


A highlight of the Nexpose 5.15 release is the addition of Infoblox Trinzic DDI to the growing list of Dynamic Discovery sources.  With nearly 8,000 customers worldwide, Infoblox is a market leader in DNS, DHCP and IP address management.  Building upon existing support for Microsoft DHCP log monitoring, released this past spring, Nexpose customers that use Infoblox to manage DHCP activity can now detect previously unknown devices whenever they connect to the network, providing a more complete understanding of their surface area of risk.


Configuring a Dynamic Discovery Connection for Infoblox


The Dynamic Discovery connection for Infoblox works by listening on a TCP or UDP port to receive syslog messages sent from the Infoblox Trinzic appliance to a Nexpose scan engine. Infoblox connections can be configured along with other Dynamic Discovery sources from the Administration page, or during the Site Configuration process, and require the designation of a port and protocol.




Once the connection is in place, assets detected from Infoblox that have not been scanned are automatically imported into Nexpose and visible in the Discovered table of the Assets page.


Identify and Close the Gaps


As I described in a previous blog post, Dynamic Discovery connections in Nexpose enable security professionals to quickly identify gaps in their threat exposure management program. By leveraging the advanced network control capabilities of Infoblox, Nexpose helps you understand your complete attack surface and find vulnerabilities you are missing today.


Patch Tuesday, June 2015

Posted by dpicotte Employee Jun 9, 2015

This month Microsoft has released 8 security bulletins, affecting all supported platforms through remote code execution and elevation of privilege. Of the 8 Microsoft security bulletins, two are critical. Both critical bulletins (MS15-056 and MS15-057) address vulnerabilities that are exploited through phishing, requiring the user to open a specially crafted website or a specially crafted Microsoft Office file. Elevation of privilege is possible in Microsoft Exchange Server (MS15-064) by means of Server-Side Request Forgery (SSRF) [CVE-2015-1764] and Cross-Site Request Forgery (CSRF) [CVE-2015-1771]; administrators, be sure to patch your Exchange servers ASAP.


Accompanying Microsoft's patch updates, Adobe has also released a security update for Adobe Flash Player and AIR affecting Windows, Macintosh and Linux. These updates result in vulnerability fixes for 13 CVEs that could potentially enable an attacker to control affected systems. 


Overall this is a pretty low-key Patch Tuesday release. However, stay vigilant and make sure your users are paying special attention to phishing attacks.

As of Nexpose 5.13, Nexpose makes it easier for you to gain an asset-centric view of your environment, which will help you with tracking and reporting. An asset is a single device on a network that the application discovers during a scan. As you may have noticed, Nexpose 5.13 included new functionality: you can now scan asset groups. An asset group is a logical collection of managed assets.

Nexpose enables you to configure your environment in two ways:

  1. Assets can be restricted to their scan group (labeled in the product as a site). This means that the same asset in different containers is treated as a distinct asset in each.
  2. Assets can be global across your entire network, so all assets in all sites are linked.

The following image highlights the two options.

Asset linking diagram

Asset linking is an option that a Global Administrator can set for your entire Nexpose installation. The configuration page describes some scenarios and important considerations for enabling this option. Review the considerations before enabling.

Enable asset linking

In most cases, we highly recommend that you enable the option so you can track your progress in the situation described above: performing different scans of the same distinct individual devices.

Note: Enabling this feature is required if you are going to scan dynamic asset groups in order to ensure that the asset will be updated in multiple sites from a reporting perspective.

With certain network configurations, it may be more beneficial not to enable the option. The case for not enabling it is when you have devices with very similar configurations that do not overlap sites. An example is a chain of retail stores in which every store uses the same network configuration and the same IP subnets.

For more information, see the Resources section of the Nexpose Help or User's Guide.

Example case

Following is an example of how an organization can use this feature, once it is enabled, to improve their asset tracking.

One typical way to categorize assets is by physical location. You might have an office in Houston, an office in Missoula, and an office in Berlin. You can create a site in Nexpose for each and scan those sites. This is an effective way to arrange your scans, because you can place a Scan Engine in each location to reduce traffic on your network.

Sites by location

There are many other ways to categorize assets. For instance, these could include IP address range, operating system, business context (which might be represented by user-added tags), and more. In Nexpose, you can use asset groups to contain these categorized assets.

Create asset group by operating system

As of Nexpose 5.13, you can scan asset groups. You can do this by configuring a site in Nexpose to scan the asset group or groups. This allows you to scan assets according to business context or other categories.

Configuring a scan of an asset group

An option to scan each asset with the engine most recently used for that asset allows you to scan such logical groupings while using the Scan Engine that makes the most logistical sense for the asset.

Scan with most recently used engine

Even if you are categorizing and scanning the same assets in different ways, you may want to view and report on the entire scan history of an asset, no matter how it was scanned. Also as of Nexpose 5.13, if you have enabled asset linking, you can review the comprehensive history, no matter how the asset was scanned. As the scan occurs, Nexpose will compare the asset to assets in other scans. If enough characteristics match, the assets will be identified as the same asset.

Asset history including different scans

At Rapid7, we are always looking to improve Nexpose based on customer requests. We hope you enjoy using this new feature.

Recently in Computerworld, a security manager reported on a frightening realization about the user account he was using in his unnamed vulnerability scanner.

The product I use relies on a user account to connect to our Microsoft Windows servers and workstations to check them for vulnerable versions of software, and that user account had never been configured properly. As a result, the scanner has been blind to a lot of vulnerabilities.

For more details, see http://www.computerworld.com/article/2908938/uncovering-a-vulnerabilities-blind-spot.html


Making sure you use the correct credentials is an important way to check what someone could reach on your network. Nexpose leverages credentials to gain accurate version and configuration information. The vast majority of all vulnerabilities are only detectable with authenticated device access: this is true of all vulnerability scanning products and is a result of the secure design of devices on your network. Should you choose to scan your environment without properly configured credentials, bear in mind that you'll likely be missing the majority of vulnerabilities (false negatives) and the results obtained are more likely to be inaccurate (false positives).


In addition, Nexpose uses an expert system at the core of its scanning technology in order to chain multiple actions together to get the best results when scanning. For example, if it is able to use default configurations to get local access to an asset, then it will trigger additional actions using that access. The effect of the expert system is that you may see scan results beyond those directly expected from the credentials you provided; for example, if some scan targets cannot be accessed with the specified credentials, but can be accessed with a default password, you will also see the results of those checks. This behavior is similar to the approach of a hacker and enables Nexpose to find vulnerabilities that other scanners may not.


To help you avoid a similar situation to that anonymous security manager's and get the most from your Nexpose installation, here are some resources we offer:

- The Nexpose Help and User's Guide provide information on what credentials are needed. This information is in the Configuring Scan Credentials section.

- There is an option to test your credentials in the Scan Configuration in the Nexpose interface, in the Authentication tab. You can enter the address of a computer, and Nexpose will test whether it can successfully use those credentials to access that computer.


In addition, you can intentionally conduct a test for a situation such as the one described in the article. You can select an application you know should be able to be accessed on a particular machine with particular credentials, scan that machine with those credentials, and confirm that it indeed finds the expected results.


Another option is to run a report on vulnerabilities, such as the XML Export report. In the Scope section, select Vulnerability Filters. Under By Check Results, select Vulnerable and non-vulnerable. After running the scan and report, look for checks that look at software versions. If your credentials are configured correctly, these checks will appear with a "not vulnerable" result. If the credentials are not configured correctly, these checks will not appear in the report at all.
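The report-based check above can be automated. The following is an added example, not Nexpose code and not from the original post: it reads an XML Export report and, per asset, counts how many version-based checks produced any result at all. The sample document is constructed and modeled on the XML Export 2.0 layout (node/tests/test elements with `id` and `status` attributes); the attribute names, the status values and the check-id prefixes used to recognise version checks are assumptions to adjust against a real export. An asset with no version-check results is the signature the article describes: the credentials never worked there.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample modeled on the Nexpose XML Export 2.0 layout. The element and
# attribute names are an assumption for illustration; compare with a real export.
SAMPLE_REPORT = """<?xml version="1.0"?>
<NexposeReport version="2.0">
  <nodes>
    <node address="10.1.20.37" status="alive">
      <names><name>conf-room-laptop</name></names>
      <tests>
        <test id="windows-hotfix-ms15-034" status="not-vulnerable"/>
        <test id="windows-hotfix-ms15-033" status="vulnerable-version"/>
        <test id="windows-hotfix-ms15-056" status="not-vulnerable"/>
        <test id="http-generic-banner" status="not-vulnerable"/>
      </tests>
    </node>
    <node address="10.1.20.12" status="alive">
      <names><name>print-server</name></names>
      <tests>
        <test id="http-generic-banner" status="not-vulnerable"/>
      </tests>
    </node>
  </nodes>
</NexposeReport>
"""

# Check ids whose result depends on reading installed software versions. These only
# yield a result when the scanner could authenticate. The prefix list is an assumption.
VERSION_CHECK_PREFIXES = ("windows-hotfix-", "ubuntu-", "rhel-", "centos-")


def is_version_check(check_id: str) -> bool:
    return check_id.startswith(VERSION_CHECK_PREFIXES)


def credential_coverage(xml_text: str) -> Dict[str, Dict[str, int]]:
    """Per asset address: how many version checks ran and how they resolved."""
    root = ET.fromstring(xml_text)
    coverage: Dict[str, Dict[str, int]] = {}
    for node in root.iter("node"):
        counts = {"version_checks": 0, "not_vulnerable": 0, "vulnerable": 0}
        for test in node.iter("test"):
            if not is_version_check(test.get("id", "")):
                continue
            counts["version_checks"] += 1
            status = test.get("status", "")
            if status == "not-vulnerable":
                counts["not_vulnerable"] += 1
            elif status.startswith("vulnerable"):
                counts["vulnerable"] += 1
        coverage[node.get("address", "?")] = counts
    return coverage


def assets_likely_unauthenticated(xml_text: str) -> List[str]:
    """Assets with no version-check results at all: credentials probably failed there."""
    return sorted(
        addr for addr, c in credential_coverage(xml_text).items() if c["version_checks"] == 0
    )


if __name__ == "__main__":
    for addr, counts in credential_coverage(SAMPLE_REPORT).items():
        print(addr, counts)
    print("check credentials for:", assets_likely_unauthenticated(SAMPLE_REPORT))
```

Run it against a real export (with "Vulnerable and non-vulnerable" selected, as described above) and treat every address it lists as a scan whose credentialed checks silently did not run.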


By making sure you are using a correctly configured username and password to scan for vulnerabilities, you increase your ability to find and fix things you didn't know about, and keep them from hurting you.

Originally posted April 24, 2015


We found out on Tuesday night that we won the SC Magazine Awards for Best Vulnerability Management Solution. I am extremely honored and glad that we won, and we owe it entirely to our amazing customers who have stayed with us over the years and helped us shape Nexpose into what it is today. We truly believe that customers are at our core and they are our partners—not in crime, but in anti-crime.


I can't help but reflect on how much Rapid7 and Nexpose have grown since I started at Rapid7 around 4 years ago.


Vulnerability management has been around since the 90's and the market is mature, but it's still a problem that isn't 'solved.' Security teams still have way too many vulnerabilities to remediate and need to prioritize what matters to the business in order to be effective. The target is constantly moving with the modern network that includes virtualization, mobile, and cloud assets that introduce risks at lightning speed. And the threat landscape isn't slowing down either; look at all the 'celebrity' vulnerabilities that have come out in the past year, including Heartbleed, Poodle, Sandworm and Bashbug (aka Shellshock). However, you can't forget about old vulnerabilities: according to the Verizon DBIR, '99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published,' some of them published way back in 1999.

'About half of the CVEs exploited in 2014 went from publish to pwn in less than a month.' - Verizon DBIR 2015


The adversary is no longer a script kiddie playing around in their mom's basement; now there's an entire ecosystem of tools and providers for the adversary. There are multiple layers, from malware authors, to distributors, to markets where stolen credentials, credit cards, or health records are bought and sold. Almost anyone can rent a botnet to perform DDoS for a couple hundred dollars. They've even done the weaponizing for you: you can buy exploit kits that are fully supported. This is dangerous, as even those kits now contain zero-days, such as Angler exploiting an Adobe 0-day.

'No matter how high or smart walls, focused adversaries will find other ways over, under, around, and through,' Yoran said. 'You must understand what matters to your business and what is mission critical [and] defend it with everything you have.'
-Amit Yoran, RSA Keynote 2015


Don't make it easy for the adversary.  Breaches are not going away—just look at all the recent breaches at Anthem, JP Morgan Chase, Home Depot, Sony, and Target.  As Amit said, you must understand what matters and defend it with everything you have.


Our mission is to help our customers manage their threat exposure to reduce the chance of a breach. This is why we've combined Nexpose and Metasploit under our overarching Threat Exposure Management solution. That is why, last October, we introduced Nexpose Ultimate, a new edition of Nexpose and the first and only unified solution for vulnerability management, vulnerability validation, and controls effectiveness testing. Nexpose and Metasploit are available in a single package, the only tool to offer integrated closed-loop vulnerability validation. RealContext allows you to focus on reducing the risk that matters to your business, quickly and efficiently. And RealRisk provides a granular risk scoring system based on threat intelligence, such as malware and exploit exposure, CVSSv2 and temporal risk metrics. Only Nexpose Ultimate combines both offensive and defensive technologies to understand what threats really matter to your organization.

'A CVE being added to Metasploit is probably the single most reliable predictor of exploitation in the wild.'
-- Verizon DBIR 2015

Winning this award means a lot to all of us here at Rapid7 and we've won it for 2 years in a row.  We've all worked very hard innovating and building a solution that gives our customers the best chance at reducing the risk of a breach.  We can't wait to keep delivering value and solving challenges our customers are facing.


Special thanks to our product management team for continuing to innovate and drive the product forward, engineering team for building an amazing product, and our customer service and customer success management team for being there for our customers.

And again, we'd like to thank our customers who've stayed with us and help us improve our products.


View the full report and all the other winners of SC Magazine US Awards 2015

Recently, I had the opportunity to speak with a Rapid7 customer from a Fortune 100 company.  Any security professional charged with protecting an organization of this size and complexity faces no shortage of challenges, so I was particularly struck by one statement from our conversation.


"The most difficult thing that befalls security teams is knowing what to scan."

This lack of visibility can hamstring security efforts at organizations large and small.  With trends such as BYOD, virtualization and cloud (part of what Gartner refers to as 'The Nexus of Forces') becoming ever more prevalent, maintaining an accurate view of the risk surface area is proving to be an increasingly difficult proposition.


Improving Visibility With Dynamic Discovery

To help mitigate this problem, Rapid7 is continuing to expand the Dynamic Discovery capabilities of Nexpose.  With the recent release of Nexpose 5.13, there are now four discovery connection types to help uncover assets that may otherwise elude a traditional scheduled scanning strategy.

Amazon Web Services
Exchange ActiveSync
Microsoft DHCP
VMware vSphere

By establishing a connection to Exchange ActiveSync, Nexpose is now able to identify and evaluate mobile devices that access the network through a mail server, addressing a class of assets that is often a blind spot for security teams.  Similarly, by monitoring DHCP log activity, Nexpose can now detect previously unknown devices whenever they connect to the network.
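Both the Infoblox syslog connection described at the top of this page and the DHCP log monitoring mentioned here work the same way: a listener consumes lease-assignment messages and surfaces addresses it has not seen before. The following is an added example, not Nexpose code and not from the original post, of that discovery logic. It assumes ISC dhcpd style `DHCPACK on <ip> to <mac> (<hostname>) via <iface>` messages (the Infoblox DHCP service is ISC-derived, but verify your appliance's actual format); the syslog lines are constructed, and the UDP listener is a minimal illustration rather than a production receiver.

```python
import re
import socket
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed sample syslog lines in ISC dhcpd style. The format is an assumption for
# illustration; confirm it against the messages your appliance actually emits.
SAMPLE_SYSLOG = [
    "<30>Jun  9 10:15:01 ddi01 dhcpd[2311]: DHCPDISCOVER from 00:11:22:33:44:55 via eth1",
    "<30>Jun  9 10:15:01 ddi01 dhcpd[2311]: DHCPOFFER on 10.1.20.37 to 00:11:22:33:44:55 (conf-room-laptop) via eth1",
    "<30>Jun  9 10:15:02 ddi01 dhcpd[2311]: DHCPREQUEST for 10.1.20.37 (10.1.20.1) from 00:11:22:33:44:55 (conf-room-laptop) via eth1",
    "<30>Jun  9 10:15:02 ddi01 dhcpd[2311]: DHCPACK on 10.1.20.37 to 00:11:22:33:44:55 (conf-room-laptop) via eth1",
    "<30>Jun  9 10:16:40 ddi01 dhcpd[2311]: DHCPACK on 10.1.20.12 to aa:bb:cc:dd:ee:ff via eth1",
    "<30>Jun  9 10:17:03 ddi01 dhcpd[2311]: DHCPACK on 10.1.20.37 to 00:11:22:33:44:55 (conf-room-laptop) via eth1",
    "<30>Jun  9 10:17:10 ddi01 sshd[411]: Accepted publickey for admin from 10.1.1.5",
]

# Only DHCPACK means the server actually committed the lease; OFFER/REQUEST are noise here.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: Optional[str]


def parse_ack(line: str) -> Optional[Lease]:
    """Return a Lease for a DHCPACK line, or None for any other message."""
    m = ACK_RE.search(line)
    if not m:
        return None
    return Lease(m.group("ip"), m.group("mac").lower(), m.group("host") or None)


def discover(lines: Iterable[str], known_ips: Set[str]) -> List[Lease]:
    """Emit each newly seen lease once; addresses already in known_ips are skipped."""
    seen: Set[str] = set(known_ips)
    found: List[Lease] = []
    for line in lines:
        lease = parse_ack(line)
        if lease is None or lease.ip in seen:
            continue
        seen.add(lease.ip)
        found.append(lease)
    return found


def listen_udp(port: int, known_ips: Set[str], max_messages: int) -> List[Lease]:
    """Minimal UDP syslog receiver that feeds live datagrams through discover()."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))

    def datagrams():
        for _ in range(max_messages):
            data, _addr = sock.recvfrom(4096)
            yield data.decode("utf-8", errors="replace")

    try:
        return discover(datagrams(), known_ips)
    finally:
        sock.close()


if __name__ == "__main__":
    # Offline run over the constructed lines; 10.1.20.12 is pretended to be already scanned.
    for lease in discover(SAMPLE_SYSLOG, known_ips={"10.1.20.12"}):
        print(f"new asset {lease.ip} ({lease.mac}) hostname={lease.hostname}")
```

The set of known addresses is what turns a log feed into a discovery source: everything the listener reports is, by construction, a device the scanning program has never assessed.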


These new connection methods, in conjunction with the existing connections to VMware vSphere and Amazon Web Services, help security pros stay on top of their constantly evolving environment.




To see Dynamic Discovery in action, watch this recent Feature Friday video.


Closing the Gap

With Dynamic Discovery connections in place, users can quickly identify any gaps that exist in their threat exposure management program.  The Assets page includes a pie chart that displays the total count of known assets and which of these assets have not been assessed for vulnerabilities or compliance.




To help close these gaps, Nexpose offers the ability to create a dynamic site.  Rather than defining the scope of a scan by an IP range or some other method of grouping a collection of known assets, a dynamic site determines site membership based on a Dynamic Discovery connection.  As a result, scanning strategies can evolve as the network evolves to meet current and future business needs.


Moving to Adaptive Security

Rapid7 is helping customers evolve to Adaptive Security, an approach to building a security program that adapts to the changing IT and threat landscape. Knowing your weak points is the first step. Over the next few weeks and months we'll be adding even more Adaptive Security capabilities to Nexpose. For example, what if you could detect when that conference room laptop that always seems to miss its scan window connects to the network, and then automatically scan it? Or find out whether the virtual machine that just got turned on is adding significant risk because it missed patching cycles?


Sound interesting?  If you're a current Rapid7 customer, make plans to join us at the Rapid7 UNITED Security Summit in June to learn more about our approach to Adaptive Security.


Nexpose Gem 1.0 Released

Posted by gavin Employee Jun 5, 2015

As of April 8th, 2015, version 1.0 of the Nexpose gem (nexpose-client) is available.

Big Numbers Mean Big Changes

Nexpose 5.13 brings new API 2.1 features, and version 1.0 of the Nexpose gem builds on them. Because of this, the new version of the gem includes some changes that are not backwards compatible with older versions of the gem or of Nexpose. A migration guide is available to help you make the scripts and applications that rely on the gem compatible with 1.0. Note that upgrading to version 1.0 is not yet required: the 0.9.x versions will continue to work, but the new API features will not be available.

What is required for version 1.0?

With Ruby 1.9 in end-of-life status, we're no longer going to ensure that the gem is compatible. We've settled on Ruby 2.1 as the new minimum version we'll support as it brings some important new features over Ruby 2.0. In order to use version 1.0 of the Nexpose gem, you must be running Ruby 2.1 or later. We recommend version 2.1.5 or 2.2.1 as of this writing.

Nexpose 5.13 is also required to use most of the site related features of the gem.

What changed?

The 1.0 version of the gem includes significant changes to the way you use Sites, Schedules, and Credentials. Many of these changes required breaking backwards compatibility, so this is where the migration guide will come in handy. For a full list of changes, see the release notes on Github.

Old Versions

For those of you who are not ready to migrate your scripts or applications to be 1.0 compatible, you can still use the older versions of the gem for now. Be sure to pin the version in your Gemfile if you expect to be running bundle to install or update gems. Note that we will not provide ongoing support or updates for older versions of the Nexpose gem.

Bugs and Feature Requests

If you run into any bugs when using nexpose-client 1.0 with Nexpose 5.13, please submit an issue on Github. Feature requests for the gem should also be submitted as a Github issue. Pull requests are also appreciated!

Documentation Updates

Documentation for the gem is an ongoing effort. Check the Github wiki for new and updated pages - note that the wiki can be updated by anyone. You can also find the gem's API documentation on RubyDoc.

In the 5.13 release of Nexpose, you will notice some new functionality when configuring a site. In addition to being able to scan addresses or range of addresses, as we have done in the past, you now have the ability to define asset groups that you wish to be scanned.

Traditionally, it has been recommended that customers scan an entire network or range of networks, as opposed to specifying targets individually. This ensures proper coverage and avoids the need to continually reconcile a master asset list against what is being scanned in Nexpose. That being said, it is often desirable for customers to target scan groups of assets, for example because of specific change control requirements and scan windows: scanning all assets belonging to Application A, or all Windows or Linux assets, in a given site and on a given schedule. In the following use case, we will learn how to leverage some existing Nexpose functionality in conjunction with the new asset group scanning to meet this need while keeping it self-maintaining.

Use Case:

The customer datacenter has multiple networks with a mix of assets ranging from Windows, Linux, Routers, Switches, etc. The requirement is to be able to scan all 'like' platforms on a defined scan schedule.

Step 1. Create a discovery scan of the desired network ranges in the DC. Run the discovery to identify and fingerprint all assets in the DC. Schedule the discovery scan to run on a periodic basis to find newly connected assets.

Note: For more accurate OS fingerprinting, define credentials for each asset/platform-type and select one vulnerability check in the scan template to be tested. This will allow Nexpose to utilize the provided credentials and fingerprint the OS with 100% certainty.

Step 2. Create a dynamic asset group based on the discovery site results and filter on OS. Create a dynamic asset group for each platform-type/grouping. You can get creative and utilize asset tags in conjunction with dynamic asset groups to get more granular and group based on asset context (i.e. assets that belong to Finance, or are critical assets).

Step 3. Create a new site and under the Assets heading, select the newly created Dynamic Asset Group, i.e. Windows Server Assets.

Step 4. Schedule the site to run at the desired time.

What you'll end up with is a discovery scan that will regularly identify assets on dynamically changing networks. The discovery will feed the dynamic asset groups by platform or other desired grouping, keeping the assets in those groups current and accurate. We can then scan those asset groups on our desired schedule.

One thing to be aware of is that when you scan an asset group, those assets may not all be in the same site and could potentially utilize different scan engines deployed across your environment. In the site configuration, make note of the option to scan all assets with either a selected engine, OR the last engine to scan each asset.


Patch Tuesday, May 2015

Posted by dpicotte Employee Jun 5, 2015

This month Microsoft has released 13 security bulletins. Once again they affect all supported platforms and include remote code execution and elevation of privilege vulnerabilities. To accompany these patch updates, Adobe has released new versions of Reader, Acrobat and Flash Player, resulting in vulnerability fixes for 52 CVEs (most of which are rated as critical). Of the 13 Microsoft bulletins, 3 are rated as critical and require user interaction for exploitation, which is typical of attacks performed via phishing (remind your users to be vigilant with emailed files and malicious links).


Sliding in slightly under the radar this month is MS15-055, which resolves an information disclosure vulnerability (CVE-2015-1716) in Schannel when the configuration allows a weak DHE key length of 512 bits on an encrypted TLS session. This information disclosure vulnerability is nothing serious for now, but expect that over time, as security researchers study this exploit path, it'll result in far more serious flaws. Take a look at https://support.microsoft.com/en-us/kb/3061518 for the steps required to configure the ClientMinKeyBitLength DWORD registry entry.


Overall this is a pretty low-key update Tuesday; fortunately, that clears the way for administrators to focus their attention on the recently published VENOM vulnerability (CVE-2015-3456). You can find more info on VENOM here: https://youtu.be/JeqJSK3NXWU.


Patch Tuesday, April 2015

Posted by dpicotte Employee Jun 5, 2015

Administrators and security teams are in for a busy couple days tackling 11 Microsoft security bulletins, 3 Adobe updates and Oracle updates for 43 of their product suites (including Java, Databases and Solaris).

Of the 11 Microsoft bulletins, 4 are rated as 'Critical' and affect virtually all supported desktop/server platforms and all supported installations of MS Office (including Office for Mac 2011). These 11 bulletins address 26 CVEs, with exploitation of CVE-2015-1641 having been detected in the wild; this bulletin is known as MS15-033 and addresses a publicly disclosed Office memory corruption vulnerability. Exploitation requires that a user open a specially crafted malicious Office file, which gives the attacker the same permissions as the current user. As we're all well aware, users are extremely susceptible to phishing attacks, so now might be a good time to remind your users to be vigilant and to focus your patching efforts on this actively exploited vulnerability.

Since the release of MS15-034 both attackers and whitehats have actively been working on finding detection and exploit paths for the IIS HTTP.sys vulnerability, a public exploit is imminent if not already available. A detection POC using curl can be found here:  https://ma.ttias.be/remote-code-execution-via-http-request-in-iis-on-windows/

MS15-032 addresses 10 Internet Explorer CVEs and is rated as 'Critical', with exploitation quite likely but not yet detected in the wild. Microsoft really needs to get Spartan released so that their browser auto-patches itself like all the other browser platforms.

The remaining bulletins are rated as important and include privilege elevation, security feature bypass and denial of service vulnerabilities affecting SharePoint, AD Federation Services, all versions of .NET and Hyper-V. The Hyper-V bulletin (MS15-042 - CVE-2015-1647) in particular could pose a challenge to administrators as it requires a restart, the downstream effect being that hosted VMs will need to be migrated or brought offline for this patching to occur. Administrators might want to hold off until a scheduled maintenance window for MS15-042, as the exploit only results in a denial of service (DoS) and exploitation is rated as 'less likely' by Microsoft.

Just to increase the fun factor for administrators, Adobe released APSB15-06, a high priority security update for Flash that addresses 22 CVEs impacting all previous versions on both Windows and Mac operating systems. Other Adobe products receiving lower priority updates are ColdFusion and Flex.

Oracle has provided a hefty breakdown of the vulnerabilities being addressed by their major quarterly update, more details can be found here: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html

Enjoy the patching frenzy. ;)

Patch Tuesday last week saw the release of Microsoft security bulletin MS15-034, which addresses CVE-2015-1635, a remote code execution vulnerability in Microsoft Internet Information Services (IIS) running on Windows 7 / Server 2008 R2 and later. This vulnerability can be trivially exploited as a denial of service attack by causing the infamous Blue Screen of Death (BSoD) with a simple HTTP request.


In order to provide better assessment of your assets' threat exposure to this vulnerability, we have released a safe remote check for MS15-034 in the Nexpose 5.13.3 update. This check does not require credentials and runs against IIS versions 7.5 and higher.


How do I run the MS15-034 remote check against my assets?

This remote check is automatically included in the default "Full Audit without Web Spider" scan template. To enable this check in a custom scan template, simply go to the Vulnerability Checks section of your scan template configuration to add individual checks. Search for the vulnerability ID "windows-hotfix-ms15-034" to bring up a list of all MS15-034 checks, sort them by "Category", and select the check that is not labeled "Local".




Will this remote check cause a BSoD on my server?

The range header value used in this check, "bytes=0-18446744073709551615", is considered by the security community to be a safe parameter for determining the vulnerability status of CVE-2015-1635. Several other values are known to cause BSoDs on the target server and are not used by Nexpose.
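The end position in that header, 18446744073709551615, is 2^64 - 1, the largest value an unsigned 64-bit integer can hold, which is why it sits exactly on the boundary a header parser has to handle correctly. As an added example, not Nexpose's check and not from the original post, here is how a server-side consumer of the Range header should treat such values: every integer is bounds-checked before any arithmetic, a last-byte-pos past the end of the resource is clamped to the final byte as RFC 7233 section 2.1 prescribes, and malformed input is rejected instead of being computed on. The content lengths used in the usage are constructed.

```python
from typing import List, Optional, Tuple

MAX_U64 = 18446744073709551615  # 2**64 - 1: the upper bound of a 64-bit length field


class RangeError(ValueError):
    """Malformed Range header; the server should answer 400 rather than compute on it."""


def _to_u64(text: str) -> int:
    """Parse a byte position, refusing anything that does not fit in 64 bits."""
    if not text.isdigit():
        raise RangeError(f"non-numeric byte position {text!r}")
    value = int(text)
    if value > MAX_U64:
        raise RangeError("byte position does not fit in 64 bits")
    return value


def parse_byte_ranges(header: str, content_length: int) -> Optional[List[Tuple[int, int]]]:
    """Resolve a Range header against a resource of content_length bytes.

    Returns inclusive (first, last) positions, or None when no range is satisfiable
    (the caller should answer 416). Raises RangeError on malformed input.
    """
    if not header.startswith("bytes="):
        raise RangeError("unsupported range unit")
    resolved: List[Tuple[int, int]] = []
    for spec in header[len("bytes="):].split(","):
        spec = spec.strip()
        if "-" not in spec:
            raise RangeError(f"bad range spec {spec!r}")
        first_s, last_s = spec.split("-", 1)
        if first_s == "" and last_s == "":
            raise RangeError("empty range spec")
        first = _to_u64(first_s) if first_s else None
        last = _to_u64(last_s) if last_s else None
        if first is None:
            # suffix-byte-range-spec ("-N"): the final N bytes, clamped to the resource size
            n = min(last, content_length)
            if n == 0:
                continue  # unsatisfiable, skip
            resolved.append((content_length - n, content_length - 1))
            continue
        if first >= content_length:
            continue  # unsatisfiable, skip
        if last is None or last >= content_length:
            last = content_length - 1  # RFC 7233: clamp to the last byte, never overflow
        if last < first:
            raise RangeError("last-byte-pos before first-byte-pos")
        resolved.append((first, last))
    return resolved or None


if __name__ == "__main__":
    # Constructed resource size; the probe value resolves cleanly to the whole resource.
    print(parse_byte_ranges("bytes=0-18446744073709551615", 1000))   # [(0, 999)]
    print(parse_byte_ranges("bytes=0-499,500-", 1000))              # [(0, 499), (500, 999)]
    print(parse_byte_ranges("bytes=5000-", 1000))                   # None -> 416
```

A correct parser answers the probe value with an ordinary 206 or 416 and never touches memory based on the raw number; the check described above relies on observing how the server responds to that boundary, not on crashing it.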


What are some limitations of this remote check?

The remote check is configured to send a request to the root page of the web server, which is a valid resource in most common deployments. If your IIS deployment is configured to handle requests to root differently (e.g., error 404), then this check may not be able to accurately detect the vulnerability.


Patch Tuesday, March 2015

Posted by dpicotte Employee Mar 10, 2015

This month Microsoft has released 14 new bulletins, 5 of which are rated as “Critical” and another 9 as “Important”. In a déjà vu from last month, a critical remote code execution vulnerability (MS15-018) affecting all supported Internet Explorer versions (6-11) is being patched, addressing 12 CVEs. The patch addresses issues with Internet Explorer’s memory management that could allow remote corruption of memory and result in the execution of malicious code as the current user. As always, users should be mindful of phishing campaigns that may attempt to leverage this vulnerability.


Also released this month is MS15-022, a remote code execution vulnerability in a cross-platform component of Office. This affects all supported versions of MS Office, the docx/xls viewers, SharePoint and Office Web Apps. Bundled into this bulletin is a fix for a set of cross-site scripting (XSS) vulnerabilities, namely CVE-2015-1633 and CVE-2015-1636. Applying these fixes will likely be the most time-consuming patch for administrators, as it may require a restart of critical SharePoint infrastructure systems.


MS15-026 is an XSS vulnerability in OWA enabling a privilege escalation attack and affects all editions of Exchange Server 2013; its severity is listed as “Important” and it doesn’t require a system restart. Hopefully this will translate to a quick win for administrators, as this patch contains only fixes for the issue being addressed and doesn’t bundle in additional enhancements.


Microsoft has released update 3044132 as an enhancement to security advisory 2755801, which further addresses issues in Adobe Flash affecting Internet Explorer 10 and 11. Further details will be provided in Adobe’s security bulletin APSB15-05, which is scheduled for release on March 12th.


Happy patching

While using our products, we want you to have the best possible experience. The Design team at Rapid7 is focusing a lot on UX Research and analyzing all the feedback you have been providing us. As designers, we want to fix everything at once. However, after doing a reality check with product leads, it’s clear that we have to take an incremental approach. That way you do not have to wait long for our new releases and updates. The first thing you use Nexpose for is to collect data. Everything else comes later. So we decided to start with simplifying the scanning experience.



Existing Product

Site configuration had multi-level navigation, which was a bit confusing, and sometimes this was time-consuming to configure.

For example, in screenshot "A" of the old system you can see that there are multiple ways to navigate: clicking the "Previous" and "Next" buttons does the same thing as clicking through the Site Configuration sub-menu. In screenshot "B", several vital but disparate sections are hidden away in the scan setup section, while less important sections, such as alerting and credentials, sit in the top-level Site Configuration navigation.




Simplified Minimalist Design

So that you do not have to remember more jargon, we removed the words "Dynamic" and "Static" from sites. Configuring a site in the new wizard is much more intuitive: it asks you either to specify the assets yourself or to connect to another source, such as AWS or vSphere, to provide the scope of the site. We also added a few subtle features to help you get your job done quickly:

  • Five of the seven steps in the wizard are prefilled with the default configuration, so if you are in a rush and are fine with the defaults, just hit the "Run Now" button at the top to run a quick scan without tabbing through each step.
  • For error prevention and faster configuration, we added an indicator at the top of each step (tab) showing whether that step has any required fields. Tabs that need attention have a red line, which turns green once the required fields are complete.
  • A clean, minimalist design with bold icons indicates the contents of each tab.



One Site, Unlimited Templates and Schedules

That’s right! In the new site configuration wizard, you have the ability to use multiple templates and assign multiple schedules per site.


I was reading a book the other day called "The Power of Customer Misbehavior", in which the author explains how users find ways to use products in the most unintended ways, and how we as product designers can learn from this behavior.

Some of our related learnings are:

  • Customers create multiple copies of the same site in order to scan the same assets with different templates.
  • Many of our customers also use Nexpose as an asset inventory tool, so they like to scan the same site with both a discovery template (for inventory) and, for instance, a more thorough audit template (for vulnerability management).



We hope you enjoy using the new design! We will continue to build on top of this design and to add more robust features to make the scan experience seamless and automated.


For a video of the new interface, check out: Exploring the Nexpose Site Creation Interface. We would love to hear from you. Leave us your comments and suggestions!


Patch Tuesday, February 2015

Posted by rbarrett Employee Feb 11, 2015

For the second straight month Microsoft is holding fast to its blockade of information. Customers with "Premier" support get a very sparse advance notification 24 hours before the advisories drop, and "myBulletins" continues to be useless because it is not updated until well after the Patch Tuesday release. Microsoft called this an evolution, and I can certainly see why: they are applying a squeeze to security teams that will eliminate the weak members of the herd.


This month we are on the receiving end of nine advisories. The almost ubiquitous critical cumulative patch for all supported versions of Internet Explorer is back (MS15-009) after a one-month hiatus; clearly Microsoft was saving up, because this advisory addresses 41 CVEs, including CVE-2014-8967, which has been publicly disclosed, and CVE-2015-0071, which is under limited, targeted attack.


The IE CVE free-for-all is paired with two critical remote code execution bulletins affecting all supported versions of Windows except the Server Core variants. MS15-010 includes CVE-2015-0010, which has been publicly disclosed and is probably the reason for the Critical rating, even though overall Microsoft deems the bulletin less likely to be exploited. MS15-011 relates to how Group Policy is applied and is deemed likely to be exploited. These three Critical bulletins will undoubtedly be the patching priorities, given their public exposure and risk of exploitation.


This month’s fellowship (‘cause there are nine, get it?) is rounded out by two Important bulletins affecting Office or components thereof, and three Important ones affecting the majority of supported Windows versions. Interestingly, MS15-013, with its single CVE-2014-6362, is rated only Important even though it has been publicly disclosed and exploitation is considered likely; this is probably because it is "only" a security feature bypass, meaning it would have to be used in conjunction with another attack or other information to negatively impact a system. It is definitely worth patching any and all Office vulnerabilities as they are found.


The curveball this month is MS15-017, an Important elevation of privilege bulletin that applies to Microsoft System Center Virtual Machine Manager 2012 R2 (Update Rollup 4). Hypervisor and virtual machine management applications are often overlooked in routine patching and can be a challenge for administrators to locate on their network. Those going to patch may find that the system requires an update rollup or other patches before this patch is offered, which could hide a vulnerable state.

The Nexpose 5.12 release included many enhancements, which you can read about in Nexpose release notes -  January 2015. In this blog post I'll focus on the changes made to TLS/SSL scanning in particular.


Custom Root Certificate Authority Certificates

First I'd like to go over the new feature that lets you import your internal root CA certificates into Nexpose. For internal scans, where your systems are likely to use a corporate certificate authority that is not included in any public trust store, Nexpose can now recognize your internally signed certificates as trusted. In a future update Nexpose will also trust the latest public root CA certificates that modern web browsers trust. If you can't wait and have scans where valid certificates are not currently trusted by Nexpose, you can import public root CA certificates the same way.


Note that while intermediate CA certificates can be imported, they will not change scan results unless the root CA certificate is also trusted. In general your assets' TLS/SSL services should be configured to present the full certificate chain, as instructed by your signing authority, and the root of that chain must be trusted by Nexpose.


To import a root CA certificate into Nexpose, navigate to Administration and select the manage link next to Root Certificates, at the bottom right of the Scan Options section. You can also use the keyboard shortcut: type R and then M while on the Administration page. Note: the Configure Global Settings permission is required to add or remove certificates; any user with access to the Administration page can view them.


Then click the Import Certificates button and paste one or more PEM-format root CA certificates into the dialog. Click Import to complete the process.


Imported certificates will be used by local and remote scan engines automatically. Note: Remote scan engines must have product version 5.12 or later to use the imported certificates during a scan.
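The trust rule behind the note above (an imported intermediate never establishes trust on its own; the server must present the full chain and the root must be trusted) and the certificate details the release records, as an added example that is not Nexpose's code. It uses the third-party `cryptography` package to mint a throwaway corporate root, issuing intermediate and server certificate in memory, so no real CA is involved; the CA names, the `chain_is_trusted` function and its five-hop limit are assumptions for illustration.

```python
"""Chain building against a root-only trust store, plus the SHA1 fingerprint and
X.509 version fields. Added example (not Nexpose code); requires
'pip install cryptography'. All certificates are generated in memory."""
import datetime
import hashlib

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _new_cert(cn, issuer, issuer_key, key, is_ca):
    """Issue a certificate for 'key' signed by 'issuer_key'; issuer=None makes a self-signed root."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer.subject if issuer is not None else subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256(), backend=default_backend())


def _signed_by(cert, issuer):
    """True if 'cert' names 'issuer' and carries a valid ECDSA signature from its key."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def chain_is_trusted(leaf, presented, trust_store, max_depth=5):
    """Walk issuer links from the leaf, through certificates the server presented or
    that were imported, until a SELF-SIGNED certificate in the trust store signs the
    current one. An imported intermediate is never an anchor by itself, which is the
    behaviour the release notes describe. Returns (trusted, subject path)."""
    current = leaf
    path = [current.subject.rfc4514_string()]
    for _ in range(max_depth):
        for root in trust_store:                     # 1. trusted root signs this cert?
            if _signed_by(root, root) and _signed_by(current, root):
                path.append(root.subject.rfc4514_string())
                return True, path
        nxt = next((c for c in list(presented) + list(trust_store)   # 2. climb one hop
                    if c is not current and _signed_by(current, c)), None)
        if nxt is None:
            return False, path
        current = nxt
        path.append(current.subject.rfc4514_string())
    return False, path


def cert_details(cert):
    """The extra fields stored per service in 5.12: fingerprint over the DER encoding, and version."""
    der = cert.public_bytes(serialization.Encoding.DER)
    return {
        "subject": cert.subject.rfc4514_string(),
        "version": cert.version.name,                      # 'v3'
        "sha1_fingerprint": hashlib.sha1(der).hexdigest(),
        "sha1_via_library": cert.fingerprint(hashes.SHA1()).hex(),
    }


def build_demo_pki():
    """Constructed PKI: corporate root -> issuing intermediate -> HTTPS server certificate."""
    root_key, int_key, leaf_key = (ec.generate_private_key(ec.SECP256R1(), default_backend())
                                   for _ in range(3))
    root = _new_cert("Corp Root CA", None, root_key, root_key, True)
    inter = _new_cert("Corp Issuing CA", root, root_key, int_key, True)
    leaf = _new_cert("intranet.corp.example", inter, int_key, leaf_key, False)
    return root, inter, leaf


if __name__ == "__main__":
    root, inter, leaf = build_demo_pki()
    print("full chain, root imported  :", chain_is_trusted(leaf, [inter], [root]))
    print("only intermediate imported :", chain_is_trusted(leaf, [], [inter]))
    print("server omits intermediate  :", chain_is_trusted(leaf, [], [root]))
    print("root + intermediate stored :", chain_is_trusted(leaf, [], [root, inter]))
    print(cert_details(leaf))
```

The second and third calls are the two failure modes the note warns about: an imported intermediate without its root is untrusted, and so is a server that presents only its leaf when the intermediate has been neither presented nor imported. Only a self-signed certificate in the store ends the walk, so adding the intermediate to the store (fourth call) merely supplies the missing hop; the root still has to be there.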


X.509 Certificate Subject Alternative Names and other details

Another enhancement in Nexpose 5.12 is support for the Subject Alternative Name extension in SSL/TLS certificates. An asset whose host name, fully qualified domain name (FQDN) or IP address does not match the certificate's Common Name (CN) but does match one of its Subject Alternative Names (SANs) is no longer flagged as having a name mismatch. Along with this change, new information is stored in the Service Configuration details for an asset's service:

  • Subject Alternative Name(s)
  • Certificate's SHA1 fingerprint
  • Certificate's X.509 certificate version (as of Nexpose 5.12.2)

The service configuration information is also available in the reporting data model, so you can query all of it with a SQL Query Export report. Here is what it looks like in the web interface for an HTTPS service:



Vulnerability Checks Affected

The following vulnerability checks were updated in the 5.12 release to take advantage of these enhancements:

  • Untrusted TLS/SSL server X.509 certificate (tls-untrusted-ca)
  • X.509 Certificate Subject CN Does Not Match the Entity Name (certificate-common-name-mismatch)

The proofs for these vulnerabilities have also changed. The Untrusted TLS/SSL server X.509 certificate proof no longer lists the trusted certificates, now that this information is available from the root certificate management page; this reduces the space the vulnerability takes up in the interface and in reports. The X.509 Certificate Subject CN Does Not Match the Entity Name proof now includes additional items when a certificate has Subject Alternative Names but the asset's host name, FQDN and IP address match none of them.
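The matching rule described in the Subject Alternative Name section above and the proof contents described here, as an added example that is not Nexpose's code. It works on a constructed certificate in the dictionary layout Python's standard-library `ssl.getpeercert()` returns, so it runs offline; the `check_entity_name` function, its `strict` switch (which ignores the CN whenever a SAN extension is present, as RFC 6125 and modern browsers do) and the wildcard handling are assumptions about how such a check might be written, not a description of the Nexpose implementation.

```python
"""Entity-name check in the spirit of certificate-common-name-mismatch (added example,
not Nexpose code). The certificate is a constructed dict in the layout that Python's
ssl.getpeercert() returns, so no network connection or real certificate is needed."""
import ipaddress


def _dns_match(pattern, hostname):
    """Case-insensitive DNS match. A wildcard is honoured only as the whole left-most
    label (RFC 6125): '*.a.example' matches 'b.a.example' but not 'c.b.a.example',
    and '*.com' matches nothing."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def _as_ip(name):
    """Return an ip_address object if 'name' is an IP literal, otherwise None."""
    try:
        return ipaddress.ip_address(name)
    except ValueError:
        return None


def check_entity_name(cert, entity_names, strict=False):
    """Return (ok, proof). ok is True when ANY of the asset's names (host name, FQDN,
    IP address) matches the CN or a SAN entry, the 5.12 behaviour described above.
    strict=True (assumption, not a Nexpose option) ignores the CN whenever a SAN
    extension exists, which is what RFC 6125 and modern browsers do."""
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    san = cert.get("subjectAltName", ())
    dns_sans = [v for t, v in san if t == "DNS"]
    ip_sans = [ipaddress.ip_address(v) for t, v in san if t == "IP Address"]
    use_cn = cn is not None and not (strict and san)

    matched = []
    for name in entity_names:
        ip = _as_ip(name)
        if ip is not None:
            if ip in ip_sans:
                matched.append((name, "SAN IP Address"))
            elif use_cn and cn == name:          # IP literal in the CN, common on appliances
                matched.append((name, "CN"))
        elif use_cn and _dns_match(cn, name):
            matched.append((name, "CN"))
        elif any(_dns_match(s, name) for s in dns_sans):
            matched.append((name, "SAN DNS"))

    # Proof in the spirit of the updated check: what the certificate offered, what the
    # asset was called, and which pair (if any) matched.
    proof = {
        "cn": cn,
        "san_dns": dns_sans,
        "san_ip": [str(i) for i in ip_sans],
        "asset_names_tried": list(entity_names),
        "matched": matched,
    }
    return bool(matched), proof


# Constructed certificate (not a real one): public name in the CN, internal names and
# an appliance address in the SAN extension.
CONSTRUCTED_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "www.example.com"),)),
    "subjectAltName": (
        ("DNS", "example.com"),
        ("DNS", "*.internal.example.com"),
        ("IP Address", "10.0.0.5"),
    ),
}

if __name__ == "__main__":
    for names in (["www.example.com"], ["host1.internal.example.com", "10.0.0.5"],
                  ["deep.host1.internal.example.com"], ["10.0.0.6"]):
        ok, proof = check_entity_name(CONSTRUCTED_CERT, names)
        print(names, "OK" if ok else "MISMATCH", proof["matched"])
```

The third and fourth cases are the ones the new proof exists for: the certificate does carry SANs, but a host two labels below the wildcard and an IP one address off both fail, and the proof records every name that was tried against every name the certificate offered. Run with `strict=True`, `www.example.com` also fails, because it appears only in the CN; scanners that keep CN matching for backward compatibility are more lenient than a current browser would be.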
