it-sa 2024 in Nuremberg was a great success not only for the organizers but also for us: three days full of inspiring conversations, new contacts and important insights into the current security requirements of existing and potential customers. As one of the most important trade fairs for IT security in Europe, it-sa was the ideal platform for us to present the latest developments to a broad audience. Our keynote, held by CEO Dr. Jan-Oliver Wagner, attracted numerous trade visitors. Under the title “Be secure and stay secure”, he provided insights into the importance of our portfolio for proactive corporate security.

The Greenbone team at it-sa 2024 was pleased to welcome twice as many visitors as in the previous year.

 

Keynote: Vulnerability Management as the Basis for Cyber Security

In his keynote, Jan-Oliver Wagner spoke about the growing importance of vulnerability management as the fundamental building block of a comprehensive security strategy. Companies and organizations of all sizes are facing the challenge of dealing with the ever-increasing threat of cyber attacks. Especially because the number of attacks has increased dramatically in recent years and that high tens of millions have already been paid in cyber extortion, it is clear that cybersecurity is no longer just “nice to have”, but essential for survival. 

Jan-Oliver Wagner called for threats to be detected as early as possible and for risks to be managed proactively. He presented vulnerability management as “the first line of defense” against attackers. With Greenbone solutions, companies can continuously check their IT infrastructure for security vulnerabilities: “Vulnerability management is the basis of a sustainable and highly effective security strategy.” Security teams are often faced with the difficult task of assessing risks appropriately and making the right decisions. “The goal is to stay one step ahead of attackers. Our solutions not only identify security vulnerabilities, but also help prioritize which vulnerabilities need to be addressed most urgently.”

Inspiring Conversations and New Contacts: the Trade Fair Highlights

The trade fair enabled us to engage directly with industry visitors, customers and partners, answer their questions and better understand their perspectives. With many technical discussions in just three days, the number of visitors to our partner stand at ADN more than doubled compared to last year, reports Ingo Conrads, Chief Sales Officer: “We were particularly pleased about the many new prospects and partners with whom we were able to discuss many new business opportunities.” 

Greenbone CEO Dr. Jan-Oliver Wagner giving the keynote “Be secure and stay secure” at it-sa 2024.

Many visitors already knew Greenbone as a brand, partly by OpenVAS in the past. But new products such as Greenbone Basic were also a discovery for many, showing how comprehensive and scalable our solutions have become – from entry-level to enterprise products for the public sector. The diversity of our portfolio and our services in particular generated surprise and interest. An overview of the various possible uses of our solutions is available on our website.

Thank You for the Successful Trade Fair!

it-sa 2024 was a great success and an inspiring experience for us. Once again, the trade fair showed how important vulnerability management has become and that Greenbone is making an important contribution to IT security. Many thanks to our distribution partner ADN for the excellent cooperation at the partner stand – and many thanks to all visitors for the interesting discussions and valuable feedback!

Together we are working to ensure that companies are secure – and stay secure. 

Next week, it-sa, one of the largest platforms for IT security solutions, will kick off. On the opening day, October 22, 2024, from 11:00 a.m., Greenbone’s CEO Dr. Jan-Oliver Wagner will show how companies can remain capable of managing crisis situations. With the “Action” in Forum 6-B “Be secure and stay secure” he shows ways out of the growing threats posed by cyber risks. It is not for nothing that his overview of the possibilities and potential of vulnerability management is not called a “lecture”, but “action”: action is needed!

Take Action!

In times when ransomware gangs are trying to extort tens of millions of dollars, it’s essential for companies and organizations to act as early as possible to ensure the security of their IT systems, data and business operations. Every investment in cyber security pays off many times over when the acquisition costs of a corresponding proactive solution are compared with the costs incurred by a security breach – the costs of paying ransom are devastating. As with any calculation of interest and compound interest: the earlier the investment, the more it pays off. 

Greenbone’s solutions start at the earliest possible point in the history of cyber risks: the proactive detection of security vulnerabilities in your own IT infrastructure. Proactive vulnerability management goes hand in hand with a well-founded security strategy. Security intelligence is continuously provided, systems are monitored and results are compared and matched to known vulnerabilities.

Gaining a Knowledge Advantage

Because criminals make their attacks on their victims’ networks as impactful and widespread as possible in order to maximize their profits, IT managers should make it as difficult as possible in return. Vulnerability management offers companies a decisive advantage in the race against potential attackers. Vulnerabilities are often exploited before they are publicly announced, but once they are known, the race between attacker and the attacked enters the hot phase: attack vectors should be closed faster than cybercriminals can exploit them.

Manage Risks

To prevent the security risk from escalating, Greenbone solutions now access over 180,000 automated vulnerability tests. This reduces the potential attack surface by 99.9% compared to companies that do not use vulnerability management. These immense opportunities for risk minimization require prudent security management. The more vulnerabilities get uncovered, the more pressing the need for action becomes. Which IT systems require immediate help? Which assets and interaction paths in the company are particularly critical and which security measures should be prioritized? 

Only those who have plausible answers to these questions will be able to keep the overall risk of cyber attacks as low as possible in the long term. Jan-Oliver Wagner will identify top priorities and how a corresponding “triage” can be practiced among data and systems in day-to-day operations in the it-sa action “Be secure and stay secure”. Join us!

Visit us at our booth 6-346 or make an appointment right away and get your free ticket to the trade show. We look forward to your visit!

Make an appointment!

While the German government has yet to implement the necessary adjustments for the NIS2 directive, organizations shouldn’t lose momentum. Although the enforcement is now expected in Spring 2025 instead of October 2024, the core requirements remain unchanged. While there remains a lot of work for companies, especially operators of critical infrastructure, most of it is clear and well-defined. Organizations must still focus on robust vulnerability management, such as that offered by Greenbone.

Missed Deadlines and the Need for Action

Initially, Germany was supposed to introduce the NIS2 compliance law by October 17, 2024, but the latest drafts failed to gain approval, and even the Ministry of the Interior does not anticipate a timely implementation. If the parliamentary process proceeds swiftly, the law could take effect by Q1 2025, the Ministry announced.

A recent study by techconsult (only in German), commissioned by Plusnet, reveals that while 67% of companies expect cyberattacks to increase, many of them still lack full compliance. NIS2 mandates robust security measures, regular risk assessments and rapid response to incidents. Organizations must report security breaches within 24 hours and deploy advanced detection systems, especially those already covered under the previous NIS1 framework.

