We live and work in the digital world. The issue of cybersecurity therefore affects us all – both companies and government administrations, as well as each and every one of us. This applies not only to our own direct use of digital systems, but also – sometimes even in particular – where others provide us with digitalized services that are sometimes desirable, but also irreplaceable. It becomes existential at the latest where we depend on critical infrastructure: Water, electricity, health, security and some more.

As technical networking increase, nearly every digital device becomes a potential gateway for cyberattacks. Cybersecurity is therefore a technical, social and consumer issue.

The German government sensibly relies on (quote from the coalition agreement of the SPD, Bündnis 90 / Die Grünen and the FDP) “effective vulnerability management, with the aim of closing security gaps”. To establish a general resilience against cyber-attacks in Europe, the EU has launched the Cyber Resilience Act (CRA)

Cyber Resilience Act makes vulnerability management mandatory

In the Cyber Resilience Act (CRA), the EU member states have agreed on a common position – this was announced by the Council of the EU in a press release at the end of July and reports optimistically:
“An agreement that advances EU’s commitment towards a safe and secure digital single market. IoT and other connected objects need to come with a baseline level of cybersecurity when they are sold in the EU, ensuring that businesses and consumers are effectively protected against cyber threats. This is an important milestone for the Spanish presidency, and we hope to bring forward negotiations with the Parliament as much as possible.”

The CRA is intended to anchor digital security sustainably in Europe through common cybersecurity standards for networked devices and services. Thus, the CRA not only has a high impact on the manufacturers of digital devices, the EU is also creating a new, norm-setting standard. As an IT security company, we have been supporting our customers in achieving the best possible security standard for 15 years. We see the new standardization by the CRA as an opportunity and are happy to help our customers to use it for even more security.

Continuously demonstrate safety

The new CRA regulations on vulnerability handling and detection, which are intended to “ensure the cybersecurity of digital products … and regulate obligations of economic operators such as importers or distributors with regard to these procedures”, pose challenges for many companies. Using tools such as Greenbone’s vulnerability management makes it much easier to comply with the new requirements. This also goes as far as checking whether suppliers, for example, meet the required and assured safety standards.

More responsibility

Companies are called upon by the CRA to carry out regular, permanent and sustainable vulnerability analyses and to have external audits carried out for products classified as “critical”. This can be especially difficult for older products. Greenbone also helps because we can examine such products, which are often imperfectly documented, even while they are in operation.

Where our customers already do this regularly, they are able to act quickly and gain valuable time to mitigate potential risks.

Become active now

The CRA introduces rules to protect digital products that were not previously covered by law, so companies face new and major challenges that affect the entire supply chain.

We can help you meet the requirements. the Greenbone Vulnerability Management product series, the Greenbone Enterprise Appliances enable compliance with the CRA – on premise or from the cloud. Our experts will be happy to advise you.

For this study commissioned by the OSB Alliance, Dr. Mark Ohm investigated how the security of open source and proprietary software can be evaluated and improved in perspective.

The development of information technology in the last decades is remarkable: The path begins with helpful support functions in computational and data-heavy processes and leads us to the dominant technology of the present and future, without which nothing works. In the process, attention is increasingly shifting from the devices we need to use this technology to the software we use to benefit from the devices and its risks.
Complex software systems that increasingly intervene in our society – that’s what we call digitalisation. Whether we are talking about industrial applications, social media or artificial intelligence, there is always software behind it. And this brings the security and trustworthiness of software systems, on which we are increasingly dependent, to the fore.

The role of security in software development

Well over 90% of all software contains open source – including proprietary products. The security of open source therefore concerns all software producers and users today. If we want security, we have to be able to check it. Software development is evolving, tools are integrating more and more protection mechanisms, and the ability to check for vulnerabilities is improving. At the same time, the number of vulnerabilities and attacks is also increasing.

