Kevin Beaumont Jan 12
Citrix Gateway and ADC vulnerability aka - a thread of some things which are catching out defenders:
Kevin Beaumont Jan 12
Replying to @GossiTheDog
I’ve heard from multiple companies where they believe they don’t use the SSL VPN functionality, but when they check they are vulnerable. Why? It’s enabled.
Kevin Beaumont Jan 12
Replying to @GossiTheDog
IPS (Intrusion Prevention Systems) are great but.. well, don’t rely on them. Why? The traffic is TLS encrypted. Your IDS almost certainly can’t see inside it to see threats, unless you’re a unicorn and have SSL decryption + decryption certs for every host on your network + rotate
Kevin Beaumont Jan 12
Replying to @GossiTheDog
Check what is at your network border. E.g. if you use Shodan Monitor, it will automatically email you if you’re vulnerable, no extra work required.
GoingSudo Jan 13
Replying to @GossiTheDog
In your experience with using Shodan, if it lists Vulnerabilities under a specific IP and I have checked that the Windows KB update has been applied will it still show that vulnerability or is it more likely that I missed another update I need to apply to secure that IP?
Shodan
It depends on how the vulnerability data is determined. If the vulnerability is implied based on the product name and version, then the website will have a small blurb above the vulnerability information that says "the device may not be impacted by all of these issues..."
Shodan Jan 13
Replying to @GossiTheDog
If the vulnerability has been verified, then you won't see that disclaimer text. Within the data itself we have a property called "verified" which is set to True/False depending on whether the vulnerability was checked by Shodan or whether it was implied based on the metadata.
Shodan Jan 13
Replying to @GossiTheDog
The recent Citrix vulnerability is being verified by Shodan, so if you see it on an IP then you should patch it asap. And you can request a re-scan of that IP via our API or CLI to confirm that it's been patched.
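As an added example (not from the thread, and not Shodan's own tooling), a small Python triage of a Shodan-style host record that separates verified findings from implied ones using the "verified" property the Shodan account describes, so a defender knows which listings mean "patch now" and which mean "check whether the fix is really present". The record layout, the IP and the CVE ids are constructed placeholders.

```python
import json
from typing import Dict, List

# Constructed sample of a Shodan-style host record. Assumption: each banner's
# "vulns" property maps a CVE id to details including a boolean "verified",
# as described in the thread. The CVE ids below are placeholders, not real.
SAMPLE_HOST = json.loads("""
{
  "ip_str": "192.0.2.10",
  "data": [
    {"port": 443, "product": "placeholder-gateway-product",
     "vulns": {
       "CVE-EXAMPLE-0001": {"verified": true,  "cvss": 9.8},
       "CVE-EXAMPLE-0002": {"verified": false, "cvss": 7.5},
       "CVE-EXAMPLE-0003": {"cvss": 5.0}
     }},
    {"port": 22, "product": "placeholder-ssh-product", "vulns": {}}
  ]
}
""")


def triage_vulns(host: dict) -> Dict[str, List[str]]:
    """Split a host record's CVEs into 'verified' (Shodan actively checked
    the issue) and 'implied' (inferred from product/version metadata only).
    A missing "verified" key is treated as implied, the conservative choice."""
    verified, implied = set(), set()
    for banner in host.get("data", []):
        vulns = banner.get("vulns") or {}
        # Some responses carry vulns as a bare list of ids; with no flag
        # available, treat those as implied rather than verified.
        if isinstance(vulns, list):
            implied.update(vulns)
            continue
        for cve, info in vulns.items():
            (verified if info.get("verified") is True else implied).add(cve)
    # A CVE verified on one port should not also be reported as implied.
    implied -= verified
    return {"verified": sorted(verified), "implied": sorted(implied)}


def needs_patch_now(host: dict) -> bool:
    """Verified findings mean patch immediately and re-scan afterwards;
    implied findings mean confirm the fix is installed before trusting or
    dismissing the listing."""
    return bool(triage_vulns(host)["verified"])
```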