Increased Security Budgets and Challenges

84% of organizations plan to increase their security spending, with larger enterprises projecting up to a 12% rise. Yet only 29% have fully implemented the necessary measures, citing workforce shortages and lack of awareness as key obstacles. The upcoming NIS2 directive presents not only a compliance challenge but also an opportunity to strengthen cyber resilience and gain customer trust. Therefore, 34% of organizations will invest in vulnerability management in the future.

Despite clear directives from the EU, political delays are undermining the urgency. The Bundesrechnungshof and other institutions have criticized the proposed exemptions for government agencies, which could weaken overall cybersecurity efforts. Meanwhile, the healthcare sector faces its own set of challenges, with some facilities granted extended transition periods until 2030.

Invest now to Stay Ahead

Latest since the NIS2 regulations impend, businesses are aware of the risks and are willing to invest in their security infrastructure. As government action lags, companies must take proactive measures. Effective vulnerability management solutions, like those provided by Greenbone, are critical to maintaining compliance and security.

A 2023 World Economic Forum report surveyed 151 global organizational leaders and found that 93% of cyber leaders and 86% business leaders believe a catastrophic cyber event is likely within the next two years. Still, many software vendors prioritize rapid development and product innovation above security. This month, CISA’s Director Jen Easterly stated software vendors “are building problems that open the doors for villains” and that “we don’t have a cyber security problem – we have a software quality problem”. Downstream, customers benefit from innovative software solutions, but are also exposed to the risks from poorly written software applications; financially motivated ransomware attacks, wiper malware, nation-state espionage and data theft, costly downtime, reputational damage and even insolvency.

However astute, the Director’s position glosses over the true cyber risk landscape. For example, as identified by Bruce Schneier back in 1999; IT complexity increases the probability of human error leading to misconfigurations [1][2][3]. Greenbone identifies both known software vulnerabilities and misconfigurations with industry leading vulnerability test coverage and compliance tests attesting CIS controls and other standards such as the BSI basic controls for Microsoft Office.

At the end of the day, organizations hold responsibility to their stakeholders, customers and the general public. They need to stay focused and protect themselves with fundamental IT security activities including Vulnerability Management. In September 2024’s Threat Tracking blog post, we review the most pressing new developments in the enterprise cybersecurity landscape threatening SMEs and large organizations alike.

SonicOS Exploited in Akira Ransomware Campaigns

CVE-2024-40766 (CVSS 10 Critical) impacting SonicWall’s flagship OS SonicOS, has been identified as a known vector for campaigns distributing Akira ransomware. Akira, originally written in C++, has been active since early 2023. A second Rust-based version became the dominant strain in the second half of 2023. The primary group behind Akira is believed to stem from the dissolved Conti ransomware gang. Akira is now operated as a Ransomware as a Service (RaaS) leveraging a double extortion tactic against targets in Germany and across the EU, North America, and Australia. As of January 2024, Akira had compromised over 250 businesses and critical infrastructure entities, extorting over 42 million US-Dollar.

Akira’s tactics include exploiting known vulnerabilities for initial access such as:

Greenbone includes tests to identify SonicWall devices vulnerable to CVE-2024-40766 [1][2] and all other vulnerabilities exploited by the Akira ransomware gang for initial access.

Urgent Patch for Veeam Backup and Restoration

Ransomware is the apex cyber threat, especially in healthcare. The US Human and Healthcare Services (HHS) reports that large breaches increased by 256% and ransomware incidents by 264% over the past five years. Organizations have responded with more proactive cybersecurity measures to prevent initial access and more robust incident response and recovery, including more robust backup solutions. Backup systems are thus a prime target for ransomware operators.

Veeam is a leading vendor of enterprise backup solutions globally and promotes its products as a viable safeguard against ransomware attacks. CVE-2024-40711 (CVSS 10 Critical), a recently disclosed vulnerability in Veeam Backup and Recovery is especially perilous since it could allow hackers to target the last line of protection against ransomware – backups. The vulnerability was discovered and responsibly reported by Florian Hauser of CODE WHITE GmbH, a German cybersecurity research company. Unauthorized Remote Code Execution (RCE) via CVE-2024-40711 was quickly verified by security researchers within 24 hours of the disclosure, and proof-of-concept code is now publicly available online, compounding the risk.

Veeam Backup & Replication version 12.1.2.172 and all earlier v12 builds are vulnerable and customers need to patch affected instances with urgency. Greenbone can detect CVE-2024-40711 in Veeam Backup and Restoration allowing IT security teams to stay one step ahead of ransomware gangs.

Blast-RADIUS Highlights a 20 Year old MD5 Collision Attack

RADIUS is a powerful and flexible authentication, authorization, and accounting (AAA) protocol used in enterprise environments to validate user-supplied credentials against a central authentication service such as Active Directory (AD), LDAP, or VPN services. Dubbed BlastRADIUS, CVE-2024-3596 is a newly disclosed attack against the UDP implementation of RADIUS, accompanied by a dedicated website, research paper, and attack details. Proof-of-concept code is also available from a secondary source.

Blast-RADIUS is an Adversary in The Middle (AiTM) attack that exploits a chosen-prefix collision weakness in MD5 originally identified in 2004 and improved in 2009. The researchers exponentially reduced the time required to spoof MD5 collisions and released their improved version of hashclash. The attack can allow an active AiTM positioned between a RADIUS client and a RADIUS server to trick the client into honoring a forged Access-Accept response despite the RADIUS server issuing a Access-Reject response. This is accomplished by computing an MD5 collision between the expected Access-Reject and a forged Access-Accept response allowing an attacker to approve login requests.

Greenbone can detect a wide array vulnerable RADIUS implementations in enterprise networking devices such as F5 BIG-IP [1], Fortinet FortiAuthenticator [2] and FortiOS [3], Palo Alto PAN-OS [4], Aruba CX Switches [5] and ClearPass Policy Manager [6], and on the OS level in Oracle Linux [7][8], SUSE [9][10][11], OpenSUSE [12][13], Red Had [14][15], Fedora [16][17], Amazon [18], Alma [19][20], and Rocky Linux [21][22] among others.

Urgent: CVE-2024-27348 in Apache HugeGraph-Server

CVE-2024-27348 (CVSS 9.8 Critical) is a RCE vulnerability in the open-source Apache HugeGraph-Server that affects all versions of 1.0 before 1.3.0 in Java8 and Java11. HugeGraph-Server provides an API interface used to store, query, and analyze complex relationships between data points and is commonly used for analyzing data from social networks, recommendation systems and for fraud detection.

CVE-2024-27348 allows attackers to bypass the sandbox restrictions within the Gremlin query language by exploiting inadequate Java reflection filtering. An attacker can leverage the vulnerability by crafting malicious Gremlin scripts and submitting them via API to the HugeGraph /gremlin endpoint to execute arbitrary commands. The vulnerability can be exploited via remote, adjacent, or local access to the API and can enable privilege escalation.

