Markus Feilner

Vulnerability scanner Notus supports Amazon Linux

Most virtual servers in the Amazon Elastic Compute Cloud EC2 run a version of Linux that has been specially customised for the needs of the cloud. The latest generation of scanners from Greenbone has also been available for the Amazon Web Services operating system for a few weeks now. Over 1,900 additional, customised tests for the latest versions of Amazon Linux (Linux 2 and Linux 2023) have been integrated in recent months, explains Julio Saldana, Product Owner at Greenbone.

Significantly better performance thanks to Notus

Greenbone has been supplementing its vulnerability management with the Notus scan engine since 2022. The innovations in the architecture are primarily aimed at significantly increasing the performance of the security checks. Described as a “milestone” by Greenbone CIO Elmar Geese, the new scanner generation works in two parts: A generator queries the extensive software version data from the company’s servers and saves it in a handy Json format. Because this no longer happens at runtime, but in the background, the actual scanner (the second part of Notus) can simply read and synchronise the data from the Json files in parallel. Waiting times are eliminated. “This is much more efficient, requires fewer processes, less overhead and less memory,” explain the Greenbone developers.

Amazon Linux

Amazon Linux is a fork of Red Hat Linux sources that Amazon has been using and customising since 2011 to meet the needs of its cloud customers. It is largely binary-compatible with Red Hat, initially based on Fedora and later on CentOS. Amazon Linux was followed by Amazon Linux 2, and the latest version is now available as Amazon Linux 2023. The manufacturer plans to release a new version every two years. The version history of the official documentation also includes a feature comparison, as the differences are significant: Amazon Linux 2023 is the first version to also use Systemd, for example. Greenbone’s vulnerability scan was also available on Amazon Linux from the very beginning.

Contact Free Trial Buy Here Back to Overview

/by
Joseph Lee

CVE-2024-31497: PuTTY Forfeits Client ECDSA Private Keys

Public-key cryptography underpins enterprise network security and thus, securing the confidentiality of private keys is one of the most critical IT security challenges for preventing unauthorized access and maintaining the confidentiality of data. While Quantum Safe Cryptography (QSC) has emerged as a top concern for the future, recent critical vulnerabilities like CVE-2024-3094 (CVSS 10) in XZ Utils and the newly disclosed CVE-2024-31497 (CVSS 8.8) in PuTTY are here and now – real and present dangers.

Luckily, the XZ Utils vulnerability was caught before widespread deployment into Linux stable release branches. However, by comparison, CVE-2024-31497 in PuTTY represents a much bigger threat than the aforementioned vulnerability in XZ Utils despite its lower CVSS score. Let’s examine the details to understand why and review Greenbone’s capabilities for detecting known cryptographic vulnerabilities.

A Primer On Public Key Authentication

Public-key infrastructure (PKI) is fundamental to a wide array of digital trust services such as Internet and enterprise LAN authentication, authorization, privacy, and application security. For public-key authentication both the client and server each need a pair of interconnected cryptographic keys: a private key, and a public key. The public keys are openly shared between the two connecting parties, while the private keys are used to digitally sign messages sent between them, and the associated public keys are used to decrypt those messages. This is how each party fundamentally verifies the other’s identity and how a single symmetric key is agreed upon for continuous encrypted communication with an optimal connection speed.

In the client-server model of communication, if the client’s private key is compromised, an attacker can potentially authenticate to any resources that honor it. If the server’s private key is compromised, an attacker can potentially spoof the server’s identity and conduct Adversary-in-the-Middle (AitM) attacks.

CVE-2024-31497 Affects All Versions of PuTTY

CVE-2024-31497 in the popular Windows SSH client PuTTY allows an attacker to recover a client’s NIST P-521 secret key by capturing and analyzing approximately 60 digital signatures due to biased ECDSA nonce generation. As of NIST SP-800-186 (2023) NIST ECDSA P-521 keys are still classified among those offering the highest cryptographic resilience and recommended for use in various applications, including SSL/TLS and Secure Shell (SSH) applications. So, a vulnerability in an application’s implementation of ECDSA P-521 authentication is a serious disservice to IT teams who have otherwise applied appropriately strong encryption standards.

In the case of CVE-2024-31497, the client’s digital signatures are subject to cryptanalysis attacks that can reveal the private key. While developing an exploit for CVE-2024-31497 is a highly skilled endeavor requiring expert cryptographers and computer engineers, a proof-of-concept (PoC) code has been released publically, indicating a high risk that CVE-2024-31497 may be actively exploited by even low skilled attackers in the near future.

Adversaries could capture a victim’s signatures by monitoring network traffic, but signatures may already be publicly available if PuTTY was used for signing commits of public GitHub repositories using NIST ECDSA P-521 keys. In other words, adversaries may be able to find enough information to compromise a private key from publicly accessible data, enabling supply-chain attacks on a victim’s software.

CVE-2024-31497 affects all versions of PuTTY after 0.68 (early 2017) before 0.81 and affects FileZilla before 3.67.0, WinSCP before 6.3.3, TortoiseGit before 2.15.0.1, and TortoiseSVN through 1.14.6, and potentially other products.

On the bright side, Greenbone is able to detect the various vulnerable versions of PuTTY with multiple Vulnerability Tests (VTs). Greenbone can identify Windows Registry Keys that indicate a vulnerable version of PuTTY is present on a scan target, and has additional tests for PuTTY for Linux [1][2][3], FileZilla [4][5], and versions of Citrix Hypervisor/XenServer [6] susceptible to CVE-2024-31497.

