Tag Archive for: Schwachstelle

Joseph Lee

CVE-2025-34028: Commvault Command Center Actively Exploited for RCE

CVE-2025-34028 (CVSS 10) is a maximum severity flaw in Commvault Command Center, a popular admin console for managing IT security services such as data protection and backups across enterprise environments. As of April 28th, CVE-2025-34028 has been flagged as actively exploited. CVE-2025-34028 also presents heightened risk due to the existence of publicly available proof-of-concept (PoC) exploit code and the fact that Command Center manages the backups and other security configurations for many prominent organizations.

The flaw allows unauthenticated attackers to perform Remote Code Execution (RCE) and to take complete control of a Command Center environment. Given the sensitivity and criticality of IT tasks managed by Commvault, forfeiting complete control has a high potential for disastrous impacts. For example, if backups are disabled, an organization could lose their ability to recover from a ransomware attack. This makes CVE-2025-34028 an attractive target for ransomware operators and financially motivated attackers.

The vulnerability, discovered by Sonny Macdonald of watchTowr Labs, exploits a server-side request forgery (SSRF) [CWE-918] weakness in Command Center’s deployWebpackage.do endpoint. In a successful attack, an adversary uploads a poisoned ZIP archive to a publicly accessible path. The malicious ZIP file is automatically extracted allowing attackers to trigger execution via HTTP GET request to the extracted payload.

CVE-2025-34028 affects versions 11.38.0 to 11.38.19 on both Linux and Windows platforms. Greenbone is able to detect CVE-2025-34028 with an active check that sends a crafted HTTP POST request and checks if the target connects back to the scanner host indicating that it is vulnerable to exploitation. Users of affected versions are urged to apply patches immediately. Let’s further examine the risk posed by CVE-2025-34028.

What is Commvault Command Center?

Commvault Command Center is a web-based interface written in Java that enables organizations to manage data protection, backup, and recovery operations across enterprise environments. Commvault markets itself as a single platform with modular components such as Commvault Complete Backup & Recovery, Commvault HyperScale X and Commvault Disaster Recovery. Most of Commvault’s products rely on the Command Center as their primary management interface. As such, Command Center is used to configure backup jobs, monitor systems, restore data and administer user roles and access.

As of 2025, Commvault maintains roughly 6.2% of the Backup And Recovery market share category, serving over 10,000 organizations globally, across various industries such as banking, healthcare, government and technology. Most of its customers are large enterprises, with 42% having more than 1,000 employees. With Commvault’s adoption among critical sectors including healthcare, government and Fortune 500 companies, the potential impact of this vulnerability is widespread and significant.

A Technical Description of CVE-2025-34028

The discovery and disclosure of CVE-2025-34028 was accompanied by a full technical description and PoC code. Here is a brief summary of the root cause and attack vector for CVE-2025-34028:

The root cause of CVE-2025-34028 is classified as Server-Side Request Forgery (SSRF) [CWE-918]. SSRF vulnerabilities arise when an application is tricked into accessing a remote resource without properly validating it. By exploiting SSRF flaws, an attacker can potentially bypass access controls [CWE-284] such as firewalls that prevent the attackers from accessing the URLs directly. You can think of it as “bouncing” a request off the target in order to bypass security measures. In the case of CVE-2025-34028, the SSRF flaw allows an Unrestricted Upload of File with Dangerous Type [CWE-434].

Here is how the exploit process for CVE-2025-34028 works:

Mixed among the Command Center application endpoints, the researcher found 58 that do not require any form of authentication. Inspecting these unrestricted APIs, researchers discovered the deployWebpackage.do endpoint included a parameter named commcellName, which was used to define the hostname of a URL and which was not filtered for scope. Another parameter, servicePack, defines the local path where the HTTP response to that URL should be stored.

Using a simple directory traversal technique, i.e. prepending the servicePack parameter with “../../” the researcher was able to achieve arbitrary file upload to a custom destination. The Command Center application used a hardcoded filename dist-cc.zip, indicating that the program was expecting a ZIP archive.

When supplying a ZIP archived Java executable (.jsp file), and specifying an unauthenticated route via the servicePack param, a malicious .jsp payload was uploaded, automatically extracted, where it could be accessed directly via an HTTP GET request. This results in execution of the .jsp file by Command Center’s Apache Tomcat web server and unauthenticated, arbitrary RCE on behalf of the attacker.

Mitigating CVE-2025-34028

CVE-2025-34028 affects Commvault Command Center versions 11.38.0 through 11.38.19 on both Linux and Windows platforms and has been resolved in versions 11.38.20 and 11.38.25, with patches released on April 10, 2025. For those unable to update immediately, Commvault recommends isolating the Command Center installation from external network access as a temporary mitigation.

Commvault’s Innovation releases, which are frequent, feature-rich update tracks, are typically updated automatically by the system on a predefined schedule without requiring user action. This is in contrast to Long Term Support (LTS) versions which require manual updates.

Summary

CVE-2025-34028 is a critical severity unauthenticated RCE flaw in Commvault Command Center that doesn’t require user interaction. The vulnerability has been flagged as actively exploited by CISA as of April 2025. CVE-2025-34028 affects Command Center versions 11.38.0–11.38.19 and enables attackers to take full control of backup systems. Commvault is relied upon by many large companies globally for key backup and restoration capabilities making CVE-2025-34028 a hot target for ransomware threat actors. Greenbone is able to detect affected Command Center instances with an active test that uses an HTTP POST request to verify vulnerability.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

AMI BMC Flaw: Remote Takeover and DoS of Server Infrastructure

A new critical vulnerability of the highest possible severity score – CVE-2024-54085, CVSS 10 – has just been disclosed. It is found in the widely used American Megatrends’ (AMI) MegaRAC BMC (Baseboard Management Controller) software allowing authentication bypass and exploitation. Due to AMI’s dominant role in the motherboard supply chain, dozens of major hardware vendors are likely impacted. The vulnerability has a full technical explanation and proof-of-concept (PoC) further increasing the risk.

The PoC can effectively create a service account for the Redfish management console, and thus allows unauthenticated access to all remote BMC features. The exploit was verified against HPE Cray XD670, Asus RS720A-E11-RS24U, and ASRockRack. Other analysts have noted that although this CVE was released in 2025 its ID (CVE-2024-54085) was likely reserved in 2024.

CVE-2024-54085 allows an attacker to:

  • Exploit and remotely control a server
  • Install malware on the server including ransomware
  • Modify firmware for tampering
  • Potentially brick motherboard components (BMC or potentially BIOS/UEFI)
  • Cause physical damage via over-voltage
  • Induce indefinite reboot loops causing DoS conditions

Greenbone is able to detect affected servers with a remote vulnerability test that actively probes for a vulnerable BMC.

Potential Scope of the Impact

The particular interface for the MegaRAC BMC (Baseboard Management Controller), called Redfish, is just one of several BMCs that support remote server management. The Redfish standard has seen significant adoption in the enterprise server market as a modern replacement for legacy management interfaces like IPMI. This scope of the impact will include all products including OT, IoT or IT devices using AMI’s MegaRAC. When similar flaws were previously discovered in MegaRAC, the scope included products from Asus, Dell, Gigabyte, Hewlett Packard Enterprise, Lanner, Lenovo, NVIDIA and Tyan. AMI released patches on March 11, 2025, with HPE and Lenovo already issuing updates for affected.

A Technical Description of CVE-2024-54085

CVE-2024-54085 is a flaw in AMI’s SPx (Service Processor) firmware stack. More specifically SPx is part of AMI’s MegaRAC BMC solution. BMCs are microcontrollers embedded on a server’s motherboard that enable remote management and monitoring of the server, even when the system is powered off or unresponsive.

CVE-2024-54085 is classified as a “Authentication Bypass by Spoofing” [CWE-290] flaw. Using a client’s IP address for authentication is a typical scenario when CWE-290 occurs, since the source IP address can often be spoofed by the sender. Although AMI’s advisory is thin on details, Eclypsium researchers, attributed with the discovery, have provided a detailed article explaining the root cause. CVE-2024-54085 in fact does stem from using an IP address as a means for authentication. Redfish’s Lua-based access control logic uses HTTP headers, either the X-Server-Addr header or Host specification to determine whether an HTTP request is internal or external; automatically trusting internal requests as authenticated.

