Vulnerability Management – Page 8 – CyberSecurity Confabulation

What’s New in InsightVM and Nexpose: Q1 2023 in Review

Posted 2 years ago by Roshnee Mistry Shah

In Q1, our team continued to focus on driving better customer outcomes with InsightVM and Nexpose by further improving efficiency and performance. While many of these updates are under the hood, you may have started to notice faster vulnerability checks available for the recent ETRs or an upgraded user interface for the console Admin page. Let’s take a look at some of the key updates in InsightVM and Nexpose from Q1.

[InsightVM and Nexpose] View expiration date for Scan Assistant digital certificates

Scan Assistant, a lightweight service deployed on the asset, leverages the Scan Engine and digital certificates to securely deliver the core benefits of authenticated scanning without the need to manage traditional account-based credentials.

Customers can now easily determine the validity of a Scan Assistant digital certificate by viewing the Expiration Date on the Shared Scan Credential Configuration page.

[InsightVM and Nexpose] A new look for the Console Administration page

We updated the user interface (UI) of the Console Administration page to facilitate a more intuitive and consistent user experience across InsightVM and the Insight Platform. You can even switch between light mode and dark mode for this page. This update is part of our ongoing Security Console experience transformation to enhance its usability and workflow—stay tuned for more updates!

[InsightVM and Nexpose] Checks for notable vulnerabilities

Rapid7’s Emergent Threat Response (ETR) program flagged multiple CVEs this quarter. InsightVM and Nexpose customers can assess their exposure to many of these CVEs with vulnerability checks, including:

Oracle E-Business Suite CVE-2022-21587: Added to the CISA Known Exploited Vulnerabilities (KEV) catalog, this vulnerability affected a collection of Oracle enterprise applications and can lead to unauthenticated remote code execution. Part of our recurring coverage, learn more about the vulnerability and our response.
VMware ESXi Servers CVE-2021-21974: VMware ESXi is used by enterprises to deploy and serve virtual computers. VMware ESXi servers worldwide were targeted by a ransomware that leveraged CVE-2021-21974. Part of our recurring coverage, learn more about the vulnerability and our response.
ManageEngine CVE-2022-47966: ManageEngine offers a variety of enterprise IT management tools to manage IT operations. At least 24 on-premise ManageEngine products were impacted from the exploitation of CVE-2022-47966, a pre-authentication remote code execution (RCE) vulnerability. Learn more about the vulnerability and our response.
Control Web Panel CVE-2022-44877: Control Web Panel is a popular free interface for managing web servers. In early January, security researcher Numan Türle published a proof-of-concept exploit for CVE-2022-44877, an unauthenticated remote code execution vulnerability in Control Web Panel (CWP, formerly known as CentOS Web Panel). Learn more about the vulnerability and our response.
GoAnywhere MFT CVE-2023-0669: Fortra’s GoAnywhere MFT offers managed file transfer solutions for enterprises. CVE-2023-0669, an actively exploited zero-day vulnerability affected the on-premise instances of Fortra’s GoAnywhere MFT. Learn more about the vulnerability and our response.
Jira Service Management Products CVE-2023-22501: Atlassian’s Jira Service Management Server and Data Center offerings were impacted by CVE-2023-22501, a critical broken authentication vulnerability that allows an attacker to impersonate another user and gain access to a Jira Service Management instance under certain circumstances. Learn more about the vulnerability and our response.
ZK Framework CVE-2022-36537: The vulnerability in ZK Framework, an open-source Java framework for creating web applications, was actively exploited due to its use in ConnectWise R1Soft Server Backup Manager, and allowed remote code execution and the installation of malicious drivers that function as backdoors. Learn more about the vulnerability and our response.

Want to know how you can refine your existing vulnerability management practices and use InsightVM to improve your readiness for the next emergent threat? Join our upcoming webinar:

Responding to Emergent Threats with InsightVM

Up Next for InsightVM | Custom Policies with Agent-Based Policy Assessment

Guidelines from Center for Internet Security (CIS) and Security Technical Implementation Guides (STIG) are widely used industry benchmarks for configuration assessment. However, a benchmark or guideline as-is may not meet the unique needs of your business. Very soon (next quarter soon), you can start using Agent-Based Policy for custom policy assessment.

Patch Tuesday – March 2023

Posted 2 years ago by Adam Barnett

Microsoft is offering fixes for 101 security issues for March 2023 Patch Tuesday, including two zero-day vulnerabilities; the most interesting of the two zero-day vulnerabilities is a flaw in Outlook which allows an attacker to authenticate against arbitrary remote resources as another user.

