Tag Archive for: Cyber Resilience

Greenbone AG

IT security update November 2023: Critical vulnerabilities and threats

In the November 2023 commVT Intelligence Update, several critical vulnerabilities and security threats have come to light. Cisco’s Internetworking Operating System (IOS) XE Software Web User Interface (UI) was found to be vulnerable to two actively exploited critical vulnerabilities, allowing attackers to execute arbitrary code remotely. The curl command-line tool, widely used across various platforms, faced a serious vulnerability that could result in arbitrary code execution during SOCKS5 proxy handshakes. VMware is urging immediate updates for its vCenter Server due to a critical vulnerability potentially leading to remote code execution. Multiple vulnerabilities were found in versions of PHP 8; one is a particularly critical deserialization vulnerability in the PHAR extraction process. Additionally, SolarWinds Access Rights Manager (ARM) was found susceptible to multiple critical vulnerabilities, emphasizing the urgency to update to version 2023.2.1. Lastly, two F5 BIG-IP vulnerabilities were discovered to be actively exploited, with mitigation options available and outlined below.

Cisco IOS XE: Multiple Critical Vulnerabilities

Two actively exploited critical CVSS 10 vulnerabilities were discovered in Cisco’s Internetworking Operating System (IOS) XE Software Web User Interface (UI); CVE-2023-20198 and CVE-2023-20273. Combined, they allow an attacker to remotely execute arbitrary code as the system user and are estimated to have been used to exploit tens of thousands of vulnerable devices within the past few weeks. Greenbone has added detection for both the vulnerable product by version [1], and another aimed at detecting the BadCandy implanted configuration file [2]. Both are VTs included in Greenbone’s Enterprise vulnerability feed.

Cisco IOS was created in the 1980s and used as the embedded OS in the networking technology giant’s routers. Fast forward to 2023, IOS XE is a leading enterprise networking full-stack software solution that powers Cisco platforms for access, distribution, core, wireless, and WAN. IOS XE is Linux-based, and specially optimized for networking and IT infrastructure, routing, switching, network security, and management. Cisco devices are pervasive in global IT infrastructure and used by organizations of all sizes, including large-scale enterprises, government agencies, critical infrastructure, and educational institutions.

Here’s how the two recently disclosed CVEs work:

CVE-2023-20198 (CVSS 10 Critical): Allows a remote, unauthenticated attacker to create an account [T1136] on an affected system with privilege level 15 (aka privileged EXEC level) access [CWE-269]. Privilege level 15 is the highest level of access to Cisco IOS. The attacker can then use that account to gain control of the affected system.
CVE-2023-20273 (CVSS 7.2 High): A regular user logged into the IOS XE web UI, can inject commands [CWE-77] that are subsequently executed on the underlying system with the system (root) privileges. This vulnerability is caused by insufficient input validation [CWE-20]. CVE is also associated with a Lua-based web-shell [T1505.003] implant dubbed “BadCandy”. BadCandy consists of an Nginx configuration file named `cisco_service.conf` that establishes a URI path to interact with the web-shell implant but requires the webserver to be restarted.

Cisco has released software updates for mitigating both CVEs in IOS XE software releases, including versions 17.9, 17.6, 17.3, and 16.12 as well as available Software Maintenance Upgrades (SMUs) and IT security teams are strongly advised to urgently install them. Cisco has also released associated indicators of compromise (IoC), Snort rules for detecting active attacks, and a TAC Technical FAQs page. Disabling the web UI prevents exploitation of these vulnerabilities and may be suitable mitigation until affected devices can be upgraded. Publicly released proof of concept (PoC) code [1][2] and a Metasploit module further increase the urgency to apply the available security updates.

Critical Vulnerability In The Curl Tool

A widespread vulnerability has been discovered in the popular curl command line tool, libcurl, and the many software applications that leverage them across a wide number of platforms. Tracked as CVE-2023-38545 (CVSS 9.8 Critical), the flaw makes curl overflow a heap-based buffer [CWE-122]] in the SOCKS5 proxy handshake that can result in arbitrary code execution [T1203]. Greenbone’s community feed includes several NVTs [1] to detect many of the affected software products and will add additional detections for CVE-2023-38545 as more vulnerable products are identified.

CVE-2023-38545 is a client-side vulnerability exploitable when passing a hostname to the SOCKS5 proxy that exceeds the maximum length of 255 bytes. If supplied with an excessively long hostname, curl is supposed to use local name resolution and pass it on to the resolved address only. However, due to the CVE-2023-38545 flaw, curl may actually copy the overly long hostname to the target buffer instead of copying just the resolved address there. The target buffer, being a heap-based buffer, and the hostname coming from the URL results in the heap-based overflow.

While the severity of the vulnerability is considered high because it can be exploited remotely and has a high impact to the confidentiality, integrity, and availability (CIA) of the underlying system, the SOCKS5 proxy method is not the default connection mode and must be declared explicitly. Additionally, for an overflow to happen an attacker also needs to cause a slow enough SOCKS5 handshake to trigger the bug. All versions of curl are affected between v7.69.0 (released March 4th, 2020) until v8.3.0. The vulnerable code was patched in v8.4.0 commit 4a4b63daaa.

