Tag Archive for: BSI

Greenbone AG

Salt Typhoon: Greenbone Covers All Vulnerabilities

On August 27, more than 20 security agencies published a Cybersecurity Advisory with the title “Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System”

 

Publishing authorities included:

  • United States National Security Agency (NSA)
  • United States Cybersecurity and Infrastructure Security Agency (CISA)
  • United States Federal Bureau of Investigation (FBI)
  • Germany Federal Intelligence Service (BND) – Bundesnachrichtendienst
  • Germany Federal Office for the Protection of the Constitution (BfV) – Bundesamt für Verfassungsschutz
  • Germany Federal Office for Information Security (BSI) – Bundesamt für Sicherheit in der Informationstechnik

plus many more.

This is bad news. Good news is that Greenbone customers using the OPENVAS products are able to detect all vulnerabilities in this attack

  1. CVE-2024-21887 – Ivanti Connect Secure and Ivanti Policy Secure web-component command injection vulnerability, commonly chained after CVE-2023-46805 (authentication bypass).
  2. CVE-2024-3400 – Palo Alto Networks PAN-OS GlobalProtect arbitrary file creation leading to OS command injection. The CVE allows for unauthenticated remote code execution (RCE) on firewalls when GlobalProtect is enabled on specific versions/configurations.
  3. CVE-2023-20273 – Cisco Internetworking Operating System (IOS) XE software web management user interface flaw enabling post-authentication command injection/privilege escalation [T1068], commonly chained with CVE-2023-20198 for initial access to achieve code execution as root.
  4. CVE-2023-20198 – Cisco IOS XE web user interface authentication bypass vulnerability.
  5. CVE-2018-0171 – Cisco IOS and IOS XE smart install remote code execution vulnerability.

We strongly advise our customers to scan their systems and follow the information for patches, if affected.

Contact Test Now Buy Here Back to Overview

/by
Markus Feilner

Massive Weaknesses in Government Data Centers, Says Bundesrechnungshof

Germany’s Bundesrechnungshof has sharply criticized the current state of cybersecurity in the federal administration. Der Spiegel quotes a document classified as confidential, which concludes that significant parts of the government’s IT infrastructure have serious security flaws and do not meet the minimum requirements of the Federal Office for Information Security (BSI).

The Bundesrechnungshof (BRH) is Germany’s supreme audit institution responsible for the federal government’s budgetary and economic oversight. It examines whether federal authorities, ministries, federal enterprises, and other public institutions are using taxpayers’ money properly, economically, and efficiently. It is independent of both the federal government and the Bundestag.

The report criticizes the lack of a central, cross-departmental information security control system. It also states that the existing security architecture must become more efficient.

Inadequate Governance  and NIS2 Preparation

Another point of criticism concerns the requirements of the NIS 2 Directive [1] [2] [3]. This introduces significant new obligations for federal authorities and KRITIS-related organizations – particularly with regard to prevention, documentation requirements, and BSI oversight. Many institutions are neither technically nor organizationally prepared for this.

The Court of Auditors welcomes the fact that the adjustment of Germany’s debt limit will allow targeted investment in cybersecurity. However, the investments are tied to the demonstrable effectiveness of the measures. In practice, this means only those who can prove their security measures lead to concrete improvements will receive future funding.

Increasing Pressure to Act

The report highlights growing pressure on public administration. The threat landscape continues to worsen, with annual damages in the hundreds of billions. The BRH is calling for a shift toward structured, data-driven, and sustainable security management.

The widespread failure is alarming. Serious weaknesses have been found in almost all data centers of German public authorities – with dramatic consequences for the security, resilience, and trustworthiness of the government’s IT infrastructure. Public authorities and KRITIS operators must take action now and introduce modern vulnerability management.

In many cases, there is not even an emergency power supply, and fewer than one in ten examined data centers meet the BSI’s minimum standards for high availability. According to the investigation, this is concerning: lack of redundancy, outdated systems, and insufficient reliability all jeopardize the functionality of critical infrastructure in the event of a crisis.

Over 180 Billion Euros in Damage Every Year

The damage is already being done: according to current figures, cyberattacks cause over 180 billion euros in damage every year in Germany. Acts of sabotage, hybrid attacks, and blackout scenarios have long been a reality – and the trend is rising.

However, the German BRH identifies many shortcomings: a lack of structured information security, cross-departmental and data-based IT risk management, and appropriate governance . Reliable information is lacking – without which it is impossible to realistically assess risk levels or progress in individual cases, let alone provide evidence.

Greenbone’s Vulnerability Management Helps

When it comes to implementing the right measures and proving their effectiveness, solutions like those offered by Greenbone come into play. Modern vulnerability management provides a decisive strategic advantage. Among other things, it provides a reliable, robust basis to support data-driven decision-making for administrators and management.

Greenbone’s OPENVAS automatically, continuously, and objectively detects, evaluates, and prioritizes vulnerabilities. This creates a reliable foundation for IT governance  structures – even in ministries, government agencies, and other public-sector enterprises. Vulnerability Management also ensures the essential transparency in times of growing accountability – thus becoming a mandatory component rather than a “nice-to-have.”

Greenbone Vulnerability Management reports contain CVSS ratings, trend analyses, and progress indicators. Authorities can use these not only for internal documentation but also to demonstrate measurable improvements to audit offices and ministries.

Equipped for NIS2

The new NIS2 directive tightens requirements for operators of critical infrastructure. It defines new responsibilities, expands BSI controls and reporting obligations, and specifies the software components to be used. As a result, more companies are dealing with the upcoming German version of the regulation.

Greenbone’s solutions actively support public authorities and KRITIS-related organizations in preparing for regulatory audits. Features such as automated vulnerability management, audit-proof reporting, and audit trails provide security, even under increasing regulatory control.

Webinars Help with Prevention – Now Is the Time to Act!

Greenbone customers receive concrete help when it comes to meeting BSI requirements in the data center, preparing for audits, and viewing vulnerability management as part of emergency preparedness. After all, prevention is always cheaper and more effective than crisis management.

The report by the German BRH is a wake-up call – and an opportunity. And because cybersecurity begins with visibility, Greenbone is the right choice. Contact us or attend our webinars – like the latest series for public authorities and KRITIS, offering in-depth information on implementing the NIS 2 Directive, data center hardening, and georedundancy, as well as on the basic structure of vulnerability control . Dates, content, and registration can be found on the website.

