Rapid7 Blog

Nexpose  

AWS power-up: Tag import, asset cleanup, AssumeRole, ad-hoc scan

AWS instances present many challenges to security practitioners, who must manage the spikes and dips of resources in infrastructures that deal in very short-lived assets. Better and more accurate syncing of when instances are spun up or down, altered, or terminated directly impacts the quality…

AWS instances present many challenges to security practitioners, who must manage the spikes and dips of resources in infrastructures that deal in very short-lived assets. Better and more accurate syncing of when instances are spun up or down, altered, or terminated directly impacts the quality of security data. A New Discovery Connection Today we’re excited to announce better integration between the Security Console and Amazon Web Services with the new Amazon Web Services Asset Sync discovery connection in InsightVM and Nexpose. This new connection is the result of customer feedback and we would like to thank everyone who submitted ideas through our idea portal. This new integration has some notable and exciting improvements over our existing AWS discovery connection that we can’t wait for you to take advantage of. Automatic Syncing with the Security Console as AWS assets are spun up and spun down As assets are created and decommissioned in AWS, the new Amazon Web Services Asset Sync discovery connection will update your Security Console. This means that users will no longer have to worry about their Security Console data being stale or inaccurate. That means no more chasing down assets in AWS for remediation only to find that the instances no longer exist or carving out time to clean up decommissioned AWS assets from the Security Console. Import AWS Tags and Filtering by AWS Tags One feature that we’ve gotten a lot of requests for is importing tags from AWS. With the Amazon Web Services Asset Sync discovery connection, you can now synchronize AWS tags and even use them to filter what assets get imported. You can also filter tags themselves so you only see tags that are important to you. Once the tags are synced, they can be used just like any other tag within Nexpose—that includes using them to filter assets, create dynamic asset groups, and even create automated actions. Remove a tag in AWS? Nexpose will detect the change and automatically remove it as well. Use AssumeRole to Fine-Tune Adding to Sites Users can now leverage AWS AssumeRole to decide which of their assets across all of their AWS accounts to include in a single site without having to configure multiple AWS discovery connections in their Security Console. Coupled with tag-based filtering, this makes managing your AWS assets much more straightforward. AssumeRole is now also available to Security Consoles outside of the AWS environment. Ad-Hoc Scans with the Pre-Authorized Engine Another feature users have requested is more flexibility in selectively scanning sites that contain AWS assets. As part of the Amazon Web Services Asset Sync discovery connection, users will now be able to select which assets they wish to scan with the AWS pre-authorized engine within a site. Use the Security Console Proxy Proxy support is also available for the Amazon Web Services Asset Sync discovery connection. If users already have a proxy server configured and enabled via their Security Console settings, they do not have to change their firewall settings to take advantage of this new discovery connection. Simply check the “Connect to AWS via proxy” box during configuration and the connection will use the configured proxy. Existing AWS Discovery Connections The previous AWS discovery connection will still be available; we recommend users transition to this new, more powerful and flexible the Amazon Web Services Asset Sync discovery connection for managing their AWS assets. Next Steps To take advantage of this new capability, you will need version 6.4.55 of the Security Console for Nexpose and InsightVM. Not already using InsightVM? Get a free trial here.

Apache Struts S2-052 (CVE-2017-9805): What You Need To Know

Apache Struts, Again? What’s Going On? Yesterday’s Apache Struts vulnerability announcement describes an XML Deserialization issue in the popular Java framework for web applications. Deserialization of untrusted user input, also known as CWE-502, is a somewhat well-known vulnerability pattern, and I would expect…

Apache Struts, Again? What’s Going On? Yesterday’s Apache Struts vulnerability announcement describes an XML Deserialization issue in the popular Java framework for web applications. Deserialization of untrusted user input, also known as CWE-502, is a somewhat well-known vulnerability pattern, and I would expect crimeware kits to incorporate this vulnerability well before most enterprises have committed to a patch, given the complications that this patch introduces. What’s The Catch? The problem with deserialization vulnerabilities is that oftentimes, application code relies precisely on the unsafe deserialization routines being exploited—therefore, anyone who is affected by this vulnerability needs to go beyond merely applying a patch and restarting the service, since the patch can make changes to how the underlying application will treat incoming data. Apache mentions this in the "Backward Compatibility" section of S2-052. Updates that mention, "it is possible that some REST actions stop working" is enough to cause cold sweats for IT operations folks who need to both secure their infrastructure and ensure that applications continue to function normally. What Can I Do? Organizations that rely on Apache Struts to power their websites need to start that application-level testing now so as to avoid becoming the next victims in a wave of automated attacks that leverage this vulnerability. Remote code execution means everything from defacements to ransoms and everything in between. In the meantime, Rapid7’s product engineering teams are working up coverage for organizations to detect, verify, and remediate this critical issue. A Metasploit module is in progress, and will be released shortly to help validate any patching or other mitigations. InsightVM customers with content at “Wednesday 6th September 2017” or later (check Administration --> General to confirm content version) can determine whether they have a vulnerable version of Apache Struts present on Unix hosts in their environment by performing an authenticated scan. The vulnerability id is struts-cve-2017-9805 should you wish to set up a scan template with just this check enabled. It has also been tagged with 'Rapid7 Critical.' An unauthenticated check for CVE-2017-9805 is available for InsightVM and Nexpose under the same id, struts-cve-2017-9805. This check does not remotely execute code; instead, it detects the presence of the vulnerable component against the root and default showcase URIs of Apache Struts instances. In addition to these specific updates, we’ve also produced a quick guide with step-by-step instructions on how InsightVM and Nexpose can be used to discover, assess, and track remediation of critical vulnerablities, including this Apache Struts vuln. Not an InsightVM customer? Download a free 30-day trial today to get started. Should I Panic? Yes, you should panic. For about two minutes. Go ahead and get it out of your system. Once that’s done, though, the work of evaluating the Apache Struts patch and how it’ll impact your business needs to get started. We can’t stress enough the impact here—Java deserialization nearly always leads to point-and-click remote code execution in the context of the web service, and patching against new deserialization bugs carries some risk of altering the intended logic for your specific web application. It’s not a great situation to be in, but it’s surmountable. If you have any questions about this issue, feel free to comment below, or get in touch with your regular Rapid7 support contacts.

Vulnerability Management Market Disruptors

Gartner’s recent vulnerability management report provides a wealth of insight into vulnerability management (VM) tools and advice for how to build effective VM programs. Although VM tools and capabilities have changed since the report’s last iteration in 2015, interestingly one thing hasn’t:…