Greenbone Protects Against Known Encryption Flaws

Encryption flaws can be caused by weak cryptographic algorithms, misconfigurations, and flawed implementations of an otherwise strong encryption algorithm, such as the case of CVE-2024-31497. Greenbone includes over 6,500 separate Network Vulnerability Tests (NVTs) and Local Security Checks (LSCs) that can identify all types of cryptographic flaws. Some examples of cryptographic flaws that Greebone can detect include:

  • Application Specific Vulnerabilities: Greenbone can detect over 6500 OS and application specific encryption vulnerabilities for which CVEs have been published.
  • Lack Of Encryption: Unencrypted remote authentication or other data transfers, and even unencrypted local services pose a significant risk to sensitive data when attackers have gained an advantageous position such as the ability to monitor network traffic.
  • Support For Weak Encryption Algorithms: Weak encryption algorithms or cipher suites no longer provide strong assurances against cryptanalysis attacks. When they are in use, communications are at higher risk of data theft and an attacker may be able to forge communication to execute arbitrary commands on a victim’s system. Greenbone includes more than 1000 NVTs to detect remote services using weak encryption algorithms.
  • Non-Compliant TLS Settings And HTTPS Security Headers: Greenbone has NVTs to detect when HTTP Strict Transport Security (HSTS) is not configured and verify web-server TLS policy.

Summary

SSH public-key authentication is widely considered one of the most – if not the most secure remote access protocol, but two recent vulnerabilities have put this critical service in the spotlight. CVE-2024-3094, a trojan planted in XZ Utils found its way into some experimental Linux repositories before it’s discovery, and CVE-2024-31497 in PuTTY allows a cryptographic attack to extract a client’s private key if an attacker can obtain roughly 60 digital signatures.

Greenbone can detect emerging threats to encryption such as CVE-2024-31497 and includes over 6,500 other vulnerability tests to identify a range of encryption vulnerabilities.

Contact Free Trial Buy Here Back to Overview

/by
Elmar Geese

AI and cybersecurity: The promise of artificial intelligence

,

How is artificial intelligence (AI) changing the cybersecurity landscape? Will AI make the cyber world more secure or less secure? I was able to explore these questions at the panel discussion during the “Potsdam Conference for National Cybersecurity 2024” together with Prof. Dr. Sandra Wachter, Dr. Kim Nguyen, Dr. Sven Herpig. Does AI deliver what it promises today? And what does the future look like with AI?

HPI Security Panel
Cybersecurity is already difficult enough for many companies and institutions. Will the addition of artificial intelligence (AI) now make it even more dangerous for them or will AI help to better protect IT systems? What do we know? And what risks are we looking at here? Economic opportunities and social risks are the focus of both public attention and currently planned legislation. The EU law on artificial intelligence expresses many of the hopes and fears associated with AI.

Hopes and fears

We hope that many previously unresolved technical challenges can be overcome. Business and production processes should be accelerated, and machines should be able to handle increasingly complex tasks autonomously. AI can also offer unique protection in the military sector, saving many lives, for example in the form of AI-supported defense systems such as the Iron Dome.

On the other, darker side of AI are threats such as mass manipulation through deepfakes, sophisticated phishing attacks or simply the fear of job losses that goes hand in hand with any technical innovation. More and more chatbots are replacing service employees, image generators are replacing photographers and graphic designers, text generators are replacing journalists and authors, and generated music is replacing musicians and composers. In almost every profession, there is a fear of being affected sooner or later. This even applies to the IT sector, where a rich choice of jobs was previously perceived as a certainty. These fears are often very justified, but sometimes they are not.

In the area of cyber security, however, it is not yet clear to what extent autonomous AI can create more security and replace the urgently needed security experts or existing solutions. This applies to both attackers and defenders. Of course, the unfair distribution of tasks remains: While defenders want (and need) to close as many security gaps as possible, a single vulnerability is enough for the attackers to launch a successful attack. Fortunately, defenders can fall back on tools and mechanisms that automate a lot of work, even today. Without this automation, the defenders are lost. Unfortunately, AI does not yet help well enough. This is demonstrated by the ever-increasing damage caused by conventional cyber attacks, even though there are supposedly already plenty of AI defenses. On the other hand, there is the assumption that attackers are becoming ever more powerful and threatening thanks to AI.

For more cyber security, we need to take a closer look. We need a clearer view of the facts.

Where do we stand today?

So far, we know nothing about technical cyber attacks generated by artificial intelligence. There are currently no relevant, verifiable cases, only theoretically constructed scenarios. This may change, but as things stand today, this is the case. We don’t know of any AI that could currently generate sufficiently sophisticated attacks. What we do know is that phishing is very easy to implement with generative language models and that these spam and phishing emails appear to us to be more skillful, at least anecdotally. Whether this causes more damage than the already considerable damage, on the other hand, is not known. It is already terrible enough today, even without AI. However, we know that phishing is only ever the first step in accessing a vulnerability.

Member of the Greenbone Board Elmar Geese at the Potsdam Conference for national cybersecurity at Hasso-Plattner-Institute (HPI), picture: Nicole Krüger

How can we protect ourselves?

The good news is that an exploited vulnerability can almost always be found and fixed beforehand. Then even the best attack created with generative AI would come to nothing. And that’s how it has to be done. Because whether I am under threat from a conventional attack today or an AI in my network the day after tomorrow, a vulnerability in the software or in the security configuration will always be necessary for an attack to succeed. Two strategies then offer the best protection: firstly, being prepared for the worst-case scenario, for example through backups together with the ability to restore systems in a timely manner. The second is to look for the gaps yourself every day and close them before they can be exploited. Simple rule of thumb: every gap that exists can and will be exploited. 

Role and characteristics of AI

AI systems are themselves very good targets for attacks. Just like the internet, they were not designed with “security by design” in mind. AI systems are just software and hardware, just like any other target. Only in contrast to AI systems, conventional IT systems, whose functionality can be more or less understood with sufficient effort, can be repaired in a manner comparable to surgical interventions. They can be “patched”. This does not work with AI. If a language model does not know what to do, it does not produce a status or even an error message, it “hallucinates”. However, hallucinating is just a fancy term for lying, guessing, inventing something or doing strange things. Such an error cannot be patched, but requires the system to be retrained, for example, without being able to clearly identify the cause of the error.