New risks are emerging, and we have no choice but to face them. We have implemented many protective mechanisms for this at Greenbone, and integrated them into our certified security management. Also because, as a provider of security products, we deal with vulnerabilities more intensively than other companies, we have a special motivation and expertise in this area. We also know that not all risks can be discovered and eliminated during software development, but that software and systems must also be monitored and tested during operation. That is what we are here for with our products.

Our role in improving security

We want to make the IT world safer. We would like to contribute to this with our products, but also with the support of this study.

Please find the complete study here.

Starting in 2024, the EU plans to spend one billion euros on the “Cybersolidarity Act”, and North Rhine-Westphalia is funding institutions that invest in IT security and hazard prevention with more than 70 million euros: Anyone who has not yet put the topic of vulnerability management on their agenda should do so as soon as possible – and take advantage of the funding that has been made available.

The EU will invest massively in vulnerability management: According to a DPA report, the Commission wants to “establish national and cross-border security centres across the EU” that will use artificial intelligence (AI) and data analysis to detect and report cyber threats and incidents in a timely manner.”
A “European Cybersolidarity Act” is to be, achieved to “strengthen the EU’s capabilities for effective operational cooperation, solidarity and resilience”, concretely this means “creating a secure digital environment for citizens and businesses and protecting critical facilities and essential services such as hospitals and public utilities.”

Concrete plans

The law provides for a cyber emergency mechanism, preparedness measures, the creation of a new EU cyber security reserve and financial support for mutual administrative assistance, as well as the creation of an “EU Cyber Security Skills Academy” (on the EU’s Digital Skills & Jobs platform). Two thirds of the 1.1 billion will be financed through the “Digital Europe” programme.

70 million in funding from NRW

However, the increasing attacks on critical infrastructures, authorities and companies are not leaving the governments of the federal states idle. The federal state of North Rhine-Westphalia, for example, is setting a good example: the black-green state government under Science Minister Brandes (CDU) is now concretely offering to support day-care centres, schools and universities not only with energy prices, but also with 77 million euros in cybersecurity in the same package. According to dpa, this includes many different aspects, from IT systems such as firewalls or two-factor authentication to emergency power generators and locking systems, but also “more personnel” in the field of cybersecurity. Existing funding pots for IT security, for example digital-sicher.nrw, remain unaffected.

Funding from the federal government and other states

The federal government is also currently providing support for security-conscious entrepreneurs and managers: the BMWK is currently setting up a transfer office for IT security in the economy, whose funding office is to provide targeted support for small and medium-sized enterprises. In Bavaria, which is dominated by the election campaign, information can be found at Bayern Innovativ or at the IT Security Cluster. Hesse boasts of offering a “nationwide unique support for small and medium-sized enterprises against cyber attacks”, and in Baden-Württemberg, they not only support AI cybersecurity projects, but in January they also launched half a million euros in funding for SMEs that want to invest in cybersecurity.

Greenbone’ support for cybersecurity

We at Greenbone have created a solution with the Greenbone Enterprise Appliances that closes this gap and ensures cybersecurity. Potential vulnerabilities are found before they are exploited. The vast majority of vulnerabilities that lead to damage in IT infrastructures are not new, but have been known for more than a year. What is often missing are solutions that offer active security by detecting such vulnerabilities before they are exploited by attackers, prioritising them and making suggestions for their elimination. This is exactly what Greenbone has been doing very successfully for over 10 years.

The Greenbone Enterprise Appliances offer solutions for different needs, adaptable to the individual company size in the form of a hardware solution, a virtual solution or a cloud solution as a managed service. In addition, the package includes an all-round service from support with the application for funding and implementation to data analysis and remediation of vulnerabilities. Find out more about Greenbone’s cybersecurity here.

Reduce the risk of an attack from the internet on your servers: Take advantage of Greenbone’s latest offer: With our Pentesting Web Applications, we help you to get the best possible security for your web applications.

