Tag Archives: vulners.com

ISACA Moscow Vulnerability Management Meetup 2018

Last Thursday, September 20th, I spoke at ISACA Moscow “Vulnerability Management” Meetup held at Polytechnic University. The only event in Moscow devoted solely to Vulnerability Management. So I just had to take part in it. 🙂

ISACA VM 2018 Alexander Leonov

The target audience of the event – people who implement the vulnerability management process in organizations and the employees of Vulnerability Management vendors. I noticed groups of people from Altex-Soft (Altx-Soft), Positive Technologies and Vulners.

It was very interesting to see such concentration of Vulnerability and Compliance Management specialists in one place. Questions from the audience were relevant and often concerned the weaknesses of competitors. 😉 Here I will make a brief overview of the reports. You can also read here about previous year event at “ISACA Moscow Vulnerability Management Meetup 2017“.

Talking about the audience, there were fewer people than last year, but still a lot:

ISACA VM 2018 auditorium small

The event was recorded. I will add video here as soon as it’s ready.

upd. Video in Russian. My presentation starts at 1:35:56

The event was conducted entirely in Russian, including all the slides. So, maybe I will make English subtitles and voiceover, at least for my part.

Continue reading →

Potential RCE in Nessus 7 and attacks on Vulnerability Scanners

Leave a reply

A few days ago I saw an interesting youtube video (UPD. 14.05.18 Not available anymore) in my Facebook feed. It is demonstrating the exploitation of the RCE vulnerability in Tenable Nessus Professional 7.0.3. Currently we have very few information about this vulnerability: only youtube video, which is mentioned only on ExploitWareLabs facebook page.

Nessus 7.0.3 RCE

While there is no exploit in public access, it’s hard to say how it actually works. It’s also not clear what versions of Nessus are affected. 7.0.3 is the latest version currently. Because of API disabling in Nessus 7 many users are still on 6.11.3. It is not clear whether they are affected or not.

This even can be a fake video. Therefore, I specifically write “potential RCE”. I will update this post when more data is available.

UPD. 14.05.18 In the comments to my Facebook post anonymous account Destring Portal posted a comment with the second video of Nessus RCE exploitation and it seems, that it was made by the same author. In this video, the author runs a remote shell on the Nessus host and executes various commands. I will add review of this second video bellow.

Nessus RCE second video

UPD. 10.05.18 Renaud Deraison, Co-Founder and CTO of Tenable, commented on my post at Linkedin:

Our research team studied the video and we have several reasons to doubt its authenticity. We’ve conducted a thorough audit over the last 48 hours based the few details that are in the video and didn’t find anything. We reached out the researcher and instead of replying he removed the video*. We’ll communicate if indeed there is a risk.

In general, you are right though – the security of scanners is of paramount importance. This actually is a topic I’ve been extremely worried about ever since the early days of Nessus. We have a number of security mechanisms in place (interpreted language for the detection scripts, ciphered temporary files, very limited runtime environment) which really aim to limit the risk of being exploited but also to mitigate the risk should the scanner be compromised. I actually did a few talks in the past about scanning “rogue hosts” and we continue to treat all input as hostile.

Again, we’re continuing to investigate the matter and will let you know if we find anything.

* currently video is still available on the same address; it could be probably blocked for some time. (UPD. 14.05.18 Not available anymore)

In any case, it’s a good reason to talk about vulnerabilities of such kind, how they appear and how to protect Vulnerability Scanners from attackers.

Continue reading →

CISO Forum and the problems of Vulnerability Databases

1 Reply

Last Tuesday, April 24, I was at “CISO FORUM 2020: glance to the future“. I presented there my report “Vulnerability Databases: sifting thousands tons of verbal ore”. In this post, I’ll briefly talk about this report and about the event itself.

CISO Forum 2020

My speech was the last in the program. At the same time, in a parallel stream, there was another interesting presentation by the most famous Russian information security blogger. Thus, there was a real danger of speaking in an empty room. 🙂 But everything went well. There were about 30 spectators and we had an active QA session afterwards.

As I wrote earlier, I started preparing my CyberCentral presentation several months before the event. I did not want to tell the same story again at CISO Forum and PHDays. So I prepared 2 different presentations. At CyberCentral, I was talking about Vulnerability Scanners. And at CISO Forum I was talking mainly about Vulnerable Databases. Of course, I reused some materials, but the accents were different.

Continue reading →

Vulchain scan workflow and search queries

1 Reply

This post will be about my Vulnerability Scanner project – Vulchain. Recently I’ve spent couple of my weekends almost exclusively on coding: refactoring the scan engine, creating API and GUI.

I was doing it because of the conferences, where I will be speaking soon:

April 11-13 CyberCentral in Prague. upd. Read about it at “CyberCentral Summit 2018 in Prague“
April 23–24 CISO Forum. upd. Read about it at “CISO Forum and the problems of Vulnerability Databases”
May 15–16 PHDays in Moscow. upd. Read about it at “PHDays8: Digital Bet and thousands tons of verbal ore“

Pretty intense schedule for a guy who spends most of his time in PyCharm and Linux console. 😉 Very excited! So, it seemed right to add a couple of slides about my project and show that something is already working.

Continue reading →

Vulners Web Vulnerability Scanner plugin for Google Chrome v. 2.0

1 Reply

Vulners Team released today the second version of their Web Vulnerability Scanning plugin for Google Chrome browser. You can read my description of the version 1.0 at “Vulners.com vulnerability detection plugins for Burp Suite and Google Chrome“.

Vulners web vulnerability scanner v.2.0

Killing feature of Vulners web scanner v. 2.0 is that you can now see all vulnerabilities on all scanned sites in a single window. You don’t need to checks all Google Chrome tabs manually.

Moreover, if some sites make request to other servers, for example googleapis.com, these servers will be checked automatically.

The plugin was fully refactored and now it is React driven. It works faster, analysis more data sources and detects vulnerabilities more accurately.

Continue reading →

Tracking changes in CERT bulletins and Nessus plugins using Vulners Time Machine

CERT.org

CERT.org Meltdown and Spectre

For example, in a case of latest Meltdown and Spectre vulnerability. Initial cert.org VU:584653 recommendation was “Replace CPU hardware”. 🙂

Continue reading →

Vulchain Scanner: 5 basic principles

2 Replies

New Year holidays in Russia lasts 10 days this year! Isn’t it an excellent opportunity to start a new project? So, I decided to make my own active network vulnerability scanner – Vulchain.

Why? Well, first of all, it’s fun. You can make the architecture from scratch, see the difficulties invisible from the user side and try something new in software development as well.

Basic principles of the project. This is not a dogma, but rather a general direction.

Data layers. I would like to have this independent sets of data:
- Raw data collections
- Software versions detected from the raw data
- Vulnerabilities detected from the software versions
- Exploitability assessment data for the detected vulnerabilities
Modularity. Most of functionality will be performed by the independent modules which read some data from one data level, and create some data on other data level.
Transparency. Data is stored constantly on the all levels. You can easily figure out how the data was processed, track the errors and modify modules.
Neutrality. All modules are independent and easily replaceable. For example:
- You can use Nmap or other port scanner to detect services. You can refuse active scanning completely and collect data from local agents or from your cmdb.
- You can use the Vulners Burp API and Linux Audit API to detect software vulnerabilities, use can use some other service or you can write your local detection scripts using NVD or Vulners Collections (see also “Vulnerability Assessment without Vulnerability Scanner“).
Rationality. If it is possible to use some security utility, service or product, we will integrate with them, rather than writing our own analogue. We spend resources only on what will give us the maximum profit at a minimum of costs. 😉