It is being actively exploited in hacking campaigns. Proof-of-concept exploit code [1][2][3] and an in-depth technical analysis are publicly available giving cyber criminals a head start in developing attacks. Greenbone includes an active check and version detection test to identify vulnerable instances of Apache HugeGraph-Server. Users are advised to update to the latest version.

Ivanti has Been an Open Door for Attackers in 2024

Our blog has covered vulnerabilities in Invati products several times this year [1][2][3]. September 2024 was another hot month for weaknesses in Ivanti products. Ivanti finally patched CVE-2024-29847 (CVSS 9.8 Critical), a RCE vulnerability impacting Ivanti Endpoint Manager (EPM), first reported in May 2024. Proof-of-concept exploit code and a technical description are now publicly available, increasing the threat. Although there is no evidence of active exploitation yet, this CVE should be considered high priority and patched with urgency.

However, in September 2024, CISA also identified a staggering four new vulnerabilities in Ivanti products being actively exploited in the wild. Greenbone can detect all of these new additions to CISA KEV and previous vulnerabilities in Ivanti products. Here are the details:

Summary

In this month’s Threat Tracking blog, we highlighted major cybersecurity developments including critical vulnerabilities such as CVE-2024-40766 exploited by Akira ransomware, CVE-2024-40711 impacting Veeam Backup and the newly disclosed Blast-RADIUS attack that could impact enterprise AAA. Proactive cybersecurity activities such as continuous vulnerability management and compliance attestation help to mitigate risks from ransomware, wiper malware, and espionage campaigns, allowing defenders to close security gaps before adversaries can exploit them.

The cybersecurity risk environment has been red hot through the first half of 2024. Critical vulnerabilities in even the most critical technologies are perpetually open to cyber attacks, and defenders face the continuous struggle to identify and remediate these relentlessly emerging security gaps. Large organizations are being targeted by sophisticated “big game hunting” campaigns by ransomware gangs seeking to hit the ransomware jackpot. The largest ransomware payout ever was reported in August – 75 million Dollar to the Dark Angels gang. Small and medium sized enterprises are targeted on a daily basis by automated “mass exploitation” attacks, also often seeking to deliver ransomware [1][2][3].

A quick look at CISA’s Top Routinely Exploited Vulnerabilities shows us that even though cyber criminals can turn new CVE (Common Vulnerabilities and Exposures) information into exploit code in a matter of days or even hours, older vulnerabilities from years past are still on their radar.

In this month’s Threat Tracking blog post, we will point out some of the top cybersecurity risks to enterprise cybersecurity, highlighting vulnerabilities recently reported as actively exploited and other critical vulnerabilities in enterprise IT products.

The BSI Improves LibreOffice’s Mitigation of Human Error

OpenSource Security on behalf of the German Federal Office for Information Security (BSI) recently identified a secure-by-design flaw in LibreOffice. Tracked as CVE-2024-6472 (CVSS 7.8 High), it was found that users could enable unsigned macros embedded in LibreOffice documents, overriding the “high security mode” setting. While exploitation requires human interaction, the weakness addresses a false sense of security, that unsigned macros could not be executed when “high security mode” enabled.

KeyTrap: DoS Attack Against DNSSEC

In February 2024, academics at the German National Research Center for Applied Cybersecurity (ATHENE) in Darmstadt disclosed “the worst attack on DNS ever discovered”. According to German researchers, a single packet can cause a “Denial of Service” (DoS) by exhausting a DNSSEC-validating DNS resolver. Dubbed “KeyTrap”, attackers can exploit the weakness to prevent clients using a compromised DNS server from accessing the internet or local network resources. The culprit is a design flaw in the current DNSSEC specification [RFC-9364] that dates back more than 20 years [RFC-3833].

Published in February 2024 and tracked as CVE-2023-50387 (CVSS 7.5 High), exploitation of the vulnerability is considered trivial and proof-of-concept code is available on GitHub. The availability of exploit code means that low skilled criminals can easily launch attacks. Greenbone can identify systems with vulnerable DNS applications impacted by CVE-2023-50387 with local security checks (LSC) for all operating systems.

CVE-2024-23897 in Jenkins Used to Breach Indian Bank

CVE-2024-23897 (CVSS 9.8 Critical) in Jenkins (versions 2.441 and LTS 2.426.2 and earlier) is being actively exploited and used in ransomware campaigns including one against the National Payments Corporation of India (NPCI). Jenkins is an open-source automation server used primarily for continuous integration (CI) and continuous delivery (CD) in software development operations (DevOps).

The Command Line Interface (CLI) in affected versions of Jenkins contains a path traversal vulnerability [CWE-35] caused by a feature that replaces the @-character followed by a file path with the file’s actual contents. This allows attackers to read the contents of sensitive files including those that provide unauthorized access and subsequent code execution. CVE-2024-23897 and its use in ransomware attacks follows a joint CISA and FBI alert for software vendors to address path traversal vulnerabilities [CWE-35] in their products. Greenbone includes an active check [1] and two version detection tests [2][3] for identifying vulnerable versions of Jenkins on Windows and Linux.

2 New Actively Exploited CVEs in String of Apache OFBiz Flaws

Apache OFBiz (Open For Business) is a popular open-source enterprise resource planning (ERP) and e-commerce software suite developed by the Apache Software Foundation. In August 2024, CISA alerted the cybersecurity community to active exploitation of Apache OFBiz via CVE-2024-38856 (CVSS 9.8 Critical) affecting versions before 18.12.13. CVE-2024-38856 is a path traversal vulnerability [CWE-35] that affects OFBiz’s “override view” functionality allowing unauthenticated attackers Remote Code Execution (RCE) on the affected system.

CVE-2024-38856 is a bypass of a previously patched vulnerability, CVE-2024-36104, just published in June 2024, indicating that the initial fix did not fully remediate the problem. This also builds upon another 2024 vulnerability in OFBiz, CVE-2024-32113 (CVSS 9.8 Critical), which was also being actively exploited to distribute Mirai botnet. Finally, in early September 2024, two new critical severity CVEs, CVE-2024-45507 and CVE-2024-45195 (CVSS 9.8 Critical) were added to the list of threats impacting current versions of OFBiz.

Due to the notice of active exploitation and Proof-of-Concept (PoC) exploits being readily available for CVE-2024-38856 [1][2] and CVE-2024-32113 [1][2] affected users need to patch urgently. Greenbone can detect all aforementioned CVEs in Apache OFBiz with both active and version checks.

