Tag Archives: Nessus

Free High-Tech Bridge ImmuniWeb Application Discovery service

Today I would like to talk about another service for application security analysis by High-Tech Bridge. It’s called ImmuniWeb Application Discovery.

This service can get information about your web and mobile applications available from the Internet. Believe me, this is not so obvious for a large organization. And, what is especially pleasant, it works automatically and free of charge. 😉

High-Tech Bridge ImmuniWeb Free Application Discovery

ImmuniWeb Application Discovery will also show the basic security problems with SSL connection, web-server headers, potential phishing issues for all founded web services. You can read more about this part in my posts about High-Tech Bridge services and APIs for SSL/TLS server testing and for searching cybersquatting, typosquatting and phishing domains.

From the same interface you can order an advanced audit of your web applications by High-Tech Bridge as well.

Continue reading

Vulnerability Databases: Classification and Registry

What publicly available Vulnerability Databases do we have? Well, I can only say that there are a lot of them and they are pretty different. Here I make an attempt to classify them.

It’s quite an ungrateful task. No matter how hard you try, the final result will be rather inaccurate and incomplete. I am sure someone will be complaining. But this is how I see it. 😉 If you want to add or change something feel free to make a comment bellow or email me@avleonov.com.

The main classifier, which I came up with:

  • There are individual vulnerability databases in which one identifier means one vulnerability. They try to cover all existing vulnerabilities.
  • And others are security bulletins. They cover vulnerabilities in a particular product or products. And they usually based on on patches. One patch may cover multiple vulnerabilities.

I made this diagram with some Vulnerability Databases. Note that I wanted to stay focused, so there are no exploit DBs, CERTs, lists of vulnerabilities detected by some researchers (CISCO Talos, PT Research, etc.), Media and Bug Bounty sites.

Vulnerability Databases classification

For these databases the descriptions of vulnerabilities are publicly available on the site (in html interface or downloadable data feed), or exist in a form of paid Vulnerability Intelligence service (for example, Flexera).

On one side there are databases of individual vulnerabilities, the most important is National Vulnerability Database. There are also Chinese, Japanese bases that can be derived from NVD or not.

On the other side we have security bulletins, for example RedHat Security Advisories.

And in the middle we have a Vulnerability Databases, for which it is not critical whether they have duplicated vulnerability IDs or not.

Continue reading

Potential RCE in Nessus 7 and attacks on Vulnerability Scanners

A few days ago I saw an interesting youtube video (UPD. 14.05.18 Not available anymore) in my Facebook feed. It is demonstrating the exploitation of the RCE vulnerability in Tenable Nessus Professional 7.0.3. Currently we have very few information about this vulnerability: only youtube video, which is mentioned only on ExploitWareLabs facebook page.

Nessus 7.0.3 RCE

While there is no exploit in public access, it’s hard to say how it actually works. It’s also not clear what versions of Nessus are affected. 7.0.3 is the latest version currently. Because of API disabling in Nessus 7 many users are still on 6.11.3. It is not clear whether they are affected or not.

This even can be a fake video. Therefore, I specifically write “potential RCE”. I will update this post when more data is available.

UPD. 14.05.18 In the comments to my Facebook post anonymous account Destring Portal posted a comment with the second video of Nessus RCE exploitation and it seems, that it was made by the same author. In this video, the author runs a remote shell on the Nessus host and executes various commands. I will add review of this second video bellow.

Nessus RCE second video

UPD. 10.05.18 Renaud Deraison, Co-Founder and CTO of Tenable, commented on my post at Linkedin:

Our research team studied the video and we have several reasons to doubt its authenticity. We’ve conducted a thorough audit over the last 48 hours based the few details that are in the video and didn’t find anything. We reached out the researcher and instead of replying he removed the video*. We’ll communicate if indeed there is a risk.

In general, you are right though – the security of scanners is of paramount importance. This actually is a topic I’ve been extremely worried about ever since the early days of Nessus. We have a number of security mechanisms in place (interpreted language for the detection scripts, ciphered temporary files, very limited runtime environment) which really aim to limit the risk of being exploited but also to mitigate the risk should the scanner be compromised. I actually did a few talks in the past about scanning “rogue hosts” and we continue to treat all input as hostile.

Again, we’re continuing to investigate the matter and will let you know if we find anything.

* currently video is still available on the same address; it could be probably blocked for some time. (UPD. 14.05.18 Not available anymore)

In any case, it’s a good reason to talk about vulnerabilities of such kind, how they appear and how to protect Vulnerability Scanners from attackers.

Continue reading

CISO Forum and the problems of Vulnerability Databases

Last Tuesday, April 24,  I was at “CISO FORUM 2020: glance to the future“. I presented there my report “Vulnerability Databases: sifting thousands tons of verbal ore”. In this post, I’ll briefly talk about this report and about the event itself.

CISO Forum 2020

My speech was the last in the program. At the same time, in a parallel stream, there was another interesting presentation by the most famous Russian information security blogger. Thus, there was a real danger of speaking in an empty room. 🙂 But everything went well. There were about 30 spectators and we had an active QA session afterwards.

As I wrote earlier, I started preparing my CyberCentral presentation several months before the event. I did not want to tell the same story again at CISO Forum and PHDays. So I prepared 2 different presentations. At CyberCentral, I was talking about Vulnerability Scanners. And at CISO Forum I was talking mainly about Vulnerable Databases. Of course, I reused some materials, but the accents were different.

Continue reading

My short review of “IDC Worldwide Security and Vulnerability Management Market Shares 2016”

On February 12 IDC published new report about Security and Vulnerability Management market. You can buy it on the official website for $4500. Or you can simply download free extract on Qualys website (Thanks, Qualys!). I’ve read it and now I want to share my impressions.

IDC Worldwide Security and Vulnerability Management Market Shares 2016

I think it’s better start reading this report from the end, from “MARKET DEFINITION” section. First of all, IDC believe that there is a “Security and Vulnerability Management” (SVM) market. It consists of two separate “symbiotic markets”: security management and vulnerability assessment (VA).

Continue reading