If it is very obvious and an AI thinks dogs are fish, for example, it is easy to at least recognize the error. However, if it has to state a probability as to whether it has detected a dangerous or harmless anomaly on an X-ray image, for example, it becomes more difficult. It is not uncommon for AI products to be discontinued because the error cannot be corrected. A prominent first example was Tay, a chatbot launched unsuccessfully twice by Microsoft, which was discontinued even faster the second time than the first.

What we can learn from this: lower the bar, focus on trivial AI functions and then it will work. That’s why many AI applications that are coming onto the market today are here to stay. They are useful little helpers that speed up processes and provide convenience. Perhaps they will soon be able to drive cars really well and safely. Or maybe not.

The future with AI

Many AI applications today are anecdotally impressive. However, they can only be created for use in critical fields with a great deal of effort and specialization. The Iron Dome only works because it is the result of well over ten years of development work. Today, it recognizes missiles with a probability of 99% and can shoot them down – and not inadvertently civilian objects – before they cause any damage. For this reason, AI is mostly used to support existing systems and not autonomously. Even if, as the advertising promises, they can formulate emails better than we can or want to ourselves, nobody today wants to hand over their own emails, chat inboxes and other communication channels to an AI that takes care of the correspondence and only informs us of important matters with summaries.

Will that happen in the near future? Probably not. Will it happen at some point? We don’t know. When the time perhaps comes, our bots will be writing messages to each other, our combat robots will be fighting our wars against each other, and AI cyber attackers and defenders will be competing against each other. When they realize that what they are doing is pointless, they might ask themselves what kind of beings they are hiring to do it. Then perhaps they will simply stop, set up communication lines, leave our galaxy and leave us helpless. At least we’ll still have our AI act and can continue to regulate “weak AI” that hasn’t made it away.

Contact Free Trial Buy Here Back to Overview

/by
Greenbone AG

Vulnerability management in 12 minutes

Why is Greenbone not a security provider like any other? How did Greenbone come about and what impact does Greenbone’s long history have on the quality of its vulnerability scanners and the security of its customers? The new video “Demystify Greenbone” provides answers to these questions in an twelve-minute overview. It shows why experts need their own specialised vocabulary for detecting vulnerabilities and what it means.

Greenbone is a technology-focussed company that promotes the open source idea to achieve maximum security for companies and institutions. In the video you will learn how Greenbone uses open source code to create a customised portfolio and which solutions are best suited to optimally secure your network. How do the feeds affect the solutions? What deployment models does Greenbone offer? Discover it. Discover Greenbone. Demystify Greenbone!

Contact Free Trial Buy Here Back to Overview

/by
Markus Feilner

“Security crises are like earthquakes” – Greenbone CEO Jan-Oliver Wagner at the PITS Congress 2024

“Support for early crisis detection” was the topic of a high-profile panel on the second day of this year’s PITS Congress. On stage: Greenbone CEO Jan-Oliver Wagner together with other experts from the Federal Criminal Police Office, the German Armed Forces, the Association of Municipal IT Service Providers VITAKO and the Federal Office for Information Security.

On security crises f.l.t.r.: Dr. Jan-Oliver Wagner, CEO (Greenbone), Dr. Dirk Häger, Head of Operational Cyber Security Department (Federal Office for Information Security), Katrin Giebel, Head of Office (VITAKO Federal Association of Municipal IT Service Providers), Major General Dr. Michael Färber, Head of Planning and Digitization Department (Cyber & Information Command) and Carsten Meywirth, Head of Cybercrime Department (Federal Criminal Police Office).

Once again this year, Behörden Spiegel organized its popular conference on Public IT Security (PITS). Hundreds of security experts gathered at the renowned Hotel Adlon in Berlin for two days of forums, presentations and an exhibition of IT security companies. In 2024, the motto of the event was “Security Performance Management” – and so it was only natural that Greenbone, as a leading provider of vulnerability management, was also invited (as in 2023), for example in the panel on early crisis detection, which Greenbone CEO Dr. Jan-Oliver Wagner opened with a keynote speech.

In his presentation, Jan-Oliver Wagner explained his view on strategic crisis detection, talking about the typical “earthquakes” and the two most important components: Knowing where vulnerabilities are, and providing technologies to address them.

Greenbone has built up this expertise over many years, also making it vailable to the public, in open source, always working together with important players on the market. For example, contacts with the German Federal Office for Information Security (BSI) were there right from the start: “The BSI already had the topic of vulnerability management on its radar when IT security was still limited to firewalls and antiviruses,” Wagner is praising the BSI, the German government’s central authority for IT security.

Today, the importance of two factors is clear: “Every organization must know how and where it is vulnerable, know its own response capabilities and has to keep working on improving them continuously. Cyber threats are like earthquakes. We can’t prevent them, we can only prepare for them and respond to them in the best possible way.”

“A crisis has often happened long before the news break”

According to Jan-Oliver Wagner’s definition, the constant cyber threat evolves into a veritable “crisis” when, for example, a threat “hits a society, economy or nation where many organizations have a lot of vulnerabilities and a low ability to react quickly. Speed is very important. You have to be faster than the attack happens.” The other participants on the panel also addressed this and used the term “getting ahead of the wave”.

The crisis is often already there long before it is mentioned in the news, individual organizations need to protect themselves and prepare themselves so that they can react to unknown situations on a daily basis. “A cyber nation supports organizations and the nation by providing the means to achieve this state,” says Jan-Oliver Wagner.

Differences between the military and local authorities

Major General Dr Michael Färber, Head of Planning and Digitalization, Cyber & Information Space Command, explained the Bundeswehr’s perspective: According to him, a crisis occurs when the measures and options for responding are no longer sufficient. “Then something develops into a crisis.”

