Tenable Ranked Number One in Device Vulnerability Management Market Share by Leading Analyst Firm

June 3, 2020

NEW DELHI, India/COLUMBIA, MD – June 3, 2020 – Tenable®, Inc., the Cyber Exposure company, today announced that it has been ranked #1 for device vulnerability management for 2019 market share in the IDC, Worldwide Device Vulnerability Management Market Shares, 2019: Finding the Transitional Elements Between Device Assessment Scanning and Risk-Based Remediation (doc # US46284720, May 2020) report.

According to the report, Tenable is ranked number one in global market share and revenue for 2018 and 2019 and is growing more than twice as fast as its closest competitor. The IDC market share report credits Tenable’s success to the company’s focused innovation and continued investments in delivering the best-of-breed enterprise vulnerability management platform:

  • Tenable Lumin™, a first-of-its-kind innovation, empowers organizations to translate technical data into business insights by visualizing, analyzing, measuring and benchmarking cyber risk alongside other key risk metrics.
  • Tenable’s leadership in zero-day research coupled with its rapid plugin release cycle for newly discovered flaws bolsters its detection capabilities and helps its customers find and fix vulnerabilities faster and more accurately. Tenable reports the largest Common Vulnerabilities and Exposures (CVE) library among vulnerability management vendors and uncovered over 100 zero-day threats in 2019.
  • Tenable’s acquisition of industrial security leader, Indegy, combined two pioneers of IT vulnerability management and industrial cybersecurity to deliver Tenable.ot™, the industry’s first unified, risk-based view of IT and operational technology (OT) security.
  • Tenable’s market-leading passive monitoring capabilities and data collection sensors uniquely provide holistic visibility across modern computing environments, including IT, cloud and OT.

“Customers have overwhelmingly chosen Tenable as the number one vulnerability management platform and that’s reflected in our market share and revenue,” said Amit Yoran, Chairman and CEO at Tenable. “We’re laser-focused on providing our more than 30,000 customers with a best-of-breed platform for understanding cyber exposure and risk across IT, OT, web applications, DevOps environments and the cloud. Tenable is committed to continuous innovation, market-leading research and market-defining solutions to assess, understand and manage risk across today’s entire attack surface.”

The IDC market share report underscores Tenable’s track record of raising the bar for cybersecurity and driving industry change. According to the report, “Tenable is working toward moving its customers away from vulnerability management as a compliance-based reporting medium into a risk-based solution designed to help organizations manage and measure cyber-risk across the modern attack surface.”

To read the report excerpt, visit https://www.tenable.com/idc-report.


# # #

About Tenable

Tenable®, Inc. is the Cyber Exposure company. Over 30,000 organizations around the globe rely on Tenable to understand and reduce cyber risk. As the creator of Nessus®, Tenable extended its expertise in vulnerabilities to deliver the world’s first platform to see and secure any digital asset on any computing platform. Tenable customers include more than 50 percent of the Fortune 500, more than 30 percent of the Global 2000 and large government agencies. Learn more at www.tenable.com.

Instacart Patches SMS Spoofing Vulnerability Discovered by Tenable Research

May 7, 2020

As grocery delivery services have seen an increase in traffic from users during the coronavirus pandemic, Tenable Research identified an SMS spoofing flaw that could have allowed an attacker to send spoofed messages to any mobile number.


On May 1, Instacart, the popular grocery delivery and pickup service that saw a ten-fold boost in sales growth in March 2020, patched an SMS spoofing vulnerability that could have been exploited by attackers to send malicious links to arbitrary phone numbers by abusing a feature on Instacart’s website. This vulnerability was identified and reported to Instacart by Jimi Sebree, staff engineer with Tenable’s Zero Day Research Team.

Downloading mobile applications via text

Users who visit popular services via a web browser may be prompted to download the mobile application on their device as a more user-friendly alternative. Some websites offer users the option to send themselves a text message with a link to download the application.

On Instacart, after a user has placed an order via the company’s website, they’re directed to a page offering them the ability to “upgrade” their experience using the Instacart mobile app. Users are asked to provide their mobile number to receive a short message service (SMS) message with a link to download the mobile app.

While this feature seems harmless, it is ripe for exploitation. Researchers at Check Point disclosed a similar vulnerability through TikTok’s website earlier this year.


Investigating the vulnerable “request_invite” endpoint

When a user provides their mobile number using this feature on Instacart’s website, a request is made to Instacart’s “request_invite” endpoint.

The request contains parameters such as the warehouse_id and zone_id, which are associated with a store’s ID and regional location. The actual payload of the request includes the phone number entered into the field, as well as a unique link to download the Instacart mobile application.

In analyzing this endpoint, we found that we could re-purpose the existing request to send an SMS to anyone by modifying the phone number and link parameters, and it would appear as though the message originated from Instacart.

Modifying parameters in the request

In this spoofing scenario, the end user receives an SMS message asking them to download the Instacart App from a fake website.

The message sent to users through this form always includes the “Download the Instacart App:” message at the beginning, but the attacker would be able to control the link and any text included after it.

Capturing request information after placing an order

In order to leverage this flaw in the request_invite endpoint, the attacker would need to place an order using the Instacart website first. Once the order has been placed, the attacker will be able to capture the request information, including the required security headers, such as the x-csrf-token and HTTP cookie. These headers are needed in order to replay the modified request back to the vulnerable endpoint.

Unintended mitigation: Session limitation

In our research, we found that this information was valid only for a limited period of time, so an attacker would need to utilize this window of opportunity in order to send their malicious messages. However, they could cancel their existing order and simply place a new order every time they wanted to capture the request from an active session.

SMS messages and the real-world impact of this vulnerability

Exploitation of this vulnerability would allow an attacker to send SMS messages to unsuspecting users, attempting to convince them to install malware or imposter applications onto their mobile device, or direct them to phishing websites designed to steal their credentials. As the attacker can control the URL sent to a victim, they could point to a host under their control and embed code within the target URL to attempt various exploits determined by the user-agent passed by the victim’s web browser.

Unsolicited SMS messages aren’t new, but they create a unique problem for end users as there’s no way to validate the links they’ve received are, in fact, legitimate. This is further complicated by the use of URL shortening services, which ensure attackers can disguise links to malicious websites.


At the time of this writing, there is no evidence that this flaw has been used by malicious actors. However, if exploited, an attacker could have used this vulnerability to distribute malware or attempt phishing campaigns.

Vendor response

Tenable notified Instacart of this vulnerability on April 28. Instacart quickly responded to our disclosure, acknowledging and fixing the issue on May 1.

Tenable reviewed additional endpoints on Instacart’s website and found they functioned as expected, and were not susceptible to tampering like the request_invite endpoint.


As of May 1, this issue has been fixed. Since the flaw was server-side on Instacart’s infrastructure, no updates or actions are required by users of their service.

Instacart’s fix simply removes the link parameter from the request so that it cannot be tampered with.

Despite the lack of the link parameter, the user will still receive a link to download the Instacart mobile application.
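The fix described above can be sketched as a before/after pair. This is an added example, not Instacart's code: the handler names, the strict field allow-list, the E.164 phone check and the placeholder download URL are all assumptions made for illustration.

```python
from __future__ import annotations

import re

# Hypothetical server-side constant; a placeholder, not Instacart's real link.
APP_DOWNLOAD_URL = "https://app.example.invalid/download"
SMS_PREFIX = "Download the Instacart App: "  # fixed prefix described in the post
ALLOWED_FIELDS = {"phone", "warehouse_id", "zone_id"}
E164 = re.compile(r"^\+[1-9]\d{7,14}$")


class RejectedRequest(ValueError):
    """Raised when a request body fails validation."""


def invite_vulnerable(body: dict) -> tuple[str, str]:
    """'Before' behaviour: the SMS text is built from a client-supplied link."""
    return body["phone"], SMS_PREFIX + body["link"]


def invite_fixed(body: dict) -> tuple[str, str]:
    """'After' behaviour: the link is a server constant the client cannot set."""
    # Rejecting unknown fields (rather than silently ignoring them) is a
    # choice made in this example so that tampering attempts show up in logs.
    unexpected = set(body) - ALLOWED_FIELDS
    if unexpected:
        raise RejectedRequest(f"unexpected fields: {sorted(unexpected)}")
    phone = body.get("phone", "")
    if not isinstance(phone, str) or not E164.fullmatch(phone):
        raise RejectedRequest("phone must be in E.164 format")
    return phone, SMS_PREFIX + APP_DOWNLOAD_URL


# Constructed request bodies (not captured traffic).
LEGIT = {"phone": "+15555550100", "warehouse_id": 1, "zone_id": 2}
TAMPERED = dict(LEGIT, link="https://attacker.example.invalid/app")

if __name__ == "__main__":
    print("vulnerable:", invite_vulnerable(TAMPERED))
    print("fixed     :", invite_fixed(LEGIT))
    try:
        invite_fixed(TAMPERED)
    except RejectedRequest as exc:
        print("fixed rejects tampered body:", exc)
```

The message content in the fixed handler depends only on server-held values, so a replayed request with valid session headers can no longer change what the recipient sees.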

Protecting against SMS spoofing vulnerabilities

Other services are likely affected by similar SMS spoofing flaws. Until those services address them, the only recourse end users have is to be wary of unsolicited links sent to their mobile devices, even if they originate from a trusted number for a service they’ve used before.

Critical Vulnerabilities You Need to Find and Fix to Protect the Remote Workforce

April 14, 2020

As uncertain times lead to a shift in how we work, identifying, prioritizing and addressing critical flaws that have been exploited in the wild is paramount.

We recently shared some insights into how the worldwide response to COVID-19 has expanded the attack surface for businesses. These insights, shaped by our own research and open-source intelligence, provide a glimpse into some of the key areas organizations need to address given the dynamics of a changing workforce.

With tens of thousands of vulnerabilities being discovered each year, homing in on the highest-risk issues is key.

The state of CVSS

The Common Vulnerability Scoring System (CVSS) is an industry-standard system used to provide valuable insight into the scope and severity of vulnerabilities. CVSS scores are typically defined at the time they are generated for a CVE. However, they don’t always account for changes to the impact of a vulnerability until much later.

For example, a vulnerability in the Pulse Connect Secure Secure Socket Layer (SSL) Virtual Private Network (VPN), identified as CVE-2019-11510, was originally assigned a CVSS score of 8.8 on May 9, 2019, resulting in the flaw being categorized as a high-severity vulnerability. However, despite the availability of a proof of concept for the vulnerability on August 21, 2019, the CVSS score was not updated to reflect the critical nature of the flaw until a month later on September 20, 2019.

Similarly, a vulnerability in the FortiGuard SSL VPN, identified as CVE-2018-13379, initially received a CVSS score of 7.5 on June 5, 2019. However, its CVSS score was not updated until September 19, 2019, one month after research about the flaw became publicly available on August 9 and after the external attempts to identify the vulnerability in the wild, along with CVE-2019-11510, on August 22.

CVSS scores are a useful indicator of a vulnerability’s severity and should not be disregarded, but relying solely upon them to prioritize vulnerabilities for remediation can at times be problematic.

Prioritize patching these vulnerabilities

Through Tenable’s Predictive Prioritization, vulnerabilities are given a Vulnerability Priority Rating (VPR) that not only factors in CVSS, but also leverages a machine learning algorithm coupled with threat intelligence to prioritize vulnerabilities. To aid in protecting the expanding attack surface, we are providing the following list of the vulnerabilities our team and the data science team have identified as the most critical for organizations to patch along with their VPR.

Facilitating remote work

SSL VPN software like Pulse Connect Secure, FortiGate, GlobalProtect and Citrix Application Delivery Controller and Gateway is used by organizations to provide secure access to a company’s network. Several vulnerabilities have been discovered in these applications and they’ve been exploited in the wild by threat actors. Therefore, it is increasingly important that organizations using any of these SSL VPNs ensure they’ve been appropriately patched.

Additionally, Remote Desktop Services enables individuals to virtually connect to machines within the company’s environment as if they were physically present in front of the system. CVE-2019-0708, a remote code execution vulnerability in Remote Desktop Services, dubbed “BlueKeep,” is another flaw that received considerable attention because of its potential to facilitate the next “WannaCry” attacks. While such attacks never came to fruition, reports did emerge that it had been exploited in the wild several months later. However, Remote Desktop in and of itself is an area organizations should be routinely monitoring for exploitation attempts as well as identifying exposed RDP targets.

| CVE | Product | CVSS v3.x | VPR* | Threat Intensity |
| --- | --- | --- | --- | --- |
| CVE-2019-11510 | Pulse Connect Secure | 10 | 10 | Very High |
| CVE-2018-13379 | FortiGate SSL VPN | 9.8 | 9.6 | Very High |
| CVE-2019-1579 | Palo Alto Networks GlobalProtect | 8.1 | 9.4 | High |
| CVE-2019-19781 | Citrix Application Delivery Controller and Gateway | 9.8 | 9.9 | Very High |
| CVE-2019-0708 | Remote Desktop Services | 9.8 | 9.9 | Very High |

*Please note Tenable VPR scores are calculated nightly. This blog post was published on April 13 and reflects VPR at that time.

Vulnerabilities used in malicious emails and exploit kits

As cybercriminals seized on COVID-19 fears, one of the most popular vulnerabilities leveraged in malicious documents is CVE-2017-11882, a stack overflow vulnerability in the Equation Editor component of Microsoft Office. It has been a fixture in malicious email campaigns for years, and will remain one of the common tools in the toolbox for threat actors.

Another tool in the threat actor arsenal is the use of exploit kits, software designed by cybercriminals to fingerprint the presence of popular software applications on a victim’s machine and select the most appropriate vulnerability to exploit. While vulnerabilities in Adobe Flash Player, such as CVE-2018-15982 and CVE-2018-4878, have been a staple in several exploit kits, the pending end-of-life for Adobe Flash Player coupled with the shift toward HTML5 has forced some exploit kits to drop Flash Player vulnerabilities entirely and search for other vulnerabilities to utilize instead. CVE-2018-8174, a use-after-free vulnerability in the VBScript Engine, dubbed “Double Kill” by researchers because it corrupts two memory objects, is one such vulnerability that has become favored in exploit kits.

| CVE | Product | CVSS v3.x | VPR* | Threat Intensity |
| --- | --- | --- | --- | --- |
| CVE-2017-11882 | Microsoft Office | 7.8 | 9.9 | Very High |
| CVE-2018-15982 | Adobe Flash Player | 9.8 | 9.9 | Very High |
| CVE-2018-8174 | Internet Explorer (VBScript Engine) | 7.5 | 9.9 | Very High |
| CVE-2018-4878 | Adobe Flash Player | 7.5 | 9.8 | Very High |
| CVE-2017-0199 | Microsoft Office | 7.8 | 9.9 | Very High |

*Please note Tenable VPR scores are calculated nightly. This blog post was published on April 13 and reflects VPR scores at that time.

Other vulnerabilities exploited in the wild

For organizations using certain versions of Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, it is important to patch CVE-2018-0296, a denial-of-service flaw in the web interface of these devices, causing unexpected reloads. Cisco cautions that certain vulnerable versions of ASA won’t reload, but an unauthenticated attacker could view sensitive system information on the device. At the end of 2019, reports emerged that exploitation attempts for this vulnerability had spiked.

Additionally, CVE-2019-0604, an improper input validation vulnerability in Microsoft SharePoint, the popular collaboration platform used for document storage and management, has been exploited in the wild since May 2019. Initially, this flaw was given a CVSSv3 score of 7.8. It was revised in June 2019 to an 8.8, and updated again in December 2019 to 9.8. If your organization uses Microsoft SharePoint, it is critical that this flaw gets patched.

| CVE | Product | CVSS v3.x | VPR* | Threat Intensity |
| --- | --- | --- | --- | --- |
| CVE-2018-0296 | Cisco ASA and Firepower | 7.5 | 8.8 | Very Low |
| CVE-2019-0604 | Microsoft SharePoint | 9.8 | 9.4 | Low |

*Please note Tenable VPR scores are calculated nightly. This blog post was published on April 13 and reflects VPR scores at that time.

Navigating through a sea of uncertainty

With all the changes to how we work during these uncertain times, organizations need to understand how the attack surface shifts and how best to respond. Knowledge is power, both in understanding your risk by knowing what assets you have in your environment, but also the insights to make risk-based decisions. Implementing a risk-based vulnerability management program within your organization can help you navigate through these uncharted waters.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities can be found here.

Zoom Patches Multiple Flaws and Responds to Security and Privacy Concerns

April 6, 2020

The increased remote working footprint and reliance on Zoom has led to a wave of mischief makers dropping in uninvited on insecure Zoom meetings to play offensive material, such as pornography, via Zoom’s screen-sharing feature. They’re also verbally insulting and threatening meeting participants using profane or racist language. These acts, dubbed “Zoom-bombing,” have steadily increased over the last few months. In addition, Zoom also received scrutiny from the security community concerning the data collection and privacy implications of using the application.

Following these mounting security concerns, Zoom released version 4.6.9 of its Windows and macOS clients to address several of the flaws reported over the last few weeks. Eric Yuan, Zoom’s Chief Executive Officer, published a blog talking about several of the privacy and security issues that were raised about Zoom over the last several weeks and how they’ve addressed them.

In a full analysis by Tenable, the company proposes the following solution:

  • When creating Zoom meeting rooms, do not make them public.
  • When configuring a meeting, opt for Zoom to create a randomly generated ID, rather than checking the personal meeting ID option.
  • Set meetings to private and be sure to require a password.
  • Also, disable the join before host option to prevent potential trouble before hosts arrive at the meeting, assign a co-host to help moderate the meeting and enable the Waiting Room to view attendees before the meeting commences.

Additional precautions include disabling the “allow removed participants to rejoin” and file transfer options.

Font Parsing Remote Code Execution Vulnerabilities Exploited in the Wild

March 26, 2020

On March 23, Microsoft released an advisory for two vulnerabilities in Adobe Type Manager (ATM) Library, an integrated PostScript font library found in all versions of Windows. Although the name of the ATM library came from an Adobe-developed tool, ATM Light, Microsoft included native support for the ATM fonts with the release of Windows Vista in 2007. These vulnerabilities, therefore, exist within Windows’ native integration for support of PostScript fonts.

Exploitation of these vulnerabilities could lead an attacker to gain code execution on a vulnerable machine after a user on that machine opens a specially crafted document or views that document in the Windows Preview pane.

Microsoft’s advisory reports that due to active exploitation of un-patched vulnerabilities in the Adobe Type Manager Library, Windows users are urged to apply Microsoft’s suggested workarounds to reduce risk until a proper fix can be made available in April’s Patch Tuesday.

Tenable provides a full analysis here.
