Tag Archive for: Vulnerability Scanning

Joseph Lee

July 2024 Threat Tracking: Summer Break for Vulnerabilities?

Vulnerability disclosures took a summer vacation in July; only 3,135 new CVES were published, down almost 40% from May 2024’s record setting month. Last month we talked about cybersecurity on the edge, referring to the increasing number of attacks against perimeter network devices. That post’s title also hinted that globally, IT may be skirting catastrophic failure. Greenbone’s CMO Elmar Geese compiled a nice assessment of CrowdStrike’s failed update that crashed Windows systems around the world on Friday, July 19th.

Back in 2021, Gartner predicted that rampant cyber attacks would be causing death and mayhem by 2025. The bad news is we are ahead of Gartner’s schedule, but the further bad news is that we didn’t need a cyber attack to get there. In this month’s threat tracking news, we will review some of the top actively exploited vulnerabilities and critical risks introduced in July 2024.

Ransomware Distributed via VMware Vulnerability

This month, two vulnerabilities in VMware’s ESXi hypervisor and vCenter Server products were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog and one, CVE-2024-37085 in ESXi, was observed distributing Akira and Black Basta ransomware. VMware’s virtualization solutions are critical to the global IT ecosystem. In the past, the vendor has claimed over 80 percent of virtualized workloads operate on its technology including all the Fortune 500 and Fortune Global 100 enterprises.

CVE-2024-37085 (CVSS 6.8 Medium) was discovered by Microsoft who revealed that ESXi is wildly insecure by design, granting full administrative access to any user in an Active Directory (AD) domain group named “ESX Admins” by default without proper validation. Just in case you can’t believe what you just read, I’ll clarify: any user in an arbitrary AD group named “ESX Admins” is granted full admin rights on an ESXi instance – by design. We should all be aghast and thunderstruck.

Considering CVE-2024-37085 is being leveraged for ransomware attacks, be reminded that maintaining secured backups of production ESXi hypervisor configurations and virtual machines, and conducting table-top and functional exercises for incident response can help ensure a swift recovery from a ransomware attack. Closing security gaps by scanning for known vulnerabilities and applying remediation can help prevent ransomware attacks from being successful in the first place.

CVE-2022-22948 (CVSS 6.5 Medium), also actively exploited, is another insecure-by-design flaw in VMware products, this time vCenter Server caused by improper default file permissions [CWE-276] allowing the disclosure of sensitive information.

Greenbone can actively detect vulnerable versions of VMware ESXi and vCenter Server with separate vulnerability tests for CVE-2024-37085 [1] and CVE-2022-22948 [2] since it was first disclosed in 2022.

New Batch of Cisco CVEs Includes one Actively Exploited plus two Critical Severity

In July 2024, 12 total vulnerabilities, two of critical and three of high severity, were disclosed in 17 different Cisco products. CVE-2024-20399 in Cisco NX-OS is being actively exploited and was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. CISA also referenced CVE-2024-20399 in a secure-by-design alert released in July. The alert advises software vendors to inspect their products for OS (operating system) command injection vulnerabilities [CWE-78]. Greenbone includes a remote version check for the actively exploited CVE-2024-20399.

Here is a summary of the most impactful CVEs:

  • CVE-2024-20399 (CVSS 6.7 Medium): A command-injection vulnerability in Cisco NX-OS’s Command-Line Interface (CLI) allows authenticated administrative users to execute commands as root on the underlying OS due to unsanitized arguments being passed to certain configuration commands. CVE-2024-20399 can only be exploited by an attacker who already has privileged access to the CLI. Greenbone includes a remote version check for CVE-2024-20399.
  • CVE-2024-20419 (CVSS 10 Critical): The authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem) allows an unauthenticated, remote attacker to change the password of any user, including administrators, via malicious HTTP requests. Greenbone includes a remote version detection test for CVE-2024-20419.
  • CVE-2024-20401 (CVSS 10 Critical): A vulnerability in the content scanning and message filtering features of Cisco Secure Email Gateway could allow an unauthenticated, remote attacker to overwrite arbitrary files on the device via e-mail attachments if file analysis and content filters are enabled. CVE-2024-20401 allows attackers to create users with root privileges, modify the device configuration, execute arbitrary code, or disable the device completely. Greenbone is able to detect vulnerable devices so defenders can apply Cisco’s recommended mitigation.

Other CVEs disclosed for flagship Cisco products in July 2024 include:

CVE

Product

VT

CVE-2024-20400 (CVSS 5.0 M)

Cisco Expressway Series

detection test

CVE-2024-6387 (CVSS 8.1 H)

Cisco Intersight Virtual Appliance

detection test

CVE-2024-20296 (CVSS 5.8 M)

Cisco Identity Services Engine (ISE)

detection test

CVE-2024-20456 (CVSS 6.5 M)

Cisco IOS XR Software

detection test

CVE-2024-20435 (CVSS 6.8 M)

Cisco Secure Web Appliance

detection test

CVE-2024-20429 (CVSS 7.7 H)

Cisco Secure Email Gateway

detection test

CVE-2024-20416 (CVSS 7.7 H)

Cisco Dual WAN Gigabit VPN Routers

detection test

ServiceNow Actively Exploited for Data Theft and RCE

As July closed, two critical vulnerabilities in ServiceNow – CVE-2024-4879 and CVE-2024-5217, were added to CISA’s KEV list. Both CVEs are rated CVSS 9.8 Critical. ServiceNow was also assigned a third on the same day, July 10th; CVE-2024-5178 (CVSS 6.8 Medium). The trio are being chained together by attackers to achieve unauthenticated Remote Code Execution (RCE). Data from over 100 victims is reportedly being sold on BreachForums; a cybercrime platform for exchanging stolen data.

ServiceNow is a leading IT service management (ITSM) platform featuring incident management, problem management, change management, asset management, and workflow automation, and extending into general business management tools such as human resources, customer service, and security operations. ServiceNow is installed either as a Software as a Service (SaaS) or self-hosted by organizations themselves. Shodan reports roughly 20,000 exposed instances online, and Resecurity has observed attacks against private sector companies and government agencies globally.

Greenbone included vulnerability tests (VTs) [1][2] for all three CVEs before active exploitation was alerted by CISA. Hotfixes are available [3][4][5] from the vendor and self-hosting customers should apply them with urgency.

Critical Vulnerability in Adobe Commerce and Magento eCommerce Platforms

Adobe Commerce and Magento versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by CVE-2024-34102 (CVSS 9.8 Critical), resulting from improper restriction of XML External Entity Reference (‘XXE’) [CWE-611]. An attacker could exploit the weakness without user interaction by sending a malicious XML file to read sensitive data from within the platform.

CVE-2024-34102 is being actively exploited and a basic proof-of-concept exploit code is available on GitHub [1]. Malicious exploit code [2] for the CVE has also been removed from GitHub due to the platform’s policies against malware, but attackers are actively sharing it via dark-web forums and hacker channels on Telegram. Also, the CVE’s Exploit Prediction Scoring System (EPSS) score increased prior to its induction into CISA KEV, giving credit to EPSS as an early warning metric for vulnerability risk.

Magento is an open-source PHP-based eCommerce platform for small to medium-sized businesses. Acquired by Adobe in 2018, Adobe Commerce is essentially the enterprise version of Magento Open Source with additional features for larger businesses. Being an e-commerce platform, there’s risk that attackers may be able to steal payment card information or other sensitive personal information from a website’s customers in addition to inducing costly downtime due to lost sales for the site owner.

Greenbone includes an active check and version detection vulnerability tests (VTs) for identifying vulnerable versions of this high risk vulnerability.

GeoServer Actively Exploited for Remote Code Execution

A CVSS 9.8 Critical CVE was found in GeoServer prior to versions 2.23.6, 2.24.4, and 2.25.2. GeoServer is an open-source application for sharing, editing, and displaying geospatial data. Tracked as CVE-2024-36401, the vulnerability is being actively exploited and can lead to arbitrary Remote Code Execution (RCE). Exploit code is publicly available [1][2] compounding the risk. CERT-EU has issued an alert for all EU institutions, agencies, and member states. Greenbone includes remote detection tests to identify CVE-2024-36401 allowing users of affected GeoServer products to be notified.

The vulnerability, classified as “Dependency on Vulnerable Third-Party Component” [CWE-1395], lies in the GeoTools component – an open-source Java library that serves as the foundation for various geospatial projects and applications, including GeoServer. Therefore, similarly to how Log4Shell impacted an unknown number of applications using the Log4j 2.x library, the same is true for GeoTools. Various OGC (Open Geospatial Consortium) request parameters (including WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests) forfeit RCE since the GeoTools library API unsafely passes property/attribute names to the commons-jxpath library which has the capability to execute arbitrary code [CWE-94].

Users should update to GeoServer versions 2.23.6, 2.24.4, or 2.25.2 which contain a patch for the issue. For those who cannot update, removing the ‘gt-complex-<version>.jar’ file will eliminate the vulnerable code, but may break functionality if the gt-complex module is required.

Summary

July 2024 saw a decline in vulnerability disclosures, yet significant threats emerged. Notably, CVE-2024-37085 in VMware’s ESXi was observed being exploited for ransomware attacks, due to insecure design flaws. Cisco’s new vulnerabilities include CVE-2024-20399, actively exploited for command injection, and two critical flaws in its products. ServiceNow’s CVEs, including CVE-2024-4879 and CVE-2024-5217, are being used to distribute ransomware and steal data. Adobe Commerce’s CVE-2024-34102 and GeoServer’s CVE-2024-36401 also pose severe risks. Organizations must prioritize patching, vulnerability management, and incident response to mitigate these threats.

Contact Test Now Buy Here Back to Overview

/by
Elmar Geese

AI and cybersecurity: The promise of artificial intelligence

,

How is artificial intelligence (AI) changing the cybersecurity landscape? Will AI make the cyber world more secure or less secure? I was able to explore these questions at the panel discussion during the “Potsdam Conference for National Cybersecurity 2024” together with Prof. Dr. Sandra Wachter, Dr. Kim Nguyen, Dr. Sven Herpig. Does AI deliver what it promises today? And what does the future look like with AI?

Four experts discuss the opportunities and risks of artificial intelligence in cybersecurity during a panel at the 2024 Potsdam Conference on National Cybersecurity at the Hasso Plattner Institute.
Cybersecurity is already difficult enough for many companies and institutions. Will the addition of artificial intelligence (AI) now make it even more dangerous for them or will AI help to better protect IT systems? What do we know? And what risks are we looking at here? Economic opportunities and social risks are the focus of both public attention and currently planned legislation. The EU law on artificial intelligence expresses many of the hopes and fears associated with AI.

Hopes and fears

We hope that many previously unresolved technical challenges can be overcome. Business and production processes should be accelerated, and machines should be able to handle increasingly complex tasks autonomously. AI can also offer unique protection in the military sector, saving many lives, for example in the form of AI-supported defense systems such as the Iron Dome.

On the other, darker side of AI are threats such as mass manipulation through deepfakes, sophisticated phishing attacks or simply the fear of job losses that goes hand in hand with any technical innovation. More and more chatbots are replacing service employees, image generators are replacing photographers and graphic designers, text generators are replacing journalists and authors, and generated music is replacing musicians and composers. In almost every profession, there is a fear of being affected sooner or later. This even applies to the IT sector, where a rich choice of jobs was previously perceived as a certainty. These fears are often very justified, but sometimes they are not.

In the area of cyber security, however, it is not yet clear to what extent autonomous AI can create more security and replace the urgently needed security experts or existing solutions. This applies to both attackers and defenders. Of course, the unfair distribution of tasks remains: While defenders want (and need) to close as many security gaps as possible, a single vulnerability is enough for the attackers to launch a successful attack. Fortunately, defenders can fall back on tools and mechanisms that automate a lot of work, even today. Without this automation, the defenders are lost. Unfortunately, AI does not yet help well enough. This is demonstrated by the ever-increasing damage caused by conventional cyber attacks, even though there are supposedly already plenty of AI defenses. On the other hand, there is the assumption that attackers are becoming ever more powerful and threatening thanks to AI.

For more cyber security, we need to take a closer look. We need a clearer view of the facts.

Where do we stand today?

So far, we know nothing about technical cyber attacks generated by artificial intelligence. There are currently no relevant, verifiable cases, only theoretically constructed scenarios. This may change, but as things stand today, this is the case. We don’t know of any AI that could currently generate sufficiently sophisticated attacks. What we do know is that phishing is very easy to implement with generative language models and that these spam and phishing emails appear to us to be more skillful, at least anecdotally. Whether this causes more damage than the already considerable damage, on the other hand, is not known. It is already terrible enough today, even without AI. However, we know that phishing is only ever the first step in accessing a vulnerability.

Elmar Geese, Greenbone board member, speaks at the 2024 Potsdam Conference on National Cybersecurity at the Hasso Plattner Institute about the opportunities and risks of artificial intelligence in cybersecurity.

Member of the Greenbone Board Elmar Geese at the Potsdam Conference for national cybersecurity at Hasso-Plattner-Institute (HPI), picture: Nicole Krüger

How can we protect ourselves?

The good news is that an exploited vulnerability can almost always be found and fixed beforehand. Then even the best attack created with generative AI would come to nothing. And that’s how it has to be done. Because whether I am under threat from a conventional attack today or an AI in my network the day after tomorrow, a vulnerability in the software or in the security configuration will always be necessary for an attack to succeed. Two strategies then offer the best protection: firstly, being prepared for the worst-case scenario, for example through backups together with the ability to restore systems in a timely manner. The second is to look for the gaps yourself every day and close them before they can be exploited. Simple rule of thumb: every gap that exists can and will be exploited. 

Role and characteristics of AI

AI systems are themselves very good targets for attacks. Just like the internet, they were not designed with “security by design” in mind. AI systems are just software and hardware, just like any other target. Only in contrast to AI systems, conventional IT systems, whose functionality can be more or less understood with sufficient effort, can be repaired in a manner comparable to surgical interventions. They can be “patched”. This does not work with AI. If a language model does not know what to do, it does not produce a status or even an error message, it “hallucinates”. However, hallucinating is just a fancy term for lying, guessing, inventing something or doing strange things. Such an error cannot be patched, but requires the system to be retrained, for example, without being able to clearly identify the cause of the error.

If it is very obvious and an AI thinks dogs are fish, for example, it is easy to at least recognize the error. However, if it has to state a probability as to whether it has detected a dangerous or harmless anomaly on an X-ray image, for example, it becomes more difficult. It is not uncommon for AI products to be discontinued because the error cannot be corrected. A prominent first example was Tay, a chatbot launched unsuccessfully twice by Microsoft, which was discontinued even faster the second time than the first.

What we can learn from this: lower the bar, focus on trivial AI functions and then it will work. That’s why many AI applications that are coming onto the market today are here to stay. They are useful little helpers that speed up processes and provide convenience. Perhaps they will soon be able to drive cars really well and safely. Or maybe not.

The future with AI

Many AI applications today are anecdotally impressive. However, they can only be created for use in critical fields with a great deal of effort and specialization. The Iron Dome only works because it is the result of well over ten years of development work. Today, it recognizes missiles with a probability of 99% and can shoot them down – and not inadvertently civilian objects – before they cause any damage. For this reason, AI is mostly used to support existing systems and not autonomously. Even if, as the advertising promises, they can formulate emails better than we can or want to ourselves, nobody today wants to hand over their own emails, chat inboxes and other communication channels to an AI that takes care of the correspondence and only informs us of important matters with summaries.

Will that happen in the near future? Probably not. Will it happen at some point? We don’t know. When the time perhaps comes, our bots will be writing messages to each other, our combat robots will be fighting our wars against each other, and AI cyber attackers and defenders will be competing against each other. When they realize that what they are doing is pointless, they might ask themselves what kind of beings they are hiring to do it. Then perhaps they will simply stop, set up communication lines, leave our galaxy and leave us helpless. At least we’ll still have our AI act and can continue to regulate “weak AI” that hasn’t made it away.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Vulnerability management in 12 minutes

Why is Greenbone not a security provider like any other? How did Greenbone come about and what impact does Greenbone’s long history have on the quality of its vulnerability scanners and the security of its customers? The new video “Demystify Greenbone” provides answers to these questions in an twelve-minute overview. It shows why experts need […]

Read more
/by
Markus Feilner

“Security crises are like earthquakes” – Greenbone CEO Jan-Oliver Wagner at the PITS Congress 2024

“Support for early crisis detection” was the topic of a high-profile panel on the second day of this year’s PITS Congress. On stage: Greenbone CEO Jan-Oliver Wagner together with other experts from the Federal Criminal Police Office, the German Armed Forces, the Association of Municipal IT Service Providers VITAKO and the Federal Office for Information Security.

Panel discussion at the PITS Congress 2024 on the topic of early crisis detection with Greenbone CEO Dr. Jan-Oliver Wagner and representatives from the BSI, Bundeswehr, BKA and VITAKO.

Once again this year, Behörden Spiegel organized its popular conference on Public IT Security (PITS). Hundreds of security experts gathered at the renowned Hotel Adlon in Berlin for two days of forums, presentations and an exhibition of IT security companies. In 2024, the motto of the event was “Security Performance Management” – and so it was only natural that Greenbone, as a leading provider of vulnerability management, was also invited (as in 2023), for example in the panel on early crisis detection, which Greenbone CEO Dr. Jan-Oliver Wagner opened with a keynote speech.

