
Product Updates

See all of our release notes and learn about helpful features


Feature Spotlight: CVE Context in Censys Search

CVE Context in Censys Search is a new add-on data module available to Censys Search customers using the Pro tier and above. Common Vulnerabilities and Exposures (CVE) data is a critical resource for threat hunters and security practitioners. CVE Context in Censys Search gives you the information you need to stay informed about the threat landscape and protect your organization.

This dataset includes a plethora of CVE-related fields that you can leverage, including CVE ID, Attack Complexity, Attack Vector, Privileges Required, CVSS score, and KEV information. A comprehensive list of the fields in the dataset is available in our documentation.

To get access to the CVE Context in Search dataset, contact your Censys account team representative.

We have put together a video and a short lesson on the Censys Academy to illustrate the use-cases for CVE Context and help you get started using it. The video is embedded below and the lesson is accessible here.

Additionally, here are some example use-cases and attendant queries that use the CVE Context components available with this add-on:

Find hosts with critical-scored vulnerabilities with low attack complexity ratings:

    cves.cvss.score: [9 to 10] and cves.cvss.components.attack_complexity="LOW"

Hosts with known exploited vulnerabilities added within the past month:

    cves.kev.date_added: [now-1M to *]

Hosts with critical vulnerabilities that attackers can easily exploit:

    cves.cvss.score: [9 to 10] and cves.cvss.components.privileges_required="NONE" and cves.cvss.components.attack_complexity="LOW"

Consider combining these queries with IP ranges or other information to focus the results on resources you are concerned about.

Related products: Censys Search

Censys Release Notes for July 15, 2024

The following enhancements and improvements are now available to Censys ASM and Search customers.

Censys ASM

- Added an account_id field to web entities. This field surfaces the Cloud Connector account ID that the web entity is associated with.
- Added a search shortcut, an inventory column, and a field on web entity detail pages to show this data.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues and vulnerabilities:

Vulnerability in Exim MTA could allow malicious email attachments past filters (CVE-2024-39929)

The following queries can be leveraged to identify Censys-visible public-facing Exim instances running potentially vulnerable versions affected by this CVE.

Censys Search query for potentially vulnerable exposures:

    services.software: (product="exim" and version: [* to 4.97.1])

Censys ASM query for potentially vulnerable exposures:

    host.services.software: (product="exim" and version: [* to 4.97.1]) or web_entity.instances.software: (product="exim" and version: [* to 4.97.1])

Censys ASM risk name query:

    risks.name="Vulnerable Exim Server [CVE-2024-39929]"

New Fingerprints

| Type | Name | Category and Severity (for risks) | Description | Censys Search Query | Censys ASM Query |
| --- | --- | --- | --- | --- | --- |
| risk | Entrust Issued Certificate | Misconfiguration - Low | This service is using a certificate issued by Entrust that will no longer be trusted by Google Chrome starting on October 31, 2024. | n/a | risks.name="Entrust Issued Certificate" |
| risk | Vulnerable Exim Server [CVE-2024-39929] | Rapid Response (CVE) - High | This Exim mail server is running version 4.97.1 or earlier, which is affected by CVE-2024-39929, a header parsing bug that could potentially allow malicious actors to bypass file extension blocking security measures and potentially send harmful files directly to users' inboxes. | n/a | risks.name="Vulnerable Exim Server [CVE-2024-39929]" |

Related products: Censys Search, Censys Attack Surface Management (ASM)

Censys Release Notes for July 8, 2024

The following enhancements and improvements are now available to Censys ASM and Search customers.

Censys ASM

Added risks for the following:

- RegreSSHion RCE vulnerability in OpenSSH Server (CVE-2024-6387)
- Exposed Polyfill endpoints

More information about finding at-risk assets related to these issues is described below.

Rapid Response

The Censys Rapid Response team published information about and queries for the following issues and vulnerabilities:

regreSSHion RCE vulnerability in OpenSSH Server (CVE-2024-6387)

The following queries can be leveraged to identify all Censys-visible public-facing OpenSSH instances.

Censys Search query:

    services: (software.product: openssh and software.version: [8.5 to 9.8} and not ssh.endpoint_id.comment: {"Ubuntu-3ubuntu0.10", "Ubuntu-1ubuntu3.6", "Ubuntu-3ubuntu13.3", "Debian-5+deb11u3", "Debian-2+deb12u3", "FreeBSD-20240701"})

Censys ASM query:

    host.services.software: (product: "openssh" and version: [8.5 to 9.8})

Censys ASM Risk query:

    risks.name="Vulnerable OpenSSH [CVE-2024-6387]"

Polyfill.io supply chain attack

Detection with Censys

Censys Search query for exposed hosts referencing the malicious polyfill[.]io domain:

    services.http.response.body:{`https://cdn.polyfill.io`, `https://cdn.polyfill.com`}

Censys Search query for exposed hosts referencing one of the additional potentially associated domains:

    services.http.response.body: {`cdn.bootcdn.net`, `cdn.bootcss.com`, `cdn.staticfile.net`, `cdn.staticfile.org`}

Censys ASM query for exposed hosts referencing the malicious polyfill[.]io domain:

    host.services.http.response.body:{`https://cdn.polyfill.io`, `https://cdn.polyfill.com`} or web_entity.instances.http.response.body:{`https://cdn.polyfill.io`, `https://cdn.polyfill.com`}

Censys ASM query for exposed hosts referencing one of the additional potentially associated domains:

    host.services.http.response.body:{`cdn.bootcdn.net`, `cdn.bootcss.com`, `cdn.staticfile.net`, `cdn.staticfile.org`} or web_entity.instances.http.response.body:{`cdn.bootcdn.net`, `cdn.bootcss.com`, `cdn.staticfile.net`, `cdn.staticfile.org`}

New Fingerprints

Added the following fingerprints:

| Type | Name | Category | Description | Censys Search Query |
| --- | --- | --- | --- | --- |
| software | NetSupportManager RAT | C2 | A NetSupportManager remote access trojan (RAT) server. | services.software:(vendor='NetSupportManager RAT' and product='NetSupportManager RAT') |
| software | Poseidon C2 | C2 | A Poseidon C2 Server. | services.software:(vendor='Poseidon' and product='Poseidon') |
| software | Rod Stealer C2 | C2 | A ROD Stealer C2 Server. | services.software:(vendor='ROD Stealer' and product='ROD Stealer') |
| software | Saphira Botnet C2 | C2 | A Saphira Botnet Server. | services.software:(vendor='Saphira BotNet' and product='Saphira BotNet') |
| software | XWiki | Open Source Software | XWiki is an open-source wiki software platform. | services.software:(vendor='XWiki' and product='XWiki') |

Added the following risk fingerprints to ASM:

| Type | Name | Category and Severity | Description | Censys ASM Query |
| --- | --- | --- | --- | --- |
| risk | Exposed Polyfill Supply Chain Attack Endpoint | Rapid Response (CVE) - Medium | This service is embedding code that references the compromised cdn.polyfill[.]io endpoint or related suspicious domains, potentially exposing users to malicious redirects and malware. Note that as of June 27, 2024, the malicious domain is no longer active. | risks.name="Exposed Polyfill Supply Chain Attack Endpoint" |
| risk | Vulnerable OpenSSH CVE-2024-6387 | Rapid Response (CVE) - Critical | This service is running a vulnerable version of OpenSSH susceptible to CVE-2024-6387 which is a reoccurrence of CVE-2006-5051. | risks.name="Vulnerable OpenSSH [CVE-2024-6387]" |
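The Censys Search query for CVE-2024-6387 above combines a version range (8.5 inclusive to 9.8 exclusive) with a list of excluded banner comments. As an added example (not Censys code), the same logic applied to SSH banners collected from your own hosts; the sample banners are constructed, and treating the text after the space in the banner as the `ssh.endpoint_id.comment` value is an assumption.

```python
import re
from collections import Counter

# Banner comments excluded by the query on this page (copied verbatim from it).
EXCLUDED_COMMENTS = {
    "Ubuntu-3ubuntu0.10", "Ubuntu-1ubuntu3.6", "Ubuntu-3ubuntu13.3",
    "Debian-5+deb11u3", "Debian-2+deb12u3", "FreeBSD-20240701",
}

# "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3" -> major, minor, optional comment.
BANNER_RE = re.compile(r"^SSH-\d+\.\d+-OpenSSH_(\d+)\.(\d+)\S*(?:\s+(\S+))?")

def classify(banner):
    """Mirror the query: version in [8.5, 9.8) and comment not in the excluded list."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return "unparsed"          # not OpenSSH, or a banner format not handled here
    version = (int(m.group(1)), int(m.group(2)))
    if not ((8, 5) <= version < (9, 8)):
        return "out-of-range"      # 9.8 itself is outside: the upper bound is exclusive
    if m.group(3) in EXCLUDED_COMMENTS:
        return "patched-build"     # distro build the query explicitly excludes
    return "review"                # matches the query; confirm the package version

def triage(banners):
    """Count banners per classification."""
    return Counter(classify(b) for b in banners)

# Constructed sample banners, not real scan data.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10",
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
    "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3",
    "SSH-2.0-OpenSSH_9.8",
    "SSH-2.0-OpenSSH_7.4",
    "SSH-2.0-OpenSSH_8.5p1",
    "SSH-2.0-dropbear_2022.83",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{classify(banner):14} {banner}")
```

A "review" result means only that the banner matches the query; banners can be altered or hidden, so confirm against the installed package version.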

Related products: Censys Search, Censys Attack Surface Management (ASM)

Censys Release Notes for July 1, 2024

The following enhancements and improvements are now available to Censys ASM and Search customers.

Censys ASM

Receive actionable alerts about changes to your attack surface with Saved Query Automation.

- Saved Query Automation enables you to send an alert to your integrations when an asset is added to or removed from a saved query. For example, you can configure ASM to send alerts when new risks are detected on assets or tags are newly added to assets.
- This initial release features support for email alert delivery. Support for webhooks, Microsoft Teams, Slack, and Webex is forthcoming.
- Learn more in this short lesson in the Censys Academy.
- Saved Query Automation is available to Censys ASM Advanced and Enterprise customers.

Web entities that are sourced from Cloud Connectors will now be updated multiple times per day. Previously these assets were updated approximately once a day.

Implemented an update to ensure that non-public assets are not ingested from Cloud Connectors.

Rapid Response

The Censys Rapid Response team published information about and queries for the following vulnerability:

Critical command injection vulnerability in EOL Zyxel NAS models exploited by botnet (CVE-2024-29973)

The following query can be leveraged to identify all Censys-visible, public-facing Zyxel NAS326 and NAS542 instances. Note that Censys does not have visibility into firmware versions.

Censys Search query:

    services.software: (vendor: "Zyxel" and product: {"NAS326", "NAS542"})

Censys ASM query:

    host.services.software: (vendor: "Zyxel" and product: {"NAS326", "NAS542"}) or web_entity.instances.software: (vendor: "Zyxel" and product: {"NAS326", "NAS542"})

Search and ASM Fingerprints

Added the following fingerprints:

| Type | Name | Category | Description | Censys Search Query | Censys ASM Query |
| --- | --- | --- | --- | --- | --- |
| software | Elkor Web Management | Web Management Interface | A web-based management platform for managing online content and operations. | services.software:(vendor='elkor' and product='Elkor') | host.services.software:(vendor='elkor' and product='Elkor') |
| software | MOVEit Transfer SFTP | Managed File Transfer | An SFTP client for the MOVEit managed file transfer service. | services.software:(vendor='progress' and product='Progress') | host.services.software:(vendor='progress' and product='Progress') |

Related products: Censys Search, Censys Attack Surface Management (ASM)