From the perspective of small cities and similar local authorities, however, the picture is different, according to Katrin Giebel, Head of VITAKO, the Federal Association of Municipal IT Service Providers. “80 percent of administrative services take place at the municipal level. Riots would already occur when the vehicle registration is not available.” Cities and municipalities keep being hit hard by cyber attacks, and crises start much earlier here: “For us, threats are almost the same as a crisis.”

Massive negligence in organizations is frightening, says BSI

The BSI, on the other hand, defines a “crisis” as when an individual organization is unable or no longer able to solve a problem on its own. Dr Dirk Häger, Head of the Operational Cyber Security Department at the BSI: “As soon as two departments are affected, the crisis team convenes. For us, a crisis exists as soon as we cannot solve a problem with the standard organization.” This is giving a crucial role to those employees who decide whether to call together a meeting or not. “You just reach a point where you agree: now we need the crisis team.”

Something that Häger finds very frightening, however, is how long successful attacks continue to take place after crises have actually already been resolved, for example in view of the events surrounding the Log4j vulnerability. “We put a lot of effort into this, especially at the beginning. The Log4j crisis was over, but many organizations were still vulnerable and had inadequate response capabilities. But nobody investigates it anymore,” complains the head of department from the BSI.

How to increase the speed of response?

Asked by moderator Dr. Eva-Charlotte Proll, editor-in-chief and publisher at Behörden Spiegel, what would help in view of these insights, he describes the typical procedure and decision-making process in the current, exemplary checkpoint incident: “Whether something is a crisis or not is expert knowledge. In this case, it was a flaw that was initiated and exploited by state actors.” Action was needed at the latest when the checkpoint backdoor was beginning to be exploited by other (non-state) attackers. Knowledge of this specific threat situation is also of key importance for those affected.

Also Jan Oliver Wagner once again emphasized the importance of the knowledge factor. Often the threat situation is not being discussed appropriately. At the beginning of 2024, for example, an important US authority (NIST) reduced the amount of information in its vulnerability database – a critical situation for every vulnerability management provider and their customers. Furthermore, the fact that NIST is still not defined as a critical infrastructure shows that action is needed.

The information provided by NIST is central to the National Cyber Defense Center’s ability to create a situational picture as well, agrees Färber. This also applies to cooperation with the industry: several large companies “boast that they can deliver exploit lists to their customers within five minutes. We can improve on that, too.”

Carsten Meywirth, Head of Department at the BKA, emphasized the differences between state and criminal attacks, also using the example of the supply chain attack on Solarwinds. Criminal attackers often have little interest in causing a crisis because too much media attention might jeopardize their potential financial returns. And security authorities need to stay ahead of the wave – which requires intelligence and the potential to disrupt the attackers’ infrastructure.

BKA: International cooperation

According to Major General Färber, Germany is always among the top 4 countries in terms of attacks. The USA is always in first place, but states like Germany end up in the attackers’ dragnets so massively simply because of their economy’s size. This is what makes outstanding international cooperation in investigating and hunting down perpetrators so important. “Especially the cooperation of Germany, the USA and the Netherlands is indeed very successful, but the data sprints with the Five Eyes countries (USA, UK, Australia, Canada and New Zealand) are also of fundamental importance, because that is where intelligence findings come to the table, are being shared and compared. “Successful identification of perpetrators is usually impossible without such alliances,” says Michael Färber. But Germany is well positioned with its relevant organizations: “We have significantly greater redundancy than others, and that is a major asset in this fight.” In the exemplary “Operation Endgame“, a cooperation between the security authorities and the private sector launched by the FBI, the full power of these structures is now becoming apparent. “We must and will continue to expand this.”

“We need an emergency number for local authorities in IT crises”

Getting ahead of the situation like this is still a dream of the future for the municipalities. They are heavily reliant on inter-federal support and a culture of cooperation in general. An up-to-date picture of the situation is “absolutely important” for them, Katrin Giebel from VITAKO reports. As a representative of the municipal IT service providers, she is very familiar with many critical situations and the needs of the municipalities – from staff shortages to a lack of expertise or an emergency number for IT crises that is still missing today. Such a hotline would not only be helpful, but it would also correspond to the definition from Wagner’s introductory presentation: “A cyber nation protects itself by helping companies to protect themselves.”

BSI: prevention is the most important thing

Even if the BSI does not see itself in a position to fulfil such a requirement on its own, this decentralized way of thinking has always been internalized. But whether the BSI should be developed into a central office in this sense is something that needs to be discussed first, explains Dirk Häger from the BSI. “But prevention is much more important. Anyone who puts an unsecured system online today will quickly be hacked. The threat is there. We must be able to fend it off. And that is exactly what prevention is.”

Wagner adds that information is key to this. And distributing information is definitely a task for the state, which is where he sees the existing organizations in the perfect role.

Contact Free Trial Buy Here Back to Overview

/by
Dirk Boeing

NIS2: From impending doom to effective measures

Winter is coming: The motto of House Stark from the series “Game of Thrones” indicates the approach of an undefined disaster. One could also surmise something similar when reading many articles that are intended to set the mood for the upcoming NIS2 Implementation Act (NIS2UmsuCG). Is NIS2 a roller of ice and fire that will bury the entire European IT landscape and from which only those who attend one of the countless webinars and follow all the advice can save themselves?

NIS2 as such is merely a directive issued by the EU. It is intended to ensure the IT security of operators of important and critical infrastructures, which may not yet be optimal, and to increase cyber resilience. Based on this directive, the member states are now called upon to create a corresponding law that transposes this directive into national law.

What is to be protected?

