Censys Attack Surface Management Release Notes
This page features release notes for the Censys Attack Surface Management (ASM) platform from May 13, 2024 through July 15, 2024. Beginning July 24, 2024, all Censys release notes were moved to the Censys Community.
For ASM release notes prior to May 13, 2024, reference our old release notes article.
July 15, 2024
ASM
- Added an account_id field to web entities. This field surfaces the Cloud Connector account ID that the web entity is associated with.
- Added a search shortcut, an inventory column, and a field on web entity detail pages to use with this data.
Rapid Response
- Vulnerability in Exim MTA could allow malicious email attachments past filters (CVE-2024-39929)
- The following queries can be leveraged to identify Censys-visible public-facing Exim instances running potentially vulnerable versions affected by this CVE.
- Censys Search query for potentially vulnerable exposures: services.software: (product="exim" and version: [* to 4.97.1])
- Censys ASM query for potentially vulnerable exposures: host.services.software: (product="exim" and version: [* to 4.97.1]) or web_entity.instances.software: (product="exim" and version: [* to 4.97.1])
- Censys ASM risk name query: risks.name="Vulnerable Exim Server [CVE-2024-39929]"
New Fingerprints
Type | Name | Category and Severity (for risks) | Description | Censys ASM Query |
risk | Entrust Issued Certificate | Misconfiguration - Low | This service is using a certificate issued by Entrust that will no longer be trusted by Google Chrome starting on October 31, 2024. | risks.name="Entrust Issued Certificate" |
risk | Vulnerable Exim Server [CVE-2024-39929] | Rapid Response (CVE) - High | This Exim mail server is running version 4.97.1 or earlier, which is affected by CVE-2024-39929, a header parsing bug that could potentially allow malicious actors to bypass file extension blocking security measures and potentially send harmful files directly to users' inboxes. | risks.name="Vulnerable Exim Server [CVE-2024-39929]" |
July 8, 2024
ASM
- Added risk fingerprints for the following:
- regreSSHion RCE vulnerability in OpenSSH Server (CVE-2024-6387).
- Exposed Polyfill endpoints.
- More information about finding at-risk assets related to these issues is described below.
Rapid Response
The Censys Rapid Response team published information about and queries for the following issues and vulnerabilities:
- regreSSHion RCE vulnerability in OpenSSH Server (CVE-2024-6387)
- The following queries can be leveraged to identify all Censys-visible, public-facing OpenSSH instances.
- Censys ASM query: host.services.software: (product: "openssh" and version: [8.5 to 9.8})
- Censys ASM Risk query: risks.name="Vulnerable OpenSSH [CVE-2024-6387]"
- Censys Search query: services: (software.product: openssh and software.version: [8.5 to 9.8} and not ssh.endpoint_id.comment: {"Ubuntu-3ubuntu0.10", "Ubuntu-1ubuntu3.6", "Ubuntu-3ubuntu13.3", "Debian-5+deb11u3", "Debian-2+deb12u3", "FreeBSD-20240701"})
- Polyfill.io supply chain attack
- Detection with Censys
- Censys ASM query for exposed hosts referencing the malicious polyfill[.]io domain: host.services.http.response.body:{`https://cdn.polyfill.io`, `https://cdn.polyfill.com`} or web_entity.instances.http.response.body:{`https://cdn.polyfill.io`, `https://cdn.polyfill.com`}
- Censys ASM query for exposed hosts referencing one of the additional potentially associated domains: host.services.http.response.body:{`cdn.bootcdn.net`, `cdn.bootcss.com`, `cdn.staticfile.net`, `cdn.staticfile.org`} or web_entity.instances.http.response.body:{`cdn.bootcdn.net`, `cdn.bootcss.com`, `cdn.staticfile.net`, `cdn.staticfile.org`}
- Censys Search query for exposed hosts referencing the malicious polyfill[.]io domain: services.http.response.body:{`https://cdn.polyfill.io`, `https://cdn.polyfill.com`}
- Censys Search query for exposed hosts referencing one of the additional potentially associated domains: services.http.response.body: {`cdn.bootcdn.net`, `cdn.bootcss.com`, `cdn.staticfile.net`, `cdn.staticfile.org`}
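The Exim, OpenSSH and PHP queries in these notes all rely on Lucene-style version ranges, where `[`/`]` are inclusive bounds, `{`/`}` exclusive bounds and `*` is unbounded. The following Python is an added example (not Censys code) that evaluates such ranges against version strings and then applies the regreSSHion Search query logic, range plus the excluded patched endpoint comments, to SSH banners. It assumes versions can be compared on their leading dotted numeric part (so `9.6p1` compares as 9.6), which is a simplification of whatever matching Censys does server-side; the banners are constructed sample data.

```python
"""Evaluate the version ranges used in the Rapid Response queries above
([8.5 to 9.8}, [* to 4.97.1], [8.3.0 to 8.3.7], ...) against software version
strings, and apply the regreSSHion query logic to SSH banners.

Added example, not Censys code. The SSH banners below are constructed; the
patched endpoint comments are the ones listed in the Censys Search query.
"""
import re
from typing import Optional, Tuple

_RANGE_RE = re.compile(r"^\s*([\[{])\s*(\S+)\s+to\s+(\S+)\s*([\]}])\s*$", re.IGNORECASE)
_BANNER_RE = re.compile(r"^SSH-2\.0-OpenSSH_(\S+)(?:\s+(.+))?$")

# Endpoint comments that the Censys Search query above excludes as back-ported fixes.
PATCHED_COMMENTS = frozenset({
    "Ubuntu-3ubuntu0.10", "Ubuntu-1ubuntu3.6", "Ubuntu-3ubuntu13.3",
    "Debian-5+deb11u3", "Debian-2+deb12u3", "FreeBSD-20240701",
})


def version_key(version: str) -> Tuple[int, ...]:
    """Map '9.6p1' or '4.97.1' to a comparable tuple; non-numeric suffixes are dropped (assumption)."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def in_range(version: str, range_expr: str) -> bool:
    """True if *version* lies inside *range_expr*.

    '[' and ']' are inclusive bounds, '{' and '}' exclusive, '*' is unbounded,
    so '[8.5 to 9.8}' is 8.5 <= v < 9.8 and '[* to 4.97.1]' is v <= 4.97.1.
    """
    m = _RANGE_RE.match(range_expr)
    if not m:
        raise ValueError(f"bad range expression: {range_expr!r}")
    open_b, low, high, close_b = m.groups()
    v = version_key(version)
    if low != "*":
        lo = version_key(low)
        if v < lo or (open_b == "{" and v == lo):
            return False
    if high != "*":
        hi = version_key(high)
        if v > hi or (close_b == "}" and v == hi):
            return False
    return True


def parse_ssh_banner(banner: str) -> Tuple[str, Optional[str]]:
    """Split 'SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3' into (version, comment)."""
    m = _BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError(f"not an OpenSSH banner: {banner!r}")
    return m.group(1), m.group(2)


def regresshion_candidate(banner: str) -> bool:
    """Mirror the Censys Search query for CVE-2024-6387: version in [8.5 to 9.8}
    and the endpoint comment not one of the listed patched distro builds."""
    version, comment = parse_ssh_banner(banner)
    return in_range(version, "[8.5 to 9.8}") and comment not in PATCHED_COMMENTS


# Constructed banners for the demonstration.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3",   # in range, but a listed patched build
    "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2",     # in range, comment not in the patched list
    "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",     # below 8.5, outside the query's range
    "SSH-2.0-OpenSSH_9.8p1",                      # 9.8 is the exclusive upper bound
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b!r:50} candidate={regresshion_candidate(b)}")
    print("Exim 4.97 in [* to 4.97.1]:", in_range("4.97", "[* to 4.97.1]"))
    print("PHP 8.3.8 in [8.3.0 to 8.3.7]:", in_range("8.3.8", "[8.3.0 to 8.3.7]"))
```

The comment exclusion is the part worth copying into any local triage script: a version inside the range is only a candidate, and a distribution that back-ported the fix keeps the old upstream version string, so the banner comment is the only signal that distinguishes patched from unpatched without logging in to the host.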
Fingerprints
Type | Name | Category and Severity (for risks) | Description | Censys ASM Query |
software | NetSupportManager RAT | C2 | A NetSupportManager remote access trojan (RAT) server. | host.services.software:(vendor='NetSupportManager RAT' and product='NetSupportManager RAT') |
software | Poseidon C2 | C2 | A Poseidon C2 Server. | host.services.software:(vendor='Poseidon' and product='Poseidon') |
software | Rod Stealer C2 | C2 | A ROD Stealer C2 Server. | host.services.software:(vendor='ROD Stealer' and product='ROD Stealer') |
software | Saphira Botnet C2 | C2 | A Saphira Botnet Server. | host.services.software:(vendor='Saphira BotNet' and product='Saphira BotNet') |
software | XWiki | Open Source Software | XWiki is an open-source wiki software platform. | host.services.software:(vendor='XWiki' and product='XWiki') |
risk | Exposed Polyfill Supply Chain Attack Endpoint | Rapid Response (CVE) - Medium | This service is embedding code that references the compromised cdn.polyfill[.]io endpoint or related suspicious domains, potentially exposing users to malicious redirects and malware. Note that as of June 27, 2024, the malicious domain is no longer active. | risks.name="Exposed Polyfill Supply Chain Attack Endpoint" |
risk | Vulnerable OpenSSH [CVE-2024-6387] | Rapid Response (CVE) - Critical | This service is running a vulnerable version of OpenSSH susceptible to CVE-2024-6387 which is a reoccurrence of CVE-2006-5051. | risks.name="Vulnerable OpenSSH [CVE-2024-6387]" |
July 1, 2024
ASM
- Receive actionable alerts about changes to your attack surface with Saved Query Automation.
- Saved Query Automation enables you to send an alert to your integrations when an asset is added to or removed from a saved query. For example, you can configure ASM to send alerts when new risks are detected on assets or tags are newly added to assets.
- This initial release features support for email alert delivery. Support for webhooks, Microsoft Teams, Slack, and Webex is forthcoming.
- Learn more in this short lesson in the Censys Academy.
- Saved Query Automation is available to Censys ASM Advanced and Enterprise customers.
- Web entities that are sourced from Cloud Connectors will now be updated multiple times per day. Previously these assets were updated approximately once a day.
- Implemented an update to ensure that non-public assets are not ingested from Cloud Connectors.
Added the following fingerprints:
Type | Name | Category | Description | Censys ASM Query |
software | Elkor Web Management | Web Management Interface | A web-based management platform for managing online content and operations. | host.services.software:(vendor='elkor' and product='Elkor') |
software | MOVEit Transfer SFTP | Managed File Transfer | An SFTP client for the MOVEit managed file transfer service. | host.services.software:(vendor='progress' and product='Progress') |
Rapid Response
The Censys Rapid Response team published information about and queries for the following vulnerability:
- Critical command injection vulnerability in EOL Zyxel NAS models exploited by botnet (CVE-2024-29973)
- The following query can be leveraged to identify all Censys-visible, public-facing Zyxel NAS326 and NAS542 instances. Note that Censys does not have visibility into firmware versions.
June 24, 2024
ASM
- Use relative time variables in ASM search queries to easily find and analyze assets based on dynamic time periods that are relative to the current time.
- Search shortcuts in the ASM inventory have been updated to use relative time variables.
- The following example queries illustrate how to use this functionality.
- Assets discovered today: association_date: [now/d TO *]
- Risk discovered in the past 3 days: risks.discovered_at: [now-3d TO *]
- Domains expiring tomorrow: domain.expiration_date: [* TO now+1d]
- Dynamic assets under management query: (host:* and not host.cdns:*) or (domain.expiration_date: {now/d to *}) or (type: web_entity)
- Added support for Microsoft Databricks to our Azure Cloud Connector.
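To make the relative time variables concrete, here is an added Python example (not Censys code) that resolves expressions like `now/d`, `now-3d` and `now+1d` to timestamps and evaluates the range queries listed above over asset records. It assumes the ASM syntax behaves like Elasticsearch date math (an optional `+`/`-` offset in seconds, minutes, hours, days or weeks, then an optional `/unit` that rounds down to the start of that unit); the asset records and the fixed reference time are constructed.

```python
"""Resolve relative time variables (now/d, now-3d, now+1d) and evaluate
range queries over asset records.

Added example, not Censys code. It assumes the ASM syntax behaves like
Elasticsearch date math: an optional +/- offset in s, m, h, d or w, followed
by an optional /unit that rounds down to the start of that unit. The asset
records and the fixed "now" are constructed for the demonstration.
"""
import re
from datetime import datetime, timedelta, timezone

_DATE_MATH_RE = re.compile(r"^now(?:([+-])(\d+)([smhdw]))?(?:/([smhdw]))?$")
_RANGE_RE = re.compile(r"^\s*([\[{])\s*(\S+)\s+to\s+(\S+)\s*([\]}])\s*$", re.IGNORECASE)
_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}

# Fixed reference time so the example is reproducible (constructed).
DEMO_NOW = datetime(2024, 6, 24, 15, 30, tzinfo=timezone.utc)


def resolve(expr: str, now: datetime) -> datetime:
    """Turn a date-math expression into a concrete timestamp relative to *now*."""
    m = _DATE_MATH_RE.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported date math: {expr!r}")
    sign, amount, unit, rounding = m.groups()
    t = now
    if sign:
        delta = timedelta(**{_UNITS[unit]: int(amount)})
        t = t + delta if sign == "+" else t - delta
    if rounding == "w":  # start of the ISO week (Monday 00:00)
        t = (t - timedelta(days=t.weekday())).replace(hour=0, minute=0, second=0, microsecond=0)
    elif rounding == "d":
        t = t.replace(hour=0, minute=0, second=0, microsecond=0)
    elif rounding == "h":
        t = t.replace(minute=0, second=0, microsecond=0)
    elif rounding == "m":
        t = t.replace(second=0, microsecond=0)
    elif rounding == "s":
        t = t.replace(microsecond=0)
    return t


def _bound(value: str, now: datetime) -> datetime:
    """A range bound is either date math or a literal ISO 8601 timestamp."""
    return resolve(value, now) if value.startswith("now") else datetime.fromisoformat(value)


def in_time_range(ts: datetime, range_expr: str, now: datetime) -> bool:
    """Evaluate '[now-3d TO *]' style ranges; [ ] inclusive, { } exclusive, * unbounded."""
    m = _RANGE_RE.match(range_expr)
    if not m:
        raise ValueError(f"bad range expression: {range_expr!r}")
    open_b, low, high, close_b = m.groups()
    if low != "*":
        lo = _bound(low, now)
        if ts < lo or (open_b == "{" and ts == lo):
            return False
    if high != "*":
        hi = _bound(high, now)
        if ts > hi or (close_b == "}" and ts == hi):
            return False
    return True


def select(records, field: str, range_expr: str, now: datetime = DEMO_NOW):
    """Return the ids of records whose *field* timestamp satisfies the range."""
    hits = []
    for rec in records:
        if field not in rec:
            continue
        if in_time_range(datetime.fromisoformat(rec[field]), range_expr, now):
            hits.append(rec["id"])
    return hits


# Constructed asset records using the field names from the queries above.
SAMPLE_ASSETS = [
    {"id": "host-1", "association_date": "2024-06-24T09:00:00+00:00"},
    {"id": "host-2", "association_date": "2024-06-23T23:59:00+00:00"},
    {"id": "risk-1", "risks.discovered_at": "2024-06-22T12:00:00+00:00"},
    {"id": "risk-2", "risks.discovered_at": "2024-06-20T12:00:00+00:00"},
    {"id": "domain-1", "domain.expiration_date": "2024-06-25T10:00:00+00:00"},
    {"id": "domain-2", "domain.expiration_date": "2024-06-26T10:00:00+00:00"},
]

if __name__ == "__main__":
    print("discovered today:", select(SAMPLE_ASSETS, "association_date", "[now/d TO *]"))
    print("risks in past 3 days:", select(SAMPLE_ASSETS, "risks.discovered_at", "[now-3d TO *]"))
    print("domains expiring by tomorrow:", select(SAMPLE_ASSETS, "domain.expiration_date", "[* TO now+1d]"))
```

The difference between `now/d` and `now-1d` is the usual source of confusion: `now/d` is midnight at the start of the current day, a moving boundary that stays aligned to calendar days, whereas `now-1d` is exactly 24 hours ago. A saved query written with `now/d` therefore returns the same set at 00:05 and at 23:55, which is what you want for daily alerting.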
Added the following fingerprints:
Type | Name | Category | Description | Censys ASM Query |
software | Zyxel NAS326 | Network Device | Entry-level network attached storage device for home and small office use by Zyxel. | host.services.software:(vendor='Zyxel' and product='NAS326') |
software | Zyxel NAS542 | Network Device | Mid-range network attached storage device by Zyxel. | host.services.software:(vendor='Zyxel' and product='NAS542') |
software | ASUS Router | Network Device | Consumer-grade networking router for home and small office use by ASUS. | host.services.software:(vendor='ASUS') |
software | DoomedLoader C2 | C2 | Command-and-control server used by the DoomedLoader malware. | host.services.software:(vendor='DoomedLoader' and product='DoomedLoader') |
software | Kinsing C2 | C2 | Command-and-control server used by the Kinsing malware. | host.services.software:(vendor='Kinsing' and product='Kinsing') |
software | Pupy RAT C2 | C2 | Command-and-control server for Pupy, a remote access trojan. | host.services.software:(vendor='Pupy RAT' and product='Pupy RAT') |
software | Responder | Network Device | Network analysis tool used to monitor and respond to network name resolution requests. | host.services.software:(vendor='Responder' and product='Responder') |
Rapid Response
The Censys Rapid Response team published information about and queries for the following vulnerabilities:
- Heap Overflow Vulnerabilities in VMware vCenter Server (CVE-2024-37079 and CVE-2024-27080)
- ASM exposure query for all Censys-visible vCenter HTTP interfaces: host.services.software: (vendor: VMware and product: vCenter)
- ASM exposure query for all Censys-visible vCenter HTTP interfaces that also run DCE/RPC: host.services.software: (vendor: VMware and product: vCenter) and host.services.service_name: DCERPC
June 17, 2024
ASM
- Added several enhancements to Cloud Connector setup in the ASM console, including better display of error messages and support for multi-select on exclusion dropdown menus.
Added the following fingerprints:
Rapid Response
- Monitoring exploitation of PHP vulnerability CVE-2024-4577
- The Censys Rapid Response team has been tracking active exploitation of this vulnerability. The vulnerability has been rapidly weaponized by the TellYouThePass ransomware group to breach servers and encrypt files since around June 7, 2024. Censys has published a live dashboard tracking publicly exposed infected hosts.
- ASM customers can use the same queries provided in the June 10, 2024 release notes to investigate this issue.
- ASM exposure query for all Censys-visible public-facing PHP instances running potentially vulnerable versions on Windows: host.services.software: (product: PHP and (version: [8.3.0 to 8.3.7] or version: [8.2.0 to 8.2.19] or version: [8.1.0 to 8.1.28] or version: [8.0.0 to 8.1.0] or version: [7.0.0 to 8.0.0] or version: [5.0.0 to 6.0.0])) and host.operating_system.product: Windows
June 10, 2024
Rapid Response
The Censys Rapid Response team published information about and queries for the following vulnerabilities:
- PHP-CGI argument injection vulnerability (CVE-2024-4577)
- ASM exposure query for all Censys-visible public-facing PHP instances running potentially vulnerable versions on Windows: host.services.software: (product: PHP and (version: [8.3.0 to 8.3.7] or version: [8.2.0 to 8.2.19] or version: [8.1.0 to 8.1.28] or version: [8.0.0 to 8.1.0] or version: [7.0.0 to 8.0.0] or version: [5.0.0 to 6.0.0])) and host.operating_system.product: Windows
- Authentication bypass vulnerability in Progress Telerik Report Server (CVE-2024-4358)
- ASM risk query for potentially vulnerable, Censys-visible, public-facing instances of Telerik Report Server: risks.name="Vulnerable Progress Telerik Report Server [CVE-2024-4358]"
- ASM exposure query for all Censys-visible, public-facing Telerik Report Server gateways: host.services.software: (vendor:"Progress Software" and product:"Telerik Report Server") or (web_entity.instances.software.vendor:"Progress Software" and web_entity.instances.software.product:"Telerik Report Server")
June 3, 2024
Censys ASM
- You can now quickly set up and configure AWS, GCP, and Azure hosted cloud connectors using our in-app self-service wizard.
Rapid Response
The Censys Rapid Response team published information about and queries for the following vulnerabilities:
- Unauthenticated remote code execution in South Korean Telesquare Routers (CVE-2024-29269)
- Arbitrary file read in Check Point VPN Gateways (CVE-2024-24919)
- Censys ASM customers can use the following query to check for vulnerable Quantum Spark Gateways in their environment: risks.name="Vulnerable Check Point Quantum Spark Gateway [CVE-2024-24919]"
- Additionally, Censys ASM customers can leverage the queries below to identify all Censys-visible public-facing instances of these three products:
- CloudGuard Network (exposures)
- Quantum Security Gateways (exposures)
- Quantum Spark Appliances (exposures and potentially vulnerable versions)
May 28, 2024
ASM
- You can now quickly set up and configure our Microsoft Teams integration using our self-service wizard in the ASM console.
- Use Labels on Web Entities to quickly identify the web technology on these assets, such as login pages, CDNs, and more.
- These Web Entity Labels are surfaced in a new column in your Inventory.
- Use the following example queries to discover these resources:
- Use the new search shortcut for Web Entity Labels to preview top Label values and more easily build queries using the field.
Rapid Response
- Active exploitation of NextGen Healthcare Mirth Connect platform
- Censys ASM risk search: Censys ASM customers can use the following query to look for all exposed Mirth Connect instances in their network: host.services.software: (product:"Mirth Connect") or (web_entity.instances.software.product:"Mirth Connect")
- Note that this query does not pinpoint vulnerable instances and those leveraging this query will need to further investigate the software versions of Mirth Connect running on their machines.
May 20, 2024
ASM
- The Outdated TLS Version risk has been updated to utilize our tls.version_selected and tls.versions.tls_version fields. This risk is triggered if the highest negotiated version is SSLv3, TLSv1.0, or TLSv1.1, or if the supported versions include any of them.
May 13, 2024
ASM
- You can now quickly set up integrations with the following services using our self-service wizard:
- Cisco Webex Teams
- Censys Rapid Response
- Webhooks
- Microsoft Sentinel
- Tenable Vulnerability Management (VM)
- Qualys Vulnerability Management, Detection & Response (VMDR)
- Atlassian Jira
- ServiceNow IT Service Management
- These additions complement our previously-released self-service support for email and Slack integrations.
- Use TLS version enumeration to see supported TLS versions for a host or web entity instead of just the highest negotiated version.
- This feature enables you to quickly identify assets that support the outdated SSLv3, TLSv1.0, and TLSv1.1 versions. These versions lack the robust encryption and security features of newer versions of TLS, making them susceptible to various types of attacks.
- ASM hosts search for outdated TLS versions: host.services.tls.versions.tls_version: {SSLv3, TLSv1_0, TLSv1_1}
- ASM web entity search for outdated TLS versions: web_entity.instances.tls.versions.tls_version: {SSLv3, TLSv1_0, TLSv1_1}
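The queries above only reach the enumerated versions; the Outdated TLS Version risk (May 20, 2024) combines them with the highest negotiated version. The following Python is an added example (not Censys code) that applies that risk logic to host records and separates out the services a highest-version-only check would have missed. The records are constructed; their nesting mirrors the field paths `tls.version_selected` and `tls.versions.tls_version` but is an assumption about the actual record layout.

```python
"""Apply the Outdated TLS Version risk logic to host records: a service is
flagged if its negotiated version (tls.version_selected) is, or its enumerated
supported versions (tls.versions.tls_version) include, SSLv3, TLSv1.0 or TLSv1.1.

Added example, not Censys code. The host records are constructed and use the
field names from the queries above; the nesting mirrors those field paths but
is an assumption about the record layout.
"""
from typing import List, Set, Tuple

OUTDATED_TLS = frozenset({"SSLv3", "TLSv1_0", "TLSv1_1"})


def outdated_versions(service: dict) -> Set[str]:
    """Outdated versions a service either negotiated or advertises as supported."""
    tls = service.get("tls") or {}
    found = set()
    selected = tls.get("version_selected")
    if selected in OUTDATED_TLS:
        found.add(selected)
    for entry in tls.get("versions", []):
        if entry.get("tls_version") in OUTDATED_TLS:
            found.add(entry["tls_version"])
    return found


def flagged_services(host: dict) -> List[Tuple[int, List[str]]]:
    """(port, sorted outdated versions) for every service on the host that trips the risk."""
    out = []
    for svc in host.get("services", []):
        bad = outdated_versions(svc)
        if bad:
            out.append((svc["port"], sorted(bad)))
    return out


def only_visible_via_enumeration(host: dict) -> List[int]:
    """Ports where the highest negotiated version looks fine but enumeration
    shows an outdated version is still accepted: the case a check on
    version_selected alone would miss."""
    ports = []
    for svc in host.get("services", []):
        tls = svc.get("tls") or {}
        if tls.get("version_selected") not in OUTDATED_TLS and outdated_versions(svc):
            ports.append(svc["port"])
    return ports


def hosts_with_outdated_tls(hosts: List[dict]) -> List[str]:
    """IPs of hosts where the Outdated TLS Version risk would fire."""
    return sorted(h["ip"] for h in hosts if flagged_services(h))


# Constructed records (IPs from the RFC 5737 documentation range).
SAMPLE_HOSTS = [
    {"ip": "192.0.2.10", "services": [
        {"port": 443, "tls": {"version_selected": "TLSv1_3",
                              "versions": [{"tls_version": "TLSv1_3"}, {"tls_version": "TLSv1_2"},
                                           {"tls_version": "TLSv1_0"}]}},
        {"port": 25},  # no TLS data at all
    ]},
    {"ip": "192.0.2.11", "services": [
        {"port": 8443, "tls": {"version_selected": "TLSv1_2",
                               "versions": [{"tls_version": "TLSv1_3"}, {"tls_version": "TLSv1_2"}]}},
    ]},
    {"ip": "192.0.2.12", "services": [
        {"port": 993, "tls": {"version_selected": "TLSv1_1",
                              "versions": [{"tls_version": "TLSv1_1"}, {"tls_version": "SSLv3"}]}},
    ]},
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(host["ip"], flagged_services(host),
              "enumeration-only:", only_visible_via_enumeration(host))
    print("matching hosts:", hosts_with_outdated_tls(SAMPLE_HOSTS))
```

The first sample host is the case enumeration exists for: the scanner's own handshake lands on TLS 1.3, so `version_selected` alone looks clean, yet the service still accepts TLS 1.0 for any client that asks for it. Remediation is the same either way (disable the legacy protocol versions on the listener), but without enumeration that host would never have made the list.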
Rapid Response
The Censys Rapid Response team published information about and queries for the following vulnerabilities:
- Three Cisco ASA and FTD vulnerabilities
- Censys ASM risk search: risks.name="Exposed Cisco Adaptive Security Appliance"
- Four ArubaOS vulnerabilities
- Censys ASM risk search: risks.name="Vulnerable ArubaOS Installation [CVE-2024-26304, CVE-2024-26305, CVE-2024-33511]"
- Tinyproxy use-after-free vulnerability
- Censys ASM risk search: risks.name="Vulnerable Tinyproxy [CVE-2023-49606]"