CVE-2023-23397 describes a Critical Elevation of Privilege vulnerability affecting Outlook for Windows, which is concerning for several reasons. Microsoft has detected in-the-wild exploitation by a Russia-based threat actor targeting government, military, and critical infrastructure targets in Europe.

An attacker could use a specially-crafted email to cause Outlook to send NTLM authentication messages to an attacker-controlled SMB share, and can then use that information to authenticate against other services offering NTLM authentication. Given the network attack vector, the ubiquity of SMB shares, and the lack of user interaction required, an attacker with a suitable existing foothold on a network may well consider this vulnerability a prime candidate for lateral movement.

The vulnerability was discovered by Microsoft Threat Intelligence, who have published a Microsoft Security Research Center blog post describing the issue in detail, and which provides a Microsoft script and accompanying documentation to detect if an asset has been compromised using CVE-2023-23397.

Current self-hosted versions of Outlook – including Microsoft 365 Apps for Enterprise – are vulnerable to CVE-2023-23397, but Microsoft-hosted online services (e.g., Microsoft 365) are not vulnerable. Microsoft has calculated a CVSSv3 base score of 9.8.

The other zero-day vulnerability this month, CVE-2023-24880, describes a Security Feature Bypass in Windows SmartScreen, which is part of Microsoft’s slate of endpoint protection offerings. A specially crafted file could avoid receiving Mark of the Web and thus dodge the enhanced scrutiny usually applied to files downloaded from the internet.

Although Microsoft has detected in-the-wild exploitation, and functional exploit code is publicly available, Microsoft has marked CVE-2023-24880 as Moderate severity – the only one this month – and assessed it with a relatively low CVSSv3 score of 5.4; the low impact ratings and requirement for user interaction contribute to the lower scoring. This vulnerability thus has the unusual distinction of being both an exploited-in-the-wild zero-day vulnerability and also the lowest-ranked vulnerability on Microsoft's severity scale in this month's Patch Tuesday. Only more recent versions of Windows are affected: Windows 10 and 11, as well as Server 2016 onwards.

A further five critical Remote Code Execution (RCE) vulnerabilities are patched this month in Windows low-level components. Three of these are assessed as Exploitation More Likely, and most of them affect a wide range of Windows versions, with the exception of CVE-2023-23392 which affects only Windows 11 and Windows Server 2022. Only assets where HTTP/3 has been enabled are potentially vulnerable – it is disabled by default – yet Microsoft still assesses this vulnerability as Exploitation More Likely, perhaps because HTTP endpoints are typically accessible.

CVE-2023-21708 is a Remote Procedure Call (RPC) vulnerability with a base CVSSv3 of 9.8. Microsoft recommends blocking TCP port 135 at the perimeter as a mitigation; given the perennial nature of RPC vulnerabilities, defenders will know that this has always been good advice.

Another veteran class of vulnerability makes a return this month: CVE-2023-23415 describes an attack involving a fragmented packet inside the header of another ICMP packet. Insufficient validation of ICMP packets has been a source of vulnerabilities since the dawn of time; the original and still-infamous Ping of Death vulnerability, which affected a wide range of vendors and operating systems, was one of the first vulnerabilities to be assigned a CVE back in 1999.

Rounding out the remaining Critical RCEs this month are a malicious certificate attack leading to Arbitrary Code Execution (ACE), and an attack against Windows Remote Access Server (RAS) which happily requires the attacker to win a race condition and is thus harder to exploit.

Microsoft has addressed two related vulnerabilities introduced via the Trusted Platform Module (TPM) 2.0 reference implementation code published by the Trusted Computing Group industry alliance. CVE-2023-1017 is an out-of-bounds write, and CVE-2023-1018 is an out-of-bounds read. Both may be triggered without elevated privileges, and may allow an attacker to access or modify highly-privileged information inside the TPM itself. Defenders managing non-Microsoft assets should note that a wide range of vendors including widely used Linux distros are also affected by this pair of vulnerabilities.

Admins who still remember the aptly-named PrintNightmare vulnerability from the summer of 2021 may well raise a wary eyebrow at this month’s batch of 18 fixes for the Microsoft PostScript and PCL6 Class Printer Driver, but there’s no sign that any of these are cause for the same level of concern, not least because there has been no known public disclosure prior to Microsoft releasing patches.

Azure administrators who update their Service Fabric Cluster manually should note that CVE-2023-23383 describes a spoofing vulnerability in the web management client where a user clicking a suitably-crafted malicious link could unwittingly execute actions against the remote cluster. Azure estates with automatic upgrades enabled are already protected.