The NIS Directive was introduced by the EU back in 2016 to protect industries and service providers relevant to society from attacks in the cybersphere. This regulation contains binding requirements for the protection of IT structures in companies that operate as critical infrastructure (KRITIS) operators. These are companies that play an indispensable role within society because they operate in areas such as healthcare services, energy supply and transport. In other words, areas where deliberately caused disruptions or failures can lead to catastrophic situations – raise your hand if your household is equipped to survive a power outage lasting several days with all its consequences…

As digitalisation continues to advance, the EU had to create a follow-up regulation (NIS2), which on the one hand places stricter requirements on information security, but on the other hand also covers a larger group of companies that are “important” or “particularly important” for society. These companies are now required to fulfil certain standards in information security.

Although the NIS2 Directive was already adopted in December 2022, the member states have until 17 October 2024 to pass a corresponding implementing law. Germany will probably not make it by then. Nevertheless, there is no reason to sit back. The NIS2UmsuCG is coming, and with it increased demands on the IT security of many companies and institutions.

Who needs to act now?

Companies from four groups are affected. Firstly, there are the particularly important organisations with 250 or more employees or an annual turnover of 50 million euros and a balance sheet total of 43 million euros or more. A company that fulfils these criteria and is active in one of the following sectors: energy, transport, finance/insurance, health, water/sewage, IT and telecommunications or space is particularly important.

In addition, there are the important organisations with 50 or more employees or a turnover of 10 million euros and a balance sheet total of 10 million euros. If a company fulfils these criteria and is active in one of the following sectors: postal/courier, chemicals, research, manufacturing (medical/diagnostics, IT, electrical, optical, mechanical engineering, automotive/parts, vehicle construction), digital services (marketplaces, search engines, social networks), food (wholesale, production, processing) or waste disposal (waste management), it is considered important.

In addition to particularly important and important facilities, there are also critical facilities, which continue to be defined by the KRITIS methodology. Federal facilities are also regulated.

What needs to be done?

In concrete terms, this means that all affected companies and institutions, regardless of whether they are “particularly important” or “important”, must fulfil a series of requirements and obligations that leave little room for interpretation and must therefore be strictly observed. Action must be taken in the following areas:

Risk management

Affected companies are obliged to introduce comprehensive risk management. In addition to access control, multi-factor authentication and single sign-on (SSO), this also includes training and incident management as well as an ISMS and risk analyses. This also includes vulnerability management and the use of vulnerability and compliance scans.

Reporting obligations

All companies are obliged to report “significant security incidents”: these must be reported to the BSI reporting centre immediately, but within 24 hours at the latest. Further updates must be made within 72 hours and 30 days.

Registration

Companies are obliged to determine for themselves whether they are affected by the NIS2 legislation and to register themselves within a period of three months. Important: Nobody tells a company that it falls under the NIS2 regulation and must register. The responsibility lies solely with the individual companies and their directors.

Evidence

It is not enough to simply take the specified precautions; appropriate evidence must also be provided. Important and particularly important facilities will be inspected by the BSI on a random basis, and appropriate documentation must be submitted. KRITIS facilities will be inspected on a regular basis every three years.

Duty to inform

In future, it will no longer be possible to sweep security incidents under the carpet. The BSI will be authorised to issue instructions to inform customers about security incidents. The BSI will also be authorised to issue instructions on informing the public about security incidents.

Governance

Managing directors are obliged to approve risk management measures. Training on the topic will also become mandatory. Particularly serious: Managing directors are personally liable with their private assets for breaches of duty.

Sanctions

In the past, companies occasionally preferred to accept the vague possibility of a fine rather than making concrete investments in cyber security measures, as the fine seemed quite acceptable. NIS2 now counters this with new offences and in some cases drastically increased fines. This is further exacerbated by the personal liability of managing directors.

As can be seen, the expected NIS2 implementation law is a complex structure that covers many areas and whose requirements can rarely be covered by a single solution.

What measures should be taken as soon as possible?

Continuously scan your IT systems for vulnerabilities. This will uncover, prioritise and document security gaps as quickly as possible. Thanks to regular scans and detailed reports, you create the basis for documenting the development of the security of your IT infrastructure. At the same time, you fulfil your obligation to provide evidence and are well prepared in the event of an audit.

On request, experts can take over the complete operation of vulnerability management in your company. This also includes services such as web application pentesting, which specifically identifies vulnerabilities in web applications. This covers an important area in the NIS2 catalogue of requirements and fulfils the requirements of § 30 (risk management measures).

Conclusion

There is no single, all-encompassing measure that will immediately make you fully NIS2-compliant. Rather, there are a number of different measures that, taken together, provide a good basis. One component of this is vulnerability management with Greenbone. If you keep this in mind and put the right building blocks in place in good time, you will be on the safe side as an IT manager. And winter can come.

Contact Free Trial Buy Here Back to Overview

/by
Joseph Lee

May 2024 Threat Tracking: Global CVE Disclosures Continue to Heat up

May 2024 made April’s record breaking CVE mountain into a mole-hill. The previous record for most CVEs published in a month grew by 36.9%. In total, a staggering 5061 vulnerabilities were added in May 2024. Considering the potentially high cost of a data breach, security teams need to stay in the loop with current cybersecurity trends, and the latest vulnerabilities. In this month’s threat tracker post, we will review several high profile enterprise software vendors suffering from newly discovered vulnerabilities in bulk and cover some of the latest known exploited vulnerabilities.

But first, we relay some news about one of our own – Christian Kuersteiner, a member of Greenbone’s vulnerability test development team, who’s responsible disclosure means that fewer vulnerabilities exist in the wild for attackers to take advantage of.

Greenbone’s Own Facilitating Responsible Disclosure

In May, Christian Kuersteiner, a software developer on the Greenbone team disclosed a vulnerability he had discovered in the Telerik Report Server. Telerik Report Server is a proprietary centralized Windows-based platform for managing and distributing reports. Rated as CVSS 5.5, the vulnerability could allow an unauthorized attacker to gain access to sensitive admin configuration data [CWE-200], and has since been published as CVE-2024-4837.