The numbers speak for themselves: attacks on web applications are on the rise, have been for years, and there is no end in sight. The complexity of modern web presences and services requires a high level of security measures and cannot be managed without testing by experts.

The only thing that helps here is the technique of so-called “pentesting” of web applications, or more precisely “web application penetration testing”. With this attempt to penetrate protected systems from the outside (“penetration”), Greenbone’s experts create an active analysis of vulnerabilities and can thus evaluate the security of a web application. Although there are guidelines such as the highly recommended one from the German Federal Office for Information Security (BSI), which describes the procedure for testing, nothing can replace the expert who puts your system under the microscope himself. In this video you will get a first impression of the work of our security experts. 

Greenbone acts strictly according to the regulations of the DSGVO, is certified according to ISO 27001/9001 and also has Ü2-certified security experts according to § 9 of the Security Audit Act (SÜG). As with its vulnerability management products, with the web application pentests you also receive detailed reports on your security situation with clear instructions for action, which the Greenbone experts are happy to help you implement. The offer covers both the client and server side of your web applications and is based on the most modern and up-to-date guidelines, for example the OWASP Top 10 or the OWASP Risk Assessment Framework (RAF). Whether it is cross-site scripting (XSS), SQL injection, information disclosure or command injection, whether there are gaps in the authentication mechanisms of your servers or websockets are the source of danger – Greenbone’s experts will find the vulnerabilities.

As the world’s leading provider of open source vulnerability management products, Greenbone always has the latest expertise in dealing with vulnerabilities and security risks, including here in “black box testing”, when our experts take a close look at your systems from the outside, just as an attacker would: with the perspective of a potential attacker, you will ideally find every existing vulnerability in your IT infrastructure and can take care of fixing them. Only those who know their vulnerabilities can implement security measures in a targeted manner. Find out more about Greenbone AG’s products and services here.

Even more than two years after the first problems with Log4j became known, many scenarios are apparently still running unpatched versions of the logging library.

Greenbone’s products help – especially in detecting outdated software.

No one should take Log4j lightly as a done deal just because the vulnerability (CVE 2021-44228) has actually been fixed for a year and a half. That is the conclusion of an event at the end of March in which the German Federal Office for Information Security (BSI) issued an urgent warning. The vulnerability affected Log4j versions 2.0 to 2.14.1 and allowed attackers to execute their own programme code on target systems and compromise third-party servers. Greenbone’s products have detected the Log4j vulnerabilities since December 2021 and can therefore warn administrators.

Under the title “Log4j & Consequences” in the series “BuntesBugBounty“, the BSI spoke with Christian Grobmeier from the Log4j team and Brian Behlendorf from the Open Source Security Foundation (OpenSSF). Shockingly, more than a third of the downloads on the Log4j website still add up to outdated versions that do not contain the important patch – it can be assumed that numerous systems in companies are still vulnerable.

This is mainly due to third-party software that Log4j embeds or integrates via software distribution – which is not at all surprising to Grobmeier, because that is how the supply chain works with open-source software. According to the Log4J developer, nothing can be changed in the near future.

This is also confirmed by the Open SSF: for Behlendorf, only stricter liability for software producers could be helpful, as is already being considered in the USA. Without fundamentally new approaches, the problems are unlikely to change.

Those who nevertheless want to protect themselves permanently against attacks on known vulnerabilities that have already been patched should take a look at Greenbone’s products. Only professional vulnerability management gives administrators an overview of outdated software versions and unpatched gaps in the company’s systems – and thus creates the basis for further security measures.

The development of vulnerability tests is a key activity at Greenbone and a continuous process that ensures the high quality of the products and thus the high benefit for customers. Security checks are carried out every day and vulnerability tests are developed and integrated into the products daily as well, prioritized by the security situation. In the case of critical security warnings, as with Log4j, Greenbone reports on the current status, the facts and how to deal with them, for example in the blog posts about Log4j.

