New OS versions to be released on April 30th and October 31st every year
In 2019, we will be switching to a new release scheme for updated versions of the Greenbone OS – the Greenbone Security Manager (GSM) operating system – with fixed release dates every year, giving our customers, partners, and the Greenbone development team more planning certainty.
The new fixed dates will be April 30th and October 31st each year. However, during 2019, as we transition to this new scheme, we will introduce GOS 5.0 in two staged releases, with ENTRY/SME scheduled for April 30th and MIDRANGE/ENTERPRISE/SENSOR set for June 30th. GOS 6.0 will then be released for all GSM devices in a single step in accordance with the new scheme. From 2020 onwards, the new time-based release system will apply in full.
The scheme is based on hard deadlines for new features, new GSM types and new hardware. If a feature does not make it to a release date, it will be included in the subsequent release.
OS updates tested over one-month phase in the Greenbone community
In addition, our Greenbone Vulnerability Management (GVM) system will undergo a one-month test phase in conjunction with each GOS release. Before the April 30th and October 31st release dates, the Source Edition will be made available on the GVM system within the Greenbone community. As a result, any bugs can be found and eliminated before our customers and partners put the new GOS into operation.
Another advantage of having two new major OS versions per year is that our customers can benefit from our latest innovations much more quickly. Users will be able to jump to new GOS versions faster, either every six months on the official release dates (our innovation cycle), or every 12 months during a three-month migration phase (May/June/July or November/December/January) when they can skip a GOS generation (a more conservative cycle).
https://www.greenbone.net/wp-content/uploads/01_Logo-mit-Schriftzug_500px_on_white_horiz1.jpg00Dirk Schraderhttps://www.greenbone.net/wp-content/uploads/01_Logo-mit-Schriftzug_500px_on_white_horiz1.jpgDirk Schrader2019-04-16 17:20:022019-04-17 14:38:27Dates fixed for new Greenbone OS releases
Serious vulnerability discovered in D-Link routers
UPDATE: patch available for users on D-Link support pages
In November 2018, Greenbone discovered a serious security vulnerability in D-Link routers and drew the company’s attention to it. The vulnerability is easy for hackers to exploit and allows unauthorised access to networks. There is now a patch available from the vendor. Greenbone has been offering its customers a vulnerability test (NVT) as part of its daily security feed since the end of last year.
Routers are pivotal to both home and business networks. They establish an Internet connection for connected laptops and PCs, and also for smart home and industrial applications. But even though so many components of a network converge here, router security is not always adequate. For example, last year, researchers at the American Consumer Institute found known vulnerabilities in 83 percent of the routers it examined as part of the study. Hackers can use these vulnerabilities to gain access to the device itself and therefore to the entire network. In total, the researchers counted more than 30,000 separate vulnerabilities – 7 percent of which represented a critical risk, while 21 percent were high risk.
Design errors make the DWR and DAP models vulnerable to attack
In addition to the already known vulnerabilities in routers, new ones are being found on a near constant basis. In November 2018, Greenbone security researchers found a serious vulnerability in various D-Link routers, particularly the DWR and DAP models. Described as an “Unauthenticated Remote Code Execution”, the vulnerability is a security hole where an attacker can execute commands on the router without any authentication. In the case of the D-Link routers, a hacker can even obtain full administrative rights. It is very likely that the NIST (National Institute of Standards and Technology) will award the highest possible CVSS rating (Common Vulnerability Scoring System) of 10.0.
The cause is probably a design flaw. In the devices we tested, we found an executable file called “EXCU_SHELL” that can be selected from the web browser using a so-called GET request. This is responsible for some useful (yet harmless) operations, such as displaying information about the installed firmware. But if you adjust some of the file’s parameters, it is possible to insert and execute arbitrary commands.
Access to routers without authentication possible
D-Link is one of the top vendors in the global wireless router market and was the market leader in 2017, with a market share of 24.1 percent.
But it’s not just the potential number of customers that could be impacted that make this vulnerability significant. According to the CVSS basic score calculator, the severity of the vulnerability is high and relatively easy to exploit. The “EXCU_SHELL” file is not password-protected and hackers can therefore access the router and the associated network without authentication. Once infiltrated, all incoming and outgoing Internet traffic can be viewed, modified and controlled. It may even be possible for hackers to spread malware.
With smart home and IoT technologies, such vulnerabilities cause considerable damage. Hackers can open the door to critical infrastructures, such as health care facilities or energy suppliers.