We asked Christian to describe what responsible security researchers do upon finding a bug. Here is what he had to say:

“Greenbone’s goal is to keep our customers safe. So naturally, we try to report vulnerabilities we find directly to the vendor with the details so they can provide fixes to their customers before attackers can take advantage. The people from Progress / Telerik and BugCrowd were very fast in responding, acknowledging, and fixing the vulnerability. The vulnerability was fixed, and a public advisory released within one week after reporting.”
Christian Kuersteiner, Security Researcher and Vulnerability Test Developer at Greenbone

In this instance, Christian’s contribution exemplifies how the bug reporting, aka responsible disclosure, process is meant to work. A vendor’s internal disclosure process triggers when a security researcher informs them of a bug. Since honorable software engineers are not the only people who may discover the bug, it could become a doorway for bad actors to gain a foothold on a network to steal data or deploy ransomware. In many cases, the damage extends to the general public as in the recent Change Healthcare breach.

Vendors are advised to follow best practices by posting a security.txt file [RFC-9116] at the root of their company domain, including a SECURITY.md file in public GitHub repositories, and enabling an email address such as security@example.com [RFC-2142] for receiving security related information.

Our story ends here on a positive note. Telerik has quickly released a security update that fixes the vulnerability. Users should update their instance of Report Server to version 2024 Q2 (10.1.24.514) or later to protect against CVE-2024-4837. Finally, CVE-2024-4837 can be detected by Greenbone with both an active check and a version detection test.

Cisco Reports 21 New Vulnerabilities – 10 High Severity; 2 Actively Exploited

May was a rough month for Cisco products with respect to vulnerabilities. A total of 21 new vulnerabilities were disclosed across a variety of Cisco products. Of these, ten were high severity. This follows on intel from late April, when 2 vulnerabilities in Cisco products were added to CISA’s known exploited vulnerabilities (KEV) catalog. Cisco Talos reported that these recent vulnerabilities are part of a nation-state cyber espionage campaign dubbed “ArcaneDoor” targeting perimeter network devices that began in January 2024.

  • CVE-2024-20353 (CVSS 8.6 High): A denial of service (DoS) vulnerability in the management and VPN web servers for Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) software caused by incomplete error checking when parsing an HTTP header, may allow an attacker remotely exploit a vulnerable system. CVE-2024-20353 is known to be actively exploited.
  • CVE-2024-20359 (CVSS 6.0 High): A vulnerability in Cisco ASA and Cisco FTD Software allows an authenticated, local attacker to execute arbitrary code with root-level privileges after uploading a malicious file from flash memory and reloading the system to alter its configuration. CVE-2024-20359 is known to be actively exploited.
  • CVE-2024-20356 (CVSS 8.7 High): A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) allows an attacker with admin access to the web-based management interface the ability to perform command injection attacks with system level privileges on the affected device. This potentially allows an attacker to perform actions outside the intended scope of the management interface to install malware or a rootkit. Furthermore, while CVE-2024-20356 has not been added to CISA’s KEV catalog yet, proof-of-concept (PoC) exploit code is publicly available.

Greenbone is able to identify impacted versions of Cisco’s ASA [1][2], Cisco FTD Software [3][4] and Cisco IMC [5] as well as other recently disclosed vulnerabilities in Cisco products.

GitLab Community and Enterprise Actively Exploited

First publicly disclosed in January 2024, a weakness in GitLab Community and Enterprise editions tracked as CVE-2023-7028 (CVSS 10 Critical) was tagged as actively exploited by CISA on May 1st, 2024. Remediating known actively exploited critical vulnerabilities should be top priority for enterprise IT security teams. In total, 13 new vulnerabilities affecting GitLab were disclosed in May 2024.

CVE-2023-7028 results from a failure to properly implement access controls [CWE-284] and allows an attacker to trigger password reset emails to be sent to an arbitrary email address. Exploitation allows an attacker to access administrator accounts on GitLab’s Community Edition (CE) and Enterprise Edition (EE), a web-based DevOps lifecycle tool and Git repository manager.

CVE-2023-7028 is present in all major versions of GitLab from 16.1 through to 16.7 that do not have the most recent patches installed. At least one publicly available PoC exploit, and a detailed technical description mean this vulnerability should be categorized as trivial to exploit going forward.

CVE-2024-4835 also stood out from the pile of May vulnerabilities in GitLab. With a CVSS of 8.0, CVE-2024-4835 is a cross-site scripting (XSS) vulnerability VS web-based code editor affecting GitLab in all versions of 15.11 though 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging CVE-2024-4835, an attacker can craft a malicious page to exfiltrate sensitive user information.

35 New Adobe CVEs Stand Out Against The May Landscape

In May, Adobe disclosed a total of 45 vulnerabilities across various products. Out of these, a stunning 32 were classified as high severity with a CVSS score of 7.8 or above. All the high severity vulnerabilities are exploited by tricking a victim into opening a malicious file and may result in arbitrary code execution on behalf of an attacker.

These vulnerabilities are prime candidates for use in social engineering attacks such as malspam, phishing, spear phishing, and drive-by-download campaigns by major cybercrime groups, especially initial access brokers (IAB) to gain unauthorized initial access to victim’s computers and internal networks. Users are urged to update their software to the latest versions to mitigate the risks and more generally to be very cautious of any software not procured from the original vendor, and of opening any documents from untrusted sources.

Here is a summary of affected products:

  • Adobe Acrobat Reader: Acrobat Reader received a total of 11 new vulnerabilities. Of these, 9 were classified as high severity, each carrying a CVSS of 7.8. These vulnerabilities affect Adobe Acrobat Reader versions 20.005.30574, 24.002.20736, and earlier.
  • Adobe Framemaker: Adobe Framemaker received 8 new vulnerabilities, 5 of which are high severity. The affected versions include Adobe Framemaker 2020.5, 2022.3, and earlier.
  • Adobe Animate: Animate saw 7 vulnerabilities disclosed in May, with 5 classified as high severity. The vulnerabilities affect Animate versions 24.0.2, 23.0.5, and earlier.

