
Product Updates

See all of our release notes and learn about helpful features

Censys Release Notes for November 11, 2024

The following enhancements and improvements are now available to Censys ASM and Search customers.

Censys ASM

- Fixed several bugs impacting the displayed risk count in the ASM console. The Overview dashboard, Trends & Benchmarks dashboard widgets, and Asset Inventory now display the correct risk count. You may see a drop in active risks on the Trends & Benchmarks dashboard. This is expected, as Censys is changing how this dashboard is calculating risks.
- On the Risk Instances page in the ASM console, the port, service name, and risk change history are now displayed in the expanded risk display.

Updates to end-of-life software versions in ASM

The end-of-life (EOL) versions for existing risks associated with the following software in ASM have been updated to reflect their most up-to-date EOL versions. The following table provides a complete list of affected software.

| Software | EOL Versions |
| --- | --- |
| MySQL | Versions 5.7 and below, between 8.1 and 8.3, and between 9.0.0 and 9.0.1 are considered end of life. |
| PostgreSQL | Versions 12.2 and below are considered end of life. |
| MariaDB | Versions below 10.3, between 10.7.0 and 10.10.7, and between 11.0.0 and 11.3.2 are considered end of life. |
| MSSQL | Versions 12.0.6449 and below are considered end of life. |
| Elasticsearch | Versions below 7.17 are considered end of life. |
| Kubernetes | Versions 1.29.9 and below are considered end of life. |
| Redis | Versions below 6.2, and between 7.0 and 7.2 are considered end of life. |
| Python | Versions below 3.9 are considered end of life. |
| Exim | Versions below 4.98 are considered end of life. |
| Apache Traffic | Versions below 10.0 are considered end of life. |
| Microsoft IIS | Versions below 10.0 are considered end of life. |
| PHP | Versions below 8.1.0 are considered end of life. |
| OpenSSL | Versions below 3.0.0 are considered end of life. |
| Nginx | Versions below 1.26 are considered end of life. |
| Red Hat JBoss EAP | Versions below 7.0 are considered end of life. |
| ASUS Routers | Added support to identify over 270 end of life ASUS routers. |

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues and vulnerabilities:

- Linear eMerge OS Command Injection [CVE-2024-9441] (Censys Search query, Censys ASM query)
- Microsoft SharePoint Vulnerabilities [CVE-2024-38094 and Others] (Censys Search query, Censys ASM query)
- CyberPanel Command Injection Vulnerabilities [CVE-2024-51567, CVE-2024-51568] (Censys Search query, Censys ASM query)

New Fingerprints

Added or updated the following fingerprints:

| Type | Name | Description | Query |
| --- | --- | --- | --- |
| software | ZFile | This is a ZFile Server. | Search Query |

Related products: Censys Search, Censys Attack Surface Management (ASM)

Censys Release Notes for October 7, 2024

The following enhancements and improvements are now available to Censys ASM and Search customers.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues and vulnerabilities:

14 Bugs in DrayTek Vigor Routers Disclosed: Admin Interfaces Widely Exposed Across Major ISPs [CVE-2024-41592]

- Censys Search query: services: (http.response.status_code=200 and http.request.uri:"/weblogin.htm" and (http.response.html_title:"Vigor" or http.response.favicons.md5_hash="208b1c5af9e2cc7d46e3ec5bf4d12001"))
- Censys ASM query: host.services: (http.response.status_code=200 and http.request.uri:"/weblogin.htm" and (http.response.html_title:"Vigor" or http.response.favicons.md5_hash="208b1c5af9e2cc7d46e3ec5bf4d12001")) or web_entity.instances: (http.response.status_code=200 and http.request.uri:"/weblogin.htm" and (http.response.html_title:"Vigor" or http.response.favicons.md5_hash="208b1c5af9e2cc7d46e3ec5bf4d12001"))
- Censys ASM risk query: risks.name="Exposed DrayTek Vigor Router"

New Protocols

Added support for the following protocols: RLOGIN, NTRIP, PGBOUNCER, WS_DISCOVERY

New Fingerprints

Added or updated the following fingerprints:

| Type | Name | Description | Query |
| --- | --- | --- | --- |
| software | DrayTek VigorConnect Admin Page | This is a DrayTek VigorConnect admin page. | Search Query |
| software | DrayTek Vigor Router | This is a DrayTek Vigor Router. | Search Query |
| risk | Exposed DrayTek Vigor Router | The affected service exposes a DrayTek Vigor router administration interface. This web application can be used to modify router configurations, which makes it a target. | ASM Query |

Related products: Censys Search, Censys Attack Surface Management (ASM)

Censys Release Notes for September 23, 2024

The following enhancements and improvements are now available to Censys ASM and Search customers.

Censys ASM

Use CVE (Common Vulnerabilities and Exposures) risks in Censys ASM to identify software vulnerabilities in your attack surface and understand how critical and exploitable they are, enabling you to respond to the most important risks in your attack surface first and avoid chasing low-risk issues.

This release adds over 5,000 CVE risks to the ASM risk library. Each CVE risk includes Known Exploited Vulnerability (KEV) information, Common Vulnerability Scoring System (CVSS) scores, and attack vector indicators. When a new CVE is cataloged by the National Vulnerability Database (NVD), it becomes discoverable in Censys ASM alongside its CVSS score within 24 hours.

You can adjust the criteria for surfacing CVE risks in your ASM workspace. By default, only CVEs that meet the following criteria are included:

- CVSS score High to Critical
- Present in KEV catalog
- Network Attack Vector

CVE risks are available to all ASM customers. Learn more about CVE risks in ASM in the following video.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues and vulnerabilities:

Advisory: VMware vCenter DCERPC Heap-Overflow RCE [CVE-2024-38812]

To identify potentially vulnerable vCenter instances, the following Censys queries can be used:

- Censys Search query: services.software: (vendor: VMware and product: vCenter)
- Censys ASM query: host.services.software: (vendor: VMware and product: vCenter)

Ivanti Cloud Services Appliance (CSA) Unauthenticated Remote Code Execution Vulnerability [CVE-2024-8963 and CVE-2024-8190]

To identify exposed Ivanti Cloud Services Appliance instances, the following Censys queries can be used:

- Censys Search query: services.http.response.html_title=`Ivanti(R) Cloud Services Appliance`
- Censys ASM query: host.services.http.response.html_title=`Ivanti(R) Cloud Services Appliance` or web_entity.instances.http.response.html_title=`Ivanti(R) Cloud Services Appliance`

New Protocols

Added support for the following protocols:

- Expanded detection of Murmur/Mumble servers: MURMUR Servers (new), MURMUR Tunnels (existing)

New Fingerprints

Added the following fingerprints:

| Type | Name | Description | Query |
| --- | --- | --- | --- |
| software | AutoGPT | This is an AutoGPT Server. | Search Query |
| software | Ivanti Cloud Services Appliance | This is an Ivanti Cloud Services Appliance Server. | Search Query |
| software | Scope Sentry | This is a Scope Sentry Server. | Search Query |
| software | VMware vSphere | This is a VMware vSphere Server. | Search Query |

Related products: Censys Search, Censys Attack Surface Management (ASM)

Censys Release Notes for September 9, 2024

The following enhancements and improvements are now available to Censys ASM and Search customers.

Censys ASM

Accepted risk events now appear in the Microsoft Sentinel risk table via our integration. This enables you to manage a single list of accepted risks in Microsoft Sentinel, instead of two separate lists.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues and vulnerabilities:

Unauthenticated RCE in Veeam Backup & Replication [CVE-2024-40711]

To identify all exposed Veeam Backup & Replication servers, the following Censys queries can be used:

- Censys Search Query: services.software: (vendor: "Veeam" and product: "Backup Server") and not labels: {tarpit, honeypot, truncated}
- Censys ASM Query: host.services.software: (vendor: "Veeam" and product: "Backup Server") or web_entity.instances.software: (vendor: "Veeam" and product: "Backup Server")

Mirai Botnet Variant Targeting Unpatchable AVTECH CCTV Camera Command Injection Vulnerability [CVE-2024-7029]

To identify exposed AVTECH cameras, the following Censys queries can be used:

- Censys Search Query: services.http.response.body:{`/avtech/jpg/left.jpg`, `href="/avtech/favicon.ico"`} or services.http.response.headers: (key: `Server` and value.headers: `Linux/2.x UPnP/1.0 Avtech/1.0`)
- Censys ASM Query: host.services: (software.vendor:"AVTECH" AND software.product:"IP Camera")

New Fingerprints

Added the following fingerprints:

| Type | Name | Description | Query |
| --- | --- | --- | --- |
| software | AVTECH IP Camera | This is an AVTECH IP camera for video surveillance. It's designed for integration into existing networks and provides real-time monitoring. | Search Query |
| software | SpiderFlow | This is a SpiderFlow Server. | Search Query |

Related products: Censys Search, Censys Attack Surface Management (ASM)

Censys Release Notes for September 3, 2024

The following enhancements and improvements are now available to Censys ASM and Search customers.

Censys Search

Quickly identify vulnerable hosts and exposures using the following enhancements for CVE Context in the Censys Search UI:

- Filters in search results: Filter by CVE ID, CVSS Scores, and CISA's KEV catalog in the left navigation panel.
- CVE count in host record preview: See the total number of CVEs for a host at a glance in the host record preview in search results.
- CVE tab and page on host records: View the total number of CVEs associated with a host record via the new CVEs tab. Click this tab to see detailed information about all CVEs detected on a host, sorted by CVSS score and KEV catalog status.

This added visibility in the Search web interface complements the CVE context that was already available in the raw data and via API. The CVE Context dataset is only available to customers who have purchased the add-on for this data. Contact your Censys account team to learn more about acquiring access to this dataset.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues and vulnerabilities:

Versa Director Dangerous File Type Upload Vulnerability [CVE-2024-39717]

To identify potentially all Versa Director instances (versions cannot be detected), the following Censys queries can be used:

- Censys Search Query: services.software: (vendor: Versa and product: Director)
- Censys ASM query: host.services.software: (vendor: Versa and product: Director) or web_entity.instances.software: (vendor: Versa and product: Director)

Progress WhatsUp Gold GetFileWithoutZip Unauthenticated RCE [CVE-2024-4885]

To identify potentially vulnerable Progress WhatsUp Gold instances (please note that not all instances advertise their versions), the following Censys queries can be used:

- Censys Search Query: services.software: (vendor: "Progress" and product: "WhatsUp Gold")
- Censys ASM query: host.services.software: (vendor: "Progress" and product: "WhatsUp Gold") or web_entity.instances.software: (vendor: "Progress" and product: "WhatsUp Gold")

Moodle Calculated Questions RCE [CVE-2024-43425]

To identify potentially vulnerable Moodle instances (the majority do not show their version), the following Censys queries can be used:

- Censys Search Query: services.software.product: Moodle
- Censys ASM Query: host.services.software.product: Moodle or web_entity.instances.software.product: Moodle
- Censys ASM Risk Query: risks.name: "Moodle RCE Vulnerability [CVE-2024-43425]"

New Fingerprints

Added the following fingerprints:

| Type | Name | Description | Query |
| --- | --- | --- | --- |
| software | 7777 Botnet | This is a 7777 Botnet victim. | Search Query |
| software | Cisco Smart Software Manager | This is a Cisco Smart Software Manager Server. | Search Query |
| software | EHR System Jade | Jade EHR system. | Search Query |
| software | Mediscan | Mediscan PACs service. | Search Query |
| software | mGuard | This is an mGuard Server. | Search Query |
| software | Moodle | This is a Moodle Server. | Search Query |
| software | Network Thermostat | This service provides access to a network thermostat. | Search Query |
| software | Progress WhatsUp Gold | This is a Progress WhatsUp Gold Server. | Search Query |
| software | Mobile Security Framework (MobSF) | This is a Mobile Security Framework (MobSF) Server. | Search Query |
| software | Versa Director | This is a Versa Director Server. | Search Query |
| software | Versa Analytics | This is a Versa Analytics Server. | Search Query |
| risk | Mobile Security Framework RCE Vulnerability [CVE-2024-43399] | This is a Mobile Security Framework instance vulnerable to an RCE exploit. | ASM Query |
| risk | Moodle RCE Vulnerability [CVE-2024-43425] | This is a Moodle instance vulnerable to an RCE exploit. | ASM Query |

Related products: Censys Search, Censys Attack Surface Management (ASM)

Censys Release Notes for August 26, 2024

The following enhancements and improvements are now available to Censys ASM and Search customers.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues and vulnerabilities:

Microsoft Windows IPv6 TCP/IP RCE (CVE-2024-38063)

To identify potentially vulnerable non-hosted Windows systems for CVE-2024-38063, you can use the same Censys queries that were shared to track CVE-2024-38077:

- Censys Search Query: services.parsed.dcerpc.endpoints.explained_uuid="3d267954-eeb7-11d1-b94e-00c04fa3080d v1.0"
- Censys ASM Query: host.services.parsed.dcerpc.endpoints.explained_uuid="3d267954-eeb7-11d1-b94e-00c04fa3080d v1.0"
- Censys ASM Risk Query: risks.name="Windows Remote Desktop Licensing Service RCE Vulnerability [CVE-2024-38077]"

New Fingerprints

Added the following fingerprints:

| Type | Name | Description | Query |
| --- | --- | --- | --- |
| software | BrainBoxes Ethernet to Serial | This is a BrainBoxes Ethernet to Serial Device. | Search: services.software: (vendor='BrainBoxes' and product=`Ethernet to Serial`) |
| software | WatchGuard | This is a device running WatchGuard Fireware OS. | Search: services.software: (vendor:'Watchguard' and product:'FireWare') |
| software | WatchGuard Fireware XTM OS | This is a WatchGuard Firewall Device running the XTM OS. | Search: services.software: (vendor:'Watchguard' and product:'FireWare XTM') |
| software | WatchGuard Firewall Implied Device | This is an implied WatchGuard Firewall Device. | Search: services.software: (vendor='WatchGuard' and NOT product:*) |

Related products: Censys Search, Censys Attack Surface Management (ASM)

Censys Release Notes for August 19, 2024

The following enhancements and improvements are now available to Censys ASM and Search customers.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues and vulnerabilities:

Windows Remote Desktop Licensing Service RCE (CVE-2024-38077)

To identify potentially vulnerable non-hosted Windows Remote Desktop Licensing Service instances, the following Censys queries can be used:

- Censys Search Query: services.parsed.dcerpc.endpoints.explained_uuid="3d267954-eeb7-11d1-b94e-00c04fa3080d v1.0"
- Censys ASM Query: host.services.parsed.dcerpc.endpoints.explained_uuid="3d267954-eeb7-11d1-b94e-00c04fa3080d v1.0"
- Censys ASM Risk Query: risks.name="Windows Remote Desktop Licensing Service RCE Vulnerability [CVE-2024-38077]"

Elastic Kibana Prototype Tainting RCE (CVE-2024-37287)

To identify potentially vulnerable Kibana instances, the following Censys queries can be used (note that these queries do not filter by version):

- Censys Search Query: services.software: (vendor: "Elastic" and product: "Kibana")
- Censys ASM Query: host.services.software: (vendor: "Elastic" and product: "Kibana")
- Censys ASM Risk Query: risks.name: "Elastic Kibana RCE Vulnerability [CVE-2024-37287]"

New Fingerprints

Added the following fingerprints:

| Type | Name | Description | Query |
| --- | --- | --- | --- |
| risk | Windows Remote Desktop Licensing Service RCE Vulnerability [CVE-2024-38077] | This service is running a vulnerable version of Windows Remote Desktop Licensing Service susceptible to CVE-2024-38077. | ASM: risks.name: `Windows Remote Desktop Licensing Service RCE Vulnerability [CVE-2024-38077]` |
| risk | Elastic Kibana RCE Vulnerability [CVE-2024-37287] | This service is running a vulnerable version of Elastic Kibana susceptible to CVE-2024-37287. | ASM: risks.name: `Elastic Kibana RCE Vulnerability [CVE-2024-37287]` |
| software | Elastic Kibana | This is an Elastic Kibana Server. | Search: services.software: (vendor:'elastic' and product:'kibana') |
| software | Ivanti Virtual Traffic Manager | Ivanti Virtual Traffic Manager (vTM) is a software-based application delivery controller (ADC) and load balancer for managing application traffic. | Search: services.software: (vendor:'ivanti' and product:'virtual_traffic_manager') |
| label | Suspended | This shows indications of being a suspended server. | labels: `suspended` |

Related products: Censys Search, Censys Attack Surface Management (ASM)

Censys Release Notes for August 12, 2024

The following enhancements and improvements are now available to Censys ASM and Search customers.

Censys ASM

- Updated the subject lines, visual styling, footers, and interactive components of email alerts sent from Censys ASM to provide a more consistent, descriptive, and accurate experience.
- Deployed an improvement to the domain lookup process to enhance the detection of domains associated with an organization's attack surface.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues and vulnerabilities:

The DigiCert DCV Bug: Implications and Industry Impact

- Censys ASM customers can identify services that are actively using an impacted certificate within their workspaces by querying for the new low severity risk named "Certificate Affected by DigiCert July 2024 Revocation Incident".
- Users of our Search feature can find hosts with affected certificates by querying labels=digicert-revoked-dcv. To refine the results for your specific domains, adjust this query to filter on services.tls.certificates.leaf_data.names.

Jenkins arbitrary file read vulnerability through agent connections can lead to RCE (CVE-2024-43044)

- Censys Search Query for all exposed Jenkins instances: services.software: (product: jenkins and product: jenkins). Note that this does not pinpoint vulnerable versions.
- Censys ASM query for potentially vulnerable Jenkins: risks.name="Jenkins Vulnerability [CVE-2024-43044]"

New Protocols

Added support for the following protocols: SER2NET, NBD, WEBLOGIC_T3, SPICE, ONVIF, HIKVISION

New Fingerprints

Added the following fingerprints:

| Type | Name | Description | ASM Query |
| --- | --- | --- | --- |
| risk | Certificate Affected by DigiCert July 2024 Revocation Incident | This service is using one or more DigiCert certificates impacted by the July 2024 DigiCert revocation incident. The issue stemmed from improper CNAME-based Domain Validation for certain certificates. These certificates are scheduled for revocation and may be marked as unsafe, which could lead to service interruptions or loss of trust. | risks.name: 'Certificate Affected by DigiCert July 2024 Revocation Incident' |
| risk | Jenkins Vulnerability [CVE-2024-43044] | Arbitrary file read vulnerability through agent connections can lead to RCE. | risks.name= 'Jenkins Vulnerability [CVE-2024-43044]' |

Related products: Censys Search, Censys Attack Surface Management (ASM)

Censys Release Notes for August 5, 2024

The following enhancements and improvements are now available to Censys ASM and Search customers.

Censys ASM

Added the ability to execute Saved Queries from the CLI.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues and vulnerabilities:

Multiple ServiceNow server-side template injection vulnerabilities (CVE-2024-4879, CVE-2024-5178, and CVE-2024-5217)

For identifying potentially vulnerable non-hosted ServiceNow instances, the following Censys queries can be used:

- Censys Search Query: services: (software.product="ServiceNow" OR http.response.headers: (key: `Server` and value.headers: `ServiceNow`)) and not autonomous_system.name="SNC" and not name:".service-now." and not labels=`tarpit`
- Censys ASM query: host.services: (software.product:"ServiceNow" OR http.response.headers: (key: `Server` and value.headers: `ServiceNow`)) or web_entity.instances: (software.product:"ServiceNow" OR http.response.headers: (key: `Server` and value.headers: `ServiceNow`)) and not (host.services.labels=`tarpit` or web_entity.instances.labels=`tarpit`)

New Protocols

Added support for the following protocols: NMEA HID VertX UDP DTLS

New Fingerprints

Added the following fingerprints:

| Type | Name | Description | Censys Search Query |
| --- | --- | --- | --- |
| label | Bulletproof Hosting | This is a host that is associated with bulletproof hosting. | labels: `bulletproof` |
| software | Ignite Realtime Openfire | This is an Ignite Realtime Openfire Server. | services.software: (vendor:'igniterealtime' and product:'openfire') |
| software | Oracle Opera | This is an Oracle Opera Server. | services.software: (vendor:'oracle' and product:'opera') |
| software | PoCBox | This is a PoCBox Server. | services.software: (vendor:'pocbox' and product:'pocbox') |
| software | ServiceNow | This is a ServiceNow Server. | services.software: (vendor:'servicenow' and product:'servicenow') |
| software | SonicWall Secure Mobile Access | This is a SonicWall Secure Mobile Access Device. | services.software: (vendor:'sonicwall' and product:'secure_mobile_access') |
| software | v2rayA | This is a v2rayA Server. | services.software: (vendor:'v2raya' and product:'v2raya') |
| software | VMware Spring Cloud Gateway | This is a VMware Spring Cloud Gateway Server. | services.software: (vendor:'vmware' and product:'spring_cloud_gateway') |

Related products: Censys Search, Censys Attack Surface Management (ASM)

Censys Release Notes for July 29, 2024

The following enhancements and improvements are now available to Censys ASM and Search customers.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues and vulnerabilities:

Progress Telerik Report Server RCE (CVE-2024-6327)

The following queries can be leveraged to identify all Censys-visible, public-facing Telerik Report Server instances. Please note that only the ASM Risk checks for the vulnerability while the other queries look for exposures.

- Censys Search query: services.software: (vendor: "Progress" and product: "Telerik Report Server")
- Censys ASM query: host.services.software: (vendor: "Progress" and product: "Telerik Report Server") or web_entity.instances.software: (vendor: "Progress" and product: "Telerik Report Server")
- Censys ASM Risk query: risks.name="Vulnerable Progress Telerik Report Server [CVE-2024-6327]"

New Protocols

Added support for scanning the following protocols: CHROMECAST, Ventrilo, DVR_IP, SCPI, TIBIA, TUYA, APACHE_JSERV, APPLE_AIRPORT_ADMIN

New Fingerprints

Added the following fingerprints:

| Type | Name | Category and Severity (for risks) | Description | Censys Search Query | Censys ASM Query |
| --- | --- | --- | --- | --- | --- |
| label | Usenet | | This is a Usenet service. | labels: `usenet` | |
| risk | Vulnerable Apache HTTP Server [CVE-2024-40725] | Rapid Response - CVE - Medium | This Apache HTTP server is running a version vulnerable to CVE-2024-40725. However, the vulnerability depends on the configuration of the server and may allow a remote attacker to access source code. | n/a | risks.name: `Vulnerable Apache HTTP Server [CVE-2024-40725]` |
| risk | Vulnerable Progress Telerik Report Server [CVE-2024-6327] | Rapid Response - CVE - Critical | This is a Telerik Report server running a version prone to an insecure deserialization vulnerability that could be leveraged to gain RCE. This affects Report Server version 2024 Q2 (10.1.24.709) and earlier. | n/a | risks.name: `Vulnerable Progress Telerik Report Server [CVE-2024-6327]` |
| software | Bazarr | | This is a Bazarr Server. | services.software: (vendor='bazarr' and product='bazarr') | |

Related products: Censys Search, Censys Attack Surface Management (ASM)

Censys Release Notes for July 24, 2024

The following enhancements and improvements are now available to Censys ASM and Search customers.

Censys ASM

- You can now use Saved Query Automation with our Microsoft Teams, Slack, and Webex integrations to receive actionable alerts about changes to your attack surface. This update builds upon the support for email alert delivery with Saved Query Automation released in early July. Learn more about Saved Query Automation in this short lesson in the Censys Academy. Saved Query Automation for Microsoft Teams, Slack, and Webex is available to Censys ASM Enterprise customers. Saved Query Automation for email is available to all ASM customers.
- Use our new ServiceNow Vulnerability Response (VR) integration to incorporate Censys data into your existing risk prioritization workflow and send Censys-discovered assets and risks to ServiceNow VR.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues and vulnerabilities:

Vulnerability in GeoServer GeoTools mapping toolkit enables RCE (CVE-2024-36401)

The following queries can be leveraged to identify all Censys-visible, public-facing GeoServer instances. Note that this does not pinpoint all vulnerable versions, just instances that display their version.

- Censys Search query: services.software: (vendor: "GeoServer" and product: "GeoServer")
- Censys ASM query: host.services.software: (vendor: "GeoServer" and product: "GeoServer" ) or (web_entity.instances.software.vendor: "GeoServer" and web_entity.instances.software.product: "GeoServer")
- Censys ASM Risk query: risks.name="Vulnerable GeoServer [CVE-2024-36401]"

Vulnerability in Apache HTTP Server (CVE-2024-40725 and CVE-2024-40898)

The following queries can be leveraged to identify all Censys-visible, public-facing Apache HTTP Server instances that may potentially be vulnerable to either CVE-2024-40725 or CVE-2024-40898. The ASM Risk query only covers CVE-2024-40725.

- Censys Search query: services.software: (vendor: "Apache" and product: "HTTPD" and version: [2.4.0 to 2.4.61])
- Censys ASM query: host.services.software: (vendor: "Apache" and product: "HTTPD" and version: [2.4.0 to 2.4.61]) or web_entity.instances.software: (vendor: "Apache" and product: "HTTPD" and version: [2.4.0 to 2.4.61])
- Censys ASM Risk query: risks.name="Vulnerable Apache HTTP Server [CVE-2024-40725]"

Unauthenticated XXE Vulnerability in Adobe Commerce could lead to site compromise and sensitive data exposure (CVE-2024-34102)

The following queries can be leveraged to identify all Censys-visible, public-facing Adobe Commerce/Magento instances. Note that this identifies the software product associated with this advisory but does not pinpoint vulnerable instances. Further version confirmation will be necessary upon discovery.

- Censys Search query: services.software: (vendor:"Adobe" and product:"Magento")
- Censys ASM query: host.services.software: (vendor:"Adobe" and product:"Magento") or web_entity.instances.software: (vendor:"Adobe" and product:"Magento")

Feature Spotlight: CVE Context in Censys Search

CVE Context in Censys Search is a new add-on data module available to Censys Search customers using the Pro tier and above. Common Vulnerabilities and Exposures (CVE) data is a critical resource for threat hunters and security practitioners. CVE Context in Censys Search gives you the information you need to stay informed about the threat landscape and protect your organization.

This dataset includes a plethora of CVE-related fields that you can leverage, including CVE ID, Attack Complexity, Attack Vector, Privileges Required, CVSS score, and KEV information. A comprehensive list of the fields in the dataset is available in our documentation.

To get access to the CVE Context in Search dataset, contact your Censys account team representative.

We have put together a video and a short lesson on the Censys Academy to illustrate the use-cases for CVE Context and help you get started using it. The video is embedded below and the lesson is accessible here.

Additionally, here are some example use-cases and attendant queries that use the CVE Context components available with this add-on:

- Find hosts with critical-scored vulnerabilities with low attack complexity ratings: cves.cvss.score: [9 to 10] and cves.cvss.components.attack_complexity="LOW"
- Hosts with known exploited vulnerabilities added within the past month: cves.kev.date_added: [now-1M to *]
- Hosts with critical vulnerabilities that attackers can easily exploit: cves.cvss.score: [9 to 10] and cves.cvss.components.privileges_required="NONE" and cves.cvss.components.attack_complexity="LOW"

Consider combining these queries with IP ranges or other information to focus the results on resources you are concerned about.

Related products: Censys Search

Censys Release Notes for July 15, 2024

The following enhancements and improvements are now available to Censys ASM and Search customers.

Censys ASM

Added an account_id field to web entities. This field surfaces the Cloud Connector account ID that the web entity is associated with. Added a search shortcut, an inventory column, and a field on web entity detail pages to show this data.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues and vulnerabilities:

Vulnerability in Exim MTA could allow malicious email attachments past filters (CVE-2024-39929)

The following queries can be leveraged to identify Censys-visible public-facing Exim instances running potentially vulnerable versions affected by this CVE.

- Censys Search query for potentially vulnerable exposures: services.software: (product="exim" and version: [* to 4.97.1])
- Censys ASM query for potentially vulnerable exposures: host.services.software: (product="exim" and version: [* to 4.97.1]) or web_entity.instances.software: (product="exim" and version: [* to 4.97.1])
- Censys ASM risk name query: risks.name="Vulnerable Exim Server [CVE-2024-39929]"

New Fingerprints

| Type | Name | Category and Severity (for risks) | Description | Censys Search Query | Censys ASM Query |
| --- | --- | --- | --- | --- | --- |
| risk | Entrust Issued Certificate | Misconfiguration - Low | This service is using a certificate issued by Entrust that will no longer be trusted by Google Chrome starting on October 31, 2024. | n/a | risks.name="Entrust Issued Certificate" |
| risk | Vulnerable Exim Server [CVE-2024-39929] | Rapid Response (CVE) - High | This Exim mail server is running version 4.97.1 or earlier, which is affected by CVE-2024-39929, a header parsing bug that could potentially allow malicious actors to bypass file extension blocking security measures and potentially send harmful files directly to users' inboxes. | n/a | risks.name="Vulnerable Exim Server [CVE-2024-39929]" |

Related products: Censys Search, Censys Attack Surface Management (ASM)

Censys Release Notes for July 8, 2024

The following enhancements and improvements are now available to Censys ASM and Search customers.

Censys ASM

Added risks for the following:
- RegreSSHion RCE vulnerability in OpenSSH Server (CVE-2024-6387)
- Exposed Polyfill endpoints

More information about finding at-risk assets related to these issues is described below.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues and vulnerabilities:

regreSSHion RCE vulnerability in OpenSSH Server (CVE-2024-6387)

The following queries can be leveraged to identify all Censys-visible public-facing OpenSSH instances.

Censys Search query:
services: (software.product: openssh and software.version: [8.5 to 9.8} and not ssh.endpoint_id.comment: {"Ubuntu-3ubuntu0.10", "Ubuntu-1ubuntu3.6", "Ubuntu-3ubuntu13.3", "Debian-5+deb11u3", "Debian-2+deb12u3", "FreeBSD-20240701"})

Censys ASM query:
host.services.software: (product: "openssh" and version: [8.5 to 9.8})

Censys ASM Risk query:
risks.name="Vulnerable OpenSSH [CVE-2024-6387]"

Polyfill.io supply chain attack

Detection with Censys

Censys Search query for exposed hosts referencing the malicious polyfill[.]io domain:
services.http.response.body:{`https://cdn.polyfill.io`, `https://cdn.polyfill.com`}

Censys Search query for exposed hosts referencing one of the additional potentially associated domains:
services.http.response.body: {`cdn.bootcdn.net`, `cdn.bootcss.com`, `cdn.staticfile.net`, `cdn.staticfile.org`}

Censys ASM query for exposed hosts referencing the malicious polyfill[.]io domain:
host.services.http.response.body:{`https://cdn.polyfill.io`, `https://cdn.polyfill.com`} or web_entity.instances.http.response.body:{`https://cdn.polyfill.io`, `https://cdn.polyfill.com`}

Censys ASM query for exposed hosts referencing one of the additional potentially associated domains:
host.services.http.response.body:{`cdn.bootcdn.net`, `cdn.bootcss.com`, `cdn.staticfile.net`, `cdn.staticfile.org`} or web_entity.instances.http.response.body:{`cdn.bootcdn.net`, `cdn.bootcss.com`, `cdn.staticfile.net`, `cdn.staticfile.org`}

New Fingerprints

Added the following fingerprints:

| Type | Name | Category | Description | Censys Search Query |
| --- | --- | --- | --- | --- |
| software | NetSupportManager RAT | C2 | A NetSupportManager remote access trojan (RAT) server. | services.software:(vendor='NetSupportManager RAT' and product='NetSupportManager RAT') |
| software | Poseidon C2 | C2 | A Poseidon C2 Server. | services.software:(vendor='Poseidon' and product='Poseidon') |
| software | Rod Stealer C2 | C2 | A ROD Stealer C2 Server. | services.software:(vendor='ROD Stealer' and product='ROD Stealer') |
| software | Saphira Botnet C2 | C2 | A Saphira Botnet Server. | services.software:(vendor='Saphira BotNet' and product='Saphira BotNet') |
| software | XWiki | Open Source Software | XWiki is an open-source wiki software platform. | services.software:(vendor='XWiki' and product='XWiki') |

Added the following risk fingerprints to ASM:

| Type | Name | Category and Severity | Description | Censys ASM Query |
| --- | --- | --- | --- | --- |
| risk | Exposed Polyfill Supply Chain Attack Endpoint | Rapid Response (CVE) - Medium | This service is embedding code that references the compromised cdn.polyfill[.]io endpoint or related suspicious domains, potentially exposing users to malicious redirects and malware. Note that as of June 27, 2024, the malicious domain is no longer active. | risks.name="Exposed Polyfill Supply Chain Attack Endpoint" |
| risk | Vulnerable OpenSSH CVE-2024-6387 | Rapid Response (CVE) - Critical | This service is running a vulnerable version of OpenSSH susceptible to CVE-2024-6387 which is a reoccurrence of CVE-2006-5051. | risks.name="Vulnerable OpenSSH [CVE-2024-6387]" |
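The version range and comment exclusions in the OpenSSH Search query above can be mirrored locally to triage SSH banners you have already collected from your own hosts. This is an added example, not Censys code: the function names and sample banners are constructed, and comparing major.minor as integers is an assumption about how the range is meant to be read.

```python
import re

# Patched distro builds that the page's Search query excludes by banner comment.
PATCHED_COMMENTS = {
    "Ubuntu-3ubuntu0.10", "Ubuntu-1ubuntu3.6", "Ubuntu-3ubuntu13.3",
    "Debian-5+deb11u3", "Debian-2+deb12u3", "FreeBSD-20240701",
}
# [8.5 to 9.8}: square bracket = inclusive lower bound, brace = exclusive upper bound.
LOW, HIGH = (8, 5), (9, 8)

# SSH identification string: SSH-<proto>-OpenSSH_<major>.<minor>[pN][ <comment>]
BANNER_RE = re.compile(r"^SSH-\d+\.\d+-OpenSSH_(\d+)\.(\d+)(?:p\d+)?(?: (\S+))?$")

def classify(banner):
    """Return 'unparsed', 'out-of-range', 'patched-build' or 'review'."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return "unparsed"
    # Compare as integer tuples, not floats or strings, so 9.10 would sort after 9.8.
    version = (int(m.group(1)), int(m.group(2)))
    if not (LOW <= version < HIGH):
        return "out-of-range"
    if (m.group(3) or "") in PATCHED_COMMENTS:
        return "patched-build"
    return "review"

def triage(banners):
    """Group banners by classification so the 'review' set can be checked first."""
    groups = {}
    for banner in banners:
        groups.setdefault(classify(banner), []).append(banner)
    return groups

# Constructed sample banners (not real scan data).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3",  # in range, listed patched build
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",    # in range, comment not on the list
    "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3",    # in range, listed patched build
    "SSH-2.0-OpenSSH_8.5p1",                     # lower bound is inclusive
    "SSH-2.0-OpenSSH_9.8",                       # upper bound is exclusive
    "SSH-2.0-dropbear_2022.83",                  # not an OpenSSH banner
]

if __name__ == "__main__":
    for label, items in triage(SAMPLE_BANNERS).items():
        print(label, items)
```

A banner in the `review` group only means the version string falls in the flagged range without a listed patched comment; confirm the installed package version before treating the host as vulnerable.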
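For checking your own pages against the Polyfill domains in the queries above, the following added example (not Censys code) parses an HTML body and reports which listed hosts are actually loaded by `script` or `link` tags. It is narrower than a body substring match: a domain that only appears in visible text is not reported. The function name and sample HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains taken from the page's queries.
PRIMARY = {"cdn.polyfill.io", "cdn.polyfill.com"}
ASSOCIATED = {"cdn.bootcdn.net", "cdn.bootcss.com",
              "cdn.staticfile.net", "cdn.staticfile.org"}

class RefCollector(HTMLParser):
    """Collect hostnames from src/href attributes of script and link tags."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "link"):
            return
        for name, value in attrs:
            if name in ("src", "href") and value:
                # urlsplit also resolves protocol-relative URLs (//host/path);
                # relative paths have no hostname and are skipped.
                host = urlsplit(value.strip()).hostname
                if host:
                    self.hosts.add(host.lower())

def scan_body(body):
    """Return the listed domains that the HTML body loads resources from."""
    parser = RefCollector()
    parser.feed(body)
    parser.close()
    return {
        "primary": sorted(parser.hosts & PRIMARY),
        "associated": sorted(parser.hosts & ASSOCIATED),
    }

# Constructed sample response body (not real scan data).
SAMPLE_BODY = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="//cdn.bootcss.com/jquery/3.4.1/jquery.min.js"></script>
<link rel="stylesheet" href="/static/site.css">
</head><body><p>We removed cdn.staticfile.org last week.</p></body></html>"""

if __name__ == "__main__":
    print(scan_body(SAMPLE_BODY))
```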

Related products: Censys Search, Censys Attack Surface Management (ASM)

Censys Release Notes for July 1, 2024

The following enhancements and improvements are now available to Censys ASM and Search customers.

Censys ASM

- Receive actionable alerts about changes to your attack surface with Saved Query Automation. Saved Query Automation enables you to send an alert to your integrations when an asset is added to or removed from a saved query. For example, you can configure ASM to send alerts when new risks are detected on assets or tags are newly added to assets. This initial release features support for email alert delivery. Support for webhooks, Microsoft Teams, Slack, and Webex is forthcoming. Learn more in this short lesson in the Censys Academy. Saved Query Automation is available to Censys ASM Advanced and Enterprise customers.
- Web entities that are sourced from Cloud Connectors will now be updated multiple times per day. Previously these assets were updated approximately once a day.
- Implemented an update to ensure that non-public assets are not ingested from Cloud Connectors.

Rapid Response

The Censys Rapid Response team published information about and queries for the following vulnerability:

Critical command injection vulnerability in EOL Zyxel NAS models exploited by botnet (CVE-2024-29973)

The following query can be leveraged to identify all Censys-visible, public-facing Zyxel NAS326 and NAS542 instances. Note that Censys does not have visibility into firmware versions.

Censys Search query:
services.software: (vendor: "Zyxel" and product: {"NAS326", "NAS542"})

Censys ASM query:
host.services.software: (vendor: "Zyxel" and product: {"NAS326", "NAS542"}) or web_entity.instances.software: (vendor:"Zyxel" and product:{"NAS326", "NAS542"})

Search and ASM Fingerprints

Added the following fingerprints:

| Type | Name | Category | Description | Censys Search Query | Censys ASM Query |
| --- | --- | --- | --- | --- | --- |
| software | Elkor Web Management | Web Management Interface | A web-based management platform for managing online content and operations. | services.software:(vendor='elkor' and product='Elkor') | host.services.software:(vendor='elkor' and product='Elkor') |
| software | MOVEit Transfer SFTP | Managed File Transfer | An SFTP client for the MOVEit managed file transfer service. | services.software:(vendor='progress' and product='Progress') | host.services.software:(vendor='progress' and product='Progress') |

Related products: Censys Search, Censys Attack Surface Management (ASM)