Tag Archive for: Greenbone Networks

Every year, IT and cyber security experts from public authorities, federal, state and local governments as well as the armed forces, police and intelligence services meet for the cyber security congress “Public IT Security” (PITS), initiated by Behoerdenspiegel. In 2023, the topic of vulnerabilities was once again at the top of the agenda.

This year, our CEO Dr. Jan-Oliver Wagner was invited as an expert to take part in the panel discussion “Putting a finger on a wound – managing or closing vulnerabilities?” Moderated by Katharina Sook Hee Koch from the Federal Office for Information Security (BSI), the panel included representatives from the German Informatics Society (Nikolas Becker, Head of Policy & Science), the Bundestag Committee on Digital Affairs (MdB Catarina dos Santos-Wintz, CDU/CSU), the BSI itself (Dr. Dirk Häger, Head of Department Operative Cyber Security) for an exchange of views. Dirk Kunze from the North Rhine-Westphalia State Criminal Police Office (Head of the Cybercrime/Cyber Investigations Department in the Research and Investigation Centre) was present on behalf of the executive.

from left: Catarina dos Santos-Wintz, Dirk Kunze, Katharina Sook Hee Koch, Dr. Dirk Häger, Dr. Jan Oliver Wagner, Nikolas Becker (Photo: Greenbone AG)

Should vulnerabilities be closed? By all means!

The debate quickly centered on the question of whether and how (quickly) vulnerabilities in software should be closed and/or whether this would impair the work of investigative authorities. There was great unanimity among those present that the security of citizens had the highest priority. Keeping vulnerabilities open, even for political reasons, is hardly an option, both for cost reasons (exploits are expensive) and in risk assessment.

On the contrary, open-source software should be strengthened and more rewards (bug bounties) should be offered to experts who actively search for vulnerabilities. The BSI is also firmly convinced: “Basically, vulnerabilities must be closed.” (Häger). In criminal practice, the topic apparently plays a subordinate role anyway: the police, according to the LKA in North Rhine-Westphalia, know of only a few cases where it could have helped to keep vulnerabilities open. However, open vulnerabilities are still seen as a possible element for investigations. But of course, the decision of the politicians will be followed.

Dr. Jan-Oliver Wagner: “Vulnerability management is becoming increasingly important!”

Greenbone CEO Wagner warns that the number of open vulnerabilities will increase rather than decrease in the coming years. This is despite the fact that good progress is being made with regard to security in software development. However, the regulations and thus the pressure on companies by the legislator are also becoming stricter – not necessarily a bad thing, but it does create a need for action: “The upcoming Common Security Advisory Framework (CSAF 2.0) and the EU’s Cyber Resilience Act (CRA), will significantly increase the number of known vulnerabilities.”

The CSAF makes it easier for manufacturers to report vulnerabilities, while the Cyber Resilience Act also brings responsibility to the hoover manufacturer, i.e. to all parts of the economy. If you don’t want to lose track of this, you need vulnerability management like Greenbone’s, explains Wagner. “Upcoming regulations bring the issue of vulnerabilities into all parts of the economy, as now every manufacturer is responsible for the security of the devices and their software, including, for example, manufacturers for hoover robots or other smart household appliances – For the entire life of the product!”

Vulnerability management is risk management

Vulnerability management today is pure risk management for the professional user, as it is already practiced in insurance companies – decisions are made about which vulnerabilities need to be closed and which can or must wait (triage).

This is exactly where our vulnerability management products come in – as a hardware or virtual appliance or in the Greenbone Cloud Service. Greenbone develops an open source vulnerability management and allows users to detect vulnerabilities in their own network infrastructure within a few steps. Our products generate reports with concrete instructions for action that you can implement immediately.

We work strictly according GDPR Compliance and offer an open source solution. This means best data protection compliance and is thus guaranteed free of backdoors.


The job to protect from cyberattacks by minimizing your attack surface demands three essential pillars:

Vulnerability Intelligence
Know everything about vulnerabilities and risks immediately.

Asset Intelligence
Scan all the TCP/IP protocols, dive deep into assets and use other sources of asset details.