Contact Test Now Buy Here Back to Overview

/by
Markus Feilner

TÜV Study on Cyber Security: German Companies Still Under Pressure

Companies operate under a “false sense of security,” warn the BSI and TÜV. This may sound surprising given the persistent threats. However, it is backed up by a recent study on cyber security in companies.

Many companies underestimate the situation, overestimate their own capabilities, and fail to take sufficient protective measures. These and other findings were made by the German Technical Inspection Association (TÜV) and the German Federal Office for Information Security (BSI). Only half of those surveyed were aware of NIS-2, which is alarming given that 29,000 additional companies will be affected by it. At the same time, over 90 percent consider their own security to be good or very good. Shockingly, for a quarter, IT security only plays a minor role.

BSI Management Is Concerned

The head of the BSI, Claudia Plattner, is concerned and warns that Germany still faces significant challenges ahead. Plattner also refers to the EU’s Cyber Resilience Act, which prescribes minimum requirements for networked products in Europe. TÜV notes that while awareness of the problem has grown, many companies still are not sufficiently prepared.

Dr. Michael Fübi, President of the TÜV Association, and Claudia Plattner, BSI President, at the presentation of the study, Source: BSI

Four Percent More Victims of Cyber Attacks

The 58-page study contains numerous worrying findings. The number of cyberattacks on companies increased be four percent over the last year – now impacting roughly one in seven. In almost all cases (84 percent) the intrusion was carried out via phishing. More and more threat actors utilise AI in their attacks, while it is hardly used by defenders (51 percent vs. 10 percent). Seven out of ten respondents consider security standards to be important, but only 20 percent put them into practice.

“Cybersecurity in German companies” – the TÜV Cybersecurity Study 2025

The TÜV Association is therefore calling on politicians to prioritize cybersecurity and include it in the overarching security strategy, as well as to clarify responsibilities more clearly. NIS2 and CRA must be “launched swiftly” despite all the delays to date.

TÜV’s Recommendations for Business

According to TÜV, companies should take threats seriously and carry out qualified risk analyses regularly. A cyber strategy is essential, as are security guidelines with measurable objectives, clearly assigned responsibilities, and concrete action plans.

Differences Between Large and Small Companies

The study reveals a striking difference based on company size. While 95% of companies with more than 250 employees give great importance to IT security, only two thirds of companies with up to 50 employees do so. Only in terms of self-assessment do large and small companies agree: over 90% consider themselves to be well protected, regardless of company size. However, almost half of large companies (41%) are aware of the high risk in the supply chain, while only 21% of small companies share this assessment. 78% of companies with fewer than 50 employees also do not believe that the supply chain poses a risk of cyberattack.

Origin Unknown

Although most companies fear criminal or state-sponsored attackers, internal actors are perceived as less of a threat. Only 9 percent were able to attribute attacks to a regional source, with 6 percent of the incidences coming from China, according to the more than 500 respondents.

Investment in Cyber Security

27% of companies also increased their IT security budget over the last year, while 15% hired additional experts – a slightly lower ratio than in the previous year. Around 20 percent of companies try to increase security by either using increasing or reducing the use of cloud services. Pentesting and emergency drills are also at the bottom of the list at around 25% each.

The majority of investments focus on hardware updates, new cybersecurity software, and measures for networked systems – exactly the areas covered by Greenbone’s specialized products.

Conclusion: Unspecific Threat, Known Methods, Lack of Security Discipline

Looking at the results of the study, the conclusion will be evident that, although it is by no means clear where the attacks are coming from, the successful methods of attack seem clear. There is also an asymmetry in the use of technology, as the example of AI shows.

The fact that almost 80 percent of respondents admit to only implementing common security standards to a limited extent is a clear warning sign – for BSI, Politicians, and security experts alike. Unsurprisingly, the TÜV association is calling on the German government to advance cyber security, and implement regulations quickly. After all, this is what the majority of respondents want.

Contact Test Now Buy Here Back to Overview

/by
Markus Feilner

Dennis-Kenji Kipker about the future of NIS2 in Germany and Europe

With the new elections, the implementation of NIS2 in Germany appears to have been halted for the time being. While other European countries are already ready, German companies will have to wait several more months until legal certainty is established. Everything has actually been said, templates have been drawn up, but the change of government means a new start is necessary.

We spoke to one of the leading experts on NIS2: Dennis-Kenji Kipker is Scientific Director of the cyberintelligence.institute in Frankfurt/Main, professor at the Riga Graduate School of Law and regularly consults as an expert at the German Federal Office for Information Security (BSI) and many other public and scientific institutions.

Why did the German government reject the final NIS2 draft?

Portrait of Prof. Dr. Dennis-Kenji Kipker, expert in IT law and cyber security, in an interview on the implementation of the NIS2 Directive

Prof. Dr. Dennis-Kenji Kipker

Kipker: This is due to the so-called discontinuity principle. Just like with the old government, all unfinished projects must be archived. “Due to the early elections, the parliamentary procedure for the NIS2UmsuCG could not be completed” is the official term. In line with the principle of discontinuity, when a newly elected Bundestag is constituted, all bills not yet passed by the old Bundestag must be reintroduced and renegotiated. This means that the work already done on NIS2 will fall by the wayside. But you can of course build on this and reintroduce almost the same text.

Will that happen?

Kipker: There is an internal 100-day plan from the Federal Ministry of the Interior for the period after the election. According to rumors, cybersecurity is a very high priority in the plan, and NIS2 in particular is now to be implemented very quickly. If this can be implemented before fall/winter 2025 (the actual current schedule), Germany will at least avoid the embarrassment of bringing up the rear in Europe.

Is that realistic?

Kipker: You would have to recycle a lot, i.e. take over things from the last legislative period despite the principle of discontinuity. Now, it seems that the current Ministry of the Interior wants to do just that. Only the politicians and officials directly involved know whether this is realistic. However, 100 days seems very ambitious to me in the Berlin political scene, even if everyone involved pulls together. There would need to be a budget, the current NIS2UmsuCG draft would need to be revised and addressed but also finalized, and the German scope of application of the law would need to be clarified and aligned with EU law. Furthermore, at the end of 2024 and the beginning of 2025, attempts were still being made to push through many things in the Bundestag after the expert hearing on NIS2, some of which are rather questionable. In any case, this would have to be renegotiated politically and evaluated technically.

