Category Archives: Topics

AM Live Vulnerability Management Conference Part 2: What was I talking about there

Hello all! It is the second part about AM Live Vulnerability Management conference. In the first part I made the timecodes for the 2 hours video in Russian. Here I have combined all my lines into one text.

What is Vulnerability Management?

Vulnerability Management process is the opposite of the admin’s saying “If it works – don’t touch it!”. The main idea of this process is to somehow fix the vulnerabilities. How do you achieve this is not so important. Maybe you will have a nice Plan-Do-Check-Act process and strict policies. Maybe not. The main thing is that you fix vulnerabilities! And the main problem is to negotiate this regular patching with system administrators and service owners.

Continue reading

AM Live Vulnerability Management Conference Part 1: Full video in Russian + Timecodes in English

Hello all! 2 weeks ago I participated in the best online event fully dedicated to Vulnerability Management in Russia. It was super fun and exciting. Thanks to all the colleagues and especially to Lev Paley for the great moderation! I have talked out completely. Everything I wanted and the way I wanted. It seems that not a single hot topic was missed.

AM LIve: Vulnerability Management conference

You can see the two hours video below. It is in Russian. And it’s pretty complicated to translate it all. I won’t event try. ūüėÖ If you don’t understand Russian you can try auto-generated and auto-translated subtitles on YouTube, but the quality is far from ideal.

To give you the idea what we were talking about I added the timecodes in English.

Timecodes

Section 1. Vulnerability Management Process and Solutions

  • 5:18¬†Vulnerability Management Process Definition
  • 10:53¬†Vulnerability Management is the opposite of the admin’s saying “If it works – don’t touch it!” The main thing in the process is to somehow fix the vulnerabilities. (Leonov)
  • 12:30¬†Sometimes a basic vulnerability scanner and Jira is already a Vulnerability Management solution (Leonov)
  • 13:30¬†Difference between Vulnerability Management Solutions and Vulnerability Scanners
  • 17:09¬†Vulnerability Management and Vulnerability Scanners:¬†in our restaurant we call rusks “croutons”, because a rusk cannot cost $8, but crouton can”¬†(Leonov)
  • 23:00¬†Licensing schemes, delivery options and costs
  • 28:48¬†Module-based licensing and the situations when modules can be excluded from the subscription (Paley)
  • 30:24¬†Commercial Vulnerability Management solutions are expensive, especially when licensed per host (Leonov)
  • 31:00¬†Maxpatrol unlimited licenses (Bengin)
  • 34:08¬†Perimeter scanning: very critical, low reliability of banner-based detections, it’s better to assess hosts accessible from the Internet with internal authenticated scans. Criticality of the network as an element of scoring. (Leonov)
  • 36:50¬†The impact of Regulators on the Vulnerability Management Market, a free¬†ScanOVAL¬†tool
  • 39:10¬†What to do with vulnerabilities in local software products that are not supported by foreign VM vendors?
  • 44:00¬†When it’s enough to use a free scanner? Could there be a full-functional and free vulnerability scanner? In theory, yes, but it is not clear how the vendor will finance the maintenance of the knowledge base. In practice, we see how such stories collapse. You need to understand the limitations of free products (such as OpenVAS). Including the completeness of the scan results and the ease of building the VM process. (Leonov)
  • 47:19¬†Poll: what is used in your organization?
Continue reading

Vulristics: Beyond Microsoft Patch Tuesdays, Analyzing Arbitrary CVEs

Hello everyone! In this episode I would like to share an update for my Vulristics project.

For those who don’t know, in this project I am working on an alternative vulnerability scoring based on publicly available data to highlight vulnerabilities that need to be fixed as soon as possible. Roughly speaking, this is something like Tenable VPR, but more transparent and even open source. Currently it works with much less data sources. It mainly depends on the type of vulnerability, the prevalence of vulnerable software, public exploits and exploitation in the wild.

Elevation of Privilege - Windows Win32k

I started with Microsoft PatchTuesday Vulnerabilities because Microsoft provides much better data than other vendors. They have the type of vulnerability and the name of the vulnerable software in the title.

