Tag Archives: vulnerability

CheckPoint released a report about the Magnet Goblin group, which was noted for its rapid exploitation of vulnerabilities in services accessible from the Internet

CheckPoint released a report about the Magnet Goblin group, which was noted for its rapid exploitation of vulnerabilities in services accessible from the Internet. At the time of exploitation, these vulnerabilities already have patches (that’s why they are 1-day, not 0-day). But because companies tend to be slow to update their systems, Magnet Goblin attackers have been successful in their attacks. 🤷‍♂️

The report mentions the following vulnerabilities exploited by Magnet Goblin:

🔻 Magento (open source e-commerce platform) – CVE-2022-24086
🔻 Qlik Sense (data analytics solution) – CVE-2023-41265, CVE-2023-41266, and CVE-2023-48365
🔻 Ivanti Connect Secure (tool for remote access to infrastructure) – CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893.
🔻 Apache ActiveMQ (message broker) – CheckPoint writes that it is “possible” and does not provide a CVE, but this is probably CVE-2023-46604.

In Russian

I watched the recording of the Positive Technologies webinar “How to use MaxPatrol VM API: theory and practice”

I watched the recording of the Positive Technologies webinar “How to use MaxPatrol VM API: theory and practice“. On the theoretical part, everything is clear: there is a documented API; it is the same for integrations and Web GUI. 🙂

On the practical side they showed:

🔻 How to use the MaxPatrol API in the Nightingale REST client (examples on GitHub).
🔻 Unofficial PTVM SDK. A small Python script with one class for working with the MaxPatrol API.
🔻 Positive CLI for MaxPatrol API. So, automation can be done simply with shell scripts! 😇 A much more functional project than the SDK, also in Python. The screenshots show the vulnerabilities with criticality calculated using FSTEC methodology and trending vulnerabilities with an exploit.
🔻 How to use the MaxPatrol API in the low-code tool n8n (e.g. sending query results to Telegram).

Links to projects are on the addons page.

Show it to your colleagues who work with MaxPatrol VM. 😉

In Russian

I watched an episode of Application Security Weekly with Emily Fox about Vulnerability Management

I watched an episode of Application Security Weekly with Emily Fox about Vulnerability Management. As is common now, the hosts and guest pointed out that there are too many known vulnerabilities, 3-4% of them are actually exploited, and therefore not all vulnerabilities need to be fixed. And in order to understand what exactly does not need to be fixed, you need to

🔹 Take into account security layers that prevent exploitation of vulnerabilities.
🔹 Consider how the risk of exploitation and the type of vulnerable asset are related.
🔹 Assess the likelihood of exploitation in the context of a specific organization.

The words here seem to be all good, and I would even agree with them. But where to find reliable sources of information (about vulnerabilities, infrastructure, security mechanisms) and tools for processing them? And how can we make it all work very reliably?

So that someone is willing to bet their hand that this vulnerability 100% does not need to be fixed and that this vulnerability will never be actively exploited in attacks. 🙋‍♂️ And do this not for a single vulnerability, but en masse. Are there any brave souls with spare hands? IMHO, if you are not ready to do this, then you should not argue that some vulnerabilities can be left unfixed.

If there is a vulnerability (even potentially) and it can be fixed by an update, then it SHOULD be fixed by an update. As planned or faster than planned. But everything needs to be fixed. At the same time, getting rid of vulnerable assets, software, components, images is quite a good way to fix it. The smaller the attack surface, the better. If updating for some reason is difficult and painful, then first of all you need to resolve this issue. Why is this difficult and painful? What’s wrong with the organization’s basic processes that we can’t do it? Maybe we need to look towards better architecture?

This is better than making unreliable assumptions that perhaps this vulnerability is not critical enough to be fixed. Because, as a rule, we know practically nothing about these vulnerabilities: today it is unexploitable, but tomorrow it will become exploitable, and the day after tomorrow all script kiddies will exploit it. It is possible that this vulnerability has been actively used in targeted attacks for several years now. Who can say that this is not the case?

It is very symptomatic, by the way, that in this episode it was recommended to use EPSS to select the most potentially dangerous vulnerabilities. 🤦‍♂️ A tool that, to my deep regret, simply does not work and shows low values for the probability of an exploit appearing for actively exploited vulnerabilities and high values for those vulnerabilities for which exploits have not appeared for years. 🤷‍♂️

For example, look at my Vulristics report for the February Microsoft Patch Tuesday. Elevation of Privilege – Windows Kernel (CVE-2024-21338) in CISA KEV, and its EPSS values are low (EPSS Probability is 0.00079, EPSS Percentile is 0.32236). 🤡 You can just as easily read tea leaves, maybe it will be even more effective. Therefore, the rest of the “magic of triage” also causes skepticism.

Again:

🔻 All detected vulnerabilities must be fixed in accordance with the vendor’s recommendations.
🔻 First of all, you need to fix what is actually exploited in attacks or will be exploited in the near future (trending vulnerabilities).
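As an added example (not code from this post and not from Vulristics), here is a small Python triage that applies the two rules above to a constructed batch of records: every record stays in the work queue, entries in CISA KEV or flagged as trending go first, and an EPSS-only ordering is computed alongside to show how CVE-2024-21338 (EPSS 0.00079, the value quoted above) ends up at the bottom when EPSS is the only signal. The CVE-XXXX-* identifiers, all CVSS scores and the other EPSS values are made up for illustration.

```python
"""Vulnerability triage by exploitation evidence (added example).

Not the post's or Vulristics' code. Ranks a batch of records so that
CISA KEV and trending entries come first, then the rest by CVSS; nothing
is dropped, everything remains scheduled for fixing.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str
    title: str
    cvss: float              # CVSS base score (constructed values)
    epss: float              # EPSS probability, 0..1
    in_kev: bool = False     # listed in CISA Known Exploited Vulnerabilities
    trending: bool = False   # flagged as trending (exploit / attack reports)


# Constructed sample batch. Only CVE-2024-21338 and its EPSS value 0.00079
# come from the post; the CVE-XXXX-* records are hypothetical placeholders.
SAMPLE = [
    Vuln("CVE-2024-21338", "Windows Kernel EoP", 7.8, 0.00079, in_kev=True),
    Vuln("CVE-XXXX-0001", "hypothetical RCE in a web service", 9.8, 0.91),
    Vuln("CVE-XXXX-0002", "hypothetical DoS", 5.3, 0.02),
    Vuln("CVE-XXXX-0003", "hypothetical auth bypass", 8.1, 0.05, trending=True),
]


def triage_key(v: Vuln):
    # Sorted descending: exploited in the wild first, then trending,
    # then CVSS, with EPSS only as a tie-breaker.
    return (v.in_kev, v.trending, v.cvss, v.epss)


def prioritize(vulns):
    """Return (fix_first, fix_as_planned); together they contain every input."""
    ordered = sorted(vulns, key=triage_key, reverse=True)
    fix_first = [v for v in ordered if v.in_kev or v.trending]
    fix_as_planned = [v for v in ordered if not (v.in_kev or v.trending)]
    return fix_first, fix_as_planned


def epss_only_order(vulns):
    """CVE IDs ordered by EPSS alone, highest first (what the episode suggested)."""
    return [v.cve for v in sorted(vulns, key=lambda v: v.epss, reverse=True)]


if __name__ == "__main__":
    first, planned = prioritize(SAMPLE)
    print("fix first:     ", [v.cve for v in first])
    print("fix as planned:", [v.cve for v in planned])
    print("EPSS-only:     ", epss_only_order(SAMPLE))
```

With the sample batch the KEV entry CVE-2024-21338 is first in the triage order but last in the EPSS-only order; the point of the two lists is that the second one is a schedule, not a set of vulnerabilities to ignore.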

In Russian

The most magnificent thing about Vulnerabilities and who is behind the magic

The most magnificent thing about Vulnerabilities and who is behind the magic. What I like the most about software vulnerabilities is how “vulnerability”, as a quality of a real object (and the computer program is real), literally appears from nothing.

Let’s say we have a fully updated server. We turn it off, lock it in a safe and forget about it for half a year. Six months later, we take it out and turn it on. It is the same and works absolutely the same. But now it is also exposed to dozens of critical vulnerabilities that, with some (un)luck, can be exploited by any script kiddie. A new important characteristic of the material object appeared from nowhere. Isn’t this magnificent?

Continue reading

PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Management products

PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Management products. On May 21, I spoke at the PHDays 9 conference. I talked about new methods of Vulnerability Prioritization in the products of Vulnerability Management vendors.

PHDays9 new ways of prioritizing vulnerabilities

During my 15-minute time slot I defined the problems that this new technology has to solve, showed why these problems could NOT be solved using existing frameworks (CVSS), described what we currently have on the market and, as usual, criticized VM vendors and their solutions a little bit.

Continue reading

Vulnerability Life Cycle and Vulnerability Disclosures

Vulnerability Life Cycle and Vulnerability Disclosures. The Vulnerability Life Cycle diagram shows the possible states of a vulnerability. In a previous post I suggested treating vulnerabilities as bugs. Every known vulnerability, just like every bug, was implemented by some software developer at some moment of time and was fixed at some later moment. What happens between these two events?

Vulnerability life-cycle

Right after the vulnerability was implemented in the code by some developer (creation), nobody knows about it. Well, of course, if it was done unintentionally. By the way, making backdoors look like ordinary vulnerabilities is a smart way to do such things. 😉 But let’s say it WAS done unintentionally.

Time passed and some researcher found (discovery) this vulnerability and described it somehow. What’s next? It depends on who was that researcher.

Continue reading

What is a vulnerability and what is not?

What is a vulnerability and what is not? It looks like a pretty simple question. I used it to start my MIPT lecture. But actually the answer is not so obvious. There are lots of formal definitions of a vulnerability. For example, in the NIST Glossary there are 17 different definitions. The most popular one (used in 13 documents) is:

Vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source
NISTIR 7435 The Common Vulnerability Scoring System (CVSS) and Its Applicability to Federal Agency Systems

But I prefer this one, it’s from the glossary as well:

Vulnerability is a bug, flaw, weakness, or exposure of an application, system, device, or service that could lead to a failure of confidentiality, integrity, or availability.

I think the best way to talk about vulnerabilities is to treat them as bugs and errors. Because people deal with such entities more often in a form of software freezes and BSODs. 😉

You probably heard a joke, that a bug can be presented as a feature if it is well-documented and the software developers don’t want to fix it.

Bug, feature and vulnerability

A vulnerability is also a specific bug that can lead to some security issue. Or at least it is declared to be.

Continue reading