In his presentation, Jan-Oliver Wagner explained his view on strategic crisis detection, talking about the typical “earthquakes” and the two most important components: Knowing where vulnerabilities are, and providing technologies to address them.

Greenbone has built up this expertise over many years, also making it vailable to the public, in open source, always working together with important players on the market. For example, contacts with the German Federal Office for Information Security (BSI) were there right from the start: “The BSI already had the topic of vulnerability management on its radar when IT security was still limited to firewalls and antiviruses,” Wagner is praising the BSI, the German government’s central authority for IT security.

Today, the importance of two factors is clear: “Every organization must know how and where it is vulnerable, know its own response capabilities and has to keep working on improving them continuously. Cyber threats are like earthquakes. We can’t prevent them, we can only prepare for them and respond to them in the best possible way.”

“A crisis has often happened long before the news break”

According to Jan-Oliver Wagner’s definition, the constant cyber threat evolves into a veritable “crisis” when, for example, a threat “hits a society, economy or nation where many organizations have a lot of vulnerabilities and a low ability to react quickly. Speed is very important. You have to be faster than the attack happens.” The other participants on the panel also addressed this and used the term “getting ahead of the wave”.

The crisis is often already there long before it is mentioned in the news, individual organizations need to protect themselves and prepare themselves so that they can react to unknown situations on a daily basis. “A cyber nation supports organizations and the nation by providing the means to achieve this state,” says Jan-Oliver Wagner.

Differences between the military and local authorities

Major General Dr Michael Färber, Head of Planning and Digitalization, Cyber & Information Space Command, explained the Bundeswehr’s perspective: According to him, a crisis occurs when the measures and options for responding are no longer sufficient. “Then something develops into a crisis.”

From the perspective of small cities and similar local authorities, however, the picture is different, according to Katrin Giebel, Head of VITAKO, the Federal Association of Municipal IT Service Providers. “80 percent of administrative services take place at the municipal level. Riots would already occur when the vehicle registration is not available.” Cities and municipalities keep being hit hard by cyber attacks, and crises start much earlier here: “For us, threats are almost the same as a crisis.”

Massive negligence in organizations is frightening, says BSI

The BSI, on the other hand, defines a “crisis” as when an individual organization is unable or no longer able to solve a problem on its own. Dr Dirk Häger, Head of the Operational Cyber Security Department at the BSI: “As soon as two departments are affected, the crisis team convenes. For us, a crisis exists as soon as we cannot solve a problem with the standard organization.” This is giving a crucial role to those employees who decide whether to call together a meeting or not. “You just reach a point where you agree: now we need the crisis team.”

Something that Häger finds very frightening, however, is how long successful attacks continue to take place after crises have actually already been resolved, for example in view of the events surrounding the Log4j vulnerability. “We put a lot of effort into this, especially at the beginning. The Log4j crisis was over, but many organizations were still vulnerable and had inadequate response capabilities. But nobody investigates it anymore,” complains the head of department from the BSI.

How to increase the speed of response?

Asked by moderator Dr. Eva-Charlotte Proll, editor-in-chief and publisher at Behörden Spiegel, what would help in view of these insights, he describes the typical procedure and decision-making process in the current, exemplary checkpoint incident: “Whether something is a crisis or not is expert knowledge. In this case, it was a flaw that was initiated and exploited by state actors.” Action was needed at the latest when the checkpoint backdoor was beginning to be exploited by other (non-state) attackers. Knowledge of this specific threat situation is also of key importance for those affected.

Also Jan Oliver Wagner once again emphasized the importance of the knowledge factor. Often the threat situation is not being discussed appropriately. At the beginning of 2024, for example, an important US authority (NIST) reduced the amount of information in its vulnerability database – a critical situation for every vulnerability management provider and their customers. Furthermore, the fact that NIST is still not defined as a critical infrastructure shows that action is needed.

The information provided by NIST is central to the National Cyber Defense Center’s ability to create a situational picture as well, agrees Färber. This also applies to cooperation with the industry: several large companies “boast that they can deliver exploit lists to their customers within five minutes. We can improve on that, too.”

Carsten Meywirth, Head of Department at the BKA, emphasized the differences between state and criminal attacks, also using the example of the supply chain attack on Solarwinds. Criminal attackers often have little interest in causing a crisis because too much media attention might jeopardize their potential financial returns. And security authorities need to stay ahead of the wave – which requires intelligence and the potential to disrupt the attackers’ infrastructure.

BKA: International cooperation

According to Major General Färber, Germany is always among the top 4 countries in terms of attacks. The USA is always in first place, but states like Germany end up in the attackers’ dragnets so massively simply because of their economy’s size. This is what makes outstanding international cooperation in investigating and hunting down perpetrators so important. “Especially the cooperation of Germany, the USA and the Netherlands is indeed very successful, but the data sprints with the Five Eyes countries (USA, UK, Australia, Canada and New Zealand) are also of fundamental importance, because that is where intelligence findings come to the table, are being shared and compared. “Successful identification of perpetrators is usually impossible without such alliances,” says Michael Färber. But Germany is well positioned with its relevant organizations: “We have significantly greater redundancy than others, and that is a major asset in this fight.” In the exemplary “Operation Endgame“, a cooperation between the security authorities and the private sector launched by the FBI, the full power of these structures is now becoming apparent. “We must and will continue to expand this.”

“We need an emergency number for local authorities in IT crises”

Getting ahead of the situation like this is still a dream of the future for the municipalities. They are heavily reliant on inter-federal support and a culture of cooperation in general. An up-to-date picture of the situation is “absolutely important” for them, Katrin Giebel from VITAKO reports. As a representative of the municipal IT service providers, she is very familiar with many critical situations and the needs of the municipalities – from staff shortages to a lack of expertise or an emergency number for IT crises that is still missing today. Such a hotline would not only be helpful, but it would also correspond to the definition from Wagner’s introductory presentation: “A cyber nation protects itself by helping companies to protect themselves.”

