CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH
CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL
Hello everyone! In this episode, I will try to revive Security News with a focus on Vulnerability Management.
On the one hand, creating such reviews requires free time, which could be spent more wisely, for example, on open source projects or original research. On the other hand, there are arguments in favor of news reviews. Keeping track of the news is part of our job as vulnerability and security specialists. And preferably not only headlines.
Alternative video link (for Russia): <https://vk.com/video-149273431_456239095>
I usually follow the news using my automated telegram channel @avleonovnews. And it looks like this: I see something interesting in the channel, I copy it to Saved Messages so that I can read it later. Do I read it later? Well, usually not. Therefore, the creation of news reviews motivates me to read and clear Saved Messages. Just like doing Microsoft Patch Tuesday reviews motivates me to watch what's going on there. In general, it seems it makes sense to make a new attempt. Share in the comments what you think about it. Well, if you want to participate in the selection of news, I will be glad too.
I took 10 news items from Saved Messages and divided them into 5 categories:
The Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity Linux vulnerability known as PwnKit to its list of bugs exploited in the wild. Unprivileged users can exploit this vulnerability to gain full root privileges on Linux systems with default configurations. Reliable proof-of-concept (PoC) exploit code has been shared online less than three hours after Qualys published technical details for PwnKit. It was January 25th. The vulnerability was found in the Polkit's pkexec component used by all major distributions (including Ubuntu, Debian, Fedora, and CentOS). It has been hiding in plain sight for more than 12 years since pkexec's first release in May 2009.
The US cybersecurity agency gave all Federal Civilian Executive Branch (FCEB) agencies three weeks, until July 18, to patch their Linux servers against PwnKit and block exploitation attempts. Even though this directive only applies to federal agencies, CISA also strongly urged all US organizations from the private and public sectors to prioritize patching this bug.
Well, it would be correct to say that not only the Americans should quickly patch this.
On June 02, 2022, Atlassian published a security advisory about a critical severity Unauthenticated Remote Code Execution vulnerability affecting Confluence Server and Data Center. According to the advisory, the vulnerability is being actively exploited and Confluence Server and Data Center versions after 1.3.0 are affected. In order to exploit a vulnerable server, a remote attacker can send a malicious HTTP GET request with an OGNL payload in the URI. The vulnerable server once exploited would allow the attacker to execute commands remotely with user privileges running the Confluence application.
To detect CVE-2022-26134, the detection sends an HTTP GET request with a specially crafted OGNL payload to determine the vulnerability on the target Confluence application. The OGNL payload creates a custom HTTP response header containing the output of the system command executed on Linux and Windows systems. The detection also consists of a Qualys customized OGNL payload which is platform-independent, eliminating false positives and works irrespective of the host operating system by creating a custom HTTP response header with a Qualys specified value.
In this detailed technical article, Mayank Deshmukh from Qualys describes OGNL Injection, RCE Payload, Exploit POC, Exploit Analysis and Source Code Analysis. If you are interested in how such vulnerabilities are exploited and detected, check out this article.
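Since the exploitation path described above is an OGNL expression in the request URI, a defender can look for the same thing in web server or reverse proxy access logs. The following is an added example (not code from the Qualys article or from Atlassian): it normalises URL-encoded request paths, including double-encoded ones, and flags requests whose path contains an OGNL-style expression. The log lines and the inert expressions in them are constructed.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in common log format (a reverse proxy in front of Confluence).
# The OGNL expressions here are inert placeholders such as "${(#x=1)}", not working payloads.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jun/2022:10:15:01 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [03/Jun/2022:10:15:07 +0000] "GET /%24%7B%28%23x%3D1%29%7D/ HTTP/1.1" 302 0 "-" "python-requests/2.27"
10.0.0.9 - - [03/Jun/2022:10:15:09 +0000] "GET /rest/api/content?expand=body.storage HTTP/1.1" 200 873 "-" "curl/7.81"
10.0.0.20 - - [03/Jun/2022:10:16:00 +0000] "GET /%2524%257B%2523x%257D/ HTTP/1.1" 302 0 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# "${" ... "#" or "@" ... "}" is the shape of an OGNL expression evaluated in the URI.
OGNL_MARKER = re.compile(r'\$\{.*?[#@].*?\}')


def decode_path(path: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded paths are normalised before matching."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def find_ognl_requests(log_text: str) -> list:
    """Return one dict per request whose decoded path contains an OGNL-style expression."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = decode_path(m.group("path"))
        if OGNL_MARKER.search(path):
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "path": path, "status": int(m.group("status"))})
    return hits


if __name__ == "__main__":
    for hit in find_ognl_requests(SAMPLE_LOG):
        print(hit)
```

Matching on the decoded path rather than the raw one is the point: the second suspicious line only reveals `${#x}` after two decoding rounds.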
Organizations traditionally have struggled to track vulnerabilities in public cloud platforms and services because of the lack of a common vulnerability enumeration (CVE) program like the one that MITRE maintains for publicly disclosed software security issues. A new community-based database launched this week seeks to begin addressing that issue by providing a central repository of information on known cloud service-provider security issues and the steps organizations can take to mitigate them.
The database — cloudvulndb.org — is the brainchild of security researchers at Wiz, who for some time have been advocating the need for a public catalog of known security flaws on platforms and services run by the likes of AWS, Microsoft, and Google. The database currently lists some 70 cloud security issues and vulnerabilities, such as Azure Open Management Infrastructure (OMI) Elevation of Privilege, OMIGOD. Anyone is free to suggest new issues to add to the website or to suggest new fixes to existing issues.
It's not clear if a separate database is really needed. It seems that all of these entries can be added as NVD CVEs. Moreover, many vulnerabilities in this database already have CVE IDs. But the initiative is good. It proves once again that MITRE and NVD have problems with coverage.
MITRE shared this year's top 25 most common and dangerous weaknesses impacting software throughout the previous two calendar years. These bugs are considered dangerous because they're usually easy to discover, come with a high impact, and are prevalent in software released during the last two years.
Let's see what's on top:
1 CWE-787 Out-of-bounds Write
2 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
3 CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
4 CWE-20 Improper Input Validation
5 CWE-125 Out-of-bounds Read
6 CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Seems to be true, although 'OS Command Injection' could be higher. Well, we need to remember that CWE identifiers are assigned manually to vulnerabilities by some analysts and therefore there may be classification errors. But it's still interesting.
This article is based on research of Tetra Defense, a leading incident response, cyber risk management and digital forensics firm based in Madison, Wisconsin.
Attackers continue to find significant success targeting unpatched servers and vulnerable remote-access systems, researchers say – and these types of compromises cost victim organizations 54% more than compromises caused by user actions (i.e., falling for phishing and opening malicious documents).
According to a report by Tetra Defense, which analyzed incident data from the first quarter, unpatched vulnerabilities and exposing risky services—such as Remote Desktop Protocol (RDP)—account for 82% of successful attacks, while social-engineering employees to take some action accounted for just 18% of successful compromises. The article also mentions known vulnerabilities: the ProxyShell exploit for Microsoft Exchange servers and the Log4Shell vulnerability in the Java Log4j library.
Two controls – comprehensive patching and using multifactor authentication (MFA) – could have prevented nearly 80% of the investigated incidents.
Good point in the article: "Data on successful compromises can help companies determine the most critical attack vectors to address, but it should be noted that the conclusions depend greatly on the specific incident-response firm". But the fact that MFA and patching are very important is true.
The article was written by Dan Schiappa, Chief Product Officer of Arctic Wolf, Security Operations company.
Both Google and Mandiant tracked a record number of zero-days last year. More zero-days are being discovered because security companies are getting better at finding them — not necessarily because hackers are coming up with new vulnerabilities. Not all zero-days are created equal. Some require sophisticated and novel techniques, like the attack on SolarWinds, and others exploit simple vulnerabilities in commonly used programs like Windows. Thankfully, there are some basic cyber hygiene strategies that can keep your organization sufficiently prepared to mitigate zero-day exploits.
While patching is proper preparation, the investment in trained security professionals, in-house or outsourced, is the best defense against zero-days.
In general, I agree with everything. My opinion: while critical known vulnerabilities are not fixed promptly, it is premature to think about Zero-Days. And of course, dealing with Zero-Days is primarily the task of the SOC.
I would like to start here with an article with a provocative title
The article was written by Liran Tancman, CEO of Rezilion, a platform vendor that allows you to map, validate and eliminate software vulnerabilities.
Sometimes, too much information is a mixed blessing. Security teams use multiple vulnerability scanners in an attempt to cope with a significant rise in both attack surface diversity and software vulnerabilities. But they soon find themselves overwhelmed with results, which leads to a growing backlog of bugs that need to be fixed.
A recent analysis from RAND Corporation found no notable reduction of breaches in organizations with mature vulnerability management programs.
By the way, an interesting study, it would be right to give it a separate episode, I guess. Leave a comment if you'd like it.
Rezilion's own runtime research analysis finds, on average, only 15% of discovered vulnerabilities are loaded into memory, which makes them exploitable. That means, on average, only 15% of flaws require priority patching — or patching at all.
Also an interesting topic that deserves a separate episode.
Rezilion conducted an analysis of 20 of the most popular container images. The findings showed more than 4,347 known vulnerabilities. 75% of those rated as critical or high in severity did not load to memory and posed no risk. Organizations can use runtime analysis to prioritize remediation of vulnerabilities. A vulnerability in a package that isn't being loaded to memory can't be exploited by an attacker.
This is a long-standing dispute: is it necessary to fix vulnerabilities in software that is not running at the moment? Well, usually the answer is yes, it is necessary. Because no one can guarantee that the software will suddenly not be launched. But if it is possible to identify vulnerabilities in software that is currently running or was launched not so long ago, then this is a good source of data for additional prioritization. Why not. It's good that Rezilion highlights this.
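As an added illustration of the runtime-based prioritization discussed above (this is not Rezilion's code or method, just a minimal version of the idea on Linux): the shared objects mapped into a running process can be read from /proc/<pid>/maps, and scanner findings can be split into "loaded now, patch first" and "not loaded, patch in the normal cycle". The maps excerpt, package names, file paths and severities are all constructed sample data.

```python
# Constructed excerpt of /proc/<pid>/maps for one long-running service.
# Field layout is the real one: address perms offset dev inode [pathname]
SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c1e9000 r-xp 00000000 08:01 1312 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f3a1c3f0000-7f3a1c410000 r-xp 00000000 08:01 1480 /usr/lib/x86_64-linux-gnu/libz.so.1.2.11
7f3a1c500000-7f3a1c600000 rw-p 00000000 00:00 0
7f3a1c700000-7f3a1c720000 r-xp 00000000 08:01 1502 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
"""

# Constructed scanner findings: package -> files the package installs and the worst severity.
# Placeholders only; not real CVE-to-package data.
SAMPLE_FINDINGS = {
    "zlib1g":    {"files": ["/usr/lib/x86_64-linux-gnu/libz.so.1.2.11"], "severity": "high"},
    "libssl1.1": {"files": ["/usr/lib/x86_64-linux-gnu/libssl.so.1.1"], "severity": "critical"},
    "libxml2":   {"files": ["/usr/lib/x86_64-linux-gnu/libxml2.so.2"], "severity": "critical"},
    "libpng16":  {"files": ["/usr/lib/x86_64-linux-gnu/libpng16.so.16"], "severity": "medium"},
}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def mapped_files(maps_text: str) -> set:
    """Return file paths mapped into the process; anonymous mappings carry no pathname."""
    paths = set()
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)
        if len(fields) == 6 and fields[5].startswith("/"):
            paths.add(fields[5])
    return paths


def prioritize(findings: dict, maps_text: str) -> dict:
    """Split findings by whether any of the package's files is mapped into the process.
    Not-loaded packages stay on the list: nothing guarantees they will not be launched later."""
    loaded = mapped_files(maps_text)
    loaded_pkgs, idle_pkgs = [], []
    for pkg, info in findings.items():
        (loaded_pkgs if any(f in loaded for f in info["files"]) else idle_pkgs).append(pkg)

    def by_severity(pkg):
        return SEVERITY_ORDER[findings[pkg]["severity"]]

    return {"loaded": sorted(loaded_pkgs, key=by_severity),
            "not_loaded": sorted(idle_pkgs, key=by_severity)}


if __name__ == "__main__":
    print(prioritize(SAMPLE_FINDINGS, SAMPLE_MAPS))
```

On a real host the same function would be fed the concatenated maps of every process of interest, since a library idle in one process may be loaded in another.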
To tell the truth, I have long been interested in what's new in Qualys Vulnerability Management, Detection and Response.
According to the recently released Verizon DBIR report, vulnerability exploitation continued to be one of the top three attack vectors exploited by bad actors in 2021 to break into organizations. As of this writing, it’s only June, but more than 10,000 vulnerabilities have already been disclosed in 2022, according to the National Vulnerability Database (NVD). As if that weren’t bad enough, the rate of increase of ransomware attacks last year was more than the last five years combined.
All these introduce delays in the remediation process.
Qualys VMDR 2.0 introduces TruRisk scores that help organizations prioritize vulnerabilities based on risk ratings that weigh multiple factors such as exploit code maturity, exploitation in the wild, and multiple other factors that accurately measure risk.
In general, it looks like Tenable vulnerability priority rating (VPR). It's probably generated the same way. But the technical details of TruRisk are not given here.
A key step in any remediation workflow is good communication between the vulnerability management (VM) team and the remediation team. However, these two teams use different products and different terminology. The VM team understands the risk and QIDs. The remediation team understands patches. Qualys maps the selected vulnerabilities to the right patches and configuration changes required to remediate them specific to the organization’s unique environment. For some assets, this entire process can be automated with VMDR 2.0. For example, a zero-touch automation job can be created to patch non-mission critical assets that will automatically execute as soon as a new vulnerability with a Qualys Detection Score >90 is detected.
Integrated Patch Management is Simply Faster. On average, organizations that use Qualys VMDR + Patch Management remediate vulnerabilities 35% faster than organizations that use separate tools. Even better, with some vulnerabilities the difference can be 63% faster with a combined solution.
I agree that the focus of the VM should be on Remediation and it's good that Qualys is pushing this topic. Are there enough new features to call this update VMDR 2.0? I don't think so yet. It seems that if Remediation were fully automated for 100% of the hosts (which requires a fundamentally different approach to functional testing after the patch), then it would be 2.0. But marketers of Qualys know better.
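The zero-touch job described above (patch non-mission-critical assets as soon as a detection with Qualys Detection Score above 90 appears, after mapping QIDs to patches) can be written down as a small policy. This is an added example of that rule, not Qualys code or its API; the QIDs, patch identifiers, hostnames and tags are constructed placeholders.

```python
# Constructed detections as a VM team would export them: asset, QID, Qualys Detection Score.
DETECTIONS = [
    {"asset": "web-01", "qid": 110001, "qds": 95},
    {"asset": "web-01", "qid": 110002, "qds": 72},
    {"asset": "db-01",  "qid": 110001, "qds": 95},
    {"asset": "dev-07", "qid": 110003, "qds": 91},
    {"asset": "dev-07", "qid": 110004, "qds": 90},   # exactly 90: rule says > 90, so excluded
    {"asset": "dev-07", "qid": 110005, "qds": 98},   # no patch mapping: needs manual follow-up
]
# Constructed asset tags and the QID -> patch mapping the remediation team works with.
ASSET_TAGS = {
    "web-01": {"non-mission-critical"},
    "db-01":  {"mission-critical"},
    "dev-07": {"non-mission-critical", "dev"},
}
QID_TO_PATCH = {110001: "PATCH-A", 110002: "PATCH-B", 110003: "PATCH-C", 110004: "PATCH-C"}


def build_zero_touch_job(detections, asset_tags, qid_to_patch,
                         qds_threshold=90, required_tag="non-mission-critical"):
    """Return (patch job, unmapped detections).

    Patches are de-duplicated per asset because several QIDs can be fixed by one patch.
    Detections that pass the rule but have no patch mapping are reported, not silently dropped,
    so they land on a human queue instead of disappearing from the backlog."""
    job, unmapped = {}, []
    for det in detections:
        if det["qds"] <= qds_threshold:
            continue
        if required_tag not in asset_tags.get(det["asset"], set()):
            continue  # mission-critical or untagged assets never get auto-patched
        patch = qid_to_patch.get(det["qid"])
        if patch is None:
            unmapped.append(det)
            continue
        job.setdefault(det["asset"], set()).add(patch)
    return {asset: sorted(patches) for asset, patches in job.items()}, unmapped


if __name__ == "__main__":
    print(build_zero_touch_job(DETECTIONS, ASSET_TAGS, QID_TO_PATCH))
```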
Today’s modern attack surface needs a next-gen, advanced vulnerability management approach to deal with the complex, ever-evolving attack surfaces and to curb cyberattacks.
Why Conventional Vulnerability Management is not the Best-fit for Modern Security Landscape
And to overcome these issues, you need Advanced Vulnerability Management from Secpod. In general, the list of cons looks fair, and the fact that they pay attention to vulnerabilities in addition to CVEs seems to me very correct.
I have nothing against people or companies from Western countries. According to Google analytics, the majority of visitors to my avleonov.com blog are actually from the US (then India, China, and Russia). However, that's how it goes. Some companies stop working in Russia because of the sanctions. And Russian information security specialists should take into account these risks, mitigate them and warn colleagues who may also face these problems.
Last week there was news that SAP and Microsoft will block Russian companies' access to software updates, including security updates, in August. For some reason, the news was published in Bloomberg without reference to the source.
> "It's not just industry that's affected. SAP SE and Microsoft Corp. are due to stop updates and services for Russian companies in August, leaving businesses and government services that rely on their software potentially vulnerable to security breaches and viruses."
Some time later, this paragraph was rewritten. The mention of August was removed. Unfortunately, the fact that the leading Western media are spreading propaganda and rumors is no longer surprising. I do not even want to give a link to the article, whoever is interested can google it on their own.
However, what if this really happens? What if we can no longer use WSUS and SCCM to update the Windows infrastructure? And even more, if we get some malicious functionality in the updates, which will be activated over time. Unfortunately, what once seemed like a minor risk and paranoia is now becoming more than real. Therefore, we need to think in advance about network isolation, alternative ways to update the Windows infrastructure, implement control over backups, implement information security tools that could compensate for the lack of patches to some extent. And most importantly, we need to quickly reduce dependence on the software of unstable vendors. And this is now relevant not only for Russia, but also for the BRICS countries and other countries that are already under US sanctions or may potentially face them.
I also finally decided to launch a Russian-language telegram channel "Управление Уязвимостями и прочее" @avleonovrus. I think it will be updated a little more often, and there will be more reactions to our local Russian topics. Therefore, those who are interested, subscribe.