Qualys Blogs

Oracle released another massive critical patch update (CPU) today which contains 104 new security fixes. Java SE took the lion’s share of fixes, followed by Fusion Middleware and MySQL. Only two vulnerabilities were fixed in the flagship Database Server 11g and 12c, and both require credentials to be exploited remotely.

 

Java fixes include FX and SE, as well as SE Embedded. Out of the 37 Java vulnerabilities that were fixed, CVE-2014-2398 can be exploited remotely without authentication and we recommend you patch that immediately.

 

All vulnerabilities in the Fusion Middleware can be exploited over the web using HTTP, and 13 out of the 20 can be exploited remotely without authentication.

 

MySQL version 5.5 and 5.6 was patched, and out of the 14 vulnerabilities only CVE-2014-2431 is exploitable remotely without authentication.

 

PeopleSoft received 8 vulnerability fixes, and 5 of them can be exploited remotely without authentication if left unpatched.

 

The large update covering multiple products will be easier to install if a good map of the current versions exists. In any case we recommend addressing vulnerabilities on systems that are Internet accessible first.


The Heartbleed OpenSSL bug (CVE-2014-0160) caught everybody by surprise last week, and the scope and impact of the issue can't be overstated. Mitigating the impact of Heartbleed is a daunting process since the bug has been in the wild since March 2012 and because attacks that use it leave no footprints.

 

Last week Qualys created detection capabilities for Heartbleed within 24 hours of its discovery. Today we have released a new Heartbleed reporting capability within the QualysGuard Certificates Dashboard so that organizations can move efficiently through the patching and certificate cleanup process. Within the Certificates Dashboard, a specific “Heartbleed” selection has been added to the Filters menu that outputs the details of any certificates associated with assets that either have a current Heartbleed detection or had a Heartbleed detection and whose certificate issue date lies before the fix date. In addition the administrator can search for certificates that were issued any time before the systems were patched, which constitute the “at risk” population of certificates that should be revoked and replaced.

 

Our ability to deliver detection and reporting to our entire QualysGuard customer base so quickly after the discovery of Heartbleed demonstrates the flexibility of our cloud-based platform. We will continue to iterate and improve our capabilities to make the recovery from Heartbleed as painless as possible for our customers.

 

Heartbleed Remediation Reporting Step-by-Step

  1. Navigate to the Assets section of QualysGuard.

  2. Select the Certificates tab, click the Filters dropdown and choose Heartbleed to see all affected hosts.

  3. After you have patched some or all of the affected hosts, click Search and select Fixed to list only remediated hosts that can be issued new certificates.

  4. Search for all certificates issued before the patch date to identify certificates that may need to be replaced (in this example 14 April 2014).

  5. To share with others, export the data in the format of your choice.
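As an added illustration (not Qualys code and not part of the original post), the Python below applies the same selection rule on constructed records: a certificate is at risk when its host still has a Heartbleed detection, or was fixed only after the certificate was issued, because the private key may have been read from process memory while the service was vulnerable. The record fields, the sample data and the function names are this example's own.

```python
"""Pick the Heartbleed "at risk" certificates that need revoking and replacing.

Added example, not Qualys code: it applies the rule of the Certificates
Dashboard filter described above to constructed records.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class HostCert:
    host: str
    issued: date               # certificate issue (NotBefore) date
    detected: bool             # a Heartbleed detection exists or existed for this host
    fixed_on: Optional[date]   # day the detection was marked Fixed; None while still vulnerable


def cert_status(rec: HostCert) -> str:
    """Classify one host/certificate pair.

    "vulnerable":   host is still detected; patch before issuing a new certificate
    "replace":      host was fixed, but the certificate predates the fix, so its
                    private key may have been exposed: revoke and reissue
    "ok":           certificate was issued after the host was fixed
    "not-affected": no Heartbleed detection was ever recorded for the host
    """
    if not rec.detected:
        return "not-affected"
    if rec.fixed_on is None:
        return "vulnerable"
    # Dates carry no time of day, so a certificate issued on the fix day cannot
    # be shown to post-date the patch; treat it as at risk as well.
    if rec.issued <= rec.fixed_on:
        return "replace"
    return "ok"


def certs_to_replace(records: List[HostCert]) -> List[str]:
    """Steps 3 and 4 above: remediated hosts whose certificate predates the fix."""
    return sorted(r.host for r in records if cert_status(r) == "replace")


def issued_before(records: List[HostCert], patch_date: date) -> List[str]:
    """Step 4 above as a plain date search: every certificate issued before the
    organisation-wide patch date, regardless of per-host detection state."""
    return sorted(r.host for r in records if r.issued < patch_date)


# Constructed sample data (hostnames and dates are invented).
PATCH_DATE = date(2014, 4, 14)
SAMPLE = [
    HostCert("web1.example", date(2013, 6, 1), True, date(2014, 4, 10)),
    HostCert("web2.example", date(2014, 4, 15), True, date(2014, 4, 14)),
    HostCert("web3.example", date(2013, 1, 1), True, None),
    HostCert("db1.example", date(2012, 1, 1), False, None),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(f"{r.host:14} {cert_status(r)}")
    print("replace:", certs_to_replace(SAMPLE))
    print("issued before patch date:", issued_before(SAMPLE, PATCH_DATE))
```

The two list functions mirror the two ways of searching in the dashboard: per-host fix dates give the precise set, while a single organisation-wide patch date is the conservative superset to use when per-host fix dates are not tracked.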


This update to QualysGuard 8.0 includes improvements to the QualysGuard API, allowing you to integrate your programs and API calls with QualysGuard Vulnerability Management (VM) and QualysGuard Policy Compliance (PC).

 

What’s New

 

 

 

QualysGuard API Server URL.

The QualysGuard API documentation and sample code use the API server URL for QualysGuard US Platform 1. If your account is located on another platform, please replace this URL with the appropriate server URL for your account.

 

 

Account Location                     API Server URL for login
QualysGuard US Platform 1            https://qualysapi.qualys.com
QualysGuard US Platform 2            https://qualysapi.qg2.apps.qualys.com
QualysGuard EU Platform              https://qualysapi.qualys.eu
QualysGuard Private Cloud Platform   https://qualysapi.<customer_base_url>


 

QualysGuard API Documentation. API user guides and other documentation are available in your account’s Resources section (Help > Resources > API). Note: The service enforces limits on the API calls users can make within a subscription. See “QualysGuard API Limits” for details.

 

 


Vulnerability Management (VM)

“Security Risk Score” summary added to XML and CSV reports

With this release vulnerability scan reports include a security risk score summary for the report and per host, in all report formats; earlier this was not in XML or CSV. As before, the risk score summary appears when your report template is configured for host based findings (automatic data) and the Text Summary option is selected. The asset_data_report.dtd was updated; we’ll show you the changes.

 

Tell me about the Security Risk Score. The score for the overall report is the average security risk for all hosts in the report. The score for each host is the average severity level detected (the default) or the highest severity level detected. Managers can configure the calculation method for the subscription by going to Reports > Setup > Security Risk. Are you an Express Lite user? If yes, the average severity level is always used.

 

Sample reports. These reports were created using a scan report template configured with host based findings and Text Summary is selected (under Display > Detailed Results).

 

CSV report

New rows show you the security risk score summary for the report and per host.


 

XML report

New XML elements show you the security risk summary for the report (see RISK_SCORE_SUMMARY) and per host (see RISK_SCORE_PER_HOST).

 

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE ASSET_DATA_REPORT SYSTEM "https://qualysguard.qualys.com/asset_data_report.dtd">
<ASSET_DATA_REPORT>
  <HEADER>
    <COMPANY><![CDATA[Qualys, Inc.]]></COMPANY>
    <USERNAME>USERNAME</USERNAME>
    <GENERATION_DATETIME>2014-03-11T23:56:22Z</GENERATION_DATETIME>
    ...
    <RISK_SCORE_SUMMARY>
      <TOTAL_VULNERABILITIES>14</TOTAL_VULNERABILITIES>
      <AVG_SECURITY_RISK>2.6</AVG_SECURITY_RISK>
      <BUSINESS_RISK>13/100</BUSINESS_RISK>
    </RISK_SCORE_SUMMARY>
  </HEADER>
<RISK_SCORE_PER_HOST>
  <HOSTS>
    <IP_ADDRESS>10.10.24.104</IP_ADDRESS>
    <TOTAL_VULNERABILITIES>4</TOTAL_VULNERABILITIES>
    <SECURITY_RISK>2.5</SECURITY_RISK>
  </HOSTS>
  <HOSTS>
    <IP_ADDRESS>10.10.24.106</IP_ADDRESS>
    <TOTAL_VULNERABILITIES>10</TOTAL_VULNERABILITIES>
    <SECURITY_RISK>2.6</SECURITY_RISK>
  </HOSTS>
</RISK_SCORE_PER_HOST>
  <HOST_LIST>
    <HOST>
      <IP>10.10.24.104</IP>
      <TRACKING_METHOD>IP</TRACKING_METHOD>
...
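To show how a script would consume the new elements, here is an added Python example (not Qualys code and not from the post): it parses the summary and per-host scores out of the sample above, recomputes a host score under the two calculation methods described earlier (average or highest severity), and checks that the summary is consistent with the per-host entries. SAMPLE_REPORT is the post's XML with the DOCTYPE line and the elided parts removed; the function names are this example's own.

```python
"""Parse the new RISK_SCORE_SUMMARY / RISK_SCORE_PER_HOST elements and check them.

Added example, not Qualys code. SAMPLE_REPORT is the post's XML with the
DOCTYPE line and the elided parts removed; host_score() reproduces the two
calculation methods described above; all function names are this example's own.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8" ?>
<ASSET_DATA_REPORT>
  <HEADER>
    <COMPANY><![CDATA[Qualys, Inc.]]></COMPANY>
    <USERNAME>USERNAME</USERNAME>
    <GENERATION_DATETIME>2014-03-11T23:56:22Z</GENERATION_DATETIME>
    <RISK_SCORE_SUMMARY>
      <TOTAL_VULNERABILITIES>14</TOTAL_VULNERABILITIES>
      <AVG_SECURITY_RISK>2.6</AVG_SECURITY_RISK>
      <BUSINESS_RISK>13/100</BUSINESS_RISK>
    </RISK_SCORE_SUMMARY>
  </HEADER>
  <RISK_SCORE_PER_HOST>
    <HOSTS>
      <IP_ADDRESS>10.10.24.104</IP_ADDRESS>
      <TOTAL_VULNERABILITIES>4</TOTAL_VULNERABILITIES>
      <SECURITY_RISK>2.5</SECURITY_RISK>
    </HOSTS>
    <HOSTS>
      <IP_ADDRESS>10.10.24.106</IP_ADDRESS>
      <TOTAL_VULNERABILITIES>10</TOTAL_VULNERABILITIES>
      <SECURITY_RISK>2.6</SECURITY_RISK>
    </HOSTS>
  </RISK_SCORE_PER_HOST>
</ASSET_DATA_REPORT>"""


def host_score(severities, method="average"):
    """Security risk for one host from its detected severity levels (1 to 5):
    the average severity (the default) or the highest, as configured under
    Reports > Setup > Security Risk."""
    if not severities:
        return 0.0
    if method == "highest":
        return float(max(severities))
    if method == "average":
        return sum(severities) / len(severities)
    raise ValueError("method must be 'average' or 'highest'")


def parse_risk_scores(xml_text):
    """Return (summary dict, list of (ip, total_vulnerabilities, security_risk))."""
    root = ET.fromstring(xml_text)
    s = root.find("HEADER/RISK_SCORE_SUMMARY")
    if s is None:
        raise ValueError("report has no RISK_SCORE_SUMMARY (is Text Summary enabled?)")
    summary = {
        "total": int(s.findtext("TOTAL_VULNERABILITIES")),
        "avg": float(s.findtext("AVG_SECURITY_RISK")),
        "business_risk": s.findtext("BUSINESS_RISK"),
    }
    hosts = [
        (h.findtext("IP_ADDRESS"),
         int(h.findtext("TOTAL_VULNERABILITIES")),
         float(h.findtext("SECURITY_RISK")))
        for h in root.iterfind("RISK_SCORE_PER_HOST/HOSTS")
    ]
    return summary, hosts


def check_summary(summary, hosts):
    """True when the report-level summary is consistent with the per-host rows."""
    if not hosts:
        return summary["total"] == 0
    if summary["total"] != sum(n for _, n, _ in hosts):
        return False
    scores = [r for _, _, r in hosts]
    if not all(0.0 <= r <= 5.0 for r in scores):
        return False
    # The post does not state whether the report average weights hosts by their
    # vulnerability count, so only require it to fall within the per-host range.
    return min(scores) <= summary["avg"] <= max(scores)


def hosts_at_or_above(hosts, threshold):
    """IPs whose security risk meets the threshold: the ones to remediate first."""
    return [ip for ip, _, r in hosts if r >= threshold]


if __name__ == "__main__":
    summary, hosts = parse_risk_scores(SAMPLE_REPORT)
    print(summary, hosts, check_summary(summary, hosts))
    print("hosts at or above 2.6:", hosts_at_or_above(hosts, 2.6))
```

A report generated without the Text Summary option has no RISK_SCORE_SUMMARY element, which the parser reports rather than silently returning zeros.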

 

 

DTD updates

You’ll see the updated asset_data_report.dtd below.  There are new elements RISK_SCORE_PER_HOST and RISK_SCORE_SUMMARY.

 

<!-- QUALYS ASSET DATA REPORT DTD -->

<!ELEMENT ASSET_DATA_REPORT (ERROR | (HEADER, RISK_SCORE_PER_HOST?, HOST_LIST?, GLOSSARY?, APPENDICES?))>

<!ELEMENT ERROR (#PCDATA)*>
<!ATTLIST ERROR number CDATA #IMPLIED>


<!-- HEADER -->


<!ELEMENT HEADER (COMPANY, USERNAME, GENERATION_DATETIME, TEMPLATE,
                  TARGET, RISK_SCORE_SUMMARY?)>

<!ELEMENT COMPANY (#PCDATA)>
<!ELEMENT USERNAME (#PCDATA)>
<!ELEMENT GENERATION_DATETIME (#PCDATA)>
<!ELEMENT TEMPLATE (#PCDATA)>
<!ELEMENT TARGET (USER_ASSET_GROUPS?, USER_IP_LIST?, COMBINED_IP_LIST?, 
                  ASSET_TAG_LIST?)>

<!ELEMENT USER_ASSET_GROUPS (ASSET_GROUP_TITLE+)>
<!ELEMENT ASSET_GROUP_TITLE (#PCDATA)>

<!ELEMENT USER_IP_LIST (RANGE*)>
<!ELEMENT RANGE (START, END)>
<!ELEMENT START (#PCDATA)>
<!ELEMENT END (#PCDATA)>

<!ELEMENT COMBINED_IP_LIST (RANGE*)>

<!ELEMENT ASSET_TAG_LIST (INCLUDED_TAGS, EXCLUDED_TAGS?)>

<!ELEMENT INCLUDED_TAGS (ASSET_TAG*)>
<!ATTLIST INCLUDED_TAGS scope CDATA #IMPLIED>

<!ELEMENT EXCLUDED_TAGS (ASSET_TAG*)>
<!ATTLIST EXCLUDED_TAGS scope CDATA #IMPLIED>

<!-- AVERAGE RISK_SCORE_SUMMARY -->
<!ELEMENT RISK_SCORE_SUMMARY (TOTAL_VULNERABILITIES, AVG_SECURITY_RISK,
                              BUSINESS_RISK)>
<!ELEMENT TOTAL_VULNERABILITIES (#PCDATA)>
<!ELEMENT AVG_SECURITY_RISK (#PCDATA)>
<!ELEMENT BUSINESS_RISK (#PCDATA)>

<!-- RISK_SCORE_PER_HOST -->
<!ELEMENT RISK_SCORE_PER_HOST (HOSTS+)>
<!ELEMENT HOSTS (IP_ADDRESS, TOTAL_VULNERABILITIES, SECURITY_RISK)>
<!ELEMENT IP_ADDRESS (#PCDATA)>
<!ELEMENT SECURITY_RISK (#PCDATA)>

<!-- HOST_LIST -->

<!ELEMENT HOST_LIST (HOST+)>
...

 

 

Manage the EC2 Scan Workflow using the API

You can now manage the special Amazon EC2 Scan workflow in Vulnerability Management using the QualysGuard API. You’ll use the VM Scan API v2 (/api/2.0/fo/scan/) to launch EC2 scans and manage them within your account just like other vulnerability scans.

 

The Amazon EC2 Scan workflow using QualysGuard is pre-authorized by AWS. This workflow integrates with EC2 APIs, targets EC2 assets by their Instance ID, and allows scanning in Amazon EC2 Classic and EC2-VPC without the need to request pre-approval from AWS through their scan authorization request form. Want to learn more? Check out our Help Center for Amazon Web Services at the Qualys Community.

 

A few things to consider...

  • EC2 Scanning and EC2 Connector features must be enabled for your QualysGuard account.
  • Only a Manager user can launch EC2 scans.
  • You must have deployed an instance of the virtual scanner appliance using a QualysGuard appliance AMI published in AWS Marketplace.  Don’t have this? Log in to the user interface and go to VM > Scans > Appliances and select New > Virtual Scanner Appliance. When using the EC2 Scan workflow be certain to deploy the “Pre-Authorized Scanning” appliance and not the standard appliance.  Please see Choosing The Correct Scanner AMI (Amazon Machine Image) for more.
  • You need an EC2 Connector that you’ve configured using the user interface in QualysGuard Asset Management. Want to do this? Go to AM (Asset Management) > Connectors and select Actions > Create EC2 Connector. Our wizard will help you do this quickly. You’ll select EC2 hosts to scan and assign them asset tags. (Tip - When you launch an EC2 scan you’ll select EC2 host tags for the scan target.)

 

Ready to launch an EC2 scan? Here are the settings you’ll use. Many of the input parameters are also available for all vulnerability scans.

 

Setting / Parameters

Request
  action=launch (Required)
  echo_request (Optional)

Scan Title
  scan_title (Optional)

EC2 environment
  connector_name={value}
  (Required) The name of the EC2 connector for the AWS integration you want to run the scan on.

  ec2_endpoint={value}
  (Required) The EC2 region code or the ID of the Virtual Private Cloud (VPC) zone. Need to find the region code? See: AWS Documentation - Region and Availability Zone Concepts

Option Profile
  option_title={value} -or- option_id={value}
  (Required) The scan settings to be used for the scan, saved as an option profile.

Scanner Appliance
  iscanner_name={value} -or- iscanner_id={value}
  (Required) The scanner appliance to be used for the scan.

Target Hosts
  target_from={tags}
  (Required) Use tags to select the EC2 hosts you want to scan.

  use_ip_nt_range_tags={0}
  The default setting is “0”. Important - This cannot be set to “1” for EC2 scanning.

  These tag parameters are used to select tags:
  tag_set_include={tag1,tag2,...} (Required)
  tag_set_exclude={tag1,tag2,...} (Optional)
  tag_include_selector={any|all} (Default: any)
  tag_exclude_selector={any|all} (Default: any)
  tag_set_by={id|name} (Default: id)

 

 

Show me a sample API request

This request will launch an EC2 vulnerability scan using the connector “EC2_Connector” on assets that match tags with IDs 1558997 and 1559222. You’ll notice the XML output uses the simple return DTD (simple_return.dtd).

 

API request

curl -H "X-Requested-With: Curl" -u "USERNAME:PASSWORD" -X "POST" -d "action=launch&scan_title=My+EC2+Scan&connector_name=EC2_Connector&ec2_endpoint=us-east-1&target_from=tags&use_ip_nt_range_tags=0&tag_include_selector=any&tag_set_by=id&tag_set_include=1558997,1559222&option_id=43165&iscanner_name=EC2-1" "https://qualysapi.qualys.com/api/2.0/fo/scan/" > outputfile.txt

 

XML output

cat outputfile.txt

 

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE SIMPLE_RETURN SYSTEM "https://qualysapi.qualys.com/api/2.0/simple_return.dtd">
<SIMPLE_RETURN>
  <RESPONSE>
    <DATETIME>2014-02-25T21:32:40Z</DATETIME>
    <TEXT>New vm scan launched</TEXT>
    <ITEM_LIST>
      <ITEM>
        <KEY>ID</KEY>
        <VALUE>136992</VALUE>
      </ITEM>
      <ITEM>
        <KEY>REFERENCE</KEY>
        <VALUE>scan/1358285558.36992</VALUE>
      </ITEM>
    </ITEM_LIST>
  </RESPONSE>
</SIMPLE_RETURN>
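An added Python example, not Qualys code and not the post's own sample: it builds the same launch request with the documented rules enforced before anything is sent (exactly one option profile and one scanner reference, use_ip_nt_range_tags fixed at 0, tag selectors restricted to any/all) and parses the SIMPLE_RETURN answer. API_SERVER, the function names and SAMPLE_RETURN (the post's output with the DOCTYPE line removed) are this example's assumptions; the request is only assembled, so nothing leaves the machine unless you call urlopen on it.

```python
"""Build and validate an EC2 scan launch request and parse the SIMPLE_RETURN answer.

Added example, not Qualys code. The rules enforced are the ones in the settings
table above; API_SERVER, the function names and SAMPLE_RETURN (the post's
output with the DOCTYPE line removed) are this example's own assumptions.
"""
import base64
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

API_SERVER = "https://qualysapi.qualys.com"  # US Platform 1; replace for other platforms
SCAN_ENDPOINT = API_SERVER + "/api/2.0/fo/scan/"
SELECTORS = ("any", "all")


def build_ec2_launch_params(connector_name, ec2_endpoint, tag_set_include, *,
                            option_id=None, option_title=None,
                            iscanner_id=None, iscanner_name=None,
                            scan_title=None, tag_set_exclude=None,
                            tag_include_selector="any", tag_exclude_selector="any",
                            tag_set_by="id", use_ip_nt_range_tags=0):
    """POST parameters for action=launch on EC2 targets; ValueError on a rule violation."""
    if not connector_name or not ec2_endpoint:
        raise ValueError("connector_name and ec2_endpoint are required for EC2 scans")
    if (option_id is None) == (option_title is None):
        raise ValueError("specify exactly one of option_id or option_title")
    if (iscanner_id is None) == (iscanner_name is None):
        raise ValueError("specify exactly one of iscanner_id or iscanner_name")
    if int(use_ip_nt_range_tags) != 0:
        raise ValueError("use_ip_nt_range_tags must be 0 for EC2 scanning")
    if not tag_set_include:
        raise ValueError("tag_set_include needs at least one tag")
    if tag_include_selector not in SELECTORS or tag_exclude_selector not in SELECTORS:
        raise ValueError("tag selectors must be 'any' or 'all'")
    if tag_set_by not in ("id", "name"):
        raise ValueError("tag_set_by must be 'id' or 'name'")
    params = {
        "action": "launch",
        "connector_name": connector_name,
        "ec2_endpoint": ec2_endpoint,
        "target_from": "tags",            # EC2 targets are always selected by tag
        "use_ip_nt_range_tags": "0",
        "tag_set_by": tag_set_by,
        "tag_include_selector": tag_include_selector,
        "tag_set_include": ",".join(str(t) for t in tag_set_include),
    }
    if scan_title:
        params["scan_title"] = scan_title
    if tag_set_exclude:
        params["tag_set_exclude"] = ",".join(str(t) for t in tag_set_exclude)
        params["tag_exclude_selector"] = tag_exclude_selector
    if option_id is not None:
        params["option_id"] = str(option_id)
    else:
        params["option_title"] = option_title
    if iscanner_id is not None:
        params["iscanner_id"] = str(iscanner_id)
    else:
        params["iscanner_name"] = iscanner_name
    return params


def encode_body(params):
    """URL-encode the POST body; commas stay literal as in the curl example."""
    return urlencode(params, safe=",")


def build_request(params, username, password):
    """Assemble the urllib Request with HTTP Basic auth and the X-Requested-With
    header the API expects; nothing is sent until urlopen() is called on it."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(
        SCAN_ENDPOINT, data=encode_body(params).encode(), method="POST",
        headers={"X-Requested-With": "Python urllib", "Authorization": "Basic " + token})


def parse_simple_return(xml_text):
    """TEXT plus the KEY/VALUE items of a SIMPLE_RETURN document."""
    resp = ET.fromstring(xml_text).find("RESPONSE")
    items = {i.findtext("KEY"): i.findtext("VALUE") for i in resp.iter("ITEM")}
    return {"datetime": resp.findtext("DATETIME"), "text": resp.findtext("TEXT"), "items": items}


SAMPLE_RETURN = """<?xml version="1.0" encoding="UTF-8" ?>
<SIMPLE_RETURN>
  <RESPONSE>
    <DATETIME>2014-02-25T21:32:40Z</DATETIME>
    <TEXT>New vm scan launched</TEXT>
    <ITEM_LIST>
      <ITEM><KEY>ID</KEY><VALUE>136992</VALUE></ITEM>
      <ITEM><KEY>REFERENCE</KEY><VALUE>scan/1358285558.36992</VALUE></ITEM>
    </ITEM_LIST>
  </RESPONSE>
</SIMPLE_RETURN>"""

if __name__ == "__main__":
    p = build_ec2_launch_params("EC2_Connector", "us-east-1", [1558997, 1559222],
                                option_id=43165, iscanner_name="EC2-1", scan_title="My EC2 Scan")
    print(encode_body(p))
    print(parse_simple_return(SAMPLE_RETURN)["items"])
```

The scan ID and REFERENCE returned in ITEM_LIST are what later status and fetch calls against the same endpoint key on, so keep them rather than only the TEXT line.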

 

 

 


Policy Compliance (PC)

 

Limit Policy Reports to Selected IPs

Want your policy reports to show certain IPs only? Now you can select the IP addresses to report on each time you create a policy report. This way your report will show you compliance data for selected IPs only, instead of all IPs associated with your policy.

 

Ready to create your report? You’ll use the Report Share API (/api/2.0/fo/report/ with the parameter action=launch) to launch your policy report. Just add the “ips” input parameter and enter the IPs/ranges you want to include in your report; these IPs/ranges must be assigned to the policy you’re reporting on.

 

API request

This request launches a policy report on these IP addresses: 10.10.10.21,10.10.10.40-10.10.10.46. These IPs are assigned to policy ID 12345 and will be included in the report.

 

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X "POST" -d "action=launch&report_title=My+Policy+Report&policy_id=12345&output_format=xml&ips=10.10.10.21,10.10.10.40-10.10.10.46" "https://qualysapi.qualys.com/api/2.0/fo/report/"

 

Compliance Scorecard Report XML - added NetBIOS name and DNS name

The Compliance Scorecard Report now lists the NetBIOS name and/or DNS name for each host listed under top hosts with changes, when this is available in your account. Be sure you’ve selected the layout option “Hosts with changes” in your report template.

 

We’ve updated the report DTD (compliance_scorecard_report.dtd) to include the new subelements NETBIOS and DNS (under HOST).

 

XML output

...
    <TOP_HOST_WITH_CHANGES>
      <TOP><![CDATA[10]]></TOP>
      <CHANGED_TO_PASS>
        <HOST>
          <IP_ADDRESS><![CDATA[10.10.10.29]]></IP_ADDRESS>
          <NETBIOS><![CDATA[XPSP3-10-29-1]]></NETBIOS>
          <DNS><![CDATA[xpsp3-10-29-1.corp10.com]]></DNS>
          <ASSET_GROUP_NAME><![CDATA[ComplianceHosts]]></ASSET_GROUP_NAME>
          <TECHNOLOGY>Windows XP desktop</TECHNOLOGY>
          <NUMBER_OF_POLICIES>1</NUMBER_OF_POLICIES>
          <PASSED_TOTAL>12</PASSED_TOTAL>
          <PASSED_CHANGED>12</PASSED_CHANGED>
          <COMPLIANCE>100%</COMPLIANCE>
        </HOST>
      </CHANGED_TO_PASS>
      <CHANGED_TO_FAIL>
        <HOST>
          <IP_ADDRESS><![CDATA[10.10.10.29]]></IP_ADDRESS>
          <NETBIOS><![CDATA[XPSP3-10-29-1]]></NETBIOS>
          <DNS><![CDATA[xpsp3-10-29-1.corp123.com]]></DNS>
          ...
        </HOST>
      </CHANGED_TO_FAIL>
...

 

DTD update

...
<!ELEMENT HOST (IP_ADDRESS, NETBIOS, DNS, NETWORK?, ASSET_GROUP_NAME?, ASSET_TAG_NAME?, TECHNOLOGY, NUMBER_OF_POLICIES, PASSED_TOTAL?, PASSED_CHANGED?, FAILED_TOTAL?, FAILED_CHANGED?, ERROR_TOTAL?, ERROR_CHANGED?, COMPLIANCE)>
...
<!ELEMENT NETBIOS (#PCDATA)>
<!ELEMENT DNS (#PCDATA)>

 

 

Policy XML updated to remove control checksum requirement

Now it’s possible to manually import policies without the requirement to have a checksum for control configurations. We’ve updated the XML output of the EVALUATE element. We’ll use the new XML output without the checksum when you export policies. No changes were made to the policy export output DTD (https://<baseurl>/api/2.0/fo/compliance/policy/policy_export_output.dtd).


Tell me about the changes

In previous releases the EVALUATE element included the checksum attribute and the content was text, like this:

 

<EVALUATE checksum="3982342715fb297713b21d2baee13649e36f8f42cde75a2dbaf521b2ce584674">&lt;CTRL&gt;&lt;DP&gt;&lt;K&gt;ap00.system.cgi.scriptalias&lt;/K&gt;&lt;CD&gt;matches&lt;/CD&gt;&lt;OP&gt;xre&lt;/OP&gt;&lt;V&gt;&lt;![CDATA[.*]]&gt;&lt;/V&gt;&lt;FV set=&quot;1&quot;&gt;161803399999999&lt;/FV&gt;&lt;FV set=&quot;1&quot;&gt;314159265358979&lt;/FV&gt;&lt;/DP&gt;&lt;/CTRL&gt;</EVALUATE>

 

With this release the EVALUATE element does not include the checksum and the content is XML (not text), like this:

 

<EVALUATE>
    <CTRL><DP><K>ap00.system.cgi.scriptalias</K><CD>matches</CD><OP>xre</OP><V><![CDATA[.*]]></V><FV set="1">161803399999999</FV><FV set="1">314159265358979</FV></DP></CTRL>
</EVALUATE>

 

Can I still import policy XML with the checksum?

Yes, you can still do this - no problem.  Remember if you export your policy we’ll use the new XML output and the checksum attribute will be removed.
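Because an importer has to accept both forms, here is an added Python example (not Qualys code) that normalises an EVALUATE element from either representation into the new one and reads the control out of it. The two sample strings are the forms shown above; the function names are this example's own. The detail worth knowing is that an XML parser has already turned the escaped text of the old form back into markup characters, so the old content only needs to be parsed a second time.

```python
"""Accept both forms of a policy-export EVALUATE element and normalise to the new one.

Added example, not Qualys code. Element and attribute names are the ones in
the samples above; normalize_evaluate(), read_control() and to_new_xml() are
this example's own functions.
"""
import xml.etree.ElementTree as ET

# Old form (checksum attribute, control serialised as escaped text), from the post.
OLD_STYLE = (
    '<EVALUATE checksum="3982342715fb297713b21d2baee13649e36f8f42cde75a2dbaf521b2ce584674">'
    '&lt;CTRL&gt;&lt;DP&gt;&lt;K&gt;ap00.system.cgi.scriptalias&lt;/K&gt;'
    '&lt;CD&gt;matches&lt;/CD&gt;&lt;OP&gt;xre&lt;/OP&gt;&lt;V&gt;&lt;![CDATA[.*]]&gt;&lt;/V&gt;'
    '&lt;FV set=&quot;1&quot;&gt;161803399999999&lt;/FV&gt;'
    '&lt;FV set=&quot;1&quot;&gt;314159265358979&lt;/FV&gt;&lt;/DP&gt;&lt;/CTRL&gt;</EVALUATE>'
)

# New form (no checksum, control is a child element), from the post.
NEW_STYLE = """<EVALUATE>
    <CTRL><DP><K>ap00.system.cgi.scriptalias</K><CD>matches</CD><OP>xre</OP><V><![CDATA[.*]]></V><FV set="1">161803399999999</FV><FV set="1">314159265358979</FV></DP></CTRL>
</EVALUATE>"""


def normalize_evaluate(xml_text):
    """Return (EVALUATE element in the new form, whether a checksum was present).

    Old form: the parser has already decoded &lt; &gt; &quot; in the text, so
    elem.text is itself a CTRL document and is parsed a second time.
    New form: the CTRL child is kept; a stray checksum attribute is dropped.
    """
    elem = ET.fromstring(xml_text)
    if elem.tag != "EVALUATE":
        raise ValueError(f"expected an EVALUATE element, got {elem.tag}")
    had_checksum = "checksum" in elem.attrib
    new = ET.Element("EVALUATE")
    if len(elem) == 0:
        if not (elem.text or "").strip():
            raise ValueError("EVALUATE has neither child elements nor text content")
        new.append(ET.fromstring(elem.text))
    else:
        new.extend(list(elem))
    return new, had_checksum


def read_control(evaluate):
    """Pull the data point definition out of a normalised EVALUATE element."""
    dp = evaluate.find("CTRL/DP")
    if dp is None:
        raise ValueError("EVALUATE has no CTRL/DP child")
    return {
        "key": dp.findtext("K"),
        "condition": dp.findtext("CD"),
        "op": dp.findtext("OP"),
        "pattern": dp.findtext("V"),
        "fixed_values": [fv.text for fv in dp.findall("FV")],
    }


def to_new_xml(evaluate):
    """Serialise in the form the export now produces (never carries checksum)."""
    return ET.tostring(evaluate, encoding="unicode")


if __name__ == "__main__":
    for sample in (OLD_STYLE, NEW_STYLE):
        elem, had = normalize_evaluate(sample)
        print("checksum present:", had, read_control(elem))
        print(to_new_xml(elem))
```

Both samples yield the same control record after normalisation, which is the property an importer can assert on when it is fed policies exported before and after this release.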

 

 

Posture Info API improvements

We’ve made improvements to the XML output of the Compliance Posture Info API v2 (resource/api/2.0/fo/compliance/posture/info/ with action=list). This gives you more details about the controls evaluated on your hosts and their posture. A new summary section tells you more about the control instances (posture info records) like the number of assets, controls and control instances evaluated.  We also report the percentage of controls that passed for each host.

 

Want to see the new details?  Be sure to specify the parameter details=All.  We’ve added more content to the XML output and the posture_info_list_output.dtd has been updated.

 

API request

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -d "action=list&policy_ids=10649&details=All&asset_group_ids=423117,423147" "https://qualysapi.qualys.com/api/2.0/fo/compliance/posture/info/"

 

XML output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE POSTURE_INFO_LIST_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/2.0/fo/compliance/posture/info/posture_info_list_output.dtd">
<POSTURE_INFO_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2014-04-09T05:00:46Z</DATETIME>
    <POLICY>
      <ID>10649</ID>
      <DATETIME>2014-04-09T05:00:46Z</DATETIME>
      <INFO_LIST>
        <INFO>
          <ID>1794005</ID>
          <HOST_ID>2154769</HOST_ID>
          <CONTROL_ID>1061</CONTROL_ID>
          <TECHNOLOGY_ID>6</TECHNOLOGY_ID>
          <INSTANCE></INSTANCE>
          <STATUS>Passed</STATUS>
          <EVIDENCE>
            <BOOLEAN_EXPR><![CDATA[:dp_1 match_all $tp_1]]></BOOLEAN_EXPR>
            <DPV_LIST>
              <DPV lastUpdated="2014-02-09T23:30:35Z">
                <LABEL>:dp_1</LABEL>
                <V><![CDATA[161803399999999]]></V>
                <TM_REF>@tm_1</TM_REF>
              </DPV>
            </DPV_LIST>
          </EVIDENCE>
        </INFO>
        <INFO>
          <ID>1794006</ID>
          <HOST_ID>2154769</HOST_ID>
          <CONTROL_ID>1071</CONTROL_ID>
          <TECHNOLOGY_ID>6</TECHNOLOGY_ID>
          <INSTANCE></INSTANCE>
          <STATUS>Passed</STATUS>
          <EVIDENCE>
            <BOOLEAN_EXPR><![CDATA[(:dp_2 in #fv_1 or :dp_2 >= $tp_2)]]></BOOLEAN_EXPR>
            <DPV_LIST>
              <DPV lastUpdated="2014-02-09T23:30:35Z">
                <LABEL>:dp_2</LABEL>
                <V><![CDATA[0]]></V>
              </DPV>
            </DPV_LIST>
          </EVIDENCE>
        </INFO>
...
      </INFO_LIST>
      <SUMMARY>
        <TOTAL_ASSETS>1</TOTAL_ASSETS>
        <TOTAL_CONTROLS>199</TOTAL_CONTROLS>
        <CONTROL_INSTANCES>
          <TOTAL>98</TOTAL>
          <TOTAL_PASSED>84</TOTAL_PASSED>
          <TOTAL_FAILED>14</TOTAL_FAILED>
          <TOTAL_ERROR>0</TOTAL_ERROR>
          <TOTAL_EXCEPTIONS>0</TOTAL_EXCEPTIONS>
        </CONTROL_INSTANCES>
      </SUMMARY>
      <GLOSSARY>
        <HOST_LIST>
          <HOST>
            <ID>2154769</ID>
            <IP>10.10.10.34</IP>
            <TRACKING_METHOD>IP</TRACKING_METHOD>
            <DNS><![CDATA[aix-53-10-34.vuln.qa.qualys.com]]></DNS>
            <OS><![CDATA[AIX 5.3]]></OS>
            <LAST_VULN_SCAN_DATETIME>2014-01-19T17:49:27Z</LAST_VULN_SCAN_DATETIME>
            <LAST_COMPLIANCE_SCAN_DATETIME>2014-02-09T23:30:35Z</LAST_COMPLIANCE_SCAN_DATETIME>
            <PERCENTAGE><![CDATA[85.71% (84 of 98)]]></PERCENTAGE>
          </HOST>
        </HOST_LIST>
        <CONTROL_LIST>
          <CONTROL>
            <ID>1061</ID>
            <STATEMENT><![CDATA[Status of the existence of plus sign or '+' entries in the host's password-related files]]></STATEMENT>
...
      </GLOSSARY>
    </POLICY>
  </RESPONSE>
</POSTURE_INFO_LIST_OUTPUT>

 

DTD updates

1) The new SUMMARY subelement gives details for the request (in RESPONSE) and per policy (in POLICY). The summary reports statistics about the control instances (posture info records) returned in the XML output, including the total number of assets, controls and control instances. For control instances you’ll find the total number of instances, the number with the status passed, failed and error, and the number defined as exceptions.

 

2) The new PERCENTAGE subelement (in HOST) tells you the percentage of controls having the status passed. For example “85.71% (84 of 98)” means 85.71% of the controls passed: 84 controls passed out of 98 controls evaluated.

 

...
<!ELEMENT RESPONSE (DATETIME, ((INFO_LIST?, SUMMARY?, WARNING_LIST?, GLOSSARY?) | POLICY+))>

<!ELEMENT POLICY (ID, DATETIME, INFO_LIST?, SUMMARY?, WARNING_LIST?, GLOSSARY?)>
...
<!ELEMENT HOST_LIST (HOST+)>
<!ELEMENT HOST (ID, IP, TRACKING_METHOD, DNS?, NETBIOS?, OS?, OS_CPE?,
                LAST_VULN_SCAN_DATETIME?, LAST_COMPLIANCE_SCAN_DATETIME?,
                PERCENTAGE?)>
...
<!ELEMENT PERCENTAGE (#PCDATA)>
...
<!ELEMENT SUMMARY (TOTAL_ASSETS, TOTAL_CONTROLS, CONTROL_INSTANCES)>
<!ELEMENT TOTAL_ASSETS (#PCDATA)>
<!ELEMENT TOTAL_CONTROLS (#PCDATA)>
<!ELEMENT CONTROL_INSTANCES (TOTAL, TOTAL_PASSED, TOTAL_FAILED,
                             TOTAL_ERROR, TOTAL_EXCEPTIONS)>
<!ELEMENT TOTAL (#PCDATA)>
<!ELEMENT TOTAL_PASSED (#PCDATA)>
<!ELEMENT TOTAL_FAILED (#PCDATA)>
<!ELEMENT TOTAL_ERROR (#PCDATA)>
<!ELEMENT TOTAL_EXCEPTIONS (#PCDATA)>
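As an added Python example (not Qualys code), the script below recomputes the CONTROL_INSTANCES totals and each host's PERCENTAGE from the INFO records of a response and reports any discrepancy, and lists hosts whose pass percentage is below a threshold. SAMPLE is a constructed response with only six INFO records so the totals can be checked by hand; element names follow the DTD above, and the function names are this example's own.

```python
"""Recompute the posture SUMMARY and per-host PERCENTAGE of a Compliance
Posture Info API response and report discrepancies.

Added example, not Qualys code. Element names follow the DTD above; SAMPLE is
a constructed response (six INFO records) and the function names are this
example's own.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter

SAMPLE = """<?xml version="1.0" encoding="UTF-8" ?>
<POSTURE_INFO_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2014-04-09T05:00:46Z</DATETIME>
    <POLICY>
      <ID>10649</ID>
      <DATETIME>2014-04-09T05:00:46Z</DATETIME>
      <INFO_LIST>
        <INFO><ID>1</ID><HOST_ID>2154769</HOST_ID><CONTROL_ID>1061</CONTROL_ID><STATUS>Passed</STATUS></INFO>
        <INFO><ID>2</ID><HOST_ID>2154769</HOST_ID><CONTROL_ID>1071</CONTROL_ID><STATUS>Passed</STATUS></INFO>
        <INFO><ID>3</ID><HOST_ID>2154769</HOST_ID><CONTROL_ID>1080</CONTROL_ID><STATUS>Failed</STATUS></INFO>
        <INFO><ID>4</ID><HOST_ID>2154769</HOST_ID><CONTROL_ID>1090</CONTROL_ID><STATUS>Passed</STATUS></INFO>
        <INFO><ID>5</ID><HOST_ID>2154770</HOST_ID><CONTROL_ID>1061</CONTROL_ID><STATUS>Error</STATUS></INFO>
        <INFO><ID>6</ID><HOST_ID>2154770</HOST_ID><CONTROL_ID>1071</CONTROL_ID><STATUS>Failed</STATUS></INFO>
      </INFO_LIST>
      <SUMMARY>
        <TOTAL_ASSETS>2</TOTAL_ASSETS>
        <TOTAL_CONTROLS>4</TOTAL_CONTROLS>
        <CONTROL_INSTANCES>
          <TOTAL>6</TOTAL><TOTAL_PASSED>3</TOTAL_PASSED><TOTAL_FAILED>2</TOTAL_FAILED>
          <TOTAL_ERROR>1</TOTAL_ERROR><TOTAL_EXCEPTIONS>0</TOTAL_EXCEPTIONS>
        </CONTROL_INSTANCES>
      </SUMMARY>
      <GLOSSARY>
        <HOST_LIST>
          <HOST><ID>2154769</ID><IP>10.10.10.34</IP><PERCENTAGE><![CDATA[75.00% (3 of 4)]]></PERCENTAGE></HOST>
          <HOST><ID>2154770</ID><IP>10.10.10.35</IP><PERCENTAGE><![CDATA[0.00% (0 of 2)]]></PERCENTAGE></HOST>
        </HOST_LIST>
      </GLOSSARY>
    </POLICY>
  </RESPONSE>
</POSTURE_INFO_LIST_OUTPUT>"""

PCT_RE = re.compile(r"^\s*([\d.]+)%\s*\((\d+)\s+of\s+(\d+)\)\s*$")


def format_percentage(passed, total):
    """Render the PERCENTAGE text the API uses, e.g. "85.71% (84 of 98)"."""
    pct = 100.0 * passed / total if total else 0.0
    return f"{pct:.2f}% ({passed} of {total})"


def parse_percentage(text):
    """Split "85.71% (84 of 98)" into (85.71, 84, 98)."""
    m = PCT_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised PERCENTAGE text: {text!r}")
    return float(m.group(1)), int(m.group(2)), int(m.group(3))


def count_by_host(node):
    """{HOST_ID: Counter(STATUS -> n)} over the INFO records below node."""
    by_host = {}
    for info in node.iter("INFO"):
        by_host.setdefault(info.findtext("HOST_ID"), Counter())[info.findtext("STATUS")] += 1
    return by_host


def posture_by_host(xml_text):
    return count_by_host(ET.fromstring(xml_text))


def check_summary(xml_text):
    """Compare each POLICY's SUMMARY and PERCENTAGE values with the INFO records
    they summarise; return discrepancy messages (an empty list means consistent)."""
    problems = []
    for policy in ET.fromstring(xml_text).iter("POLICY"):
        pid, by_host, totals = policy.findtext("ID"), count_by_host(policy), Counter()
        for c in by_host.values():
            totals.update(c)
        ci = policy.find("SUMMARY/CONTROL_INSTANCES")
        # TOTAL_EXCEPTIONS cannot be derived from STATUS alone, and TOTAL_CONTROLS
        # counts the policy's controls (199 against 98 instances in the post's
        # sample), so neither is recomputed here.
        expected = {"TOTAL": sum(totals.values()), "TOTAL_PASSED": totals["Passed"],
                    "TOTAL_FAILED": totals["Failed"], "TOTAL_ERROR": totals["Error"]}
        for tag, want in expected.items():
            got = int(ci.findtext(tag))
            if got != want:
                problems.append(f"policy {pid} {tag}: reported {got}, counted {want}")
        if int(policy.findtext("SUMMARY/TOTAL_ASSETS")) != len(by_host):
            problems.append(f"policy {pid} TOTAL_ASSETS differs from hosts seen in INFO_LIST")
        for host in policy.iterfind("GLOSSARY/HOST_LIST/HOST"):
            hid = host.findtext("ID")
            c = by_host.get(hid, Counter())
            want, got = format_percentage(c["Passed"], sum(c.values())), host.findtext("PERCENTAGE")
            if got != want:
                problems.append(f"policy {pid} host {hid} PERCENTAGE: reported {got!r}, computed {want!r}")
    return problems


def hosts_below(xml_text, threshold):
    """IPs whose pass percentage is under threshold: the hosts to look at first."""
    out = []
    for host in ET.fromstring(xml_text).iter("HOST"):
        text = host.findtext("PERCENTAGE")
        if text is not None and parse_percentage(text)[0] < threshold:
            out.append(host.findtext("IP"))
    return out
```

Run with details=All, since the INFO records the recomputation relies on are only complete at that detail level.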

 

 

 


Vulnerability Management (VM) and Policy Compliance (PC)

 

Select Multiple Scanner Appliances for Scans

With this release you can select multiple scanner appliances for your internal vulnerability and compliance scans. This is especially useful when scanning a large number of hosts because it allows you to distribute the scan task across scanner appliances.

 

How do I launch a scan? For a vulnerability scan, use the VM Scan API v2 (resource /api/2.0/fo/scan/ with action=launch). For a compliance scan use the PC Scan API v2 (resource /api/2.0/fo/scan/compliance/ with action=launch).

 

Want to select multiple appliances? Simply tell us the appliance IDs or friendly names when making your launch scan request.

 

Parameter / Description

iscanner_id={value}
  (Optional) The IDs of the scanner appliances to be used. Multiple entries are comma separated.
  These parameters are mutually exclusive and cannot be specified in the same request: iscanner_id and iscanner_name.

iscanner_name={value}
  (Optional) The friendly names of the scanner appliances to be used. Multiple entries are comma separated.
  These parameters are mutually exclusive and cannot be specified in the same request: iscanner_id and iscanner_name.

 

 

A few notes...

  • One of these parameters must be specified in a request for an internal scan: iscanner_name, iscanner_id, default_scanner, scanners_in_ag. (Note: The parameters default_scanner and scanners_in_ag have not changed. Refer to the API v2 User Guide for details on these parameters.)
  • For an Express Lite user, Internal Scanning must be enabled in the user’s account.

 

Show me a sample API request

This request will launch a vulnerability scan on the IP address range 10.10.10.2-10.10.10.255 using these scanner appliances: scanner1, scanner2 and scanner3. You’ll notice the XML output uses the simple return DTD (simple_return.dtd).

 

API request

curl -H "X-Requested-With: Curl" -u "USERNAME:PASSWORD" -X "POST" -d "action=launch&scan_title=My+Vulnerability+Scan&ip=10.10.10.2-10.10.10.255&option_id=43165&iscanner_name=scanner1,scanner2,scanner3" "https://qualysapi.qualys.com/api/2.0/fo/scan/"

 

XML output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE SIMPLE_RETURN SYSTEM "https://qualysapi.qualys.com/api/2.0/simple_return.dtd">
<SIMPLE_RETURN>
  <RESPONSE>
    <DATETIME>2014-02-26T21:32:40Z</DATETIME>
    <TEXT>New vm scan launched</TEXT>
    <ITEM_LIST>
      <ITEM>
        <KEY>ID</KEY>
        <VALUE>136992</VALUE>
      </ITEM>
      <ITEM>
        <KEY>REFERENCE</KEY>
        <VALUE>scan/1358285558.36992</VALUE>
      </ITEM>
    </ITEM_LIST>
  </RESPONSE>
</SIMPLE_RETURN>

 

 

Launch Reports using Asset Tags

We’ve made it easier for you to launch reports by selecting asset tags for the hosts you want to report on using the Report Share API (/api/2.0/fo/report/ with action=launch). It’s possible to select asset tags for both vulnerability and compliance reports. Use the following tag parameters:

 

Parameter / Description

use_tags={0|1}
  (Optional) Specify “1” when your report target will include asset tags. Specify “0” (the default) when your report target will include IP addresses/ranges and/or asset groups. When not specified, use_tags=0 is used.

tag_include_selector={all|any}
  (Optional) Specify “any” (the default) to include hosts that match at least one of the selected tags. Specify “all” to include hosts that match all of the selected tags.
  tag_include_selector is valid only when use_tags=1 is specified.

tag_exclude_selector={all|any}
  (Optional) Specify “any” (the default) to exclude hosts that match at least one of the selected tags. Specify “all” to exclude hosts that match all of the selected tags.
  tag_exclude_selector is valid only when use_tags=1 is specified.

tag_set_by={id|name}
  (Optional) Specify “id” (the default) to select a tag set by providing tag IDs. Specify “name” to select a tag set by providing tag names.
  tag_set_by is valid only when use_tags=1 is specified.

tag_set_include={value}
  (Optional) Specify a tag set to include. Hosts that match these tags will be included. You identify the tag set by providing tag names or IDs. Multiple entries are comma separated.
  tag_set_include is valid only when use_tags=1 is specified.

tag_set_exclude={value}
  (Optional) Specify a tag set to exclude. Hosts that match these tags will be excluded. You identify the tag set by providing tag names or IDs. Multiple entries are comma separated.
  tag_set_exclude is valid only when use_tags=1 is specified.

 

 

API request

This request launches a report on hosts with the asset tag Windows. The XML output uses the simple return DTD (simple_return.dtd).

 

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X "POST" -d "action=launch&template_id=55469&report_title=My+Windows+Report&output_format=pdf&use_tags=1&tag_set_by=name&tag_set_include=Windows" "https://qualysapi.qualys.com/api/2.0/fo/report/"

 

 

XML output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE SIMPLE_RETURN SYSTEM "https://qualysapi.qualys.com/api/2.0/simple_return.dtd">
<SIMPLE_RETURN>
  <RESPONSE>
    <DATETIME>2014-02-20T21:45:23Z</DATETIME>
    <TEXT>New report launched</TEXT>
    <ITEM_LIST>
      <ITEM>
        <KEY>ID</KEY>
        <VALUE>1665</VALUE>
      </ITEM>
    </ITEM_LIST>
  </RESPONSE>
</SIMPLE_RETURN>

 

 


QualysGuard Cloud Platform

 

Manage your Virtual Scanners using the API

The Scanner Appliance API v2 (/api/2.0/fo/appliance) includes multiple updates to help you manage all your scanner appliances - both physical and virtual. We’ve updated the list action to return all appliances in your account and you can filter the list by friendly name and appliance IDs. New actions allow Managers and Unit Managers to create, update and delete virtual scanners.

 

Tell me about Permissions. Managers can perform all actions on all virtual scanners (list, create, update, delete). Unit Managers can perform all actions on virtual scanners in their business unit. Scanners and Readers can list virtual scanners assigned to their accounts.

 

List all your Scanner Appliances - physical and virtual

Use the parameter action=list to return a list of scanner appliances in your account, as in previous releases. Now your virtual scanner appliances will be included. We’ve added these new parameters:

 

Parameter / Description

name={string}
  (Optional) List only scanner appliances (physical and virtual) that have names matching the string provided. Tip - Substring match is supported. For example, if you have 2 appliances named “myscanner” and “anotherscanner” and you supply the string “name=scan”, both appliances will be returned in the XML output.

ids={id1,id2,..}
  (Optional) List only scanner appliances (physical and virtual) that have certain IDs. Multiple IDs are comma separated.

include_license_info={0|1}
  (Optional) Set to 1 to return virtual scanner license information in the XML output. This tells you the number of licenses you have and the number used. This information is not returned by default. When specified the XML output will include the LICENSE_INFO element.

 

 

API request

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X "POST" -d "action=list&echo_request=1&ids=777,1127,1131&include_license_info=1" "https://qualysapi.qualys.com/api/2.0/fo/appliance/"


 

XML output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE APPLIANCE_LIST_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/2.0/fo/appliance/appliance_list_output.dtd">
<APPLIANCE_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2014-01-02T09:26:01Z</DATETIME>
    <APPLIANCE_LIST>
      <APPLIANCE>
        <ID>777</ID>
        <NAME>scanner1</NAME>
        <SOFTWARE_VERSION>2.6</SOFTWARE_VERSION>
        <RUNNING_SCAN_COUNT>0</RUNNING_SCAN_COUNT>
        <STATUS>Online</STATUS>
      </APPLIANCE>
      <APPLIANCE>
        <ID>1127</ID>
        <NAME>scanner2</NAME>
        <SOFTWARE_VERSION>2.6</SOFTWARE_VERSION>
        <RUNNING_SCAN_COUNT>0</RUNNING_SCAN_COUNT>
        <STATUS>Online</STATUS>
      </APPLIANCE>
      <APPLIANCE>
        <ID>1131</ID>
        <NAME>scanner3</NAME>
        <SOFTWARE_VERSION>2.6</SOFTWARE_VERSION>
        <RUNNING_SCAN_COUNT>0</RUNNING_SCAN_COUNT>
        <STATUS>Offline</STATUS>
      </APPLIANCE>
    </APPLIANCE_LIST>
    <LICENSE_INFO>
      <QVSA_LICENSES_COUNT>10</QVSA_LICENSES_COUNT>
      <QVSA_LICENSES_USED>3</QVSA_LICENSES_USED>
    </LICENSE_INFO>
  </RESPONSE>
</APPLIANCE_LIST_OUTPUT>

 

DTD update:

<!-- QUALYS APPLIANCE_LIST_OUTPUT DTD -->
<!ELEMENT APPLIANCE_LIST_OUTPUT (REQUEST?, RESPONSE)>

<!ELEMENT REQUEST (DATETIME, USER_LOGIN, RESOURCE, PARAM_LIST?, POST_DATA?)>
...
<!ELEMENT RESPONSE (DATETIME, APPLIANCE_LIST?, LICENSE_INFO?)>
...
<!ELEMENT LICENSE_INFO (QVSA_LICENSES_COUNT, QVSA_LICENSES_USED)>
<!ELEMENT QVSA_LICENSES_COUNT (#PCDATA)>
<!ELEMENT QVSA_LICENSES_USED (#PCDATA)>

 

 

Add New Virtual Scanner

Use these parameters:

 

Parameter / Description

action=create
  (Required) The POST method must be used.

name={string}
  (Required) The friendly name. This name can’t already be assigned to an appliance in your account. It can be a maximum of 15 characters, spaces are not allowed.

polling_interval={value}
  (Optional) The polling interval, in seconds. A valid value is 60 to 3600 (we recommend 180 which is the default). This is the frequency that the virtual scanner will attempt to connect to our Cloud Security Platform. The appliance calls home to provide health updates/heartbeats to the platform, to get software updates from the platform, to learn if new scan jobs have been requested by users, and to upload scan results data to the platform, if applicable.

 

 

API request

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X POST -d "action=create&echo_request=1&name=scanner1" "https://qualysapi.qualys.com/api/2.0/fo/appliance/"

 

 

XML output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE APPLIANCE_CREATE_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/2.0/fo/appliance/appliance_create_output.dtd">
<APPLIANCE_CREATE_OUTPUT>
    <RESPONSE>
        <DATETIME>2014-01-02T09:26:01Z</DATETIME>
        <ID>777</ID>
        <NAME>scanner1</NAME>
        <ACTIVATION_CODE>ACTIVATION-CODE</ACTIVATION_CODE>
        <REMAINING_QVSA_LICENSES>4</REMAINING_QVSA_LICENSES>
    </RESPONSE>
</APPLIANCE_CREATE_OUTPUT>

 

New DTD:

<!-- QUALYS APPLIANCE_CREATE_OUTPUT DTD -->
<!ELEMENT APPLIANCE_CREATE_OUTPUT (REQUEST?, RESPONSE)>

<!ELEMENT REQUEST (DATETIME, USER_LOGIN, RESOURCE, PARAM_LIST?,
                   POST_DATA?)>
<!ELEMENT DATETIME (#PCDATA)>
<!ELEMENT USER_LOGIN (#PCDATA)>
<!ELEMENT RESOURCE (#PCDATA)>
<!ELEMENT PARAM_LIST (PARAM+)>
<!ELEMENT PARAM (KEY, VALUE)>
<!ELEMENT KEY (#PCDATA)>
<!ELEMENT VALUE (#PCDATA)>
<!-- if returned, POST_DATA will be urlencoded -->
<!ELEMENT POST_DATA (#PCDATA)>

<!ELEMENT RESPONSE (DATETIME, APPLIANCE)>

<!ELEMENT APPLIANCE (ID, FRIENDLY_NAME, ACTIVATION_CODE,
                     REMAINING_QVSA_LICENSES)>
<!ELEMENT ID (#PCDATA)>
<!ELEMENT FRIENDLY_NAME (#PCDATA)>
<!ELEMENT ACTIVATION_CODE (#PCDATA)>
<!ELEMENT REMAINING_QVSA_LICENSES (#PCDATA)>

 

 

Update a Virtual Scanner

Use these parameters:

action=update
    (Required) The POST method must be used.

id={id}
    (Required) A valid ID of a virtual scanner.

name={string}
    (Optional) The friendly name. This name can't already be assigned to an appliance in your account. It can be a maximum of 15 characters; spaces are not allowed.

polling_interval={value}
    (Optional) The polling interval, in seconds. A valid value is 60 to 3600 (we recommend 180, which is the default). This is the frequency at which the virtual scanner attempts to connect to our Cloud Security Platform. The appliance calls home to provide health updates/heartbeats to the platform, to get software updates from the platform, to learn whether new scan jobs have been requested by users, and to upload scan results data to the platform, if applicable.

comment={value}
    (Optional) User-defined comments.


API request

 

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X POST -d "action=update&echo_request=1&id=12345&name=scanner15" "https://qualysapi.qualys.com/api/2.0/fo/appliance/"

 

 

XML output

The XML output uses the simple return (/api/2.0/simple_return.dtd).

 

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE SIMPLE_RETURN SYSTEM "https://qualysapi.qualys.com/api/2.0/simple_return.dtd">
<SIMPLE_RETURN>
    <RESPONSE>
        <DATETIME>2014-04-03T12:12:45Z</DATETIME>
        <TEXT>Virtual scanner updated successfully</TEXT>
        <ITEM_LIST>
            <ITEM>
                <KEY>ID</KEY>
                <VALUE>17110</VALUE>
            </ITEM>
        </ITEM_LIST>
    </RESPONSE>
</SIMPLE_RETURN>

 

 

Delete a Virtual Scanner

Deleting a virtual scanner appliance results in these actions: 1) The virtual scanner will be removed from associated Asset Groups, and 2) Scheduled Scans using this virtual scanner will be deactivated.

 

A virtual scanner that is currently running scans cannot be deleted. Before you delete a virtual scanner, confirm that it is idle, for example by checking that its RUNNING_SCAN_COUNT is 0 in the action=list output.

 

Use these parameters:

action=delete
    (Required) The POST method must be used.

id={id}
    (Required) A valid ID of a virtual scanner.


API request

 

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X POST -d "action=delete&echo_request=1&id=12345" "https://qualysapi.qualys.com/api/2.0/fo/appliance/"

 

 

XML output

The XML output uses the simple return (/api/2.0/simple_return.dtd). If schedules and/or asset groups were impacted we’ll list them so you can update them as needed.

 

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE SIMPLE_RETURN SYSTEM "https://qualysapi.qualys.com/api/2.0/simple_return.dtd">
<SIMPLE_RETURN>
    <RESPONSE>
        <DATETIME>2014-01-02T09:26:01Z</DATETIME>
        <TEXT>Virtual scanner deleted successfully</TEXT>
        <ITEM_LIST>
            <ITEM>
                <KEY>ID</KEY>
                <VALUE>115</VALUE>
            </ITEM>
            <ITEM>
                <KEY>DEACTIVATED_SCHEDULED_SCANS</KEY>
                <VALUE>None</VALUE>
            </ITEM>
            <ITEM>
                <KEY>AFFECTED_ASSET_GROUPS</KEY>
                <VALUE>None</VALUE>
            </ITEM>
        </ITEM_LIST>
    </RESPONSE>
</SIMPLE_RETURN>
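Putting the list, create, update and delete calls above together, here is an added Python example; it is not Qualys code and not part of the release notes. It builds the form body the curl commands send, applies the name rules, checks RUNNING_SCAN_COUNT from action=list before issuing a delete, and reads the SIMPLE_RETURN items so that deactivated schedules and affected asset groups can be repaired afterwards. The XML samples are constructed to the shapes shown on this page (the non-"None" schedule value is invented), the API host is the one the page uses, and the header value and function names are my own choices.

```python
"""Client-side helpers for the virtual scanner lifecycle on /api/2.0/fo/appliance/
(action=list, create, update, delete). Added example, not Qualys code. The sample XML is
constructed to the shapes shown on this page; nothing touches the network at import time."""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlencode
from urllib.request import Request, urlopen

APPLIANCE_URL = "https://qualysapi.qualys.com/api/2.0/fo/appliance/"  # as used on this page

# Constructed APPLIANCE_LIST_OUTPUT: three scanners, one of them busy.
SAMPLE_LIST = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE APPLIANCE_LIST_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/2.0/fo/appliance/appliance_list_output.dtd">
<APPLIANCE_LIST_OUTPUT><RESPONSE><DATETIME>2014-04-03T12:00:00Z</DATETIME>
<APPLIANCE_LIST>
<APPLIANCE><ID>1120</ID><NAME>scanner1</NAME><SOFTWARE_VERSION>2.6</SOFTWARE_VERSION>
<RUNNING_SCAN_COUNT>1</RUNNING_SCAN_COUNT><STATUS>Online</STATUS></APPLIANCE>
<APPLIANCE><ID>1127</ID><NAME>scanner2</NAME><SOFTWARE_VERSION>2.6</SOFTWARE_VERSION>
<RUNNING_SCAN_COUNT>0</RUNNING_SCAN_COUNT><STATUS>Online</STATUS></APPLIANCE>
<APPLIANCE><ID>1131</ID><NAME>scanner3</NAME><SOFTWARE_VERSION>2.6</SOFTWARE_VERSION>
<RUNNING_SCAN_COUNT>0</RUNNING_SCAN_COUNT><STATUS>Offline</STATUS></APPLIANCE>
</APPLIANCE_LIST>
<LICENSE_INFO><QVSA_LICENSES_COUNT>10</QVSA_LICENSES_COUNT><QVSA_LICENSES_USED>3</QVSA_LICENSES_USED></LICENSE_INFO>
</RESPONSE></APPLIANCE_LIST_OUTPUT>"""

# Constructed SIMPLE_RETURN for action=delete. The page shows "None" for untouched items;
# the non-empty schedule value is invented here to exercise the follow-up check.
SAMPLE_DELETE = """<?xml version="1.0" encoding="UTF-8"?>
<SIMPLE_RETURN><RESPONSE><DATETIME>2014-01-02T09:26:01Z</DATETIME>
<TEXT>Virtual scanner deleted successfully</TEXT>
<ITEM_LIST>
<ITEM><KEY>ID</KEY><VALUE>1131</VALUE></ITEM>
<ITEM><KEY>DEACTIVATED_SCHEDULED_SCANS</KEY><VALUE>Weekly DMZ scan</VALUE></ITEM>
<ITEM><KEY>AFFECTED_ASSET_GROUPS</KEY><VALUE>None</VALUE></ITEM>
</ITEM_LIST></RESPONSE></SIMPLE_RETURN>"""


def validate_scanner_name(name):
    """Apply the rules the page gives for name=: 1 to 15 characters, no spaces."""
    if not 1 <= len(name) <= 15:
        raise ValueError("name must be 1 to 15 characters")
    if " " in name:
        raise ValueError("spaces are not allowed in the name")
    return name


def build_post(action, **params):
    """Form body for the appliance resource; echo_request=1 mirrors the page's curl calls."""
    form = {"action": action, "echo_request": "1"}
    form.update({k: str(v) for k, v in params.items() if v is not None})
    return urlencode(form).encode("ascii")


def call_api(body, username, password, timeout=60):
    """POST with HTTP Basic auth and the X-Requested-With header the API insists on.
    Only called by a caller that has credentials; never at import time."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = Request(APPLIANCE_URL, data=body, method="POST", headers={
        "X-Requested-With": "python-urllib",  # any value works; the header must be present
        "Authorization": "Basic " + token,
    })
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_appliance_list(xml_text):
    """APPLIANCE_LIST_OUTPUT -> (appliances, licenses). ElementTree does not fetch the DTD
    named in the DOCTYPE, so parsing stays offline."""
    root = ET.fromstring(xml_text)
    appliances = [{
        "id": int(a.findtext("ID")),
        "name": a.findtext("NAME"),
        "network_id": int(a.findtext("NETWORK_ID", "0")),  # only present with Network Support
        "version": a.findtext("SOFTWARE_VERSION"),
        "running_scans": int(a.findtext("RUNNING_SCAN_COUNT", "0")),
        "status": a.findtext("STATUS"),
    } for a in root.iter("APPLIANCE")]
    lic = root.find("RESPONSE/LICENSE_INFO")
    licenses = None if lic is None else {
        "count": int(lic.findtext("QVSA_LICENSES_COUNT")),
        "used": int(lic.findtext("QVSA_LICENSES_USED")),
    }
    return appliances, licenses


def safe_to_delete(appliances, scanner_id):
    """A scanner that is running scans cannot be deleted: check RUNNING_SCAN_COUNT first."""
    for a in appliances:
        if a["id"] == scanner_id:
            return a["running_scans"] == 0
    raise KeyError(f"no appliance with id {scanner_id}")


def parse_simple_return(xml_text):
    """SIMPLE_RETURN -> (TEXT, {KEY: VALUE})."""
    root = ET.fromstring(xml_text)
    items = {i.findtext("KEY"): i.findtext("VALUE") for i in root.iter("ITEM")}
    return root.findtext("RESPONSE/TEXT"), items


def follow_up_needed(items):
    """Delete-response keys whose value is not 'None': schedules to re-point, groups to fix."""
    keys = ("DEACTIVATED_SCHEDULED_SCANS", "AFFECTED_ASSET_GROUPS")
    return [k for k in keys if items.get(k, "None") != "None"]
```

A typical run is: fetch action=list, refuse any delete for which safe_to_delete() is false, then feed the delete response to follow_up_needed() to see which scheduled scans and asset groups need a new scanner assigned. Because the API returns a DOCTYPE with an external SYSTEM identifier, parse it with a parser that does not resolve external entities; the standard-library ElementTree used here does not.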

 

Network (Overlapping IP) Support

We’ve made several improvements and updates to the Network Support API for customers who have this feature turned on in their accounts. For users who do not have this feature, these changes have no impact - new input parameters are not available, and changes to DTDs and XML output are not visible.

 

Set Up Networks

 

Scanner Appliance List API v2 - filter by network ID

The Scanner Appliance List API v2 (resource /api/2.0/fo/appliance/ with action=list) returns scanner appliances in your account. Now you can use the new input parameter “network_id” (optional) to return a list of scanner appliances for a certain network. Specify 0 for the Global Default Network or a custom network ID.

 

API request

curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" "https://qualysapi.qualys.com/api/2.0/fo/appliance/?action=list&network_id=1002"

 


 

XML output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE APPLIANCE_LIST_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/2.0/fo/appliance/appliance_list_output.dtd">
<APPLIANCE_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2014-04-01T05:42:29Z</DATETIME>
    <APPLIANCE_LIST>
      <APPLIANCE>
        <ID>15242</ID>
        <NAME>vscanner1</NAME>
        <NETWORK_ID>1002</NETWORK_ID>
        <SOFTWARE_VERSION>2.6</SOFTWARE_VERSION>
        <RUNNING_SCAN_COUNT>0</RUNNING_SCAN_COUNT>
        <STATUS>Offline</STATUS>
      </APPLIANCE>
      <APPLIANCE>
        <ID>15235</ID>
        <NAME>vscanner2</NAME>
        <NETWORK_ID>1002</NETWORK_ID>
        <SOFTWARE_VERSION>2.6</SOFTWARE_VERSION>
        <RUNNING_SCAN_COUNT>1</RUNNING_SCAN_COUNT>
        <STATUS>Online</STATUS>
      </APPLIANCE>
    </APPLIANCE_LIST>
  </RESPONSE>
</APPLIANCE_LIST_OUTPUT>

 

 

Organize Assets by Network

 

Asset Group List API v1 - network ID added to group’s IPs / domains

The Asset Group List API v1 (/msp/asset_group_list.php) is used to retrieve a list of asset groups in your account. We added a new attribute “network_id” to the subelements /SCANIPS/IP and MAPDOMAINS/DOMAIN in the XML output (asset_group_list.dtd). This appears for an All asset group that is not the same as the subscription’s All asset group.

 

Have multiple All asset groups? Yes you might. There is always 1 All asset group for the subscription - this includes all assets, visible to Managers. If you have business units, there is 1 unique All asset group for each business unit. If you have Scanners and/or Readers, there is 1 unique All asset group for each Scanner/Reader account. (There is no All asset group for a network.)

 

XML output

Sample XML output showing an All asset group that is not the subscription’s All asset group:

 

...
<ASSET_GROUP>
  <ID>5010</ID>
  <TITLE><![CDATA[All]]></TITLE>
  <SCANIPS>
    <IP network_id="0"> 10.0.0.0-10.10.10.11</IP>
    <IP network_id="0"> 10.10.10.13-10.10.10.247</IP>
    <IP network_id="1193"> 10.0.0.0-10.10.10.11</IP>
    <IP network_id="1193"> 10.10.10.13-10.10.10.247</IP>
...
  <MAPDOMAINS>
    <DOMAIN network_id="0">qualys-test.com</DOMAIN>
    <DOMAIN network_id="0" netblock="10.10.10.10, 10.10.10.17">mydomain1.com</DOMAIN>
    <DOMAIN network_id="1193">qualys-test.com</DOMAIN>
  </MAPDOMAINS>
...

 

DTD update

New “network_id” attribute added to the subelements /IP and /DOMAIN.

 

...
<!ELEMENT IP (#PCDATA)>
<!ATTLIST IP network_id CDATA "0">
...
<!ATTLIST DOMAIN
          netblock CDATA #IMPLIED
          network_id CDATA "0"
...

 

 

Asset Inventory

 

Support for IP List API v2

The IP List API v2 (resource /api/2.0/fo/asset/ip/ with action=list) is used to retrieve a list of IP addresses in your account. Use the new input parameter “network_id” (optional) to return a list of IPs for a certain network.

 

The XML output now lists the network ID for each IP address/range when the request is made by a sub-user with access to multiple networks. We added a new attribute “network_id” to the subelements /IP_SET/IP and /IP_SET/IP_RANGE in the XML output (ip_list_output.dtd).

 

Good to know:

 

  • Managers will not see the “network_id” attribute for any IP or IP_RANGE elements in the output since Managers can see all IPs for all networks.
  • Any sub-user with access to only a single network (the Global Default Network or a custom network) will not see the “network_id” attribute either. This is for consistency with the UI, where these users do not see the network workflows.

 

XML output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE IP_LIST_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/2.0/fo/asset/ip/ip_list_output.dtd">
<IP_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2014-02-14T22:47:32Z</DATETIME>
    <IP_SET>
      <IP_RANGE network_id="0">1.0.0.0-10.10.10.14</IP_RANGE>
      <IP_RANGE network_id="0">10.10.10.17-10.10.10.29</IP_RANGE>
      <IP network_id="0">10.10.10.32</IP>
    </IP_SET>
  </RESPONSE>
</IP_LIST_OUTPUT>

 

 

DTD updates

New “network_id” attribute added to the subelements /IP_SET/IP and /IP_SET/IP_RANGE.

 

...
<!ELEMENT IP_SET ((IP|IP_RANGE)+)>
<!ELEMENT IP (#PCDATA)>
<!ATTLIST IP
  network_id  CDATA  "0"
>
<!ELEMENT IP_RANGE (#PCDATA)>
<!ATTLIST IP_RANGE
  network_id  CDATA  "0"
>
...

 

 

Support for Excluded IP List API v2

The Excluded IP List API v2 (/api/2.0/fo/asset/excluded_ip/ with action=list) returns a list of excluded hosts.

Use the new input parameter “network_id” (optional) to return a list of excluded IPs for a certain network.

The XML output now identifies the network ID for each IP address/range when your subscription has at least 1 network defined. We added a new attribute “network_id” to the subelements /IP_SET/IP and /IP_SET/IP_RANGE in the XML output (ip_list_output.dtd).

 

XML output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE IP_LIST_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/2.0/fo/asset/excluded_ip/ip_list_output.dtd">
<IP_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2014-03-20T20:49:19Z</DATETIME>
    <IP_SET>
      <IP network_id="0">10.10.10.19</IP>
      <IP_RANGE network_id="1275">10.10.50.6-10.10.50.10</IP_RANGE>
    </IP_SET>
  </RESPONSE>
</IP_LIST_OUTPUT>

 

 

DTD updates

New “network_id” attribute added to the subelements /IP_SET/IP and /IP_SET/IP_RANGE.

 

...
<!ELEMENT IP_SET ((IP|IP_RANGE)+)>
<!ELEMENT IP (#PCDATA)>
<!ATTLIST IP
  network_id  CDATA  "0"
>
<!ELEMENT IP_RANGE (#PCDATA)>
<!ATTLIST IP_RANGE
  network_id  CDATA  "0"
>
...

 

Support for Excluded IP Change History API v2

The excluded IP change history V2 API (/api/2.0/fo/asset/excluded_ip/history/ with action=list) returns a change history for excluded hosts.

Use the new input parameter “network_id” (optional) to return a list of change history for excluded hosts for a certain network.

The XML output now identifies the network ID for each IP address/range when your subscription has at least 1 network defined. We added a new attribute “network_id” to the subelements /IP_SET/IP and /IP_SET/IP_RANGE in the XML output (history_list_output.dtd).

 

XML output

...
<HISTORY_LIST>
      <HISTORY>
        <ID>1441</ID>
        <IP_SET>
          <IP_RANGE network_id="0">10.10.10.234-10.10.10.235</IP_RANGE>
        </IP_SET>
        <ACTION>Added</ACTION>
...

 

DTD updates

New “network_id” attribute added to the subelements /IP_SET/IP and /IP_SET/IP_RANGE.

 

...
<!ELEMENT IP_SET ((IP|IP_RANGE)+)>
<!ELEMENT IP (#PCDATA)>
<!ATTLIST IP
    network_id  CDATA  "0"
...
<!ELEMENT IP_RANGE (#PCDATA)>
<!ATTLIST IP_RANGE
    network_id  CDATA  "0"
...
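The IP List, Excluded IP List and Excluded IP Change History outputs above, as well as the IP and DOMAIN subelements of the Asset Group List, all carry the same optional network_id attribute. As an added Python example (not Qualys code), here is one parser for all of them: it applies the DTD default of 0 when the attribute is absent (which is what Managers and single-network sub-users get), strips the leading whitespace visible in the Asset Group sample, groups ranges by network, and reports address space that appears in more than one network, which is the collision the Networks feature exists to keep apart. The XML is constructed in the shapes shown on this page.

```python
"""Reading network_id out of IP_SET output (IP List, Excluded IP List, Excluded IP Change
History) and the matching attribute on Asset Group IPs. Added example, not Qualys code.
The XML below is constructed in the shapes shown on this page."""
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict

GLOBAL_DEFAULT_NETWORK = "0"  # DTD default, and what users without the attribute implicitly see

# Constructed: a sub-user with two networks that reuse the same 10.10.10.x space.
SAMPLE_MULTI = """<?xml version="1.0" encoding="UTF-8"?>
<IP_LIST_OUTPUT><RESPONSE><DATETIME>2014-02-14T22:47:32Z</DATETIME>
<IP_SET>
  <IP_RANGE network_id="0">10.10.10.1-10.10.10.14</IP_RANGE>
  <IP network_id="0">10.10.10.32</IP>
  <IP_RANGE network_id="1193"> 10.10.10.10-10.10.10.40</IP_RANGE>
  <IP network_id="1275">10.10.50.6</IP>
</IP_SET></RESPONSE></IP_LIST_OUTPUT>"""

# Constructed: the same data as a Manager sees it, with no network_id attribute at all.
SAMPLE_MANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<IP_LIST_OUTPUT><RESPONSE><DATETIME>2014-02-14T22:47:32Z</DATETIME>
<IP_SET><IP_RANGE>10.10.10.1-10.10.10.14</IP_RANGE><IP>10.10.10.32</IP></IP_SET>
</RESPONSE></IP_LIST_OUTPUT>"""


def parse_ip_set(ip_set):
    """Yield (network_id, first, last) for each IP / IP_RANGE child of an IP_SET element.
    A missing attribute means network 0 (the DTD default). The Asset Group sample on the
    page shows leading whitespace inside the element text, so the text is stripped."""
    for child in ip_set:
        if child.tag not in ("IP", "IP_RANGE"):
            continue
        text = (child.text or "").strip()
        lo, _, hi = text.partition("-")
        first = ipaddress.ip_address(lo.strip())
        last = ipaddress.ip_address(hi.strip()) if hi else first
        yield child.get("network_id", GLOBAL_DEFAULT_NETWORK), first, last


def ranges_by_network(xml_text):
    """{network_id: [(first, last), ...]} over every IP_SET in the document. ip_list_output
    has one IP_SET; history_list_output has one per HISTORY element, so iterate them all."""
    root = ET.fromstring(xml_text)
    out = defaultdict(list)
    for ip_set in root.iter("IP_SET"):
        for net, first, last in parse_ip_set(ip_set):
            out[net].append((first, last))
    return dict(out)


def address_count(ranges):
    """Number of individual addresses covered by a list of (first, last) ranges."""
    return sum(int(last) - int(first) + 1 for first, last in ranges)


def cross_network_overlaps(by_network):
    """Address space present in two networks at once, as sorted (net_a, net_b, first, last)
    string tuples. Any hit means host records must be keyed by (network_id, ip), never by
    ip alone, or findings from one network will silently overwrite the other's."""
    nets = sorted(by_network)
    hits = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            for fa, la in by_network[a]:
                for fb, lb in by_network[b]:
                    lo, hi = max(fa, fb), min(la, lb)
                    if lo <= hi:
                        hits.append((a, b, str(lo), str(hi)))
    return hits
```

Run ranges_by_network() on the response to a request with and without network_id= to see the difference in scope, and treat an empty cross_network_overlaps() result as the normal case for a subscription that does not use the feature.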

 

 

Scan Configuration

 

Support for IPv6 List API v2

The IPv6 List API v2 (resource /api/2.0/fo/asset/ip/v4_v6/ with action=list) is used to view a list of IPv6 mapping records in your account. The XML output now identifies the network ID for each IPv6 mapping when the user’s account has more than 1 network. We added a new NETWORK_ID element to the XML output (ip_map_list_output.dtd).

 

XML output

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE IP_MAP_LIST_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/2.0/fo/asset/ip/v4_v6/ip_map_list_output.dtd">
<IP_MAP_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2014-03-27T19:42:10Z</DATETIME>
    <IP_MAP_LIST>
      <IP_MAP>
        <ID>46947</ID>
        <V4>0.0.0.7</V4>
        <V6>2001:db8:85a3::8a2e:370:84</V6>
        <NETWORK_ID>1234</NETWORK_ID>
      </IP_MAP>
      <IP_MAP>
        <ID>47036</ID>
        <V4>0.0.0.1</V4>
        <V6>2001:db8:85a3::8a2e:370:77</V6>
        <NETWORK_ID>0</NETWORK_ID>
      </IP_MAP>
    </IP_MAP_LIST>
  </RESPONSE>
</IP_MAP_LIST_OUTPUT>

 

 

 

DTD update

 

New NETWORK_ID subelement added for the subelement /IP_MAP.

 

...
<!ELEMENT RESPONSE (DATETIME, IP_MAP_LIST?, WARNING?)>


<!ELEMENT IP_MAP_LIST (IP_MAP+)>
<!ELEMENT IP_MAP (ID, V4, V6, NETWORK_ID?)>
<!ELEMENT ID (#PCDATA)>
<!ELEMENT V4 (#PCDATA)>
<!ELEMENT V6 (#PCDATA)>
<!ELEMENT NETWORK (#PCDATA)>
<!ELEMENT NETWORK_ID (#PCDATA)>

 

 

Support for Authentication Record List by Type

The Authentication Record List by Type API v2 (resource /api/2.0/fo/auth/<type>/ with action=list) is used to view a list of authentication records visible to the user for a specific authentication type (Unix, VMware, Windows etc).

 

The XML output now identifies the network ID for each record when the user’s account has more than 1 network. We added a new NETWORK_ID subelement for AUTH_<type> subelements (like AUTH_UNIX, AUTH_WINDOWS, AUTH_VMWARE, etc). 12 DTDs were updated.

 

 

XML output (Unix Record List)

 

<AUTH_UNIX_LIST_OUTPUT>
  <RESPONSE>
    <DATETIME>2014-03-27T13:32:17Z</DATETIME>
    <AUTH_UNIX_LIST>
      <AUTH_UNIX>
        <ID>678</ID>
        <TITLE><![CDATA[My Unix Record]]></TITLE>
        <USERNAME><![CDATA[username]]></USERNAME>
        <ROOT_TOOL>Sudo</ROOT_TOOL>
        <CLEARTEXT_PASSWORD>0</CLEARTEXT_PASSWORD>
        <IP_SET>
          <IP_RANGE>10.10.10.168-10.10.10.195</IP_RANGE>
        </IP_SET>
        <NETWORK_ID>0</NETWORK_ID>
        <CREATED>
            <DATETIME>2014-02-20T01:01:01</DATETIME>
            <BY>username</BY>
        </CREATED>
...

 

DTD update - Unix Record List

<baseurl>/api/2.0/fo/auth/unix/auth_unix_list_output.dtd
...
<!ELEMENT AUTH_UNIX (ID, TITLE, USERNAME, CLEARTEXT_PASSWORD, ROOT_TOOL, RSA_PRIVATE_KEY?, DSA_PRIVATE_KEY?, PORT?, IP_SET, NETWORK_ID?, CREATED, LAST_MODIFIED, COMMENTS?, USE_AGENTLESS_TRACKING?, AGENTLESS_TRACKING_PATH?)>
...
<!ELEMENT NETWORK_ID (#PCDATA)>
...

 

DTD update - Windows Record List

<baseurl>/api/2.0/fo/auth/windows/auth_windows_list_output.dtd
...
<!ELEMENT AUTH_WINDOWS (ID, TITLE, USERNAME, NTLM?, WINDOWS_DOMAIN?, WINDOWS_AD_DOMAIN?, WINDOWS_AD_TRUST?, IP_SET?, NETWORK_ID?, CREATED, LAST_MODIFIED, COMMENTS?, USE_AGENTLESS_TRACKING?)>
...
<!ELEMENT NETWORK_ID (#PCDATA)>
...

 

DTD update - VMware Record List

<baseurl>/api/2.0/fo/auth/vmware/auth_vmware_list_output.dtd
<!ELEMENT AUTH_VMWARE (ID, TITLE, USERNAME, PORT, SSL_VERIFY, HOSTS?, IP_SET, NETWORK_ID?, CREATED, LAST_MODIFIED, COMMENTS?)>
...
<!ELEMENT NETWORK_ID (#PCDATA)>
...

 

DTD update - SNMP Record List

<baseurl>/api/2.0/fo/auth/snmp/auth_snmp_list_output.dtd
...
<!ELEMENT AUTH_SNMP (ID, TITLE, USERNAME?, AUTH_ALG?, PRIV_ALG?, SEC_ENG?, CONTEXT_ENG?, CONTEXT?, COMMUNITY_STRINGS?, VERSION, IP_SET, NETWORK_ID?, CREATED, LAST_MODIFIED, COMMENTS?)>
...
<!ELEMENT NETWORK_ID (#PCDATA)>
...

 

DTD update - Oracle Record List

<baseurl>/api/2.0/fo/auth/oracle/auth_oracle_list_output.dtd
...
<!ELEMENT AUTH_ORACLE (ID, TITLE, USERNAME, (SID|SERVICENAME), PORT, IP_SET, PC_ONLY?, WINDOWS_OS_CHECKS, WINDOWS_OS_OPTIONS?, UNIX_OPATCH_CHECKS, UNIX_OS_CHECKS, UNIX_OS_OPTIONS?, NETWORK_ID?, CREATED, LAST_MODIFIED, COMMENTS?)>
...
<!ELEMENT NETWORK_ID (#PCDATA)>
...

 

DTD update - Oracle Listener Record List

<baseurl>/api/2.0/fo/auth/oracle_listener/auth_oracle_listener_list_output.dtd
...
<!ELEMENT AUTH_ORACLE_LISTENER (ID, TITLE, IP_SET, NETWORK_ID?, CREATED, LAST_MODIFIED, COMMENTS?)>
...
<!ELEMENT NETWORK_ID (#PCDATA)>
...

 

DTD update - MS SQL Record List

<baseurl>/api/2.0/fo/auth/ms_sql/auth_ms_sql_list_output.dtd
...
<!ELEMENT AUTH_MS_SQL (ID, TITLE, USERNAME, (INSTANCE | AUTO_DISCOVER_INSTANCES), (DATABASE | AUTO_DISCOVER_DATABASES), (PORT|AUTO_DISCOVER_PORTS), DB_LOCAL, WINDOWS_DOMAIN?, IP_SET, NETWORK_ID?, CREATED, LAST_MODIFIED, COMMENTS?)>
...
<!ELEMENT NETWORK_ID (#PCDATA)>
...

 

DTD update - MS IIS Server Record List

<baseurl>/api/2.0/fo/auth/ms_iis/auth_ms_iis_list_output.dtd
...
<!ELEMENT AUTH_MS_IIS (ID, TITLE, IP_SET, NETWORK_ID?, CREATED, LAST_MODIFIED, COMMENTS?)>
...
<!ELEMENT NETWORK_ID (#PCDATA)>
...

 

DTD update - IBM WebSphere Record List

<baseurl>/api/2.0/fo/auth/ibm_websphere/auth_ibm_websphere_list_output.dtd 
...
<!ELEMENT AUTH_IBM_WEBSPHERE (ID, TITLE, IP_SET, UNIX_INSTLLATION_DIRECTORY, NETWORK_ID?, CREATED, LAST_MODIFIED, COMMENTS?)>
...
<!ELEMENT NETWORK_ID (#PCDATA)>
...

 

DTD update - IBM DB2 Record List

<baseurl>/api/2.0/fo/auth/ibm_db2/auth_ibm_db2_list_output.dtd 
...
<!ELEMENT AUTH_IBM_DB2 (ID, TITLE, USERNAME, DATABASE, PORT, IP_SET, PC_ONLY?, NETWORK_ID?, CREATED, LAST_MODIFIED, COMMENTS?)>
...
<!ELEMENT NETWORK_ID (#PCDATA)>
...

 

DTD update - HTTP Record List

<baseurl>/api/2.0/fo/auth/http/auth_http_list_output.dtd 
...
<!ELEMENT AUTH_HTTP (ID, TITLE, USERNAME, SSL, (REALM|VHOST), IP_SET?, NETWORK_ID?, CREATED, LAST_MODIFIED, COMMENTS?)>
...
<!ELEMENT NETWORK_ID (#PCDATA)>
...

 

DTD update - Apache Web Server Record List

<baseurl>/api/2.0/fo/auth/apache/auth_apache_list_output.dtd 
...
<!ELEMENT AUTH_APACHE (ID, TITLE, IP_SET, UNIX_CONFIGURATION_FILE, UNIX_CONTROL_COMMAND, NETWORK_ID?, CREATED, LAST_MODIFIED, COMMENTS?)>
...
<!ELEMENT NETWORK_ID (#PCDATA)>
...

 

 

 


A new release of QualysGuard, Version 8.0, will be available in production on QualysGuard US Platform 2 on April 29, 2014. The deployment is completely transparent to users and will require no downtime. The release will occur between 12:00 PM PDT (20:00 UTC) and 6:00 PM PDT (02:00 UTC next day).


Featured Enhancement: Overlapping IP Support

QualysGuard 8.0 brings support for managing overlapping IP ranges within a single QualysGuard subscription, providing the user with the ability to define discrete private Networks to keep overlapping blocks isolated from each other.

 

Also in 8.0, QualysGuard enhances its support in Vulnerability Management (VM) for SSL Certificate status reporting and for maintaining multiple PCI Option Profiles at different performance levels.

 

QualysGuard Policy Compliance (PC) receives improvements to the organizational structure of golden images.  QualysGuard Express receives a variety of usability enhancements.  All solutions benefit from an improved method for defining and selecting groups of IP addresses in the UI.

 

API enhancements include the addition of virtual appliance lifecycle management and automation of the Amazon EC2 Scan workflow.

 

See QualysGuard 8.0 New Features and QualysGuard® API Release Version 8.0 - 15 day notification for more details.

 

To continue to receive notifications by email, please subscribe at

https://community.qualys.com/community/notifications-us2


QualysGuard 8.0 adds the following capabilities to the QualysGuard Cloud Platform and its suite of services:

 

  • Featured Enhancement: Overlapping IP support
  • Vulnerability Management
    • Improvements to the SSL Certificates List
    • Configure Multiple PCI Option Profiles
    • Security Risk Score Summary Added to XML and CSV Reports
  • Policy Compliance
    • Golden Image Policy Organized Into Sections
    • Select Individual IPs for Your Policy Reports
    • Control Checksum Requirement Removed from Policy XML
  • QualysGuard Platform
    • New Look and Feel for QualysGuard Express
    • Improved IP Selection
    • QualysGuard API Enhancements

 

QualysGuard 8.0 will be released in production in the coming weeks and  includes enhancements to QualysGuard Vulnerability Management (VM) and  Policy Compliance (PC), QualysGuard Cloud Platform and the API.

 

For release notifications containing details about the release dates  for specific platforms and to subscribe to release notifications by  email, please see the following:

 

 

 

Featured Enhancement: Overlapping IP Support

With QualysGuard 8.0 customers can now manage overlapping IP ranges within a single QualysGuard subscription, providing the user with the ability to define discrete private networks to keep overlapping blocks isolated from each other.  This is a common need that appears in many use cases including:

 

  • M&A events
  • Air-gapped networks
  • Business continuity/disaster recovery
  • Dev/test
  • IaaS environments
  • "Cloned" small office networks

 

These different network zones can now be easily defined and separated within QualysGuard through the UI and API.

 

To take advantage of this new capability, the administrator uses the new “Networks” tab under Assets, defines a new network, and assigns a scanner. Once defined, one can perform asset discovery, launch a vulnerability scan, run reports, and track mitigation on that network as a specific entity. Assigning scanners to networks resolves the issue of duplicate IP addresses occurring in different networks, while allowing the administrator to maintain centralized management across the entire organization.

 

 

Create a Network

2.create a new network.png

 

 

Discover Assets on Your New Network

4.new network wizard.png

 

 

Scan Your Network

5.scan launch showing networks.png

 

 

QualysGuard Vulnerability Management (VM)

Improvements to the SSL Certificates List

We’ve made several improvements to the SSL Certificates list to make managing your certificates even easier.  Relationships are now maintained between a given certificate and the ports, services, or even different hosts on which it is found, which helps prevent duplicate entries and simplifies reporting and remediation efforts.  The reason for an invalid status now appears in a preview pane.

 

certificates_list.png

 

Configure Multiple PCI Option Profiles

With the QualysGuard 8.0 release you can configure multiple PCI option profiles with different performance settings.  For example, you can create one profile set to High performance, another set to Normal performance, and a third set to Low performance. Then apply the appropriate profile to each scan based upon your network requirements.

 

pci_profile_new_menu_cropped.png

 

 

Security Risk Score Summary Added to XML and CSV Reports

With this release vulnerability scan reports now include a security risk score summary for the report as a whole and per host, in all available report formats.  Previously security risk metrics were not included in XML or CSV output types.  As before, the risk score summary appears when your report template is configured for host based findings (automatic data) and the Text Summary option is selected. The corresponding asset_data_report.dtd was updated.

scan_report_csv.jpg

 

 

 

QualysGuard Policy Compliance (PC)

Golden Image Policy Organized Into Sections

When you create a golden image policy, we automatically add controls to the policy for you. In the QualysGuard 8.0 release we now go one step further and organize those controls into sections based on the control category, giving your policy structure within the Policy Editor.

 

policy_sections.png

 

 

Select IPs for Your Policy Reports

You can now select individual IP addresses or ranges to include in your policy compliance report.  Simply select the policy you want to report on and click the “Select IPs in policy” option. Then tell us which IPs/ranges from the policy you want to include in the report.

 

policy_report_select_ips.png

 

 

Control Checksum Requirement Removed from Policy XML

Now it’s possible to manually import policies without the requirement to have a checksum for control configurations. We’ve updated the XML output of the EVALUATE element. We’ll use the new XML output without the checksum when you export policies. No changes were made to the policy export output DTD (https://<base_URL>/api/2.0/fo/compliance/policy/policy_export_output.dtd).

 

 

QualysGuard Cloud Platform

New Look and Feel for QualysGuard Express

The QualysGuard Express UI has a new look and feel – you’ll notice more tips and details throughout the UI to help you with your configurations and tasks.

 

express_quick_start_tips.png

 

Here’s a look at the Scans section. Helpful details and links are shown on the screen to help you understand the different scan configuration options available to you in the Scans section. Similar details appear in the Reports and Remediation sections.

 

express_scans.png

 

 

Improved IP Selection

You’ll now see a simple text field where you can directly enter IPs/ranges or paste them in. This new method for IP selection is used throughout the UI. You’ll see it when setting up your asset groups, configuring approved hosts lists for your domains, removing IPs from your subscription, and so on. If it seems familiar that’s because we introduced this change in authentication records in the last release.

 

ip_selection_callouts.png

 

 

QualysGuard API Enhancements

The QualysGuard API delivers these new capabilities and enhancements with this release.  More information is available at QualysGuard® API Release Version 8.0 - 15 day notification.

 

  • VM – “Security Risk Score” summary added to XML and CSV reports
  • VM – Manage the EC2 Scan Workflow using the API
  • VM and PC – Select Multiple Scanner Appliances for Scans
  • VM and PC – Launch Reports using Asset Tags
  • PC – Limit Policy Reports to Selected IPs
  • PC – Compliance Scorecard Report XML – added NetBIOS name and DNS name
  • PC – Policy XML updated to remove control checksum requirement
  • PC – Posture Info API improvements
  • Cloud Security Platform – Manage your Virtual Scanners using the API
  • Cloud Security Platform – Network Support API

 



Update: Today, Thursday 4/10/2014, we released a further improvement to QID 42430 "OpenSSL Memory Leak Vulnerability (Heartbleed bug)". We have tuned the remote, unauthenticated probes to improve the detection rate for a number of edge cases: OpenSSL implementations that behave differently from standard setups. The changes are included in Signature version 2.2.703-5.

 

4/9/2014: An active, unauthenticated detection is now live on all platforms in the external scanners as of 4/9/2014 - 7:00 PM PST. The detection reports to the same QID as before: 42430 "OpenSSL Memory Leak Vulnerability (Heartbleed bug)". This detection is vendor independent and detects vulnerable instances of OpenSSL wherever they are in use, for instance web servers, VPN servers and appliances. The simplest way to scan your vulnerable websites is to limit your scan to this QID. Take a look at our How-to doc that explains how to set up the scan. BTW, the version that implements that detection is "Scanner version: 7.6.34-1", which you can confirm under Help - About. Scanner Appliances update on a slightly slower schedule. You can verify their version on the Appliance page and trigger a manual update if necessary.

 

Original: The “heartbleed” vulnerability (CVE-2014-0160) was published on April 7, 2014. The vulnerability affects the TLS “heartbeat” extension (RFC 6520) as implemented in OpenSSL, and has been present in the 1.0.1 branch since the extension was added about 2 years ago. Successful exploitation leads to inadvertent disclosure of memory on the targeted machine, which can contain confidential information such as session cookies, usernames, passwords and encryption keys. The vulnerability is well documented and researched, and a number of proof-of-concepts for its exploitation were published within a day of the release.

 

Qualys has implemented the following tools to help you detect the vulnerability and track the remediation efforts:

  • on April 8, an active check for the vulnerability through our SSL Labs service. It can be used to test external websites in an ad-hoc, interactive manner.
  • on April 8, QID 42430, a check in QualysGuard VM, PCI, and FreeScan. The check uses the banner information returned by Apache to determine whether a vulnerable OpenSSL version is in use. It is reported as a potential vulnerability since banner information is often not reliable.
  • on April 9, QIDs 121887, 121888, 121889, 121890, 121891, 195443 (for RedHat, Fedora, Debian, CentOS, OpenSuSe and Ubuntu) that use package information to determine whether the installed version of OpenSSL is vulnerable. These QIDs require authentication. See tips on using these QIDs.

 

An active detection in QualysGuard for “heartbleed” that requires no authentication, similar to SSL Labs, is currently in QA and we are working on getting it out as soon as possible. Stay tuned to this post for updates.

 

For our production environment on the shared QualysGuard platforms, we have investigated CVE-2014-0160, and determined that the systems that comprise the platforms are not vulnerable.  We used a number of factors including an analysis of OpenSSL versions in use and technical testing for the vulnerability through the QualysGuard Vulnerability Management service, the Qualys SSL Labs Server Test, and other tools that have been made available.

 

Please comment on how you are using these tools either here or you can contact me via e-mail at: wkandek@qualys.com.


Heartbleed is a name for a critical vulnerability in OpenSSL, a very widely deployed SSL/TLS stack. A coding error had been made in the OpenSSL 1.0.1 code, which was subsequently released in March 2012. The vulnerability is in the rarely used heartbeat mechanism, specified in RFC 6520. The error allows an attacker to trick the server into disclosing a substantial chunk of memory, repeatedly. As you can imagine, process memory is likely to contain sensitive information, for example server private keys for encryption. If those are compromised, the security of the server goes down the drain, too.

 

Your server is probably vulnerable if it's running any version in the OpenSSL 1.0.1 branch before 1.0.1g. If you'd like to verify whether you're vulnerable, today I released a new version of the SSL Labs Server Test. I went through a lot of effort to implement a test that doesn't attempt exploitation (no server data is retrieved), so it should be safe to use. Despite the availability of the test, if you can identify the library version number, I would urge you to assume that you are vulnerable, even if the test is not showing a problem.

 

It's difficult to overstate the impact of this problem. Although we can't conclusively say what exactly can leak in an attack, it's reasonable to assume that your private keys have been compromised. Addressing this issue requires at least three steps: 1) patch, 2) replace the key and certificate, and 3) revoke the old certificate. After that you will need to consider whether any additional data might have been leaked too, and take steps to mitigate the leak.

 

Unless your server used Forward Secrecy (only about 7% do), it is also possible that any past traffic could be compromised, but only if you are faced with a powerful adversary who has means to record and store encrypted traffic. If you did not before Forward Secrecy before, now is a great time to ensure you do support it from now on. If this topic is new for you, you can follow my advice here and here.

 

For more details on the nature of this OpenSSL blog, have a look at this post from Matthew Green.

0

Tuesday, April 8, 2014 - today Microsoft came out with the bulletins for April Patch Tuesday.  It is a small release with only four bulletins, MS14-017 to MS14-020, a light patch Tuesday for the second month in a row.

But the Microsoft bulletins are not the most important items this month (even though MS14-017 fixes the current Word 0-day); two other items are: the new Heartbleed bug that impacts OpenSSL, and the arrival of Windows XP end of life. I will tackle each in turn:

Heartbleed
Yesterday a vulnerability in OpenSSL was disclosed that actually overshadows this Microsoft Patch Tuesday. The so-called “Heartbleed” vulnerability (CVE-2014-0160) is present in all recent OpenSSL versions and can be used to get information from the server that uses OpenSSL, for example, your web server. A remote attacker can get access to your private encryption key and would then be able to decipher the encrypted traffic to and from the website. A patch is available in OpenSSL 1.0.1g; alternatively, one can recompile the OpenSSL version in use without the vulnerable “heartbeat” extension. Look to your Linux distro maintainer for updates. We have added the detection for the issue into SSL Labs and into QualysGuard, but stay tuned as we will be providing more information on affected distributions and products.

Windows XP End of Life
Windows XP first came to market in 2001 and was by all measures a tremendously successful operating system. It is fast, user friendly and intuitive. With the introduction of Service Pack 2 in 2004 several important security features were added, such as a default-on firewall (which severely curtailed the spread of network worms) and the Security Center, a one-stop shop for the security settings - firewall, automatic updates and AV protection. This year, after a 13 year run, it is “game over” for Windows XP. Microsoft has introduced 3 new operating systems since (Vista, Windows 7 and Windows 8) and all are better equipped than XP, at least as far as security is concerned.

Not all of you have migrated away from Windows XP; our measurements show over 10% of you are still on XP, both in the Enterprise sector and in the SMB/home sector (Qualys BrowserCheck users).

That is better than the 30% often quoted for general Internet users (admittedly Qualys users are probably more security-conscious than the average user), but is still a very unhealthy posture. I expect Windows XP defensibility to deteriorate quickly over the next few weeks and months as attackers will find ways to exploit certain aspects of the operating system, internet browser, mail programs, office software (Office 2003 is also EOL) and even third-party programs such as your PDF reader (Adobe says they will not update Adobe Reader on XP anymore). There are certainly ways to harden the setup, including using a different browser and e-mail program, installing EMET (http://support.microsoft.com/kb/2458544) and implementing additional safeguards such as whitelisting, but the question remains: Isn’t this more work than upgrading to a fully supported system in the first place?

But let’s get back to our bulletins for today:

  • MS14-017, the top bulletin, addresses 3 vulnerabilities in Microsoft Word, including the 0-day in the RTF (Rich Text Format) parser. The problem was first disclosed by Microsoft in KB2953095 on March 24, where Microsoft acknowledges the existence of exploits in the wild. Microsoft credits the Google Security team with the discovery. As a workaround Microsoft recommends disabling the opening of RTF files with Word, which can be automated with the provided FixIt MSI. The exploit has since been circulated widely and can be found on VirusTotal, meaning we are pretty close to a much wider usage by attackers. The attack vector is a self-contained RTF document that the user has to open with Microsoft Word, resulting in Remote Code Execution (RCE). Our recommendation: Patch Microsoft Word as quickly as possible.
  • MS14-018, the second critical bulletin, addresses six vulnerabilities in Internet Explorer (IE) and affects all versions from IE6 to IE11. Microsoft gives this bulletin an exploitability index rating of “1”, meaning that attacks can be expected within the next 30 days. The attack vector would be a malicious webpage that the user has to browse to. Patch together with MS14-017.
  • MS14-019 and MS14-020 are bulletins that cover Windows and Microsoft Publisher. Both provide Remote Code Execution to an attacker, but have lower viability than MS14-017 or MS14-018. The Windows vulnerability only works under very special conditions and Publisher is only sparsely installed and does not have any known exploits. Patch within your normal patch cycle.

Together with the detection for MS14-017 to MS14-020 we are also releasing two additional QIDs that "detect" the end-of-life status for both Windows XP and Office 2003:

  • 105543 EOL/Obsolete Operating System: Microsoft Windows XP Detected
  • 105544 EOL/Obsolete Software: Microsoft Office 2003 Detected

Adobe is releasing a new version of their Flash player in APSB14-09 which addresses four vulnerabilities, including one that was disclosed at the PWN2OWN contest last month. It is rated critical for Windows and Macintosh and should be high on your list to patch.

Tomorrow marks the end of support for Windows XP by Microsoft. There are multiple reasons why we still see XP in use today: the cost of upgrading can be daunting and machines may run critical legacy apps dependent on XP. There is also a lack of awareness of the size and state of the XP device population. Lastly, there are governments and other large organizations who have chosen to buy extended support for the OS from Microsoft. 

In 2013, more than 70% of Microsoft’s security patches affected Windows XP, and after April 8, this trend will continue even though Microsoft will not explicitly state this. XP use is dropping quickly, but according to BrowserCheck XP data from last month, we’re still seeing 14% usage across enterprises.

According to international data from Qualys’ BrowserCheck comprising more than 100,000 monthly vulnerability scans, Windows XP usage in Q1 2014 ranges from 7% to 13% in the U.S., the UK, Germany and France.

Percentage of Scans Reporting XP

United States and United Kingdom

The UK and US have made the most progress of the countries we studied, reducing exposure in enterprises by more than half since Q1 2013 – down to 8% this quarter from 18%.

France

While French businesses have reduced exposure by nearly half, the country is most at risk with 13 percent of enterprises still using XP, down from 23 percent in Q1 2013 – significantly higher than the other countries we studied. At this rate, it will take at least an entire calendar year for XP exposure to be eliminated.

Germany

German enterprise PCs only had 12 percent of scans showing usage in Q1 2013. However, Germany has had the slowest progress in reducing exposure – with 7% of scans showing usage in Q1 2014. At the current rate of decline, it’s likely that it will take Germany at least another year and a half before machines running XP are either retired or upgraded.

So how long will XP survive? Certainly into 2015 and maybe beyond. A linear extrapolation of the data, which leads one to believe in 2015 as an endpoint, is too optimistic given that companies and governments will buy extended support from Microsoft and there will be operational barriers in other organizations.

In a separate scan of QualysGuard data from 6,700 companies, we identified substantial differences in XP usage by industry:

  • Finance: Use of XP is at 21 percent of scans, levels that are too high, especially for an industry dealing with such sensitive data
  • Transport: 14% of scans show usage – though this industry accounts for the sharpest drop (from 55% to 14% in the last twelve months)
  • Retail: 14% of scans show usage
  • Services: 7% usage rate
  • Healthcare: 3% usage rate

There’s clearly a large install base relying upon XP right now, and for these organizations I have two pieces of advice. First, upgrade your software or decommission it. While some uses of XP can’t simply be upgraded, examine whether it is a critical component of your system. Isolate XP as much as possible, and limit dangerous activity on these devices (including surfing the web and using email). Secondly, install Microsoft’s EMET – this is a hardening tool and is one that I’ve personally used and recommend. It monitors activity, identifies irregular behavior and aborts suspicious programs. It’s worked against all 0-days I’ve seen this year, and has prevented exploitation of vulnerabilities. It’s not widely publicized, but has very nice capabilities.

Of course there is the option to sign up for Extended Support. It is expensive, in the millions of US$ for organizations with enough machines, such as the UK NHS or the Dutch government that were recently in the news, but it might be necessary to assure the security and consistency of their respective infrastructures and buy the time needed for the migration.

Update 2: McAfee published an analysis of an exploit for CVE-2014-1761. Very interesting and eye-opening, as everything is controlled through the RTF document itself:

  • The attackers use a listoverridecount level of 25, which is outside of the values 0, 1 or 9 specified in the standard. This confuses the RTF handler in Word and makes it possible to control the content of the program counter of the processor.
  • This gives the attacker the basis for arbitrary code execution. In this case the attackers are able to point the program counter to machine code that is included in the document itself, which makes the exploit very self-contained; no additional setup files are needed.

Conclusion: Patch this as quickly as possible, i.e. next Tuesday. The attacks are real and happening now. The exploit does not look that hard to replicate with the information provided. Beyond patching it makes sense to disable RTF opening anyway, which is what the FixIt in KB2953095 does. It certainly looks as if there is more potential for this type of vulnerability that can be found with relatively little investment into file fuzzing. See Charlie Miller's presentation on "dumb fuzzing" for some initial reading.

Update: Microsoft published a post on the SRD blog with more details, including some test data of the exploit with EMET. It seems that EMET's ASLR enforcement effectively counters the exploit. Good stuff!

Original: Microsoft acknowledged today in KB2953095 a vulnerability present in Microsoft Word and Microsoft Outlook that is being exploited in the wild. The vulnerability CVE-2014-1761 is in the file format parser for RTF (Rich Text Format) and could be used by an attacker to gain remote access to the targeted system. The attack vector is a document in RTF format that the victim would have to open with Word. If the target uses Outlook 2007, 2010 or 2013 for e-mail, please be aware that Word is the default viewer for e-mails, and that even looking at the e-mail in the preview pane could lead to an infection through this attack.

The current workaround is to disable RTF as a supported format in Microsoft Office. The advisory contains a link to FixIt 51010 that performs the action for the end-user here. A secondary recommended action is to work with plain text in e-mails, which is generally a recommended safeguard that prevents the "drive-by" character of these types of attacks. It is described in this knowledgebase article at the Microsoft site.

Microsoft credits Drew Hintz, Shane Huntley, and Matty Pellegrino from the Google Security team with the discovery.

Please note that Mac users are affected. The advisory lists Microsoft Office for the Mac 201 as vulnerable.

Stay tuned for more news as the situation is developing.

April’s Patch Tuesday Preview has just come out and we are having another light Patch Tuesday with only four bulletins: MS14-017 to MS14-020. This low total number is very atypical, and at least 30% under the numbers for last year -- in April of 2013 we were at 36 bulletins and in 2012 we had 20 bulletins. At the same time there is no shortage of vulnerabilities as we have seen at last month’s CanSecWest, where literally all software packages (Java excepted) fell to security researchers who received cash prizes between $75,000 and $100,000.

But back to this month. Four bulletins, two rated critical and two rated important, but all of them enable “Remote Code Execution”, which is something that attackers are ultimately after. Bulletin #1 addresses the current 0-day vulnerability (KB2953095) in Microsoft Word and is applicable to all versions of Word from 2003 to the latest 2013, and includes Mac OS X as well. By the way, Office 2003 together with Windows XP are going to be end-of-life after this Patch Tuesday and will stop receiving security updates. The end of life for XP has received plenty of coverage already, but this vulnerability is a good reminder not to focus only on Windows XP, and that this Office version also deserves attention.

Bulletin #2 is a new version of Internet Explorer, applicable to all versions of IE starting with IE6 on XP to IE11 on Windows 8.1 and RT. The only version not affected is IE10 under Windows 7, and I expect the bulletin to contain the fixes for the vulnerabilities disclosed at PWN2OWN at CanSecWest.

Bulletin #3 and Bulletin #4 are both rated “important,” but Bulletin #3 is the more urgent one. It affects all versions of Windows and can be used to gain Remote Code Execution. Bulletin #4 addresses a problem in Publisher 2003 and 2007, which is a software package that we do not see widely installed.

Next week, Microsoft will deliver its last set of public security patches for Windows XP.

The end-of-life for XP, which has been announced for a number of years now, means that computers running XP will be very attackable in the near future. Over 70% of Microsoft’s security bulletins in 2013 affected XP, and there is no reason to assume that this will change in the near future. XP will be affected by a large percentage of the problems exposed in May, June and July, but there will be no remedy (except for companies that pay for extended support - an option that costs at least US$ 100,000/year).

The best solution is to migrate away from this outdated (designed in the 90s) operating system to a newer version, with the best candidates being Windows 7 and Windows 8. Organizations have focused a large amount of resources and money on updating their infrastructures, and we have seen the percentage of Windows XP machines drop from 35% in January 2013 to 14% in February 2014. We now project to be at 10% of Windows XP machines by the end of this month.

Different industry sectors show different XP migration profiles. For example, transportation dropped impressively fast from 55% in January 2013 to 14% in February, while Healthcare has been consistently low in the ratio of Windows XP in their organizations’ networks.

Both of these industry sectors had significant challenges to overcome, especially in regards to specialized (non-IT managed) equipment that is connected to their networks and that frequently cannot simply be updated. Many industrial control systems and medical devices, configurations that typically have much longer useful lifespans (>10 years) than pure computer equipment (<4 years), have Windows XP systems as vital components in their setups that cannot simply be updated. Nevertheless, these systems are full XP installations and just as attackable as your average office machine if they are used in similar fashion, for email and web browsing. Moving these machines into network segments that do not have direct Internet access and introducing additional firewalls that curb that type of usage are ways to improve security.

Stay tuned for more updates on the final days of XP.

Updating your computer software for security purposes should be a no-brainer; after all, we have been working on this issue for the last 10+ years and it should be a solved problem. Nevertheless, many people use their PCs basically as they received them, ignoring patch warnings, thinking it does not apply to them (from a recent dialogue that I had on a news/comment site), or believing they have more important things to do.

The Top 4 Audit gives us the information on Operating System and other Microsoft software in Control 3 - in my case I am missing updates for Internet Explorer, Windows, .NET, Office and others, all pretty much unavoidable since they get updated almost every month, and any new installation will be behind almost automatically.

Anyway, getting the Operating System up-to-date is straightforward: simply run Microsoft Update (the more complete version of Windows Update) a couple of times until all pending updates are applied, and in the process, configure it for automatic installation going forward.

You can do this without leaving your newly set up standard user (for me “wolfgang”, see last week's post), but you will have to give the credentials for your administrator user every once in a while. From the Desktop, access the Control Panel, then click on System and Security; under Windows Update, click on Check for Updates. If you have not done so before, also opt in to automatic updates from here on. My first run of Windows Update gave me 920 MB to download, which took about 45 minutes to install.

After installing these 84 patches and rebooting, a second run gave me another 600 MB, which took roughly 30 minutes to install plus reboot. A third run gave me 5 MB and was just the latest Flash player update embedded in Internet Explorer 10, a really important 2-week old update as it fixes a 0-day vulnerability. But my Top 4 Score now looks quite a bit better: A in Control 4 and A in Control 3 for an overall score of “C”.

Even better, from now on updates should be relatively easy and quick. I just need to pay attention at Patch Tuesday every month and let the machine update itself.

Next step: Application Patching - Control 2 - getting rid of that “D”.

At the RSA conference a few weeks ago, we introduced a new free service - the Top 4 Control audit. This service focuses on how to help computer end users and small- to medium-sized companies implement the top 4 security measures first suggested by the Australian government's ASD division. In their internal forensics, they found that using the four measures would have prevented over 85% of the incidents that had occurred in the government agencies that they were responsible for. In the last year, the Top 4 controls have been starting to gain acceptance, with both the SANS Institute and the Council on CyberSecurity supporting their implementation. CSIS’s Jim Lewis gave them a very favorable mention in his 2013 paper “Raising the Bar for Cybersecurity”.

I have used our new Top 4 service on a new machine that I received recently. It was a new laptop, a Lenovo T430. It came with Windows 8.1 installed, an ideal and updated target to work with.

In essence, the Top 4 consists of:

  1. Whitelisting, which prevents the execution of downloaded malware, as it is not contained in the approved list of software
  2. Patching applications, which shrinks the attack surface in the installed applications, focusing directly on the software most abused in recent months: Java, Adobe Flash, Adobe Reader, Microsoft Office and Apple QuickTime
  3. Patching the operating system, which fixes known vulnerabilities in Windows and further shrinks the available attack surface
  4. Running as a standard user, which makes it harder for malware to install itself permanently on the system, as this usually requires administrator privileges

Overall, it is a small, but pretty promising set of controls to try out. Nothing better than a brand new machine to test a quick setup to see how practical the whole suggestion of running the Top 4 audit really is.

When I first booted up my new machine, I was prompted to use my Hotmail account at Microsoft, but I opted to use a local account because I felt I would rather maintain a clear separation between my online and local machine accounts. (Hint, click on "Create a new account," then "Sign in without a Microsoft account.")

I proceeded to install the Top4 service plugin through the URL retrieved through my account on Qualys BrowserCheck Business Edition (http://tinyurl.com/qgbe4 or https://browsercheck.qualys.com/?uid=de39b22f468a147906fd65041b56719e). If you want to use the Top 4 service, you should really create an account in the Business Edition backend tool and get your personalized URL to get better reporting and trending on your results, but feel free to use the above URL if that is too much effort for you at the moment.

Then, after logging into Windows with the newly created user “wkandek”, I clicked on the Desktop tile and started Internet Explorer on the familiar desktop interface and went to the URL tinyurl.com/qgbe4, clicked on “install plugin” and accepted the Terms of Service. Then, I answered “Yes”, and “Yes” to the prompts by Windows. You also need to add the “https://browsercheck.qualys.com” site into your trusted sites in Internet Explorer by clicking on “Tools” (the little gear icon in the top right corner), “Internet Options,” “Security,” “Trusted Sites,” “Sites” and then “Add.” Then select “Advanced Scan” in the drop-down menu in the top right corner and hit the “Scan” (or “Re-Scan”) button.

The first scan gave me a pretty bad grade: overall “D”, composed of two “F” grades, a “D” and a “B”.

I decided to attack "control 4" from the Top 4 list first, because it should be simple to address. I started the control panel, clicked on “Users and Accounts” and created a second local user “wolfgang” that would serve as my day to day account. Logging out of my admin account “wkandek” and into the account “wolfgang”, I reran the scan by going to http://tinyurl.com/qgbe4 (I had to add http://browsercheck.qualys.com to my trusted sites again) and got a better score, an “A” in item 4: “User Privileges”, but still a “D” for overall security, mainly caused by the two “F” grades in controls 1 and 2.

OK, that was straightforward; so far under 30 minutes spent on getting better. Moving on to the next controls. Let’s do Windows Operating System Patching next.