BSI: prevention is the most important thing

Even if the BSI does not see itself in a position to fulfil such a requirement on its own, this decentralized way of thinking has always been internalized. But whether the BSI should be developed into a central office in this sense is something that needs to be discussed first, explains Dirk Häger from the BSI. “But prevention is much more important. Anyone who puts an unsecured system online today will quickly be hacked. The threat is there. We must be able to fend it off. And that is exactly what prevention is.”

Wagner adds that information is key to this. And distributing information is definitely a task for the state, which is where he sees the existing organizations in the perfect role.

Sponsor wall of the PITS Congress 2024 with logos of leading IT security companies such as Greenbone, Cisco, HP and other partners from government and industry.

Contact Test Now Buy Here Back to Overview

/by
Dirk Boeing

NIS2: From impending doom to effective measures

Winter is coming: The motto of House Stark from the series “Game of Thrones” indicates the approach of an undefined disaster. One could also surmise something similar when reading many articles that are intended to set the mood for the upcoming NIS2 Implementation Act (NIS2UmsuCG). Is NIS2 a roller of ice and fire that will bury the entire European IT landscape and from which only those who attend one of the countless webinars and follow all the advice can save themselves?

NIS2 as such is merely a directive issued by the EU. It is intended to ensure the IT security of operators of important and critical infrastructures, which may not yet be optimal, and to increase cyber resilience. Based on this directive, the member states are now called upon to create a corresponding law that transposes this directive into national law.

What is to be protected?

The NIS Directive was introduced by the EU back in 2016 to protect industries and service providers relevant to society from attacks in the cybersphere. This regulation contains binding requirements for the protection of IT structures in companies that operate as critical infrastructure (KRITIS) operators. These are companies that play an indispensable role within society because they operate in areas such as healthcare services, energy supply and transport. In other words, areas where deliberately caused disruptions or failures can lead to catastrophic situations – raise your hand if your household is equipped to survive a power outage lasting several days with all its consequences…

As digitalisation continues to advance, the EU had to create a follow-up regulation (NIS2), which on the one hand places stricter requirements on information security, but on the other hand also covers a larger group of companies that are “important” or “particularly important” for society. These companies are now required to fulfil certain standards in information security.

Although the NIS2 Directive was already adopted in December 2022, the member states have until 17 October 2024 to pass a corresponding implementing law. Germany will probably not make it by then. Nevertheless, there is no reason to sit back. The NIS2UmsuCG is coming, and with it increased demands on the IT security of many companies and institutions.

Who needs to act now?

Companies from four groups are affected. Firstly, there are the particularly important organisations with 250 or more employees or an annual turnover of 50 million euros and a balance sheet total of 43 million euros or more. A company that fulfils these criteria and is active in one of the following sectors: energy, transport, finance/insurance, health, water/sewage, IT and telecommunications or space is particularly important.

In addition, there are the important organisations with 50 or more employees or a turnover of 10 million euros and a balance sheet total of 10 million euros. If a company fulfils these criteria and is active in one of the following sectors: postal/courier, chemicals, research, manufacturing (medical/diagnostics, IT, electrical, optical, mechanical engineering, automotive/parts, vehicle construction), digital services (marketplaces, search engines, social networks), food (wholesale, production, processing) or waste disposal (waste management), it is considered important.

In addition to particularly important and important facilities, there are also critical facilities, which continue to be defined by the KRITIS methodology. Federal facilities are also regulated.

What needs to be done?

In concrete terms, this means that all affected companies and institutions, regardless of whether they are “particularly important” or “important”, must fulfil a series of requirements and obligations that leave little room for interpretation and must therefore be strictly observed. Action must be taken in the following areas:

Risk management

Affected companies are obliged to introduce comprehensive risk management. In addition to access control, multi-factor authentication and single sign-on (SSO), this also includes training and incident management as well as an ISMS and risk analyses. This also includes vulnerability management and the use of vulnerability and compliance scans.

Reporting obligations

All companies are obliged to report “significant security incidents”: these must be reported to the BSI reporting centre immediately, but within 24 hours at the latest. Further updates must be made within 72 hours and 30 days.

Registration

Companies are obliged to determine for themselves whether they are affected by the NIS2 legislation and to register themselves within a period of three months. Important: Nobody tells a company that it falls under the NIS2 regulation and must register. The responsibility lies solely with the individual companies and their directors.

Evidence

It is not enough to simply take the specified precautions; appropriate evidence must also be provided. Important and particularly important facilities will be inspected by the BSI on a random basis, and appropriate documentation must be submitted. KRITIS facilities will be inspected on a regular basis every three years.

Duty to inform

In future, it will no longer be possible to sweep security incidents under the carpet. The BSI will be authorised to issue instructions to inform customers about security incidents. The BSI will also be authorised to issue instructions on informing the public about security incidents.

Governance

Managing directors are obliged to approve risk management measures. Training on the topic will also become mandatory. Particularly serious: Managing directors are personally liable with their private assets for breaches of duty.

Sanctions

In the past, companies occasionally preferred to accept the vague possibility of a fine rather than making concrete investments in cyber security measures, as the fine seemed quite acceptable. NIS2 now counters this with new offences and in some cases drastically increased fines. This is further exacerbated by the personal liability of managing directors.

As can be seen, the expected NIS2 implementation law is a complex structure that covers many areas and whose requirements can rarely be covered by a single solution.

What measures should be taken as soon as possible?

Continuously scan your IT systems for vulnerabilities. This will uncover, prioritise and document security gaps as quickly as possible. Thanks to regular scans and detailed reports, you create the basis for documenting the development of the security of your IT infrastructure. At the same time, you fulfil your obligation to provide evidence and are well prepared in the event of an audit.

