Vulristics Vulnerability Score, Automated Data Collection and Microsoft Patch Tuesdays Q4 2020

In this episode I would like to make a status update of my Vulristics project. For those who don’t know, in this project I retrieve publicly available vulnerability data and analyze it to better understand the severity of these vulnerabilities and better prioritize them. Currently, it is mainly about Microsoft Patch Tuesday vulnerabilities, but I have plans to go further. Also in this episode I want to demonstrate the new Vulristics features on Microsoft Patch Tuesday reports for October, November and December 2020.

Vulristics Vulnerability Scores, automated data collection and Microsoft Patch Tuesday Q4 2020

Patch Tuesdays Automated Data Collection

First of all, I dealt with the annoying collecting of the data for Microsoft Patch Tuesdays reports. Previously it took pretty long time. I had to go to Microsoft website and search for CVE IDs. After that, I had to get the comments from various Vulnerability Management vendors and researchers blogs (Tenable, Qualys, Rapid7, ZDI). I wanted this to be as much automated as possible. I have added some code to make CVE search requests on the Microsoft website for a date range (including the second Tuesday of the month). I also figured out how to make searches on the Vulnerability Management vendors blogs. So, now to get a Microsoft Patch Tuesday report it’s only necessary to set the year and month.

Continue reading

My projects that are not related to Information Security: Yennysay TTS and PyTouchOk companion app

Thanks to the long New Year holidays in Russia, I had time to work on my own projects that are not related to information security. I released them on github and recorded short demos (by the way, Zoom is quite convenient for this! 😅).

Yennysay is a GUI text-to-speach tool that uses a free offline TTS engine in Windows 10. This was my first experience with Tkinter and it turned out to be quite successful. I use this tool a lot now. Yennysay can read English and Russian texts aloud, show progress, track clipboard, retrieve text from copied URL, open YouTube URL in SMPlayer, and so on.

Check out the video

and sources on github

PyTouchOk is also a Tkinter application for automating routine actions with GUI (similar to SikuliX and AutoIt). The idea was to create a companion app that would track the content of the screen and, under certain conditions, take control to perform routine actions. As an example of such a routine action, I implemented the export of slides from LibreOffice Impress in svg format via pyautogui by automatically clicking in the interface. This operation cannot be performed for all slides through the GUI, and LibreOffice API is quite difficult to work with. But the main goal was to create a companion app that could be easily expanded with new skills. And it succeeded, the program “understands” that LibreOffice Impress is open on the screen and starts automatic actions.
Here is the demo on youtube

аnd the sources on github.

MaxPatrol VM: An Ambitious Vision for Vulnerability Management Transformation

In this episode, I would like to share my thoughts about the new Vulnerability Management product by Positive Technologies – MaxPatrol VM. It was presented on November 16th, at the Standoff365 online conference (full video in Russian). The presentation and concept of the product were very good. I really liked them. However, as it always happens on vendor’s events, some critical topics were not covered. So I also want to highlight them. I will try to be as objective as possible. Although it is difficult for me, since I have worked in the company for 6 years, and many of my good friends work there.

MaxPatrol VM

Positive Technologies is best known in the Russian Vulnerability Management market. The volume of the Russian VM market in 2019 is $40-46 million. The volume of the world market, according to IDC, is $1.2 billion. So the Russian market is ~3% of the world market. And 78% of it is occupied by Positive Technologies products: Maxpatrol 8 and XSpider. Disclaimer: all numbers are from the Maxpatrol VM presentation and I haven’t done fact checking. But in this case, the numbers are not so important.

Continue reading

Nessus Essentials with offline registration and plugin updates

In this episode, I would like to talk about Nessus Essentials and, in particular, how to register and update it without direct internet access. Nothing complicated, but there are a couple of pitfalls that I would like to share.

Nessus Essentials with offline updates

Let’s say you need to scan a host in a critical autonomous segment where Internet access is strictly prohibited. In such scenarios, Nessus Essentials is really suitable. It is a fully functional network vulnerability scanner with a good vulnerability knowledgebase. It can be registered and updated offline! And most importantly, it’s free even for corporate use! There is, of course, a 16 IP addresses limit, but in this case it is not really important.

Continue reading

Microsoft Patch Tuesday September 2020: Zerologon and other exploits, RCEs in SharePoint and Exchange

I would like to start this post by talking about Microsoft vulnerabilities, which recently turned out to be much more serious than it seemed at first glance.

Older Vulnerabilities with exploits

“Zerologon” Netlogon RCE (CVE-2020-1472)

One of them is, of course, the Netlogon vulnerability from the August 2020 Patch Tuesday. It’s called “Zerologon”. I would not say that Vulnerability Management vendors completely ignored it. But none of them (well, maybe only ZDI) emphasized in their reports that this vulnerability would be a real disaster.

Continue reading

Microsoft Patch Tuesday August 2020: vulnerabilities with Detected Exploitation, useful for phishing and others

This time I would like to review not only the vulnerabilities that were published in the last August Microsoft Patch Tuesday, but also the CVEs that were published on other, not Patch Tuesday, days. Of course, if there are any.

But let’s start with the vulnerabilities that were presented on MS Patch Tuesday on August 11th. There were 120 vulnerabilities: 17 of them are Critical and 103 Important. My vulristics script could not find public exploits for these vulnerabilities on Vulners.com.

Continue reading

Microsoft Patch Tuesday July 2020: my new open source project Vulristics, DNS SIGRed, RDP Client and SharePoint

I am doing this episode about July vulnerabilities already in August. There are 2 reasons for this. First of all, July Microsoft Patch Tuesday was published in the middle of the month, as late as possible. Secondly, in the second half of July I spent my free time mostly on coding. And I would like to talk more about this.

Microsoft Patch Tuesday July 2020: my new open source project Vulristics, DNS SIGRed, RDP Client and SharePoint

Vulristics

I decided to release my Microsoft Patch Tuesday reporting tool as part of a larger open source project (github). I named it Vulristics (from “Vulnerability” and “Heuristics”). I want this to be an extensible framework for analyzing publicly available information about vulnerabilities.

Let’s say we have a vulnerability ID (CVE ID) and we need to decide whether it is really critical or not. We will probably go to some vulnerability databases (NVD, CVE page on the Microsoft website, Vulners.com, etc.) and somehow analyze the descriptions and parameters. Right? Such analysis can be quite complex and not so obvious. My idea is to formalize it and make it shareable. It may not be the most efficient way to process data, but it should reflect real human experience, the things that real vulnerability analysts do. This is the main goal.

Continue reading