At its latest patchday, software manufacturer Microsoft patched a severe zero-day vulnerability that had been exploited by intelligence agencies and Russian hacker groups, among others, in the summer of 2022. Early on, Greenbone was able to provide a test in the process, helping companies find unpatched systems and secure data centers and clients.

The CVE-2023-23397 was discovered by the Ukrainian Computer Emergency Response Team (CERT-UA), affects all versions of Microsoft Outlook on Windows and allows attackers to access SMB servers via emails with extended MAPI commands.

Fully automated attack in the background

This, Microsoft warns urgently, can happen fully automatically and in the background, without the user having opened or even previewed the malicious mail: The dangerous commands would be executed directly upon arrival – no credentials entered or careless mouse clicks done by the user are necessary.

Even though all users of Outlook for Windows are affected; systems with Android, iOS or macOS are not vulnerable. Attackers can only exploit this vulnerability if the (old) NTLM authentication is used, web interfaces such as Office 365 are also safe, as Microsoft explains.

Mitigation: Block SMB connections, add users to AD groups

Due to the high potential for damage, the vendor strongly urges customers to apply the appropriate patch. As intermediate, temporary solution, users should be included in the group of protected users in Active Directory and all outgoing SMB connections should be blocked.

Greenbone customers had already been provided with a test one day before Microsoft’s patchday. One day before the manufacturer closed the gap, we were able to warn users about the vulnerability CVE-2023-23397. This example shows once again how important professional vulnerability management is for IT security in companies.

Details of our vulnerability test are available to Greenbone customers here – it is already integrated into Greenbone’s Enterprise Feed and the vulnerability detection of our products.

Incidentally, in a blog post, Microsoft states that previous attacks via this vulnerability have been of limited scope, mostly targeting a “limited number of government, transportation, energy and military organizations in Europe” in 2022 and carried out by Russian-based actors. Media outlets such as Bleeping Computer, which first obtained the internal information from Microsoft, reported attacks from April to December 2022, also carried out by the well-known APT-28 group, for example.

Test Greenbone Vulnerability Management for free

As a “Trial” the Greenbone Enterprise Appliances are free of charge for 14 days. Users can try it out quickly, without special know-how directly in the web browser. A direct upgrade to a valid subscription is possible at any time. All Greenbone Enterprise Appliances use the daily updated Greenbone Enterprise Feed which helps to automatically test your IT network and all connected devices for more than 100,000 vulnerabilities and provides a daily updated, accurate status of the security situation in your company. Because the vulnerability check also provides information on the severity, you can easily prioritize the identified vulnerabilities and the measures to be taken.

Vulnerability management that inspects your IT infrastructure from the outside is indispensable in modern companies. Ideally, by acting like a potential attacker, you can find all vulnerabilities in your IT infrastructure the attacker could exploit. so to speak, and take care of its elimination. Only those who know their vulnerabilities can implement the right security measures.

According to the latest study by Orange Security, 13 percent of the vulnerabilities found in today’s corporate networks were already known in 2012, and almost half of all gaps are more than five years old – and the trend is increasing. Professional vulnerability management such as the Greenbone product family can provide a remedy.

The Orange Security Navigator takes a look at the current threat situation on many pages every year. In the latest edition, the security software manufacturer comes to astonishing insights regarding the age of vulnerabilities in companies. The oldest risks have existed for 20 years or more, writes Orange, and patching is also taking longer and longer.

Even recently, problems that were actually fixed long ago filled the headlines: A security hole in VMWare’s ESXi server, which had been closed for years, was actively exploited by attackers. According to the German Federal Office for Information Security (BSI), thousands of servers were infected with ransomware and encrypted – details here in the Greenbone blog.

Orange Security can also sing from the same song: “Our pentesters find vulnerabilities that were first identified in 2010 (…) [and] problems whose causes go back to 1999. (…) This is a very worrying result.” In the case of the ESXi incident, the vulnerability had already been closed by the manufacturer in February 2021, but not all users had applied the necessary updates – which is exactly where Greenbone’s products help by actively scanning your systems for known, open vulnerabilities.