When do you think this will happen?

Kipker: It’s hard to say, but even if you break the 100-day deadline, it should be feasible to complete a national NIS2 implementation before the winter of 2025/2026. But that’s just a very preliminary assumption that I keep hearing from “usually well-informed circles”. One way or another, we will be at the bottom of the league when it comes to Europe-wide implementation, and all the current ambitions won’t change that.

And what is the situation like in other European countries?

Kipker: A lot is happening right now. It has been recognized, for example, that the different national implementations of NIS2 lead to frictional losses and additional costs for the affected companies – that’s not really surprising. A few weeks ago, the European Union Agency For Cybersecurity (ENISA) published a report that is well worth reading, which explains and evaluates the maturity and criticality of relevant NIS2 sectors in a European comparison. “NIS360 is intended to support Member States and national authorities in identifying gaps and prioritizing resources”, writes the EU cybersecurity authority. And we at cyberintelligence.institute have produced a comprehensive study on behalf of the Swiss company Asea Brown Boveri, which also takes a closer look at the EU-wide implementation of the NIS2 directive.

What key insight did you gain there?

Kipker: The Comparison Report is primarily aimed at transnationally operating companies that are looking for a first point of contact for cybersecurity compliance. Above all, there is a lack of central administrative responsibilities in the sense of a “one-stop store”, and the diverging implementation deadlines are causing problems for companies. As of the end of January, only nine EU states had transposed NIS2 into national law, while the legislative process had not yet been completed in 18 other states. Another key insight: Just because I am NIS2-compliant in one EU member state does not necessarily mean that this also applies to another member state.

So, Germany may not be a pioneer, but it is not lagging behind either?

Kipker: We are definitely not at the forefront, but if we manage to implement it nationally this year, we may not be the last, but we will be among the last. My guess in this respect now is that we won’t have really reliable results until the fourth quarter of 2025. So, it’s going to be close to avoid being left in the red after all. Politicians will have to decide whether this can meet our requirements in terms of cyber security and digital resilience.

Where can affected companies find out about the current status?

Kipker: There are ongoing events and opportunities for participation. On March 18, for example, there will be a BSI information event (in German language) where you can ask about the plans. Then, in May 2025, there will also be the NIS-2 Congress right next door to us in Frankfurt, for which the “most recognized NIS-2 Community Leader” has just been selected. There will certainly be one or two interesting tidbits of information to pick up here. Otherwise, feel free to contact me at any time if you have any questions about NIS2!

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Greenbone Audits CIS Google Chrome Benchmarks

Web browsers are a primary gateway to business and consequently they are also a primary gateway for cyber attacks. Malware targeting browsers could gain direct unauthorized access to a target’s network and data or social engineer victims into providing sensitive information that gives the attacker unauthorized access, such as account credentials. In 2024, major browsers (Chrome, Firefox, and Safari) accounted for 59 Critical severity (CVSS3 ³ 9) and 256 High severity (CVSS3 between 7.0 and 8.9) vulnerabilities. 10 CVEs (Common Vulnerabilities and Exposures) in the trifecta were added to the KEV (Known Exploited Vulnerabilities) catalog of CISA (Cybersecurity & Infrastructure Security Agency). Browser security should therefore be top-of-mind for security teams.

In light of this, we are proud to announce the addition of CIS Google Chrome Benchmark v3.0.0 Level 1 auditing to our list of compliance capabilities. This latest feature allows our Enterprise feed subscribers to verify their Google Chrome configurations against the industry-leading CIS compliance framework of the CIS (Center for Internet Security). The new Google Chrome benchmark tests will sit among our other CIS controls in critical cybersecurity areas such as Apache, IIS, NGINX, MongoDB, Oracle, PostgreSQL, Windows and Linux [1] [2].

CIS Google Chrome Benchmark for Windows

The CIS Google Chrome Benchmark v3.0.0 Level 1 is now available in the Greenbone Enterprise Feed. It establishes a hardened configuration for the Chrome browser. For Windows, implementing the controls involves setting Windows registry keys to define Chrome’s security configuration. Continuous attestation is important because if modified at the user level Chrome becomes more vulnerable to data-leakage, social engineering attacks or other attack vectors.

Our Enterprise vulnerability feed uses compliance policies to run tests on target endpoints, verifying each requirement in the CIS benchmark through one or more dedicated vulnerability tests. These tests are grouped into scan configurations which can be used to create scan tasks that access groups of target systems to verify their security posture. When aligning with internal risk requirements or mandatory government policies, Greenbone has you covered.

The Importance of Browser Security

Much of the critical information flowing through the average organization is transmitted through the browser. The rise of a remote workforce and cloud-based web-applications means that web browsers are a primary interface for business activities. Not surprisingly, in the past few years, Internet browsers have been a hotbed for exploitation. National cybersecurity agencies such Germany’s BSI [3] [4], CISA [5] [6], and the Canadian Centre for Cyber Security [7] have all released advisories for addressing the risks posed by Internet browsers.

Browsers can be exploited via technical vulnerabilities and misconfigurations that could lead to remote code execution, theft of sensitive data and account takeover, but are also a conduit for social engineering attacks. Browser security must be addressed by implementing a hardened security profile and continuously attesting it and by regularly applying updates to combat any recently discovered vulnerabilities. Greenbone is able to detect known vulnerabilities for published CVEs in all major browsers and now with our latest CIS Google Chrome Benchmark certification, we can attest industry standard browser compliance.

How Does the CIS Google Chrome Benchmark Improve Browser Security?

Every CIS Benchmark is developed through a consensus review process that involves a global community of subject matter experts from diverse fields such as consulting, software development, auditing, compliance, security research, operations, government, and legal. This collaborative process is meant to ensure that the benchmarks are practical and data-driven and reflect real-world expertise. As such, CIS Benchmarks serve as a vital part of a robust cybersecurity program.

In general, CIS Benchmarks focus on secure technical configuration settings and should be used alongside essential cyber hygiene practices, such as monitoring and promptly patching vulnerabilities in operating systems, applications and libraries.