In BMC systems like MegaRAC, the “host interface” refers to a logical and physical connection between the BMC and the main server system (the host). For simplicity, this could be compared to the loopback interface (often named lo) with the IP address 127.0.0.1 and hostname localhost. In this case, the interface that communicates between the BMC chip and the host is assigned an address from the link-local IP range (169.254.0.0 to 169.254.255.255). Furthermore, this IP address is included in a list of trusted addresses during MegaRAC’s HTTP authentication process and successfully spoofing it results in authentication bypass. By reverse engineering the MegaRAC firmware, researchers discovered the link-local address 169.254.0.17 being used across several BMC chips.

The flaw also depends on the implementation of a regular expression that extracts all text from the X-Server-Addr header before the first colon character, and verifies if this text matches the trusted IPs stored in a Redis database. The BMC chips use Lighttpd as an embedded web server which was found to automatically add its own X-Server-Addr value. If a request already includes this header supplied by the client, Lighttpd appends its value after the user supplied one, allowing the attacker to provide a specially crafted header and control the value extracted by the regex. By supplying an X-Server-Addr value that matches the Host system’s link-local address, followed by a colon, (such as 169.254.0.17:) an attacker can trick the BMC into treating the request as though it comes from the internal host interface, bypassing authentication entirely.

Once authentication is bypassed, the rest of the HTTP request is processed, allowing the attacker to execute arbitrary API actions such as creating privileged accounts to gain full remote control over the server’s BMC and access its admin web-interface.

Steps for Mitigating CVE-2024-54085

Organizations must track their hardware vendor’s advisories closely and download the correct firmware updates when they become available. As a temporary safeguard, organizations can inspect their device manuals to determine if Redfish can be disabled if it’s not in use. Since BMCs can remain active even when the main server is powered down, affected systems must be treated as persistently exposed until the firmware is patched, unless Redfish is disabled, or the system is also air-gapped (disconnected from the network). Security teams may also develop new firewall rules or IPS rules to block attempts to exploit this flaw and protect vulnerable BMC management interfaces.

Because the flaw lies in an embedded proprietary firmware, patching is more complex than simply applying a routine operating system or application update. Unlike conventional software, BMC firmware resides on the motherboard’s dedicated chip. Therefore, BMC updates typically require a specialized software utility provided by the device vendor to “flash” the updated firmware. This process also results in downtime since administrators may need to boot into a special environment and reboot the system after the firmware update has been completed.

Summary

CVE-2024-54085 poses an extreme risk to enterprise infrastructure, allowing unauthenticated remote control of servers from major vendors like HPE and Lenovo. Given AMI’s dominant presence in data centers, exploitation could lead to mass outages, bricked hardware, or persistent downtime – making urgent detection and firmware patching essential for all affected systems.

Greenbone is able to detect affected servers with a remote vulnerability test that actively probes for an exploitable BMC interface.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

Apache Camel Case-Sensitive Flaw May Forfeit Remote Command Execution

Two new CVEs in Apache Camel have been disclosed warranting immediate attention from users. On March 9, 2025, Apache disclosed CVE-2025-27636 (CVSS 5.6), a Remote Code Execution (RCE) flaw. Two days later, on March 11th, Akamai’s Security Intelligence Group (SIG) reported a bypass technique for the original patch, resulting in CVE-2025-29891 (CVSS 4.2) being published on March 12th.

Green graphic with stylised camel in a desert landscape. To the right is a button with the inscription ‘RCE in Apache Camel’.

Although the two vulnerabilities have only been assigned moderate CVSS severity scores by CISA-ADP (CISA’s Authorized Data Publisher), they could be severe impact vulnerabilities depending on the targeted Camel instance’s configuration. Both CVEs have the same root cause: improper filtering of HTTP headers or HTTP parameters when communicating to an Apache Camel instance. As the article’s title suggests, parameters were filtered using case-sensitive methods, while the arguments themselves were being applied in a non-case-sensitive manner.

Furthermore, publicly available proof-of-concept (PoC) code and a relatively complete technical description adds to the risk. Greenbone can detect both CVE-2025-27636 and CVE-2025-29891 with vulnerability tests that actively check for exploitable HTTP endpoints. Let’s review the details.