CVE-2022-0185 in the Linux Kernel Actively Exploited

CVE-2022-0185 (CVSS 8.4 High), an heap-based buffer overflow vulnerability in the Linux kernel, was added to CISA KEV in August 2024. Publicly available PoC-exploit-code and detailed technical descriptions of the vulnerability have contributed to the increase in cyber attacks exploiting CVE-2022-0185.

In CVE-2022-0185 in Linux’s “legacy_parse_param()” function within the Filesystem Context functionality the length of supplied parameters is not being properly verified. This flaw allows an unprivileged local user to escalate their privileges to the root user.

Greenbone could detect CVE-2022-0185 since it was disclosed in early 2022 via vulnerability test modules covering a wide set of Linux distributions including Red Hat, Ubuntu, SuSE, Amazon Linux, Rocky Linux, Fedora, Oracle Linux and Enterprise products such as IBM Spectrum Protect Plus.

New VoIP and PBX Vulnerabilities

A handful of CVEs were published in August 2024 impacting enterprise voice communication systems. The vulnerabilities were disclosed in Cisco’s small business VOIP systems and Asterisk, a popular open-source PBX branch system. Let’s dig into the specifics:

Cisco Small Business IP Phones Offer RCE and DoS

Three high severity vulnerabilities were disclosed that impact the web-management console of Cisco Small Business SPA300 Series and SPA500 Series IP Phones. While underscoring the importance of not exposing management consoles to the internet, these vulnerabilities also represent a vector for an insider or dormant attacker who has already gained access to an organization’s network to pivot their attacks to higher value assets and disrupt business operations.

Greenbone includes detection for all newly disclosed CVEs in Cisco Small Business IP Phone. Here is a brief technical description of each:

  • CVE-2024-20454 and CVE-2024-20450 (CVSS 9.8 Critical): An unauthenticated, remote attacker could execute arbitrary commands on the underlying operating system with root privileges because incoming HTTP packets are not properly checked for size, which could result in a buffer overflow.
  • CVE-2024-20451 (CVSS 7.5 High): An unauthenticated, remote attacker could cause an affected device to reload unexpectedly causing a Denial of Service because HTTP packets are not properly checked for size.

CVE-2024-42365 in Asterisk PBX Telephony Toolkit

Asterisk is an open-source private branch exchange (PBX) and telephony toolkit. PBX is a system used to manage internal and external call routing and can use traditional phone lines (analog or digital) or VoIP (IP PBX). CVE-2024-42365, published in August 2024, impacts versions of asterisk before 18.24.2, 20.9.2 and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2. An exploit module has also been published for the Metasploit attack framework adding to the risk, however, active exploitation in the wild has not yet been observed.

Greenbone can detect CVE-2024-42365 via network scans. Here is a brief technical description of the vulnerability:

  • CVE-2024-42365 (CVSS 8.8 High): An AMI user with “write=originate” may change all configuration files in the “/etc/asterisk/” directory. This occurs because they are able to curl remote files and write them to disk but are also able to append to existing files using the FILE function inside the SET application. This issue may result in privilege escalation, Remote Code Execution or blind server-side request forgery with arbitrary protocols.

Browsers: Perpetual Cybersecurity Threats

CVE-2024-7971 and CVE-2024-7965, two new CVSS 8.8 High severity vulnerabilities in the Chrome browser, are being actively exploited for RCE. Either CVE can be triggered when victims are tricked into simply visiting a malicious web page. Google acknowledges that exploit code is publicly available, giving even low skilled cyber criminals the ability to launch attacks. Google Chrome has seen a steady stream of new vulnerabilities and active exploitation in recent years. A quick inspection of Mozilla Firefox shows a similar continuous stream of critical and high severity CVEs; seven Critical and six High severity vulnerabilities were disclosed in Firefox during August 2024, although active exploitation of these has not been reported.

The continuous onslaught of vulnerabilities in major browsers underscores the need for diligence to ensure that updates are applied as soon as they become available. Due to Chrome’s high market share of over 65% (over 70% considering Chromium-based Microsoft Edge) its vulnerabilities receive increased attention from cyber criminals. Considering the high number of severe vulnerabilities impacting Chromium’s V8 engine (more than 40 so far in 2024), Google Workspace admins might consider disabling V8 for all users in their organization to increase security. Other options for hardening browser security in high-risk scenarios include using remote browser isolation, network segmentation and booting from secure baseline images to ensure endpoints are not compromised.

Greenbone includes active authenticated vulnerability tests to identify vulnerable versions of browsers for Linux, Windows and macOS.

Summary

New critical and remotely exploitable vulnerabilities are being disclosed at record shattering rates amidst a red hot cyber risk environment. Asking IT security teams to manually track newly exposed vulnerabilities in addition to applying patches imposes an impossible burden and risks leaving critical vulnerabilities undetected and exposed. Vulnerability management is considered a fundamental cybersecurity activity; defenders of large, medium and small organizations need to employ tools such as Greenbone to automatically seek and report vulnerabilities across an organization’s IT infrastructure. 

Conducting automated network vulnerability scans and authenticated scans of each system’s host attack surface can dramatically reduce the workload on defenders, automatically providing them with a list of remediation tasks that is sortable according to threat severity.

OpenVAS began in 2005 when Nessus transitioned from open source to a proprietary license. Two companies, Intevation and DN Systems adopted the existing project and began evolving and maintaining it under a GPL v2.0 license. Since then, OpenVAS has evolved into Greenbone, the most widely-used and applauded open-source vulnerability scanner and vulnerability management solution in the world. We are proud to offer Greenbone as both a free Community Edition for developers and also as a range of enterprise products featuring our Greenbone Enterprise Feed to serve the public sector and private enterprises alike.

As the “old-dog” on the block, Greenbone is hip to the marketing games that cybersecurity vendors like to play. However, our own goals remain steadfast – to share the truth about our product and industry leading vulnerability test coverage. So, when we reviewed a recent 2024 network vulnerability scanner benchmark report published by a competitor, we were a little shocked to say the least.

As the most recognized open-source vulnerability scanner, it makes sense that Greenbone was included in the competition for top dog. However, while we are honored to be part of the test, some facts made us scratch our heads. You might say we have a “bone to pick” about the results. Let’s jump into the details.

What the 2024 Benchmark Results Found

The 2024 benchmark test conducted by Pentest-Tools ranked leading vulnerability scanners according to two factors: Detection Availability (the CVEs each scanner has detection tests for) and Detection Accuracy (how effective their detection tests are).

The benchmark pitted our free Community Edition of Greenbone and the Greenbone Community Feed against the enterprise products of other vendors: Qualys, Rapid7, Tenable, Nuclei, Nmap, and Pentest-Tools’ own product. The report ranked Greenbone 5th in Detection Availability and roughly tied for 4th place in Detection Accuracy. Not bad for going up against titans of the cybersecurity industry.

The only problem is, as mentioned above, Greenbone has an enterprise product too, and when the results are recalculated using our Greenbone Enterprise Feed, the findings are starkly different – Greenbone wins hands down.

Here is What we Found

Greenbone Enterprise leads the pack of vulnerability scanners.

 

Our Enterprise Feed Detection Availability Leads the Pack

According to our own internal findings, which can be verified using our SecInfo Portal, the Greenbone Enterprise Feed has detection tests for 129 of the 164 CVEs included in the test. This means our Enterprise product’s Detection Availability is a staggering 70.5% higher than reported, placing us heads and tails above the rest.

To be clear, the Greenbone Enterprise Feed tests aren’t something we added on after the fact. Greenbone updates both our Community and Enterprise Feeds on a daily basis and we are often the first to release vulnerability tests when a CVE is published. A review of our vulnerability test coverage shows they have been available from day one.

Our Detection Accuracy was far Underrated

And another thing. Greenbone isn’t like those other scanners. The way Greenbone is designed gives it strong industry leading advantages. For example, our scanner can be controlled via API allowing users to develop their own custom tools and control all the features of Greenbone in any way they like. Secondly, our Quality of Detection (QoD) ranking doesn’t even exist on most other vulnerability scanners.

The report author made it clear they simply used the default configuration for each scanner. However, without applying Greenbone’s QoD filter properly, the benchmark test failed to fairly assess Greenbone’s true CVE detection rate. Applying these findings Greenbone again comes out ahead of the pack, detecting an estimated 112 out of the 164 CVEs.

Summary

While we were honored that our Greenbone Community Edition ranked 5th in Detection Availability and tied for 4th in Detection Accuracy in a recently published network vulnerability scanner benchmark, these results fail to consider the true power of the Greenbone Enterprise Feed. It stands to reason that our Enterprise product should be in the running. Afterall, the benchmark included enterprise offerings from other vendors.

When recalculated using the Enterprise Feed, Greenbone’s Detection Availability leaps to 129 of the 164 CVEs on the test, 70.5% above what was reported. Also, using the default settings fails to account for Greenbone’s Quality of Detection (QoD) feature. When adjusted for these oversights, Greenbone ranks at the forefront of the competition. As the most used open-source vulnerability scanner in the world, Greenbone continues to lead in vulnerability coverage, timely publication of vulnerability tests, and truly enterprise grade features such as a flexible API architecture, advanced filtering, and Quality of Detection scores.

Every business has mission critical activities. Security controls are meant to protect those critical activities to ensure business operations and strategic goals can be sustained indefinitely. Using an “Install and forget”-approach to security provides few assurances for achieving these objectives. An ever-changing digital landscape means a security gap could lead to a high stakes data breach. Things like privilege creep, server sprawl, and configuration errors tend to pop-up like weeds. Security teams who don’t continuously monitor don’t catch them – attackers do. For this reason, cyber security frameworks tend to be iterative processes that include monitoring, auditing, and continuous improvement.

Security officers should be asking: What does our organization need to measure to gain strong assurances and enable continuous improvement? In this article we will take you through a rationale for Key Performance Indicators (KPI) in cyber security outlined by industry leaders such as NIST and The SANS Institute and define a core set of vulnerability management specific KPIs. The most fundamental KPIs covered here can serve as a starting point for organizations implementing a vulnerability management program from scratch, while the more advanced measures can provide depth of visibility for organizations with mature vulnerability management programs already in place.

Cyber Security KPI Support Core Strategic Business Goals

KPI are generated by collecting and analyzing relevant performance data and are mainly used for two strategic goals. The first is to facilitate evidence-based decision making. For example, KPI can help managers benchmark how vulnerability management programs are performing in order to assess the overall level of risk mitigation and decide whether to allocate more resources or accept the status-quo. The second core strategic goal that KPIs support is to provide accountability of security activities. KPI can help identify causes of poor performance and provide an early warning of insufficient or poorly implemented security controls. With proper monitoring of vulnerability management performance, the effectiveness of existing procedures can be evaluated, allowing them to be adjusted or supplemented with additional controls. The evidence collected while generating KPIs can also be used to demonstrate compliance with internal policies, mandatory or voluntary cyber security standards, or any applicable laws and regulations by evidencing cyber security program activities.

The scope of measuring KPI can be enterprise-wide or focused on departments or infrastructure that is critical to business operations. This scope can also be adjusted as a cybersecurity program matures. During the initial stages of starting a vulnerability management, only basic information may be available to build KPI metrics from. However, as a program matures, data collection will become more robust, supporting more complex KPI metrics. More advanced measures may also be justified to gain high visibility for organizations with increased risk.

Types of Cyber Security Measures

NIST SP 800-55 V1 (and it’s predecessor NIST SP 800-55 r2) focuses on the development and collection of three types of measures:

  • Implementation Measures: These measure the execution of security policy and gauge the progress of implementation. Examples include: the total number of information systems scanned and the percentage of critical systems scanned for vulnerabilities.
  • Effectiveness/Efficiency Measures: These measure the results of security activities and monitor program-level and system-level processes. This can help gauge if security controls are implemented correctly, operating as intended, and producing a desirable outcome. For example, the percentage of all identified critical severity vulnerabilities that have been mitigated across all operationally critical infrastructure.
  • Impact Measures: These measure the business consequences of security activities such as cost savings, costs incurred by addressing security vulnerabilities, or other business related impacts of information security.

Important Indicators for Vulnerability Management

Since vulnerability management is fundamentally the process of identifying and remediating known vulnerabilities, KPI that provide insight into the detection and remediation of known threats are most appropriate. In addition to these two key areas, assessing a particular vulnerability management tool’s effectiveness for detecting vulnerabilities can help compare different products. Since these are the most logical ways to evaluate vulnerability management activities, our list has grouped KPI into these three categories. Tags are also added to each item indicating which purpose specified in NIST SP 800-55 the metric satisfies.

