Category Archives: Vulnerability Management

Microsoft Patch Tuesday July 2020: my new open source project Vulristics, DNS SIGRed, RDP Client and SharePoint

Leave a reply

Microsoft Patch Tuesday July 2020: my new open source project Vulristics, DNS SIGRed, RDP Client and SharePoint. I am doing this episode about July vulnerabilities already in August. There are 2 reasons for this. First of all, July Microsoft Patch Tuesday was published in the middle of the month, as late as possible. Secondly, in the second half of July I spent my free time mostly on coding. And I would like to talk more about this.

Microsoft Patch Tuesday July 2020: my new open source project Vulristics, DNS SIGRed, RDP Client and SharePoint

Vulristics

I decided to release my Microsoft Patch Tuesday reporting tool as part of a larger open source project (github). I named it Vulristics (from “Vulnerability” and “Heuristics”). I want this to be an extensible framework for analyzing publicly available information about vulnerabilities.

Let’s say we have a vulnerability ID (CVE ID) and we need to decide whether it is really critical or not. We will probably go to some vulnerability databases (NVD, CVE page on the Microsoft website, Vulners.com, etc.) and somehow analyze the descriptions and parameters. Right? Such analysis can be quite complex and not so obvious. My idea is to formalize it and make it shareable. It may not be the most efficient way to process data, but it should reflect real human experience, the things that real vulnerability analysts do. This is the main goal.

Continue reading

Barapass, Tsunami scanner, vulnerabilities in Windows DNS Server and SAP products, weird attack on Twitter

1 Reply

Barapass, Tsunami scanner, vulnerabilities in Windows DNS Server and SAP products, weird attack on Twitter. This episode is based on posts from my Telegram channel avleonovcom, published in the last 2 weeks. So, if you use Telegram, please subscribe. I update it frequently.

Barapass, Tsunami scanner, vulnerabilities in Windows DNS Server and SAP products, weird attack on Twitter

Barapass update

I recently released an update to my password manager barapass. BTW, it seems to be my only pet project at the MVP stage, which I use every day.

What’s new:

  1. Now I am sure that it works on Windows 10 without WSL. And you can run it beautifully even with the icon. ? Read more about installation in Windows in this file.
  2. Not only “copy the next value to the clipboard” (or “revolver mode” ) is now possible in the search results section. You can also get the previous value or copy the same value one again if it was somehow erased in the clipboard. Previously, I had to retype the search request each time to do this, and it was quite annoying. By the way, I unexpectedly discovered that the user input history inside the application magically works in the Windows shell (using up and down arrows) without any additional coding. On Linux it does not.
  3. You can set a startup command, for example, to decrypt the container.
  4. The startup command and quick (favorite) commands are now in settings.json and not hard-coded.
  5. settings.json, container files and decrypted files are now in “files” directory. It became more convenient to update barapass, just change the scripts in the root directory and that’s it. I divided the scripts into several files, now it should be more clear how it works.

So, if you need a minimalistic console password manager in which you can easily use any encryption you like – welcome! You can read more about barapass in my previous post.

Continue reading

Microsoft Patch Tuesday April 2020: my classification script, confusing RCE in Adobe Type Manager and updates for older vulnerabilities

1 Reply

Microsoft Patch Tuesday April 2020: my classification script, confusing RCE in Adobe Type Manager and updates for older vulnerabilities. Making the reviews of Microsoft Patch Tuesday vulnerabilities should be an easy task. All vulnerability data is publicly available. Even better, dozens of reviews have already been written. Just read them, combine and post. Right?

Microsoft Patch Tuesday April 2020: my classification script, confusing RCE in Adobe Type Manager and updates for older vulnerabilities

Not really. In fact it is quite boring and annoying. It may be fun to write about vulnerabilities that were already used in some real attacks. But this is a very small part of all vulnerabilities. What about more than a hundred others? They are like “some vulnerability in some component may be used in some attack (or may be not)”. If you describe each of them, no one will read or listen this.

You must choose what to highlight. And when I am reading the reports from Tenable, Qualys and ZDI, I see that they choose very different groups of vulnerabilities, pretty much randomly.

My classification script

That’s why I created a script that takes Patch Tuesday CVE data from microsoft.com and visualizes it giving me helicopter view on what can be interesting there. With nice grouping by vulnerability type and product, with custom icons for vulnerability types, coloring based on severity, etc.

