All Posts

1509 posts

Automated and Scalable Audit Workflows with Qualys Security Assessment Questionnaire

Risk and compliance management is a multi-faceted domain with concentrated endeavors towards reducing unacceptable risk potential that could disrupt business, or otherwise negatively impact business performance. IT GRC (Governance, Risk and Compliance) comprises many tasks related to business and IT across an entire enterprise. The compliance laws and requirements are put in place to not only protect your business, but also your customers.

The Qualys Cloud Platform, with its expansive solutions, helps you to conform to various regulatory mandates such as HIPAA, SOX, PCI-DSS, Sarbanes-Oxley and so on.

Continue reading …

Microsoft Windows SMBv3 Remote Code Execution Vulnerability (CVE-2020-0796)

This month’s Patch Tuesday, Microsoft disclosed a remote code execution vulnerability in SMB 3.1.1 (v3) protocol. Even though initial release of the Patch Tuesday did not mention this vulnerability, details of the issue (CVE-2020-0796) were published accidentally on another security vendor’s blog. Microsoft published security advisory ADV200005  and technical guidance soon after the accidental disclosure of the vulnerability.

UPDATE March 12, 2020: Microsoft updated ADV200005 to include CVE-2020-0796 and released patches for affected Windows systems.

Continue reading …

Detect Apache Tomcat AJP File Inclusion Vulnerability (CVE-2020-1938) using Qualys WAS

As previously reported, a severe vulnerability exists in Apache Tomcat’s Apache JServ Protocol. The Chinese cyber security company Chaitin Tech discovered the vulnerability, named “Ghostcat”, which is tracked using CVE-2020-1938 and rated critical severity with a CVSS v3 score of 9.8.

This blog post details how web application security teams can detect this vulnerability using Qualys Web Application Scanning (WAS). This new Qualys WAS detection complements the detection that uses Qualys VMDR®.

Continue reading …

March 2020 Patch Tuesday – 115 Vulns, 26 Critical, Microsoft Word and Workstation Patches

This month’s Microsoft Patch Tuesday addresses 115 vulnerabilities with 26 of them labeled as Critical. Of the 26 Critical vulns, 17 are for browser and scripting engines, 4 are for Media Foundation, 2 are for GDI+ and the remaining 3 are for LNK files, Microsoft Word and Dynamics Business. Microsoft also issued a patch for an RCE in Microsoft Word. Adobe has not posted any patches for Patch Tuesday.

On the basis of volume and severity this Patch Tuesday is heavy in weight.

See details of the new detections, including description, consequence and solution.

Continue reading …

Policy Compliance Library Updates, March 2020

Qualys’ library of built-in policies makes it easy to comply with the security standards and regulations that are most commonly used and adhered to. Qualys provides a wide range of policies, including many that have been certified by CIS as well as the ones based on security guidelines from OS and application vendors and other industry best practices.

In order to keep up with the latest changes in security control requirements and new technologies, Qualys publishes new content to the Policy Library every month.

The March release introduces 3 CIS Benchmark policies, 6 DISA STIG policies, and provides updates to several existing policies in the Qualys Content Library.

Qualys’ Certification Page at CIS has been updated.

Continue reading …

Identifying Let’s Encrypt Revoked Certificates

Let’s Encrypt is a free, automated, open certificate authority (CA) run for the public’s benefit as a service from the Internet Security Research Group (ISRG). It provides free digital certificates to enable HTTPS (SSL/TLS) for websites via user-friendly means.

Earlier this week, Let’s Encrypt announced that a bug in its validation code forced it to revoke more than 3 million certificates. The bug allowed subscribers (under specific circumstances and for a limited period) to issue certificates to a domain name even after the domain name holder explicitly prohibited the issuance of certificates through the use of DNS CAA.

This blog explains the implications of the incident. It provides details on the impact it can have on organizations utilizing Let’s Encrypt revoked certificates. It outlines steps for remediation and provides a link to Qualys CertView, a free tool that can be used to identify all affected certificates in users’ environments.

Continue reading …

Qualys Cloud Platform 2.44 New Features

This release of the Qualys Cloud Platform version 2.44 includes updates and new features for Cloud Agent and Web Application Scanning, highlights as follows.

Continue reading …

Automatically Discover, Prioritize and Remediate Apache Tomcat AJP File Inclusion Vulnerability (CVE-2020-1938) using Qualys VMDR

A severe vulnerability exists in Apache Tomcat’s Apache JServ Protocol. The Chinese cyber security company Chaitin Tech discovered the vulnerability, which is named “Ghostcat” and is tracked using CVE-2020-1938The security issue has received a critical severity rating score of 9.8 based on CVSS v3 Scoring system. 

Vulnerability Details:
Due to a file inclusion defect in the AJP service (port 8009) that is enabled by default in Tomcat, an attacker can construct a malicious request package for file inclusion operation, and then read the web directory file on the affected Tomcat server. If the system allows users to upload files, an attacker can upload malicious code to the server, and gain the ability to perform remote code execution.

Continue reading …

Policy Compliance Library Updates, February 2020

Qualys’ library of built-in policies makes it easy to comply with the security standards and regulations that are most commonly used and adhered to. Qualys provides a wide range of policies, including many that have been certified by CIS as well as the ones based on security guidelines from OS and application vendors and other industry best practices.

In order to keep up with the latest changes in security control requirements and new technologies, Qualys publishes new content to the Policy Library every month.

The February release includes 8 CIS Benchmark policies, 4 Qualys Security Configuration and Compliance policies, and 1 mandate [MARS-Ev2] policy. Apart from adding a new technology support, it also provides updates to several existing policies in the Qualys Content Library.

Qualys’ Certification Page at CIS at CIS has been updated.

Continue reading …

Detections Released for ESU Updates on EOL Windows 7, 2008 and 2008 R2

For the February 2020 Patch Tuesday, Microsoft released security updates for Windows 7, 2008 and 2008 R2 systems which are already end of life. Qualys released Patch Tuesday detections (QIDs) which check for these new ESU patches as well.

Update: Qualys released IG QID 45424 to identify the presence of ESU on Windows 7, 2008/R2 systems.

Continue reading …