Gartner’s recent vulnerability management report provides a wealth of insight into vulnerability management (VM) tools and advice for how to build effective VM programs. Although VM tools and capabilities have changed since the report’s last iteration in 2015, interestingly one thing hasn’t: Gartner’s analysis of potential disruptors to VM tools and practices. Great minds think alike, as we’ve been heavily investing in these areas to help our customers overcome these persistent challenges. We’ve made numerous enhancements to our vulnerability management solutions (InsightVM and Nexpose) since that 2015 report to address both current and emerging vulnerability management challenges. New Asset Types: Gone are the days when you could just count the number of servers and desktops in your network and be confident that any changes in between quarterly scans would be minimal. Now, networks are constantly changing thanks to virtual machines, IoT, and containers. Nexpose was always a leader in technology integrations, and InsightVM is even more closely integrated into modern infrastructure. InsightVM is the only vulnerability management tool that has direct integration with VMware to automatically discover and assess these devices as they’re spun up; the Insight Agent is also easily clonable so you can integrate an agent into any gold image for automatic deployment. This means that even if your network is constantly changing as VMs are spun up and down, we’ve automatically got you covered. IoT devices are a trickier beast, and Rapid7 is one of the leaders in IoT security research—our recently-released hardware bridge brings the power of Metasploit to IoT penetration testing, enabling research and security testing of a wide range of IoT devices. Finally, InsightVM currently lets you discover containers in your environment, and we’re working on the ability to actively assess containers and container images, providing visibility to another area that many security teams struggle with. Bring Your Own Devices: BYOD has been the buzzword of buzzwords for a number of years now, but as consumer and corporate adoption continues to rise (powered by mobile productivity apps like messaging tools, mobile CRM apps, etc. ), the combined attack surface increases, and the line between what’s personal and what’s corporate blurs. Gartner has released several reports on the topic and recognizes that this is a continuing challenge for vulnerability management. InsightVM makes it easy to get visibility into that attack surface and assess employee devices. We can discover mobile devices that connect to ActiveSync, providing visibility into corporate device ownership so security teams can see where their risk is. Rapid7 Insight Agents can be deployed to any remote laptop, providing continuous monitoring for any device, even if it never connects to the corporate network. Agents can be installed as part of your gold laptop images so that they’re automatically deployed to new employees. With InsightVM, you don’t have to worry about losing track of people working from home or replacement laptops becoming security holes that are never scanned. Cloud Computing: Gartner lists cloud computing as an issue related to the loss of control of infrastructure and even of the devices to be scanned. We find the biggest challenge with cloud services is visibility; cloud instances are often spun up and down rapidly, and the details don’t always make their way to security, giving them only a small inkling of the true footprint and attack surface of their AWS or Azure environments. Similar to our integration with VMWare, InsightVM integrates with AWS and Azure to automatically detect new devices as they’re spun up or down. InsightVM also makes it easy to deploy agents to new cloud devices by embedding them into a gold image. To aid in visibility, you can import tags from Azure into InsightVM, so security teams can report on the same groupings that their IT and development teams use. Thus security teams can be confident in understanding their changing attack surface as rapidly as new devices are deployed. Large Volumes of Data: With all of the above factors drastically increasing the scope of vulnerability management, data management and analysis becomes more important. Even if a tool can gather vulnerability data from every part of your network, you’re never going to have time to fix everything; how do you prioritize what to fix first, and how do you get a holistic view of your security program’s progress? This challenge is why we launched InsightVM and the Insight platform in general; by leveraging the cloud for data analysis, we can provide features like live customizable dashboards and remediation tracking without weighing down customer networks. It also lets us more rapidly deploy new features, like dashboard cards and built-in ticketing integrations with ServiceNow and JIRA. Vulnerability Prioritization: According to Gartner, “A periodic scan of a 100,000-node network often yields from 1 million to as many as 10 million findings (some legitimate and some false or irrelevant).” Given the limited resources that virtually every security team faces, it’s increasingly difficult to figure out what to spend time on, especially given that some systems are more important from a business context than others. Understanding how attackers think and behave has always been one of Rapid7’s strengths, and we pass this on to our customers with InsightVM. Our risk scoring leverages CVSS and amplifies it by factoring in exploit exposure, malware exposure, and vulnerability age to provide a much more granular risk score of 1-1000, enabling customers to focus on the vulnerabilities that make it easiest for an attacker to break in. Combined with the ability to tag certain assets as critical to automatically prioritize them in remediation, we automate the often-manual process of trying to figure out what to fix first. InsightVM has been built to tackle the future of vulnerability management head-on, so that customers never have to worry about falling behind the curve and opening gaps in their security posture. For more information, Gartner customers can download the report, and try out InsightVM today!

R7-2017-13 |CVE-2017-5243: Nexpose Hardware Appliance SSH Enabled Obsolete Algorithms

Summary Nexpose physical appliances shipped with an SSH configuration that allowed obsolete algorithms to be used for key exchange and other functions. Because these algorithms are enabled, attacks involving authentication to the hardware appliances are more likely to succeed. We strongly encourage current hardware appliance…

Summary Nexpose physical appliances shipped with an SSH configuration that allowed obsolete algorithms to be used for key exchange and other functions. Because these algorithms are enabled, attacks involving authentication to the hardware appliances are more likely to succeed. We strongly encourage current hardware appliance owners to update their systems to harden their SSH configuration using the steps outlined under “Remediation” below. In addition, Rapid7 is working with the appliance vendor to ensure that future appliances will only allow desired algorithms. This vulnerability is classified as CWE-327 (Use of a Broken or Risky Cryptographic Algorithm). Given that the SSH connection to the physical appliances uses the 'administrator' account, which does have sudo access on the appliance, the CVSS base score for this issue is 8.5. Credit Rapid7 warmly thanks Liam Somerville for reporting this vulnerability to us, as well as providing information throughout the investigation to help us resolve the issue quickly. Am I affected? All physical, hardware appliances are affected. Virtual appliances (downloadable virtual machines) are NOT affected. Vulnerability Details Nexpose Physical Appliances The default SSH configuration of the hardware appliance enables potentially problematic algorithms which are considered obsolete. KEX algorithms: diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1, ssh-dss, ecdsa-sha2-nistp256, ssh-ed25519 Encryption algorithms: arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se MAC algorithms: hmac-md5-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64-etm@openssh.com, hmac-ripemd160-etm@openssh.com, hmac-sha1-96-etm@openssh.com, hmac-md5-96-etm@openssh.com, hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96 These are supported by the version of OpenSSH used on the appliance, and should be disabled via explicit configuration that enables only desired algorithms. Nexpose Virtual Appliances The software appliances (downloadable virtual machines) are NOT affected by this issue. They specify desired algorithms, only allowing those generally recommended. Remediation - Updated 2017/06/02 Before making any updates, first verify that your appliance is running Ubuntu 14.04 or above. You can determine the version by running "lsb_release -r”. If on 14.04, you should see output like “Release: 14.04”. If appliance is running Ubuntu 12.04 or below: OS upgrade required Please reach out to Rapid7 support for more information on upgrading. Ubuntu 12.04 reached End of Life in April 2017, and we strongly encourage you to update to a supported version. DO NOT continue with the changes below if you are not on 14.04 or above, as some of the configuration options will not be supported by older versions of OpenSSH. If appliance is running Ubuntu 14.04 or above The version of OpenSSH on base Ubuntu 14.04 (“OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014”) will support the configuration changes below. If you updated from 12.04, you may want to update OpenSSH to the latest available version to ensure you have available security patches, but it is not required for this change. You can check you OpenSSH version by running “ssh -V”. The current latest for 14.04 is “OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8” Note on verification and existing connections Do not close the SSH session you use to make the configuration change until you first attempt a new connection and verify you are able to connect. This will enable you to stay connected in the event there is a problem with the edit and you need to revert and review, as active SSH sessions should not be closed even across service restarts. If you skip this step, you may lose the ability to connect over SSH, potentially meaning you need physical access or other means to fix the issue. Configuration change Administrators need to edit the /etc/ssh/sshd_config file on their Nexpose appliance. Before changing the configuration file, copy it (e.g. "sudo cp /etc/ssh/sshd_config /home/administrator") in case there is a problem during editing. Add the following lines (based on the guidelines available here) to the end of the file: # Enable only modern ciphers, key exchange, and MAC algorithms # https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29 KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com Please be careful to copy the entirety of the lines above, which may scroll horizontally in your browser. You can also copy from this gist. Depending on the version of SSH you have installed, there may be other configuration lines in that file for "KexAlgorithms", "Ciphers", and "MACs". If that is the case, remove or comment (add a"#" to the beginning of the line) those lines so that the desired configuration you add is sure to be respected. Editing this file will require root access, so the appliance default "administrator" user, or another user with permission to sudo, will need to perform this step. After updating the configuration file, verify that the changes made match the configuration above. This is important, as missing part of the configuration may result in a syntax error on service restart, and a loss of connectivity. You can run this command and compare the three output lines with the configuration block above: egrep "KexAlgorithms|Ciphers|MACs" /etc/ssh/sshd_config After verifying the configuration change, restart the SSH service by running "service ssh restart". Once that completes, verify you can still connect via ssh client to the appliance in a separate terminal. Do not close the original terminal until you've successfully connected with a second terminal. This change should not impact connections from Nexpose instances to the physical appliance (SSH is not used for this communication). The main impact is shoring up access by SSH clients such that they cannot connect to the appliance using obsolete algorithms. We apologize for any inconvenience, and would like to warmly thank the customers that worked with us to test and troubleshoot these remediations. Disclosure Timeline Wed, May 10, 2017: Vulnerability reported to Rapid7 Wed, May 17, 2017: Vulnerability confirmed by Rapid7 Tue, May 23, 2017: Rapid7 assigned CVE-2017-5243 for this issue Wed, May 31, 2017: Disclosed to MITRE Wed, May 31, 2017: Public disclosure

