Archive for horizon3.ai

Horizon3.ai Appoints Jill Passalacqua as Chief Legal Officer

Posted in Commentary with tags on June 12, 2024 by itnerd

Horizon3.ai, a leading provider of autonomous security solutions, today announced the appointment of Jill Passalacqua as Chief Legal Officer (CLO), effective immediately. 

As Chief Legal Officer, Jill leads Horizon3.ai’s legal department, bringing extensive experience in advising prominent public and private technology companies. Her expertise is crucial for Horizon3.ai during its rapid growth phase, driven by the global adoption of its autonomous penetration testing solution, NodeZero™. This solution empowers IT teams, security professionals, consulting pentesters, medium and large enterprises, and MSSPs to continuously perform autonomous cyber risk assessments for themselves and their clients.

Before joining Horizon3.ai, Jill was the Chief Legal Officer at JumpCloud, where she played a pivotal role in shaping the company’s legal framework. She also held General Counsel positions at Harness and Avi Networks where she led the corporate legal strategy and operations, and facilitated substantial growth, including a successful acquisition by VMware. 

Before Avi Networks, Jill was at FireEye, where she managed the commercial team, built the global compliance and legal operations functions, and managed international expansion and M&A integration. Prior to FireEye, Jill spent 12 years at NetApp and was a key contributor to the growth and expansion of the legal department. She was responsible for corporate securities, public company reporting and compliance, commercial contracts, and building the company-wide commercial legal team. 

Jill serves on the board of directors of the Palisades Tahoe Community Foundation and has offered invaluable guidance as an advisor to several early-stage technology companies. Jill received her B.A. from the University of California, Los Angeles and her J.D. (Juris Doctor) from Santa Clara University.

Horizon3.ai Revisits Fortinet FortiClient EMS to Exploit 7.2.X (CVE-2023-48788)

Posted in Commentary with tags on June 5, 2024 by itnerd

The Horizon3.ai Attack Research team has just published “CVE-2023-48788: Revisiting Fortinet FortiClient EMS to Exploit 7.2.X” which discusses the differences in exploitation between FortiClient EMS’s two mainline versions: 7.0.x and 7.2.x. Today’s post updates an SQL injection exploit analysis for Fortinet FortiClient EMS.   

Horizon3.ai Senior N-Day Vulnerability Researcher Luke Harding details the exploitation obstacles and payload crafting that differ between the two mainline versions of the software. It is an update to Horizon3.ai’s March 21, 2024 post “CVE-2023-48788: Fortinet FortiClient EMS SQL Injection Deep Dive” and its POC, which, as it turned out, only worked on 7.0.x versions.

Harding notes “When writing exploits for different versions of vulnerable software, the differences in the exploit are usually small, such as different offsets, renamed parameters, or changed endpoints. Exploitation of the 7.2.x attack path for CVE-2023-48788 was an interesting challenge, because the core vulnerability and endpoint being attacked were the same, but the code path traversed was largely different.”

Harding walks through the updated exploit in the post, which is online now.

Horizon3.ai Expands Leadership Team with New Appointments

Posted in Commentary with tags on May 21, 2024 by itnerd

Horizon3.ai, a leader in autonomous security solutions, is pleased to announce the appointments of Erick Dean as Vice President of Product Management and Drew Mullen as Vice President of Revenue Operations. These key executive hires add to the management team Horizon3.ai continues to build as it fuels significant growth.

Erick Dean leverages over 20 years of product development experience, where he has demonstrated a consistent ability to develop effective product strategies and foster growth in both startups and large organizations.  Known for being an accomplished product management leader, Dean will specialize in assembling and guiding a high-performance team across the domains of product management and UX design to further accelerate the capabilities of Horizon3.ai’s flagship product, NodeZero. He has a well-established record of crafting go-to-market strategies and successfully launching early-stage hardware and cloud products, and is passionate about building innovative products that leverage analytics and ML to improve everyday experiences.

Drew Mullen brings over 15 years of experience in sales management, operations, enablement, and strategy. Known for his proven track record in driving revenue growth, optimizing resource allocation, and enhancing sales performance, he will effectively support go-to-market strategies and operations throughout the entire customer lifecycle, from demand generation to customer acquisition. Passionate about cybersecurity, Mullen possesses a deep understanding of market dynamics, customer needs, and the competitive landscape. He leverages his analytical, communication, and leadership skills to align and empower cross-functional teams, deliver executive-level insights and presentations, and champion process improvements and best practices.

Dean and Mullen share a profound passion for Horizon3.ai’s NodeZero platform and the critical issues it addresses for both public and private entities. Both view their involvement with the company as a once-in-a-career opportunity. They are eager to contribute to the scaling of the go-to-market (GTM) motion and the organization, as the company aims to achieve new milestones in the cybersecurity industry.

Horizon3.ai Publishes Fortinet FortiSIEM Command Injection Deep-Dive & Exploit POC 

Posted in Commentary with tags on May 20, 2024 by itnerd

Horizon3.ai Chief Attack Engineer Zach Hanley and the Horizon3.ai Red Team have just published “CVE-2023-34992: Fortinet FortiSIEM Command Injection Deep-Dive”, with indicators of compromise and a link to the team’s proof-of-concept exploit on GitHub, which blindly executes commands as root on vulnerable FortiSIEM appliances.

Hanley said: “Several issues were discovered during this audit that ultimately led to unauthenticated remote code execution in the context of the root user. The vulnerabilities were assigned CVE-2023-34992 with a CVSS3.0 score of 10.0 given that the access allowed reading of secrets for integrated systems, allowing for pivoting into those systems.”

FortiSIEM is Fortinet’s security information and event management (SIEM) solution with user and entity behavior analytics (UEBA), offering the functionality typical of SIEM products such as log collection, correlation, automated response, and remediation. It supports deployments ranging from a standalone appliance to scaled-out architectures for enterprises and MSPs.

Horizon3.ai Announces Matt Hartley As CRO

Posted in Commentary with tags on May 2, 2024 by itnerd

Horizon3.ai today announced the appointment of Matt Hartley as Chief Revenue Officer (CRO), effective immediately. With a robust background in sales and cybersecurity, he joins at a crucial phase to help drive the company’s global expansion and reinforce its market leadership in autonomous security solutions.

Hartley brings over 20 years of sales and operations excellence with a proven track record of building go-to-market (GTM) teams that achieve rapid scale and predictability across the revenue lifecycle. He is passionate about helping customers leverage technology to generate demonstrable business value, and his experience in cybersecurity and managing sales organizations in mid-stage companies is unmatched.

Matt joins Horizon3.ai during a period of rapid expansion, driven by its pioneering role as the premier provider of autonomous penetration testing solutions. This innovation empowers IT, cybersecurity, and Managed Security Service Providers (MSSPs) to minimize security risks effortlessly and continuously. NodeZero™ assists in identifying exploitable vulnerabilities, provides precise recommendations for prioritizing and addressing these issues, and facilitates immediate validation of the effectiveness of their remedies.

Driven by its consistent revenue growth, Horizon3.ai is actively increasing its workforce in all areas, including additional key leadership roles. The company expressed sincere thanks to Bob Cariddi, the former CRO, who led all GTM initiatives through this tremendous growth period before moving on to a key advisory role within the company.

Hartley’s appointment continues his track record of leading growth at companies whose solutions are widely adopted by Fortune 1000 organizations and targeted sectors. Prior to joining Horizon3.ai, Matt served as the Chief Revenue Officer at HYPR, a leader in phishing-resistant authentication, and at iboss, a company focused on SASE/SSE. Before iboss, he was a sales leader at Forescout, where he built their US Federal unit and later scaled the business as the VP of Americas Sales. Earlier, he was General Manager at Optio Labs, head of Federal sales at MobileIron, and held regional sales positions at various technology companies.

Today Is World Password Day

Posted in Commentary with tags on May 2, 2024 by itnerd

World Password Day is today. It started as a sort of Valentine’s Day (i.e., a completely made-up day) to remind everyone to pay extra close attention to log-ins so as not to fall prey to bad actors. Nowadays, the day just seems like more of a reminder of how hackable we all are.

Below are the thoughts of some industry experts on World Password Day:

Ted Miracco, CEO, Approov

https://www.linkedin.com/in/tedmiracco

“Despite the availability of more secure methods, too many systems still rely solely on passwords for protection. This makes them vulnerable to textbook attacks such as phishing, keylogging, and credential stuffing. Combining mobile attestation with token-based API access presents a more robust and user-friendly alternative to traditional password-based authentication, particularly in mobile environments. By shifting the security focus from something the user knows (password) to something the user has (a secure device) and something the user can access (a token), the security model becomes inherently multi-factor, without the added friction typically associated with 2FA methods. This approach effectively addresses both security and usability, which are critical for mobile device interactions and the protection of sensitive data in mobile applications.”

Craig Harber, Security Evangelist: Open Systems

https://www.linkedin.com/in/craig-harber-531883188/

“Strong passwords are essential but cannot be a standalone defense mechanism to deter threat actors. The optimal length for a password depends on various factors, but security experts generally agree that a longer password is more secure. However, if the passwords are too long and too complex, users will write them down, defeating the purpose. Strong passwords must be paired with Multi-Factor Authentication (MFA) to provide a significant hurdle to stop threat actors. 

“So, as we celebrate another World Password Day, it’s important to remember that without a unique, random, and complex password acting as the first line of defense, the additional protection of MFA is weakened.”

Albert Martinek, cyber threat intelligence analyst, Horizon3.ai

https://www.linkedin.com/in/albert-martinek-6267aa227/

“As the trend remains from last year, cyber threat actors don’t typically use sophisticated hacking tools and techniques like zero-day exploits to gain access to a network; they simply log in with legitimate user credentials. Once they gain initial access, threat actors then appear as legitimate users and can move laterally within a network to gain further access and establish persistence, steal sensitive data, bring down systems, and/or hold the organization hostage through ransomware.

“To help harden organizational systems and networks, as well as your personal accounts, implementing strong password policies is key. This includes sophistication and length requirements as described in the latest recommendations from NIST Special Publication 800-63B, to include: 12 characters or more; no passwords matching the list of known breached passwords; no passwords derived from dictionary terms, contextual terms (company name, product names, etc.), or user information (first name, username, DOB, etc.); and uniqueness.”
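The policy points in the quote above, as an added Python example that is not part of the original post or of any quoted expert’s material: a checker that reports which of the listed requirements a candidate password violates. The breached-password set, dictionary, contextual terms and user record are constructed stand-ins, and “uniqueness” is read here as not reusing one of the account’s previous passwords.

```python
"""Password-policy checker for the NIST SP 800-63B points listed above.

Added example (constructed, not from the original post): the breached-password
set, dictionary, contextual terms and user record are small inline stand-ins
for the feeds a real deployment would use.
"""
from datetime import date

MIN_LENGTH = 12
# Constructed stand-in for a breached-password feed; real feeds hold millions of
# entries and are usually queried by hash rather than held as plaintext.
BREACHED = {"password123", "qwerty123456", "letmein12345"}
# Constructed stand-in for a dictionary-word list.
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey"}
# Constructed contextual terms: company and product names.
CONTEXT_TERMS = {"horizon3", "nodezero", "acme"}


def _normalize(text: str) -> str:
    """Lowercase and drop separators so 'Node-Zero_2024' still matches 'nodezero'."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def sample_user() -> dict:
    """Constructed user record used by the demo below."""
    return {"username": "jdoe", "first_name": "Jane", "dob": date(1990, 4, 12)}


def check_password(candidate: str, user: dict, previous: list) -> list:
    """Return the list of policy violations; an empty list means acceptable.

    user: record with 'username', 'first_name' and 'dob' (a date).
    previous: the account's earlier passwords, used for the uniqueness check
    (held in plaintext here only to keep the example short).
    """
    violations = []
    norm = _normalize(candidate)

    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in BREACHED:
        violations.append("appears in the known breached-password list")
    for word in sorted(DICTIONARY):
        if word in norm:
            violations.append(f"derived from dictionary term '{word}'")
    for term in sorted(CONTEXT_TERMS):
        if term in norm:
            violations.append(f"contains contextual term '{term}'")

    dob = user["dob"]
    personal = [
        ("username", _normalize(user["username"])),
        ("first name", _normalize(user["first_name"])),
        ("date of birth", dob.strftime("%Y%m%d")),
        ("date of birth", dob.strftime("%d%m%Y")),
        ("birth year", str(dob.year)),
    ]
    for label, value in personal:
        msg = f"contains user information ({label})"
        if len(value) >= 4 and value in norm and msg not in violations:
            violations.append(msg)
    if candidate in previous:
        violations.append("reused from a previous password (must be unique)")
    return violations


if __name__ == "__main__":
    for pw in ["Password123", "JaneNodeZero2024!", "correct-horse-battery"]:
        print(pw, "->", check_password(pw, sample_user(), []) or "OK")
```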

Horizon3.ai Unveils Rapid Response Service for Cyber Resilience

Posted in Commentary with tags on April 30, 2024 by itnerd

Horizon3.ai, a pioneer in autonomous security solutions, today announced the launch of its Rapid Response service, now part of the NodeZero™ platform. This one-of-a-kind capability marks a significant advancement in autonomous penetration testing solutions by addressing a critical gap in measuring the real-world impact of exploitable vulnerabilities within the software many organizations have come to rely on. Now, organizations can gain a clear understanding of their ‘likelihood of exploitability’ for the most critical vulnerabilities being announced.

As organizations continue to contend with both zero-day and N-day vulnerabilities, the window of time between the public disclosure of a vulnerability and threat actors exploiting it in the wild is steadily shrinking. Knowing this predicament, organizations spend vast amounts of time, money, and resources patching the software they use after hearing of a vendor vulnerability announcement. Yet, how often are organizations expending considerable effort without knowing whether a vulnerability is actually exploitable? The answer to that is, “quite often.”

So far in 2024, the U.S. National Vulnerability Database (NVD) has tracked 11,709 new vulnerabilities in publicly released software. A common challenge for organizations is determining whether any software they are using that is identified as vulnerable is actually exploitable within their specific environments, a judgment often contingent on how the software is deployed. Since organizations often lack a proven method to assess the ‘exploitability’ of software, they may find themselves updating software that does not require immediate patching. NodeZero addresses this issue with its Rapid Response service, which is specifically tailored to manage many of the most critical vulnerabilities more effectively. The following outlines the workings of the Rapid Response service.

As Horizon3.ai’s attack team conducts original research and uncovers new vulnerabilities, they also keep an eye on public vulnerability disclosures. They assess the exploitability of these vulnerabilities, considering factors such as the ease of exploitation, their severity, and the prevalence of the vulnerable software. Following their assessment, they develop proof of concept (POC) exploits, integrate them into NodeZero as new attack content, and notify customers about these emerging vulnerabilities. With NodeZero, customers can probe their systems using this new attack content to gain immediate insights into their level of exploitability. Furthermore, Horizon3.ai alerts customers if known vulnerable software is present in their production environments and warns them when NodeZero is able to exploit these weaknesses.

The Rapid Response service doesn’t just focus on vulnerabilities; it zeroes in on the exploitability of known issues in production environments. As part of this service, organizations receive proactive measures to keep abreast of cyberattacks. The vulnerabilities that flow through this program typically revolve around publicly accessible assets since they are the most likely targets for exploitation.

Recognizing the critical role of response time to emerging exploits in the wild, Horizon3.ai’s Rapid Response service is designed to provide organizations with a proactive defense mechanism to stay ahead of evolving cyberattacks as they’re discovered or trending in the wild. The fundamentals of this type of rapid response effort are concentrated on enabling organizations to preemptively mitigate nascent vulnerabilities before threat actors target them. 

By leveraging Horizon3.ai’s expertise in using ‘offense to inform defense,’ and leaning into NodeZero’s autonomous capabilities, customers can schedule and/or immediately launch NodeZero using a single exploit-check to gain early detection of exploitability from an attacker’s perspective. Once finished, NodeZero prioritizes the most critical and exploitable vulnerabilities that must be patched because they have been deemed completely exploitable by the NodeZero platform.

Horizon3.ai’s Rapid Response service is a groundbreaking step forward in the field of cybersecurity, offering organizations an unprecedented level of preparedness against cyber threats. With its cutting-edge technology and proactive strategy, Horizon3.ai is redefining the landscape of cyber defense, providing a critical service that ensures organizations are not only aware of their vulnerabilities but are also equipped to address exploitability with unmatched speed and efficiency. This service, seamlessly integrated into the NodeZero platform, solidifies Horizon3.ai’s position as a leader in autonomous security solutions, empowering organizations to fortify their defenses against the unpredictable nature of cyber threats.

Learn more about the Horizon3.ai Rapid Response service here

Fortinet FortiClientEMS SQL Injection Deep Dive & Proof Of Concept

Posted in Commentary with tags on March 21, 2024 by itnerd

In a recent PSIRT advisory, Fortinet acknowledged CVE-2023-48788, a SQL injection in FortiClient EMS that can lead to remote code execution. FortiClient EMS is an endpoint management solution for enterprises that provides a central location for administering enrolled endpoints.

Today, Horizon3.ai Exploit Developer James Horseman published “CVE-2023-48788: Fortinet FortiClientEMS SQL Injection Deep Dive” detailing the vulnerability and indicators of compromise, and linking to the proof of concept.

“This SQL injection vulnerability is caused by user controlled strings that are passed directly into database queries. In this post we will examine the internal workings of the exploit,” Horseman said. 

Stephen Gates, Principal SME at Horizon3.ai, added: “NodeZero has incorporated protections for CVE-2023-48788. It can discover where organizations are exploitable, enabling them to mitigate and protect against the issues, and confirm with 1-click verify that they are no longer exploitable.”

The Horizon3.ai POC can be found here.

Multiple Fortinet FortiWLM Vulnerabilities, Indicators Of Compromise Documented By Horizon3.ai

Posted in Commentary with tags on March 14, 2024 by itnerd

Horizon3.ai this morning published “Fortinet FortiWLM Deep-Dive, IOCs, and the Almost Story of the ‘Forti Forty’”, disclosing several vulnerabilities affecting Fortinet FortiWLM (Wireless LAN Manager). The vulnerabilities range from command injection and SQL injection to file reads. While most were patched late last year, two remained unpatched as of March 13, 2024, 307 days after Horizon3.ai’s initial report.

The blog post details several of the issues discovered in FortiWLM that have since been patched:

  1. CVE-2023-34993 – Multiple Unauthenticated Command Injections – PSIRT-23-140
  2. CVE-2023-34991 – Unauthenticated SQL Injection – PSIRT-23-142
  3. CVE-2023-42783 – Unauthenticated Arbitrary File Read – PSIRT-23-143
  4. CVE-2023-48782 – Authenticated Command Injection – PSIRT-23-450

It also covers two vulnerabilities that have not received patches and that lead to appliance compromise:

  1. Unauthenticated Limited Log File Read – Allows retrieval of arbitrary log files, which contain administrator session ID tokens
  2. Static Session ID Vulnerability – Session IDs do not change between sessions for users. Chained with the issue above, this allows trivial compromise of the device.

This morning’s blog post includes paths to remote code execution and indicators of compromise. 

PoC & IoCs for Progress Software OpenEdge Authentication Bypass Vulnerability

Posted in Commentary with tags on March 6, 2024 by itnerd

Zach Hanley, Horizon3.ai Chief Attack Engineer, has just published “CVE-2024-1403: Progress OpenEdge Authentication Bypass Deep-Dive”, a deep dive with a proof of concept link and indicators of compromise for the vulnerability in Progress Software’s OpenEdge application development suite.

The post follows the February 27, 2024 security advisory Progress issued for OpenEdge, its application development and deployment platform suite, warning of an authentication bypass vulnerability affecting some platform components that stems from a failure to properly handle the username and password. Certain unexpected content passed in the credentials enables unauthorized access without authentication.

The Progress advisory linked below notes: “When the OpenEdge Authentication Gateway (OEAG) is configured with an OpenEdge Domain that uses the OS local authentication provider to grant user-id and password logins on operating platforms supported by active releases of OpenEdge, a vulnerability in the authentication routines may lead to unauthorized access on attempted logins. Similarly, when an AdminServer connection is made by OpenEdge Explorer (OEE) and OpenEdge Management (OEM), it also utilizes the OS local authentication provider on supported platforms to grant user-id and password logins that may also lead to unauthorized login access.”

Links: