Vulnerabilities

7K solutions, 8K contributors
A vulnerability is a weakness that allows an attacker to reduce a system's information assurance. A vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit it. To exploit a vulnerability, an attacker needs at least one applicable tool or technique that can reach the weakness; the set of weaknesses an attacker can reach this way is the system's attack surface. Vulnerability management is the cyclical practice of identifying, classifying, remediating and mitigating vulnerabilities. Related concepts include security risks, security defects, and constructs in programming languages that are difficult to use correctly.


We have quite a handful (about 3 dozen) of staff who bring our corporate laptops to our China branch and are based there for months. We enable local admin for them (as sometimes when they're there they need to install certain software, as there's no PC/end-user support there) and we allow their laptops to connect to hotel/public Wi-Fi.

They'll often VPN back to the local head office here to join our domain for intranet services, and this is when their PCs are found to have malware; or when they are back here locally, their PCs are found to have numerous malware infections. We never know what happened or why their PCs' AV signatures were not updated while they were in China.

I'm proposing application whitelisting (which some of our critical PCs are mandated to have), since AV is a 'blacklisting' solution while application whitelisting is more effective, but my colleague supporting application whitelisting has the concern below:

"Not really suitable. Gotta be connected to VPN at least 2 hrs for the baseline to complete, and if something really breaks and they can't initiate VPN back, the whole laptop is as good as totally disconnected from the network already. High-risk thing to do. Won't be able to remotely change app whitelist settings unless they manage to connect back to the VPN network. Main worry is if a user hits a problem doing VPN."


Q1:
Is the limitation/concern above valid, and isn't there a way to overcome it?

Q2:
What other mitigations can we do for this group of users, assuming we can't
take …
0
I need to run a scan on one IP address within Rapid7.  What's the best way to go about this if creating a report?
0
I'm using Rapid7 and would like to run a scan against my network of all machines. I'd like to pull a report of all machines that have Acrobat and Reader installed, as well as the version of both of those products. Can you walk me through step by step how to produce this scan report? Any input is GREATLY appreciated!
0
We are getting different AV counts for assets that have AV installed on them and assets that do not. Three different platforms are each providing different counts, i.e. AD, Rapid7, Sophos and SCCM. Obviously this is alarming, to say the least, especially from a compliance perspective. What would you guys recommend as the best approach to handling something like this?
0
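One way to get underneath a discrepancy like this, as an added example (not from the post above or from any of the products named): export the asset list from each platform, normalise every name to one key, drop AD computer objects that have not logged on recently, and list which hosts each source is missing. The exports below are constructed sample data in the shape such exports usually take; the field names and the 30-day staleness window are assumptions.

```python
import re
from datetime import date, timedelta

# Constructed sample exports (not real data): each source reports hostnames in its own shape.
AD_COMPUTERS = [
    {"name": "WS-001.corp.example.com", "last_logon": "2019-10-20"},
    {"name": "WS-002.corp.example.com", "last_logon": "2019-10-27"},
    {"name": "OLD-PC.corp.example.com", "last_logon": "2019-01-03"},  # stale object, never cleaned up
    {"name": "SRV-DB1.corp.example.com", "last_logon": "2019-10-28"},
]
RAPID7_ASSETS = ["ws-001", "ws-002", "srv-db1", "10.1.2.3"]  # scanner saw a host it could not name
SOPHOS_ENDPOINTS = ["WS-001", "SRV-DB1"]                       # ws-002 has no AV agent reporting
SCCM_CLIENTS = ["WS-001", "WS-002", "OLD-PC"]

def normalise(name):
    """Canonical key: lowercase short hostname; bare IPv4 addresses are kept as-is."""
    name = name.strip().lower()
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", name):
        return name
    return name.split(".")[0]

def active_ad_hosts(records, as_of, max_age_days=30):
    """AD objects that logged on within the window; stale objects otherwise inflate the AD count."""
    cutoff = as_of - timedelta(days=max_age_days)
    return {normalise(r["name"]) for r in records
            if date.fromisoformat(r["last_logon"]) >= cutoff}

def reconcile(sources):
    """Return ({host: sources that know it}, {source: hosts it is missing})."""
    seen = {}
    for src, hosts in sources.items():
        for h in hosts:
            seen.setdefault(normalise(h), set()).add(src)
    gaps = {src: sorted(h for h, s in seen.items() if src not in s) for src in sources}
    return {h: sorted(s) for h, s in seen.items()}, gaps

def report(as_of=date(2019, 10, 29)):
    """Per-source list of hosts that at least one other source reports but this one does not."""
    sources = {
        "ad": active_ad_hosts(AD_COMPUTERS, as_of),
        "rapid7": set(RAPID7_ASSETS),
        "sophos": set(SOPHOS_ENDPOINTS),
        "sccm": set(SCCM_CLIENTS),
    }
    _, gaps = reconcile(sources)
    return gaps

if __name__ == "__main__":
    for src, missing in report().items():
        print(f"{src:7s} missing: {', '.join(missing) or '-'}")
```

The gaps it surfaces are the usual causes of mismatched counts: stale AD objects (old-pc), scanner assets with no resolvable name (the bare IP), and endpoints whose agent never reported (ws-002 in Sophos). Reconciling to one canonical asset register first is what makes an "AV coverage" percentage defensible.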
Does anyone have a sample table (which I need to submit in a monthly PPT slide) covering patching metrics?

I plan to have a column for virtual patches (as we use NIDS and endpoint IPS) included, so columns like the following:

a) date vulnerability published by product principal
b) date virtual patch is released, tested in our UAT and implemented in Prod (which I'll indicate as 'NA' if not available)
c) date actual principal product (i.e. Oracle, RHEL, firewall vendor) releases their patches, date scheduled to test in UAT and date to deploy in Prod

Any other information/columns that I missed?

In particular I have the following products to cover:
a) Solaris OS 10
b) WebLogic middleware 12.2.1.3
c) Firewall
d) WAF
e) Oracle DB
f) RHEL 6
0
Hello Experts!

Can anyone tell me if Rapid7 NESSUS requires domain admin level access? If it does, can you tell me for what functions it would need this level of access? Thanks a million for your help!
0
Hi,

This may sound a bit crazy, but is there a way to protect sensitive data from programmers while they are developing the application? (It sounds crazy because the programmers have to see the data.) For example, we are compiling social data of staff like family composition, relationships, members' income, health issues, etc. Management wants to protect the data from the IT support techs that will support this app and from the programmers that will be developing it. If there is no way, and IT has to see all the data, what can a company do to manage this situation where very sensitive data is projected to be in the system?

What we have come up with is using dummy data (not real data) for developers to create the applications. We will use this data from creation up to the validation stage. In data import, the tech responsible has to see this data (so there must be some sort of signed agreement); in the support stage, since the tech has to see the problem, they have to see data but will not have a test environment with real data.

What do you guys think? Any experts with this type of experience, your input is fully appreciated.
1
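The "dummy data for developers" approach sketched in the post above can be made more useful than random filler, as this added example shows (not code from the post): identifiers are replaced by keyed HMAC pseudonyms, so joins between tables still work in the development copy but nobody without the key can map a token back to a person; numeric fields are generalised into bands; free text is redacted outright. The record layout, field names and key handling here are assumptions for illustration, and the record itself is constructed.

```python
import hashlib
import hmac

# Constructed example record (not real data) in the shape the post describes.
STAFF_RECORD = {
    "staff_id": "E10234",
    "name": "Tan Mei Ling",
    "spouse_name": "Lim Wei",
    "dependants": 2,
    "household_income": 7350,
    "health_notes": "asthma; annual review",
}

# Held by the data owner, never by developers. Assumption: in practice loaded from a vault.
MASKING_KEY = b"replace-with-a-secret-from-your-vault"

def pseudonym(value, key=MASKING_KEY, length=12):
    """Deterministic keyed pseudonym: same input -> same token, irreversible without the key.
    Determinism is what keeps foreign-key joins intact across masked tables."""
    digest = hmac.new(key, str(value).encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:length]

def income_band(amount, width=2000):
    """Generalise a number into a band so distributions survive but exact values do not."""
    low = (int(amount) // width) * width
    return f"{low}-{low + width - 1}"

def mask_record(record, key=MASKING_KEY):
    """Return a developer-safe copy: identifiers tokenised, free text dropped, numbers banded."""
    return {
        "staff_id": "P" + pseudonym(record["staff_id"], key),
        "name": "Person " + pseudonym(record["name"], key, 6),
        "spouse_name": "Person " + pseudonym(record["spouse_name"], key, 6),
        "dependants": record["dependants"],  # low-risk count, kept so UI tests stay realistic
        "household_income": income_band(record["household_income"]),
        "health_notes": "REDACTED",          # free text cannot be generalised safely
    }

def leaked_fields(original, masked):
    """Pre-handover check: which original string values still appear verbatim in the masked copy?"""
    return sorted(k for k, v in original.items()
                  if isinstance(v, str) and v and v in str(masked.get(k, "")))

if __name__ == "__main__":
    masked = mask_record(STAFF_RECORD)
    print(masked)
    print("leaked:", leaked_fields(STAFF_RECORD, masked))
```

Run the masking once, on the data owner's side, and hand developers only the output; the import and support steps the post describes are then the only points where a named person sees real values, which is where the signed agreement belongs.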
Hi All,

We use a WatchGuard Firebox as our firewall. In the last couple of days it has detected and blocked a relatively high (for us) number of hits (100) of activity it labels as MASSCAN Activity. I have traced this back to a handful of IP addresses. These tried to attack a couple of our web servers that we have to publish on the internet. Only ports 80 and 443 are open on these connections.

Is there anything I can/need to do to help stop this activity, or is it one of those things I have to live with as long as WatchGuard is blocking it?

Cheers,
Paul
0
I keep seeing yourpdf.online in the "Notifications" area of a user's PC. I have run MWB and AdwCleaner and they don't find or remove it. Any idea what that is? What's weird about it is that it seems to be showing different articles online, as if it is notifying her that there are things to see and read.

I also keep seeing "askbobrankin.com". Is that guy legit? Seems fishy.

MWB and AdwCleaner had removed Total AV as a PUP and a few adware things I can't remember... that was a few days ago. Now when I run AdwCleaner, it doesn't find any adware. It only recommends resetting the Winsock or something like that, and when I have it do it, I can't see that it actually did anything.
0
We are having loads of trouble configuring a site-to-site VPN with a pair of WatchGuard T35 firewalls.
Neither is configured much beyond the initial setup wizard.
The current site-to-site VPN is stock from the VPN configuration guide from WatchGuard.

We tried a number of different configs, but have currently deleted them to restart fresh.
Also, we are trying to set the connection to initiate from Site B to Site A just to limit randomness, but can set bidirectional or Site A to Site B as initiator. Doesn't really matter to us.

My theories may be off, so I'll just throw out the logs from each to see what you may think is happening.

Thank you in advance.


Site A
*** WG Diagnostic Report for Gateway "AA-to-TC-Gateway" ***
Created On: Tue Oct 29 09:22:49 2019

[Conclusion]
	Error Messages for Gateway Endpoint #1(name "AA-to-TC-Gateway")
		        Oct 29 09:22:35 2019 ERROR  0x02030015 Message retry timeout. Check the connection between local and remote gateway endpoints.


[Gateway Summary]
	Gateway "AA-to-TC-Gateway" contains "1" gateway endpoint(s). IKE Version is IKEv1.
	  Gateway Endpoint #1 (name "AA-to-TC-Gateway") Enabled
		Mode: Main
		PFS: Disabled 	AlwaysUp: Disabled
		DPD: Enabled 	Keepalive: Disabled
		Local ID<->Remote ID: {IP_ADDR(A.A.A.A) <-> IP_ADDR(B.B.B.B)}
		Local GW_IP<->Remote GW_IP: {A.A.A.A <-> B.B.B.B}
		Outgoing Interface: eth0 (ifIndex=4)
			ifMark=0x10000
			linkStatus=0 (0:unknown, 1:down, 2:up)
		Stored user messages:
		        


0
Hi, I'm using the Quarantine feature from WatchGuard and this creates a quarantine website users can log onto. But the problem is that it's an intranet server and as such doesn't have an 'official' SSL certificate. I tried to create a self-signed one etc. but I keep on failing... could someone please give me step-by-step instructions on how to create a self-signed certificate and attach it to that website so that the browsers won't throw their security warnings anymore? Thanks!
0
Hi,

I am using the 1.1.1.1 WARP app on my iPhone. I just got this message; does any expert know what it means? Help please.

Warp message
0
I have a concern about installing apps that request my iPhone/iPad password. So some questions:

  • When an app requests authentication with my iPhone password, is it possible for the app to extract the password?
  • Also, using two-factor authentication for my Apple ID, would that protect my Apple data even though I gave the password to the app requesting it?

(Sorry for my ignorance, and maybe it is nothing to worry about, but I wanted expert input on this, so any help would be greatly appreciated.)
0
Can someone share the exact steps (step by step) on how to set X-Frame-Options in WebLogic (10.3.6, 12.1.3, 12.2.1.3) and Tomcat to SAMEORIGIN to fix XFS/clickjacking?

I'm running Solaris 10 and RHEL 6 OS.
0
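For Tomcat the header is set by the built-in org.apache.catalina.filters.HttpHeaderSecurityFilter in web.xml (init-param antiClickJackingOption set to SAMEORIGIN); WebLogic has no equivalent built-in filter, so the usual route is a servlet Filter packaged with the application, or adding the header at the reverse proxy or load balancer in front of it. Whichever route is taken, verify the result on a live response, because a header added in two places (application and proxy) can produce conflicting values that browsers then ignore. The added check below (not from the post above) classifies a response's framing protection from its headers; the header dict is an assumption about how you collect them (for example from curl -I or a scanner export).

```python
def clickjacking_status(headers):
    """Classify a response's framing protection from its headers.

    `headers` is a dict of response header name -> value (lookup is case-insensitive).
    Returns (verdict, detail). A Content-Security-Policy frame-ancestors directive,
    where present, takes precedence over X-Frame-Options in browsers that support it.
    """
    h = {k.lower(): v for k, v in headers.items()}

    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [p.lower() for p in parts[1:]]
            if sources in (["'none'"], ["'self'"]):
                return "protected", f"CSP frame-ancestors {sources[0]}"
            if not sources or "*" in sources:
                return "vulnerable", "CSP frame-ancestors permits any origin"
            return "restricted", "CSP frame-ancestors " + " ".join(sources)

    xfo = h.get("x-frame-options")
    if xfo is None:
        return "vulnerable", "no X-Frame-Options and no CSP frame-ancestors"
    # Two values (typically app + proxy both adding the header) are only safe when identical;
    # browsers discard the header entirely when the values conflict.
    values = {v.strip().upper() for v in xfo.split(",") if v.strip()}
    if len(values) != 1:
        return "vulnerable", f"conflicting X-Frame-Options values {xfo!r} are ignored by browsers"
    value = values.pop()
    if value in ("DENY", "SAMEORIGIN"):
        return "protected", f"X-Frame-Options {value}"
    if value.startswith("ALLOW-FROM"):
        return "weak", "ALLOW-FROM is not honoured by current browsers; use CSP frame-ancestors"
    return "vulnerable", f"unrecognised X-Frame-Options value {xfo!r}"

if __name__ == "__main__":
    # Constructed header sets (not captured from any real server).
    for sample in (
        {"X-Frame-Options": "SAMEORIGIN"},
        {"X-Frame-Options": "DENY, SAMEORIGIN"},
        {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
        {},
    ):
        print(sample, "->", clickjacking_status(sample))
```

Run it against the headers of the same URL the pentester flagged; a "protected" verdict on one page does not cover error pages or other context roots served by the same WebLogic instance, so check those too.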
Our apps architect recommends Alpine Linux for our microservices/container environment.

Some time back, a patch management vendor told us that patching for Alpine can't be managed by Satellite or BigFix, i.e. we have to download and patch manually.

Q1:
Is the above true, or is there something like 'yum' in RHEL to patch Alpine?

Q2:
Also, there's no CIS hardening benchmark nor any docs that standardize what to harden for Alpine.

Q3:
The architect further points out that Alpine is the most secure and efficient Linux to use for microservices; is this true? Does Alpine have a good development team that constantly checks for vulnerabilities and releases advisories/patches (at least like RHEL)?

https://alpinelinux.org/about/
https://en.wikipedia.org/wiki/Alpine_Linux

Q4:
Where can I view Alpine's past CVEs/vulnerabilities list, and how can we assess how good the support for Alpine is? Don't want a case where we log a case for support and there's a lack of response and no solution.
0
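On Alpine the package manager is apk, and `apk upgrade` is the counterpart of `yum update` (Q1). Alpine publishes its security fix database as JSON, one file per branch and repository, under https://secdb.alpinelinux.org/ (for example v3.10/main.json); that is where to list past CVEs and the package version that fixed each (Q4). The added example below (not from the post above or from the Alpine project) compares that database with the output of `apk info -v` inside a container to find CVEs whose fix is newer than the installed version. The secdb excerpt and package list are constructed; the version-to-CVE pairs are illustrative, and the version comparison is a simplified approximation of apk's ordering (it ignores suffixes such as _pre, _rc and _p).

```python
import json
import re

# Constructed excerpt in the shape of https://secdb.alpinelinux.org/<branch>/main.json (not real data;
# the version/CVE pairs are illustrative only).
SECDB_SAMPLE = json.loads("""
{"distroversion": "v3.10", "reponame": "main",
 "packages": [
   {"pkg": {"name": "openssl", "secfixes": {
       "1.1.1d-r0": ["CVE-2019-1547", "CVE-2019-1549", "CVE-2019-1563"],
       "1.1.1c-r0": ["CVE-2019-1543"]}}},
   {"pkg": {"name": "musl", "secfixes": {"1.1.22-r3": ["CVE-2019-14697"]}}},
   {"pkg": {"name": "busybox", "secfixes": {"1.30.1-r2": ["CVE-2019-5747"]}}}
 ]}
""")

# Constructed output of `apk info -v` (one "<name>-<version>" per line) from a container.
APK_INFO_V = """musl-1.1.22-r3
busybox-1.30.1-r2
openssl-1.1.1c-r0
zlib-1.2.11-r1
"""

def split_version(ver):
    """'1.1.1d-r0' -> ([1, 1, 1, 'd'], 0): numeric/alpha components plus the -rN package release."""
    base, _, rel = ver.partition("-r")
    parts = [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[a-z]+", base)]
    return parts, int(rel) if rel.isdigit() else 0

def version_key(ver):
    """Sort key approximating apk's ordering (simplified: numbers numeric, letters lexical)."""
    parts, rel = split_version(ver)
    return ([(0, p) if isinstance(p, int) else (1, p) for p in parts], rel)

def parse_apk_info(text):
    """Map package name -> installed version from `apk info -v` lines."""
    installed = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)-(\d[^-]*(?:-r\d+)?)$", line.strip())
        if m:
            installed[m.group(1)] = m.group(2)
    return installed

def unfixed_cves(secdb, installed):
    """{package: [CVEs]} for fixes whose version is newer than what is installed."""
    findings = {}
    for entry in secdb["packages"]:
        pkg = entry["pkg"]
        current = installed.get(pkg["name"])
        if current is None:
            continue  # package not installed in this image
        pending = [cve for fixed, cves in pkg["secfixes"].items()
                   if version_key(fixed) > version_key(current)
                   for cve in cves]
        if pending:
            findings[pkg["name"]] = sorted(pending)
    return findings

if __name__ == "__main__":
    for name, cves in unfixed_cves(SECDB_SAMPLE, parse_apk_info(APK_INFO_V)).items():
        print(f"{name}: {', '.join(cves)} (run: apk upgrade {name})")
```

Because containers are rebuilt rather than patched in place, the practical use is in CI: run this against the image, fail the build when the result is non-empty, and fix by rebuilding from an updated base image. Support-wise, the secdb commit history and the aports issue tracker are what show how quickly a given CVE got a fix (Q4).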
Hi All,

We use WatchGuard as our firewall and have Dimension set up for reporting. What is the easiest way to find out and possibly monitor all users that have some form of file transfer, either FTP or web/app based such as Dropbox etc.?

Can this be done? How best to view this info or set this up?

Cheers,
Paul
0
https://jonlabelle.com/snippets/view/javascript/jquery-1124-xss-patch
https://www.cadence-labs.com/2018/07/magento-outdated-jquery-version-how-to-patch-without-upgrading-cve-2015-9251/

Referring to the 2nd link above, we're using jQuery (though maybe not Magento).

As instructed above, run in the Chrome console (Alt-Shift-I or F12 to invoke the console) and enter:
  jQuery.get('https://sakurity.com/jqueryxss');

Q1:
So to verify my URL, do I replace sakurity.com with my URL, or do I load my URL in the Chrome browser and in the console enter the above jQuery.get ...? How do I use it to verify my URL?

Q2:
Tried several URLs and got the various returns below; are they pop-ups, or what's the expected value (in the pop-ups) that will indicate my URL is vulnerable, or what do other values mean? The values returned that I got so far:

a)
jQuery.get('https://www.myURL.com/jqueryxss');
{readyState: 1, getResponseHeader: ƒ, getAllResponseHeaders: ƒ, setRequestHeader: ƒ, overrideMimeType: ƒ, …}

b)
jQuery.get('https://sakurity.com/jqueryxss');
{readyState: 1, getResponseHeader: ƒ, getAllResponseHeaders: ƒ, setRequestHeader: ƒ, overrideMimeType: ƒ, …}

c)
jQuery.get('https://www.google.com');
{readyState: 1, getResponseHeader: ƒ, getAllResponseHeaders: ƒ, setRequestHeader: ƒ, overrideMimeType: ƒ, …}
(index):1 Access to XMLHttpRequest at 'https://www.google.com/' from origin 'https://www.jp.com.sg' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is …
0
jQuery (JavaScript libraries) is bundled with a number of our software products (WebLogic, a supplier app, mobile app): quite a number of XSS vulnerabilities were found by our pentester.

Q1:
One app vendor replied that updating (i.e. patching) or upgrading jQuery may destabilize their app. So are we supposed to wait for these vendors to release their next app release so as to bundle in a newer and patched jQuery, or can we get the patches/updates from Oracle and just update/patch it? Or by doing so, will we lose the support of the app vendor?

Q2:
In the case of WebLogic 12.2.1.3, jQuery ver 3.2 is bundled. Since both WebLogic and jQuery are from Oracle, is it supported if we just update jQuery (or is there no patch/update, i.e. we just have to upgrade jQuery to ver 3.3 or 3.4)?

Q3:
Are jQuery vulnerabilities the same as JavaScript vulnerabilities (I read on the Oracle site that jQuery is actually a JavaScript library)?
0
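Both jQuery posts above turn on the same question: which jQuery version is actually shipped, and which advisories apply to it. The console test referenced in the earlier post, jQuery.get('https://sakurity.com/jqueryxss'), exercises CVE-2015-9251: before jQuery 3.0.0, a cross-domain $.get with no dataType executes a response served as text/javascript. The object the console prints ({readyState: 1, ...}) is only the pending jqXHR that $.get returns and says nothing about vulnerability either way; the CORS error for google.com is unrelated (that host simply sends no Access-Control-Allow-Origin header). The signal is whether the fetched script runs. That test also says nothing about jQuery 3.2, which is past 3.0.0 but still predates the fixes for CVE-2019-11358 (3.4.0) and CVE-2020-11022/CVE-2020-11023 (3.5.0). The added example below (not from either post, nor from the jQuery project) reads the version banner from the jQuery files under a deployment and maps each to the core advisories it predates; the advisory list is this editor's selection.

```python
import re
from pathlib import Path

# jQuery core advisories and the first version that fixed each; anything older is affected.
# (Editor's selection from the public advisories, not from the page.)
JQUERY_ADVISORIES = [
    ("CVE-2015-9251", (3, 0, 0),
     "cross-domain $.get executes text/javascript responses when no dataType is set"),
    ("CVE-2019-11358", (3, 4, 0), "prototype pollution via jQuery.extend"),
    ("CVE-2020-11022", (3, 5, 0), "XSS via jQuery.htmlPrefilter on untrusted HTML"),
    ("CVE-2020-11023", (3, 5, 0), "XSS via <option> elements in untrusted HTML"),
]

# Matches the banner jQuery ships at the top of both jquery.js and jquery.min.js, e.g.
# "/*! jQuery v3.2.1 | (c) JS Foundation and other contributors" or the unminified
# " * jQuery JavaScript Library v1.12.4". Plugins such as jQuery Migrate do not match.
BANNER_RE = re.compile(r"jQuery(?: JavaScript Library)? v(\d+)\.(\d+)(?:\.(\d+))?")

def parse_version(text):
    """Return (major, minor, patch) from a jQuery banner, or None if the text is not jQuery core."""
    m = BANNER_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))

def affected_by(version):
    """(cve, summary) pairs whose fix version is newer than `version`."""
    return [(cve, summary) for cve, fixed, summary in JQUERY_ADVISORIES if version < fixed]

def scan_tree(root):
    """Walk `root` for *.js files carrying a jQuery banner; return {path: (version, [cves])}."""
    results = {}
    for path in Path(root).rglob("*.js"):
        try:
            head = path.read_text(encoding="utf-8", errors="replace")[:400]
        except OSError:
            continue
        version = parse_version(head)
        if version:
            results[str(path)] = (version, [cve for cve, _ in affected_by(version)])
    return results

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, (ver, cves) in sorted(scan_tree(root).items()):
        label = ".".join(map(str, ver))
        print(f"{path}: jQuery {label} -> {', '.join(cves) or 'no known core CVEs'}")
```

Point it at the exploded WebLogic domain, the supplier app's static directory, or an unpacked mobile app bundle; a single product often carries several copies of different versions, and each copy that is actually served is a finding in its own right. Whether replacing a bundled copy is supported is a vendor question, but the scan gives you the exact version to ask about.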
Hi,

I recently ran a Nessus scan and have been working through the output; I'm trying to work out how to fix one of the vulnerabilities:

The web server running on the remote host appears to be using Microsoft ASP.NET, and may be affected by a denial of service vulnerability. Requesting a URL containing an MS-DOS device name can cause the webserver to become temporarily unresponsive. An attacker could repeatedly request these URLs, resulting in a denial of service. Additionally, there is speculation that this vulnerability could result in code execution if an attacker with physical access to the machine connects to a serial port.

Solution
Use an ISAPI filter to block requests for URLs with MS-DOS device names.

I have been researching how to resolve this but can't find the answer. Do I need to install a Microsoft patch or something? Any help would be appreciated.

The server is running 201r2
0
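The finding is the old ASP.NET/IIS behaviour where a URL naming a reserved MS-DOS device (CON, PRN, AUX, NUL, COM1-9, LPT1-9) stalls the worker. The scanner's advice, an ISAPI filter, dates from IIS 6; on IIS 7 and later the built-in Request Filtering module (the <requestFiltering> section of web.config) is the supported place for such a rule, without custom code. The added example below (not from the post above or from the scanner) shows what such a filter has to get right, because naive string checks miss the edge cases: percent and double-percent encoding, backslash separators, an extension after the device name (con.aspx), and trailing dots or spaces, all of which Windows still resolves to the device. Before chasing a patch, send one such request to the server and confirm it returns 400/404 promptly rather than hanging.

```python
import re
from urllib.parse import unquote, urlsplit

# Reserved MS-DOS device names. Windows resolves them regardless of extension, case,
# or trailing dots and spaces, which is why a plain equality check is not enough.
DOS_DEVICES = ({"CON", "PRN", "AUX", "NUL", "CLOCK$"}
               | {f"COM{i}" for i in range(1, 10)}
               | {f"LPT{i}" for i in range(1, 10)})

def dos_device_in_url(url):
    """Return the offending (decoded) path segment if any segment names a DOS device, else None.

    Mirrors what the filter the scanner recommends has to do: decode percent-encoding
    (twice, so double-encoded forms are caught), split on both slash styles, strip any
    extension and trailing dots/spaces, and compare case-insensitively.
    """
    path = urlsplit(url).path
    decoded = unquote(unquote(path))          # "%2563on" -> "%63on" -> "con"
    for segment in re.split(r"[\\/]+", decoded):
        if not segment:
            continue
        stem = segment.split(".", 1)[0].rstrip(" .").upper()
        if stem in DOS_DEVICES:
            return segment
    return None

def filter_decision(url):
    """("block", segment) or ("allow", None), the verdict a request filter would return."""
    hit = dos_device_in_url(url)
    return ("block", hit) if hit else ("allow", None)

if __name__ == "__main__":
    # Constructed request URLs (not from any real log).
    for url in ("http://host/app/default.aspx", "http://host/app/con.aspx",
                "http://host/app/%2563on", "http://host/app/console.aspx",
                "http://host/app/lpt1/index.aspx"):
        print(url, "->", filter_decision(url))
```

Note that a substring rule ("deny any URL containing con") would also block console.aspx and contact.aspx; matching on the whole path segment, after decoding and before the first dot, is what keeps the filter from breaking the application.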
I have two WatchGuard M270s configured in a FireCluster.

Interface 0 is the external interface, configured with a /28 block.
Interface 1 is the LAN.

We have consumed all of our IPs, so I ordered another /28 block from our datacenter today. As soon as I configure Interface 2 for our new IP block, outbound traffic for the most part ceases to work on our network; however some things do work, so we'll call it intermittent. As an example, I can ping out to 4.2.2.2 but can't ping 8.8.8.8. As soon as I disable Interface 2, which is configured for the new IP block, I am able to ping 8.8.8.8 again.

I'm assuming this is because we now have 2 WAN interfaces configured and outbound traffic doesn't know which interface it should be sent out on, but I couldn't be sure. I've made 4 calls to WatchGuard support and nobody can identify the problem. I even had our datacenter issue us a different IP block just to rule out any kind of odd conflict, but the problem persists with a new IP block.

Am I going about this all wrong, trying to have 2 IP blocks configured on our WatchGuard? Is the better solution to just order a bigger block of IPs and re-IP everything? I was trying to avoid that hassle by just adding an additional block of IP addresses, but it seems that what I'm trying to do here isn't working.

I would appreciate any advice or input that someone could give on this. Thank you!!
0
Hi,

Does a MacBook have the same ports as a Windows computer?
(For example, on Windows port 80 = HTTP, port 443 = SSL, etc.)

And what ports should be closed on a Wi-Fi router for better protection?
0
Two separate businesses using the same domain name have now merged into one.
This is the first time I've run into this and I hope someone could shed some light. We've recently acquired a new client who at one point had two domain controllers, Server 2008 and Server 2012. They moved Server 2012 over to a new location as part of a different business, but kept the same domain name. Server 2008 AD sees the 2012 as a DC; however, 2012 doesn't see 2008 as a DC. They are now on different networks, but were recently configured to tunnel back to corporate to share resources.

What I'm trying to accomplish: join a 2016 DC to their corporate domain to decommission 2008.

Error I'm getting when promoting 2016 to a DC: "Active Directory preparation failed. The schema master did not complete a replication cycle after the last reboot."

What I've gathered so far:

Server 2008 - DC - samedomain.local - Corporate Office
At one point was replicating to 2012.

Server 2012 - DC - samedomain.local - Remote Office
No longer replicating from 2008.

Recently a WatchGuard VPN was put in so the two locations could talk and share resources. Different IP schemes, and they don't know about each other.

My question: can I safely remove the 2012 DC from 2008 to stop attempting replication and at the same time continue to operate both under the same domain name, but separate?

The remote office will still use 2012 to authenticate locally until we can sit down and plan out a migration plan several …
0
Is there a way to emulate threat traffic in a controlled environment? We would then use this information for common use cases. I was thinking of anything along the lines of log files that could give an indication of different attack signatures. This method is obviously safer than injecting a virus on a test box and then introducing it to a customer's network. Any suggestions are GREATLY APPRECIATED!
0
Q1:
I'm making a comparison of IPS brands that give the most virtual patches for various CVEs for MS (Windows, Outlook, .NET, MS SQL, IIS and MS Office), Oracle (WebLogic, Database, Java, Solaris), Linux (various Linux, esp. RHEL, Ubuntu, Debian, CentOS used in microservices) and a couple of open-source software packages (e.g. PHP, Apache, Struts, WordPress).

The reason is that it's difficult to get downtime, and lead time to patch can often stretch to almost a year. Currently, Trend Micro claims its Deep Security is endorsed by MS as giving the most virtual patches for MS products.

Q2:
What about TippingPoint NIDS (acquired by Trend Micro) in terms of its number of virtual patches for the various products above?

Q3:
What about other products (esp. coverage for Oracle and Linux-related ones)? McAfee, Check Point, Sophos, ...?

Q4:
Also, continued support for obsolete versions of software is crucial for us, as we have a long lead time to tech-refresh obsolete software (i.e. principals/developers don't release patches for it anymore).

Q5:
There's an argument that ultimately the product patch still needs to be applied? What could be the possible reasons for this? Heard that for NIDS, if PCs got infected/compromised, the attacker could bypass NIDS and WAF to attack the unpatched endpoint servers. Guess an IPS with an agent inside the endpoint will mitigate that, right?
0
I have traffic coming from the outside world to a WatchGuard firewall, to a Citrix NetScaler, which goes to an internal ASA firewall and then to the internal network.

Our Citrix NetScaler also has the same certificate for sts.domain.com (service communication certificate) which is being hosted on our internal ADFS server (Windows Server R2).

We don't have an ADFS proxy server as of now.

Recently we had a password spray attack on our internal ADFS server, and we could not determine the source IP on our internal ADFS server.

I wanted to know the following:

1) I read in articles that Windows Server 2012 R2 has an extranet lockout feature and the ADFS 2016 server also has an extranet lockout feature, so is there any difference between the two as far as protection from password spray attacks is concerned?

In the scenario I explained regarding traffic coming from outside to WatchGuard firewall - NetScaler - ASA firewall, where should I place the WAP server and how can it help in mitigating password spray attacks?

Are there any good tutorials for upgrading Windows Server 2012 to 2016 ADFS server and how proxy ADFS should be configured?

We have mailboxes in 365 and AD accounts are synced through AAD Sync to Azure AD.

I came to know from Microsoft that messages are being redirected from Office 365 to the internal ADFS server and it is not authenticating, so what other steps should I take?

To protect from spray attacks, is just a proxy ADFS server sufficient, or should some conditional policy be applied …
0
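Extranet lockout on ADFS 2012 R2 and on ADFS 2016 is the same per-account model: a configurable number of failed logons for one account within an observation window stops ADFS validating further extranet attempts for that account. A password spray is built to stay under that threshold, one or two guesses per account across many accounts, so lockout protects an individual account from brute force but does not detect the spray itself. Detecting it needs a per-source view, which is exactly what is missing when ADFS is reached through NetScaler without a Web Application Proxy: the WAP is the component that relays the client address to ADFS (the X-MS-Forwarded-Client-IP header), which is why it belongs in the DMZ in front of the internal ADFS server. The added example below (not from the post above or from Microsoft) runs both models over a constructed set of failed logons: the source-based spray detector flags the attacker, while the per-account lockout simulation only catches the user who mistyped her own password. The record format and thresholds are assumptions; map them from whatever your ADFS audit events or proxy logs provide.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records (not real logs): (timestamp, account, source IP).
# The field layout is an assumption; derive it from your ADFS audit events or WAP logs.
FAILED_LOGONS = [
    ("2019-10-29T02:00:01", "alice@corp.example", "203.0.113.10"),
    ("2019-10-29T02:00:03", "bob@corp.example",   "203.0.113.10"),
    ("2019-10-29T02:00:05", "carol@corp.example", "203.0.113.10"),
    ("2019-10-29T02:00:07", "dave@corp.example",  "203.0.113.10"),
    ("2019-10-29T02:00:09", "erin@corp.example",  "203.0.113.10"),
    ("2019-10-29T02:00:11", "frank@corp.example", "203.0.113.10"),
    # one user repeatedly mistyping her own password from her own address
    ("2019-10-29T02:05:00", "alice@corp.example", "198.51.100.7"),
    ("2019-10-29T02:05:20", "alice@corp.example", "198.51.100.7"),
    ("2019-10-29T02:05:40", "alice@corp.example", "198.51.100.7"),
    ("2019-10-29T02:05:55", "alice@corp.example", "198.51.100.7"),
    ("2019-10-29T02:06:10", "alice@corp.example", "198.51.100.7"),
    ("2019-10-29T02:06:30", "alice@corp.example", "198.51.100.7"),
]

def _windows(events, window):
    """Yield (start, end) index pairs of a sliding time window over events sorted by events[i][0]."""
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        yield start, end

def detect_spray(records, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Source IPs that fail logons for many distinct accounts, few attempts each, inside `window`.
    Returns {ip: sorted accounts seen in any qualifying window}."""
    by_ip = defaultdict(list)
    for ts, account, ip in records:
        by_ip[ip].append((datetime.fromisoformat(ts), account.lower()))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        for start, end in _windows(events, window):
            counts = defaultdict(int)
            for _, account in events[start:end + 1]:
                counts[account] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                flagged.setdefault(ip, set()).update(counts)
    return {ip: sorted(accounts) for ip, accounts in flagged.items()}

def would_lock_out(records, threshold=5, observation_window=timedelta(minutes=30)):
    """Accounts an extranet lockout (threshold failures per account within the window) would block."""
    by_account = defaultdict(list)
    for ts, account, _ in records:
        by_account[account.lower()].append((datetime.fromisoformat(ts), None))
    locked = []
    for account, events in by_account.items():
        events.sort(key=lambda e: e[0])
        if any(end - start + 1 >= threshold for start, end in _windows(events, observation_window)):
            locked.append(account)
    return sorted(locked)

if __name__ == "__main__":
    print("spray sources:", detect_spray(FAILED_LOGONS))
    print("accounts a 5-failure lockout would block:", would_lock_out(FAILED_LOGONS))
```

The two results together make the point for the architecture question: lockout is still worth enabling (and tuning so the threshold sits below the domain's AD lockout threshold, or attackers can lock users out of the internal network), but the per-source detection only becomes possible once the client address reaches ADFS through the WAP.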
