Dashboard Toolbox - VM DASHBOARD BETA: QID 91563 (SevenMonkeys)

Document created by Felix Jimenez Employee on Aug 13, 2019Last modified by Felix Jimenez Employee on Aug 29, 2019
Version 16Show Document
  • View in full screen mode

This Dashboard will enable you to get instant visibility on the Seven Monkeys Vulns (QID:91563) Microsoft Windows Remote Desktop Services Remote Code Execution Vulnerability (RCE).

 

We all know how busy, and the amount of work as security professionals we encounter daily given its an ever-changing environment. That is where Qualys can provide the ability for quick dashboarding and views to key indicators to assist and prioritize your remediation work.  #visualizedatanotcsvs #sevenmonkeys  #AgentStackConsolidation

 

In the August 2019 Patch Tuesday release, Microsoft disclosed 7 RDP Vulnerabilities, out of which 4 are labeled as critical and 3 as important.

 

The cyber industry has named them as Seven Monkeys pertaining to seven CVEs released. Microsoft has released patches for these vulnerabilities and at least two of these (CVE-2019-1181&CVE-2019-1182) can be considered “wormable” and equates them to BlueKeep. Of the three “Important” RDP vulnerabilities, one (CVE-2019-1223) is a DoS, and the other two (CVE-2019-1224 and CVE-2019-1225) disclose memory contents. Microsoft update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests. 

 

What makes the SevenMonkeys Risky?

This vulnerability allows an unauthenticated attacker (or malware) to execute code on the vulnerable system. All the critical vulnerabilities exist in Remote Desktop Services – formerly known as Terminal Services – and do not require authentication or user interaction. To exploit the vulnerabilities, an attacker would need to send a specially crafted request to the target systems Remote Desktop Service via RDP.

 

How to quickly detect and remediate all in one single solution?  #AgentStackConsolidation

This QID is included in signature version VULNSIGS-2.4.675-4, and requires authenticated scanning or the Qualys Cloud Agent. Cloud Agents will automatically receive this new QID as part of manifest version 2.4.675-4.

 

The benefits of the Qualys Cloud Agent over Authenticated Scanning:

  • Continuously monitor assets for the latest Operating System, Application, and Certificate vulnerabilities

  • Track missing critical patches on each device in real-time

  • Patch and remediate systems no matter where they reside in the world with our new revolutionary Qualys Patch Management 
  • No credential / Authentication record management or complex firewall profiles needed—only requires outbound encrypted communications over a single port to the Qualys Cloud Platform

  • Combine network scans with Cloud Agents for devices where it is not practical to install agents—firewalls, routers, etc.

 

Qualys Cloud Agents brings the new age of continuous monitoring capabilities to your Vulnerability Management program. This eliminates the need for establishing scanning windows, managing credential manually or integrations with credential vaults for systems, as well as the need to actually know where a particular asset resides. "Consolidate your security stack with the Qualys Cloud Agent!" #AgentStackConsolidation

 

 

Mitigation? 

The following mitigation may be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as possible even if you plan to leave Remote Desktop Services disabled:
1. Disable Remote Desktop Services if they are not required. If you no longer need these services on your system, consider disabling them as a security best practice. Disabling unused and unneeded services helps reduce your exposure to security vulnerabilities.

WorkArounds? 

The following workarounds may be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as possible even if you plan to leave these workarounds in place:
1. Enable Network Level Authentication (NLA) on systems running supported editions: You can enable Network Level Authentication to block unauthenticated attackers from exploiting this vulnerability. With NLA turned on, an attacker would first need to authenticate to Remote Desktop Services using a valid account on the target system before the attacker could exploit the vulnerability.
2. Block TCP port 3389 at the enterprise perimeter firewall: TCP port 3389 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter.

 

Authenticated check Update:

Qualys has issued a special QID (91563) for Qualys Vulnerability Management that covers all 7 CVEs across all impacted Operating Systems. This QID is included in signature version VULNSIGS-2.4.675-4, and requires authenticated scanning or the Qualys Cloud Agent. Cloud Agents will automatically receive this new QID as part of manifest version 2.4.675-4.