While not an exhaustive list, here are some key KPIs for vulnerability management:

Detection Performance Metrics

  • Scan Coverage (Implementation): This measures the percentage of an organization’s total assets that are being scanned for vulnerabilities. Scan coverage is especially relevant at the early stages of program implementation for setting targets and measuring the evolving maturity of the program. Scan coverage can also be used to identify gaps in an organization’s IT infrastructure that are not being scanned putting them at increased risk.
  • Mean Time to Detect (MTTD) (Efficiency): This measures the average time to detect vulnerabilities from when information is first published and when a security control is able to identify it. MTTD may be improved by adjusting the frequency of updating a vulnerability scanner’s modules or frequency of conducting scans.
  • Unidentified Vulnerabilities Ratio (Effectiveness): The ratio of vulnerabilities identified proactively through scans versus those discovered through breach or incident post-mortem analyses. A higher ratio suggests better proactive detection capabilities.
  • Automated Discovery Rate (Efficiency): This metric measures the percentage of vulnerabilities identified by automated tools versus manual discovery methods. Higher automation can lead to more consistent and faster detection.

Remediation Performance Metrics

  • Mean Time to Remediate (MTTR; Efficiency): This measures the average time taken to fix vulnerabilities after they are detected. By tracking remediation times organizations can gauge their responsiveness to security threats and evaluate the risk posed by exposure time. A shorter MTTR generally indicates a more agile security operation.
  • Remediation Coverage (Effectiveness): This metric represents the proportion of detected vulnerabilities that have been successfully remediated and serves as a critical indicator of effectiveness in addressing identified security risks. Remediation coverage can be adjusted to specifically reflect the rate of closing critical or high severity security gaps. By focusing on the most dangerous vulnerabilities first, security teams can more effectively minimize risk exposure.
  • Risk Score Reduction (Impact): This metric reflects the overall impact that vulnerability management activities are having to risk. By monitoring changes in the risk score, managers can evaluate how well the threat posed by exposed vulnerabilities is being managed. Risk Score Reduction is typically calculated using risk assessment tools that provide a contextual view of each organization’s unique IT infrastructure and risk profile.
  • Rate Of Compliance (Impact): This metric represents the percentage of systems that comply with specific cyber security regulations, standards, or internal policies. It serves as an essential measure for gauging compliance status and provides evidence of this status to various stakeholders. It also serves as a warning if compliance requirements are not being satisfied, thereby reducing the risk of penalties and ensuring the intended security posture put forth by the compliance target.
  • Vulnerability Reopen Rate (Efficiency): This metric measures the percentage of vulnerabilities that are reopened after being marked as resolved. Reopen rate indicates the efficiency of remediation efforts. Ideally, once a remediation ticket has been closed, the vulnerability does not issue another ticket.
  • Cost of Remediation (Impact): This metric measures the total cost associated with fixing detected vulnerabilities, encompassing both direct and indirect expenses. Cost analysis can aid decisions for budgeting and resource allocation by tracking the amount of time and resources required to detect and apply remediation.

Vulnerability Scanner Effectiveness Metrics

  • True Positive Detection Rate (Effectiveness): This measures the percentage of vulnerabilities that can be accurately detected by a particular tool. True positive detection rate measures the effective coverage of a vulnerability scanning tool and allows two vulnerability scanning products to be compared according to their relative value.
  • False Positive Detection Rate (Effectiveness): This metric measures the frequency at which a tool incorrectly identifies non-existent vulnerabilities as being present. This can lead to wasted resources and effort. False positive detection rate can gauge the reliability of a vulnerability scanning tool to ensure it aligns with operational requirements.

Key Takeaways

By generating and analyzing Key Performance Indicators (KPIs), organizations can satisfy fundamental cybersecurity requirements for continuous monitoring and improvement. KPI also supports core business strategies such as evidence-based decision making and accountability.

With quantitative insight into vulnerability management processes, organizations can better gauge their progress and more accurately evaluate their cyber security risk posture. By aggregating an appropriate set of KPIs, organizations can track the maturity of their vulnerability management activities, identify gaps in controls, policies, and procedures that limit the effectiveness and efficiency of their vulnerability remediation, and ensure alignment with compliance with internal risk requirements and relevant security standards, laws and regulations.

References

National Institute of Standards and Technology. Measurement Guide for Information Security: Volume 1 — Identifying and Selecting Measures. NIST, January 2024, https://csrc.nist.gov/pubs/sp/800/55/v1/ipd

National Institute of Standards and Technology. Performance Measurement Guide for Information Security, Revision 2. NIST, November 2022, https://csrc.nist.gov/pubs/sp/800/55/r2/iwd

National Institute of Standards and Technology. Assessing Security and Privacy Controls in Information Systems and Organizations Revision 5. NIST, January 2022, https://csrc.nist.gov/pubs/sp/800/53/a/r5/final

National Institute of Standards and Technology. Guide for Conducting Risk Assessments Revision 1. NIST, September 2012, https://csrc.nist.gov/pubs/sp/800/30/r1/final

National Institute of Standards and Technology. Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology Revision 4. NIST, April 2022, https://csrc.nist.gov/pubs/sp/800/40/r4/final

SANS Institute. A SANS 2021 Report: Making Visibility Definable and Measurable. SANS Institute, June 2021, https://www.sans.org/webcasts/2021-report-making-visibility-definable-measurable-119120/

SANS Institute. A Guide to Security Metrics. SANS Institute, June 2006, https://www.sans.org/white-papers/55/

Greenbone Basic: Small Businesses Can Now Easily Protect Themselves from Vulnerabilities

Cyber attacks have become the greatest threat to modern businesses of all sizes. An abundant amount of attacks have caused a stir, cost billions, and resulted in production downtime and significant damage all over the world. Not a lot has changed in 2024, and the threat situation is the same for small and large companies: Studies show that nine out of ten businesses are aware of the danger and intend to invest in protection against attackers, malware, and ransomware.
Only modern vulnerability management, as provided by us can offer professional protection. For many years, the products of our company have proven their reliability and quality under highest demands, every single day, in critical infrastructures, government agencies, corporations, and organisations. Now, we are launching a tailor-made solution for small and medium-sized enterprises (SMEs).

The Full Power of Greenbone’s Vulnerability Management for SMEs

What large organizations have been deploying for a long time, is now also available for smaller companies: We are launching a new version of our proven Greenbone Vulnerability Management: Greenbone Basic is perfect for small and medium-sized businesses, is more affordable than the competition, is based on our tried and tested Greenbone Enterprise Products, and offers the well-known, strong protection for everyone.

At a entry level price, Greenbone Basic delivers many of the features of the larger product, while remaining significantly more affordable than comparable competitor offerings. Like the Greenbone Enterprise Products, Greenbone Basic also comes with the best detection rate for vulnerabilities, the fastest zero-day protection, and ease of use.

Greenbone Basic excels with fast deployment, ease of use and efficient operation – qualities that professional vulnerability management demands in today’s infrastructures.

“We tailored Greenbone Basic specifically to the needs of SMEs because we were increasingly approached by representatives of smaller and medium-sized companies. SMEs have very specific requirements but today face the same challenges as large enterprises.”

Hannes Nordlohne, Business Development Manager

Greenbone Basic scans up to 200 IP addresses within 24 hours and comes with Greenbone’s proven and continuously updated CVE tests for predictive scanning. Administrators can quickly and easily deploy the software, which is prepared for various platforms. Basic supports common server virtualization such as Microsoft’s Hyper-V, VMware, or Oracle Virtualbox, with integration also covering functions like mandatory regular backups.

Features and Functionality

For many years, we have been market leader in open-source vulnerability management. This extensive experience and knowledge now is utilized in Greenbone Basic, delivering features indispensable in small and medium-sized environments – such as the intuitive and clear browser-based user interface.

Start page Scan results

The graphical web interface not only provides a constantly updated overview of the system’s status and performance, but it also allows for the comfortable management and initiation of scans, and integrates reporting plugins with filters, sorting, notes, and risk assessment. A dedicated module handles certificate management, scans can be automated via schedules, and after completion, Greenbone Basic automatically provides administrators with all relevant information. These reports are available in PDF, HTML, text, and XML formats.

Modern vulnerability management aims to identify, assess, prioritize, and remediate security gaps (vulnerabilities) in IT systems, networks, applications, and devices. This process is crucial to ensure the security of a company’s or organizations IT infrastructure and to minimize risks from cyber attacks or data loss.

Greenbone identifies vulnerabilities using customized tests and proprietary scanners, as well as proven open-source software, to classify threats and suggest solutions, patches, configuration changes, workarounds, or updates to the administrator.

“Greenbone has one of the largest databases and the best algorithms for vulnerability detection. Greenbone Basic customers benefit from the fastest zero-day protection on the market – we respond faster than other providers, and our system almost always detects new vulnerabilities on the first day. Greenbone Basic brings all these advantages to small businesses as well.”

Benjamin Höner, Chief Product Officer, Greenbone

High Performance at entry level price: Greenbone Basic

For just €2,450 per year, small and medium-sized businesses can now afford the same protection that large companies use to safeguard their infrastructure. Especially in comparison to the free version “Greenbone Free“, Greenbone Basic offers significantly more security and numerous extra features: In addition to the many scans and tests required by enterprise customers (for Oracle, Microsoft, Cisco, VMware, Palo Alto, Trend Micro, Fortinet, Juniper, and many more), there are also automatic scans and the essential integration into enterprise directories like LDAP and RADIUS.

Feature comparison (Greenbone Free, Greenbone Basic, Greenbone Enterprise)

However, for those who need sensors, API access, remediation tickets, and other enterprise features, and who also want to purchase support from Greenbone, the classic Greenbone Enterprise, is the right choice, suitable for businesses of all sizes. You can request the Greenbone Basic entry-level product here and test it free of charge for seven days.

On October 22, the “it-sa Expo&Congress” will open its doors again in Nuremberg. The trade fair is now one of the largest platforms for IT security solutions worldwide. Last year, it set new records with 19,449 trade visitors from 55 countries and 795 exhibitors from 30 countries. This year, Greenbone will be at the ADN partner stand in Hall 6, booth 6-346. Our CEO Jan-Oliver Wagner will be giving a live presentation at the Forum 6-B on the opening day (11:00 – 11:15).

  • Opening hours: 
    • Tuesday, October 22, 2024: 09:00 – 18:00
    • Wednesday, October 23, 2024: 09:00 – 18:00
    • Thursday, October 24, 2024: 09:00 – 17:00
  • Location: Nuremberg, Exhibition Center 
  • Information: Tickets, exhibitors, hall plan

Visit us at our booth or schedule an appointment with the security experts from Greenbone. We look forward to seeing you at the fair!

Vulnerability disclosures took a summer vacation in July; only 3,135 new CVES were published, down almost 40% from May 2024’s record setting month. Last month we talked about cybersecurity on the edge, referring to the increasing number of attacks against perimeter network devices. That post’s title also hinted that globally, IT may be skirting catastrophic failure. Greenbone’s CMO Elmar Geese compiled a nice assessment of CrowdStrike’s failed update that crashed Windows systems around the world on Friday, July 19th.

Back in 2021, Gartner predicted that rampant cyber attacks would be causing death and mayhem by 2025. The bad news is we are ahead of Gartner’s schedule, but the further bad news is that we didn’t need a cyber attack to get there. In this month’s threat tracking news, we will review some of the top actively exploited vulnerabilities and critical risks introduced in July 2024.

Ransomware Distributed via VMware Vulnerability

This month, two vulnerabilities in VMware’s ESXi hypervisor and vCenter Server products were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog and one, CVE-2024-37085 in ESXi, was observed distributing Akira and Black Basta ransomware. VMware’s virtualization solutions are critical to the global IT ecosystem. In the past, the vendor has claimed over 80 percent of virtualized workloads operate on its technology including all the Fortune 500 and Fortune Global 100 enterprises.

CVE-2024-37085 (CVSS 6.8 Medium) was discovered by Microsoft who revealed that ESXi is wildly insecure by design, granting full administrative access to any user in an Active Directory (AD) domain group named “ESX Admins” by default without proper validation. Just in case you can’t believe what you just read, I’ll clarify: any user in an arbitrary AD group named “ESX Admins” is granted full admin rights on an ESXi instance – by design. We should all be aghast and thunderstruck.

Considering CVE-2024-37085 is being leveraged for ransomware attacks, be reminded that maintaining secured backups of production ESXi hypervisor configurations and virtual machines, and conducting table-top and functional exercises for incident response can help ensure a swift recovery from a ransomware attack. Closing security gaps by scanning for known vulnerabilities and applying remediation can help prevent ransomware attacks from being successful in the first place.

CVE-2022-22948 (CVSS 6.5 Medium), also actively exploited, is another insecure-by-design flaw in VMware products, this time vCenter Server caused by improper default file permissions [CWE-276] allowing the disclosure of sensitive information.

Greenbone can actively detect vulnerable versions of VMware ESXi and vCenter Server with separate vulnerability tests for CVE-2024-37085 [1] and CVE-2022-22948 [2] since it was first disclosed in 2022.

New Batch of Cisco CVEs Includes one Actively Exploited plus two Critical Severity

In July 2024, 12 total vulnerabilities, two of critical and three of high severity, were disclosed in 17 different Cisco products. CVE-2024-20399 in Cisco NX-OS is being actively exploited and was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. CISA also referenced CVE-2024-20399 in a secure-by-design alert released in July. The alert advises software vendors to inspect their products for OS (operating system) command injection vulnerabilities [CWE-78]. Greenbone includes a remote version check for the actively exploited CVE-2024-20399.