InsightVM/Nexpose Patch Tuesday Reporting

Many of our customers wish to report specifically on Microsoft patch related vulnerabilities. This often includes specific vulnerabilities that are patched in Patch Tuesday updates. This post will show you the various ways that you can create reports for each of these. Remediation Projects Remediation…

Many of our customers wish to report specifically on Microsoft patch related vulnerabilities. This often includes specific vulnerabilities that are patched in Patch Tuesday updates. This post will show you the various ways that you can create reports for each of these. Remediation Projects Remediation Projects are a feature included in InsightVM that allow you to get a live view of the state of assets in your environment (please note that this feature requires that you have opted into the Insight Platform). Using Remediation Projects you can build dynamic projects that track vulnerabilities related to Microsoft patches as they are identified in your environment. To set up a dynamic project for Microsoft Patch related vulnerabilities, follow the steps below: Go to ‘Projects' in the InsightVM menu and click ‘CREATE A PROJECT' You will see a new overlay appear which provides options to configure for the project. Under the ‘Project Content' section, you can configure ‘Vulnerability Filters'. For reporting on all Microsoft Patch vulnerabilities, you can configure the following filter: vulnerability.categories IN ["Microsoft Patch"] For reporting on specific vulnerabilities, you can use a filter similar to this, changing the vulnerability titles to the ones for which you are interesting in creating a project: vulnerability.title CONTAINS 'Microsoft CVE-2017-0175' || vulnerability.title CONTAINS 'Microsoft CVE-2017-0148' As new vulnerabilities that meet the project criteria are identified, they will be added to the project. Using Vulnerability Filters Vulnerability filters allow you to filter on vulnerability , severity, and categories. These can be applied in the scope section of any report that you are generating, making this option very flexible. Within the Vulnerability Filter selection window, we can select the 'MICROSOFT PATCH' category. This allows for reporting on vulnerabilities that are specific to Microsoft patches for any report template, built-in or custom. The caveat to this method is that it will return all vulnerabilities in the MICROSOFT PATCH category. If you want to report on specific vulnerabilities fixed in Patch Tuesday updates, you can use the 'SQL Query Export' export template to facilitate this. SQL Query Export When reporting using the SQL Query Export template, it is important to know that Microsoft recently changed the naming scheme for security bulletins that it publishes. Prior to February 14th, 2017 Microsoft issued security bulletins using a this format: msft-cve-yyyy-nnnn. From February 14th, 2017 on, Microsoft will be using a CVE based format. You can read more about these changes here: A Reminder About Upcoming Microsoft Vulnerability Content Changes. What this means is that you may need to use both formats when using the SQL Query Export template, so keep in mind the format of the bulletin on which you want to report. Below you will find a simple query that identifies hosts with specific vulnerabilities, as well as one that also includes remediation information. Patch Tuesday SELECT da.ip_address AS ip_address, da.host_name AS hostname, dv.title AS vulnerability, dv.riskscore as vulnerability_riskscore, dv.date_published AS vulnerability_date_published, proofAsText(dv.description) AS vulnerability_description FROM fact_asset_vulnerability_finding favf JOIN dim_asset da USING (asset_id) JOIN dim_vulnerability dv USING (vulnerability_id) WHERE dv.title ~* '(Microsoft CVE-2017-0175|Microsoft CVE-2017-0148)' ORDER BY round(dv.riskscore) DESC; Note the '|' delimiter between the vulnerability titles in the WHERE clause. This allows you to add as many patterns as necessary. The '~*' in the WHERE clause is a case-insensitive regex match operator. Patch Tuesday with Remediations SELECT da.ip_address AS ip_address, da.host_name AS hostname, dv.title AS vulnerability, round(dv.riskscore) as vulnerability_riskscore, dv.date_published AS vulnerability_date_published, ds.summary AS solution_summary, proofAsText(ds.fix) AS fix FROM dim_asset_vulnerability_best_solution JOIN dim_vulnerability dv USING (vulnerability_id) JOIN dim_asset da USING (asset_id) JOIN dim_solution ds USING (solution_id) WHERE dv.title ~* '(Microsoft CVE-2017-0175|Microsoft CVE-2017-0148)' ORDER BY round(dv.riskscore) DESC; This query is similar to the previous query but also includes the solutions for vulnerabilities identified on a host. To learn more about using the InsightVM/Nexpose Data Model for reporting, check out the documentation here: https://help.rapid7.com/insightvm/en-us/#Files/Creating_reports_based_on_SQL_queries.html

Samba CVE-2017-7494: Scanning and Remediating in InsightVM and Nexpose

Just when you'd finished wiping away your WannaCry tears, the interwebs dropped another bombshell: a nasty Samba vulnerability, CVE-2017-7494 (no snazzy name as of the publishing of this blog, but hopefully something with a Lion King reference will be created soon). As with WannaCry, we…

Just when you'd finished wiping away your WannaCry tears, the interwebs dropped another bombshell: a nasty Samba vulnerability, CVE-2017-7494 (no snazzy name as of the publishing of this blog, but hopefully something with a Lion King reference will be created soon). As with WannaCry, we wanted to keep this simple. First, check out Jen Ellis's overview of the Samba vulnerability, and then review the below steps to quickly scan for this vulnerability on your own infrastructure and create a dynamic asset group for tagging and reporting. If you aren't already a customer, you can use this free trial to scan for the Samba vulnerability across your environment. Authenticated checks are live in our vulnerability management solutions Nexpose and InsightVM, as well as unauthenticated and authenticated remote checks. Here is the InsightVM/Nexpose step-by-step guide to create a scan template specifically to look for CVE-2017-7494: 1. Under administration, go to manage templates. 2. Copy the following template: Full Audit enhanced logging without Web Spider. Don't forget to give your copy a name and description! 3. Click on Vulnerability Checks and then “By Individual Check” 4. Add Check “CVE-2017-7494” and click save. This should come back with 41 checks that are related to CVE-2017-7494. 5. Save the template and run a scan to identify all assets with CVE-2017-7494. Creating a Dynamic Asset Group for CVE-2017-7494 Now that you have your assets scanned, you may want to create a Dynamic Asset Group off of which to report/tag off of that will update itself whenever new assets are found with this vulnerability (and when they are fixed). To get started, click on the filter icon in the top right of the InsightVM console, just under the search button. Now, use the "CVE ID" filter to specify the CVE: This asset group can now be used for reporting as well as tagging to quickly identify exposed systems. Using these steps, you'll be able to quickly scan as well as report on the Samba vulnerability. Let us know if you have any more questions!