What Is Apache Camel?

Apache Camel is a popular open-source Java library for integrating different components of a distributed enterprise system architecture such as APIs or microservices. In a nutshell, Camel is a versatile platform for routing and mediation based on the Enterprise Integration Patterns (EIPs) concept of enterprise system architecture design. Apache Camel is heavily based on EIPs and provides an implementation of these patterns via its domain-specific languages (DSL) that include Java, XML, Groovy, YAML and others.

As of 2021, Apache Camel held approximately 3.03% of the Enterprise Application Integration market. The software is used by over 5,600 companies, roughly half being US-based. Camel’s market share is predominantly in the Information Technology and Services industry (33%), Computer Software industry (12%) and Financial Services industry (6%).

Two New CVEs in Apache Camel May Allow RCE

When any of Camel’s HTTP-based components handle requests, a default filter is supposed to prevent exposure of sensitive data or execution of internal commands. However, due to a flawed case-sensitive filtering rule, only exactly matched headers were filtered. However, downstream in the program logic, these headers were being applied in a non-case-sensitive manner, allowing filter bypass. Changing the case of the first character of the header name, an attacker could bypass the filter to inject arbitrary headers.

The good news is that either the camel-bean or camel-exec component must be enabled in combination with an http-based component such as such as camel-http, camel-http4, camel-rest, camel-servlet or others. Also, exploitation is limited to internal methods within the scope declared in the HTTP request URI. One final saving grace is that this flaw has not been implicated as an unauthenticated vulnerability. Therefore, unless the system designers have implemented any authentication and authorization for a Camel HTTP API, it is not exploitable.

At the high-end of the risk spectrum, if the Camel Exec component is enabled and targeted, an attacker can achieve arbitrary RCE as the user controlling the Camel process. RCE is achieved by sending the CamelExecCommandExecutable header to specify an arbitrary shell command, overriding the commands configured on the back-end. If exploitable Camel HTTP APIs are Internet accessible, the risk is especially high, however, this flaw could also be used for lateral movement within a network by an insider, or by attackers who have gained initial access to an organization’s internal network.

A technical description of the exploit chain and proof-of-concept (PoC) has been provided by Akamai.

What Is the Appropriate CVSS Score?

Although CVE-2025-27636 (CVSS 5.6) and CVE-2025-29891 (CVSS 4.2) have been assigned moderate severity scores, they could have a critical impact if either the camel-bean or camel-exec components are enabled in combination with http-based components. The situation highlights some limitations of the scoring by CVSS (Common Vulnerability Scoring System).

Akamai researchers report that the flaw is trivial to exploit and have published proof-of-concept (PoC) code, increasing the risk. This implies that the CVSS Attack Complexity (AC) metric should be set to Low (L). However, CISA-ADP has assessed attack complexity as high (AC:H) given these facts. Red Hat has accounted for these factors and increased the CVSS for CVE-2025-27636 to 6.3.

Also, the CISA-ADP assessed no impact to confidentiality for CVE-2025-29891, despite the potential for arbitrary RCE. However, if an Apache Camel instance has a vulnerable configuration, a high impact assessment for Confidentiality (C), Integrity (I) and Availability (A), is justified further increasing the criticality to CVSS 9.8.

On the other hand, the CISA-ADP assigned a Privileges Required (PR) value of None (N). However, although Akamai’s PoC does not use an HTTPS connection or authentication, it would be extremely negligent to operate an unencrypted and unauthenticated API. Apache Camel supports Java Secure Socket Extension (JSSE) API for Transport Layer Security (TLS) or using a KeyCloak Single Sign-On (SSO) authorization server. Camel instances with some form of client authentication enabled would be protected against exploitation. For most cases, the PR value should be adjusted to Low (L) or High (H) resulting in a diminished CVSS of 7.3 or 8.8.

Furthermore, the CVEs were assigned a Scope value Unchanged (UC). According to the CVSS v3.1 specification: “The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope.” Execution of arbitrary shell commands on the compromised system is typically assigned the value of Changed (C). If the Camel process is owned by the Linux/Unix root or a Windows administrator user, an attacker would have virtually unlimited control of a compromised system. Accounting for the variety of possible CVSS assessments, CVE-2025-27636 and CVE-2025-29891 should be considered critical severity vulnerabilities if an instance meets the configuration requirements and does not apply authentication.