D-Link publishes security update on March 19, 2019
Greenbone reported the vulnerability to D-Link last November. The manufacturer was responsive throughout the process and asked us to take over the CVE application. The D-Link website now provides information for customers and a patch has been made available.
After more than 90 days that have passed since the vulnerability was discovered – the deadline expired on February 11, 2019 – we were acting in accordance with Responsible Disclosure and published all available information to protect users. For Greenbone customers, the gap has been visible via the daily security feed since November 2018.
Manufacturers must act
Given the sheer number of security vulnerabilities on routers, closing the D-Link gap is certainly just a drop in the ocean. While the number of vulnerabilities is intimidating, placing your head in the sand is not an option. Focus must be placed on persuading (or, in some cases, forcing) as many manufacturers as possible to secure their routers.
The EU directive on the security of Network and Information Systems (NIS) was approved in August 2016, giving member states 21 months to embed the directive into their respective national laws. The directive became UK law in May this year and all organizations deemed ‘Operators of Essential Services’ (OES) must have complied and will do so from this date forward – if they fail they could face a fine of up to £17m.
A matter of vulnerability management
With the directive now in place, each state needs to ensure the continuity of their essential services besides any cause that could affect the networks and information systems enabling those critical infrastructures. What this really means is that those services need to improve not only their resistance to cyber attacks, but their resilience which refers to the ability to continuously deliver the intended business objective despite adverse cyber events.
Critical infrastructures – example transportation systems
Critical infrastructures, like energy, health, finance and transportation, share one common prerequisite: they mostly consist of converged technologies. It is this interdependency of industry control systems (ICS) and IT systems that increase the attack surface drastically. A major element of resilience as I mentioned above, then, is to minimize the attack surface of the overall infrastructure by identifying vulnerabilities which could be exploited by an adversary. So far, so good. But how do organizations tackle this?
We have outlined information on steps organizations need to take to address their vulnerabilities – taking into account their business needs at all times. The first issue in a series of whitepapers to come from us looks at the systems and processes of the transportation industry. In the light of the new EU directive, how can internal security guidelines be changed due to the new regulations?
Learn more: Download our Whitepaper ‘Sustainable Cyber Resilience for Critical Infrastructures – Transportation Systems and Networks’ here for free.
https://www.greenbone.net/wp-content/uploads/maxim-melnikov-69938_klein.png534800Dirk Schraderhttps://www.greenbone.net/wp-content/uploads/01_Logo-mit-Schriftzug_500px_on_white_horiz1.jpgDirk Schrader2018-11-19 12:50:352018-11-19 12:50:35EU directive: Cyber-resilience of critical national infrastructure now fundamental to UK security and excellence
Dates fixed for new Greenbone OS releases
BlogNew OS versions to be released on April 30th and October 31st every year
In 2019, we will be switching to a new release scheme for updated versions of the Greenbone OS – the Greenbone Security Manager (GSM) operating system – with fixed release dates every year, giving our customers, partners, and the Greenbone development team more planning certainty.
The new fixed dates will be April 30th and October 31st each year. However, during 2019, as we transition to this new scheme, we will introduce GOS 5.0 in two staged releases, with ENTRY/SME scheduled for April 30th and MIDRANGE/ENTERPRISE/SENSOR set for June 30th. GOS 6.0 will then be released for all GSM devices in a single step in accordance with the new scheme. From 2020 onwards, the new time-based release system will apply in full.
The scheme is based on hard deadlines for new features, new GSM types and new hardware. If a feature does not make it to a release date, it will be included in the subsequent release.
OS updates tested over one-month phase in the Greenbone community
In addition, our Greenbone Vulnerability Management (GVM) system will undergo a one-month test phase in conjunction with each GOS release. Before the April 30th and October 31st release dates, the Source Edition will be made available on the GVM system within the Greenbone community. As a result, any bugs can be found and eliminated before our customers and partners put the new GOS into operation.
Another advantage of having two new major OS versions per year is that our customers can benefit from our latest innovations much more quickly. Users will be able to jump to new GOS versions faster, either every six months on the official release dates (our innovation cycle), or every 12 months during a three-month migration phase (May/June/July or November/December/January) when they can skip a GOS generation (a more conservative cycle).
Serious vulnerability discovered in D-Link routers
BlogSerious vulnerability discovered in D-Link routers
UPDATE: patch available for users on D-Link support pages
In November 2018, Greenbone discovered a serious security vulnerability in D-Link routers and drew the company’s attention to it. The vulnerability is easy for hackers to exploit and allows unauthorised access to networks. There is now a patch available from the vendor. Greenbone has been offering its customers a vulnerability test (NVT) as part of its daily security feed since the end of last year.
