Tag Archives: vulnerability

Lord of the CVEs: NVD crisis

Lord of the CVEs: NVD crisis. The NVD website currently has a banner:

“NIST is currently working to establish a consortium to address challenges in the NVD program and develop improved tools and methods. You will temporarily see delays in analysis efforts during this transition. We apologize for the inconvenience and ask for your patience as we work to improve the NVD program.”

In fact, NVD has completely stopped enriching CVE data (CVSS, CWE, CPE). And panic is growing in the global Vulnerability Management community. Almost everyone used NVD’s publicly available content and took it for granted. It turned out that everything could stop and consumers of NVD content would have to self-organize and obtain new sources of such data, like the kids in Golding’s Lord of the Flies. 🙂🐚🐷🪰
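The enrichment gap described above can be measured directly on NVD API 2.0 records. The following is an added example, not code from the post: it inspects the `metrics`, `weaknesses` and `configurations` keys of each `vulnerabilities[].cve` record and reports which of CVSS, CWE or CPE is absent. The two records are constructed with placeholder ids so the script runs offline.

```python
"""Report NVD records that were published but not enriched (no CVSS, CWE or CPE).
Added example; the sample below is constructed in NVD API 2.0 shape."""
import json

# Constructed sample; the ids are placeholders, not real CVEs.
SAMPLE_RESPONSE = json.dumps({
    "vulnerabilities": [
        {"cve": {
            "id": "CVE-0000-0001",
            "vulnStatus": "Analyzed",
            "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
            "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}]}],
            "configurations": [{"nodes": [{"cpeMatch": [
                {"criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}],
        }},
        {"cve": {
            "id": "CVE-0000-0002",
            "vulnStatus": "Awaiting Analysis",   # published, not yet analysed by NVD
            "metrics": {},
            "weaknesses": [],
            "configurations": [],
        }},
    ]
})


def has_real_cwe(weaknesses):
    """NVD uses 'NVD-CWE-noinfo' / 'NVD-CWE-Other' when no real CWE was assigned;
    treat those as no enrichment."""
    for w in weaknesses:
        for d in w.get("description", []):
            if not d.get("value", "").startswith("NVD-CWE"):
                return True
    return False


def enrichment_gaps(cve):
    """Return the enrichment fields (CVSS, CWE, CPE) missing from one cve record."""
    missing = []
    if not any(k.startswith("cvssMetric") for k in cve.get("metrics", {})):
        missing.append("CVSS")
    if not has_real_cwe(cve.get("weaknesses", [])):
        missing.append("CWE")
    if not cve.get("configurations"):
        missing.append("CPE")
    return missing


def unenriched(response_json):
    """Map CVE id -> list of missing fields for every record that lacks something."""
    result = {}
    for item in json.loads(response_json)["vulnerabilities"]:
        cve = item["cve"]
        gaps = enrichment_gaps(cve)
        if gaps:
            result[cve["id"]] = gaps
    return result
```

Run it over a saved `cves` API response to see how large the unenriched backlog is for the feed you depend on.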

I still believe that these are temporary difficulties that will be solved by the reorganization of NVD. But if not, then it will be interesting to see where this leads. 🌝

In Russian

I reach a wider audience: I talk about trending vulnerabilities in the SecLab News show

I reach a wider audience: I talk about trending vulnerabilities in the SecLab News show. 🤩 It’s in Russian, but the automatically generated subtitles combined with automatic translation do a good job. The “Trending VM” section starts at 16:05. 🎞

As for the content, this is the February digest of trending vulnerabilities, but presented in a more lively format: simple phrases, with all sorts of memes, jokes and so on. Typical edutainment. 😏 The level of production demonstrated by the SecLab News team is, of course, amazing. I haven’t seen anything better yet. Very professional guys, it’s a pleasure to work with them. 🔥

In general, this is a trial attempt – the further fate of the section (and maybe not only the section) depends on you 😉.

➡️ Please follow the link, watch the episode, like it, leave a comment about the section. What you liked and what could have been done better.

We are really looking forward to your feedback. 🫠

In Russian

CheckPoint released a report about the Magnet Goblin group, which was noted for its rapid exploitation of vulnerabilities in services accessible from the Internet

CheckPoint released a report about the Magnet Goblin group, which was noted for its rapid exploitation of vulnerabilities in services accessible from the Internet. At the time of exploitation, these vulnerabilities already have patches (that’s why they are 1-day, not 0-day). But because companies tend to be slow to update their systems, Magnet Goblin attackers have been successful in their attacks. 🤷‍♂️

The report mentions the following vulnerabilities exploited by Magnet Goblin:

🔻 Magento (open source e-commerce platform) – CVE-2022-24086
🔻 Qlik Sense (data analytics solution) – CVE-2023-41265, CVE-2023-41266, and CVE-2023-48365
🔻 Ivanti Connect Secure (tool for remote access to infrastructure) – CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893.
🔻 Apache ActiveMQ (message broker) – CheckPoint writes that it is “possible” and does not provide a CVE, but this is probably about CVE-2023-46604.

In Russian

I watched the recording of the Positive Technologies webinar “How to use MaxPatrol VM API: theory and practice”

I watched the recording of the Positive Technologies webinar “How to use MaxPatrol VM API: theory and practice”. On the theoretical part, everything is clear: there is a documented API; it is the same for integrations and Web GUI. 🙂

On the practical side they showed:

🔻 How to use the MaxPatrol API in the Nightingale REST client (examples on GitHub).
🔻 Unofficial PTVM SDK. A small Python script with one class for working with the MaxPatrol API.
🔻 Positive CLI for MaxPatrol API. So, automation can be done simply with shell scripts! 😇 A much more functional project than the SDK, also in Python. The screenshots show the vulnerabilities with criticality calculated using FSTEC methodology and trending vulnerabilities with an exploit.
🔻 How to use the MaxPatrol API in the low-code tool n8n (e.g. sending query results to Telegram).

Links to projects are on the addons page.

Show it to your colleagues who work with MaxPatrol VM. 😉

In Russian

I watched an episode of Application Security Weekly with Emily Fox about Vulnerability Management

I watched an episode of Application Security Weekly with Emily Fox about Vulnerability Management. As is common now, the hosts and guest pointed out that there are too many known vulnerabilities, 3-4% of them are actually exploited, and therefore not all vulnerabilities need to be fixed. And in order to understand what exactly does not need to be fixed, you need to

🔹 Take into account security layers that prevent exploitation of vulnerabilities.
🔹 Consider how the risk of exploitation and the type of vulnerable asset are related.
🔹 Assess the likelihood of exploitation in the context of a specific organization.

The words here seem to be all good, and I would even agree with them. But where to find reliable sources of information (about vulnerabilities, infrastructure, security mechanisms) and tools for processing them? And how can we make it all work very reliably?

So that someone can put their hand on the block and guarantee that this vulnerability 100% does not need to be fixed and that this vulnerability will never be actively exploited in attacks. 🙋‍♂️ And do this not just for one vulnerability, but en masse. Are there any brave souls with spare hands? IMHO, if you are not ready to do this, then you should not argue that some vulnerabilities can be left unfixed.

If there is a vulnerability (even potentially) and it can be fixed by an update, then it SHOULD be fixed by an update. As planned or faster than planned. But everything needs to be fixed. At the same time, getting rid of vulnerable assets, software, components, images is quite a good way to fix it. The smaller the attack surface, the better. If updating for some reason is difficult and painful, then first of all you need to resolve this issue. Why is this difficult and painful? What’s wrong with the organization’s basic processes that we can’t do it? Maybe we need to look towards better architecture?

This is better than making unreliable assumptions that perhaps this vulnerability is not critical enough to be fixed. Because, as a rule, we know practically nothing about these vulnerabilities: today it is unexploitable, but tomorrow it will become exploitable, and the day after tomorrow all script kiddies will exploit it. It is possible that this vulnerability has been actively used in targeted attacks for several years now. Who can say that this is not the case?

It is very symptomatic, by the way, that in this episode it was recommended to use EPSS to select the most potentially dangerous vulnerabilities. 🤦‍♂️ A tool that, to my deep regret, simply does not work and shows low values for the probability of an exploit appearing for actively exploited vulnerabilities and high values for those vulnerabilities for which exploits have not appeared for years. 🤷‍♂️

For example, look at my Vulristics report for the February Microsoft Patch Tuesday. Elevation of Privilege – Windows Kernel (CVE-2024-21338) in CISA KEV, and its EPSS values are low (EPSS Probability is 0.00079, EPSS Percentile is 0.32236). 🤡 You can just as easily read tea leaves, maybe it will be even more effective. Therefore, the rest of the “magic of triage” also causes skepticism.

Again:

🔻 All detected vulnerabilities must be fixed in accordance with the vendor’s recommendations.
🔻 First of all, you need to fix what is actually exploited in attacks or will be exploited in the near future (trending vulnerabilities).
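The two rules above, together with the CVE-2024-21338 case from the Patch Tuesday report, can be turned into a small prioritisation routine. This is an added example, not code from the post or from Vulristics: every vulnerability stays on the fix list, CISA KEV entries and trending ones are scheduled first, and EPSS is used only as a tie-breaker inside a tier. A second function lists the KEV entries that an EPSS-only triage would have pushed to the bottom. The sample data is constructed; only the EPSS figures for CVE-2024-21338 are the ones quoted in the post, and the other ids are placeholders.

```python
"""Fix-order prioritisation: everything gets fixed, exploited/trending first.
Added example; sample data is constructed (placeholder ids), except the
CVE-2024-21338 EPSS values, which are the ones quoted in the post."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str
    epss_probability: float   # EPSS score in [0, 1]
    epss_percentile: float
    in_kev: bool              # listed in CISA Known Exploited Vulnerabilities
    trending: bool            # flagged as trending by our own sources


# Constructed sample. Only CVE-2024-21338's EPSS numbers come from the post.
SAMPLE = [
    Vuln("CVE-2024-21338", 0.00079, 0.32236, in_kev=True, trending=True),
    Vuln("CVE-0000-0001", 0.91000, 0.99000, in_kev=False, trending=False),  # placeholder id
    Vuln("CVE-0000-0002", 0.00200, 0.50000, in_kev=False, trending=True),   # placeholder id
    Vuln("CVE-0000-0003", 0.04000, 0.90000, in_kev=True, trending=False),   # placeholder id
]


def tier(v: Vuln) -> int:
    """0 = exploited now (KEV), 1 = trending, 2 = everything else (still fixed)."""
    if v.in_kev:
        return 0
    if v.trending:
        return 1
    return 2


def prioritise(vulns):
    """Return ALL vulns in fix order; lower tiers are scheduled later, not dropped.
    EPSS only orders entries within the same tier."""
    return sorted(vulns, key=lambda v: (tier(v), -v.epss_probability, v.cve))


def epss_kev_disagreements(vulns, threshold=0.1):
    """KEV entries whose EPSS probability is below `threshold`: the cases where an
    EPSS-only triage would deprioritise something that is already being exploited."""
    return [v.cve for v in vulns if v.in_kev and v.epss_probability < threshold]
```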

In Russian

The most magnificent thing about Vulnerabilities and who is behind the magic

The most magnificent thing about Vulnerabilities and who is behind the magic. What I like the most about software vulnerabilities is how “vulnerability”, as a quality of a real object (and the computer program is real), literally appears from nothing.

Let’s say we have a fully updated server. We turn it off, lock it in a safe and forget about it for half a year. Six months later, we take it out and turn it on. It is the same and works absolutely the same. But now it is also exposed to dozens of critical vulnerabilities that, with some (un)luck, can be exploited by any script kiddie. A new, important characteristic of a material object has appeared from nowhere. Isn’t this magnificent?

PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Management products

PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Management products. On May 21, I spoke at the PHDays 9 conference. I talked about new methods of Vulnerability Prioritization in the products of Vulnerability Management vendors.

During my 15-minute time slot I defined the problems that this new technology has to solve, showed why these problems could NOT be solved using existing frameworks (CVSS), described what we currently have on the market and, as usual, criticized VM vendors and their solutions a little bit.