Dashboard Demonstration Images: New

 

List QIDs associated with SevenMonkeys:

QID: 91563 - Windows RDP Remote Code Execution Vulnerability (BlueKeep)


Query to create WorkAround Widget:

Title:  Workaround - QID:45379 - Network Level Authentication (NLA)

Query:  vulnerabilities.vulnerability.qid:45379

 

Query to create Mitigation Widget:

Title:  VULN - CVE-2019-0708 & TERMService - NOT Running

Query:  vulnerabilities.vulnerability.qid:91534 and not (services:(name:TermService and status:RUNNING) or vulnerabilities.vulnerability.qid: 45381)

 

Title:  VULN - CVE-2019-0708 & TERMService - Running

Query:  vulnerabilities.vulnerability.qid:91534 and (services:(name:TermService and status:RUNNING) or vulnerabilities.vulnerability.qid: 45381)

 

 

 

How to Enable Trending on the widgets:

Open the desired widget in edit mode and select the Collect trend data check box.

 

 

Qualys - Training Videos:

Self-Paced Class: Vulnerability Management Asset Tags

https://vimeo.com/album/4372322

 

Help Link:

POD - 1 - Apply Tags to Organize Your Assets

POD - 2 - Apply Tags to Organize Your Assets

POD - 3 - Apply Tags to Organize Your Assets

 

References: 

Looking for additional Qualys Documentation use the Resource link in the Qualys Portal (Help > Resources)

 

Related community Post:

 

External References:

 

Additional Dashboards:#performance_mgmt

Dashboard Toolbox - How To Enable the New VM Dashboard BETA within the Qualys UI 

Dashboard Toolbox - How To - Importing Dashboard json 

- - - - - - - - - - - - - - - - - - - - - - - - - - - -- - - - - - - - - - - - - - - - - - - - - - -

Dashboard Toolbox - VM DASHBOARD BETA: QID:91534 - CVE-2019-0708 - (BlueKeep) 

Dashboard Toolbox - VM DASHBOARD BETA: QID Specific Remediation Dashboard (v1.0) 

Dashboard Toolbox - VM DASHBOARD BETA: Host Scan Time Management (v1.1) 

Dashboard Toolbox - VM DASHBOARD BETA: Per Year Environment View - Vr1.0 

Dashboard Toolbox - VM DASHBOARD BETA: Severity 1 thru 5  & Threat Protection (RTI) Dashboard BETA 

Dashboard Toolbox - VM DASHBOARD BETA: PCI Compliance Vulnerability Exposure Dashboard 

Dashboard Toolbox - VM DASHBOARD BETA: Windows Authentication Management (v1.2) 

Dashboard Toolbox - VM DASHBOARD BETA: Total Vulnerabilities Scorecard    

Dashboard Toolbox - VM DASHBOARD BETA: Total Unremediated Scorecard   

Dashboard Toolbox - VM DASHBOARD BETA: Top 10 Vulnerabilities Scorecard 

Dashboard Toolbox - VM DASHBOARD BETA: Top 10 Assets Scorecard 

Dashboard Toolbox - VM DASHBOARD BETA: Hosts Assessment Dashboard 

Dashboard Toolbox - VM DASHBOARD BETA: Threat Real Time Indicator (RTI) Dashboard 

Dashboard Toolbox - Top 5 Vendor Open Vulns Sev3-5 Assessment Dashboard BETA

Dashboard Toolbox - [Tags.Name] Confirmed Sev 3- 5 Excl NRK 90D BETA

Dashboard Toolbox - VM DASHBOARD BETA: Windows 7 Confirmed/Potential Sev 3-5 90D Assessment 

Dashboard Toolbox - Cisco Vendor Only Confirmed/Potential Sev 3-5 90D Assessment BETA

Dashboards and Reporting: Apache Struts RCE Vulnerabilities: CVE-2017-5638 and CVE-2018-11776

QID Tracking Dashboard: .NET Framework Service Packs - All of a Sudden

Adobe Product Dashboard: Qualys API - List Assets by Vulnerability Title

 

 

 

* * * WARNING: Read Before Downloading * * *

At this time, Dashboard and Widget JSON files are not interchangeable between application dashboards, meaning Vulnerability Management Beta Dashboard JSON files may only be used in VM Dashboard and AssetView JSON files may only be used in AssetView. If you make a mistake and import a JSON file from one application into the other, you must contact Qualys Support to have the error corrected in the database for your subscription. 

Again, there is no way to reverse this mistake within the UI, it must be done in the database.

 

Back to Dashboard Toolbox - New Vulnerability Management (VM) Dashboard BETA 

Back toDashboarding and Reporting 

Outcomes