I'm evaluating the InsightVM tool in vulnerability assessment for our small (but certain to grow) Docker container servers. I have not been able to assess the images even though the tool does recognize the servers as container hosts. When I reached out to the group standing up the containers, they explained they are placing and building the images directly on the servers and use no registry. Is it possible for InsightVM to work with this use case?
Posted by Diana Orrick about a year ago
I'm looking at the CVE-2018-6789 CVSS scores in Nexpose checks? They don't make much sense to me and I'm curious how even at a preliminary scoring they ended up being what they are? The current scoring lists the issue as a Local attack vector for a network centric RCE among other issues?

Looking at the following example ID

```
ubuntu-cve-2018-6789 CVSS 2 (AV:L/AC:M/Au:N/C:P/I:P/A:P)
```

Reviewing score sources the Ubuntu link structure is broken. The UI points to https://usn.ubuntu.com/USN-3565-1 but the current call structure is https://usn.ubuntu.com/3565-1/

NVD to date hasn't published a score. Looking at the Debian link has sources like RedHat that include a more appropriate score which is roughly double the current score listed.

https://security-tracker.debian.org/tracker/DSA-4110-1 -> https://security-tracker.debian.org/tracker/CVE-2018-6789 -> https://access.redhat.com/security/cve/cve-2018-6789

```
(CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
```

The available Nexpose information doesn't seem to align with the current check's description: https://devco.re/blog/2018/03/06/exim-off-by-one-RCE-exploiting-CVE-2018-6789-en/

Is this information evaluated by an analyst or a default value for imported issues?
Posted by BrianWGray about a year ago
What goes into the composition of the Vulnerability Risk Score and Vulnerability Severity Level? How are they measured? What is the difference between these 2? Is one considered "better" than the other?
Posted by Kevin Keer about a year ago
I have this problem with windows/smb/ms17_010_eternalblue

I use Linux kali 4.14.0-kali3-amd64 #1 SMP Debian 4.14.12-2kali1 (2018-01-08) x86_64 GNU/Linux

```
[*] Started reverse TCP handler on "Lhost:port"
[*] "Rhost IP:port" - Connecting to target for exploitation.
[+] "Rhost IP:port" - Connection established for exploitation.
[+] "Rhost IP:port" - Target OS selected valid for OS indicated by SMB reply
[*] "Rhost IP:port" - CORE raw buffer dump (38 bytes)
[*] "Rhost IP:port" - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] "Rhost IP:port" - 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
[*] "Rhost IP:port" - 0x00000020 50 61 63 6b 20 31 Pack 1
[+] "Rhost IP:port" - Target arch selected valid for arch indicated by DCE/RPC reply
[*] "Rhost IP:port" - Trying exploit with 12 Groom Allocations.
[*] "Rhost IP:port" - Sending all but last fragment of exploit packet
[*] "Rhost IP:port" - Starting non-paged pool grooming
[+] "Rhost IP:port" - Sending SMBv2 buffers
[+] "Rhost IP:port" - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] "Rhost IP:port" - Sending final SMBv2 buffers.
[*] "Rhost IP:port" - Sending last fragment of exploit packet!
[*] "Rhost IP:port" - Receiving response from exploit packet
[-] "Rhost IP:port" - Did not receive a response from exploit packet
[*] "Rhost IP:port" - Sending egg to corrupted connection.
[-] "Rhost IP:port" - Errno::ECONNRESET: Connection reset by peer
[*] Exploit completed, but no session was created.
```
Posted by Jhon Dale about a year ago
I am currently configuring a custom policy that I need to be able to run against a SUSE Linux server. I am wondering how I can go about configuring it to scan for say the password conf file and then from there see if the proper complexity settings are in place.
Posted by Derek Scheller about a year ago
Hi, I am looking for an SQL query that will pull the top 25 remediations from Nexpose and correlate those top 25 remediations with assets. I was provided with the following query by Rapid7:

```
SELECT ds.summary AS "Solution Summary",
       proofAsText(ds.fix) AS "Solution Steps",
       array_to_string(array_agg(da.ip_address), ', ') AS "IP Addresses",
       array_to_string(array_agg(da.host_name), ', ') AS "Host Names"
FROM fact_remediation(25, 'riskscore DESC') AS fr
JOIN dim_solution AS ds ON fr.solution_id = ds.solution_id
JOIN dim_asset_vulnerability_solution davs ON fr.solution_id = davs.solution_id
JOIN dim_asset AS da ON davs.asset_id = da.asset_id
GROUP BY ds.summary, ds.fix
```

The problem with this query is that it does not line up with the top 25 remediations PDF report in Nexpose, and the count of assets associated with each remediation is not the same as in the PDF. I have attempted writing my own query using the following schema: https://help.rapid7.com/nexpose/en-us/warehouse/warehouse-schema.html However, when I attempt to look up data from fact tables in the schema, Nexpose says the table does not exist. Can someone please provide a resource to an up-to-date Nexpose schema and provide a top 25 remediations query that will line up with the top 25 remediations PDF report in Nexpose? Thank you.
Posted by George about a year ago
Our InsightVM console is alerting for: You've used over 110% of your licensed assets which may impact the performance of the product. Please contact your Rapid7 CSM to increase your license. We already increased our licenses to cover ALL assets in our organization. Need help checking on this.
Posted by Marco Lisboa about a year ago
I have been working on and testing the following check (text content to be improved). The following has been working well so far in my test environment. I have seen at least one response instance where I did not receive a STAT command back, but it was early in my testing so it may have been a poorly formed request on my end.

What I'm running into within my test environment is that the memcached service on 11211 is only showing as TCP in the UI, and the system is listening on 11211/udp and tcp on the test server. The check below (unless I misunderstand the logic) should only trigger if the query is successful on UDP. The signature is firing and the proof shows 11211 TCP. If the same port 11211 is available on both TCP and UDP, does the UI fail to show one or does my check potentially have an error? I'm also looking to see if the XML schema has any hints to further restrict the NetworkService to be UDP only.

*I'm open to any improvements.

```
<VulnerabilityCheck id="cmty-memcached-amplification" scope="endpoint" potential="0">
  <NetworkService type="memcached"/>
  <UDPCheck>
    <UDPRequestResponse>
      <UDPRequest><value format="base64">AAEAAAABAABzdGF0cw0KCg==</value></UDPRequest>
      <UDPResponse><regex ctags="REG_DOT_NEWLINE,REG_MULTILINE">STAT</regex></UDPResponse>
    </UDPRequestResponse>
  </UDPCheck>
</VulnerabilityCheck>
```

[cmty-memcached-amplification.xml](https://github.com/BrianWGray/cmty-nexpose-checks/blob/master/cmty-memcached-amplification.xml)
[cmty-memcached-amplification.vck](https://github.com/BrianWGray/cmty-nexpose-checks/blob/master/cmty-memcached-amplification.vck)
[memcached-restrict.sol](https://github.com/BrianWGray/cmty-nexpose-checks/blob/master/memcached-restrict.sol)
Posted by BrianWGray about a year ago
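
Added example, not part of the original post or of the linked check files: it decodes the base64 probe from the `<UDPRequest>` element above into the 8-byte memcached UDP frame header plus payload, and tests a reply the way a UDP-only match would, which is stricter than the check's bare `STAT` regex because the reply must also carry a frame header echoing the probe's request ID. The function names and sample replies are constructed for illustration.

```python
import base64
import re
import struct

# Probe copied from the <UDPRequest> element of the check in the post above.
PROBE = base64.b64decode("AAEAAAABAABzdGF0cw0KCg==")

# Constructed sample replies (not captured traffic).
SAMPLE_STATS_REPLY = (bytes.fromhex("0001000000010000")
                      + b"STAT pid 4242\r\nSTAT uptime 17\r\nEND\r\n")
SAMPLE_OTHER_REPLY = (bytes.fromhex("0007000000010000")
                      + b"STAT pid 4242\r\nEND\r\n")


def parse_frame(datagram):
    """Split a memcached UDP datagram into its frame header fields and payload."""
    if len(datagram) < 8:
        raise ValueError("shorter than the 8-byte memcached UDP frame header")
    # Four big-endian 16-bit fields: request ID, sequence number,
    # total datagrams in the message, reserved (must be 0).
    request_id, sequence, total, reserved = struct.unpack("!HHHH", datagram[:8])
    return {"request_id": request_id, "sequence": sequence,
            "total": total, "reserved": reserved, "payload": datagram[8:]}


def is_stats_reply(probe, reply):
    """True only for a UDP-framed reply that echoes the probe's request ID
    and contains at least one 'STAT <name> <value>' line."""
    try:
        sent, got = parse_frame(probe), parse_frame(reply)
    except ValueError:
        return False
    return (got["request_id"] == sent["request_id"]
            and got["reserved"] == 0
            and re.search(rb"^STAT \S+ ", got["payload"], re.MULTILINE) is not None)


if __name__ == "__main__":
    print(parse_frame(PROBE))
    print(is_stats_reply(PROBE, SAMPLE_STATS_REPLY))
    print(is_stats_reply(PROBE, SAMPLE_OTHER_REPLY))
```

A TCP `stats` response has no frame header, so the header comparison is what separates a UDP answer from a TCP one carrying the same `STAT` text.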
We are trying to update an older Nexpose Appliance from Ubuntu version 8 to 10 so we can at least get it to version 12 via a USB drive. When we power up the appliance it runs through POST and all we get is a cursor on the monitor and on the display system bootup message. Are there any options for rebuilding the server?
Posted by Alfredo Martinez about a year ago
Hello, I am researching what CVSS version is being reported in my reports on Nexpose. When I manually view asset vulnerabilities in the console, I see a v2 and a v3 of the CVSS. Are my reports (the default Nexpose reports) reflecting the CVSS v2 or is it the v3? I looked into writing my own SQL query and I found (dv.cvss_score) but again I am not sure if that is v2 or v3. Any help is appreciated. My goal is to make sure my reports are reflecting v2 only and not v3. Thank you, Scott
Posted by Scott Walker about a year ago
There is a question about the scan delay of Nexpose. I have previously sent inquiries regarding the delay in scanning speed. I know I need to modify the Discovery Performance values in the scan template settings to improve the scan speed. However, there was no difference in scan speed when the Discovery Performance values were modified. I wonder if there are any factors that could affect Nexpose's scan performance apart from Discovery Performance values. I would also like to ask if you can solve this problem.
Posted by yryim about a year ago
Looking for some assistance with this incident that is appearing on several of our systems.

Proof:
Vulnerable OS: Microsoft Windows Server 2008 R2, Datacenter Edition SP1
Microsoft patch KB4025337 installed

According to the Microsoft Security Guidance, updated patches were released in September. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8529

This particular system has both the September IE11 Cumulative Update installed, as well as the Security only update rollup. The vulnerability proof is calling out that a particular patch is installed. While there were issues with that patch, several patches superseded it. I'm not sure where to start at trying to resolve this.
Posted by Mark Payne about a year ago