On request, experts can take over the complete operation of vulnerability management in your company. This also includes services such as web application pentesting, which specifically identifies vulnerabilities in web applications. This covers an important area in the NIS2 catalogue of requirements and fulfils the requirements of § 30 (risk management measures).

Conclusion

There is no single, all-encompassing measure that will immediately make you fully NIS2-compliant. Rather, there are a number of different measures that, taken together, provide a good basis. One component of this is vulnerability management with Greenbone. If you keep this in mind and put the right building blocks in place in good time, you will be on the safe side as an IT manager. And winter can come.

Contact Test Now Buy Here Back to Overview

/by
Markus Feilner

Protection of Office Suites: Greenbone Integrates Additional BSI Basic and CIS Guidelines

The IT-Grundschutz-Compendium of the Federal Office for Information Security (BSI) has, in recent years, provided clear guidelines for users of Microsoft Office. Since April 2024, Greenbone’s enterprise products have integrated tests to verify whether a company is implementing these instructions. The BSI guidelines are aligned with the Center for Internet Security (CIS) guidelines.

In the section “APP:Applications 1.1. Office Products” the BSI specifies the “requirements for the functionality of Office product components.” The goal is to protect the data processed and used by the Office software. While Microsoft Office is likely the primary reference due to its widespread market penetration, the model behind the BSI guidelines aims to apply to any office product “that is locally installed and used to view, edit, or create documents, excluding email applications.”

BSI Guidelines

The module explicitly builds on the requirements of the “APP.6 General Software” component and refers to the modules “APP.5.3 General Email Client,” “APP.4.3 Relational Databases,” and “OPS.2.2 Cloud Usage,” although it expressly does not consider these.

The BSI identifies three main threats to Office suites:

  • Lack of customization of Office products to the institution’s needs
  • Malicious content in Office documents
  • Loss of integrity of Office documents

The components listed in the BSI IT-Grundschutz-Compendium include 16 points, some of which have since been removed. Greenbone has developed several hundred tests, primarily addressing five of the basic requirements, including “Secure opening of documents from external sources” (APP.1.1. A3) and “Use of encryption and digital signatures” listed in APP.1.1. A15. The BSI specifies:

“All documents obtained from external sources MUST be checked for malware before being opened. All file formats deemed problematic and all unnecessary within the institution MUST be banned. If possible, they SHOULD be blocked. Technical measures SHOULD enforce that documents from external sources are checked.”

Regarding encryption, it states: “Data with increased protection requirements SHOULD only be stored or transmitted in encrypted form. Before using an encryption method integrated into an Office product, it SHOULD be checked whether it offers sufficient protection. Additionally, a method SHOULD be used that allows macros and documents to be digitally signed.”

CIS Guidelines Enhance Basic Protection

In addition to the requirements listed in the BSI Basic Protection Manual, the CIS Benchmark from the Center for Internet Security (CIS) for Microsoft Office includes further and more specific suggestions for securing Microsoft products. The CIS guidelines are developed by a community of security experts and represent a consensus-based best practice collection for Microsoft Office.

As one of the first and only vulnerability management providers, Greenbone now offers tests on security-relevant features mentioned in the CIS guidelines, uniting CIS and BSI instructions in numerous, sometimes in-depth tests, such as on ActiveX Control Initialization in Microsoft Office. The Greenbone Vulnerability Management tests whether this switch is set to “enabled”, but also many other settings, for example, whether “Always prevent untrusted Microsoft Query files from opening” is set to “Enabled” among many others.

Many tests focus on external content, integrating macros, and whether and how these external contents are signed, verifiable, and thus trustworthy or not, and whether administrators have done their homework in configuring Microsoft Office. According to the BSI, one of the most significant threats (and the first mentioned) is the lack of adaptation of Office products to the reality and the business processes in the company. Greenbone’s new tests ensure efficient compliance with regulations, making it harder for attackers and malware to establish a foothold and cause damage in the company.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

PITS 2024 Public IT Security

Save the date: The “German Congress for IT and Cyber Security in Government and Administration” (June 12 to 13, 2024) provides information on current trends, strategies and solutions in IT security.

In the main program: “IT support for early crisis detection” (Moderation: Dr. Eva-Charlotte Proll, Editor-in-Chief and Publisher, Behörden Spiegel).

Participants:

  • Dr. Jan-Oliver Wagner, Chief Executive Officer Greenbone
  • Carsten Meywirth, Head of the Cybercrime Division, Federal Criminal Police Office
  • Generalmajor Dr. Michael Färber, Head of Planning and Digitization, Cyber & Information Space Command
  • Katrin Giebel, Branch Manager, VITAKO Bundesverband kommunaler IT-Dienstleister e.V.
  • Dr. Dirk Häger, Head of the Operational Cybersecurity Department, Federal Office for Information Security (BSI)

Where? Berlin, Hotel Adlon Kempinski, Unter den Linden 77
When? 13.06.2024; 9:40 a.m.

Vulnerabilities in IT systems are increasingly being exploited by malicious attackers. You can protect your IT systems with vulnerability management. Visit us in our lounge at stand 44 – we look forward to seeing you!

Registration: https://www.public-it-security.de/anmeldung/

Contact Test Now Buy Here Back to Overview

/by
Markus Feilner

Municipalities, authorities and companies under pressure: serious attacks on the rise, NIS2 becomes mandatory

After experts noticed a rapid increase in cyberattacks on local authorities and government agencies in 2023, the horror stories don’t stop in 2024. The pressure to act is enormous, as the EU’s NIS2 Directive will come into force in October and makes risk and vulnerability management mandatory.

