This vulnerability showed up on a credentialed scan of a RHEL7.6 machine. All of the documentation shows that this applies to RHEL6 using the LILO bootloader but there are no guidelines showing for RHEL7+ using GRUB2 & systemd, which has replaced init.d. Is this a false positive or is there a fix for this issue in RHEL7.6?
Posted by James Kern 2 months ago
I have two Discovery scans set up using the same Scan Template. SCAN A scans 172.16.0.0/12, while SCAN B scans for specified known subnets in the 172.16.0.0/12 range which have been identified by previous scans*. SCAN B identifies subnets totalling about 20k IPs, against the 1m or so specified by 172.16.0.0/12.

SCAN A returns significantly fewer assets than SCAN B, even though the IP range is much larger and covers the same assets. This is not time-dependent: I have run the scans concurrently and see the same results. SCAN A returns ~1900 assets while SCAN B returns ~2600 (also in a much faster time due to the more limited asset scope). 25% is a significant difference.

I have seen the same issue with one scan looking at 10.0.0.0/8 vs another scan looking at specific known subnets in the 10.0.0.0/8 range. The broader scan returned significantly fewer assets than the more tightly defined scan.

Is this a known issue with scanning large subnets? Is there a recommended Template or method I should be using when doing so? I have tried a customised template and one of the out-of-the-box discovery templates, same results.

* I'm using this approach as recommended by R7: do a broad, light discovery scan initially and periodically thereafter, then do tighter, more regular scans for assets in known subnets.
Posted by Tim Lovegrove 2 months ago
I am trying to install the ir_agent on a Raspberry Pi. I followed the install instructions at https://insightagent.help.rapid7.com/docs/install. It fails trying to extract the image: "Unable to find and extract image [ERROR]". Is the agent supported on Linux raspberrypi 4.14.79-v7+ #1159 SMP Sun Nov 4 17:50:20 GMT 2018 armv7l GNU/Linux? Here is the complete install output.

root@raspberrypi:/home/pi/Downloads/agents-linux# sudo ./agent_installer.sh install_start
Checking for dependencies [INFO]
Checking installer dependencies [INFO]
Building directory: /opt/rapid7/ir_agent/components/bootstrap/common [INFO]
Building directory: /opt/rapid7/ir_agent/components/bootstrap/common/ssl [INFO]
Building directory: /opt/rapid7/ir_agent/components/insight_agent/common [INFO]
Building directory: /opt/rapid7/ir_agent/components/insight_agent/22.214.171.124 [INFO]
Extracting agent files to --> /opt/rapid7/ir_agent/components/insight_agent/126.96.36.199 [INFO]
Attempting to load armv7l archive from catalog [INFO]
Attempting to load armv7l archive from catalog [INFO]
Unable to find and extract image [ERROR]
Checking agent base installation for removal [INFO]
Base installation directory exists: /opt/rapid7
Pre-existing installation found - will not remove
Posted by Doug Dellinger 2 months ago
Seeing several machines flagging the below set of vulnerabilities. They already have the IE Cumulative Update listed in the remediation section applied. I think this is a detection issue.

Issues:
Microsoft CVE-2018-0891: Scripting Engine Information Disclosure Vulnerability
Microsoft CVE-2018-0927: Microsoft Browser Information Disclosure Vulnerability
Microsoft CVE-2018-0929: Internet Explorer Information Disclosure Vulnerability
Microsoft CVE-2018-0932: Microsoft Browser Information Disclosure Vulnerability
Microsoft CVE-2018-0935: Scripting Engine Memory Corruption Vulnerability
Microsoft CVE-2018-0942: Internet Explorer Elevation of Privilege Vulnerability

Proof:
Vulnerable software installed: Microsoft Internet Explorer 11.0.9600.19236
Vulnerable OS: Microsoft Windows Server 2012 R2 Datacenter Edition
Based on the following 3 results:
1. Microsoft patch KB4089187 is not installed.
2. Microsoft patch KB4088876 is not installed.
3. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value UBR - value does not exist

Remediation: 2019-01 Cumulative Security Update for Internet Explorer 11 for Windows Server 2012 R2 for x64-based systems (KB4480965)
Posted by Mark Payne 2 months ago
I have deployed my agent to many endpoints, no problems. I am currently running InsightIDR and they are reporting in properly. My question is this: soon I will be deploying InsightVM. I was told that the agent is the same and performs double duty. So, will these deployed agents automatically report back to the VM console? Will I need to redeploy an agent to them? How will the existing agents know to start sending info to the VM console once it is up and running? Thanks
Posted by Kerry LeBlanc 2 months ago
I've deployed the agent to two workstations. They checked in within about 24 hours, but ever since they have been ghosts. The service is still installed and running, but they never check back in. Has anyone else experienced this issue?
Posted by Josh Shourds 2 months ago
I recently created a new Nexpose Engine; when I try to scan sites with this engine it returns the following error: "Scan failed to start on engine: Connection reset by peer: socket write error". Do you have an idea why that might be happening?
Posted by Brunnen_G 2 months ago
mrx001@linux:~$ msfconsole
Traceback (most recent call last):
    24: from /usr/local/bin/msfconsole:48:in `<main>'
    23: from /usr/local/bin/msfconsole:48:in `require'
    22: from /opt/metasploit-framework/lib/msf/core/payload_generator.rb:2:in `<top (required)>'
    21: from /opt/metasploit-framework/lib/msf/core/payload_generator.rb:2:in `require'
    20: from /opt/metasploit-framework/lib/msf/core/payload/apk.rb:3:in `<top (required)>'
    19: from /opt/metasploit-framework/lib/msf/core/payload/apk.rb:3:in `require'
    18: from /opt/metasploit-framework/lib/msf/core.rb:17:in `<top (required)>'
    17: from /home/mrx001/.rvm/gems/ruby-2.3.5/gems/backports-3.11.4/lib/backports/std_lib.rb:9:in `require_with_backports'
    16: from /home/mrx001/.rvm/gems/ruby-2.3.5/gems/backports-3.11.4/lib/backports/std_lib.rb:9:in `require'
    15: from /opt/metasploit-framework/lib/rex.rb:102:in `<top (required)>'
    14: from /home/mrx001/.rvm/gems/ruby-2.3.5/gems/backports-3.11.4/lib/backports/std_lib.rb:9:in `require_with_backports'
    13: from /home/mrx001/.rvm/gems/ruby-2.3.5/gems/backports-3.11.4/lib/backports/std_lib.rb:9:in `require'
    12: from /opt/metasploit-framework/lib/rex/proto.rb:2:in `<top (required)>'
    11: from /home/mrx001/.rvm/gems/ruby-2.3.5/gems/backports-3.11.4/lib/backports/std_lib.rb:9:in `require_with_backports'
    10: from /home/mrx001/.rvm/gems/ruby-2.3.5/gems/backports-3.11.4/lib/backports/std_lib.rb:9:in `require'
     9: from /opt/metasploit-framework/lib/rex/proto/http.rb:4:in `<top (required)>'
     8: from /home/mrx001/.rvm/gems/ruby-2.3.5/gems/backports-3.11.4/lib/backports/std_lib.rb:9:in `require_with_backports'
     7: from /home/mrx001/.rvm/gems/ruby-2.3.5/gems/backports-3.11.4/lib/backports/std_lib.rb:9:in `require'
     6: from /opt/metasploit-framework/lib/rex/proto/http/response.rb:5:in `<top (required)>'
     5: from /home/mrx001/.rvm/gems/ruby-2.3.5/gems/backports-3.11.4/lib/backports/std_lib.rb:9:in `require_with_backports'
     4: from /home/mrx001/.rvm/gems/ruby-2.3.5/gems/backports-3.11.4/lib/backports/std_lib.rb:9:in `require'
     3: from /home/mrx001/.rvm/gems/ruby-2.3.5/gems/nokogiri-1.10.1/lib/nokogiri.rb:28:in `<top (required)>'
     2: from /home/mrx001/.rvm/gems/ruby-2.3.5/gems/nokogiri-1.10.1/lib/nokogiri.rb:32:in `rescue in <top (required)>'
     1: from /home/mrx001/.rvm/gems/ruby-2.3.5/gems/backports-3.11.4/lib/backports/std_lib.rb:9:in `require_with_backports'
/home/mrx001/.rvm/gems/ruby-2.3.5/gems/backports-3.11.4/lib/backports/std_lib.rb:9:in `require': libruby.so.2.3: cannot open shared object file: No such file or directory - /home/mrx001/.rvm/gems/ruby-2.3.5/gems/nokogiri-1.10.1/lib/nokogiri/nokogiri.so (LoadError)
Posted by mrx001 2 months ago
When is Nexpose going to start parsing the Cisco configurations to verify whether a vulnerability is applicable? This issue causes a lot of angst around here because Nexpose currently only looks at the running IOS/NX-OS and flags a device vulnerable when in fact the device is not vulnerable due to configuration. Thanks
Posted by Ken Plummer 3 months ago
Could you guys please have a look at a query I created? The size of the data was about 20 MB until I added the new column "summary". Ever since I added that column, the size became 20 times bigger, so around 200 MB. I would like to understand why this specific column causes an enormous data increase.

SELECT favi.asset_id,
       da.host_name,
       da.ip_address,
       dt.tag_name,
       round(dv.cvss_score::numeric) AS cvss_score,
       dv.exploits,
       dv.severity,
       ds.scan_id,
       ds.started,
       dvc.category_name,
       dv.title,
       ds2.summary
FROM fact_asset_vulnerability_finding favi
JOIN dim_asset da ON favi.asset_id = da.asset_id
JOIN dim_tag_asset dta ON favi.asset_id = dta.asset_id
JOIN dim_tag dt ON dta.tag_id = dt.tag_id
JOIN dim_vulnerability dv ON favi.vulnerability_id = dv.vulnerability_id
JOIN fact_asset fa ON favi.asset_id = fa.asset_id
JOIN dim_scan ds ON ds.scan_id = fa.last_scan_id
JOIN dim_vulnerability_category dvc ON dv.vulnerability_id = dvc.vulnerability_id
JOIN dim_vulnerability_solution dvs ON dvs.vulnerability_id = favi.vulnerability_id
JOIN dim_solution ds2 ON dvs.solution_id = ds2.solution_id
Posted by Donggun Kim 3 months ago
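An added worked example for the question above (it is not part of the post and not Rapid7's code). It assumes only the tables and columns the posted query already uses (the Rapid7 reporting data model on PostgreSQL, which the `::numeric` cast implies). The page does not say which join is responsible for the growth, so the first query measures the fan-out that each one-to-many join (tags per asset, categories per vulnerability, solutions per vulnerability) adds on top of the base finding count; the second query returns one row per finding by collapsing those multi-valued attributes with `string_agg`, so a long free-text column such as `dim_solution.summary` is emitted once per finding instead of once per combination of tag, category and solution.

```sql
-- Added diagnostic and rewrite; not from the original post or from Rapid7.
-- Assumes the tables/columns referenced in the posted query (PostgreSQL).

-- Step 1: measure how much each one-to-many join multiplies the finding rows.
-- A finding is one (asset_id, vulnerability_id) row; every join below can repeat it.
SELECT
    (SELECT count(*) FROM fact_asset_vulnerability_finding)                    AS findings,
    (SELECT count(*)
       FROM fact_asset_vulnerability_finding favi
       JOIN dim_tag_asset dta ON dta.asset_id = favi.asset_id)                AS after_tag_join,
    (SELECT count(*)
       FROM fact_asset_vulnerability_finding favi
       JOIN dim_vulnerability_category dvc
         ON dvc.vulnerability_id = favi.vulnerability_id)                      AS after_category_join,
    (SELECT count(*)
       FROM fact_asset_vulnerability_finding favi
       JOIN dim_vulnerability_solution dvs
         ON dvs.vulnerability_id = favi.vulnerability_id)                      AS after_solution_join;

-- Step 2: one row per finding; tags, categories and solution summaries are
-- aggregated per row instead of multiplying it.
SELECT
    favi.asset_id,
    da.host_name,
    da.ip_address,
    tags.tag_names,
    round(dv.cvss_score::numeric) AS cvss_score,
    dv.exploits,
    dv.severity,
    ds.scan_id,
    ds.started,
    cats.category_names,
    dv.title,
    sols.summaries
FROM fact_asset_vulnerability_finding favi
JOIN dim_asset         da ON da.asset_id         = favi.asset_id
JOIN dim_vulnerability dv ON dv.vulnerability_id = favi.vulnerability_id
JOIN fact_asset        fa ON fa.asset_id         = favi.asset_id
JOIN dim_scan          ds ON ds.scan_id          = fa.last_scan_id
LEFT JOIN LATERAL (
    SELECT string_agg(dt.tag_name, ', ' ORDER BY dt.tag_name) AS tag_names
    FROM dim_tag_asset dta
    JOIN dim_tag dt ON dt.tag_id = dta.tag_id
    WHERE dta.asset_id = favi.asset_id
) tags ON true
LEFT JOIN LATERAL (
    SELECT string_agg(dvc.category_name, ', ' ORDER BY dvc.category_name) AS category_names
    FROM dim_vulnerability_category dvc
    WHERE dvc.vulnerability_id = favi.vulnerability_id
) cats ON true
LEFT JOIN LATERAL (
    -- left(..., 200) caps each free-text summary; remove it to keep the full text
    SELECT string_agg(DISTINCT left(ds2.summary, 200), ' | ') AS summaries
    FROM dim_vulnerability_solution dvs
    JOIN dim_solution ds2 ON ds2.solution_id = dvs.solution_id
    WHERE dvs.vulnerability_id = favi.vulnerability_id
) sols ON true;
```

Two behavioural differences from the posted query are deliberate: the `LEFT JOIN LATERAL` blocks keep findings for assets that have no tag and vulnerabilities that have no category or solution, which the original inner joins silently dropped, and the output row count equals `findings` from Step 1 regardless of how many tags, categories or solutions exist. If Step 1 shows `after_solution_join` far above `findings`, that join (not the `summary` column by itself) is where the row multiplication comes from; the wide text column just makes each duplicated row expensive.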
I was playing around one day and saw that it is possible to take snapshots with the Meterpreter. I tried to run it, and it works! Not even the LED is turning on. But there is my question: I don't think that Rapid7 wrote dozens of firmwares or DLLs, because they did something brilliant, but what? What is their secret to keep off the webcam LEDs?
Posted by ImJustTestingDontMindMe 3 months ago
Does anyone have a query that will give me my Top 10 Vulnerabilities by category? List would be based off of critical severity, risk score, and asset count. I can do this manually, but it is very time consuming. I'm looking for a way to roll up vulnerabilities into categories, meaning, if I have several different Adobe vulnerabilities, roll all of those up to an Adobe category, which would be 1 of the top 10 on the list. Thanks in advance...
Posted by Doug Dergan 3 months ago
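An added example query for the request above (not from the post and not Rapid7's own report SQL). It assumes the same Rapid7 reporting data model tables used elsewhere on this page (`fact_asset_vulnerability_finding`, `dim_vulnerability`, `dim_vulnerability_category`) plus two assumptions about that model: that `dim_vulnerability` carries a `riskscore` column and that its `severity` column uses the value `'Critical'`. It rolls every finding up to its category (so all Adobe vulnerabilities land in the Adobe category), scores each category by critical findings, summed risk and affected asset count, and returns the top 10.

```sql
-- Added example; not from the original post or from Rapid7.
-- Assumptions: Rapid7 reporting data model on PostgreSQL 9.4+ (FILTER clause),
-- dim_vulnerability.riskscore exists, dim_vulnerability.severity uses 'Critical'.
WITH finding AS (
    -- one row per (asset, vulnerability): repeat scans must not inflate the counts
    SELECT DISTINCT asset_id, vulnerability_id
    FROM fact_asset_vulnerability_finding
),
per_category AS (
    SELECT
        dvc.category_name,
        count(DISTINCT f.vulnerability_id)                                         AS vulnerabilities,
        count(DISTINCT f.asset_id)                                                 AS assets,
        count(DISTINCT f.vulnerability_id) FILTER (WHERE dv.severity = 'Critical') AS critical_vulnerabilities,
        count(*)                           FILTER (WHERE dv.severity = 'Critical') AS critical_findings,
        sum(dv.riskscore)                                                          AS total_risk
    FROM finding f
    JOIN dim_vulnerability          dv  ON dv.vulnerability_id  = f.vulnerability_id
    JOIN dim_vulnerability_category dvc ON dvc.vulnerability_id = f.vulnerability_id
    GROUP BY dvc.category_name
)
SELECT
    category_name,
    critical_findings,
    critical_vulnerabilities,
    assets,
    vulnerabilities,
    round(total_risk::numeric) AS total_risk
FROM per_category
ORDER BY critical_findings DESC, total_risk DESC, assets DESC
LIMIT 10;
```

A vulnerability that belongs to several categories is counted in each of them, which is what "roll up into categories" implies but means the per-category numbers do not sum to the site total. Swap the `ORDER BY` terms to change which of critical count, risk or asset count drives the ranking, and add a `WHERE` on `dim_vulnerability_category.category_name` inside `per_category` if only vendor categories (Adobe, Microsoft, and so on) should be ranked rather than every category the scanner assigns.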
When running scans I'm getting a java.lang.RuntimeException error: "This site is in use and cannot be locked for this request." Does anyone have a solution to this error? I've contacted the help desk and sent logs but still have not had the issue resolved.
Posted by Keith E Allen 3 months ago