Vulnerability Scanning
Create, deploy, and execute vulnerability tests fast and by priority.

Vulnerability Intelligence

Vulnerability Intelligence helps doing two jobs: First you must make a priority decision about what attack vectors you should address and which ones you accept. This decision is not easy and may have a far-reaching impact. Even worse, it has to be made under time pressure and with limited resources. In other words, this decision is (sometimes) a triage. The better the information about the vulnerability the better will be the decision. And the more evidence you get, the less personal educated guess you have to add. Once you decided which attack vectors to address, technical details about the vulnerability intelligence will help as a guide for an efficient remediation. Knowing how easy or complicated a remediation is supports you already during the priority decision.

Asset Intelligence

Asset Intelligence is about knowing as much as possible about the assets that you have to protect from cyber-attacks. It may sound strange but the first part of this is to know which assets you have. Networks can be pretty dynamic because your people are very dynamic about extending and connecting services and devices. Scanning for existence of and scanning into assets is equally important. Both builds your inventory which you will later compare with the incoming vulnerability intelligence on new attack vectors. There are expected details like product versions and there are unexpected details determined only when a security advisory is published. For the first case you build a database allowing quick offline scans upon new advisories. For the latter case you need the ability to use arbitrary TCP/IP protocols to collect the information that are required to determine the presence of a vulnerability. A special case are fictive assets represented by inventories or a Software Bill of Materials, representing for example devices that are subject to the EU Cyber Resilience Act.

Vulnerability Scanning

The art of Vulnerability Scanning begins with the creation of tests, usually derived from Vulnerability Intelligence, and verified thoroughly. The growing number of security advisories makes this also a business of priority decision about which advisories to address first. Learning about the asset inventories of our customer helps us to make this job even better for them. After rapid deployment of the tests the art of vulnerability scanning finishes with a fast, powerful, and easy to deploy set of scanners. In simple words those scanners compare the vulnerability intelligence with asset intelligence to list up the current attack surface. Scanning can be as simple a comparing a version number or as complex as a multi-stage exploit via TCP/IP. In the end of the day the result is a vulnerability status with high relevance and high quality of detection, and so will be your vulnerability remediation and vulnerability reporting.


 

The long-standing cooperation between Greenbone AG and the University of Osnabrück has once again resulted in a successful master’s thesis.

Under the title “Development of an Automated Network Perimeter Threat Prevention System (DETERRERS)”, Nikolas Wintering wrote his master’s thesis in the Mathematics, Physics, and Computer Science working group of the Department of Mathematics/Computer Science at the University of Osnabrück, developing a system for automated threat prevention at the network perimeter of a university campus network.

Particularly at risk: universities

Universities are vibrant centers of information exchange and collaboration; with their numerous hosts and a multitude of services, they offer a large attack surface for cyber threats. It is therefore enormously important for educational institutions to identify vulnerable points and automatically isolate them from the internet.

Automated vulnerability management

By automating the interactions between administrators, vulnerability scanners, and perimeter firewalls, administrators are thus supported in their work, and the university IT network is protected. Part of the system developed in the master’s thesis is also the automation of the risk assessment of the vulnerability scan results and the generation of host-based firewall configurations.

“Through the use of DETERRERS and the associated adaptation of the release processes, the security in the university network could be massively improved with very little additional effort for administrators. With the automated mitigation, it is also possible to react to new threats at short notice and thus quickly close a potential new attack surface without long manual runtimes.”
Eric Lanfer, M. Sc. (Osnabrück Computing Center, Networks Group)

Practical application and a free demonstrator

Based on a practical application in a campus network, Wintering evaluates how the risk assessment works, how the attack surface is reduced, and what effects the system has on the work of administrators. In the process, a demonstrator was also created, whose source code and functionality can be viewed and tested by interested parties on GitHub. In the long term, a continuation as an open-source project is planned.

