Sunday, April 7, 2024

Vulnerability Management - Applied Microsoft patches not getting detected

Recently, patch management tools such as MECM (used in environments running Windows) have been reporting systems as compliant after patches are pushed through them. But when the same systems are scanned with a vulnerability management solution, they show up with missing patches.

Now that the context is set, I would like to discuss the cause.

It is because of the UBR (Update Build Revision) number. VM solutions look at the UBR number to decide whether the latest patch is applied or not. UBR can be read from the registry at key "HKLM:\SOFTWARE\Microsoft\Windows". Microsoft changes the UBR value every time a new patch is released. So, whenever patches are pushed using a patching solution, verify that the UBR number has been updated accordingly; if the patch tool says compliant but the UBR has not moved, the scanner will keep reporting the patch as missing.
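The reconciliation described above, as an added example that is not part of the original post: Windows stores the UBR as a DWORD next to CurrentBuild under HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion, and the full OS version is 10.0.<CurrentBuild>.<UBR>. The script reads those two values on a Windows host, and compares a patch tool's "installed" claims against the UBR each KB should have left behind. The KB-to-UBR table and the host names are constructed placeholders; real values come from Microsoft's update history pages for the build in question.

```python
"""Compare a patch tool's compliance report with the UBR actually present.

Added example, not from the original post. The KB-to-UBR mapping below is a
constructed placeholder; take real values from the vendor's release notes.
"""
import platform
from typing import Optional, Tuple

# Constructed placeholder: KB article -> (CurrentBuild, UBR after the KB is installed).
EXPECTED_UBR = {
    "KB-PLACEHOLDER-1": ("19045", 4170),
    "KB-PLACEHOLDER-2": ("20348", 2340),
}


def read_build_and_ubr() -> Optional[Tuple[str, int]]:
    """Read CurrentBuild and UBR from the registry; returns None off Windows."""
    if platform.system() != "Windows":
        return None
    import winreg  # only importable on Windows
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        build, _ = winreg.QueryValueEx(key, "CurrentBuild")
        ubr, _ = winreg.QueryValueEx(key, "UBR")
    return str(build), int(ubr)


def full_version(build: str, ubr: int) -> str:
    """The version string a scanner fingerprints, e.g. 10.0.19045.4170."""
    return f"10.0.{build}.{ubr}"


def patch_state(build: str, ubr: int, kb: str) -> str:
    """Classify a host against the UBR that a KB should have produced.

    'applied'     - UBR at or above the expected revision
    'missing'     - same build line but UBR below expected: the case where the
                    patch tool says compliant and the scanner says missing
    'other-build' - KB targets a different build, not comparable
    'unknown-kb'  - no expectation recorded for this KB
    """
    expected = EXPECTED_UBR.get(kb)
    if expected is None:
        return "unknown-kb"
    exp_build, exp_ubr = expected
    if build != exp_build:
        return "other-build"
    return "applied" if ubr >= exp_ubr else "missing"


def reconcile(patch_tool_report, ubr_inventory):
    """List hosts the patch tool marks compliant but whose UBR disagrees.

    patch_tool_report: {hostname: [kb, ...]}   what the patch tool claims
    ubr_inventory:     {hostname: (build, ubr)} what the registry says
    """
    discrepancies = []
    for host, kbs in patch_tool_report.items():
        if host not in ubr_inventory:
            discrepancies.append((host, "no-ubr-data", None))
            continue
        build, ubr = ubr_inventory[host]
        for kb in kbs:
            if patch_state(build, ubr, kb) == "missing":
                discrepancies.append((host, kb, full_version(build, ubr)))
    return discrepancies


if __name__ == "__main__":
    # Constructed sample: srv02 claims the KB but its UBR never moved.
    report = {"srv01": ["KB-PLACEHOLDER-1"], "srv02": ["KB-PLACEHOLDER-1"]}
    inventory = {"srv01": ("19045", 4170), "srv02": ("19045", 3996)}
    for row in reconcile(report, inventory):
        print("UBR mismatch:", row)
    local = read_build_and_ubr()
    if local:
        print("this host reports", full_version(*local))
```

In practice the inventory side is collected with the same registry read run remotely (or by the VM solution's own fingerprint), and the report side is exported from the patch tool; any host that lands in the "missing" list is where the troubleshooting steps below apply.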

Following are some troubleshooting steps I found using a simple Google search 😬:

  1. Check for updates: Make sure that systems are configured to check for updates automatically and that they are connected to the internet. You can check for updates manually by going to Settings > Update & Security > Windows Update and clicking “Check for updates”.
  2. Restart the Windows Update service: If the Windows Update service is not functioning properly, you can try restarting the service. To do this, open the Services console (services.msc) and locate the Windows Update service. Right-click on the service and select “Restart”.
  3. Reset the Windows Update components: If restarting the service does not resolve the issue, you can try resetting the Windows Update components. Microsoft provides a script that can automate this process.
  4. Manually install updates: If the UBR value is still not updating properly, you can try manually installing the updates on the affected server. You can download the updates from the Microsoft Update Catalog and install them manually.
  5. Check for errors in the event logs: Check the Event Viewer logs for any errors or warnings related to the Windows Update service or the installation of updates. These logs may provide additional clues about the cause of the issue.
  6. If using MECM, you can try reinstalling the MECM clients on affected servers.

Please refer to the URLs below for more details:
https://www.vcloudinfo.com/2020/12/how-to-decode-windows-version-numbers.html

https://community.spiceworks.com/t/windows-ubr-value-not-updating-after-windows-update/948275

https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0094555

Happy Learning
#vulnerabilitymanagement #cybersecurity

Vulnerability Management - Vulnerabilities vs Vulnerable Instance (Rapid7)

Rapid7 considers a vulnerability different from a vulnerable instance.


Vulnerabilities:

A “vulnerability” is a unique, defined, and publicly disclosed software weakness. Each vulnerability is typically identified by an enumeration system, barring a few exceptions based on the type of software. Although multiple enumeration systems exist, the Common Vulnerabilities and Exposures (CVE) system is the most widely used and accepted system today.

Vulnerability Instances:

A “vulnerability instance” refers to the specific condition on an asset that causes it to be vulnerable to a vulnerability. An asset can be vulnerable to the same vulnerability in multiple ways. Common causes for this scenario are:
  1. Having multiple versions of the same software installed on an asset at the same time; all of which are vulnerable to the same vulnerability.
  2. Being vulnerable to the same vulnerability through multiple network ports.

So be careful when you compare numbers between raw reports and InsightVM's dashboards. Raw reports will always show higher counts (if you have selected the 'Vulnerability Proof' and 'Service Port' columns) than the dashboard does, because each port or proof gets its own row. I have not observed this kind of distinction in Qualys and Tenable yet.
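To make the difference between the tallies concrete, here is an added example (not Rapid7's code) that reads a constructed InsightVM-style export and counts it three ways: distinct vulnerabilities, distinct asset/vulnerability pairs, and raw rows (one per port or proof). The column names are assumed to match the report template; adjust them for your own export.

```python
"""Tally a vulnerability export three ways so raw-report and dashboard
numbers can be reconciled.

Added example, not vendor code. The CSV below is constructed; column names
are assumptions about the report template.
"""
import csv
import io
from collections import defaultdict

# Constructed export: 10.0.0.5 has two copies of one product (two proofs for
# the same vulnerability); 10.0.0.7 exposes one vulnerability on two ports.
RAW_REPORT = """\
Asset IP Address,Vulnerability ID,Vulnerability Title,Service Port,Vulnerability Proof
10.0.0.5,example-vuln-a,Example vuln A,0,Installed version 1.0 at C:\\Program Files\\App
10.0.0.5,example-vuln-a,Example vuln A,0,Installed version 1.1 at C:\\Users\\x\\App
10.0.0.7,example-vuln-b,Example vuln B,443,TLS 1.0 offered
10.0.0.7,example-vuln-b,Example vuln B,8443,TLS 1.0 offered
10.0.0.7,example-vuln-a,Example vuln A,0,Installed version 1.0
"""


def load_rows(text: str):
    """Parse the export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def tally(rows):
    """Return the counts a practitioner usually has to explain.

    vulnerabilities      - distinct vulnerability IDs
    asset_vuln_pairs     - distinct (asset, vulnerability) combinations
    instances            - raw rows, one per port/proof (the report line count)
    multi_instance_pairs - pairs that appear more than once, i.e. the assets
                           that are vulnerable to one vulnerability in more
                           than one way
    """
    vulns = set()
    per_pair = defaultdict(int)
    for r in rows:
        vuln = r["Vulnerability ID"]
        asset = r["Asset IP Address"]
        vulns.add(vuln)
        per_pair[(asset, vuln)] += 1
    return {
        "vulnerabilities": len(vulns),
        "asset_vuln_pairs": len(per_pair),
        "instances": len(rows),
        "multi_instance_pairs": sorted(k for k, v in per_pair.items() if v > 1),
    }


def explain(rows) -> str:
    """Human-readable summary of why the three numbers differ."""
    t = tally(rows)
    lines = [f"{t['vulnerabilities']} vulnerabilities, "
             f"{t['asset_vuln_pairs']} asset/vulnerability pairs, "
             f"{t['instances']} raw report rows"]
    for asset, vuln in t["multi_instance_pairs"]:
        lines.append(f"  {asset} is vulnerable to {vuln} in more than one way")
    return "\n".join(lines)


if __name__ == "__main__":
    print(explain(load_rows(RAW_REPORT)))
```

Whichever of the three figures a given dashboard widget uses, the raw row count is the only one that grows with the number of ports and proofs, which is why a report exported with those columns never matches a per-asset or per-vulnerability view.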

Please refer to the URL below for more details:
https://docs.rapid7.com/insightvm/vulnerability-metrics-explained/

Happy Learning
#vulnerabilitymanagement #cybersecurity

Vulnerability Management - Orphan Vulnerabilities

Vulnerabilities with an unknown status are known as orphan vulnerabilities. So the question is: why can we not know the status of such vulnerabilities?

Suppose you ran an authenticated scan against a server, and some of the vulnerabilities detected required authentication to be checked. Now, if for some reason you stop running authenticated scans, the scanner has no way to know whether the vulnerabilities detected in the previous scan still exist or not. So, even if you remediate these vulnerabilities, they will still exist in the database. The only way out is to manually purge the asset data or run an authenticated scan once again. Even if an agent is installed on the server, the vulnerabilities will still exist in the database, because VM solutions track data collected by a scanning appliance and by an agent separately.

If you are scanning the same server with an agent as well, the following action can be taken (in the case of Rapid7 InsightVM):
you can enable complementary scanning (i.e. the scanner will skip authenticated checks wherever an agent is installed).
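The status logic described in this post, as an added example that is not vendor code: a finding whose check was not executed in the latest scan keeps no evidence either way and is marked unknown (an orphan), while agent results, when present, stand in for the authenticated checks the scanner skipped. The vulnerability names, the requires-authentication table and the status names are constructed for illustration; the vendors' own state names differ.

```python
"""Model why a finding becomes an orphan when its check stops being run,
and how complementary agent coverage closes the gap.

Added example, not vendor code. Vulnerability IDs and the
'requires authentication' table are constructed.
"""
from typing import Dict, Iterable, Optional, Set

# Constructed: which checks can only be performed with credentials (or an agent).
REQUIRES_AUTH = {
    "vuln-remote-1": False,   # banner/network check, works unauthenticated
    "vuln-local-1": True,     # local package version check
    "vuln-local-2": True,
}


def reconcile_scan(known: Set[str], authenticated: bool, found: Set[str],
                   agent_found: Optional[Iterable[str]] = None) -> Dict[str, str]:
    """Compute the status of every vulnerability after one scan.

    known        - vulnerabilities the database already holds for the asset
    authenticated- whether this scan ran credentialed checks
    found        - what the scanner detected this time
    agent_found  - what an installed agent reports, or None if no agent
    """
    agent = set(agent_found) if agent_found is not None else None
    statuses = {}
    for vuln in known | found | (agent or set()):
        checked_by_scanner = authenticated or not REQUIRES_AUTH.get(vuln, False)
        if checked_by_scanner:
            statuses[vuln] = "vulnerable" if vuln in found else "remediated"
        elif agent is not None:
            # complementary scanning: the agent answers for local checks
            statuses[vuln] = "vulnerable" if vuln in agent else "remediated"
        else:
            # check not run, no agent: nothing proves it fixed or present
            statuses[vuln] = "unknown"
    return statuses


def orphans(statuses: Dict[str, str]):
    """The findings that need a purge or a fresh authenticated scan."""
    return sorted(v for v, s in statuses.items() if s == "unknown")


if __name__ == "__main__":
    first = reconcile_scan(set(), True, {"vuln-remote-1", "vuln-local-1", "vuln-local-2"})
    # vuln-local-1 is patched, then only unauthenticated scans run:
    second = reconcile_scan(set(first), False, {"vuln-remote-1"})
    print("without agent, orphans:", orphans(second))
    # same situation with an agent reporting only vuln-local-2:
    third = reconcile_scan(set(first), False, {"vuln-remote-1"}, agent_found={"vuln-local-2"})
    print("with agent, orphans:", orphans(third), "local-1 is", third["vuln-local-1"])
```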

Please refer to the URLs below for more details:
In case of Rapid7:
https://docs.rapid7.com/insightvm/using-the-insight-agent-with-insightvm/

In case of Qualys:
https://qualysguard.qg2.apps.qualys.com/qwebhelp/fo_portal/host_assets/agent_merge_data.htm

Happy Learning !!

Vulnerability Management - Mass target vulnerability remediation

We all know about various prioritization techniques used for targeted vulnerability remediation.

But how will you bring down a huge vulnerability count?

Following are the ways I have observed so far:
  1. Increase the compliance percentage for patch management (ensure all in-scope assets are onboarded to the patch management solution and patches are being pushed regularly).
  2. Disable deprecated protocols such as SMBv1.0 and SMBv1.1.
  3. Remove software which is no longer used in your environment.
  4. Decommission EOL operating systems (of course after running a scream test).

I still think if you are not breaking anything then you are not remediating 😅. Jokes apart, the points mentioned above are easy wins, the so-called low-hanging fruit, and hence easy to target.

Happy Learning !!

Saturday, November 4, 2023

Vulnerability Management - Suppress Vulnerabilities

Today I will share with you a way by which you can ignore 99.9% of vulnerabilities in your environment. Ha ha ... Just kidding.


But on a serious note, there are a few vulnerabilities which you can suppress. Let's see them one by one.


1. SSL related vulnerabilities on systems in the LAN network:

e.g. SSL Certificate Cannot Be Trusted (https://www.tenable.com/plugins/nessus/51192)

e.g. SSL Self-Signed Certificate (https://www.tenable.com/plugins/nessus/57582)

e.g. SSL Certificate with Wrong Hostname (https://www.tenable.com/plugins/nessus/45411)

Reason -> Organizations use self-signed certificates for systems in the LAN.


2. Vulnerabilities which are difficult to exploit due to enforcement of policy:

e.g. Microsoft Office Trust Access to VBA Project Model Object Enabled (https://www.tenable.com/plugins/nessus/123461)

Reason -> VBA can be disabled using GPO.

3. Vulnerabilities due to how an OS vendor handles their patching regime and discloses vulnerabilities:

e.g. CentOS vulnerabilities on Tenable Core not being mitigated (https://community.tenable.com/s/article/CentOS-vulnerabilities-on-Tenable-Core-not-being-mitigated?language=en_US)


4. In almost all organizations, patching on Windows servers is done via various patching tools (not via automatic updates):

e.g. MS KB3119884: Improperly Issued Digital Certificates Could Allow Spoofing (https://www.tenable.com/plugins/nessus/87313)

The plugin was flagged on Windows 2012 R2 servers, but the issue was fixed in Windows Server 2016.


5. Non-availability of patches from OS vendors:

e.g. Curl 7.84 <= 8.2.1 Header DoS (CVE-2023-38039) for Windows 10 and Windows 11 OS (https://learn.microsoft.com/en-us/answers/questions/1387774/curl-7-84-(-8-2-1-header-dos-(cve-2023-38039)-for) (https://www.tenable.com/plugins/nessus/181409)

e.g. Curl 7.69 < 8.4.0 Heap Buffer Overflow (https://www.tenable.com/plugins/nessus/182875)

Reason -> Platform support teams will not update packages from open source projects themselves, as it might break things and they would lose vendor support.


I know this is not much, but as the saying goes, "a little help is worth much more for the wretched". Ultimately you need to use EPSS, CISA KEV, and various threat intel sources for prioritization to reduce the set of actionable vulnerabilities.


Happy Learning !!

Vulnerability Management - Scanning approach to Load Balancers

We all know how important high availability solutions are these days. A load balancer (LB) is one such system: it provides high availability along with various other features such as security, scalability and performance.

An LB is a device or software that sits between clients and servers in a network. It distributes incoming traffic across multiple servers to ensure that the load is balanced and network services remain available. LBs are, by their very nature, intended to hide what is behind them.

But scanning through an LB can produce unwanted results. Because it directs network traffic among multiple servers, when you scan THROUGH an LB using a VIP you will get different results for the same VIP address across multiple scans.

The following issues may arise while scanning through an LB:

  • Scanning LBs will show any vulnerabilities of the LBs themselves, which may lead you to think that the vulnerability is on the actual server when it is not.
  • Scanning through LBs, assuming there are multiple servers behind them, may give you different results each time you scan the IP. For example, the first scan hits Server1 and the second scan hits Server2. If those servers are not completely identical, the results will vary.
  • Suppose you are scanning a /24 subnet with 10 assets or so. Due to the high intensity of the scan, LBs may go into a hardware protection mode and simply send a reply for every single query the scanner makes. This will result in 255 assets showing as alive.

Hence, you should never scan THROUGH an LB. Either deploy agents, or place a scanner on the inside network of the LB. To scan an LB itself you would need to use its management IP address.

When scanning using a Virtual IP Address (VIP), there is currently no way, from the scanning solution's perspective, to tell whether an IP address is a VIP or not. You would need to write a script to pull the configs from the LBs and extract the VIPs.
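The script suggested above, as an added example that is not part of the original post: it pulls VIPs out of an exported LB configuration, splits a scan target list into VIPs to exclude and hosts to keep, and adds two checks for the symptoms described earlier (a target whose fingerprint changes between scans, and a sweep where nearly every address in a subnet answers). The configuration text is constructed and only loosely modelled on the `ltm virtual` / `destination` layout of an F5 tmsh export; the regex will need adjusting for other vendors.

```python
"""Extract VIPs from an LB config export and sanity-check scan results.

Added example, not vendor code. LB_CONFIG is constructed; the 'destination'
regex is an assumption modelled loosely on F5 tmsh output.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

LB_CONFIG = """\
ltm virtual /Common/vs_web_443 {
    destination /Common/10.1.1.10:443
    pool /Common/pool_web
}
ltm virtual /Common/vs_app_8443 {
    destination /Common/10.1.1.11:8443
    pool /Common/pool_app
}
ltm virtual /Common/vs_ssh_front {
    destination /Common/10.1.1.10:22
}
"""

# 'destination [/partition/]<ipv4>:<port-or-service-name>'
DEST_RE = re.compile(
    r"^\s*destination\s+(?:/[^/\s]+/)?(\d{1,3}(?:\.\d{1,3}){3}):(\S+)", re.M)


def extract_vips(config: str) -> Dict[str, Set[str]]:
    """Map each VIP address to the set of services it fronts."""
    vips = defaultdict(set)
    for ip, service in DEST_RE.findall(config):
        vips[ip].add(service)
    return dict(vips)


def split_targets(targets: Iterable[str], vips: Dict[str, Set[str]]) -> Tuple[List[str], List[str]]:
    """Return (targets to scan, VIPs to exclude) from a proposed target list."""
    keep, exclude = [], []
    for t in targets:
        (exclude if t in vips else keep).append(t)
    return sorted(keep), sorted(exclude)


def unstable_targets(scan_history: Dict[str, List[str]]) -> List[str]:
    """IPs whose fingerprint (OS, banner, hostname...) changed between scans:
    the classic sign of scanning THROUGH an LB with non-identical backends."""
    return sorted(ip for ip, fps in scan_history.items() if len(set(fps)) > 1)


def sweep_looks_saturated(alive: Iterable[str], subnet: str, threshold: float = 0.9) -> bool:
    """True when almost every address in the subnet answered, which an LB in
    protection mode produces regardless of how many real hosts exist."""
    net = ipaddress.ip_network(subnet, strict=False)
    answered = sum(1 for ip in alive if ipaddress.ip_address(ip) in net)
    return answered >= threshold * net.num_addresses


if __name__ == "__main__":
    vips = extract_vips(LB_CONFIG)
    keep, exclude = split_targets(["10.1.1.10", "10.1.1.20", "10.1.1.11"], vips)
    print("scan:", keep, "exclude (VIPs):", exclude)
    history = {"10.1.1.10": ["Linux 5.x nginx", "Linux 4.x Apache"],  # constructed
               "10.1.1.20": ["Windows Server", "Windows Server"]}
    print("fingerprint varies:", unstable_targets(history))
    flood = [str(ip) for ip in ipaddress.ip_network("10.1.1.0/24")][1:]  # 255 'alive'
    print("sweep saturated:", sweep_looks_saturated(flood, "10.1.1.0/24"))
```

Feeding the exclusion list into the scan template, and running the two checks over each scan's results, turns the "never scan through an LB" rule into something that can be verified rather than remembered.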

Please refer to the URLs below for more details:

What is a LB? (https://aws.amazon.com/what-is/load-balancing/#:~:text=Load%20balancers%20increase%20the%20fault,or%20upgrades%20without%20application%20downtime)

Scanning approach to LBs (https://community.tenable.com/s/question/0D5f200005YPgFsCAL/scanning-approach-to-load-balancers?language=en_US)

What is a Virtual IP Address (VIP)? (https://www.pubconcierge.com/blog/virtual-ip-what-is-it-and-how-it-works/)


Happy Learning !!

Tuesday, October 3, 2023

Vulnerability Management - Vulnerability Dashboard using Power BI

Was playing with Power BI today. Created a simple dashboard using CISA KEV vulnerability data from https://nucleussec.com/cisa-kev/ (Nucleus Security)

What’s the difference between Power BI and Excel?
Will not comment rather I would say "What’s the difference between an alligator and a crocodile? You’ll see one later and one in a while." 😁

Happy Learning !!

CyberSecurity - Why do we need standard data formats?

As we all know, there are standard data formats for the storage, representation and exchange of many kinds of information in the CyberSecurity domain, for example:

1. Vulnerability - CVE

2. Platform - CPE, SWID and PURL

3. Configuration - CCE

4. Vulnerability Scoring - CVSS

5. SBOM - CycloneDX and SPDX

6. Identity Information - SAML and JWT

7. Malware Information - MAEC and MISP

8. Threat Information - STIX and TAXII

9. Log File - CSV, JSON, KVP (Key Value Pair) and CEF (Common Event Format)

and the list goes on.


Standard data formats are necessary for the following reasons:

1. They enable correlation, integration and automation.

2. They allow information to be exchanged among security vendors and among security researchers.

3. They allow faster development of countermeasures (signatures and security patches).

4. They reduce potential duplication of malware and vulnerability analysis efforts by researchers.


Happy Learning !!

Vulnerability Management - Basics for beginners

Beginners in the Vulnerability Management domain have doubts such as where to begin or what to study. I have created a document and tried to answer such doubts. It is always good to learn the basics and then move towards advanced concepts. I have tried to provide links for the corresponding points in the document as much as I can. Where you don't find a link, or the link has expired, you can always google it :).


Following are the points I want to highlight through this post:

  1. For beginners, please don't try to search for interview questions directly. First create a theoretical base and realize the concepts by performing practicals.
  2. Slow and steady wins the race, so give it 4-6 months of time. While going through the document you will observe that 40%-60% of the concepts are basics, hence you will not be wasting time by learning them. After some time, if you don't find Vulnerability Management interesting, you can always move to other subdomains like incident response and penetration testing.
  3. You will get hands-on experience with enterprise solutions once you join an organization. You will face a different set of challenges there. Many on LinkedIn create posts to address such challenges, but first clear your basics to understand such posts/articles.
  4. Once you have performed the above steps, you can search for interview questions and start appearing for interviews.
  5. I do not recommend going directly for global certifications, as a lot of content is available on the internet.


Finally, I find articles from Balint F. very interesting.

https://www.linkedin.com/in/balint-fazakas/recent-activity/articles/


Happy Learning !!


Vulnerability Management - Understanding vulnerability posture

Understanding the vulnerability posture of an organisation at a basic level helps you drive remediation efforts. So, I don't know what t...