Routers are pivotal to both home and business networks. They establish an Internet connection for connected laptops and PCs, and also for smart home and industrial applications. But even though so many components of a network converge here, router security is not always adequate. For example, last year, researchers at the American Consumer Institute found known vulnerabilities in 83 percent of the routers it examined as part of the study. Hackers can use these vulnerabilities to gain access to the device itself and therefore to the entire network. In total, the researchers counted more than 30,000 separate vulnerabilities – 7 percent of which represented a critical risk, while 21 percent were high risk.
Design errors make the DWR and DAP models vulnerable to attack
In addition to the already known vulnerabilities in routers, new ones are being found on a near constant basis. In November 2018, Greenbone security researchers found a serious vulnerability in various D-Link routers, particularly the DWR and DAP models. Described as an “Unauthenticated Remote Code Execution”, the vulnerability is a security hole where an attacker can execute commands on the router without any authentication. In the case of the D-Link routers, a hacker can even obtain full administrative rights. It is very likely that the NIST (National Institute of Standards and Technology) will award the highest possible CVSS rating (Common Vulnerability Scoring System) of 10.0.
The cause is probably a design flaw. In the devices we tested, we found an executable file called “EXCU_SHELL” that can be selected from the web browser using a so-called GET request. This is responsible for some useful (yet harmless) operations, such as displaying information about the installed firmware. But if you adjust some of the file’s parameters, it is possible to insert and execute arbitrary commands.
Access to routers without authentication possible
D-Link is one of the top vendors in the global wireless router market and was the market leader in 2017, with a market share of 24.1 percent.
But it’s not just the potential number of customers that could be impacted that make this vulnerability significant. According to the CVSS basic score calculator, the severity of the vulnerability is high and relatively easy to exploit. The “EXCU_SHELL” file is not password-protected and hackers can therefore access the router and the associated network without authentication. Once infiltrated, all incoming and outgoing Internet traffic can be viewed, modified and controlled. It may even be possible for hackers to spread malware.
With smart home and IoT technologies, such vulnerabilities cause considerable damage. Hackers can open the door to critical infrastructures, such as health care facilities or energy suppliers.
D-Link publishes security update on March 19, 2019
Greenbone reported the vulnerability to D-Link last November. The manufacturer was responsive throughout the process and asked us to take over the CVE application. The D-Link website now provides information for customers and a patch has been made available.
After more than 90 days that have passed since the vulnerability was discovered – the deadline expired on February 11, 2019 – we were acting in accordance with Responsible Disclosure and published all available information to protect users. For Greenbone customers, the gap has been visible via the daily security feed since November 2018.
Manufacturers must act
Given the sheer number of security vulnerabilities on routers, closing the D-Link gap is certainly just a drop in the ocean. While the number of vulnerabilities is intimidating, placing your head in the sand is not an option. Focus must be placed on persuading (or, in some cases, forcing) as many manufacturers as possible to secure their routers.
EU directive: Cyber-resilience of critical national infrastructure now fundamental to UK security and excellence
BlogThe EU directive on the security of Network and Information Systems (NIS) was approved in August 2016, giving member states 21 months to embed the directive into their respective national laws. The directive became UK law in May this year and all organizations deemed ‘Operators of Essential Services’ (OES) must have complied and will do so from this date forward – if they fail they could face a fine of up to £17m.
A matter of vulnerability management
With the directive now in place, each state needs to ensure the continuity of their essential services besides any cause that could affect the networks and information systems enabling those critical infrastructures. What this really means is that those services need to improve not only their resistance to cyber attacks, but their resilience which refers to the ability to continuously deliver the intended business objective despite adverse cyber events.
Critical infrastructures – example transportation systems
Critical infrastructures, like energy, health, finance and transportation, share one common prerequisite: they mostly consist of converged technologies. It is this interdependency of industry control systems (ICS) and IT systems that increase the attack surface drastically. A major element of resilience as I mentioned above, then, is to minimize the attack surface of the overall infrastructure by identifying vulnerabilities which could be exploited by an adversary. So far, so good. But how do organizations tackle this?
We have outlined information on steps organizations need to take to address their vulnerabilities – taking into account their business needs at all times. The first issue in a series of whitepapers to come from us looks at the systems and processes of the transportation industry. In the light of the new EU directive, how can internal security guidelines be changed due to the new regulations?
Learn more: Download our Whitepaper ‘Sustainable Cyber Resilience for Critical Infrastructures – Transportation Systems and Networks’ here for free.