“This is a very successful work with clear added value for practice. Making efficient security mechanisms usable in everyday life is often a big challenge, and this master’s thesis makes very convincing contributions to this.”
Prof. Dr. rer. nat. Nils Aschenbruck (University of Osnabrück, Institute of Computer Science, Distributed Systems Group)

Greenbone: experts for universities and more

Greenbone has been supplying numerous customers in the university environment with vulnerability management products for many years. Thanks to this extensive experience, we have always been able to identify and collect industry-specific requirements and incorporate them into the further development of our products.

The University of Osnabrück uses the Greenbone Enterprise Appliance 450, and we very much welcome the fact that this solution has now become part of a master’s thesis. We congratulate Nikolas Wintering on this successful scientific evaluation.


20 – 21 September 2023 | Berlin.

This year we are participating in Germany’s specialist congress for IT and cyber security for the state and administration.

Dr. Jan-Oliver Wagner, Greenbone, will speak together with

Dr. Dirk Häger, Head of Operational Cybersecurity Department, Federal Office for Information Security
Carsten Meywirth, Head of Cybercrime Department, Federal Criminal Police Office
Nikolas Becker, Head of Policy & Science, German Informatics Society and
Catarina dos Santos-Wintz, Member of the German Bundestag (CDU/CSU) and member of the Committee for Digital Affairs

on: 21.09.2023
at: 9:20 am

in the main program about the topic: Putting a finger in the wound – managing or closing vulnerabilities?

Visit us in our lounge at stand 43 and exchange views with our experts on vulnerability management and cyber security.

More: https://www.public-it-security.de/anmeldung/


A new wave of ransomware attacks has been threatening numerous servers in Europe. The attacks focus on the hypervisors in VMware’s virtualization server ESXi.
Patches are available, Greenbone’s products can protect and help to find the vulnerability.

The German BSI explicitly warns of the vulnerability and in its latest information on the security situation speaks of thousands of servers and a worldwide threat with a focus on Europe, the U.S. and Canada, using a vulnerability that the manufacturer already patched almost two years ago: (CVE-2021-21974).

Not only VMWare servers themselves at risk

According to IT security portal Hackernews, French provider OVHcloud has confirmed the open source implementation of the IETF Service Location Protocol (OpenSLP) as an entry point.

The threat to IT systems in this case is classified as business-critical – a successful attack with ransomware can therefore cause massive disruptions to regular operations. What is particularly serious about attacks of this type is that under certain circumstances not only institutions that use VMware ESXi themselves are affected, but also third parties – for example, via the server systems hosted in VMware virtualization.

France, Italy, Finland, Canada and the U.S.

Suspicions that European organizations and institutions were the main focus of attackers in the latest wave of attacks were also confirmed a few days later, when the Italian National Cybersecurity Agency ACN warned of the vulnerabilities and a “large-scale wave of attacks.” A Reuters report also speaks of attacks in Finland and the United States.

Users can protect themselves, however: The manufacturer VMware advises upgrading to the latest version of its software – and installing the patch. In general, systems like Greenbone Vulnerability Management help prevent such intrusions by finding the unpatched gaps and proactively warning administrators in reports.

Checking with the Greenbone Cloud

Installation of the VMware patch is free, as is an audit of their systems with the Greenbone Cloud Service Trial. In general, administrators should always ensure that all backups are secured against ransomware and examine log files for suspicious system access – the BSI lists six questions on the checklist in its warning that every administrator should ask themselves now.


Contact Free Trial Buy Here Back to Overview

Greenbone is stepping up its commitment to open source and the community edition of its vulnerability management software. In addition to the open source code on Github, Greenbone now also provides pre-configured and tested Docker containers.

Official containers from the manufacturer itself

The Greenbone Community Containers are regularly built automatically and are also available for ARM and Raspberry Pi.

Björn Ricks, Senior Software Developer at Greenbone, sees this as a “big improvement for admins who just want to give Greenbone a try. Our official containers replace the many different Docker images that exist on the web with an official, always up-to-date, always-maintained version of Greenbone.”

Official Docker Container for Greenbone Community Edition

Hi Björn, what is your role at Greenbone?

Björn Ricks: One of my current tasks is to provide community container builds at Greenbone. Taking care of the community has always been a big concern of mine and for a long time I wanted to make sure that we also provide “official” Docker images of Greenbone. I’m very pleased that this has now worked out.