Continue reading

Parsing Nessus v2 XML reports with python

13 Replies

Parsing Nessus v2 XML reports with python. Upd. This is an updated post from 2017. The original script worked pretty well for me until the most recent moment when I needed to get compliance data from Nessus scan reports, and it failed. So I researched how this information is stored in a file, changed my script a bit, and now I want to share it with you.

Previous post about Nessus v2 reports I was writing mainly about the format itself. Now let’s see how you can parse them with Python.

Please don’t work with XML documents the same way you process text files. I adore bash scripting and awk, but that’s an awful idea to use it for XML parsing. In Python you can do it much easier and the script will work much faster. I will use lxml library for this.

So, let’s assume that we have Nessus xml report. We could get it using Nessus API (upd. API is not officially supported in Nessus Professional since version 7) or SecurityCenter API. First of all, we need to read content of the file.

Continue reading

Forrester report for Rapid7: number juggling and an excellent overview of Vulnerability Management problems

Leave a reply

Forrester report for Rapid7: number juggling and an excellent overview of Vulnerability Management problems. I recently read Forrester’s 20-page report “The Total Economic Impact™ Of Rapid7 InsightVM“. It is about the Cost Savings And Business Benefits that Vulnerability Management solution can bring to the organizations.

Forrester report for Rapid7

In short, I didn’t like everything related to money. It seems like juggling with numbers, useless and boring. But I really liked the quotes from customers who criticized existing Vulnerability Management solutions, especially the low quality of the remediation data. These are the real pain points of Vulnerability Management process.

How did Forrester count money?

Forrester interviewed five existing customers of Rapid7 and created a “composite organization”.

This “composite organization” has 12,000 IT assets and spends $223,374 per year on Rapid7 InsightVM ($670,123 for 3 years) including integrations and trainings costs. That means $18 per host. Well, quite a lot, especially when compared to unlimited Nessus Professional for just $2,390 per year. A wonderland of Enterprise Vulnerability Management. 🙂

Continue reading

Crypto AG scandal

Leave a reply

Crypto AG scandal. The article in The Washington Post is really huge, but even a brief glance is enough to see how absolutely amazing this Crypto scandal is. A great example of chutzpah. ?

“Crypto AG was a Swiss company specialising in communications and information security. It was jointly owned by the American CIA and West German intelligence agency BND from 1970 until about 2008. … The company was a long-established manufacturer of [backdoored] encryption machines and a wide variety of cipher devices.”

“You think you do good work and you make something secure,” said Juerg Spoerndli, an electrical engineer who spent 16 years at Crypto. “And then you realize that you cheated these clients.”
¯\_(ツ)_/¯

Now the causes of hysteria around Kaspersky and Huawei become more clear. It is natural to suspect others in the things you practiced yourself.

A completely different company, with a different strategy

And note the disclaimer on the Crypto’s website. A completely different company, with a different strategy. ☝️? Okaaay…

Is Vulnerability Management more about Vulnerabilities or Management?

Leave a reply

Is Vulnerability Management more about Vulnerabilities or Management? I’ve just read a nice article about Vulnerability Management in the Acribia blog (in Russian). An extract and my comments below.

In the most cases Vulnerability Management is not about Vulnerabilities, but about Management. Just filtering the most critical vulnerabilities is not enough.

Practical Cases:

  1. “Oh, yes, we know ourselves that that everything is bad!” – CVE-2013−4786 IPMI password hash disclosure on > 500 servers. Customer just accepted the risks, Acribia proposed an effective workaround (unbrutable user IDs and passwords). It’s often hard to figure out right remediation measures and implement them. Someone should do it!
  2. “We can download OpenVAS without your help!” – CVE-2018-0171 Cisco Smart Install RCE on 350 hosts. Vulnerability detection rules of several Vulnerability Scanners were not good enough to detect this vulnerability. Do not rely on scanners, know how they work and their limitations.
  3. “If the attackers wanted to hack us, they would have already done it!” – CVE-2017-0144 (MS17-010) Windows SMB RCE on domain controller and several other critical servers. Vulnerability was detected in infrastructure several times, the remediation was agreed with the management, but it was ignored by responsible IT guys. As a result, during the next successful WannaCry-like malware attack the servers, including the DC were destroyed. Vulnerability Management is about the willingness to patch anything, very quickly, as often as required. Otherwise, it makes no sense.