Summary charts

Summary tables

Apps vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2023-24890	Microsoft OneDrive for iOS Security Feature Bypass Vulnerability	No	No	6.5

Azure vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2023-23383	Service Fabric Explorer Spoofing Vulnerability	No	No	8.2
CVE-2023-23408	Azure Apache Ambari Spoofing Vulnerability	No	No	4.5

Browser vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2023-24892	Microsoft Edge (Chromium-based) Webview2 Spoofing Vulnerability	No	No	7.1
CVE-2023-1236	Chromium: CVE-2023-1236 Inappropriate implementation in Internals	No	No	N/A
CVE-2023-1235	Chromium: CVE-2023-1235 Type Confusion in DevTools	No	No	N/A
CVE-2023-1234	Chromium: CVE-2023-1234 Inappropriate implementation in Intents	No	No	N/A
CVE-2023-1233	Chromium: CVE-2023-1233 Insufficient policy enforcement in Resource Timing	No	No	N/A
CVE-2023-1232	Chromium: CVE-2023-1232 Insufficient policy enforcement in Resource Timing	No	No	N/A
CVE-2023-1231	Chromium: CVE-2023-1231 Inappropriate implementation in Autofill	No	No	N/A
CVE-2023-1230	Chromium: CVE-2023-1230 Inappropriate implementation in WebApp Installs	No	No	N/A
CVE-2023-1229	Chromium: CVE-2023-1229 Inappropriate implementation in Permission prompts	No	No	N/A
CVE-2023-1228	Chromium: CVE-2023-1228 Insufficient policy enforcement in Intents	No	No	N/A
CVE-2023-1224	Chromium: CVE-2023-1224 Insufficient policy enforcement in Web Payments API	No	No	N/A
CVE-2023-1223	Chromium: CVE-2023-1223 Insufficient policy enforcement in Autofill	No	No	N/A
CVE-2023-1222	Chromium: CVE-2023-1222 Heap buffer overflow in Web Audio API	No	No	N/A
CVE-2023-1221	Chromium: CVE-2023-1221 Insufficient policy enforcement in Extensions API	No	No	N/A
CVE-2023-1220	Chromium: CVE-2023-1220 Heap buffer overflow in UMA	No	No	N/A
CVE-2023-1219	Chromium: CVE-2023-1219 Heap buffer overflow in Metrics	No	No	N/A
CVE-2023-1218	Chromium: CVE-2023-1218 Use after free in WebRTC	No	No	N/A
CVE-2023-1217	Chromium: CVE-2023-1217 Stack buffer overflow in Crash reporting	No	No	N/A
CVE-2023-1216	Chromium: CVE-2023-1216 Use after free in DevTools	No	No	N/A
CVE-2023-1215	Chromium: CVE-2023-1215 Type Confusion in CSS	No	No	N/A
CVE-2023-1214	Chromium: CVE-2023-1214 Type Confusion in V8	No	No	N/A
CVE-2023-1213	Chromium: CVE-2023-1213 Use after free in Swiftshader	No	No	N/A

Developer Tools vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2023-23946	GitHub: CVE-2023-23946 mingit Remote Code Execution Vulnerability	No	No	N/A
CVE-2023-23618	GitHub: CVE-2023-23618 Git for Windows Remote Code Execution Vulnerability	No	No	N/A
CVE-2023-22743	GitHub: CVE-2023-22743 Git for Windows Installer Elevation of Privilege Vulnerability	No	No	N/A
CVE-2023-22490	GitHub: CVE-2023-22490 mingit Information Disclosure Vulnerability	No	No	N/A

ESU Windows vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2023-21708	Remote Procedure Call Runtime Remote Code Execution Vulnerability	No	No	9.8
CVE-2023-23415	Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability	No	No	9.8
CVE-2023-23405	Remote Procedure Call Runtime Remote Code Execution Vulnerability	No	No	8.1
CVE-2023-24908	Remote Procedure Call Runtime Remote Code Execution Vulnerability	No	No	8.1
CVE-2023-24869	Remote Procedure Call Runtime Remote Code Execution Vulnerability	No	No	8.1
CVE-2023-23401	Windows Media Remote Code Execution Vulnerability	No	No	7.8
CVE-2023-23402	Windows Media Remote Code Execution Vulnerability	No	No	7.8
CVE-2023-23420	Windows Kernel Elevation of Privilege Vulnerability	No	No	7.8
CVE-2023-23421	Windows Kernel Elevation of Privilege Vulnerability	No	No	7.8
CVE-2023-23422	Windows Kernel Elevation of Privilege Vulnerability	No	No	7.8
CVE-2023-23423	Windows Kernel Elevation of Privilege Vulnerability	No	No	7.8
CVE-2023-23410	Windows HTTP.sys Elevation of Privilege Vulnerability	No	No	7.8
CVE-2023-23407	Windows Point-to-Point Protocol over Ethernet (PPPoE) Remote Code Execution Vulnerability	No	No	7.1
CVE-2023-23414	Windows Point-to-Point Protocol over Ethernet (PPPoE) Remote Code Execution Vulnerability	No	No	7.1
CVE-2023-23385	Windows Point-to-Point Protocol over Ethernet (PPPoE) Elevation of Privilege Vulnerability	No	No	7
CVE-2023-24861	Windows Graphics Component Elevation of Privilege Vulnerability	No	No	7
CVE-2023-24862	Windows Secure Channel Denial of Service Vulnerability	No	No	5.5
CVE-2023-23394	Client Server Run-Time Subsystem (CSRSS) Information Disclosure Vulnerability	No	No	5.5
CVE-2023-23409	Client Server Run-Time Subsystem (CSRSS) Information Disclosure Vulnerability	No	No	5.5