VMware vCenter Server: Multiple Vulnerabilities

CVE-2023-34048 is a critical severity vulnerability that could allow a malicious actor with network access to vCenter Server to cause an out-of-bounds write [CWE-787] potentially leading to remote code execution (RCE). The affected software includes VMware vCenter Server versions 6.5, 6.7, 7.0, and 8.0. VMWare has issued a security advisory to address both vulnerabilities which states that there are no known mitigations other than installing the provided updates. Both vulnerabilities can be detected by Greenbone’s enterprise vulnerability feed [1]. The vCenter Server patch also fixes CVE-2023-34056, a medium-severity information disclosure resulting from improper authorization [CWE-285].

Although there are no reports that CVE-2023-34048 is being actively exploited in the wild attackers have proven adept at swiftly converting threat intelligence into exploit code. Research by Palo Alto Networks Unit 42 threat research group shows that on average an exploit is published 37 days after a security patch is released.

Here are some brief details on both CVEs:

CVE-2023-34048 (CVSS 9.8 Critical): vCenter Server contains an out-of-bounds write [CWE-787] vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability to achieve remote code execution (RCE). The Distributed Computing Environment Remote Procedure Call (DCERPC) protocol facilitates remote procedure calls (RPC) in distributed computing environments, allowing applications to communicate and invoke functions across networked systems.
CVE-2023-34056 (CVSS 4.3 Medium): vCenter Server contains a partial information disclosure vulnerability. A malicious actor with non-administrative privileges to vCenter Server may leverage this issue to access unauthorized data.

Multiple Vulnerabilities Discovered In PHP 8

Several vulnerabilities were identified in PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3. Although the group of vulnerabilities does include one critical and two high-severity vulnerabilities, these require particular contexts to be present for exploitation; either deserializing PHP applications using PHAR or else using PHP’s core path resolution functions on untrusted input. Greenbone’s enterprise VT feed includes multiple detection tests for these vulnerabilities across multiple platforms.

Here are brief descriptions of the most severe recent PHP 8 vulnerabilities:

CVE-2023-3824 (CVSS 9.8 Critical): A PHAR file (short for PHP Archive) is a compressed packaging format in PHP, which is used to distribute and deploy complete PHP applications in a single archive file. While reading directory entries during the PHAR archive loading process, insufficient length checking may lead to a stack buffer overflow [CWE-121], potentially leading to memory corruption or remote code execution (RCE).
CVE-2023-0568 (CVSS 8.1 High): PHP’s core path resolution function allocates a buffer one byte too small. When resolving paths with lengths close to the system `MAXPATHLEN` setting, this may lead to the byte after the allocated buffer being overwritten with NULL value, which might lead to unauthorized data access or modification. PHP’s core path resolution is used for the `realpath()` and `dirname()` functions, when including other files using the `include()`, `include_once()`, `require()`, and `require_once()`, and during the process of resolving PHP’s “magic” constants” such as `__FILE__` and `__DIR__`.
CVE-2023-0567 (CVSS 6.2 Medium): PHP’s `password_verify()` function may accept some invalid Blowfish hashes as valid. If such an invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid [CWE-287]. Notably, this vulnerability has been assigned different CVSS scores by NIST (CVSS 6.2 Medium) and the PHP group CNA (CVSS 7.7 High), the difference being that the PHP Group CNA considers CVE-2023-0567 a high risk to confidentiality while NIST does not. CNAs are a group of independent vendors, researchers, open source software developers, CERT, hosted service, and bug bounty organizations authorized by the CVE Program to assign CVE IDs and publish CVE records within their own specific scopes of coverage.

SolarWinds Access Rights Manager (ARM): Multiple Critical Vulnerabilities

SolarWinds Access Rights Manager (ARM) prior to version 2023.2.1 is vulnerable to 8 different exploits; one critical and two additional high-severity vulnerabilities (CVE-2023-35182, CVE-2023-35185, and CVE-2023-35187). These include authenticated and unauthenticated privilege escalation [CWE-269], directory traversal [CWE-22], and remote code execution (RCE) at the most privileged “SYSTEM” level. Greebone’s Enterprise vulnerability feed includes both local security check (LSC) [1] and remote HTTP detection [2].

SolarWinds ARM is an enterprise access control software for Windows Active Directory (AD) networks and other resources such as Windows File Servers, Microsoft Exchange services, and Microsoft SharePoint as well as virtualization environments, cloud services, NAS devices, and more. The widespread use of ARM and other SolarWinds software products means that its vulnerabilities have a high potential to impact a wide range of large organizations including critical infrastructure.

These and more recent vulnerabilities are disclosed in SolarWinds’ security advisories. Although no reports of active exploitation have been released, mitigation is highly recommended and available by installing SolarWinds ARM version 2023.2.1.

F5 BIG-IP: Unauthenticated RCE And Authenticated SQL Injection Vulnerabilities

Two RCE vulnerabilities in F5 BIG-IP, CVE-2023-46747 (CVSS 9.8 Critical) and CVE-2023-46748 (CVSS 8.8 High), have been observed by CISA to be actively exploited in the wild soon after PoC code was released for CVE-2023-46747. A Metasploit exploit module has also since been published. F5 BIG-IP is a family of hardware and software IT security products for ensuring that applications are always secure and perform the way they should. The platform is produced by F5 Networks, and it focuses on application services ranging from access and delivery to security. Greenbone has added detection for both CVEs [1][2].

CVE-2023-46747 is a remote authentication bypass [CWE-288] vulnerability while CVE-2023-46748 is a remote SQL injection vulnerability [CWE-89] that can only be exploited by an authenticated user. The affected products include the second minor release (X.1) for major versions 14-17 of BIG-IP Advanced Firewall Manager (AFM) and F5 Networks BIG-IP Application Security Manager (ASM).