WannaCry - Scanning & Reporting

In light of the recent WannaCry Ransomware attacks, I thought it'd be great to share ways of finding out which assets are susceptible to this attack. 1) Create a custom scan template to check for MS17-010 The easiest way to create a Custom template is…

In light of the recent WannaCry Ransomware attacks, I thought it'd be great to share ways of finding out which assets are susceptible to this attack. 1) Create a custom scan template to check for MS17-010 The easiest way to create a Custom template is by making a copy of an existing template Administration -> Templates -> Click: Manage Templates -> Copy: Full audit enhanced logging without Web Spider -> IMPORTANT: Name your copy of the Scan Template -> Click: Vulnerability Checks -> Click: By Individual Check -> Add Check -> Enter: MS17-010 (As of 5/15/17 there are 192 individual checks) *Be sure to remove all checks from the "By Category" and "By Check Type" sections to ensure that only the individual checks are loaded for the scan(s). 2) If you want to create a Dynamic Asset Group (DAG) for assets vulnerable to this attack: Create a new DAG with the following filters: 'CVE ID' 'is' CVE-2017-0143 'CVE ID' 'is' CVE-2017-0144 'CVE ID' 'is' CVE-2017-0145 'CVE ID' 'is' CVE-2017-0146 'CVE ID' 'is' CVE-2017-0147 'CVE ID' 'is' CVE-2017-0148 Change "Match (all) of the specified filters." to "Match (any) of the specified filters." Hit SEARCH. You should then have a result of all assets that have ANY of those CVEs specified above. 3) You can also create a SQL report to list ANY asset affected by ANY of the 6 CVEs: SELECT da.ip_address AS "IP Adress", da.host_name AS "Host Name", dv.title AS "Title", dv.description AS "Description", dv.severity AS "Severity" FROM dim_vulnerability dv JOIN dim_asset_vulnerability_solution das USING(vulnerability_id) JOIN dim_asset da USING(asset_id) WHERE title ILIKE '%2017-0143%' OR title ILIKE '%2017-0144%' OR title ILIKE '%2017-0145%' OR title ILIKE '%2017-0146%' OR title ILIKE '%2017-0147%' OR title ILIKE '%2017-0148%' (Please keep in mind that it will list every instance of any of the CVEs in question.) There are currently 32 checks for each CVE, there are 6 CVEs; a total of 192 checks. However, an asset should not list more than one check for each CVE which should result at most 6 instances per asset. You can create a SQL query to check for only the count or unique instances that way the report contains less rows.

CVE-2017-5242: Nexpose/InsightVM Virtual Appliance Duplicate SSH Host Key

Today, Rapid7 is notifying Nexpose and InsightVM users of a vulnerability that affects certain virtual appliances. While this issue is relatively low severity, we want to make sure that our customers have all the information they need to make informed security decisions regarding their networks.…

Today, Rapid7 is notifying Nexpose and InsightVM users of a vulnerability that affects certain virtual appliances. While this issue is relatively low severity, we want to make sure that our customers have all the information they need to make informed security decisions regarding their networks. If you are a Rapid7 customer who has any questions about this issue, please don't hesitate to contact your customer success manager (CSM), or your usual support contact. We apologize for any inconvenience this may cause our customers. We take our customers' security very seriously and strive to provide full transparency and clarity so users can take action to protect their assets as soon as practicable. Description of CVE-2017-5242 Nexpose and InsightVM virtual appliances downloaded between April 5th, 2017 and May 3rd, 2017 contain identical SSH host keys. Normally, a unique SSH host key should be generated the first time a virtual appliance boots. A malicious user with privileged access to one of these vulnerable virtual appliances could retrieve the SSH host private key and use it to impersonate another user's vulnerable appliance. In order to do so, an attacker would also need to redirect traffic from the victim's appliance to the attacker's appliance. Likewise, an attacker that can capture SSH traffic between a victim's client machine and the victim's virtual appliance could decrypt this traffic. In either attack scenario, an attacker would need to gain a privileged position on a victim's network in order to capture or redirect network traffic. Since our virtual appliances are rarely exposed directly to the internet, this added complexity makes it a relatively low-risk vulnerability. Am I affected? Customers can determine whether their virtual appliance is affected by running the following command: stat /etc/ssh/ssh_host_* | grep Modify Modify: 2017-04-29 13:20:13.684650643 -0700 Modify: 2017-04-29 13:20:13.684650643 -0700 Modify: 2017-04-29 13:20:13.724650642 -0700 Modify: 2017-04-29 13:20:13.724650642 -0700 Modify: 2017-04-29 13:20:13.764650641 -0700 Modify: 2017-04-29 13:20:13.764650641 -0700 Modify: 2017-04-29 13:20:13.592650647 -0700 Modify: 2017-04-29 13:20:13.592650647 -0700 Affected virtual appliances contain SSH host keys generated between April 5th, 2017 and May 3rd, 2017. If the modified date for any of the SSH host keys falls in this range, then the virtual appliance is affected and the remediation steps below should be completed. Remediation Customers should either download and deploy the latest virtual appliance or regenerate SSH host keys, using these commands: /bin/rm -v /etc/ssh/ssh_host_* dpkg-reconfigure openssh-server /etc/init.d/ssh restart Post-remediation After regenerating the SSH host keys, customers will see a "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" notice the next time they SSH to the virtual appliance. Customers should run the following command on the client they use to SSH to the virtual appliance. ssh-keygen -R <Virtual_Appliance_FQDN_or_IP> Resources The latest virtual appliances are available at: https://community.rapid7.com/docs/DOC-2595 Additional details to resolve “REMOTE HOST IDENTIFICATION HAS CHANGED!” warning can be found at: https://www.cyberciti.biz/faq/warning-remote-host-identification-has-changed-err or-and-solution/

Exploitable Vulnerabilities: A Metasploit-Vulnerability Management Love Story

Integrating InsightVM or Nexpose (Rapid7's vulnerability management solutions) with Metasploit (our penetration testing solution) is a lot like Cupid playing “matchmaker” with vulnerabilities and exploit modules. When a vulnerability scan is imported into Metasploit, many things happen under the hood, outside of generating host, service,…

