Exploitation of Barracuda Email Security Gateway (ESG) appliances has made the news recently, and the investigation into the attacks is ongoing. Leveraging a zero-day vulnerability as far back as October 2022, attackers compromised ESG appliances to deploy malware that created persistent backdoor access on victim networks. This access could serve as a foothold for further network exploration or lateral movement, and there is evidence that some attackers exfiltrated data through compromised ESG appliances. Barracuda identified the exploited vulnerability (CVE-2023-2868, with a “critical” CVSS score of 9.8) and has pushed fixes out to ESG devices worldwide. Even with these fixes applied, an attacker who had already moved from the ESG to another exploitable system on the victim network may still be present. CISA has also added this vulnerability to its KEV catalog, with a BOD 22-01 due date of June 16th, 2023.
What is the Barracuda Email Security Gateway?
The Barracuda Email Security Gateway (ESG) is offered as a complete email management solution. In addition to traditional email service and management, ESGs provide security-focused capabilities such as message encryption and email filtering (for catching threats and data exfiltration). ESGs exist as both physical appliances and virtual appliances.
What is the impact?
Barracuda identified a command injection vulnerability (CVE-2023-2868, CVSS score 9.8) that exists in ESG versions 5.1.3.001 through 9.2.0.006. Due to ineffective input sanitization, a specially crafted tar archive file can be sent to vulnerable ESG targets to trigger unauthorized command execution as the ESG user. While Barracuda has made software updates available, the possibility that attackers used exploited ESG targets to pivot to – and potentially establish persistence on – other systems in a victim network is a real threat.
Are updates available?
On May 20th, Barracuda pushed out a fix to all ESGs worldwide. This was followed by a script pushed out on May 21st to “contain the incident and counter unauthorized access methods.” Barracuda continues to push security patches as part of their containment strategy. Owners or admins of Barracuda Email Security Gateway appliances should verify their ESG instances are accepting and applying current updates being sent out by Barracuda, and can also check for indicators of compromise.
How do I find potentially vulnerable Barracuda Email Security Gateways with runZero?
From the Asset inventory, use the following prebuilt query to locate all Barracuda Email Security Gateway instances in your network:
hw:"Barracuda Email Security Gateway"
Results from the above query should be triaged to verify they are running Barracuda’s latest patches.
As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.
Get runZero for free
Don’t have runZero and need help finding potentially vulnerable Barracuda devices?
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.
Last month, Zyxel disclosed a remote command execution vulnerability affecting a handful of their product families. This vulnerability has been assigned CVE-2023-28771, and with a CVSSv3 score of 9.8, this vulnerability is considered highly critical. Attackers who send a specially crafted packet to UDP port 500 on an affected Zyxel device could execute arbitrary commands or create a denial-of-service condition.
Along with this disclosure, Zyxel announced updated software to address this issue; information about the update is available here.
There are reports that this vulnerability is being actively exploited in the wild. In the device’s default configuration, the vulnerable port is often exposed to the public Internet.
Finding affected devices using runZero
You can locate Zyxel devices with the vulnerable port exposed by visiting the Asset Inventory and using the following pre-built query:
hw:"Zyxel" and udp_port:500
The devices found by this query should be checked to make sure they are running a patched version of their firmware.
As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.
Cisco recently disclosed several highly critical vulnerabilities that affect some of their Ethernet switches designed for small businesses. With a CVSSv3 score of 9.8, these vulnerabilities (assigned CVE-2023-20024, CVE-2023-20156, and CVE-2023-20157) are due to various faults in the handling of input to the web-based management interface of these switches. Successfully exploiting one of these vulnerabilities would allow an attacker to create a denial-of-service condition or execute arbitrary code with root privileges.
Along with this disclosure, Cisco released updated software to address these issues. However, several of the affected models are past their End-of-Life (EOL) dates, and no software updates have been released for them. Users are advised to update affected systems as soon as possible where updates are available; EOL models with no fix should be treated as unpatched.
Finding affected devices using runZero
You can locate Cisco switches in your organization by visiting the Asset Inventory and using the following pre-built query:
hw:"Cisco" and type:"switch"
You can also limit your search to only the affected product families, using the following pre-built query:
hw:"Cisco" and type:"switch" and (snmp.modelNames:"CBS" or snmp.modelNames:"SF2" or snmp.modelNames:"SG2" or snmp.modelNames:"SF3" or snmp.modelNames:"SG3" or snmp.modelNames:"SF5" or snmp.modelNames:"SG5")
As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.
It might sound funny, but these were a few talking points that came up last week during runZero’s two hosted fireside chats, where CEO and Co-Founder Chris Kirsch sat down with Lares CEO Chris Nickerson on Tuesday and then Fortinet Systems Engineer Roger Rustad on Wednesday.
If you’ve had the pleasure of hearing Chris Nickerson tell his pentesting “war stories,” you might already know some of the references here. But for first-time listeners, these narratives cover the potential dangers of a red team member’s (mis)adventures, and the role of asset inventory from an attacker’s perspective. As for natural disasters and time machines, our talk with Roger elaborated on his work with the Information Technology Disaster Resource Center (ITDRC), as well as his view on how runZero’s solution has been helpful to the incident response and forensics teams at Fortinet.
Chris Nickerson Recap
The first fireside chat began over margaritas as Chris Nickerson (CN) joined Chris Kirsch (CK) on stage at our pop-up venue, the runZero Cafe, on Tuesday, April 25. Their chat covered:
Why the recon phase is an important stage in pentesting
The human element (and fallibility) of IT and security
What tools Chris Nickerson uses in his pentesting
And sprinkled humorously throughout the dialogue were moments from Nickerson’s past exploits, including welding people to cars with killer robots.
Specifically, CN talked about how recon (for attackers) and asset inventory (for defenders) are two sides of the same coin. In answer to why the recon phase is important, he noted,
Video transcription
CN: “First off, right, Karate Kid Rule. Man can’t see, man can’t fight. Same exact words for any attacker. I can see things that you can’t see. Good luck. And if that’s what I’m looking for, right, I’m trying to find those lapses in visibility.”
“So in general, right, when you’re thinking about making a process in testing, it’s not always like the voodoo magic and you just sprinkle your hacker dust and then magically like you win. It’s a bunch of really crappy work.”
“It takes a ton of time and you have to have a lot of process into it, it’s not just a hit a button, hope that it expands to find the things. You have to catalog every single thing that you see and be able to start to index and understand this information and what starts to emerge is patterns, right.”
“You start to see, oh, this is kind of where all the old stuff lives; this is where some cool, new stuff lives, this is where some I have no idea what this is. That might be interesting at some point. You might find names. You start to find, you know, indexed pieces of not only networking infrastructure, but I mean, engineers are good. They have naming conventions so that when somebody is like, hey, they want you to steal financial records, it’s like D-E-N, Denver, F-I-N, financial, and then like a bunch of numbers and you’re like, oh it’s probably this server you know, like.”
“So as you start to get yourself familiar, it’s more about situational awareness to figure out what you’re going to do in forward operation then it is go find a vulnerability, scan for something, exploit it, you know, move on to offense success, It’s really about that process of getting that total view of the landscape because you kind of can’t make plays on the field unless you know where the boundaries are.”
In answer to what tools he’s using:
Video transcription
CK: “So how do you, how do you go about that? When you go on a pentest, what are your tools to figure out what’s there, information for your pentest…”
CN: “So obviously lots of things, right? Because we have a great relationship being able to use runZero in that capacity, I think it’s great, especially in massive networks. Because what you find is, you know, in a smaller network I can get a relatively high degree of success, if I’m just using basic, you know, nmap engines and I’m going to be able to find, you know, the scripts that I’m using to to be able to pull information.”
“You don’t get that rich bit of information. right? I know that the host is up, I know that these ports are open. I can probably go grab banners, but now I have to like grep through a bunch of shitty text files. And it’s not super useful. Whereas if all those things are indexed, they are in a searchable database, you have ways to look at that information.”
“It’s now what’s there, what’s available, what’s running, what version is it running? What other things can I start to collect and find out about that box?”
When it comes to testing more fragile environments, CN delved into the problem of legacy technologies lacking resiliency, and the importance of not only understanding the environment as a pentester, but also ensuring companies know what’s on their networks, including “what’s old and going to misbehave.”
As an example of misbehaving machines, here’s CN’s killer robot story:
Video transcription
CN: “We were working on manufacturing facilities, right? And the robotic welding arm things, right? Cool robots are just tech world stuff. Their TCP/IP stack was awful. And it’s, like, I don’t know, somebody from the eighties built it. And it’s just half-open connections that make it harder for people. And I say that like in the most loving way, because like I portscanned it just started !@#$!@#, and just started shooting welds in the air going like this and I was like, ohhh shit, you know, like, I guess I didn’t know but like the…”
CK: “Just to be clear, this wasn’t with runZero?”
CN: “No, no, no, no. No, this is bad scripts that, Chris, again 24 times unsafe, 25th time unsafe. I was like try three and it was now trying to kill people. So again, you know, like those types of tools, whether it’s like the idiot guard for me, which, probably need it more often, especially now that I’m older, but but being able to understand and how you can interrogate a box safely is it’s the hardest thing of testing because if you’re wrong, you’re really wrong.”
“Like it’s a super super bad moment because the whole thing that you’re like, oh, I found the one box that I can compromise. Oh, yeah. Just turned it offline. That’s it, start over, like two weeks of work gone.”
While many companies understand how critical asset inventory is, they still face challenges when trying to implement it; they often lack the knowledge and resources to do it effectively. However, CN points out that if you have the proper tools, you can avoid making tragic mistakes:
Video transcription
CK: “Here’s the thing that kills me, you know like, for a lot of that infrastructure. OT and also like the ERP system and those kinds of things, it’s like it’s both, this is absolutely critical for the business to survive, and this is so fragile and you can’t touch it and never touch it. These two things don’t make sense to me.”
CN: “But this this is but this is where I appreciate the approach that’s been taken with runZero because they think that not not only are we looking at this like central source of truth and system of record, but the idea that the logic is built in for the grouping and for some of those things starts to create that that map of of where severity could be without having to get into them, you know, robots killing people.”
Yes, getting those parameters is important, and luckily, runZero can give you that right out of the box.
As a final note on the importance of asset management, CN told us:
Video transcription
CN: “I’ve also worked in a lot of other enterprises and consulted all over the planet, and everybody’s trying to change stuff in their network. Well, if I can just come in and give you an inventory. But let’s say, I mean, even if I’m a tester or I just run the network or I’m part of ops in engineering, if if what I can do is come back because you hired this, like, whatever some $4 billion consulting company to come in and like, upgrade your SAP system, they’re going to be like, oh, give a map of everything and the people who run it will give them the maps of like a couple of interfaces and then everything else won’t be there.”
“But if you can add value to go back and go, oh, this is absolutely every single thing that we have that as a SAP vendors, be able to group them, be able to categorize them, be able to explain to them that like, well, this one was from the 90s, this one was from the 2000s, all of them don’t follow the naming conventions, half of these aren’t in DNS.”
“Like you’re now making a graceful transition, which is huge because being a consultant, like the worst problem is information right? And if you can do that, you can give them accurate inventory, like they might actually get the job done on time. Probably never on cost, but at least quickly.”
So happy hunting to you, Chris! And many thanks for your entertaining insights on asset inventory from an attacker’s perspective.
Roger Rustad Recap
During Roger and Chris’s fireside chat, we heard about Roger’s journey in finding an asset management solution both for Fortinet and the volunteer group the Information Technology Disaster Resource Center (ITDRC).
Video transcription
CK: “Now for asset inventory. I think you, well, you brought in runZero, that’s why you’re here. But can you tell us a little bit about how you were doing asset inventory before you brought in runZero?”
RR: “I think probably the easiest way to put it is very poorly. We leveraged a lot of open source tools, mainly the command line tools, you know, nmap and masscan are kind of something we use regularly. And we went through a lot of logs manually, you know, to go back and try to find things. I think that became very laborious. And doing our threat hunting sessions one time we had to kick off an nmap scan that was going to take forever. One of us said there’s got to be a better way than this. And so we started Googling and found you guys and here we find ourselves today.”
Roger elaborated that other methods and solutions involved waiting for results, and interpreting the data – even though there was often consensus on his team, sometimes the interpretations got lost in translation when presented to other teams.
As Roger and his team looked to find different approaches to the problem, they looked at attack surface management solutions. Unfortunately, many of these tools require agents or APIs, and because Fortinet is more of a hacker culture internally, they preferred command line tools. They wanted to start there and wanted something that started there, too. He noted that runZero’s agentless solution made it very easy for his team to get a quick 30,000 ft view and then trim it appropriately.
As for first steps on how they began their runZero journey, Roger stated,
Video transcription
RR: “Literally, we just downloaded it and played with it. Each one of us ran it in our home network and we were just amazed at what it found. You know, we liked the fact that you can export everything straight into nmap format or XML format or interact with the API. I think that made it really easy. Then it was really just kind of figuring out how we were going to start implementing it internally.”
Once they had runZero up and running, Roger provided some insight into how the solution has been helpful in specific use cases:
Video transcription
RR: “Yes. So oftentimes we need to find an owner of an asset. I mean, everyone has the challenge of on certain networks finding owners is difficult. The extra information that we can look through or see who maybe was on that IP first. You know, I don’t think of runZero so much as an asset tool but sometimes as a time machine where we can go back and see who was on that network or on that device at a particular time. That’s been incredibly helpful for our incident response and our forensics team.”
CK: “How do you, give me an example of when you have an incident that you are investigating, how would you leverage runZero in that respect?”
RR: “So there could be a time in which we saw that a certain IP, let’s say, certificate on an IP, we could see what the certificate was. We could then pull that certificate and pivot across and see who else had that certificate.”
“I think when it comes to our FortiGates, we can tell by that type of certificate what version it is, what this may be running, and then that’s helped as we’ve gone through and patched certain things. Just seeing them, getting more details. But even the web page itself, being able to get a screenshot on that web page has been really helpful with runZero.”
We’re so glad we could help you at Fortinet, Roger, but we’re also happy to help with your work at ITDRC. This volunteer group is a nonprofit that builds IT solutions in areas affected by disasters, with no cost to the communities using these solutions. Roger explained that a lot of the work involves setting up simple connectivity, including setting up satellites and access points so first responders, shelters, kitchens, and churches can have access to their networks.
How does runZero help the ITDRC?
Video transcription
RR: “And runZero has been really good for helping us kind of figure out what’s on the network before we put stuff on, once we put stuff on. We often forget where we put stuff because as you can imagine, asset inventory is a bigger pain in the butt. Whenever you’re, you know, it’s a volunteer thing at the end of your day that you’re not keeping good tabs on.”
And for how the ITDRC plans to use runZero in the future:
Video transcription
CK: “When you think about how you want to mature and evolve that, looking to the future for disaster relief, etc., how are you planning to use runZero in the future?”
RR: “So I think, you know, one thing we’re starting to see is, as we start to partner with bigger companies like ZPE and other companies, we’re starting to leverage edge compute devices a lot more.”
“So the fact that runZero can run on such a tiny footprint becomes really helpful in figuring out what else has been added or taken off of the network. As we start to at some of these sites, do things like check the fuel levels of the generator or check the voltage level of the battery, we can do all that right off of runZero console access.”
“So as we start to do those things, it just makes sense to just throw a container on it, just see what else is on the network and it might be compromising. So I think when we talk about security for a lot of our other projects, you know, the CIA triad, the one we’re most concerned about is availability. The others don’t matter so much, and we kind of see runZero being really helpful for just making sure things are up and we know what else is running on the networks that we kind of throw out spontaneously.”
With all of the work that Roger does, we’re so happy that we can take off some of the strain in both his day-to-day job and volunteering. Thank you, Roger, for chatting with us during RSA!
RSA Venue Recap
In summary, the runZero team had a great time at our venue during the RSA conference, and we were grateful we could host these informative discussions with Roger Rustad and Chris Nickerson. We were also glad we could welcome many other cybersecurity professionals throughout the week to join us for drinks, tacos, digital caricatures, and faraday bag giveaways.
If we were lucky enough to see you at the venue, thank you for stopping by! We hope you had a wonderful time. And if we missed you during RSA week, we’d love to catch you at Black Hat in August. Feel free to shoot us a message if you’d like to coordinate a meeting at our Mandalay Bay suite!
Either way, if you are interested in learning more about how runZero can help your company with cyber asset management, please let us know by reaching out via our contact us form.
runZero customers can now identify risky assets across their environment and assign them to users for triage and remediation. Asset risk and criticality are presented as new fields in the inventory that can be used for both queries and alerts. The asset risk field is automatically set to the highest risk level of associated vulnerabilities; this data can be sourced from third-party vulnerability management imports as well as runZero queries. Asset risk can be overridden individually in the asset detail page or by applying a new risk level to assets matching a query. In addition to the changes above, a new Asset risk report is now available, which summarizes asset risk across each level of criticality.
The 3.8.0 release includes 34 new queries that automatically apply vulnerability records to matching assets. These queries are shown in the screenshot below and the full list can be found at the end of this post.
Although the new runZero queries are focused on unintended exposure, any query can be used to associate vulnerabilities to the corresponding asset, which also updates the asset risk level, and ties into the Security Ownership model for triage.
These queries can run against the assets, services, software, and vulnerability inventories. If you are importing software inventory through an integration, you can now create a query that automatically associates a vulnerability with assets with specific software installed.
As an example, if you would like to identify and remove all instances of Photoshop in your environment, create a new software query for name:photoshop, enable the new vulnerability association setting, and provide a unique vulnerability ID for the query. On the next update, a new vulnerability will be associated with every matching asset, and these vulnerabilities can be assigned through the console.
Queries can also be used to prioritize existing vulnerabilities. To add a critical finding when a low-risk vulnerability is reported on an asset with a public IP address, create a new vulnerability inventory query using the public:true asset filter, add additional conditions for the specific vulnerabilities that you would like to match, provide a unique vulnerability ID, and finally set the risk to Critical. On the next update, any assets with the specified vulnerabilities will have an additional critical risk finding attached if they also have a public IP address.
Users can find a list of assigned assets in the asset and vulnerability inventory pages by clicking their owner name in the inventory table or by viewing their user detail page under Your Team > Users.
Once a vulnerability has been remediated, the next update will remove the vulnerability from the asset and update the risk of the associated asset. Risky asset triage and query-based vulnerability associations are available to all runZero Professional and runZero Enterprise users.
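To make the mechanics above concrete, here is a small Python model of the behaviour described in this section: asset risk derived as the highest risk of the vulnerabilities attached to the asset, saved queries that attach a vulnerability record with a unique ID to every matching asset (the Photoshop software query and the public-IP escalation of a low-risk finding), a per-asset override, and findings that drop off on the next update once remediated. This is an added example, not runZero's code; the field names, the rule matcher and the vulnerability IDs (`LOW-0001`, `unwanted-photoshop`) are constructed stand-ins for the console's query language and inventory.

```python
"""Toy model of query-driven vulnerability association and asset risk.

Added example, not runZero's implementation. Asset fields, rule predicates and
vulnerability IDs are simplified stand-ins for the console's inventory and query
language; the behaviour modelled is the one described in the release notes.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional

# Ordering used to pick "the highest risk level of associated vulnerabilities".
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Vuln:
    vuln_id: str
    risk: str


@dataclass
class Asset:
    name: str
    public: bool                 # asset has a public IP address
    software: set[str]           # installed software names (from an import)
    vulns: dict[str, Vuln] = field(default_factory=dict)   # keyed by vuln_id
    risk_override: Optional[str] = None                   # manual override

    def risk(self) -> str:
        if self.risk_override is not None:
            return self.risk_override
        if not self.vulns:
            return "none"
        return max((v.risk for v in self.vulns.values()), key=RISK_ORDER.__getitem__)


@dataclass
class QueryRule:
    """A saved query with vulnerability association enabled."""
    vuln_id: str                      # must be unique per rule
    risk: str
    matches: Callable[[Asset], bool]  # stand-in for the query itself


def apply_rules(assets: list[Asset], rules: list[QueryRule]) -> None:
    """One 'update': rebuild rule-generated findings from scratch.

    Dropping every rule-generated vuln first is what makes a remediated finding
    disappear on the next update and keeps repeated runs from duplicating it.
    Imported vulns (not owned by any rule) are left untouched.
    """
    rule_ids = {r.vuln_id for r in rules}
    for asset in assets:
        for vid in list(asset.vulns):
            if vid in rule_ids:
                del asset.vulns[vid]
        for rule in rules:          # rules that depend on other rules must come later
            if rule.matches(asset):
                asset.vulns[rule.vuln_id] = Vuln(rule.vuln_id, rule.risk)


def remediate(asset: Asset, vuln_id: str) -> None:
    """Simulate the scanner/import no longer reporting a vulnerability."""
    asset.vulns.pop(vuln_id, None)


def risk_summary(assets: list[Asset]) -> dict[str, str]:
    return {a.name: a.risk() for a in assets}


def default_rules() -> list[QueryRule]:
    return [
        # software query name:photoshop -> flag every asset with it installed
        QueryRule("unwanted-photoshop", "medium", lambda a: "photoshop" in a.software),
        # vulnerability query public:true + specific low-risk finding -> critical
        QueryRule("LOW-0001-exposed", "critical",
                  lambda a: a.public and "LOW-0001" in a.vulns),
    ]


def build_inventory() -> list[Asset]:
    """Constructed sample inventory (not real hosts)."""
    low = lambda: {"LOW-0001": Vuln("LOW-0001", "low")}
    return [
        Asset("web-01", public=True, software={"nginx"}, vulns=low()),
        Asset("design-07", public=False, software={"photoshop"}),
        Asset("db-02", public=False, software={"postgres"}, vulns=low()),
    ]


if __name__ == "__main__":
    inventory, rules = build_inventory(), default_rules()
    apply_rules(inventory, rules)
    print(risk_summary(inventory))
    remediate(inventory[0], "LOW-0001")
    apply_rules(inventory, rules)
    print(risk_summary(inventory))
```

Running it shows `web-01` rated critical only while it is both public and carrying the low-risk finding, `db-02` staying at low because it is internal, and `web-01` falling back to none after the finding is remediated and the rules are re-applied.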
Public preview of goal tracking
Measuring progress toward your security and organizational goals can be challenging and difficult to communicate to leadership. With the introduction of goals, runZero customers can set time-bound and query-driven goals that are customizable to what matters most to your team. Goals can be used with new features like asset risk as well as existing features like asset ownership. If you can query for it in runZero, it can now be a goal!
Some examples of goals could include:
Managing expiring TLS certificates
Remediating critical risk vulnerabilities on assets within a set timeframe
Keeping insecure management services off external networks
This feature is in a public preview and we would love your feedback via email or through the in-product support form.
Protocol improvements
The default TCP port list has grown to almost 600 ports (from ~500) for better coverage. Protocol support has been added for Brother’s proprietary scanner protocol, allowing us to identify Brother scanners or Brother multi-function devices that include a scanner. SNMP enumeration is more configurable through the disable-bulk-walk and max-repetitions settings in the advanced scan configuration. Protocol detection has also been improved for TNS Listener and Android Debug Bridge services.
New and improved fingerprints
New fingerprints were added for products by Advantech, Amazon, Apache, ASUSTeK, AV Costar, Avaya, AVM, Bosch, Canon, Canonical, Cisco, Citrix, Codonics, Cognosys, CostarHD, Cradlepoint, Cubic Transportation Systems, DataDirect Networks, Dahua, Daktronics, Datamax, Debian, Dell, DigitalOcean, Eaton, Econolite, EnGenius, Entrust, EVGA, ExaGrid, F5, Fortinet, Getinge, Glenayre, Grandstream, HP, HPE, Huawei, iCAD, Kali, LAVA, March Networks, Microsoft, Moen, MSI, MultiTech, Multitone, Netgear, Oce, Okidata, OpenLogic, The Ottawa Hospital Cancer Center, Palo Alto Networks, Panasonic, PaperCut, Proxim, Prusa, Qualys, Red Hat, RICOH, The Royal Marsden NHS Foundation Trust, Saulmatics, Schneider Electric, Somfy, Sonos, SUSE, Ubiquiti, VMware, and ZTE.
In addition to the above protocol and fingerprinting improvements, we improved our normalization of x509 certificate issuer and subject values, allowing us to more consistently apply fingerprints regardless of ordering/formatting variants found in the field or due to tech stacks.
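The issuer/subject normalisation point deserves a worked illustration, because the same certificate authority is rendered differently by different TLS stacks (RDN order reversed, attribute names in another case or as raw OIDs, extra whitespace, escaped versus quoted commas). The following Python is an added example, not runZero's code: it splits an RFC 4514-style DN on unescaped commas, maps a small set of OIDs to short names (an assumed subset), canonicalises case and whitespace, and sorts the components so that a fingerprint keyed on the result matches regardless of ordering. Sorting discards the DN's hierarchical order on purpose; that is acceptable for a fingerprint key but not for PKI identity comparison.

```python
"""Canonicalise X.509 issuer/subject DN strings for fingerprint matching.

Added example, not runZero's code. The OID table is an assumed subset; the
sample DNs below are constructed.
"""
from __future__ import annotations

import re

# Attribute OIDs and legacy spellings mapped to short names (assumed subset).
OID_ALIASES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "2.5.4.11": "OU",
    "1.2.840.113549.1.9.1": "E", "emailaddress": "E",
}


def split_rdns(dn: str) -> list[str]:
    """Split on unescaped, unquoted commas.

    Handles backslash escapes (RFC 4514) and double-quoted values (an older
    rendering still emitted by some stacks). Multi-valued RDNs joined with '+'
    are left as a single component.
    """
    parts: list[str] = []
    buf: list[str] = []
    quoted = False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])       # escaped char is literal, never a separator
            i += 2
            continue
        if ch == '"':
            quoted = not quoted         # quotes delimit a value; drop them
        elif ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return [p for p in parts if p.strip()]


def normalize_dn(dn: str) -> str:
    """Return an order-insensitive, case-folded, whitespace-collapsed key."""
    pairs = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            continue                    # malformed component: skip, don't crash
        attr = attr.strip()
        attr = OID_ALIASES.get(attr.lower(), attr.upper())
        value = re.sub(r"\s+", " ", value.strip()).lower()
        pairs.append(f"{attr}={value}")
    return ",".join(sorted(pairs))


def same_issuer(dn_a: str, dn_b: str) -> bool:
    return normalize_dn(dn_a) == normalize_dn(dn_b)


if __name__ == "__main__":
    # Constructed renderings of one issuer as seen from three different stacks.
    for dn in ("CN=Example Device CA, O=Example Corp, C=US",
               "C=US,O=Example Corp,CN=Example Device CA",
               "cn=example device ca,o=Example  Corp,c=us"):
        print(normalize_dn(dn))
```

All three constructed renderings collapse to `C=us,CN=example device ca,O=example corp`, and `O=Example\, Corp` and `O="Example, Corp"` produce the same key, which is exactly the property a fingerprint lookup needs.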
Passwordless logins
We don’t want your password.
From the beginning, runZero has supported single sign-on (SSO) for all users, including the free Starter Edition. From this version (3.8.0) of runZero onward we now support using a one-time authentication link in addition to any configured MFA token.
This feature is no less secure than an email-based password reset and prevents runZero from storing even the hashed and encrypted passwords on our servers. If you are unable to set up SSO, using passwordless logins with a WebAuthn token is the next best thing.
See runZero 3.8 in action
Watch the video to see a demonstration of the newest features in runZero, including asset risk and criticality, goal tracking, and applying vulnerabilities from queries.
Release notes
The runZero 3.8 release includes a rollup of all the 3.7.x updates, which includes all of the following features, improvements, and updates.
New features
Risk and criticality levels can now be assigned to assets through third-party integrations, the asset inventory, and custom rules.
runZero Preview Program: Goal tracking helps users with Professional and Enterprise licenses track progress toward completing their security initiatives. Use built-in goals for asset ownership coverage or system queries, or create goals with custom queries to fit your needs.
runZero system and custom queries can now be used to create vulnerability records.
Passwordless authentication is now available, allowing users to request one-time authentication links via email rather than storing a password. This provides a secure authentication alternative when SSO cannot be configured.
Added support for Azure and Intune GCC, GCC High, and DoD environments.
Improved compatibility with WireGuard and Tailscale on macOS and *BSD.
Added support for searching software attributes.
Alert channels now support more than one email address.
Asset limit warnings have been updated to be more clear about whether or not scans will be affected.
A bug preventing an Explorer reassigned to a previous organization from picking up assigned tasks has been resolved.
A bug causing software search links to navigate to a 404 page has been resolved.
A bug causing task-failed events to ignore the site restriction has been resolved.
A bug causing the hostname override tag to not update the hostname displayed has been resolved.
A bug that prevented clearing Insights from the dashboard has been resolved.
A bug where the copy scan button was cut off in the recurring tasks tab has been resolved.
New vulnerability queries
Application: Apache HTTP Server versions vulnerable to CVE-2021-41773 or CVE-2021-42013
Application: HPE iLO 4 authentication bypass
Application: HPE iLO 5 firmware versions known to be vulnerable
Application: OMI WSMAN versions vulnerable to OMIGOD
Application: OpenSSH servers vulnerable to CVE-2023-25136
Application: SolarWinds Serv-U MFT
Application: VMware ESXi vulnerable to CVE-2021-21974 (OpenSLP)
Hardware: Accellion legacy file transfer appliances
Hardware: Cisco VPN routers vulnerable to CVE-2022-20825
Policy: Android debug bridge
Policy: Cassandra (unauthenticated)
Policy: CouchDB (unauthenticated)
Policy: Distributed Ruby service
Policy: Elastic Search (unauthenticated)
Policy: HTTP directory index
Policy: InfluxDB (unauthenticated)
Policy: IPMI cipher type zero authentication bypass
Policy: Java RMI service
Policy: Memcached (unauthenticated)
Policy: MongoDB (limited)
Policy: MongoDB (unauthenticated)
Policy: Neo4J (unauthenticated)
Policy: NFS world-readable exports
Policy: Redis (unauthenticated)
Policy: Remote desktop service on internet-facing host
Policy: Riak (unauthenticated)
Policy: SMB signing not required
Policy: SMB v1 enabled
Policy: SNMP default communities
Policy: SSH password authentication on internet-facing host
Policy: SSLv2 / SSLv3 services
Policy: Windows management service on internet-facing host
Policy: Zabbix agent without ACL
Policy: Zookeeper (unauthenticated)
Product improvements
Improved error message when attempting to delete a scan template twice.
Grace period for tasks can now be configured from the task template page.
Improved asset correlation for multi-source assets.
Public API endpoints to view hosted zones have been added.
The API endpoints for managing scan tasks now accept an argument to select a hosted zone.
Validation for stored queries has been improved to prevent saving queries with warnings or errors.
Excerpts of task log messages are now available on the task details page for tasks that are in error status.
The display of datagrid warning and error messages has been improved.
Improved asset processing when FortiGuard endpoints with “Policy Override Authentication” enabled are present.
Self-hosted installs now support an option to disable TLS validation between Explorers and the console application.
The max-repetitions and disable-bulk parameters have been added to SNMP probes.
Task failures are now reported in the Task details pane.
All queries, including runZero-provided system queries, can now be copied.
The configuration for runZero-provided system queries can be modified.
Integration improvements
Credential verification is now allowed only after all required fields have been completed.
Third-party vulnerability integrations now support a more granular risk filter.
Third-party integrations now support more granular vulnerability filters.
Crowdstrike will now use Connection IP and Connection MAC for asset matching.
Bug fixes
A bug that could result in a panic while performing a scan has been resolved.
A bug that could prevent the API from creating valid scan tasks has been resolved.
A bug that negatively impacted fingerprinting via TLS certificates has been resolved.
A bug preventing TLS negotiation in some cases has been resolved.
A bug that was triggered when submitting Azure credentials for verification with a subscription ID has been resolved.
A bug that could cause deadlocks in the TCP LDAP probe and Active Directory integration has been resolved.
A bug that caused an infinite redirect when clicking on site breadcrumbs has been resolved.
A bug causing recurring tasks to be incorrectly sorted by start time on the tasks page has been resolved.
A bug allowing “Verify & save” on the credentials update page to error has been resolved.
A bug where Dell laptops were identified as desktops or servers has been resolved.
A bug that caused imported queries to be parsed improperly has been resolved.
A bug with the default webhook Slack alert template has been resolved.
A recent update in Explorer and Scanner behavior which could inadvertently trigger CrowdStrike EDR detection has been disabled.
A bug regarding Intune rate limiting and intermittent failures has been resolved.
A bug where certain tasks could not be edited has been resolved.
A bug regarding erroneously returned results from unscanned runZero assets when searching the asset inventory has been resolved.
A bug marking assets “unscanned” has been resolved.
A bug that resulted in a 500 error when running the asset attribute report has been resolved.
A bug that could prevent custom integration results from merging into existing assets has been resolved.
A bug that could cause the save button on the credential edit form to be disabled has been resolved.
A bug where clicking links on the Query page of a self-hosted instance may return a 500 has been resolved.
A bug where clicking links in the Tasks column of the Credentials page would result in an error has been resolved.
A bug where paginated results could display Viewing 0 – N for the first page has been resolved to now display Viewing 1 – N.
A bug that could result in duplicate offline assets has been resolved.
A bug that prevented CSV exports of assets when using free text search has been resolved.
A bug where the number of hops could be incorrectly set to zero when ARP is present as a service has been resolved.
A bug that prevented searching assets using the task search key has been resolved.
Want to take runZero for a spin?
Sign up today to test out these capabilities free for 21 days.
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network, without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.