Elevation of Privilege - Windows Win32k MS site

But it’s time to go further and now you can use Vulristics to analyze any set of CVEs. I changed the scirpts that were closely related to the Microsoft datasource and added new features to get the type of vulnerability and name of the software from the CVE description.

Elevation of Privilege - Sudo (CVE-2021-3156) - High [595]
Continue reading

My projects that are not related to Information Security: Yennysay TTS and PyTouchOk companion app

Thanks to the long New Year holidays in Russia, I had time to work on my own projects that are not related to information security. I released them on github and recorded short demos (by the way, Zoom is quite convenient for this! ūüėÖ).

Yennysay is a GUI text-to-speach tool that uses a free offline TTS engine in Windows 10. This was my first experience with Tkinter and it turned out to be quite successful. I use this tool a lot now. Yennysay can read English and Russian texts aloud, show progress, track clipboard, retrieve text from copied URL, open YouTube URL in SMPlayer, and so on.

Check out the video

and sources on github

PyTouchOk is also a Tkinter application for automating routine actions with GUI (similar to SikuliX and AutoIt). The idea was to create a companion app that would track the content of the screen and, under certain conditions, take control to perform routine actions. As an example of such a routine action, I implemented the export of slides from LibreOffice Impress in svg format via pyautogui by automatically clicking in the interface. This operation cannot be performed for all slides through the GUI, and LibreOffice API is quite difficult to work with. But the main goal was to create a companion app that could be easily expanded with new skills. And it succeeded, the program “understands” that LibreOffice Impress is open on the screen and starts automatic actions.
Here is the demo on youtube

–įnd the sources on github.

Microsoft Patch Tuesday September 2020: Zerologon and other exploits, RCEs in SharePoint and Exchange

I would like to start this post by talking about Microsoft vulnerabilities, which recently turned out to be much more serious than it seemed at first glance.

Older Vulnerabilities with exploits

“Zerologon” Netlogon RCE (CVE-2020-1472)

One of them is, of course, the Netlogon vulnerability from the August 2020 Patch Tuesday. It’s called “Zerologon”. I would not say that Vulnerability Management vendors completely ignored it. But none of them (well, maybe only ZDI) emphasized in their reports that this vulnerability would be a real disaster.

Continue reading

Microsoft Patch Tuesday August 2020: vulnerabilities with Detected Exploitation, useful for phishing and others

This time I would like to review not only the vulnerabilities that were published in the last August Microsoft Patch Tuesday, but also the CVEs that were published on other, not Patch Tuesday, days. Of course, if there are any.

But let’s start with the vulnerabilities that were presented on MS Patch Tuesday on August 11th. There were 120 vulnerabilities: 17 of them are Critical and 103 Important. My vulristics script could not find public exploits for these vulnerabilities on Vulners.com.

Continue reading

Microsoft Patch Tuesday July 2020: my new open source project Vulristics, DNS SIGRed, RDP Client and SharePoint

I am doing this episode about July vulnerabilities already in August. There are 2 reasons for this. First of all, July Microsoft Patch Tuesday was published in the middle of the month, as late as possible. Secondly, in the second half of July I spent my free time mostly on coding. And I would like to talk more about this.

Microsoft Patch Tuesday July 2020: my new open source project Vulristics, DNS SIGRed, RDP Client and SharePoint

Vulristics

I decided to release my Microsoft Patch Tuesday reporting tool as part of a larger open source project (github). I named it Vulristics (from ‚ÄúVulnerability‚ÄĚ and ‚ÄúHeuristics‚ÄĚ). I want this to be an extensible framework for analyzing publicly available information about vulnerabilities.

Let’s say we have a vulnerability ID (CVE ID) and we need to decide whether it is really critical or not. We will probably go to some vulnerability databases (NVD, CVE page on the Microsoft website, Vulners.com, etc.) and somehow analyze the descriptions and parameters. Right? Such analysis can be quite complex and not so obvious. My idea is to formalize it and make it shareable. It may not be the most efficient way to process data, but it should reflect real human experience, the things that real vulnerability analysts do. This is the main goal.

Continue reading