If you are running an affected version you can eliminate this vulnerability by installing the vendor-provided HOTFIX updates [1][2]. The term “hotfix” implies that the patch can be applied to a system while it is running and operational, without the need for a shutdown or reboot. If updating is not an option, CVE-2023-46747 can be mitigated by downloading and running a bash script that adds or updates the `requiredSecret` attribute in the Tomcat configuration, which is used for authentication between Apache and Tomcat, and CVE-2023-46748 can be mitigated by restricting access to the Configuration utility to allow only trusted networks or devices, and ensuring only trusted user accounts exist thereby limiting the attack surface.


Contact Free Trial Buy Here Back to Overview

/by
Markus Feilner

CVE News: Critical vulnerabilities Atlassian and F5 Big vulnerability tests released by Greenbone

Our developers have provided vulnerability tests for two critical vulnerabilities in widely used enterprise software. Within a very short time, tests for CVE 2023-22518 und CVE 2023-46747 were integrated, and customers of Greenbone’s Enterprise Feed were protected.

Knowledge management tools Confluence and Jira from Australian vendor Atlassian have been hit by a serious security vulnerability, rated 9.8 out of 10 on the CERT scale. Since November 8, CVE 2023-22518 has been actively exploited by attackers gaining unauthorized access to company data, according to media reports.

According to the company, the “authentication flaw” affects all versions of Confluence Data Center and Server, but not the cloud version at Atlassian itself. For anyone else, including users of Jira, but especially all publicly accessible Confluence servers, there is a “high risk and need to take immediate action”, writes Atlassian.

We reacted quickly and provided our customers with appropriate tests before ransomware attacks could be successful. Customers of the Greenbone Enterprise Feed were warned and reminded of the patch via update.

Remote code execution: F5 BIG-IP allows request smuggling

Also at the end of October, security researchers from Praetorian Labs discovered a serious vulnerability (CVE-2023-46747) in the products of application security expert F5. The American company’s solutions are designed to protect large networks and software environments; the software, which was launched in 1997 as a load balancer, is primarily used in large enterprises.

However, according to the experts, attackers can remotely execute code on the BIG-IP servers by adding arbitrary system commands to the administration tools via manipulated URLs. Details can be found at Praetorian; patches are available, and a long list of BIG-IP products of versions 13, 14, 15, 16, and 17 are affected, both in hardware and software.

We reacted quickly and integrated tests into its vulnerability scanners on the same day, which test the BIG-IP installations at Greenbone Enterprise for vulnerable versions and, if necessary, point to the patches listed at F5.

Our vulnerability management products, the Greenbone Enterprise Appliances, offer the best protection.

Professional vulnerability management is an indispensable part of IT security. It enables the early detection of risks and provides valuable instructions for their elimination.
The Greenbone Enterprise Feed is updated daily to detect new vulnerabilities. We therefore recommend that you regularly update and scan all your systems. Please also read this article on IT security and the timeline of common attack vectors.


Contact Free Trial Buy Here Back to Overview

/by
Elmar Geese

Current Report on the State of IT Security in Germany 2023

On November 2, Federal Minister of the Interior Nancy Faeser and Claudia Plattner, President of the Federal Office for Information Security (BSI), presented the latest report on the state of IT security in Germany. Attacks with ransomware represent the largest and most frequent risk, but by far not the only one. As long as these attacks cannot be completely prevented, systems must become more secure in order to prevent or at least reduce damage.

In Germany, there are a number of initiatives to improve vulnerability management. These include the National IT Security Act (IT-SiG) and the BSI’s IT-Grundschutz Compendium. The “nationwide situation picture” rightly called for by BSI President Claudia Plattner can thus map the threat situation to the situation of vulnerable systems, thereby helping to warn in advance and respond quickly and effectively in the specific event of an attack.

“Digitization makes many things in our everyday lives easier. At the same time, it creates new areas of attack,” says Federal Minister of the Interior Nancy Faeser. We need to counter the growing risks posed by progressive networking with automated tools and processes. By using them, companies and organizations can better protect their IT systems and reduce the probability of a successful cyber attack.

Insecure systems make it easier for attackers to cause damage. Improving vulnerability management is therefore an important step toward increasing IT security in Germany.Insecure systems make it easier for attackers to wreak havoc. Improving vulnerability management is therefore an important step towards increasing IT security in Germany.

Contact Free Trial Buy Here Back to Overview

/by
Greenbone AG

Critical vulnerability in Citrix Netscaler: Greenbone provides tests

On October 10th, Citrix officially informed about the vulnerability in the Netscaler software, CVE-2023-4966, which is categorized as “critical” according to CVSS with a score of 9.4 and allows unauthorized access to corporate networks.

Greenbone has reacted to these vulnerabilities and implemented vulnerability tests at an early stage. Greenbone customers using the Citrix Netscaler Gateway, or ADC, are therefore on the safe side.

Nevertheless, the vulnerability is serious, which is why the BSI issues an urgent warning:

“The vulnerability allows attackers to disclose sensitive information without authentication. This allows authenticated sessions to be hijacked and multifactor authentication (MFA) or other means of authentication to be bypassed”.

The vulnerability, which has been actively exploited since the end of August, has been reported in numerous media outlets. Users should install the patches provided by Citrix as soon as possible. Citrix’s NetScaler ADC and NetScaler Gateway products, versions 13 and 14, and versions 12 and 13 of NetScaler ADC are affected. In addition to CVE-2023-4966, an advisory has been issued for CVE-2023-4967, which allows a Denial of Service (DoS).