The CIS Google Chrome Benchmark defines security controls such as:

  • No domains can bypass scanning for dangerous resources such as phishing content and malware.
  • Strict verification of SSL/TLS certificates issued by websites.
  • Reducing Chrome’s overall attack surface by ensuring the latest updates are automatically applied periodically.
  • Chrome is configured to detect DNS interception which could potentially allow DNS hijacking.
  • Chrome and extensions cannot interact with other third party software.
  • Websites and browser extensions cannot abuse connections with media, the local file system or external devices such as Bluetooth, USB or media casting devices.
  • Only extensions from the Google Chrome Web Store can be installed.
  • All processes forked from the main Chrome process are stopped once the Chrome application has been closed.
  • SafeSites content filtering blocks links to adult content from search results.
  • Prevent importing insecure data such as auto-fill form data, default homepage or other configuration settings.
  • Ensuring that critical warnings cannot be suppressed.

Greenbone Is a CIS Consortium Member

As a member of the CIS consortium, Greenbone continues to enhance its CIS Benchmark scan configurations. All our CIS Benchmarks policies are aligned with CIS hardening guidelines and certified by CIS, ensuring maximum security for system audits. Also, Greenbone has added a new compliance view to the Greenbone Security Assistant (GSA) web-interface, streamlining the process for organizations seeking to remove security gaps from their infrastructure to prevent security breaches.

Summary

CIS Controls are critical for safeguarding systems and data by providing clear, actionable guidance on secure configurations. The CIS Google Chrome Benchmark is especially vital at the enterprise level, where browsers impact many forms of sensitive data. It’s exciting to announce that Greenbone is expanding the industry leading vulnerability detection capabilities with a new compliance scan: the CIS Google Chrome Benchmark v3.0.0 Level 1. With this certification, Greenbone continues to strengthen its position as a trusted ally in proactive cybersecurity. This latest feature reflects our dedication to advancing IT security and protecting against evolving cyber threats.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

November 2024 Threat Report: Vulnerability Management is Becoming Crucial

The world may be entering into a new phase of cyber, and a new technological paradigm. So-called “industry leading” or “enterprise grade” software is perpetually shown to be vulnerable with new critical vulnerabilities exposed and evidence of active exploitation on a weekly basis. Fancy new features keep us engaged but, considering the risk of fast-moving technologies, it’s important to work with organizations that keep things simple, stick to their core competencies and do things right.

In this November 2024’s edition of the Greenbone vulnerability report, we examine some recently released reports from the BSI and CISA to see what government cybersecurity agencies make of the current threat environment, then we follow up with news of the most pressing and actively exploited vulnerabilities in this month. Considering the high degree of risk presented by the current landscape of cybersecurity threats, it’s important to prioritize the fundamentals of IT security – and software design – to avoid building operations on a proverbial house of cards.

BSI Releases Its Annual IT Security Summary for 2024

Policy in the EU continues to rapidly evolve in response to increasing cyber risk. Cybersecurity for all requires cross-border cooperation on many levels. According to the 2024 summary report, the German Federal Office for Information Security (BSI) is focused on harmonizing national specifications with cybersecurity best practices while considering the economic and technical feasibility of new measures. Referred to as the “Europeanisation of Cybersecurity”, European standardisation and Germany’s collaboration with the three European Standardisation Organisations CEN, CENELEC and ETSI promote a risk-based approach to enforcing security best practices among critical infrastructure and providers of virtually all digital products.

Regarding the Cyber Resilience Act (CRA), each member state will have authority to remove non-compliant products from the market and penalise offending vendors. “Important products” (Class I), such as password managers and routers, must follow harmonised European standards (hEN). Regarding NIS2, the BSI received 726 reports representing 141 incidents from critical infrastructure facilities so far in 2024. This includes sectors like healthcare, energy, water, food, IT and telecommunications, financial and insurance services, among others.

The BSI also observed an overall increase in new malware variants and 256% increase in malware exploiting Windows. Reading the full report relays trends in attacker behaviors such as an increase in Bring Your Own Vulnerable Driver (BYOVD) attacks capable of disabling EDR security products. There were also ongoing efforts to sinkhole botnets that contribute to mass exploitation attacks at scale, and the continuing fragmentation of cybercrime activities into initial access brokering and second stage ransomware groups.

How do these observations pertain to Greenbone and vulnerability management in general? While effective vulnerability management and compliance auditing are only one piece of the enterprise cybersecurity puzzle, closing known security gaps and regularly attesting strong security configurations is a critical core competency that all organizations need to master.

CISA’s Most Exploited Vulnerabilities of 2023 Are Revealing

The 2023 Top Routinely Exploited Vulnerabilities report from the Cybersecurity & Infrastructure Security Agency (CISA) observed an increase in exploited zero-day vulnerabilities compared to 2022 and their use in attacks on high-priority targets. Other than zero-days, the report lists the top 47 CVEs (Common Vulnerabilities and Exposures) exploited by attackers. Networking (40%) and productivity software (34%) make up the vast majority of highly targeted CVEs. There is also a strong trend in the type of software flaws most exploited. Mishandling untrusted input accounts for 38% of the most attacked software flaws, while improper authentication and authorization make up 34%. Sadly, considerations for securing these flaws are elementary, covered in application design 101. Also, 90% of the top exploited vulnerabilities in the report are in closed source proprietary products indicating that cyber criminals are not hindered by reverse engineering barriers.

While the EU is motivated to improve security via legal requirements, CISA continues its plea for software vendors to employ Secure by Design principles during development stages. They also suggest that more pay-to-hack bug bounty programs could incentivize ethical security researchers.

Multiple Critical Flaws in Palo Alto Products Attacked

On November 8, 2024, Palo Alto Networks issued a security advisory revealing a zero-day remote code execution (RCE) vulnerability affecting its PAN-OS operating system. The advisory was soon updated after evidence of active exploitation emerged. Here is a summary of new vulnerabilities in Palo Alto products disclosed in November 2024.