“The threat level is higher than ever,” said Claudia Plattner, President of the German Federal Office for Information Security (BSI), at Bitkom in early March. The question is not whether an attack will be successful, but only when. The BSI’s annual reports, for example the most recent report from 2023, also speak volumes in this regard. However, according to Plattner, it is striking how often local authorities, hospitals and other public institutions are at the centre of attacks. There is “not a problem with measures but with implementation in companies and authorities”, said Plattner. One thing is clear: vulnerability management such as Greenbone’s can provide protection and help to avoid the worst.

US authorities infiltrated by Chinese hackers

In view of the numerous serious security incidents, vulnerability management is becoming more important every year. Almost 70 new security vulnerabilities have been added every day in recent months. Some of them opened the door to attackers deep inside US authorities, as reported in the Greenbone Enterprise Blog:

According to the media, US authorities have been infiltrated by Chinese hacker groups such as the probably state-sponsored “Volt Typhoon” for years via serious security gaps. The fact that Volt Typhoon and similar groups are a major problem was even confirmed by Microsoft itself in a blog back in May 2023. But that’s not all: German media reported that Volt Typhoon is taking advantage of the abundant vulnerabilities in VPN gateways and routers from FortiNet, Ivanti, Netgear, Citrix and Cisco. These are currently considered to be particularly vulnerable.

The fact that the quasi-monopolist in Office, groupware, operating systems and various cloud services also had to admit in 2023 that it had the master key for large parts of its Microsoft cloud let stolen destroyed trust in the Redmond software manufacturer in many places. Anyone who has this key doesn’t need a backdoor for Microsoft systems any longer. Chinese hackers are also suspected in this case.

Software manufacturers and suppliers

The supply chain for software manufacturers has been under particular scrutiny by manufacturers and users not only since log4j or the European Cyber Resilience Act. The recent example of the attack on the XZ compression algorithm in Linux also shows the vulnerability of manufacturers. In the case of the “#xzbackdoor”, a combination of pure coincidence and the activities of Andres Freund, a German developer of open source software for Microsoft with a strong focus on performance, prevented the worst from happening.

An abyss opened up here: It was only thanks to open source development and a joint effort by the community that it came to light that actors had been using changing fake names with various accounts for years with a high level of criminal energy and with methods that would otherwise be more likely to be used by secret services. With little or no user history, they used sophisticated social scams, exploited the notorious overload of operators and gained the trust of freelance developers. This enabled them to introduce malicious code into software almost unnoticed. In the end, it was only thanks to Freund’s interest in performance that the attack was discovered and the attempt to insert a backdoor into a tool failed.

US officials also see authorities and institutions as being particularly threatened in this case, even if the attack appears to be rather untargeted and designed for mass use. The issue is complex and far from over, let alone fully understood. One thing is certain: the usernames of the accounts used by the attackers were deliberately falsified. We will continue to report on this in the Greenbone blog.

European legislators react

Vulnerability management cannot prevent such attacks, but it provides indispensable services by proactively warning and alerting administrators as soon as such an attack becomes known – usually before an attacker has been able to compromise systems. In view of all the difficulties and dramatic incidents, it is not surprising that legislators have also recognised the magnitude of the problem and are declaring vulnerability management to be standard and best practice in more and more scenarios.

Laws and regulations such as the EU’s new NIS2 directive make the use of vulnerability management mandatory, including in the software supply chain. Even if NIS2 only actually applies to around 180,000 organisations and companies in the critical infrastructure (KRITIS) or “particularly important” or “significant” companies in Europe, the regulations are fundamentally sensible – and will be mandatory from October. The EU Commission emphasises that “operators of essential services” must “take appropriate security measures and inform the competent national authorities of serious incidents”. Important providers of digital services such as search engines, cloud computing services and online marketplaces must fulfil the security and notification requirements of the directive.”

Mandatory from October: A “minimum set of cyber security measures”

The “Directive on measures for a high common level of cybersecurity across the Union (NIS2)” forces companies in the European Union to “implement a benchmark of minimum cybersecurity measures”, including risk management, training, policies and procedures, also and especially in cooperation with software suppliers. In Germany, the federal states are to define the exact implementation of the NIS2 regulations.

Do you have any questions about NIS2, the Cyber Resilience Act (CRA), vulnerability management in general or the security incidents described? Write to us! We look forward to working with you to find the right compliance solution and give your IT infrastructure the protection it needs in the face of today’s serious attacks.

To make our ecological progress even more sustainable, we keep up to date with regular internal training courses on energy efficiency. In this way, we are helping to make the world even “greener” outside of Greenbone.

Contact Test Now Buy Here Back to Overview

/by
Markus Feilner

CISA warning: Serious Security Vulnerability in MS Sharepoint

Two security vulnerabilities in Sharepoint – both from last year – are currently causing trouble for Sharepoint administrators. Because attackers are increasingly exploiting a combination of the two vulnerabilities, the Cybersecurity Infrastructure Security Agency CISA is now also issuing a warning. Affected customers of the Greenbone Enterprise Feed have been warned since June 2023.

Tracking-News: Critical Vunerability in MS Sharepoint

Remote Privilege Execution

The two vulnerabilities CVE-2023-29357 and CVE-2023-24955 together allow attackers to remotely gain administrator rights in a company’s SharePoint server. Details of the attack were published back in September 2023 at the Pwn2Own conference in Vancouver 2023 and can be found on the Singapore Starlabs blog, for example.

Massive attacks have now led to CISA recently issuing a warning about these vulnerabilities and including CVE-2023-29357 in its catalog of known exploited vulnerabilities. However, Greenbone has already had authenticated version checks for both CVEs since around June 2023 and an active check for CVE-2023-29357 since October 2023. Customers of the enterprise products have been receiving these CVEs as a threat for several months – in authenticated and unauthenticated scan mode.

Microsoft advises its customers on its website to update to the SharePoint Server 2019 version of June 13, 2023, (KB5002402), which fixes five critical vulnerabilities, including the first CVE mentioned by CISA. Furthermore, all administrators should install the antivirus software AMSI and activate Microsoft Defender in the SharePoint server. Otherwise, attackers could bypass authentication with fake authentication tokens and gain administrator rights.