Keep your IT networks secure!

Vulnerability management is a key tool in securing IT networks. It enables you to identify and eliminate potential risks in your systems. The Greenbone Enterprise Feed is updated daily to detect new vulnerabilities. Therefore, we recommend regular updates and scans for all your systems. Please also read this article about IT security and the timeline of common attack vectors.

The Greenbone Enterprise Appliances are offered as hardware or as virtual appliances. Greenbone works GDPR-compliant and offers an open-source solution. This means the best data protection compliance and is thus guaranteed to be completely free of backdoors.


Contact Free Trial Buy Here Back to Overview

/by
Markus Feilner

“Vulnerability management is becoming increasingly important” – Greenbone CEO Dr. Jan-Oliver Wagner at PITS Congress

Every year, IT and cyber security experts from public authorities, federal, state and local governments as well as the armed forces, police and intelligence services meet for the cyber security congress “Public IT Security” (PITS), initiated by Behoerdenspiegel. In 2023, the topic of vulnerabilities was once again at the top of the agenda.

This year, our CEO Dr. Jan-Oliver Wagner was invited as an expert to take part in the panel discussion “Putting a finger on a wound – managing or closing vulnerabilities?” Moderated by Katharina Sook Hee Koch from the Federal Office for Information Security (BSI), the panel included representatives from the German Informatics Society (Nikolas Becker, Head of Policy & Science), the Bundestag Committee on Digital Affairs (MdB Catarina dos Santos-Wintz, CDU/CSU), the BSI itself (Dr. Dirk Häger, Head of Department Operative Cyber Security) for an exchange of views. Dirk Kunze from the North Rhine-Westphalia State Criminal Police Office (Head of the Cybercrime/Cyber Investigations Department in the Research and Investigation Centre) was present on behalf of the executive.

Panel discussion at the cyber security congress PITS 2023 with Greenbone CEO Dr. Jan-Oliver Wagner and representatives of the BSI, Bundestag, LKA NRW and Gesellschaft für Informatik on the topic of vulnerability management.

from left: Catarina dos Santos-Wintz, Dirk Kunze, Katharina Sook Hee Koch, Dr. Dirk Häger, Dr. Jan Oliver Wagner, Nikolas Becker (Photo: Greenbone AG)

Should vulnerabilities be closed? By all means!

The debate quickly centered on the question of whether and how (quickly) vulnerabilities in software should be closed and/or whether this would impair the work of investigative authorities. There was great unanimity among those present that the security of citizens had the highest priority. Keeping vulnerabilities open, even for political reasons, is hardly an option, both for cost reasons (exploits are expensive) and in risk assessment.

On the contrary, open-source software should be strengthened and more rewards (bug bounties) should be offered to experts who actively search for vulnerabilities. The BSI is also firmly convinced: “Basically, vulnerabilities must be closed.” (Häger). In criminal practice, the topic apparently plays a subordinate role anyway: the police, according to the LKA in North Rhine-Westphalia, know of only a few cases where it could have helped to keep vulnerabilities open. However, open vulnerabilities are still seen as a possible element for investigations. But of course, the decision of the politicians will be followed.

Dr. Jan-Oliver Wagner: “Vulnerability management is becoming increasingly important!”

Greenbone CEO Wagner warns that the number of open vulnerabilities will increase rather than decrease in the coming years. This is despite the fact that good progress is being made with regard to security in software development. However, the regulations and thus the pressure on companies by the legislator are also becoming stricter – not necessarily a bad thing, but it does create a need for action: “The upcoming Common Security Advisory Framework (CSAF 2.0) and the EU’s Cyber Resilience Act (CRA), will significantly increase the number of known vulnerabilities.”

The CSAF makes it easier for manufacturers to report vulnerabilities, while the Cyber Resilience Act also brings responsibility to the hoover manufacturer, i.e. to all parts of the economy. If you don’t want to lose track of this, you need vulnerability management like Greenbone’s, explains Wagner. “Upcoming regulations bring the issue of vulnerabilities into all parts of the economy, as now every manufacturer is responsible for the security of the devices and their software, including, for example, manufacturers for hoover robots or other smart household appliances – For the entire life of the product!”

Vulnerability management is risk management

Vulnerability management today is pure risk management for the professional user, as it is already practiced in insurance companies – decisions are made about which vulnerabilities need to be closed and which can or must wait (triage).

This is exactly where our vulnerability management products come in – as a hardware or as a virtual appliance. Greenbone develops an open source vulnerability management and allows users to detect vulnerabilities in their own network infrastructure within a few steps. Our products generate reports with concrete instructions for action that you can implement immediately.

We work strictly according GDPR Compliance and offer an open source solution. This means best data protection compliance and is thus guaranteed free of backdoors.


Contact Free Trial Buy Here Back to Overview

/by
Markus Feilner

Federal, state and EU governments invest millions in cybersecurity funding

Starting in 2024, the EU plans to spend one billion euros on the “Cybersolidarity Act”, and North Rhine-Westphalia is funding institutions that invest in IT security and hazard prevention with more than 70 million euros: Anyone who has not yet put the topic of vulnerability management on their agenda should do so as soon as possible – and take advantage of the funding that has been made available.

Visual representation of digital map with text: "300 million for crisis management in North Rhine-Westphalia", highlighting regional cybersecurity funding.