  • CVE-2024-0012 (CVSS 9.8 High): An authentication bypass in PAN-OS allows unauthenticated access to administrator privileges. Attackers may perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474.
  • CVE-2024-9474 (CVSS 7.2 High): A privilege escalation vulnerability in PAN-OS software allows PAN-OS administrators to perform actions on the firewall with root privileges.
  • CVE-2024-9463 (CVSS 7.5 High): An OS command injection vulnerability in Expedition allows an unauthenticated attacker to run arbitrary OS commands as root. This allows unauthorized disclosure of usernames, cleartext passwords, device configurations and device API keys of PAN-OS firewalls.
  • CVE-2024-9465 (CVSS 9.1 High): SQL injection could allow an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations and device API keys, or create and read arbitrary files on the Expedition system.
  • CVE-2024-5910 (CVSS 9.8 High): Missing authentication for a critical function in Expedition can lead to admin account takeover remotely and expose configuration secrets, credentials and other data.

Greenbone is able to detect all new CVEs published in Palo Alto devices in November 2024. Ideally, ensure networking management interfaces are not accessible via the public Internet and for best practices, use firewall configuration to prevent access from unauthorized internal network endpoints.

US Critical Telecom Infrastructure Breached

The recent breaches involving major US telecom providers serves as a stark warning to all organizations operating complex IT infrastructure at scale. Blame has been laid on Chinese backed hacking groups who reportedly used the access to intercepted U.S. political officials’ calls, SMS text-messages and intercepted mobile metadata. According to Adam Meyers, vice president of intelligence at CrowdStrike, by compromising the telecoms directly, threat actors circumvent the need for breaching the individual networks of their targets. Considering the sheer number of critical vulnerabilities in products from US networking vendors such as Palo Alto Networks, Oracle, Cisco, Citrix, Ivanti, Broadcom, Microsoft and Fortinet more intensive application security testing would greatly reduce the risk to their core customers – US companies at home and abroad, and other large global firms.

Liminal Panda, Salt Typhoon, Volt Typhoon and others are known to attack “shadow IT” – legacy mobile protocols that IT administrators are not aware is still active or actively monitoring. Sophisticated, highly skilled APT actors are highly adaptable and have the resources to develop malware for virtually any known vulnerability that is exploitable, as well as actively develop zero-day exploits yet unknown.

5 Privilege Escalation Flaws Found in Ubuntu’s Needrestart

A flaw in Ubuntu’s Needrestart feature could allow an unprivileged local attacker to execute shell commands as root user. The new CVEs impact all versions of Needrestart going back to 2014. Needrestart determines whether any processes need to be restarted after systemwide packages are updated to avoid a full reboot and is invoked by the apt package manager. The vulnerability is caused when untrusted data such as environment variables are passed unsanitized to the Module::ScanDeps library which executes as root. These user-level environment variables can also influence Python and Ruby interpreters during Needrestart’s execution.

The vulnerabilities can be mitigated by updating Needstart to a patched version or by disabling the interpreter scanning feature by setting $nrconf{interpscan} = 0 in the needrestart.conf configuration file. Greenbone includes detection for all CVEs related to Needrestart feature [1][2][3].

Here is a brief description the newly disclosed CVEs:

  • CVE-2024-11003 (CVSS 7.8 High): Unsanitized data passed to the Module::ScanDeps library could allow a local attacker to execute arbitrary shell commands.
  • CVE-2024-10224 (CVSS 5.3): Unsanitized input passed to the Module::ScanDepscan library allows execution of arbitrary shell commands by opening a “pesky pipe” (such as passing “commands|” as a filename) or by passing arbitrary strings to eval().
  • CVE-2024-48990 (CVSS 7.8 High): Allows local attackers to execute arbitrary code as root by tricking Needrestart into running the Python interpreter via the PYTHONPATH environment variable.
  • CVE-2024-48991 (CVSS 7.8 High): Allows local attackers to execute arbitrary code as root by winning a race condition and pointing Needrestart to a fake Python interpreter instead of the system’s real Python interpreter.
  • CVE-2024-48992 (CVSS 7.8 High): Allows local attackers to execute arbitrary code as root by tricking needrestart into running the Ruby interpreter via the RUBYLIB environment variable.

Is Third Time the Charm for VMware vCenter Critical RCE Flaws?

VMware has been grappling with the challenge of effectively patching critical vulnerabilities in its vCenter server products. Broadcom, which owns VMware, initially released patches in September for two significant vulnerabilities in vCenter, CVE-2024-38812 (CVSS 9.8 High) classified as a heap-overflow vulnerability in the implementation of the DCERPC protocol, and CVE-2024-38813 (CVSS 9.8 High) which offers privilege escalation via ​​specially crafted network packets.

However, these initial patches were insufficient, prompting a second round of patches in October. Despite these efforts, it was confirmed in November that the CVEs were still vulnerable and had been exploited in the wild. vCenter is a prime target for attackers due to its widespread use, and the situation highlights ongoing security challenges. VMware users should apply patches promptly. When CVEs such as these in VMware vCenter are updated with new information, Greenbone’s team of security analysts reviews the changes and updates our vulnerability tests accordingly.

Helldown Ransomware Exploiting Zyxel and Its Customers

In November 2024, a Linux variant of the Helldown ransomware payload was discovered. Helldown is known to exploit the IPSec VPN of Zyxel devices via CVE-2024-42057 (CVSS 8.1 High) for initial access. After gaining a foothold, Helldown steals any accessible credentials and creates new users and VPN tunnels to maintain persistence. The new variant targets VMware ESXi virtual machines to exfiltrate their data and encrypt them. This technique is shared by other ransomware groups such as the Play gang.

The Helldown ransomware group is considered an emerging threat, claiming over 30 victims since August, including the maker of Zyxel products themselves. Zyxel has issued an article acknowledging the attacks with mitigation instructions and Truesec has published known Helldown TTP (Tactics Techniques and Procedures) from their response efforts. Greenbone is able to detect all vulnerabilities known to be associated with Helldown ransomware attacks including CVE-2024-42057 in Zyxel products [1][2][3] as well as known software vulnerabilities used by other ransomware threat actors to gain initial access, escalate privileges and move laterally to high value targets within the victim’s network.