What is the benefit of the images for the community?

Björn Ricks: We make it much easier for administrators and users who want to test Greenbone. The installation now works completely independent of the operating system used: just download and run the Docker compose file that describes the services, open the browser and scan the local network. I think that’s a much lower barrier to entry, ideal even for anyone who doesn’t yet know the details and capabilities of our products.

Why does Greenbone now provide containers itself? There were already some on the net, weren’t there?

Björn Ricks: Yes, that’s right, but we found out that some people were unsure about the content, legitimacy and maintenance of these images. That’s why we decided to offer Docker images signed by us with verified and secured content.
All the container images existing on the network have different version status and even more so different quality grade. It is often impossible to tell from the outside whether an image is “any good” or not. Of course, you also have to trust the external authors and maintainers that they know what they are doing and that their images do not contain any additional security vulnerabilities. Only we, as producers of our own software, can guarantee that the published container images have the current version status and the desired quality grade.

Does Greenbone also plan to provide Docker images for its commercial product line, Greenbone Enterprise Appliances?

Björn Ricks: That depends on requests from our commercial customers. The Greenbone Community Edition includes access to the community feed with around 100,000 vulnerability tests. Our commercial feed contains even more tests, including those for many proprietary products that our customers use.

We have found that our customers are happy with our appliances, our virtual appliances, and our cloud solution – all of which qualify for use of the commercial feed subscription. However, this could change, and if it does, we will consider offering Docker containers to commercial customers.

How often are the images updated and what feed is included?

Björn Ricks: The images are built and published directly from the source code repositories. So they are always up to date and contain all patches. At the moment only the community feed is available for the images, but this might change in the future.

Where can I get the images and the documentation?

Björn Ricks: The Docker compose file for orchestrating the services is linked in the documentation, The Dockerfiles for building the Docker images can also be found on Github in the corresponding repositories, and are quite easy to download, for example: here.


Contact Free Trial Buy Here Back to Overview

Greenbone, a world leader in open source vulnerability management software, has released its latest scanner, Notus.

“With Notus, a milestone for the performance of extensive comparisons of software versions has been created in recent years,” explains CIO Elmar Geese.

With Notus, Greenbone is also responding to customer requests for better performance in version checks. Whether a security vulnerability is dangerous for a company depends mainly on the installed software versions and their patch level. In very many cases, a vulnerability scanner must therefore match a large number of software versions and detect combinations of these. As the complexity of the setups increases, this test becomes more and more extensive. However, because the overall result of the scan also depends heavily on this data collection, Notus will enable such scans much faster than any of its predecessors.

Faster thanks to JSON

“The scanner rattles off the relevant servers and captures software running there. For the actual scan, it essentially only gets the info about affected and fixed packages,” explains Björn Ricks, Senior Software Developer at Greenbone. “With the previously used scanner and its predecessors, we usually had to start a separate process per version check, meaning a separate manually created script. Generating these scripts automatically is time-consuming.” Notus, on the other hand, only loads the data it needs from JSON files. Ricks sums it up, “Notus is significantly more efficient, requires fewer processes, less overhead, less memory, …”

CIO Geese then also declares the Notus scanner to be a “milestone for our users, it improves the performance significantly. Our well-known high detection quality as well as performance, central goals of our product strategy, will be optimally supported by the new scanner.”

Notus, Greenbone and OpenVAS

The Notus project consists of two parts: a Notus generator, which creates the JSON files containing information about vulnerable RPM/Debian packages, and the Notus scanner, which loads these JSON files and interprets the information from them.

OpenVAS, the Open Vulnerability Assessment System, was created in 2005, when the development team of the Nessus vulnerability scanner decided to stop working under open source licenses and move to a proprietary business model.

Since 2008, Greenbone has been providing professional vulnerability scanning support. For this purpose, Greenbone took over the further development of OpenVAS, added several software components and thus transformed OpenVAS into a comprehensive vulnerability management solution that still carries the values of free software. The first appliances came onto the market in spring 2010.

