Would you buy a cellphone with a hardcoded password? Definitely not. I wouldn’t either.
But as is sometimes the case with non-mass-market devices, security can be overlooked in favor of convenience, even if in retrospect it’s clearly a mistake to do so. Fortunately, this story has a happy ending, thanks to responsible disclosure and quick vendor response.
Cross-Site Request Forgery (CSRF) is an attack that tricks the victim’s browser into executing malicious requests designed by the attacker. A successful CSRF attack can force the victim’s browser to perform state-changing requests like transferring funds or changing his email address. Clearly these are attacks that need to be prevented.
Black Hat USA 2014 is one of the most widely attended security conferences of the year and this year there were a number of interesting briefings on a variety of topics such as automotive attack surfaces, POS malware, cloudbots and more. Qualys presented two pieces of research surrounding TSA vulnerabilities as well as hacking physical devices such as keyless cars and home alarm systems.
Qualys announced today that it has received the Frost & Sullivan Global Market Leadership Award in Vulnerability Management for the third consecutive year. The award is based on independent analysis of the global vulnerability management market, including in-depth interviews with customers, partners and vendors.
“Ultimately, vulnerability management solutions must become as dynamic as the threat environment that they are designed to protect against,” stated Chris Kissel, industry analyst for Frost & Sullivan, in the report. He continued, “Qualys maintains its market leadership because of its strong technology cloud platform, ability to scale, and ease of use and deployment. Also, the company has successfully shown that it can rapidly innovate and deliver new capabilities suitable for customers of all sizes across vertical industries. This adaptability has allowed Qualys to consistently stay ahead in the innovation curve.”
Read the full report or the news release.
Last week, the PostgreSQL Project advised its users of an upcoming security patch for a critical security vulnerability in their database server software. All currently supported versions are affected and the patch will be released on Thursday, April 4th. To our knowledge this is the first time that an Open Source project has pre announced a vulnerability and upcoming patch. We expect the release to fix a Remote Code Execution vulnerability in this popular database engine and recommend all PostgreSQL users to upgrade to a secure version as soon as possible, especially if your database server is connected directly to the Internet. The Shodan search engine currently lists over 30,000 systems that have an accessible PostgreSQL server on the Internet.
Underscoring the severity of the vulnerability is an announcement by Heroku, a popular cloud application platform, that has started forcibly upgrading all of customers’ PostgreSQL installations with the patch.
We will update this post as soon as more information becomes available.
Qualys today announced that for the sixth time, readers of SC Magazine have named QualysGuard Vulnerability Management “Best Vulnerability Management Tool." The award was presented on February 26, 2013 at the SC Awards Gala in San Francisco.
“Our readers are on the front lines of information security, and they have recognized QualysGuard Vulnerability Management as a key tool for securing their organizations,” said Illena Armstrong, VP of editorial, SCMagazine. “Without leaders in innovation like Qualys, we would not be able to plan for the future of enterprise security.”
The SC Awards, now in its 16th year, is the premier recognition for IT security professionals and products that fend off the myriad security threats in today’s corporate world. The annual awards showcase the best solutions, services and professionals while recognizing achievement and technical excellence. QualysGuard Vulnerability Management was selected by a panel representing a cross-section of SC Magazine readership, comprised of large, medium and small enterprises from all major vertical markets, including financial services, health care, government, retail, education and other sectors. Read the full announcement.
With QualysGuard 7.8, customers can now create new Vulnerability Scorecard Reports and set remediation goals to measure and monitor the performance of the teams in charge of fixing vulnerabilities in their companies. Enhancements to the Vulnerability Scorecard Reports will help security professionals better monitor the progress of their vulnerability remediation process.
In addition, Dynamic Asset Tagging and Management, which automatically identifies, categorizes and manages large numbers of assets in highly dynamic IT environments, is now integrated with Vulnerability Scorecard Reports. This integration gives security managers and executives always up-to-date reports that measure the number of vulnerable hosts per business unit against a list of vulnerabilities that represent the most important security risks.
These reports also display the groups of assets, or business units, that are meeting their goals in term of fixing these vulnerabilities. Furthermore, Vulnerability Scorecard Reports provide additional vulnerability management metrics and statistics, giving managers and unit managers more visibility into the efficiency of fixing critical and important vulnerabilities that expose their business to IT risks.
The Vulnerability Scorecard Reports offer these new capabilities:
The popular Ruby on Rails (Rails) web application framework has a vulnerability (CVE-2013-0156) in the parsing of XML parameters that allows an attacker to reach code execution on the webserver that runs the Ruby on Rails framework. Attackers are able to bypass authentication, inject and execute SQL or programming code, and can extract data and or gain control over the web application. All Rails applications in general are susceptible to the attack as XML parameter parsing is on by default. There is risk for the businesses running on Rails and more generically the potential for widespread, automated infections.
Exploits are publicly available and are already been integrated into vulnerability testing frameworks such as Metasploit. It underscores the fact that this vulnerability is easy to attack and should be treated as an high priority threat.
If an organization runs an application under the Rails framework, there are two primary risks:
Organizations should not only check on internal applications but also on third party applications that they run and see if they are developed in Rails and if a patch is available. Because Rails is such a popular framework it is quite possible that external applications (think SaaS as for example) are also impacted.
Organizations that have vulnerable installations have a number of choices. The primary option is to upgrade to the latest version of Rails 3.2.11 which addresses this vulnerability. However, there have been some reports of application problems (JSON arrays in particular) introduced by the new version, so one needs to make sure that all aspects of the application continue to function as expected. Application owners that cannot upgrade directly because they run on an older version of Rails (i.e. V2.3, v3.0, V3.1) can apply a patch that has been made available by the Rails team. If the application owner can neither upgrade or patch, the application itself can be hardened to prohibit XML parameters at all, or at least prohibit the parameter conversions that have caused the particular problem (YAML and Symbol), Instruction on how to configure the application are available in the Rails advisory for the vulnerability.
Even organizations that patch their infrastructure might evaluate to implement the hardening of the application in any case. Parsing of XML is notoriously difficult (see the recent MS12-002 for example) and if the application can safely function without that capability it is a good defensive measure to eliminate it.
Qualys detects the vulnerability as QID 12639 – Ruby on Rails Action Pack Multiple Vulnerabilities. We suggest that you scan your entire external perimeter and internal webservers to pinpoint your vulnerable assets.
It’s good to share.
Qualys is a firm believer in the tremendous benefits of sharing information to improve information security. Over the past year, we’ve demonstrated our commitment to industry collaboration with many projects, including the creation of the Ironbee Open Source project, our support of Convergence, and our work with StopBadware. I’m happy to announce today that Risk I/O has joined the community of our partners in sharing.
Risk I/O provides a centralized portal for vulnerability information, reporting, and remediation management. By utilizing the QualysGuard API, Risk I/O makes it easy to get an accurate and up-to-the-minute assessment of your vulnerabilites and share that information using concise charts and reports, improving efficiency and performance of vulnerability management programs. Tickets can be assigned to drive remediation work, and QualysGuard verification scans can be automatically launched to close the loop on remediation activities. Risk I/O can even aggregate QualysGuard results with other standards-based tools in your environment to multiply the value of your data. Since both QualysGuard and Risk I/O are cloud-based solutions, getting started is as easy as signing up for a free trial account. You can read more about the Qualys and Risk I/O partnership on the Risk I/O blog.
We’re excited to work with Risk I/O to help you perform better vulnerability management. Please share your experiences with us; we would love to hear your feedback so we can continue to improve our products and integrations!