sites with larger IP scopes, such as /16 or /8 CIDR ranges.

The best way to organize these new, larger sites is based around function or geographical region – for example, having a separate site for all stores and one for all corporate ranges. Another example would be to break up the sites based on continents, or as large of a geographical region as possible.

Having fewer sites with a larger scope will help reduce the micromanagement of schedules and allow for ease of scalability when scanning more devices. For granular reporting, use asset groups, which are much more flexible than IP ranges and are designed to let you set the scope for reports and access management.

Prevent scan overlap

Besides having too many sites, the next-largest problem most consoles face is scans overlapping on the same scan engine. Having fewer sites means fewer scheduled scans, but you should still be aware of which scan engine each site uses. Running a scan consumes RAM on the scan engine, and having too many scans running at once can cause scan slowdown or even engine crashes due to lack of memory.

The best-case scenario is to have one scan engine per site. That way, your sites can be scanned at the same time without any chance of them overloading a single engine. If you have some sites or locations that are much larger than others, you can always deploy more engines to that location and pool them together for even greater scan efficiency.

And remember, if you’re scanning more than 2,000 devices or have a segmented network, you should not be using the local scan engine, as that takes away resources from the console and PostgreSQL database.

Optimize scan templates

After making sure your scans aren’t overlapping on the same engine, the next step is to speed up the scans by optimizing your scan template. My colleague Landon Dalke wrote a great blog post documenting the best practices for your scan templates. Here are a few highlights from his post:

Assets scanned simultaneously per scan engine: Please use the following table for reference depending on how much CPU and RAM your scan engines have. Make sure your engines have a 1:4 ratio of CPU to memory for the best performance. Also, if your scan engines are virtual, make sure to reserve the allocated memory to avoid insufficient memory issues.

[Image: table of recommended assets scanned simultaneously per scan engine, by CPU and RAM]

Send UDP packets to ports: We recommend disabling. It’s unlikely a device will be reachable that doesn’t respond to ICMP, ARP, or TCP but is somehow found only using UDP.

Do not treat TCP reset responses as live assets: We recommend enabling. This will help prevent “ghost assets” with no hostname or operating system from appearing, as some routers or IDS/IPS send TCP reset responses.

Nmap Services Detection: We recommend disabling this, as it can cause scans to take five to 10 times longer to run. Having a credential or agent on a device gives the same information.

Skip checks performed by the Insight Agent: We recommend enabling. If the agent is detected on a device, it will skip the vulnerability checks the agent is already performing, reducing scan time.

If all of your scan engines have the same resources, you can get away with a single optimized scan template, reducing potential confusion and further simplifying your scan configurations.

After following these steps, your console should be in a much better place to reduce micromanagement and improve overall efficiency. If you need continued help and support, don’t hesitate to reach out to Rapid7 Support or your Customer Success Manager.


5 Steps for Dealing With Unknown Environments in InsightVM

Post Syndicated from John Hartman original https://blog.rapid7.com/2022/09/06/5-steps-for-dealing-with-unknown-environments-in-insightvm/

5 Steps for Dealing With Unknown Environments in InsightVM

Trying to deal with a large network can be difficult. All too often, engineers and admins don't know the full scope of their environment and have trouble defining the actual subnets and the systems that exist on them. They know of a couple of /24 subnets here or there, but it's very possible they're missing a few. Once you get over a couple thousand assets, things can get fairly unruly pretty quickly. Different teams own different servers and different network ranges. With regard to InsightVM, how do you know what sites to create if you don't even know what you own?

Luckily, in InsightVM, we can use a little bit of SQL, an overarching site with a ping sweep, and a nifty little tag to help get a handle on things – all without any third-party software or other management tools you might otherwise acquire to help you wrangle your IP space. This method lets you find all live assets and identify all network spaces in use in your environment. Then, we can correlate this list against our known subnets and begin building out defined sites for scanning. As we create our known sites, we can start whittling down the number of unknown or undefined subnets.

1. Ping Sweep template

The first step is to create a new scan template dedicated solely to a ping sweep. This template doesn't scan for any services or ports, fingerprint, or perform any other action – it simply sends pings to see what is alive. If we get a response back, we assume there is a live asset there, and this will help build out our known networks.

Create your template using these screenshots as guidance. Note that pretty much everything is off except ICMP and ARP pings, and we’re not treating TCP resets as live assets (we don’t want firewalls throwing us off). This scan should take just a few minutes to complete, as it’s not doing all the other functions that a typical scan can do.

[Screenshots: the ping sweep scan template settings, with everything except ICMP and ARP pings disabled and TCP resets not treated as live assets]

2. Overarching site

The second step in this process is to create an overarching site. Give it a simple name like “Full Network” or whatever floats your boat. What’s important is that, within this site, you define as large of a network range as you know of. Think /16 here, or even a couple /16 networks. I don’t know your network, so use your judgment as to what you think exists. The idea is to be as broad as possible.

Now, within this site, set the default scan template as your “.Ping Sweep” template, as in my example above. Set your default scan engine or pool, and then save and scan.

What you should get back now is a full list of every live IP that exists within the defined network. If your defined network includes all the possible IP space, and we are assuming that all assets are online and able to respond, then you should have a pretty robust list of found assets.

3. Known Networks report

The next step is to go to the Reports tab and create a SQL Query Export. Throw the following SQL query in the definition, and scope the query from the GUI to your “Full Network” site.

-- Reduce each asset's IPv4 address to the /24 network it belongs to
-- (first three dotted-quad octets, followed by .0/24)
WITH a AS (
  SELECT
    asset_id,
    CONCAT(split_part(ip_address,'.',1),'.',split_part(ip_address,'.',2),'.',split_part(ip_address,'.',3),'.0/24') AS Network
  FROM dim_asset
)

-- One row per /24 that contains at least one asset found by the ping sweep
SELECT DISTINCT Network
FROM a
ORDER BY Network ASC


Save and run this report, and you will get a CSV output of all the /24 networks that have at least one live IP in them. You can use this CSV to compare against your known list of networks and start defining the actual sites within your environment. For example, if this report lists 10.0.0.0/24 and you know that network as your main corporate server VLAN, then you can include that network in a separate site for vulnerability scanning.

4. Dynamic tagging

Now that we've started defining our known networks as sites, we need to create a dynamic tag that gets applied to all assets within any of those sites. In my example, I exclude the Rapid7 Insight Agents site, because depending on your environment and whether people are working from home, the Insight Agent may report the IP of a computer logged onto its home network. We obviously can't scan home networks, so we exclude this site to keep that bad data out.

Create a dynamic tag with several lines to include each site. Note that if your site structure is large enough that you have hundreds of sites, you may want to use the API for this part, but we won’t go into that here – that’s a whole other conversation.

In my example below, I only have four sites – keep in mind I did not select the Rapid7 Insight Agents or my Full Network site. Make sure the operator is set to match ANY of the specified filters. Apply a tag called “Defined Network” to this criteria to tag all assets within a defined site.

[Screenshot: dynamic tag criteria matching any of the four defined sites, applying the “Defined Network” tag]

You could also optionally create a secondary tag for “Undefined Networks,” but it’s not exactly necessary for this process. The below query would get you the Undefined Network assets. Basically, the query is just looking for any assets that don’t have the Defined Network tag and are not in the Rapid7 Insight Agents sites.

[Screenshot: dynamic asset filter for the optional “Undefined Networks” tag]

5. Undefined Networks report

Now, we can set up our secondary SQL report to show us all networks that are not defined within the scope of a site. Once again, go to the Reports tab, create a SQL Query Export report, and throw this query into the definition.

-- Same /24 derivation as the Known Networks report
WITH a AS (
  SELECT
    asset_id,
    CONCAT(split_part(ip_address,'.',1),'.',split_part(ip_address,'.',2),'.',split_part(ip_address,'.',3),'.0/24') AS Network
  FROM dim_asset
)

SELECT DISTINCT Network
FROM a

-- Keep only assets that do NOT carry the "Defined Network" tag,
-- i.e. assets that are not in any defined site
WHERE a.asset_id NOT IN (
  SELECT DISTINCT asset_id
  FROM dim_asset
  LEFT JOIN dim_tag_asset USING (asset_id)
  LEFT JOIN dim_tag USING (tag_id)
  WHERE tag_name = 'Defined Network'
)

ORDER BY Network ASC

Save and run this report, and you will get a new CSV that lists out all /24 networks where there was at least one live asset found but the assets are within a /24 that has not been defined within the scope of a created site. You can use this CSV to work your way through those networks to determine what they are and who owns them and then ensure they are included in future or current sites.
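As an added example (not part of the original post and not Rapid7 code), here is a small Python script that does offline what the two SQL reports and the manual CSV comparison above do: it derives an asset's network the way the report's CONCAT(split_part(...)) expression does, reads the exported CSV, and flags every /24 that no site scope covers. The CSV content and the site scopes are constructed sample data; the script goes slightly beyond the post by handling IPv6 addresses (which the dotted-quad split_part expression would mangle), sorting numerically rather than as text, and collapsing adjacent undefined /24s into larger blocks.

```python
"""Offline triage of the InsightVM 'Known Networks' CSV export.

Added example, not Rapid7 code. The sample CSV and site scopes are constructed.
"""
import csv
import io
import ipaddress

# Constructed stand-in for the SQL Query Export output (one /24 per row).
# Note the order the SQL 'ORDER BY Network ASC' produces: 10.0.10.0 sorts
# before 10.0.2.0 because the comparison is textual, not numeric.
SAMPLE_REPORT_CSV = """network
10.0.0.0/24
10.0.1.0/24
10.0.10.0/24
10.0.2.0/24
10.0.3.0/24
192.168.50.0/24
"""

# Hypothetical site scopes, as they would be defined on InsightVM sites
# (the broad "Full Network" site and the Insight Agents site are left out).
KNOWN_SITES = {
    "Corp Servers": ["10.0.0.0/23"],
    "Stores": ["192.168.0.0/17"],
}


def asset_network(ip_text):
    """Equivalent of the report's CONCAT(split_part(ip_address,'.',n),...) expression.

    The SQL only works for dotted-quad IPv4 strings; IPv6 addresses are bucketed
    by /64 here (a constructed convention) instead of yielding a malformed string.
    """
    addr = ipaddress.ip_address(ip_text)
    prefix = 24 if addr.version == 4 else 64
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_report(csv_text):
    """Read the exported CSV and return its networks in numeric order."""
    reader = csv.DictReader(io.StringIO(csv_text))
    nets = set()
    for row in reader:
        # PostgreSQL folds the unquoted alias "Network" to lowercase; accept either.
        column = next(k for k in row if k.strip().lower() == "network")
        nets.add(ipaddress.ip_network(row[column].strip(), strict=False))
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def classify(report_nets, known_sites):
    """Map each reported network to the first site whose scope contains it (None if undefined)."""
    scopes = [
        (site, ipaddress.ip_network(cidr, strict=False))
        for site, cidrs in known_sites.items()
        for cidr in cidrs
    ]
    owner_of = {}
    for net in report_nets:
        owner_of[net] = next(
            (site for site, scope in scopes
             if net.version == scope.version and net.subnet_of(scope)),
            None,
        )
    return owner_of


def undefined_networks(csv_text, known_sites):
    """Networks with live assets that no defined site covers (what the step 5 report lists)."""
    owner_of = classify(parse_report(csv_text), known_sites)
    return [str(net) for net, site in owner_of.items() if site is None]


def collapsed_undefined(csv_text, known_sites):
    """Merge adjacent undefined /24s into the largest blocks they form, per address family."""
    nets = [ipaddress.ip_network(n) for n in undefined_networks(csv_text, known_sites)]
    merged = []
    for version in (4, 6):
        merged.extend(ipaddress.collapse_addresses(n for n in nets if n.version == version))
    return [str(n) for n in merged]


if __name__ == "__main__":
    for net, site in classify(parse_report(SAMPLE_REPORT_CSV), KNOWN_SITES).items():
        print(f"{str(net):20} {site or 'UNDEFINED'}")
    print("undefined blocks:", ", ".join(collapsed_undefined(SAMPLE_REPORT_CSV, KNOWN_SITES)))
```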

Large environments with unknown network components can be difficult to manage and monitor for vulnerabilities. These five steps in InsightVM help make the process easier and more intuitive, so you can maintain better oversight and a stronger security posture within your environment.


Patch Tuesday – August 2022

Post Syndicated from Greg Wiseman original https://blog.rapid7.com/2022/08/09/patch-tuesday-august-2022/

Patch Tuesday - August 2022

It’s the week of Hacker Summer Camp in Las Vegas, and Microsoft has published fixes for 141 separate vulnerabilities in their swath of August updates. This is a new monthly record by raw CVE count, but from a patching perspective, the numbers are slightly less dire. 20 CVEs affect their Chromium-based Edge browser, and 34 affect Azure Site Recovery (up from 32 CVEs affecting that product last month). As usual, OS-level updates will address a lot of these, but note that some extra configuration is required to fully protect Exchange Server this month.

There is one 0-day being patched this month. CVE-2022-34713 is a remote code execution (RCE) vulnerability affecting the Microsoft Windows Support Diagnostic Tool (MSDT) – it carries a CVSSv3 base score of 7.8, as it requires convincing a potential victim to open a malicious file. The advisory indicates that this CVE is a variant of the “Dogwalk” vulnerability, which made news alongside Follina (CVE-2022-30190) back in May.

Publicly disclosed, but not (yet) exploited is CVE-2022-30134, an Information Disclosure vulnerability affecting Exchange Server. In this case, simply patching is not sufficient to protect against attackers being able to read targeted email messages. Administrators should enable Extended Protection in order to fully remediate this vulnerability, as well as the five other vulnerabilities affecting Exchange this month. Details about how to accomplish this are available via the Exchange Blog.

Microsoft also patched several flaws affecting Remote Access Server (RAS). The most severe of these (CVE-2022-30133 and CVE-2022-35744) are related to Windows Point-to-Point Tunneling Protocol and could allow RCE simply by sending a malicious connection request to a server. Seven CVEs affecting the Windows Secure Socket Tunneling Protocol (SSTP) on RAS were also fixed this month: six RCEs and one Denial of Service. If you have RAS in your environment but are unable to patch immediately, consider blocking traffic on port 1723 from your network.

Vulnerabilities affecting Windows Network File System (NFS) have been trending in recent months, and today sees Microsoft patching CVE-2022-34715 (RCE, CVSS 9.8) affecting NFSv4.1 on Windows Server 2022.

This is the worst of it. One last vulnerability to highlight: CVE-2022-35797 is a Security Feature Bypass in Windows Hello – Microsoft’s biometric authentication mechanism for Windows 10. Successful exploitation requires physical access to a system, but would allow an attacker to bypass a facial recognition check.

Summary charts

[Summary chart images]

Summary tables

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-35802 Azure Site Recovery Elevation of Privilege Vulnerability No No 8.1 Yes
CVE-2022-30175 Azure RTOS GUIX Studio Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-30176 Azure RTOS GUIX Studio Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-34687 Azure RTOS GUIX Studio Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-35773 Azure RTOS GUIX Studio Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-35779 Azure RTOS GUIX Studio Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-35806 Azure RTOS GUIX Studio Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-35772 Azure Site Recovery Remote Code Execution Vulnerability No No 7.2 Yes
CVE-2022-35824 Azure Site Recovery Remote Code Execution Vulnerability No No 7.2 Yes
CVE-2022-33646 Azure Batch Node Agent Elevation of Privilege Vulnerability No No 7 Yes
CVE-2022-35780 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35781 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35799 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35775 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35801 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35807 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35808 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35782 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35809 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35784 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35810 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35811 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35785 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35786 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35813 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35788 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35814 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35789 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35815 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35790 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35816 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35817 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35791 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35818 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35819 Azure Site Recovery Elevation of Privilege Vulnerability No No 6.5 Yes
CVE-2022-35776 Azure Site Recovery Denial of Service Vulnerability No No 6.2 Yes
CVE-2022-34685 Azure RTOS GUIX Studio Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-34686 Azure RTOS GUIX Studio Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-35774 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.9 Yes
CVE-2022-35800 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.9 Yes
CVE-2022-35787 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.9 Yes
CVE-2022-35821 Azure Sphere Information Disclosure Vulnerability No No 4.4 Yes
CVE-2022-35783 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.4 Yes
CVE-2022-35812 Azure Site Recovery Elevation of Privilege Vulnerability No No 4.4 Yes

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-33649 Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability No No 9.6 Yes
CVE-2022-33636 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability No No 8.3 Yes
CVE-2022-35796 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability No No 7.5 Yes
CVE-2022-2624 Chromium: CVE-2022-2624 Heap buffer overflow in PDF No No N/A Yes
CVE-2022-2623 Chromium: CVE-2022-2623 Use after free in Offline No No N/A Yes
CVE-2022-2622 Chromium: CVE-2022-2622 Insufficient validation of untrusted input in Safe Browsing No No N/A Yes
CVE-2022-2621 Chromium: CVE-2022-2621 Use after free in Extensions No No N/A Yes
CVE-2022-2619 Chromium: CVE-2022-2619 Insufficient validation of untrusted input in Settings No No N/A Yes
CVE-2022-2618 Chromium: CVE-2022-2618 Insufficient validation of untrusted input in Internals No No N/A Yes
CVE-2022-2617 Chromium: CVE-2022-2617 Use after free in Extensions API No No N/A Yes
CVE-2022-2616 Chromium: CVE-2022-2616 Inappropriate implementation in Extensions API No No N/A Yes
CVE-2022-2615 Chromium: CVE-2022-2615 Insufficient policy enforcement in Cookies No No N/A Yes
CVE-2022-2614 Chromium: CVE-2022-2614 Use after free in Sign-In Flow No No N/A Yes
CVE-2022-2612 Chromium: CVE-2022-2612 Side-channel information leakage in Keyboard input No No N/A Yes
CVE-2022-2611 Chromium: CVE-2022-2611 Inappropriate implementation in Fullscreen API No No N/A Yes
CVE-2022-2610 Chromium: CVE-2022-2610 Insufficient policy enforcement in Background Fetch No No N/A Yes
CVE-2022-2606 Chromium: CVE-2022-2606 Use after free in Managed devices API No No N/A Yes
CVE-2022-2605 Chromium: CVE-2022-2605 Out of bounds read in Dawn No No N/A Yes
CVE-2022-2604 Chromium: CVE-2022-2604 Use after free in Safe Browsing No No N/A Yes
CVE-2022-2603 Chromium: CVE-2022-2603 Use after free in Omnibox No No N/A Yes

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-35777 Visual Studio Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-35825 Visual Studio Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-35826 Visual Studio Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-35827 Visual Studio Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-34716 .NET Spoofing Vulnerability No No 5.9 Yes

ESU Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-30133 Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability No No 9.8 Yes
CVE-2022-35744 Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability No No 9.8 Yes
CVE-2022-34691 Active Directory Domain Services Elevation of Privilege Vulnerability No No 8.8 Yes
CVE-2022-34714 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-35745 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-35752 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-35753 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-34702 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-35767 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-34706 Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-34707 Windows Kernel Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-35768 Windows Kernel Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-35756 Windows Kerberos Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-35751 Windows Hyper-V Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-35795 Windows Error Reporting Service Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-35820 Windows Bluetooth Driver Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-35750 Win32k Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-34713 Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability Yes Yes 7.8 Yes
CVE-2022-35743 Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-35760 Microsoft ATA Port Driver Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-30194 Windows WebBrowser Control Remote Code Execution Vulnerability No No 7.5 Yes
CVE-2022-35769 Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability No No 7.5 No
CVE-2022-35793 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.3 Yes
CVE-2022-34690 Windows Fax Service Elevation of Privilege Vulnerability No No 7.1 Yes
CVE-2022-35759 Windows Local Security Authority (LSA) Denial of Service Vulnerability No No 6.5 No
CVE-2022-35747 Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability No No 5.9 Yes
CVE-2022-35758 Windows Kernel Memory Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-34708 Windows Kernel Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-34701 Windows Secure Socket Tunneling Protocol (SSTP) Denial of Service Vulnerability No No 5.3 No

Exchange Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-21980 Microsoft Exchange Server Elevation of Privilege Vulnerability No No 8 Yes
CVE-2022-24516 Microsoft Exchange Server Elevation of Privilege Vulnerability No No 8 Yes
CVE-2022-24477 Microsoft Exchange Server Elevation of Privilege Vulnerability No No 8 Yes
CVE-2022-30134 Microsoft Exchange Information Disclosure Vulnerability No Yes 7.6 Yes
CVE-2022-34692 Microsoft Exchange Information Disclosure Vulnerability No No 5.3 Yes
CVE-2022-21979 Microsoft Exchange Information Disclosure Vulnerability No No 4.8 Yes

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-34717 Microsoft Office Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-33648 Microsoft Excel Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-35742 Microsoft Outlook Denial of Service Vulnerability No No 7.5 Yes
CVE-2022-33631 Microsoft Excel Security Feature Bypass Vulnerability No No 7.3 Yes

System Center Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-33640 System Center Operations Manager: Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability No No 7.8 Yes

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-34715 Windows Network File System Remote Code Execution Vulnerability No No 9.8 Yes
CVE-2022-35804 SMB Client and Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-35761 Windows Kernel Elevation of Privilege Vulnerability No No 8.4 Yes
CVE-2022-35766 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-35794 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability No No 8.1 Yes
CVE-2022-34699 Windows Win32k Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-33670 Windows Partition Management Driver Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-34703 Windows Partition Management Driver Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-34696 Windows Hyper-V Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2022-35746 Windows Digital Media Receiver Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-35749 Windows Digital Media Receiver Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-34705 Windows Defender Credential Guard Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-35771 Windows Defender Credential Guard Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-35762 Storage Spaces Direct Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-35763 Storage Spaces Direct Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-35764 Storage Spaces Direct Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-35765 Storage Spaces Direct Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-35792 Storage Spaces Direct Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2022-30144 Windows Bluetooth Service Remote Code Execution Vulnerability No No 7.5 Yes
CVE-2022-35748 HTTP.sys Denial of Service Vulnerability No No 7.5 Yes
CVE-2022-35755 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.3 Yes
CVE-2022-35757 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability No No 7.3 Yes
CVE-2022-35754 Unified Write Filter Elevation of Privilege Vulnerability No No 6.7 Yes
CVE-2022-35797 Windows Hello Security Feature Bypass Vulnerability No No 6.1 Yes
CVE-2022-34709 Windows Defender Credential Guard Security Feature Bypass Vulnerability No No 6 Yes
CVE-2022-30197 Windows Kernel Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-34710 Windows Defender Credential Guard Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-34712 Windows Defender Credential Guard Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-34704 Windows Defender Credential Guard Information Disclosure Vulnerability No No 5.5 Yes
CVE-2022-34303 CERT/CC: CVE-2022-34303 Crypto Pro Boot Loader Bypass No No N/A Yes
CVE-2022-34302 CERT/CC: CVE-2022-34302 New Horizon Data Systems Inc Boot Loader Bypass No No N/A Yes
CVE-2022-34301 CERT/CC: CVE-2022-34301 Eurosoft Boot Loader Bypass No No N/A Yes


What’s New in InsightVM and Nexpose: Q2 2022 in Review

Post Syndicated from Randi Whitcomb original https://blog.rapid7.com/2022/07/28/whats-new-in-insightvm-and-nexpose-q2-2022-in-review/

What’s New in InsightVM and Nexpose: Q2 2022 in Review

The Vulnerability Management team kicked off Q2 by remediating the instances of Spring4Shell (CVE-2022-22965) and Spring Cloud (CVE-2022-22963) vulnerabilities that impacted cybersecurity teams worldwide. We also made several investments to both InsightVM and Nexpose throughout the second quarter that will help improve and better automate vulnerability management for your organization. Let’s dive in!

New dashboard cards based on CVSS v3 Severity (InsightVM)

CVSS (Common Vulnerability Scoring System) is an open standard for scoring the severity of vulnerabilities; it's a key metric that organizations use to prioritize risk in their environments. To empower organizations with tools to do this more effectively, we recently duplicated seven CVSS dashboard cards in InsightVM to include a version that sorts vulnerabilities based on CVSS v3 scores. The v3 CVSS system made changes to both quantitative and qualitative scores. For example, Log4Shell had a score of 9.3 (high) in v2 and a 10 (critical) in v3.

Having both v2 and v3 dashboards available allows you to prioritize and sort vulnerabilities according to your chosen methodology. Security is not one-size-fits-all, and CVSS v2 scoring might provide more accurate vulnerability prioritization for some customers. InsightVM lets customers choose whether v2 or v3 scoring is the better option for their organization's unique needs.

The seven cards now available for CVSS v3 are:

  • Exploitable Vulnerabilities by CVSS Score
  • Exploitable Vulnerability Discovery Date by CVSS Score
  • Exploitable Vulnerability Publish Age by CVSS Score
  • Vulnerability Count By CVSS Score Over Time
  • Vulnerabilities by CVSS Score
  • Vulnerability Discovery Date by CVSS Score
  • Vulnerability Publish Age by CVSS Score

Asset correlation for Citrix VDI instances (InsightVM)

You asked, and we listened. By popular demand, InsightVM can now identify agent-based assets that are Citrix VDI instances and correlate them to the user, enabling more accurate asset/instance tagging.

Previously, when a user started a non-persistent VDI, it created a new AgentID, which in turn created a new asset in the console and consumed a user license. The InsightVM team is excited to bring this solution to our customers for this widespread, persistent problem.

Through the improved agent experience for Citrix VDI instances, when User X logs into their daily virtual desktop, the asset will automatically correlate to User X, maintain the asset history, and consume only one license. The result is a smoother, more streamlined experience for organizations that deploy and scan Citrix VDI.

Scan Assistant made even easier to manage (Nexpose and InsightVM)

In December 2021, we launched Scan Assistant, a lightweight service deployed on an asset that authenticates the scan engine with digital certificates instead of account-based credentials. This alleviates the credential management headaches VM teams often encounter. Scan Assistant is also designed to improve vulnerability scanning performance in both InsightVM and Nexpose, with faster completion times for both vulnerability and policy scans.

We recently released Scan Assistant 1.1.0, which automates Scan Assistant software updates and digital certificate rotation for customers seeking to deploy and maintain a fleet of Scan Assistants. This new automation improves security – digital certificates are more difficult to compromise than credentials – and simplifies administration for organizations by enabling them to centrally manage features from the Security Console.

Currently, these enhancements are only available on Windows OS. To opt into automated Scan Assistant software updates and/or digital certificate rotation, please visit the Scan Assistant tab in the Scan Template.

Recurring coverage (Nexpose and InsightVM)

Rapid7 is committed to providing ongoing monitoring and coverage for a number of software products and services. The Vulnerability Management team continuously evaluates items to add to our recurring coverage list, basing selections on threat and security advisories, overall industry adoption, and customer requests.

We recently added several notable software products/services to our list of recurring coverage, including:

  • AlmaLinux and Rocky Linux. These free Linux operating systems have grown in popularity among Rapid7 Vulnerability Management customers seeking a replacement for CentOS. Adding recurring coverage for both AlmaLinux and Rocky Linux enables customers to more safely make the switch and maintain visibility into their vulnerability risk profile.
  • Oracle E-Business Suite. ERP systems contain organizations’ “crown jewels” – like customer data, financial information, strategic plans, and other proprietary data – so it’s no surprise that attacks on these systems have increased in recent years. Our new recurring coverage for the Oracle E-Business Suite is one of the most complex pieces of recurring coverage added to our list, providing coverage for several different components to ensure ongoing protection for Oracle E-Business Suite customers’ most valuable information.
  • VMware Horizon. The VMware Horizon platform enables the delivery of virtual desktops and applications across a number of operating systems. VDI is a prime target for bad actors trying to access customer environments, due in part to its multiple entry points; once a hacker gains entry, it’s fairly easy for them to jump into a company’s servers and critical files. By providing recurring coverage for both the VMware server and client, Rapid7 gives customers broad coverage of this particular risk profile.

Remediation Projects (InsightVM)

Remediation Projects help security teams collaborate and track progress of remediation work (often assigned to their IT ops counterparts). We’re excited to announce a few updates to this feature:

Better way to track progress for projects

The InsightVM team has updated the metric that calculates progress for Remediation Projects. The new metric advances for each individual asset remediated within a “solution” group, so customers no longer have to wait for all affected assets to be remediated before they see progress. Security teams can thus have meaningful discussions about progress with assigned remediators or upper management.

Remediator Export

We added a new and much-requested solution-based CSV export option to Remediation Projects. The Remediator Export contains detailed information about the assets, vulnerabilities, proof data, and more for a given solution. This update makes it quick and easy for security teams to share relevant data with the remediation team, and it gives remediators all of the information they need. We call this a win-win for both teams!

Project search bar for Projects

Our team has added a search bar on the Remediation Projects page. This highly requested feature empowers customers to easily locate a project instead of having to scroll down the entire list.

To Maze and Beyond: How the Ransomware Double Extortion Space Has Evolved

Post Syndicated from Tom Caiazza original https://blog.rapid7.com/2022/07/27/to-maze-and-beyond-how-the-ransomware-double-extortion-space-has-evolved/

We’re here with the final installment in our Pain Points: Ransomware Data Disclosure Trends report blog series, and today we’re looking at a unique aspect of the report that clarifies not just what ransomware actors choose to disclose, but who discloses what, and how the ransomware landscape has changed over the last two years.

Firstly, we should tell you that our research centered around the concept of double extortion. Unlike traditional ransomware attacks, where bad actors take over a victim’s network and hold the data hostage for ransom, double extortion takes it a step further and extorts the victim for more money with the threat (and, in some cases, execution) of the release of sensitive data. So not only does a victim experience a ransomware attack, they also experience a data breach, and the additional risk of that data becoming publicly available if they do not pay.

According to our research, there were a handful of major players in the double extortion field between April 2020, when our data begins, and February 2022. Double extortion itself was in many ways pioneered by the Maze ransomware group, so it should not surprise anyone that we will focus on them first.

The rise and fall of Maze and the splintering of ransomware double extortion

Maze’s influence on the current state of ransomware should not be underestimated. Prior to the group’s pioneering of double extortion, many ransomware actors intended to sell the data they encrypted to other criminal entities. Maze, however, popularized another revenue stream for these bad actors, leaning on the victims themselves for more money. Using coercive pressure, Maze did an end run around one of the most important safeguards organizations can take against ransomware: having securely stored and regularly updated backups of their important data.

Throughout most of 2020, Maze was the leader of the double extortion tactic among ransomware groups, accounting for 30% of the 94 reported cases of double extortion between April and December of 2020. This is even more remarkable given that Maze itself was shut down in November of 2020.

Other top ransomware groups also accounted for large percentages of data disclosures. For instance, in that same year, REvil/Sodinokibi accounted for 19%, Conti for 14%, and NetWalker for 12%. To give some indication of just how large Maze’s influence was, and to help explain what happened after the group was shut down: Maze and REvil/Sodinokibi together accounted for nearly half of all double extortion attacks that year.

However, once Maze was out of the way, double extortion still continued, just with far more players taking smaller pieces of the pie. Conti and REvil/Sodinokibi were still major players in 2021, but their combined market share barely ticked up, making up just 35% of the market even without Maze dominating the space. Conti accounted for 19%, and REvil/Sodinokibi dropped to 16%.

But other smaller players saw increases in 2021. CL0P’s market share rose to 9%, making it the third most active group. Darkside and RansomEXX both went from 2% in 2020 to 6% in 2021. There were 16 other groups who came onto the scene, but none of them took more than 5% market share. Essentially, with Maze out of the way, the ransomware market splintered with even the big groups from the year before being unable to step in and fill Maze’s shoes.

What they steal depends on who they are

Even ransomware groups have their own preferred types of data to steal, release, and hold hostage. REvil/Sodinokibi focused heavily on releasing customer and patient data (present in 55% of their disclosures), finance and accounting data (present in 55% of their disclosures), employee PII and HR data (present in 52% of their disclosures), and sales and marketing data (present in 48% of their disclosures).

CL0P on the other hand was far more focused on Employee PII & HR data with that type of information present in 70% of their disclosures, more than double any other type of data. Conti overwhelmingly focused on Finance and Accounting data (present in 81% of their disclosures) whereas Customer & Patient Data was just 42% and Employee PII & HR data at just 27%.

Ultimately, these organizations have their own unique interests in the type of data they choose to steal and release during the double extortion layer of their ransomware attacks. They can act as calling cards for the different groups that help illuminate the inner workings of the ransomware ecosystem.

Thank you for joining us on this unprecedented dive into the world of double extortion as told through the data disclosures themselves. To dive even deeper into the data, download the full report.

Q2 InsightVM Release Update: Let’s Focus on Remediation for Just a Minute

Post Syndicated from Devin Krugly original https://blog.rapid7.com/2022/07/14/q2-insightvm-release-update-lets-focus-on-remediation-for-just-a-minute/

Think of an endeavor in your life where your success is entirely dependent on the success of others. What’s the first example that comes to mind? It’s common in team sports – a quarterback and a wide receiver, a fullback and their goalie, an equestrian and their horse.

What if you narrow the scope to endeavors or activities at work? A little more difficult, right? A large project is an easy candidate, but those are generally distributed across many people over a long time period, which allows for mitigation and planning.

For those that make a living in cybersecurity, the example that immediately comes to mind is vulnerability management (VM). VM, which really falls under the heading of risk management, requires deft handling of executive communications, sometimes blurred to abstract away the tedious numbers and present a risk statement. At the same time, judicious management of vulnerability instances and non-compliant configurations that exceed organization thresholds – i.e., all the numbers – requires very detailed and often painstaking focus on the minutiae of a VM program. Then, layer in the need for situational awareness to answer context-specific questions like, “Are we vulnerable, and if so, do we need to act immediately?” or “Why did the security patch fail on only 37 of the 2184 target systems?” It becomes glaringly apparent that communication and alignment among all stakeholders – security team, IT operations, and business leadership – are paramount to achieve “dependent” success.

Based on customer feedback and directional input, we’re pleased to release two updates that are aimed at not only improving VM program success but also reducing the effort to get you there.

Remediation Project progress

In what may be the most exciting and warmly received update for some, we are releasing a new method to calculate and display progress for Remediation Projects. Historically, credit for patching and subsequent reporting of “percent complete” toward closing any one Remediation Project was only given when all affected assets for a single solution were remediated. So we’ve updated the calculation to account for “partial” credit. Now, remediation teams will see incremental progress as individual assets for specific solutions (i.e. patches) are applied. This is a much more accurate representation of the work and effort invested. It is also a much more precise indication of what additional effort is needed to close out the last few pesky hosts that have so far resisted your best remediation efforts.

For some, the scope and scale of risk management in the world of VM has outgrown original designs – more assets, more vulns. We’ve acted on the sage wisdom of many who have suggested such an update and made it available in Version 6.6.150.

This update will affect all Remediation Projects, so we encourage teams to leverage this blog post to share the details behind this release as a heads-up and possibly improve relations with your teammates. It’s only by partnering and aligning on the effort involved that this “success dependency” becomes a power-up, rather than a power drain.

Remediator Export

I am particularly excited about this seemingly minor but mighty update, because I can remember having to script around or find automation to stitch together different source documents to produce what we have elected to refer to as a Remediator Export. The number of stakeholders and the diversity of teams involved in modern VM programs necessitate on-demand access to the supporting data and associated context. This export is for – you guessed it – the teams that have the heaviest lift in any VM program: the folks that push patches, update configs, apply mitigating controls, and are usually involved in all the necessary testing – the Remediators. Whether the catalyst for such a detailed export (26 data fields in all) is to troubleshoot a failed install or simply to have more direct access to vulnerability proof data, the Remediator Export will offer improvements for nearly every remediation team.

You can access this solution-based export from any Remediation Project peek panel. The Export to CSV dropdown now has an additional option that includes the data fields cited above and helps meet teams’ needs where they are today.

The Remediator CSV file is accessible to anyone with permission to Remediation Projects, Goals, and SLAs and carries the following naming convention: “Project-Name_Solution-UUID.csv.” We are already thinking about options to provide similar capability at the Remediation Project level.