Mitigating the CVEs in Apache Camel

CVE-2025-27636 and CVE-2025-29891 affect Apache Camel version 4.10 before 4.10.2, version 4.8 before 4.8.5 and version 3 before 3.22.4. Users should upgrade to 4.10.2, 4.8.5 or 3.22.4 or implement custom header filtering using removeHeader or removeHeaders in Camel routes. It should be noted that Camel versions 4.10.0, 4.10.1, 4.8.0 to 4.8.4, and 3.10.0 to 3.22.3 are still vulnerable although they were considered security updates that addressed the flaw.

Also, it is strongly recommended that all HTTP endpoints in a distributed architecture employ strong authentication. For Apache Camel, options include: using Java Secure Socket Extension (JSSE) API for TLS with Camel components or using a KeyCloak OAuth 2.0 SSO authorization server. For legacy systems, a minimum of HTTP Basic Authentication should be configured.

Summary

Apache Camel users should immediately upgrade to versions 4.10.2, 4.8.5 or 3.22.4 to mitigate the newly published CVEs affecting Apache Camel. Alternatively, implement custom header filtering using removeHeader or removeHeaders in Camel routes. Strong authentication on all HTTP endpoints is also highly recommended for security best-practices. Apache Camel supports the JSSE API for TLS or KeyCloak SSO solutions. Greenbone is able to detect both CVE-2025-27636 and CVE-2025-29891 with vulnerability tests that actively check for exploitable HTTP endpoints.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

Greenbone Detects CVE-2025-0994: Actively Exploited Flaw in Trimble Cityworks

Trimble Cityworks, an enterprise asset management (EAM) and public works management software is actively under attack. The campaign began as an unknown (zero-day) vulnerability, but is now tracked as ​​CVE-2025-0994 with a CVSS of 8.6. The vulnerability is a deserialization flaw [CWE-502] that could allow an authenticated attacker to execute arbitrary code remotely (Remote Code Execution; RCE). Greenbone includes detection for CVE-2025-0994 in the Enterprise Feed.

Active exploitation of CVE-2025-0994 is a real and present danger. Trimble has released a statement acknowledging the attacks against their product. Thanks to the vendor’s transparency, CISA (Cybersecurity and Infrastructure Security Agency) has added CVE-2025-0994 to their catalog of Known Exploited Vulnerabilities (KEV), published an ICS advisory as well as a CSAF 2.0 document. CSAF 2.0 advisories are machine readable advisory documents for decentralized sharing of cybersecurity intelligence.

Although many media reports and some threat platforms indicate that a public proof-of-concept (PoC) exists, the only search result for GitHub is simply a version detection test. This means it is less likely that low-skilled hackers will easily participate in attacks. The misinformation is likely due to poorly designed algorithms combined with lack of human oversight before publishing threat intelligence.

Who Is at Risk due to CVE-2025-0994?

Trimble Cityworks is designed for and used primarily by local governments and critical infrastructure providers including water and wastewater systems, energy, transportation systems, government industrial facilities and communications agencies. Cityworks enhances Geographic Information Systems (GIS) by integrating asset management and public works solutions directly with Esri ArcGIS. The software is meant to help organizations manage infrastructure, schedule maintenance and improve operational efficiency. In addition to CISA, several other government agencies have issued alerts regarding this vulnerability including the US Environment Protection Agency (EPA), the Canadian Centre for Cyber Security and New York State.

Trimble Cityworks has reported serving over 700 customers across North America, Europe, Australia and the Middle East in 2019. While specific numbers for municipal governments in the U.S., Canada and the EU are not publicly disclosed, a Shodan search and Censys map both reveal only about 100 publicly exposed instances of Cityworks. However, the application is considered to have a high adoption rate by local governments and utilities. If publicly exposed, CVE-2025-0994 could offer an attacker initial access [T1190]. For attackers who already have a foothold, the flaw is an opportunity for lateral movement [TA0008] and presents an easy mark for insider attacks.