The EU will invest massively in vulnerability management: According to a DPA report, the Commission wants to “establish national and cross-border security centres across the EU” that will use artificial intelligence (AI) and data analysis to detect and report cyber threats and incidents in a timely manner.”
A “European Cybersolidarity Act” is to be, achieved to “strengthen the EU’s capabilities for effective operational cooperation, solidarity and resilience”, concretely this means “creating a secure digital environment for citizens and businesses and protecting critical facilities and essential services such as hospitals and public utilities.”

Concrete plans

The law provides for a cyber emergency mechanism, preparedness measures, the creation of a new EU cyber security reserve and financial support for mutual administrative assistance, as well as the creation of an “EU Cyber Security Skills Academy” (on the EU’s Digital Skills & Jobs platform). Two thirds of the 1.1 billion will be financed through the “Digital Europe” programme.

70 million in funding from NRW

However, the increasing attacks on critical infrastructures, authorities and companies are not leaving the governments of the federal states idle. The federal state of North Rhine-Westphalia, for example, is setting a good example: the black-green state government under Science Minister Brandes (CDU) is now concretely offering to support day-care centres, schools and universities not only with energy prices, but also with 77 million euros in cybersecurity in the same package. According to dpa, this includes many different aspects, from IT systems such as firewalls or two-factor authentication to emergency power generators and locking systems, but also “more personnel” in the field of cybersecurity. Existing funding pots for IT security, for example digital-sicher.nrw, remain unaffected.

Funding from the federal government and other states

The federal government is also currently providing support for security-conscious entrepreneurs and managers: the BMWK is currently setting up a transfer office for IT security in the economy, whose funding office is to provide targeted support for small and medium-sized enterprises. In Bavaria, which is dominated by the election campaign, information can be found at Bayern Innovativ or at the IT Security Cluster. Hesse boasts of offering a “nationwide unique support for small and medium-sized enterprises against cyber attacks”, and in Baden-Württemberg, they not only support AI cybersecurity projects, but in January they also launched half a million euros in funding for SMEs that want to invest in cybersecurity.

Greenbone’ support for cybersecurity

We at Greenbone have created a solution with the Greenbone Enterprise Appliances that closes this gap and ensures cybersecurity. Potential vulnerabilities are found before they are exploited. The vast majority of vulnerabilities that lead to damage in IT infrastructures are not new, but have been known for more than a year. What is often missing are solutions that offer active security by detecting such vulnerabilities before they are exploited by attackers, prioritising them and making suggestions for their elimination. This is exactly what Greenbone has been doing very successfully for over 10 years.

The Greenbone Enterprise Appliances offer solutions for different needs, adaptable to the individual company size in the form of a hardware solution or as a virtual solution. In addition, the package includes an all-round service from support with the application for funding and implementation to data analysis and remediation of vulnerabilities. Find out more about Greenbone’s cybersecurity here.


Contact Free Trial Buy Here Back to Overview

/by
Markus Feilner

Greenbone tests your web applications

Reduce the risk of an attack from the internet on your servers: Take advantage of Greenbone’s latest offer: With our Pentesting Web Applications, we help you to get the best possible security for your web applications.

The numbers speak for themselves: attacks on web applications are on the rise, have been for years, and there is no end in sight. The complexity of modern web presences and services requires a high level of security measures and cannot be managed without testing by experts.

The only thing that helps here is the technique of so-called “pentesting” of web applications, or more precisely “web application penetration testing”. With this attempt to penetrate protected systems from the outside (“penetration”), Greenbone’s experts create an active analysis of vulnerabilities and can thus evaluate the security of a web application. Although there are guidelines such as the highly recommended one from the German Federal Office for Information Security (BSI), which describes the procedure for testing, nothing can replace the expert who puts your system under the microscope himself. In this video you will get a first impression of the work of our security experts. 

Greenbone acts strictly according to the regulations of the DSGVO, is certified according to ISO 27001/9001. As with its vulnerability management products, with the web application pentests you also receive detailed reports on your security situation with clear instructions for action, which the Greenbone experts are happy to help you implement. The offer covers both the client and server side of your web applications and is based on the most modern and up-to-date guidelines, for example the OWASP Top 10 or the OWASP Risk Assessment Framework (RAF). Whether it is cross-site scripting (XSS), SQL injection, information disclosure or command injection, whether there are gaps in the authentication mechanisms of your servers or websockets are the source of danger – Greenbone’s experts will find the vulnerabilities.

As the world’s leading provider of open source vulnerability management products, Greenbone always has the latest expertise in dealing with vulnerabilities and security risks, including here in “black box testing”, when our experts take a close look at your systems from the outside, just as an attacker would: with the perspective of a potential attacker, you will ideally find every existing vulnerability in your IT infrastructure and can take care of fixing them. Only those who know their vulnerabilities can implement security measures in a targeted manner. Find out more about Greenbone AG’s products and services here.

Contact Free Trial Buy Here Back to Overview

/by
Markus Feilner

Greenbone launches new Community Portal

Greenbone, the global leader in open source vulnerability management solutions, has launched a community portal for its user and developer community, making the extensive information available for community editions clearer and easier to access.

Graphic with rocket and the welcome to the new Greenbone Community Portal

Who is the portal for?

At community.greenbone.net, vulnerability management experts invite users, developers and all IT professionals who are professionally involved in security and protection against hackers to browse forums, blogs, news and documentation and help shape the pages.

