Tag Archive for: CVE

Greenbone AG has been consistently committed to an independent and resilient supply chain for the provision of vulnerability data for many years. Against the background of current discussions on the financing and sustainability of the CVE programme of the US organisation MITRE, we would like to inform you about our measures to ensure the continuous provision of important information about vulnerabilities in IT systems.

Since 1999, the CVE system has formed the central basis for the clear identification and classification of security vulnerabilities in IT. Funding for the central CVE database is currently secured by the US government until April 2026. Against this background, Greenbone took structural measures at an early stage to become less dependent on individual data sources.

With our OPENVAS brand, Greenbone is one of the world’s leading open source providers in the IT security ecosystem. We make an active contribution to the development of sustainable, decentralised infrastructures for the provision of vulnerability information – and are already focusing on future-proof concepts that effectively protect our customers from security risks.

Our sovereign data approach includes the following measures, among others:

  • Broad source diversification: Our systems and our security research team monitor a large number of international information sources so that we can react promptly to new threats independently of the official CVE process – even when no CVE entry has been assigned yet.
  • Integration of alternative databases: We integrate independent vulnerability catalogues such as the European Vulnerability Database (EUVD) into our systems in order to create a stable and geographically diversified information basis.
  • Promotion of open standards: We actively support the dissemination of the CSAF standard (Common Security Advisory Framework), which enables the decentralised and federated distribution of vulnerability information.

These measures ensure that our customers retain unrestricted access to up-to-date vulnerability information, even if the international data ecosystem changes. Your IT systems therefore remain protected in the future.

Greenbone stands for an independent, sovereign and future-proof supply of vulnerability information – even in a changing geopolitical environment.

Despite the outage of NIST's (National Institute of Standards and Technology) NVD (National Vulnerability Database), Greenbone's detection engine remains fully operational, offering reliable vulnerability scanning without relying on the missing CVE enrichment data.

Since 1999, The MITRE Corporation's Common Vulnerabilities and Exposures (CVE) program has provided free public vulnerability intelligence by publishing and managing information about software flaws. NIST has enriched these CVE records since 2005, adding context that makes them more useful for cyber risk assessment. In early 2024, the cybersecurity community was caught off guard when NIST's NVD enrichment ground to a halt. Now, roughly one year later, the outage has still not been fully resolved [1][2]. With the number of CVE submissions increasing each year, NIST's struggles have left a large percentage of records without context such as a severity score (CVSS), an affected product list (CPE) and a weakness classification (CWE).

Recent policy shifts pushed by the Trump administration have created further uncertainty about the future of vulnerability information sharing and the many security providers that depend upon it. The FY 2025 budget for CISA includes notable reductions in specific areas, such as a $49.8 million decrease in Procurement, Construction and Improvements and a $4.7 million cut in Research and Development. In response to the funding challenges, CISA has taken actions to reduce spending, including adjustments to contracts and procurement strategies.

To be clear, there has been no outage of the CVE program yet. On April 16, CISA issued a last-minute directive extending its contract with MITRE to keep the CVE Program operating for an additional 11 months, just hours before the contract was set to expire. However, nobody can predict how future events will unfold. The potential impact on intelligence sharing is alarming, perhaps signaling a new dimension to a “Cold Cyberwar” of sorts.

This article includes a brief overview of how the CVE program operates, and how Greenbone’s detection capabilities remain strong throughout the NIST NVD outage.

An Overview of the CVE Program Operations

The MITRE Corporation is a non-profit tasked with supporting US homeland security on multiple fronts including defensive research to protect critical infrastructure and cybersecurity. MITRE operates the CVE program, acting as the Primary CNA (CVE Numbering Authority) and maintaining the central infrastructure for CVE ID assignment, record publication, communication workflows among all CNAs and ADPs (Authorized Data Publishers) and program governance. MITRE provides CVE data to the public through its CVE.org website and the cvelistV5 GitHub repository, which contains all CVE Records in structured JSON format. The result has been highly efficient, standardized vulnerability reporting and seamless data sharing across the cybersecurity ecosystem.

After a vulnerability description is submitted to MITRE by a CNA, NIST has historically added:

  • CVSS (Common Vulnerability Scoring System): A severity score and detailed vector string that captures the risk context, including Attack Complexity (AC) and the impact on Confidentiality (C), Integrity (I) and Availability (A), as well as other factors.
  • CPE (Common Platform Enumeration): A specially formatted string that identifies affected products by encoding the vendor, product name, version and other platform attributes.
  • CWE (Common Weakness Enumeration): A root-cause classification according to the type of software flaw involved.

CVSS allows organizations to more easily determine the degree of risk posed by a particular vulnerability and to conduct remediation strategically. Also, because initial CVE reports only require a non-standardized declaration of affected products, NIST's addition of CPE allows vulnerability management platforms to conduct CPE matching: a fast, although somewhat unreliable, way to determine whether a CVE applies to an organization's infrastructure, since it only works when the scanner's software inventory and NVD's CPE strings agree exactly.
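To make the CPE-matching step concrete, here is an added example in Python (not Greenbone code and not NVD's own matcher): it parses CPE 2.3 strings, applies the version bounds that NVD attaches to a CVE's configuration data, and checks a constructed software inventory against them. The vendor and product names, the version range and the inventory entries are all constructed for illustration; the `versionStartIncluding` / `versionEndExcluding` keys follow the NVD API 2.0 field names.

```python
"""Added example (not Greenbone or NVD code): CPE 2.3 matching against an inventory.

Models how a scanner that depends on NVD-enriched CPE data decides whether a
CVE applies. The cpeMatch entry uses the NVD API 2.0 layout ('criteria' plus
optional version bounds); the vendor/product names, versions and inventory
below are constructed for illustration only.
"""
import re

# Constructed NVD-style cpeMatch node: all versions of exampleproduct from
# 2.0.0 up to, but excluding, 2.4.1 are vulnerable.
SAMPLE_CPE_MATCH = [
    {
        "vulnerable": True,
        "criteria": "cpe:2.3:a:examplevendor:exampleproduct:*:*:*:*:*:*:*:*",
        "versionStartIncluding": "2.0.0",
        "versionEndExcluding": "2.4.1",
    }
]

# Constructed inventory, e.g. from an authenticated scan of one host.
INVENTORY = [
    "cpe:2.3:a:examplevendor:exampleproduct:2.3.7:*:*:*:*:*:*:*",   # in range
    "cpe:2.3:a:examplevendor:exampleproduct:2.4.1:*:*:*:*:*:*:*",   # fixed release
    "cpe:2.3:a:othervendor:exampleproduct:2.3.7:*:*:*:*:*:*:*",     # different vendor
    "cpe:2.3:a:example_vendor:exampleproduct:2.3.7:*:*:*:*:*:*:*",  # same software, vendor spelled differently
]

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its 11 attributes.

    A literal colon inside a value is escaped as '\\:', so split only on
    unescaped colons.
    """
    if not cpe.startswith("cpe:2.3:"):
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    parts = re.split(r"(?<!\\):", cpe[len("cpe:2.3:"):])
    if len(parts) != len(CPE_FIELDS):
        raise ValueError("expected 11 CPE attributes, got %d" % len(parts))
    return dict(zip(CPE_FIELDS, parts))


def version_key(version: str) -> tuple:
    """Sort key that orders numeric components numerically ('2.10' > '2.9')."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-]", version))


def in_range(version: str, match: dict) -> bool:
    """Apply the optional NVD version bounds of a cpeMatch entry."""
    key = version_key(version)
    if "versionStartIncluding" in match and key < version_key(match["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in match and key <= version_key(match["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in match and key > version_key(match["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in match and key >= version_key(match["versionEndExcluding"]):
        return False
    return True


def attr_matches(pattern: str, value: str) -> bool:
    """'*' (ANY) matches everything; anything else must match exactly."""
    return pattern == "*" or pattern.lower() == value.lower()


def cpe_applies(match: dict, installed: str) -> bool:
    """True if the installed CPE is covered by this cpeMatch entry."""
    if not match.get("vulnerable", False):
        return False
    crit, inst = parse_cpe(match["criteria"]), parse_cpe(installed)
    for field in CPE_FIELDS:
        if field != "version" and not attr_matches(crit[field], inst[field]):
            return False
    if crit["version"] != "*":            # exact version pinned in the criteria
        return attr_matches(crit["version"], inst["version"])
    return in_range(inst["version"], match)


def affected_inventory(cpe_matches: list, inventory: list) -> list:
    """Inventory entries that any vulnerable cpeMatch entry covers.

    With unenriched CVE data the configuration list is empty, so this
    returns nothing at all: the scanner is blind, not merely noisy.
    """
    return [c for c in inventory if any(cpe_applies(m, c) for m in cpe_matches)]
```

Running `affected_inventory(SAMPLE_CPE_MATCH, INVENTORY)` flags only the first entry. The fourth entry is the same product with the vendor string spelled differently and is silently missed, which is the unreliability referred to above; and with an empty configuration list, which is what an unenriched CVE looks like, nothing matches at all.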

For a more detailed perspective on how the vulnerability disclosure process works and how CSAF 2.0 offers a decentralized alternative to MITRE’s CVE program, check out our article: How CSAF 2.0 Advances Automated Vulnerability Management. Next, let’s take a closer look at the NIST NVD outage and understand what makes Greenbone’s detection capabilities resilient against the NIST NVD outage.

The NIST NVD Outage: What Happened?

Starting on February 12, 2024, the NVD drastically reduced its enrichment of Common Vulnerabilities and Exposures (CVEs) with critical metadata such as CVSS scores, CPE product identifiers and CWE classifications. The issue was first identified by Anchore's VP of Security. As of May 2024, roughly 93% of CVEs added after February 12 were unenriched. By September 2024, NIST had failed to meet its self-imposed deadline; 72.4% of CVEs and 46.7% of new additions to CISA's Known Exploited Vulnerabilities (KEV) catalog were still unenriched [3].

The slowdown in NVD’s enrichment process had significant repercussions for the cybersecurity community not only because enriched data is critical for defenders to effectively prioritize security threats, but also because some vulnerability scanners depend on this enriched data to implement their detection techniques.

As a cybersecurity defender, it’s worthwhile asking: was Greenbone affected by the NIST NVD outage? The short answer is no. Read on to find out why Greenbone’s detection capabilities are resilient against the NIST NVD outage.

Greenbone Detection Strong Despite the NVD Outage

Without enriched CVE data, some vulnerability management solutions become ineffective because they rely on CPE matching to determine if a vulnerability exists within an organization's infrastructure. However, Greenbone is resilient against the NIST NVD outage because our products do not depend on CPE matching. Greenbone's OPENVAS vulnerability tests can be built from unenriched CVE descriptions. In fact, Greenbone can and does include detection for known vulnerabilities and misconfigurations that do not even have CVEs, such as CIS compliance benchmarks [4][5].

To build Vulnerability Tests (VT) Greenbone employs a dedicated team of software engineers who identify the underlying technical aspects of vulnerabilities. Greenbone does include a CVE Scanner feature capable of traditional CPE matching. However, unlike solutions that rely solely on CPE data from NIST NVD to identify vulnerabilities, Greenbone employs detection techniques that extend far beyond basic CPE matching. Therefore, Greenbone’s vulnerability detection capabilities remain robust even in the face of challenges such as the recent outage of the NIST NVD.

To achieve highly resilient, industry leading vulnerability detection, Greenbone’s OPENVAS Scanner component actively interacts with exposed network services to construct a detailed map of a target network’s attack surface. This includes identifying services that are accessible via network connections, probing them to determine products, and executing individual Vulnerability Tests (VT) for each CVE or non-CVE security flaw to actively verify whether they are present. Greenbone’s Enterprise Vulnerability Feed contains over 180,000 VTs, updated daily, to detect the latest disclosed vulnerabilities, ensuring rapid detection of the newest threats.

In addition to its active scanning capabilities, Greenbone supports agentless data collection via authenticated scans. Gathering detailed information from endpoints, Greenbone evaluates installed software packages against issued CVEs. This method provides precise vulnerability detection without depending on enriched CPE data from the NVD.

Key Takeaways:

  • Independence from enriched CVE data: Greenbone’s vulnerability detection does not rely on enriched CVE data provided by NIST’s NVD, ensuring uninterrupted performance during outages. A basic description of a vulnerability allows Greenbone’s vulnerability test engineers to develop a detection module.
  • Detection beyond CPE matching: While Greenbone includes a CVE Scanner feature for CPE matching, its detection capabilities extend far beyond this basic approach, utilizing several methods that actively interact with scan targets.
  • Attack surface mapping: The OPENVAS Scanner actively interacts with exposed services to map network attack surface, identifying all network reachable services. Greenbone also performs authenticated scans to gather data directly from endpoint internals. This information is processed to identify vulnerable packages. Enriched CVE data such as CPE is not required.
  • Resilience to NVD enrichment outages: Greenbone’s detection methods remain effective even without NVD enrichment, leveraging CVE descriptions provided by CNAs to create accurate active checks and version-based vulnerability assessments.

Greenbone’s Approach is Practical, Effective and Resilient

Greenbone exemplifies the gold standard of practicality, effectiveness and resilience, achieving a benchmark that IT security teams should be striving to achieve. By leveraging active network mapping, authenticated scans and actively interacting with target infrastructure, Greenbone ensures reliable, resilient detection capabilities in diverse environments.

This higher standard enables organizations to confidently address vulnerabilities, even in complex and dynamic threat landscapes. Even in the absence of NVD enrichment, Greenbone’s detection methods remain effective. With only a general description Greenbone’s VT engineers can develop accurate active checks and product version-based vulnerability assessments.

Through a fundamentally resilient approach to vulnerability detection, Greenbone ensures reliable vulnerability management, setting itself apart in the cybersecurity landscape.

NVD / NIST / MITRE Alternatives

The MITRE issue is a wake-up call for digital sovereignty, and the EU has already (and quickly) reacted. A long-awaited alternative, the EUVD operated by ENISA, the European Union Agency for Cybersecurity, now exists and will be covered in one of our upcoming blog posts.

When it comes to protecting your organization from digital threats, who should you trust? Reality dictates that high-resilience IT security is forged from a network of strong partnerships, defense in depth (layered security controls) and regular auditing. Defensive posture needs to be monitored, measured and continuously improved. While vulnerability management has always been a core security control, it is nonetheless a fast-moving target. In 2025, continuous and prioritized mitigation of security threats can have a big impact on security outcomes as adversarial time-to-exploit diminishes.

In March 2025’s monthly Threat Report, we will highlight the importance of vulnerability management and Greenbone’s industry leading vulnerability detection by reviewing the most recent critical threats. But these new threats only scratch the surface. In March 2025, Greenbone added 5,283 new vulnerability tests to our Enterprise Feed. Let’s jump into some of the important insights from a highly active threat landscape.

The US Treasury Breach: How Did It Happen?

In late December 2024, the U.S. Treasury Department disclosed that its network had been breached by Chinese state-backed hackers; the U.S. subsequently imposed sanctions in early January 2025. Forensic investigations have traced the root cause to a stolen BeyondTrust API key. The vendor has acknowledged that 17 other customers were breached via this flaw. Deeper investigation has revealed that the API key was stolen via a flaw in PostgreSQL's built-in functions for escaping untrusted input.

When an invalid two-byte UTF-8 sequence is submitted to a vulnerable PostgreSQL escaping function, the function treats the byte following the lead byte as the rest of the character and copies it through without inspection. A single quote placed there therefore passes through unescaped and can be leveraged to trigger an SQL Injection [CWE-89] attack. The affected functions are PQescapeLiteral(), PQescapeIdentifier(), PQescapeString() and PQescapeStringConn(). All versions of PostgreSQL before 17.3, 16.7, 15.11, 14.16 and 13.19 are affected, as are numerous products that depend on these functions.
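The byte-level mechanism is easier to see in code. The following is an added example, a simplified Python model of the quoting logic rather than libpq's C source: one escaper reproduces the pre-fix behaviour of trusting the lead byte and copying the claimed sequence through, the other validates the continuation bytes the way the fixed releases do. The attacker input, the query template and the helper names are constructed for illustration.

```python
"""Added example (not PostgreSQL/libpq code): a Python model of the quoting bug
behind CVE-2025-1094.

libpq's PQescapeString-family functions walk the input byte by byte and, when
a byte looks like the lead byte of a multibyte UTF-8 character, copy the whole
claimed sequence through without inspecting the trailing bytes. The two
escapers below model that logic in simplified form; the attacker input and the
query template are constructed for illustration.
"""


def utf8_seq_len(lead: int) -> int:
    """Length a UTF-8 sequence claims to have, judged from its lead byte alone."""
    if lead < 0x80:
        return 1
    if 0xC0 <= lead <= 0xDF:
        return 2
    if 0xE0 <= lead <= 0xEF:
        return 3
    if 0xF0 <= lead <= 0xF7:
        return 4
    return 1  # stray continuation byte: treat as a single byte


def escape_literal_vulnerable(data: bytes) -> bytes:
    """Pre-fix behaviour: doubles single quotes, but copies the bytes that
    follow a multibyte lead byte verbatim, whatever they are."""
    out, i = bytearray(), 0
    while i < len(data):
        n = utf8_seq_len(data[i])
        if n == 1:
            out += b"''" if data[i] == ord("'") else bytes([data[i]])
            i += 1
        else:
            out += data[i:i + n]   # trailing bytes never inspected: a "'" here survives
            i += n
    return bytes(out)


def escape_literal_fixed(data: bytes) -> bytes:
    """Fixed behaviour: the claimed sequence must be complete and every trailing
    byte must be a continuation byte (0x80-0xBF); otherwise the input is rejected."""
    out, i = bytearray(), 0
    while i < len(data):
        n = utf8_seq_len(data[i])
        if n == 1:
            out += b"''" if data[i] == ord("'") else bytes([data[i]])
            i += 1
            continue
        seq = data[i:i + n]
        if len(seq) < n or any(not 0x80 <= b <= 0xBF for b in seq[1:]):
            raise ValueError("invalid multibyte sequence at offset %d" % i)
        out += seq
        i += n
    return bytes(out)


def build_query(escaper, username: bytes) -> bytes:
    """Assemble the query the way a client that trusts the escaper would."""
    return b"SELECT * FROM users WHERE name = '" + escaper(username) + b"'"


def rejected(escaper, data: bytes) -> bool:
    """True if the escaper refuses the input instead of quoting it."""
    try:
        escaper(data)
        return False
    except ValueError:
        return True


# Constructed attacker input: a lone 0xC0 lead byte immediately followed by a
# single quote, then an injected tail.
ATTACK = b"\xc0' OR 1=1 --"
```

`build_query(escape_literal_vulnerable, ATTACK)` produces `SELECT * FROM users WHERE name = '\xc0' OR 1=1 --'`: the attacker's quote closes the literal because it was swallowed as the second byte of a "character". The fixed escaper raises instead. The model covers only the quoting step; whether an injected quote then becomes executed SQL also depends on how the client and the server handle the invalid bytes, which is why the BeyondTrust products had their own CVEs.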

CVE-2024-12356 (CVSS 9.8) and CVE-2024-12686 (CVSS 7.2) have been issued for BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS), and CVE-2025-1094 (CVSS 8.1) addresses the flaw in PostgreSQL. The issue is the subject of several national CERT advisories, including Germany's BSI CERT-Bund (WID-SEC-2024-3726) and the Canadian Centre for Cyber Security (AV25-084). The flaw has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, and a Metasploit module that exploits vulnerable BeyondTrust products is available, increasing the risk. Greenbone is able to detect the CVEs (Common Vulnerabilities and Exposures) discussed above, both in BeyondTrust products and in instances of PostgreSQL vulnerable to CVE-2025-1094.

Advanced Fined £3.1 Million for Lack of Technical Controls

This month, the UK's Information Commissioner's Office (ICO) imposed a £3.07 million fine on Advanced Computer Software Group Ltd. under the UK GDPR for security failures. The case is evidence of how the financial damage caused by a ransomware attack can be further exacerbated by regulatory fines. The initially proposed amount was even higher at £6.09 million. However, since the victim cooperated with the NCSC (National Cyber Security Centre), NCA (National Crime Agency) and NHS (National Health Service) after the incident, a voluntary settlement of £3,076,320 was approved. While operational costs and extortion payments have not been publicly disclosed, they likely add between £10 and £20 million to the incident's total costs.

Advanced is a major IT and software provider to healthcare organizations including the NHS. In August 2022, Advanced was compromised: attackers gained access to its health and care subsidiary, resulting in a serious ransomware incident. The breach disrupted critical services including NHS 111 and prevented healthcare staff from accessing personal data on 79,404 individuals, including sensitive care information.

The ICO concluded that Advanced had incomplete MFA coverage, lacked comprehensive vulnerability scanning and had deficient patch management practices at the time of the incident – factors that collectively represented a failure to implement appropriate technical and organizational measures. Organizations processing sensitive data must treat security controls as non-negotiable. Inadequate patch management remains one of the most exploited gaps in modern attack chains.

Double Trouble: Backups Are Critical to Ransomware Mitigation

Backups are an organization's last defense against ransomware, and most sophisticated advanced persistent threat (APT) actors are known to target their victims' backups. If a victim's backups are compromised, submission to ransom demands is more likely. In 2025, this could mean multi-million dollar losses. In March 2025, two significant new threats to backup services were revealed: CVE-2025-23120, a new critical severity flaw in Veeam, was disclosed, and campaigns targeting CVE-2024-48248 in NAKIVO Backup & Replication were observed. Identifying affected systems and patching them is therefore an urgent matter.

In October 2024, our threat report alerted about another vulnerability in Veeam (CVE-2024-40711) being used in ransomware attacks. Overall, CVEs in Veeam Backup and Replication have a high conversion rate for active exploitation, PoC (Proof of Concept) exploits, and use in ransomware attacks. Here are the details for both emerging threats:

  • CVE-2024-48248 (CVSS 8.6): Versions of NAKIVO Backup & Replication before 11.0.0.88174 allow unauthenticated attackers to read arbitrary files from the server via a function called getImageByPath. The readable files include database files containing cleartext credentials for each system that NAKIVO connects to and backs up, which attackers can use to compromise those systems. A full technical description and proof-of-concept is available and this vulnerability is now tracked as actively exploited.
  • CVE-2025-23120 (CVSS 9.9): Attackers with domain user access can trigger deserialization of attacker-controlled data through the .NET Remoting channel. Veeam attempts to restrict dangerous types via a blacklist, but researchers discovered exploitable classes (xmlFrameworkDs and BackupSummary) that are not on the list. These extend .NET's DataSet class, a well-known RCE vector, allowing arbitrary code execution as SYSTEM on the backup server. The flaw is the subject of national CERT alerts globally, including from HKCERT, CERT.be and CERT-In. As per Veeam's advisory, upgrading to version 12.3.1 is the recommended way to mitigate the vulnerability.

Greenbone is able to detect vulnerable NAKIVO and Veeam instances. Our Enterprise Feed has an active check [1] and version check [2] for CVE-2024-48248 in NAKIVO Backup & Replication, and a remote version check [3] for the Veeam flaw.

IngressNightmare: Unauthenticated Takeover in 43% of Kubernetes Clusters

Kubernetes is the most popular enterprise container orchestration tool globally. Its Ingress feature is a networking component that manages external access to services within a cluster, typically HTTP and HTTPS traffic. A set of vulnerabilities dubbed IngressNightmare has exposed an estimated 43% of Kubernetes clusters to unauthenticated remote access – approximately 6,500 clusters, including those of Fortune 500 companies.

The root cause is excessive default privileges [CWE-250] and unrestricted network accessibility [CWE-284] in the Ingress-NGINX Controller, which is based on the NGINX reverse proxy. IngressNightmare allows attackers to gain complete unauthorized control over workloads, APIs or sensitive resources in multi-tenant and production-grade clusters. A full technical analysis is available from the researchers at Wiz, who pointed out that the controller's admission controller is directly accessible without authentication by default, presenting an appealing attack surface to attackers.

The full attack chain to achieve arbitrary RCE against an affected Kubernetes cluster has two stages. First, CVE-2025-1974 (CVSS 9.8) is used to upload a binary payload as a request body. The body should be larger than 8 KB, and the request should declare a Content-Length header larger than the actual content size. This causes NGINX to buffer the request body to a temporary file, and because the declared Content-Length is never reached, the server keeps waiting for more data and the file is not deleted [CWE-459].

The second stage of this attack requires exploiting CVE-2025-1097, CVE-2025-1098 or CVE-2025-24514 (CVSS 8.8). These CVEs all similarly fail to properly sanitize input [CWE-20] submitted to the admission controller. Ingress-NGINX converts Ingress objects to configuration files and validates them with the nginx -t command, which allows attackers to inject a limited set of NGINX configuration directives. The researchers found that the ssl_engine directive can be used to make this validation step load the shared library uploaded in the first stage. Although exploitation is not trivial and no public PoC code exists yet, sophisticated threat actors will easily convert the technical analysis into effective exploits.

The Canadian Centre for Cyber Security has issued a CERT advisory (AV25-161) for IngressNightmare. Patched Ingress-NGINX versions 1.12.1 and 1.11.5 are available and users should upgrade as soon as possible. If upgrading the Ingress-NGINX Controller is not immediately possible, temporary workarounds can help reduce risk. Strict network policies can restrict access to the admission controller so that only the Kubernetes API server can reach it. Alternatively, the admission controller component of Ingress-NGINX can be disabled entirely.

Greenbone is able to detect IngressNightmare vulnerabilities with an active check that verifies the presence of all CVEs mentioned above [1][2].

CVE-2025-29927: Next.js Framework Under Attack

A new vulnerability in Next.js, CVE-2025-29927 (CVSS 9.4), is considered high risk due to the framework's popularity and the simplicity of exploitation [1][2]. Adding to the risk, PoC exploit code is publicly available and Akamai researchers have observed active scans probing the Internet for vulnerable apps. Several national CERTs (Computer Emergency Response Teams) have issued alerts for the issue, including CERT NZ, the Australian Signals Directorate (ASD), Germany's BSI CERT-Bund (WID-SEC-2025-062) and the Canadian Centre for Cyber Security (AV25-162).

Next.js is a React framework for building full-stack web applications. Middleware refers to components that sit between two or more systems and handle communication and orchestration; in Next.js, middleware is code that runs before an incoming HTTP request reaches its route handler and is often responsible for authentication and authorization. Due to CVE-2025-29927, attackers can bypass Next.js middleware authentication and authorization simply by setting a malicious HTTP header.

If using HTTP headers to manage a web application's internal process flow seems like a bad idea, CVE-2025-29927 is the evidence. Given that user-provided headers were not correctly distinguished from internal ones, this vulnerability should attain the status of egregious negligence. Attackers can bypass authentication simply by adding the `x-middleware-subrequest` header to a request and filling it with at least as many copies of the middleware's module name (`middleware`, or `src/middleware` when the file lives in a `src/` directory) as MAX_RECURSION_DEPTH, which is 5. For example:

`x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware`
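The following is an added example, not Next.js source: a Python model of the decision vulnerable releases made when they saw that header, alongside the header-stripping workaround from the advisory. The toy application, its status codes and the function names are constructed for illustration; the recursion depth of 5 and the module name are the values described above.

```python
"""Added example (not Next.js code): a Python model of the middleware-skip
decision behind CVE-2025-29927 and of the header-stripping workaround.

Vulnerable Next.js releases counted how often the middleware's own module name
appeared in the x-middleware-subrequest header and skipped the middleware once
the count reached MAX_RECURSION_DEPTH, trusting a header any client can send.
The application and its responses below are constructed for illustration.
"""

MAX_RECURSION_DEPTH = 5            # value used by the vulnerable releases
MIDDLEWARE_NAME = "middleware"     # "src/middleware" when middleware.ts lives under src/


def middleware_skipped(headers: dict, name: str = MIDDLEWARE_NAME) -> bool:
    """Models the vulnerable check: the header value is split on ':' and the
    middleware is skipped when its name occurs MAX_RECURSION_DEPTH times."""
    raw = headers.get("x-middleware-subrequest", "")
    depth = sum(1 for part in raw.split(":") if part == name)
    return depth >= MAX_RECURSION_DEPTH


def handle_request(headers: dict, session_ok: bool) -> int:
    """Constructed app: middleware enforces login on a protected route.
    Returns the HTTP status code the client receives."""
    if middleware_skipped(headers):
        return 200                 # middleware never ran, protected page served
    return 200 if session_ok else 401


def strip_internal_header(headers: dict) -> dict:
    """The advisory's workaround for deployments that cannot upgrade: remove the
    internal header from external requests at the edge (header names are
    compared case-insensitively)."""
    return {k: v for k, v in headers.items() if k.lower() != "x-middleware-subrequest"}


# Constructed bypass request: the header from the article, five copies of the name.
BYPASS_HEADERS = {"x-middleware-subrequest": ":".join([MIDDLEWARE_NAME] * MAX_RECURSION_DEPTH)}
```

Without a session, `handle_request({}, False)` returns 401, but `handle_request(BYPASS_HEADERS, False)` returns 200 because the middleware is never consulted; passing the headers through `strip_internal_header` first restores the 401. Two practical points follow from the model: the attacker has to match the module name, so a project that keeps its middleware under `src/` needs `src/middleware` in the header, and the stripping must happen in front of the application (reverse proxy, CDN or WAF), since by the time Next.js reads the header the decision has already been made.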

The flaw is fixed in Next.js versions 15.2.3, 14.2.25, 13.5.9 and 12.3.5, and users should follow the vendor's upgrade guide. If upgrading is infeasible, it is recommended to filter the `x-middleware-subrequest` header out of incoming HTTP requests before they reach the application. Greenbone is able to detect vulnerable instances of Next.js with an active check and a version check.
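Both the IngressNightmare fix (1.12.1 and 1.11.5) and the Next.js fix were shipped on several release lines at once, which is exactly where a naive "is the installed version lower than the newest fixed version" check goes wrong: Next.js 14.2.25 is lower than 15.2.3 but patched, while 14.1.0 has no fix on its own line at all. The following is an added example in Python of a branch-aware version check, not Greenbone's own version-check implementation; the fixed-version lists come from the two sections above, while the product keys and the sample versions are constructed.

```python
"""Added example (not Greenbone's version-check code): branch-aware comparison
of an installed version against fixes shipped on several release lines.

Fixed versions are those named in the text for IngressNightmare and for
CVE-2025-29927; the product keys and sample versions are constructed.
"""
import re

FIXED = {
    "ingress-nginx": ["1.12.1", "1.11.5"],
    "next.js": ["15.2.3", "14.2.25", "13.5.9", "12.3.5"],
}


def parse_version(version: str) -> tuple:
    """'v1.12.1' -> (1, 12, 1, 1). A pre-release suffix such as '-rc.1' or
    '-canary.3' yields (..., 0, suffix) so that it sorts below the final
    release of the same number."""
    text = version.strip().lstrip("vV")
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?", text)
    if not m:
        raise ValueError("unparseable version: %r" % version)
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))          # pad '1.11' to (1, 11, 0)
    return nums + ((1,) if m.group(2) is None else (0, m.group(2)))


def is_vulnerable(product: str, installed: str) -> bool:
    """True if the installed version predates the fix on its own release line.

    - Same major.minor line as a fixed release: compare within that line.
    - Newer than every fixed line: assume the fix was carried forward.
    - A line with no fixed release (Next.js 14.1.x, Ingress-NGINX 1.10.x):
      vulnerable, since the only remedy is moving to a fixed line.
    """
    inst = parse_version(installed)
    fixed = sorted((parse_version(v) for v in FIXED[product]), reverse=True)
    for fix in fixed:
        if fix[:2] == inst[:2]:
            return inst < fix
    return inst < fixed[0]


def scan(product: str, versions: list) -> dict:
    """Map each discovered version string to its vulnerability verdict."""
    return {v: is_vulnerable(product, v) for v in versions}
```

`scan("next.js", ["14.2.24", "14.2.25", "14.1.0", "16.0.0"])` marks the first and third as vulnerable and the others as fixed. The caveat a practitioner should keep in mind is the one this whole report illustrates from the other side: a version check only sees the version string, so hotfixes that do not bump it (the Sophos hotfixes discussed later on this page are an example) and backported distribution patches are invisible to it, which is why an active check against the actual behaviour of the service is the stronger signal wherever one exists.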

Summary

The March 2025 threat landscape was shaped by vulnerable and actively exploited backup systems, unforgivably weak authentication logic, high-profile regulatory fines and numerous other critical software vulnerabilities. From the U.S. Treasury breach to the Advanced ransomware fallout, the theme is clear: trust doesn’t grow on trees. Cybersecurity resilience must be earned; forged through layered security controls and backed up by accountability.

Greenbone continues to play a vital role by providing timely detection tests for new emerging threats and standardized compliance audits that support a wide array of enterprise architectures. Organizations that want to stay ahead of cyber crime need to proactively scan their infrastructure and close security gaps as they appear.

Cyber threats are evolving at breakneck speed, but the fundamental weaknesses attackers exploit remain strikingly unchanged. So far in 2025, many analysts have published landscape reviews of 2024 and outlooks for 2025. The cost of cyber breaches is ticking upwards, but overall, cyber breach root-causes have not changed. Phishing [T1566] and exploiting known software vulnerabilities [T1190] continue to top the list. Another key observation is that attackers are weaponizing public information faster, converting CVE (Common Vulnerabilities and Exposures) disclosures into viable exploit code within days or even hours. Once inside a victim’s network, they are executing precision second-stage objectives faster too, deploying ransomware within minutes.

In this month’s edition of the Greenbone Threat Report, we will briefly review the disclosed chats of the Black Basta ransomware group and highlight Greenbone’s coverage of their now exposed techniques. We will also review a report from Greynoise about mass exploitation attacks, a new actively exploited vulnerability in Zimbra Collaboration Suite and new threats to edge networking devices.

The Era of Tectonic Technology

If security crises are like earthquakes, then the global tech ecosystem is the underlying tectonic plates, and its current state would best be represented by the Paleozoic Era of geological history. Rapid innovation and competitive market forces are pushing and pulling at the fabric of IT security like the colliding supercontinents of Pangea, with continuous earthquakes constantly forcing continental shift.

Entirely new paradigms of computing such as generative AI and quantum computing are creating advantages and risks; volcanoes of value and unstable ground. Governments and tech giants are wrestling for access to citizens' sensitive personal data, adding gravity. These struggles have significant implications for privacy, security and how society will evolve. Here are some of the major forces destabilizing IT security today:

  • Rapidly evolving technologies are driving innovation, forcing technical change.
  • Organizations are both forced to change as technologies and standards are deprecated and motivated to change to remain competitive.
  • Fierce market competition has accelerated product development and release cycles.
  • Strategic planned obsolescence has been normalized as a business strategy for reaping financial gain.
  • Pervasive lack of accountability for software vendors has led to prioritization of performance over “security-first” design principles.
  • Nation-states weaponize technology for Cyber Warfare, Information Warfare and Electronic Warfare.

Due to these forces, well-resourced and well-organized cyber criminals find a virtually unlimited number of security gaps to exploit. The Paleozoic Era lasted 300 million years. Hopefully, we won’t have to wait that long for product vendors to show accountability and employ secure design principles [1][2][3] to prevent so-called “unforgivable” vulnerabilities of negligence [4][5]. The takeaway is that organizations need to develop technical agility and efficient patch management programs. Continuous prioritized vulnerability management is a must.

Black Basta Tactics Revealed: Greenbone Has Coverage

Leaked internal chat logs belonging to the Black Basta ransomware group have provided insight into the group's tactics and inner workings. The logs were leaked by an individual using the alias “ExploitWhispers”, who claimed the release was in response to Black Basta's controversial targeting of Russian banks, allegedly creating internal conflicts within the group. Since its emergence in April 2022, Black Basta has reportedly amassed over $100 million in ransom payments from more than 300 victims worldwide. 62 CVEs referenced in the leaked documents reveal the group's tactics for exploiting known vulnerabilities. Of these 62, Greenbone maintains detection tests for 61, covering 98% of the CVEs.

The Greynoise 2025 Mass Exploitation Report

Mass exploitation attacks are fully automated network attacks against services that are accessible via the internet. This month, Greynoise published a comprehensive report summarizing the mass exploitation landscape, including the top CVEs attacked by the largest botnets (by unique IPs), the most exploited product vendors, and the top CVEs that are both included in CISA's (Cybersecurity and Infrastructure Security Agency) KEV (Known Exploited Vulnerabilities) catalog and exploited by botnets. The Greenbone Enterprise Feed has detection tests for 86% of all CVEs (86 total) referenced in the report. When considering only CVEs issued in 2020 or later (66 total), our Enterprise Feed has 90% detection coverage.

Additional findings include:

  • 60% of CVEs exploited in mass exploitation attacks were published in 2020 or later.
  • Attackers are exploiting vulnerabilities within hours of disclosure.
  • 28% of vulnerabilities in CISA KEV are exploited by ransomware threat actors.

Zimbra Collaboration Suite

CVE-2023-34192 (CVSS 9.0) is a critical-severity Cross-Site Scripting (XSS) vulnerability in Zimbra Collaboration Suite (ZCS) version 8.8.15. The flaw allows authenticated remote attackers to execute arbitrary code via crafted scripts targeting the `/h/autoSaveDraft` function. CISA added CVE-2023-34192 to its KEV catalog, indicating that it has been actively exploited in real-world attacks. Proof-of-concept (PoC) exploit code is publicly available, allowing low-skilled attackers to join the fray. CVE-2023-34192 has held a very high EPSS score since its disclosure in 2023. For defenders leveraging EPSS for remediation prioritization, this indicates a high priority to patch.

Zimbra Collaboration Suite (ZCS) is an open-source office productivity platform that integrates email, calendar, contacts, tasks and collaboration tools but holds a niche market share of less than 1% of all email and messaging platforms.

Living on the Edge: New Critical Networking Device Flaws

In our monthly threat report we have been tracking the persistent threat to edge network devices. Earlier this month, we reported on a perfect security storm affecting end-of-life (EOL) Zyxel routers and firewalls. In this section we will review new security risks that fall into the “edge networking” category. Greenbone has detection capabilities for all CVEs discussed below.

Chinese Hackers Exploit Palo Alto’s PAN-OS for Ransomware

CVE-2024-0012 (CVSS 9.8), a vulnerability in Palo Alto PAN-OS disclosed last November, is considered one of the most exploited vulnerabilities of 2024. The CVE is also reportedly being used by Chinese state-backed threat actors for ransomware attacks. Another new flaw affecting PAN-OS, CVE-2025-0108 (CVSS 9.1), was just disclosed this month and immediately tagged as actively exploited by CISA. CVE-2025-0108 is an authentication bypass in the management web interface and can be chained with CVE-2024-9474 (CVSS 7.2), a separate privilege escalation vulnerability, to gain unauthenticated root control over an unpatched PAN-OS device.

SonicWall Patches a Critical Actively Exploited CVE in SonicOS

CVE-2024-53704, a critical severity vulnerability in SonicWall devices, has recently been added to CISA’s KEV list. Astoundingly, CISA lists 8 SonicWall CVEs that are known to be actively exploited in ransomware attacks. CVE-2024-53704 (CVSS 9.8) is an Improper Authentication vulnerability [CWE-287] in the SSLVPN authentication mechanism of SonicWall’s SonicOS versions 7.1.1-7058 and older, 7.1.2-7019, and 8.0.0-8035. It allows remote attackers to bypass authentication and hijack active SSL VPN sessions, potentially gaining unauthorized network access. A full technical analysis is available from BishopFox. An advisory from SonicWall also names additional high severity CVEs in SonicOS that have been patched along with CVE-2024-53704.

Sophos’ CyberoamOS and EOL XG Firewalls Actively Exploited

Sophos, which acquired Cyberoam in 2014, has issued an alert and patch for CVE-2020-29574. CyberoamOS is part of Sophos’ product ecosystem. Aside from this CVE, Sophos XG Firewall, soon to be EOL, is also the subject of an active exploitation alert.

  • CVE-2020-29574 (CVSS 9.8): A critical SQL injection [CWE-89] vulnerability identified in the WebAdmin interface of CyberoamOS versions released up to December 4, 2020. This flaw allows unauthenticated attackers to remotely execute arbitrary SQL statements, potentially gaining complete administrative access to the device. A hotfix patch has been issued, which also extends to some affected end-of-life (EOL) products.
  • CVE-2020-15069 (CVSS 9.8) is a critical Buffer Overflow vulnerability in Sophos XG Firewall versions 17.x through v17.5 MR12, allowing unauthenticated RCE via the HTTP/S Bookmarks feature for clientless access. This vulnerability, published in 2020, is now being actively exploited and has been added to CISA KEV, indicating heightened risk. Sophos released an advisory in 2020 when the vulnerability was disclosed, along with a hotfix for affected firewalls. The XG Series hardware appliances are scheduled to reach end-of-life (EOL) on March 31, 2025.

PrivEsc and Auth Bypasses in Fortinet FortiOS and FortiProxy

Fortinet disclosed two critical vulnerabilities, both affecting FortiOS and FortiProxy. The Canadian Center for Cybersecurity and the Belgian Center for Cybersecurity have issued advisories. Fortinet acknowledges active exploitation of CVE-2024-55591 and has released official guidance that includes details on affected versions and recommended updates.

  • CVE-2024-55591 (CVSS 9.8): An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS allows a remote attacker to gain super-admin privileges via crafted requests to the Node.js websocket module. Multiple PoC exploits are available [1][2], increasing the risk of exploitation by low-skilled attackers.
  • CVE-2024-40591 (CVSS 8.8): Allows an authenticated administrator with Security Fabric permissions to escalate their privileges to super-admin by connecting the targeted FortiGate device to a malicious upstream FortiGate under their control.

Cisco Flaws Implicated as Initial Access Vectors in Telecom Hacks

In the past few months, China’s Salt Typhoon espionage group has routinely exploited at least two critical vulnerabilities in Cisco IOS XE devices to gain persistent access to telecommunications networks. Victims include an Italian ISP, a South African telecom, a large Thai telecom, and twelve universities worldwide including UCLA, Indonesia’s Universitas Negeri Malang and Mexico’s UNAM among others. Previously, Salt Typhoon had compromised at least nine U.S. telecoms, including Verizon, AT&T and Lumen Technologies. U.S. authorities claim Salt Typhoon’s goal is surveilling high-profile individuals, political figures and officials related to Chinese political interests.

CVEs exploited by Salt Typhoon include:

  • CVE-2023-20198 (CVSS 10): A privilege escalation flaw in Cisco IOS XE’s web interface. Used for initial access, allowing attackers to create an admin account.
  • CVE-2023-20273 (CVSS 7.2): Another privilege escalation flaw, used after gaining admin access to escalate privileges to root and establish a GRE (Generic Routing Encapsulation) tunnel for persistence.

Also, two other CVEs in Cisco products came onto the radar in February 2025:

  • CVE-2023-20118 (CVSS 7.2): A command injection vulnerability in the web-based management interface of Cisco Small Business Routers allows authenticated, remote attackers to execute arbitrary commands with root-level privileges by sending crafted HTTP requests. CISA added CVE-2023-20118 to its KEV catalog, indicating evidence of active exploitation.
  • CVE-2023-20026 (CVSS 7.2): A command injection vulnerability in the web-based management interface of Cisco Small Business Routers RV042 Series allows authenticated, remote attackers with valid administrative credentials to execute arbitrary commands on the device. The flaw is due to improper validation of user input within incoming HTTP packets. While CVE-2023-20026 is not known to be exploited in any active campaigns, Cisco’s Product Security Incident Response Team (PSIRT) is aware that PoC exploit code for this vulnerability exists.

Ivanti Patches Four Critical Flaws

Four critical vulnerabilities were identified, affecting Ivanti Connect Secure (ICS), Policy Secure (IPS), and Cloud Services Application (CSA). No reports of active attacks in the wild or PoC exploits have emerged yet. Ivanti advises users to promptly update to the newest versions to address these critical vulnerabilities.

Here is a brief technical summary:

  • CVE-2025-22467 (CVSS 8.8): Attackers with credentials can achieve remote code execution (RCE) due to a stack-based buffer overflow [CWE-121] flaw in ICS versions prior to 22.7R2.6.
  • CVE-2024-38657 (CVSS 9.1): Attackers with credentials can write arbitrary files due to an external control of file name vulnerability in ICS versions before 22.7R2.4 and IPS versions before 22.7R1.3.
  • CVE-2024-10644 (CVSS 9.1): A code injection flaw in ICS (pre-22.7R2.4) and IPS (pre-22.7R1.3) allows arbitrary RCE to authenticated administrators.
  • CVE-2024-47908 (CVSS 7.2): An operating system command injection vulnerability [CWE-78] in CSA’s admin web console (versions before 5.0.5) allows arbitrary RCE to authenticated administrators.

Summary

This month’s Threat Report highlights key cybersecurity developments, including the evolving tactics of ransomware groups like Black Basta and the pervasive critical threat to edge network devices. With the support of AI tools, attackers are exploiting vulnerabilities faster, sometimes within hours of disclosure. Organizations must remain vigilant by adopting proactive security measures, continuously updating their defenses and leveraging threat intelligence to stay ahead of emerging threats.

We’re excited to announce the release of several feature updates to our Greenbone Operating System (GOS), the software stack behind our physical and virtual Enterprise Appliances. The updates introduce new front-end features that enhance enterprise vulnerability management capabilities, and performance-enhancing back-end features. The newest updates to the Greenbone Operating System (GOS), version 24.10, reflect Greenbone’s commitment to empowering fundamental cybersecurity best practices and enabling organizations to prioritize and close security gaps faster than ever before.

In this post, we’ll delve into the latest features and improvements that make our line of Enterprise Appliances even more powerful tools for exposure management and cybersecurity compliance.

GOS 24.10 Brings All New Features

The Greenbone Security Assistant (GSA) is the IT administrator’s doorway into security visibility. From a high-level vantage, the GSA web-interface has a totally new look. The updated version features a modern minimalist look and feel, emphasizing utility and usability, while keeping Greenbone’s capabilities within reach. But the new look is just scratching the surface. Let’s review some deeper changes on the horizon.

The New Compliance Audit Report View

Cybersecurity compliance is increasingly important. New regulations across the EU such as the Digital Operational Resilience Act (DORA), the Network and Information Security Directive 2 (NIS2) and the Cyber Resilience Act (CRA) require organizations to take more proactive actions to protect digital infrastructure. Other forces such as cybersecurity insurance, the need for stronger third party oversight and accountability to customers are impacting how companies oversee their cybersecurity operations.

The GOS 24.10 update includes a brand new compliance-focused view designed to enhance insight into regulatory and policy alignment. The updated user-interface allows greater visibility into cybersecurity risks, supporting alignment with IT governance goals. It hosts compliance audit reports, new dashboard displays and filtering options. This helps keep compliance-focused data distinct from regular scan reports. Delta audit reports also highlight compliance progress with visual indicators and tooltips for easy identification.

EPSS Support Adds AI-Based Prioritization

As the number of new CVEs (Common Vulnerabilities and Exposures) continues to increase, prioritizing vulnerabilities to focus on the most high-impact threats is critical. The Exploit Prediction Scoring System (EPSS) is an AI-driven metric that estimates the likelihood of a CVE being exploited in the wild. EPSS applies machine learning (ML) to historical data to predict which new CVEs are at highest risk of active attack.

EPSS data is now integrated into our Enterprise Appliances. Regularly updated exploitation probabilities for every active CVE are now available in the Greenbone platform. Administrators can leverage up-to-date exploit probability scores and percentiles in addition to the traditional CVSS severity, empowering them to focus on the most critical, pressing vulnerabilities in their operations.
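As an added illustration of EPSS-aware prioritization (example code, not Greenbone’s implementation), the following Python parses a constructed excerpt in the layout of the FIRST.org EPSS CSV feed and orders findings by exploit probability, falling back to CVSS as the tie-breaker. The CVE IDs and CVSS scores are the ones discussed in this report; the EPSS values are made up.

```python
"""Rank findings by EPSS exploit probability alongside CVSS severity."""
import csv
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt in the layout of the FIRST.org EPSS CSV feed: a '#'
# metadata line, a header row, then cve,epss,percentile per CVE.  The CVE
# IDs are taken from this report; the scores are made up for the example.
EPSS_FEED = """\
#model_version:v2023.03.01,score_date:2025-02-28T00:00:00+0000
cve,epss,percentile
CVE-2024-0012,0.95,0.999
CVE-2023-34192,0.93,0.998
CVE-2024-47908,0.02,0.880
CVE-2025-22467,0.01,0.790
"""


def load_epss(feed_text: str) -> dict:
    """Parse the feed into {cve: (epss, percentile)}, skipping '#' metadata lines."""
    rows = [line for line in feed_text.splitlines() if not line.startswith("#")]
    return {r["cve"]: (float(r["epss"]), float(r["percentile"]))
            for r in csv.DictReader(rows)}


@dataclass
class Finding:
    cve: str
    cvss: float
    epss: Optional[float] = None
    percentile: Optional[float] = None


def prioritize(findings: list, scores: dict) -> list:
    """Order findings for remediation: highest EPSS first, CVSS as tie-breaker.

    A CVE absent from the feed (too new to be scored, or rejected) keeps
    epss=None and is listed after all scored findings, ordered by CVSS,
    rather than being silently dropped or treated as zero risk.
    """
    for f in findings:
        if f.cve in scores:
            f.epss, f.percentile = scores[f.cve]
    return sorted(findings,
                  key=lambda f: (f.epss is None, -(f.epss or 0.0), -f.cvss))


def by_cvss_only(findings: list) -> list:
    """The traditional severity-only ordering, for comparison."""
    return sorted(findings, key=lambda f: -f.cvss)


if __name__ == "__main__":
    findings = [Finding("CVE-2025-22467", 8.8), Finding("CVE-2024-47908", 7.2),
                Finding("CVE-2024-38657", 9.1), Finding("CVE-2023-34192", 9.0),
                Finding("CVE-2024-0012", 9.8)]
    # CVE-2024-38657 is deliberately missing from the constructed feed.
    for f in prioritize(findings, load_epss(EPSS_FEED)):
        print(f"{f.cve:16} CVSS {f.cvss:4} EPSS {f.epss} percentile {f.percentile}")
```

Note how CVE-2024-47908 (CVSS 7.2) ranks above CVE-2025-22467 (CVSS 8.8) once the exploit probability is taken into account, while the unscored CVE drops to the end of the list instead of disappearing.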

More Adaptable CSV and JSON Report Exporting Capabilities

Greenbone’s approach has always centered on simplicity and flexibility. As such, the solutions fit a wide spectrum of unique operational needs. GOS 24.10 introduces JSON formatted report exporting. Users can also now customize the fields in exported CSV and JSON reports. This allows reports to be customized directly from Greenbone to more precisely match report requirements and focus on what’s essential for analysis, compliance or decision-making.

Additional Backend Optimizations

To enhance the flexibility and accuracy of vulnerability matching, Greenbone has introduced several backend optimizations focused on CPE (Common Platform Enumeration) handling and feed management. Here is a look at what’s new:

  • The backend can convert CPEv2.3 strings to CPEv2.2 URIs, storing both versions for more reliable affected product matching. Future development may include advanced, on-the-fly matching, bringing even more precision to vulnerability assessments.
  • Greenbone Enterprise Appliances now support JSON-based CVE, CPE, EPSS, and CERT feeds and gzip data compression.
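To make the CPE 2.3 to CPE 2.2 conversion mentioned above concrete, here is an added Python example (not Greenbone’s backend code) that applies the binding rules of NISTIR 7695: ANY and NA handling, percent-encoding of quoted punctuation and wildcards, and packing of the four extended attributes into the edition field. The sample names are constructed; two of them are the worked examples from the specification.

```python
"""Bind CPE 2.3 formatted strings to CPE 2.2 URIs.

Follows the binding rules of NISTIR 7695 (the CPE 2.3 naming specification),
so that a backend can keep both forms of each name for product matching.
"""

# The eleven attributes of a CPE 2.3 formatted string, in order.
ATTRS = ("part", "vendor", "product", "version", "update", "edition",
         "language", "sw_edition", "target_sw", "target_hw", "other")


def split_formatted_string(fs: str) -> dict:
    """Split a formatted string on unescaped colons and map the fields to ATTRS."""
    fields, current, i = [], [], 0
    while i < len(fs):
        ch = fs[i]
        if ch == "\\" and i + 1 < len(fs):
            current.append(fs[i:i + 2])   # keep the escape pair together
            i += 2
            continue
        if ch == ":":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    if fields[:2] != ["cpe", "2.3"] or len(fields) != 13:
        raise ValueError(f"not a CPE 2.3 formatted string: {fs!r}")
    return dict(zip(ATTRS, fields[2:]))


def uri_component(value: str) -> str:
    """Transform one attribute value into its CPE 2.2 URI form.

    ANY ('*') becomes the empty string and NA ('-') stays '-'.  Otherwise
    alphanumerics and '_', '.', '-' pass through, the unquoted wildcards
    '?' and '*' become %01 and %02, and quoted punctuation is percent-encoded.
    """
    if value == "*":
        return ""
    if value == "-":
        return "-"
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":
            i += 1
            if i == len(value):
                raise ValueError(f"dangling escape in {value!r}")
            quoted = value[i]
            # A quoted '.', '-' or '_' is unreserved in the URI form.
            out.append(quoted if quoted in "._-" else "%%%02x" % ord(quoted))
        elif ch == "?":
            out.append("%01")
        elif ch == "*":
            out.append("%02")
        elif ch.isalnum() or ch in "._-":
            out.append(ch)
        else:
            raise ValueError(f"unquoted special character {ch!r} in {value!r}")
        i += 1
    return "".join(out)


def to_cpe22_uri(fs: str) -> str:
    """Bind a CPE 2.3 formatted string to a CPE 2.2 URI."""
    comps = {k: uri_component(v) for k, v in split_formatted_string(fs).items()}
    edition = comps["edition"]
    extended = [comps[k] for k in ("sw_edition", "target_sw", "target_hw", "other")]
    # CPE 2.2 has no fields for the four extended attributes.  When any of them
    # is set, all five are packed into 'edition' as
    # ~edition~sw_edition~target_sw~target_hw~other.
    if any(extended):
        edition = "~" + "~".join([edition] + extended)
    fields = [comps["part"], comps["vendor"], comps["product"], comps["version"],
              comps["update"], edition, comps["language"]]
    while fields and fields[-1] == "":      # trailing empty components may be dropped
        fields.pop()
    return "cpe:/" + ":".join(fields)


def store_both(fs: str) -> dict:
    """Return the pair a matching backend would keep for each product name."""
    return {"cpe23": fs, "cpe22": to_cpe22_uri(fs)}


if __name__ == "__main__":
    # Constructed sample names; the last two are the NISTIR 7695 worked examples.
    for sample in (
        "cpe:2.3:a:zimbra:collaboration:8.8.15:-:*:*:*:*:*:*",
        "cpe:2.3:a:hp:insight_diagnostics:7.4.0.1570:-:*:*:online:win2003:x64:*",
        r"cpe:2.3:a:foo\\bar:big\$money_2010:*:*:*:*:special:ipod_touch:80gb:*",
    ):
        print(store_both(sample))
```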

Summary

With the release of a new round of updates, Greenbone is strengthening the flagship Greenbone Enterprise Appliances. The updates introduce a modernized GSA web interface, a compliance-focused audit report view for improved visibility, and enhanced CSV and JSON exporting capabilities that give users control over report data. We’ve also added AI-based EPSS to the available options for vulnerability risk prioritization. Finally, backend optimizations ensure seamless compatibility with new CPE formats and JSON-based feeds. Together, these features add to Greenbone’s adaptable vulnerability management capabilities, allowing organizations to stay ahead of emerging threats with industry leading vulnerability detection and prioritization.

In 2024, geopolitical instability, marked by conflicts in Ukraine and the Middle East, emphasized the need for stronger cybersecurity in both the public and private sector. China targeted U.S. defense, utilities, internet providers and transportation, while Russia launched coordinated cyberattacks on U.S. and European nations, seeking to influence public opinion and create discord among Western allies over the Ukrainian war. As 2024 ends, we can look back at a hectic cybersecurity landscape on the edge.

2024 marked another record setting year for CVE (Common Vulnerabilities and Exposures) disclosures. Even if many are so-called “AI Slop” reports [1][2], the sheer volume of published vulnerabilities creates a big haystack. As IT security teams seek to find high-risk needles in a larger haystack, the chance of oversight increases. 2024 was also a record year for ransomware payouts in terms of volume and size, and for Denial of Service (DoS) attacks.

It also saw the NIST NVD outage, which affected many organizations around the world including security providers. Greenbone’s CVE scanner is a CPE (Common Platform Enumeration) matching function and has been affected by the NIST NVD outage. However, Greenbone’s primary scanning engine, OpenVAS Scanner, is unaffected. OpenVAS interacts directly with services and applications, allowing Greenbone’s engineers to build reliable vulnerability tests using the details from initial CVE reports.

In 2025, fortune will favor organizations that are prepared. Attackers are weaponizing cyber-intelligence faster; average time-to-exploit (TTE) is mere days, even hours. The rise of AI will create new challenges for cybersecurity. Alongside these advancements, traditional threats remain critical for cloud security and software supply chains. Security analysts predict that fundamental networking devices such as VPN gateways, firewalls and other edge devices will continue to be a hot target in 2025.

In this edition of our monthly Threat Report, we review the most pressing vulnerabilities and active exploitation campaigns that emerged in December 2024.

Mitel MiCollab: Zero-Day to Actively Exploited in a Flash

Once vulnerabilities are published, attackers are jumping on them with increased speed. Some vulnerabilities have public proof of concept (PoC) exploit code within hours, leaving defenders with minimal reaction time. In early December, researchers at GreyNoise observed exploitation of Mitel MiCollab the same day that PoC code was published. Mitel MiCollab combines voice, video, messaging, presence and conferencing into one platform. The new vulnerabilities have drawn alerts from the Belgian national Center for Cybersecurity, the Australian Signals Directorate (ASD) and the UK’s National Health Service (NHS) in addition to the American CISA (Cybersecurity and Infrastructure Security Agency). Patching the recent vulnerabilities in MiCollab is considered urgent.

Here are details about the new actively exploited CVEs in Mitel MiCollab:

  • CVE-2024-41713 (CVSS 7.8 High): A path traversal vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab allows unauthenticated path traversal by leveraging the “…/” technique in HTTP requests. Exploitation can expose highly sensitive files.
  • CVE-2024-35286 (CVSS 10 Critical): A SQL injection vulnerability has been identified in the NPM component of Mitel MiCollab which could allow a malicious actor to conduct a SQL injection attack.

Since mid-2022, CISA has tracked three additional actively exploited CVEs in Mitel products which are known to be leveraged in ransomware attacks. Greenbone is able to detect endpoints vulnerable to these high severity CVEs with active checks [4][5].

Array Networks SSL VPNs Exploited by Ransomware

CVE-2023-28461 (CVSS 9.8 Critical) is a Remote Code Execution (RCE) vulnerability in Array Networks Array AG Series and vxAG SSL VPN appliances. The devices, touted by the vendor as a preventative measure against ransomware, are now being actively exploited in recent ransomware attacks. Array Networks themselves were breached by the Dark Angels ransomware gang earlier this year [1][2].

According to recent reports, Array Networks holds a significant market share in the Application Delivery Controller (ADC) market. According to IDC’s WW Quarterly Ethernet Switch Tracker, it is the market leader in India, with a market share of 34.2%. Array Networks has released patches for affected products running ArrayOS AG 9.4.0.481 and earlier versions. The Greenbone Enterprise Feed has included a detection test for CVE-2023-28461 since it was disclosed in late March 2023.

CVE-2024-11667 in Zyxel Firewalls

CVE-2024-11667 (CVSS 9.8 Critical) in Zyxel firewall appliances is being actively exploited in ongoing ransomware attacks. A directory traversal vulnerability in the web management interface could allow an attacker to download or upload files via a maliciously crafted URL. Zyxel Communications is a Taiwanese company specializing in designing and manufacturing networking devices for businesses, service providers and consumers. Reports put Zyxel’s market share at roughly 4.2% of the ICT industry with a diverse global footprint including large Fortune 500 companies.

A defense in depth approach to cybersecurity is especially important in cases such as this. When attackers compromise a networking device such as a firewall, typically they are not immediately granted access to highly sensitive data. However, initial access allows attackers to monitor network traffic and enumerate the victim’s network in search of high value targets.

Zyxel advises updating your device to the latest firmware, temporarily disabling remote access if updates cannot be applied immediately and applying their best practices for securing distributed networks. CVE-2024-11667 affects Zyxel ATP series firmware versions V5.00 through V5.38, USG FLEX series firmware versions V5.00 through V5.38, USG FLEX 50(W) series firmware versions V5.10 through V5.38 and USG20(W)-VPN series firmware versions V5.10 through V5.38. Greenbone can detect the vulnerability CVE-2024-11667 across all affected products.

Critical Flaws in Apache Struts 2

CVE-2024-53677 (CVSS 9.8 Critical), an unrestricted file upload [CWE-434] flaw affecting Apache Struts 2, allows attackers to upload executable files into web-root directories. If a web shell is uploaded, the flaw may lead to unauthorized Remote Code Execution. Apache Struts is an open-source Java-based web-application framework widely used by the public and private sectors including government agencies, financial institutions and other large organizations [1]. Proof of concept (PoC) exploit code is publicly available, and CVE-2024-53677 is being actively exploited, increasing its risk.

The vulnerability was originally tracked as CVE-2023-50164, published in December 2023 [2][3]. However, similarly to a recent flaw in VMware vCenter, the original patch was ineffective, resulting in the re-emergence of the vulnerability. CVE-2024-53677 affects the FileUploadInterceptor component and thus applications not using this module are unaffected. Users should update their Struts 2 instance to version 6.4.0 or higher and migrate to the new file upload mechanism. Other new critical CVEs in popular open-source software (OSS) from Apache:

The Apache Software Foundation (ASF) follows a structured process across its projects that encourages private reporting and releasing patches prior to public disclosure, so patches are available for all CVEs mentioned above. Greenbone is able to detect systems vulnerable to CVE-2024-53677 and other recently disclosed vulnerabilities in ASF products.

Palo Alto’s Secure DNS Actively Exploited for DoS

CVE-2024-3393 (CVSS 8.7 High) is a DoS (Denial of Service) vulnerability in the DNS Security feature of PAN-OS. The flaw allows an unauthenticated attacker to reboot PA-Series firewalls, VM-Series firewalls, CN-Series firewalls and Prisma Access devices via malicious packets sent through the data plane. By repeatedly triggering this condition, attackers can cause the firewall to enter maintenance mode. CISA has identified CVE-2024-3393 as actively exploited; it joins five other actively exploited vulnerabilities in Palo Alto’s products over only the past two months.

According to the advisory posted by Palo Alto, only devices with a DNS Security License or Advanced DNS Security License and logging enabled are affected. It is a fair assumption that these conditions mean top-tier enterprise customers are the ones affected. Greenbone is able to detect the presence of devices affected by CVE-2024-3393 with a version detection test.

Microsoft Security in 2024: Who Left the Windows Open?

While it would be unfair to single out Microsoft for providing vulnerable software in 2024, the Redmond BigTech certainly didn’t beat security expectations. A total of 1,119 CVEs were disclosed in Microsoft products in 2024; 53 achieved critical severity (CVSS > 9.0), 43 were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, and at least four were known vectors for ransomware attacks. Although the comparison is rough, the Linux kernel saw more (3,148) new CVEs but only three were rated critical severity and only three were added to CISA KEV. Here are the details of the new actively exploited CVEs in Microsoft Windows:

  • CVE-2024-35250 (CVSS 7.8 High): A privilege escalation flaw allowing an attacker with local access to a system to gain system-level privileges. The vulnerability was discovered in April 2024, and PoC exploit code appeared online in October.
  • CVE-2024-49138 (CVSS 7.8 High): A heap-based buffer overflow [CWE-122] privilege escalation vulnerability; this time in the Microsoft Windows Common Log File System (CLFS) driver. Although no publicly available exploit exists, security researchers have evidence that this vulnerability can be exploited by crafting a malicious CLFS log to execute privileged commands at the system privilege level.

Detection and mitigation of these new Windows CVEs is critical since they are actively under attack. Both were patched in Microsoft’s December patch release. Greenbone is able to detect CVE-2024-35250 and CVE-2024-49138 as well as all other Microsoft vulnerabilities published as CVEs.

Summary

2024 highlighted the continuously challenging cybersecurity landscape with record-setting vulnerability disclosures, ransomware payouts, DoS attacks and an alarming rise in active exploitations. The rapid weaponization of vulnerabilities emphasizes the need for a continuous vulnerability management strategy and a defense-in-depth approach.

December saw new critical flaws in Mitel, Apache and Microsoft products. More network products, Array Networks VPNs and Zyxel firewalls, are now being exploited by ransomware threat actors, underscoring the urgency for proactive patching and robust detection measures. As we enter 2025, fortune will favor those prepared; organizations must stay vigilant to mitigate risks in an increasingly hostile cyber landscape.

The cybersecurity risk environment has been red hot through the first half of 2024. Critical vulnerabilities in even the most critical technologies are perpetually open to cyber attacks, and defenders face the continuous struggle to identify and remediate these relentlessly emerging security gaps. Large organizations are being targeted by sophisticated “big game hunting” campaigns by ransomware gangs seeking to hit the ransomware jackpot. The largest ransomware payout ever was reported in August: 75 million US dollars to the Dark Angels gang. Small and medium sized enterprises are targeted on a daily basis by automated “mass exploitation” attacks, also often seeking to deliver ransomware [1][2][3].

A quick look at CISA’s Top Routinely Exploited Vulnerabilities shows us that even though cyber criminals can turn new CVE (Common Vulnerabilities and Exposures) information into exploit code in a matter of days or even hours, older vulnerabilities from years past are still on their radar.

In this month’s Threat Tracking blog post, we will point out some of the top risks to enterprise cybersecurity, highlighting vulnerabilities recently reported as actively exploited and other critical vulnerabilities in enterprise IT products.

The BSI Improves LibreOffice’s Mitigation of Human Error

OpenSource Security, on behalf of the German Federal Office for Information Security (BSI), recently identified a secure-by-design flaw in LibreOffice. Tracked as CVE-2024-6472 (CVSS 7.8 High), it was found that users could enable unsigned macros embedded in LibreOffice documents, overriding the “high security mode” setting. While exploitation requires human interaction, the weakness created a false sense of security: that unsigned macros could not be executed when “high security mode” was enabled.

KeyTrap: DoS Attack Against DNSSEC

In February 2024, academics at the German National Research Center for Applied Cybersecurity (ATHENE) in Darmstadt disclosed “the worst attack on DNS ever discovered”. According to the researchers, a single packet can cause a “Denial of Service” (DoS) by exhausting a DNSSEC-validating DNS resolver. Dubbed “KeyTrap”, the weakness can be exploited to prevent clients using a compromised DNS server from accessing the internet or local network resources. The culprit is a design flaw in the current DNSSEC specification [RFC-9364] that dates back more than 20 years [RFC-3833].

Published in February 2024 and tracked as CVE-2023-50387 (CVSS 7.5 High), exploitation of the vulnerability is considered trivial and proof-of-concept code is available on GitHub. The availability of exploit code means that low skilled criminals can easily launch attacks. Greenbone can identify systems with vulnerable DNS applications impacted by CVE-2023-50387 with local security checks (LSC) for all operating systems.

CVE-2024-23897 in Jenkins Used to Breach Indian Bank

CVE-2024-23897 (CVSS 9.8 Critical) in Jenkins (versions 2.441 and LTS 2.426.2 and earlier) is being actively exploited and used in ransomware campaigns including one against the National Payments Corporation of India (NPCI). Jenkins is an open-source automation server used primarily for continuous integration (CI) and continuous delivery (CD) in software development operations (DevOps).

The Command Line Interface (CLI) in affected versions of Jenkins contains a path traversal vulnerability [CWE-35] caused by a feature that replaces the @-character followed by a file path with the file’s actual contents. This allows attackers to read the contents of sensitive files including those that provide unauthorized access and subsequent code execution. CVE-2024-23897 and its use in ransomware attacks follows a joint CISA and FBI alert for software vendors to address path traversal vulnerabilities [CWE-35] in their products. Greenbone includes an active check [1] and two version detection tests [2][3] for identifying vulnerable versions of Jenkins on Windows and Linux.

2 New Actively Exploited CVEs in String of Apache OFBiz Flaws

Apache OFBiz (Open For Business) is a popular open-source enterprise resource planning (ERP) and e-commerce software suite developed by the Apache Software Foundation. In August 2024, CISA alerted the cybersecurity community to active exploitation of Apache OFBiz via CVE-2024-38856 (CVSS 9.8 Critical) affecting versions before 18.12.13. CVE-2024-38856 is a path traversal vulnerability [CWE-35] that affects OFBiz’s “override view” functionality allowing unauthenticated attackers Remote Code Execution (RCE) on the affected system.

CVE-2024-38856 is a bypass of a previously patched vulnerability, CVE-2024-36104, published just in June 2024, indicating that the initial fix did not fully remediate the problem. This also builds upon another 2024 vulnerability in OFBiz, CVE-2024-32113 (CVSS 9.8 Critical), which was also being actively exploited to distribute the Mirai botnet. Finally, in early September 2024, two new critical severity CVEs, CVE-2024-45507 and CVE-2024-45195 (CVSS 9.8 Critical), were added to the list of threats impacting current versions of OFBiz.

Due to the notice of active exploitation and Proof-of-Concept (PoC) exploits being readily available for CVE-2024-38856 [1][2] and CVE-2024-32113 [1][2], affected users need to patch urgently. Greenbone can detect all aforementioned CVEs in Apache OFBiz with both active and version checks.

CVE-2022-0185 in the Linux Kernel Actively Exploited

CVE-2022-0185 (CVSS 8.4 High), a heap-based buffer overflow vulnerability in the Linux kernel, was added to CISA KEV in August 2024. Publicly available PoC exploit code and detailed technical descriptions of the vulnerability have contributed to the increase in cyber attacks exploiting CVE-2022-0185.

CVE-2022-0185 arises because the Linux kernel’s “legacy_parse_param()” function, part of the Filesystem Context functionality, does not properly verify the length of supplied parameters. This flaw allows an unprivileged local user to escalate their privileges to the root user.

Greenbone could detect CVE-2022-0185 since it was disclosed in early 2022 via vulnerability test modules covering a wide set of Linux distributions including Red Hat, Ubuntu, SuSE, Amazon Linux, Rocky Linux, Fedora, Oracle Linux and Enterprise products such as IBM Spectrum Protect Plus.

New VoIP and PBX Vulnerabilities

A handful of CVEs were published in August 2024 impacting enterprise voice communication systems. The vulnerabilities were disclosed in Cisco’s small business VoIP systems and Asterisk, a popular open-source PBX. Let’s dig into the specifics:

Cisco Small Business IP Phones Offer RCE and DoS

Three high severity vulnerabilities were disclosed that impact the web-management console of Cisco Small Business SPA300 Series and SPA500 Series IP Phones. While underscoring the importance of not exposing management consoles to the internet, these vulnerabilities also represent a vector for an insider or dormant attacker who has already gained access to an organization’s network to pivot their attacks to higher value assets and disrupt business operations.

Greenbone includes detection for all newly disclosed CVEs in Cisco Small Business IP Phones. Here is a brief technical description of each:

  • CVE-2024-20454 and CVE-2024-20450 (CVSS 9.8 Critical): An unauthenticated, remote attacker could execute arbitrary commands on the underlying operating system with root privileges because incoming HTTP packets are not properly checked for size, which could result in a buffer overflow.
  • CVE-2024-20451 (CVSS 7.5 High): An unauthenticated, remote attacker could cause an affected device to reload unexpectedly causing a Denial of Service because HTTP packets are not properly checked for size.

CVE-2024-42365 in Asterisk PBX Telephony Toolkit

Asterisk is an open-source private branch exchange (PBX) and telephony toolkit. PBX is a system used to manage internal and external call routing and can use traditional phone lines (analog or digital) or VoIP (IP PBX). CVE-2024-42365, published in August 2024, impacts versions of asterisk before 18.24.2, 20.9.2 and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2. An exploit module has also been published for the Metasploit attack framework adding to the risk, however, active exploitation in the wild has not yet been observed.

Greenbone can detect CVE-2024-42365 via network scans. Here is a brief technical description of the vulnerability:

  • CVE-2024-42365 (CVSS 8.8 High): An AMI user with “write=originate” may change all configuration files in the “/etc/asterisk/” directory. This occurs because they are able to curl remote files and write them to disk but are also able to append to existing files using the FILE function inside the SET application. This issue may result in privilege escalation, Remote Code Execution or blind server-side request forgery with arbitrary protocols.

Browsers: Perpetual Cybersecurity Threats

CVE-2024-7971 and CVE-2024-7965, two new CVSS 8.8 High severity vulnerabilities in the Chrome browser, are being actively exploited for RCE. Either CVE can be triggered when victims are tricked into simply visiting a malicious web page. Google acknowledges that exploit code is publicly available, giving even low skilled cyber criminals the ability to launch attacks. Google Chrome has seen a steady stream of new vulnerabilities and active exploitation in recent years. A quick inspection of Mozilla Firefox shows a similar continuous stream of critical and high severity CVEs; seven Critical and six High severity vulnerabilities were disclosed in Firefox during August 2024, although active exploitation of these has not been reported.

The continuous onslaught of vulnerabilities in major browsers underscores the need for diligence to ensure that updates are applied as soon as they become available. Due to Chrome’s high market share of over 65% (over 70% counting Chromium-based Microsoft Edge), its vulnerabilities receive increased attention from cyber criminals. Considering the high number of severe vulnerabilities impacting Chromium’s V8 engine (more than 40 so far in 2024), administrators of high-risk environments might consider disabling V8’s JIT optimizers for all users. V8 itself cannot be switched off without disabling JavaScript, but Chrome’s JIT-less mode removes the optimizing compilers in which many of these bugs live, at some performance cost; it is exposed as the “V8 optimizer” site setting and, for managed fleets, as the DefaultJavaScriptJitSetting enterprise policy with JavaScriptJitAllowedForSites for exceptions. Other options for hardening browser security in high-risk scenarios include remote browser isolation, network segmentation and booting from secure baseline images to ensure endpoints are not compromised.

Greenbone includes active authenticated vulnerability tests to identify vulnerable versions of browsers for Linux, Windows and macOS.

Summary

New critical and remotely exploitable vulnerabilities are being disclosed at record shattering rates amidst a red hot cyber risk environment. Asking IT security teams to manually track newly exposed vulnerabilities in addition to applying patches imposes an impossible burden and risks leaving critical vulnerabilities undetected and exposed. Vulnerability management is considered a fundamental cybersecurity activity; defenders of large, medium and small organizations need to employ tools such as Greenbone to automatically seek and report vulnerabilities across an organization’s IT infrastructure. 

Conducting automated network vulnerability scans and authenticated scans of each system’s host attack surface can dramatically reduce the workload on defenders, automatically providing them with a list of remediation tasks that is sortable according to threat severity.

OpenVAS began in 2005 when Nessus transitioned from open source to a proprietary license. Two companies, Intevation and DN Systems adopted the existing project and began evolving and maintaining it under a GPL v2.0 license. Since then, OpenVAS has evolved into Greenbone, the most widely-used and applauded open-source vulnerability scanner and vulnerability management solution in the world. We are proud to offer Greenbone as both a free Community Edition for developers and also as a range of enterprise products featuring our Greenbone Enterprise Feed to serve the public sector and private enterprises alike.

As the “old-dog” on the block, Greenbone is hip to the marketing games that cybersecurity vendors like to play. However, our own goals remain steadfast – to share the truth about our product and industry leading vulnerability test coverage. So, when we reviewed a recent 2024 network vulnerability scanner benchmark report published by a competitor, we were a little shocked to say the least.

As the most recognized open-source vulnerability scanner, it makes sense that Greenbone was included in the competition for top dog. However, while we are honored to be part of the test, some facts made us scratch our heads. You might say we have a “bone to pick” about the results. Let’s jump into the details.

What the 2024 Benchmark Results Found

The 2024 benchmark test conducted by Pentest-Tools ranked leading vulnerability scanners according to two factors: Detection Availability (the CVEs each scanner has detection tests for) and Detection Accuracy (how effective their detection tests are).

The benchmark pitted our free Community Edition of Greenbone and the Greenbone Community Feed against the enterprise products of other vendors: Qualys, Rapid7, Tenable, Nuclei, Nmap, and Pentest-Tools’ own product. The report ranked Greenbone 5th in Detection Availability and roughly tied for 4th place in Detection Accuracy. Not bad for going up against titans of the cybersecurity industry.

The only problem is, as mentioned above, Greenbone has an enterprise product too, and when the results are recalculated using our Greenbone Enterprise Feed, the findings are starkly different – Greenbone wins hands down.

Here is What we Found

 Bar chart from the 2024 benchmark for network vulnerability scanners: Greenbone Enterprise achieves the highest values with 78% availability and 61% accuracy

 

Our Enterprise Feed Detection Availability Leads the Pack

According to our own internal findings, which can be verified using our SecInfo Portal, the Greenbone Enterprise Feed has detection tests for 129 of the 164 CVEs included in the test. This means our Enterprise product’s Detection Availability is a staggering 70.5% higher than reported, placing us head and shoulders above the rest.

To be clear, the Greenbone Enterprise Feed tests aren’t something we added on after the fact. Greenbone updates both our Community and Enterprise Feeds on a daily basis and we are often the first to release vulnerability tests when a CVE is published. A review of our vulnerability test coverage shows they have been available from day one.

Our Detection Accuracy was far Underrated

And another thing. Greenbone isn’t like those other scanners. The way Greenbone is designed gives it strong industry leading advantages. For example, our scanner can be controlled via API allowing users to develop their own custom tools and control all the features of Greenbone in any way they like. Secondly, our Quality of Detection (QoD) ranking doesn’t even exist on most other vulnerability scanners.

The report author made it clear they simply used the default configuration for each scanner. However, without applying Greenbone’s QoD filter properly, the benchmark test failed to fairly assess Greenbone’s true CVE detection rate. Applying these findings Greenbone again comes out ahead of the pack, detecting an estimated 112 out of the 164 CVEs.

Summary

While we were honored that our Greenbone Community Edition ranked 5th in Detection Availability and tied for 4th in Detection Accuracy in a recently published network vulnerability scanner benchmark, these results fail to consider the true power of the Greenbone Enterprise Feed. It stands to reason that our Enterprise product should be in the running. After all, the benchmark included enterprise offerings from other vendors.

When recalculated using the Enterprise Feed, Greenbone’s Detection Availability leaps to 129 of the 164 CVEs on the test, 70.5% above what was reported. Also, using the default settings fails to account for Greenbone’s Quality of Detection (QoD) feature. When adjusted for these oversights, Greenbone ranks at the forefront of the competition. As the most used open-source vulnerability scanner in the world, Greenbone continues to lead in vulnerability coverage, timely publication of vulnerability tests, and truly enterprise grade features such as a flexible API architecture, advanced filtering, and Quality of Detection scores.

IT security teams don’t necessarily need to know what CSAF is, but on the other hand, familiarity with what’s happening “under the hood” of a vulnerability management platform can give context to how next-gen vulnerability management is evolving, and the advantages of automated vulnerability management. In this article, we take an introductory journey through CSAF 2.0, what it is, and how it seeks to benefit enterprise vulnerability management. 

Greenbone AG is an official partner of the German Federal Office for Information Security (BSI) to integrate technologies that leverage the CSAF 2.0 standard for automated cybersecurity advisories.

What is CSAF?

The Common Security Advisory Framework (CSAF) 2.0 is a standardized, machine-readable vulnerability advisory format. CSAF 2.0 enables the upstream cybersecurity intelligence community, including software and hardware vendors, governments, and independent researchers to provide information about vulnerabilities. Downstream, CSAF allows vulnerability information consumers to aggregate security advisories from a decentralized group of providers and automate risk assessment with more reliable information and less resource overhead.

By providing a standardized machine readable format, CSAF represents an evolution towards “next-gen” automated vulnerability management which can reduce the burden on IT security teams facing an ever increasing number of CVE disclosures, and improve risk-based decision making in the face of an “ad-hoc” approach to vulnerability intelligence sharing.

CSAF 2.0 is the replacement for the Common Vulnerability Reporting Framework (CVRF) v1.2 and extends its predecessor’s capabilities to offer greater flexibility.

Here are the key takeaways:

  • CSAF is an international open standard for machine readable vulnerability advisory documents, serialized as JSON.
  • CSAF aggregation is a decentralized model of distributing vulnerability information.
  • CSAF 2.0 is designed to enable next-gen automated enterprise vulnerability management.

The Traditional Process of Vulnerability Management

The traditional process of vulnerability management is a difficult process for large organizations with complex IT environments. The number of CVEs published each patch cycle has been increasing at an unmanageable pace [1][2]. In a traditional vulnerability management process, IT security teams collect vulnerability information manually via Internet searches. In this way, the process involves extensive manual effort to collect, analyze, and organize information from a variety of sources and ad-hoc document formats.

These sources typically include:

  • Vulnerability tracking databases such as NIST NVD
  • Product vendor security advisories
  • National and international CERT advisories
  • CVE numbering authority (CNA) assessments
  • Independent security research
  • Security intelligence platforms
  • Exploit code databases

The ultimate goal of conducting a well-informed risk assessment can be confounded during this process in several ways. Advisories, even those provided by the product vendor themselves, are often incomplete and come in a variety of non-standardized formats. This lack of cohesion makes data-driven decision making difficult and increases the probability of error.

Let’s briefly review the existing vulnerability information pipeline from both the creator and consumer perspectives:

The Vulnerability Disclosure Process

Common Vulnerabilities and Exposures (CVE) records published in the National Vulnerability Database (NVD) of the NIST (National Institute of Standards and Technology) represent the world’s most centralized global repository of vulnerability information. Here is an overview of how the vulnerability disclosure process works:

  1. Product vendors become aware of a security vulnerability from their own security testing or from independent security researchers, triggering an internal vulnerability disclosure policy into action. In other cases, independent security researchers may interact directly with a CVE Numbering Authority (CNA) to publish the vulnerability without prior consultation with the product vendor.
  2. A CVE Numbering Authority (CNA) assigns a unique tracking ID (the CVE ID) and publishes the record to the CVE List; aggregators such as NIST NVD and national CERTs then ingest it into centralized databases where product users and vulnerability management platforms such as Greenbone can become aware of it and track progress.
  3. Various stakeholders such as the product vendor, NIST NVD and independent researchers publish advisories that may or may not include remediation information, expected dates for official patches, a list of affected products, CVSS impact assessment and severity ratings, Common Platform Enumeration (CPE) or Common Weakness Enumeration (CWE).
  4. Other cyber-threat intelligence providers such as CISA’s Known Exploited Vulnerabilities (KEV) and First.org’s Exploit Prediction Scoring System (EPSS) provide additional risk context.

The Vulnerability Management Process

Product users are responsible for ingesting vulnerability information and applying it to mitigate the risk of exploitation. Here is an overview of the traditional enterprise vulnerability management process:

  1. Product users need to manually search CVE databases and monitor security advisories that pertain to their software and hardware assets or utilize a vulnerability management platform such as Greenbone which automatically aggregate the available ad-hoc threat advisories.
  2. Product users must match the available information to their IT asset inventory. This typically involves maintaining an asset inventory and conducting manual matching, or using a vulnerability scanning product to automate the process of building an asset inventory and executing vulnerability tests.
  3. IT security teams prioritize the discovered vulnerabilities according to the contextual risk presented to critical IT systems, business operations, and in some cases public safety.
  4. Remediation tasks are assigned according to the final risk assessment and available resources.

What is Wrong with Traditional Vulnerability Management?

Traditional or manual vulnerability management processes are operationally complex and lack efficiency. Aside from the operational difficulties of implementing software patches, the lack of accessible and reliable information bogs down efforts to effectively triage and remediate vulnerabilities. Using CVSS alone to assess risk has also been criticized [1][2] for lacking sufficient context to satisfy robust risk-based decision making. Although vulnerability management platforms such as Greenbone greatly reduce the burden on IT security teams, the overall process is still often plagued by time-consuming manual aggregation of ad-hoc vulnerability advisories that can often result in incomplete information.

Especially in the face of an ever increasing number of vulnerabilities, aggregating ad-hoc security information risks being too slow and introduces more human error, increasing vulnerability exposure time and confounding risk-based vulnerability prioritization.

Lack of Standardization Results in Ad-hoc Intelligence

The current vulnerability disclosure process lacks a formal method of distinguishing between reliable information provided by the product vendor and information provided by third parties, including the many independent researchers and organizations that act as CNAs. In fact, the official CVE website itself promotes how low the requirements for becoming a CNA are. This results in a large number of CVEs being issued without detailed context, forcing extensive manual enrichment downstream.

Which information is included depends on the CNA’s discretion and there is no way to classify the reliability of the information. As a simple example of the problem, the affected products in an ad-hoc advisory are often provided using a wide range of descriptors that need to be manually interpreted. For example:

  • Version 8.0.0 – 8.0.1
  • Version 8.1.5 and later
  • Version <= 8.1.5
  • Versions prior to 8.1.5
  • All versions < V8.1.5
  • 0, V8.1, V8.1.1, V8.1.2, V8.1.3, V8.1.4, V8.1.5

Scalability

Because vendors, assessors (CNAs), and aggregators utilize various distribution methods and formats for their advisories, the challenge of efficiently tracking and managing vulnerabilities becomes operationally complex and difficult to scale. Furthermore, the increasing rate of vulnerability disclosure exacerbates manual processes, overwhelms security teams, and increases the risk of error or delay in remediation efforts.

Difficult to Assess Risk Context

NIST SP 800-40r4 “Guide to Enterprise Patch Management Planning” Section 3 advises the application of enterprise level vulnerability metrics. Because risk ultimately depends on each vulnerability’s context – factors such as affected systems, potential impact, and exploitability – the current environment of ad-hoc security intelligence presents a significant barrier to robust risk-based vulnerability management.

How Does CSAF 2.0 Solve These Problems?

CSAF documents are, in essence, machine-readable threat advisories designed to optimize the vulnerability information supply chain. Instead of manually aggregating ad-hoc vulnerability data, product users can automatically collect CSAF advisories from trusted sources into an Advisory Management System that combines the core vulnerability management functions of asset matching and risk assessment. In this way, security content automation with CSAF aims to address the challenges of traditional vulnerability management by providing more reliable and efficient security intelligence, creating the potential for next-gen vulnerability management.

Here are some specific ways that CSAF 2.0 solves the problems of traditional vulnerability management:

More Reliable Security Information

CSAF 2.0 remedies the crux of ad-hoc security intelligence by standardizing several aspects of a vulnerability disclosure. For example, the affected version specifier fields allow standardized data such as Version Range Specifier (vers), Common Platform Enumeration (CPE), Package URL specification, CycloneDX SBOM as well as the product’s common name, serial number, model number, SKU or file hash to identify affected product versions.

In addition to standardizing product versions, CSAF 2.0 also supports Vulnerability Exploitability eXchange (VEX) for product vendors, trusted CSAF providers, or independent security researchers to explicitly declare product remediation status. VEX provides product users with recommendations for remedial actions.

The explicit VEX status declarations (with the corresponding CSAF 2.0 product_status keys in parentheses) are:

  • Not affected (known_not_affected): No remediation is required regarding a vulnerability.
  • Affected (known_affected): Actions are recommended to remediate or address a vulnerability.
  • Fixed (fixed): These product versions contain a fix for a vulnerability.
  • Under Investigation (under_investigation): It is not yet known whether these product versions are affected by a vulnerability. An update will be provided in a later release.

More Effective Use of Resources

CSAF enables several upstream and downstream optimizations to the traditional vulnerability management process. The OASIS CSAF 2.0 documentation includes descriptions of several compliance goals that enable cybersecurity administrators to automate their security operations for more efficient use of resources.

Here are some compliance targets referenced in the CSAF 2.0 documentation that support more effective use of resources above and beyond the traditional vulnerability management process:

  • Advisory Management System: A software system that consumes data and produces CSAF 2.0 compliant advisory documents. This allows CSAF producing teams to assess the quality of data being ingested at a point in time, verify, convert, and publish it as a valid CSAF 2.0 security advisory. This allows CSAF producers to optimize the efficiency of their information pipeline while verifying accurate advisories are published.
  • CSAF Management System: A program that can manage CSAF documents and is able to display their details as required by CSAF viewer. At the most fundamental level, this allows both upstream producers and downstream consumers of security advisories to view their content in a human readable format.
  • CSAF Asset Matching System / SBOM Matching System: A program that integrates with a database of IT assets including Software Bill of Materials (SBOM) and can match assets to any CSAF advisories. An asset matching system serves to provide a CSAF consuming organization with visibility into their IT infrastructure, identify where vulnerable products exist, and optimally provide automated risk assessment and remediation information.
  • Engineering System: A software analysis environment within which analysis tools execute. An engineering system might include a build system, a source control system, a result management system, a bug tracking system, a test execution system and so on.

Decentralized Cybersecurity Information

A recent outage of the NIST National Vulnerability Database (NVD) CVE enrichment process demonstrates how reliance on a single source of vulnerability information can be risky. CSAF is decentralized, allowing downstream vulnerability consumers to source and integrate information from a variety of sources. This decentralized model of intelligence sharing is more resilient to an outage by one information provider, while sharing the burden of vulnerability enrichment more effectively distributes the workload across a wider set of stakeholders.

Enterprise IT product vendors such as Red Hat and Cisco have already created their own CSAF and VEX feeds, while government cybersecurity agencies and national CERT programs such as the German Federal Office for Information Security (BSI) and the US Cybersecurity & Infrastructure Security Agency (CISA) have also developed CSAF 2.0 sharing capabilities.

The decentralized model also allows for multiple stakeholders to weigh in on a particular vulnerability providing downstream consumers with more context about a vulnerability. In other words, an information gap in one advisory may be filled by an alternative producer that provides the most accurate assessment or specialized analysis.

Improved Risk Assessment and Vulnerability Prioritization

Overall, the benefits of CSAF 2.0 contribute to more accurate and efficient risk assessment, prioritization and remediation efforts. Product vendors can directly publish reliable VEX advisories giving cybersecurity decision makers more timely and trustworthy remediation information. Also, the aggregate severity (aggregate_severity) object in CSAF 2.0 acts as a vehicle to convey reliable urgency and criticality information for a group of vulnerabilities, enabling a more unified risk analysis, and more data driven prioritization of remediation efforts, reducing the exposure time of critical vulnerabilities.
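To make the pieces described above concrete, here is an added example (not Greenbone’s code and not part of the OASIS CSAF project) of a minimal asset matching system: it walks the product_tree of a CSAF 2.0 VEX document, resolves a vers version range of the kind discussed under “More Reliable Security Information”, reads each product’s VEX status from product_status, pulls the matching remediation text and surfaces the document’s aggregate_severity. The advisory and the inventory are constructed for the example: the vendor “ExampleCorp”, the product “Widget”, the product IDs and the CVE ID are placeholders, required CSAF fields such as publisher and tracking are omitted for brevity, and the vers matcher is a simplification that only handles one contiguous range.

```python
"""Minimal CSAF 2.0 / VEX consumer acting as an asset matching system (added example)."""
import json
import re

# Constructed CSAF 2.0 document (required fields such as publisher and tracking omitted
# for brevity). Vendor, product and the CVE id are placeholders, not real identifiers.
ADVISORY = json.loads(r'''
{
  "document": {"category": "csaf_vex", "csaf_version": "2.0",
               "title": "Widget HTTP parser memory corruption (constructed)",
               "aggregate_severity": {"text": "Critical"}},
  "product_tree": {"branches": [{"category": "vendor", "name": "ExampleCorp", "branches": [
    {"category": "product_name", "name": "Widget", "branches": [
      {"category": "product_version_range", "name": "vers:semver/>=8.0.0|<8.1.5",
       "product": {"product_id": "CSAFPID-0001", "name": "ExampleCorp Widget < 8.1.5"}},
      {"category": "product_version", "name": "8.1.5",
       "product": {"product_id": "CSAFPID-0002", "name": "ExampleCorp Widget 8.1.5"}},
      {"category": "product_version", "name": "9.0.0",
       "product": {"product_id": "CSAFPID-0003", "name": "ExampleCorp Widget 9.0.0"}}
    ]}
  ]}]},
  "vulnerabilities": [{
    "cve": "CVE-0000-00000",
    "product_status": {"known_affected": ["CSAFPID-0001"], "fixed": ["CSAFPID-0002"],
                       "under_investigation": ["CSAFPID-0003"]},
    "remediations": [{"category": "vendor_fix", "details": "Upgrade Widget to 8.1.5 or later",
                      "product_ids": ["CSAFPID-0001"]}]
  }]
}
''')

# Constructed asset inventory: what an SBOM or an authenticated scan would hand the matcher.
INVENTORY = [
    {"host": "web-01", "product": "Widget", "version": "8.0.3"},
    {"host": "web-02", "product": "Widget", "version": "8.1.5"},
    {"host": "web-03", "product": "Widget", "version": "9.0.0"},
    {"host": "db-01", "product": "Gadget", "version": "1.0.0"},
]

STATUS_KEYS = ("known_affected", "known_not_affected", "fixed", "under_investigation")  # VEX states
_OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
        "<": lambda a, b: a < b, "!=": lambda a, b: a != b, "=": lambda a, b: a == b}


def parse_version(text):
    """'8.1.5' -> (8, 1, 5); adequate for semver-like schemes, not for e.g. Debian epochs."""
    return tuple(int(p) for p in re.findall(r"\d+", text)) or (0,)


def vers_match(spec, version):
    """Simplified 'vers:<scheme>/<constraint>|...' matcher. Constraints are ANDed, which
    covers one contiguous range like vers:semver/>=8.0.0|<8.1.5; the full vers
    algorithm also expresses unions of ranges, which this example does not."""
    m = re.fullmatch(r"vers:([A-Za-z0-9.+-]+)/(.+)", spec)
    if not m:
        raise ValueError(f"not a vers expression: {spec}")
    ver = parse_version(version)
    for constraint in m.group(2).split("|"):
        cm = re.fullmatch(r"(>=|<=|!=|>|<|=)?(.+)", constraint)
        if not _OPS[cm.group(1) or "="](ver, parse_version(cm.group(2))):
            return False
    return True


def leaf_products(branches, path=()):
    """Yield (product_id, {branch category: name}) for every product leaf in product_tree."""
    for branch in branches:
        here = path + ((branch["category"], branch["name"]),)
        if "product" in branch:
            yield branch["product"]["product_id"], dict(here)
        yield from leaf_products(branch.get("branches", []), here)


def product_matches(leaf, product, version):
    """Does an inventory entry fall under this product_tree leaf?"""
    if leaf.get("product_name") != product:
        return False
    if "product_version_range" in leaf:
        return vers_match(leaf["product_version_range"], version)
    if "product_version" in leaf:
        return parse_version(leaf["product_version"]) == parse_version(version)
    return False


def match_inventory(advisory, inventory):
    """One finding per (asset, CVE): VEX status, remediation text and aggregate severity."""
    severity = advisory["document"].get("aggregate_severity", {}).get("text")
    leaves = list(leaf_products(advisory["product_tree"]["branches"]))
    findings = []
    for asset in inventory:
        for pid, leaf in leaves:
            if not product_matches(leaf, asset["product"], asset["version"]):
                continue
            for vuln in advisory["vulnerabilities"]:
                status = next((k for k in STATUS_KEYS
                               if pid in vuln.get("product_status", {}).get(k, [])), None)
                if status is None:
                    continue
                fixes = [r["details"] for r in vuln.get("remediations", [])
                         if pid in r.get("product_ids", [])]
                findings.append({"host": asset["host"], "product_id": pid, "cve": vuln["cve"],
                                 "status": status, "remediation": fixes,
                                 "aggregate_severity": severity})
    return findings


if __name__ == "__main__":
    for f in match_inventory(ADVISORY, INVENTORY):
        print(f["host"], f["cve"], f["status"], f["aggregate_severity"], f["remediation"])
```

Running it classifies web-01 (8.0.3, inside the vers range) as known_affected with the vendor_fix text attached, web-02 (8.1.5) as fixed, web-03 (9.0.0) as under_investigation, and produces nothing for db-01 because its product does not appear in the product_tree. The point of the exercise is what is absent: no regular expressions over prose like “Versions prior to 8.1.5”, no guessing which party’s assessment a status came from, and the severity for prioritization is read from one field rather than reconciled across several advisories. A production matcher would identify products via the product_identification_helper (CPE, purl, hashes) rather than by name and would implement the full vers algorithm.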

Summary

Traditional vulnerability management processes are plagued by lack of standardization resulting in reliability and scalability issues and increasing the difficulty of assessing risk context and the likelihood of error.

The Common Security Advisory Framework (CSAF) 2.0 seeks to revolutionize the existing process of vulnerability management by enabling more reliable, automated vulnerability intelligence gathering. By providing a standardized machine-readable format for sharing cybersecurity vulnerability information, and decentralizing its source, CSAF 2.0 empowers organizations to harness more reliable security information to achieve more accurate, efficient, and consistent vulnerability management operations.

Greenbone AG is an official partner of the German Federal Office for Information Security (BSI) to integrate technologies that leverage the CSAF 2.0 standard for automated cybersecurity advisories.

March 2024 was another eventful month for vulnerabilities and cybersecurity in general. It was the second consecutive month of lapsed Common Vulnerabilities and Exposures (CVE) enrichment, putting defenders in a precarious position with reduced risk visibility. The Linux kernel continued its elevated pace of vulnerability disclosures and was commissioned as a new CVE Numbering Authority (CNA). In addition, several critical vulnerabilities were added to CISA’s Known Exploited Vulnerabilities (KEV) list, including ones in Microsoft Windows, Fortinet FortiClientEMS, all the major browsers, and the Continuous Integration and Delivery software of JetBrains.

Here’s a quick review of March 2024’s most impactful cybersecurity events.

The NIST NVD Disruption

NIST’s National Vulnerability Database (NVD) team largely abandoned CVE Enrichment in February 2024 with no warning. NIST NVD slowed to a CVE enrichment rate of just over 5% during March and it became obvious that the abrupt halt was not just a short-term outage. Disruption of CVE enrichment puts cybersecurity operations around the world at a big disadvantage because the NVD is the largest centralized repository of vulnerability severity information. Without severity enrichment, cybersecurity admins are left with very little information for vulnerability prioritization and risk management decision making.

Experts in the cybersecurity community traded public speculation until the VulnCon & Annual CNA Summit, where NIST’s Tanya Brewer announced that the non-regulatory US government agency would hand some aspects of NVD management to an industry consortium. Brewer did not explain the exact cause of the outage, but outlined several goals for the NVD going forward:

  • Allowing more outside parties to submit enrichment data
  • Improving the NVD’s software identification capabilities
  • Adding new types of threat intelligence data such as EPSS and the NIST Bugs Framework
  • Improving the NVD data’s usability and supporting new use cases
  • Automating some aspects of CVE analysis

Plenty Going On “In The Linux Kernel”

A total of 259 CVEs were disclosed in March 2024 with a description that began with “In the Linux kernel”, making it the second most active month ever for Linux kernel vulnerability disclosures; the all-time record was set one month earlier, in February, with 279 CVEs issued. March also marked a new milestone for the Linux kernel project, as kernel.org was inducted as a CVE Numbering Authority (CNA) and now assumes the role of assigning and enriching CVEs that impact the Linux kernel. Going forward, kernel.org states that CVEs will only be issued for discovered vulnerabilities after a fix is available, and only for versions of the Linux kernel that are actively supported.

Multiple High Severity Vulnerabilities In Fortinet Products

Several High and Critical severity vulnerabilities in Fortinet FortiOS, FortiProxy, FortiManager and FortiClientEMS were disclosed. Of these, CVE-2023-48788 has been added to CISA’s KEV catalog, and its risk is further compounded by a publicly available proof-of-concept (PoC) exploit. CVE-2023-48788 is notably an SQL Injection [CWE-89] vulnerability, but because FortiClientEMS is backed by Microsoft SQL Server it can be chained into remote code execution (RCE) through the xp_cmdshell extended stored procedure. xp_cmdshell is disabled by default, but researchers have shown that the same injection can first enable it via sp_configure and then invoke it.

Greenbone has a network vulnerability test (NVT) that can identify systems affected by CVE-2023-48788, local security checks (LSCs) [1][2] that can identify systems affected by CVE-2023-42790 and CVE-2023-42789, and another LSC to identify systems affected by CVE-2023-36554. A proof-of-concept exploit for CVE-2023-3655 has been posted to GitHub.

  • CVE-2023-48788 (CVSS 9.8 Critical): A SQL Injection vulnerability allowing an attacker to execute unauthorized code or commands via specially crafted packets in Fortinet FortiClientEMS version 7.2.0 through 7.2.2.
  • CVE-2023-42789 (CVSS 9.8 Critical): An out-of-bounds write in Fortinet FortiOS allows an attacker to execute unauthorized code or commands via specially crafted HTTP requests. Affected products include FortiOS 7.4.0 through 7.4.1, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, FortiProxy 7.4.0, 7.2.0 through 7.2.6, 7.0.0 through 7.0.12, 2.0.0 through 2.0.13.
  • CVE-2023-42790 (CVSS 8.1 High): A stack-based buffer overflow in Fortinet FortiOS allows an attacker to execute unauthorized code or commands via specially crafted HTTP requests. Affected products include FortiOS 7.4.0 through 7.4.1, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, FortiProxy 7.4.0, 7.2.0 through 7.2.6, 7.0.0 through 7.0.12, 2.0.0 through 2.0.13.
  • CVE-2023-36554 (CVSS 9.8 Critical): FortiManager is prone to an improper access control vulnerability in backup and restore features that can allow attackers to execute unauthorized code or commands via specially crafted HTTP requests. Affected products are FortiManager version 7.4.0, version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.10, version 6.4.0 through 6.4.13 and 6.2, all versions.

Zero Days In All Major Browsers

Pwn2Own, the hacking competition held alongside the CanSecWest security conference, took place on March 20th to 22nd. At this year’s event, 29 distinct zero-days were demonstrated and over one million dollars in prize money was awarded to security researchers. Independent entrant Manfred Paul earned a total of $202,500, including $100,000 for two zero-day sandbox-escape vulnerabilities in Mozilla Firefox. Mozilla quickly patched them in Firefox 124.0.1.

Manfred Paul also achieved remote code execution (RCE) in Apple’s Safari by combining a Pointer Authentication Code (PAC) [D3-PAN] bypass with an integer underflow [CWE-191] zero-day. PACs on Apple’s arm64 platforms are short cryptographic authentication codes stored in the otherwise unused upper bits of a pointer and verified before the pointer is used, so that a pointer corrupted by a memory-safety bug fails verification instead of hijacking control flow. PAC has been bypassed before for RCE in Safari. Paul also defeated Google Chrome and Microsoft Edge via an Improper Validation of Specified Quantity in Input [CWE-1284] vulnerability to complete the browser exploit trifecta.

The fact all major browsers were breached underscores the high risk of visiting untrusted Internet sites and the overall lack of security provided by major browser vendors. Greenbone includes tests to identify vulnerable versions of Firefox and Chrome.

  • CVE-2024-29943 (CVSS 10 Critical): An attacker was able to exploit Firefox via an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination. This vulnerability affects versions of Firefox before 124.0.1.
  • CVE-2024-29944 (CVSS 10 Critical): Firefox incorrectly handled Message Manager listeners allowing an attacker to inject an event handler into a privileged object to execute arbitrary code.
  • CVE-2024-2887 (High Severity): A type confusion [CWE-843] vulnerability in the Chromium browser’s implementation of WebAssembly (Wasm).

New Actively Exploited Microsoft Vulnerabilities

Microsoft’s March 2024 security advisory included a total of 61 vulnerabilities impacting many products. The Windows kernel had the most CVEs disclosed with a total of eight, five of which are rated high severity. Microsoft WDAC OLE DB provider for SQL, Windows ODBC Driver, SQL Server, and Microsoft WDAC ODBC Driver combined to account for ten high severity CVEs. There are no workarounds for any vulnerabilities in the group meaning that updates must be applied to all affected products. Greenbone includes vulnerability tests to detect the newly disclosed vulnerabilities from Microsoft’s March 2024 security advisory.

Microsoft has so far tagged six of its new March 2024 vulnerabilities as “Exploitation More Likely”, while two vulnerabilities affecting Microsoft products were added to the CISA KEV catalog in March: CVE-2023-29360 (CVSS 8.4 High), an elevation-of-privilege flaw in the Microsoft Streaming Service that was published in 2023, and CVE-2024-21338 (CVSS 7.8 High), an elevation-of-privilege flaw in the Windows kernel.

CVE-2024-27198: Critical Severity CVE In JetBrains TeamCity

TeamCity is a popular continuous integration and continuous delivery (CI/CD) server developed by JetBrains, the same company behind other widely-used development tools like IntelliJ IDEA, the leading Kotlin Integrated Development Environment (IDE), and PyCharm, an IDE for Python. TeamCity is designed to help software development teams automate and streamline their build, test, and deployment processes and competes with other CI/CD platforms such as Jenkins, GitLab CI/CD, Travis CI, and Azure DevOps, among others. TeamCity is estimated to hold almost 6% of the total Continuous Integration And Delivery market share and ranks third overall, while according to JetBrains, over 15.9 million developers use their products, including 90 of the Fortune Global Top 100 companies.

Given JetBrains’ market position, a critical severity vulnerability in one of their products will quickly attract the attention of threat actors. Within three days of CVE-2024-27198 being published it was added to the CISA KEV catalog. The Greenbone Enterprise Feed includes tests to identify affected products, including a version check and an active check that sends a crafted HTTP GET request and analyzes the response.

When combined, CVE-2024-27198 (CVSS 9.8 Critical) and CVE-2024-27199 allow an attacker to bypass authentication using an alternative path or channel [CWE-288] to read protected files including those outside of the restricted directory [CWE-23] and perform limited admin actions.

Summary

March 2024 was another fever-pitched month for software vulnerabilities due to the NIST NVD outage and active exploitation of several vulnerabilities in enterprise and consumer software products. On the bright side, several zero-day vulnerabilities impacting all major browsers were identified and patched.

However, the fact that a single researcher was able to exploit all major browsers so quickly is a serious wake-up call for all organizations, since the browser plays such a fundamental role in modern enterprise operations. Vulnerability management remains a core element of cybersecurity strategy, and regularly scanning IT infrastructure for vulnerabilities ensures that the latest threats can be identified for remediation, closing the gaps that attackers seek to exploit for access to critical systems and data.