Integrating InsightVM or Nexpose (Rapid7's vulnerability management solutions) with Metasploit (our penetration testing solution) is a lot like Cupid playing “matchmaker” with vulnerabilities and exploit modules. When a vulnerability scan is imported into Metasploit, many things happen under the hood, outside of generating host, service, and vulnerability data in your workspace. In much the same way that Cupid takes into account the qualities of the individuals he is matchmaking, when a host's service is found to have a vulnerability, Metasploit will check its ever growing store of modules for one that can potentially be run against the host's vulnerabilities. This is referred to as an Automatic Exploitation Match. Match generation takes into account not only the vulnerability, but attributes of the host like platform, architecture, etc. This special set of criteria leads to the generation of module matches that have a pretty high chance of successfully being run on the host. Of course, just like with Cupid's matchmaking, given the uncertain nature of networking environments and other factors, the default configuration for a module may not always work without some tweaking of parameters (e.g. using a bind payload for a target that is behind a NAT). Two people may be compatible, but sometimes things just don't work out. Modules that have been matched with vulnerable hosts can be viewed at a single vulnerability instance's related modules tab. This is all well and good, but vulnerability instances are attributed to a single host, which means the same Vulnerability definition will show up in several Vulnerability instances, one for each host that has an instance of that Vulnerability. When dealing with a non-trivial environment containing several hosts, the table of Vulnerabilities quickly explodes in number, becoming difficult to manage and make sense of. This can be similar to the feeling of being overwhelmed by the plenty of fish that are out there in the sea: a lot of noise, when you really just want to know which are even compatible. It is difficult to determine which vulnerability instances actually have modules that can be used against them, requiring iteratively clicking on each Vulnerability instance's related modules tab to see.  If only there was a way to view the results of matchmaking modules with vulnerabilities in an intuitive and productive way… With the latest release of Metasploit Pro, we introduce the Applicable Modules tab to the workspace analysis view. This view aims to solve the problem of making sense of a massive list of vulnerabilities. Similar to the way a single vulnerability page has a related modules tab, the Applicable Modules tab in workspace analysis aggregates a list of related modules across all vulnerable instances in your workspace. Along with each module entry in this list, relevant metadata related to the module are also quickly viewable, including the affected hosts and associated vulnerabilities. Hover over the various metadata entities to view additional information, such as services on a host or a full vulnerability description, without having to navigate away from the page. You can click on a module to autoconfigure a module run with all affected hosts filled in as targets. This list defaults to being sorted by module release date, so you can quickly see the latest hotness Metasploit has to offer that can target hosts in your environment. The Applicable Modules table densely packs and associates host, vuln, and module-matching information that is relevant to your workspace into a single view, allowing for deeper insight at a glance. Metasploit generates quite a bit of insightful data regarding the relationship of vulnerabilities found in your workspace and their exploitability via modules. The Applicable Modules workspace analysis tab intuitively presents the relevant information relating hosts, vulnerabilities, and the exploit modules within Metasploit by listing modules that can target assets in your environment. Be sure to also catch the other productivity enhancements included in the latest release: “Single Host's modules view as a searchable/sortable table” and “Pushing InsightVM and Nexpose Exceptions and Validations from Task Chains”. All is fair in <3 and Infosec. Happy exploiting, friends!

The Shadow Brokers Leaked Exploits Explained

The Rapid7 team has been busy evaluating the threats posed by last Friday's Shadow Broker exploit and tool release and answering questions from colleagues, customers, and family members about the release. We know that many people have questions about exactly what was released, the threat…

The Rapid7 team has been busy evaluating the threats posed by last Friday's Shadow Broker exploit and tool release and answering questions from colleagues, customers, and family members about the release. We know that many people have questions about exactly what was released, the threat it poses, and how to respond, so we have decided to compile a list of frequently asked questions. What's the story? On Friday, April 15, a hacking group known as the “Shadow Brokers” released a trove of alleged NSA data, detailing exploits and vulnerabilities in a range of technologies. The data includes information on multiple Windows exploits, a framework called Fuzzbunch for loading the exploit binaries onto systems, and a variety of post-exploitation tools. This was understandably a cause for concern, but fortunately, none of the exploits were zero days. Many targeted older systems and the vulnerabilities they exploited were well-known, and four of the exploits targeted vulnerabilities that were patched last month. Who are these shady characters? The Shadow Brokers are a group that emerged in August of 2016, claiming to have information on tools used by a threat group known as Equation Group. The initial information that was leaked by the Shadow Brokers involved firewall implants and exploitation scripts targeting vendors such as Cisco, Juniper, and Topsec, which were confirmed to be real and subsequently patched by the various vendors. Shadow Brokers also claimed to have access to a larger trove of information that they would sell for 1 million bitcoins, and later lowered the amount to 10,000 bitcoins, which could be crowdfunded so that the tools would be released to the public, rather than just to the highest bidder. The Shadow Brokers have popped up from time to time over the past 9 months leaking additional information, including IP addresses used by the Equation Group and additional tools. Last week, having failed to make their price, they released the password for the encrypted archive, and the security community went into a frenzy of salivation and speculation as it raced to unpack the secrets held in the vault. The April 15th release seems to be the culmination of the Shadow Brokers' activity; however, it is possible that there is still additional information about the Equation Group that they have not yet released to the public. Should you be worried? A trove of nation state-level exploits being released for anyone to use is certainly not a good thing, particularly when they relate to the most widely-used software in the world, but the situation is not as dire as it originally seemed. There are patches available for all of the vulnerabilities, so a very good starting point is to verify that your systems are up to date on patches. Home users and small network operators likely had the patches installed automatically in the last update, but it is always good to double-check. If you are unsure if you are up to date on these patches, we have checks for them all in Rapid7 Nexpose and Rapid7 InsightVM. These checks are all included in the Microsoft hotfix scan template. EternalBlue EternalSynergy EternalRomance EternalChampion MS17-010 msft-cve-2017-0143 msft-cve-2017-0144 msft-cve-2017-0145 msft-cve-2017-0146 msft-cve-2017-0147 msft-cve-2017-0148 EmeraldThread MS10-061 WINDOWS-HOTFIX-MS10-061 EskimoRoll MS14-068 WINDOWS-HOTFIX-MS14-068 EducatedScholar MS09-050 WINDOWS-HOTFIX-MS09-050 EclipsedWing MS08-067 WINDOWS-HOTFIX-MS08-067 If you want to ensure your patching efforts have been truly effective, or understand the impact of exploitation, you can test your exposure with several modules in Rapid7 Metasploit: EternalBlue MS17-010 auxiliary/scanner/smb/smb_ms17_010 EmeraldThread MS10-061 exploit/windows/smb/psexec EternalChampion MS17-010 auxiliary/scanner/smb/smb_ms17_010 EskimoRoll MS14-068 / CVE-2014-6324 auxiliary/admin/kerberos/ms14_068_kerberos_checksum EternalRomance MS17-010 auxiliary/scanner/smb/smb_ms17_010 EducatedScholar MS09-050 auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh, auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff, exploits/windows/smb/ms09_050_smb2_negotiate_func_index EternalSynergy MS17-010 auxiliary/scanner/smb/smb_ms17_010 EclipsedWing MS08-067 auxiliary/scanner/smb/ms08_067_check exploits/windows/smb/ms08_067_netapi In addition, all of the above exploits can also be pivoted to a Meterpreter session via the DoublePulsar implant. What else can you do to protect yourselves? If patching is still in progress or will take a little bit longer to fully implement (we get it) then there are detections for the exploits that you can implement while patching in underway. For examples of ways to implement detections, check out this blog post from Mike Scutt. Rapid7 InsightIDR, our solution for incident detection and response, has an active Threat Community with intelligence to help detect the use of these exploits and any resulting attacker behavior. You can subscribe to this threat in the community portal. For more on how threat intel works in InsightIDR, check out this 4-min Solution Short. It is also important to stay aware of other activity on your network during the patching and hardening processes. It is easy to get distracted by the latest threats, and attackers often take advantage of defender preoccupation to achieve their own goals, which may or may not have anything to do with this latest tool leak. What about that IIS 6 box we have on the public internet? It is very easy for commentators to point fingers and say that anyone who has legacy or unsupported systems should just get rid of them, but we know that the reality is much more complicated. There will be legacy systems (IIS 6 and otherwise) in organizations that for whatever reason cannot just be replaced or updated. That being said, there are some serious issues with leaving systems that are vulnerable to these exploits publicly accessible. Three of the exploits (“EnglishmanDentist”, “EsteemAudit”, and “ExplodingCan”) will remain effective on EOL systems and the impacts are concerning enough that it is really not a good idea to have internet-facing vulnerable systems. If you are in this position we recommend coming up with a plan to update the system and to keep a very close eye on the development of this threat. Due to the sophistication of this tool set, if widespread exploitation starts then it will likely only be a matter of time before the system is compromised. Should you be worried about the Equation Group? The threat from Equation Group itself to most organizations is minimal, unless your organization has a very specific threat profile. Kaspersky's initial analysis of the group lists the countries and sectors that they have seen targeted in the past. This information can help you determine if your organization may have been targeted. While that is good news for most organizations, that doesn't mean that there is no cause for concern. These tools appear to be very sophisticated, focusing on evading security tools such as antivirus and generating little to no logging on the systems that they target. For most organizations the larger threat is that of attackers co-opting these very sophisticated and now public exploits and other post-exploitation tools and using them to achieve their own goals. This increases the threat and makes defending against, and detecting, these tools more critical. We have seen a sharp decrease in the amount of time it take criminals to incorporate exploits into their existing operations. It will not be long before we will start to see more widespread attacks using these tools. Where should I build my underground bunker? While this particular threat is by no means a reason to go underground, there are plenty of other reasons that you may need to hide from the world and we believe in being prepared. That being said, building your own underground bunker is a difficult and time consuming task, so we recommend that you find an existing bunker, pitch in some money with some friends, and wait for the next inevitable bunker-level catastrophe to hit, because this isn't it.

