On October 25th the Apache team announced a vulnerability (CVE-2023-46604) in ActiveMQ that could lead to unauthenticated remote code execution. Shortly after the issue was disclosed, exploits started to appear, and the Rapid7 MDR team posted a blog speculating that this vulnerability is being used to deliver ransomware. The Apache ActiveMQ project scored this as CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H (10.0).
What is Apache ActiveMQ®?
Apache ActiveMQ® is an open source message broker written in Java that supports AMQP, MQTT, STOMP, and JMS clients. Apache ActiveMQ describes itself as “the most popular open source, multi-protocol, Java-based message broker. It supports industry standard protocols so users get the benefits of client choices across a broad range of languages and platforms.” ActiveMQ is used for custom application development and is often embedded into commercial product stacks.
Are updates available?
The Apache ActiveMQ team has addressed this issue in versions 5.18.3, 5.17.6, 5.16.7, and 5.15.16, with the appropriate update dependent on which minor version is used.
How do I find potentially vulnerable versions of ActiveMQ with runZero?
Apache ActiveMQ services can be found by navigating to the Asset Inventory and using the following query:
port:61616 OR product:activemq OR protocol:activemq
Results from the above query should be triaged to determine if they require patching or vendor intervention.
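Because the fix for CVE-2023-46604 lands in a different patch release for each minor line (5.15.16, 5.16.7, 5.17.6, 5.18.3), triaging query results means comparing each version against the fix for its own line. The helper below is an added example, not runZero code; the banner strings are constructed, and anything outside the four listed lines is flagged for manual review rather than guessed.

```python
"""Triage ActiveMQ version strings against the fixed releases named above (constructed example)."""
import re

# Fixed releases per minor line, as listed for CVE-2023-46604: 5.15.16, 5.16.7, 5.17.6, 5.18.3.
FIXED_BY_MINOR = {(5, 15): (5, 15, 16), (5, 16): (5, 16, 7), (5, 17): (5, 17, 6), (5, 18): (5, 18, 3)}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first x.y.z version in a banner/product string as an int tuple, or None."""
    m = VERSION_RE.search(text or "")
    return tuple(int(g) for g in m.groups()) if m else None


def triage_activemq(text):
    """Classify one query result as 'patched', 'vulnerable' or 'review' (needs a manual look)."""
    ver = parse_version(text)
    if ver is None:
        return "review"                      # no version in the banner: check the host directly
    fixed = FIXED_BY_MINOR.get(ver[:2])
    if fixed is None:
        # Lines older than 5.15 have no listed fix (assumed vulnerable); lines newer than 5.18
        # are outside the advisory's list, so confirm against the vendor's current release notes.
        return "vulnerable" if ver < (5, 15, 0) else "review"
    return "patched" if ver >= fixed else "vulnerable"


def summarize(banners):
    """Group banner strings (e.g. the product field of each query hit) by triage verdict."""
    out = {"patched": [], "vulnerable": [], "review": []}
    for banner in banners:
        out[triage_activemq(banner)].append(banner)
    return out


# Constructed sample banners, not real scan output; "5.19.0" is a hypothetical newer line.
SAMPLE_BANNERS = ["ActiveMQ/5.17.2", "ActiveMQ/5.18.3", "ActiveMQ/5.14.5",
                  "ActiveMQ/5.16.7", "ActiveMQ", "ActiveMQ/5.19.0"]
```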
As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.
Upon successful exploitation, this vulnerability (tracked as CVE-2023-20198) can allow attackers to execute arbitrary commands on the vulnerable system. This includes the creation of privileged users, installation of additional modules or code, and, in general, total system compromise.
Are updates or workarounds available?
As of October 16th, 2023, software updates are not available. Cisco recommends disabling the Web UI component of all Internet-facing IOS-XE devices.
How do I find potentially vulnerable Cisco IOS-XE devices with runZero?
From the Services Inventory, use the following query to locate assets running the Cisco IOS-XE operating system in your network that expose a web interface and which may need remediation or mitigation:
(products:nginx OR products:openresty) AND _asset.protocol:http AND protocol:http AND http.body:"window.onload=function%url%=%/webui"
Additional fingerprinting research is ongoing, and additional queries will be published as soon as possible.
Upon successful exploitation, this vulnerability (tracked as CVE-2023-22515) can provide privilege escalation to external attackers, allowing them to create Confluence administrator accounts and gain unrestricted access to affected instances.
Are updates available?
Atlassian has made fixes available and strongly encourages admins to update their hosted instances. If patching in the near term isn’t viable, Atlassian also provides mitigation strategies to limit exploitation opportunities, along with recommended steps to check for evidence of compromise. CISA has added this zero-day to its Known Exploited Vulnerabilities Catalog, advising organizations to check for evidence of compromise and to report any positive findings back to CISA.
How do I find potentially vulnerable Confluence instances with runZero?
From the Service Inventory, use the following pre-built query to locate assets running Confluence within your network which may need remediation or mitigation:
product:confluence OR (_asset.protocol:http AND protocol:http AND has:http.head.xConfluenceRequestTime)
As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.
On September 27th, Progress Software announced eight vulnerabilities in the WS_FTP Server software. These issues can lead to a full compromise of exposed WS_FTP systems and their data through the FTP, SSH, and web management services, which are often externally exposed.
The four most serious vulnerabilities in this set:
CVE-2023-40044 (CVSS 10.0). An exposure in the web interface that leads to remote code execution through a .NET deserialization vulnerability. This is the issue most likely to be mass-exploited due to the lack of authentication and the likelihood of this web interface being exposed to untrusted networks. Rapid7 noted that this appears to be exploitable with a single HTTP POST request using an existing payload from the ysoserial.net project.
CVE-2023-42657 (CVSS 9.0). An exposure in the FTP/SCP (SSH) implementation that enables file operations outside of the WS_FTP data folder through a directory traversal vulnerability. This issue can allow an attacker to access, modify, and delete files on the server, which can expose data, but also allow remote code execution in some configurations.
CVE-2023-40046 (CVSS 8.2). An exposure in the web interface that allows for database access through a SQL injection vulnerability. It’s not clear if a valid user account is required to access this code path, but an attacker could use this to read and modify database contents, which in turn can lead to a full server compromise.
CVE-2023-40049 (CVSS 5.3). An exposure in the web interface that exposes file and directory lists within the WebServiceHost folder. Although this does not lead to remote code execution on its own, it may be an important exposure in that it will help attackers identify systems vulnerable to the more serious issues above.
What is Progress Software WS_FTP Server?
WS_FTP is a product that allows customers to easily share files between teams and organizations. Progress Software (formerly Ipswitch) describes WS_FTP as:
WS_FTP Professional is the safest and easiest way to securely upload and download files. Enjoy SFTP transfers with the highest levels of encryption, ease of use, customization, and low administrative overhead.
Are updates available?
Progress Software has patched these issues in version 8.8.2.
How do I find potentially vulnerable versions of WS_FTP with runZero?
Assets with the WS_FTP FTP, SSH, and web services enabled can be found by navigating to the Service Inventory and using the following pre-built query:
product:ws_ftp OR (_asset.protocol:http AND (http.head.location:"/ThinClient/WTM/" OR html.title:="Web Transfer Client"))
To determine if the instance has the WS_FTP Ad Hoc module installed, browse to https://[instance-host:port]/AHT/AHT_UI/public/index.html.
If the module is installed, this page will include an image like the one shown below:
As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.
On September 27th, Trend Micro’s Zero Day Initiative (ZDI) published details of a critical zero-day vulnerability that allows an unauthenticated attacker the ability to remotely execute arbitrary code within the context of an Exim SMTP service account. In addition, ZDI disclosed five additional zero-day vulnerabilities with lower severity rankings:
Exim is an open source message transfer agent (MTA) that runs on Unix/Linux operating systems. Exim is also the default MTA on Debian Linux distributions.
Are updates available?
Recently, the maintainers of the Exim mail server issued version 4.96.1, which appears to resolve four of the six vulnerabilities listed above. Although the maintainers are still working to resolve the remaining vulnerabilities, if you are running Exim mail servers on your network, you should apply the security patch immediately.
How do I find potentially vulnerable Exim mail servers with runZero?
A Shodan search showed nearly 3.5 million Exim servers exposed to the internet. Their accessibility makes these mail transfer agents targets for attackers.
With runZero, you can find Exim mail servers in your inventory with this pre-built query. This query searches for any live asset that has the exim product exposed over SMTP.
product:exim
As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.
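The ActiveMQ, Cisco IOS-XE, Confluence, WS_FTP and Exim sections above each rely on a runZero inventory query built from field:value terms, AND/OR, parentheses, has:field and the := exact-match form. The evaluator below is an added example, not runZero's own engine: it parses those five queries as quoted on this page and runs them offline against constructed service records, so a practitioner can see exactly which attribute makes a service a hit. The matching semantics (case-insensitive substring match, % as a wildcard, list-valued attributes matched element-wise) are an assumed simplification.

```python
"""Offline evaluator for the runZero-style queries on this page (constructed, simplified semantics)."""
import re

TOKEN_RE = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')


def tokenize(query):
    """Split into '(', ')', AND/OR and field:value tokens, rejoining field:"quoted value"."""
    raw, toks, i = TOKEN_RE.findall(query), [], 0
    while i < len(raw):
        t = raw[i]
        if t.endswith((":", ":=")) and i + 1 < len(raw) and raw[i + 1].startswith('"'):
            t, i = t + raw[i + 1], i + 1
        toks.append(t)
        i += 1
    return toks


class Query:
    """Recursive-descent parser: OR binds loosest, AND tighter, parentheses group."""

    def __init__(self, text):
        self.toks, self.pos = tokenize(text), 0
        self.ast = self._expr()
        if self.pos != len(self.toks):
            raise ValueError("unexpected token: " + self.toks[self.pos])

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else ""

    def _expr(self):
        return self._chain("OR", lambda: self._chain("AND", self._term))

    def _chain(self, op, sub):
        """Parse `sub (op sub)*` into a left-nested tree of (op, left, right) nodes."""
        node = sub()
        while self._peek().upper() == op:
            self.pos += 1
            node = (op.lower(), node, sub())
        return node

    def _term(self):
        t = self._peek()
        self.pos += 1
        if t == "(":
            node = self._expr()
            if self._peek() != ")":
                raise ValueError("missing ')'")
            self.pos += 1
            return node
        if ":" not in t:
            raise ValueError("expected field:value, got %r" % t)
        field, value = t.split(":", 1)
        if field == "has":                       # has:FIELD -> attribute is present
            return ("has", value)
        kind = "exact" if value.startswith("=") else "match"   # field:=value -> exact match
        return (kind, field, value.lstrip("=").strip('"'))

    def matches(self, record):
        return _eval(self.ast, record)


def _eval(node, record):
    kind = node[0]
    if kind == "or":
        return _eval(node[1], record) or _eval(node[2], record)
    if kind == "and":
        return _eval(node[1], record) and _eval(node[2], record)
    if kind == "has":
        return node[1] in record
    _, field, want = node
    raw = record.get(field, [])
    vals = [str(x) for x in (raw if isinstance(raw, list) else [raw])]
    if kind == "exact":
        return any(v.lower() == want.lower() for v in vals)
    pattern = ".*".join(re.escape(part) for part in want.split("%"))  # '%' = wildcard (assumed)
    return any(re.search(pattern, v, re.IGNORECASE) for v in vals)


QUERIES = {  # the five pre-built queries quoted on this page, keyed by product
    "activemq": "port:61616 OR product:activemq OR protocol:activemq",
    "ios-xe-webui": '(products:nginx OR products:openresty) AND _asset.protocol:http AND protocol:http AND http.body:"window.onload=function%url%=%/webui"',
    "confluence": "product:confluence OR (_asset.protocol:http AND protocol:http AND has:http.head.xConfluenceRequestTime)",
    "ws_ftp": 'product:ws_ftp OR (_asset.protocol:http AND (http.head.location:"/ThinClient/WTM/" OR html.title:="Web Transfer Client"))',
    "exim": "product:exim",
}

SERVICES = [  # constructed sample service records (flat attribute dicts), not real inventory data
    {"address": "10.0.0.5", "port": 61616, "protocol": "openwire", "product": "ActiveMQ"},
    {"address": "10.0.0.9", "port": 443, "protocol": "http", "_asset.protocol": ["http", "ssh"], "products": ["nginx"], "http.body": "<script>window.onload=function(){var url='/webui/';}</script>"},
    {"address": "10.0.0.12", "port": 8090, "protocol": "http", "_asset.protocol": ["http"], "http.head.xConfluenceRequestTime": "42"},
    {"address": "10.0.0.20", "port": 443, "protocol": "http", "_asset.protocol": ["http"], "html.title": "web transfer client"},
    {"address": "10.0.0.30", "port": 25, "protocol": "smtp", "product": "Exim"},
]


def triage(services, queries=QUERIES):
    """Map each query name to the sorted 'address:port' list of services it matched."""
    compiled = {name: Query(text) for name, text in queries.items()}
    hits = {name: [] for name in queries}
    for svc in services:
        for name, q in compiled.items():
            if q.matches(svc):
                hits[name].append("%s:%s" % (svc["address"], svc["port"]))
    return {name: sorted(v) for name, v in hits.items()}
```

Records exported from your own inventory can be fed to triage() the same way, as long as each attribute is a flat key as in SERVICES.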
The new and improved runZero Platform represents the culmination of four years of innovation, so it’s only fitting this is version 4.0 of our technology! Over the last few years, runZero has evolved and matured from an innovative asset inventory and network discovery product to a world-class CAASM (cyber asset attack surface management) solution. We couldn’t have reached this major milestone without our community and our awesome customers, and we thank you for supporting us on this journey.
The new Platform introduces passive discovery functionality, making runZero the only CAASM solution to combine proprietary active scanning, native passive discovery, and API integrations. Unifying all of these approaches makes runZero unique in its ability to deliver comprehensive coverage across managed and unmanaged devices, including the full spectrum of IT, OT, IoT, cloud, mobile, and remote assets.
With the introduction of the runZero Platform, we also have a new Community Edition that will replace Starter Edition effective immediately. Community Edition is a completely free version of the runZero Platform that is perfect for small businesses, individuals, and security researchers who have 100 or fewer assets.
You might be asking, is this just a name change for the free version? It’s not. It’s much better than that! We want all runZero users to benefit from the full power of the runZero Platform and our new Community Edition makes that possible. See the details below.
We hope the new Platform will help you better manage risk and exposure by giving you the most complete visibility possible across all your environments. Let’s dive into the details.
runZero Platform, Community Edition: CAASM for everyone
The Community Edition is an improved version of the free Starter Edition. It now includes three important discovery approaches: unauthenticated active scanning, API integrations, and passive discovery.
Here’s why this is a significant leap forward:
Complete coverage: With three different discovery methods available, you can achieve a complete view of all your assets across IT, OT, IoT, cloud, mobile, and remote environments. runZero helps you uncover your unknowns and provides visibility across your internal network and external attack surface, consolidating everything into a single view.
Cost-efficiency: The Community Edition remains completely free, ensuring that advanced CAASM capabilities are accessible to organizations of all sizes and budgets.
runZero Platform: Unleash the full power of CAASM
Our new runZero Platform brings together all of the features you know and love from our legacy Enterprise Edition with new functionality like passive discovery that is designed to provide the most complete security visibility possible. It includes:
Complete feature set: The Platform provides you with every tool in the runZero arsenal, ensuring you can tackle all the CAASM use cases like building a comprehensive asset inventory, eliminating security controls gaps, understanding vulnerabilities and identifying insecure configurations in your attack surfaces.
Unparalleled flexibility: API integrations, active scanning, and passive discovery are seamlessly integrated, offering you unparalleled flexibility to manage exposures of your ever-evolving attack surfaces.
Priority support: Platform customers can unlock premium support, also known as runZero Care, which enjoys priority access to our support team, ensuring you have expert guidance whenever you need it.
Scale to fit your needs: The Platform is perfect for organizations that manage a large number of assets. Whether you have thousands, hundreds of thousands, or even millions of assets to manage, runZero Platform can handle the load.
Current customers will receive further information about migrations.
Unlike other CAASM solutions, runZero offers visibility into OT environments, through both safe active scanning and now a passive discovery capability called traffic sampling. Traditional passive network monitoring tools require significant effort to deploy and compute resources to collect and analyze all network traffic. runZero’s passive traffic sampling only examines a small fraction of network traffic for asset discovery and fingerprinting, which customers can leverage with existing Explorers. This feature allows companies who have a policy against active scanning to build an asset inventory by analyzing traffic observed through SPAN ports, TAP interfaces, and broadcast. Passive traffic sampling is also helpful for organizations with scan windows that are too short to enable active discovery of the entire environment. Both active and passive approaches use the same fingerprinting database that was developed using data collected across tens of thousands of environments and OT devices.
We are very excited to introduce this novel approach to passive discovery as a complement to our reinvention of active scanning. We love a good challenge and like to rethink how we can improve on what’s already out there. Unlike traditional passive discovery solutions, runZero’s passive traffic sampling is faster, easier, and more cost-effective to deploy — and doesn’t require expensive dedicated hardware appliances. Our innovative approach to traffic sampling enables runZero Explorers to process existing network traffic as a software deployment on existing hardware or virtual machines.
Updates to the runZero interface make it easier than ever to leverage all the flexible discovery capabilities available to you. runZero is the only CAASM solution that provides comprehensive asset inventory coverage for managed and unmanaged devices, including IT, OT, IoT, cloud, mobile, and remote assets. This is only possible by combining three specific data sources: proprietary active scanning, native passive discovery, and API integrations. These combined capabilities give customers ultimate flexibility in a single, unified solution, eliminating the need for multiple siloed tools.
With 4.0, you can now enrich your inventory with an authenticated API connection to Tenable Security Center, similar to existing integrations with Tenable.io and Nessus. This allows you to search for Tenable attributes, and vulnerabilities in runZero, as well as find assets not monitored by Tenable Security Center. runZero automatically correlates Tenable assets to runZero assets based on unique fields. Vulnerability data can be viewed in the asset details, as well as a dedicated inventory tab. Vulnerability attributes include CVSS score, relevant CVEs, vulnerability description, and any recommended remediation actions.
You asked and we delivered. Now you can quickly see the matching field that runZero used to merge data into existing records. Consolidating asset and exposure information from disparate sources into a single normalized view makes it easier for you to manage your ever-changing environment. As networks grow in complexity, sometimes it is not obvious how the correlation engine merges data from a new source and this important quality-of-life improvement shows what field and value was used, as well as the specific task, and time of the merge.
Take a look at any recently-updated asset with multiple sources to check it out!
Improved new user workflow
New to runZero? You’ll be greeted by an updated onboarding flow that introduces all of runZero’s discovery capabilities and makes it easier than ever to get started.
New users will automatically see the new flow. Existing users can check it out too.
We continue to add new methods of discovery and to improve fingerprinting. Here’s what’s new in this latest version:
Support for EtherNet/IP probing and the MODBUS/TCP protocol, improving discovery and fingerprinting for OT networks.
Support for MQTT, improving discovery and fingerprinting for IoT devices constrained by resources or bandwidth
Improved fingerprinting of devices using the Mopria Alliance eSCL protocol, such as paper scanners and multifunction printers
Improved discovery for VoIP endpoints using the Voice Services Discovery Protocol (VSDP)
Improved fingerprinting for SMBv1 endpoints, assets based on AzureAD, Microsoft Intune, Microsoft 365 Defender, and NFS data, BACnet devices, devices that provide UPnP information, and devices that use Spotify Connect
See runZero 4.0 in action
Release notes
The runZero 4.0 release includes a rollup of all the 3.10.x updates, which includes all of the following features, improvements, and updates.
Moved to a new versioning scheme for the Console and Explorers, <major>.<minor>.<yymmdd>.<revision>.
New features
Build your inventory through passive discovery
Discover assets the way you want to
Integrate with Tenable Security Center
Understand correlations quickly
Improved new user workflow
Integration improvements
A bug that could cause some long-running connection tasks to restart repeatedly has been resolved.
A bug that could prevent Intune assets from merging with other sources has been resolved.
A bug that could prevent Tenable Security Center syncs from completing has been resolved.
A bug that could result in an incorrect ts attribute for Azure AD, Google Workspace, and Microsoft Intune has been resolved.
A bug that could result in invalid Shodan credentials still validating has been resolved.
A bug that prevented some queries from correctly matching Intune assets has been resolved.
A bug where existing assets were incorrectly fingerprinted after importing data from Microsoft 365 Defender has been resolved.
A performance regression when processing third-party assets has been resolved.
A rotation date for stored credentials is now available through both console and API via a new secret_updated_at field.
CrowdStrike and Azure AD assets will no longer be merged if they have a different globally unique ID. This may lead to more offline assets being generated if devices are frequently reimaged and given new GUIDs.
Custom Integrations now support the exclude unknown option.
Error logging for the Shodan integration has been improved.
Improved handling of API request retries for the Microsoft Intune integration.
The Tenable integration has been updated to reduce the possibility of asset and vulnerability export timeouts.
The Tenable integration has been updated to reduce the possibility of vulnerability export timeouts.
The request timeout has been increased for the Microsoft Intune and Azure AD integrations.
Inventory management improvements
A bug causing inconsistent navigation for Explorer configuration editing has been resolved.
A bug causing incorrect assertion of Microsoft Defender for Endpoint in edr.name has been resolved.
A bug causing pending new tasks to be seen as editable has been resolved, so that only new tasks scheduled to start in the future can be modified.
A bug causing project expiration to be miscalculated has been resolved.
A bug causing tasks in the process of stopping to be seen as dismissible has been resolved, so that only failed and completely stopped tasks can be dismissed.
A bug that could cause foreign service attributes to be attributed to the wrong source has been resolved.
A bug that could cause tasks to be copied with an incorrect discovery scope has been resolved.
A bug that could lead to improper stale service removal on rescan has been resolved.
A bug that could lead to orphaned tasks when an Explorer is removed has been resolved.
A bug that could prevent import of wireless networks has been resolved.
A bug that could prevent in-scope, unscanned addresses from being cleared on runZero assets has been resolved.
A bug that could prevent queries containing mixed-case search terms from returning results has been resolved.
A bug that could result in an unnecessary screenshot warning for connector tasks has been resolved.
A bug that could result in duplicate service warnings has been resolved.
A bug that could result in duplicate software entries for some sources has been resolved.
A bug that could result in orphaned tasks when removing an explorer has been resolved.
A bug that enabled SNMP credentials when modifying or copying existing scan tasks has been resolved.
A bug that prevented SNMPv3 credentials from being saved has been resolved.
A bug that prevented the scan.explorer_id value from being populated in alert templates has been resolved.
A bug that prevented the Find assets in this site icon from working properly in some cases has been resolved.
A bug that resulted in the Nmap XML Export having a zero start time has been resolved.
An issue that caused the asset details page to load very slowly has been resolved.
An issue that could result in an empty dashboard until a metrics recalculation was triggered has been resolved.
An issue that could result in an empty dashboard when selecting a single site has been resolved.
An update for improved asset matching for tasks importing both scan and third-party data sources has been added.
An update to the runZero Explorer now logs when the host operating system receives an interrupt or terminate signal, such as when the OS reboots.
Event rules now support conditions for Explorer and task type, where relevant.
Exports of task data now include timestamps which differentiate time spent acquiring data from time spent processing data.
Improved merging of assets with NetBIOS or SMB services.
Improved performance when deleting large organizations, projects, or sites.
License-based size limits are now applied to file imports.
Recurring tasks now stop with an error if they use a task template that has been deleted.
Task name and description can now be modified for tasks created via file imports.
Task processing times are improved.
Tasks in the stopping state are now included in the Processing section of the Tasks overview.
The maximum number of ownership types has been increased from 10 to 25.
The tasks CSV export now includes the template_name column.
The tasks JSON export and API responses now include the site_name, agent_name, and template_name columns.
New vulnerability queries
Hardware: MegaRAC BMC
Hardware: Citrix NetScaler
Scan and monitor engine improvements
A bug that could cause a memory leak in the Explorer between stopped tasks has been resolved.
A bug that could lead to bogus assets appearing in scans through Fortigate proxies has been resolved.
A bug that could prevent bogus services from certain firewalls from being completely filtered has been resolved.
A bug that could prevent some Windows-based Explorers from connecting with the same ID has been resolved.
A bug that could prevent the Explorer from reading the .env configuration file has been resolved.
A number of small parsing bugs in the protocol parsing engine have been resolved.
A bug which could leave SYN and LAYER2 probes in a perpetual error condition loop has been resolved.
A warning is now recorded for scan tasks if a host is ignored for responding on too many ports.
An issue that could result in stalled scans has been resolved.
Improved automatic asset filtering for certain web proxy assets.
Improved detection of spurious services when scanning certain firewalls.
Passive traffic sampling tasks now set source:sample instead of source:passive for assets.
The Explorer now uses the “runZero” brand by default (and matching filesystem/registry locations).
The TCP SYN scanner is now friendlier to stateful firewalls in the network path.
The scanner now supports a new syn-reset-sessions option that can be used to reduce session usage in middle boxes.
Self-hosted platform improvements
The self-hosted console now defaults to PostgreSQL 15 and provides an install option to select a version.
The self-hosted console now uses the “runZero” brand (and runzeroctl command) by default.
A bug causing the user details page to display permissions incorrectly has been resolved.
A bug in the user permissions display interface has been resolved.
A bug preventing some users from being able to manage their user’s group membership has been resolved.
A bug that could cause scan templates to be hidden when configured with invalid permissions has been resolved.
A bug that could prevent new SSO users from authenticating has been resolved.
A bug that could result in the wrong hostname being used in password reset links has been resolved.
A bug where users logging in for the first time with SSO would not have access to any organizations from the SSO group mappings has been resolved.
A security improvement has been added to clear password reset tokens after a password change or when link-based authentication is requested.
An issue that could result in login errors for invited users using Single Sign-On has been resolved.
API improvements
The api/v1.0/org/sites/{site_id}/import route now returns the proper 400 http status code error when the request body is empty instead of a status code 500.
UI/UX improvements
A bug causing app banners to not be visible has been resolved.
A bug causing the datepicker to close when navigating by year has been resolved.
A bug preventing columns from retaining their custom ordering has been resolved.
A bug that prevented display of the user permissions table in the User Details screen has been resolved.
A bug that prevented download commands from being displayed on the redesigned scanner page has been resolved.
On-screen text explaining the interaction between a user’s default organization role and the granted per-org role is clearer.
The Explorer and scanner download pages have been redesigned for improved UX and performance.
The Integrate page now shows active and suggested integrations for the current organization.
The asset details screen now has pagination when viewing an asset with more than 30 services.
About Version 2 Limited Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About runZero runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.
How to find Ivanti Endpoint Manager Mobile (EPMM) with runZero
On July 24th, Ivanti announced that their Endpoint Manager Mobile (EPMM, formerly MobileIron Core) product versions 11.10 and prior contain a critical authentication bypass vulnerability. Successfully exploiting this vulnerability would allow an unauthenticated remote attacker to access users’ personally identifiable information (PII) and make changes to the vulnerable server.
There is evidence that this vulnerability is being exploited in the wild.
What is Ivanti Endpoint Manager Mobile (EPMM)?
Ivanti Endpoint Manager Mobile (EPMM) is a mobile management software product that lets organizations set policies for mobile devices, applications, and content. It was formerly known as MobileIron Core.
What is the impact?
An unauthenticated remote attacker who successfully exploits this vulnerability can retrieve users' personally identifiable information (PII) and make changes to the vulnerable server. The root cause is an authentication bypass: an attacker can reach affected functionality without valid credentials.
With a CVSS score of 10.0, this vulnerability is rated critical. Because it is being exploited in the wild, it has been added to the CISA Known Exploited Vulnerabilities catalog.
Are updates available?
Ivanti has released a patch for this vulnerability and issued guidance for customers on how to upgrade.
How do I find potentially vulnerable Ivanti Endpoint Manager Mobile services with runZero?
EPMM can be found by navigating to the Services Inventory and using the following pre-built query to locate EPMM services on your network:
_asset.protocol:http AND protocol:http AND html.title:"Ivanti User Portal: Sign In"
Starting with runZero 3.10.10, from the Asset Inventory use the following pre-built query to locate EPMM services on your network:
product:"Ivanti Endpoint Manager Mobile"
Results from the above query should be triaged to determine if they require patching. As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.
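The Services Inventory query above keys on a single signal: an HTTP service whose HTML title is "Ivanti User Portal: Sign In". The following script, added here as an example and not runZero or Ivanti code, applies that same fingerprint to saved HTTP response bodies so you can cross-check hits from another scanner or a packet capture. The sample bodies are constructed for illustration; a match only identifies a candidate EPMM portal, it does not tell you the installed version or patch status.

```python
"""Flag saved HTTP response bodies that fingerprint as the Ivanti EPMM user portal.

Added example (not runZero or Ivanti code). The signal is the same one the
runZero query uses: the page <title> equals "Ivanti User Portal: Sign In".
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional

EPMM_TITLE = "Ivanti User Portal: Sign In"


class _TitleParser(HTMLParser):
    """Collect the text of the first <title> element only."""

    def __init__(self) -> None:
        super().__init__()
        self._in_title = False
        self._buf: List[str] = []
        self.title: Optional[str] = None

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag names; only the first <title> counts.
        if tag == "title" and self.title is None:
            self._in_title = True
            self._buf = []

    def handle_data(self, data):
        if self._in_title:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "title" and self._in_title:
            self._in_title = False
            self.title = "".join(self._buf)


def html_title(body: str) -> Optional[str]:
    """Return the page title with surrounding/internal whitespace collapsed, or None."""
    parser = _TitleParser()
    parser.feed(body)
    parser.close()
    if parser.title is None:
        return None
    return re.sub(r"\s+", " ", parser.title).strip()


def looks_like_epmm(body: str) -> bool:
    """True when the title matches the EPMM sign-in page (case-insensitive)."""
    title = html_title(body)
    return title is not None and title.lower() == EPMM_TITLE.lower()


def triage(responses: Dict[str, str]) -> List[str]:
    """Return the hosts whose response body fingerprints as an EPMM portal."""
    return sorted(host for host, body in responses.items() if looks_like_epmm(body))


# Constructed sample bodies (not real captures).
SAMPLE_RESPONSES = {
    "10.0.0.5": "<html><head><title>\n  Ivanti User Portal:  Sign In\n</title></head><body></body></html>",
    "10.0.0.6": "<html><head><title>Welcome</title><title>Ivanti User Portal: Sign In</title></head></html>",
    "10.0.0.7": "<html><head><title>MobileIron Core</title></head></html>",
    "10.0.0.8": "<html><body>no title here</body></html>",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_RESPONSES):
        print(host, "-> candidate EPMM service; verify version and patch status")
```

Whitespace is collapsed before comparison because extracted titles often carry line breaks and indentation; only the first title element is honoured so a stray second tag in a body cannot produce a match.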
IT and security teams rely on an array of cybersecurity tools to manage their network assets. However, these tools often fall short of providing a comprehensive and detailed asset inventory. Consequently, as an organization’s attack surface evolves, the risk of undiscovered or unmanaged assets increases, heightening the potential for network infiltration.
The 2023 State of Cyber Assets Report uncovered a remarkable 133% year-over-year growth in cyber assets for organizations, surging from an average of 165,000 in 2022 to 393,419 in 2023. This rapid increase in assets resulted in a staggering 589% rise in security vulnerabilities or unresolved findings, accentuating the snowball effect caused by more than doubling the number of assets.
As organizations incorporate an ever-growing number of devices, their attack surface inevitably expands. Thus, gaining a comprehensive understanding of the status of each connected asset becomes crucial.
Each article linked below highlights the limitations of various types of cybersecurity tools for asset management, contrasting them with runZero—an all-encompassing cyber asset management solution that surpasses them all by comparison.
EDR works well for endpoint protection but not asset inventory. When incident responders find assets that are compromised but can’t find them in the asset inventory, many teams realize that they went down the wrong path.
Microsoft Excel and Google Sheets can be an easy first step to track asset data for an IT environment, but they fail entirely as an efficient cyber asset management solution. Spreadsheets require manual data collection resulting in inconsistent attributes, outdated information, lack of detail and incomplete inventory.
Some try to build an asset inventory using vulnerability scanners. Beyond a lack of detail, vulnerability scanners sometimes simply get it wrong; crashing devices, providing a backward-looking view, finding phantom assets, among other concerns. Leading vulnerability scanners simply do not provide a full, accurate, current asset inventory in everyday practice.
CMDBs are designed to track data relating to managed IT assets, such as routers, switches, or servers. However, according to Gartner, only 25% of organizations achieve meaningful value with their CMDBs. Beyond incompleteness, data inaccuracy is also a major concern. If you are relying on your CMDB to be a source of truth, you need to be able to trust the information in it. The data in a CMDB will only be as good as its sources.
IT and security teams often depend on data from NACs and associated network aggregation tools for asset inventory. However, these tools are designed to control access to the network, an entirely different task from building a comprehensive inventory of the devices on it. When a compromised asset cannot be found in the inventory, it shows that NACs are suboptimal for asset discovery, a fundamental component of cyber asset management.
Most free network scanners don't scale easily out of the box; they often require custom databases and scripts before they are suitable for continuous monitoring and for collecting inventory from multiple segments or sites.
Why effective cyber asset management matters
In the ever-changing digital landscape of an organization, prioritizing cyber asset management is essential for ensuring the resilience and continuity of operations, as well as safeguarding the reputation and trust of the organization, its stakeholders, and the data it governs.
It’s foundational to cybersecurity
You need to know about the assets on your network before you can manage them, so effective asset management starts with a comprehensive understanding of what is connected. By accurately identifying, tracking, and protecting critical assets, organizations can proactively defend against cyber threats, minimize vulnerabilities, and ensure the confidentiality, integrity, and availability of sensitive information.
Preparation is key
IBM’s Cost of a Data Breach Report 2023 shares that the global average cost of a data breach in 2023 was USD 4.45 million, a 15% increase over 3 years.
By integrating a comprehensive asset inventory into business continuity planning, organizations can effectively identify and prioritize the protection of vital assets crucial for maintaining operations during disasters or disruptions. This proactive strategy enhances the organization’s resilience during times of crisis.
It’s required by regulations and insurance
Various industries, including healthcare, energy, financial services, and government, are all subject to specific regulatory or insurance requirements related to asset management and data protection. A comprehensive asset inventory helps organizations ensure compliance. It enables them to demonstrate their efforts in safeguarding sensitive information and critical infrastructure, thereby avoiding legal penalties and reputational damage.
Take the SolarWinds supply chain attack in 2020, for example. This sophisticated attack involved hackers compromising the software supply chain of SolarWinds, a prominent IT management software provider. The attackers injected malicious code into SolarWinds’ Orion platform updates, which were then distributed to thousands of the company’s customers, major corporations, the Department of Defense, the Department of State, and the Department of Homeland Security to name just a few.
SolarWinds reported upwards of $3.5 million in expenses related to incident investigation and remediation, and it was also the subject of numerous domestic and foreign lawsuits and regulatory actions, including an investigation into a possible breach of the European Union's General Data Protection Regulation and other data protection and privacy regulations.
It’s the bedrock of business operations
On the financial aspect, maintaining an asset inventory empowers organizations to monitor their IT investments and infrastructure effectively. Comprehensive knowledge of all assets enables teams to make informed decisions regarding upgrades or replacements for outdated assets, prioritize patching and updates, and avoid unnecessary expenses on redundant or non-essential devices.
Presidio, a global digital services and solutions provider, found immediate success with runZero, using it to onboard clients to its managed service programs. With runZero, Presidio was able to eliminate spreadsheets, reducing the time spent manually collecting client data and freeing the team to focus on delivering outcomes for its clients.
runZero: a complete cyber asset management solution
runZero is a cyber asset management solution that includes CAASM functionality. It combines integrations with EDR and other sources with a proprietary network scanner that is fast and safe even on fragile IoT and OT networks.
runZero scales up to millions of devices, and it's easy to try. The free 21-day trial even downgrades to a free version for personal use or for organizations with fewer than 256 devices.
The OT (Operational Technology) sector faces significant challenges when it comes to network scanning. OT systems frequently utilize proprietary protocols that may not be compatible with legacy scanners. Consequently, this incompatibility significantly hinders the effective scanning and information gathering from OT devices. As a result, the asset inventory obtained is often incomplete or inaccurate, posing a major security risk.
Fortunately, runZero avoids aggressive scan tactics, which could destabilize certain IT and OT devices. With runZero, organizations of all types can safely create comprehensive and detailed asset inventories without any disruptions.
How does runZero safely scan OT environments?
runZero employs an incremental fingerprinting approach designed to identify fragile devices and handle them safely. When a fragile device is detected, the scan method is automatically adjusted for that device. Unlike scanners that send security probes, runZero's proprietary scan engine sends only well-formed IP packets, which removes the risk of disrupting critical operations or causing downtime.
Thanks to its unique and reliable method, runZero has garnered a large and satisfied customer base in various industries including manufacturing, energy, and healthcare. These customers confidently conduct regular scans in their OT environments without encountering any issues.
For a more in-depth understanding of runZero’s approach to OT environments, we invite you to listen to the two podcasts below, featuring runZero founders HD Moore and Chris Kirsch, respectively.
runZero’s approach to scanning ‘fragile devices’ – HD Moore and Dale Peterson on Unsolicited Response podcast
In this episode HD Moore and Dale Peterson spend the first third of the show talking about Metasploit; early reaction, OT modules, and whether Metasploit is still necessary and useful today.
The conversation then shifts to creating asset inventories in IT and OT environments, a core feature of runZero.
Below is a summary of the main talking points in this podcast:
Why HD decided to return to the cybersecurity startup world.
How it started as a solo shop with HD writing all the code.
How HD thinks Shodan and runZero are different.
What technique runZero uses to "scan", a term that many in OT fear.
The OT reaction to this type of scanning.
Which roles use the runZero product.
runZero adds passive scanning for OT networks – Chris Kirsch on the Risky Business podcast
In this Risky Business News sponsor interview Tom Uren talks to Chris Kirsch about how runZero has evolved from an IT network active scanning product to one that can now discover assets on OT and cloud environments using both active and passive scanning approaches.
The top three players will win one of the following prizes:
Flipper Zero
Bash Bunny
Alfa Wifi Card
runZero is safe for OT environments, but legacy scanners are not!
In this game, you are a legacy scanner with 30 seconds (and ten total attempts) to recon the network without getting noticed in the fastest time. Just don’t crash any OT devices!
MegaRAC baseboard management controllers (BMCs) provide “lights out” management capabilities for remotely monitoring and managing servers. Manufactured by American Megatrends International (AMI), MegaRAC BMCs include a service processor and network connection that operate separately from the server they are connected to. Modern MegaRAC BMC firmware includes support for the Redfish API.
What is the impact?
These two newly disclosed vulnerabilities involve the Redfish service running on the MegaRAC:
CVE-2023-34329 can be exploited with specially crafted HTTP headers to trick the Redfish service into believing the request is coming from an interface that does not require authentication, such as USB0. On systems which have the No Auth option enabled, these spoofed headers will allow attackers to access and interact with any Redfish API endpoints.
CVE-2023-34330 can be exploited via an HTTP POST action to execute arbitrary code on the MegaRAC processor. While this code-execution-via-POST was an intentional design choice by AMI, it likely was intended for internal development only. However, it is enabled by default in vulnerable versions of the firmware, making it available to a broader audience.
Chaining exploitation of the two above vulnerabilities together can provide attackers with unauthenticated remote code execution and full control over a vulnerable MegaRAC target. Following successful exploitation, attackers can establish persistence, perform data exfiltration, perform lateral movement in the network, deploy malware, and more. Attackers can also perform a denial of service by forcing the server into a reboot loop or even bricking the system so it will no longer properly function.
Are updates available?
AMI has made patched firmware available in versions SPx_12.4 and SPx_13.2. Admins should update MegaRAC BMCs to the newer firmware as soon as possible.
Eclypsium Research also shared mitigations to help reduce the chance of a successful attack, including:
Ensuring all remote server management network interfaces are NOT exposed externally and operate on networks dedicated to management traffic only.
Ensuring access to remote server management network interfaces is restricted to administrative users via ACLs or firewalls per Zero Trust Architecture principles.
Results from the above query should be triaged to verify if those assets are running updated firmware versions.
As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.
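Triage of MegaRAC hits comes down to comparing each BMC's reported firmware version with the fixed releases named above, SPx_12.4 and SPx_13.2. The script below is an added example (not runZero, AMI, or Eclypsium code) that does this comparison numerically rather than as a string, so that a version such as SPx_13.10 is not mis-sorted below SPx_13.2. It assumes that SPx_12.4 and SPx_13.2 are the first fixed releases of the 12.x and 13.x branches respectively and that version strings follow the "SPx_<major>.<minor>" layout seen in those names; the inventory is constructed for illustration.

```python
"""Triage MegaRAC BMC firmware versions against the fixed releases.

Added example, not runZero, AMI or Eclypsium code. Assumptions: SPx_12.4 and
SPx_13.2 are the first fixed releases of their branches, and versions are
reported as "SPx_<major>.<minor>". Anything else is routed to manual review.
"""
import re
from typing import Dict, List, Optional, Tuple

# Lowest firmware version per SPx branch that contains the fix (assumed from
# the advisory's SPx_12.4 / SPx_13.2 naming).
FIXED_VERSIONS: Dict[int, Tuple[int, int]] = {
    12: (12, 4),
    13: (13, 2),
}

_VERSION_RE = re.compile(r"^SPx_(\d+)\.(\d+)$", re.IGNORECASE)


def parse_spx(version: str) -> Optional[Tuple[int, int]]:
    """'SPx_12.3' -> (12, 3); None when the string is not in that layout."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))


def needs_update(version: str) -> Optional[bool]:
    """True if below the fixed release for its branch, False if at or above,
    None if the string cannot be parsed or the branch has no known fix."""
    parsed = parse_spx(version)
    if parsed is None:
        return None
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        return None
    return parsed < fixed  # tuple comparison: (13, 10) is newer than (13, 2)


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket BMCs into 'update', 'ok' and 'review' (manual check needed)."""
    buckets: Dict[str, List[str]] = {"update": [], "ok": [], "review": []}
    for bmc, version in sorted(inventory.items()):
        verdict = needs_update(version)
        if verdict is None:
            buckets["review"].append(bmc)
        elif verdict:
            buckets["update"].append(bmc)
        else:
            buckets["ok"].append(bmc)
    return buckets


# Constructed inventory (hypothetical hostnames): BMC -> reported firmware version.
SAMPLE_INVENTORY = {
    "bmc-01.mgmt.example": "SPx_12.3",
    "bmc-02.mgmt.example": "SPx_12.4",
    "bmc-03.mgmt.example": "SPx_13.1",
    "bmc-04.mgmt.example": "SPx_13.10",  # newer than 13.2 numerically, older as a string
    "bmc-05.mgmt.example": "SPx_11.9",   # branch with no listed fix
    "bmc-06.mgmt.example": "unknown",
}

if __name__ == "__main__":
    for bucket, bmcs in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(bmcs) or '-'}")
```

A BMC in the "ok" bucket is patched, not safe by default: the network restrictions listed in the mitigations still apply, since the management interface should never be reachable from outside the dedicated management network regardless of firmware version.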