10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
8.3 High
AI Score
Confidence
High
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.974 High
EPSS
Percentile
99.9%
Hello everyone! This month I decided NOT to make an episode completely dedicated to Microsoft Patch Tuesday. Instead, this episode will be an answer to the question of how my Vulnerability Management month went. A retrospection of some kind.
Alternative video link (for Russia): <https://vk.com/video-149273431_456239134>
This month I made some improvements to my Vulristics vulnerability prioritization tool. These changes relate to the use of exploit data on Github. We all know that exploits are often posted on GitHub. But how adequate is this source in order to evaluate the exploitability?
For example, there is an interesting PoC in GitHub repository on github. It contains the results of an automated search for exploits of CVE vulnerabilities on GitHub. There are currently PoCs for 4484 CVE IDs.
Distribution by years:
CVE-1999-_: 4 CVE-2000-_: 4
CVE-2001-_: 10 CVE-2002-_: 14
CVE-2003-_: 6 CVE-2004-_: 9
CVE-2005-_: 7 CVE-2006-_: 13
CVE-2007-_: 18 CVE-2008-_: 21
CVE-2009-_: 22 CVE-2010-_: 25
CVE-2011-_: 27 CVE-2012-_: 39
CVE-2013-_: 64 CVE-2014-_: 128
CVE-2015-_: 144 CVE-2016-_: 185
CVE-2017-_: 323 CVE-2018-_: 407
CVE-2019-_: 504 CVE-2020-_: 684
CVE-2021-_: 747 CVE-2022-_: 739
CVE-2023-*: 340
The total number of CVEs is growing, and so is the number of exploitable CVEs. But no one guarantees that PoC is functional and that there are no rickrolls or malware. Be careful.
For example, it contains Office RCE vulnerability (CVE-2023-36884) from the July Patch Tuesday. But if you look closely, everything is not so rosy. Let's see.
There is no POC yet.
So "PoC in GitHub" would be more appropriate to call "CVE mentions in GitHub". It will highlight mentions of CVEs, but, of course, it will not show the context. Then only manual analysis or some automated classification will help you.
The ambiguity of exploitation data on GitHub is also bad for my Vulristics reports. For high-profile vulnerabilities, such as Zerologon (CVE-2020-1472), there are too many references to GitHub in the report, most of which are not related to exploits.
And it is very difficult to automatically understand which repositories contain exploits and which contain irrelevant content. And, as a rule, it is not really necessary. Fully functional exploit will most likely end up in specialized exploit packs, although it may happen with some delay.
Therefore, I think Vulristics users should be able to generate both reports containing as much information about exploits as possible (although it will be littered) and reports that take into account only known exploit packs.
I have added the option --vulners-use-github-exploits-flag
, which can be either True
or False
. The default value is True
.
I also added [source] links.
An exploit from GitHub, as a rule, ends up in a specialized exploit pack over time, BUT NOT ALWAYS! For example,Command Injection - SAP NetWeaver (CVE-2022-22536).
We see that exploits for this vulnerability are available only on the GitHub. And, judging by the description, they are valid.
And if we generate a Vulristics report with --vulners-use-github-exploits-flag "False"
, then we will lose this valuable information.
So be aware and use the option with caution.
In early August, Qualys introduced new capabilities for analyzing the vulnerabilities of self-written (First-Party) and open source applications.
Tenable announced Vulnerability (Exposure) Management with generative AI similar to ChatGPT. The product (or rather technology) will be called ExposureAI and will be available as part of Tenable One.
Main features:
As with Cyclops Security, which announced similar functionality a little earlier, it all depends on how smart the system turns out to be and how bad mistakes it makes.
SC Awards continues to be fun. This year Rapid7 InsightVM received "Best Vulnerability Management Solution". In the nomination there was Tenable - it's ok. Do you know what other 3 giants and innovators of the VM market were there?