Summary

From EU policy advancements to CISA’s insights on exploited vulnerabilities: the critical need for better software development practices, effective vulnerability management and defense in depth is evident. November’s events, such as Palo Alto’s zero-days, Ubuntu’s Needrestart flaws and VMware vCenter’s ongoing challenges, emphasize the importance of timely monitoring and patching of critical infrastructure. Emerging threats like Helldown ransomware reinforce the need for proactive defense strategies. Greenbone continues to support organizations by detecting critical vulnerabilities, providing actionable insights and advocating for a security-first approach with fundamental IT security best practices.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

Understanding CSAF 2.0 Stakeholders and Roles

The Common Security Advisory Framework (CSAF) is a framework for providing machine-readable security advisories following a standardized process to enable automated cybersecurity information sharing. Greenbone is continously working on the integration of technologies that leverage the CSAF 2.0 standard for automated cybersecurity advisories. For an introduction to CSAF 2.0 and how it supports next-generation vulnerability management, you can refer to our previous blog post.

In 2024, the NIST National Vulnerabilities Database (NVD) outage has disrupted the flow of critical cybersecurity intelligence to downstream consumers. This makes the decentralized CSAF 2.0 model increasingly relevant. The outage highlights the need for a decentralized cybersecurity intelligence framework for increased resilience against a single point of failure. Those who adopt CSAF 2.0, will be one step closer to a more reliable cybersecurity intelligence ecosystem.

Table of Contents

1. What We Will Cover in this Article
2. Who Are the CSAF Stakeholders?
2.1. Understanding Roles in the CSAF 2.0 Process
2.1.1. CSAF 2.0 Issuing Parties
2.1.1.1. Understanding the CSAF Publisher Role
2.1.1.2. Understanding the CSAF Provider Role
2.1.1.3. Understanding the CSAF Trusted-Provider Role
2.1.2. CSAF 2.0 Data Aggregators
2.1.2.1. Understanding the CSAF Lister Role
2.1.2.2. Understanding the CSAF Aggregator Role
3. Summary

1. What We Will Cover in this Article

This article will provide a detailed explanation of the various stakeholders and roles defined in the CSAF 2.0 specification. These roles govern the mechanisms of creating, disseminating and consuming security advisories within the CSAF 2.0 ecosystem. By understanding who the stakeholders of CSAF are and the standardized roles defined by the CSAF 2.0 framework, security practitioners can better realize how CSAF works, whether it can serve to benefit their organization and how to implement CSAF 2.0.

2. Who Are the CSAF Stakeholders?

At the highest level, the CSAF process has two primary stakeholder groups: upstream producers who create and supply cybersecurity advisories in the CSAF 2.0 document format and downstream consumers (end-users) who consume the advisories and apply the security information they contain.

Upstream producers are typically software product vendors (such as Cisco, Red Hat and Oracle) who are responsible for maintaining the security of their digital products and providing publicly available information about vulnerabilities. Upstream stakeholders also include independent security researchers and public entities that act as a source for cybersecurity intelligence such as the US Cybersecurity Intelligence and Security Agency (CISA) and the German Federal Office for Information Security (BSI).

Downstream consumers consist of private corporations who manage their own cybersecurity and Managed Security Service Providers (MSSPs), third-party entities that provide outsourced cybersecurity monitoring and management. The information contained in CSAF 2.0 documents is used downstream by IT security teams to identify vulnerabilities in their infrastructure and plan remediation and by C-level executives for assessing how IT risk could negatively impact operations.

Diagram of the CSAF 2.0 stakeholders: On the left, the upstream producers such as software vendors, authorities, and researchers; on the right, the downstream consumers such as CERTs, SOC teams, and security platforms – connected through the CSAF 2.0 advisory format.

The CSAF 2.0 standard defines specific roles for upstream producers that outline their participation in creating and disseminating advisory documents. Let’s examine those officially defined roles in more detail.

2.1. Understanding Roles in the CSAF 2.0 Process

CSAF 2.0 Roles are defined in Section 7.2. They are divided into two distinct groups: Issuing Parties (“Issuers”) and Data Aggregators (“Aggregators”). Issuers are directly involved in the creation of advisory documents. Aggregators collect those documents and distribute them to end-users, supporting automation for consumers. A single organization may fulfill the roles of both an Issuer and an Aggregator, however, these functions should operate as separate entities.  Obviously, organizations who act as upstream producers must also maintain their own cybersecurity. Therefore, they may also be a downstream consumer – ingesting CSAF 2.0 documents to support their own vulnerability management activities.

Diagram of the CSAF 2.0 upstream roles, showing the groups Issuing Parties (Producer, Provider, Trusted Provider) and Data Aggregators (Lister, Aggregator), who forward cybersecurity advisories to downstream consumers.

Next, let’s break down the specific responsibilities for CSAF 2.0 Issuing Parties and Data Aggregators.

2.1.1. CSAF 2.0 Issuing Parties

Issuing Parties are the origin of CSAF 2.0 cybersecurity advisories. However, Issuing Parties are not responsible for transmitting the documents to end-users. Issuing Parties are responsible for indicating if they do not want their advisories to be listed or mirrored by Data Aggregators. Also, CSAF 2.0 Issuing Parties can also act as Data Aggregators.

Here are explanations of each sub-role within the Issuing Parties group:

2.1.1.1. Understanding the CSAF Publisher Role

Publishers are typically organizations that discover and communicate advisories only on behalf of its own digital products. Publishers must satisfy requirements 1 to 4 in Section 7.1 of the CSAF 2.0 specification. This means issuing structured files with valid syntax and content that adhere to the CSAF 2.0 filename conventions described in Section 5.1 and ensuring that files are only available via encrypted TLS connections. Publishers must also make all advisories classified as TLP:WHITE publicly accessible.

Publishers must also have a publicly available provider-metadata.json document containing basic information about the organization, its CSAF 2.0 role status, and links to an OpenPGP public key used to digitally sign the provider-metadata.json document to verify its integrity. This information about the Publisher is used downstream by software apps that display the publisher’s advisories to end-users.

2.1.1.2. Understanding the CSAF Provider Role

Providers make CSAF 2.0 documents available to the broader community. In addition to meeting all the same requirements as a Publisher, a Provider must provide its provider-metadata.json file according to a standardized method (at least one of the requirements 8 to 10 from Section 7.1), employ standardized distribution for its advisories, and implement technical controls to restrict access to any advisory documents with a TLP:AMBER or TLP:RED status.

Providers must also choose to distribute documents in either a directory-based or the ROLIE-based method. Simply put, directory-based distribution makes advisory documents available in a normal directory path structure, while ROLIE (Resource-Oriented Lightweight Information Exchange) [RFC-8322] is a RESTful API protocol designed specifically for security automation, information publication, discovery and sharing.