New Vulnerability Remediation Display in Nexpose Gets You to a Fix Faster

Background Information As part of the Nexpose 6.4.28 release on Wednesday, March 29th, we introduced a new way to view remediation solution data in both the Nexpose Console UI and the Top Remediations Report. Over the years, we've heard from our customers that…

Background Information As part of the Nexpose 6.4.28 release on Wednesday, March 29th, we introduced a new way to view remediation solution data in both the Nexpose Console UI and the Top Remediations Report. Over the years, we've heard from our customers that the Top Remediations Report is one of the most useful features in our vulnerability management solution, but there's always room for improvement.  Specifically, they want to only see solutions that are applicable to the asset based on its OS, instead of solution data for all operating systems and platforms.  This led to larger reports and frustrated remediators who need to figure out which exact solution to apply. Enhanced Top Remediations Report We've improved the Top Remediations Report to present a single solution called the “best solution”. This solution is selected from a pool of solutions that are the highest in their supersedence chain, i.e. “rollup”, and are applicable to the asset's OS/platform.  Usually, there is only a single choice, but if there are multiple solutions that meet the criteria for the best solution, Nexpose will choose the latest or most comprehensive solution. This results in a more concentrated delivery of solution prescriptions in the Top Remediations report.  The report provides solutions that will mitigate the same or more amount of risk with a fewer, more finely distilled selection of solutions. In addition to changes in the Top Remediations Report, we have also updated the presentation of solution data in the console UI itself. On the Asset Details Page - New Solutions “Pill” in Vulnerabilities Table: These pill icons indicate the status of the solution. Solution Pill Icon Description A single best solution for the vulnerability. Warning – there is no single best solution or “tie breaker”, so one or more of the following solutions needs to be applied. Error – no solution is applicable, usually because solution is deprecated by the vendor or the Console is decommissioned and not taking updates. Clicking on the new pill icons in the Solutions column will navigate to a new Remediations portlet. This makes all the solution data pertaining to a vulnerability accessible without overwhelming users with the full set of data right away.  Rather than loading the full solution superset every time, the solution information is presented in a more structured way - with the best solutions displayed first, followed by supporting data ordered by priority. Fix all vulnerabilities on an asset or just a targeted few The Remediations portlet can be found on the Asset Details page and has three tabs. The first two tabs are helpful when you are remediating an asset and focused on mitigating as much risk as possible on the asset.  Best Solutions shows the single solution for each vulnerability on the asset, selecting from the data in the Applicable Solutions tab.  The Solutions by Vulnerability tab provides a different view showing solutions by vulnerability, which is helpful in scenarios where remediators are targeting a specific vulnerability to fix. Best solutions for one or all assets The Remediations portlet is also available on the Vulnerabilities Detail Page. Since we are viewing a vulnerability without an asset in mind, the tabs provided show all the solutions that remediate the vulnerability across any OS, platform, library, etc., both in rollup and non-rollup view. However, when viewing a vulnerability found on a particular asset, users will see more information.  The two additional tabs show information in the same fashion as on the Assets Detail Page, so that users can view specific remediation steps to take for a specific vulnerability on a specific asset. Asset Best Solutions lists the single best solution for remediating the vulnerability on this asset. The second tab, Asset Applicable Solutions, allows users to view other possible solutions.  These entries are specific to the OS/Platform or other profile data of the asset, and are also the highest in their supersedence chains. More resources In summary, this new structured solution data in the Console UI and enhancement of the Top Remediations report strikes a balance between keeping the Top Remediations Report clean and actionable while also making available the full set of solution data.  Users will be able to fix faster without losing the ability to look at all of their options. Here are a couple links that may provide more background on the topics covered in this post: Release Notes Help Documentation on Best Solutions

Protecting Your Web Apps with AppSpider Defend Until They Can Be Patched

AppSpider scans can detect exploitable vulnerabilities in your applications, but once these vulnerabilities are detected how long does it take your development teams to create code fixes for them?  In some cases it could take several days to weeks before a fix/patch to…

AppSpider scans can detect exploitable vulnerabilities in your applications, but once these vulnerabilities are detected how long does it take your development teams to create code fixes for them?  In some cases it could take several days to weeks before a fix/patch to resolve the vulnerability can be deployed, and during this time someone could be actively exploiting this issue in your application.  AppSpider Defend, which is now integrated into AppSpider Pro, helps to protect your applications until a fix for the identified vulnerabilities are deployed.Defend allows you to easily create custom defenses for Web Application Firewalls(WAFs), Intrusion Protection Systems(IPS), or Intrusion Detection Systems(IDS), based on the results of vulnerability scans conducted with AppSpider .Using innovative automated rule generation, Defend, part of AppSpider Pro, helps security professionals to patch web application vulnerabilities with custom rules in a matter of minutes, instead of the days or weeks it can take by hand. Without the need to build a custom rule for a WAF or IPS or the need to deliver a source code patch, Defend allows developers the time to identify the root cause of the problem and fix it in the code. When you are ready to generate Defend rules, simply:Click on the Load Findings icon.Select the vulnerability summary XML file from a completed AppSpider scan.Determine which of the discovered vulnerabilities you would like to generate Defend rules for.Select the WAF/IDS/IPS that you want to configure with Defend. The current supported WAF/IDS/IPS's are the following:  ModSecurity, SourceFire/Snort, Nitro/Snort, Imperva, Secui/Snort, Akamai, Barracuda, F5, and DenyAll.Then click on the Export Rules icon to generate a Defend rules file which can be uploaded into your WAF/IDS/IPS solution.With these 5 easy steps you can generate a set of Defend rules that, along with your existing WAF/IDS/IPS solution, can help protect against exploits discovered by AppSpider.Once you have loaded the Defend rule set into your WAF/IDS/IPS solution you can verify that the Defend protection has been enabled by clicking the Defend Scan icon which will launch a Defend Quick scan to replay the attacks which AppSpider used to discover the vulnerabilities and confirm that the attacks are no longer successful due to the Defend rules being deployed.For more information on how the Defend functionality works you can review the AppSpider Pro User Guide.