Central point of contact
“Our new Community Portal is the central place where users, experts, Greenbone employees and anyone else interested can meet and get up-to-the-minute information about the products, the company or new features,” explains Greenbone’s Community Manager DeeAnn Little: “We want the portal to be a home for the large, worldwide Greenbone community, with all the links and information anyone who works with our vulnerability management tools needs.”

What the new portal offers
For both Greenbone OpenVAS and the Greenbone Community Edition, you can find (under “Getting started“) numerous instructions on how to install and configure the community versions. In addition, there are news and updates, for example about the recently released Docker container releases of the Community Edition but also current figures about Greenbone installations on a world map and a completely revised forum with new categories and Blog.

For the community, with the community
“All this would not be possible without the numerous contributions from the Greenbone community, but at the same time this is only the first step,” explains Little: “In the future, we will also have our experts explain technical details and present new features here.

Greenbone invites the large community to give input and suggestions which topics are of relevance and interest for them Little explains:

“We welcome all input and all suggestions, ideas and ideas for improvement, which is exactly what the portal is here for. Send us your questions, any questions! What have we missed? What would you like to see? How can we make the portal, the forum and the new pages even better? What topics would you like to see – what should we report on?” You can leave your statement here, we will be glad to reveive it.

Greenbone Community Forum in a new look

Greenbone has also integrated the popular User Forum into the Community Portal. With the new look, it will continue to provide users of Greenbone’s software – regardless of their technical background – with a platform for ideas, mutual help, but also feedback.

Screenshot of the new Greenbone Community Forum with categories and current discussions

“The forum is a place where users can meet and help each other as equals – it’s a place of exchange where we can always learn, too,” Little explains. “Whether it’s a beginner’s question, more in-depth howtos, or getting started guides, many a user will find help from experienced users in the forum, even in exotic setups.”


Contact Free Trial Buy Here Back to Overview

/by
Greenbone AG

More than 100,000 Vulnerability Tests in the Greenbone Security Feed

The goal of vulnerability management is to detect all security gaps in an IT network before an attacker does so. The Greenbone Security Feed (GSF) provides the vulnerability tests (VTs) that the scanner of the Greenbone solutions performs for this purpose. As a component of the Greenbone Security Manager (GSM) and the Greenbone Cloud Services (GCS), it is updated daily and provides protection against major and well-known vulnerabilities such as SUPERNOVA, BlueKeep and PrintNightmare.
We are happy to announce that the success story is growing steadily and that since this month our Greenbone Security Feed contains more than 100,000 vulnerability tests!

Let’s take a look at the history of the feed.

In 2005, the development of the Nessus vulnerability scanner decided to stop working under open source licenses and switch to a proprietary business model. By that time, members from Intevation and DN-Systems – the two companies that would later found Greenbone – were already contributing developments to Nessus. In 2006, several forks of Nessus were created in response to the discontinuation of the open source solution. Of these forks, only one remains active: OpenVAS, the Open Vulnerability Assessment System.

In late 2008, Greenbone was formed to push OpenVAS. In the same year, two other companies became active: Secpod from India and Security Space from Canada. Both focused on providing vulnerability testing and partnered with Greenbone to create a reliable and up-to-date feed of vulnerability tests.

This started with the removal of source code and vulnerability tests where the license was unclear or incompatible. Several thousand vulnerability tests were eliminated to get a clean baseline with just under 3000 vulnerability tests at the time.

Shortly after, the content of the feed grew rapidly and steadily to over 10,000 vulnerability tests. 50,000 tests were then contained in the feed after about 8 years of development in 2016. The next 50,000 followed after only 5 more years and represent the current state with more than 100,000 vulnerability tests.

Number of VTs over time

Number of VTs over time

How Is the Feed Composed Anyway?

It is also interesting to see how these 100,000 vulnerability tests in the feed are put together. In our SecInfo Portal, you can easily take a look at all the included tests yourself.

About half of the tests detect vulnerabilities with a high severity class – i.e., with a severity between 7.0 and 10.0. Another 40,000 tests such with the severity class “Medium” (severity 4.0 to 6.9).

Distribution of the more than 100,000 vulnerability tests among the severity classes

Distribution of VTs by severity class

Vulnerabilities for the same area are grouped into families. Among the largest families of vulnerability tests are mainly those for local security checks, i.e., authenticated scans. In these, the target is scanned both from the outside via the network and from the inside using a valid usage login. Thus, more details about vulnerabilities can be found on the scanned system. Vulnerability tests for such authenticated scans already account for over 60,000 tests. The largest VT families with a total of almost 30,000 vulnerability tests are “Fedora Local Security Checks” and “SuSE Local Security Checks”.

Number of VTs in the top 10 VT Families

Number of VTs in the top 10 VT Families

Globally Known Vulnerabilities Are also Covered

The general public is unaware of many vulnerabilities. But every now and then, particularly significant and spectacular cyber attacks make it into the media – especially when many large companies or governments are affected.

Greenbone reacts immediately when such incidents become known and starts developing a corresponding vulnerability test. Such notable vulnerabilities in recent years include Heartbleed (2014), POODLE (2014), DROWN (2016), Meltdown (2018), Spectre (2018), BlueKeep (2019) and PrintNightmare (2021). Most people probably also particularly remember the Solarwinds attack in 2019 and 2020. The attackers had exploited a previously unknown vulnerability to inject the malicious webshell “SUPERNOVA”.
All of these vulnerabilities can be detected via tests in the Greenbone Security Feed.