Microsoft Dynamics vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2023-24922	Microsoft Dynamics 365 Information Disclosure Vulnerability	No	No	6.5
CVE-2023-24919	Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability	No	No	5.4
CVE-2023-24879	Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability	No	No	5.4
CVE-2023-24920	Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability	No	No	5.4
CVE-2023-24891	Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability	No	No	5.4
CVE-2023-24921	Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability	No	No	4.1

Microsoft Office vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2023-23397	Microsoft Outlook Elevation of Privilege Vulnerability	Yes	No	9.8
CVE-2023-24930	Microsoft OneDrive for MacOS Elevation of Privilege Vulnerability	No	No	7.8
CVE-2023-23399	Microsoft Excel Remote Code Execution Vulnerability	No	No	7.8
CVE-2023-23398	Microsoft Excel Spoofing Vulnerability	No	No	7.1
CVE-2023-23396	Microsoft Excel Denial of Service Vulnerability	No	No	6.5
CVE-2023-23391	Office for Android Spoofing Vulnerability	No	No	5.5
CVE-2023-24923	Microsoft OneDrive for Android Information Disclosure Vulnerability	No	No	5.5
CVE-2023-24882	Microsoft OneDrive for Android Information Disclosure Vulnerability	No	No	5.5
CVE-2023-23395	Microsoft SharePoint Server Spoofing Vulnerability	No	No	3.1

Microsoft Office ESU Windows vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2023-24910	Windows Graphics Component Elevation of Privilege Vulnerability	No	No	7.8

System Center vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2023-23389	Microsoft Defender Elevation of Privilege Vulnerability	No	No	6.3

Windows vulnerabilities

CVE	Title	Exploited?	Publicly disclosed?	CVSSv3 base score
CVE-2023-23392	HTTP Protocol Stack Remote Code Execution Vulnerability	No	No	9.8
CVE-2023-24871	Windows Bluetooth Service Remote Code Execution Vulnerability	No	No	8.8
CVE-2023-23388	Windows Bluetooth Driver Elevation of Privilege Vulnerability	No	No	8.8
CVE-2023-23403	Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability	No	No	8.8
CVE-2023-23406	Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability	No	No	8.8
CVE-2023-23413	Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability	No	No	8.8
CVE-2023-24867	Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability	No	No	8.8
CVE-2023-24907	Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability	No	No	8.8
CVE-2023-24868	Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability	No	No	8.8
CVE-2023-24909	Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability	No	No	8.8
CVE-2023-24872	Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability	No	No	8.8
CVE-2023-24913	Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability	No	No	8.8
CVE-2023-24876	Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability	No	No	8.8
CVE-2023-24864	Microsoft PostScript and PCL6 Class Printer Driver Elevation of Privilege Vulnerability	No	No	8.8
CVE-2023-1018	CERT/CC: CVE-2023-1018 TPM2.0 Module Library Elevation of Privilege Vulnerability	No	No	8.8
CVE-2023-1017	CERT/CC: CVE-2023-1017 TPM2.0 Module Library Elevation of Privilege Vulnerability	No	No	8.8
CVE-2023-23416	Windows Cryptographic Services Remote Code Execution Vulnerability	No	No	8.4
CVE-2023-23404	Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability	No	No	8.1
CVE-2023-23418	Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability	No	No	7.8
CVE-2023-23419	Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability	No	No	7.8
CVE-2023-23417	Windows Partition Management Driver Elevation of Privilege Vulnerability	No	No	7.8
CVE-2023-23412	Windows Accounts Picture Elevation of Privilege Vulnerability	No	No	7.8
CVE-2023-24859	Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability	No	No	7.5
CVE-2023-23400	Windows DNS Server Remote Code Execution Vulnerability	No	No	7.2
CVE-2023-23393	Windows BrokerInfrastructure Service Elevation of Privilege Vulnerability	No	No	7
CVE-2023-23411	Windows Hyper-V Denial of Service Vulnerability	No	No	6.5
CVE-2023-24856	Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability	No	No	6.5
CVE-2023-24857	Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability	No	No	6.5
CVE-2023-24858	Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability	No	No	6.5
CVE-2023-24863	Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability	No	No	6.5
CVE-2023-24865	Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability	No	No	6.5
CVE-2023-24866	Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability	No	No	6.5
CVE-2023-24906	Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability	No	No	6.5
CVE-2023-24870	Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability	No	No	6.5
CVE-2023-24911	Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability	No	No	6.5
CVE-2023-24880	Windows SmartScreen Security Feature Bypass Vulnerability	Yes	Yes	5.4