A Technical Description of CVE-2025-0994

CVE-2025-0994 is a deserialization vulnerability [CWE-502] found in versions of Trimble Cityworks prior to 15.8.9 and Cityworks with Office Companion versions prior to 23.10. The vulnerability arises from the improper deserialization of untrusted serialized data, allowing an authenticated attacker to execute arbitrary code remotely on a target’s Microsoft Internet Information Services (IIS) web server.

Serialization is a process whereby the software code or objects are encoded to be transferred between applications and then reconstructed into the original format used by a programming language. When Trimble Cityworks processes serialized objects, it does not properly validate or sanitize untrusted input. This flaw allows an attacker with authenticated access to send specially crafted serialized objects, which can trigger arbitrary code execution on the underlying IIS server. Deserializing data from unauthenticated sources seems like a significant design flaw in itself, but failing to properly sanitize serialized data is especially poor security.

Exploitation CVE-2025-0994 could lead to:

  • Unauthorized access to sensitive data
  • Service disruption of critical infrastructure systems
  • Potential full system compromise of the affected IIS web server

Mitigating CVE-2025-0994 in Trimble Cityworks

Trimble has released patched versions of Cityworks that address the deserialization vulnerability. These patches include Cityworks 15.8.9 and Cityworks 23.10. On-premise users must immediately upgrade to the patched version, while Cityworks Online (CWOL) customers will receive these updates automatically.

Trimble noted that some on-premise deployments are running IIS with overprivileged identity permissions, which increases the attack surface. IIS should not have local or domain-level administrative privileges. Follow Trimble’s guidance in the latest Cityworks release notes to adjust IIS identity configurations properly.

Users of on-premises Trimble Cityworks should:

  • Update Cityworks 15.x versions to 15.8.9 and 23.x versions to 23.10.
  • Audit IIS identity permissions to ensure that they align with the principle of least privilege.
  • Limit attachment directory root configuration to only folders which only contain attachments.
  • Use a firewall to restrict IIS server access to trusted internal systems only.
  • Use a VPN to allow remote access to Cityworks rather than publicly exposing the service.

Summary

CVE-2025-0994 represents a serious security risk to Trimble Cityworks users, which largely comprise government and critical infrastructure environments. With active exploitation already observed, organizations must prioritize immediate patching and implement security hardening measures to mitigate the risk. Greenbone has added detection for CVE-2025-0994 to the Enterprise Feed, allowing customers to gain visibility into their exposure.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Vulnerability management in 12 minutes

Why is Greenbone not a security provider like any other? How did Greenbone come about and what impact does Greenbone’s long history have on the quality of its vulnerability scanners and the security of its customers? The new video “Demystify Greenbone” provides answers to these questions in an twelve-minute overview. It shows why experts need […]

Read more
/by
Markus Feilner

Protection of Office Suites: Greenbone Integrates Additional BSI Basic and CIS Guidelines

The IT-Grundschutz-Compendium of the Federal Office for Information Security (BSI) has, in recent years, provided clear guidelines for users of Microsoft Office. Since April 2024, Greenbone’s enterprise products have integrated tests to verify whether a company is implementing these instructions. The BSI guidelines are aligned with the Center for Internet Security (CIS) guidelines.

In the section “APP:Applications 1.1. Office Products” the BSI specifies the “requirements for the functionality of Office product components.” The goal is to protect the data processed and used by the Office software. While Microsoft Office is likely the primary reference due to its widespread market penetration, the model behind the BSI guidelines aims to apply to any office product “that is locally installed and used to view, edit, or create documents, excluding email applications.”

BSI Guidelines

The module explicitly builds on the requirements of the “APP.6 General Software” component and refers to the modules “APP.5.3 General Email Client,” “APP.4.3 Relational Databases,” and “OPS.2.2 Cloud Usage,” although it expressly does not consider these.

The BSI identifies three main threats to Office suites:

  • Lack of customization of Office products to the institution’s needs
  • Malicious content in Office documents
  • Loss of integrity of Office documents

The components listed in the BSI IT-Grundschutz-Compendium include 16 points, some of which have since been removed. Greenbone has developed several hundred tests, primarily addressing five of the basic requirements, including “Secure opening of documents from external sources” (APP.1.1. A3) and “Use of encryption and digital signatures” listed in APP.1.1. A15. The BSI specifies:

“All documents obtained from external sources MUST be checked for malware before being opened. All file formats deemed problematic and all unnecessary within the institution MUST be banned. If possible, they SHOULD be blocked. Technical measures SHOULD enforce that documents from external sources are checked.”