Multiple Vulnerabilities Affecting Four Rapid7 Products

Today, we'd like to announce eight vulnerabilities that affect four Rapid7 products, as described in the table below. While all of these issues are relatively low severity, we want to make sure that our customers have all the information they need to make informed security…

Today, we'd like to announce eight vulnerabilities that affect four Rapid7 products, as described in the table below. While all of these issues are relatively low severity, we want to make sure that our customers have all the information they need to make informed security decisions regarding their networks. If you are a Rapid7 customer who has any questions about these issues, please don't hesitate to contact your customer success manager (CSM), our support team, or leave a comment below. For all of these vulnerabilities, the likelihood of exploitation is low, due to an array of mitigating circumstances, as explained below. Rapid7 would like to thank Noah Beddome, Justin Lemay, Ben Lincoln (all of NCC Group); Justin Steven; and Callum Carney - the independent researchers who discovered and reported these vulnerabilities, and worked with us on pursuing fixes and mitigations. Rapid7 ID CVE Product Vulnerability Status NEX-49834 CVE-2017-5230 Nexpose Hard-Coded Keystore Password Fixed (6.4.50-2017-0809) MS-2417 CVE-2017-5228 Metasploit stdapi Dir.download() Directory Traversal Fixed (4.13.0-2017020701) MS-2417 CVE-2017-5229 Metasploit extapi Clipboard.parse_dump() Directory Traversal Fixed (4.13.0-2017020701) MS-2417 CVE-2017-5231 Metasploit stdapi CommandDispatcher.cmd_download() Globbing Directory Traversal Fixed (4.13.0-2017020701) PD-9462 CVE-2017-5232 Nexpose DLL Preloading Fixed (6.4.24) PD-9462 CVE-2017-5233 AppSpider Pro DLL Preloading Fix in progress (6.14.053) PD-9462 CVE-2017-5234 Insight Collector DLL Preloading Fixed (1.0.16) PD-9462 CVE-2017-5235 Metasploit Pro DLL Preloading Fixed (4.13.0-2017022101) CVE-2017-5230: Rapid7 Nexpose Static Java Keystore Passphrase Cybersecurity firm NCC Group discovered a design issue in Rapid7's Nexpose vulnerability management solution, and has released an advisory with the relevant details here. This section briefly summarizes NCC Group's findings, explains the conditions that would need to be met in order to successfully exploit this issue, and offers mitigation advice for Nexpose users. Conditions Required to Exploit One feature of Nexpose, as with all other vulnerability management products, is the ability to configure a central repository of service account credentials so that a VM solution can login to networked assets and perform a comprehensive, authenticated scan for exposed, and patched, vulnerabilities. Of course, these credentials tend to be sensitive, since they tend to have broad reach across an organization's network, and care must be taken to store them safely. The issue identified by NCC Group revolves around our Java keystore for storing these credentials, which is encrypted with a static, vendor-provided password, "r@p1d7k3y5t0r3." If a malicious actor were to get a hold of this keystore, that person could use this password to decrypt and expose all stored scan credentials. While this is not obviously documented, this password is often known to Nexpose customers and Rapid7 support engineers, since it's used in some backup recovery scenarios. This vulnerability is not likely to offer an attacker much of an advantage however, since they would need to already have extraordinary control over your Nexpose installation in order to exercise it. This is because you need high level privileges to be able to actually get hold of the keystore that contains the stored credentials. So, in order to obtain and decrypt this file, an attacker would need to already have at least root/administrator privileges on the server running the Nexpose console, OR have a Nexpose console "Global Administrator" account, OR have access to a backup of a Nexpose console configuration. If the attacker already has root on the Nexpose console, the jig is up; customers are already advised to restrict access to Nexpose servers through normal operating system and network controls. This level of access would already represent a serious security incident, since the attacker would have complete control over the Nexpose services and could leverage one of any number of techniques to extend privileges to other network assets, such as conducting local man-in-the-middle network monitoring, local memory profiling, or other, more creative techniques to increase access. Similarly, Global Administrator access to the Nexpose console would, at minimum, allow an attacker to obtain a list of every vulnerable system in scope, alter or skip scheduled scans, and create new and malicious custom scan templates. That leaves Nexpose console backups, which we believe represents the most likely attack vector. Sometimes, backups of critical configurations are stored in networked locations that aren't as secure as the backed-up system itself. We advise against this, for obvious reasons; if backups are not secured at least as well as the Nexpose server itself, it is straightforward to restore the backup to a machine under the attacker's control (where he would have root/administrator), and proceed to leverage that local privilege as above. Designing a Fix While encrypting these credentials at rest is clearly important for safety's sake, eventually these credentials do have to be decrypted, and the key to that decryption has to be stored somewhere. After all, the whole point of a scheduled, authenticated scan is to automate logins. Storing that key offline, in an operator's head, means having to deal with a password prompt anytime a scan kicks off. This would be a significant change in how the product works, and would be a change for the worse. Designing a workable fix to this exposure is challenging. The simple solution is to enable users to pick their own passwords for this keystore, or generate one per installation. This would at least force attackers who have gained access to critical network infrastructure to do the work of either cracking the saved keystore, or do the slightly more complicated work of stepping through the decryption process as it executes. Unfortunately, this approach would immediately render existing backups of the Nexpose console unusable -- a fact that tends to only be important at the least opportune time, after a disaster has taken out the hosting server. Given the privilege requirements of the attack, this trade-off, in our opinion, isn't worth the future disaster of unrestorable backups. While we do expect to implement a new strategy for encrypting stored credentials in a future release, care will need to be taken to both ensure that the customer experience with disaster recovery remains the same and support costs aren't unreasonably impacted by this change. Mitigations for CVE-2017-5320 As of August of 2017, a fixed version has been released. CVE-2017-5228, CVE-2017-5229, CVE-2017-5231: Metasploit Meterpreter Multiple Directory Traversal Issues Metasploit Framework contributor and independent security researcher Justin Steven reported three issues in the way Metasploit Meterpreter handles certain directory structures on victim machines, which can ultimately lead to a directory traversal issue on the Meterpreter client. Justin reported his findings in an advisory, here. Conditions Required to Exploit In order to exploit this issue, we need to first be careful when discussing the "attacker" and "victim." In most cases, a user who is loading and launching Meterpreter on a remote computer is the "attacker," and that remote computer is the "victim." After all, few people actually want Meterpreter running on their machine, since it's normally delivered as a payload to an exploit. However, this vulnerability flips these roles around. If a computer acts as a honeypot, and lures an attacker into loading and running Meterpreter on it, that honeypot machine has a unique opportunity to "hack back" at the original Metasploit user by exploiting these vulnerabilities. So, in order for an attack to be successful, the attacker, in this case, must entice a victim into establishing a Meterpreter session to a computer under the attacker's control. Usually, this will be the direct result of an exploit attempt from a Metasploit user. Designing a Fix Justin worked closely with the Metasploit Framework team to develop fixes for all three issues. The fixes themselves can be inspected in the open source Metasploit framework repository, at Pull Requests 7930, 7931, and 7932, and ensure that data from Meterpreter sessions is properly inspected, since that data can possibly be evil. Huge thanks to Justin for his continued contributions to Metasploit! Mitigations for CVE-2017-5228, CVE-2017-5229, CVE-2017-5230 In addition to updating Metasploit to at least version 4.3.20, Metasploit users can help protect themselves from the consequences of interacting with a purposefully malicious host with the use of Meterpreter's "Paranoid Mode," which can significantly reduce the threat of this and other undiscovered issues involving malicious Meterpreter sessions. CVE-2017-5232, CVE-2017-5233, CVE-2017-5234, CVE-2017-5235: DLL Preloading Independent security researcher Callum Carney reported to Rapid7 that the Nexpose and AppSpider installers ship with a DLL Preloading vulnerability, wherein an attacker could trick a user into running malicious code when installing Nexpose for the first time. Further investigation from Rapid7 Platform Delivery teams revealed that the installation applications for Metasploit Pro and the Insight Collector exhibit the same vulnerability. Conditions Required to Exploit DLL Preloading vulnerabilities are well described by Microsoft, here, but in short, DLL preloading vulnerabilities occur when a program fails to specify an exact path to a system DLL; instead, the program can seek that DLL in a number of default system locations, as well as the current directory. In the case of an installation program, that current directory may be a general "Downloads" folder, which can contain binaries downloaded from all sorts of places. If an attacker can convince a victim to download a malicious DLL, store it in the same location as one of the Rapid7 installers identified above, and then install one of those applications, the victim can trigger the vulnerability. In practice, DLL preloading vulnerabilities occur more often on shared workstations, where the attacker specifically poisons the Downloads directory with a malicious DLL and waits for the victim to download and install an application susceptible to this preloading attack. It is also sometimes possible to exercise a browser vulnerability to download (but not execute) an arbitrary file, and again, wait for the user to run an installer later. In all cases, the attacker must already have write permissions to a directory that contains the Rapid7 product installer. Usually, people only install Rapid7 products once each per machine, so the window of exploitation is also severely limited. Designing a Fix In the case of Metasploit Pro, Nexpose, and the Insight Collector, the product installers were updated to define exactly where system DLLs are located, and no longer rely on dynamic searching for missing DLLs. An updated installer for Appspider Pro will be made available once testing is completed. Mitigations for CVE-2017-5232, CVE-2017-5233, CVE-2017-5234, CVE-2017-5235 In all cases, users are advised to routinely clean out their "Downloads" folder, as this issue tends to crop up in installer packages in general. Of course, users should be aware of where they are downloading and running executable software, and Microsoft Windows executables support a robust, certificate-based signing procedure that can ensure that Windows binaries are, in fact, what they purport to be. Users who keep historical versions of installers for backup and downgradability purposes should be careful to only launch those installation applications from empty directories, or at least, directories that do not contain unknown, unsigned, and possibly malicious DLLs. Coordinated Disclosure Done Right NCC Group, Justin Steven, and Callum Carney all approached Rapid7 with these issues privately, and have proven to be excellent and accommodating partners in reporting these vulnerabilities to us. As a publisher of vulnerability information ourselves, Rapid7 knows that this kind of work can at times be combative, unpleasant, and frustrating. Thankfully, that was not the case with these researchers, and we greatly appreciate their willingness to work with us and lend us their expertise. If you're a Rapid7 customer who has any questions about this advisory, please don't hesitate to contact your regular support channel, or leave a comment below.