In the future, we will continue to work on expanding the scope of our feed to provide users with the opportunity to detect vulnerabilities at an early stage and not give attacks a chance. So with our solutions constantly updated to cover the latest and most critical vulnerabilities, you can relax. The next 100,000 vulnerability tests will follow – stay tuned!


Contact Free Trial Buy Here Back to Overview

/by
Greenbone AG

Vulnerability Management in the Water Sector

The water sector is one of the critical infrastructures (CRITIS). A successful attack on the sector can lead to significant hygiene and health problems and, in the worst case, threaten human lives. At the 6th VDI conference on “Optimizing Industrial Wastewater Treatment Plants”, Greenbone will provide information on vulnerability management in the water sector and how the attack surface of IT infrastructures can be reduced by early detection and elimination of vulnerabilities.

View of an industrial control system (ICS)

Everything Fine Thanks to Digitization? Digitization is seen as the savior of the hour. Even if this may be viewed critically at times, this development cannot be stopped. There are simply too many reasons in favor of digitization. But there are also many reasons that we need to take a critical look at, especially where our security is concerned. The more information technology we put in place, the more digitized attack surfaces we offer. Malicious users of these attack surfaces can operate globally, and likewise digitized currencies like Bitcoin allow them to profit from vulnerabilities globally as well. Unlike a bank robbery, an attack on an industrial wastewater facility is more of a a means to an end. The attacker does not want the contents of a safe, but rather targets the vulnerability as such in order to gain advantages, usually through blackmail. Not only technical systems themselves are attacked, but often also the technical and organizational environment from networks to administration. These attackers are not hackers with hoodies and matrix screen savers who just happen to have emergency on their account, but criminal organizations that are industrially and professionally organized. We must arm ourselves against them with resilient organizations, processes and solutions. This brings the topic of cyber resilience more and more to our attention. Cyber resilience is the ability of a company or organization to maintain its business processes despite adverse cyber circumstances. These can be cyber attacks, but also unintentional obstacles such as a failed software update or human error. Cyber resilience is a comprehensive concept that goes beyond IT security. It combines the areas of information security, business continuity, and organizational resilience. To achieve a state of cyber resilience, it is important to identify vulnerabilities early, prioritize them economically, and eliminate them. Infographic showing the cyclical process of vulnerability management with the steps: prepare, identify, classify, prioritize, assign, mitigate and remediate, store and repeat, improve. Why Cyber Resilience Is Particularly Important for Critical Infrastructures Sustainable cyber resilience is important for companies in all industries. But it is indispensable in the area of critical infrastructure (CRITIS). As defined by the German government, this includes “organizations or facilities of critical importance to the state community, the failure or impairment of which would result in sustained supply shortages, significant disruptions to public safety, or other dramatic consequences.” CRITIS organizations must therefore protect themselves particularly well against cyber attacks – this is required by law. The EU launched the European Programme for Critical Infrastructure Protection (EPCIP) back in 2006 and expanded and supplemented it in subsequent years. Member states are implementing the EU NIS directive in national law, Germany for instance with the IT Security Act (IT-SIG). Large economic nations have already developed regulatory bodies. In the U.S., for example, this is the National Institute of Standards and Technology (NIST) and in Germany the Federal Office for Information Security (BSI). In Germany, the critical infrastructures are divided into 9 sectors. One of these is the water sector with the divisions of public water supply and wastewater disposal. It includes, for example, waterworks, pumping stations, water pipelines and networks, wastewater treatment plants, the sewerage system, and dam and flood protection facilities. They all play a critical role in our society. Attacks on the water supply could therefore hit a society to the core and, in the worst case, threaten human lives. Attacks on the wastewater disposal system are just as dangerous. If it no longer functions, the result would be considerable hygienic and health problems. Since the water infrastructure uses many IT systems and electronic control systems (ICS) nowadays, it becomes an attractive target for hackers. Incidents Show the Vulnerability of the Water Sector In recent years, there have been numerous attacks on water infrastructures worldwide. Fortunately, there have been no serious consequences so far. However, the attacks show that hackers are exploring how to take control of control systems and prepare further attacks. In 2013, for example, Iranian hackers attempted to penetrate the systems of the Bowman Avenue Dam near the town of Rye Brooke, near New York. The dam is used to control the flow of water after heavy rains and prevent flooding of the town. The hackers managed to gain control over the flood gates’ control system. However, as these were currently offline due to maintenance, the cyber criminals were fortunately unable to cause any damage. In March 2016, security specialist Verizon reported a cyber attack on a U.S. water utility known by the pseudonym Kemuri Water Company in its monthly Security Breach Report. Hackers had penetrated the SCADA platform. This allowed them to manipulate programmable logic controllers. They changed settings on the water flow and the amount of chemicals added for water treatment. Fortunately, the water utility quickly discovered the incident and was able to correct the settings without causing any major damage. For their attack, the hackers exploited an unpatched vulnerability in the customer payment portal. Between November 2016 and January 2017, cyber criminals hacked several wireless routers at a U.S. water agency. The routers were used to provide secure wireless access for pump station monitoring. Fortunately, however, the attackers were not looking to sabotage, but were targeting the agency’s Internet resources. Their bill rose from an average of $ 300 per month to a whopping $ 45,000 in December and $ 53,000 in January. For their attack, the hackers exploited a vulnerability in the routers of the manufacturer Sixnet. According to its own information, Sixnet had already made a patch available in May, but the authority had not installed it. Over the past year, Israel has been the victim of multiple cyber attacks on water supply and treatment facilities. In April, hackers undertook a major cyber attack on control and monitoring systems at wastewater treatment plants, pumping stations and sewers, the Israeli National Cyber Directorate (INCD) said in a statement. The INCD then demanded companies in the water sector to change passwords for all systems connected to the Internet-connected systems and to ensure that control system software is up-to-date. The hackers attempted to change the chlorine content of water at a water treatment plant. The attack was not successful. Had it been, it could have resulted in mild intoxication of the population served by the treatment plant. Back in June, there were two more attacks on Israel’s water facilities. This time, agricultural water pumps were affected. Although there has not yet been a comparable incident in Germany, the Federal Office for Information Security (BSI) reports about the implementation of the necessary organizational and technical precautions to prevent disruptions in its current report on the state of IT security in Germany. In the water sector, this reveals deficiencies in the areas of network separation, emergency management and physical security. In the reporting period from June 2019 to May 2020, there were several incidents in the water sector in Germany that were due to faults in control components. Remediation of the malfunctions was very lengthy and costly. Damage was avoided by operators acting prudently and having redundancies in place. Attack Points in the Water Sector IT and OT systems support the water cycle. In water production (1), quality control systems and digital pump control are used to manage water inflow from various sources towards water distribution (2). Digital metering and control methods monitor water pressure and quality in the water network and are thus part of the overall IT attack surface. In sewage systems (3), wastewater pumps and pre-treatments by filters, which are monitored at central points, are used. Water treatment (4) is a critical component due to the necessary digitalized control of physical, chemical and biological processes. Schematic representation of the water cycle with four stages: water production, water distribution, water disposal, and water treatment. Many networked IT systems and industrial control systems are therefore used in drinking water supply and wastewater disposal, enabling largely automated processes. Examples include sensors for temperature, flow rate, or chlorine content, remotely readable meters, and web portals and mobile apps for customers. Challenges for Cyber Resilience in the Water Sector To reduce their attack surface for cyber criminals, water sector organizations must consider the full range of networked systems, devices and applications. But this is not always easy. One problem is that the ICSs used in the water infrastructure come from different generations. Many of the older control systems were developed at a time when little or no consideration was given to cyber security. This leads to a heterogeneous, vulnerable IT landscape. Additionally, the high degree of automation and dependence on industrial controls makes water infrastructure particularly vulnerable to attack. Furthermore, the IT systems in use are becoming increasingly complex. This makes it difficult for companies to achieve a sufficient level of protection. The increasing networking of components within the field and control level as well as the control and process control technology increases the complexity even further.  At the same time, this increases the attack surface for hackers. They have more and more opportunities to penetrate networks, steal data or manipulate industrial controls. Even Previously Unexploited Vulnerabilities Should Not Be Underestimated A recent study by Kenna Security found that the total number of vulnerabilities discovered per year has increased from 4,100 in 2011 to 17,500 in 2021. On the other hand, the percentage of vulnerabilities exploited by hackers has not grown at the same rate. What is the reason for this? Cyber crime follows the same economic rules as any other business model: least investment for maximum result. But cyber crime also suffers from the same problem as the IT industry in general: experts are a limited resource. Companies cannot change this initial situation, but they can ensure that their attack surface is reduced. Tolerating a large attack surface, even if the vulnerabilities are not yet weaponized, is replacing control with gambling. As soon as it seems cheaper for cyber criminals or the outcome is promising, cyber crime will focus on vulnerabilities that are not yet weaponized, and the conversion of vulnerabilities into weapons will happen quickly. Even worse is the motivation of cyber terrorists, who have so far been fortunately unsuccessful due to a lack of expertise. It is unclear whether they will gain the necessary skills and if so, when. But they do not follow the rules of economics, which makes them less predictable in selecting targets and suitable weaponized vulnerabilities. In essence, there are two good general reasons why organizations should establish a process to manage and minimize their entire attack surface and not just focus on current (or likely) weaponizable vulnerabilities:

