What’s new with runZero 3.3?
- Extended visibility into Google Workspace
- Queries for Google Workspace users and groups
- Fingerprinting for Google assets
- Identification of OpenSSL services
- Improvements to the runZero Console
Extended visibility into Google Workspace
runZero 3.3 furthers the visibility into your Google ecosystem through a new integration with Google Workspace. runZero Professional+ users will be able to sync Google Workspace asset details from mobile devices, endpoints, and managed Chrome systems, while runZero Enterprise users will also be able to sync Users and Groups. Once the integrations are configured, users can view, search, analyze, export, and alert on attributes from both Google Workspace and Google Cloud Platform.
One of the key reasons to leverage the runZero integrations is to get better insight into the scope of your environment and completeness of coverage since MDM and IAM platforms can’t provide any insights into devices that haven’t been onboarded. To identify assets on your network that aren’t onboarded to Google Workspace, use the query source:runZero AND NOT source:googleworkspace. Conversely, use this query to find assets from Google Cloud Platform or Google Workspace that have not been scanned by runZero yet: (source:gcp OR source:googleworkspace) AND NOT source:runzero. These queries can help you keep pace with unmanaged and disconnected assets.
The integration also pulls in many Google Workspace attributes to give you comprehensive asset visibility. This could include attributes like when a device was last synced, whether a device has a password enabled or is encrypted, or whether it supports the use of a work profile. The Recent Users list in the asset details can also provide insight into device ownership and usage. You can filter for a specific user by using the @googleworkspace.mobile.email attribute for mobile devices or the @googleworkspace.chromeos.recentUsers attribute for ChromeOS devices. To find mobile devices that aren’t locked with a password, try the query @googleworkspace.mobile.devicePasswordStatus:="Off", or use @googleworkspace.mobile.encryptionStatus:="Not Encrypted" to find ones without encryption enabled. The wildcard operator also lets you find results with a range of OS versions, such as using @googleworkspace.endpoint.osVersion:="MacOS 12.%" to find Google Workspace assets running macOS Monterey.
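The coverage-gap and attribute queries above, applied to an offline copy of an inventory, as an added example that is not runZero code. The record layout (name, sources, attrs), the sample assets, and case-insensitive matching are assumptions made for illustration; only the source names, attribute keys, and the % wildcard come from the queries in the text.

```python
import re

# Constructed sample inventory. The record layout is an assumption for this
# example, not the runZero export schema.
ASSETS = [
    {"name": "laptop-01", "sources": ["runzero", "googleworkspace"],
     "attrs": {"@googleworkspace.endpoint.osVersion": "MacOS 12.6.1"}},
    {"name": "printer-07", "sources": ["runzero"], "attrs": {}},
    {"name": "pixel-22", "sources": ["googleworkspace"],
     "attrs": {"@googleworkspace.mobile.devicePasswordStatus": "Off",
               "@googleworkspace.mobile.encryptionStatus": "Encrypted"}},
    {"name": "gce-web-1", "sources": ["gcp"], "attrs": {}},
    {"name": "iphone-03", "sources": ["googleworkspace", "runzero"],
     "attrs": {"@googleworkspace.mobile.devicePasswordStatus": "On",
               "@googleworkspace.mobile.encryptionStatus": "Not Encrypted"}},
    {"name": "macbook-09", "sources": ["runzero", "googleworkspace"],
     "attrs": {"@googleworkspace.endpoint.osVersion": "MacOS 13.0"}},
]

def has_source(asset, source):
    """True if the asset was reported by the given data source."""
    return source.lower() in (s.lower() for s in asset["sources"])

def wildcard_equals(value, pattern):
    """Whole-value match where % stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def coverage_gaps(assets):
    """Mirror the two source queries: scanned but not onboarded, and the reverse."""
    not_in_workspace, not_scanned = [], []
    for a in assets:
        scanned = has_source(a, "runzero")
        in_workspace = has_source(a, "googleworkspace")
        if scanned and not in_workspace:
            not_in_workspace.append(a["name"])
        if (in_workspace or has_source(a, "gcp")) and not scanned:
            not_scanned.append(a["name"])
    return {"not_in_workspace": not_in_workspace, "not_scanned": not_scanned}

def attr_matches(assets, key, pattern):
    """Names of assets whose attribute `key` matches `pattern`."""
    return [a["name"] for a in assets
            if key in a["attrs"] and wildcard_equals(a["attrs"][key], pattern)]

if __name__ == "__main__":
    print(coverage_gaps(ASSETS))
    print(attr_matches(ASSETS, "@googleworkspace.mobile.devicePasswordStatus", "Off"))
    print(attr_matches(ASSETS, "@googleworkspace.endpoint.osVersion", "MacOS 12.%"))
```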
runZero offers unmatched active network scanning, while also integrating with an ever-growing list of data sources so that you have a complete asset inventory at your fingertips. To get started, set up a connection to Google Workspace or Google Cloud Platform.
Queries for Google Workspace users and groups
runZero Enterprise users can leverage the new queries tailored for the Google Workspace integration to quickly find and alert on accounts that match particular parameters, in addition to being able to run searches in the Users and Groups inventories. Identify administrator accounts, suspended accounts, and accounts without MFA to improve IAM efforts and better protect your environment. These queries are included in the Query Library and can also be used to create alerts.
Run queries about Google Workspace users or create an alert rule to find assets of interest.
Fingerprinting for Google assets
runZero includes fingerprints for the metadata returned by the Google integrations, including Google Cloud Platform and Google Workspace. This will help provide the most accurate operating system and hardware data about the assets in your inventory.
In addition to Google fingerprints, runZero has also improved fingerprinting coverage of Microsoft 365 Defender assets and SNMP devices. Additional support was added or improved for products by Apache, Aruba, Avaya, Axon, Cisco, CyberPower, Debian, Eaton, Epson, Fortinet, Fujifilm, Geist, Hikvision, Lexmark, Oracle, Sato, Sony, Vivi, and VMware.
Identification of OpenSSL services
In preparation for the OpenSSL vulnerability announcement, runZero released remote, unauthenticated fingerprinting for OpenSSL 3 services, allowing our users to get ahead of the mitigation process prior to the vulnerability details becoming public. This capability has since expanded to detect even more TLS implementations and track the TLS stacks in use on each asset. runZero users can find OpenSSL endpoints using the query product:openssl in the assets, services, and software inventories.
The server-side exposure only applies to services that process client certificates. runZero already performs checks for this, even though it is not a common configuration. To identify services running OpenSSL 3.0.x variants that may be vulnerable to exploitation, use the following query in the service inventory search: _service.product:"OpenSSL:OpenSSL:3" AND tls.requiresClientCertificate:"true".
Improvements to the runZero Console
The 3.3 release includes several changes to the user interface to improve the performance of the runZero console. The tables on the Explorers, Sites, Organizations, and Your team pages now perform and load faster. This will let users query and sort the results in tables more efficiently, getting to the answers they need faster.
The release also extends the availability of the All Organizations view. All users now have a view that will show them the results from all of the organizations that they have access to. The available permissions in that view reflect their per-organization permissions so that they can manage resources just like they would when viewing a single organization.
The runZero 3.3 release includes a rollup of all the 3.2.x updates, which includes all of the following features, improvements, and updates.
- runZero Professional and Enterprise customers can now sync assets from Google Workspace.
- runZero Enterprise customers can now sync users and groups from Google Workspace.
- The “All Organizations” view is now available to restricted users with a filtered scope.
- User interface tables were revamped for Organizations, Sites, Explorers, and Teams.
- Live validation is no longer required for Qualys VMDR and InsightVM credentials.
- The subnet utilization report now supports filtering by site.
- CSV export of assets now includes the same hostname information as the inventory view.
- Up-to-date ARM64 builds of the standalone scanner are now available.
- The account API endpoint for creating organizations now accepts the argument types documented.
- Merging two assets now correctly updates the date of the newest MAC address for the resulting asset.
- Disabling all scan probes now disables the SNMP probe.
- Service Provider information is now displayed with a default domain before SSO settings are configured.
- Explorers are now ordered alphabetically on the scan configuration and connector configuration pages.
- runZero users logging in via SSO are now presented with the terms and conditions acceptance dialogue.
- A new tls.stack attribute that tracks the TLS software provider and version has been added for assets and services.
- A new canned query for OpenSSL 3.0.x with client certificate authentication has been added.
- The scanner now reports OpenSSL versions via TLS fingerprinting.
- The scanner now reports Tanium agent instances on the network.
- The scanner now reports additional detail for SSLv3 services.
- The search keywords has_os_eol and has_os_eol_extended are now supported on the Assets and Vulnerabilities inventory pages.
- The “last seen” link to the most recent scan details has been restored on the asset details page.
- Improved performance when scanning from macOS hosts that have certain EDR solutions installed.
- Improved performance of Intune integration when importing a large number of users and devices.
- Scan task processing speed has been improved for SaaS and self-hosted customers.
- The baseline memory usage of Explorers has been reduced.
- Error handling of misconfigured fingerprints has been improved to reduce Explorer and scanner crashes.
- Improved fingerprinting coverage of Microsoft 365 Defender for Endpoints assets.
- Improved fingerprinting coverage of SNMP devices.
- Tanium agent detection now sets the edr.name attribute.
- Added fingerprinting of OpenSSL, GnuTLS, and Windows TLS stacks, including version when possible.
- Apple ecosystem OS fingerprint updates.
- Additional support added or improved for products by Apache, Aruba, Avaya, Axon, Cisco, CyberPower, Debian, Eaton, Epson, Fortinet, Fujifilm, Geist, Hikvision, Lexmark, Oracle, Sato, Sony, Vivi, and VMware.
- The AWS integration now includes an option to delete AWS-only assets that were not seen in the most recent import.
- The Qualys integration now includes an option to import unscanned assets; the option is disabled by default.
- Processing speed for large Qualys imports has been improved.
- GCP credentials can now be configured to import assets from multiple projects.
- The error message indicating that an AWS integration credential has insufficient permissions has been improved.
- A bug that could prevent the use of third-party credentials when using TLS thumbprints or the insecure connection option with a public URL has been resolved.
- A bug which sometimes prevented GCP imports from completing has been fixed.
- A bug in how Service Inventory searches were launched from the Asset details page has been resolved.
- A bug that could prevent TLS probes from completing has been resolved.
- A bug that could prevent updating site metrics has been resolved.
- A bug that could prevent the Intune integration from completing long-running tasks has been resolved.
- A bug that could prevent the GCP integration from returning all assets has been resolved.
- A bug that could result in a recurring integration running again before the previous task finished has been resolved.
- A bug that could prevent importing assets from Microsoft Intune has been resolved.
- A bug that could prevent importing assets from Microsoft 365 Defender has been resolved.
- A bug that could cause broken asset links has been resolved.
- A bug that could cause missing service data for services with conflicting virtual hosts has been resolved.
- A bug that could cause inaccurate user counts for imported directory groups has been resolved.
- A bug that affected tooltip display has been resolved.
- A bug that prevented “open in new tab” navigation using middle/right click has been resolved.
- A bug that could prevent Azure AD imports has been resolved.
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.