
Finding Cisco Small Business Switches

Cisco recently disclosed several highly critical vulnerabilities that affect some of their Ethernet switches designed for small businesses. With a CVSSv3 score of 9.8, these vulnerabilities (assigned CVE-2023-20024, CVE-2023-20156, and CVE-2023-20157) are due to various faults in the handling of input to the web-based management interface of these switches. Successfully exploiting one of these vulnerabilities would allow an attacker to create a denial-of-service condition or execute arbitrary code with root privileges.

Along with this disclosure, Cisco announced updated software to address these issues. However, several of the affected models are past their End-of-Life (EOL) dates and no software updates have been released for them. Users are advised to update the software on affected systems as soon as possible, if updates for their devices are available.

Finding affected devices using runZero

You can locate Cisco switches in your organization by visiting the Asset Inventory and using the following pre-built query:

hw:"Cisco" and type:"switch"

You can also limit your search to only the affected product families, using the following pre-built query:

hw:"Cisco" and type:"switch" and (snmp.modelNames:"CBS" or snmp.modelNames:"SF2" or snmp.modelNames:"SG2" or snmp.modelNames:"SF3" or snmp.modelNames:"SG3" or snmp.modelNames:"SF5" or snmp.modelNames:"SG5")

As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

runZero’s week at RSA 2023: killer robots, time machines, and natural disasters

It might sound funny, but these were a few talking points that came up last week during runZero’s two hosted fireside chats, where CEO and Co-Founder Chris Kirsch sat down with Lares CEO Chris Nickerson on Tuesday and then Fortinet Systems Engineer Roger Rustad on Wednesday.

If you’ve had the pleasure of hearing Chris Nickerson tell his pentesting “war stories,” you might already know some of the references here. But for first-time listeners, these narratives cover the potential dangers of a red team member’s (mis)adventures, and the role of asset inventory from an attacker’s perspective. As for natural disasters and time machines, our talk with Roger elaborated on his work with the Information Technology Disaster Resource Center (ITDRC), as well as his view on how runZero’s solution has been helpful to the incident response and forensics teams at Fortinet.

Chris Nickerson Recap

The first fireside chat began over margaritas as Chris Nickerson (CN) joined Chris Kirsch (CK) on stage at our pop-up venue, the runZero Cafe, on Tuesday, April 25. Their chat covered:

  • Why the recon phase is an important stage in pentesting
  • The human element (and fallibility) of IT and security
  • What tools Chris Nickerson uses in his pentesting

And sprinkled humorously throughout the dialogue were moments from Nickerson’s past exploits, including welding people to cars with killer robots.

Specifically, CN talked about how recon (for attackers) and asset inventory (for defenders) are two sides of the same coin. In answer to why the recon phase is important, he noted,


Video transcription

CN: “First off, right, Karate Kid Rule. Man can’t see, man can’t fight. Same exact words for any attacker. I can see things that you can’t see. Good luck. And if that’s what I’m looking for, right, I’m trying to find those lapses in visibility.”

“So in general, right, when you’re thinking about making a process in testing, it’s not always like the voodoo magic and you just sprinkle your hacker dust and then magically like you win. It’s a bunch of really crappy work.”

“It takes a ton of time and you have to have a lot of process into it, it’s not just a hit a button, hope that it expands to find the things. You have to catalog every single thing that you see and be able to start to index and understand this information and what starts to emerge is patterns, right.”

“You start to see, oh, this is kind of where all the old stuff lives; this is where some cool, new stuff lives, this is where some I have no idea what this is. That might be interesting at some point. You might find names. You start to find, you know, indexed pieces of not only networking infrastructure, but I mean, engineers are good. They have naming conventions so that when somebody is like, hey, they want you to steal financial records, it’s like D-E-N, Denver, F-I-N, financial, and then like a bunch of numbers and you’re like, oh it’s probably this server you know, like.”

“So as you start to get yourself familiar, it’s more about situational awareness to figure out what you’re going to do in forward operation than it is go find a vulnerability, scan for something, exploit it, you know, move on to offense success. It’s really about that process of getting that total view of the landscape because you kind of can’t make plays on the field unless you know where the boundaries are.”

In answer to what tools he’s using:


Video transcription

CK: “So how do you, how do you go about that? When you go on a pentest, what are your tools to figure out what’s there, information for your pentest…”

CN: “So obviously lots of things, right? Because we have a great relationship being able to use runZero in that capacity, I think it’s great, especially in massive networks. Because what you find is, you know, in a smaller network I can get a relatively high degree of success, if I’m just using basic, you know, nmap engines and I’m going to be able to find, you know, the scripts that I’m using to be able to pull information.”

“You don’t get that rich bit of information, right? I know that the host is up, I know that these ports are open. I can probably go grab banners, but now I have to like grep through a bunch of shitty text files. And it’s not super useful. Whereas if all those things are indexed, they are in a searchable database, you have ways to look at that information.”

“It’s now what’s there, what’s available, what’s running, what version is it running? What other things can I start to collect and find out about that box?”

When it comes to testing more fragile environments, CN delved into the problem of legacy technologies lacking resiliency, and the importance of not only understanding the environment as a pentester, but also ensuring companies know what’s on their networks, including “what’s old and going to misbehave.”

As an example of misbehaving machines, here’s CN’s killer robot story:


Video transcription

CN: “We were working on manufacturing facilities, right? And the robotic welding arm things, right? Cool robots are just tech world stuff. Their TCP/IP stack was awful. And it’s, like, I don’t know, somebody from the eighties built it. And it’s just half-open connections that make it harder for people. And I say that like in the most loving way, because like I portscanned it just started !@#$!@#, and just started shooting welds in the air going like this and I was like, ohhh shit, you know, like, I guess I didn’t know but like the…”

CK: “Just to be clear, this wasn’t with runZero?”

CN: “No, no, no, no. No, this is bad scripts that, Chris, again 24 times unsafe, 25th time unsafe. I was like try three and it was now trying to kill people. So again, you know, like those types of tools, whether it’s like the idiot guard for me, which, probably need it more often, especially now that I’m older, but being able to understand and how you can interrogate a box safely is it’s the hardest thing of testing because if you’re wrong, you’re really wrong.”

“Like it’s a super super bad moment because the whole thing that you’re like, oh, I found the one box that I can compromise. Oh, yeah. Just turned it offline. That’s it, start over, like two weeks of work gone.”

While many companies understand how critical asset inventory is, they still face challenges when trying to implement it; they often lack the knowledge and resources to do it effectively. However, CN points out that if you have the proper tools, you can avoid making tragic mistakes:


Video transcription

CK: “Here’s the thing that kills me, you know like, for a lot of that infrastructure. OT and also like the ERP system and those kinds of things, it’s like it’s both, this is absolutely critical for the business to survive, and this is so fragile and you can’t touch it and never touch it. These two things don’t make sense to me.”

CN: “But this is, but this is where I appreciate the approach that’s been taken with runZero because they think that not only are we looking at this like central source of truth and system of record, but the idea that the logic is built in for the grouping and for some of those things starts to create that map of where severity could be without having to get into them, you know, robots killing people.”

Yes, getting those parameters is important, and luckily, runZero can give you that right out of the box.

As a final note on the importance of asset management, CN told us:


Video transcription

CN: “I’ve also worked in a lot of other enterprises and consulted all over the planet, and everybody’s trying to change stuff in their network. Well, if I can just come in and give you an inventory. But let’s say, I mean, even if I’m a tester or I just run the network or I’m part of ops in engineering, if what I can do is come back because you hired this, like, whatever some $4 billion consulting company to come in and like, upgrade your SAP system, they’re going to be like, oh, give a map of everything and the people who run it will give them the maps of like a couple of interfaces and then everything else won’t be there.”

“But if you can add value to go back and go, oh, this is absolutely every single thing that we have that as a SAP vendors, be able to group them, be able to categorize them, be able to explain to them that like, well, this one was from the 90s, this one was from the 2000s, all of them don’t follow the naming conventions, half of these aren’t in DNS.”

“Like you’re now making a graceful transition, which is huge because being a consultant, like the worst problem is information right? And if you can do that, you can give them accurate inventory, like they might actually get the job done on time. Probably never on cost, but at least quickly.”

So happy hunting to you, Chris! And many thanks for your entertaining insights on asset inventory from an attacker’s perspective.

Roger Rustad Recap

During Roger and Chris’s fireside chat, we heard about Roger’s journey in finding an asset management solution both for Fortinet and the volunteer group the Information Technology Disaster Resource Center (ITDRC).


Video transcription

CK: “Now for asset inventory. I think you, well, you brought in runZero, that’s why you’re here. But can you tell us a little bit about how you were doing asset inventory before you brought in runZero?”

RR: “I think probably the easiest way to put it is very poorly. We leveraged a lot of open source tools, mainly the command line tools, you know, nmap and masscan are kind of something we use regularly. And we went through a lot of logs manually, you know, to go back and try to find things. I think that became very laborious. And doing our threat hunting sessions one time we had to kick off an nmap scan that was going to take forever. One of us said there’s got to be a better way than this. And so we started Googling and found you guys and here we find ourselves today.”

Roger elaborated that other methods and solutions involved waiting for results, and interpreting the data – even though there was often consensus on his team, sometimes the interpretations got lost in translation when presented to other teams.

As Roger and his team looked to find different approaches to the problem, they looked at attack surface management solutions. Unfortunately, many of these tools require agents or APIs, and because Fortinet is more of a hacker culture internally, they preferred command line tools. They wanted to start there and wanted something that started there, too. He noted that runZero’s agentless solution made it very easy for his team to get a quick 30,000 ft view and then trim it appropriately.

As for first steps on how they began their runZero journey, Roger stated,


Video transcription

RR: “Literally, we just downloaded it and played with it. Each one of us ran it in our home network and we were just amazed at what it found. You know, we liked the fact that you can export everything straight into nmap format or XML format or interact with the API. I think that made it really easy. Then it was really just kind of figuring out how we were going to start implementing it internally.”

Once they had runZero up and running, Roger provided some insight into how the solution has been helpful in specific use cases:


Video transcription

RR: “Yes. So oftentimes we need to find an owner of an asset. I mean, everyone has the challenge of on certain networks finding owners is difficult. The extra information that we can look through or see who maybe was on that IP first. You know, I don’t think of runZero so much as an asset tool but sometimes as a time machine where we can go back and see who was on that network or on that device at a particular time. That’s been incredibly helpful for our incident response and our forensics team.”

CK: “How do you, give me an example of when you have an incident that you are investigating, how would you leverage runZero in that respect?”

RR: “So there could be a time in which we saw that a certain IP, let’s say, certificate on an IP, we could see what the certificate was. We could then pull that certificate and pivot across and see who else had that certificate.”

“I think when it comes to our FortiGates, we can tell by that type of certificate what version it is, what this may be running, and then that’s helped as we’ve gone through and patched certain things. Just seeing them, getting more details. But even the web page itself, being able to get a screenshot on that web page has been really helpful with runZero.”

We’re so glad we could help you at Fortinet, Roger, but we’re also happy to help with your work at ITDRC. This volunteer group is a nonprofit that builds IT solutions in areas affected by disasters, with no cost to the communities using these solutions. Roger explained that a lot of the work involves setting up simple connectivity, including setting up satellites and access points so first responders, shelters, kitchens, and churches can have access to their networks.

How does runZero help the ITDRC?


Video transcription

RR: “And runZero has been really good for helping us kind of figure out what’s on the network before we put stuff on, once we put stuff on. We often forget where we put stuff because as you can imagine, asset inventory is a bigger pain in the butt. Whenever you’re, you know, it’s a volunteer thing at the end of your day that you’re not keeping good tabs on.”

And for how the ITDRC plans to use runZero in the future:


Video transcription

CK: “When you think about how you want to mature and evolve that, looking to the future for disaster relief, etc., how are you planning to use runZero in the future?”

RR: “So I think, you know, one thing we’re starting to see is, as we start to partner with bigger companies like ZPE and other companies, we’re starting to leverage edge compute devices a lot more.”

“So the fact that runZero can run on such a tiny footprint becomes really helpful in figuring out what else has been added or taken off of the network. As we start to at some of these sites, do things like check the fuel levels of the generator or check the voltage level of the battery, we can do all that right off of runZero console access.”

“So as we start to do those things, it just makes sense to just throw a container on it, just see what else is on the network and it might be compromising. So I think when we talk about security for a lot of our other projects, you know, the CIA triad, the one we’re most concerned about is availability. The others don’t matter so much, and we kind of see runZero being really helpful for just making sure things are up and we know what else is running on the networks that we kind of throw out spontaneously.”

With all of the work that Roger does, we’re so happy that we can take off some of the strain in both his day-to-day job and volunteering. Thank you, Roger, for chatting with us during RSA!

RSA Venue Recap

In summary, the runZero team had a great time at our venue during the RSA conference, and we were grateful we could host these informative discussions with Roger Rustad and Chris Nickerson. We were also glad we could welcome many other cybersecurity professionals throughout the week to join us for drinks, tacos, digital caricatures, and faraday bag giveaways.

If we were lucky enough to see you at the venue, thank you for stopping by! We hope you had a wonderful time. And if we missed you during RSA week, we’d love to catch you at Black Hat in August. Feel free to shoot us a message if you’d like to coordinate a meeting at our Mandalay Bay suite!

Either way, if you are interested in learning more about how runZero can help your company with cyber asset management, please let us know by reaching out via our contact us form.


runZero 3.8: Identify and triage your riskiest assets, track goals, identify even more things, and delete your password

What’s new with runZero 3.8?

Identify and triage risky assets

runZero customers can now identify risky assets across their environment and assign them to users for triage and remediation. Asset risk and criticality are presented as new fields in the inventory that can be used for both queries and alerts. The asset risk field is automatically set to the highest risk level of associated vulnerabilities; this data can be sourced from third-party vulnerability management imports as well as runZero queries. Asset risk can be overridden individually in the asset detail page or by applying a new risk level to assets matching a query. In addition to the changes above, a new Asset risk report is now available, which summarizes asset risk across each level of criticality.

The 3.8.0 release includes 34 new queries that automatically apply vulnerability records to matching assets. These queries are shown in the screenshot below and the full list can be found at the end of this post.

Although the new runZero queries are focused on unintended exposure, any query can be used to associate vulnerabilities to the corresponding asset, which also updates the asset risk level, and ties into the Security Ownership model for triage.

These queries can run against the assets, services, software, and vulnerability inventories. If you are importing software inventory through an integration, you can now create a query that automatically associates a vulnerability with assets with specific software installed.

As an example, if you would like to identify and remove all instances of Photoshop in your environment, create a new software query for name:photoshop, enable the new vulnerability association setting, and provide a unique vulnerability ID for the query. On the next update, a new vulnerability will be associated with every matching asset, and these vulnerabilities can be assigned through the console.

Queries can also be used to prioritize existing vulnerabilities. To add a critical finding when a low-risk vulnerability is reported on an asset with a public IP address, create a new vulnerability inventory query using the public:true asset filter, add additional conditions for the specific vulnerabilities that you would like to match, provide a unique vulnerability ID, and finally set the risk to Critical. On the next update, any assets with the specified vulnerabilities will have an additional critical risk finding attached if they also have a public IP address.

Users can find a list of assigned assets in the asset and vulnerability inventory pages by clicking their owner name in the inventory table or by viewing their user detail page under Your Team > Users.

Once a vulnerability has been remediated, the next update will remove the vulnerability from the asset and update the risk of the associated asset. Risky asset triage and query-based vulnerability associations are available to all runZero Professional and runZero Enterprise users.

Public preview of goal tracking

Measuring progress toward your security and organizational goals can be challenging and difficult to communicate to leadership. With the introduction of goals, runZero customers can set time-bound and query-driven goals that are customizable to what matters most to your team. Goals can be used with new features like asset risk as well as existing features like asset ownership. If you can query for it in runZero, it can now be a goal!

Some examples of goals could include:

  • Managing expiring TLS certificates
  • Remediating critical risk vulnerabilities on assets within a set timeframe
  • Keeping insecure management services off external networks

This feature is in a public preview and we would love your feedback via email or through the in-product support form.

Protocol improvements

The default TCP port list has grown to almost 600 ports (from ~500) for better coverage. Protocol support has been added for Brother’s proprietary scanner protocol, allowing us to identify Brother scanners or Brother multi-function devices that include a scanner. SNMP enumeration is more configurable through the disable-bulk-walk and max-repetitions settings in the advanced scan configuration. Protocol detection has also been improved for TNS Listener and Android Debug Bridge services.

New and improved fingerprints

New fingerprints were added for products by Advantech, Amazon, Apache, ASUSTeK, AV Costar, Avaya, AVM, Bosch, Canon, Canonical, Cisco, Citrix, Codonics, Cognosys, CostarHD, Cradlepoint, Cubic Transportation Systems, DataDirect Networks, Dahua, Daktronics, Datamax, Debian, Dell, DigitalOcean, Eaton, Econolite, EnGenius, Entrust, EVGA, ExaGrid, F5, Fortinet, Getinge, Glenayre, Grandstream, HP, HPE, Huawei, iCAD, Kali, LAVA, March Networks, Microsoft, Moen, MSI, MultiTech, Multitone, Netgear, Oce, Okidata, OpenLogic, The Ottawa Hospital Cancer Center, Palo Alto Networks, Panasonic, PaperCut, Proxim, Prusa, Qualys, Red Hat, RICOH, The Royal Marsden NHS Foundation Trust, Saulmatics, Schneider Electric, Somfy, Sonos, SUSE, Ubiquiti, VMware, and ZTE.

Other research improvements

We published a Rapid Response post and new query for finding servers running the PaperCut MF and ND software.

In addition to the above protocol and fingerprinting improvements, we improved our normalization of x509 certificate issuer and subject values, allowing us to more consistently apply fingerprints regardless of ordering/formatting variants found in the field or due to tech stacks.
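
As an added illustration (not runZero's code; the alias table, function names and sample certificates are constructed for this example), the sketch below shows how differently ordered and formatted renderings of one issuer can be reduced to a single comparison key, assuming case-insensitive matching of attribute values:

```python
from collections import defaultdict

# Attribute-type spellings that different stacks emit for the same field.
# Assumption: a small illustrative alias set, not an exhaustive registry.
ALIASES = {
    "commonname": "cn", "organizationname": "o", "organizationalunitname": "ou",
    "countryname": "c", "localityname": "l", "stateorprovincename": "st",
    "s": "st", "emailaddress": "email", "e": "email",
}


def _split_unescaped(text, seps):
    """Split on separators that are neither backslash-escaped nor inside quotes.

    Escaping backslashes and surrounding quotes are dropped from the output.
    Hex escapes such as \\2C are not decoded (kept out of scope here).
    """
    parts, buf, escaped, quoted = [], [], False, False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch in seps and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def normalize_dn(dn):
    """Return an order- and format-independent key for an issuer/subject string."""
    dn = dn.strip()
    slash = dn.startswith("/")            # OpenSSL "oneline" style: /C=US/O=...
    seps = "/+" if slash else ",;+"       # "+" joins multi-valued RDNs
    joiner = "/" if slash else ", "
    attrs = []
    for part in _split_unescaped(dn, seps):
        if not part.strip():
            continue
        key, eq, value = part.partition("=")
        if not eq:
            # No "type=" prefix: an unescaped separator inside the previous
            # value (e.g. "O=Acme, Inc."), so glue it back on.
            if attrs:
                k, v = attrs[-1]
                attrs[-1] = (k, v + joiner + part.strip())
            continue
        key = key.strip().lower()
        attrs.append((ALIASES.get(key, key), value.strip()))
    # Collapse whitespace, fold case, and sort so attribute order is irrelevant.
    return tuple(sorted((k, " ".join(v.split()).casefold()) for k, v in attrs))


def group_by_issuer(certs):
    """Group (host, issuer_string) pairs by normalized issuer."""
    groups = defaultdict(list)
    for host, issuer in certs:
        groups[normalize_dn(issuer)].append(host)
    return dict(groups)


# Constructed sample data: one issuer as rendered by four different stacks.
SAMPLES = [
    "CN=Example Device CA,O=Acme\\, Inc.,C=US",             # escaped comma
    "C=US, O=Acme, Inc., CN=Example Device CA",              # unescaped comma
    "/C=US/O=Acme, Inc./CN=Example Device CA",               # slash-delimited
    'C = us; O = "ACME,  Inc."; commonName = example device ca',
]
# Constructed inventory using documentation addresses (192.0.2.0/24).
CERTS = [("192.0.2.%d" % (i + 10), s) for i, s in enumerate(SAMPLES)]
CERTS.append(("192.0.2.50", "CN=Other CA,O=Acme\\, Inc.,C=US"))

if __name__ == "__main__":
    for key, hosts in group_by_issuer(CERTS).items():
        print(dict(key), "->", hosts)
```

Without the normalization step, a fingerprint keyed on any one of the four raw strings would miss the other three hosts.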

Passwordless logins

We don’t want your password.

From the beginning, runZero has supported single sign-on (SSO) for all users, including the free Starter Edition. From this version (3.8.0) of runZero onward, we support using a one-time authentication link in addition to any configured MFA token.

This feature is no less secure than an email-based password reset and prevents runZero from storing even the hashed and encrypted passwords on our servers. If you are unable to set up SSO, using passwordless logins with a WebAuthn token is the next best thing.

See runZero 3.8 in action

Watch the video to see a demonstration of the newest features in runZero, including asset risk and criticality, goal tracking, and applying vulnerabilities from queries.

Release notes

The runZero 3.8 release includes a rollup of all the 3.7.x updates, which includes all of the following features, improvements, and updates.

New features

  • Risk and criticality levels can now be assigned to assets through third-party integrations, the asset inventory, and custom rules.
  • runZero Preview Program: Goal tracking helps users with Professional and Enterprise licenses track progress toward completing their security initiatives. Use built-in goals for asset ownership coverage or system queries, or create goals with custom queries to fit your needs.
  • runZero system and custom queries can now be used to create vulnerability records.
  • Passwordless authentication is now available, allowing users to request one-time authentication links via email rather than storing a password. This provides a secure authentication alternative when SSO cannot be configured.
  • Added support for Azure and Intune GCC, GCC High, and DoD environments.
  • Improved compatibility with WireGuard and Tailscale on macOS and *BSD.
  • Added support for searching software attributes.
  • Alert channels now support more than one email address.
  • Asset limit warnings have been updated to be more clear about whether or not scans will be affected.
  • A bug preventing an Explorer reassigned to a previous organization from picking up assigned tasks has been resolved.
  • A bug causing software search links to navigate to a 404 page has been resolved.
  • A bug causing task-failed events to ignore the site restriction has been resolved.
  • A bug causing the hostname override tag to not update the hostname displayed has been resolved.
  • A bug that prevented clearing Insights from the dashboard has been resolved.
  • A bug where the copy scan button was cut off in the recurring tasks tab has been resolved.

New vulnerability queries

  • Application: Apache HTTP Server versions vulnerable to CVE-2021-41773 or CVE-2021-42013
  • Application: HPE iLO 4 authentication bypass
  • Application: HPE iLO 5 firmware versions known to be vulnerable
  • Application: OMI WSMAN versions vulnerable to OMIGOD
  • Application: OpenSSH servers vulnerable to CVE-2023-25136
  • Application: SolarWinds Serv-U MFT
  • Application: VMware ESXi vulnerable to CVE-2021-21974 (OpenSLP)
  • Hardware: Accellion legacy file transfer appliances
  • Hardware: Cisco VPN routers vulnerable to CVE-2022-20825
  • Policy: Android debug bridge
  • Policy: Cassandra (unauthenticated)
  • Policy: CouchDB (unauthenticated)
  • Policy: Distributed Ruby service
  • Policy: Elastic Search (unauthenticated)
  • Policy: HTTP directory index
  • Policy: InfluxDB (unauthenticated)
  • Policy: IPMI cipher type zero authentication bypass
  • Policy: Java RMI service
  • Policy: Memcached (unauthenticated)
  • Policy: MongoDB (limited)
  • Policy: MongoDB (unauthenticated)
  • Policy: Neo4J (unauthenticated)
  • Policy: NFS world-readable exports
  • Policy: Redis (unauthenticated)
  • Policy: Remote desktop service on internet-facing host
  • Policy: Riak (unauthenticated)
  • Policy: SMB signing not required
  • Policy: SMB v1 enabled
  • Policy: SNMP default communities
  • Policy: SSH password authentication on internet-facing host
  • Policy: SSLv2 / SSLv3 services
  • Policy: Windows management service on internet-facing host
  • Policy: Zabbix agent without ACL
  • Policy: Zookeeper (unauthenticated)

Product improvements

  • Improved error message when attempting to delete a scan template twice.
  • Grace period for tasks can now be configured from the task template page.
  • Improved asset correlation for multi-source assets.
  • Public API endpoints to view hosted zones have been added.
  • The API endpoints for managing scan tasks now accept an argument to select a hosted zone.
  • Validation for stored queries has been improved to prevent saving queries with warnings or errors.
  • Excerpts of task log messages are now available on the task details page for tasks that are in error status.
  • The display of datagrid warning and error messages has been improved.
  • Improved asset processing when FortiGuard endpoints with “Policy Override Authentication” enabled are present.
  • Self-hosted installs now support an option to disable TLS validation between Explorers and the console application.
  • The max-repetitions and disable-bulk parameters have been added to SNMP probes.
  • Task failures are now reported in the Task details pane.
  • All queries, including runZero-provided system queries, can now be copied.
  • The configuration for runZero-provided system queries can be modified.

Integration improvements

  • Credential verification is now allowed only after all required fields have been completed.
  • Third-party vulnerability integrations now support a more granular risk filter.
  • Third-party integrations now support more granular vulnerability filters.
  • CrowdStrike will now use Connection IP and Connection MAC for asset matching.

Bug fixes

  • A bug that could result in a panic while performing a scan has been resolved.
  • A bug that could prevent the API from creating valid scan tasks has been resolved.
  • A bug that negatively impacted fingerprinting via TLS certificates has been resolved.
  • A bug preventing TLS negotiation in some cases has been resolved.
  • A bug that was triggered when submitting Azure credentials for verification with a subscription ID has been resolved.
  • A bug that could cause deadlocks in the TCP LDAP probe and Active Directory integration has been resolved.
  • A bug that caused an infinite redirect when clicking on site breadcrumbs has been resolved.
  • A bug causing recurring tasks to be incorrectly sorted by start time on the tasks page has been resolved.
  • A bug that caused “Verify & save” on the credentials update page to return an error has been resolved.
  • A bug where Dell laptops were identified as desktops or servers has been resolved.
  • A bug that caused imported queries to be parsed improperly has been resolved.
  • A bug with the default webhook Slack alert template has been resolved.
  • A recent update in Explorer and Scanner behavior which could inadvertently trigger CrowdStrike EDR detection has been disabled.
  • A bug regarding Intune rate limiting and intermittent failures has been resolved.
  • A bug where certain tasks could not be edited has been resolved.
  • A bug regarding erroneously returned results from unscanned runZero assets when searching the asset inventory has been resolved.
  • A bug marking assets “unscanned” has been resolved.
  • A bug that resulted in a 500 error when running the asset attribute report has been resolved.
  • A bug that could prevent custom integration results from merging into existing assets has been resolved.
  • A bug that could cause the save button on the credential edit form to be disabled has been resolved.
  • A bug where clicking links on the Query page of a self-hosted instance may return a 500 has been resolved.
  • A bug where clicking links in the Tasks column of the Credentials page would result in an error has been resolved.
  • A bug where paginated results could display Viewing 0 – N for the first page has been resolved to now display Viewing 1 – N.
  • A bug that could result in duplicate offline assets has been resolved.
  • A bug that prevented CSV exports of assets when using free text search has been resolved.
  • A bug where the number of hops could be incorrectly set to zero when ARP is present as a service has been resolved.
  • A bug that prevented searching assets using the task search key has been resolved.


About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

Finding PaperCut MF and NG servers

PaperCut recently revealed that two products in its popular line of print server software contain severe vulnerabilities currently being exploited in the wild. Reported via the Trend Micro Zero Day Initiative, these vulnerabilities can be exploited by unauthenticated attackers to achieve remote code execution as the SYSTEM user (CVE-2023-27350/ZDI-CAN-18987) or information disclosure, including user information and password hashes (CVE-2023-27351/ZDI-CAN-19226).

What is the impact?

With a CVSS score of 9.8 (“critical”), CVE-2023-27350/ZDI-CAN-18987 exists in the SetupCompleted class and can be leveraged for unauthenticated remote code execution due to improper access control. The Application Server and Site Server components of PaperCut MF and NG product versions 8.0 and later contain this flaw.

CVE-2023-27351/ZDI-CAN-19226 has been assigned a CVSS score of 8.2 (“high”) and exists in the SecurityRequestFilter class as a flaw in the authentication algorithm, allowing for unauthenticated information disclosure. The Application Server component of PaperCut MF and NG product versions 15.0 and later contain this flaw.

PaperCut’s website claims over 130 million users of their products across almost 90,000 organizations in almost 200 countries, including government, commercial, and educational users. Coupled with the substantial list of affected product versions and exploitation of these vulnerabilities already observed happening in the wild, the impact could be quite broad. Trend Micro will defer disclosing more details on these vulnerabilities until next month in order to give PaperCut customers time to patch.

While there is no definitive indicator of compromise for detecting exploitation of these vulnerabilities on a target, PaperCut does offer some clues one can look for.

Are updates available?

Last month, PaperCut released patched versions 20.1.7, 21.2.11, and 22.0.9 which fix these vulnerabilities. Older unsupported/end-of-life versions will not be receiving a patched update.

For admins who cannot patch immediately, PaperCut does provide a mitigation for CVE-2023-27351/ZDI-CAN-19226, but none is available currently for CVE-2023-27350/ZDI-CAN-18987.

How do I find potentially vulnerable PaperCut services with runZero?

From the Services inventory, use the following prebuilt query to locate all PaperCut MF and NG servers in your network:

_asset.protocol:http and protocol:http and (http.body:"PaperCut MF is a print management system" OR last.http.body:"PaperCut MF is a print management system" OR http.body:"PaperCut NG is a print management system" OR last.http.body:"PaperCut NG is a print management system")

As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.
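The version facts above (affected from 8.0 and 15.0; fixed in 20.1.7, 21.2.11, and 22.0.9) can be turned into a triage pass over the servers the query returns. This is an added example, not runZero or PaperCut code: the input rows, the status names, and the rule that each fixed release covers its whole major line are assumptions, and releases above 22.x are reported as unknown because the text does not cover them.

```python
"""Triage PaperCut MF/NG versions against the releases named in the text (added example)."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Values taken from the advisory text on this page.
FIXED_BY_MAJOR: Dict[int, Version] = {20: (20, 1, 7), 21: (21, 2, 11), 22: (22, 0, 9)}
AFFECTED_FROM: Dict[str, Version] = {
    "CVE-2023-27350": (8, 0, 0),   # Application Server and Site Server, 8.0 and later
    "CVE-2023-27351": (15, 0, 0),  # Application Server, 15.0 and later
}

# Hypothetical status names, most urgent first; used to sort the report.
STATUS_ORDER = ["vulnerable_no_listed_fix", "vulnerable", "unparsed",
                "unknown", "patched", "not_affected"]


def parse_version(text: str) -> Optional[Version]:
    """Read 'major.minor[.patch]' from the start of a version string."""
    match = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not match:
        return None
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def fmt(version: Version) -> str:
    return ".".join(str(part) for part in version)


def triage(version_text: str) -> dict:
    """Classify one reported version string."""
    result = {"version": version_text, "status": "", "cves": [], "fixed_in": None}
    version = parse_version(version_text)
    if version is None:
        result["status"] = "unparsed"          # needs a manual check
        return result
    if version < AFFECTED_FROM["CVE-2023-27350"]:
        result["status"] = "not_affected"      # below 8.0: neither flaw per the text
        return result
    major = version[0]
    if major > max(FIXED_BY_MAJOR):
        result["status"] = "unknown"           # release line not covered by the text
        return result
    fixed = FIXED_BY_MAJOR.get(major)
    # Assumption: a fixed release covers every earlier release of the same major.
    if fixed is not None and version >= fixed:
        result["status"] = "patched"
        return result
    result["cves"] = sorted(c for c, floor in AFFECTED_FROM.items() if version >= floor)
    if fixed is None:
        # Older lines: the text lists no patched release for them.
        result["status"] = "vulnerable_no_listed_fix"
    else:
        result["status"] = "vulnerable"
        result["fixed_in"] = fmt(fixed)
    return result


def triage_inventory(rows: List[dict]) -> List[dict]:
    """Triage every row and sort the report with the most urgent hosts first."""
    report = [dict(triage(row.get("version", "")), address=row["address"]) for row in rows]
    report.sort(key=lambda item: (STATUS_ORDER.index(item["status"]), item["address"]))
    return report


# Constructed sample rows (documentation addresses, made-up versions and build string).
SAMPLE_ROWS = [
    {"address": "192.0.2.10", "version": "22.0.8"},
    {"address": "192.0.2.11", "version": "21.2.11 (Build 12345)"},
    {"address": "192.0.2.12", "version": "14.3.1"},
    {"address": "192.0.2.13", "version": ""},
    {"address": "192.0.2.14", "version": "20.0.4"},
]

if __name__ == "__main__":
    for item in triage_inventory(SAMPLE_ROWS):
        cves = ", ".join(item["cves"]) or "-"
        print(f'{item["address"]:<12} {item["status"]:<26} {cves:<32} fix: {item["fixed_in"]}')
```

Rows that come back as unparsed or unknown still need a manual version check before they are treated as safe.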


Asset inventory is foundational to security programs

Think of the technological ecosystem an organization relies on to operate efficiently and effectively: desktop workstations, mobile devices, IT/IoT/OT devices, virtual systems, web apps, data, cloud infrastructure–just to name a few. Keeping track of every single one of these devices feels impossible.

As the number and types of assets continue to grow exponentially, organizations need help staying on top of these devices. Left unmanaged, these devices can act as potential footholds for malicious actors. Security teams need to be able to discover and identify unmanaged assets if they ever want to secure or protect them. How could they effectively secure and protect their organization if there are assets they don’t know about–what they do, where they are, or what their status is?

 

Cybersecurity frameworks and regulations start with a comprehensive asset inventory

Asset inventory is the foundation of a strong cybersecurity posture. It is often considered the first step in identifying potential risks to your organization’s security. This is why it is a key recommendation in many cybersecurity frameworks, including the NIST Cybersecurity Framework (CSF) and CIS Controls. By maintaining an up-to-date inventory of all hardware, software, users, and digital assets across your organization, you can better understand your attack surface and take proactive measures to protect against potential threats.

Let’s take a look at some of the major frameworks and regulations that require an asset inventory.

CIS Controls

The Center for Internet Security (CIS) provides a list of recognized standards for defending your systems and data against modern cyber threats. Cybersecurity professionals and subject matter experts use a consensus-based process to establish these controls. Organizations such as ISC2 and the SANS Institute contribute to the process.

You can consider the CIS Controls an essential safety check that ensures you have your house in order by following security best practices. It speaks volumes that the first control on the list, seen as foundational for good cyber hygiene, is “Inventory and Control of Enterprise Assets.” The rationale is that you need an up-to-date inventory to know what to monitor and protect within the enterprise. An asset inventory also helps you identify unauthorized and unmanaged assets to remove or remediate.

NIST CSF

The NIST Cybersecurity Framework (NIST CSF) is a set of cybersecurity guidelines developed by a non-regulatory agency of the United States government. The NIST CSF is about guidance and best practices with a framework centered around five core functions: Identify, Protect, Detect, Respond, and Recover.

It’s in the Identify function of this framework that asset inventories get flagged as vital for modern cybersecurity programs. According to the framework, the Identify function is all about “risk to systems, people, assets, data, and capabilities.” A big part of this is knowing what assets you actually have.

SOC2

SOC2 is a voluntary compliance standard, but it’s often required to land vendor contracts, particularly with SaaS and B2B companies. Compliance with SOC2 shows clients and partners that your company maintains the highest standards of information security. Meeting SOC2 requirements can make all the difference in whether you succeed in various industries and types of services.

Effective IT asset management is pivotal for obtaining SOC2 certification. In particular, the certification looks for your ability to safeguard assets against unauthorized access and reliably assign owners and users to assets.

HIPAA

Compliance with the Health Insurance Portability and Accountability Act (HIPAA) is essential in the healthcare industry. High standards of security must protect sensitive patient healthcare information. Violations of HIPAA are costly from a financial standpoint, and the penalty involved depends on the level of negligence.

Healthcare providers and business associates need IT asset inventories in order to track the location of electronic health information (ePHI). This reliable, up-to-date asset inventory helps comply with the regulation’s Security Rule.

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a mandatory regulation aimed at protecting cardholder data. Companies that store, process, or transmit cardholder data must comply with PCI DSS. In requirement 2.4 of PCI DSS, the regulation requires companies to maintain an inventory of physical devices, software, user accounts, and more.

The elusive single-source-of-truth for assets

An asset inventory is like the blueprint of a house–without it, there isn’t a clear understanding of what needs protecting. But just like how blueprints can change over time with additions and renovations, an inventory can also become outdated as assets get added or removed from the network.

Networks change constantly, with users logging into enterprise platforms from personal devices or rapidly spinning up new cloud infrastructure that often gets forgotten about. Unsanctioned shadow applications get stood up or accessed by different departments. Add remote work and the continued proliferation of IoT devices to the mix, and you have a more complex IT ecosystem that’s harder to track than ever.

A couple of statistics that drive home the challenges include:

  • Shadow IT cloud usage is estimated to be 10x the size of known cloud usage.
  • One survey found just 28 percent of companies thought their asset inventories were more than 75 percent complete.

Why do asset inventories pose such a challenge for so many organizations? Part of the challenge is that many companies use outdated processes, like spreadsheets, for tracking and managing their cyber assets. As a result, gaps in visibility emerge regularly in today’s dynamic IT ecosystems and risky security scenarios are commonplace. For these reasons, it’s crucial to have a system in place that allows for continuous discovery and monitoring of assets.

The risks of not having an accurate asset inventory

If you’re not proactively maintaining and analyzing your asset inventory, you’re putting your organization at risk. An up-to-date and comprehensive asset inventory is essential for you to make informed business decisions and ensure operational efficiency. Let’s take a look at some of the common issues you’ll encounter when your asset inventory is lacking.

Issue 1: Misalignment between IT and security teams

IT and security teams end up counting different numbers of assets, depending on how they track and update their inventories. This makes it hard to discern the truth of what your IT ecosystem looks like and reduce risks.

Issue 2: Weak security controls coverage

Given the lack of a single source of truth, gaps are more likely to arise in security control coverage. Different teams take responsibility for various areas of security. If these teams lack alignment, you’ll end up with a lack of visibility into security controls coverage, leaving you unaware of:

  • Endpoints not covered by an endpoint detection and response solution (EDR), such as CrowdStrike.
  • Missing hosts from the SIEM tools used by security operations teams to correlate events and proactively respond to more advanced threats.

Issue 3: Failure to manage risky assets

An asset inventory is crucial for identifying and responding to security risks. Not all assets pose the same level of risk, and a comprehensive inventory helps to identify those that do. For example, an isolated device with encrypted traffic may be less risky than an internet-facing asset with insecure configurations. By keeping track of all assets, organizations can respond quickly to zero-day vulnerabilities that require immediate attention. For example, the Log4j vulnerability affected up to 3 billion devices, highlighting the importance of maintaining an up-to-date inventory for efficient vulnerability response.

Issue 4: Lack of asset ownership

Asset ownership is a critical component of asset inventory, as it defines who is responsible for managing and securing each asset. The Equifax breach serves as a prime example of the consequences of not having proper asset ownership in place–without clear ownership over a legacy internet-facing system, no one took responsibility for ensuring that it was scanned and patched regularly. To avoid similar incidents, organizations must prioritize establishing clear lines of asset ownership and incorporating them into their overall security program.

Build the foundation for your security program

Given the modern threat landscape and the fluid nature of IT environments, organizations must regard an accurate and up-to-date asset inventory as a basic tenet of an effective security program. Given the challenges and risks involved, it’s time to move on from manual processes that provide point-in-time static snapshots that often don’t resemble the true state of your network.

Take the first step towards improving your security posture by moving to cyber asset management solutions that can keep pace with the assets connected to your network. A truly effective cyber asset management solution offers advanced fingerprinting techniques and leverages asset data from multiple sources to provide a comprehensive view of your asset inventory–from IT to OT devices, on-premise to cloud to remote environments.

How runZero can help

runZero can help you to gain visibility into all the assets connected to your network, so you can proactively defend against cyber threats. First, you can identify all the assets connected to your network, including those that may have been forgotten or overlooked. Second, you can track changes made to these assets over time. Third, you can assess the risk associated with each asset and prioritize remediation efforts accordingly. As a result, you can improve your organization’s overall security posture by having a complete understanding of your asset inventory.

Ready to take the next step? runZero is the fastest and easiest way to get to full asset inventory across IT, OT, on-premise, cloud, and remote environments.

Build your asset inventory in minutes

runZero is a cyber asset management solution that delivers full cyber asset inventory–quickly, easily, and safely. The solution enriches existing IT & security infrastructure data–from vuln scanners, EDRs, and cloud service providers–with detailed asset and network data from a purpose-built unauthenticated active scanner. No credentials required. Just deploy an Explorer and start scanning.


runZero partners with Abira Security

runZero partners with Abira Security, a full service cybersecurity advisor and managed services provider.

runZero is excited to announce our partnership with Abira Security, a market-leading provider of comprehensive cybersecurity solutions. As part of this partnership, Abira will be offering runZero as a solution to solve the challenges of cyber asset management. runZero’s asset inventory and discovery capabilities are the key to delivering a complete security package.

At runZero, we believe network visibility and asset inventory is a foundational part of maintaining a strong security posture. Abira offers a complete portfolio of cybersecurity solutions, paired with exceptional strategy expertise and real-world experience. Partnering with Abira Security allows runZero to expand and reach more organizations that are searching for a complete security strategy that includes deep network visibility and comprehensive asset inventory.

Eric Goldstein, Director of Channel at runZero, says, “We’re thrilled to be partnering with Abira Security to deliver cyber asset management to our joint customers. A comprehensive asset inventory is essential for any security program and is often the very first step in a security assessment. Together with runZero, Abira will help customers achieve their security goals and maximize their security tech stack value.”

“Abira is a pure play cybersecurity services firm and a true VAR. Our quality, flexibility, and cost structure is hard to beat,” says Ray Harrison, Sales Director at Abira Security.

Organizations today face ever-increasing cyber threats that can compromise their sensitive data and operations. The first step in securing any network is developing a complete asset inventory that accounts for all devices: managed or unmanaged; IT, OT, or IoT; cloud, on-prem, or remote. Combining runZero’s asset inventory capabilities and Abira’s cybersecurity expertise, customers have the benefit of an end-to-end solution that helps them identify, secure, and manage all of their assets, no matter where they exist, safely and effectively.

For more information, visit https://abirasecurity.com/.

Strengthen your security posture with cyber asset management

runZero is a cyber asset management solution that delivers full cyber asset inventory–quickly, easily, and safely. The solution enriches existing IT & security infrastructure data–from vuln scanners, EDRs, and cloud service providers–with detailed asset and network data from a purpose-built unauthenticated active scanner. No credentials required. Just deploy an Explorer and start scanning.


runZero 3.7: Custom integrations and SDK

What’s new with runZero 3.7?

  • Custom integrations and Python SDK
  • ServiceNow Service Graph Connector for runZero
  • Protocol improvements
  • New and improved fingerprints

Custom integrations and Python SDK

runZero Enterprise customers can now import assets from custom sources using the runZero SDK. The new Python SDK supports runZero’s custom integration API functions for ease of automation and use for those familiar with Python. These custom integrations allow for creating and importing asset types not previously supported within runZero, along with assigning the integration a name, description, and custom icon. Once imported, you can manage these custom integration sources from the runZero UI, and remove them from assets if desired. This will allow you to build new integrations and further enrich the asset data within runZero.

ServiceNow Service Graph Connector for runZero

The runZero Service Graph connector is now available in the ServiceNow marketplace. The connector can automatically pull your runZero asset data into your CMDB, merging with your ServiceNow data to improve asset visibility and accuracy. This connector does not replace the ServiceNow IntegrationHub ETL integration; both the connector and integration are available to Enterprise customers.

Protocol improvements

The 3.7 release includes improved support for the Checkmk host agent. Checkmk is an open source host monitoring service and is deployed as part of many solutions and network appliances. Customers with Checkmk in their environment will benefit from improved software inventory and EDR detection for these assets. The accuracy of operating system fingerprinting has also been improved using available Checkmk data. The scanner now supports the Steam In-Home Streaming Discovery Protocol, allowing for identification of devices running the Steam client from Valve Software.

New and improved fingerprints

A number of fingerprints and fingerprint capabilities have been improved in this release. These improvements include fingerprinting of TLS stacks, better coverage of Roku devices based on AirPlay responses, and improved OS fingerprinting of devices speaking the BACnet protocol. New fingerprints were added for products by Abbott, Aruba, Audioscan, Bayer, Canon, Ciena, Cisco, Crestron, FloLogic, GE HealthCare, GE MDS, Google, H3C, Huawei, IBM, Keyence, Meross, Logitech, NetApp, Panduit, Proofpoint, Quantum, Raritan, Roku, Shelly, SonicWall, Tesla, TP-Link, and VMware.

See runZero 3.7 in action

Watch the video to see a preview of some of the newest features in runZero, including the ServiceNow connector, Checkmk protocol parser, and custom integrations leveraging the Python SDK.

Release notes

The runZero 3.7 release includes a rollup of all the 3.6.x updates, which includes all of the following features, improvements, and updates.

New features

  • Customers with an enterprise license can now create custom integrations and import assets from any external asset data source using the runZero Python SDK.
  • Improved performance and reliability of metrics calculations.
  • Improved performance of the vulnerabilities inventory.
  • AWS permission errors are now more detailed to make troubleshooting easier.
  • A bug where the asset ownership tag was not able to be changed successfully has been resolved.
  • A bug where email addresses were case sensitive on sign in has been resolved.
  • A bug where the “Create Organization” button appeared disabled but was still clickable has been resolved.
  • A bug preventing the Asset Ownership goals toggle from being clickable has been resolved.
  • Upgraded npcap to version 1.73.
  • Fingerprint updates.

Security fixes

  • A bug that could show cross-tenant Queries and their associated author email addresses was resolved. This issue only applied to a cloud-hosted version of the runZero platform that was live for slightly more than two hours on March 29th, 2023. Any customers affected by this issue received a detailed notice. This affected version 3.6.14.
  • A bug that could allow an organization admin to see the names of other organizations in the tenant, even without explicit access, has been resolved. This affected versions 3.6.0 to 3.6.5.
  • A bug that could expose limited information about an organization to cross-tenant users has been resolved. This issue could have allowed an attacker that guessed the v4 UUID of an organization to view the name, description, and top-level statistics (asset count, service count, task count, etc.) without appropriate authorization. This affected versions 3.6.0 to 3.6.4.

Product improvements

  • Improved quality of errors reported by the CLI Scanner.
  • Improved user experience of user management.
  • Improved user experience of organization management.
  • Packets sent/received are now visible from the tasks preview.
  • Enterprise customers can now scan all ports and up to a /8 at a time using the hosted scan engines.
  • Attribute searches and reports are now faster in large organizations.
  • It is now possible to download the task log for a failed scan.
  • Hosted scans no longer ignore responses from common firewalls.
  • Daily asset expiration now records an assets-expired event with the count.
  • The task-failed event now includes information about the associated Explorer.
  • Scans can now configure specific probes for Subnet and Host pings.
  • Asset queries can now surface overlaps in asset names, IP addresses, and MAC addresses across inventory.
  • Behavior around parent/child organizations has been improved.
  • A change to Chrome which caused web screenshots to fail has been addressed.
  • Alert rules now support software and vulnerability queries.
  • Asset ownership now supports references to runZero users and groups.
  • Vulnerability inventory now includes an Exploit status, indicating whether the vulnerability is known exploitable. The Exploit status will only be populated for vulnerabilities imported after this release.
  • Datagrids across the UI no longer use the incorrect theme.
  • Task WLAN listing functionality has been improved to enforce a timeout if the underlying utility is slow or unresponsive.
  • The maximum time to complete an SNMP walk is now configurable.
  • The default maximum time to complete an SNMP walk has been increased to 5 minutes from 1 minute.
  • The maximum results for an SNMP walk have been increased to 8k from 4k.
  • Assets owned by a runZero user will now be displayed on the user details page.
  • The Reason column in the failed tasks table will now properly persist the hidden state between page loads.
  • Saved queries can now be created for software, vulnerabilities, and screenshots.
  • Attribute reports now group unique values within a single key.
  • The View More link is now accessible for in-progress tasks.
  • Asset owner names now suggest auto-complete options.
  • Accessibility improvements.
  • Client-side timezone updates.
  • Improved performance of the organization details page.

Integration improvements

  • The AWS integration now supports the GovCloud partition for assumed roles.
  • Validation warnings for internal IPs when using LDAP and InsightVM integrations have been improved.
  • Filtering of non-unique MAC addresses has been improved to better support Cisco virtual MAC addresses.
  • Cisco virtual MAC addresses are now handled more consistently.
  • Increased timeouts for the Tenable integration.
  • Improved reliability of CrowdStrike credentials verification.
  • The API response for a PUT request to /org/sites now returns the details of the new site.
  • Improved reliability of the Tenable integration.
  • API requests to apply tags to one or more assets now complete much faster.

Bug fixes

  • A race condition that could occur during self-hosted installation has been resolved.
  • A bug that could cause the Tenable connector to fail intermittently for some customers has been resolved.
  • A bug that could cause task details not to render on the task overview screen has been resolved.
  • A bug that could prevent organization administrators from creating new projects has been resolved.
  • A bug that could prevent some CrowdStrike software from importing successfully has been resolved.
  • A bug that caused misaligned values when exporting assets to CSV has been resolved.
  • A bug that could cause the SSO page to render off screen has been resolved.
  • A bug that could prevent asset modifications triggered by alert rules has been resolved.
  • A bug that could prevent the dashboard from loading successfully has been resolved.
  • A bug that could cause assets to incorrectly merge has been resolved.
  • A bug that could prevent validation of hostname scan targets has been resolved.
  • A bug that could lead to inaccurate asset correlation has been resolved.
  • A bug which could result in runZero attributes being removed from Offline assets has been resolved.
  • A bug that could prevent subnet stats from being exported has been resolved.
  • A bug that could prevent analysis queries from running for directory users and groups has been resolved.
  • A bug that prevented match counts from being displayed on the queries page has been resolved.
  • A bug that could prevent updating assets with a large number of vulnerabilities has been resolved.
  • A bug that prevented access to runZero canned Queries has been resolved.
  • A bug that could lead to the self-hosted installer not removing temporary files has been resolved.
  • A bug that led to slow SNMP scans of specific Cisco switches has been resolved.
  • A bug that caused recurring tasks marked “Removed” to still be shown on the tasks page after the associated site was deleted has been resolved.
  • A bug preventing asset owners from being updated has been resolved.
  • A bug that could result in inaccurate vulnerability counts for assets has been resolved.
  • A bug that could prevent a subset of vulnerabilities from being saved for multi-source assets has been resolved.
  • A bug that caused errors for CrowdStrike integrations with large numbers of applications has been resolved.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

Introducing runZero’s new ServiceNow Service Graph integration: Get greater data accuracy for your CMDB

Big news: runZero now integrates with ServiceNow Service Graph. The runZero Service Graph integration offers a robust solution for organizations who need to get a comprehensive and up-to-date view of asset data across IT (information technology), OT (operational technology), cloud, and remote environments. This new integration will quickly and easily enrich CMDBs with high-fidelity, contextualized asset details, superseding the existing ETL integration.

The importance of data quality in CMDBs

According to Gartner, nearly one third of CMDB challenges stem from data completeness or quality concerns, which highlights the importance of prioritizing data quality in an organization’s configuration management database (CMDB). This is not just a theoretical concern: Gartner also notes that 99% of organizations using CMDB tooling who do not address configuration item data quality gaps will experience visible business disruption. This makes sense when you consider that IT infrastructure and services are critical components of most modern businesses. Without accurate information about these assets, it becomes difficult to make informed decisions related to security, compliance, risk management, and more.

To deliver better and more complete visibility across your environment, the Service Graph Connector brings your runZero asset inventory into your ServiceNow CMDB. With better data quality in your CMDB, you can ensure your assets get managed in accordance with your organization’s policies. By leveraging runZero’s ServiceNow Service Graph integration, you can improve your CMDB accuracy and reduce the likelihood of costly disruptions caused by inaccurate data. You can be confident that you’re operating on every asset–even the ones your CMDB didn’t know about.

Eliminate data quality gaps and improve IT/IoT/OT asset visibility with runZero’s ServiceNow Service Graph integration

Many organizations are turning to Cyber Asset Management (CAM) solutions to gain better visibility into IT, IoT, and OT assets. These solutions can help proactively identify unmanaged devices and uncover security risks within networks. By using both API data sources and unauthenticated active scanning, runZero is one of the few solutions capable of discovering unmanaged IT, IoT, and OT devices. This approach is especially valuable in OT environments, where visibility may be limited.

runZero’s ServiceNow integration provides you with a powerful tool to improve your asset inventory and cyber asset management. With this integration, you can gain better visibility into IT, IoT, and OT assets, as well as identify and address data quality gaps. This can help you reduce the cost of downtime, improve labor productivity, and get more value from your CMDB investments. In addition, runZero’s active scanner is safe to use in OT environments, ensuring that you can get the most out of your cyber asset management solutions without compromising the safety of your systems. Dozens of organizations are using runZero’s combination of integrations and active discovery, including those in manufacturing, healthcare and utilities, to achieve full asset inventory.

How Capgemini helped their client get better quality data for their CMDB

Let’s take a look at the real world implications of not having a dedicated cyber asset management solution in place.

Capgemini, a global IT consulting firm, was contracted by a French manufacturer and retailer of luxury products to deploy an asset discovery solution and set up the integration with the new CMDB to store the company’s IT asset inventory. However, they were struggling to get the data they needed using MID Servers–especially for managed assets such as routers and switches. They knew they had to explore other asset discovery options.

One of the primary requirements established for the project was unauthenticated asset discovery. The IT department, part of the holding company, was having a hard time collecting credentials for service accounts for many parts of the business. Without credentials, ServiceNow was struggling to inventory most assets. As Capgemini looked into other solutions, they discovered runZero, which delivered everything their client needed: speed, accuracy, a rich API, and unauthenticated scans. runZero’s asset discovery was fast, efficient, and worked without credentials. With runZero, they found 2.5x as many devices as ServiceNow.

After seeing the results with runZero, Capgemini has other ideas for capitalizing on its capabilities. As they work with clients in future projects, runZero will give them an accurate picture of their client’s asset inventory enabling them to provide precise project plans with known scope, schedule, and cost estimates.

Ready to get better results from your CMDB investments? To get started, sign up for runZero and then get the ServiceNow Service Graph integration on the SNOW marketplace.

Be confident in your CMDB’s data quality

runZero is a cyber asset management solution that delivers full asset inventory–quickly, easily, and safely. The solution enriches CMDBs with detailed asset and network data from a purpose-built unauthenticated active scanner. Discover every asset–even the ones your CMDB didn’t know about.

runZero 3.6: Introducing organizational hierarchies

What’s new with runZero 3.6?

Organizational hierarchies

Organizational hierarchies help streamline user and permission management. When creating and editing organizations, you can define an organizational hierarchy that allows for inherited user permissions.

The users assigned to the selected parent organization will maintain the highest assigned permission in the child organization unless specified in their user permissions. For instance, if a user is a viewer in the parent organization, but an administrator in the child organization, they will maintain their admin status in the child organization when the parent-child relationship is created.

Organization hierarchies can be three levels deep, and user permissions in a child organization can be upgraded, not downgraded, from the currently set permissions in the parent organization.

CrowdStrike integration improvements

The CrowdStrike integration now populates asset software information from Falcon Discover. Additionally, IP addresses imported by CrowdStrike are now considered primary addresses and will be used for correlation, and the CrowdStrike credential verification is now separated by service.

Operating system CPE assignment

The operating system Common Platform Enumeration (CPE) field is a string describing detected operating system software aligned to the CPE naming scheme. This field is queried using the syntax os.cpe23:<text>. In cases where runZero was able to fingerprint the operating system but the NIST database does not contain an official matching entry, an unofficial CPE will be generated and include r0_unofficial in the other field of the CPE.
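The field layout behind that last sentence, as an added Python example (not runZero code): it parses CPE 2.3 formatted strings, such as values exported from the os.cpe23 attribute, and separates entries carrying the r0_unofficial marker in the other field from the rest. The sample CPE strings are constructed for illustration.

```python
# CPE 2.3 formatted string: "cpe:2.3:" followed by these 11 attributes.
CPE23_ATTRS = ("part", "vendor", "product", "version", "update", "edition",
               "language", "sw_edition", "target_sw", "target_hw", "other")
UNOFFICIAL_MARKER = "r0_unofficial"  # marker named in the release notes


def split_unescaped(text, sep=":"):
    """Split on sep, keeping backslash-escaped characters (e.g. "\\:") intact."""
    fields, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])  # keep the escape pair together
            i += 2
        elif ch == sep:
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    fields.append("".join(current))
    return fields


def parse_cpe23(cpe):
    """Return the 11 attributes of a CPE 2.3 string as a dict, or raise ValueError."""
    fields = split_unescaped(cpe.strip())
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    if fields[2] not in ("a", "o", "h", "*", "-"):
        raise ValueError(f"invalid part {fields[2]!r} in {cpe!r}")
    if any(value == "" for value in fields[2:]):
        raise ValueError(f"empty attribute in {cpe!r}")
    return dict(zip(CPE23_ATTRS, fields[2:]))


def is_unofficial(cpe):
    """True when the marker appears in the 'other' attribute, and only there."""
    return UNOFFICIAL_MARKER in parse_cpe23(cpe)["other"]


def triage(cpes):
    """Bucket CPE strings so unofficial ones can be handled separately."""
    result = {"unmarked": [], "unofficial": [], "invalid": []}
    for cpe in cpes:
        try:
            bucket = "unofficial" if is_unofficial(cpe) else "unmarked"
        except ValueError:
            bucket = "invalid"
        result[bucket].append(cpe)
    return result


# Constructed sample values, not taken from a real inventory.
SAMPLE_CPES = [
    "cpe:2.3:o:linux:linux_kernel:5.10:*:*:*:*:*:*:*",
    "cpe:2.3:o:examplecorp:exampleos:1.2:*:*:*:*:*:*:r0_unofficial",
    r"cpe:2.3:o:examplecorp:edge\:os:4.0:*:*:*:*:*:*:r0_unofficial",
    "cpe:2.3:o:examplecorp:r0_unofficial:1.0:*:*:*:*:*:*:*",  # marker in product only
    "cpe:/o:examplecorp:exampleos:1.2",  # CPE 2.2 URI form, rejected here
]

if __name__ == "__main__":
    for bucket, values in triage(SAMPLE_CPES).items():
        print(bucket, len(values))
```

Entries in the unofficial bucket have no official NIST match according to the release notes, so any workflow that joins inventory to the NIST dictionary by CPE needs a separate path for them.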

New protocols and fingerprints

The runZero scanner now reports legacy RDP authentication, decodes additional ISAKMP/IKEv2 fields, and improves the fingerprinting of AirPlay devices.

Additional fingerprints were added for products by 2N, Aastra, Alien Technology, AMI, Arista, Asterisk, Avaya, Canon, Cisco, D-Link, Dell, Eaton, Echelon, Fortnet, FreePBX, GAI-Tronics, Grandstream, Hillrom, Honeywell, HP, HPE, Intel, Jenkins, Lantronix, Lenovo, LG, Logic Controls, Logitech, Meinberg, Mitel, Moxa, Netgear, NetApp, Quantum, Palo Alto Networks, Panasonic, Poly, QNAP, Samsung, Sierra Wireless, SoundCom, Spectralink, STARFACE, Tektronix, Thomson, Ubiquiti, VTech, Wahsega, Yealink, ZTE, Zultys, and Zyxel.

New Rapid Response queries

A new query was added to quickly identify OpenSSH 9.1 Servers affected by a memory double-free vulnerability.

See runZero 3.6 in action

Watch the video to see a preview of some of the newest features in runZero, including organizational hierarchies, research updates, software inventory from CrowdStrike, and OS CPE information.

Release notes

The runZero 3.6 release includes a rollup of all the 3.5.x updates, which includes all of the following features, improvements, and updates.

New features

  • Organizational hierarchies are available allowing for permissions to be inherited by child organizations based on an established parent.
  • runZero now identifies the CPE associated with fingerprinted assets and assigns an unofficial CPE where an official match is not found in the NIST database.

Product improvements

  • A new query was added for OpenSSH 9.1 servers affected by a memory double-free vulnerability.
  • Improved SNMP fingerprint coverage capabilities and added new attributes for SNMP protocol version (at the asset level) and authentication details (at the service level).
  • Improved handling of invalid multi-valued subjectAlternativeNames on x.509 certificates.
  • The scanner now supports identifying RDP authentication methods, including legacy and NLA, supported by target hosts.
  • The scanner now supports the ability to decode ISAKMP/IKEv2 replies.
  • A new canned query for OpenSSH 9.1 servers which contain a memory double-free vulnerability has been added.
  • Performance of the Active Directory (LDAP), Azure AD, and Google Workspace integrations has been improved.
  • SNMP protocol versions are now tracked at the asset level.
  • SNMP services will now keep track of how they authenticated and using what protocols.
  • Hostname extraction from malformed subjectAlternativeNames on TLS certificates has been improved.
  • Site scopes with subnets ending in /32 (for IPv4) and /128 (for IPv6) are no longer parsed to single IPs and will appear as CIDR entries in the subnets list.
  • Improved error validation UX around email addresses when setting up an email alert channel.
  • Services, Screenshots, and Software inventory pages now include associated site subnet tags.
  • runZero now identifies the CPE associated with fingerprinted assets and assigns an unofficial CPE where an official match is not found in the NIST database.

Integration improvements

  • Improved fingerprinting of operating systems imported via the LDAP and VMware integrations.
  • Stability and performance of VMware asset correlation has been improved.
  • VMware assets are now merged across sites.
  • The Intune integration has been improved to better handle Intune API rate limiting.
  • IP addresses reported by CrowdStrike are now considered primary addresses, and will be used for asset correlation.
  • CrowdStrike credentials verification is now separated by service.

Bug fixes

  • A bug that could prevent automatic metric calculations from completing has been resolved.
  • A bug that could prevent stale assets from being automatically removed on subsequent task runs has been resolved.
  • Several minor bug fixes and UX improvements have been made to the redesigned task page.
  • A bug that prevented OS fingerprinting and information extraction over RDP has been resolved.
  • A bug preventing users from copying or editing connector and analysis tasks has been resolved.
  • A bug causing new recurring tasks to display an incorrect first run date has been resolved.
  • A bug causing the dashboard asset trends graph tooltips to appear away from the graph has been resolved.
  • A bug causing task page inspection cards to automatically collapse has been resolved.
  • A bug that could result in build-up of frequently recurring tasks has been resolved.
  • A bug that could cause extremely large tasks to remain queued for processing indefinitely has been resolved.
  • A bug that could prevent export of service attribute reports has been resolved.
  • A bug preventing license requirement indicators from being visible on some pages has been resolved.
  • A bug preventing saving of credentials due to bad org-access settings has been resolved.
  • A bug preventing recalculation of the next scheduled run time for a scan has been resolved.
  • A bug that could cause inaccurate asset counts in the Organization Overview report has been resolved.
  • A bug that could cause site import to fail when missing optional fields has been resolved.
  • A bug that could prevent the VMware connector task page from loading has been resolved.
  • A bug that could cause duplicate MSDefender attributes on an asset has been resolved.
  • A bug where firewalls (and similar devices) responding to many non-asset IP addresses during scanning would lead to unexpected assets in inventory has been resolved.
  • A bug preventing the active scans dashboard widget from navigating to the associated task on click has been resolved.
  • A bug preventing site subnet tags from appearing in the dashboard Asset tags widget has been resolved.
  • A bug that could cause CrowdStrike tasks to fail when missing software permissions has been resolved.
  • A bug that could prevent bogus services from certain firewalls from being completely filtered has been resolved.
  • A bug that could lead to a browser crash in the latest release of Chromium-based browsers on macOS has been circumvented.
 

How to streamline user permissions with organizational hierarchies

A common challenge for many businesses is efficiently managing user permissions as new solutions are deployed and adopted. How do you ensure that the right people have the right permissions to access the data they need for their jobs? Missteps on provisioning permissions can lead to unauthorized access to data, creating major headaches for IT and security teams. One way around this challenge is to start with solid user and permission management practices that help you assign access to your users, such as role-based access control (RBAC). RBAC is a security approach that authorizes and restricts users’ access based on their roles within an organization. While RBAC is an effective way to manage user access control at scale, you can add extra layers of protection to ensure that the right roles are being assigned. A good example of this would be using hierarchies to propagate the inheritance of permissions. Let’s take a look at how you can use runZero organizations for data segmentation and hierarchies to streamline user permission management.

The role of organizations

Organizations are a powerful feature that allow you to create separate entities for your assets and control what users can do with the organizational data. In runZero, you can use organizations to group and manage asset data, Explorers, tasks, sites, and scan configurations. The flexibility of organizations allows you to segment your data by company, department, customers, or however you like. For example, you might want to set up different organizations for each environment you have – such as development and production – because you want to segment the data. Or if you’re a service provider, you may have an organization for each one of your customers. In some cases, your business may want to set up multiple organizations to manage asset data as well as streamline permissions management. Imagine having to review and assign organizational access for each user. That’s time-consuming and prone to user error. So how can you ensure consistent provisioning of user permissions throughout your organizations?

Introducing organizational hierarchies

runZero 3.6 introduces organizational hierarchies, which enables you to create parent-child relationships between organizations. This approach is based on a top-down permissions distribution model, where the child organizations inherit the permissions configured within the parent organization. The parent organization sets the minimum permission level a user has to that organization and any children. Child organizations with lower permissions than the parent organization will inherit the effective higher permission. For example, if the parent organization has a user’s permissions set to annotator, then the child organizations can be upgraded to user or administrator, but downgraded permissions won’t have any effect. Imagine you have a parent organization called Mom Org that has a child organization called Baby Org. Within Mom Org, a user named Chris has been assigned an administrator role. As a result, Chris can access the Baby Org organization as an administrator. Let’s take a look at how you can set up organizational hierarchies in runZero.

How to set up organizational hierarchies in runZero

To set up an organizational hierarchy, you can either create a new organization or modify an existing one. You can always edit your organizations and assign a new parent (or no parent at all). Here’s how you can assign a parent organization:
  1. Create a new organization or edit an existing organization.
  2. Make sure to provide a name and description for the organization. This information captures context about the organization and the type of data it contains.
  3. Make sure to set any expiration dates for stale assets, offline assets, and scan data. This determines how long these data types are stored by runZero.
  4. Under parent settings:
    • If you want to add the organization under a parent organization, choose an organization to assign as the parent. You can choose a child organization to be a parent as well – runZero supports up to three levels of nesting.
    • If you don’t want to assign a parent to the organization, choose None. You can add child organizations later, if needed.
  5. Save your organization.
After you save your changes, the new hierarchical permissions will take effect. From the Organizations page, you can see how many children each organization has. Additionally, you can view the details page for a specific organization to see the parent hierarchy.

How to view user permissions

To see what a user’s permissions look like, you can view a user’s details to see their role for each organization.
  1. Go to your Users page and click the name of the user whose permissions you want to view.
  2. The user details page shows a table that contains all of the organizations that the user has access to and the role that they are assigned.
If the role is listed in the Assigned role column, then it was explicitly configured for the user. If the role is listed in the Inherited role column, then the permissions were set by the default role or parent organization. The higher level of the two columns will be the effective access that the user has to that organization.
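
The inheritance rule described above (effective access is the higher of the assigned and inherited roles, across at most three levels), worked through as an added Python example; it is not runZero code. The ranking viewer < annotator < user < administrator, inheritance passing through every ancestor, and the names Toddler Org, Dana and Eve are assumptions made for illustration; the default role is not modelled.

```python
from dataclasses import dataclass, field

# Assumed ranking, lowest to highest; the page names these roles but does
# not spell out the full order.
ROLE_RANK = {"none": 0, "viewer": 1, "annotator": 2, "user": 3, "administrator": 4}
MAX_DEPTH = 3  # the page: hierarchies can be three levels deep


@dataclass
class Org:
    name: str
    parent: "Org | None" = None
    assigned: dict = field(default_factory=dict)  # user -> explicitly assigned role


def chain(org):
    """Return [org, parent, grandparent], rejecting cycles and over-deep nesting."""
    seen, node = [], org
    while node is not None:
        if any(node is s for s in seen):
            raise ValueError(f"cycle in hierarchy at {node.name!r}")
        seen.append(node)
        if len(seen) > MAX_DEPTH:
            raise ValueError(f"{org.name!r} is nested deeper than {MAX_DEPTH} levels")
        node = node.parent
    return seen


def higher(a, b):
    return a if ROLE_RANK[a] >= ROLE_RANK[b] else b


def inherited_role(org, user):
    """Highest role the user holds in any ancestor of org."""
    role = "none"
    for ancestor in chain(org)[1:]:
        role = higher(role, ancestor.assigned.get(user, "none"))
    return role


def effective_role(org, user):
    """The higher of the Assigned role and the Inherited role."""
    return higher(org.assigned.get(user, "none"), inherited_role(org, user))


def ineffective_downgrades(orgs, users):
    """Find assignments that sit below the inherited role and so have no effect."""
    findings = []
    for org in orgs:
        for user in users:
            assigned = org.assigned.get(user)
            effective = effective_role(org, user)
            if assigned is not None and ROLE_RANK[assigned] < ROLE_RANK[effective]:
                findings.append((org.name, user, assigned, effective))
    return findings


# Constructed sample hierarchy: Mom Org -> Baby Org -> Toddler Org.
MOM = Org("Mom Org", assigned={"chris": "administrator", "dana": "annotator",
                               "eve": "viewer"})
BABY = Org("Baby Org", parent=MOM, assigned={"dana": "viewer",
                                             "eve": "administrator"})
TODDLER = Org("Toddler Org", parent=BABY)
ORGS = [MOM, BABY, TODDLER]
USERS = ["chris", "dana", "eve"]

if __name__ == "__main__":
    for org in ORGS:
        for user in USERS:
            print(f"{org.name:12} {user:6} assigned={org.assigned.get(user, '-'):14}"
                  f" inherited={inherited_role(org, user):14}"
                  f" effective={effective_role(org, user)}")
    print(ineffective_downgrades(ORGS, USERS))
```

Reviewing the output of ineffective_downgrades is a quick way to spot users an administrator believed were restricted in a child organization but who keep the parent's higher access.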

Simplify the complexities of user access management with organizational hierarchies

As your business continues to grow and scale, so does the need for control over complexity. To protect and secure your data, you need to have the right systems and measures in place for effective user access management. Once you have solid RBAC practices in place, you can add extra layers of protection, such as organizational hierarchies, to ensure that the right roles are being propagated to users. Ready to get a stronger handle on user and permission management in runZero? Try out organizational hierarchies today.
