Nexpose

InsightVM customers can now choose to store their InsightVM data in Japan. At Rapid7, we enable customers to comply with policies and preferences by selecting the region where their data is transmitted, processed, and stored. We're excited to announce that Japan joins our existing data centers in the United States and Germany as an option for InsightVM data.

 

When enabling InsightVM cloud features for the first time, customers will see a dialog where they can select which region should store their data.

Each cloud region is isolated from the others. We'll never process or move your data outside of the region you select unless you direct us to do so. For more details on how we manage your data, see rapid7.com/trust.

 

If you select Japan, we'll host your data in multiple data centers in Tokyo. All regions are secured by the same rigorous security processes, and each region fully supports all InsightVM features, so you can pick the location that makes the most sense for you.

 

Localization

In addition to hosting in Japan, InsightVM in all regions is localized in English, Korean, Chinese (Traditional), Chinese (Simplified), and Japanese. Currently, over 80% of CVE vulnerability descriptions are localized in Japanese, and we're working to localize more content every day.

 

To learn more...

 

Want a free 30-day trial of InsightVM? Get it here.

Patch Tuesday - July 2017

Posted by Greg Wiseman, Jul 12, 2017

Most of the critical vulnerabilities patched this month concern client-side systems, with 14 separate Remote Code Execution (RCE) issues being addressed for the Microsoft Edge browser and five for Internet Explorer. One of the three Adobe Flash Player vulnerabilities being patched is also a critical RCE bug (CVE-2017-3099). Of the 54 Microsoft CVEs addressed, 33 relate to Edge and 14 to Internet Explorer.

 

Browser-based RCE vulnerabilities are a significant attack vector, but they typically require some degree of social engineering to convince the user to visit a malicious web page. Similarly, for most Microsoft Office bugs (eight CVEs this month), users need to be tricked into opening attachments. More concerning are RCE vulnerabilities that do not require any user interaction: exploits for these can be weaponized to spread malware quickly, as we've seen with the recent ransomware outbreaks.

 

This month, Microsoft has fixed CVE-2017-8589, a critical RCE vulnerability that could allow an attacker to take full control of a system by sending specially crafted messages to the Windows Search service. This typically requires access to the target computer. However, in an enterprise setting, it is possible for a remote, unauthenticated actor to trigger the vulnerability via an SMB connection. Fixes for CVE-2017-8589 have been released for all supported versions of Windows, so server administrators aren't off the hook for patching. There is also CVE-2017-8501, which affects SharePoint Enterprise Server 2013.

 

One final point of interest: last month, Microsoft released a fix for CVE-2017-8529 (a browser information disclosure vulnerability whereby an attacker can detect specific files on the user's computer) that broke the printing functionality in Internet Explorer and Edge for some users. Over the next two weeks they released various updates to resolve the printing issue, which ultimately removed the protection against CVE-2017-8529. Microsoft has still not been able to resolve the security issue without reintroducing the printing bug, and customers who take automatic updates will still be vulnerable. As of this writing, the only way to be protected is to have applied the June updates and no others (which is not recommended). The severity of CVE-2017-8529 is considered low (on server systems) to moderate (otherwise). If it is of concern, for example on particularly sensitive systems, a workaround would be to use a different web browser until this vulnerability is correctly patched.

When Nexpose launched in the early 2000s, technology was vastly different from the world we live in today: most people connected to the internet over dial-up modems, personal computers were shared within the household, and televisions were still set-top boxes. Technology has evolved dramatically since then, and Rapid7’s vulnerability management solutions have evolved to meet the needs of security professionals tasked with maintaining the corporate environment of today, including most recently the launch of InsightVM.

 

As I’m sure most people reading this article have experienced, the number of assets connected to the corporate network has grown exponentially in recent years to include such devices as televisions, cameras, and even IP phones. In the following video, you will learn how to manage and maintain an accurate asset count in your environment - as well as how to avoid scanning certain devices that may not be relevant to your vulnerability management practices.

 

Today we’re sharing an update to Remediation Workflow Ticketing capabilities. We are pleased to announce that Remediation Workflow in InsightVM now integrates with ServiceNow. One of the main benefits of Remediation Workflow Ticketing is improved collaboration between security and remediation teams: strategically scoped work items are fed seamlessly into existing IT workflows. With this most recent update, you can extend the reach of Remediation Workflow to collaborate with teams using ServiceNow.

 

 

Many of our customers are security teams that interface with multiple IT or remediating groups, each of which uses their own workflow tools. In order to drive more effective remediations across their organizations, security teams need to:

  • Deliver the right message to IT, with solution-centric tickets
  • Automate assigning tickets to the right owners
  • Simply and easily track progress in the system of your choice

 

This new capability will help you improve the efficiency of your remediation workflow.

 

To learn more...

InsightVM users can go to Remediation Workflow today and configure a ticketing connection with ServiceNow. As with the JIRA integration, users can leverage Remediation Workflow’s powerful templates to automatically add just the right amount of security context to tickets, as well as automate ticket assignments via rules.

Here are a few resources to check out:

 

Rapid7 offers multiple ways to integrate with ServiceNow. If Remediation Workflow Ticketing isn't to your fancy, take a look at our Ruby Gem integration and our ServiceNow App in the ServiceNow Store.

 

Want a free 30-day trial of InsightVM? Get it here.

A Petya-like ransomworm struck on June 27th 2017 and spread throughout the day, affecting organizations in several European countries and the US. It is believed that the ransomworm may achieve its initial infection via a malicious document attached to a phishing email, and that it then leverages the EternalBlue and DoublePulsar exploits to spread laterally. Once in place, it takes control of a system and encrypts files. As a reminder, EternalBlue was leveraged for WannaCry as well, so we cannot stress enough the importance of patching against MS17-010 vulnerabilities.

 

For the latest updates on this ransomworm, please see Rapid7’s recommended actions.

 

To help customers understand their risk, we are sharing steps to create a targeted scan, dynamic asset group, and remediation project for identifying and fixing vulnerabilities; we will update as more information becomes available on other CVEs that may be used to spread the worm. As always, you can contact Rapid7 Support and your CSM with any questions, and if you haven’t done so already, download a trial of InsightVM here.

 

Creating a Scan Template

The step-by-step guide to create an InsightVM/Nexpose scan template specifically to look for MS17-010 is as follows:

1. Under the Administration tab, go to Templates > Manage Templates.

2. Copy the following template: Full Audit without Web Spider. Don't forget to give your copy a name and description.

3. First uncheck "Policies". Then click on Vulnerability Checks and then "By Individual Checks".

4. Add Check “MS17-010” and click Save.

This should return checks that are related to MS17-010. The related CVEs are:

  • CVE-2017-0143
  • CVE-2017-0144
  • CVE-2017-0145
  • CVE-2017-0146
  • CVE-2017-0147
  • CVE-2017-0148

5. Save the template and run a scan to identify all assets with MS17-010.

 

Creating a Dynamic Asset Group

Now that you have scanned your assets, you may want to create a Dynamic Asset Group for reporting and tagging, which will update whenever new assets are found with this vulnerability (and when they are fixed). To get started, click on the filter icon in the top right of the InsightVM console, just under the search button.

Now, use the "CVE ID" filter to specify the CVEs listed above.

This asset group can now be used for reporting as well as tagging to quickly identify exposed systems.

 

Creating a Dashboard

Rapid7 will add a pre-built dashboard for the Petya-like ransomworm, like we did with the recent WannaCry and Samba vulnerabilities.

 

Also, check out the new Threat Feed dashboard which contains a view of your assets that are affected by actively targeted vulnerabilities including those leveraged by this ransomworm.

 

If you want to build your own, here’s how you can build a custom dashboard, with examples taken from the Shadow Brokers leak. To find your exposure to MS17-010 vulnerabilities, you could use this Dashboard filter:

 

asset.vulnerability.alternateIds <=> ( altId = "MS17-010" )

 

Creating a SQL Query Export

@00jay kindly posted this handy discussion for details on using the SQL export in InsightVM/Nexpose: WannaCry - Scanning & Reporting.

 

Creating a Remediation Project

In InsightVM, you can also create a remediation project to track the progress of remediation. To do this, go to the “Projects” tab and click “Create a Project”:

 

 

Give the project a name, and under vulnerability filter type in vulnerability.alternateIds.altId CONTAINS "MS17-010"

 

 

Note that this project is going to be dynamic, so it will automatically update as you fix and/or find new instances of this vulnerability.

 

Now, you can give this project a description, and configure who is responsible for remediation, as well as access levels if you wish. If you have JIRA or ServiceNow, you can also configure the automatic ticketing integration between InsightVM and JIRA/ServiceNow to automatically assign tickets to the right folks.

 

Using these steps, you’ll be able to quickly scan for some of the vulnerabilities leveraged by this ransomworm. If you have any questions please don’t hesitate to let us know!

 

For more information and resources on this ransomworm, please visit this page.

After WannaCry hit systems around the world last month, security experts warned that the underlying vulnerabilities that allowed the ransomworm to spread are still unpatched in many environments, rendering those systems vulnerable to other hacking tools from the same toolset. Rapid7’s Project Heisenberg continues to see a high volume of scans and exploit attempts targeting SMB vulnerabilities.

 

DoublePulsar, a backdoor that has infected hundreds of thousands of computers, is one of the most nefarious of these tools: It can not only distribute ransomware but is also able to infect a system’s kernel to gain privileges and steal credentials. Identifying and patching vulnerable systems remains the best way to defend against the DoublePulsar implant. DoublePulsar is often delivered using the EternalBlue exploit package—MS17-010—which is the same vulnerability that gave rise to the widespread WannaCry infections in May. To help customers, we are reiterating the steps we issued for WannaCry on creating a scan, dynamic asset group, and remediation project for identifying and fixing these vulnerabilities. As always, you can contact Rapid7 Support and your CSM with any questions, and if you haven’t done so already, you can download a trial of InsightVM here.

 

Here is the InsightVM/Nexpose step-by-step guide to create a scan template specifically to look for MS17-010:

1. Under the Administration tab, go to Templates > Manage Templates.

2. Copy the following template: Full Audit without Web Spider. Don’t forget to give your copy a name and description; here, we’ll call it “Double Pulsar and WNCRY Scan Template”.

3. Click on Vulnerability Checks and then “By Individual Check”.

4. Add Check "MS17-010" and click Save.

This should come back with 195 checks that are related to MS17-010. The related CVEs are:

  • CVE-2017-0143
  • CVE-2017-0144
  • CVE-2017-0145
  • CVE-2017-0146
  • CVE-2017-0147
  • CVE-2017-0148

5. Save the template and run a scan to identify all assets with MS17-010.

 

Creating a Dynamic Asset Group for MS17-010

Now that you have your assets scanned, you may want to create a Dynamic Asset Group for reporting and tagging, which will update itself whenever new assets are found with this vulnerability (and when they are fixed). To get started, click on the filter icon in the top right of the InsightVM console, just under the search button.

Now, use the "CVE ID" filter to specify the CVEs listed above.

This asset group can now be used for reporting as well as tagging to quickly identify exposed systems.

 

Creating a DoublePulsar/WannaCry Dashboard

Recently, Ken Mizota posted an article on how to build a custom dashboard to track your exposure to exploits from the Shadow Brokers leak. If you already did that, you're good to go! If you wanted to be specific to WannaCry and DoublePulsar, you could use this Dashboard filter:

asset.vulnerability.title CONTAINS "cve-2017-0143" OR asset.vulnerability.title CONTAINS "cve-2017-0144" OR asset.vulnerability.title CONTAINS "cve-2017-0145" OR asset.vulnerability.title CONTAINS "cve-2017-0101" OR asset.vulnerability.title CONTAINS "cve-2017-0146" OR asset.vulnerability.title CONTAINS "cve-2017-0147" OR asset.vulnerability.title CONTAINS "cve-2017-0148"
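To make the Dynamic Asset Group and dashboard filter steps from these two posts concrete, here is an added Python example. It is not Rapid7 code and not the InsightVM query engine: it models dynamic group membership over scan results (membership is recomputed on every result set, so fixed assets drop out), generates the OR-chained title filter from the CVE list so it cannot be mistyped, and parses only the small `field CONTAINS "value" OR ...` subset of the filter syntax that the posts show. The scan results and asset records are constructed sample data, and the grammar subset is inferred from the filters quoted here, not from the full InsightVM dashboard query language.

```python
"""Model of an InsightVM-style dynamic asset group and dashboard filter for MS17-010.

Added example, not Rapid7 code. Only the `field CONTAINS "value"` clauses
joined by OR that the posts show are handled; values containing " OR " are
not supported. All data below is constructed.
"""
import re

# The six CVEs both posts list for MS17-010.
MS17_010_CVES = frozenset({
    "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145",
    "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148",
})

# Constructed sample scan results: asset name -> CVE IDs currently open.
SAMPLE_SCAN = {
    "fileserver01": ["CVE-2017-0144", "CVE-2017-0145"],
    "workstation07": ["CVE-2017-0146"],
    "dbserver02": ["CVE-2016-7255"],  # unrelated finding, must not be grouped
}


def dynamic_asset_group(scan_results, cve_ids=MS17_010_CVES):
    """Return the sorted asset names with any of the given CVEs open.

    Re-running this on each new result set is what makes the group
    'dynamic': an asset leaves the group as soon as its finding is gone.
    """
    group = set()
    for asset, findings in scan_results.items():
        if any(cve.upper() in cve_ids for cve in findings):
            group.add(asset)
    return sorted(group)


def build_title_filter(cve_ids, field="asset.vulnerability.title"):
    """Build the OR-chained dashboard filter from a CVE list.

    Generating the string avoids the hand-typed slips (a missing OR, a
    missing space) that make a long filter invalid.
    """
    return " OR ".join(f'{field} CONTAINS "{cve.lower()}"' for cve in sorted(cve_ids))


_CLAUSE = re.compile(r'^\s*([A-Za-z_][\w.]*)\s+CONTAINS\s+"([^"]*)"\s*$')


def parse_title_filter(expression):
    """Parse `field CONTAINS "value" OR ...` into a list of (field, value).

    Raises ValueError for anything outside that subset; a chain where two
    clauses run together without a surrounding ' OR ' is rejected this way.
    """
    clauses = []
    for part in re.split(r"\s+OR\s+", expression.strip()):
        m = _CLAUSE.match(part)
        if not m:
            raise ValueError(f"malformed clause: {part!r}")
        clauses.append((m.group(1), m.group(2)))
    return clauses


def evaluate_title_filter(expression, asset):
    """True if any clause matches the asset (case-insensitive CONTAINS).

    `asset` maps a field name to the list of strings recorded for it,
    e.g. {"asset.vulnerability.title": ["... (CVE-2017-0144)"]}.
    """
    for field, value in parse_title_filter(expression):
        for text in asset.get(field, []):
            if value.lower() in text.lower():
                return True
    return False


if __name__ == "__main__":
    print("exposed:", dynamic_asset_group(SAMPLE_SCAN))
    print(build_title_filter(MS17_010_CVES))
```

Feed `dynamic_asset_group` the results of each scan to see membership change as assets are patched; pass a deliberately broken filter string to `parse_title_filter` to see why the console rejects it.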

 

Creating a SQL Query Export

@00jay kindly posted this handy discussion for details on using the SQL export in InsightVM/Nexpose: WannaCry - Scanning & Reporting. This will also apply to DoublePulsar.

 

Creating a Remediation Project for MS17-010

In InsightVM, you can also create a remediation project for MS17-010 to track the progress of remediation live. To do this, go to the “Projects” tab and click “Create a Project”:

 

Give the project a name, and under vulnerability filter type in vulnerability.alternateIds <=> ( altId = "ms17-010" )

Note that this project is going to be dynamic, so it will automatically update as you fix and/or find new instances of this vulnerability.

 

Now you can give this project a description and configure who is responsible for remediation, as well as access levels if you wish. If you have JIRA, you can also configure the automatic ticketing integration between InsightVM and JIRA to automatically assign tickets to the right folks.

 

Using these steps, you’ll be able to quickly scan for the vulnerability that enables both WannaCry and DoublePulsar infections. If you have any questions please don’t hesitate to let us know!

 

For more information and resources on DoublePulsar, please visit this page.

Almost every security or IT practitioner is familiar with the ascent and continued dominance of Amazon Web Services (AWS). But you only need to peel back a layer or two to find Microsoft Azure growing its own market share and establishing its position as the most-used, most-likely-to-renew public cloud provider. Azure is a force to be reckoned with. Many organizations benefit from this friendly competition and not only adopt Azure but increasingly use both Azure and AWS.

 

In this context, security teams are often caught on the swinging end of the rope. A small shake at the top of the rope triggers big swings at the bottom. A credit card is all that is needed to spin up new VMs, but as security teams know, the effort to secure the resulting infrastructure is not trivial.

 

Built for modern infrastructure

One way you can keep pace is by using a Rapid7 Scan Engine from the Azure Marketplace. You can make use of a pre-configured Rapid7 Scan Engine within your Azure infrastructure to gain visibility to your VMs from within Azure itself.

 

Another way is to use the Rapid7 Insight Agent on your VM images within Azure. With Agents, you get visibility into your VMs as they spin up.

 

This sounds great in a blog post, but since assets in Microsoft Azure are virtual, they come and go without much fanfare. Remember the bottom-of-the-rope metaphor? You’re there now. Security needs visibility to identify vulnerabilities in infrastructure to get on the path to remediation, but this is complicated by a few questions:

  • Do you know when a VM is spun up? How can you assess risk if the VM appears outside your scan window?
  • Do you know when a VM is decommissioned? Are you reporting on VMs that no longer exist?
  • Do you know what a VM is used for? Is your reporting simply a collection of VMs, or do those VMs mean something to your stakeholders?

 

You might struggle with answering these questions if you employ tools that weren’t designed with the behavior of modern infrastructure in mind.

 

Automatically discover and manage assets in Azure

InsightVM and Nexpose offer a new discovery connection to communicate directly to Microsoft Azure. If you know about our existing discovery connection to AWS you’ll find this familiar, but we’ve added new powers to fit the behavior of modern infrastructure:

  1. Automated discovery: Detect when assets in Azure are spun up and trigger visibility when you need it using Adaptive Security.
  2. Automated cleanup: When VMs are destroyed in Azure, automatically remove them from InsightVM/Nexpose. Keep your inventory clean and your license consumption cleaner.
  3. Automated tag synchronization: Synchronize Azure tags with InsightVM/Nexpose to give meaning to the assets discovered in Azure. Eliminate manual efforts to keep asset tags consistent.

 

Getting started

First, you’ll need to configure Azure to allow InsightVM/Nexpose to communicate with it directly. Follow this step-by-step guide in Azure Resource Manager docs.

 

Specifically, you will need the following pieces of information to set up your connection:

  • Tenant ID
  • Application ID
  • Application Secret key (a.k.a. Authentication Key)

Once you have this information, navigate to Administration > Connections > Create

 

 

Select Microsoft Azure from the dropdown menu. Enter a Connection name, your Tenant ID, Application ID and Application Secret key (a.k.a. Authentication Key).

 

 

Next, we’ll select a Site we want to use to contain the assets discovered from Azure.

 

 

We can control which assets we want to import with Azure tags. Azure uses a <name>:<value> format for tags. If you want to enter multiple tags, use + as a delimiter, e.g., Class:Database+Type:Production.

 

Check Import tags to import all tags from Azure. If you don’t care to import all tags in Azure, you can specify exactly which ones to import. The tags on the VM in Azure will be imported and associated automatically with Assets as they are discovered. When there are changes to tag assignment in Azure, InsightVM/Nexpose will automatically synchronize tag assignments.
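As an added illustration of the tag filter described above (example code written for this page, not Rapid7's connector), here is a Python model of the `<name>:<value>` syntax with `+` as the delimiter, applied to a constructed Azure VM inventory. It compares tag names case-insensitively, which matches Azure's own treatment of tag names, and splits each entry on the first `:` only; how the real connection handles a value containing `:` is not stated in the post, so that choice is an assumption.

```python
"""Azure tag import filter for an InsightVM/Nexpose-style discovery connection.

Added example, not Rapid7 code. Models the syntax the post gives:
<name>:<value>, several tags joined with '+', e.g. Class:Database+Type:Production.
The inventory is constructed sample data.
"""


def parse_tag_filter(spec):
    """Turn 'Class:Database+Type:Production' into {'Class': 'Database', 'Type': 'Production'}.

    Splits each entry on the first ':' only (assumption: values may contain ':').
    Raises ValueError for an entry without ':' or with an empty name, so a
    typo in the filter fails loudly instead of silently importing nothing.
    """
    wanted = {}
    for entry in spec.split("+"):
        entry = entry.strip()
        if not entry:
            continue
        name, sep, value = entry.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"tag must be <name>:<value>, got {entry!r}")
        wanted[name.strip()] = value.strip()
    return wanted


def vm_matches(vm_tags, wanted):
    """True when the VM carries every requested tag with the requested value.

    Tag names are compared case-insensitively (as Azure does); values are
    compared exactly. An empty filter matches every VM.
    """
    lowered = {k.lower(): v for k, v in vm_tags.items()}
    return all(lowered.get(k.lower()) == v for k, v in wanted.items())


def select_vms(inventory, spec):
    """Return the sorted VM names that the filter string would import."""
    wanted = parse_tag_filter(spec)
    return sorted(name for name, tags in inventory.items() if vm_matches(tags, wanted))


# Constructed sample Azure inventory: VM name -> tags as Azure returns them.
SAMPLE_INVENTORY = {
    "vm-db-prod-01": {"Class": "Database", "Type": "Production"},
    "vm-db-dev-02": {"Class": "Database", "Type": "Development"},
    "vm-web-prod-03": {"class": "Web", "type": "Production"},  # lower-case names
}


if __name__ == "__main__":
    print(select_vms(SAMPLE_INVENTORY, "Class:Database+Type:Production"))
```

Run `select_vms` against an export of your own VM tags before saving the connection to confirm the filter selects exactly the machines you expect.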

 

Finally, as part of the synchronization when VMs are destroyed within Azure, the corresponding asset in InsightVM/Nexpose will be deleted automatically, ensuring your view remains as fresh and current as your modern infrastructure.

 

Great success! Now what...?

If you’ve made it this far, you’re at the point where you have your Azure assets synchronized with InsightVM/Nexpose, and you might even have a handful of tags imported. Here are a few ideas to consider when looking to augment your kit:

  1. Create an Azure Liveboard: Use Azure tags as filtering criteria to create a tailored dashboard.
  2. Scan the site or schedule a scan of a subset of the site.
  3. Create Dynamic Asset Groups using tags to subdivide and organize assets.
  4. Create an automated action to trigger a scan on assets that haven't been assessed.

 

All of our innovations are built side-by-side with our customers through the Rapid7 Voice program. Please contact your Rapid7 CSM or sales representative if you're interested in helping us make our products better.

 

Not a customer of ours? Try a free 30-day trial of InsightVM today.

Patch Tuesday - June 2017

Posted by Greg Wiseman, Jun 14, 2017

This month sees another spate of critical fixes from Microsoft, including patches for a number of Remote Code Execution (RCE) vulnerabilities. Two of these are already known to be exploited in the wild (CVE-2017-8543 and CVE-2017-8464). Today's patches are so crucial that Microsoft has once again released fixes for end-of-life operating systems, citing "the elevated risk for destructive cyber attacks at this time," and explicitly calling out the threat of nation-state actors. Updates are available for Windows XP, Windows Vista, Windows 8, and Windows Server 2003. They include fixes for MS17-013 (a Security Bulletin from April), as well as 21 CVEs with impact ranging across RCE, information disclosure, and elevation of privilege. Further details are available in Microsoft's Security Advisory 4025685.

 

This month's updates aren't just about severity, but quantity as well, with 94 separate flaws being patched (compared to 66 last month, and 44 in April). This doesn't even include the nine critical Adobe Flash Player RCE vulnerabilities (see APSB17-17 for details) that are also being fixed today and are rated "Priority 1" (meaning there is a high risk of vulnerable systems being targeted in the wild).

 

Most of the vulnerabilities are for Windows, split evenly between desktop and server flavors. All of the Windows CVEs have a severity of Important or Critical, with the bulk of impact being information disclosure, followed by RCE, privilege escalation, and some security feature bypass vulnerabilities in newer versions of Windows (8.1, 10, Server 2012 R2, and Server 2016).

 

Microsoft Office and Office-related software (e.g. SharePoint, Lync/Skype for Business, and Office Web Apps) also have plenty of vulnerabilities being addressed this month, with thirteen information disclosure vulnerabilities and twelve RCEs between them all. In addition to various RCE vulnerabilities for SharePoint being patched, Microsoft has released a defense-in-depth update for SharePoint Enterprise Server 2013 SP1 and Enterprise Server 2016 that hardens the products without addressing specific vulnerabilities.

 

As usual, web technologies continue to provide additional attack surface. 16 issues with the Edge browser have been patched: 10 RCE, 3 information disclosure and 3 security feature bypass vulnerabilities. Internet Explorer sees 4 RCE and 2 information disclosure bugs being fixed. Last but not least, two critical RCE vulnerabilities in Silverlight have also been patched (CVE-2017-0283 and CVE-2017-8527, each of which also affects several other products).

 

Hopefully you don't have any obsolete operating systems in your environment. But if you do, be sure to apply this month's patches as attackers often see end-of-life systems as low-hanging fruit, and exploits are already out there. Of course, this means supported systems are also at significant risk. Best get patching!

We often hear that security teams are overwhelmed by the number of vulnerabilities in their environments: every day they are finding more than they can fix. It doesn’t help when rating schemes used for prioritization, like the Common Vulnerability Scoring System (CVSS), don’t really work at scale or take the threat landscape into account. How do you know where to focus if your vulnerability management solution shows that you have 10,000+ vulnerabilities with a critical or high severity rating? And when a high profile vulnerability comes along, how do you quickly gain insight into its impact on your organization?

 

Understanding which vulnerabilities are most likely to be exploited by an attacker is critical for effective prioritization. That’s why the RealRisk score used in InsightVM and Nexpose takes into account whether a vulnerability is targeted by a known exploit or malware kit. In addition, the Rapid7 Critical vulnerability category enables security teams to automatically assess the risk posed by critical threats, particularly 0-days that don’t have a CVSS score yet.

 

But given recent events, there is clearly a need for vulnerability-based threat intelligence, as explained in this blog. Rapid7 already gathers and analyzes data on attacker methodology and emerging threats through the Rapid7 Insight platform, Rapid7 Labs' Project Heisenberg Cloud, our Managed Detection and Response team, and the Metasploit community. We want to make all this data available to our customers to help them better understand their exposure to the constantly changing threat landscape, but in a way that adds real value and not just noise.

 

Introducing the Rapid7 Threat Feed in InsightVM

The Rapid7 Threat Feed is a live, curated feed of vulnerabilities being actively exploited by attackers in the wild; these are the most dangerous vulnerabilities and should be addressed immediately. The feed combines data collected by our Heisenberg honeypots and incident response activity with information from trusted third parties:

 

Source         Description
Heisenberg     Attacks detected by Rapid7 Labs' modern honeypot framework
IR Activity    Confirmed incidents from Rapid7's Managed Detection and Response team
FBI            Information shared as part of the FBI's private sector partnership
InfoSharing    Information shared from a trusted partner tracking this threat
Open Source    Publicly available information

 

In addition to actively monitoring and curating the feed, the Rapid7 Threat Intelligence team adds important context such as threat vector and actor information so you can see how relevant a threat is to your organization.

 

 

Visualizing Threats in Your Environment

But just having information is not enough; it needs to be combined with context about your organization’s environment to make it actionable. We added a new Threat Feed Dashboard template that makes it easy for you to see how exposed your organization is to active threats and where you need to focus to reduce the likelihood of an attack. This dashboard includes information such as the percentage of assets or vulnerabilities in your environment that can be exploited by a novice, the most commonly exploited vulnerabilities, and common exploits and malware kits.

 

 

Specifically, there are two new dashboard cards that leverage the Rapid7 Threat Feed. The Most Common Actively Targeted Vulnerabilities card shows you the most prevalent active threats in your environment. Clicking on this card gives a full list of actively exploited vulnerabilities on your network, which you can drill into for the Rapid7 Threat Feed details. The Assets with Actively Targeted Vulnerabilities card shows you the total number of assets on your network that are affected by active threats and which assets you need to prioritize for remediation.

 

 

Remediating Threats in Your Environment

Finding the most dangerous vulnerabilities in your environment is only half the job—next you need to actually fix them. Clicking on the Assets with Actively Targeted Vulnerabilities card gives a full list of affected assets, which can be added to a Static Remediation Project for driving action. With Remediation Workflow, you can create and assign tickets automatically, provide relevant and actionable information, and track progress from start to finish.

 

 

If you’re an existing InsightVM customer (or haven't upgraded yet and are still using Nexpose Now), you can get started with the Rapid7 Threat Feed by creating a new Threat Feed Dashboard or adding the new cards in the Threat Feed category to an existing dashboard. If you’re not an existing InsightVM customer, you can sign up for a free 30-day trial.

Do you want to see your WannaCry vulns all in one dashboard in Splunk? We've got you covered.

 

 

Before you start, make sure you have these two apps installed in Splunk:

Steps

1. Follow the directions in this blog post to create a custom scan template.

2. Scan your targets with the scan template as shown in the blog above.

3. Create a Dynamic Asset Group (DAG) containing the 8 CVEs (as shown in the blog post). In this example I called the Asset Group “Wannacry Assets.”

4. Create a Site in InsightVM or Nexpose; for Assets, use Asset Groups and select the DAG you just made.

5. Let the InsightVM or Nexpose to Splunk sync occur (this happens at 4am by default).

6. Use the Filter on the Rapid7 Dashboard to pick that site. In this example I called the Site "Wannacry".

And there you have it: a dashboard of your WannaCry vulns in Splunk, as found by Nexpose or InsightVM. You can also export the dashboard as a PDF report if you would like to share it. Not a customer of ours? Download a free trial of InsightVM to get started.

 

If you're a Splunk customer concerned about security, we can help. InsightIDR, our incident detection and response solution, uses your existing data sources—including Splunk—to identify stealthy attacks and prioritize risk across your environment. Discover how InsightIDR can help your team solve multiple security use cases without worrying about rising data costs or maintaining custom rules and queries. Take an interactive product tour.

By now, if you're reading this blog, you probably have read about WannaCry. If not, please take a moment to review:

With many organizations now taking heed of Microsoft's advice to disable SMBv1, Rapid7 customers have asked: How does this affect my scan capabilities?

 

Tl;dr If your assets have Windows Management Instrumentation (WMI) enabled and the Windows Management Instrumentation firewall rules enabled, the Scan Engine will use SMB/CIFS credentials to authenticate via WMI. If your assets are not part of a domain and the Scan Engine is not on the same subnet as the assets, the WMI firewall rules need to be updated to permit messages from the Scan Engine.

 

Read this MSDN article to learn how to set up remote WMI connections and configure Windows Firewall Remote Management.

 

Checking your configuration

You can verify if you are using SMB credentials in InsightVM by navigating to Administration > Shared Credentials. You may have a Shared Credential that looks like this:

 

 

If your organization has disabled SMBv1 on your assets, you can use your existing SMB credential. You'll want to configure InsightVM to scan port 135, so first verify your Scan Template(s).

 

Navigate to Administration > Scan Templates. Select a Scan Template and review the Service Discovery tab.

 

 

Take a look at the Additional ports field. Our example above has a range that includes port 135, and yours should too.

 

In summary:

  1. Set up WMI for remote connections and enable WMI traffic through Windows Firewall.
  2. Make sure your Scan Template includes port 135.
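A quick way to audit the second point across many templates is to parse the Additional ports field rather than eyeball it. The Python below is an added example, not Rapid7 code: it assumes the field is a comma-separated list of single ports and inclusive low-high ranges (e.g. "1-1024,1433,3389"; the post only shows that the field holds a range), rejects malformed entries instead of skipping them, and reports which of a constructed set of templates would miss TCP 135.

```python
"""Check that scan templates' "Additional ports" cover TCP 135 for WMI.

Added example, not Rapid7 code. Port field format assumed: comma-separated
single ports or inclusive 'low-high' ranges. Sample templates are constructed.
"""

# TCP 135 is the RPC endpoint mapper; DCOM/WMI starts there and then moves to
# a dynamic RPC port, which the Windows Firewall WMI rule group permits.
WMI_PORT = 135


def parse_port_spec(spec):
    """Expand '1-1024,135,3389' into a sorted list of distinct port numbers.

    Raises ValueError on non-numeric entries, reversed ranges and ports
    outside 1-65535, so a typo cannot silently leave a gap in coverage.
    """
    ports = set()
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            continue
        low, sep, high = entry.partition("-")
        try:
            lo = int(low)
            hi = int(high) if sep else lo
        except ValueError:
            raise ValueError(f"bad port entry {entry!r}") from None
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"bad port range {entry!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def covers_wmi(spec):
    """True if the Additional ports value includes TCP 135."""
    return WMI_PORT in parse_port_spec(spec)


def missing_wmi_port(templates):
    """Sorted names of templates (name -> Additional ports string) that omit 135."""
    return sorted(name for name, spec in templates.items() if not covers_wmi(spec))


# Constructed sample templates: name -> Additional ports field.
SAMPLE_TEMPLATES = {
    "Full audit": "1-1024,1433,3389",
    "Web only": "80,443,8080-8090",
    "MS17-010 sweep": "135,139,445",
}


if __name__ == "__main__":
    print("templates missing port 135:", missing_wmi_port(SAMPLE_TEMPLATES))
```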

Often the first time the security team knows that credentials have expired is when their scans start to return dramatically fewer vulnerabilities.

 

We all know getting credentialed access yields the best results for visibility. Yet, maintaining access can be difficult. Asset owners change credentials. Different assets have different frequencies for credential updates. Security teams are often left out of the loop.

 

By the time the security team has traced the problem to credential status, corrected the credential data, and re-run the scan, too much time has elapsed since the original scan, time that security groups could have put to better use.

 

What security teams need is a way to bypass these hassles by leveraging the credential management solutions they already have in place. This way, credentials are not stored in the vulnerability management system but are handled ephemerally, as they should be. The result is not only increased efficiency and less frustration for security teams, but also better security, because credentials are stored and managed centrally in CyberArk.

 

We are pleased to announce that as part of the May 24th, 2017 release, Nexpose and InsightVM (Security Console 6.4.39) have been integrated with CyberArk Enterprise Password Vault to enable credentialed scans while minimizing administrative effort.

 

The CyberArk integration, which is in-product, will work with either specific credentials or shared credentials for a given asset and will allow your team, no matter the size, to spend less time looking after your tools and more time on your security program. You can:

  • Query for credentials dynamically based on:
    • Address: The IP address or fully qualified domain name (FQDN) for the asset.
    • Object Name: The name of the object that stores the credentials.
    • Username: The username for the account that will be retrieved.
    • Policy ID: The policy ID that is assigned to the credentials that will be retrieved.
    • Custom Attributes: Custom key/value pairs in CyberArk.
  • Manage credential management preferences at the Site level or globally.

 

Getting Started

For more information, see the Help documentation or CyberArk Support, or contact your CSM or Rapid7 Support.

Is your security team working on the right things to make your organization safer today? How can you prove it with data?

 

Knowing Versus Doing

Knowing your threat exposure is only half the picture. The other half is knowing which actions to take with your vulnerability management solution to secure your organization against a shifting landscape of threats while also demonstrating—with data—that these actions were the right thing to do and had the right impact for your organization.

 

Making progress is difficult enough, but even when you've moved the bar, you have to show your stakeholders in ways they can understand. It's not easy, but we think it can be simpler.

 

Bringing Agility to Remediation Efforts

InsightVM’s new Remediation Liveboard helps you easily, readily, and confidently answer the following questions:

 

  • What’s new in my world and how effective are my teams at remediating vulnerabilities?
  • What remediation work was recently completed and how much is left?
  • Which projects require my attention because they are past due or about to expire?
  • Who are my top remediators? Who are my remediators requiring assistance?

 

The Remediations Liveboard provides visibility into what has been remediated, who your most effective remediators are, and who needs your assistance and guidance the most. You can take quick temperature reads on overall status and progress of remediation efforts across your organization, and you can also easily drill down to inspect details. This new dashboard helps you get a better handle on remediation burndown and makes sure you're ready to field questions on remediation status at any point in the process.

 

The Remediations Liveboard also brings greater agility to remediation efforts. You’ll know when to adapt and shift gears in order to reallocate resources in response to changes in your environments. You’ll also have access to the data needed to confidently answer bigger-picture security program questions and analyze what works and what does not work for your teams.

 

How well are we responding to new vulnerabilities found in our organization?

The New vs. Remediated Vulnerabilities card illustrates how your teams are fixing what has been found:

 

“My team has been swamped. We are focusing this month only on vulnerabilities we know to be exploitable.”

 

Get a high level view of Remediation Projects’ status overall:

 

“No imminent deadlines...time to tackle these overdue projects and get some project completions showing up before my next review.”

 

Deadlines are important for gauging risk, but they don’t tell you whether a project is really at risk since the amount of effort and complexity required to mitigate a vulnerability varies, as does the availability of needed resources (e.g., people and skill level). You need to know the amount of remaining work in a project to see remediation burndown.

 

 

You might want to know which projects are closest to completion based on amount of work; or maybe, if taking down the most risk is your goal, you want to view by total remediations outstanding.

 

 

Success is all about people. There are two cards that inform you of who in your organization is the most effective at remediation...

 

 

...and who needs more support from you and your team.

 

 

Getting Started

The Remediations Liveboard is available today as part of InsightVM. Simply click on the “Create a New Dashboard” drop down list and select “Remediations Dashboard” to get started. Not an InsightVM customer? Download a free trial of InsightVM today!

Summary

Nexpose physical appliances shipped with an SSH configuration that allowed obsolete algorithms to be used for key exchange and other functions. Because these algorithms are enabled, attacks involving authentication to the hardware appliances are more likely to succeed. We strongly encourage current hardware appliance owners to update their systems to harden their SSH configuration using the steps outlined under “Remediation” below. In addition, Rapid7 is working with the appliance vendor to ensure that future appliances will only allow desired algorithms.

 

This vulnerability is classified as CWE-327 (Use of a Broken or Risky Cryptographic Algorithm). Given that the SSH connection to the physical appliances uses the 'administrator' account, which does have sudo access on the appliance, the CVSS base score for this issue is 8.5.

 

Credit

Rapid7 warmly thanks Liam Somerville for reporting this vulnerability to us, as well as providing information throughout the investigation to help us resolve the issue quickly.

 

Am I affected?

All physical, hardware appliances are affected. Virtual appliances (downloadable virtual machines) are NOT affected.

 

Vulnerability Details

Nexpose Physical Appliances

The default SSH configuration of the hardware appliance enables potentially problematic algorithms which are considered obsolete.

 

KEX algorithms:

diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1, 
ssh-dss, ecdsa-sha2-nistp256, ssh-ed25519

 

Encryption algorithms:

arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, 
aes192-cbc, aes256-cbc, arcfour, rijndael-cbc@lysator.liu.se

 

MAC algorithms:

hmac-md5-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64-etm@openssh.com, hmac-ripemd160-etm@openssh.com,
hmac-sha1-96-etm@openssh.com, hmac-md5-96-etm@openssh.com, hmac-md5, hmac-sha1, umac-64@openssh.com, 
hmac-ripemd160, hmac-ripemd160@openssh.com, hmac-sha1-96, hmac-md5-96

 

These are supported by the version of OpenSSH used on the appliance, and should be disabled via explicit configuration that enables only desired algorithms.

 

Nexpose Virtual Appliances

The software appliances (downloadable virtual machines) are NOT affected by this issue. They specify desired algorithms, only allowing those generally recommended.

 

Remediation - Updated 2017/06/02

Before making any updates, first verify that your appliance is running Ubuntu 14.04 or above. You can determine the version by running "lsb_release -r". If on 14.04, you should see output like "Release: 14.04".

 

If the appliance is running Ubuntu 12.04 or below: OS upgrade required

Please reach out to Rapid7 support for more information on upgrading. Ubuntu 12.04 reached End of Life in April 2017, and we strongly encourage you to update to a supported version. DO NOT continue with the changes below if you are not on 14.04 or above, as some of the configuration options will not be supported by older versions of OpenSSH.

 

If the appliance is running Ubuntu 14.04 or above

The version of OpenSSH on base Ubuntu 14.04 ("OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014") will support the configuration changes below. If you updated from 12.04, you may want to update OpenSSH to the latest available version to ensure you have the available security patches, but it is not required for this change. You can check your OpenSSH version by running "ssh -V". The current latest for 14.04 is "OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8".

 

Note on verification and existing connections

Do not close the SSH session you use to make the configuration change until you first attempt a new connection and verify you are able to connect. This will enable you to stay connected in the event there is a problem with the edit and you need to revert and review, as active SSH sessions should not be closed even across service restarts. If you skip this step, you may lose the ability to connect over SSH, potentially meaning you need physical access or other means to fix the issue.

 

Configuration change

Administrators need to edit the /etc/ssh/sshd_config file on their Nexpose appliance. Before changing the configuration file, copy it (e.g. "sudo cp /etc/ssh/sshd_config /home/administrator") in case there is a problem during editing. Add the following lines (based on the guidelines available here) to the end of the file:

 

# Enable only modern ciphers, key exchange, and MAC algorithms
# https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

 

Please be careful to copy the entirety of the lines above, which may scroll horizontally in your browser. You can also copy from this gist. Depending on the version of SSH you have installed, there may be other configuration lines in that file for "KexAlgorithms", "Ciphers", and "MACs". If that is the case, remove or comment out (add a "#" to the beginning of the line) those lines so that the desired configuration you add is sure to be respected.

 

Editing this file will require root access, so the appliance default "administrator" user, or another user with permission to sudo, will need to perform this step.

 

After updating the configuration file, verify that the changes made match the configuration above. This is important, as missing part of the configuration may result in a syntax error on service restart, and a loss of connectivity. You can run this command and compare the three output lines with the configuration block above:

 

egrep "KexAlgorithms|Ciphers|MACs" /etc/ssh/sshd_config

 

After verifying the configuration change, restart the SSH service by running "service ssh restart". Once that completes, verify that you can still connect to the appliance with an SSH client from a separate terminal. Do not close the original terminal until you’ve successfully connected from the second one.

 

This change should not impact connections from Nexpose instances to the physical appliance (SSH is not used for this communication). The main impact is shoring up access by SSH clients such that they cannot connect to the appliance using obsolete algorithms.
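The audit and remediation described above, as an added shell example that is not Rapid7's own appliance tooling: it flags explicit KexAlgorithms, Ciphers and MACs entries matching the obsolete algorithm families listed under Vulnerability Details (SHA-1 key exchange, ssh-dss, CBC and RC4/arcfour ciphers, MD5, SHA-1, RIPEMD and umac-64 MACs), treats a file with no explicit directives as not hardened (OpenSSH's defaults then apply, which is the state the advisory describes), and applies the hardened block from the Configuration change section after backing the file up and commenting out any existing directives, as the text instructs. The sample configuration it writes to a temporary file is constructed for the demonstration; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not Rapid7 appliance tooling): audit an sshd_config for the
# obsolete algorithm families named in the advisory, then apply the hardened
# KexAlgorithms/Ciphers/MACs block from the remediation section.

# Denylist covering the advisory's obsolete lists: SHA-1 key exchange,
# DSA host keys, CBC and RC4 (arcfour) ciphers, MD5/SHA-1/RIPEMD/umac-64 MACs.
WEAK_PATTERN='sha1|group1|ssh-dss|arcfour|-cbc|md5|ripemd|umac-64'

# The three lines the advisory tells administrators to append.
HARDENED_KEX='KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256'
HARDENED_CIPHERS='Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
HARDENED_MACS='MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'

# list_weak_algorithms FILE
# Prints "<directive> <algorithm>" for every weak entry on an active
# (uncommented) KexAlgorithms, Ciphers or MACs line.
list_weak_algorithms() {
  grep -Ei '^[[:space:]]*(KexAlgorithms|Ciphers|MACs)[[:space:]]' "$1" |
  while read -r directive value; do
    printf '%s\n' "$value" | tr ',' '\n' | grep -Ei "$WEAK_PATTERN" | sed "s/^/$directive /"
  done
}

# sshd_config_is_hardened FILE
# Succeeds only if all three directives are set explicitly and none of them
# lists a weak algorithm. A file that omits a directive falls back to the
# OpenSSH defaults, which on the appliance included the obsolete algorithms.
sshd_config_is_hardened() {
  for directive in KexAlgorithms Ciphers MACs; do
    if ! grep -Eiq "^[[:space:]]*$directive[[:space:]]" "$1"; then
      echo "missing explicit $directive (OpenSSH defaults apply)" >&2
      return 1
    fi
  done
  weak=$(list_weak_algorithms "$1")
  if [ -n "$weak" ]; then
    printf '%s\n' "$weak" >&2
    return 1
  fi
  return 0
}

# harden_sshd_config FILE [BACKUP]
# Backs up FILE, comments out existing KexAlgorithms/Ciphers/MACs lines so the
# appended block is the one sshd honours, then appends the hardened block.
harden_sshd_config() {
  file="$1"
  backup="${2:-$1.bak}"
  cp "$file" "$backup" || return 1
  sed -E 's/^([[:space:]]*(KexAlgorithms|Ciphers|MACs)[[:space:]])/# \1/' "$file" > "$file.tmp" \
    && mv "$file.tmp" "$file" || return 1
  {
    printf '\n# Enable only modern ciphers, key exchange, and MAC algorithms\n'
    printf '%s\n' "$HARDENED_KEX" "$HARDENED_CIPHERS" "$HARDENED_MACS"
  } >> "$file"
}

# check_sshd_syntax FILE
# Runs sshd's own config test when sshd is installed (it is on the appliance),
# so a typo is caught before "service ssh restart" rather than by a lost session.
check_sshd_syntax() {
  if command -v sshd >/dev/null 2>&1; then
    sshd -t -f "$1"
  else
    echo "sshd not found; skipping syntax check" >&2
  fi
}

# Demonstration on a constructed config resembling the appliance's default
# state (no explicit KEX or cipher directives, one MAC line with hmac-md5).
# On a real appliance, point the functions at /etc/ssh/sshd_config with sudo
# and keep your current SSH session open until a second connection succeeds.
sample=$(mktemp)
printf 'Port 22\nPermitRootLogin no\nMACs hmac-md5,hmac-sha2-256\n' > "$sample"
echo "before hardening:"
sshd_config_is_hardened "$sample" && echo "  hardened" || echo "  NOT hardened"
harden_sshd_config "$sample" "$sample.bak"
echo "after hardening:"
sshd_config_is_hardened "$sample" && echo "  hardened" || echo "  NOT hardened"
check_sshd_syntax "$sample"
rm -f "$sample" "$sample.bak"
```

The audit matches directive names case-insensitively (sshd itself ignores case), while the comment-out step in harden_sshd_config matches the canonical capitalization used in the advisory; if a file spells the directives differently, sshd_config_is_hardened will still report the leftover weak entries after hardening, which is the cue to comment them out by hand. The list_weak_algorithms output is the same information the advisory's "egrep" check gives you, reduced to the entries that actually need attention.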

 

We apologize for any inconvenience, and would like to warmly thank the customers that worked with us to test and troubleshoot these remediations.

 

Disclosure Timeline

  • Wed, May 10, 2017: Vulnerability reported to Rapid7
  • Wed, May 17, 2017: Vulnerability confirmed by Rapid7
  • Tue, May 23, 2017: Rapid7 assigned CVE-2017-5243 for this issue
  • Wed, May 31, 2017: Disclosed to MITRE
  • Wed, May 31, 2017: Public disclosure

Just when you’d finished wiping away your WannaCry tears, the interwebs dropped another bombshell: a nasty Samba vulnerability, CVE-2017-7494 (no snazzy name as of the publishing of this blog, but hopefully something with a Lion King reference will be created soon).

 

As with WannaCry, we wanted to keep this simple. First, check out Jen Ellis's overview of the Samba vulnerability, and then review the below steps to quickly scan for this vulnerability on your own infrastructure and create a dynamic asset group for tagging and reporting. If you aren’t already a customer, you can use this free trial to scan for the Samba vulnerability across your environment.

 

Authenticated checks are live in Nexpose and InsightVM, as well as unauthenticated and authenticated remote checks.

 

Here is the InsightVM/Nexpose step-by-step guide to create a scan template specifically to look for CVE-2017-7494:

 

1. Under administration, go to manage templates.

 

 

2. Copy the following template: Full Audit enhanced logging without Web Spider. Don’t forget to give your copy a name and description!

 

 

3. Click on Vulnerability Checks and then “By Individual Check”.

 

 

4. Add Check “CVE-2017-7494” and click save.

 

This should come back with 41 checks that are related to CVE-2017-7494.

 

5. Save the template and run a scan to identify all assets with CVE-2017-7494.

 

Creating a Dynamic Asset Group for CVE-2017-7494

Now that you have your assets scanned, you may want to create a Dynamic Asset Group to report on and tag from, one that will update itself whenever new assets are found with this vulnerability (and when they are fixed). To get started, click on the filter icon in the top right of the InsightVM console, just under the search button.

 

 

Now, use the "CVE ID" filter to specify the CVE:

 

 

This asset group can now be used for reporting as well as tagging to quickly identify exposed systems.

 

Using these steps, you’ll be able to quickly scan as well as report on the Samba vulnerability. Let us know if you have any more questions!