If a Provider uses the ROLIE-based distribution, it must also satisfy requirements 15 to 17 from Section 7.1. Alternatively, if a Provider uses the directory-based distribution it must satisfy requirements 11 to 14 from Section 7.1.

2.1.1.3. Understanding the CSAF Trusted-Provider Role

Trusted-Providers are a special class of CSAF Providers who have established a high level of trust and reliability. They must adhere to stringent security and quality standards to ensure the integrity of the CSAF documents they issue.

In addition to meeting all the requirements of a CSAF Provider, Trusted-Providers must also satisfy the requirements 18 to 20 from Section 7.1 of the CSAF 2.0 specification. These requirements include providing a secure cryptographic hash and OpenPGP signature file for each CSAF document issued and ensuring the public part of the OpenPGP signing key is made publicly available.

2.1.2. CSAF 2.0 Data Aggregators

Data Aggregators focus on the collection and redistribution of CSAF documents. They act as a directory for CSAF 2.0 Issuers and their advisory documents and intermediary between Issuers and end-users. A single entity may act as both a CSAF Lister and Aggregator. Data Aggregators may choose which upstream Publishers’ advisories to list or collect and redistribute based on their customer’s needs.

Here are explanations of each sub-role in the Data Aggregator group:

2.1.2.1. Understanding the CSAF Lister Role

Listers gather CSAF documents from multiple CSAF Publishers and list them in a centralized location to facilitate retrieval. The purpose of a Lister is to act as a sort of directory for CSAF 2.0 advisories by consolidating URLs where CSAF documents can be accessed. No Lister is assumed to provide a complete set of all CSAF documents.

Listers must publish a valid aggregator.json file that lists at least two separate CSAF Provider entities and while a Lister may also act as an Issuing Party, it may not list mirrors pointing to a domain under its own control.

2.1.2.2. Understanding the CSAF Aggregator Role

The CSAF Aggregator role represents the final waypoint between published CSAF 2.0 advisory documents and the end-user. Aggregators provide a location where CSAF documents can be retrieved by an automated tool. Although Aggregators act as a consolidated source of cybersecurity advisories, comparable to NIST NVD or The MITRE Corporation’s CVE.org, CSAF 2.0 is a decentralized model as opposed to a centralized model. Aggregators are not required to offer a comprehensive list of CSAF documents from all Publishers. Also, Publishers may provide free access to their CSAF advisory feed, or operate as a paid service.

Similarly to Listers, Aggregators must make an aggregator.json file available publicly and CSAF documents from each mirrored Issuer must be placed in a separate dedicated folder along with the Issuer’s provider-metadata.json. Essentially, Aggregators must satisfy the requirements 1 to 6 and 21 to 23 from Section 7.1 of the CSAF 2.0 specification.

CSAF Aggregators are also responsible for ensuring that each mirrored CSAF document has a valid signature (requirement 19) and a secure cryptographic hash (requirement 18). If the Issuing Party does not provide these files, the Aggregator must generate them.

3. Summary

Understanding CSAF 2.0 stakeholders and roles is essential for ensuring proper implementation of CSAF 2.0 and to benefit from automated collection and consumption of critical cybersecurity information. The CSAF 2.0 specification defines two main stakeholder groups: upstream producers, responsible for creating cybersecurity advisories, and downstream consumers, who apply this information to enhance security. Roles within CSAF 2.0 include Issuing Parties, such as Publishers, Providers, and Trusted-Providers to who generate and distribute advisories, and Data Aggregators, like Listers and Aggregators, who collect and disseminate these advisories to end-users.

Members of each role must adhere to specific security controls that support the secure transmission of CSAF 2.0 documents, and the Traffic Light Protocol (TLP) governs how documents are authorized to be shared and the required access controls.

Contact Test Now Buy Here Back to Overview

/by
Markus Feilner

#nis2know: BSI launches NIS2 vulnerability test

The German implementation of the EU’s NIS2 directive is becoming more and more defined: End of July, the NIS2 Implementation Act passed the German government’s cabinet, a final decision in the Bundestag is imminent. For all companies and authorities wondering whether this concerns them, the BSI has now launched a comprehensive website with an impact assessment and valuable information under the catchy hashtag #nis2know.

Even if the Bundestag resolution is not yet passed and thus the originally planned date in October will perhaps not be feasible anymore, companies must prepare now, the Federal Office for Information Security (BSI) demands. The BSI is therefore providing companies and organizations of all kinds with an eight-part questionnaire (in German only) to help IT managers and managers find out whether the strict regulations of NIS2 also apply to them. For all companies and organizations that fall under the NIS2 regulation, the BSI also provides further assistance and answers to the question of what they can do now in advance of NIS2 coming into force.

High need, high demand

Demand appears to be high, with both BSI head Claudia Plattner and Federal CIO Markus Richter reporting success in the form of several thousand hits in the first few days (for example on LinkedIn: Plattner, Richter). The NIS2 vulnerability test can be found directly on the BSI website. Here you will find “specific questions based on the directive to classify your company”. The questions are “kept short and precise and are explained in more detail in small print if necessary”. Anyone filling out the BSI’s questionnaire will know within minutes whether their company or organization is affected by NIS2.

In the questions, the respondent must address whether their company is the operator of a critical facility, a provider of publicly accessible telecommunications services or public telecommunications networks, a qualified trust service provider, a top-level domain name registry or a DNS service provider. Even if the company is a non-qualified trust service provider or offers goods and services that fall under one of the types of facilities specified in Annex 1 or 2 of the NIS 2 Directive, it is affected by the NIS 2 regulations.

Anybody who can answer all questions with “No” is not affected by NIS2. For everyone else, however, the BSI offers extensive help and research options on what to do now. A FAQ list explains in detail in nine questions the current status, whether you should wait or already start preparing. Links to sources and contacts can be found here, as well as further information for the impact checks and explanations of terms (for example: What does “important”, “essential” and “particularly important” mean in the context of NIS2?) Also very important are the sections that explain which obligations and evidence affected companies must provide when and where, as well as the still unanswered discussion as to when NIS2 becomes binding.

The BSI’s wealth of information also includes support services for businesses, as well as clear instructions for the next steps and basic explanations on critical infrastructures (KRITIS) in general.