Recognising and detecting vulnerabilities in the company at an early stage is important, as the many reports of damaging vulnerabilities show. Greenbone products can take on a lot of work here and ensure security – as a hardware- or as a virtual appliance. The Greenbone Enterprise Feed, which feeds all Greenbone security products, receives daily updates and therefore covers a high percentage of risks.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Tracking News: Juniper Junos Vulnerabilities

5 Known Juniper Junos Vulnerabilities Being Actively Exploited

CISA has added 5 CVEs relating to Juniper Junos (aka Junos OS), to its Known Exploited Vulnerabilities (KEV) catalog. The full exploit chain involves combining several lower-severity CVEs to achieve pre-authentication remote code execution (RCE). The 5 CVEs range in severity from CVSS 9.8 Critical to CVSS 5.3 Medium. Greenbone is equipped with vulnerability tests to identify affected systems.

Understanding the timeline of events should help network defenders grasp how rapidly cyber threats can escalate. In this case a proof-of-concept (PoC) was published just 8 days after the vendor Juniper released its security advisory. Security researchers observed active exploitation just 12 days after the disclosure. Still, it was not until several months later that CISA acknowledged active exploitation. Greenbone Enterprise vulnerability feed added detection tests [1][2] for all impacted versions of the two affected product lines (EX Series Series Ethernet Switches and SRX Series Series Services Gateways) on August 18, 2023, immediately after they were disclosed.

Here is a brief description of each CVE:

  • CVE-2023-36844 (CVSS 5.3 Medium): A PHP External Variable Modification [CWE-473] vulnerability exists in J-Web, a tool used for remote configuration and management of Junos OS. The vulnerability allows an unauthenticated, network-based attacker to modify sensitive PHP environment variables. CVE-2023-36844 allows chaining to other vulnerabilities that lead to unauthenticated RCE.
  • CVE-2023-36845 (CVSS 9.8 Critical): A PHP External Variable Modification vulnerability [CWE-473] in J-Web allows an unauthenticated, network-based attacker to remotely execute code. Using a crafted request that sets the variable PHPRC an attacker is able to modify the PHP execution environment to inject and execute code.
  • CVE-2023-36846 (CVSS 5.3 Medium): A Missing Authentication for Critical Function [CWE-306] vulnerability in Juniper Networks Junos OS allows an unauthenticated, network-based attacker to impact file system integrity with a specific request to user.php via J-Web. Without authentication, an attacker is able to upload arbitrary files [CWE-434] which allows chaining to other vulnerabilities including unauthenticated RCE.
  • CVE-2023-36847 (CVSS 5.3 Medium): A Missing Authentication for Critical Function [CWE-306] vulnerability in Juniper Networks Junos OS allows an unauthenticated, network-based attacker to impact file system integrity. With a malicious request to installAppPackage.php via J-Web an attacker is able to upload arbitrary files [CWE-434] without authentication, which may allow chaining to other vulnerabilities that lead to RCE.
  • CVE-2023-36851 (CVSS 5.3 Medium): A Missing Authentication for Critical Function [CWE-306] vulnerability in Juniper Networks Junos OS allows an unauthenticated, network-based attacker to impact file system integrity. With a specific request to webauth_operation.php that doesn’t require authentication, an attacker is able to upload arbitrary files via J-Web [CWE-434], leading to a loss of integrity for a certain part of the file system and chaining to other vulnerabilities.

Understanding The Attack Trajectory

Several of the CVEs listed above are classified as Missing Authentication for Critical Function [CWE-306] vulnerabilities meaning that various functions of the J-Web device management web application do not implement proper authentication checks.

Here is a summary of how these vulnerabilities were chained together for unauthenticated RCE:

The J-Web application is written in PHP which, as the watchTowr researchers noted, is known for its usability at the cost of security. In the case of CVE-2023-36846, J-web’s `webauth_operation.php` file implemented a different method for authentication than the rest of the application. This file instead invokes the `sajax_handle_client_request()` function and submits the value of ‘false’ as the `doauth` parameter, resulting in no authentication being performed. The aforementioned `sajax_handle_client_request()` function is designed to execute J-web’s built-in functions by specifying them as a $_POST variable, including the `do_upload()` function, used to upload files.

CVE-2023-36845 is a vulnerability in the Junos web server that allows system environment variables to be set via the `name` field of an HTTP POST request when a`Content-Type: multipart/form-data` header is used. Two exploits matching the description of CVE-2023-36845 were previously disclosed for the GoAhead IoT web server and tracked as CVE-2017-17562 and CVE-2021-42342, indicating that the Junos web server likely implements the GoAhead proprietary web-server.

Executing the uploaded file is possible by setting the PHPRC environment variable, using it to load an unauthorized PHP configuration `php.ini` file also uploaded via CVE-2023-36846 that contains a malicious `auto_prepend_file` setting directing PHP to execute the first uploaded file every time a page is loaded. Here is the complete example chain

Mitigation Of Recent Juniper Junos Vulnerabilities

The 5 new CVEs affect Juniper Networks Junos OS on EX Series Series Ethernet Switches and SRX Series Series Services Gateways. Specifically Junos OS version 20.4 and prior, 21.1, 21.2, 21.3, 21.4, 22.1, 22.2, 22.3, 22.4 and 23.2 on the EX and SRX Series appliances.

The best mitigation option is to install the security patches to Junos OS. If you cannot install the official provided security patches, completely disabling the J-Web interface, or configuring firewalls with an accept list to restrict access to only trusted hosts can prevent exploitation. In general, strictly limiting access to critical servers and network appliances to only client IP addresses that require access can prevent exploitation of similar yet undiscovered remotely exploitable zero-day vulnerabilities.

Contact Test Now Buy Here Back to Overview

/by