Contact Free Trial Buy Here Back to Overview

Both the cryptocurrency Bitcoin and the darknet have a dubious reputation. The media like to portray both as opaque, criminal parallel worlds. For Ransomware as a Service, Bitcoin and the darknet are welcome tools. Organized crime has been using them for a long time to disguise its business, even if it by no means makes the criminals anonymous and safe from prosecution.

Ransomware became the world’s biggest threat to IT systems in 2021. If you want to successfully protect yourself against it, you also need to understand how the parties involved proceed. Part one of this series of articles focused on the business model of Ransomware as a Service. Part two showed why this “professionalization” also leads to a changed mindset among attackers. Part three now explains why the IT tools that organized crime uses to order and transfer money are far from secure.

Ransomware as a Service: abstract image of Bitcoin logo

Anonymous and Secure?

Bitcoin as a means of payment and the darknet are proving to be practical, helpful and attractive for attackers. Under the cloak of supposed anonymity, they think they are protected from prosecution and shielded from consequences. But this is a common misconception: neither Bitcoin nor the darknet are anonymous in practice.

While cryptocurrency was never designed for anonymity, but explicitly for traceability of transactions even without a reliable central authority, the darknet turns out to be not even remotely as anonymous as its creators would have liked. This is also shown by reports such as the recent ones about KAX17’s “de-anonymization attacks” on the Tor network. Nearly always, classic investigative methods are enough for law enforcement to track down even ransomware actors like the REvil group. This group had collected half a million euros in ransoms in more than 5,000 infections, according to Heise [German only].

Never a Good Idea: Cooperating With Criminals

No matter whether online or offline, anyone who gets involved with blackmailers is abandoned. As in real life, good advice is never to pay a ransom. Regardless of how professional the hotline on the other end seems, trust is not appropriate. The operators of REvils Ransomware as a Service, for example, even stole the extorted ransoms from their clients via a backdoor in the malware.

It all started out so friendly and idealistic. Roger Dingledine and Nick Mathewson laid the foundations for the Tor network in the early 2000s. Based on the idea of onion rings, numerous cryptographically secured layers on top of each other were supposed to ensure reliable anonymity on the web – in their opinion, a fundamental right, analogous to the privacy definition of Eric Hughes “Cypherpunk’s Manifesto”. Then in 2009, Bitcoin saw the light of day, first described by the almost mystical figure of Satoshi Nakamoto.

Darknet and Bitcoin Are Not “Criminal”

Neither the darknet nor Bitcoin were designed to conceal or enable dark schemes. The goal was to create free, independent, supposedly uncontrollable and largely secure structures for information exchange and payment. Like a knife, however, the services can be instrumentalized for both good and evil – and, of course, organized crime knows how to use this to its advantage. The focus is not always on leaving no traces. Most often, the focus is on the simplicity and availability of the means. Bitcoin and the darknet are simply the tools of choice because they are there.

But as in the real world, the easiest way to catch the extortionists is during the money transfer: a blockchain like Bitcoin documents all transactions ever made, including the wallet information (i.e., the Bitcoin owner), and makes it available for viewing at any time. The same applies to the darknet: even if anonymity is technically possible, people regularly fail to meet the simplest requirements. GPS meta-data can be found in photos or UPS codes in the illegal store. The legendary drug store Silkroad was busted because employees made mistakes and confessed.

Digitized, Organized Crime

The darknet and cryptocurrencies are helpful tools for organized crime and thus fire accelerators for the rapidly growing number of serious ransomware attacks. But they are by no means essential, nor are they to blame. Such cyber crime is just the modern IT variant of what we can also experience on the streets of any major city. Ransomware is, so to speak, the modern protection racket, Bitcoin is the garbage can for the handover, and the darknet is the dark bar where deals are made.

The perfidy is not in the tools, but in the methods and the long experience in the “business”. Trend Micro, for example, describes the “double extortion ransomware” approach. Here, attackers first make an image of the data and threaten to publish it if payment is not made (i.e., if it is not decrypted). Organized crime has been in the extortion business not just since Bitcoin or the darknet came into existence. Even though the two technologies now enable cyber criminals to extort large sums of money undetected at first, conventional methods are almost always sufficient for detection. The most important prerequisite here is that enough law enforcement personnel are available, not primarily their technical equipment.

