
Over the last couple of years, some of the most serious and widely publicized vulnerabilities have been related to the Transport Layer Security (TLS) protocol and its predecessor, Secure Sockets Layer (SSL). Because TLS is so fundamental to keeping network communications secure, new flaws that are discovered can have a disproportionate effect on an organization's risk.


From Heartbleed to POODLE, FREAK to Logjam, system administrators dread the next vulnerability announcement with a catchy name or custom designed logo that will require patching and/or reconfiguring any services using TLS. The October 14th release of Nexpose (6.0.2) contains a number of improvements related to TLS that will make it easier for administrators to track which versions of the protocols are supported by assets, along with which cipher suites are enabled. We've also broken up our weak cipher vulnerability into multiple vulnerabilities to make it clearer why particular cipher suites are flagged as insecure. (Note that we will continue to ship the old ssl-weak-ciphers vulnerability alongside the new ones for a period of time to give customers who typically do content-only updates a chance to get the required product changes without losing coverage.)


Cipher Suite Enumeration


The most significant enhancement with this release is that Nexpose now enumerates the protocol versions (SSLv2 and v3, TLS v1.0, v1.1 and v1.2) and associated cipher suites for each TLS endpoint that gets scanned. This information is stored in the service configuration, accessible by clicking on the Service Name under the SERVICES section of an asset's page:


Click on the Service Name to see catalogued settings related to the service


A number of new configuration settings are available:


Configuration settings related to the service


The new ssl.protocols configuration setting is a comma-delimited list of protocol versions supported by the endpoint. As a convenience, the sslv3, tlsv1_0, tlsv1_1, and tlsv1_2 settings contain "true" if that protocol is supported, or "false" if Nexpose was unable to connect via that version. In this case, we can see that only SSLv3 is supported. The sslv3.ciphers setting is a comma-delimited list of cipher suites available when using SSLv3 to connect to the service. There are also dh.keysize settings indicating the size of the key used by cipher suites that use Diffie-Hellman key exchange.

Exporting Cipher Suite Data


Although having all the cipher suites in the service configuration is convenient for taking a quick look at how a service is configured, it does not lend itself well to bulk or offline analysis. To facilitate this, the data can be exported as a SQL Query Export with a row per cipher suite. This is done by going to the Reports tab, choosing Create a Report, giving it a name (here "ciphersuite export"), choosing the Export tab and then the SQL Query Export template:



Select the SQL Query Export template under the "Export" report type


Next, define the query that will expand the comma-delimited list into individual rows:



The SQL query


The query:

-- One output row per (asset, port, protocol version, cipher suite)
SELECT ds.name AS site_name, da.ip_address, da.host_name, dos.asset_type, dasc.port,
       split_part(dasc.name, '.', 1) protocol_version,
       unnest(string_to_array(dasc.value, ',')) cipher_suite
FROM dim_asset da
   JOIN dim_operating_system dos USING (operating_system_id)
   JOIN dim_host_type dht USING (host_type_id)
   JOIN dim_asset_service_configuration dasc USING (asset_id)
   JOIN dim_site_asset dsa USING (asset_id)
   JOIN dim_site ds USING (site_id)
-- Keep only the per-protocol cipher list settings
WHERE dasc.name ILIKE 'sslv2.ciphers'
   OR dasc.name ILIKE 'sslv3.ciphers'
   OR dasc.name ILIKE 'tlsv1_0.ciphers'
   OR dasc.name ILIKE 'tlsv1_1.ciphers'
   OR dasc.name ILIKE 'tlsv1_2.ciphers'


will convert the comma-separated list into an array ("string_to_array") and then expand it into a row per cipher suite ("unnest").


Now, select the site and scan of interest, then save and run the report:


Select a site and scan, then save and run the report


Once the report has finished, you can download it as a CSV file containing rows with the site name, host name, IP address, protocol version and cipher suite:



Cipher suite breakdown by asset and protocol version


New Weak Cipher Checks


In addition to the cipher suite enumeration, we have also changed how our vulnerability checks for ciphers are performed. Our old vulnerability checks each connected to the server and requested SSL/TLS handshakes using the vulnerable ciphers. This meant that it was possible for multiple handshakes to be performed with the same cipher if the cipher was listed in multiple vulnerabilities. This led to unnecessary requests to the scan target. With the new cipher enumeration, we are performing the vulnerability checks against the configuration settings of the scan target, without performing any additional requests. This results in better, scalable vulnerability checks.


We have also expanded our three previous vulnerability checks into seven new checks.  This allows more direct explanations as to why a cipher is weak and vulnerable. To accommodate customers who will only perform content updates this release, we are shipping the new vulnerability checks alongside the old checks. This is just for a transition period and it is recommended to update Nexpose to prevent loss of coverage when the old checks are deprecated.


The seven vulnerabilities are:

  1. ssl-anon-ciphers: The server is configured to support anonymous cipher suites with no key authentication. These ciphers are highly vulnerable to man-in-the-middle attacks.
  2. ssl-cbc-ciphers: The server is configured to support Cipher Block Chaining (CBC) ciphers. These ciphers have problems with the way TLS implements CBC mode and can be vulnerable to multiple attacks. Known attacks include the "BEAST" attack (CVE-2011-3389) and the "Lucky Thirteen" attack (CVE-2013-0169).
  3. ssl-des-ciphers: Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346) include cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) algorithms. DES and IDEA are no longer recommended for general use in TLS, and have been removed from TLS version 1.2.
  4. ssl-export-ciphers: The TLS/SSL server supports export cipher suites, intentionally crippled to conform to US export laws. Symmetric ciphers used in export cipher suites typically do not exceed 56 bits.
  5. ssl-null-ciphers: The TLS/SSL server supports null cipher suites. Null cipher suites do not provide any data encryption and/or data integrity.
  6. ssl-rsa-export-ciphers: The TLS/SSL server supports RSA-based cipher suites intentionally weakened due to export control regulations. This may enable an attacker to launch man-in-the-middle attacks and monitor or tamper with sensitive data against clients susceptible to the FREAK vulnerability. These cipher suites can typically be identified by the word "EXP" or "EXPORT" in their name.
  7. rc4-cve-2013-2566: Recent cryptanalysis results exploit biases in the RC4 keystream to recover repeatedly encrypted plaintexts. As a result, RC4 can no longer be seen as providing a sufficient level of security for SSL/TLS sessions. It has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.


Note that ssl-rsa-export-ciphers and rc4-cve-2013-2566 already exist in Nexpose. The more generic ssl-weak-ciphers vulnerability will be deprecated in an upcoming release.
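
For offline triage of the exported CSV, the following added example (not Nexpose's own check logic, and not code from the original post) groups each exported cipher suite under the seven check IDs listed above by matching tokens in the suite name. It assumes the CSV columns carry the aliases from the SQL query above and that suite names are IANA-style (for example TLS_RSA_WITH_RC4_128_SHA); the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of the CSV export (not real scan data). Column names follow
# the aliases in the SQL query above; IANA-style suite names are an assumption.
SAMPLE_CSV = """\
site_name,ip_address,host_name,asset_type,port,protocol_version,cipher_suite
lab,192.0.2.10,web01.example.test,Server,443,sslv3,TLS_RSA_WITH_RC4_128_SHA
lab,192.0.2.10,web01.example.test,Server,443,sslv3,TLS_RSA_EXPORT_WITH_RC4_40_MD5
lab,192.0.2.10,web01.example.test,Server,443,tlsv1_0,TLS_DH_anon_WITH_AES_128_CBC_SHA
lab,192.0.2.11,mail01.example.test,Server,993,tlsv1_0,TLS_RSA_WITH_DES_CBC_SHA
lab,192.0.2.11,mail01.example.test,Server,993,tlsv1_0,TLS_RSA_WITH_NULL_SHA
lab,192.0.2.11,mail01.example.test,Server,993,tlsv1_2,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
lab,192.0.2.12,app01.example.test,Server,8443,tlsv1_0,TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
"""


def classify(cipher_suite):
    """Return the sorted check IDs (from the list above) that a suite name matches."""
    tokens = cipher_suite.strip().upper().split("_")
    hits = set()
    if "ANON" in tokens:
        hits.add("ssl-anon-ciphers")
    if "CBC" in tokens:
        hits.add("ssl-cbc-ciphers")
    # Single DES (including 40-bit DES40) and IDEA; "3DES" is a different token.
    if {"DES", "DES40", "IDEA"} & set(tokens):
        hits.add("ssl-des-ciphers")
    # Export suites carry "EXP"/"EXPORT" in their name.
    if any(t.startswith("EXP") for t in tokens):
        hits.add("ssl-export-ciphers")
    if "NULL" in tokens:
        hits.add("ssl-null-ciphers")
    # RSA key exchange with an export modifier, e.g. TLS_RSA_EXPORT_WITH_...
    # (TLS_DHE_RSA_EXPORT_... uses DHE key exchange and is not matched here).
    if len(tokens) > 2 and tokens[1] == "RSA" and tokens[2].startswith("EXP"):
        hits.add("ssl-rsa-export-ciphers")
    if "RC4" in tokens:
        hits.add("rc4-cve-2013-2566")
    return sorted(hits)


def findings(csv_text):
    """Group flagged suites by (ip_address, port), then by check ID."""
    result = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(csv_text)):
        suite = row["cipher_suite"].strip()
        for check in classify(suite):
            endpoint = (row["ip_address"], row["port"])
            result[endpoint][check].append((row["protocol_version"], suite))
    return {
        endpoint: {check: sorted(suites) for check, suites in checks.items()}
        for endpoint, checks in result.items()
    }


if __name__ == "__main__":
    for (ip, port), checks in sorted(findings(SAMPLE_CSV).items()):
        for check, suites in sorted(checks.items()):
            for proto, suite in suites:
                print(f"{ip}:{port} {check} {proto} {suite}")
```

Endpoints that never appear in the result have no suite matching any of the seven name patterns; the vulnerability findings reported by the scan remain the authoritative source.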



Along with all these additions, this release fixes various outstanding issues with Nexpose's TLS coverage. These changes also lay the groundwork for further TLS improvements, coming soon!


Update Tuesday, October 2015

Posted by anowak Employee Oct 13, 2015

This month is dominated by remote code execution vulnerabilities enabling information disclosure if a user opens/visits specifically crafted content. The vulnerabilities affect Internet Explorer, Edge, Windows Shell and Microsoft Office. It is advisable for users and administrators to patch the affected platforms.


Microsoft includes 6 security bulletins, half of which are rated critical, resolving a total of 19 vulnerabilities. All of the critical bulletins (MS15-106, MS15-108, MS15-109) are remote code execution issues affecting Internet Explorer, Edge, VBScript & JScript Engines, Windows Shell, Office, Office Services and Apps as well as Microsoft Server Software.


MS15-106 is the bulletin to watch out for this month. It is rated Critical for Internet Explorer 7 - 11 on Windows clients and Moderate for Internet Explorer 7 - 11 on Windows servers. If a user views a maliciously crafted webpage using Internet Explorer, an attacker could gain the same rights as the current user. Users with administrative rights beware.


Users should always be wary of untrusted sources as maliciously crafted content could disclose personal/sensitive information. Your best protection against these threats is to patch as quickly as possible.


Vulnerability Reference:


Adaptive Security is a new feature released in Nexpose 6.0 that dynamically collects and analyzes the important network changes with minimal configuration needed from the user. This new feature allows you to create workflows called automated actions that can respond to various behaviors occurring in your environment automatically. For further explanation, please feel free to read Adaptive Security Overview.


Triggers and Actions

Currently Adaptive Security offers 3 triggers:

  • New coverage available
  • New asset discovered
  • Known asset available


Each trigger is accompanied by an action that handles the events the trigger initiates within a workflow. The following is a summary of all three triggers and their available actions:


| | | Configuration parameters | |
|---|---|---|---|
| Trigger | New coverage available | Filter by: CVSS score, risk, severity | Initiates the workflow once a new vulnerability coverage is detected that meets certain criteria defined by filters |
| Action | Scan for new vulnerabilities | An existing Nexpose site | The detected vulnerability is scanned within the selected site. |


| | | Configuration parameters | |
|---|---|---|---|
| Trigger | New asset discovered | Discovery connection | Initiates the workflow once a new asset is discovered from the selected discovery connection. An asset is considered as new if Nexpose has never seen the hostname of the discovered asset before. |
| Action | Add to site and scan | An existing Nexpose site | The detected asset is added to the selected site and scanned. |
| | Add to site | An existing Nexpose site | The detected asset is added to the selected site. |


| | | Configuration parameters | |
|---|---|---|---|
| Trigger | Known asset available | Discovery connection | Initiates the workflow once a known asset is discovered from the selected discovery connection. An asset is considered as known if Nexpose has seen the hostname of the discovered asset before. |
| Action | Add to site and scan | An existing Nexpose site | The detected asset is added to the selected site and scanned. |
| | Add to site | An existing Nexpose site | The detected asset is added to the selected site. |
| | Tag | Nexpose tag | The detected asset is tagged with the selected tags. |
| | Scan | N/A | The detected asset is scanned with scan template of the site which the asset is located in. |


Let's configure an Automated Action

Let's configure an Automated Action that will initiate a scan when new coverage becomes available that meets certain criteria. In this example, we want to initiate a scan on a specific site when new coverage with a risk score of 4 or higher becomes available.


To configure the Automated Action, we will use the Automated Actions widget. The widget is located in the top right-hand corner of the Nexpose user interface, marked with a red square in screenshot 1:


screenshot 1


To create a new Automated Action with "New coverage available" as the trigger and "Scan for new vulnerabilities" as the action:

     1. Click on "NEW ACTION" button marked with green rectangle in the screenshot 1.

     2. In the drop down menu marked "TRIGGER", select "New coverage available".

     3. In the "Filter By" drop down menu, pick a criterion, e.g. "Risk Score".

     4. Enter a valid value in the text box, e.g. 4 (the valid range for "Risk Score" is 0-1000).

     5. Once a valid value is entered in the text box, the "NEXT" button will become enabled, click on the button to move on to the action selections.

     6. Choose "Scan for new vulnerabilities" from the "ACTION" drop down menu.

     7. Once the "Scan for new vulnerabilities" action is chosen, the site selection drop down will appear, choose the desired site and click on the "NEXT" button.

     8. A text box appears for the name of the action, name the action and click on the "SAVE" button.


Overview of the UI with step numbers from above marked on screenshot 2:

screenshot 2


Once the Automated Action is configured and saved, the trigger simply waits for the respective event to occur and then kicks off the action. The Automated Action stays enabled until you manually turn it off or delete it altogether. Currently, there is no process that can turn off or delete an Automated Action automatically.


As we continue to develop Adaptive Security, we will be adding additional filters and actions in order to provide better surface area coverage for your needs.


Now, please go ahead and play with this new feature and have fun. As always, we are here to listen to any feedback you wish to give.

In Nexpose 6, we are introducing Adaptive Security, a smarter way to automate actions taken based on security incidents as they occur in your environment. The ultimate goal is to give back to security teams the time spent configuring tools to respond to a threat and automating the tedious and repetitive tasks taken to understand changes in the asset inventory and the threat landscape.


With Adaptive Security, you can create workflows called automated actions that respond to new and existing assets coming online and to assets that are missed in scan windows and, more importantly, let you instantly understand the surface area of a critical threat that is adding risk to the environment. Imagine a world where you know exactly what the affected assets are for a recently published zero-day vulnerability. A world where your team has answers to questions like "How is the new celebrity zero-day vulnerability affecting our environment?" or "What risk does an unauthorized asset add to our security program?" as soon as the vulnerability is found or when the device comes online. Today, with Adaptive Security you do not need to imagine that world anymore. It is a reality: security teams now have the ability to work smarter and faster, take action in an automated way, and focus on strategies to address the risk as opposed to finding it.


One of the more powerful aspects of this new feature is that it is highly configurable. Security teams can eliminate the noise generated by continuous monitoring alone and create filters and rules to intelligently react to threats and asset discovery in a way that makes sense and meets the particular needs of each of the customer environments managed by their security team. Not all findings or threats are born the same, and they should be treated and addressed in the context that they live in.


Adaptive Security brings in a set of triggers that kick off automated actions. Different actions are available depending on the selected trigger, allowing users to easily customize the response to a change in the environment or the threat landscape, for example by filtering the scope of the action or the area of the environment that needs to be addressed. The possibilities that this feature opens for efficiency and productivity are enormous and will make the usage of Nexpose even more enjoyable and useful than ever before.


Looking forward to hearing from you, new triggers and actions will be added and existing ones refined based on your feedback. Please check out our introductory video: Meet your newest asset: Adaptive Security


My name is JF Boisvert - NEXPOSE Senior UX Architect. In this role, I see opportunities everyday to improve our user flows, visual design, and customer usage.

I am excited to share with you valuable insights into the NEXPOSE 6 product development process, and how we are making a better, more usable product.



With NEXPOSE 6, we are laying a new foundation which will percolate across all of our product line to eventually unify the look, experience, and interactions our customers will experience.


By using NEXPOSE as the foundation for the new look and feel, we are:

  • Moving towards standardized interface guidelines
  • Creating reusable interface artifacts
  • Improving our development velocity
  • And producing consistent user experiences.

In less than a few months, Engineering, Product Management, Product Marketing, and UX came together to bring dramatic user experience changes to NEXPOSE 6.


Why did we change the interface in the first place?

  • First off, NEXPOSE 5x was due for a major makeover.
  • We wanted to modernize the application and create a common design language for all of our Rapid7 products.
  • We also wanted to remove clutter and noise, with a strong emphasis on readability.


What are the steps involved in creating amazing user experiences?

  • UX Discovery
    • First we look at the customer problem.
    • Talk to users via discovery calls.
    • Identify their needs, pain points, and contextual limits.
    • We survey their technical environments to understand what is possible.
    • We work in concert with Engineering, Product Marketing, and Product Management leads to understand all the elements involved in creating a world class solution.


  • UX Solutions
    • Once we have a clear understanding of all the above parameters we:
      • Create user flows to understand how the experience will unfold.
      • Define access points for the experience.
      • Create wireframes describing the interface.
      • Create interactive prototypes to uncover any flaws and to explain how it will work to our partners.
      • Create high-fidelity visual design artifacts.
      • Validate the proposed solutions with customers, using live interviews and prototypes.
      • Make appropriate edits and revisions.
      • Socialize our learnings with all parties involved.
      • Create final design specifications.
      • And proceed towards implementation support.



If you’re familiar with NEXPOSE or have been using it over the past 5+ years, you probably became aware of the various visual design updates that were given to the product over time. Through these various development cycles, we realized that, in order for us to build a winning brand image and improve usability, we would need to invest in the development of a unified user experience strategy.






The first step towards delivering a more efficient experience was to simplify the navigation. In NEXPOSE 6, the global navigation has been redesigned to maximize working space while providing easy access to global features like notifications and user settings.

To improve readability, NEXPOSE is giving users an improved look and feel focused on providing better contrast and information priority.



“Information presentation is a critical step in designing for security. Attackers depend on invisibility. We intend to counter that by not only showing you key data, but delivering it visually in a way that enables you to connect the dots easily. The overall design of NEXPOSE places the focus on the content, enabled by the navigation in a secondary role. This redesigned navigation and enhanced look and feel are important steps toward unifying the experience across all of our products.” Neil Estacio, UX Visual Design Manager




Our DESIGN PARTNERS PROGRAM is led by Even Jacobs and Ger Joyce. Ger is our resident UX Research Lead.

Every time we need to validate a thesis, we schedule time with our customers through our DESIGN PARTNERS PROGRAM. By listening to our customers, Ger and his team validate thesis, uncover usability issues and provide clues that will eventually translate into better experiences. To support UX Architects and Leads, Ger's team can organize a variety of activities such as:

  • Focus Group
  • Surveys
  • And On-site Customer Validations.

“We find key insights when we engage with our customers, and validate them by testing iterations with our DESIGN PARTNERS PROGRAM. Our customers not only engage with us to give these insights, but also engage with the products prior to release, resulting in a refined necessary experience that meets their work needs.” Ger Joyce, UX Research Lead












NEXPOSE 6 is the first product to adopt the new user experience strategy. In coming months, we will continue to improve consistency, usability, and product experiences across all products in the portfolio. With the growing involvement of the UX product team in the creation of world class experiences, expect exciting updates to all the Rapid7 products in a very near future.

This month, Microsoft includes 12 security bulletins, comprised of 52 CVEs, with five bulletins being rated critical. All five critical bulletins (MS15-094, MS15-095, MS15-097, MS15-098, MS15-099) and MS15-100 are remote code execution issues affecting Internet Explorer, Edge, Microsoft Graphics, Windows Journal, Microsoft Office and Media Center. Users can be affected by the remote execution issues by viewing a specially crafted web page, journal file, office file or media center link (.mcl).


CVE-2015-2506, CVE-2015-2510 and CVE-2015-2545 are Office vulnerabilities actively being exploited in the wild. The positive news is exploitation of these vulnerabilities requires user interaction. As always users should be aware of the document origins whenever they open Office documents, particularly for documents received via email or downloaded from an untrusted online source.


Users, remember to be wary of untrusted sources. Your best bet for resolving these is to get patching quickly.

As the IT landscape evolves, and as companies diversify the assets they bring to their networks - including on premise, cloud and personal assets - one of the biggest challenges becomes maintaining an accurate picture of which assets are present on your network. Furthermore, while the accurate picture is the end goal, the real challenge becomes optimizing the means to obtain and maintain that picture current. The traditional discovery paradigm of continuous discovery sweeps of your whole network by itself is becoming obsolete. As companies grow, sweeping becomes a burden on the network. In fact, in a highly dynamic environment, traditional sweeping approaches pretty quickly become stale and irrelevant.


Our customers are dealing with networks made up of thousands of connected assets. Lots of them are decommissioned and many others brought to life multiple times a day from different physical locations on their local or virtual networks. In a world where many assets are not 'owned' by their organization, or unauthorized/unmanaged assets connect to their network (such as mobile devices or personal computers), understanding the risk those assets introduce to their network is paramount to the success of their security program.


Rapid7 believes this very process of keeping your inventory up to date should be automated and instantaneous. Our technology allows our customers to use non-sweeping technologies like monitoring DHCP, DNS, Infoblox, and other relevant servers/applications. We also enable monitoring through technology partners such as vSphere or AWS for virtual infrastructure, and mobile device inventory with ActiveSync. In addition, Rapid7's research team, through its Sonar project technology (this topic deserves its own blog), is able to scan the internet and understand our customers' external presence. All of these automated techniques provide great visibility and complement the traditional approaches, such that our customers' experience of our products revolves around taking action and reducing risk as opposed to configuring the tool.


Why should you care? It really comes down to good hygiene and good security practices. It is unacceptable not to know about the presence of a machine that is exfiltrating data off of your network or rogue assets listening on your network. And beyond being unacceptable, it can take you out of business. Brand damage, legal and compliance risks are great concerns that are not mitigated by an accurate inventory alone; however, without knowing in a timely manner that those assets exist in your network, it is impossible to assess the risk they bring and take action.


SANS Institute has this topic rated as the Top security control. They bring up key questions that companies should be asking their security teams: How long does it take to detect new assets on their networks? How long does it take their current scanner to detect unauthorized assets? How long does it take to isolate/remove unauthorized assets from the network? What details (location, department) can the scanner identify on unauthorized devices? And plenty more.


Let Rapid7 technology worry about inventory. Once you've got asset inventory covered, then you can move to remediation, risk analysis, and other much more fun security topics with peace of mind that if it's in your network then you will detect it in a timely manner.

One of the exciting but challenging aspects of working in the security industry is how quickly things change. You have to protect critical data while physical and virtual devices are coming on and offline, and new threats are announced on a regular basis.


Advanced features in Nexpose are designed to help you respond to these complicated situations. The ability to scan dynamic assets allows you to keep on top of your network even when addresses may be in flux. By scheduling scans, you can use more than one scan template per site, and perform regular scans with no manual effort on your part. Criticality tags help you track your most essential assets amid all the data you receive. This post shows how to access a few of these key features and explains when and why to use them.


Scanning dynamic assets

In some cases, your assets may shift constantly. In the case of virtual or cloud assets, they may come and go or change addresses due to the nature of the environment. In others, you may have a busy office with a lot of employees coming and going, and connecting via virtual private network (VPN).


You can configure Nexpose to keep track of these kinds of constantly changing assets, and scan them on a schedule you specify. For instance, if you have virtual assets, you can create a connection to your vSphere instance, and scan assets discovered through that connection.

Configuring a connection to discover assets

Creating multiple schedules

You can create as many automated scheduled scans as you want. One advantage of creating multiple schedules is that you can scan the same site with different templates. For example, you can scan the same set of assets one day with a standard template such as Full Audit without Web Spider, and another day with another type of template, such as a custom template that checks only for certain types of vulnerabilities. One potential use for this feature is to scan your existing sites for newly announced zero-day vulnerabilities.

Multiple schedules configured for a site

Tagging all assets in a site

You can apply a tag to all the assets in a site. For instance, if you want to tag all the assets in the site with a Very High criticality tag, you can do that in the site configuration. This is an efficient way to set up tags that can help you with tracking and reporting later.

Applying a tag to all assets in a site

To learn more about any of these features, see the Nexpose Help or User’s Guide.


Shooting gallery photo from jeremyriad via flickr under a Creative Commons attribution license. No changes were made.

Relax while Nexpose does the work for you

You may have received notifications that you need to update your Nexpose database soon in order to continue receiving product updates. You may have been putting it off because it sounds like a pain.


Good news: it’s simple!


Have you seen the Staples commercials with the “easy button?” Nexpose basically has that for the update. You don’t have to go in to your database and mess around with an upgrade wizard. Nexpose handles all that for you. All you have to do is open up Nexpose and make a few clicks.


On the migration page, click a few buttons in the indicated order. Sit back and relax while you wait for the migration steps to complete.


To see how easy it is, check out this short video:

Migrating to the latest version of PostgreSQL


To learn more about the cool stuff you can get once you migrate, see the previous blog post “Get on the Path to Superpowers in only 1 hour!”

Relax and enjoy your updated Nexpose!


Update Tuesday, August 2015

Posted by dpicotte Employee Aug 13, 2015

This month’s update includes 14 Microsoft security bulletins (52 CVEs), with three being rated as critical. One of these vulnerabilities has already affected MS Office (MS15-081) and has been detected as being exploited in the wild. As per the norm, Adobe has also released a high priority Air\Flash security patch (APSB15-19) to address 34 CVEs on multiple affected platforms (IE, Edge, Windows, Macintosh, Android and iOS).


Microsoft seems to have implemented a new strategy for Windows 10, as they are now releasing a single KB specific to the platform that addresses all applicable bulletins (in this case 6 of the 14). For administrators this allows a single patch to be installed for addressing all security issues – greatly reducing the burden of patch implementation. We see this as a very positive step forward for Microsoft and will be interested to see what, if any, additional changes they make to the patch process moving forward.


  • MS15-079: resolves 13 CVEs on all supported versions (7-11) of Internet Explorer (likely to be exploited in the near future).
  • MS15-080: resolves 16 CVEs in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Microsoft Lync, and Microsoft Silverlight.
  • MS15-081: resolves 8 CVEs in Microsoft Office (2007 – 2016) on both Windows and Mac and SharePoint servers (2010, 2013).
  • MS15-082: resolves 2 CVEs in nearly all supported platforms (Windows 10 being the only exception) that could allow remote code execution via the remote desktop protocol (RDP) functionality. This bulletin is rated “Important” as it is not believed that exploitation is occurring in the wild. CVE-2015-2472 requires a man-in-the-middle (MiTM) attack to exploit (decreasing the likelihood of a successful attack) and CVE-2015-2473 requires user interaction to exploit.
  • MS15-083: resolves 1 CVE in Vista SP2 and Server 2008 SP2 systems that support SMB and requires authentication credentials (a valid session).
  • MS15-084: resolves 3 CVEs in nearly all supported platforms (Windows 10 being the only exception). The vulnerability impacts systems supporting SSLv2 with MSXML and the “fix” is simply to use a secure communication protocol.
  • MS15-085: resolves 1 CVE on all Windows platforms. Exploitation in the wild has been detected; however, to exploit this vulnerability an attacker would have to insert a malicious USB device into a target system. The physical access requirements of this exploit make mass exploitation far less likely (remind your users to not plug in randomly found USB devices).
  • MS15-086: resolves 1 CVE in System Center Operations Manager (SCOM) 2012, the cross-site scripting (XSS) vulnerability requires user interaction with a maliciously crafted URL. Exploitation of this vulnerability is not likely.
  • MS15-087: resolves 1 CVE in Windows 2008 and Microsoft BizTalk Server (2010 -2013 R2), he cross-site scripting (XSS) vulnerability requires user interaction with a maliciously crafted URL. Exploitation of this vulnerability is not likely.
  • MS15-088: resolves 1 CVE on all Windows platforms, exploitation of this information disclosure vulnerability has not yet been detected in the wild however exploitation in the near future is likely (requires the chaining of multiple IE vulnerabilities for exploitation).
  • MS15-089: resolves 1 CVE in nearly all supported platforms (Windows 10 being the only exception) that could allow WebDAV SSLv2 sessions to be partially decrypted. Exploitation is unlikely to occur.
  • MS15-090: resolves 3 CVEs in nearly all supported platforms (Windows 10 being the only exception) that could allow an elevation of privilege due to a vulnerability in the sandboxing functionality of the Windows Object Manager or Windows Registry or Windows Filesystem.
  • MS15-091: resolves 4 CVEs in Edge on Windows 10 (that’s a first since RTM) that could allow remote code execution (RCE). Exploitation of these vulnerabilities requires a user to visit a maliciously crafted webpage. Exploitation of this vulnerability in the near future is rated as likely.
  • MS15-092: resolves 3 CVEs on all Windows platforms running .NET 4.6 (likely only Windows 10 systems at this point in time). Exploitation of the elevation of privilege vulnerability in the RyuJIT compiler would grant the same permissions as the running user.

Welcome to the Windows 10 era, administrators enjoy patching yet another platform.

A couple of weeks back I told you all about the new capability to add custom protocol support in Nexpose. At first we had opened the GitHub repo up as invitation only. I'm excited to tell you that since then we've expanded the testability, added more protocols, and as of last week we opened it to the public.


One of the best things about improving protocol detection is increased scan speed.  Getting accurate detection reduces the amount of time it takes before Nexpose gives up trying to identify an unknown service.  In the demo I was showing at Black Hat last week, we saw hosts go from an 8 minute scan to a 5s scan (96x faster), simply by adding support for a single unknown port.


As before, we are eager for our users (and other interested parties) to fork the repo for your own projects. If you are working on detection for a custom protocol, or just something that Nexpose is not identifying well in your environment, we're here to help.

The deadline to update to PostgreSQL 9.4.1 is almost here!


For users who have not updated their Nexpose deployment to PostgreSQL 9.4.1, the deadline to upgrade, August 27th, is quickly approaching and time is running out.


Why Upgrade?

So what’s the big deal about PostgreSQL 9.4.1? While the upgrade itself will not grant you superpowers, it is the first step in getting your superhero cape and tights.


Here are 3 reasons why:

1. Many customers have reported significant performance improvements after migrating (though the performance impact also depends upon your underlying infrastructure).  And who wouldn’t want enhanced speed and performance?


2. It lays the foundation for your Nexpose deployment to support, and scale with, powerful new Nexpose features and enhancements in future Nexpose releases.


3. In fact – the upgrade is so integral to future Nexpose versions that without PostgreSQL 9.4.1, you will not be able to apply product updates after Aug 27, 2015. If you do not migrate by that date, you will not be able to take advantage of these superpower-like future Nexpose features.

How To

Our step-by-step instructions and intuitive wizard make the upgrade process a breeze. Depending upon the size and complexity of your environment, it will take you between 20 and 90 minutes to complete – from beginning to end.


View the steps to migrate to the latest version now:

Migrating to the latest version of PostgreSQL

In the webinar, “Detecting the Bear in Camp: How to Find your True Vulnerabilities”, Jesika McEvoy and Ryan Poppa discussed what it takes to be successful in a vulnerability-centric world. Many companies fall short when it comes to remediation after spending too much time trying to scan everything and find every vulnerability. Jesika and Ryan shared best practices for how to avoid this mistake and focus on remediation that matters the most to your organization’s vulnerability management program. Read on for the top takeaways from this webinar:


1) Simply Communicate – Good communication can’t be overvalued – not just within your own team, but across all remediation teams, leadership, auditors, and more. Handing out large, general vulnerability reports won’t drive any progress. Never distribute information without context. Make sure your results are delivered in a targeted and actionable format to the teams they’re relevant to (i.e. desktop results to the desktop team, network results to the network team, etc.). Steps given out must be actionable so that a repeatable process is created, and so teams have a real idea of how to create a solid plan for getting the remediation done right. Be able to give a summary to business leaders that have ownership over different remediation teams so they can coordinate, drive, and prioritize tasks as needed.


2) Set Clear-Cut Goals – Set goals that drive remediation and success. Incorporate your process into the overall workflow at your organization in a timely manner that teams can come to expect, and include assignment dates for accountability. It’s up to you to understand where your greatest risks are when formulating goals. Think about where your focus needs to be to get the best bang for your buck when reducing risk at your organization. Progress can be big and sweeping, or small and incremental, as long as the importance and impact of each change is communicated and understood across teams.


3) Measure & More – Be able to prioritize assets, measure overall success, and demonstrate success to others. Have a standard that is easy to measure against and that can provide visibility into what is being accomplished overall, and how your organization may need to invest from a security and training perspective to drive improvement. If progress isn’t being made on a certain team, find out whether it’s due to laziness or being overworked. Create competition among remediation teams wherever possible to foster a competitive spark and allow them to understand if and where they’re improving and contributing to the organization’s progress.


For the in-depth view of how to improve remediation and optimize your vulnerability management program (and for some great bear analogies): view the on-demand webinar now.


Learn more on this subject and all things security all summer long at Rapid7’s free Security Summer Camp.


Patch Tuesday, July 2015

Posted by dpicotte Employee Jul 16, 2015

Administrators and security teams are in for a hectic week tackling 14 Microsoft security bulletins and 2 Adobe updates addressing 4 CVEs for Flash\Shockwave, and Oracle has released their quarterly update for 63 of their product suites (including Java, Oracle DB, MySQL and Solaris).


Of the 14 Microsoft security bulletins, 4 remote code execution vulnerabilities are rated as “Critical”, including an Internet Explorer (IE) vulnerability that affects all known versions (v6 - v11) and CVE-2015-2373, a vulnerability in remote desktop allowing remote code execution. Overall a ton of updates but nothing that initially comes across as out of the ordinary. The remaining bulletins address elevation of privilege vulnerabilities and are rated as important by Microsoft.


Summary of Oracle’s Critical Patch Update Advisory:

  • Oracle Database Server: 10 new security fixes (highest CVSS score: 9.0)
    • Including 2 remotely exploitable vulns that don’t require authentication
  • Oracle Fusion Middleware: 39 new security fixes (highest CVSS score: 7.5)
    • 36 of these vulnerabilities may be remotely exploitable without authentication
  • Oracle Hyperion: 4 new security fixes (highest CVSS score: 7.5)
  • Oracle Enterprise Manager Grid Control: 3 new security fixes (highest CVSS score: 5.5)
  • Oracle E-Business Suite: 13 new security fixes (highest CVSS score: 5.0)
  • Oracle Supply Chain Products Suite: 7 new security fixes (highest CVSS score: 5.0)
  • Oracle PeopleSoft Products: 8 new security fixes (highest CVSS score: 6.2)
  • Oracle Siebel CRM: 5 new security fixes (highest CVSS score: 9.3)
  • Oracle Commerce Platform: 2 new security fixes (highest CVSS score: 6.4)
  • Oracle Communications Applications: 2 new security fixes (highest CVSS score: 10.0)
  • Oracle Java SE: 25 new security fixes (highest CVSS score: 10.0)
  • Oracle Sun Systems Products: 21 new security fixes (highest CVSS score: 10.0)
  • Oracle Virtualization: 11 new security fixes (highest CVSS score: 7.8)
  • Oracle MySQL: 18 new security fixes (highest CVSS score: 6.5)
  • Oracle Berkeley DB: 25 new security fixes (highest CVSS score: 6.9)


Reminder to all: 2015-07-14 was the last update for Windows Server 2003. It is now at end-of-life (EOL) and will no longer receive updates unless you’ve acquired an extended support contract from Microsoft.

Enjoy the patching frenzy.

A growing threat to many organizations is personal mobile devices used by employees at work and the risk of data loss created by these devices accessing sensitive company information. After a program is in place to effectively manage vulnerabilities in PCs, organizations should begin to take a look at other areas of exposure and mobile is a leading candidate.


We recently added mobile device discovery and vulnerability assessment capabilities to Nexpose to support organizations that are looking to shore up their security program and help reduce the risk of data exposure from mobiles.  This new capability is free to all Nexpose Enterprise and Ultimate customers with mobile assets not counting against your licensed IPs.


How it works



We work with a company's Microsoft Exchange - on-premise or Office365 - to discover and identify the device and its operating system. The discovery process uses Microsoft’s PowerShell technology to query Exchange for devices that have established an ActiveSync connection with the server, or alternatively, LDAP to query ActiveDirectory for the same information. The query collects data that is used in conjunction with our extensive mobile device fingerprint database to identify the device along with its mobile operating system.



Once the operating system version and device type are known, we are then able to assess the device for vulnerability risk and provide a risk score like other assets scanned by Nexpose. One of the nice benefits of this integration through Exchange is that a traditional physical scan of the device is not required. It’s more of a virtual scan based on information already provided to Exchange as part of the ActiveSync protocol.




Step 1: Mobile Connection

To set up a mobile site in Nexpose you’ll need to first create an “Exchange ActiveSync” connection. In the Assets tab of the Site Configuration wizard select the “Connection” button and then the “Create Connection” sub menu. Here you’ll notice three different Exchange ActiveSync connection type options – LDAP, WinRM/Powershell and WinRM/Office365. While LDAP may be the easiest to set up, we recommend using the WinRM options if possible, as they provide more detailed information (such as when the device last connected), which enables users to zero in on the most relevant device data, ignoring “stale” devices.




This option is only available for on-premise Exchange installations. It requires the FQDN of your AD server and credentials for a user that has been granted rights to view msExchActiveSyncDevice objects.


The WinRM/Powershell and WinRM/Office365

These connection types are very similar. The WinRM/Powershell option is meant for on-premise Exchange installations and the Office365 option is for organizations that are on Microsoft’s hosted solution. Both options require two sets of credentials as well as the FQDN of an on-premise Windows server that has WinRM enabled and configured. Access to a WinRM-enabled machine is required to allow Nexpose to run the PowerShell scripts used to query Exchange. One set of credentials is for a user that has been granted access to WinRM on the specified WinRM server and the other is for a user that has been granted View-Only Organization Management access on the Exchange server. Finally, for on-premise installations the FQDN of the Exchange server is also required.
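
To make the "stale device" distinction above concrete, here is an added example (not the script Nexpose runs, and not code from the original post) that classifies ActiveSync partnerships by last successful sync. The function name, the 30-day cut-off and the sample devices are assumptions; the commented pipeline at the end uses the standard Exchange 2013+/Exchange Online cmdlets with a View-Only account.

```powershell
# Added example: classify ActiveSync device records as current or stale.
# Input objects are shaped like Get-MobileDeviceStatistics output
# (DeviceID, DeviceModel, DeviceOS, LastSuccessSync).
function Get-ActiveSyncInventory {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Device,
        [int]$StaleAfterDays = 30,          # assumed cut-off, tune per policy
        [datetime]$Now = (Get-Date)
    )
    process {
        $last = $Device.LastSuccessSync
        # A device that never completed a sync has no age and counts as stale.
        $age = if ($last) { [math]::Floor(($Now - [datetime]$last).TotalDays) } else { $null }
        [pscustomobject]@{
            DeviceId  = $Device.DeviceID
            Model     = $Device.DeviceModel
            OS        = $Device.DeviceOS
            LastSync  = $last
            AgeDays   = $age
            Stale     = (-not $last) -or ($age -gt $StaleAfterDays)
        }
    }
}

# Constructed sample records (not real devices) so the function runs offline.
$sample = @(
    [pscustomobject]@{ DeviceID = 'CONSTRUCTED-0001'; DeviceModel = 'iPhone6C2'
                       DeviceOS = 'iOS 8.4 12H143'; LastSuccessSync = [datetime]'2015-07-10' }
    [pscustomobject]@{ DeviceID = 'CONSTRUCTED-0002'; DeviceModel = 'SM-G900F'
                       DeviceOS = 'Android 4.4.2'; LastSuccessSync = [datetime]'2015-02-01' }
    [pscustomobject]@{ DeviceID = 'CONSTRUCTED-0003'; DeviceModel = 'WP8'
                       DeviceOS = 'Windows Phone 8.10'; LastSuccessSync = $null }
)

# Current devices first, then stale ones with the oldest sync at the bottom.
$sample |
    Get-ActiveSyncInventory -Now ([datetime]'2015-07-16') |
    Sort-Object Stale, AgeDays |
    Format-Table DeviceId, Model, OS, AgeDays, Stale -AutoSize

# Against a live Exchange session the same function can be fed with:
# Get-MobileDevice -ResultSize Unlimited |
#     ForEach-Object { Get-MobileDeviceStatistics -Identity $_.Identity } |
#     Get-ActiveSyncInventory
```

With the constructed data, only CONSTRUCTED-0001 is reported as current; the other two are flagged stale and are the ones worth excluding or reviewing before treating their risk scores as live exposure.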


Step 2: Creating a site

Once your mobile connection has been created it can then be used in the creation of a site. When the site is set up you’ll then need to perform a scan. During the scanning process Nexpose will query the Exchange server and import any new devices as well as reassess the devices based on the current content release. Once the scan is complete, mobile assets with their associated risk score will be displayed. These assets behave like any other asset discovered by Nexpose and can be tagged, placed in dynamic asset groups, and used with all other standard Nexpose asset features.




We’re excited to be providing this new capability to Nexpose and hope that you’ll take advantage of it.  By expanding your vulnerability assessment capabilities to mobile you’ll be ahead of the curve and well prepared in protecting your organization from this new threat vector.
