What’s new with runZero 3.4?
- Vulnerability import from CrowdStrike Spotlight
- Integration performance improvements and enhancements
- Automatic expiration of ephemeral AWS assets
- Processing performance improvements
- Enrichment-only integration support
- OAuth Client Secret authentication
- Simplified site import and export format
- Rapid Response queries for MegaRAC and Cisco
- User interface improvements
Vulnerability inventory from CrowdStrike
runZero Enterprise customers can now import vulnerabilities from CrowdStrike Spotlight. runZero 3.4 automatically imports vulnerabilities when a credential is supplied that has access to the “Spotlight” OAuth scope. CrowdStrike Spotlight vulnerability data can be viewed from the asset detail page as well as in the vulnerability inventory. CrowdStrike vulnerability attributes include the relevant CVE identifier, severity, exploitability status, vulnerability detail, and any recommended actions to remediate the issue. Use the filtersource:crowdstrike in the asset or vulnerability inventory to see CrowdStrike-sourced data. Use the following queries to track down common concerns:
- Find vulnerabilities on assets with public IP addresses:
source:crowdstrike AND has_public:t - Find critical vulnerabilities on end-of-life assets:
source:crowdstrike AND os_eol:<now AND severity:critical - Find vulnerabilities that match a specific exploit status:
- Exploit unproven:
exploit_status:=0 - Exploit available:
exploit_status:=30 - Exploit easily accessible: `exploit_status:=60
- Exploit actively used:
exploit_status:=90
- Exploit unproven:
Integration performance improvements and enhancements
The 3.4 release delivers new features and performance improvements to runZero integrations.Automatic expiration of ephemeral AWS assets
You can now have your AWS integration automatically remove AWS assets from your inventory that weren’t seen in the latest sync. Many AWS resources are ephemeral, only being in use for a short period of time, and these temporary assets can lead to a slow increase of offline assets over time. If you don’t want to keep those decommissioned AWS assets in your runZero inventory, this feature can be used to automatically delete them. An alternative to this feature is to place your cloud assets in a separate Organization and configure a low stale asset expiration.Processing performance improvements
The performance of all integration tasks has been improved and processing now completes much faster, with better use of resources, especially for self-hosted customers. This improvement is the most significant for processing data from vulnerability management products.Enrichment-only integration support
You can now choose to exclude unknown assets from your integration imports. If enabled, runZero won’t import assets from an integration unless they can be merged with an existing asset in your inventory. This places the integration into an enrichment-only mode. This option is helpful when overlaying data from directory providers (Azure AD and Windows AD) as well as MDM and EDR systems that often include off-network assets that may be outside of your runZero scope.OAuth Client Secret authentication
In addition to being able to access the runZero APIs using bearer tokens, you can now configure the use of OAuth2 client credentials. Simply register an API client and use the client ID and secret to obtain a temporary session token, which can then be using with the existing APIs as a bearer token.Simplified site import and export format
The process and format for importing sites has been simplified so that you can more quickly add multiple sites based on subnets. The format of the imported CSV has been updated so that each registered subnet can be provided as a separate row, with the results merged automatically during import. Need to add a ton of new subnets to your sites? Export the current CSV, append the new subnets to the end with the same site name, and re-import the list to update your site configuration.Rapid Response queries for MegaRAC and Cisco
In addition to letting you create queries to fit your needs, runZero includes pre-built queries for recent threats. During the 3.4 release, new queries were added to quickly track down assets running MegaRAC BMC firmware and to locate Cisco 7800/8800 series IP phone assets.User interface improvements
The 3.4 release includes several changes to the user interface to improve the performance of the runZero console. The tables on the analysis reports, site comparison reports, and SSO groups pages now perform and load faster. This will let users query and sort the results in tables more efficiently, getting to the answers they need faster.Release notes
The runZero 3.4 release includes a rollup of all the 3.3.x updates, which includes all of the following features, improvements, and updates.New features
- The AWS integration now includes an option to automatically remove assets no longer reported by AWS.
- OAuth 2.0 client credentials can now be used to authenticate with runZero APIs.
- The
edr.nameasset attribute is now updated to show when a runZero scan no longer detects the EDR. - Tasks can now be stopped during data gathering and processing phases.
