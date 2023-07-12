



Nothing makes me feel older than realizing how much of my life I’ve devoted to a subject. At what point do you consider yourself an expert?After more than 17 years in vulnerability management, I’m starting to think I might be an expert in the field. But the main reason I feel that way is because I’ve seen pretty much everything at this point.

One thing I’ve seen time and time again is the debate over patch management and vulnerability management. We could delve deeper into the discussion of management and evaluation, but let’s ignore it for now. With patch management, the process simply checks to see if a patch is installed. Within the vulnerability management realm, the process looks identical, especially for authenticated scanning. However, secondary steps are required to determine the vulnerability status, such as post-patch mitigations.

The idea of ​​post-patch mitigation is one of the biggest challenges for our customers, especially those using patch management software. This, coupled with patches that don’t apply, dominates the conversations I have. Microsoft is famous for the text “To be fully protected against this vulnerability, customers should do the following.” For some reason, many people are still aware of these additional steps. I have not. Some people are completely convinced that if the patch says it installed successfully, it really must have installed successfully. Interestingly, a successful patch installation does not indicate that the vulnerability has been resolved. This is probably one of the points I spend the most time explaining to my customers.

But there is a more interesting issue, which I would like to discuss today. Vulnerabilities that will never be fixed, but will no longer be discussed. For years this has been the battle we have been fighting with Oracle Database Express. This was such a big problem that it became a major research project for us, resulting in a blog post and multiple conference presentations. However, today we are talking about CVE-2010-1549, an unspecified vulnerability in agents prior to HP LoadRunner 9.50 and HP Performance Center 9.50 that allows remote attackers to execute arbitrary code via an unknown vector. I would like to talk to you.

Some tools may have stopped doing this check after LoadRunner version 9.50. Others may have dug a little deeper and discovered that the mitigation for this issue won’t become the default until version 12.50. Tripwire has developed a direct condition test for this. This means testing vulnerabilities by interacting with vulnerable products, rather than inferring them based on other relevant data. Since this is a direct conditional test, I didn’t feel the need to mask it for a specific version of LoadRunner. This means that every year he has one or two instances of this vulnerability being reported as false positives by customers.

Over the years, I’ve heard multiple reasons why people think it’s a false positive.

This is a CVE in 2010 and our software shouldn’t be vulnerable in 10 years. HP sold his LoadRunner to his MicroFocus, which is HP’s vulnerability. NVD’s description states that this affects his LoadRunner prior to 9.50, which was running newer versions. The documentation states that starting with 12.50 running newer versions, this vulnerability is mitigated by default.

I’m sure there are other valid reasons we’ve heard of, but these are the most common.

Recently, this vulnerability resurfaced among customers involved in large projects, and they wanted to know more about why this vulnerability was detected. We ended up deploying the latest version, MicroFocus LoadRunner 2023, and tested the content with the default installation. Vulnerabilities were matched instantly. We then grabbed the exploit code, ran the actual exploit against the server, and set it up to run calc.exe on the device. The calculator opened immediately. So the vulnerability still exists.

However, there was a problem. I couldn’t find any documentation for this vulnerability on his website at MicroFocus. Many of the HP pages addressing this vulnerability no longer exist, and the settings mentioned on the page I found did not exist. After searching for keywords in the MicroFocus documentation, I found a command line setting that might help. I ran the command to test the vulnerability again. Sure enough, it has been reduced. Disabling the setting quickly made the system vulnerable again.

I called the customer and was able to quickly walk through a demonstration of this attack and explain why Tripwire IP360 identified the system as vulnerable. The customer was happy to have confirmation that we were right, and I was happy to be able to demonstrate exactly what happened. At the same time, the limited documentation on mitigating this vulnerability left no one satisfied. The only reference currently online mentions enabling the secure channel feature. For those running LoadRunner, here are the settings I used to mitigate the vulnerability.

In recent versions of LoadRunner, this setting is configurable using the lr_agent_settings binary. This binary is located in the bin directory of your LoadRunner installation folder. To mitigate this vulnerability, the check_client_cert setting must be enabled.

Enable check_client_cert: lr_agent_settings -check_client_cert 1 Restart the agent: lr_agent_settings -restart_agent

If you ever need to undo the mitigation, you can do so with the following command:

Disable check_client_cert: lr_agent_settings -check_client_cert 0 Restart agent: lr_agent_settings -restart_agent

For me, this was a good reminder of why patch management and vulnerability management are different. It was also a good reminder why we don’t deprecate old vulnerability content. Important (and easy to exploit) unauthorized remote code execution popups don’t always appear on modern networks every day, but for organizations without a mature vulnerability management program, this can be devastating. may cause serious damage.