This is becoming increasingly important because, even according to Orange, more and more critical gaps are sometimes open for six months or longer, In recent years, the average time to a fix has increased by 241 percent. While patching of serious vulnerabilities is on average one-third faster than for less critical threats, the maximum time required to apply a patch is a concern: “Whether critical or not, some patches take years to apply.

Only one-fifth of all vulnerabilities found are fixed in less than 30 days, the study explains, while 80% remain open for more than a month. On average, it takes a full 215 days for gaps to be closed. Of the vulnerabilities waiting 1000 days for a patch, 16% were classified as severe, with three-quarters of medium threat, it said. In the case of the ESXi vulnerability, there has been an alert for two years, a high-risk classification and also a patch to fix it. Despite this, a large number of organizations have been successfully attacked by exploiting the vulnerability.

The problem is well known: Calls for vulnerability and patch management from data protection regulators, for example, are a regular occurrence. “I look at the topic of information security with concern. On the one hand, many organizations still haven’t done their homework to eliminate known vulnerabilities in IT systems – the data breach reports show us how such vulnerabilities are exploited again and again, and often data can be leaked.” Marit Hansen, Schleswig-Holstein State Commissioner for Data Protection, February 2022.

When it comes to cybersecurity, companies face major challenges, she said: More than 22 vulnerabilities with CVE are published every day, with an average CVSS score of 7 or more, she said. Without professional vulnerability management, this can no longer be handled, Orange also explains.

This makes the early detection and recording of vulnerabilities in the company all the more important. Greenbone products can take a lot of the work out of this and provide security – as a hardware or virtual appliance or as a cloud service. The Greenbone Enterprise Feed, from which all Greenbone security products are fed, receives daily updates and thus covers a high percentage of risks. Our security experts have been researching the topic for over 10 years, so we can detect risks even in grown structures.

Vulnerability management is an indispensable part of IT security. It can find risks and provides valuable information on how to eliminate them. However, there is no such thing as one hundred percent security, and there is no single measure that is sufficient to achieve the maximum level of security – vulnerability management is an important building block. Only the totality of the systems deployed, together with comprehensive data protection and cyber security concepts, is the best possible security.

Osnabrück, March 8, 2023 – Our transformation from Greenbone Networks GmbH into the Greenbone AG was completed today by entry into the commercial register (HR B 218768) and is thus effective.

We have taken the next big step and become an AG. Why did we take this step? Our former managing director and also new CEO, Dr. Jan-Oliver Wagner, explains it like this:

“The conversion to a stock corporation is a pioneering step into the future for us. It is the result of the strong and self-financed growth of the past years into an established and industry-leading medium-sized company. With this step, we are simplifying the further development and expansion of our business relationships at home and abroad.”

Our board consists of two people, the second is Elmar Geese, who is already responsible for Greenbone’s marketing today:

“With our products for intelligent vulnerability management, we have the potential to evolve from a market leader in the open source sector to an even much stronger player. With our new positioning, and also with new products, we want to take this next big step.”

Dr. Jan-Oliver Wagner, CEO und Mitbegründer von Greenbone

Dr. Jan-Oliver Wagner, CEO

Elmar Geese, CIO und CMO

Elmar Geese, CMO/CIO

About Greenbone AG

Greenbone products identify security gaps, assess their risk potential and recommend measures for remediation. In this way, vulnerabilities are uncovered before they can cause damage.
Further information about Greenbone, its products, the topic of cyber security, and current vulnerabilities can be found here.

Media Contact
Britta Zurborn

Contact Free Trial Buy Here Back to Overview

A new wave of ransomware attacks has been threatening numerous servers in Europe. The attacks focus on the hypervisors in VMware’s virtualization server ESXi.
Patches are available, Greenbone’s products can protect and help to find the vulnerability.