Here is a summary of the most impactful CVEs:

  • CVE-2024-20399 (CVSS 6.7 Medium): A command-injection vulnerability in Cisco NX-OS’s Command-Line Interface (CLI) allows authenticated administrative users to execute commands as root on the underlying OS due to unsanitized arguments being passed to certain configuration commands. CVE-2024-20399 can only be exploited by an attacker who already has privileged access to the CLI. Greenbone includes a remote version check for CVE-2024-20399.
  • CVE-2024-20419 (CVSS 10 Critical): The authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem) allows an unauthenticated, remote attacker to change the password of any user, including administrators, via malicious HTTP requests. Greenbone includes a remote version detection test for CVE-2024-20419.
  • CVE-2024-20401 (CVSS 10 Critical): A vulnerability in the content scanning and message filtering features of Cisco Secure Email Gateway could allow an unauthenticated, remote attacker to overwrite arbitrary files on the device via e-mail attachments if file analysis and content filters are enabled. CVE-2024-20401 allows attackers to create users with root privileges, modify the device configuration, execute arbitrary code, or disable the device completely. Greenbone is able to detect vulnerable devices so defenders can apply Cisco’s recommended mitigation.

Other CVEs disclosed for flagship Cisco products in July 2024 include:

CVE

Product

VT

CVE-2024-20400 (CVSS 5.0 M)

Cisco Expressway Series

detection test

CVE-2024-6387 (CVSS 8.1 H)

Cisco Intersight Virtual Appliance

detection test

CVE-2024-20296 (CVSS 5.8 M)

Cisco Identity Services Engine (ISE)

detection test

CVE-2024-20456 (CVSS 6.5 M)

Cisco IOS XR Software

detection test

CVE-2024-20435 (CVSS 6.8 M)

Cisco Secure Web Appliance

detection test

CVE-2024-20429 (CVSS 7.7 H)

Cisco Secure Email Gateway

detection test

CVE-2024-20416 (CVSS 7.7 H)

Cisco Dual WAN Gigabit VPN Routers

detection test

ServiceNow Actively Exploited for Data Theft and RCE

As July closed, two critical vulnerabilities in ServiceNow – CVE-2024-4879 and CVE-2024-5217, were added to CISA’s KEV list. Both CVEs are rated CVSS 9.8 Critical. ServiceNow was also assigned a third on the same day, July 10th; CVE-2024-5178 (CVSS 6.8 Medium). The trio are being chained together by attackers to achieve unauthenticated Remote Code Execution (RCE). Data from over 100 victims is reportedly being sold on BreachForums; a cybercrime platform for exchanging stolen data.

ServiceNow is a leading IT service management (ITSM) platform featuring incident management, problem management, change management, asset management, and workflow automation, and extending into general business management tools such as human resources, customer service, and security operations. ServiceNow is installed either as a Software as a Service (SaaS) or self-hosted by organizations themselves. Shodan reports roughly 20,000 exposed instances online, and Resecurity has observed attacks against private sector companies and government agencies globally.

Greenbone included vulnerability tests (VTs) [1][2] for all three CVEs before active exploitation was alerted by CISA. Hotfixes are available [3][4][5] from the vendor and self-hosting customers should apply them with urgency.

Critical Vulnerability in Adobe Commerce and Magento eCommerce Platforms

Adobe Commerce and Magento versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by CVE-2024-34102 (CVSS 9.8 Critical), resulting from improper restriction of XML External Entity Reference (‘XXE’) [CWE-611]. An attacker could exploit the weakness without user interaction by sending a malicious XML file to read sensitive data from within the platform.

CVE-2024-34102 is being actively exploited and a basic proof-of-concept exploit code is available on GitHub [1]. Malicious exploit code [2] for the CVE has also been removed from GitHub due to the platform’s policies against malware, but attackers are actively sharing it via dark-web forums and hacker channels on Telegram. Also, the CVE’s Exploit Prediction Scoring System (EPSS) score increased prior to its induction into CISA KEV, giving credit to EPSS as an early warning metric for vulnerability risk.

Magento is an open-source PHP-based eCommerce platform for small to medium-sized businesses. Acquired by Adobe in 2018, Adobe Commerce is essentially the enterprise version of Magento Open Source with additional features for larger businesses. Being an e-commerce platform, there’s risk that attackers may be able to steal payment card information or other sensitive personal information from a website’s customers in addition to inducing costly downtime due to lost sales for the site owner.

Greenbone includes an active check and version detection vulnerability tests (VTs) for identifying vulnerable versions of this high risk vulnerability.

GeoServer Actively Exploited for Remote Code Execution

A CVSS 9.8 Critical CVE was found in GeoServer prior to versions 2.23.6, 2.24.4, and 2.25.2. GeoServer is an open-source application for sharing, editing, and displaying geospatial data. Tracked as CVE-2024-36401, the vulnerability is being actively exploited and can lead to arbitrary Remote Code Execution (RCE). Exploit code is publicly available [1][2] compounding the risk. CERT-EU has issued an alert for all EU institutions, agencies, and member states. Greenbone includes remote detection tests to identify CVE-2024-36401 allowing users of affected GeoServer products to be notified.

The vulnerability, classified as “Dependency on Vulnerable Third-Party Component” [CWE-1395], lies in the GeoTools component – an open-source Java library that serves as the foundation for various geospatial projects and applications, including GeoServer. Therefore, similarly to how Log4Shell impacted an unknown number of applications using the Log4j 2.x library, the same is true for GeoTools. Various OGC (Open Geospatial Consortium) request parameters (including WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests) forfeit RCE since the GeoTools library API unsafely passes property/attribute names to the commons-jxpath library which has the capability to execute arbitrary code [CWE-94].

Users should update to GeoServer versions 2.23.6, 2.24.4, or 2.25.2 which contain a patch for the issue. For those who cannot update, removing the ‘gt-complex-<version>.jar’ file will eliminate the vulnerable code, but may break functionality if the gt-complex module is required.

Summary

July 2024 saw a decline in vulnerability disclosures, yet significant threats emerged. Notably, CVE-2024-37085 in VMware’s ESXi was observed being exploited for ransomware attacks, due to insecure design flaws. Cisco’s new vulnerabilities include CVE-2024-20399, actively exploited for command injection, and two critical flaws in its products. ServiceNow’s CVEs, including CVE-2024-4879 and CVE-2024-5217, are being used to distribute ransomware and steal data. Adobe Commerce’s CVE-2024-34102 and GeoServer’s CVE-2024-36401 also pose severe risks. Organizations must prioritize patching, vulnerability management, and incident response to mitigate these threats.