Regarding encryption, it states: “Data with increased protection requirements SHOULD only be stored or transmitted in encrypted form. Before using an encryption method integrated into an Office product, it SHOULD be checked whether it offers sufficient protection. Additionally, a method SHOULD be used that allows macros and documents to be digitally signed.”

CIS Guidelines Enhance Basic Protection

In addition to the requirements listed in the BSI Basic Protection Manual, the CIS Benchmark from the Center for Internet Security (CIS) for Microsoft Office includes further and more specific suggestions for securing Microsoft products. The CIS guidelines are developed by a community of security experts and represent a consensus-based best practice collection for Microsoft Office.

As one of the first and only vulnerability management providers, Greenbone now offers tests on security-relevant features mentioned in the CIS guidelines, uniting CIS and BSI instructions in numerous, sometimes in-depth tests, such as on ActiveX Control Initialization in Microsoft Office. The Greenbone Vulnerability Management tests whether this switch is set to “enabled”, but also many other settings, for example, whether “Always prevent untrusted Microsoft Query files from opening” is set to “Enabled” among many others.

Many tests focus on external content, integrating macros, and whether and how these external contents are signed, verifiable, and thus trustworthy or not, and whether administrators have done their homework in configuring Microsoft Office. According to the BSI, one of the most significant threats (and the first mentioned) is the lack of adaptation of Office products to the reality and the business processes in the company. Greenbone’s new tests ensure efficient compliance with regulations, making it harder for attackers and malware to establish a foothold and cause damage in the company.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

PITS 2024 Public IT Security

Save the date: The “German Congress for IT and Cyber Security in Government and Administration” (June 12 to 13, 2024) provides information on current trends, strategies and solutions in IT security.

In the main program: “IT support for early crisis detection” (Moderation: Dr. Eva-Charlotte Proll, Editor-in-Chief and Publisher, Behörden Spiegel).

Participants:

  • Dr. Jan-Oliver Wagner, Chief Executive Officer Greenbone
  • Carsten Meywirth, Head of the Cybercrime Division, Federal Criminal Police Office
  • Generalmajor Dr. Michael Färber, Head of Planning and Digitization, Cyber & Information Space Command
  • Katrin Giebel, Branch Manager, VITAKO Bundesverband kommunaler IT-Dienstleister e.V.
  • Dr. Dirk Häger, Head of the Operational Cybersecurity Department, Federal Office for Information Security (BSI)

Where? Berlin, Hotel Adlon Kempinski, Unter den Linden 77
When? 13.06.2024; 9:40 a.m.

Vulnerabilities in IT systems are increasingly being exploited by malicious attackers. You can protect your IT systems with vulnerability management. Visit us in our lounge at stand 44 – we look forward to seeing you!

Registration: https://www.public-it-security.de/anmeldung/

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

The new SMP federal portal in partnership with the Federal Office for Information Security (BSI)

We at Greenbone are excited to introduce the innovative Greenbone SMP-Bund-Portal in collaboration with the Federal Office for Information Security (BSI). As a leading provider of IT security solutions, we are proud to offer this platform specifically tailored to the needs of federal agencies.

A Portal Setting Standards

The Greenbone SMP-Bund-Portal is the central point of contact for IT security and vulnerability management. It has been developed to provide agencies with concrete support in addressing current IT security challenges.

