Rapid7 Blog

Greg Wiseman  

Patch Tuesday - September 2017

It's a big month, with Microsoft patching 85 separate vulnerabilities, including the two Adobe Flash Player Remote Code Execution (RCE) fixes bundled with the Edge and Internet Explorer 11 updates. Continuing recent trends, the bulk of the Critical RCE vulnerabilities are client-side, primarily in Edge, IE, and Office. Microsoft has also released patches for today's branded public disclosure, "BlueBorne", a collection of vulnerabilities affecting the Bluetooth stacks of multiple vendors. The Microsoft-specific issue is CVE-2017-8628, a spoofing vulnerability that could allow a man-in-the-middle attack by an attacker within Bluetooth range of an affected system.

In terms of exploitability, CVE-2017-8759 (a flaw in the way the .NET Framework processes untrusted input) is the most urgent, as it is already known to be exploited in the wild. Any attacker able to persuade a user to open a maliciously crafted document or application will be able to take control of the affected system with the same privileges as that user. Among the Office vulnerabilities, CVE-2017-8742, CVE-2017-8743, and CVE-2017-8744 are memory corruption vulnerabilities that could lead to RCE and which Microsoft has classified as likely to be exploited.

Administrators should prioritize rolling out the .NET fixes to workstations, then any relevant Windows 10 (which bundles Edge) and IE updates, followed by the Microsoft Office and system-level patches.

As usual, there are also server-side patches that need to be applied. SharePoint sees a fix for an XSS vulnerability (CVE-2017-8629) as well as for two RCE vulnerabilities that also apply to Office Online Server (CVE-2017-8631 and CVE-2017-8743). Exchange Server also gets some love, with fixes for CVE-2017-11761 and CVE-2017-8758 (Information Disclosure and Privilege Escalation, respectively). Of course, standard Windows Server systems are also getting critical fixes, such as the one for CVE-2017-0161, an RCE in NetBIOS over TCP/IP (NetBT).

Patch Tuesday - July 2017

Most of the critical vulnerabilities patched this month concern client-side systems, with 14 separate Remote Code Execution (RCE) issues being addressed for the Microsoft Edge browser and five for Internet Explorer. One of the three Adobe Flash Player vulnerabilities being patched is also a critical RCE bug (CVE-2017-3099). Of the 54 Microsoft CVEs addressed, 33 relate to Edge and 14 to Internet Explorer.

Browser-based RCE vulnerabilities are a significant attack vector, but they typically require some degree of social engineering to convince the user to visit a malicious web page. Similarly, with most Microsoft Office bugs (eight CVEs this month), users need to be tricked into opening attachments. More concerning are RCE vulnerabilities that do not require any user interaction: exploits for these can be weaponized to quickly spread malware, as we've seen with the recent ransomware outbreaks.

This month, Microsoft has fixed CVE-2017-8589, a critical RCE vulnerability that could allow an attacker to take full control of a system by sending specially crafted messages to the Windows Search service. This typically requires access to the target computer. However, in an enterprise setting, it is possible for a remote, unauthenticated actor to trigger the vulnerability via an SMB connection. Fixes for CVE-2017-8589 have been released for all supported versions of Windows, so server administrators aren't off the hook for patching. There is also CVE-2017-8501, which affects SharePoint Enterprise Server 2013.

One final point of interest: last month, Microsoft released a fix for CVE-2017-8529 (a browser information disclosure vulnerability whereby an attacker can detect specific files on the user's computer) that broke printing in Internet Explorer and Edge for some users. Over the following two weeks they released various updates to resolve the printing issue, which ultimately removed the protection against CVE-2017-8529. Microsoft has still not been able to resolve the security issue without reintroducing the printing bug, and customers who take automatic updates will still be vulnerable. As of this writing, the only way to be protected is to have applied the June updates and no others (which is not recommended). The severity of CVE-2017-8529 is considered Low (on server systems) to Moderate (otherwise). If it is of concern, for example on particularly sensitive systems, a workaround would be to use a different web browser until this vulnerability is correctly patched.

Patch Tuesday - June 2017

This month sees another spate of critical fixes from Microsoft, including patches for a number of Remote Code Execution (RCE) vulnerabilities. Two of these are already known to be exploited in the wild (CVE-2017-8543 and CVE-2017-8464). Today's patches are so crucial that Microsoft has once again released fixes for end-of-life operating systems, citing "the elevated risk for destructive cyber attacks at this time" and explicitly calling out the threat of nation-state actors. Updates are available for Windows XP, Windows Vista, Windows 8, and Windows Server 2003. They include fixes for MS17-013 (a Security Bulletin from April), as well as 21 CVEs with impact ranging across RCE, information disclosure, and elevation of privilege. Further details are available in Microsoft's Security Advisory 4025685.

This month's updates aren't just about severity but quantity as well, with 94 separate flaws being patched (compared to 66 last month and 44 in April). This doesn't even include the nine critical Adobe Flash Player RCE vulnerabilities (see APSB17-17 for details) that are also being fixed today and are rated "Priority 1" (meaning there is a high risk of vulnerable systems being targeted in the wild).

Most of the vulnerabilities are in Windows, split evenly between desktop and server flavors. All of the Windows CVEs have a severity of Important or Critical, with the bulk of the impact being information disclosure, followed by RCE, privilege escalation, and some security feature bypass vulnerabilities in newer versions of Windows (8.1, 10, Server 2012 R2, and Server 2016).

Microsoft Office and Office-related software (e.g. SharePoint, Lync/Skype for Business, and Office Web Apps) also have plenty of vulnerabilities being addressed this month, with thirteen information disclosure vulnerabilities and twelve RCEs between them. In addition to the various SharePoint RCE vulnerabilities being patched, Microsoft has released a defense-in-depth update for SharePoint Enterprise Server 2013 SP1 and Enterprise Server 2016 that hardens the products without addressing specific vulnerabilities.

As usual, web technologies continue to provide additional attack surface. 16 issues with the Edge browser have been patched: 10 RCE, 3 information disclosure and 3 security feature bypass vulnerabilities. Internet Explorer sees 4 RCE and 2 information disclosure bugs fixed. Last but not least, two critical RCE vulnerabilities in Silverlight have also been patched (CVE-2017-0283 and CVE-2017-8527, each of which also affects several other products).

Hopefully you don't have any obsolete operating systems in your environment. But if you do, be sure to apply this month's patches: attackers often see end-of-life systems as low-hanging fruit, and exploits are already out there. Of course, this means supported systems are also at significant risk. Best get patching!

Patch Tuesday - May 2017

It's a relatively light month as far as Patch Tuesdays go, with Microsoft issuing fixes for a total of seven vulnerabilities as part of their standard update program. However, an eighth, highly critical vulnerability (CVE-2017-0290) that had some of the security community buzzing over the weekend was also addressed late Monday evening. A flaw in the scanning engine used by various Microsoft anti-malware products could allow attackers to fully compromise a user's system simply by sending them a file as an email attachment or in an instant message, or by enticing them to visit a malicious web page.

This vulnerability is especially dangerous for two reasons. In most attacks, users need to be tricked into opening a file or visiting a web page, and even then the malware would generally run at their privilege level unless it's able to escalate. But because the engine runs as SYSTEM, the highest privilege level, it's game over for a compromised system; the attacker has full control. Additionally, because the engine may scan files in the background before the user even sees them, exploitation can occur without the typical prerequisite social engineering. The only good news here is that Microsoft shipped the fix very quickly after being notified, and since it's being delivered as an anti-malware engine update rather than via Windows Update, most users should get the patch without having to take any action.

The fixes released as part of the regular Patch Tuesday updates continue some long-standing trends we've seen from Microsoft, with critical KBs for all supported operating systems addressing remote code execution (RCE) and privilege escalation vulnerabilities. Two separate RCE vulnerabilities in Office were also patched, one of which (CVE-2017-0261) is known to be exploited in the wild. The other Office vulnerability, CVE-2017-0281, is rated "Important" but affects a wide range of products beyond just Office, including Skype for Business and several server platforms such as SharePoint, Office Web Apps, and Project Server 2013. Edge and Internet Explorer remain reliable attack surfaces, with RCE vulnerabilities being patched for both. Rounding out the vulnerabilities this month is a DNS denial of service (CVE-2017-0171) affecting all supported server operating systems.

Alongside today's updates Microsoft published Security Advisory 4010323, indicating that they've now fully deprecated SSL/TLS certificates signed with SHA-1 due to known weaknesses in the algorithm. IE 11 and Edge will no longer load sites with such certificates, and will instead display an invalid certificate warning. The exception to this is self-signed and enterprise certificates (those not chained to a Microsoft-trusted root); however, any such sites really should switch to SHA-2 based certificates as soon as possible.

Patch Tuesday - April 2017

This month's updates deliver vital client-side fixes, resolving publicly disclosed remote code execution (RCE) vulnerabilities for Internet Explorer and Microsoft Office that attackers are already exploiting in the wild. In particular, they've patched the CVE-2017-0199 zero-day flaw in Office and WordPad, which could allow an attacker to run arbitrary code on a victim's system if they are able to successfully social engineer their target into opening or previewing a maliciously crafted document.

Microsoft has also already issued a fix for their new version of Windows 10 (1703, also known as the "Creators Update"), which was only made generally available today. It addresses several RCE and elevation of privilege vulnerabilities.

Data center admins can't rest easy, however. This month sees updates for all supported versions of Windows Server, with fixes across the board for RCE, privilege escalation, and denial of service (DoS) vulnerabilities.

Administrators should be aware that after today, Windows Vista will no longer be supported. Any systems running Vista should be upgraded to a supported version in order to continue receiving security fixes. As the recent zero-day IIS exploit for Server 2003 R2 reminded us, attackers are happy to take advantage of obsolete systems still in use.

It is also worth noting that information about this month's fixes is only available from Microsoft's Security Updates Guide. Instead of grouping related fixes under Security Bulletins such as MS16-XXX, their new system allows users to pivot on the vulnerability identifiers (CVEs) and KB article numbers. They also provide the ability to search and filter based on product, severity, and impact (e.g. RCE, DoS, etc.), which can help administrators prioritize how they roll out the updates. Please refer to this blog post for more details about how this affects Nexpose users.

Patch Tuesday - March 2017

Due in part to the delay of February's fixes, today's Patch Tuesday is a big one, comprising 18 bulletins split evenly between "Critical" and "Important" ratings. It's also significant as three of the bulletins (MS17-006, MS17-012, and MS17-013) contain fixes for vulnerabilities that were previously disclosed by external parties and have exploit code publicly available. Administrators should prioritize these three updates before moving on to the remaining Critical and then Important ones.

CVE-2017-0037 is a particularly nasty one, allowing attackers to remotely execute arbitrary code if a user visits a malicious web page using Internet Explorer 11 (or potentially Edge). CVE-2017-0038 allows remote attackers to glean potentially sensitive information from process heap memory due to an EMF file handling defect. And CVE-2017-0016 is a denial of service vulnerability that can crash Windows when connecting to a malicious SMB share; exploit code for it has been publicly available since at least February 1st.

The fact that Microsoft published security bulletins at all this month may come as a surprise to some, given that they announced their intention to transition away from the Security Bulletin model in favour of their Security Updates Guide after January's updates. February's out-of-band release of Adobe Flash Player fixes as MS17-005 hinted that they weren't quite done with the format, and the slew of bulletins issued this month confirms that it's not yet deprecated.

Even so, the Rapid7 vulnerability content team is pressing forward with our promised changes to the way we identify Microsoft vulnerabilities. Instead of being bulletin-centric (e.g. "MS17-004: Security Update for Local Security Authority Subsystem Service (3216771)"), vulnerabilities will be broken down by CVE. For example, MS17-017 is split across four separate CVE identifiers:

msft-cve-2017-0050: Microsoft CVE-2017-0050: Windows Kernel Elevation of Privilege Vulnerability
msft-cve-2017-0101: Microsoft CVE-2017-0101: Windows Elevation of Privilege Vulnerability
msft-cve-2017-0102: Microsoft CVE-2017-0102: Windows Elevation of Privilege Vulnerability
msft-cve-2017-0103: Microsoft CVE-2017-0103: Windows Registry Elevation of Privilege Vulnerability

This provides a more accurate assessment of risk compared to the legacy approach, where a single bulletin could encompass many individual vulnerabilities. Indeed, across the 18 bulletins this month there are a total of 134 unique CVE identifiers.

One last piece of administrivia this month that security teams should be aware of: the security-only updates for Windows 7, Server 2008 R2, Windows 8.1, and Server 2012 R2 do not include security updates for Internet Explorer. This is how Microsoft traditionally shipped IE fixes, but it reverses the practice of the past several months. Happy patching!

February 2017 Patch Tuesday: Delayed

Earlier today Microsoft announced that they will be delaying this month's security updates due to finding a last-minute issue that could "impact some customers." This may be due to a glitch in their new process that they were not able to iron out in time for today's planned release.

We will be keeping an eye out for any updates and will, as always, provide timely coverage for the security vulnerabilities once they become public. There is no word yet of when that might be.

A Reminder About Upcoming Microsoft Vulnerability Content Changes

Update (February 14th): Microsoft has delayed the release of their February 2017 security updates due to a last-minute issue. As always, we will provide timely coverage for the vulnerabilities once Microsoft has published the updates.

Next Tuesday (February 14th) will mark a major change in how Microsoft issues their security updates. Since October 2003, on the second Tuesday of each month (plus occasional bonus out-of-band updates) Microsoft has published a number of Security Bulletins detailing fixes to vulnerabilities in their software products. System administrators and security professionals are well familiar with identifiers of the form MS14-060, where the first two digits after MS refer to the year the bulletin was published and the last three increment over the course of the year. Each of these bulletins could include several vulnerabilities and/or Knowledge Base article identifiers (KBs).

After last month's atypically small number of bulletins, MS17-004 is the last of this format. Microsoft has announced that their new single destination for security vulnerability information will be their Security Updates Guide (still in "preview" as of this writing). Instead of publishing bulletins to describe related vulnerabilities, the new Updates Guide breaks down fixes by CVE identifier, KB number, and product.

What This Means For Nexpose Users

Nexpose's existing Windows Hotfix vulnerability content uses Microsoft's bulletin numbers, for example, MS16-151: Security Update for Windows Kernel-Mode Drivers (3205651). If you have any habits or workflows that assume identifiers or titles in this particular format (e.g. filtering by vulnerability title), they will not include Windows Hotfix content from this coming Patch Tuesday onward. The new format will be CVE-based, with identifiers of the form msft-cve-yyyy-nnnn. Legacy content will not be changed to reflect this new format. However, to take the above MS16-151 as an example, it would become two distinct vulnerabilities:

Microsoft CVE-2016-7259: Win32k Elevation of Privilege Vulnerability
Microsoft CVE-2016-7260: Win32k Elevation of Privilege Vulnerability

In case you are used to dealing with vulnerability IDs, these would be called msft-cve-2016-7259 and msft-cve-2016-7260 respectively.

Although this may take some getting used to, it will result in more accurate risk scores, as described in this blog post from when we introduced a similar change for Adobe, Debian and Ubuntu security advisories.

Check back next week after Microsoft issues February's updates; we will provide some more concrete examples of these changes, along with our standard analysis of the fixes.

Nexpose OS Fingerprinting Feedback

Have you ever run a Nexpose scan and had the wrong operating system identified for an asset? Perhaps the incorrect TCP/IP stack fingerprint was used, or you scanned an embedded device we haven't seen before. The March 9th release of Nexpose (6.1.14) has a new feature that allows you to easily report such fingerprinting errors to Rapid7 and helps us improve fingerprinting accuracy. No need to open a support ticket!

A new feedback button, available on the Asset detail page next to the OS, opens a dialog with fields to correct the vendor, OS, and/or version. The vendor and OS fields will autocomplete products we already know about, so once you begin typing you can choose a suggestion from the drop-down that appears. We recommend that you use these suggestions if an appropriate one is shown. This will help reduce inconsistencies in submitted reports, allowing us to more effectively analyze them and correct Nexpose's fingerprinting behaviour.

Clicking "Send Now" will transfer the most recent scan log for the misfingerprinted asset to Rapid7 (for context), along with the corrections provided in the dialog. Bear in mind that this scan log describes the asset in some detail, so make sure sending it outside your organization is acceptable under your data-handling policies. Feel free to close the dialog at any time after this; the information will continue to be sent in the background. If you want to be notified when the information has successfully been sent, keep the dialog open until the confirmation message is shown.

We strive to have the most accurate fingerprinting possible in Nexpose, so your reports are greatly appreciated!

TLS Coverage Improvements in Nexpose 6.0.2

Over the last couple of years, some of the most serious and widely publicized vulnerabilities have been related to the Transport Layer Security (TLS) protocol and its predecessor, Secure Sockets Layer (SSL). Because TLS is so fundamental to keeping network communications secure, newly discovered flaws can have a disproportionate effect on an organization's risk. From Heartbleed to POODLE, FREAK to Logjam, system administrators dread the next vulnerability announcement with a catchy name or custom-designed logo that will require patching and/or reconfiguring any services using TLS.

The October 14th release of Nexpose (6.0.2) contains a number of improvements related to TLS that will make it easier for administrators to track which versions of the protocols are supported by assets, along with which cipher suites are enabled. We've also broken up our weak cipher vulnerability into multiple vulnerabilities to make it clearer why particular cipher suites are flagged as insecure. (Note that we will continue to ship the old ssl-weak-ciphers vulnerability alongside the new ones for a period of time to give customers who typically do content-only updates a chance to get the required product changes without losing coverage.)

Cipher Suite Enumeration

The most significant enhancement with this release is that Nexpose now enumerates the protocol versions (SSLv2 and v3, TLS v1.0, v1.1 and v1.2) and associated cipher suites for each TLS endpoint that gets scanned. This information is stored in the service configuration, accessible by clicking on the Service Name under the SERVICES section of an asset's page, where a number of new configuration settings are available.

The new ssl.protocols configuration setting is a comma-delimited list of protocol versions supported by the endpoint. As a convenience, the sslv3, tlsv1_0, tlsv1_1, and tlsv1_2 settings contain "true" if that protocol is supported, or "false" if Nexpose was unable to connect via that version. For a service that supports only SSLv3, for example, sslv3 will be "true" and the three tlsv1_* settings "false". The sslv3.ciphers setting is a comma-delimited list of cipher suites available when using SSLv3 to connect to the service, and each other supported protocol version has a corresponding .ciphers setting. There are also dh.keysize settings indicating the size of the key used by cipher suites that use Diffie-Hellman key exchange.

Exporting Cipher Suite Data

Although having all the cipher suites in the service configuration is convenient for taking a quick look at how a service is configured, it does not lend itself well to bulk or offline analysis. To facilitate this, the data can be exported as a SQL Query Export with a row per cipher suite. This is done by going to the Reports tab, choosing Create a Report, giving it a name (here "ciphersuite export"), choosing the Export tab and then the SQL Query Export template. Next, define the query that will expand the comma-delimited list into individual rows:

    SELECT ds.name AS site_name,
           da.ip_address,
           da.host_name,
           dos.asset_type,
           dasc.port,
           split_part(dasc.name, '.', 1) AS protocol_version,
           unnest(string_to_array(dasc.value, ',')) AS cipher_suite
    FROM dim_asset da
    JOIN dim_operating_system dos USING (operating_system_id)
    JOIN dim_host_type dht USING (host_type_id)
    JOIN dim_asset_service_configuration dasc USING (asset_id)
    JOIN dim_site_asset dsa USING (asset_id)
    JOIN dim_site ds USING (site_id)
    WHERE dasc.name ILIKE 'sslv2.ciphers'
       OR dasc.name ILIKE 'sslv3.ciphers'
       OR dasc.name ILIKE 'tlsv1_0.ciphers'
       OR dasc.name ILIKE 'tlsv1_1.ciphers'
       OR dasc.name ILIKE 'tlsv1_2.ciphers'

The query converts the comma-separated list into an array (string_to_array) and then expands it into a row per cipher suite (unnest); split_part on the setting name recovers the protocol version from names such as "tlsv1_2.ciphers". Now, select the site and scan of interest, then save and run the report. Once the report has finished, you can download it as a CSV file containing rows with the site name, IP address, host name, asset type, port, protocol version and cipher suite.

New Weak Cipher Checks

In addition to the cipher suite enumeration, we have also changed how our vulnerability checks for ciphers are performed. Our old vulnerability checks each connected to the server and requested SSL/TLS handshakes using the vulnerable ciphers. This meant that multiple handshakes could be performed with the same cipher if it was listed in multiple vulnerabilities, leading to unnecessary requests to the scan target. With the new cipher enumeration, we perform the vulnerability checks against the stored configuration settings of the scan target, without any additional requests. This results in better, more scalable vulnerability checks.

We have also expanded our three previous vulnerability checks into seven new checks. This allows more direct explanations as to why a cipher is weak and vulnerable. To accommodate customers who will only perform content updates this release, we are shipping the new vulnerability checks alongside the old checks. This is just for a transition period, and it is recommended to update Nexpose to prevent loss of coverage when the old checks are deprecated. The seven vulnerabilities are:

ssl-anon-ciphers: The server is configured to support anonymous cipher suites with no key authentication. These ciphers are highly vulnerable to man-in-the-middle attacks.

ssl-cbc-ciphers: The server is configured to support Cipher Block Chaining (CBC) ciphers. These ciphers have problems with the way TLS implements CBC mode and can be vulnerable to multiple attacks. Known attacks include the "BEAST" attack (CVE-2011-3389) and "Lucky Thirteen" (CVE-2013-0169).

ssl-des-ciphers: Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346) include cipher suites based on the DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) algorithms. DES and IDEA are no longer recommended for general use in TLS, and have been removed from TLS version 1.2.

ssl-export-ciphers: The TLS/SSL server supports export cipher suites, intentionally crippled to conform to US export laws. Symmetric ciphers used in export cipher suites typically do not exceed 56 bits.

ssl-null-ciphers: The TLS/SSL server supports null cipher suites. Null cipher suites do not provide any data encryption and/or data integrity.

ssl-rsa-export-ciphers: The TLS/SSL server supports RSA-based cipher suites intentionally weakened due to export control regulations. This may enable an attacker to launch man-in-the-middle attacks and monitor or tamper with sensitive data against clients susceptible to the FREAK vulnerability. These cipher suites can typically be identified by the word "EXP" or "EXPORT" in their name.

rc4-cve-2013-2566: Recent cryptanalysis results exploit biases in the RC4 keystream to recover repeatedly encrypted plaintexts. As a result, RC4 can no longer be seen as providing a sufficient level of security for SSL/TLS sessions. It has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.

Note that ssl-rsa-export-ciphers and rc4-cve-2013-2566 already exist in Nexpose. The more generic ssl-weak-ciphers vulnerability will be deprecated in an upcoming release.

Along with all these additions, this release fixes various outstanding issues with Nexpose's TLS coverage. These changes also lay the groundwork for further TLS improvements, coming soon!
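The export above turns the per-protocol cipher lists into one row per suite, and the new checks then classify each suite from the stored configuration rather than by re-handshaking. As an added example (not code from the original post or from Nexpose), the following Python script does the same two steps offline over a constructed service configuration: it expands the <protocol>.ciphers settings the way the split_part/unnest query does, then maps each suite name onto the seven check identifiers listed above. The matching rules are name-based approximations assumed for this example (IANA-style suite names are also an assumption); Nexpose's own check logic is not published here.

```python
"""Expand per-protocol cipher lists and flag weak suites by check identifier.

Added example, not code from the original post or from Nexpose. It mirrors the
SQL export above (one row per cipher suite, protocol version taken from the
setting name) and then applies name-based versions of the seven weak-cipher
checks the post describes. The sample configuration is constructed; the check
identifiers are Nexpose's, the matching rules are this example's assumptions.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: what one scanned service might record, using the setting
# names from the post (ssl.protocols, <proto> flags, <proto>.ciphers, dh.keysize).
SAMPLE_SERVICE_CONFIG: Dict[str, str] = {
    "ssl.protocols": "sslv3,tlsv1_0,tlsv1_2",
    "sslv3": "true", "tlsv1_0": "true", "tlsv1_1": "false", "tlsv1_2": "true",
    "sslv3.ciphers": "TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_EXPORT_WITH_RC4_40_MD5,"
                     "TLS_DH_anon_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_NULL_SHA",
    "tlsv1_0.ciphers": "TLS_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_IDEA_CBC_SHA,"
                       "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "tlsv1_2.ciphers": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
                       "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "dh.keysize": "1024",
}

# (check id, regex over an IANA-style suite name). Assumed approximations of the
# seven checks; a production scanner should key off the suite's registered
# key-exchange / cipher / MAC fields rather than its name. Order matters only
# for the order in which a suite's checks are reported.
WEAK_CIPHER_CHECKS: List[Tuple[str, re.Pattern]] = [
    ("ssl-null-ciphers",       re.compile(r"_WITH_NULL_")),
    ("ssl-anon-ciphers",       re.compile(r"_anon_")),
    ("ssl-rsa-export-ciphers", re.compile(r"^TLS_RSA_EXPORT")),          # FREAK
    ("ssl-export-ciphers",     re.compile(r"_EXPORT")),
    ("ssl-des-ciphers",        re.compile(r"_WITH_(DES|DES40|IDEA)_")),  # not 3DES
    ("rc4-cve-2013-2566",      re.compile(r"_RC4_")),
    ("ssl-cbc-ciphers",        re.compile(r"_CBC_")),                    # BEAST, Lucky 13
]


def expand_cipher_rows(config: Dict[str, str]) -> List[Tuple[str, str]]:
    """One (protocol_version, cipher_suite) row per suite, like split_part + unnest."""
    rows: List[Tuple[str, str]] = []
    for name, value in config.items():
        if not name.endswith(".ciphers"):
            continue
        protocol_version = name.split(".", 1)[0]       # split_part(dasc.name, '.', 1)
        for suite in value.split(","):                  # unnest(string_to_array(value, ','))
            suite = suite.strip()
            if suite:
                rows.append((protocol_version, suite))
    return rows


def weak_checks_for(suite: str) -> List[str]:
    """Every check a suite name triggers; one suite can land under several checks."""
    return [check for check, pattern in WEAK_CIPHER_CHECKS if pattern.search(suite)]


def evaluate_service(config: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each triggered check to the 'protocol:suite' entries behind it.

    This is the post's 'check the stored configuration' model: nothing here
    talks to the target, everything is derived from the enumeration data.
    """
    findings: Dict[str, List[str]] = {}
    for protocol_version, suite in expand_cipher_rows(config):
        for check in weak_checks_for(suite):
            findings.setdefault(check, []).append(f"{protocol_version}:{suite}")
    return findings


if __name__ == "__main__":
    for check, hits in sorted(evaluate_service(SAMPLE_SERVICE_CONFIG).items()):
        print(f"{check}:")
        for hit in hits:
            print(f"    {hit}")
```

Running the script prints each triggered check with the protocol/suite pairs behind it. A suite such as TLS_RSA_EXPORT_WITH_RC4_40_MD5 lands under three checks at once, which is the overlap that made the old handshake-per-vulnerability approach send redundant requests; evaluating the stored enumeration once avoids that.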

Apple Releases Patch for Shellshock, May Still Be Vulnerable

Yesterday, Apple released security updates that address two of the "Shellshock" bash vulnerabilities: CVE-2014-6271 and CVE-2014-7169. At the time of writing, the updates are not available via Software Update on OS X. Instead, users should download the package directly from Apple's web site to install it. Updates are available for 10.7 (Lion), 10.8 (Mountain Lion) and 10.9 (Mavericks).

Amidst the flurry of activity and interest around Shellshock over the last week, several additional bash vulnerabilities have come to light. The initial fix for CVE-2014-6271 was incomplete, leading to CVE-2014-7169 being found. Since then, several more related CVEs have been announced. Hanno Böck has released a simple tool called bashcheck that tests which vulnerabilities an installed version of bash is susceptible to. I ran this on a patched version of 10.8 (Mountain Lion) and verified that the fix addresses the first two vulnerabilities, but it seems that the updated version of bash may still be vulnerable to CVE-2014-7186.

All OS X users are advised to apply this update immediately. Metasploit already has a local root exploit for OS X via VMware Fusion due to CVE-2014-6271.

Additional information about this update from Apple is available in this post to their security-announce mailing list.

Update (October 2nd):

OS X users can breathe a little easier. The bashcheck script has been updated with some refined tests, which now indicate that although Apple's updated version of Bash does still contain two Shellshock-related bugs, they are not actually exploitable. Output from a patched Mavericks system:

[bashcheck output from a patched Mavericks system]

Just to drive home the importance of applying this update, here is the result from an unpatched Mavericks system:

[bashcheck output from an unpatched Mavericks system]

Oracular Spectacular

Nexpose version 5.9.10 includes significant improvements to its Oracle Database fingerprinting and vulnerability coverage. When configured with appropriate database credentials, Nexpose scans can accurately identify which patches have been applied. This post will go through the steps for setting up such a scan, as well as discuss some of the finer details about Oracle's versioning scheme and the terminology around their quarterly Critical Patch Update program.

Scanning Oracle Databases with Nexpose

Nexpose requires access to the sys.registry$history table in order to determine the patch level of the database. While Nexpose will happily scan your database when configured to log in as a highly privileged role such as SYSDBA, this is not recommended. You may create a user with more limited access as follows:

CREATE USER nxpscan IDENTIFIED BY aStrongerPasswordThanThis;
GRANT create session TO nxpscan;
GRANT select ON sys.registry$history TO nxpscan;

With this account in place, you may now configure a Nexpose site to use the Oracle-specific credentials. Assuming you have a site with your database hosts and an applicable scan template (e.g. Full audit without Web Spider) set up, on the Site Configuration page click the "Credentials" link at the left and then the "New" button under the Credential Listing.

Enter a name and (optionally) a description for the credentials in the General section of the Site Credential Configuration editor. Then click the Next button.

In the Account section of the Site Credential Configuration editor, choose "Oracle" as the Service, fill in the appropriate SID for your database, and the user name and password you created earlier. Check that the credentials are valid by clicking on "Test Credentials," entering the host name and port, and then clicking the "Test credentials" button. If all goes well an "Authentication succeeded" dialog will appear. Click "OK" on it and then click "Save" on the Site Credential Configuration editor.

The new credentials should now appear in the Site Configuration. Click "Save" again. Any Oracle Database installations in the site for which these credentials are valid will now be accurately fingerprinted, and any missing Critical Patch Updates will show up under the asset's vulnerability listing.

Unauthenticated Scans

Without database credentials, Nexpose is only able to determine version information up to the "patch set" level -- that is, the fourth part of the version string (see below). In older checks, Nexpose attempts to trigger error conditions in order to look for the presence of specific vulnerabilities, for example by attempting buffer overflows or SQL injections. Other checks, which rely on version numbers to determine vulnerabilities, are classified as "potentials" and will not run unless explicitly enabled in a scan template. If potential checks are enabled and no valid credentials are available, an Oracle Database scan may result in many false positives.

Oracle Database Versions

Why does Nexpose need access to system tables to achieve accurate results? Oracle Database versions follow a five-part versioning scheme A.B.C.D.E, where A is the major release, B is the maintenance release, C is the application server release number, D is the patch set, and E is the patch set update number. For example, an Oracle Database at version 11.2.0.3.10 is interpreted as an 11gR2 database, at patch set 11.2.0.3, with update 10 applied. When connecting to a database server, only the first four parts are sent. Oracle's quarterly updates typically only affect the fifth part of the version (E), or in the case of Security Patch Updates (SPUs), not at all.

Oracle has a variety of types of patch releases, their terminology for which has changed over time:

Bundle Patch (BP) - An iterative, cumulative patch that is issued between patch sets. Bundle patches usually include only fixes, but some products may include minor enhancements. Examples are the Database Windows Bundles and SOA Bundle Patches.
Critical Patch Update (CPU) - Oracle's program for quarterly release of security fixes. Patches released as part of this program may be Patch Set Updates, Security Patch Updates, and Bundle Patches. Regardless of the patch type, the patches are cumulative. Previously, CPU was also the term used for Oracle's security-only patches (now known as SPUs).
Interim Patch - A patch containing one or more fixes made available to customers who cannot wait until the next patch set or new product release to get a fix.
Patch Set - An integrated, cumulative, fully tested collection of fixes issued in between major product releases. Patch sets may include minor enhancements. Fourth part of the version string.
Patch Set Update (PSU) - A quarterly patch that contains the most critical fixes for the applicable product, allowing customers to apply one patch to avoid many problems. Fifth part of the version string.
Security Patch Update (SPU) - An iterative, cumulative patch consisting of security fixes. Formerly known as Critical Patch Update. Does not affect version string.

Nexpose will fingerprint the most recently applied PSU, SPU, or BP. To see the patch level a database is at, find the "Oracle TNS Listener" under the Service Listing of an asset, and click it. Any discovered configuration items will be shown, including the update type and version:

In this case, you can see that the Security Patch Update (spu) from January 2014 (2014-01) has been applied. If the Patch Set Update had been applied, as opposed to the SPU, the version would be 11.2.0.4.1 and the updateType would be "psu." In the case of a database running on Windows, the version would be 11.2.0.4.BP1 (Bundle Patch 1) and the updateType would be "winbundle."
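To make the versioning discussion concrete, here is an added example (not Nexpose's own fingerprinting code) that parses the A.B.C.D.E scheme described above, including the Windows "BPn" form, and shows why an unauthenticated scan can only ever produce a "potential" result when the required fix lives in the fifth part. The version strings used in the checks below are the ones quoted on this page; the function names and the three verdict labels are this example's own.

```python
"""Model Oracle Database version strings as the post describes them (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# A.B.C.D is always present; the fifth part is either a PSU number ("...4.1")
# or, on Windows, a bundle patch ("...4.BP1"). SPUs leave the string untouched.
_VERSION_RE = re.compile(
    r"^(?P<a>\d+)\.(?P<b>\d+)\.(?P<c>\d+)\.(?P<d>\d+)"
    r"(?:\.(?P<bp>BP)?(?P<e>\d+))?$"
)


@dataclass(frozen=True)
class OracleVersion:
    major: int             # A: major release, e.g. 11 for 11g
    maintenance: int       # B: maintenance release, the "R2" in 11gR2
    app_server: int        # C: application server release number
    patch_set: int         # D: patch set
    update: Optional[int]  # E: PSU or bundle patch number, None if absent
    update_type: str       # "psu", "winbundle", or "unknown" when E is absent

    @property
    def release(self) -> str:
        return f"{self.major}gR{self.maintenance}"

    @property
    def patch_set_version(self) -> str:
        """The four-part prefix, which is all a TNS connection reveals."""
        return f"{self.major}.{self.maintenance}.{self.app_server}.{self.patch_set}"

    def key(self):
        """Ordering tuple; an absent fifth part sorts like update 0.
        Comparing a PSU level against a Windows bundle level is not meaningful."""
        return (self.major, self.maintenance, self.app_server,
                self.patch_set, self.update or 0)


def parse_oracle_version(text: str) -> OracleVersion:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an Oracle Database version string: {text!r}")
    e = m.group("e")
    if e is None:
        update, update_type = None, "unknown"   # could still carry an SPU
    elif m.group("bp"):
        update, update_type = int(e), "winbundle"
    else:
        update, update_type = int(e), "psu"
    return OracleVersion(int(m.group("a")), int(m.group("b")),
                         int(m.group("c")), int(m.group("d")),
                         update, update_type)


def is_at_least(installed: str, required: str) -> bool:
    """True when a full (credentialed) five-part version meets `required`."""
    return parse_oracle_version(installed).key() >= parse_oracle_version(required).key()


def unauthenticated_verdict(wire_version: str, required: str) -> str:
    """What a scan that only sees the four-part wire version can conclude.

    "missing": patch set is older than the required one, so the fix is absent.
    "patched": patch set is newer, so the cumulative fix is present.
    "potential": same patch set; whether E (or an SPU) is applied is only
    visible in sys.registry$history, hence Nexpose's "potential" checks.
    """
    seen_ps = parse_oracle_version(wire_version).key()[:4]
    need_ps = parse_oracle_version(required).key()[:4]
    if seen_ps < need_ps:
        return "missing"
    if seen_ps > need_ps:
        return "patched"
    return "potential"


if __name__ == "__main__":
    v = parse_oracle_version("11.2.0.3.10")
    print(v.release, v.patch_set_version, v.update, v.update_type)
    print(unauthenticated_verdict("11.2.0.4", "11.2.0.4.1"))
```

The "potential" branch is the whole reason the credentialed account above needs SELECT on sys.registry$history: the wire version for a box at 11.2.0.4 with the January PSU applied is identical to one with nothing applied.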

Using Nexpose to Stop the Bleeding (Scanning for the OpenSSL Heartbleed Vulnerability)

By now you have almost certainly heard about the recently disclosed OpenSSL Heartbleed vulnerability (CVE-2014-0160). The April 9th update for Nexpose includes both authenticated and unauthenticated vulnerability checks for Heartbleed.

Scanning your assets with the regular full audit template, or indeed any template that isn't tuned to exclude many ports or vulnerabilities, will automatically pick up this vulnerability. But it is also possible to create a focused template to scan specifically for Heartbleed.

On the Administration page, click on TEMPLATES -> Create (or use the T, C keyboard shortcuts).

In the Scan Template Configuration, remove the Web Spidering and Policies check types and give the site a name and description.

Click Next to go to the Asset Discovery section. Check Send ICMP “pings” and Send TCP packets to ports. Enter any TCP ports that may be running SSL on your network.

Nexpose's default Service Discovery options should be sufficient to cover most situations, but if you have any SSL-enabled services on unusual ports you should add them to the Additional ports section of the Service Discovery section.

To adjust the template so it targets only the checks relevant to Heartbleed, first click on the Vulnerability Checks link at the left. Then click the By Category link under "Selected Checks." Under Disabled click the Remove categories button and select all the categories by clicking the checkbox in the table header. Click Save. At this point no vulnerability checks are enabled, and you have a blank slate to add specific checks to the template.

To add the Heartbleed checks, click the triangle next to By Individual Check and click the Add checks button. Type "cve-2014-0160" for the Search criteria and click Search. Click the checkbox in the header of the vulnerability check table to select all of Nexpose's Heartbleed checks, including authenticated checks. If you only want to run unauthenticated checks, just select the OpenSSL (CVE-2014-0160) checks.

Nexpose has two unauthenticated checks: one simply looks at HTTP headers for a vulnerable version of OpenSSL, while the other attempts to trigger the bug and examines the data returned by the server to determine whether it is vulnerable. Authenticated checks are available for a variety of platforms (e.g. Ubuntu, Red Hat, etc.) and are able to check servers directly for installed versions of OpenSSL that are vulnerable. A site must be configured with credentials in order for authenticated checks to work.

Click Save in the search dialog and then again in the Scan Template Configuration.

Now you can set up a site to use this template by either editing an existing site or creating a new one. On the Site Configuration page go to Scan Setup and select the custom template you just created. Click Save.

The site is now set up to scan only for Heartbleed vulnerabilities.
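The first of the two unauthenticated checks described above, the one that reads the OpenSSL version out of HTTP headers, is simple enough to illustrate, together with its main limitation. The following is an added example, not Nexpose's check: it classifies Server header lines by banner alone, treating OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 as the affected range (1.0.1g carried the fix). The sample headers are constructed for the example. Note that distributions commonly backport fixes without changing the advertised version, so a banner match is only a "potential" finding; that is exactly why the authenticated checks, which inspect the installed package, exist.

```python
"""Banner-only Heartbleed triage of HTTP Server headers (added example)."""
import re

# OpenSSL banner as servers emit it, e.g. "OpenSSL/1.0.1e" or the
# pre-release form "OpenSSL/1.0.2-beta1". Case-insensitive on purpose.
_OPENSSL_RE = re.compile(
    r"OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?", re.I)


def openssl_version_from_header(server_header):
    """Return (major, minor, patch, letter, beta) or None if no OpenSSL banner."""
    m = _OPENSSL_RE.search(server_header)
    if not m:
        return None
    major, minor, patch, letter, beta = m.groups()
    return (int(major), int(minor), int(patch), letter.lower(),
            int(beta) if beta is not None else None)


def banner_suggests_heartbleed(server_header):
    """Classify a Server header by advertised version alone.

    "potential"         banner is in the affected range (1.0.1 to 1.0.1f,
                        or 1.0.2-beta1); needs confirmation on the host
    "not-vulnerable"    some other OpenSSL version is advertised
    "no-openssl-banner" the header does not mention OpenSSL at all
    """
    v = openssl_version_from_header(server_header)
    if v is None:
        return "no-openssl-banner"
    major, minor, patch, letter, beta = v
    if (major, minor, patch) == (1, 0, 1) and letter <= "f":
        return "potential"      # '' (plain 1.0.1) through 'f'
    if (major, minor, patch) == (1, 0, 2) and beta == 1:
        return "potential"
    return "not-vulnerable"


def triage_headers(headers):
    """Map each Server header line to its banner verdict."""
    return {h: banner_suggests_heartbleed(h) for h in headers}


# Constructed sample header lines; these are not captures from real hosts.
SAMPLE_HEADERS = [
    "Server: Apache/2.2.22 (Ubuntu) OpenSSL/1.0.1e",      # backported fix or not? banner can't say
    "Server: Apache/2.4.9 (Unix) OpenSSL/1.0.1g",         # first fixed release
    "Server: Apache/2.2.15 (CentOS) OpenSSL/0.9.8e",      # 0.9.8 never had the heartbeat code
    "Server: Apache/2.4.7 (Win32) OpenSSL/1.0.2-beta1",   # affected pre-release
    "Server: nginx/1.4.7",                                # no OpenSSL banner
]

if __name__ == "__main__":
    for header, verdict in triage_headers(SAMPLE_HEADERS).items():
        print(f"{verdict:18} {header}")
```

The Ubuntu line is the instructive one: a host running the distribution's patched 1.0.1e package still advertises 1.0.1e, so the banner check alone would flag it, while the active check or an authenticated package inspection would clear it.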
