Tag Archives: IBM

Remote Code Execution – IBM QRadar / Robin Weser Fast Loops (CVE-2024-39008)

Remote Code Execution - IBM QRadar / Robin Weser Fast Loops (CVE-2024-39008)

Remote Code Execution – IBM QRadar / Robin Weser Fast Loops (CVE-2024-39008). On August 14, a security bulletin for QRadar Suite Software and IBM Cloud Pak for Security was published on the IBM website. It lists fixed vulnerabilities in IBM QRadar itself and its open source components: Node.js, Jinja, kjd/idna, robinweser/fast-loops. The vulnerability of the last project is the most interesting.

🔻 robinweser/fast-loops – a set of compact utilities for faster work with JavaScript arrays and objects. This is not a very popular project, only 25 stars and 3 forks on GitHub.

🔻 The vulnerability CVE-2024-39008 allows an attacker to send special requests and, potentially, cause a DoS and RCE. There are technical details and a PoC.

Ok, the open source component is vulnerable. But how to exploit the vulnerability in QRadar itself? It is still unknown. 🤷‍♂️ But it is better not to wait for the details to appear, but to update QRadar in advance. 😉

На русском

Microsoft Patch Tuesday December 2022: SPNEGO RCE, Mark of the Web Bypass, Edge Memory Corruptions

Microsoft Patch Tuesday December 2022: SPNEGO RCE, Mark of the Web Bypass, Edge Memory Corruptions. Hello everyone! This episode will be about Microsoft Patch Tuesday for December 2022, including vulnerabilities that were added between November and December Patch Tuesdays. As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities.

Alternative video link (for Russia): https://vk.com/video-149273431_456239112

But let’s start with an older vulnerability. This will be another example why vulnerability prioritization is a tricky thing and you should patch everything. In the September Microsoft Patch Tuesday there was a vulnerability Information Disclosure – SPNEGO Extended Negotiation (NEGOEX) Security Mechanism (CVE-2022-37958), which was completely unnoticed by everyone. Not a single VM vendor paid attention to it in their reviews. I didn’t pay attention either.

Continue reading

Vulnerability Management Product Comparisons (October 2019)

Vulnerability Management Product Comparisons (October 2019). Here I combined two posts [1.2] from my telegram channel about comparisons of Vulnerability Management products that were recently published in October 2019. One of them was more marketing, published by Forrester, the other was more technical and published by Principled Technologies.

Vulnerability Management Product Comparisons (October 2019)

I had some questions for both of them. It’s also great that the Forrester report made Qualys, Tenable and Rapid7 leaders and Principled Technologies reviewed the Knowledge Bases of the same three vendors.

Let’s start with Forrester.

Continue reading

MIPT/PhysTech guest lecture: Vulnerabilities, Money and People

MIPT/PhysTech guest lecture: Vulnerabilities, Money and People. On December 1, I gave a lecture at the Moscow Institute of Physics and Technology (informally known as PhysTech). This is a very famous and prestigious university in Russia. In Soviet times, it trained personnel for Research Institutes and Experimental Design Bureaus, in particular for the Soviet nuclear program.

MIPT open lecture about vulnerabilities

Nowadays MIPT closely cooperates with Russian and foreign companies, trains business people, software developers and great scientists. For example, the researchers who discovered Graphene and won Nobel Prize for this in 2010 were once MIPT graduates.

This is a very interesting place with a rich history. So it was a great honor for me to speak there.

Continue reading

A few words about Gartner’s “Magic Quadrant for Application Security Testing” 2018

A few words about Gartner’s “Magic Quadrant for Application Security Testing” 2018. February and March are the hot months for marketing reports. I already wrote about IDC and Forrester reports about Vulnerability Management-related markets. And this Monday, March 19, Gartner released new “Magic Quadrant for Application Security Testing”. You can buy it on the official website for $ 1,995.00 USD or download it for free from the vendor’s sites. For example, Synopsys or Positive Technologies. Thank you, dear vendors, for this opportunity!

I’m not an expert in Application Security. I am more in Device Vulnerability Assessment (IDC term) or Vulnerability Management. However, these field are related. And well-known Vulnerability Management vendors often have products or functionality for Web Application scanning and Source Code analysis as well. Just see Qualys, Rapid7 and Positive Technologies at the picture!

Gartner AST MQ 2018

I have already mentioned in previous posts that grouping products in marketing niches is rather mysterious process for me. For example, Gartner AST niche is for SAST, DAST and IAST products:

  • SAST is for source code or binary analysis
  • DAST is basically a black box scanning of deployed applications. it can be also called WAS (Web Application Scanning)
  • IAST is a kind of analysis that requires agent in the test runtime environment. Imho, this thing is still a pretty exotic.

As you can see, these are very different areas. But, the market is the same – AST.

Continue reading

My short review of “The Forrester Wave: Vulnerability Risk Management, Q1 2018”

My short review of “The Forrester Wave: Vulnerability Risk Management, Q1 2018”. Last week, March 14, Forrester presented new report about Vulnerability Risk Management (VRM) market. You can purchase it on official site for $2495 USD or get a free reprint on Rapid7 site. Thanks, Rapid7! I’ve read it and what to share my impressions.

Forrester VRM report2018

I was most surprised by the leaders of the “wave”. Ok, Rapid7 and Qualys, but BeyondTrust and NopSec? That’s unusual. As well as seeing Tenable out of the leaders. 🙂

The second thing is the set of products. We can see there traditional Vulnerability Management/Scanners vendors, vendors that make offline analysis of configuration files and vendors who analyse imported raw vulnerability scan data. I’m other words, it’s barely comparable products and vendors.

Continue reading

My short review of “IDC Worldwide Security and Vulnerability Management Market Shares 2016”

My short review of “IDC Worldwide Security and Vulnerability Management Market Shares 2016”. On February 12 IDC published new report about Security and Vulnerability Management market. You can buy it on the official website for $4500. Or you can simply download free extract on Qualys website (Thanks, Qualys!). I’ve read it and now I want to share my impressions.

IDC Worldwide Security and Vulnerability Management Market Shares 2016

I think it’s better start reading this report from the end, from “MARKET DEFINITION” section. First of all, IDC believe that there is a “Security and Vulnerability Management” (SVM) market. It consists of two separate “symbiotic markets”: security management and vulnerability assessment (VA).

Continue reading