Note that Microsoft has not provided CVSSv3 scores for vulnerabilities in Chromium, which is an open-source software consumed by Microsoft Edge. Chrome, rather than Microsoft, is the assigning CNA for Chromium vulnerabilities. Microsoft documents this class of vulnerability in the Security Upgrade Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

Vulnerability Management vs. Vulnerability Assessment

Posted 2 years ago by Marla Rosner

Evolving networks and evolving threats

Vulnerability Management vs. Vulnerability Assessment

When it comes to protecting your cloud or hybrid networks, what you don't know can most certainly hurt your enterprise. Today's NetOps teams are tasked with monitoring the health and performance of both on-premises and cloud applications, as well as software, devices, and instances. As if this wasn't complicated enough, malicious threat actors relentlessly seek to capitalize on the vulnerabilities in an enterprise's network.

These attacks affect enterprises across all industries. Recently, Gartner predicted that 45% of global organizations will have experienced attacks on their software supply chains by 2025. Statista also reported that approximately 15M data records were exposed worldwide through data breaches in the third quarter of 2022. This staggering figure represented a quarterly increase of over 37%.

Network attacks are costly, too. In fact, the average cost of a data breach increased to $9.44M in the United States in 2022. Keep in mind, this figure doesn't include the frustration, lost productivity, and negative impact on brand reputation that often accompany cyber attacks.

Vulnerability assessment (VA) and vulnerability management (VM) are two of the best ways to protect your enterprise against threats, but these terms are often used incorrectly and interchangeably. A better understanding of these concepts and how they relate to one another can help you significantly boost the security posture of your hybrid and cloud environments.

What is a vulnerability assessment?

TechTarget defines vulnerability assessment as “the process of defining, identifying, classifying and prioritizing vulnerabilities in computer systems, applications and network infrastructures." These vulnerabilities usually fall into one of three categories:

Hardware: Hardware refers to the physical devices in your network infrastructure, such as servers or routers. These require firmware upgrades and patches to remain secure. Vulnerabilities result from failure to perform upgrades and using outdated devices.
Software: Software refers to the applications an organization uses. Software vulnerabilities might be a flaw, glitch, or weakness in the software code. Again, patching and other updates are required to maintain security.
Human: These vulnerabilities stem from user security issues like weak (or leaked) passwords, clicking links on malicious websites, and human error such as opening a phishing email. Of the three categories, this is often the hardest for NetOps teams to control and enforce.

Vulnerability assessments scan your network for potential issues in each of these categories, and provide your team with crucial insight into the weaknesses of your IT infrastructure. Ideally, a vulnerability assessment will also prioritize the risks by level of severity, showing your team which to address first.

Enterprises looking to shift from reactive security measures like firewalls to a more proactive security approach look to vulnerability assessment as the first step in building an information security program.

What is vulnerability management?

Vulnerability management is the process of identifying, evaluating, treating, and reporting on security vulnerabilities in systems and the software that runs on them. Sounds a lot like vulnerability assessment, right? The key difference between the two, however, is that vulnerability management is a continuous cycle that includes vulnerability assessment. Where VA identifies and classifies the risks in your network infrastructure, VM goes a step further and includes decisions on whether to remediate, mitigate, or accept risks. VM is also concerned with general infrastructure improvement and reporting.

According to Gartner, vulnerability management runs on a cycle—a five-step process (not including pre-work like selecting vulnerability assessment tools) that most organizations follow.

The vulnerability management cycle

Assess: Here's where vulnerability assessments come in. In this step of the cycle, NetOps teams will identify assets, scan them, and build a report.
Prioritize: The report generated in the first phase is used to prioritize risks. The NetOps team will also add threat context to the risks, which requires a thorough knowledge of the existing threat landscape as well as consideration of how threats may evolve over time.
Act: The prioritized threats are then sorted into remediate, mitigate, and accept buckets. Remediation calls for removing the threat completely, if possible. Mitigation, on the other hand, reduces the likelihood of a vulnerability being exploited. Mitigation may be used if remediation is too disruptive to the system or if a patch isn't available yet. You may also have threats that fall under the acceptance category. These may include devices/software soon to be replaced, which wouldn't require any action.
Reassess: Once the team has processed the risks according to their final recommendations, they'll need to rescan and validate that the risks have been properly remediated, mitigated, or accepted.
Improve: In this final step, the team should evaluate their metrics, checking that they're accurate and up to date to ensure that they're correctly assessing risks. Additionally, this phase should be used to eliminate any other underlying issues that may be contributing to system vulnerabilities.

