Every product has a due date, but customers often have little warning and no recourse when a vendor decides to sunset a product. Once a vendor designates a product as end-of-life (EOL) or end-of-service (EOS), managing associated risks becomes more complex. Risk is magnified when cyber criminals find and exploit vulnerabilities that will never be patched. If an EOL product becomes vulnerable in the future, its users need to implement additional security controls on their own.

Digital illustration of storm clouds and a trash bin with a router symbol, representing end-of-life IT products and increasing ransomware risks.

If the vendor is found to be still selling these vulnerable EOL products, it may be considered the “perfect storm” or the maximum disaster. In this article we will investigate several security alerts for Zyxel products including some designated EOL and another flaw exploited in ransomware attacks.

An Overview of Recent Vulnerabilities in Zyxel Products

CVE-2024-40891 (CVSS 8.8), a high severity Remote Code Execution (RCE) flaw in Zyxel’s telnet implementation, has been known since mid-2024. Yet, almost six months later, Zyxel has not issued a patch, claiming the affected products are EOS and EOL. Early in 2025, GreyNoise observed active exploitation of CVE-2024-40891 against vulnerable Zyxel CPE networking devices. That CVE (Common Vulnerabilities and Exposures) and another RCE flaw, CVE-2024-40890 (CVSS 8.8), were both added to the Known Exploited Vulnerabilities (KEV) list of CISA (Cybersecurity and Infrastructure Security Agency) by mid-February. While both CVEs were post-authentication RCE flaws, a third security gap, CVE-2025-0890 (CVSS 9.8), published on February 4th, provided the final piece of the puzzle: extremely weak default credentials for remotely accessible services, on top of an already unencrypted Telnet authentication process.

Researchers at VulnCheck who originally discovered the flaws also pointed out that the vendor continues to sell the faulty devices despite being aware of active exploitation and having no intention to issue patches. As of February 25th, 2025, some of the affected products were still being sold from Zyxel’s official Amazon store [1][2]. On top of these, another vulnerability in Zyxel products, CVE-2024-11667, is being actively exploited in ransomware attacks by the Helldown threat actor.

In the telecom technologies sector, Zyxel holds an estimated market share of 4.19%, serving around 2,277 companies including the world’s biggest tech giants. Zyxel Group, headquartered in Hsinchu Science Park, Taiwan, is a prominent provider of networking solutions for both businesses and home users, operating globally in over 150 countries.

A Timeline of Events

  • 2024-07-13: VulnCheck notified Zyxel about vulnerabilities in CPE series products.
  • 2024-07-31: VulnCheck published information about CVE-2024-40890 and CVE-2024-40891 on their blog.
  • 2025-01-28: Active exploitation of CVE-2024-40891 was reported by GreyNoise.
  • 2025-02-03: VulnCheck released further information highlighting the risk presented by Zyxel’s position and providing evidence that vulnerable devices were still being sold online by the vendor.
  • 2025-02-04: Zyxel released a security advisory labelling affected products as EOL and stating they will not receive updates.

Technical Descriptions of Recent Zyxel Vulnerabilities

Aside from Zyxel’s slow response to security researchers and their decision to continue selling EOL products with exploitable vulnerabilities, there are additional lessons to learn from a technical assessment of the flaws themselves. Namely, how product vendors continue to market products with unforgivable security flaws while skirting accountability.

  • CVE-2024-40891 (CVSS 8.8 High): Authenticated users can exploit Telnet command injection due to improper input validation in `libcms_cli.so`. Commands are passed unchecked to a shell execution function, allowing arbitrary RCE. Aside from checking that the command string starts with an approved command, the `prctl_runCommandInShellWithTimeout` function has no filtering, allowing command chaining and arbitrary command injection.
  • CVE-2024-40890 (CVSS 8.8 High): A post-authentication command injection vulnerability in the CGI program of the legacy DSL Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request.
  • CVE-2025-0890 (CVSS 9.8 Critical): Devices use weak default credentials such as the username and password pairs admin:1234, zyuser:1234 and supervisor:zyad1234. None of these accounts are visible via the web interface, but they can be found in the device’s `/etc/default.cfg`. These default credentials are now well-known to attackers. The “supervisor” and “zyuser” accounts can both access devices remotely via Telnet. “supervisor” has hidden privileges granting full system access, while “zyuser” can still exploit CVE-2024-40891 for RCE. Use of such default credentials violates CISA’s Secure by Design pledge and the EU’s upcoming Cyber Resilience Act (CRA).
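The prefix-only check described for CVE-2024-40891 is worth contrasting with a proper allowlist. The following added example, written for this article and not taken from Zyxel’s firmware or from `libcms_cli.so`, reproduces the weak pattern (accept any string that merely starts with an approved command) next to a hardened validator that rejects shell metacharacters, tokenizes the input and checks every argument before anything is executed. The allowed commands, the argument patterns and the sample inputs are constructed for the example.

```python
import re
import shlex

# Constructed allowlist for this example (not Zyxel's CLI table):
# command name -> pattern that every argument must match in full.
HOST_ARG = re.compile(r"^[A-Za-z0-9.\-]+$")   # hostname or dotted IPv4 literal
ALLOWED_COMMANDS = {
    "ping": HOST_ARG,
    "traceroute": HOST_ARG,
}

# Characters that let a string reach a shell as more than one command.
SHELL_METACHARACTERS = set(";|&`$()<>{}\n\r\\\"'")


def prefix_check(command: str) -> bool:
    """The weak pattern described for CVE-2024-40891: the whole string is
    accepted as long as it *starts with* an approved command name. Everything
    after the name, including chained commands, is never looked at."""
    return any(command == name or command.startswith(name + " ")
               for name in ALLOWED_COMMANDS)


def strict_check(command: str) -> bool:
    """Hardened validator: refuse shell metacharacters outright, split the
    string into argv, require an allowlisted command name and a matching
    argument in every position. A caller that passes this check should then
    run the argv list directly (e.g. subprocess.run(argv) without a shell),
    so no shell is left for residual input to reach."""
    if not command or any(ch in SHELL_METACHARACTERS for ch in command):
        return False
    try:
        argv = shlex.split(command)
    except ValueError:
        return False
    if len(argv) < 2 or argv[0] not in ALLOWED_COMMANDS:
        return False
    arg_pattern = ALLOWED_COMMANDS[argv[0]]
    return all(arg_pattern.fullmatch(arg) for arg in argv[1:])


def compare(samples):
    """Return {input: (prefix_check result, strict_check result)}."""
    return {s: (prefix_check(s), strict_check(s)) for s in samples}


# Constructed inputs: one legitimate diagnostic command, then the kinds of
# chaining and substitution a prefix check lets through unexamined.
SAMPLES = [
    "ping 192.0.2.10",
    "ping 192.0.2.10; id",
    "ping $(id)",
    "ping 192.0.2.10 | tee /tmp/x",
    "reboot",
    "ping",
]

if __name__ == "__main__":
    for sample, (weak, strict) in compare(SAMPLES).items():
        print(f"{sample!r:38} prefix_check={weak!s:5} strict_check={strict}")
```

The second half of the fix is not visible in the validator: the validated argv must be handed to an exec-style API, never re-joined into a string for a shell, or the metacharacter filter becomes the only line of defence.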

The affected products include Zyxel VMG1312-B Series (VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A) and two Zyxel Business Gateway Series routers (SBG3300, and SBG3500). The Zyxel CPE (Customer Premises Equipment) series devices are designed for home and small business internet connectivity, such as DSL, fiber and wireless gateways. As such, they are typically installed at a customer’s location to connect them to an Internet Service Provider’s (ISP) network and are therefore not easily protected from the Internet by firewalls. Considering the nature of Zyxel CPE devices and the vulnerabilities in question, it would not be surprising if tens of thousands or more Zyxel devices were participating in malicious botnet activity.

Greenbone is able to detect EOL Zyxel devices that are vulnerable to the aforementioned CVEs.

CVE-2024-11667: Zyxel Firewalls Exploited in Ransomware Attacks

CVE-2024-11667 (CVSS 9.8 Critical), published in late December 2024, is a path traversal flaw [CWE-22] in the web-management console of Zyxel ATP and USG FLEX firewall series. The vulnerability is known to be exploited by the Helldown threat actor in ransomware attacks and the subject of several national cybersecurity advisories [1][2].

The Helldown ransomware group emerged in August 2024 as a notable threat actor in the cybersecurity landscape. This group employs a double extortion strategy, wherein they exfiltrate sensitive data from targeted organizations and subsequently deploy ransomware to encrypt the victims’ systems. If the ransom demands are not met, Helldown threatens to publicly release the stolen data on their data leak site. In addition to exploiting these Zyxel flaws, Helldown is known to exploit Windows OS vulnerabilities, VMware ESX, and Linux environments, often using compromised VPN credentials to move laterally within networks.

Zyxel has released an advisory acknowledging the ransomware attacks and patches for affected products. Greenbone is able to detect Zyxel products affected by CVE-2024-11667 with three separate product specific version detection tests [1][2][3].

Summary

The situation with Zyxel seems to be a perfect storm leading to an important question: What recourse do customers have when a vendor fails to patch a security gap in their product? Zyxel’s EOL networking devices remain actively exploited, with vulnerabilities that can be combined for unauthorized arbitrary RCE and other unauthorized actions. CVE-2024-40891, CVE-2024-40890, and CVE-2025-0890 are now in CISA’s KEV list, while CVE-2024-11667 has been linked to ransomware attacks. The researchers from VulnCheck, who discovered several of these CVEs, have criticized Zyxel for poor communication and further for selling unpatched EOL devices. Greenbone detects affected products enabling a proactive approach to vulnerability management and the opportunity for users to mitigate exposure.

Trimble Cityworks, an enterprise asset management (EAM) and public works management software, is actively under attack. The campaign began with an unknown (zero-day) vulnerability, which is now tracked as CVE-2025-0994 with a CVSS score of 8.6. The vulnerability is a deserialization flaw [CWE-502] that could allow an authenticated attacker to execute arbitrary code remotely (Remote Code Execution; RCE). Greenbone includes detection for CVE-2025-0994 in the Enterprise Feed.

Active exploitation of CVE-2025-0994 is a real and present danger. Trimble has released a statement acknowledging the attacks against their product. Thanks to the vendor’s transparency, CISA (Cybersecurity and Infrastructure Security Agency) has added CVE-2025-0994 to their catalog of Known Exploited Vulnerabilities (KEV), published an ICS advisory as well as a CSAF 2.0 document. CSAF 2.0 advisories are machine readable advisory documents for decentralized sharing of cybersecurity intelligence.

Although many media reports and some threat platforms indicate that a public proof-of-concept (PoC) exists, the only search result for GitHub is simply a version detection test. This means it is less likely that low-skilled hackers will easily participate in attacks. The misinformation is likely due to poorly designed algorithms combined with lack of human oversight before publishing threat intelligence.

Who Is at Risk due to CVE-2025-0994?

Trimble Cityworks is designed for and used primarily by local governments and critical infrastructure providers including water and wastewater systems, energy, transportation systems, government industrial facilities and communications agencies. Cityworks enhances Geographic Information Systems (GIS) by integrating asset management and public works solutions directly with Esri ArcGIS. The software is meant to help organizations manage infrastructure, schedule maintenance and improve operational efficiency. In addition to CISA, several other government agencies have issued alerts regarding this vulnerability including the US Environment Protection Agency (EPA), the Canadian Centre for Cyber Security and New York State.

Trimble Cityworks has reported serving over 700 customers across North America, Europe, Australia and the Middle East in 2019. While specific numbers for municipal governments in the U.S., Canada and the EU are not publicly disclosed, a Shodan search and Censys map both reveal only about 100 publicly exposed instances of Cityworks. However, the application is considered to have a high adoption rate by local governments and utilities. If publicly exposed, CVE-2025-0994 could offer an attacker initial access [T1190]. For attackers who already have a foothold, the flaw is an opportunity for lateral movement [TA0008] and presents an easy mark for insider attacks.

A Technical Description of CVE-2025-0994

CVE-2025-0994 is a deserialization vulnerability [CWE-502] found in versions of Trimble Cityworks prior to 15.8.9 and Cityworks with Office Companion versions prior to 23.10. The vulnerability arises from the improper deserialization of untrusted serialized data, allowing an authenticated attacker to execute arbitrary code remotely on a target’s Microsoft Internet Information Services (IIS) web server.

Serialization is the process by which program objects are encoded for transfer between applications and later reconstructed into the in-memory form used by a programming language. When Trimble Cityworks processes serialized objects, it does not properly validate or sanitize untrusted input. This flaw allows an attacker with authenticated access to send specially crafted serialized objects, which can trigger arbitrary code execution on the underlying IIS server. Deserializing data from unauthenticated sources seems like a significant design flaw in itself, but failing to properly sanitize serialized data is especially poor security.
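The generic pattern behind CVE-2025-0994, and the fix for it, can be shown in any language with a native object serializer. This added example is not Trimble’s code: it uses Python’s pickle where Cityworks runs on .NET/IIS, and WorkOrder is a constructed record type. It contrasts an unrestricted loader, which resolves any class or function reference the stream names, with a loader that only resolves an explicit allowlist, and with a plain-data alternative that avoids object deserialization altogether.

```python
import io
import json
import os
import pickle
from dataclasses import dataclass


@dataclass
class WorkOrder:
    """Constructed record type standing in for an application object."""
    asset_id: int
    description: str


# Only these (module, name) pairs may be resolved while unpickling.
ALLOWED_GLOBALS = {(WorkOrder.__module__, "WorkOrder")}


class RestrictedUnpickler(pickle.Unpickler):
    """find_class() is the hook pickle calls for every class or function
    reference in the stream; refusing anything outside the allowlist stops a
    gadget chain before any object is constructed."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def unsafe_load(blob: bytes):
    """The pattern CVE-2025-0994 is an instance of: untrusted bytes go
    straight into a general-purpose deserializer that resolves any global."""
    return pickle.loads(blob)


def safe_load(blob: bytes):
    """Same stream, but only allowlisted types can be materialised."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def load_workorder_json(text: str) -> WorkOrder:
    """Preferable design: exchange plain data, validate its shape, and build
    the object yourself. No class references travel over the wire at all."""
    data = json.loads(text)
    if (set(data) != {"asset_id", "description"}
            or not isinstance(data["asset_id"], int)
            or not isinstance(data["description"], str)):
        raise ValueError("schema violation")
    return WorkOrder(data["asset_id"], data["description"])


def rejects_forbidden_global(blob: bytes) -> bool:
    """True if the restricted loader refuses the stream."""
    try:
        safe_load(blob)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed inputs. GOOD_BLOB is a legitimate serialized WorkOrder.
# BAD_BLOB is a serialized *reference* to os.system: loading it only yields
# the function object (nothing is called), but it is exactly the kind of
# global an unrestricted loader resolves without question.
GOOD_BLOB = pickle.dumps(WorkOrder(42, "replace valve"))
BAD_BLOB = pickle.dumps(os.system)

if __name__ == "__main__":
    print(safe_load(GOOD_BLOB))
    print(unsafe_load(BAD_BLOB))               # the resolved function object
    print(rejects_forbidden_global(BAD_BLOB))  # True
    print(load_workorder_json('{"asset_id": 7, "description": "inspect pump"}'))
```

The allowlist approach is a containment measure for code that must keep accepting a native serialization format; moving the interface to schema-validated plain data removes the class of bug entirely, which is why advisories for deserialization flaws usually recommend both patching and reviewing where serialized objects enter the application.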

Exploitation of CVE-2025-0994 could lead to:

  • Unauthorized access to sensitive data
  • Service disruption of critical infrastructure systems
  • Potential full system compromise of the affected IIS web server

Mitigating CVE-2025-0994 in Trimble Cityworks

Trimble has released patched versions of Cityworks that address the deserialization vulnerability. These patches include Cityworks 15.8.9 and Cityworks 23.10. On-premise users must immediately upgrade to the patched version, while Cityworks Online (CWOL) customers will receive these updates automatically.

Trimble noted that some on-premise deployments are running IIS with overprivileged identity permissions, which increases the attack surface. IIS should not have local or domain-level administrative privileges. Follow Trimble’s guidance in the latest Cityworks release notes to adjust IIS identity configurations properly.

Users of on-premises Trimble Cityworks should:

  • Update Cityworks 15.x versions to 15.8.9 and 23.x versions to 23.10.
  • Audit IIS identity permissions to ensure that they align with the principle of least privilege.
  • Limit the attachment directory root configuration to folders that contain only attachments.
  • Use a firewall to restrict IIS server access to trusted internal systems only.
  • Use a VPN to allow remote access to Cityworks rather than publicly exposing the service.

Summary

CVE-2025-0994 represents a serious security risk to Trimble Cityworks users, which largely comprise government and critical infrastructure environments. With active exploitation already observed, organizations must prioritize immediate patching and implement security hardening measures to mitigate the risk. Greenbone has added detection for CVE-2025-0994 to the Enterprise Feed, allowing customers to gain visibility into their exposure.

ITASEC, Italy’s most important conference for cyber security, takes place in Bologna from February 3 to 8, 2025. As a platinum sponsor, Greenbone is sending a strong signal for European cooperation and digital security. This step demonstrates our commitment to a global presence and direct customer interaction.

The “Due Torri”, two medieval towers, shape the image of the historic old town of Bologna. (Photo: Markus Feilner, CC-BY 2016)

New Perspectives in Italy and Worldwide

“At Greenbone, we are increasingly realizing how important our vulnerability management is for customers throughout Europe and how important it is for these customers to be able to communicate with us directly on site,” explains Chief Marketing Officer Elmar Geese. To meet this demand, Greenbone has established the Italian subsidiary OpenVAS S.R.L. At the same time, Greenbone is expanding into other regions. A new subsidiary in the Netherlands and an increased engagement in the Asian market are on the agenda.

We will not only be present at ITASEC with a booth, but will also contribute to the content: Dirk Boeing, Senior Consultant and cybersecurity expert at Greenbone, will speak on February 6th at 11:00 a.m. on the panel “Security Management in the NIS2 Era”.

Visit Us in Bologna!

The annual ITASEC takes place on the campus of the “Alma Mater Studiorum Università di Bologna”, the oldest university in Europe, which has been writing science history since 1088 – an ideal place for a conference dedicated to security in the digital future. The fair is organized by the CINI Cybersecurity National Lab, with a special focus in 2025 on the topic of security and rights in cyberspace. This is also reflected in the cooperation with the SERICS conference (Security and Rights in the Cyber Space), which is supported by the SERICS foundation as part of the almost 200 billion euro Italian “National Recovery and Resilience Plan” (NRRP).

ITASEC at the University of Bologna offers an excellent opportunity to experience Greenbone live and learn more about our solutions. And this is just the beginning: in 2025 we will be in Italy, for example, at CyberSec Italia in Rome on March 5 and 6. And from March 18 to 19, Greenbone will be at the “Digitaler Staat” congress in Berlin, and from March 19 at secIT in Hanover. We look forward to your visit!

In 2024, geopolitical instability, marked by conflicts in Ukraine and the Middle East, emphasized the need for stronger cybersecurity in both the public and private sector. China targeted U.S. defense, utilities, internet providers and transportation, while Russia launched coordinated cyberattacks on U.S. and European nations, seeking to influence public opinion and create discord among Western allies over the Ukrainian war. As 2024 ends, we can look back at a hectic cybersecurity landscape on the edge.

2024 marked another record-setting year for CVE (Common Vulnerabilities and Exposures) disclosures. Even if many are so-called “AI Slop” reports [1][2], the sheer volume of published vulnerabilities creates a big haystack. As IT security teams search for high-risk needles in an ever larger haystack, the chance that one is overlooked grows. 2024 was also a record year for ransomware payouts, in terms of both volume and size, and for Denial of Service (DoS) attacks.

It also saw the NIST NVD outage, which affected many organizations around the world including security providers. Greenbone’s CVE scanner is a CPE (Common Platform Enumeration) matching function and has been affected by the NIST NVD outage. However, Greenbone’s primary scanning engine, OpenVAS Scanner, is unaffected. OpenVAS actively interacts directly with services and applications, allowing Greenbone’s engineers to build reliable vulnerability tests using the details from initial CVE reports.

In 2025, fortune will favor organizations that are prepared. Attackers are weaponizing cyber-intelligence faster; average time-to-exploit (TTE) is mere days, even hours. The rise of AI will create new challenges for cybersecurity. Alongside these advancements, traditional threats remain critical for cloud security and software supply chains. Security analysts predict that fundamental networking devices such as VPN gateways, firewalls and other edge devices will continue to be a hot target in 2025.

In this edition of our monthly Threat Report, we review the most pressing vulnerabilities and active exploitation campaigns that emerged in December 2024.

Mitel MiCollab: Zero-Day to Actively Exploited in a Flash

Once vulnerabilities are published, attackers are jumping on them with increased speed. Some vulnerabilities have public proof of concept (PoC) exploit code within hours, leaving defenders with minimal reaction time. In early December, researchers at GreyNoise observed exploitation of Mitel MiCollab the same day that PoC code was published. Mitel MiCollab combines voice, video, messaging, presence and conferencing into one platform. The new vulnerabilities have drawn alerts from the Belgian national Center for Cybersecurity, the Australian Signals Directorate (ASD) and the UK’s National Health Service (NHS) in addition to the American CISA (Cybersecurity and Infrastructure Security Agency). Patching the recent vulnerabilities in MiCollab is considered urgent.

Here are details about the new actively exploited CVEs in Mitel MiCollab:

  • CVE-2024-41713 (CVSS 7.8 High): A path traversal vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab allows unauthenticated path traversal by leveraging the “…/” technique in HTTP requests. Exploitation can expose highly sensitive files.
  • CVE-2024-35286 (CVSS 10 Critical): A SQL injection vulnerability has been identified in the NPM component of Mitel MiCollab which could allow a malicious actor to conduct a SQL injection attack.

Since mid-2022, CISA has tracked three additional actively exploited CVEs in Mitel products which are known to be leveraged in ransomware attacks. Greenbone is able to detect endpoints vulnerable to these high severity CVEs with active checks [4][5].

Array Networks SSL VPNs Exploited by Ransomware

CVE-2023-28461 (CVSS 9.8 Critical) is a Remote Code Execution (RCE) vulnerability in Array Networks Array AG Series and vxAG SSL VPN appliances. The devices, touted by the vendor as a preventative measure against ransomware, are now being actively exploited in recent ransomware attacks. Array Networks themselves were breached by the Dark Angels ransomware gang earlier this year [1][2].

According to recent reports, Array Networks holds a significant market share in the Application Delivery Controller (ADC) market. According to the IDC’s WW Quarterly Ethernet Switch Tracker, they are the market leader in India, with a market share of 34.2%. Array Networks has released patches for affected products running ArrayOS AG 9.4.0.481 and earlier versions. The Greenbone Enterprise Feed has included a detection test for CVE-2023-28461 since it was disclosed in late March 2023.

CVE-2024-11667 in Zyxel Firewalls

CVE-2024-11667 (CVSS 9.8 Critical) in Zyxel firewall appliances is being actively exploited in ongoing ransomware attacks. This directory traversal vulnerability in the web management interface could allow an attacker to download or upload files via a maliciously crafted URL. Zyxel Communications is a Taiwanese company specializing in designing and manufacturing networking devices for businesses, service providers and consumers. Reports put Zyxel’s market share at roughly 4.2% of the ICT industry with a diverse global footprint including large Fortune 500 companies.
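Both the Mitel MiCollab path traversal above and this Zyxel directory traversal are failures to confine a user-supplied file path to an intended root. This added example is not code from either vendor, and the attachment root and request paths are constructed. It shows the containment check a file-serving endpoint needs: decode the request path fully, normalise separators, reject NUL bytes, then verify that the lexically normalised result still lies under the root before touching the filesystem. The check has to run on the final path in the component that opens the file, because traversal bypasses typically rely on a front end and a back end normalising the same path differently.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed example root; not the layout of Mitel MiCollab or a Zyxel firewall.
ATTACHMENT_ROOT = "/srv/npm/attachments"


def canonical_request_path(raw: str) -> Optional[str]:
    """Undo the encodings a request path may arrive in before any check:
    percent-decode twice (catches %252e-style double encoding), treat
    backslashes as separators, and refuse NUL bytes, which truncate paths in
    C-level file APIs. Returns None when the input cannot be made safe."""
    decoded = raw
    for _ in range(2):
        decoded = unquote(decoded)
    decoded = decoded.replace("\\", "/")
    if "\x00" in decoded:
        return None
    return decoded


def resolve_under_root(root: str, raw: str) -> Optional[str]:
    """Return the absolute path to serve, or None if the request escapes the
    root (or names the root itself). The comparison is done on the fully
    normalised result, so '..' segments introduced by any encoding layer are
    collapsed before the prefix test rather than matched textually."""
    decoded = canonical_request_path(raw)
    if decoded is None:
        return None
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded.lstrip("/")))
    if candidate == root_norm or not candidate.startswith(root_norm + "/"):
        return None
    return candidate


# Constructed request paths of the kind a file-download endpoint receives.
REQUESTS = [
    "voicemail/msg1.wav",
    "/voicemail/msg1.wav",
    "a/../b.wav",
    "../../etc/passwd",
    "..%2F..%2Fetc%2Fpasswd",
    "%252e%252e/%252e%252e/etc/passwd",
    "..\\..\\etc\\passwd",
    "msg1.wav%00.txt",
    "",
]


def classify(requests):
    """Map each request to the path that would be served, or None if refused."""
    return {r: resolve_under_root(ATTACHMENT_ROOT, r) for r in requests}


if __name__ == "__main__":
    for req, result in classify(REQUESTS).items():
        print(f"{req!r:40} -> {result}")
```

The same function serves an upload endpoint: the client-supplied file name is passed as the request path, and a None result means the write is refused. Textual filters that strip "../" from the raw string are not a substitute, since they run before decoding and can be fed a sequence that only becomes a traversal after the next normalisation step.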

A defense in depth approach to cybersecurity is especially important in cases such as this. When attackers compromise a networking device such as a firewall, typically they are not immediately granted access to highly sensitive data. However, initial access allows attackers to monitor network traffic and enumerate the victim’s network in search of high value targets.

Zyxel advises updating your device to the latest firmware, temporarily disabling remote access if updates cannot be applied immediately and applying their best practices for securing distributed networks. CVE-2024-11667 affects Zyxel ATP series firmware versions V5.00 through V5.38, USG FLEX series firmware versions V5.00 through V5.38, USG FLEX 50(W) series firmware versions V5.10 through V5.38 and USG20(W)-VPN series firmware versions V5.10 through V5.38. Greenbone can detect the vulnerability CVE-2024-11667 across all affected products.

Critical Flaws in Apache Struts 2

CVE-2024-53677 (CVSS 9.8 Critical), an unrestricted file upload [CWE-434] flaw affecting Apache Struts 2 allows attackers to upload executable files into web-root directories. If a web-shell is uploaded, the flaw may lead to unauthorized Remote Code Execution. Apache Struts is an open-source Java-based web-application framework widely used by the public and private sectors including government agencies, financial institutions and other large organizations [1]. Proof of concept (PoC) exploit code is publicly available, and CVE-2024-53677 is being actively exploited increasing its risk.

The vulnerability was originally tracked as CVE-2023-50164, published in December 2023 [2][3]. However, similarly to a recent flaw in VMware vCenter, the original patch was ineffective, resulting in the re-emergence of the vulnerability. CVE-2024-53677 affects the FileUploadInterceptor component, and thus applications not using this module are unaffected. Users should update their Struts 2 instance to version 6.4.0 or higher and migrate to the new file upload mechanism. Other new critical CVEs in popular open-source software (OSS) from Apache:

The Apache Software Foundation (ASF) follows a structured process across its projects that encourages private reporting and releasing patches prior to public disclosure so patches are available for all CVEs mentioned above. Greenbone is able to detect systems vulnerable to CVE-2024-53677 and other recently disclosed vulnerabilities in ASF Foundation products.

Palo Alto’s Secure DNS Actively Exploited for DoS

CVE-2024-3393 (CVSS 8.7 High) is a DoS (Denial of Service) vulnerability in the DNS Security feature of PAN-OS. The flaw allows an unauthenticated attacker to reboot PA-Series firewalls, VM-Series firewalls, CN-Series firewalls and Prisma Access devices via malicious packets sent through the data plane. By repeatedly triggering this condition, attackers can cause the firewall to enter maintenance mode. CISA has identified CVE-2024-3393 as actively exploited; it joins five other actively exploited vulnerabilities in Palo Alto’s products over only the past two months.

According to the advisory posted by Palo Alto, only devices with a DNS Security License or Advanced DNS Security License and logging enabled are affected. It would be an easy assumption to say that these conditions mean that top-tier enterprise customers are affected. Greenbone is able to detect the presence of devices affected by CVE-2024-3393 with a version detection test.

Microsoft Security in 2024: Who Left the Windows Open?

While it would be unfair to single out Microsoft for providing vulnerable software in 2024, the Redmond BigTech certainly didn’t beat security expectations. A total of 1,119 CVEs were disclosed in Microsoft products in 2024; 53 achieved critical severity (CVSS > 9.0), 43 were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, and at least four were known vectors for ransomware attacks. Although the comparison is rough, the Linux kernel saw more (3,148) new CVEs but only three were rated critical severity and only three were added to CISA KEV. Here are the details of the new actively exploited CVEs in Microsoft Windows:

  • CVE-2024-35250 (CVSS 7.8 High): A privilege escalation flaw allowing an attacker with local access to a system to gain system-level privileges. The vulnerability was discovered in April 2024, and PoC exploit code appeared online in October.
  • CVE-2024-49138 (CVSS 7.8 High): A heap-based buffer overflow [CWE-122] privilege escalation vulnerability; this time in the Microsoft Windows Common Log File System (CLFS) driver. Although no publicly available exploit exists, security researchers have evidence that this vulnerability can be exploited by crafting a malicious CLFS log to execute privileged commands at the system privilege level.

Detection and mitigation of these new Windows CVEs is critical since they are actively under attack. Both were patched in Microsoft’s December patch release. Greenbone is able to detect CVE-2024-35250 and CVE-2024-49138 as well as all other Microsoft vulnerabilities published as CVEs.

Summary

2024 highlighted the continuously challenging cybersecurity landscape with record-setting vulnerability disclosures, ransomware payouts, DoS attacks and an alarming rise in active exploitations. The rapid weaponization of vulnerabilities emphasizes the need for a continuous vulnerability management strategy and a defense-in-depth approach.

December saw new critical flaws in Mitel, Apache and Microsoft products. More network products: Array Networks VPNs and Zyxel firewalls are now being exploited by ransomware threat actors underscoring the urgency for proactive patching and robust detection measures. As we enter 2025, fortune will favor those prepared; organizations must stay vigilant to mitigate risks in an increasingly hostile cyber landscape.

An actively exploited RCE (Remote Code Execution) vulnerability that runs with system privileges and does not require user interaction is as bad as it gets from a technical standpoint. When that CVE impacts software widely used by Fortune 500 companies, it is a ticking time bomb. And when advanced persistent threat actors jump on a software vulnerability such as this, remediation needs to become an emergency response effort. Most recently, CVE-2024-50623 (also now tracked as CVE-2024-55956) affecting more than 4,200 users of Cleo’s MFT (Managed File Transfer) software met all these prerequisites for disaster. It has been implicated in active ransomware campaigns affecting several Fortune 500 companies, taking center stage in cybersecurity news.

In this cybersecurity alert, we provide a timeline of events related to CVE-2024-50623 and CVE-2024-55956 and associated ransomware campaigns. Even if you are not using an affected product, this will give you valuable insight into the vulnerability lifecycle and the risks of third-party software supply chains. 

CVE-2024-50623 and CVE-2024-55956: a Timeline of Events

The vulnerability lifecycle is complex. You can review our previous article about next-gen vulnerability management for an in depth explanation on how this process happens. In this report, we will provide a timeline for the disclosure and resolution of CVE-2024-50623 and subsequently CVE-2024-55956 as a failed patch attempt from the software vendor Cleo was uncovered and exploited by ransomware operators. Our Greenbone Enterprise Feed includes detection modules for both CVEs [1][2], allowing organizations to identify vulnerable systems and apply emergency remediation. Here is a timeline of events so far:

  • October 28, 2024: CVE-2024-50623 (CVSS 10 Critical) affecting several Cleo MFT products was published by the vendor and a patched version 5.8.0.21 was
  • November 2024: CVE-2024-50623 was exploited for data exfiltration impacting at least 10 organizations globally including Blue Yonder, a supply chain management service used by Fortune 500 companies.
  • December 3, 2024: Security researchers at Huntress identified active exploitation of CVE-2024-50623 capable of bypassing the original patch (version 5.8.0.21).
  • December 8, 2024: Huntress observed a significant uptick in the rate of exploitation. This could be explained by the exploit code being sold in a Malware as a Service cyber crime business model or simply that the attackers had finished reconnaissance and launched a widespread campaign for maximum impact.
  • December 9, 2024: Active exploitation and proof-of-concept (PoC) exploit code was reported to the software vendor Cleo.
  • December 10, 2024: Cleo released a statement acknowledging the exploitability of their products despite security patches and issued additional mitigation guidance.
  • December 11, 2024: watchTowr Labs released a detailed technical report describing how CVE-2024-50623 allows RCE via Arbitrary File Write [CWE-434]. Cleo updated their mitigation guidance and released a subsequent patch (version 5.8.0.24).
  • December 13, 2024: A new name, CVE-2024-55956 (CVSS 10 Critical), was issued for tracking this ongoing vulnerability, and CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, flagged for use in ransomware attacks.

Cleo Products Leveraged in Ransomware Attacks

The risk to global business posed by CVE-2024-50623 and CVE-2024-55956 is high. These two CVEs potentially impact more than 4,200 customers of Cleo LexiCom, a desktop-based client for communication with major trading networks, Cleo VLTrader, a server-level solution tailored for mid-enterprise organizations, and Cleo Harmony for large enterprises.

The CVEs have been used as initial access vectors in a recent ransomware campaign. The Termite ransomware operation [1][2] has been implicated in the exploitation of Blue Yonder, a Panasonic subsidiary, in November 2024. Blue Yonder is a supply chain management platform used by large tech companies including Microsoft, Lenovo and Western Digital, and roughly 3,000 other global enterprises across many industries; Bayer, DHL and 7-Eleven, to name a few. Downtime of Blue Yonder’s hosted service caused payroll disruptions for Starbucks. The Clop ransomware group has also claimed responsibility for recent successful ransomware attacks.

In the second stage of some breaches, after gaining initial access via RCE, attackers conducted Active Directory domain enumeration [DS0026], installed web shells [T1505.003] for persistence [TA0003] and attempted to exfiltrate data [TA0010] from the victim’s network. An in-depth technical description of the Termite ransomware’s architecture is also available.

Mitigating CVE-2024-50623 and CVE-2024-55956

Cleo product instances running version 5.8.0.21 are still vulnerable to cyber attacks. The most recent patch, version 5.8.0.24, is required to mitigate exploitation. All users are urged to apply updates with urgency. Additional mitigation and best practices include disabling the autorun functionality in Cleo products, removing access from the Internet or using firewall rules to restrict access to only authorized IP addresses, and blocking the IP addresses of endpoints implicated in the attacks.

Summary

Cleo Harmony, VLTrader and LexiCom prior to version 5.8.0.24 are under active exploitation due to critical RCE vulnerabilities (CVE-2024-50623 and CVE-2024-55956). These flaws have been the entry point for successful ransomware attacks against at least 10 organizations, impacting Fortune 500 companies. Greenbone provides detection for affected products, and affected users are urged to apply patches and implement mitigation strategies, as attackers will certainly continue to leverage these exploits.

Web browsers are a primary gateway to business and, consequently, they are also a primary gateway for cyber attacks. Malware targeting browsers could gain direct unauthorized access to a target’s network and data, or social engineer victims into providing sensitive information that gives the attacker unauthorized access, such as account credentials. In 2024, the major browsers (Chrome, Firefox and Safari) accounted for 59 Critical severity (CVSS3 ≥ 9) and 256 High severity (CVSS3 between 7.0 and 8.9) vulnerabilities. 10 CVEs (Common Vulnerabilities and Exposures) in the trifecta were added to the KEV (Known Exploited Vulnerabilities) catalog of CISA (Cybersecurity & Infrastructure Security Agency). Browser security should therefore be top-of-mind for security teams.

In light of this, we are proud to announce the addition of CIS Google Chrome Benchmark v3.0.0 Level 1 auditing to our list of compliance capabilities. This latest feature allows our Enterprise feed subscribers to verify their Google Chrome configurations against the industry-leading compliance framework of the CIS (Center for Internet Security). The new Google Chrome benchmark tests sit among our other CIS controls in critical cybersecurity areas such as Apache, IIS, NGINX, MongoDB, Oracle, PostgreSQL, Windows and Linux [1] [2].

CIS Google Chrome Benchmark for Windows

The CIS Google Chrome Benchmark v3.0.0 Level 1 is now available in the Greenbone Enterprise Feed. It establishes a hardened configuration for the Chrome browser. For Windows, implementing the controls involves setting Windows registry keys that define Chrome’s security configuration. Continuous attestation is important because, if the configuration is modified at the user level, Chrome becomes more vulnerable to data leakage, social engineering and other attack vectors.

Our Enterprise vulnerability feed uses compliance policies to run tests on target endpoints, verifying each requirement in the CIS benchmark through one or more dedicated vulnerability tests. These tests are grouped into scan configurations, which can be used to create scan tasks that assess groups of target systems to verify their security posture. Whether you are aligning with internal risk requirements or mandatory government policies, Greenbone has you covered.

The Importance of Browser Security

Much of the critical information flowing through the average organization is transmitted through the browser. The rise of a remote workforce and cloud-based web applications means that web browsers are a primary interface for business activities. Not surprisingly, in the past few years Internet browsers have been a hotbed for exploitation. National cybersecurity agencies such as Germany’s BSI [3] [4], CISA [5] [6] and the Canadian Centre for Cyber Security [7] have all released advisories for addressing the risks posed by Internet browsers.

Browsers can be exploited via technical vulnerabilities and misconfigurations that could lead to remote code execution, theft of sensitive data and account takeover, and they are also a conduit for social engineering attacks. Browser security must be addressed by implementing a hardened security profile, continuously attesting it, and regularly applying updates to combat recently discovered vulnerabilities. Greenbone is able to detect known vulnerabilities for published CVEs in all major browsers, and now, with our latest CIS Google Chrome Benchmark certification, we can attest industry-standard browser compliance.

How Does the CIS Google Chrome Benchmark Improve Browser Security?

Every CIS Benchmark is developed through a consensus review process that involves a global community of subject matter experts from diverse fields such as consulting, software development, auditing, compliance, security research, operations, government, and legal. This collaborative process is meant to ensure that the benchmarks are practical and data-driven and reflect real-world expertise. As such, CIS Benchmarks serve as a vital part of a robust cybersecurity program.

In general, CIS Benchmarks focus on secure technical configuration settings and should be used alongside essential cyber hygiene practices, such as monitoring and promptly patching vulnerabilities in operating systems, applications and libraries.

The CIS Google Chrome Benchmark defines security controls such as:

  • No domains can bypass scanning for dangerous resources such as phishing content and malware.
  • Strict verification of SSL/TLS certificates issued by websites.
  • Reducing Chrome’s overall attack surface by ensuring the latest updates are automatically applied periodically.
  • Chrome is configured to detect DNS interception which could potentially allow DNS hijacking.
  • Chrome and extensions cannot interact with other third-party software.
  • Websites and browser extensions cannot abuse connections with media, the local file system or external devices such as Bluetooth, USB or media casting devices.
  • Only extensions from the Google Chrome Web Store can be installed.
  • All processes forked from the main Chrome process are stopped once the Chrome application has been closed.
  • SafeSites content filtering blocks links to adult content from search results.
  • Prevent importing insecure data such as auto-fill form data, default homepage or other configuration settings.
  • Ensuring that critical warnings cannot be suppressed.
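The Windows registry side of the benchmark, as an added example (not Greenbone’s or CIS’s own code): a read-only PowerShell audit that reads Chrome’s enterprise policy values for the control areas listed above and reports which are in the expected state. Assumptions: the policy names are Google’s documented Chrome and Google Update policies; the expected values are illustrative and not the authoritative CIS benchmark values.

```powershell
# Added example, not part of the original post or the CIS benchmark: read-only audit of the
# registry values that carry Chrome's enterprise policy on Windows. Nothing is modified.
# Policy names are Google's documented policies; Expected values are illustrative assumptions.

$ChromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$UpdatePolicy = 'HKLM:\SOFTWARE\Policies\Google\Update'

# DWORD policies: control area from the benchmark, policy name, expected value.
# Min = $true turns the check into a lower bound instead of an exact match.
$ScalarChecks = @(
    @{ Control = 'Safe Browsing cannot be bypassed';      Path = $ChromePolicy; Name = 'SafeBrowsingProtectionLevel';      Expected = 1; Min = $true }
    @{ Control = 'Safe Browsing cannot be bypassed';      Path = $ChromePolicy; Name = 'DisableSafeBrowsingProceedAnyway'; Expected = 1 }
    @{ Control = 'Strict TLS certificate verification';   Path = $ChromePolicy; Name = 'SSLErrorOverrideAllowed';          Expected = 0 }
    @{ Control = 'Updates applied automatically';         Path = $UpdatePolicy; Name = 'UpdateDefault';                    Expected = 1 }
    @{ Control = 'Updates applied automatically';         Path = $UpdatePolicy; Name = 'AutoUpdateCheckPeriodMinutes';     Expected = 1; Min = $true }
    @{ Control = 'DNS interception detection';            Path = $ChromePolicy; Name = 'DNSInterceptionChecksEnabled';     Expected = 1 }
    @{ Control = 'No third-party software interaction';   Path = $ChromePolicy; Name = 'ThirdPartyBlockingEnabled';        Expected = 1 }
    @{ Control = 'Device access (Bluetooth)';             Path = $ChromePolicy; Name = 'DefaultWebBluetoothGuardSetting';  Expected = 2 }
    @{ Control = 'Device access (USB)';                   Path = $ChromePolicy; Name = 'DefaultWebUsbGuardSetting';        Expected = 2 }
    @{ Control = 'Device access (media casting)';         Path = $ChromePolicy; Name = 'EnableMediaRouter';                Expected = 0 }
    @{ Control = 'No processes left after closing';       Path = $ChromePolicy; Name = 'BackgroundModeEnabled';            Expected = 0 }
    @{ Control = 'SafeSites content filtering';           Path = $ChromePolicy; Name = 'SafeSitesFilterBehavior';          Expected = 1 }
    @{ Control = 'No insecure data import';               Path = $ChromePolicy; Name = 'ImportAutofillFormData';           Expected = 0 }
    @{ Control = 'No insecure data import';               Path = $ChromePolicy; Name = 'ImportHomepage';                   Expected = 0 }
    @{ Control = 'No insecure data import';               Path = $ChromePolicy; Name = 'ImportSavedPasswords';             Expected = 0 }
)

# List policies live in a subkey with numbered values; the hardened state is "no entries".
# For both of these, an absent subkey is the restrictive default (no bypass domains,
# extensions only from the Chrome Web Store).
$EmptyListChecks = @(
    @{ Control = 'Safe Browsing cannot be bypassed';      Path = "$ChromePolicy\SafeBrowsingAllowlistDomains" }
    @{ Control = 'Extensions only from Chrome Web Store'; Path = "$ChromePolicy\ExtensionInstallSources" }
)

function Get-PolicyValue {
    # Returns the registry value, or $null when the key or value is absent (policy not set).
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-ScalarPolicy {
    param([hashtable]$Check)
    $actual = Get-PolicyValue -Path $Check.Path -Name $Check.Name
    $status = if ($null -eq $actual) { 'NOT SET' }
              elseif ($Check.Min -and [int]$actual -ge $Check.Expected) { 'PASS' }
              elseif (-not $Check.Min -and [int]$actual -eq $Check.Expected) { 'PASS' }
              else { 'FAIL' }
    [pscustomobject]@{ Control = $Check.Control; Policy = $Check.Name
                       Expected = $Check.Expected; Actual = $actual; Status = $status }
}

function Test-EmptyListPolicy {
    param([hashtable]$Check)
    # .Property on a registry key is the list of value names it holds.
    $entries = if (Test-Path $Check.Path) { @((Get-Item $Check.Path).Property) } else { @() }
    $status  = if ($entries.Count -eq 0) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{ Control = $Check.Control; Policy = (Split-Path $Check.Path -Leaf)
                       Expected = '(empty)'; Actual = $entries.Count; Status = $status }
}

$results = @(
    foreach ($c in $ScalarChecks)    { Test-ScalarPolicy    -Check $c }
    foreach ($c in $EmptyListChecks) { Test-EmptyListPolicy -Check $c }
)

$results | Format-Table Control, Policy, Expected, Actual, Status -AutoSize
$open = @($results | Where-Object { $_.Status -ne 'PASS' }).Count
Write-Host "$open of $($results.Count) checks are not in the expected state (NOT SET is listed separately from FAIL)."
```

NOT SET means the policy is left to the user or to Chrome’s default, which is exactly the drift that continuous attestation is meant to catch; policy values written under HKLM take effect on the next policy refresh or browser restart.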

Greenbone Is a CIS Consortium Member

As a member of the CIS consortium, Greenbone continues to enhance its CIS Benchmark scan configurations. All our CIS Benchmark policies are aligned with CIS hardening guidelines and certified by CIS, ensuring maximum security for system audits. Greenbone has also added a new compliance view to the Greenbone Security Assistant (GSA) web interface, streamlining the process for organizations seeking to remove security gaps from their infrastructure and prevent security breaches.

Summary

CIS Controls are critical for safeguarding systems and data by providing clear, actionable guidance on secure configurations. The CIS Google Chrome Benchmark is especially vital at the enterprise level, where browsers handle many forms of sensitive data. It’s exciting to announce that Greenbone is expanding its industry-leading vulnerability detection capabilities with a new compliance scan: the CIS Google Chrome Benchmark v3.0.0 Level 1. With this certification, Greenbone continues to strengthen its position as a trusted ally in proactive cybersecurity. This latest feature reflects our dedication to advancing IT security and protecting against evolving cyber threats.

Also in its 16th year, the Osnabrück-based expert and market leader in Open Source Vulnerability Management has kept growing, in employees, customers and partners, and last but not least on this blog.

After doubling our workforce over the last two years, we at Greenbone are looking proudly at 143 employees, most of whom work remotely. This growth brought about many new contributions and, of course, many company events, unique development talks and a people lead concept with cross feedback as a major step forward in developing leadership culture. Inspired by happiness surveys, Greenbone will keep on growing and is a great employer. Have you applied yet?

Greenbone Threat Report

So it’s no wonder that this blog also benefited from the growth and introduced a successful new format: every month, the Threat Report presents a deep dive into the news and atrocities of vulnerability management, mitigation and new threats on the radar of our customers (and anybody interested in security). We started this series in March 2024 and have published 10 thorough blog reports so far. Find all of them here, and the last update here.

Endangered: Ivanti, Fortinet, Exchange, Confluence…

Apart from that, we reported on several crucial vulnerabilities. From Juniper and Ivanti to Fortinet, from problems in Microsoft Exchange and SharePoint to Atlassian’s knowledge management tool Confluence: our experts provided helpful insights for nearly all customers.

Of course, our blog reported on CrowdStrike and how it only took 62 minutes for a security provider to become a massive threat. We wrote about the never-ending dangers from Chinese hackers, DoS attacks, automated mass attacks and severe SSH key problems, and featured in-depth analysis and papers, for example on the costs of cyber attacks.

Growing challenges: cyber threats and new legislation

In five blog posts we explained threat levels and specific vulnerability risks in sectors hit hard by common vulnerabilities: for example, SMEs are investing more in security, Helsinki schools have been attacked, and of course public administration networks are under special threat, as is practically anything in health care, says the BSI (Bundesamt für Sicherheit in der Informationstechnik), the German Federal Office for Information Security. Especially the latter two sectors, and not only among our customers, will also have benefited from the many posts we published on regulations, such as CSAF (Common Security Advisory Framework) and the many updates on the slow and (in Germany) interrupted progress of NIS2 (Network and Information Security).

All-year Topic NIS2

The NIS Directive in its second edition was a topic that has been and will be on the watchlist of Greenbone and our customers. Since the European Union decided on the second “Directive on Security of Network and Information Systems” (NIS), many member states have adopted regulations that clarify how companies have to implement it. Only in Germany did this take a little longer and, due to the fall of the government late in the year, it has not been finished. Nevertheless, all the information and plans are available; there is even a test from the BSI that allows you to check whether your networks are affected and need immediate action.

Greenbone Goes Green: ISO 14001

We wrote about sustainability and the great success Greenbone achieved with the ISO 14001 certificate. Our CMO Elmar Geese shared his thoughts on the future of clouds and the breaking of their hype cycle. He also took part in a panel on artificial intelligence, and our products now integrate additional BSI basic and CIS guidelines to protect your office software.

New Products: Major Release 24.10, Greenbone Basic, Feed-Updates

But 2024 also brought many updates and news on our products: Greenbone’s vulnerability management got several improvements and updates, with a new video explaining vulnerability management in 12 minutes. In July, our new scan engine Notus received support for Amazon’s Red Hat Linux variant that dominates Amazon Web Services. Later in 2024 Greenbone announced both a new major version of its Enterprise Appliance (24.10) and a completely new product targeted at small and medium-sized businesses called “Greenbone Basic”. Ready to try?

But maybe you want to read about how Greenbone leads the competition of vulnerability scanners in our benchmark or find out what your Key Performance Indicators for vulnerability management products are.

Congresses and Events: Our Highlights of the Year 

If you want to meet us, you’ll find a growing number of opportunities … worldwide, as our blog also showed: we reported almost live from the other side of the globe, where Greenbone had a presence at the Singapore International Cyber Week. This conference was not only one of the major IT security events in Asia, but also one in a long list of business fairs that Greenbone attended: Public IT Security (PITS) in Berlin, the it-sa in Nuremberg and the Potsdam Conference for National Security, to name just a few.

Thank You and Happy Holidays!

So, obviously, our 16th year was also a good one, “a very good year”, and we would like to take this opportunity to thank all customers, partners and the community again: without your help none of this would be possible.

Thank you, happy holidays and a happy new year!

The world may be entering into a new phase of cyber, and a new technological paradigm. So-called “industry leading” or “enterprise grade” software is perpetually shown to be vulnerable with new critical vulnerabilities exposed and evidence of active exploitation on a weekly basis. Fancy new features keep us engaged but, considering the risk of fast-moving technologies, it’s important to work with organizations that keep things simple, stick to their core competencies and do things right.

In this November 2024 edition of the Greenbone vulnerability report, we examine some recently released reports from the BSI and CISA to see what government cybersecurity agencies make of the current threat environment, then follow up with news of the most pressing and actively exploited vulnerabilities of the month. Considering the high degree of risk presented by the current landscape of cybersecurity threats, it’s important to prioritize the fundamentals of IT security – and software design – to avoid building operations on a proverbial house of cards.

BSI Releases Its Annual IT Security Summary for 2024

Policy in the EU continues to rapidly evolve in response to increasing cyber risk. Cybersecurity for all requires cross-border cooperation on many levels. According to the 2024 summary report, the German Federal Office for Information Security (BSI) is focused on harmonizing national specifications with cybersecurity best practices while considering the economic and technical feasibility of new measures. Referred to as the “Europeanisation of Cybersecurity”, European standardisation and Germany’s collaboration with the three European Standardisation Organisations CEN, CENELEC and ETSI promote a risk-based approach to enforcing security best practices among critical infrastructure and providers of virtually all digital products.

Regarding the Cyber Resilience Act (CRA), each member state will have authority to remove non-compliant products from the market and penalise offending vendors. “Important products” (Class I), such as password managers and routers, must follow harmonised European standards (hEN). Regarding NIS2, the BSI received 726 reports representing 141 incidents from critical infrastructure facilities so far in 2024. This includes sectors like healthcare, energy, water, food, IT and telecommunications, financial and insurance services, among others.

The BSI also observed an overall increase in new malware variants and a 256% increase in malware exploiting Windows. The full report relays trends in attacker behaviour such as an increase in Bring Your Own Vulnerable Driver (BYOVD) attacks capable of disabling EDR security products. There were also ongoing efforts to sinkhole botnets that contribute to mass exploitation attacks at scale, and the continuing fragmentation of cybercrime activities into initial access brokering and second-stage ransomware groups.

How do these observations pertain to Greenbone and vulnerability management in general? While effective vulnerability management and compliance auditing are only one piece of the enterprise cybersecurity puzzle, closing known security gaps and regularly attesting strong security configurations is a critical core competency that all organizations need to master.

CISA’s Most Exploited Vulnerabilities of 2023 Are Revealing

The 2023 Top Routinely Exploited Vulnerabilities report from the Cybersecurity & Infrastructure Security Agency (CISA) observed an increase in exploited zero-day vulnerabilities compared to 2022 and their use in attacks on high-priority targets. Other than zero-days, the report lists the top 47 CVEs (Common Vulnerabilities and Exposures) exploited by attackers. Networking (40%) and productivity software (34%) make up the vast majority of highly targeted CVEs. There is also a strong trend in the type of software flaws most exploited. Mishandling untrusted input accounts for 38% of the most attacked software flaws, while improper authentication and authorization make up 34%. Sadly, considerations for securing these flaws are elementary, covered in application design 101. Also, 90% of the top exploited vulnerabilities in the report are in closed source proprietary products indicating that cyber criminals are not hindered by reverse engineering barriers.

While the EU is motivated to improve security via legal requirements, CISA continues its plea for software vendors to employ Secure by Design principles during development stages. They also suggest that more pay-to-hack bug bounty programs could incentivize ethical security researchers.

Multiple Critical Flaws in Palo Alto Products Attacked

On November 8, 2024, Palo Alto Networks issued a security advisory revealing a zero-day remote code execution (RCE) vulnerability affecting its PAN-OS operating system. The advisory was soon updated after evidence of active exploitation emerged. Here is a summary of new vulnerabilities in Palo Alto products disclosed in November 2024.

  • CVE-2024-0012 (CVSS 9.8 High): An authentication bypass in PAN-OS allows unauthenticated access to administrator privileges. Attackers may perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474.
  • CVE-2024-9474 (CVSS 7.2 High): A privilege escalation vulnerability in PAN-OS software allows PAN-OS administrators to perform actions on the firewall with root privileges.
  • CVE-2024-9463 (CVSS 7.5 High): An OS command injection vulnerability in Expedition allows an unauthenticated attacker to run arbitrary OS commands as root. This allows unauthorized disclosure of usernames, cleartext passwords, device configurations and device API keys of PAN-OS firewalls.
  • CVE-2024-9465 (CVSS 9.1 High): SQL injection could allow an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations and device API keys, or create and read arbitrary files on the Expedition system.
  • CVE-2024-5910 (CVSS 9.8 High): Missing authentication for a critical function in Expedition can lead to admin account takeover remotely and expose configuration secrets, credentials and other data.

Greenbone is able to detect all new CVEs published for Palo Alto devices in November 2024. Ideally, ensure that network management interfaces are not accessible from the public Internet and, as a best practice, use firewall configuration to prevent access from unauthorized internal network endpoints.

US Critical Telecom Infrastructure Breached

The recent breaches involving major US telecom providers serve as a stark warning to all organizations operating complex IT infrastructure at scale. Blame has been laid on Chinese-backed hacking groups who reportedly used the access to intercept U.S. political officials’ calls and SMS text messages and to collect mobile metadata. According to Adam Meyers, vice president of intelligence at CrowdStrike, by compromising the telecoms directly, threat actors circumvent the need to breach the individual networks of their targets. Considering the sheer number of critical vulnerabilities in products from US networking vendors such as Palo Alto Networks, Oracle, Cisco, Citrix, Ivanti, Broadcom, Microsoft and Fortinet, more intensive application security testing would greatly reduce the risk to their core customers: US companies at home and abroad, and other large global firms.

Liminal Panda, Salt Typhoon, Volt Typhoon and others are known to attack “shadow IT”: legacy mobile protocols that IT administrators are not aware are still active, or are not actively monitoring. Sophisticated, highly skilled APT actors are highly adaptable and have the resources to develop malware for virtually any known vulnerability that is exploitable, as well as to actively develop zero-day exploits for vulnerabilities not yet known.

5 Privilege Escalation Flaws Found in Ubuntu’s Needrestart

A flaw in Ubuntu’s Needrestart feature could allow an unprivileged local attacker to execute shell commands as the root user. The new CVEs impact all versions of Needrestart going back to 2014. Needrestart determines whether any processes need to be restarted after system-wide packages are updated, to avoid a full reboot, and is invoked by the apt package manager. The vulnerability arises when untrusted data such as environment variables is passed unsanitized to the Module::ScanDeps library, which executes as root. These user-level environment variables can also influence the Python and Ruby interpreters during Needrestart’s execution.

The vulnerabilities can be mitigated by updating Needrestart to a patched version or by disabling the interpreter scanning feature by setting $nrconf{interpscan} = 0 in the needrestart.conf configuration file. Greenbone includes detection for all CVEs related to the Needrestart feature [1][2][3].

Here is a brief description of the newly disclosed CVEs:

  • CVE-2024-11003 (CVSS 7.8 High): Unsanitized data passed to the Module::ScanDeps library could allow a local attacker to execute arbitrary shell commands.
  • CVE-2024-10224 (CVSS 5.3): Unsanitized input passed to the Module::ScanDeps library allows execution of arbitrary shell commands by opening a “pesky pipe” (such as passing “commands|” as a filename) or by passing arbitrary strings to eval().
  • CVE-2024-48990 (CVSS 7.8 High): Allows local attackers to execute arbitrary code as root by tricking Needrestart into running the Python interpreter via the PYTHONPATH environment variable.
  • CVE-2024-48991 (CVSS 7.8 High): Allows local attackers to execute arbitrary code as root by winning a race condition and pointing Needrestart to a fake Python interpreter instead of the system’s real Python interpreter.
  • CVE-2024-48992 (CVSS 7.8 High): Allows local attackers to execute arbitrary code as root by tricking needrestart into running the Ruby interpreter via the RUBYLIB environment variable.

Is Third Time the Charm for VMware vCenter Critical RCE Flaws?

VMware has been grappling with the challenge of effectively patching critical vulnerabilities in its vCenter Server products. Broadcom, which owns VMware, initially released patches in September for two significant vulnerabilities in vCenter: CVE-2024-38812 (CVSS 9.8 High), classified as a heap overflow vulnerability in the implementation of the DCERPC protocol, and CVE-2024-38813 (CVSS 9.8 High), which offers privilege escalation via specially crafted network packets.

However, these initial patches were insufficient, prompting a second round of patches in October. Despite these efforts, it was confirmed in November that the CVEs were still vulnerable and had been exploited in the wild. vCenter is a prime target for attackers due to its widespread use, and the situation highlights ongoing security challenges. VMware users should apply patches promptly. When CVEs such as these in VMware vCenter are updated with new information, Greenbone’s team of security analysts reviews the changes and updates our vulnerability tests accordingly.

Helldown Ransomware Exploiting Zyxel and Its Customers

In November 2024, a Linux variant of the Helldown ransomware payload was discovered. Helldown is known to exploit the IPSec VPN of Zyxel devices via CVE-2024-42057 (CVSS 8.1 High) for initial access. After gaining a foothold, Helldown steals any accessible credentials and creates new users and VPN tunnels to maintain persistence. The new variant targets VMware ESXi virtual machines to exfiltrate their data and encrypt them. This technique is shared by other ransomware groups such as the Play gang.

The Helldown ransomware group is considered an emerging threat, claiming over 30 victims since August, including the maker of Zyxel products themselves. Zyxel has issued an article acknowledging the attacks with mitigation instructions, and Truesec has published known Helldown TTPs (Tactics, Techniques and Procedures) from their response efforts. Greenbone is able to detect all vulnerabilities known to be associated with Helldown ransomware attacks, including CVE-2024-42057 in Zyxel products [1][2][3], as well as known software vulnerabilities used by other ransomware threat actors to gain initial access, escalate privileges and move laterally to high-value targets within the victim’s network.

Summary

From EU policy advancements to CISA’s insights on exploited vulnerabilities: the critical need for better software development practices, effective vulnerability management and defense in depth is evident. November’s events, such as Palo Alto’s zero-days, Ubuntu’s Needrestart flaws and VMware vCenter’s ongoing challenges, emphasize the importance of timely monitoring and patching of critical infrastructure. Emerging threats like Helldown ransomware reinforce the need for proactive defense strategies. Greenbone continues to support organizations by detecting critical vulnerabilities, providing actionable insights and advocating for a security-first approach with fundamental IT security best practices.

The Singapore International Cyber Week (SICW) is one of the most important cybersecurity events worldwide. We were able to present our solutions to an international audience and received great interest, inspiring discussions and valuable feedback. Three successful days in Singapore and an important step in strengthening our international presence!

Greenbone team and partners taking a group photo together at the stand at Singapore International Cyber Week 2024.

Since its launch, SICW has been bringing together leading companies, start-ups, government organizations and security authorities from around the world every year. The aim is to share knowledge, promote partnerships and present innovative solutions that meet the growing challenges in the field of cybersecurity. The event, organized by the Cyber Security Agency of Singapore (CSA), was launched in 2016 and has been held annually in Singapore ever since.

This year, Greenbone had the honor of being present at SICW as a technology partner of Huawei. During three exciting days, we presented our Enterprise Appliances to an international audience and were thrilled by the response.

Great Interest in Greenbone Solutions

We were overwhelmed by the positive feedback from visitors to our solutions – for us a strong signal that our cybersecurity solutions are also very important for the Asian market. In numerous discussions, we repeatedly noticed how great the interest is in a vulnerability scanner with excellent feed that focuses on the essentials while also allowing connection to other systems via its API.

VIP Visitors and Inspiring Talks

We were particularly pleased to welcome prominent personalities to our booth. A real highlight was the visit of John Tan, Commissioner of Cybersecurity and Chief Executive of the Cybersecurity Agency of Singapore. His interest and the numerous discussions with potential customers and partners have encouraged us to further expand our presence in Asia.

Conversation between stand visitors in front of the Greenbone display with world map and product information at SICW 2024.

The not entirely unexpected star of our appearance was “the Beast”, our company logo as a plush toy. It put a smile on the faces of many visitors to our stand and often served as a friendly icebreaker, facilitating lively and valuable discussions.

Conclusion: Momentum for the Future

SICW was a great success for Greenbone. We were not only able to present our solutions to a broad audience, but also establish valuable connections and noticeably increase interest in the Asian market. The great popularity and high demand for our “Beast” shows that our brand is also very well received emotionally – and we look forward to continuing to build on this momentum.

The Common Security Advisory Framework (CSAF) is a framework for providing machine-readable security advisories following a standardized process to enable automated cybersecurity information sharing. Greenbone is continuously working on the integration of technologies that leverage the CSAF 2.0 standard for automated cybersecurity advisories. For an introduction to CSAF 2.0 and how it supports next-generation vulnerability management, you can refer to our previous blog post.

In 2024, the NIST National Vulnerability Database (NVD) outage has disrupted the flow of critical cybersecurity intelligence to downstream consumers. This makes the decentralized CSAF 2.0 model increasingly relevant. The outage highlights the need for a decentralized cybersecurity intelligence framework for increased resilience against a single point of failure. Those who adopt CSAF 2.0 will be one step closer to a more reliable cybersecurity intelligence ecosystem.


Table of Contents

1. What We Will Cover in this Article
2. Who Are the CSAF Stakeholders?
2.1. Understanding Roles in the CSAF 2.0 Process
2.1.1. CSAF 2.0 Issuing Parties
2.1.1.1. Understanding the CSAF Publisher Role
2.1.1.2. Understanding the CSAF Provider Role
2.1.1.3. Understanding the CSAF Trusted-Provider Role
2.1.2. CSAF 2.0 Data Aggregators
2.1.2.1. Understanding the CSAF Lister Role
2.1.2.2. Understanding the CSAF Aggregator Role
3. Summary


1. What We Will Cover in this Article

This article will provide a detailed explanation of the various stakeholders and roles defined in the CSAF 2.0 specification. These roles govern the mechanisms of creating, disseminating and consuming security advisories within the CSAF 2.0 ecosystem. By understanding who the stakeholders of CSAF are and the standardized roles defined by the CSAF 2.0 framework, security practitioners can better realize how CSAF works, whether it can serve to benefit their organization and how to implement CSAF 2.0.

2. Who Are the CSAF Stakeholders?

At the highest level, the CSAF process has two primary stakeholder groups: upstream producers who create and supply cybersecurity advisories in the CSAF 2.0 document format and downstream consumers (end-users) who consume the advisories and apply the security information they contain.

Upstream producers are typically software product vendors (such as Cisco, Red Hat and Oracle) who are responsible for maintaining the security of their digital products and providing publicly available information about vulnerabilities. Upstream stakeholders also include independent security researchers and public entities that act as a source of cybersecurity intelligence, such as the US Cybersecurity and Infrastructure Security Agency (CISA) and the German Federal Office for Information Security (BSI).

Downstream consumers consist of private corporations who manage their own cybersecurity and Managed Security Service Providers (MSSPs), third-party entities that provide outsourced cybersecurity monitoring and management. The information contained in CSAF 2.0 documents is used downstream by IT security teams to identify vulnerabilities in their infrastructure and plan remediation and by C-level executives for assessing how IT risk could negatively impact operations.

Diagram of the CSAF 2.0 stakeholders: On the left, the upstream producers such as software vendors, authorities, and researchers; on the right, the downstream consumers such as CERTs, SOC teams, and security platforms – connected through the CSAF 2.0 advisory format.

The CSAF 2.0 standard defines specific roles for upstream producers that outline their participation in creating and disseminating advisory documents. Let’s examine those officially defined roles in more detail.

2.1. Understanding Roles in the CSAF 2.0 Process

CSAF 2.0 roles are defined in Section 7.2 of the specification. They are divided into two distinct groups: Issuing Parties (“Issuers”) and Data Aggregators (“Aggregators”). Issuers are directly involved in the creation of advisory documents. Aggregators collect those documents and distribute them to end-users, supporting automation for consumers. A single organization may fulfill the roles of both an Issuer and an Aggregator; however, these functions should operate as separate entities. Obviously, organizations that act as upstream producers must also maintain their own cybersecurity, so they may also be downstream consumers, ingesting CSAF 2.0 documents to support their own vulnerability management activities.

Diagram of the CSAF 2.0 upstream roles, showing the groups Issuing Parties (Producer, Provider, Trusted Provider) and Data Aggregators (Lister, Aggregator), who forward cybersecurity advisories to downstream consumers.

Next, let’s break down the specific responsibilities for CSAF 2.0 Issuing Parties and Data Aggregators.

2.1.1. CSAF 2.0 Issuing Parties

Issuing Parties are the origin of CSAF 2.0 cybersecurity advisories, but they are not responsible for transmitting the documents to end-users. Issuing Parties are responsible for indicating whether they do not want their advisories to be listed or mirrored by Data Aggregators. CSAF 2.0 Issuing Parties can also act as Data Aggregators.

Here are explanations of each sub-role within the Issuing Parties group:

2.1.1.1. Understanding the CSAF Publisher Role

Publishers are typically organizations that discover and communicate advisories only on behalf of their own digital products. Publishers must satisfy requirements 1 to 4 in Section 7.1 of the CSAF 2.0 specification. This means issuing structured files with valid syntax and content that adhere to the CSAF 2.0 filename conventions described in Section 5.1 and ensuring that files are only available via encrypted TLS connections. Publishers must also make all advisories classified as TLP:WHITE publicly accessible.

Publishers must also have a publicly available provider-metadata.json document containing basic information about the organization, its CSAF 2.0 role status, and links to an OpenPGP public key used to digitally sign the provider-metadata.json document to verify its integrity. This information about the Publisher is used downstream by software apps that display the publisher’s advisories to end-users.

2.1.1.2. Understanding the CSAF Provider Role

Providers make CSAF 2.0 documents available to the broader community. In addition to meeting all the same requirements as a Publisher, a Provider must provide its provider-metadata.json file according to a standardized method (at least one of the requirements 8 to 10 from Section 7.1), employ standardized distribution for its advisories, and implement technical controls to restrict access to any advisory documents with a TLP:AMBER or TLP:RED status.

Providers must also choose to distribute documents via either the directory-based or the ROLIE-based method. Simply put, directory-based distribution makes advisory documents available in a normal directory path structure, while ROLIE (Resource-Oriented Lightweight Information Exchange) [RFC-8322] is a RESTful API protocol designed specifically for security automation, information publication, discovery and sharing.

If a Provider uses the ROLIE-based distribution, it must also satisfy requirements 15 to 17 from Section 7.1. Alternatively, if a Provider uses the directory-based distribution it must satisfy requirements 11 to 14 from Section 7.1.
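The provider-metadata.json document described above is what a downstream tool or a Data Aggregator reads first: it tells the consumer which role the Issuer claims, where the OpenPGP key for signature checks lives, whether distribution is directory-based or ROLIE-based, and whether the Issuer objects to being listed or mirrored. The following is an added example (not Greenbone's or the CSAF project's code) of those consumer-side interpretations. The field names follow my reading of the provider-metadata.json schema, the metadata document is a constructed sample with example.com URLs and a placeholder fingerprint, and treating an absent opt-in flag as "no" is my own conservative choice rather than something the specification states.

```python
"""Interpreting a CSAF 2.0 provider-metadata.json on the consumer/aggregator side.

Added example, not Greenbone's or the CSAF project's code. Field names follow my
reading of the provider-metadata.json schema (assumption); SAMPLE_METADATA is a
constructed sample with example.com URLs and a placeholder key fingerprint.
"""

# Role values as defined for the "role" field (assumption: names as I know the schema).
VALID_ROLES = {"csaf_publisher", "csaf_provider", "csaf_trusted_provider"}
# Least to most restrictive TLP labels used on ROLIE feeds.
TLP_ORDER = ["WHITE", "GREEN", "AMBER", "RED"]

# Constructed sample: a Provider offering both distribution methods.
SAMPLE_METADATA = {
    "canonical_url": "https://example.com/.well-known/csaf/provider-metadata.json",
    "last_updated": "2025-02-01T00:00:00Z",
    "list_on_CSAF_aggregators": True,      # Listers may point at this Issuer
    "mirror_on_CSAF_aggregators": False,   # Aggregators must not mirror its documents
    "metadata_version": "2.0",
    "public_openpgp_keys": [
        {"fingerprint": "0000000000000000000000000000000000000000",  # placeholder
         "url": "https://example.com/openpgp/psirt-key.asc"}
    ],
    "publisher": {"category": "vendor", "name": "Example Corp PSIRT",
                  "namespace": "https://example.com"},
    "role": "csaf_provider",
    "distributions": [
        {"directory_url": "https://example.com/.well-known/csaf/"},
        {"rolie": {"feeds": [
            {"tlp_label": "WHITE", "summary": "public advisories",
             "url": "https://example.com/.well-known/csaf/white/csaf-feed-tlp-white.json"},
            {"tlp_label": "AMBER", "summary": "customer-only advisories",
             "url": "https://example.com/.well-known/csaf/amber/csaf-feed-tlp-amber.json"},
        ]}},
    ],
}


def validate_metadata(meta: dict) -> list:
    """Return a list of problems a consumer should refuse to proceed on; [] means OK."""
    problems = []
    if meta.get("metadata_version") != "2.0":
        problems.append("metadata_version is not 2.0")
    role = meta.get("role")
    if role not in VALID_ROLES:
        problems.append(f"unknown role {role!r}")
    keys = meta.get("public_openpgp_keys") or []
    if not keys:
        problems.append("no public_openpgp_keys: signatures cannot be verified")
    for key in keys:
        # Key material fetched over plain HTTP could be swapped in transit.
        if not str(key.get("url", "")).startswith("https://"):
            problems.append("OpenPGP key URL is not served over TLS")
    dists = meta.get("distributions") or []
    if role in ("csaf_provider", "csaf_trusted_provider") and not dists:
        problems.append("Provider role declared but no distributions given")
    for dist in dists:
        if "directory_url" not in dist and "rolie" not in dist:
            problems.append("distribution entry is neither directory-based nor ROLIE-based")
    return problems


def distribution_methods(meta: dict) -> list:
    """Which of the two distribution methods the Issuer offers, in listed order."""
    methods = []
    for dist in meta.get("distributions") or []:
        if "directory_url" in dist:
            methods.append("directory")
        if "rolie" in dist:
            methods.append("rolie")
    return methods


def aggregator_policy(meta: dict) -> dict:
    """Honour the Issuer's opt-out flags; an absent flag is treated as 'no' (my choice)."""
    return {"may_list": meta.get("list_on_CSAF_aggregators") is True,
            "may_mirror": meta.get("mirror_on_CSAF_aggregators") is True}


def feeds_visible_to(meta: dict, clearance: str) -> list:
    """ROLIE feed URLs a consumer cleared up to `clearance` may pull.

    A public consumer (clearance WHITE) never even learns the AMBER/RED feed URLs;
    the Provider's own access controls on those feeds remain the real gate.
    """
    allowed = set(TLP_ORDER[: TLP_ORDER.index(clearance) + 1])
    urls = []
    for dist in meta.get("distributions") or []:
        for feed in dist.get("rolie", {}).get("feeds", []):
            if feed.get("tlp_label") in allowed:
                urls.append(feed["url"])
    return urls
```

A real client would fetch the file from one of the standardized locations (requirements 8 to 10) and verify its OpenPGP signature with the listed key before trusting any of these fields; the checks above are what happens after that step.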

2.1.1.3. Understanding the CSAF Trusted-Provider Role

Trusted-Providers are a special class of CSAF Providers who have established a high level of trust and reliability. They must adhere to stringent security and quality standards to ensure the integrity of the CSAF documents they issue.

In addition to meeting all the requirements of a CSAF Provider, Trusted-Providers must also satisfy the requirements 18 to 20 from Section 7.1 of the CSAF 2.0 specification. These requirements include providing a secure cryptographic hash and OpenPGP signature file for each CSAF document issued and ensuring the public part of the OpenPGP signing key is made publicly available.

2.1.2. CSAF 2.0 Data Aggregators

Data Aggregators focus on the collection and redistribution of CSAF documents. They act as a directory of CSAF 2.0 Issuers and their advisory documents and as an intermediary between Issuers and end-users. A single entity may act as both a CSAF Lister and Aggregator. Data Aggregators may choose which upstream Publishers’ advisories to list or collect and redistribute based on their customers’ needs.

Here are explanations of each sub-role in the Data Aggregator group:

2.1.2.1. Understanding the CSAF Lister Role

Listers gather CSAF documents from multiple CSAF Publishers and list them in a centralized location to facilitate retrieval. The purpose of a Lister is to act as a sort of directory for CSAF 2.0 advisories by consolidating URLs where CSAF documents can be accessed. No Lister is assumed to provide a complete set of all CSAF documents.

Listers must publish a valid aggregator.json file that lists at least two separate CSAF Provider entities. While a Lister may also act as an Issuing Party, it may not list mirrors pointing to a domain under its own control.

2.1.2.2. Understanding the CSAF Aggregator Role

The CSAF Aggregator role represents the final waypoint between published CSAF 2.0 advisory documents and the end-user. Aggregators provide a location where CSAF documents can be retrieved by an automated tool. Although Aggregators act as a consolidated source of cybersecurity advisories, comparable to NIST NVD or The MITRE Corporation’s CVE.org, CSAF 2.0 is a decentralized model as opposed to a centralized model. Aggregators are not required to offer a comprehensive list of CSAF documents from all Publishers. Also, Publishers may provide free access to their CSAF advisory feed, or operate as a paid service.

Like Listers, Aggregators must make an aggregator.json file publicly available, and CSAF documents from each mirrored Issuer must be placed in a separate dedicated folder along with the Issuer’s provider-metadata.json. Essentially, Aggregators must satisfy the requirements 1 to 6 and 21 to 23 from Section 7.1 of the CSAF 2.0 specification.

CSAF Aggregators are also responsible for ensuring that each mirrored CSAF document has a valid signature (requirement 19) and a secure cryptographic hash (requirement 18). If the Issuing Party does not provide these files, the Aggregator must generate them.
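The per-document checks that the Publisher filename convention (Section 5.1), the Trusted-Provider hash requirement (requirement 18) and the Aggregator's duty to generate a missing hash file all revolve around can be shown in one place. The following is an added example (not Greenbone's or the CSAF project's code) of an aggregator-side pipeline over a constructed advisory: it derives the expected filename from the tracking id, verifies a sha256 sidecar against the published bytes, and generates the sidecar when the Issuer shipped none. The filename rule and the sha256sum-style sidecar format are my reading of the specification; the OpenPGP signature check (requirement 19) needs an OpenPGP implementation and is only noted, not performed.

```python
"""Filename and hash integrity checks for CSAF 2.0 documents, as an Aggregator would run them.

Added example, not Greenbone's or the CSAF project's code. Assumptions: the Section 5.1
filename rule as I read it (lowercase tracking id, runs of characters outside
[+ - a-z 0-9] replaced by one underscore, '.json' appended) and a sha256sum-style
sidecar ("<hex>  <filename>"). SAMPLE_ADVISORY is a constructed sample.
"""
import hashlib
import hmac
import json
import re
from typing import Optional

# Constructed minimal CSAF 2.0 document; only the fields this example touches.
SAMPLE_ADVISORY = {
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "title": "Example advisory (constructed sample)",
        "publisher": {"category": "vendor", "name": "Example Corp",
                      "namespace": "https://example.com"},
        "tracking": {
            "id": "EXAMPLE-2025-0001",
            "status": "final",
            "version": "1",
            "initial_release_date": "2025-01-01T00:00:00Z",
            "current_release_date": "2025-01-01T00:00:00Z",
        },
    }
}


def expected_filename(tracking_id: str) -> str:
    """Section 5.1 as I read it: the filename is derived from /document/tracking/id."""
    return re.sub(r"[^+\-a-z0-9]+", "_", tracking_id.lower()) + ".json"


def advisory_bytes(doc: dict) -> bytes:
    """Serialize the constructed sample once; the hash covers these exact bytes."""
    return json.dumps(doc, indent=2).encode("utf-8")


def make_hash_sidecar(filename: str, data: bytes) -> str:
    """Content of '<filename>.sha256' (assumed sha256sum-style layout)."""
    return f"{hashlib.sha256(data).hexdigest()}  {filename}\n"


def verify_hash_sidecar(filename: str, data: bytes, sidecar: str) -> bool:
    """True only if the sidecar names this file and its digest matches the bytes.

    The digest is computed over the bytes as published, never over a re-serialized
    copy, because any re-formatting would silently change the hash.
    """
    parts = sidecar.strip().split()
    if len(parts) != 2:
        return False
    stated_hex, stated_name = parts
    if stated_name != filename:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(stated_hex.lower().encode(), actual.encode())


def check_document(filename: str, data: bytes, sidecar: Optional[str] = None) -> dict:
    """Aggregator pipeline: filename convention, then hash verification or generation.

    If the Issuing Party shipped no hash file, the Aggregator generates one
    (requirement 18). Signature handling (requirement 19, the '.asc' file)
    would follow here with an OpenPGP library and is not performed in this example.
    """
    doc = json.loads(data)
    tracking_id = doc["document"]["tracking"]["id"]
    result = {
        "filename_ok": filename == expected_filename(tracking_id),
        "hash_ok": False,
        "hash_source": "issuer",
        "generated_sidecar": None,
    }
    if sidecar is None:
        generated = make_hash_sidecar(filename, data)
        result["generated_sidecar"] = generated
        result["hash_source"] = "aggregator-generated"
        result["hash_ok"] = verify_hash_sidecar(filename, data, generated)
    else:
        result["hash_ok"] = verify_hash_sidecar(filename, data, sidecar)
    return result


if __name__ == "__main__":
    data = advisory_bytes(SAMPLE_ADVISORY)
    name = expected_filename(SAMPLE_ADVISORY["document"]["tracking"]["id"])
    print(name, check_document(name, data, make_hash_sidecar(name, data)))
```

A mirrored document that fails either check should be quarantined rather than served, since a consumer downstream will treat anything the Aggregator publishes as vetted.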

3. Summary

Understanding CSAF 2.0 stakeholders and roles is essential for ensuring proper implementation of CSAF 2.0 and for benefiting from automated collection and consumption of critical cybersecurity information. The CSAF 2.0 specification defines two main stakeholder groups: upstream producers, responsible for creating cybersecurity advisories, and downstream consumers, who apply this information to enhance security. Roles within CSAF 2.0 include Issuing Parties, such as Publishers, Providers and Trusted-Providers, who generate and distribute advisories, and Data Aggregators, like Listers and Aggregators, who collect and disseminate these advisories to end-users.

Members of each role must adhere to specific security controls that support the secure transmission of CSAF 2.0 documents, and the Traffic Light Protocol (TLP) governs how documents are authorized to be shared and the required access controls.