Nexpose
Today I'd like to highlight an often overlooked but very handy analysis option in Nexpose - filtering assets based on their discovered vulnerability CVSS Impact Metrics (Confidentiality, Integrity, Availability).

 

We will use RealContext tags and Filtered Asset Search to answer the following questions:

  • Are there any Availability Impact findings on High Availability systems? (e.g. web servers, authentication servers)
  • Are there any Confidentiality Impact findings on systems with Highly Confidential data? (e.g. HR systems, finance systems)
  • Are there any Integrity Impact findings on systems which should be High Integrity? (e.g. security systems, credential management systems, domain controllers)

 

Filtered Asset Search

You can get to the Filtered Asset search feature using the Filter icon in the upper right of the UI or by selecting "Dynamic Asset Group" in the Create menu at the top.

 

ImpactAnalysis1.png

 

The Filtered Asset search feature allows you to search for assets based on the specific CVSS Impact Metrics of the asset's discovered vulnerabilities. The same goes for CVSS Exploitability Metrics. Take a look:

 

ImpactAnalysis2.png

RealContext Tagging

RealContext asset tagging allows you to add your specific business context information to the technical data gathered by Nexpose. All you need to do is get a list of all High Availability (or High Confidentiality, or High Integrity) systems in your environment and tag those assets accordingly in Nexpose.

 

Putting It Together - High Availability Risk Analysis

When you combine the RealContext tag data with the CVSS Impact Metric filtering option in Nexpose, things get really interesting. You can set up a search to explicitly find High Availability assets which have Availability Impact findings on them, like this:

 

ImpactAnalysis3.png

 

You can save your search results in an Asset Group (either Dynamic or Static) or as a dynamic RealContext tag for ongoing analysis. I would call this group 'High Availability Risk' myself, but you can choose any name you like.  If you configure a Dynamic Asset Group, this list will automatically update with each new scan.

 

High Availability Risk Reporting

Nexpose provides the ability to filter vulnerability findings in a report.  This is a great feature which lets you filter by severity and vulnerability category. Unfortunately for our immediate purposes, the report filtering does not let us filter on CVSS Impact Metrics. But don't worry!

 

For advanced reporting needs, Nexpose has a flexible SQL Query Export option.  You can find this by going to "Create a report" and selecting the Export tab within the Reports view.

ImpactAnalysis4.png

Here's a query that lists all vulnerabilities with Partial or Complete Availability Impact findings, and the solutions for those vulnerabilities.  Note the use of the cvss_availability_impact_id field from the dim_vulnerability table and the use of the dim_cvss_availability_impact table:

 

SELECT dsite.name AS "Site", da.ip_address AS "Asset IP", da.host_name AS "Asset Hostname", dv.title AS "Vulnerability", ds.summary AS "Solution", dcai.description AS "CVSS Availability Impact"
FROM fact_asset_vulnerability_instance AS fav
JOIN fact_vulnerability AS fv ON fav.vulnerability_id = fv.vulnerability_id
JOIN dim_vulnerability AS dv ON fav.vulnerability_id = dv.vulnerability_id
JOIN dim_site_asset AS dsa ON fav.asset_id = dsa.asset_id
JOIN dim_site AS dsite ON dsa.site_id = dsite.site_id
JOIN dim_asset AS da ON fav.asset_id = da.asset_id
JOIN dim_vulnerability_solution AS dvs ON fv.vulnerability_id = dvs.vulnerability_id
JOIN dim_solution AS ds ON dvs.solution_id = ds.solution_id
JOIN dim_cvss_availability_impact AS dcai ON dv.cvss_availability_impact_id = dcai.type_id
WHERE dv.cvss_availability_impact_id = 'P' OR dv.cvss_availability_impact_id = 'C'
GROUP BY dsite.name, da.ip_address, da.host_name, dv.title, ds.summary, dcai.description
ORDER BY dsite.name ASC

 

If you save this Custom SQL Export query and set the scope using the 'High Availability Risk' asset group from earlier, you will get a targeted list of the Partial and Complete Availability Impact vulnerabilities on your High Availability assets.

 

To learn more about working with SQL Query Exports in Nexpose, and some example queries, see this Nexpose Reporting area of the Rapid7 Community site.

 

Success!

One of the initial questions posed was, "are there any Availability Impact findings on High Availability systems?" By leveraging the Filtered Asset Search and RealContext Tag features, we are able to create a 'High Availability Risk' asset group and a 'High Availability Risk' CSV report - with solutions included. This definitively answers the question and provides remediation recommendations. I call that a win!

 

You can apply the same approach for High Confidentiality and High Integrity risk analysis following the steps below:

  • Tag your High Confidentiality or High Integrity assets accordingly
  • Use the Filtered Asset Search feature to create 'High Confidentiality Risk' and 'High Integrity Risk' Dynamic Asset Groups
  • Set up a SQL report for your findings. Adjust the query above - swap out the 'availability' fields and tables for the corresponding 'confidentiality' and 'integrity' fields and tables.
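To carry the three steps above through for all three impact dimensions, here is an added example (not code from this post or from Nexpose) that parameterizes the availability query over Confidentiality, Integrity and Availability and runs it against a small, constructed in-memory SQLite copy of the tables it joins. The availability column and lookup table names are the ones used in the query above; the confidentiality and integrity names are assumed to follow the same naming pattern, and the sample site, assets, vulnerabilities and solutions are constructed.

```python
import sqlite3

# Nexpose reporting-model names for each CVSS impact dimension. The availability
# pair is the one used by the query in the post; the confidentiality and integrity
# pairs are assumed to follow the same naming pattern.
IMPACT_DIMENSIONS = {
    "availability": ("cvss_availability_impact_id", "dim_cvss_availability_impact"),
    "confidentiality": ("cvss_confidentiality_impact_id", "dim_cvss_confidentiality_impact"),
    "integrity": ("cvss_integrity_impact_id", "dim_cvss_integrity_impact"),
}


def build_impact_query(dimension):
    """Return the post's query with the availability names swapped for `dimension`.
    The dimension is checked against the fixed allow-list above, so only known
    identifiers are ever interpolated into the SQL text."""
    if dimension not in IMPACT_DIMENSIONS:
        raise ValueError(f"unknown CVSS impact dimension: {dimension!r}")
    column, lookup_table = IMPACT_DIMENSIONS[dimension]
    return f"""
        SELECT dsite.name AS "Site", da.ip_address AS "Asset IP",
               da.host_name AS "Asset Hostname", dv.title AS "Vulnerability",
               ds.summary AS "Solution", imp.description AS "CVSS {dimension.title()} Impact"
        FROM fact_asset_vulnerability_instance AS fav
        JOIN fact_vulnerability AS fv ON fav.vulnerability_id = fv.vulnerability_id
        JOIN dim_vulnerability AS dv ON fav.vulnerability_id = dv.vulnerability_id
        JOIN dim_site_asset AS dsa ON fav.asset_id = dsa.asset_id
        JOIN dim_site AS dsite ON dsa.site_id = dsite.site_id
        JOIN dim_asset AS da ON fav.asset_id = da.asset_id
        JOIN dim_vulnerability_solution AS dvs ON fv.vulnerability_id = dvs.vulnerability_id
        JOIN dim_solution AS ds ON dvs.solution_id = ds.solution_id
        JOIN {lookup_table} AS imp ON dv.{column} = imp.type_id
        WHERE dv.{column} IN ('P', 'C')
        GROUP BY dsite.name, da.ip_address, da.host_name, dv.title, ds.summary, imp.description
        ORDER BY dsite.name ASC
    """


# Minimal stand-in for the reporting tables the query joins (constructed, SQLite).
SCHEMA = """
CREATE TABLE dim_site (site_id INTEGER, name TEXT);
CREATE TABLE dim_asset (asset_id INTEGER, ip_address TEXT, host_name TEXT);
CREATE TABLE dim_site_asset (site_id INTEGER, asset_id INTEGER);
CREATE TABLE dim_vulnerability (vulnerability_id INTEGER, title TEXT,
    cvss_confidentiality_impact_id TEXT, cvss_integrity_impact_id TEXT,
    cvss_availability_impact_id TEXT);
CREATE TABLE fact_vulnerability (vulnerability_id INTEGER);
CREATE TABLE fact_asset_vulnerability_instance (asset_id INTEGER, vulnerability_id INTEGER);
CREATE TABLE dim_vulnerability_solution (vulnerability_id INTEGER, solution_id INTEGER);
CREATE TABLE dim_solution (solution_id INTEGER, summary TEXT);
CREATE TABLE dim_cvss_confidentiality_impact (type_id TEXT, description TEXT);
CREATE TABLE dim_cvss_integrity_impact (type_id TEXT, description TEXT);
CREATE TABLE dim_cvss_availability_impact (type_id TEXT, description TEXT);
"""


def sample_impact_db():
    """Constructed sample data: one site, two assets, two vulnerabilities whose
    CVSS impact vectors differ in every dimension."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for _, table in IMPACT_DIMENSIONS.values():
        conn.executemany(f"INSERT INTO {table} VALUES (?, ?)",
                         [("N", "None"), ("P", "Partial"), ("C", "Complete")])
    conn.execute("INSERT INTO dim_site VALUES (1, 'Sample Site')")
    conn.executemany("INSERT INTO dim_asset VALUES (?, ?, ?)",
                     [(10, "10.0.0.10", "web01"), (11, "10.0.0.11", "hr01")])
    conn.executemany("INSERT INTO dim_site_asset VALUES (1, ?)", [(10,), (11,)])
    # (id, title, C, I, A): a crash bug hitting availability only, and an
    # information leak hitting confidentiality fully and integrity partially.
    conn.executemany("INSERT INTO dim_vulnerability VALUES (?, ?, ?, ?, ?)",
                     [(100, "Sample service crash", "N", "N", "C"),
                      (200, "Sample information leak", "C", "P", "N")])
    conn.executemany("INSERT INTO fact_vulnerability VALUES (?)", [(100,), (200,)])
    conn.executemany("INSERT INTO fact_asset_vulnerability_instance VALUES (?, ?)",
                     [(10, 100), (11, 200)])
    conn.executemany("INSERT INTO dim_vulnerability_solution VALUES (?, ?)",
                     [(100, 1), (200, 2)])
    conn.executemany("INSERT INTO dim_solution VALUES (?, ?)",
                     [(1, "Apply the vendor patch"), (2, "Upgrade to the fixed release")])
    return conn


def impact_findings(conn, dimension):
    """Run the report query for one dimension; return (hostname, title, impact) rows."""
    rows = conn.execute(build_impact_query(dimension)).fetchall()
    return [(host, title, impact) for _, _, host, title, _, impact in rows]


if __name__ == "__main__":
    db = sample_impact_db()
    for dim in IMPACT_DIMENSIONS:
        print(f"{dim:16s} {impact_findings(db, dim)}")
```

The allow-list lookup is the point to keep when you adapt this: the dimension selects column and table names, which cannot be bound as query parameters, so validating it against a fixed mapping is what keeps the report generator from ever interpolating arbitrary text into the SQL. Against a real Nexpose console the same query text is pasted into the SQL Query Export as-is.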

 

If you'd like to see this reporting capability baked in to the vulnerability filtering possible in the Nexpose Reporting UI - so would I!  I've created an idea in our Idea Portal.  All you have to do is click here, log in with your customer (or employee) support credentials, and vote!

 

Custom Targeted Analytics

If your organization wants deep analytics customized to your priorities, the Rapid7 Global Services team is always happy to help! We develop targeted analytics for: custom reports, custom SQL queries, custom dashboards, custom integrations (e.g. ticketing systems, asset management systems), and more. Your Customer Success Manager (CSM) can get the conversation started about requirements, scoping, and all that fun stuff.

 

Thanks, and stay tuned for more!

Patch Tuesday, May 2016

Posted by anowak Employee May 11, 2016

May continues a long-running trend with Microsoft where the majority of bulletins (10) address remote code execution (RCE) vulnerabilities; the remaining address elevation of privilege (2), information disclosure (2) and security feature bypass. All critical bulletins are remote code execution issues affecting a variety of products and platforms including Adobe Flash Player, Edge, Internet Explorer, .NET Framework, Office, Office Services and Web Apps and Windows (client and server).

 

Looking back at the last 12 months of security bulletins, a resounding trend emerges; the majority of these bulletins address remote code execution vulnerabilities. Microsoft is unable to permanently address these vulnerabilities, which predominantly affect consumer applications such as Edge, Internet Explorer, Microsoft Office and .NET. Unfortunately, this leads to one of the single largest attack vectors, consumers/end-users. Fortunately, Microsoft actively works on resolving these issues as witnessed in the overwhelming number of critical RCE bulletins.

 

This month, Microsoft resolves 33 vulnerabilities across 16 bulletins, with MS16-051, MS16-052, MS16-053, MS16-055, and MS16-062 as the bulletins to watch out for, addressing 20 vulnerabilities. Users should pay particular attention to the following bulletins, as they resolve vulnerabilities that are known to have been exploited (CVE-2016-0149, CVE-2016-0189):

 

  • MS16-051 - Cumulative Security Update for Internet Explorer
  • MS16-053 - Cumulative Security Update for JScript and VBScript
  • MS16-065 - Security Update for .NET Framework

 

Users should also be wary of untrusted sources, as maliciously crafted content could allow an attacker to remotely execute code in order to gain the same rights as your user account. Your best protection against these threats is to patch as quickly as possible. Administrators, be sure to review this month’s bulletins and, in accordance with your specific configuration, prioritize your deployment of this month’s updates. At a minimum, ensure that systems affected by critical bulletins are patched.

 

Resolved Vulnerability Reference:

This year’s 2016 Verizon Data Breach Investigations Report has plenty of juicy data to pore over, and for the past week we’ve been providing recommendations for ways to improve your security program and stop attackers. The report didn’t provide any huge surprises, except for the fact that everything that was bad just keeps getting worse. We’ve had some great posts from my teammates on the Verizon Data Breach Investigations Report: Eric Sun on how it affects the incident detection and response landscape, and Kim Dinerman on the web app security space. But today it’s time to talk vulnerability management.

 

Vulnerability Management has been around for a long time, and if there’s one thing we’ve learned, practically every attack outlined in the Verizon Data Breach Investigations Report or any other industry report still involves an exploited vulnerability at some point. The DBIR provides some key controls to implement to get a handle on the never ending growth of new vulnerabilities, and wouldn’t you know it, they match up perfectly to some of the key reasons our customers love Nexpose.

 

1. Focus on what the bad guys look for first

The DBIR describes patching vulnerabilities as a “Sisyphean struggle," with more vulnerabilities being released every week. Keeping pace is difficult. To stop endlessly running up that hill (bonus points if you get the 80s Kate Bush reference), they recommend you “establish a process for vulnerability remediation that targets vulnerabilities which attackers are exploiting in the wild, followed by vulnerabilities with known exploits or proof-of-concept code." Basically, prioritize the vulnerabilities and get that stuff done first, but remember that you have to look beyond CVSS.

 

Here to help: This is what Nexpose is all about! We’re still the only solution that automatically factors known exploits into our risk scoring (including how easy the exploit is to use), and with Metasploit Pro, you can validate your vulnerabilities to see which ones an attacker could exploit in real time. Check out this quick video to see how easy it is to scan for vulnerabilities with Nexpose and then validate your vulnerabilities with Metasploit Pro.

 

2. Identify what can’t be fixed, and come up with a plan to mitigate it

Many companies have critical systems running on legacy software that they can’t update without impacting their business; that doesn’t mean you can ignore the risk. Use a defense-in-depth policy to create mitigating controls for these flaws, so that if you have to leave a hole in the wall open, make damn sure it’s fortified (think the wall tunnel in Game of Thrones).

Here to help: Nexpose makes it really easy to create exceptions for these vulnerabilities and remove them from reports, as well as set expiration dates and approval chains to make sure you revisit them when you can. You can also use Metasploit to validate those compensating controls and make sure they’re blocking the bad guys the way they should.

     Mag the Mighty, only slightly scarier than attackers


3. Use vulnerability management to figure out what’s new in your environment

Regular vulnerability scanning is like flossing in between going to the dentist; it’s a great way to keep up on security hygiene, and the DBIR suggests you use it to identify unknown assets and deviations from standard configurations.

 

Here to help: Nexpose has baseline comparison and trending reports to make it easy to see what’s new, and with adaptive security you can set up Nexpose to automatically scan and catalog new devices as they enter the network, removing a lot of the legwork that comes with today’s rapidly shifting environments. To learn more about adaptive security, check out this on-demand webcast.

 

We’d love to hear your thoughts on these controls and how you’re meeting them now! If you haven’t already, be sure to get a trial of Nexpose and/or Metasploit and take them for a spin!

 

Over the past year our Nexpose team has taken on the challenge of overhauling our product and internal processes to enable more frequent and seamless content releases. The objective is simple: get content to customers’ consoles faster without disrupting their workflow and currently running or scheduled scans. This enables security teams to respond to industry trends much faster and, coupled with our new adaptive security feature, enables low-impact delta scans of just the new or updated vulnerabilities. This ensures that the cumulative view of your assets is always fresh with current vulnerability findings. Add in some automated alerts, auto-generated reports and custom dashboards, and you’ve got a workflow for staying on top of your network.

 

Content updates include:

  • New or updated vulnerability descriptions, vulnerability checks, remediation guidance (solutions).
  • New vulnerability categories (new platforms, applications).
  • New or updated software fingerprints (operating systems and applications).
  • Updated vulnerability correlation, exploit, malware, supersedence, etc. metadata.

 

Our Content Delivery Vision

To react accurately and quickly to vendor releases of security advisories and industry trends, allowing stakeholders to contextualize risk and affected scope with minimal effort and operational impact, then take action and validate the remediation efforts.

 

Where Are We Now

We’re happy to share the news that for over a month now, we’ve been quietly releasing content updates to our customers as quickly as feasible and at minimum, on a daily basis (Monday – Friday and on weekends as needed). We’ve built automation that enables the generation, testing, packaging and seamless delivery of new content far more frequently (with no scanning impact, nor need to restart your consoles and engines). Moving forward you can expect more of the same as we continue progress towards the vision shared above.

 

How Do I Use This

So how do you take advantage of the increased update cadence? If you’re running Nexpose and have updates enabled, you’ll automatically be receiving the latest and greatest product and content enhancements. The good news is you’ve already started taking advantage of these new capabilities. Take a look at our blog post on adaptive security and automatically triggering delta scans when updated vulnerability content is released. If you’re interested, dig in a little deeper to find out how adaptive security fits into your Vulnerability Management Program. Combining frequent updates, adaptive security, and our built-in alerting and reporting capabilities, you’ve got a potent workflow to stay on top of the risk in your environment.

 

As always, we’ll continue building the functionality our customers ask for (feedback is always appreciated); we’ve got an exciting pipeline of enhancements planned that’ll further streamline the workflow to reduce your risk of a breach.

 

Onwards and upwards!

David Picotte

Manager of Engineering, Security

Starting this week, we have added a new vulnerability category: Rapid7 Critical.

 

Every vulnerability comes with various pieces of information, such as its CVE ID, CVSS score, and others. These pieces of information can be very handy, especially when you set up Automated Actions in Nexpose. Here is an example:

Screen Shot 2016-04-18 at 11.17.21 AM.png

As you can see in the example above, this trigger will initiate a scan action if new coverage becomes available that meets the criterion “CVSS score is 8 or above”. This Automated Action is ideal for assessing high-risk vulnerabilities right away. With the Rapid7 Critical vulnerability category, we are giving you another indicator for high-risk vulnerabilities.

 

You might be thinking that the above Automated Action is good enough to catch high-risk vulnerabilities, given that the criterion is to take action as soon as a vulnerability with a CVSS score of 8 or above is released. Yes, you are right! For most circumstances, the above Automated Action would be good enough. However, the Rapid7 Critical vulnerability category ensures that you do not miss any high-risk vulnerabilities at all, especially when the vulnerability is brand new.

 

When a vulnerability is new, it may not always have a CVSS score assigned to it yet. When that happens, the above Automated Action may not be fully capable of assessing the new high-risk vulnerability, simply because there is no CVSS score to check. With the Rapid7 Critical vulnerability category, we are making sure that even if there is no CVSS score yet for the vulnerability, you can still assess it with Adaptive Security right away.

 

Let me show you how you can use the Rapid7 Critical vulnerability category in Automated Actions.

 

Screen Shot 2016-04-18 at 11.18.00 AM.png

As you can see in the example above, you just create a new Automated Action and select only one filter*: Vulnerability Category is Rapid7 Critical. This Automated Action will ensure that Nexpose initiates a scan for the high-risk vulnerability even though the vulnerability does not have a CVSS score assigned to it yet.

 

If you already have an Automated Action similar to the first example in this blog post which uses CVSS score as a filter, you should not delete it. The second Automated Action that you created will simply catch those critical vulnerabilities in case there is no CVSS score available yet.

 

As always, feel free to drop us any comments below, or reach out to Rapid7 Support if you have any questions.

* We do not recommend using any other filter along with the Rapid7 Critical vulnerability category filter, to make sure that the Automated Action initiates a scan for all critical vulnerabilities that are marked by Rapid7.

 

Eray Yilmaz

Sr. Product Manager

Update Tuesday, April 2016

Posted by anowak Employee Apr 12, 2016

April continues a long-running trend with Microsoft where the majority of bulletins (9) address remote code execution (RCE) vulnerabilities; the remaining address elevation of privilege (2), security feature bypass and denial of service (DoS). All critical bulletins are remote code execution issues affecting a variety of products and platforms including Adobe Flash Player, Edge, Internet Explorer, .NET Framework, Office, Office Services and Web Apps, Skype for Business, Lync and Windows (client and server).

 

Looking back at the last 12 months of security bulletins, a resounding trend emerges: the majority of these bulletins address remote code execution vulnerabilities. Microsoft is unable to permanently address these vulnerabilities, which predominantly affect consumer applications such as Edge, Internet Explorer, Microsoft Office and .NET. Unfortunately, this leads to one of the single largest attack vectors, consumers/end-users. Fortunately, Microsoft actively works on resolving these issues as witnessed in the overwhelming number of critical RCE bulletins.

 

This month Microsoft resolves 29 vulnerabilities across 13 bulletins, with MS16-037, MS16-038, MS16-039 and MS16-042 as the bulletins to watch out for, addressing 19 vulnerabilities. Users should pay particular attention to MS16-039 - Security Update for Microsoft Graphics Component, as this bulletin resolves two vulnerabilities that are known to have been exploited (CVE-2016-0165 and CVE-2016-0167). Microsoft has also provided a resolution to the named vulnerability Badlock (CVE-2016-2118), addressed in MS16-047 - Security Update for SAM and LSAD Remote Protocols. Since a wide range of products are affected this month, all Microsoft users should be on alert.

 

Users should be wary of untrusted sources, as maliciously crafted content could allow an attacker to remotely execute code in order to gain the same rights as your user account. Your best protection against these threats is to patch as quickly as possible. Administrators, be sure to review this month’s bulletins and, in accordance with your specific configuration, prioritize your deployment of this month’s updates. At a minimum, ensure that systems affected by critical bulletins are patched.

 

Resolved Vulnerability Reference:

Since I started working on Rapid7’s Information Security team, I’ve had firsthand experience with what is arguably the hardest part of vulnerability management: Creating and updating a complete inventory of your assets and their vulnerabilities. While you’ll never be able to achieve perfection in this regard, Adaptive Security in Nexpose makes it significantly easier for InfoSec teams to improve their current vulnerability management program with automation and orchestration.

 

For my team, Adaptive Security’s “New Asset” and “Known Asset” triggers provide us new ways to get up-to-date vulnerability data about remote assets that rarely connect to our corporate networks. While experimenting with these triggers in my Adaptive Security workflows, I’ve come up with some optimal ways to deploy them that I figured would be worth sharing with our customers.

 

Optimization Prerequisites

You might not have all of these prerequisites in place (e.g., Scan Engines dedicated for Adaptive Security scans), but hopefully being able to use some of them will put you and your team in a better position to leverage Adaptive Security’s New Asset and Known Asset triggers.

 

Create Discovery Connections

This is necessary for Adaptive Security to use asset-based Triggers. For this blog post I’ll be focusing on use cases involving DHCP Dynamic Discovery.

 

Enable Asset Linking

When known assets come back online after being disconnected from your corporate network for a while, they’ll likely have had different IP addresses over time. Asset Linking allows you to maintain one record for an asset that has multiple IP addresses assigned to it throughout its lifecycle on your corporate network.

 

Create new Static Sites dedicated to Adaptive Security scans

Think about this scenario: you have multiple employees that regularly travel to remote offices. You also have Static Sites for each remote office that run on a regular schedule. If you use Adaptive Security’s “Known asset” Trigger with the “add to site and scan” Action, and you use your existing Static Sites, you run the risk of cluttering your Static Sites with these traveling assets. The next time your Static Site’s scan runs, it will try to scan assets that Adaptive Security added to the Static Site Asset scope. Chances are those assets aren’t actually in that Site anymore, so your Engine will be wasting precious time and resources.

 


These dedicated Sites also give you the ability to see Adaptive Security’s historical scan activity. Likewise, it provides opportunities for automatically tagging assets that Adaptive Security has scanned.

 

Use Scan Engines dedicated to Adaptive Security scans

This might be the hardest prerequisite to fulfill, but it helps make sure Adaptive Security doesn’t overload an existing scan engine that’s running a scheduled scan, thus minimizing scan failures.

 

Here’s an example of Site Configuration details for Static Sites dedicated to Adaptive Security “Known Assets” scanning:

  • Name: Austin DHCP – Known Assets (AS)
  • Custom Tags: Stale
    For the “Known Assets” use case, I use this tag to get an idea of which assets don’t touch our corporate network frequently, to make sure they receive patches and updated security configurations from our patch management solution in a timely fashion.
  • Assets: 127.0.0.1
    When defining these dedicated sites, you need to put in an IP address so the Site can be saved. Since we won’t be running this site on a recurring schedule, put in a “dummy” IP. It’s better to put in 127.0.0.1 in case you or another Nexpose admin ever “accidentally” clicks the “Scan Now” button for the site. Here's an example: Screen Shot 2016-04-06 at 12.58.28 PM.png
  • Engines: Austin (Adaptive Security)
  • Schedule: None
    Since Adaptive Security will be adding assets individually to the Site configuration and then automatically initiating scans of those individual assets, we don’t need the Site to ever be scanned on a schedule.

 

And here’s an example of the Automated Action details for “Known Assets” scanning:

Screen Shot 2016-04-06 at 12.57.22 PM.png

 

Hopefully this helps you and your team improve your vulnerability management programs. I’m interested to see if anyone else finds this useful or has other tips to make these use cases work better, so please leave your comments and feedback below.

With Nexpose, you can assess your network for secure configurations at the same time as vulnerabilities, giving you a unified view of your risk and compliance posture. The latest version of Nexpose focuses on making it easier to understand how well you’re doing and the actions to take to improve overall compliance.

 

Starting with Nexpose 6.2.0, users now have access to two brand new policy reports that help you take control of your compliance program and focus on what is important.

 

The first report is the Policy Rule Breakdown Report, which provides a rule-by-rule breakdown of a policy for each asset. This allows you to understand which rules have passed and which have failed, giving you a high-level view of how compliant each of your assets is and which rules to focus on.

 

rulebreakdownsmall.jpg

 

The second report is the Top Compliance Remediations Report, which provides a prioritized list of remediations to help you drive your compliance program. This list is prioritized based on the actions that will have the greatest impact in improving overall compliance across all your assets.

 

topcomplianceremediationssmall.jpg

By default, this report will show the Top 25 Remediations prioritized by Nexpose, but you can change this to a number that meets your needs. In the sample report above, remediating all of the identified issues will increase overall compliance by 12% within the scope of the report. You’ll notice that in this example the top 25 issues are identified based on 671 rules across 10 assets, which is the scope of this particular report. All of this information is rule driven, with a detailed breakdown of how remediating specific rules will impact your overall compliance score. As you work through the remediation efforts identified, you can expect to see these numbers get smaller and smaller.

As most, if not all, current Intel Security customers are aware, Intel has announced the End-of-Life of the McAfee Vulnerability Manager, a.k.a. MVM. Coupled with that announcement, Intel also announced that it has partnered with Rapid7 and is recommending that current and future Intel Security customers leverage Rapid7's Nexpose to fill their vulnerability and threat exposure management needs.

 

To aid in the transition from MVM to Nexpose, Rapid7 has developed a Migration Toolkit. The Toolkit contains documentation to walk a customer through typical pre-deployment/deployment tasks, pre-migration tasks, migration tasks, and post-migration tasks.

 

Screen Shot 2016-04-01 at 1.59.36 PM.png

You may download the Migration Related Documentation from the community at:

https://community.rapid7.com/docs/DOC-3375

 

The Migration Toolkit also contains a set of utility scripts to export relevant configuration and data from MVM and import it into Nexpose.

The Migration Utility will migrate the following:

  • Scan Configurations; including included and excluded assets, and scan schedule
  • Asset Groups and associated assets
  • Asset Tags applied to assets; including criticality, owner and custom tags
  • Asset Inventory; including IP address, host name, OS, discovered ports and services
  • Scan Credentials (i.e. Credential Sets)
  • Users

 

Example:

Exporting of MVM Scan Configurations:

Screen Shot 2016-04-01 at 2.14.13 PM.png

Importing of Scan Configurations into Nexpose:

Screen Shot 2016-04-01 at 2.13.30 PM.png

 

The Migration Utility is free to MVM customers that have purchased Nexpose, and is available as a virtual machine for simple setup, configuration and migration. If you are a former MVM customer and are moving to Nexpose, ask your Account Executive or Customer Success Manager about obtaining the Migration Utility. If you purchased Deployment Services, your Global Services Project Manager will advise you where to download the latest Migration Utility.

As we have reached out to customers for feedback on Adaptive Security use cases (see: Adaptive Security Overview for details on this feature), we have found that many customers would like to control the outcome of the “New Asset discovered” trigger. They want to be able to do more than just kick off a scan: some have restrictions as to when they can scan, and some don’t scan everything that comes out of DHCP (or another dynamic source of assets), because for some networks they do spot checking and don’t want to scan everything.

 

The video below illustrates the usage of Adaptive Security’s “New Asset Discovered” trigger and how to pick the actions taken when new assets are added to your environment. The video shows that you can do multiple things in response to the trigger:

  • Add the assets to a site and scan them
  • Add the assets to a site without scanning them right away
  • Add assets that meet a certain rule (e.g. IP range 10.1.0.0 - 10.1.255.255) to a site and scan them, while assets that meet another rule (e.g. IP range 10.2.0.0 - 10.2.255.255) are added to the site but not immediately scanned.

 

The video shows how a Dynamic Site based on a DHCP connection differs from a Static Site with Automated Actions for newly discovered assets. Furthermore, the video explains that you have full control of your scanning windows: a “New Asset Discovered” trigger firing does not mean you have to scan the asset right away. Also, blackouts, both site-level and global, are ALWAYS respected by the Adaptive Security feature; therefore, if a trigger that starts a scan fires during a blackout, the scan will be held/queued until the blackout is over and then started.

 

I hope you enjoy the video and can put these concepts into practice to further automate the Vulnerability Management program at your organization.

Introduction

 

DROWN is a cross-protocol attack against OpenSSL. The attack uses export cipher suites and SSLv2 to decrypt TLS sessions. SSLv2 was developed by Netscape and released in February 1995. Because it contained a number of security flaws, the protocol was completely redesigned and SSLv3 was released in 1996. Even though SSLv2 was declared obsolete over 20 years ago, there are still servers supporting the protocol. What’s both fascinating and devastating about the DROWN attack is that servers not supporting SSLv2 can also be vulnerable if they use the same RSA key as a server that does support SSLv2. Since SSL/TLS is application agnostic, it is possible to decrypt HTTPS traffic between clients and a server that doesn’t support SSLv2 if it’s using the same RSA key as, for example, an email server that supports SSLv2.

 

We have implemented a DROWN vulnerability check in Nexpose to detect if an endpoint is vulnerable to the attack by allowing SSLv2 connections. The check has the Nexpose ID ssl-cve-2016-0800. To find other services that don’t support SSLv2 but are also vulnerable to DROWN as they are using the same RSA key as a vulnerable endpoint, we need to use the power of all the data collected by Nexpose during a scan.

 

 

Generate a report of vulnerable endpoints

 

After a scan of our site, we can see that we have 44 instances of the vulnerability.

drown1.png


drown2.png

 

The report is generated by selecting SQL Query Export as the report template and pasting in the SQL query built in the next section. This gives us a CSV file of the exported data, which shows that we actually have 70 endpoints affected by DROWN: more than the 44 direct findings, because the query also includes endpoints that merely share a certificate with a vulnerable one.

drown3.png

 

Generate the SQL Query

 

There are a few steps we have to complete to generate our DROWN report. First, we need to get the vulnerability ID used by Nexpose internally. We can get the ID from the dim_vulnerability table using the Nexpose ID.

 

SELECT vulnerability_id
      FROM dim_vulnerability
      WHERE nexpose_id = 'ssl-cve-2016-0800'

 

Now that we have the vulnerability ID, we need to find all the vulnerable assets and get their certificate fingerprints. The certificate fingerprint is stored in the table dim_asset_service_configuration, and all the vulnerability instances for an asset are stored in the table fact_asset_vulnerability_instance. We make sure we only collect certificate fingerprints from the vulnerable endpoints by matching the port of the vulnerability instance against the port of the service configuration, since an asset can run several SSL/TLS services with different certificates.

 

-- Fingerprints of certificates presented on ports where the DROWN check fired.
-- The join on asset_id alone is not enough: the port must match as well.
SELECT dasc.value
  FROM dim_asset_service_configuration dasc
  JOIN fact_asset_vulnerability_instance favi USING (asset_id)
 WHERE favi.vulnerability_id = (SELECT vulnerability_id
                                  FROM dim_vulnerability
                                 WHERE nexpose_id = 'ssl-cve-2016-0800')
   AND dasc.name = 'ssl.cert.sha1.fingerprint'
   AND dasc.port = favi.port

Finally, we put it all together and select every asset and port that presents one of the vulnerable certificates, whether or not SSLv2 is enabled on that port:

 

WITH
   -- internal ID of the DROWN check
   drown_vulnerability AS (
      SELECT vulnerability_id
      FROM dim_vulnerability
      WHERE nexpose_id = 'ssl-cve-2016-0800'
   )
SELECT da.ip_address, dasc.port, dasc.value
FROM dim_asset_service_configuration dasc
   JOIN dim_asset da USING (asset_id)
WHERE dasc.name = 'ssl.cert.sha1.fingerprint'   -- compare fingerprints with fingerprints only
  AND dasc.value IN (
   -- fingerprints seen on ports where SSLv2 was detected
   SELECT dasc.value
   FROM dim_asset_service_configuration dasc
      JOIN fact_asset_vulnerability_instance favi USING (asset_id)
   WHERE favi.vulnerability_id = (SELECT vulnerability_id FROM drown_vulnerability)
     AND dasc.name = 'ssl.cert.sha1.fingerprint'
     AND dasc.port = favi.port)
ORDER BY dasc.value, da.ip_address, dasc.port
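The query above lists every endpoint that presents an exposed certificate, but it does not say which of those endpoints have SSLv2 enabled themselves and which are only exposed through key reuse, which is the first thing you want to know when planning remediation. The following query, an added example rather than code from the original post, extends it to classify each endpoint as "direct" or "shared-key", count how many SSLv2-enabled endpoints serve the same certificate, and name one of them. It assumes only the Nexpose reporting data model tables and columns already used above (dim_vulnerability, dim_asset, dim_asset_service_configuration, fact_asset_vulnerability_instance).

```sql
-- Added example, not from the original post. Uses the same reporting data
-- model tables as the queries above; no other tables or columns are assumed.
WITH drown_vulnerability AS (
   SELECT vulnerability_id
   FROM dim_vulnerability
   WHERE nexpose_id = 'ssl-cve-2016-0800'
),
-- every (asset, port) on which Nexpose recorded a certificate fingerprint
cert_endpoints AS (
   SELECT dasc.asset_id, dasc.port, dasc.value AS fingerprint
   FROM dim_asset_service_configuration dasc
   WHERE dasc.name = 'ssl.cert.sha1.fingerprint'
),
-- the subset of those endpoints on which the SSLv2 (DROWN) check fired
sslv2_endpoints AS (
   SELECT DISTINCT ce.asset_id, ce.port, ce.fingerprint
   FROM cert_endpoints ce
      JOIN fact_asset_vulnerability_instance favi
         ON favi.asset_id = ce.asset_id AND favi.port = ce.port
   WHERE favi.vulnerability_id = (SELECT vulnerability_id FROM drown_vulnerability)
),
-- how many SSLv2 endpoints serve each exposed certificate, plus one to cite
exposed_keys AS (
   SELECT fingerprint,
          COUNT(*)      AS sslv2_endpoint_count,
          MIN(asset_id) AS example_sslv2_asset_id
   FROM sslv2_endpoints
   GROUP BY fingerprint
)
SELECT da.ip_address,
       ce.port,
       ce.fingerprint,
       -- 'direct': SSLv2 is enabled on this very port
       -- 'shared-key': SSLv2 is off here, but the key is served by an SSLv2 endpoint
       CASE WHEN se.asset_id IS NULL THEN 'shared-key' ELSE 'direct' END AS exposure,
       ek.sslv2_endpoint_count,
       ex.ip_address AS sslv2_endpoint_example
FROM cert_endpoints ce
   JOIN exposed_keys ek USING (fingerprint)
   JOIN dim_asset da ON da.asset_id = ce.asset_id
   JOIN dim_asset ex ON ex.asset_id = ek.example_sslv2_asset_id
   LEFT JOIN sslv2_endpoints se
      ON se.asset_id = ce.asset_id AND se.port = ce.port
ORDER BY exposure DESC, ce.fingerprint, da.ip_address, ce.port;
```

Paste it into a SQL Query Export report the same way as the query above. The "shared-key" rows sort first: those are the endpoints that would pass a plain SSLv2 check yet still need a new key, and the sslv2_endpoint_example column tells you which server to disable SSLv2 on. One caveat applies to both this query and the original one: they match on the certificate's SHA-1 fingerprint, so a private key that was reused inside a different certificate (for example a re-issued certificate with the same key) will not be matched. Any endpoint whose key is known to be shared with an SSLv2 server should get a new key regardless of what this report shows.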

Remediation steps

 

Start by disabling SSLv2 on the endpoints which have it enabled, then generate new certificates with a new private key for every affected endpoint. Disabling SSLv2 alone is not enough: the existing key may already have been exposed, and any other endpoint that shares it stays vulnerable as long as any SSLv2 server still serves that key.

Have you ever run a Nexpose scan and had the wrong operating system identified for an asset? Perhaps the incorrect TCP/IP stack fingerprint was used, or you scanned an embedded device we haven't seen before. The March 9th release of Nexpose (6.1.14) has a new feature that allows you to easily report such fingerprinting errors to Rapid7 and helps us improve fingerprinting accuracy. No need to open a support ticket!

 

A new feedback button (circled below), available on the Asset detail page next to the OS, will open a dialog with fields to correct the vendor, OS, and/or version:

asset_detail with dialog.png

 

The vendor and OS fields will autocomplete products we already know about, so once you begin typing you can choose a suggestion from the drop-down that appears:

autocomplete.png

 

We recommend that you use these suggestions if an appropriate one is shown. This will help reduce inconsistencies in submitted reports, allowing us to more effectively analyze them and correct Nexpose's fingerprinting behaviour.

 

Clicking "Send Now" will transfer the most recent scan log for the misfingerprinted asset to Rapid7 (for context), along with the corrections provided in the dialog. Feel free to close the dialog at any time after this; the information will continue to be sent in the background. If you want to be notified when the information has successfully been sent, keep the dialog open until the confirmation message is shown:

thank you.png

 

We strive to have the most accurate fingerprinting possible in Nexpose, so your reports are greatly appreciated!


Update Tuesday, March 2016

Posted by anowak Employee Mar 8, 2016

March continues this quarter’s trend with the majority of bulletins (8) addressing remote code execution (RCE) vulnerabilities; the remaining address elevation of privilege (4) and security feature bypass. All of the critical bulletins are remote code execution issues affecting a variety of products and platforms including Edge, Internet Explorer, Office, Office for Mac, Office Web Apps, SharePoint and releases of Microsoft Windows (Client and Server).

 

This month Microsoft resolves 39 vulnerabilities across 13 bulletins, with MS16-023, MS16-024, MS16-028, MS16-029 and MS16-034 as the bulletins to watch out for; together they address 28 vulnerabilities. Since a wide range of products is affected this month, almost all Microsoft users should be alert. Fortunately, at this time no vulnerabilities are known to have been exploited in the wild.

 

Users should be wary of untrusted sources, as maliciously crafted content could allow an attacker to execute code remotely and gain the same rights as the user account. The best protection against these threats is to patch as quickly as possible. Administrators, be sure to review this month's bulletins and, in accordance with your specific configuration, prioritize deployment of this month's updates. At a minimum, patch the systems affected by the critical bulletins.

 

Resolved Vulnerability Reference:

 

Rapid7’s Nexpose just became the first Threat Exposure Management solution to complete AWS’ new rigorous pre-authorized scanning certification process!

 

Normally, a customer must request permission from AWS support to perform vulnerability scans. This request must be made for each vulnerability scan engine or penetration testing tool and renewed every 90 days. The new pre-authorized Nexpose scan engine streamlines the process. When a pre-authorized scan engine is launched from the AWS Marketplace, permission is instantly granted.

 

This AWS certification effort is a proof point of our continued dedication to securing organizations’ data and reducing their risk, and to ensuring our solutions address real customer needs and market trends.

 

Cloud is increasingly an essential part of the today’s modern business networks and an area in which our customers invest. In October 2015 IDC reported that spend on public cloud IT infrastructure was on track to increase by 29.6% year over year, totaling $20.5 billion(1).

 

The new AWS certification underscores our commitment to ease of use and gives customers with assets in AWS the same level of security and experience as an on-premises deployment.

 

Organizations can easily gain visibility of their entire attack surface, regardless of where an asset sits. The new Nexpose certification means that customers can simply use our pre-authorized AMI to scan their AWS assets without the authorization requests required for non-authorized solutions.

 

Learn more:

 

(1) IDC’s Worldwide Quarterly Cloud IT Infrastructure Tracker, October 2015.

Rapid7 is excited to announce that you can now find a Nexpose Scan Engine AMI on the Amazon Web Services Marketplace making it simple to deploy a pre-authorized Nexpose Scan Engine from the AWS Marketplace to scan your AWS assets!

 

What is an AMI ?

An Amazon Machine Image (AMI) allows you to launch a virtual server in the cloud. This means you can deploy Nexpose Scan Engines via the Amazon marketplace without having to go through the process of configuring and installing it yourself.

 

What are the benefits ?

The Marketplace includes a specially configured Nexpose Scan Engine that is pre-authorized for scanning AWS assets. This gives Rapid7 customers the ability to scan AWS assets immediately, or on a recurring schedule, without having to contact Amazon in advance for permission, a process that can take a number of days. Using a Nexpose Scan Engine deployed within the AWS network also allows you to scan private IP addresses and collect information that may not be reachable via public IP addresses (such as internal databases). Additionally, scanning private IPs eliminates the need to pay for Elastic IPs.

 

How do I deploy a pre-authorized Scan Engine ?

Current Nexpose customers can deploy the pre-authorized Nexpose Scan Engine as a remote scan engine for scanning AWS assets only.  When creating your AWS discovery connection simply check the box denoting that your scan engine is in the AWS network.

aws_scanengine.PNG

You'll need a set of IAM credentials with permission to list assets in your AWS account. A minimal IAM policy to allow this looks like the one below. It grants read-only enumeration only; the three Describe actions do not support resource-level restrictions, which is why "Resource" has to be "*".

{
  "Version": "2012-10-17",
  "Statement": [{
      "Sid": "NexposeScanEngine",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeImages",
        "ec2:DescribeAddresses"
      ],
      "Resource": [ "*" ]
  }]
}

 

The pre-authorized scan engine must use the "engine-to-console" communication direction. This means the Scan Engine initiates the connection to the Nexpose Console, so no inbound access to the engine from your network is required. Preparing your Nexpose Console to pair with a pre-authorized Scan Engine is simple:

  1. Ensure the pre-authorized Scan Engine can communicate with your Nexpose Console on port 40815.  You may need to open a firewall port to allow this.
  2. Generate a temporary shared secret on your console.  This is used to authorize the Scan Engine.  A shared secret can be generated from the Administration -> Scan Options -> Engines -> manage screen.  Scroll to the bottom and use the Generate button.  Keep this page open, you'll need the secret when launching your Scan Engine.
    shared-secret.png

Now you are ready to deploy your pre-authorized Nexpose Scan Engine.  Sign into your AWS console and navigate to the Nexpose Scan Engine (Pre-authorized) AWS Marketplace listing.  You must use EC2 user data to tell your engine how to pair with your console.  Follow these steps to launch the engine:

  1. Click Continue on the AWS Marketplace listing.
  2. Accept the terms using the Accept Software Terms button.
  3. It can take up to 10 minutes for Amazon to process your request.  You'll receive an email from Amazon when you can launch the AMI.
  4. After you receive the email, refresh the marketplace page.  You should see several blue "Launch with EC2 Console" buttons.
  5. Click the Launch with EC2 Console button in your desired AWS region.
  6. Proceed with the normal process of launching an EC2 instance.  When you get to the Instance Details screen, expand the Advanced Details section.  Provide the following EC2 user data.  Replace the bracketed sections with information about your Nexpose Console:
    NEXPOSE_CONSOLE_HOST=<hostname or ip of your console>
    NEXPOSE_CONSOLE_PORT=40815
    NEXPOSE_CONSOLE_SECRET=<shared secret generated earlier>
  7. Finish launching the EC2 instance.
  8. Once the instance boots, it can take 10-15 minutes to pair with the console.
  9. Verify the engine pairs with the console via the engine listing in the console (Administration -> Scan Options -> Engines -> manage).

 

With this one-time configuration set, you can create a schedule to scan your AWS assets.