Palo Alto Networks Prisma Cloud - cloud-native application protection platform
Lacework - cloud security platform
Coalfire Ransomware Simulation-as-a-Service (RSaaS)
Have the contest organizers heard of Qualys VM?
Apparently, so that Tenable would not be offended, they were given "Best Risk / Policy Management Solution" (Qualys was also in this nomination) and "Best Security Company". The company is the best, but apparently their VM is so-so, Rapid7's solution is better. The only pity is that Rapid7 seems to have problems with sales of this best VM solution. "Rapid7 will lay off about 18 per cent of its workforce, around 470 employees, with significant cuts to sales and engineering – as well as permanently close some office locations".
Now let's talk about vulnerabilities.
Anglo-Saxon state security agencies from 5 countries issued a joint advisory "2022's Top Routinely Exploited Vulnerabilities". I took this report, wrote out the CVE references and released 2 Vulristics reports:
In the Top 12 Vulnerabilities, all CVEs have links to exploits and signs of exploitation in the wild. All of them are Urgent, except for one, because it is EoP in the not-so-common Workspace One. The most critical are RCEs in Apache Log4j2, Microsoft Exchange, and Confluence.
In the extended report, all CVEs have the sign of exploitation in the wild, but there are 6 vulnerabilities without links to exploits and therefore with Critical/High criticality. The most critical are RCEs in Apache HTTP Server, Apache Log4j2, Windows RDP and Microsoft Exchange.
It is worth noting that the extended list contains such Oldies But Goodies vulnerabilities as:
Compared to last year advisory, GitLab and exotics like Hikvision and Buffalo are gone. The set of CVEs looks better.
Commands for those who want to build a report themselves in Vulristics using comments for CVEs from AA23-215A.
$ cat AA23-215A_comments.txt | grep -v "30 Additional" | egrep -o "CVE-[0-9]-[0-9]" | sort | uniq > AA23-215A_cves_top12.txt
$ cat AA23-215A_comments.txt | egrep -o "CVE-[0-9]-[0-9]" | sort | uniq > AA23-215A_cves.txt
$ python3 vulristics.py --report-type "cve_list" --cve-project-name "AA23-215A" --cve-list-path "AA23-215A_cves.txt" --cve-comments-path "AA23-215A_comments.txt" --cve-data-sources "ms,nvd,epss,vulners,attackerkb" --rewrite-flag "True"
$ python3 vulristics.py --report-type "cve_list" --cve-project-name "AA23-215A_top12" --cve-list-path "AA23-215A_cves_top12.txt" --cve-comments-path "AA23-215A_comments.txt" --cve-data-sources "ms,nvd,epss,vulners,attackerkb" --rewrite-flag "False"
Funny detail: 8 agencies from 5 countries released this, but there was no one who carefully read and noticed that in several places the identifier for Log4Shell is written as "CVE-2021- 44228" with a space. Both in pdf, and in the web-version.
My impressions of the August Microsoft Patch Tuesday - nothing special.
Formally, the most critical vulnerability is Denial of Service - .NET and Visual Studio (CVE-2023-38180), because there are signs of exploitation. There are no details, but it is somehow doubtful.
No more vulnerabilities with public exploits or signs of exploitation.
Several Remote Code Executions - Microsoft Exchange (CVE-2023-35368, CVE-2023-38185, CVE-2023-35388, CVE-2023-38182). 3 of them definitely require authentication, one is unclear. This authentication can potentially be obtained throughElevation of Privilege - Microsoft Exchange (CVE-2023-21709) - "This vulnerability allows a remote, unauthenticated attacker to log in as another user". It's better to patch!
Remote Code Execution - Microsoft Teams (CVE-2023-29328, CVE-2023-29330). Fortunately, in Russia it's not popular anymore.
There is also a bunch of EoPs in the Windows kernel&components.
Full report: ms_patch_tuesday_august2023_report
Among other vulnerabilities of this month, I would like to highlight:
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
8.3 High
AI Score
Confidence
High
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.974 High
EPSS
Percentile
99.9%