Vulnerability Regression
5 automated security scanners
Closed CVE Reintroduction
Purpose: The Closed CVE Reintroduction Scanner identifies and alerts on the reintroduction of previously closed Common Vulnerabilities and Exposures (CVEs) by analyzing domain data drawn from threat intelligence feeds. Its goal is to confirm that patches have not regressed and that fixed vulnerabilities have not resurfaced.
What It Detects:
- CVE Pattern Matching: Identifies specific CVEs in exposed services and domain/IP reputation reports using patterns like `CVE-[0-9]{4}-[0-9]+`.
- Malware Indicators: Searches for indicators of malware, ransomware, or trojans using terms such as `malware`, `ransomware`, and `trojan`.
- Command and Control (C2) Activity: Detects references to command and control servers or activity using patterns like `command\s*(?:and|&)\s*control`, `c2`, and `c&c`.
- Phishing and Credential Harvesting: Identifies signs of phishing attempts or credential harvesting efforts with terms such as `phishing` and `credential harvesting`.
- Exposure Indicators: Looks for terms indicating data exposure, unauthorized access, or data dumps, such as `exposed`, `leaked`, `breached`, `unauthorized access`, and `data dump`.
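The patterns above only find CVE identifiers and keywords in feed text; on their own they cannot tell you that a CVE is a regression. The following Python is an added example, not the scanner's own code: it applies the listed patterns to a constructed reputation report for the example domain and compares the CVEs it finds against a constructed set of CVEs the organisation had already closed. The report text, the closed-CVE set and the mapping onto the page's risk levels are assumptions made for the example.

```python
import re

# Patterns listed above. Matching is case-insensitive, and short tokens
# such as "c2" are wrapped in word boundaries so they do not fire on "EC2".
CVE_RE = re.compile(r"CVE-[0-9]{4}-[0-9]+", re.IGNORECASE)
INDICATOR_PATTERNS = {
    "malware": re.compile(r"\b(?:malware|ransomware|trojan)\b", re.IGNORECASE),
    "c2": re.compile(r"\b(?:command\s*(?:and|&)\s*control|c2|c&c)\b", re.IGNORECASE),
    "phishing": re.compile(r"\b(?:phishing|credential harvesting)\b", re.IGNORECASE),
    "exposure": re.compile(
        r"\b(?:exposed|leaked|breached|unauthorized access|data dump)\b", re.IGNORECASE
    ),
}


def scan_report(report: str, closed_cves: set[str]) -> dict:
    """Compare CVEs mentioned in a threat-intel report against the CVEs the
    organisation has already closed.

    A CVE present in both the report and the closed set is a regression,
    which is what this scanner exists to catch. CVEs not in the closed set
    are listed separately so they can be triaged as ordinary new exposure.
    """
    seen = {m.group(0).upper() for m in CVE_RE.finditer(report)}
    closed = {c.upper() for c in closed_cves}
    indicators = {}
    for name, rx in INDICATOR_PATTERNS.items():
        hits = sorted({m.group(0).lower() for m in rx.finditer(report)})
        if hits:
            indicators[name] = hits
    return {
        "reintroduced": sorted(seen & closed),
        "new": sorted(seen - closed),
        "indicators": indicators,
    }


def risk_level(result: dict) -> str:
    """Assumed mapping onto the page's risk levels. Feed text carries no
    information about mitigating controls, so any reintroduction is rated
    Critical here."""
    if result["reintroduced"]:
        return "Critical"
    if result["new"]:
        return "High"
    if result["indicators"]:
        return "Medium"
    return "Info"


# Constructed sample: a reputation/exposure report for the example domain
# and a constructed ticket history of CVEs the team closed earlier.
SAMPLE_REPORT = """\
host www.acme.com port 443 banner Apache/2.4.49
Vulnerable to CVE-2021-41773 (path traversal); also cve-2021-42013.
Reputation: domain seen hosting a phishing page; no malware detected.
Notes: EC2 instance i-0abc; credentials leaked in a data dump.
"""
CLOSED_CVES = {"CVE-2021-41773"}  # constructed: closed in an earlier remediation cycle

if __name__ == "__main__":
    result = scan_report(SAMPLE_REPORT, CLOSED_CVES)
    print(risk_level(result), result)
```

Two details of the sample output are worth noting. `EC2` does not trigger the `c2` indicator because of the word boundaries, but `no malware detected` does trigger the `malware` indicator: keyword matching cannot read negation, so indicator hits are leads for a human to confirm, not findings in themselves.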
Inputs Required:
- domain (string): The primary domain to be analyzed, such as `acme.com`.
Business Impact: This scanner is crucial for maintaining the integrity of patch management by promptly detecting regressed or reintroduced CVEs. A fix that quietly disappears re-exposes systems and networks to vulnerabilities whose exploitation details are already public.
Risk Levels:
- Critical: The scanner identifies a previously closed CVE that has been reintroduced with no mitigating controls in place.
- High: A known vulnerability is present without adequate patch management or security measures implemented.
- Medium: Vulnerabilities are detected but do not pose an immediate threat, requiring attention and planned remediation.
- Low: Minimal risk identified; the scanner detects a low number of indicators that could be addressed in future updates.
- Info: Informational findings about potential vulnerabilities or exposure without significant impact on security posture.
Example Findings: The scanner might flag instances where previously patched CVEs have been reintroduced, potentially exposing systems to known threats such as malware or unauthorized access attempts.
Legacy System Re-exposure
Purpose: The Legacy System Re-exposure Scanner identifies and alerts on the reintroduction of legacy systems, which can bring previously known vulnerabilities back into the environment and pose a significant threat to organizational security.
What It Detects:
- Restored Legacy Systems: Identifies domain activity indicative of restored legacy systems using Shodan API data, specifically looking for patterns such as “legacy,” “archived,” or “retired system.”
- Vulnerable Services Reactivation: Detects reactivated services known to be vulnerable based on CISA KEV and NVD/CVE databases by scanning for specific vulnerability indicators.
- Malware Indicators: Scans domain data for malware-related indicators using the VirusTotal API.
- Command and Control (C2) Activity: Identifies potential C2 activity through language patterns related to command and control operations.
- Phishing and Credential Harvesting: Detects signs of phishing attempts or credential harvesting efforts, which are critical in safeguarding sensitive information.
Inputs Required:
- domain (string): The primary domain to analyze (e.g., acme.com). This is the only input the scanner needs to perform its analysis.
Business Impact: This scanner is crucial as it helps organizations proactively identify and mitigate risks associated with legacy systems that may have been mistakenly restored or reactivated, thereby reducing exposure to known vulnerabilities and potential cyber threats.
Risk Levels:
- Critical: Conditions where the reintroduction of a legacy system poses an immediate threat to critical infrastructure or sensitive data, requiring immediate attention.
- High: Situations where the restoration of a legacy system could lead to significant security breaches or compliance issues, necessitating high priority remediation efforts.
- Medium: Issues that require careful monitoring and possible mitigation strategies due to potential vulnerabilities in reactivated systems but do not pose an immediate critical threat.
- Low: Minor findings that indicate small risks or areas for improvement, which can be addressed as part of ongoing security operations.
- Info: Non-critical observations that provide supplementary information but do not directly impact the core risk profile of the organization.
Example Findings:
- A legacy system identified through its description containing keywords like “legacy” or “archived” has been reactivated, indicating a potential exposure to known vulnerabilities.
- A service detected as having a CVE (Common Vulnerabilities and Exposures) number suggests that the service is running with an unpatched vulnerability, posing a risk if exploited by malicious actors.
Open Source Fork Divergence
Purpose: The Open Source Fork Divergence Scanner identifies security risks associated with outdated or unsupported software versions by detecting unpatched forks, maintenance abandonment, version fragmentation, and known exploited vulnerabilities, and by evaluating the reputation of the domain hosting the project. It helps identify risks that arise from depending on unmaintained or compromised open-source projects.
What It Detects:
- Unpatched Forks: Identifies forks that have not been updated to include recent patches, which can leave known vulnerabilities in place.
  Example pattern: `last commit.*[0-9]{4}-[0-9]{2}-[0-9]{2}.*ago`
- Maintenance Abandonment: Detects projects where the last update was more than a specified time ago, indicating potential abandonment and lack of support.
  Example pattern: `inactive|abandoned|no longer maintained`
- Version Fragmentation: Identifies multiple versions of a project that are not aligned with the latest stable release, which can lead to inconsistent security practices.
  Example pattern: `version\s*[0-9]+\.[0-9]+\.[0-9]+`
- Known Exploited Vulnerabilities (KEV): Checks for known exploited vulnerabilities in the detected software versions using CISA KEV data, highlighting potential security risks.
  Example pattern: `CVE-[0-9]{4}-[0-9]+`
- Domain Reputation: Evaluates the reputation of the domain hosting the project to identify potential malicious activities such as malware or ransomware.
  Example pattern: `malware|ransomware|trojan`
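To show how these patterns turn into a decision rather than a match, here is an added Python example (not the scanner's own code). It parses the last-commit date, compares the release versions it finds with an assumed latest stable release, and checks the CVEs it finds against a tiny offline set standing in for the CISA KEV catalog. The project page text, the 365-day staleness threshold, the latest-stable version, the fixed "today" date and the mapping onto the page's risk levels are all assumptions made for the example.

```python
import re
from datetime import date

# Patterns from the list above, with capture groups added so the matched
# values can be parsed rather than only detected.
LAST_COMMIT_RE = re.compile(
    r"last commit.*?([0-9]{4}-[0-9]{2}-[0-9]{2}).*ago", re.IGNORECASE
)
ABANDONED_RE = re.compile(r"inactive|abandoned|no longer maintained", re.IGNORECASE)
VERSION_RE = re.compile(r"version\s*([0-9]+)\.([0-9]+)\.([0-9]+)", re.IGNORECASE)
CVE_RE = re.compile(r"CVE-[0-9]{4}-[0-9]+", re.IGNORECASE)

STALE_AFTER_DAYS = 365  # assumed threshold for "maintenance abandonment"


def parse_version(text: str) -> tuple[int, int, int]:
    major, minor, patch = text.split(".")
    return int(major), int(minor), int(patch)


def assess_project(page_text: str, latest_stable: str,
                   kev_catalog: set[str], today: date) -> dict:
    """Evaluate one project page for fork-divergence signals and rate it."""
    days_since_commit = None
    m = LAST_COMMIT_RE.search(page_text)
    if m:
        days_since_commit = (today - date.fromisoformat(m.group(1))).days
    stale = days_since_commit is not None and days_since_commit > STALE_AFTER_DAYS
    abandoned = stale or bool(ABANDONED_RE.search(page_text))

    # Version fragmentation: any detected release older than the latest stable.
    latest = parse_version(latest_stable)
    versions = sorted({tuple(int(x) for x in v) for v in VERSION_RE.findall(page_text)})
    behind = [v for v in versions if v < latest]

    # KEV check against an offline catalog subset (assumed shape: set of IDs).
    cves = {c.upper() for c in CVE_RE.findall(page_text)}
    kev_hits = sorted(cves & {k.upper() for k in kev_catalog})

    # Assumed mapping onto the page's risk levels.
    if kev_hits or abandoned:
        risk = "Critical"
    elif behind:
        risk = "High"
    else:
        risk = "Low"
    return {
        "days_since_commit": days_since_commit,
        "abandoned": abandoned,
        "behind_latest": [".".join(map(str, v)) for v in behind],
        "kev_hits": kev_hits,
        "risk": risk,
    }


# Constructed sample project page and assumed reference values.
SAMPLE_PAGE = """\
acme-http-parser (fork of upstream http-parser)
Last commit: 2022-03-14, about 2 years ago
Status: this fork is no longer maintained, please use upstream.
Releases: version 2.9.4, version 2.8.1
Dependencies: log4j-core 2.14.1, affected by CVE-2021-44228
"""
KEV_SUBSET = {"CVE-2021-44228"}  # stand-in for the CISA KEV catalog, embedded offline
LATEST_STABLE = "2.9.4"          # assumed current upstream release
TODAY = date(2024, 6, 1)         # fixed so the example is reproducible

if __name__ == "__main__":
    print(assess_project(SAMPLE_PAGE, LATEST_STABLE, KEV_SUBSET, TODAY))
```

In practice the KEV set would be loaded from the downloaded CISA catalog and the latest stable version looked up from the upstream project; both are embedded here so the example runs offline.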
Inputs Required:
- domain (string): The primary domain to analyze, which is crucial for gathering information about the open-source project hosted on that domain.
Business Impact: This scanner is critical for organizations managing or using open-source software, as it helps in identifying potential risks associated with outdated versions and abandoned projects. By addressing these issues, organizations can mitigate security risks and ensure compliance with regulatory requirements.
Risk Levels:
- Critical: The scanner identifies unpatched forks or significant time since the last update without clear communication from the project maintainers. This is a high-risk scenario as it directly impacts the security of systems relying on these projects.
- High: Multiple versions are detected that do not align with the latest stable release, indicating confusion in version control and potential risks in using such versions.
- Medium: Projects show signs of inactivity but have patches available or clear communication from maintainers about upcoming updates. This is a moderate risk level requiring attention for future planning.
- Low: The domain reputation check shows no significant malicious activities, and the project appears to be actively maintained with regular updates.
- Info: Informational findings such as minor version discrepancies that do not pose immediate risks but are worth monitoring for changes in maintenance practices.
Example Findings:
- A detected unpatched fork of a popular open-source library, which could lead to security vulnerabilities and unauthorized access if exploited.
- An abandoned project with no updates in over two years, posing a risk of unsupported versions being used in production environments without proper patches or upgrades.
Compatibility Patch Bypasses
Purpose: The Compatibility Patch Bypasses Scanner identifies and reports instances where security patches have been disabled or bypassed for compatibility reasons, leaving systems vulnerable to known exploits. It helps organizations assess their exposure and take proactive measures to secure their environments.
What It Detects:
- Disabled Security Patches: Identifies configuration files that explicitly disable security features, often through comments indicating intentional disabling.
- Selective Patching Indicators: Detects logs or documentation that suggest only certain patches are applied while others are skipped, which can leave critical vulnerabilities unaddressed.
- Known Exploited Vulnerabilities (KEV): Checks for known exploited vulnerabilities from the CISA KEV list and identifies systems that remain unpatched despite being potentially vulnerable to exploitation.
- Threat Intelligence Feeds: Utilizes threat intelligence feeds like Shodan, VirusTotal, and AbuseIPDB to detect indicators of compromised services or malicious activities related to open vulnerabilities.
- Configuration File Analysis: Scans local configuration files for patterns that indicate bypasses or overrides of security settings, such as disabling security features through keywords like “disable”, “bypass”, or “override”.
Inputs Required:
- domain (string): The primary domain to analyze, which serves as the scope for vulnerability scanning and threat intelligence collection.
Business Impact: This scanner is crucial for maintaining a robust security posture by identifying and mitigating risks associated with disabled patches and selective patching strategies. It helps organizations avoid potential breaches caused by unpatched vulnerabilities and ensures compliance with security best practices.
Risk Levels:
- Critical: Systems where critical security patches are explicitly disabled or there are indicators of known exploited vulnerabilities that have not been addressed.
- High: Systems showing signs of selective patching, indicating a higher risk of remaining vulnerable to specific exploits due to skipped patches.
- Medium: Systems with potential vulnerabilities that could be mitigated by applying available patches but remain unpatched, posing a medium risk if left unchecked.
- Low: Systems where no significant security patches are disabled or bypasses are detected, generally at lower risk unless other indicators suggest compromise.
- Info: Informational findings regarding configuration file patterns that do not directly impact immediate security risks but can be monitored for future improvements in patch management.
Example Findings:
- A system has a configuration file with the comment “disable firewall”, indicating an intentional bypass of security hardening measures.
- An application log mentions selective patching where only specific patches are mentioned as applied, leaving out critical updates that could close known vulnerabilities.
CI/CD Pipeline
Purpose: The CI/CD Pipeline Vulnerability Scanner evaluates the security posture of the cloud resources behind a Continuous Integration and Continuous Deployment (CI/CD) pipeline by analyzing configurations across AWS, Azure, and GCP. It identifies potential vulnerabilities in S3 bucket settings, IAM policies, Azure Storage accounts, GCP Cloud Storage buckets, and network security settings.
What It Detects:
- S3 Bucket Misconfigurations:
  - Pattern: `BlockPublicAcls.*?false`. Description: Detects buckets whose public access block has been disabled, which allows public ACLs and could lead to unauthorized data exposure.
  - Pattern: `ServerSideEncryptionConfiguration.*?not\s+found`. Description: Matches the error returned when a bucket has no server-side encryption configuration, so that encryption at rest can be confirmed for every bucket.
  - Pattern: `AllUsers`. Description: Identifies ACL grants to the AllUsers group, which makes the bucket or object readable by anyone on the internet.
  - Pattern: `AuthenticatedUsers`. Description: Identifies ACL grants to the AuthenticatedUsers group. This group means any AWS account holder, not only principals in your own account, so such grants are effectively public.
- IAM Policy Vulnerabilities:
  - Pattern: `"Effect":\s*"Allow".*?"Action":\s*"\*"`. Description: Identifies policy statements that allow all actions, granting excessive permissions. Note that the pattern only matches the string form of `Action`; a statement written as `"Action": ["*"]` or using a service wildcard such as `s3:*` is not caught.
  - Pattern: `arn:aws:iam::.*?:root`. Description: Detects policies that reference the account root ARN. In a trust or resource policy this delegates access to every principal in that account, and any active use of the root user itself is a significant risk.
  - Pattern: `CreateDate.*?[0-9]{4}`. Description: Extracts the creation dates of IAM users and roles so that old or unused identities can be identified. The pattern matches any year, so age must be evaluated against the current date before a finding is raised.
- Azure Storage Account Vulnerabilities:
  - Pattern: `"accessTier":\s*"Hot"`. Description: Flags storage accounts using the Hot access tier. The access tier is a cost and performance setting rather than an access control, so treat this as informational.
  - Pattern: `"publicAccess":\s*"Container"`. Description: Detects blob containers with public access set to Container, which allows anonymous read of the blobs and enumeration of the container's contents.
- GCP Cloud Storage Bucket Vulnerabilities:
  - Pattern: `"iamConfiguration":.*?"uniformBucketLevelAccess":.*?"enabled":\s*false`. Description: Detects buckets with uniform bucket-level access disabled, meaning legacy object ACLs still apply alongside IAM and can grant access that the IAM policy does not show.
  - Pattern: `"bindings":.*?"role":\s*"roles/storage.admin"`. Description: Identifies `roles/storage.admin` bindings, which grant full control over buckets and objects and are overly permissive for most principals.
- Network Security Misconfigurations:
  - Pattern: `"securityGroups":.*?"GroupName":\s*".*?default"`. Description: Detects resources attached to a default security group. Default groups commonly allow all traffic between their members and are rarely reviewed.
  - Pattern: `"firewallRules":.*?"direction":\s*"INGRESS".*?"priority":\s*1000`. Description: Flags ingress firewall rules left at priority 1000, the value assigned when a rule is created without an explicit priority, which suggests the rule was never deliberately ordered. Priority alone does not mean the rule allows all traffic; review its source ranges and allowed protocols.
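Running regexes over serialized cloud configuration is brittle: `"Action": ["*"]` or a service wildcard such as `s3:*` does not match the allow-all pattern, and a pretty-printed document can break the `.*?` spans. The following added Python example (not the scanner's own code) checks the same AWS conditions on parsed JSON instead, and runs the page's regex alongside so the difference is visible. The IAM policy, trust policy and bucket record are constructed samples, and the combined bucket record shape (public access block, ACL grants and encryption configuration in one dictionary) is an assumption for the example.

```python
import json
import re

# The page's regex for allow-all statements, kept only to show what it
# misses when "Action" is written as a list.
ALLOW_ALL_RE = re.compile(r'"Effect":\s*"Allow".*?"Action":\s*"\*"')

# S3 ACL predefined groups. AuthenticatedUsers means any AWS account
# holder anywhere, so grants to either group are effectively public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(policy: dict) -> list:
    return _as_list(policy.get("Statement"))


def regex_allow_all_count(policy: dict) -> int:
    """Count statements the page's regex flags when applied per statement."""
    return sum(1 for s in _statements(policy) if ALLOW_ALL_RE.search(json.dumps(s)))


def iam_wildcard_actions(policy: dict) -> list:
    """Allow statements granting '*' or a service wildcard such as 's3:*',
    whether Action is a string or a list."""
    hits = []
    for s in _statements(policy):
        if s.get("Effect") != "Allow":
            continue
        wild = [a for a in _as_list(s.get("Action")) if a == "*" or a.endswith(":*")]
        if wild:
            hits.append({"actions": wild, "resource": s.get("Resource")})
    return hits


def account_root_principals(policy: dict) -> list:
    """Principals of the form arn:aws:iam::<account>:root, which delegate to
    every identity in that account rather than to one role or user."""
    found = []
    for s in _statements(policy):
        principal = s.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else None
        found += [p for p in _as_list(aws) if re.fullmatch(r"arn:aws:iam::\d{12}:root", p)]
    return found


def s3_exposure_issues(bucket: dict) -> list:
    """Check a bucket record (assumed shape combining the public access
    block, ACL grants and encryption configuration) for public exposure."""
    issues = []
    pab = bucket.get("PublicAccessBlockConfiguration") or {}
    issues += [f"public access block {k} disabled" for k in PAB_KEYS if not pab.get(k)]
    for grant in bucket.get("Grants", []):
        group = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI"))
        if group:
            issues.append(f"ACL grants {grant.get('Permission')} to {group}")
    if not bucket.get("ServerSideEncryptionConfiguration"):
        issues.append("no server-side encryption configuration")
    return issues


# Constructed sample inputs (not from any real account).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "arn:aws:s3:::prod-secrets/*"},
    ],
}
SAMPLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:root"}}],
}
SAMPLE_BUCKET = {
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": False, "IgnorePublicAcls": True,
                                       "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "Grants": [{"Grantee": {"Type": "Group",
                            "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
                "Permission": "READ"}],
    "ServerSideEncryptionConfiguration": None,
}

if __name__ == "__main__":
    print("regex flags", regex_allow_all_count(SAMPLE_POLICY), "statement(s);",
          "structured check flags", len(iam_wildcard_actions(SAMPLE_POLICY)))
    print(account_root_principals(SAMPLE_TRUST))
    print(s3_exposure_issues(SAMPLE_BUCKET))
```

On the sample policy the regex flags one statement while the structured check flags two, because the first statement grants `s3:*` inside a list. The same approach applies to the Azure and GCP checks above: load the resource description as JSON and test the fields directly instead of matching their serialized form.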
Inputs Required:
- domain (string): The primary domain to analyze, such as acme.com, providing context for scanning cloud resources.
- github_org (string): The GitHub organization name, like “AcmeCorp,” which helps in identifying repositories and their configurations within the CI/CD pipeline.
Business Impact: Identifying and addressing vulnerabilities detected by this scanner is crucial to ensure that sensitive data remains secure and access controls are strictly enforced across cloud environments. Misconfigurations can lead to unauthorized data exposure, system compromises, and compliance violations, impacting both business operations and reputation.
Risk Levels:
- Critical: Conditions where misconfigurations directly affect root user permissions or allow unrestricted public access to S3 buckets without encryption pose a critical risk to the security of the CI/CD pipeline and its associated data assets.
- High: Policies that grant overly permissive actions, such as allowing all actions on IAM policies, are considered high risk as they can lead to significant unauthorized access issues.
- Medium: Network misconfigurations such as reliance on default security groups or unreviewed firewall rules, which widen the attack surface but do not by themselves expose data the way the critical findings do.
- Low: Minor misconfigurations (for example, an unnecessary storage access tier) that affect cost or hygiene but do not significantly impact security.
- Info: These are generally non-critical issues that provide insights into potential improvements without posing an immediate risk to security.
Example Findings:
- A misconfigured S3 bucket allows public access, which could lead to unauthorized data exposure and compliance violations.
- An IAM policy granting all actions on a critical resource exposes the entire organization’s infrastructure to significant risks through a single compromised account.