CVE-2017-3823: Remote Code Execution Vulnerability in Cisco WebEx Browser Plugin

On January 21st 2017, Google's Project Zero disclosed a vulnerability in Cisco's WebEx browser plugin extension that could allow attackers to perform a remote code execution (RCE) exploit on any Windows host running the plugin. An initial fix was pushed out by Cisco that warned…

On January 21st 2017, Google's Project Zero disclosed a vulnerability in Cisco's WebEx browser plugin extension that could allow attackers to perform a remote code execution (RCE) exploit on any Windows host running the plugin. An initial fix was pushed out by Cisco that warned a user if they were launching a meeting from a domain other than *.webex.com or *.webex.com.cn, however, the fix was questioned by April King from Mozilla based on the WebEx domain's security audit results from their Observatory project. Cisco released a fix on 26th January 2017 that not only whitelisted the domains where meetings could be launched, but also tightened up the verification mechanisms to calls on DLLs, as observed by Tavis Ormandy at Project Zero, “It looks like they correctly handle Mac and Windows, and have also added some verification on GpcInitCall/GpcExitCall/etc so that functions have to match a RegEx. This looks like a huge improvement.” Full details of the vulnerability disclosure from Cisco can be found here. The following versions of plugins were declared vulnerable: < 1.0.7 on Google Chrome < 106 on Mozilla Firefox < 2.1.0.10 on Internet Explorer Nexpose version 6.4.21 will allow you to detect if you have a vulnerable version of the Cisco WebEx plugin installed on any of your Windows hosts in your network and if you are vulnerable to CVE-2017-3823. As this is an authenticated check, credentials will need to be configured for the scan.

Maximizing PCI Compliance with Nexpose and Coalfire

In 2007 Coalfire selected Rapid 7 Nexpose as the engine around which to build their PCI Approved Scan Vendor offering.  PCI was just a few years old and merchants were struggling to achieve and document full compliance with the highly proscriptive Data Security Standard.…

In 2007 Coalfire selected Rapid 7 Nexpose as the engine around which to build their PCI Approved Scan Vendor offering.  PCI was just a few years old and merchants were struggling to achieve and document full compliance with the highly proscriptive Data Security Standard.  Our goal was to find that classic sports car blend of style and power: a vulnerability assessment solution that was as streamlined and easy to use as possible, but robust enough to significantly improve the customer's security.  In other words, an ASV service that could meet the needs of a large multi-national enterprise as well as the small franchise owner just learning how to spell IT.  After looking at all the alternatives, Coalfire selected Nexpose for its high-end performance and ease of interoperability to build around, all at a price point that kept us competitive.The Coalfire scanning solution has gone by many names since its first ASV certification: Surefire Compliance, ARM PCI RapidScan, Coalfire RapidScan right up to today's CoalfireOne℠ scanning platform.  But through all of it, Nexpose was under the hood making it go, with the power and reliability of a GM LS Series 6.0L or an AMC 4.0 straight-six.  Sorry, that might be taking the analogy a bit far (and letting my car geek show), but the point is, we never had to worry if the scan was going to run or if it was going to find the latest SSL vulnerability, it just did.  And that let us focus on the user experience which was always our plan.With our new ASV partnership, Rapid 7's ASV customers now get that “best of both worlds” pairing.  The same high confidence in scan findings they're used to, with the simplicity of CoalfireOne management.  Define your targets, set your schedule, review and dispute findings, and download your attestation of compliance -- all through the easy to use Web interface.  It's a little like a Shelby Cobra -- body by AC Cars, V8 by Ford.  Okay, I'm done.

Featured Research

National Exposure Index 2017

The National Exposure Index is an exploration of data derived from Project Sonar, Rapid7's security research project that gains insights into global exposure to common vulnerabilities through internet-wide surveys.

Learn More

Upcoming Event

UNITED 2017

Rapid7's annual security summit is taking place September 12-14, 2017 in Boston, MA. Join industry peers for candid talks, focused trainings, and roundtable discussions that accelerate innovation, reduce risk, and advance your business.

Register Now

Podcast

Security Nation

Security Nation is a podcast dedicated to covering all things infosec – from what's making headlines to practical tips for organizations looking to improve their own security programs. Host Kyle Flaherty has been knee–deep in the security sector for nearly two decades. At Rapid7 he leads a solutions-focused team with the mission of helping security professionals do their jobs.

Listen Now