All Posts


Microsoft Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601) – How to Detect and Remediate

Update January 31, 2020: Client testing is now available at clienttest.ssllabs.com.

Update January 15, 2020: Detection dashboard now available.

Today, Microsoft released a patch for CVE-2020-0601, aka Curveball, a vulnerability in the Windows “crypt32.dll” component that could allow attackers to perform spoofing attacks. It was discovered and reported by National Security Agency (NSA) researchers. The vulnerability affects Windows 10 and Windows Server 2016/2019 systems.

This is a serious vulnerability and patches should be applied immediately. An attacker could exploit this vulnerability by using a spoofed code-signing certificate, so that malware you download and install appears to be something legitimate, such as a software update, because of the spoofed digital signature. Examples where validation of trust may be impacted include:

  • HTTPS connections
  • Signed files and emails
  • Signed executable code launched as user-mode processes

Exploits/PoC:

There are no reports of active exploitation, and no PoC is publicly available at this time. However, per the NSA advisory, “Remote exploitation tools will likely be made quickly and widely available.”


Citrix ADC and Gateway Remote Code Execution Vulnerability (CVE-2019-19781)

Update January 17, 2020: A new detection in Qualys Web Application Scanning was added. See “Detecting with Qualys WAS” below.

Citrix released a security advisory (CVE-2019-19781) for a remote code execution vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway products. The vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the system. Once exploited, remote attackers could obtain access to private network resources without requiring authentication.

During the week of January 13, attacks on Citrix appliances intensified. Because of the active attacks and the ease of exploitation, organizations are advised to pay close attention.


Qualys Training Update, April 2019

The Qualys Training team has expanded the AssetView & Threat Protection course, and added two new training series: CertView and Troubleshooting Scanner Appliance Error Codes.

These new additions build on last month’s update, when we introduced the new Vulnerability Management learning path, which takes you from the fundamentals through advanced topics, and ensures you have a complete foundation in Qualys technology.

The Qualys Training team brings you these updates to help you learn quickly how to get the most value from your Qualys subscription. Read on for more detail on what’s new this month.


Qualys Cloud Platform 2.28 New Features

This release of the Qualys Cloud Platform, version 2.28, includes updates and new features for Cloud Agent, AssetView, Threat Protection, Security Assessment Questionnaire and Web Application Scanning. Highlights are as follows:


BAI Security Eyes Threat Prioritization as Competitive Differentiator

BAI Security, a nationally recognized security consultancy specializing in highly regulated industries, sees a big opportunity to further differentiate itself: threat prioritization.

Helping its customers pinpoint which vulnerabilities they must remediate right away is a natural expansion of the security auditing and compliance services it provides, such as breach risk, compromise and comprehensive IT security assessments.

“A lot of our competitors are just providing the vulnerability details without a lot of prioritization based on real world exploit activity,” says Michael Bruck, President and CTO of BAI Security.

At best, many security consultancies offer rudimentary prioritization analysis that, while better than nothing, still leaves customers with a lot of manual risk analysis on their hands. “So many organizations have dozens if not hundreds or thousands of ‘level 4’ and ‘level 5’ vulnerabilities,” Bruck says. “For IT departments with limited resources, tackling that is a huge challenge.”


Qualys Cloud Platform 2.17 New Features

Qualys Cloud Platform release 2.17 includes updates and new features for:

  • AssetView (version 2.17.0)
  • Cloud Agent Platform (version 1.8.0)
  • Continuous Monitoring (version 1.16.0)
  • Security Assessment Questionnaire (version 2.2.0)


So Many Vulnerabilities, So Little Time: Threat Protection Identifies the Assets You Must Patch Now

If you are an information security professional, you’ve probably experienced vulnerability disclosure overload. We’re referring to that acute sense of feeling burdened that can afflict even the best infosec teams. This ailment strikes when infosec pros grapple with the constant release of vulnerability announcements, amounting to thousands per year.