  • Pandemic risk: while it may not be attractive for a single criminal organization to invest in turning a more expensive vulnerability into a weapon, the more organizations choose not to do anything about that vulnerability, the more interesting it becomes. The fewer that are vaccinated, the better the pandemic spreads.
  • Automation risk: automating exploits is not only an attractive, cost-effective way to go. It significantly reduces the window of opportunity to respond with countermeasures.

Reduced Attack Surface with Vulnerability Management Regardless of how many vulnerabilities exist, managing damage and actively countering ongoing attacks becomes exponentially expensive for organizations if not accompanied by an ongoing process that identifies, manages and reduces the attack surface. Cyber resilience is a continuous process. It strengthens an organization’s ability to withstand an attack and enables it to continue to function during an attack. To achieve this, it is important to reduce the attack surface and thus stabilize the base. This means identifying vulnerabilities that could be exploited by an attacker and thus staying one step ahead of the attacker. 999 out of 1,000 vulnerabilities have been known for over a year. With vulnerability management, this means that these vulnerabilities can be identified and eliminated before they are exploited by an attacker. This greatly reduces the attack surface of the IT infrastructure. Vulnerability management systems are fully automated and, thanks to features such as schedules and custom scan configurations, offer users the ability to create complete vulnerability management processes that constantly scan for vulnerabilities. As a result, vulnerability management ensures more resilient systems in the long term.

Contact Free Trial Buy Here Back to Overview

/by