Take Precautions

But at this point, in the company, the horse has already bolted. If you are faced with encrypted data and a ransom demand, the darknet, Bitcoin and the detection rate are probably of secondary importance. Much more important is the question of how to get out of the unfortunate situation. And you can only do that if you were prepared. This includes backups, restore tests and the immediate disconnection of all affected machines (network split) – in other words, proactive risk management, disaster recovery tests and constant maintenance of your own systems. Another important component is multi-factor authentication, which prevents attackers from shimmying from one system to the next using acquired passwords alone.

The most important thing, however, is to avoid critical situations in the first place and to identify vulnerabilities in your own systems and close them quickly. Modern vulnerability management like Greenbone’s does just that: it gives you the ability to close gaps in your systems, making the corporate network unattractive, costly, and thus a deterrent to professional cyber criminals, not just from the Ransomware-as-a-Service world.

Greenbone’s products monitor the corporate network or external IT resources for potential vulnerabilities by continuously and fully automatically examining it and, as Greenbone Enterprise Appliances or the Greenbone Cloud Service (software as a service hosted in German data centers), guarantee security by always up-to-date scans and tests.

How this works is described by Elmar Geese, CIO/CMO at Greenbone, also here in the blog with a post around the Log4j vulnerability. In addition, Geese explains how quickly and securely the administration and management are also informed of the latest vulnerabilities and how exactly the scan for vulnerabilities such as Log4Shell is carried out.


Contact Free Trial Buy Here Back to Overview

We are proud to have received ISO certification of our management systems for the aspects of quality (ISO 9001) and information security (ISO 27001) at the end of 2021.

Logos of ISO certification of our management systems

Our success makes us grow, and our growth promotes structure and processes. That is why we actively accompany the creation of structures and processes even more than in the past. In doing so, we are guided by the following goals:

  • Create value for our clientele
  • Provide great products and services
  • Continuously increase the satisfaction of our employees
  • Promote and manage our growth

When we decided to certify information security and quality in our company according to ISO 27001 and ISO 9001 standards, we took the specifics of an agile company into account from the very beginning.

ISO-certified management systems and agile management seem to be a contradiction, but they are not. In this article, we will briefly explain how these two worlds complement each other perfectly and how we combine the respective advantages in one company.

Although agility is not a goal in itself, we were aware that we wanted to run an agile company in an agile way. We understand it like this:

  • We have a common goal.
  • Clarity and explicitness in communication are prerequisites for results-oriented action.
  • Hierarchies are tools, not status functions.
  • Processes are paths to the goal, not goals themselves.

We have recognized that ideally we can use a toolbox that is as universal as possible in the different areas of our organization, which on the one hand helps us to organize our processes in the best possible way, and on the other hand leaves enough room for the different needs of the different teams and areas.

The concepts from worlds as different as “ISO” and “Agile” have helped us and continue to help us. What they have in common is that the concepts require management systems that are more similar in their basic structure than one might think.

It is always about:

  • Focus on sufficiently clearly defined objectives
  • Reliable and appropriate guidelines
  • Comprehensibly defined and helpful processes
  • Measuring points to evaluate, adjust and change as necessary
  • Supportive team members and servant leaders who operate within this structure
  • A continuous improvement process

This is what we call a management system and its inherent agility is defined by the context and purpose when it is applied. It allows us to measure the results and the quality of the processes through a system of objectives and performance indicators.

We are proud and happy that we could now certify our management systems very successfully for the aspects “Quality” (ISO 9001) and “Information Security” (ISO 27001). It helps us and it also helps you as our clientele. It measurably documents two very important characteristics that you expect from us and our products and services and that you ultimately want to ensure by using our products in your own organization, namely:

  • Security, and
  • Quality of information technology systems.

It’s our mission at Greenbone to ensure this through one of the leading vulnerability management products. We do it every day, in over 100,000 organizations around the world.