A Typhoon Of Critical CVEs Hit ArubaOS

In May, HPE Aruba Networking disclosed a total of 28 vulnerabilities for its ArubaOS operating system. A staggering 16 of these were assessed as CVSS 9.8 high severity or above. ArubaOS has only one previously disclosed CVE so far in 2024, which was released in March making this month’s disclosure an anomaly. ArubaOS is considered a leader in WLAN management, security appliances including intrusion detection and prevention systems. As an indication of ArubaOS’s market share, Aruba Networking, a Hewlett-Packard subsidiary, posted revenue of $7.2B USD in Q2-2024.

The affected products include various services and protocols accessed via the PAPI protocol. Among the most affected components of ArubaOS, the command line interface (CLI) service and Central Communications service stood out, both with multiple high-severity vulnerabilities that could potentially offer attackers arbitrary code execution. Users are advised to apply the latest updates and follow the vendor’s resolution guide to mitigate affected products.

Greebone includes vulnerability tests to identify vulnerable ArubaOS instances, allowing IT security teams to identify, prioritize, and remediate these vulnerabilities by installing the security updates.

Apache ActiveMQ 6.x Deemed Insecure By Design

In late 2023, we covered an actively exploited CVSS 9.8 Critical vulnerability in Apache ActiveMQ. ActiveMQ is a message broker service that allows processes in a distributed architecture to share information in a queued list.

In May 2024, ActiveMQ came under fire again. This time its default configuration was assigned CVE-2024-32114 (CVSS 8.5 High), an unauthenticated exposure in the ActiveMQ management API’s Jolokia JMX REST API and Message REST API. The vulnerability allows attackers to freely interact with the broker to produce or consume messages (via the Jolokia JMX REST API) or purge or delete destinations (via the Message REST API).

Greenbone can detect CVE-2024-32114 by identifying vulnerable versions of ActiveMQ. To mitigate, users are recommended to add a security constraint to the default conf/jetty.xml configuration file to require authentication or upgrade to Apache ActiveMQ 6.1.2 where the default configuration has been updated with authentication by default.

According to CISA’s Security By Design principles and the EU’s tough new Cyber Resilience Act, products must be delivered with a secure default configuration as vendors, even open-source software vendors, are asked to take more responsibility for security outcomes imposed by their products.

Ivanti Fixes Multiple Vulnerabilities in Avalanche MDM System

Ivanti has previously been featured in Greenbone’s security advisories. Just last month, our April 2024 Threat Tracking reviewed how The MITRE Corporation suffered a breach via two previously disclosed Ivanti vulnerabilities in Ivanti Connect Secure VPN. Ivanti is now the subject of another critical vulnerability in its Avalanche Mobile Device Management (MDM) system.

Avalanche is designed to help organizations secure and manage their mobile devices, including smartphones, tablets, and other mobile endpoints. Tracked as CVE-2024-29204 with a CVSS of 9.8 Critical, the vulnerability is a heap overflow [CWE-122] in Avalanche’s WLAvalancheService component that could allow an unauthenticated remote attacker to execute arbitrary commands. All versions of Ivanti Avalanche before 6.4.3 are affected, and Greenbone’s Enterprise feed includes a version detection test to identify vulnerable instances.

Summary

May 2024 saw a significant rise in disclosed vulnerabilities, surpassing April’s record by 36.9% with a total of 5061 CVEs. In this month’s summary report, we have highlighted how one of Greenbone’s own developers participated in the responsible disclosure process to ensure vulnerabilities are identified and patched.

This month, high severity vulnerabilities were reported across many enterprise software and hardware products including various Cisco products, GitLab, Adobe’s suite of creative design products, HP’s ArubaOS, Apache ActiveMQ, and Ivanti’s Avalanche MDM system. Organizations must stay vigilant by staying current with vulnerability intelligence and making their best efforts to identify, prioritize, and patch exploitable weaknesses in their IT infrastructure.

Contact Free Trial Buy Here Back to Overview

/by
Joseph Lee

Proactive Cybersecurity Reduces the Cost of a Breach

From a bird’s eye view, the cumulative cost of cyber-crime is estimated to reach 9.2 Trillion USD globally in 2024. According to the 2023 IBM X-Force Cost of a Data Breach Report, a single breach imposes an average of 4.45M USD of financial damage on a victim and while US firms incur more than double the global average, German organizations fared on par with the global average.

The most staggering costs are incurred by post-breach remediation activities such as incident response, digital forensics, system recovery, and mandatory disclosure reporting, while regulatory fines can also significantly add to cyber breach costs. Change Healthcare has forecasted an expected loss of 1.6B USD this year due to a breach that occurred in March 2024 and as discussed below, regulatory fines may be pending.

These potential damages highlight the importance of proactive security measures for preventing successful cyber attacks but also mitigating the financial impact should one occur​. The Ponemon Institute found that missing security patches accounted for 57% of cyber attacks. Getting breached less often is an obvious benefit of implementing preventative cybersecurity measures, but according to IBM, organizations with proactive risk-based vulnerability management (RBVM), also experience lower than average expenses post-breach (3.98M USD) compared to organizations without such measures (4.45M USD), those suffering from a skills shortage (5.36M USD), or those deemed non-compliant with cybersecurity regulations (5.05M USD).

