Posts tagged Rapid7 Disclosure

1 min Vulnerability Disclosure

Lessons Learned Firsthand: Securing Corporate Voicemail PINs

On Thursday afternoon, Nov. 15, 2018, Rapid7 learned of a potential security issue with our corporate voicemail system, reported by security researcher Kristian Hermansen.

8 min Vulnerability Disclosure

Shoring Up the Defenses Together: 2018Q2 and Q3 Wrap-Up

Today (October 29, 2018) we are sharing several vulnerabilities that have been fixed in Rapid7 products and supporting services.

7 min Vulnerability Disclosure

Shoring up the defenses together: 2018Q1 wrap-up

Today (April 10, 2018) we are sharing six vulnerabilities that have been fixed in Rapid7 products and supporting services. You won’t need to take any actions: all of the issues have been addressed. We are disclosing these vulnerabilities in order to be transparent, to thank those that take the time to report security issues responsibly, and to provide a few reminders of security concerns that you should audit for in your own organization. Dynamically-generated web server access policies Generat

6 min Vulnerability Disclosure

Vulnerabilities Affecting Four Rapid7 Products (FIXED)

Today we are announcing four fixed vulnerabilities in four Rapid7 products, summarized in the table below. These issues are low to medium severity (mostly due to the high exploitation requirements), but we want to make sure that our customers have all the information they need to make informed security decisions. This article includes detailed descriptions of the vulnerabilities, as well as how to ensure they are mitigated in your environment. Some of the updates are automatic, but some may requ

2 min Vulnerability Disclosure

R7-2017-16 | CVE-2017-5244: Lack of CSRF protection for stopping tasks in Metasploit Pro, Express, and Community editions (FIXED)

Summary A vulnerability in Metasploit Pro, Express, and Community was patched in Metasploit v4.14.0 (Update 2017061301) [https://help.rapid7.com/metasploit/release-notes/archive/2017/06/#20170613]. Routes used to stop running tasks (either particular ones or all tasks) allowed GET requests. Only POST requests should have been allowed, as the stop/stop_all routes change the state of the service. This could have allowed an attacker to stop currently-running Metasploit tasks by getting an authenti

4 min Nexpose

R7-2017-13 | CVE-2017-5243: Nexpose Hardware Appliance SSH Enabled Obsolete Algorithms

Summary Nexpose [http://www.rapid7.com/products/nexpose] physical appliances shipped with an SSH configuration that allowed obsolete algorithms to be used for key exchange and other functions. Because these algorithms are enabled, attacks involving authentication to the hardware appliances are more likely to succeed. We strongly encourage current hardware appliance owners to update their systems to harden their SSH configuration using the steps outlined under “Remediation” below. In addition, Ra

7 min Metasploit

Multiple Vulnerabilities Affecting Four Rapid7 Products

Today, we'd like to announce eight vulnerabilities that affect four Rapid7 products, as described in the table below. While all of these issues are relatively low severity, we want to make sure that our customers have all the information they need to make informed security decisions regarding their networks. If you are a Rapid7 customer who has any questions about these issues, please don't hesitate to contact your customer success manager (CSM), our support team, or leave a comment below. For

3 min Metasploit

Security Advisory: OpenSSL Vulnerabilities CVE-2014-0224 and CVE-2014-0221 in Metasploit (Updated 6/6/14, 2pm EST)

Metasploit 4.9.2 and earlier vulnerable to OpenSSL vulnerabilities The OpenSSL team today published a security advisory [http://www.openssl.org/news/secadv_20140605.txt] containing several critical vulnerabilities. The Metasploit editions Metasploit Pro, Metasploit Express, Metasploit Community and Metasploit Framework in versions 4.9.2 or earlier are vulnerable to these OpenSSL vulnerabilities, most notably CVE-2014-0224 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224] and CVE-2014