The German BSI explicitly warns of the vulnerability and in its latest information on the security situation speaks of thousands of servers and a worldwide threat with a focus on Europe, the U.S. and Canada, using a vulnerability that the manufacturer already patched almost two years ago: (CVE-2021-21974).

Not only VMWare servers themselves at risk

According to IT security portal Hackernews, French provider OVHcloud has confirmed the open source implementation of the IETF Service Location Protocol (OpenSLP) as an entry point.

The threat to IT systems in this case is classified as business-critical – a successful attack with ransomware can therefore cause massive disruptions to regular operations. What is particularly serious about attacks of this type is that under certain circumstances not only institutions that use VMware ESXi themselves are affected, but also third parties – for example, via the server systems hosted in VMware virtualization.

France, Italy, Finland, Canada and the U.S.

Suspicions that European organizations and institutions were the main focus of attackers in the latest wave of attacks were also confirmed a few days later, when the Italian National Cybersecurity Agency ACN warned of the vulnerabilities and a “large-scale wave of attacks.” A Reuters report also speaks of attacks in Finland and the United States.

Users can protect themselves, however: The manufacturer VMware advises upgrading to the latest version of its software – and installing the patch. In general, systems like Greenbone Vulnerability Management help prevent such intrusions by finding the unpatched gaps and proactively warning administrators in reports.

Checking with the Greenbone Cloud

Installation of the VMware patch is free, as is an audit of their systems with the Greenbone Cloud Service Trial. In general, administrators should always ensure that all backups are secured against ransomware and examine log files for suspicious system access – the BSI lists six questions on the checklist in its warning that every administrator should ask themselves now.

Contact Free Trial Buy Here Back to Overview

For almost two years, Greenbone has been adding more and more tests from the recommendations of the Center for Internet Security (CIS) in its security feed. Among the newest ones are benchmarks for the container management solution Docker.

Docker is one of the most common container technologies in enterprise environments. Its increasing popularity within DevOps circles, ease-of-use and flexibility made it popular among developers and DevOPS. Therefore, the CIS is providing benchmark tests for configuration compliance in Docker environments which are „intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel who plan to develop, deploy, assess, or secure solutions that incorporate Docker“ – and Greenbone is happy to integrate these tests in its vulnerability management products.

Testing Docker environments for Vulnerabilities

The CIS benchmarks (more than 140 as of 2023) contain guidance on best practices for configuring IT systems, networks, and software. They are created together with developers, subject matter experts and companies in enterprise Docker environments and have become the reference for compliance testing regarding cybersecurity. The CIS benchmarks come in seven groups, (Operating System, Server Software, Cloud Provider Benchmarks, Mobile Device, Network Device, Desktop Software, Multi-Function Print Device), of which the Docker tests reside in the Server section. Greenbone has been supporting Docker for a while, continuously updating the tests.

Greenbone has been supporting CIS benchmarks for years

Since 2021, Greenbone has been integrating and continuously expanding CIS benchmarks in its products – now integrating the docker compliance benchmarks for Docker systems newer than Docker 1.4. All tests are combined by Greenbone into scan configurations and added to the Greenbone Enterprise Feed. The Greenbone product will run the set of tests on a target system, checking configuration and other settings, for example file permissions. Having done so, it returns a report with mitigation strategies to the administrator who can then adapt his systems to the recommendations for security compliance.

Certified by CIS

As a member CIS consortium Greenbone is continuously expanding its CIS Benchmark scan configurations – right now, for example, Greenbone is working on Kubernetes integration. Like all compliance policies developed by Greenbone on the basis of CIS Benchmarks, the latest ones are certified by CIS – this means maximum security when it comes to auditing a system according to CIS hardening recommendations. This not only simplifies the preparation of audits, important criteria can be checked in advance with a scan by a Greenbone product and, if necessary, any weaknesses found can be remedied before problems arise.

Contact Free Trial Buy Here Back to Overview