Cost Of The Change Healthcare Post Ransomware Attack

In March, 2024 Change Healthcare suffered a ransomware attack that has so far burdened the company with roughly 872M USD in damages, and delayed 6B USD in health insurance payments. Change Healthcare forecasts an annual expected loss of 1.6B USD due to the incident. Established in 2007, Change Healthcare is a leading healthcare technology company selling revenue cycle management, payment accuracy, and clinical data exchange services globally​. A 2022 acquisition saw the company valued at 8B USD​.

HIPAA Compliance Investigation Into Change Healthcare

On top of that steep damage, the US HHS Office for Civil Rights, the entity responsible for enforcing the Health Insurance Portability and Accountability Act (HIPAA), has opened an investigation into the attack seeking to determine whether Change Healthcare violated its compliance requirements. The HIPAA Security Rules require covered entities to implement “recognized security practices” to protect ePHI against reasonably anticipated security threats.

Continuous vulnerability management activities are a fundamental component of all modern cybersecurity frameworks. If it can be called a bright side, the most severe penalties for HIPPA non-compliance are capped at a mere 2M USD; short change in comparison to the overall cost of response and recovery for this particular incident.

The Greenbone Vulnerability Management platform is capable of implementing customized compliance tests to meet any framework including CIS, DISA STIG, HIPAA, and more, and Greenbone is certified for both its information security management systems ISMS (ISO 27001), quality management (ISO 9000), and most recently, environmental management (ISO-14001).

Contact Free Trial Buy Here Back to Overview

/by
Markus Feilner

Protection of Office Suites: Greenbone Integrates Additional BSI Basic and CIS Guidelines

The IT-Grundschutz-Compendium of the Federal Office for Information Security (BSI) has, in recent years, provided clear guidelines for users of Microsoft Office. Since April 2024, Greenbone’s enterprise products have integrated tests to verify whether a company is implementing these instructions. The BSI guidelines are aligned with the Center for Internet Security (CIS) guidelines.

In the section “APP:Applications 1.1. Office Products” the BSI specifies the “requirements for the functionality of Office product components.” The goal is to protect the data processed and used by the Office software. While Microsoft Office is likely the primary reference due to its widespread market penetration, the model behind the BSI guidelines aims to apply to any office product “that is locally installed and used to view, edit, or create documents, excluding email applications.”

BSI Guidelines

The module explicitly builds on the requirements of the “APP.6 General Software” component and refers to the modules “APP.5.3 General Email Client,” “APP.4.3 Relational Databases,” and “OPS.2.2 Cloud Usage,” although it expressly does not consider these.

The BSI identifies three main threats to Office suites:

  • Lack of customization of Office products to the institution’s needs
  • Malicious content in Office documents
  • Loss of integrity of Office documents

The components listed in the BSI IT-Grundschutz-Compendium include 16 points, some of which have since been removed. Greenbone has developed several hundred tests, primarily addressing five of the basic requirements, including “Secure opening of documents from external sources” (APP.1.1. A3) and “Use of encryption and digital signatures” listed in APP.1.1. A15. The BSI specifies:

“All documents obtained from external sources MUST be checked for malware before being opened. All file formats deemed problematic and all unnecessary within the institution MUST be banned. If possible, they SHOULD be blocked. Technical measures SHOULD enforce that documents from external sources are checked.”

Regarding encryption, it states: “Data with increased protection requirements SHOULD only be stored or transmitted in encrypted form. Before using an encryption method integrated into an Office product, it SHOULD be checked whether it offers sufficient protection. Additionally, a method SHOULD be used that allows macros and documents to be digitally signed.”

CIS Guidelines Enhance Basic Protection

In addition to the requirements listed in the BSI Basic Protection Manual, the CIS Benchmark from the Center for Internet Security (CIS) for Microsoft Office includes further and more specific suggestions for securing Microsoft products. The CIS guidelines are developed by a community of security experts and represent a consensus-based best practice collection for Microsoft Office.

As one of the first and only vulnerability management providers, Greenbone now offers tests on security-relevant features mentioned in the CIS guidelines, uniting CIS and BSI instructions in numerous, sometimes in-depth tests, such as on ActiveX Control Initialization in Microsoft Office. The Greenbone Vulnerability Management tests whether this switch is set to “enabled”, but also many other settings, for example, whether “Always prevent untrusted Microsoft Query files from opening” is set to “Enabled” among many others.

Many tests focus on external content, integrating macros, and whether and how these external contents are signed, verifiable, and thus trustworthy or not, and whether administrators have done their homework in configuring Microsoft Office. According to the BSI, one of the most significant threats (and the first mentioned) is the lack of adaptation of Office products to the reality and the business processes in the company. Greenbone’s new tests ensure efficient compliance with regulations, making it harder for attackers and malware to establish a foothold and cause damage in the company.

Contact Free Trial Buy Here Back to Overview

/by
Andreas Bergler

Potsdam conference for national cyber security 2024

On 19 and 20 June 2024, it’s all about the big picture: high-ranking IT specialists and decision-makers from politics, business and science will meet in Potsdam to provide an overview of “National Cybersecurity”. One of the biggest, widespread challenges is the rapid development of artificial intelligence (AI). Elmar Geese, CEO of Greenbone, will discuss its influence on IT security with Dr Christoph Bausewein (CrowdStrike), Dr Sven Herpig (Stiftung Neue Verantwortung) and Dr Kim Nguyen (Bundesdruckerei) on the podium.

  • Time: 19 June 2024; 13:45
  • Place: Hasso Plattner Institute, Potsdam, Prof.-Dr.-Helmert-Straße 2-3 (Griebnitzsee campus)
  • Topic: How is artificial intelligence changing the cybersecurity landscape?
  • Moderation: Prof Dr Sandra Wachter, University of Oxford

The Potsdam Conference on National Cybersecurity will take place on 19 and 20 June 2024. Visit us at our stand at the conference!

Registration: https://hpi.de/das-hpi/bewerbung/2024/potsdam-cybersecurity-conference/

Contact Free Trial Buy Here Back to Overview

/by