- The site import and export CSV format has been simplified.
- The performance of connector task processing has been improved.
- Tables for the Site comparison report, analysis report results, and SSO group mappings have been redesigned for improved performance.
- Added a new canned query for finding Cisco 7800/8800 series IP phone assets.
- Improved fingerprinting coverage of Google Workspace assets.
- Additional fingerprint updates.
Security improvements
- A bug that could show cross-tenant “no access” role users in the Your team > Current organization view was resolved. This issue only applied to the cloud-hosted version of the runZero platform. The affected build was live for slightly more than two hours. Any customers affected by this issue will receive a detailed notice to the email addresses associated with their superuser accounts.
Product improvements
- The consistency in asset terminology has been improved.
- The site import CSV format has been improved.
- The CLI Scanner
--api-urlparameter handling has been improved. - The DELETE API method for bulk asset deletion has been deprecated.
- A public API endpoint to check the platform health has been added.
- OS EOL dates are now reported for Windows 11.
- A new canned query for MegaRAC BMC firmware has been added.
- Self-hosted customers can configure concurrent task processing with the RUNZERO_CRUNCHER_INSTANCES option.
- VMware ESXi instances now display OS end-of-life dates based on version.
- The scanner now supports a configurable ToS/Traffic Class field in the advanced configuration.
- Additional operating system and hardware icons are available in the inventory view.
- Explorer and CLI Scanner binaries are now approximately 5MB smaller.
- The All Organizations view now more accurately handles limited user permissions.
Performance improvements
- The performance of the task overview page load time has been improved.
- The import time for third-party data sources was improved.
- The scheduler will now delay recurring tasks if the previously completed task has not yet started processing.
- The backend now processes concurrent tasks for separate sites within the same organization when possible.
- Searching and sorting is faster when using the asset first seen and last seen columns.
Fingerprinting changes
- Improved fingerprinting coverage of Apple HomeKit and HomeKit-connected devices.
- Improved fingerprinting coverage of Google Workspace assets.
- Improved fingerprinting coverage of Microsoft Intune and Azure Active Directory assets.
- Additional support added-or-improved for products by by Advidia, APC, Apple, Ascom, Avaya, Cisco, Citrix, D-Link, Dahua, ecobee, Eve, Fortinet, First Peer, Google, Green Electronics, ICP DAS, ifm electronic, iXsystems, LG, Microsoft, Motorola, Nintendo, OnePlus, OpenWRT, Poly, QNAP, Raspberry Pi, Red Hat, Riverbed, Roku, Sagemcom, Samsung, Shelly, Schneider Electric, SolidCP, Sony, SUSE, SwitchBot, TCL, Technicolor, Twinkly, UPS Manufacturing, Vizio, and VMware.
Integration improvements
- The CrowdStrike integration now imports vulnerabilities when CrowdStrike Spotlight is enabled for the API key.
- An option to disable the creation of new assets from third-party integrations has been added.
- Third-party integrations merge assets more consistently.
- Third-party integrations now merge more accurately when using IP addresses as the match key.
- Microsoft Intune and Azure Active Directory assets are now fingerprinted more accurately.
- New LDAP credentials now auto-populate the discovered port.
- The Microsoft Defender integration now merges assets more comprehensively.
- The AWS EC2 integration now provides an option to include Stopped instances.
Bug fixes
- A bug that could prevent an Explorer from running scans with specific network configurations has been resolved.
- A bug that could cause recurring tasks to backup has been resolved.
- A bug in the Organization asset export API has been resolved.
- A bug that caused the License information page to display an incorrect project asset count was resolved.
- A bug that could delay concurrent task processing has been resolved.
- An issue that could cause the command-line scanner to skip LDAP enumeration has been resolved with the
--ldap-thumbprintsflag. - A bug that could prevent tag searches from completing when thousands of tags are in use has been resolved.
- A bug that could result in partial import of GCP CloudSQL assets was resolved.
- A bug that could lead to duplicate vulnerabilities when an import was restarted has been resolved.
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.
Marvin Petzolt, Senior Application Security Engineer at Nord Security