Benefits of vulnerability management and vulnerability assessment

Vulnerability assessments are an important part of the vulnerability management cycle, and the VM cycle should be a key component of your NetOps team's security strategy. Organizations today simply can't afford to ignore the risks in their network infrastructure. As networks grow more complex, teams struggle to maintain visibility into their network. This creates an ideal environment for threat actors looking to exploit system vulnerabilities. Often, risks and attacks go unnoticed until they've caused irreparable damage at considerable cost to the organization.

VM has benefits that extend beyond security. For example, regularly evaluating your network's devices and applications can help your team identify outdated technology or potential patches that will not only improve the general security of the network, but also optimize its performance. VM can also help your organization meet federal and internal compliance requirements. Regularly identifying and resolving risks through vulnerability assessments and the VM cycle can help your organization stay ahead of changing compliance requirements and prevent non-compliance penalties like fines.

Get started with vulnerability assessment and vulnerability management

With the obvious benefits, it should be clear that vulnerability assessment and vulnerability management are crucial to reducing overall risk in an organization's infrastructure. And yet, many NetOps teams struggle to implement these processes. Whether your team is just getting started with vulnerability management, or looking to optimize your VM cycle to meet the challenges of an increasingly complex network and threat landscape, Rapid7 has the solutions that will empower your team to tackle vulnerabilities head on.

Ready to see the benefits of the vulnerability management cycle in your network?

Our report, Best Practices for Vulnerability Management in an Evolving Threat Landscape, can show you how!

Active Exploitation of ZK Framework CVE-2022-36537

Posted 2 years ago by Stephen Fewer

Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too.

Rapid7 is aware of active exploitation of CVE-2022-36537 in vulnerable versions of ConnectWise R1Soft Server Backup Manager software. The root cause of the vulnerability is an information disclosure flaw in ZK Framework, an open-source Java framework for creating web applications. ConnectWise uses ZK Framework in its popular R1Soft and Recovery products; the vulnerability is being used for remote code execution and the installation of malicious drivers that function as backdoors. After initial access is obtained, attackers have reportedly been able to execute commands on all systems running the agent connected to the R1Soft server.

The advisory and NVD entry for CVE-2022-36537 indicate that ostensibly, the flaw is merely an information disclosure vulnerability. Rapid7 believes this categorization significantly downplays the risk and the impact of CVE-2022-36537 and should not be used as a basis for lower prioritization.

Overview

In May 2022, software company Potix released an update to ZK Framework, an open-source Java framework used to create enterprise web and mobile applications in pure Java. The update addressed CVE-2022-36537, which had been reported to Potix by Code White GmbH’s Markus Wulftange. The vulnerability arises from an issue in ZK Framework’s AuUploader component that allows an attacker to forward a HTTP request to an internal URI. Successful exploitation allows an attacker to obtain sensitive information or target an endpoint that might otherwise be unreachable. Since ZK Framework is a library, CVE-2022-36537 is likely to affect a range of other products in addition to the core framework itself.

In October 2022, security firm Huntress published a blog on a Lockbit 3.0 ransomware incident that included exploitation of CVE-2022-36537 in ConnectWise R1Soft Server Backup Manager software. Threat actors exploited the vulnerability to bypass authentication, deployed a malicious JDBC database driver that allowed for arbitrary code execution, and finally used the REST API to send commands to registered agents—commands that instructed the agents to push ransomware to downstream systems. The malicious JDBC driver also functions as a backdoor into compromised systems.

On February 22, 2023, the NCC Group’s FOX IT team published a similar account of an incident where they had observed threat actors exploiting CVE-2022-36537 against ConnectWise R1Soft servers as far back as November 29, 2022. According to FOX IT’s research, several hundred R1Soft servers were backdoored as of January 2023, of which more than 140 remain compromised. They have a full account of the attack chain and a list of IOCs here.

FOX IT said that the adversary used R1Soft “as both an initial point of access and as a platform to control downstream systems connected via the R1Soft Backup Agent. This agent is installed on systems to support being backed up by the R1Soft server software and typically runs with high privileges. This means that after the adversary initially gained access via the R1Soft server software it was able to execute commands on all systems running the agent connected to this R1Soft server.”