Contact Free Trial Buy Here Back to Overview

Greenbone’s vulnerability management finds applications with Log4j vulnerabilities in systems that definitely need to be patched or otherwise protected. Depending on the type of systems and vulnerability, these can be found better or worse. Detection is also constantly improving and being updated. New breaches are found. Therefore, there may always be more systems with Log4Shell vulnerabilities in the network. For this reason, it is worthwhile to regularly update and scan all systems. The Greenbone vulnerability management offers appropriate automation functions for this purpose. But how are vulnerabilities found, and where can they be hidden? Why are vulnerabilities not always directly detectable? The following article will give you a brief insight into how scanning for vulnerabilities like Log4Shell works.

A vulnerability scanner makes specific queries to systems and services and can read from the responses what kind of systems and services they are, but also what products are behind them. This also includes information such as their versions or even settings and other properties. In many cases, this makes it possible to determine whether a vulnerability exists and whether it has already been eliminated. In practice, these are sometimes highly complicated and nested queries, but above all they are also very, very many. Entire networks are scanned for thousands of different vulnerabilities.

The Log4j vulnerability “Log4Shell” (CVE-2021-44228) is a flawed program library used in many web services products. Therefore, partly it is directly visible through a vulnerability scan, but partly it is hidden behind other elements. That is why there is not only one vulnerability test for Log4j, but several. More are added all the time because the manufacturers of the respective products share relevant information and also provide updates to close the gaps. The list of systems affected by Log4Shell is constantly updated at https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592.

Some of the vulnerability tests require an authenticated scan. This means that the scanner must first log into a system and then detect the vulnerability in the system. An authenticated scan can provide more details about vulnerabilities on the scanned system.

The vulnerability tests that are suitable to find the Log4j vulnerability are provided collectively in a scan configuration. Greenbone keeps this “Log4j” scan configuration continuously up-to-date in order to keep adding new tests. As a result, a scan may report a Log4j vulnerability tomorrow that was not found today. It is therefore advisable to configure the Log4j scan to run automatically on a regular basis. This is especially important in the next weeks, when many software vendors are gathering more findings. Greenbone continuously integrates these findings into the tests and the scan configuration.

scanning for vulnerabilities like Log4Shell
Does a Vulnerability Have to Be Exploited to Find It?

Exploiting a vulnerability to find it is not advisable. And fortunately, it is not necessary either. Doing so could cause the very damage that should be avoided at all costs. Moreover, a product vendor that provides vulnerability exploitation as a feature would potentially strongly encourage misuse of that feature, which raises further – not only legal – issues. Therefore, Greenbone’s vulnerability management does not include such features.

Exploitation of the Log4j vulnerability as attackers would do is also not required to prove the existence of the vulnerability. Greenbone has developed several tests to prove Log4Shell, each of which looks at systems in different depths. Several tests can detect the Log4j vulnerability with 100 % certainty, most with 80 % to 97 % certainty. Some tests also collect indicators of 30 % where they do not get close enough to the vulnerability. Each test at Greenbone makes a statement about detection certainty, which is stated as “Quality of Detection.”

What Is the Role of Software Product Vendors?

Manufacturers of a wide variety of products can use Log4j libraries, which are now vulnerable with it. Product manufacturers have included Log4j in different ways. Usually, a deep scan can find Log4j without the vendor’s help. However, most manufacturers also support the process through public vulnerability reports. These can then be used to write vulnerability tests that can provide a reliable vulnerability statement even with less deep scans. The reason for this is that the scans can use simpler configurations through vendor information. In addition, they also run faster.

In principle, however, a vulnerability scanner can also check and find vulnerabilities without the manufacturer publishing a vulnerability report.

Conclusion

Vulnerability management is an indispensable part of IT security. It can find risks and provides valuable information on how to fix them. However, no single measure provides 100 % security, not even vulnerability management. To make a system secure, many elements are used, which in their entirety should provide the best possible security.

This is comparable to a vehicle, where the passenger compartment, seat belts, airbags, brake support, assistance systems and much more increase safety, but can never guarantee it. Vulnerability management makes risks controllable.


Contact Free Trial Buy Here Back to Overview