Archive for horizon3.ai

Horizon3.ai Unveils Pentesting Services for Compliance Ahead of PCI DSS v4.0 Rollout

Posted in Commentary with tags on March 5, 2024 by itnerd

Horizon3.ai today announced the availability of the Horizon3.ai Pentesting Services for Compliance. Horizon3.ai recognizes that demand for pentesting expertise is at an all-time high, and organizations may be struggling to meet their compliance-driven pentesting needs. This advanced, tailored service is designed to fulfill the internal and external pentesting requirements for rigorous regulatory standards that require manual penetration testing to uncover complex logic errors and unknown vulnerabilities.

The demand for manual penetration testing ranges from the Payment Card Industry Data Security Standard (PCI DSS) v4.0 and the updated Self-Assessment Questionnaires (SAQs) to System and Organization Controls (SOC), Digital Operational Resilience Act (DORA), General Data Protection Regulation (GDPR), Center for Internet Security (CIS), National Institute of Standards and Technology (NIST), Cybersecurity Maturity Model Certification (CMMC), and many organizations’ internal requirements.

Horizon3.ai Pentesting Services for Compliance embraces the concept of Human-Machine teaming, where a world-class team of Offensive Security Certified Professional (OSCP) pentesters conduct their pentests to the methodologies specified in each standard, e.g., authenticated and unauthenticated, internal and external perspectives, segmentation checks, and so on. They are equipped with the NodeZero™ autonomous pentesting platform, which leverages artificial intelligence to identify exploitable attack paths that go far beyond the capabilities of vulnerability scanners to add scale, speed, contextual relevance, and consistency to their penetration tests.

The combination of expert human analysis and NodeZero’s autonomous testing results in a comprehensive and actionable evaluation of the network infrastructure being examined. With the service, clients receive a meticulous Pentesting Report and a Fix Action Report with detailed and prioritized guidance. They also have access to their pentest results on the NodeZero platform for 12 months to help guide and streamline their remediation efforts. Clients can even confirm that their corrections are effective with NodeZero’s 1-click verify tool. 1-click verify is targeted retesting of identified weaknesses that the client can execute repeatedly after they remediate to check that an issue is in fact resolved. When the remediation is verified, clients can download an associated report to share with their auditors as essential evidence. That means clients no longer have to schedule additional consulting engagements to verify issues have been remediated. As an additional benefit, the service encompasses rapid response alerts from Horizon3.ai’s accomplished Attack Team about emerging zero-day and N-day vulnerabilities that could impact their environment.

Organizations can also opt to integrate their pentesting engagement with a bundled subscription to NodeZero for continuous security testing, both to move beyond mere “point-in-time” compliance and also to alleviate the remediation burdens of upcoming audit cycles. This allows organizations to assess and improve their security posture with a number of operations beyond internal and external pentesting, such as AD password audit, Phishing Impact testing, N-day testing, and more.

Horizon3.ai Pentesting Services for Compliance are tuned to meet the needs of organizations subject to annual compliance with the PCI DSS v4.0 or the updated SAQs. As of 31 March 2024, PCI DSS v3.2.1 will be retired and v4.0, which introduces more rigorous, continuous security practices, will become the only active version of the standard.

Learn more about the Horizon3.ai Pentesting Services for Compliance.

For more information, send your inquiry to info@horizon3.ai

ConnectWise ScreenConnect Authentication Bypass POC, IOCs Released

Posted in Commentary with tags on February 21, 2024 by itnerd

On February 19, 2023, ConnectWise published a security advisory for their ScreenConnect remote management tool. In the advisory, they describe two vulnerabilities, an authentication bypass with CVSS 10.0 and a path traversal with CVSS 8.4 (both currently without assigned CVE IDs).

The first vulnerability (auth bypass) was disclosed with a critical base CVSS scoring of 10, as it enables access to the path traversal vuln, which in turn enables unauthorized file access.

James Horseman, Horizon3.ai Exploit Developer, has just published ConnectWise ScreenConnect: Authentication Bypass Deep Dive, which dives into the technical details of the authentication bypass, provides indicators of compromise, and includes a link to a Horizon3.ai proof-of-concept auth bypass exploit on GitHub here.

Horizon3.ai Unveils Phishing Impact Testing to Help Organizations Understand the Impact of Phished Credentials

Posted in Commentary with tags on February 7, 2024 by itnerd

Horizon3.ai, a pioneer in autonomous security solutions, today announced the launch of its first-to-market Phishing Impact testing capability within NodeZero. The new capability marks a significant advancement in penetration testing, addressing a critical gap in understanding the real-world implications of phished credentials.

Business leaders often dismiss the threat of entry-level employees who click on malicious links, leading to frustration by IT and security organizations. The Phishing Impact test delivered by NodeZero can help those IT and security teams accurately convey the “blast radius” of those phished credentials, proving that sensitive data was indeed at risk.

Easily Interoperates With Popular Phishing Awareness Solutions

The NodeZero Phishing Impact test is resource-light: it’s easily conducted by IT and security team members by simply adding a few lines of JavaScript generated by NodeZero to their phishing page. Credentials of users “hooked by the lure” are automatically injected into a running NodeZero pentest via the JavaScript copied into the phishing page.

With legitimate credentials in hand, this type of testing reveals if an attacker would next be able to:

  • Find and gain access to private data stores
  • Gain admin access to other hosts in the network
  • Move laterally to compromise cloud environments
  • Elevate their privileges and take over domains
  • Exploit unpatched vulnerabilities in internal systems
  • Conduct other malicious acts

The Phishing Impact test is conducted with Horizon3.ai’s secure methods that ensure clear text credentials are not maintained outside of the test’s ephemeral infrastructure.

Each phished credential is added to the NodeZero platform as a “Notable Event” with a timestamp. Testers see the running list of credentials being tested in the Credentials window in the NodeZero UI.

By adding a few lines of JavaScript code provided by NodeZero to phishing pages created using popular testing tools, organizations can automatically channel captured credentials into an active NodeZero penetration test. This test then utilizes those phished credentials in conjunction with exploitable security weaknesses discovered by NodeZero as part of its attack against the network.

The outcome is a comprehensive report detailing the impact of each phished credential, offering organizations unprecedented insights into their security posture. This not only enhances their understanding of potential threats but also drives effective improvements to safeguard their systems against real-world attacks.

Guest Post: Horizon3.ai Lists 2023’s Most Exploited Vulnerabilities

Posted in Commentary with tags on February 6, 2024 by itnerd

In Rust Won’t Save Us: An Analysis of 2023’s Known Exploited Vulnerabilities, new research from Horizon3.ai, Chief Attack Engineer Zach Hanley analyzes all critical vulnerabilities from the CISA KEV catalog starting from January 2023 through January 2024, categorizing vuln root causes to see whether current efforts in the information security industry match with the current threat vectors being abused.

He says: “Memory safety issues have plagued the software industry for decades. The Cybersecurity & Infrastructure Security Agency (CISA) has been leading a charge for secure-by-design and encouraging developers and vendors to utilize memory safe languages like Rust to eradicate this vulnerability class.

“Google Chromium, the engine used by the majority of browsers around the world, reports that approximately 70% of their high severity issues are memory safety issues. Microsoft reports the same percent of issues affecting its Windows OS are also memory safety. But, what vulnerabilities are being exploited by threat actors today? CISA maintains and publishes its Known Exploited Vulnerability (KEV) catalog of all vulnerabilities that they have insight into having been exploited by threat actors.

We have analyzed all critical vulnerabilities from the CISA KEV catalog starting from January 2023 through January 2024, categorized the vulnerability root causes, and attempted to analyze if the current efforts in the information security industry match with the current threat vectors actually being abused.”

Key findings:

  1. Insecure Exposed Functions Lead the CISA KEV: Nearly half of vulnerabilities are enabled by insecure exposed functions. Vulnerabilities fall into this category when: a) It is not apparent that the developer made any effort to prevent an unauthenticated user from reaching dangerous code, or b) Often, the exposed dangerous code allows authorization bypass or remote code execution via insecure usage of command execution libraries, unrestricted deserialization, or file operations. (more online)
  2. Rust Won’t Save Us, But It Will Help: Memory safety issues were the second (tied with 3) leading cause of vulnerabilities in the data set, coming in at 20%. Interestingly, 75% of the analyzed memory safety vulnerabilities have been exploited as 0-days by threat actors. Additionally, 25% were discovered by security researchers and retroactively discovered to have been exploited as 0-days. When vulnerabilities are exploited as 0-days they typically have a much more widespread effect on the world given that patches often lag by weeks once they are discovered.
  3. Web Routing and Path Abuse Tied for Second: Nearly 20% of vulnerabilities in Figure 1 are the result of routing and path abuse in web applications. These vulnerabilities typically manifest in the “glue” between web frameworks when a developer attempts to route application traffic from one service to another. Vulnerabilities fall into this category when the developer has made an apparent effort to prevent an unauthenticated user from reaching dangerous code – developer mistakes include reverse proxy regex issues, framework filter issues, path normalization issues, and internal application path inspection issues. Similarly, once this code is reached, developers have abandoned defense-in-depth and secure coding practices, which allow abuse of insecure functions.
  4. Threat Actors Love Exploiting Appliances: This isn’t a new trend, but it’s clear from the analysis that they are the target of choice coming in at 49%.

Hanley notes: “The lion’s share of vulnerabilities exploited in the last year are trivial to exploit. While memory safe languages like Rust may help eliminate some portion of breaches, there is much work to do to address the risk that comes with building complex software systems. We’re already seeing similar trends in 2024 with the recently exploited Ivanti Connect Secure vulnerabilities back-to-back…” (continues online).

Hanley recommends:

  1. Vendors
    1. Develop the depth of knowledge of your engineers in the frameworks they use
    2. Harden, standardize, and audit the use of those frameworks across products
    3. Enable and expose verbose logging for your products
  2. Developers
    1. Assume all code you write is reachable from an unauthenticated context
    2. Practice defense-in-depth programming and don’t make it easy for an attacker to shell out
  3. Defenders
    1. Reduce any attack surface exposed to the internet if it’s not needed there
    2. Proactively enable logging, and remote logging if possible, for all products that touch the internet
  4. Researchers
    1. Look for bugs in the places frameworks come together
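The root causes behind findings 1 and 3 above, and the developer recommendations that follow from them, as an added example that is not Horizon3.ai’s code or part of the research: a small report-export handler in Python, shown in its “before” form (a string-prefix path check, a filename spliced into a shell command line, and no authorization check) beside a hardened form that assumes the function is reachable unauthenticated, normalizes the path before trusting it, and never involves a shell. REPORT_ROOT, the function names and the sample inputs are constructed for illustration.

```python
import subprocess
from pathlib import Path

# Constructed sandbox root (an assumption, not a real deployment path): every
# file the handler touches must resolve to a descendant of this directory.
REPORT_ROOT = Path("/srv/reports").resolve()


# --- Finding 3: path inspection done on the string instead of the path ------

def is_within_root_naive(path_str: str) -> bool:
    """'Before' form: a string-prefix check.

    It accepts a sibling directory that merely shares the prefix
    ("/srv/reports_private/...") and knows nothing about "..", so the
    decision is made on how the path is spelled, not on where it points.
    """
    return path_str.startswith(str(REPORT_ROOT))


def confine_to_root(user_path: str) -> Path:
    """'After' form: join, normalize, then compare path components.

    resolve() collapses ".." and follows any symlink that already exists, so a
    link inside the root that points outward is rejected as well. An absolute
    user_path replaces REPORT_ROOT on join and is therefore rejected too.
    """
    candidate = (REPORT_ROOT / user_path).resolve()
    if REPORT_ROOT not in candidate.parents:
        raise ValueError(f"path escapes report root: {user_path!r}")
    return candidate


def is_confined(user_path: str) -> bool:
    """Boolean view of confine_to_root for callers that prefer no exception."""
    try:
        confine_to_root(user_path)
        return True
    except ValueError:
        return False


# --- Finding 1: insecure exposed function (shelling out with caller input) --

def export_report_vulnerable(filename: str) -> bytes:
    """'Before' form, kept only for contrast and never to be called with
    untrusted input: no authorization check, and the filename is spliced into
    a shell command line, so any shell metacharacters in it are interpreted."""
    return subprocess.check_output(f"gzip -c {filename}", shell=True)


def export_report_hardened(filename: str, caller_is_admin: bool) -> list:
    """'After' form.

    1. Authorize explicitly: assume the function is reachable unauthenticated.
    2. Confine the path before it is used anywhere.
    3. Build an argv list; with no shell involved, the filename is exactly one
       argument however it is spelled.
    Returns the argv instead of running it so the decision can be inspected
    (and unit-tested) separately from process execution.
    """
    if not caller_is_admin:
        raise PermissionError("export requires an administrator")
    target = confine_to_root(filename)
    return ["gzip", "-c", str(target)]


def run_export(argv: list) -> bytes:
    """Execute the argv built above; shell=False is the default, so nothing
    in the arguments is interpreted by a shell."""
    return subprocess.run(argv, check=True, capture_output=True).stdout


if __name__ == "__main__":
    # Constructed inputs on which the two checks disagree.
    print(is_within_root_naive(str(REPORT_ROOT) + "_private/secret.txt"))  # True: naive check fooled
    print(is_confined("../../etc/passwd"))                                  # False
    print(export_report_hardened("q1.txt; id", caller_is_admin=True))       # one argv element for the name
```

The hardened path check compares components of the normalized path rather than a string prefix, which is the distinction behind the “path normalization” and “internal application path inspection” mistakes the analysis lists; the hardened export separates the authorization decision, the path decision and the process execution so each can be tested on its own.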

Horizon3.ai Assesses The Impact Of The Jenkins Arbitrary File Leak Vulnerability

Posted in Commentary with tags on January 30, 2024 by itnerd

Naveen Sunkavally, chief architect at Horizon3.ai, has just published “CVE-2024-23897: Assessing the Impact of the Jenkins Arbitrary File Leak Vulnerability,” an analysis of the vulnerability for which Jenkins issued a security advisory on January 24, 2024, affecting the Jenkins continuous integration/continuous development (CI/CD) software development tool.

Naveen notes that the advisory set off alarm bells among the infosec community because the potential impact is huge: Jenkins is widely deployed, with tens of thousands of public-facing installs, and the Jenkins advisory was clear that this vulnerability could lead to remote code execution. Jenkins is a common target for attackers, and, as of this writing, there are four prior Jenkins-related vulnerabilities in CISA’s catalog of Known Exploited Vulnerabilities.

His analysis and advice, issued today for users of Jenkins is: “Don’t panic… unless you need to. This is a textbook example of a vulnerability whose true impact can only be accurately assessed within the context of your environment. The typical Jenkins install will not be exploitable by unauthenticated attackers. However, there are a few factors that could significantly increase the potential for damage, elevating this to a truly critical vulnerability.” 

His post discusses those factors and how to gain an accurate assessment of risk.

Links:

Horizon3.ai Red Team Blog – CVE-2024-23897: Assessing the Impact of the Jenkins Arbitrary File Leak Vulnerability: https://www.horizon3.ai/cve-2024-23897-assessing-the-impact-of-the-jenkins-arbitrary-file-leak-vulnerability/

Jenkins Security Advisory 2024-01-24 – Arbitrary file read vulnerability through the CLI can lead to RCE – CVE-2024-23897: https://www.jenkins.io/security/advisory/2024-01-24/

NIST National Vulnerability Database – CVE-2024-23897 Detail: https://nvd.nist.gov/vuln/detail/CVE-2024-23897

Horizon3.ai Publishes POC Exploit For Fortra GoAnywhere MFT Authentication Bypass

Posted in Commentary with tags on January 24, 2024 by itnerd

Horizon3.ai Chief Attack Engineer Zach Hanley and the Horizon3.ai Red Team have just published “CVE-2024-0204: Fortra GoAnywhere MFT Authentication Bypass Deep-Dive,” which includes a proof-of-concept exploit (POC) for the widely used managed file transfer software along with indicators of compromise (IOCs).

Fortra’s GoAnywhere MFT file transfer software is widely used in finance, healthcare, engineering, gaming, logistics, manufacturing, public sector/government, higher education and other sectors to automate and encrypt data between an organization and its trading partners, centralizing file transfer activity and monitoring while improving costs.

On January 22, 2024, Fortra published a security advisory on CVE-2024-0204, warning of an authentication bypass in Fortra’s GoAnywhere MFT prior to 7.4.1 that allows an unauthorized user to remotely create an admin user via the administration portal. Customers were made aware of the issue by an internal security advisory post and patch made available on December 4, 2023, in which researchers malcolm0x and Islam Elrfai were originally credited with the discovery. In 2023, file transfer applications were a top target by threat actors.

Links

Horizon3.ai’s “CVE-2024-0204: Fortra GoAnywhere MFT Authentication Bypass Deep-Dive” also includes indicators of compromise (IOCs) and remediation recommendations.

Horizon3.ai “CVE-2024-0204: Fortra GoAnywhere MFT Authentication Bypass Deep-Dive” (January 23, 2024): https://www.horizon3.ai/cve-2024-0204-fortra-goanywhere-mft-authentication-bypass-deep-dive/

Horizon3.ai Proof of Concept for CVE-2024-0204: https://github.com/horizon3ai/CVE-2024-0204

Fortra “FI-2024-001 – Authentication Bypass in GoAnywhere MFT” (January 22, 2024): https://www.fortra.com/security/advisory/fi-2024-001

POC Exploit Released On NextGen Mirth Connect Pre-Auth RCE Vulnerability

Posted in Commentary with tags on January 13, 2024 by itnerd

Horizon3.ai Chief Architect Naveen Sunkavally has just released “Writeup for CVE-2023-43208: NextGen Mirth Connect Pre-Auth RCE” (linked below), which includes a proof of concept exploiting the vulnerability.

Mirth Connect is considered the Swiss Army knife of healthcare integration engines, specifically designed for HL7 message integration. It provides the necessary tools for developing, testing, deploying, and monitoring interfaces, and supports data exchange and communications across various systems.

Sunkavally said: “In Oct. 2023, we released an advisory for CVE-2023-43208, a pre-authenticated remote code execution vulnerability affecting NextGen Mirth Connect. Mirth Connect is an open source data integration platform widely used by healthcare companies. This post dives into the technical details behind this vulnerability, which is ultimately related to insecure usage of the Java XStream library for unmarshalling XML payloads. If you’re a user of Mirth Connect and haven’t patched yet, we strongly encourage you to upgrade to the 4.4.1 patch release or later. This is an easily exploitable vulnerability that our own pentesting product, NodeZero, has exploited successfully against a number of healthcare organizations.

CVE-2023-37679: CVE-2023-43208 arises from an incomplete patch for CVE-2023-37679, also a pre-auth RCE, reported by IHTeam. CVE-2023-37679 was reportedly patched in Mirth Connect 4.4.0, which was released on Aug 2, 2023. In the release notes for 4.4.0, we found it odd that this vulnerability was reported to affect only Mirth Connect versions running Java 8.”

Naveen added: “At the time of our advisory in October, there were ~1300 Internet-facing installs of Mirth Connect. Attackers would most likely exploit this vulnerability for initial access or to compromise sensitive healthcare data. On Windows systems, where Mirth Connect appears to be most commonly deployed, it typically runs as the SYSTEM user.”

Links:

CVE-2023-43208: NextGen Mirth Connect Pre-Auth RCE: https://www.horizon3.ai/writeup-for-cve-2023-43208-nextgen-mirth-connect-pre-auth-rce/ (includes proof of concept, dated January 12, 2024)

NextGen Mirth Connect Remote Code Execution Vulnerability (CVE-2023-43208): https://www.horizon3.ai/nextgen-mirth-connect-remote-code-execution-vulnerability-cve-2023-43208/

PaperCut Vulnerability Deep Dive: Seemingly Minor Issues When Chained Together Enable Pwnage Says Horizon3.ai

Posted in Commentary with tags on January 13, 2024 by itnerd

Horizon3.ai Chief Architect Naveen Sunkavally has just published “Writeup for CVE-2023-39143: PaperCut WebDAV Vulnerability,” a deep dive into the technical details behind a critical vulnerability that affects Windows installs of the PaperCut NG/MF print management software, including an explanation of the brute-force step. The vuln can be exploited to download and delete arbitrary files, and in certain configurations upload files, leading to remote code execution.

Naveen notes that the vuln is “something that a patient determined attacker may choose to exploit in certain targeted scenarios and an interesting case study of how a bunch of seemingly minor issues can be chained together to achieve total compromise.”

The deep dive details the brute-forcing step and notes that CVE-2023-39143 is made possible by a series of seemingly minor issues:

  • Weak authentication to the WebDAV endpoint
  • Lack of rate limiting of authentication attempts to the WebDAV endpoint
  • Not limiting HTTP methods invoked over WebDAV
  • Path traversal in the third party net.sf.webdav package
  • Path traversal in the CustomReportExample servlet
  • Using UUIDs to authenticate a site server to a PaperCut server
  • Hardcoded credentials to access the External Device XMLRPC API

PaperCut users exposing it to the Internet who haven’t yet updated to 22.1.3+ are urged to do so, and the deep dive also recommends mitigation steps if upgrading is not immediately possible.

Horizon3.ai Writeup for CVE-2023-39143: PaperCut WebDAV Vulnerability: https://www.horizon3.ai/writeup-for-cve-2023-39143-papercut-webdav-vulnerability/

Horizon3.ai August 4, 2023 Advisory: CVE-2023-39143: PaperCut Path Traversal/File Upload RCE Vulnerability: https://www.horizon3.ai/cve-2023-39143-papercut-path-traversal-file-upload-rce-vulnerability/

PaperCut NG/MF Security Bulletin (July 2023): https://www.papercut.com/kb/Main/securitybulletinjuly2023/

Horizon3.ai Appoints Torie Runzel as Vice President of People

Posted in Commentary with tags on January 8, 2024 by itnerd

Horizon3.ai, a leading provider of autonomous security solutions, today announced that Torie Runzel has joined as Vice President of People, effective immediately.

Runzel brings extensive experience in developing both strong and successful teams through the structures, culture, and programs that attract top talent. She joins Horizon3.ai at a time of high growth, fueled by its breakthrough position as the first company to deliver a fully autonomous penetration testing solution to organizations worldwide. NodeZero™ enables IT, cybersecurity, and MSSP pros to continuously reduce security risk. Using NodeZero, organizations find their exploitable weaknesses, receive detailed guidance about how to prioritize and fix the discovered issues, and verify that their fixes are effective.

As VP of People, Torie will focus on implementing strategic HR initiatives to set the operational foundation for growth and build a culture that attracts, retains, and develops top talent. She’ll focus on systems and practices for recruitment, team alignment, professional and organizational development, performance management, and total rewards, having previously guided startups successfully through similar innovation and high-growth cycles. Torie brings strategic leadership and a hands-on approach to people operations that will play a crucial role in shaping the company’s culture and ensuring achievement of its ambitious growth objectives. Further, with her experience driving diversity and inclusion, she will lead efforts to create a positive and inclusive workplace that reflects Horizon3.ai’s commitment to excellence and opportunity.

The appointment continues Runzel’s role in guiding key growth aspects for companies with solutions that are broadly adopted by Fortune 1000 organizations and targeted sectors. She was most recently VP of People with Divvy Homes, where she built a performance-driven culture and the systems supporting it, scaling out a team of 100 to over 325, and carefully aligning talent and objectives. Prior to that, she was Head of People Operations and Chief of Staff at fintech start-up Bolt Financial, spearheading the advancement and overhaul of recruitment, evaluation, compensation and professional development. She has also served as Chief Operating Officer at CoLane Logistics, where she fulfilled pivotal human resources, operations, legal and sales functions.

Horizon3.ai Publishes A POC & Deep Dive About Cisco IOS XE CVE-2023-20198 and CVE-2023-20273

Posted in Commentary with tags on October 30, 2023 by itnerd

Horizon3.ai’s Exploit Developer James Horseman has just published Cisco IOS XE CVE-2023-20198: Deep Dive and POC.

Horizon3.ai Exploit Developer James Horseman said: “Previously, we explored the patch for CVE-2023-20273 and CVE-2023-20198 affecting Cisco IOS XE and identified some likely vectors an attacker might have used to exploit these vulnerabilities. Now, thanks to SECUINFRA FALCON TEAM’s honeypot, we have further insight into these vulnerabilities.”

Horseman also notes: “An attack would use CVE-2023-20273 to elevate to root and write an implant to disk. However, even without CVE-2023-20273, this POC essentially gives full control over the device. Cisco’s method for fixing this vulnerability seems a bit unconventional. We would have expected them to fix the path parsing vulnerability instead of adding a new header. This makes us wonder if there are other hidden endpoints that can be reached with this method.”

Today’s post is a follow-up to Horizon3.ai’s October 25, 2023 theory-crafting post on CVE-2023-20198.