Shodan reports 3,643 instances of ConnectWise R1Soft Server Backup Manager as of March 1, 2023. Multiple public proof-of-concept (PoC) exploits are available dating back to December 2022. On February 27, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2022-36537 to its Known Exploited Vulnerabilities (KEV) list and published a warning that “This type of vulnerability is a frequent attack vector for malicious cyber actors and poses a significant risk to the federal enterprise.”

As mentioned above, the primary advisory and NVD entry for CVE-2022-36537 both note that the core vulnerability in ZK Framework is an information disclosure flaw (hence the 7.5 CVSSv3 score). In the context of ConnectWise R1Soft, however, the impact of the flaw is remote code execution, not merely information disclosure.

The public PoCs include code that uses the vulnerability to leak the contents of the file /Configuration/database-drivers.zul and expose a unique ID value that is intended to be secret. Once the attacker has this ID value, they can exploit the vulnerability once more to reach an otherwise inaccessible endpoint and upload the malicious database driver.

Affected products

ZK Framework (core)

All versions of ZK Framework from 9.6.1 and below are vulnerable to CVE-2022-36537. Potix released version 9.6.2 to fix this issue on May 4, 2022, alongside several hotfixes for earlier branches (9.6.0, 9.5.1, 9.0.1, and 8.6.4).

Fixed versions of ZK Framework are:

9.6.2
9.6.0.2 (security release)
9.5.1.4 (security release)
9.0.1.3 (security release)
8.6.4.2 (security release)

Workarounds are available, but as always, we strongly recommend applying patches. See Potix’s advisory for further details on affected ZK Framework versions.

ConnectWise products

According to ConnectWise’s advisory, CVE-2022-36537 affects the following products and versions:

ConnectWiseRecover v2.9.7 and earlier versions are vulnerable
ConnectWise R1Soft Server Backup Manager (SBM): SBM v6.16.3 and earlier versions are vulnerable

ConnectWise R1Soft users should upgrade the server backup manager to SBM v6.16.4 released October 28, 2022 using the R1Soft upgrade wiki.

The advisory also indicates that “affected ConnectWise Recover SBMs have automatically been updated to the latest version of Recover (v2.9.9)” as of October 28, 2022.

Mitigation guidance

ConnectWise R1Soft Server Backup Manager users should update their R1Soft installations to a fixed version (v6.16.4) on an emergency basis, without waiting for a regular patch cycle to occur, and examine their environments for signs of compromise. Both Huntress and FOX IT have information on observed indicators of compromise.

ZK Framework users should likewise update to a fixed version immediately, without waiting for a regular patch cycle to occur. As with many library vulnerabilities, assessing exposure may be complex. It’s likely there are additional applications that implement ZK Framework; downstream advisories may include other information about ease or impact of exploitation.

Since ConnectWise R1Soft appears to be the primary vector for known attacks as of March 1, 2023, we strongly advise prioritizing those patches.

Rapid7 customers

Our researchers are currently evaluating the feasibility of adding a vulnerability check for InsightVM and Nexpose.

A Shifting Attack Landscape: Rapid7’s 2022 Vulnerability Intelligence Report

Posted 2 years ago by Tom Caiazza

Each year, the research team at Rapid7 analyzes thousands of vulnerabilities in order to identify their root causes, broaden understanding of attacker behavior, and provide actionable intelligence that guides security professionals at critical moments. Our annual Vulnerability Intelligence Report examines notable vulnerabilities and high-impact attacks from 2022 to highlight trends that drive significant risk for organizations of all sizes.

Today, we’re excited to release Rapid7’s 2022 Vulnerability Intelligence Report—a deep dive into 50 of the most notable vulnerabilities our research team investigated throughout the year. The report offers insight into critical vulnerabilities, widespread threats, prominent attack surface area, and changing exploitation trends.

2022 attack trends

The threat landscape today is radically different than it was even a few years ago. Over the past three years, we’ve seen zero-day exploits and widespread attacks chart a meteoric rise that’s strained security teams to their breaking point and beyond. While 2022 saw a modest decline in zero-day and widespread exploitation from 2021’s record highs, the multi-year trend of rising attack speed and scale remains strikingly consistent overall.

Report findings include:

Widespread exploitation of new vulnerabilities decreased 15% year over year in 2022, but mass exploitation events were still the norm. Our 2022 vulnerability intelligence dataset tracks 28 net-new widespread threats, many of which were used to deploy webshells, cryptocurrency miners, botnet malware, and/or ransomware on target systems.
Zero-day exploitation remained a significant challenge for security teams, with 43% of widespread threats arising from a zero-day exploit.
Attackers are still developing and deploying exploits faster than ever before. More than half of the vulnerabilities in our report dataset were exploited within seven days of public disclosure—a 12% increase from 2021 and an 87% increase over 2020.
Vulnerabilities mapped definitively to ransomware operations dropped 33% year over year—a troubling trend that speaks more to evolving attacker behavior and lower industry visibility than to any actual reprieve for security practitioners. This year’s report explores the growing complexity of the cybercrime ecosystem, the rise of initial access brokers, and industry-wide ransomware reporting trends.

How to manage risk from critical vulnerabilities

In today’s threat landscape, security teams are frequently forced into reactive positions, lowering security program efficacy and sustainability. Strong foundational security program components, including vulnerability and asset management processes, are essential to building resilience in a persistently elevated threat climate.

Have emergency patching procedures and incident response playbooks in place so that in the event of a widespread threat or breach, your team has a well-understood mechanism to drive immediate action.
Have a defined, regular patch cycle that includes prioritization of actively exploited CVEs, as well as network edge technologies like VPNs and firewalls. These network edge devices continue to be popular attack vectors and should adhere to a zero-day patch cycle wherever possible, meaning that updates and/or downtime should be scheduled as soon as new critical advisories are released.
Keep up with operating system-level and cumulative updates. Falling behind on these regular updates can make it difficult to install out-of-band security patches at critical moments.
Limit and monitor internet exposure of critical infrastructure and services, including domain controllers and management or administrative interfaces. The exploitation of many of the CVEs in this year’s report could be slowed down or prevented by taking management interfaces off the public internet.

2022 Vulnerability Intelligence Report

Read the report to see our full list of high-priority CVEs and learn more about attack trends from 2022.

DOWNLOAD NOW

Patch Tuesday – February 2023

Posted 2 years ago by Adam Barnett

It’s Patch Tuesday again. Microsoft is addressing fewer individual vulnerabilities this month than last, but there’s still plenty to keep admins and defenders occupied.

Three zero-day vulnerabilities are vying for your attention today: a lone Microsoft Publisher vulnerability as well as a couple affecting Windows itself. None is marked as publicly disclosed, but Microsoft has already observed in-the-wild exploitation of all three.

One zero-day vulnerability is a Security Features Bypass vulnerability in Microsoft Publisher. Successful exploitation of CVE-2023-21715 allows an attacker to bypass Office macro defenses using a specially-crafted document and run code which would otherwise be blocked by policy. Only Publisher installations delivered as part of Microsoft 365 Apps for Enterprise are listed as affected.

CVE-2023-23376 describes a vulnerability in the Windows Common Log File System Driver which allows Local Privilege Escalation (LPE) to SYSTEM. Although Microsoft isn’t necessarily aware of mature exploit code at time of publication, this is worth patching at the first opportunity, since it affects essentially all current Windows hosts.

CVE-2023-21823 is described as a Remote Code Execution (RCE) vulnerability in Windows Graphics Component, but has Attack Vector listed as Local. This apparent inconsistency is often accompanied with a clarification like: “The word Remote in the title refers to the location of the attacker. [...] The attack itself is carried out locally.” No such clarification is available in this case, but this is likely applicable here also. Microsoft also notes the existence of mature exploit code.

Microsoft is also releasing patches for nine critical RCE vulnerabilities. A more varied selection than last month, February 2023 includes critical RCE in an SQL Server ODBC driver, the iSCSI Discovery Service, .NET/Visual Studio, three in network authentication framework PEAP, one in Word, and two in Visual Studio only. Microsoft has not observed in-the-wild exploitation for any of these vulnerabilities, nor is any of them marked as publicly disclosed. Microsoft predicts that most of these are less likely to be exploited, with the exception of the PEAP vulnerabilities.

Microsoft’s recent announcement about the potential inclusion of CBL-Mariner CVEs in the Security Update Guide is now reflected in the list of covered products, but there aren’t any CBL-Mariner vulnerabilities this Patch Tuesday.

SharePoint Server makes another appearance today with CVE-2023-21717, which allows an authenticated user with the Manage List permission to achieve RCE. Admins responsible for a SharePoint Server 2013 instance may be interested in the FAQ, which includes what Microsoft optimistically describes as a clarification of the existing servicing model for SharePoint Server 2013.

This is the first Patch Tuesday after the end of Extended Security Updates (ESU) for Windows 8.1. Admins responsible for Windows Server 2008 instances should note that ESU for Windows Server 2008 is now only available for instances hosted in Azure or on-premises instances hosted via Azure Stack. Instances of Windows Server 2008 hosted in a non-Azure context will no longer receive security updates, so will forever remain vulnerable to any new vulnerabilities, including the two zero-days covered above.

Summary charts