Take action now, despite waiting for the Bundestag

The national implementation of the European NIS2 Directive, which has been the subject of heated debate in some quarters, was recently delayed due to major differences of opinion between the parties involved, meaning that the previously expected date had to be postponed. The Federal Ministry of the Interior had already confirmed weeks ago that it would not come into force in October.

Irrespective of the wait for the Bundestag, those affected should take action now, writes the BSI: responsible persons and teams must be appointed, roles and tasks must be defined, but also an inventory is to be taken and processes are to be set up for continuous improvement. Preparing for the upcoming reporting obligation should be a top priority.

Extensive information also from Greenbone

Greenbone has also devoted numerous blog posts and guides to the topic of NIS2 in recent months, from the Cyber Resilience Act and the threat situation for municipalities to effective measures and basically everything what is needed to know about NIS2 right now.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

NIS2: What you need to know

NIS2 Umsetzung gezielt auf den Weg bringen!

The deadline for the implementation of NIS2 is approaching – by October 17, 2024, stricter cybersecurity measures are to be transposed into law in Germany via the NIS2 Implementation Act. Other member states will develop their own legislature based on EU Directive 2022/2555. We have taken a close look at this directive for you to provide you with the most important pointers and signposts for the entry into force of NIS2 in this short video. In this video, you will find out whether your company is affected, what measures you should definitely take, which cybersecurity topics you need to pay particular attention to, who you can consult in this regard and what the consequences of non-compliance are.

Preview image for the video 'What you need to know about NIS2' with European star circle and NIS2 lettering - redirects to YouTube

Learn about the Cyber Resilience Act, which provides a solid framework to strengthen your organization’s resilience against cyberattacks. The ENISA Common Criteria will help you assess the security of your IT products and systems and take a risk-minimizing approach right from the development stage. Also prioritize the introduction of an information management system, for example by implementing ISO 27001 certification for your company. Seek advice about IT baseline protection from specialists recommended by the BSI or your local responsible office.

In addition to the BSI as a point of contact for matters relating to NIS2, we are happy to assist you and offer certified solutions in the areas of vulnerability management and penetration testing. By taking a proactive approach, you can identify security gaps in your systems at an early stage and secure them before they can be used for an attack. Our vulnerability management solution automatically scans your system for weaknesses and reports back to you regularly. During penetration testing, a human tester attempts to penetrate your system to give you final assurance about the attack surface of your systems.

You should also make it a habit to stay up to date with regular cybersecurity training and establish a lively exchange with other NIS2 companies. This is the only way for NIS2 to lead to a sustainable increase in the level of cyber security in Europe.

To track down the office responsible for you, follow the respective link for your state.

Austria France Malta
Belgium Germany Netherlands
Bulgaria Greece Poland
Croatia Hungary Portugal
Cyprus Ireland Romania
Czech Republic Italy Slovakia
Denmark Latvia Slovenia
Estonia Lithuania Spain
Finland Luxembourg Sweden

Contact Test Now Buy Here Back to Overview

/by
Markus Feilner

Protection of Office Suites: Greenbone Integrates Additional BSI Basic and CIS Guidelines

The IT-Grundschutz-Compendium of the Federal Office for Information Security (BSI) has, in recent years, provided clear guidelines for users of Microsoft Office. Since April 2024, Greenbone’s enterprise products have integrated tests to verify whether a company is implementing these instructions. The BSI guidelines are aligned with the Center for Internet Security (CIS) guidelines.

In the section “APP:Applications 1.1. Office Products” the BSI specifies the “requirements for the functionality of Office product components.” The goal is to protect the data processed and used by the Office software. While Microsoft Office is likely the primary reference due to its widespread market penetration, the model behind the BSI guidelines aims to apply to any office product “that is locally installed and used to view, edit, or create documents, excluding email applications.”

BSI Guidelines

The module explicitly builds on the requirements of the “APP.6 General Software” component and refers to the modules “APP.5.3 General Email Client,” “APP.4.3 Relational Databases,” and “OPS.2.2 Cloud Usage,” although it expressly does not consider these.

The BSI identifies three main threats to Office suites:

  • Lack of customization of Office products to the institution’s needs
  • Malicious content in Office documents
  • Loss of integrity of Office documents

The components listed in the BSI IT-Grundschutz-Compendium include 16 points, some of which have since been removed. Greenbone has developed several hundred tests, primarily addressing five of the basic requirements, including “Secure opening of documents from external sources” (APP.1.1. A3) and “Use of encryption and digital signatures” listed in APP.1.1. A15. The BSI specifies:

“All documents obtained from external sources MUST be checked for malware before being opened. All file formats deemed problematic and all unnecessary within the institution MUST be banned. If possible, they SHOULD be blocked. Technical measures SHOULD enforce that documents from external sources are checked.”

Regarding encryption, it states: “Data with increased protection requirements SHOULD only be stored or transmitted in encrypted form. Before using an encryption method integrated into an Office product, it SHOULD be checked whether it offers sufficient protection. Additionally, a method SHOULD be used that allows macros and documents to be digitally signed.”

CIS Guidelines Enhance Basic Protection

In addition to the requirements listed in the BSI Basic Protection Manual, the CIS Benchmark from the Center for Internet Security (CIS) for Microsoft Office includes further and more specific suggestions for securing Microsoft products. The CIS guidelines are developed by a community of security experts and represent a consensus-based best practice collection for Microsoft Office.

As one of the first and only vulnerability management providers, Greenbone now offers tests on security-relevant features mentioned in the CIS guidelines, uniting CIS and BSI instructions in numerous, sometimes in-depth tests, such as on ActiveX Control Initialization in Microsoft Office. The Greenbone Vulnerability Management tests whether this switch is set to “enabled”, but also many other settings, for example, whether “Always prevent untrusted Microsoft Query files from opening” is set to “Enabled” among many others.

Many tests focus on external content, integrating macros, and whether and how these external contents are signed, verifiable, and thus trustworthy or not, and whether administrators have done their homework in configuring Microsoft Office. According to the BSI, one of the most significant threats (and the first mentioned) is the lack of adaptation of Office products to the reality and the business processes in the company. Greenbone’s new tests ensure efficient compliance with regulations, making it harder for attackers and malware to establish a foothold and cause damage in the company.

Contact Test Now Buy Here Back to Overview

/by