Many Advantages for Federal Agencies

  1. Easy-to-Understand Insights: The portal offers clear and user-friendly information about vulnerability management. It is ideal for both beginners and experts in IT security.
  2. Exclusive Framework Contract Conditions: Federal agencies enjoy special offers and benefits. The obligation to issue public tenders is eliminated, saving time and resources.
  3. Personal Support: Our competent support team is always at our customers’ side to answer questions and ensure support.
  4. Direct Access to the Agency Sales Team: Expert advice from our team, which is well-versed in the specific requirements of federal agencies. We look forward to furthering our trusted collaboration with the BSI and are available for any questions.
  5. Opportunity for Exchange: Use the shared forum to share your experiences and questions.

https://smp-bund.greenbone.net/

Contact Free Trial Buy Here Back to Overview

/by
Greenbone AG

The Confluence of Open Source and Cybersecurity in companies: Insights from Greenbone at #OSXP2023 in Paris

International panel discussion on effective cybersecurity at #OSXP2023

At the esteemed #OSXP2023 event, that took place in Paris, our participation in the “Cybersécurité et open source” roundtable brought forward critical discussions on improving cybersecurity in companies. The panel, including distinguished experts from the academic and governmental sectors, delved into strategies and points of vigilance essential for robust cybersecurity.

Panel discussion at the Open Source Experience 2023 in Paris on 'Cybersécurité et open source' with international experts and audience.

1. The Mindset of Security

Security by Design: A Leadership Commitment

  • The panel emphasized the importance of incorporating security from the initial stages of development. This approach requires a commitment from the top management to prioritize security in all business operations.

A Mentality Focused on Secure and Protected Solutions

  • Companies must cultivate a culture where security is an integral part of the thinking process, aiming to deliver solutions that are inherently secure and protected.

2. Implementing Key Processes

Adherence to Standards and Automation

  • The importance of adhering to established cybersecurity standards was underscored, with a recommendation to automate processes wherever possible to ensure consistency and efficiency.

No Deployment Without Security Compliance

  • It was strongly advised that no deployments or actions should proceed without meeting the necessary security requirements.

3. Resources: Empowering Teams and Enhancing Vigilance

Dedicated Security Teams and Training

  • Having specialized security teams and conducting regular training sessions were identified as crucial for maintaining a high level of security awareness and preparedness.

Vigilance as a Continuous Effort

  • Continuous vigilance was highlighted as a key resource, ensuring that security measures are always up-to-date and effective.

4. Essential Tools and Technologies

Mandatory Multi-Factor Authentication (MFA)

  • Implementing MFA as a compulsory measure we recommend enhancing account security significantly.

Vulnerability Scanners and Dependance Management

  • Utilizing vulnerability scanners and managing dependencies and configurations were suggested as vital tools. While platforms like GitHub Enterprise may be costly, they offer comprehensive solutions for these needs.

Conclusion: Education, Awareness, and the Use of Open-Source Tools

In conclusion, the panel at #OSXP2023, including our expert Corentin Bardin, a cyber security specialist and pen tester, highlighted the importance of continuous education and staying updated in the rapidly evolving cybersecurity landscape. They advocated for the use of open-source tools to bolster security measures.

The key takeaway from the discussion is the commitment to offering secure services. It’s not just about the tools and processes; it’s about the mindset and ongoing effort to stay vigilant and informed.


Contact Free Trial Buy Here Back to Overview

/by
Elmar Geese

Supposedly pro-Russian hackers try to exploit Sharepoint vulnerability

Update from 2023-12-06:

Last week, we reported on pro-Russian hacktivists scanning for vulnerable SharePoint Servers to exploit a critical vulnerability (CVE-2023-29357).

New findings suggest that the group, calling themselves “Zarya”, is undertaking various exploit-attempts, including directory traversal and targeting specific vulnerabilities in systems such as OpenWRT-Routers. The IP address 212.113.106.100, associated with these activities, has been observed in several different exploit attempts. In addition to simple reconnaissance, specific attacks on configuration files and Admin-APIs have been detected. This case re-emphasizes the importance of securing systems against such threats and shows, how unprotected or poorly configured systems can become targets of such attacks.

A critical vulnerability for Sharepoint (CVE-2023-29357), is being targeted by presumably pro-Russian attackers who are trying to exploit this vulnerability.

The Internet Storm Center has discovered corresponding activity on its honeypots. The severity for this vulnerability is critical (a score of 9.8 out of 10), and the attack complexity is very low, making this vulnerability particularly dangerous. Greenbone customers can benefit from the automatic detection of this vulnerability in our Enterprise Feed. Microsoft offers a security update since June 12, 2023, Microsoft customers who missed the update should install it now.


Contact Free Trial Buy Here Back to Overview

/by