iptables: Block traffic by country (Debian 10)

You need the package versions from at least Debian 10 testing for this to work. Installing specific packages from the testing branch is beyond the scope of this article, but there are many tutorials online.

  • Switch to legacy iptables (I did not try it with the new nftables packet filter that came with Debian 10):
sudo update-alternatives --config iptables 
There are 2 choices for the alternative iptables (providing /usr/sbin/iptables). 

 Selection    Path                       Priority   Status 
------------------------------------------------------------ 
 0            /usr/sbin/iptables-nft      20        auto mode 
* 1            /usr/sbin/iptables-legacy   10        manual mode 
 2            /usr/sbin/iptables-nft      20        manual mode 

Press <enter> to keep the current choice[*], or type selection number: 1
  • Install iptables module "geoip" (from testing) and dependencies:
sudo aptitude install xtables-addons-common/testing xtables-addons-dkms/testing libnet-cidr-lite-perl libtext-csv-xs-perl
  • Make sure you have the right version (from Debian testing):
apt show xtables-addons-common
...
Version: 3.5-0.1
...
  • Download and build geoip database (zipped CSV file from MaxMind):
sudo -i
mkdir /usr/share/xt_geoip/ 
cd /usr/share/xt_geoip/
/usr/lib/xtables-addons/xt_geoip_dl
cd GeoLite2-Country-CSV_* 
/usr/lib/xtables-addons/xt_geoip_build
cp *iv? ..
  • Check your iptables rules in INPUT chain. It should look something like this, if you already setup iptables:
# iptables --line-numbers -nL  INPUT

Chain INPUT (policy DROP) 
num  target     prot opt source               destination          
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     ...
3    ACCEPT     ...
...
8    LOG        all  --  0.0.0.0/0            0.0.0.0/0            state INVALID,NEW LOG flags 0 level 4 prefix "DROP input:"
  • Add iptables rule to block all incoming traffic from e.g. Prague/Czech Republic. Make sure to insert the new rule after the RELATED/ESTABLISHED rule and before any other ACCEPT rules. In this example, the rule is inserted as line number 2.
iptables -I INPUT 2 -m geoip --src-cc CZ -j DROP
  • In the second example we block all traffic except the one that is originating from the United States. TCP traffic is not simply dropped, but spoofed by the DELUDE target.
iptables -I INPUT 2 -m geoip ! --src-cc US -j DROP
iptables -I INPUT 2 -p tcp -m geoip ! --src-cc US -j DELUDE

Important things to note:

  • You have to reinstall package "xtables-addons-common" with every new kernel version because it is compiled during package installation using the current kernel source (see /usr/src/xtables-addons-*).
  • For more information about the DELUDE target in the second example, see "man xtables-addons". It spoofs nmap scans and makes it harder for port scanners to scan the destination host. It is only valid for TCP traffic.
Share

Android smartphone "Cubot Echo"

Smartphone

Cubot is a Chinese Android smartphone brand that offers a wide variety of inexpensive phone models. With the Cubot Echo (released in 2016) you get surprisingly good quality at a low price.

https://www.cubot.net/smartphones/echo/spec.html

One of the main advantages of Cubot smartphones is their native Android version. Many smartphone manufacturers heavily modify Android and add tons of "features" and apps that you don't really need and are more annoying than helpful. They hope to create a unique customer experience that makes users get accustomed to their brand so they choose the same brand again for their next phone. Moreover these modifications often slow down overall performance and introduce security holes.

Cubot ships all their models with an almost native Android version. No modifications (except necessary adaptions to hardware), no annoying apps or background tasks that cannot be removed, etc.

Pros
+ Very good overall hardware quality compared to cheap price (unbreakable display, strong body for outdoor use)
+ Good display, camera quality and performance compared to cheap price
+ Large 5.0 inch display
+ HDR photography
+ Up to 128 GB micro sdcard (supported, but not included)
+ Plain Android user experience, no annoying modifications or add-ons
+ Removable battery
+ Cheap price

Cons
- Android security patch level only from 05.06.2017, but latest firmware update (which will be installed automatically after setup) DOES include security patch for WiFi WPA2 KRACK attack (build 08.02.2018). Android 6 Marshmallow does no longer receive security updates from Google, but you can install the unofficial Android alternative LineageOS based on Android 7 Nougat.
- No 4G / LTE support
- A bit heavy
- Released in 2016, a little bit outdated

Verdict
You can get this Android smartphone for as cheap as 60 EUR. If you can live with the security issues and the missing LTE support, that's a definitive buy. Especially considering that the upcoming Google Pixel 3 flagship for 850 EUR guarantees Android security updates for only 3 years. You could buy 14 Cubot Echos for that price. And the Google Pixel 3 does not have a removable battery, which makes it very hard to replace.

Cubot comparison chart

Cubot EchoCubot J5
Android VersionAndroid 6 Marshmallow
(no longer supported)
Unofficial support for LineageOS
based on Android 7 Nougat
Android 9
ProcessorMT6580 1.3 GHz Quad-coreMT6580 1.3 GHz Quad-core
Display5" IPS
(1300:1 contrast)
5.5" IPS
(18:9 format, 1300:1 contrast)
Brightness (cd/㎡)450450
Memory (RAM / ROM)2 GB / 16 GB2 GB / 16 GB
Max. Additional Storageup to 128 GB (not included)up to 128 GB (not included)
Camera (Back / Front)13 MP / 5 MP8 MP / 5 MP (interpolated)
LTEnono
Extras - Micro + standard dual SIM (no eSIM)
- A-GPS
- USB OTG
- Special sound chip with big speaker
- Unbreakable case
- Dual nano SIM (no eSIM)
- A-GPS
- Curved display sides
- Gradient color case
Battery3000 mAh (removable)2800 mAh (removable)
Price~ 60 €~ 65 €
Cubot NovaCubot Magic
Android VersionAndroid 8.1 OreoAndroid 7 Nougat
ProcessorMT6739 1.5 GHz Quad-coreMT6737 1.3 GHz Quad-core
Display5.5" HD+
(18:9 format, 1300:1 contrast)
5" IPS
(1300:1 contrast)
Brightness (cd/㎡)450450
Memory (RAM / ROM)3 GB / 16 GB3 GB / 16 GB
Max. Additional Storageup to 128 GB (not included)up to 128 GB (not included)
Camera (Back / Front)13 MP / 8 MP13 MP / 5 MP
(13 MP +2 MP Dual Back Camera)
LTEyesyes
Extras - Dual 4G nano SIM (no eSIM)
- A-GPS
- Fingerprint sensor
- Dual micro SIM and dual standby (no eSIM)
- A-GPS
- Curved display sides
Battery2800 mAh (removable)2600 mAh (removable)
Price~ 70 €~ 70 €

Share

Add entropy to KVM virtual guests (Why is key creation so slow?)

Problem

Cryptographic key creation (GnuPG, SSH, etc.) in virtual guests may be very slow because there is not enough entropy.

$ cat /proc/sys/kernel/random/entropy_avail 
7

Solution

Add /dev/urandom from virtual host in virt-manager. Click on "Add Hardware".

Add "RNG" device.

This is what will be added to the qemu xml file in /etc/libvirt/qemu:

<domain type='kvm'>
  ---
  <devices>
    ...
   <rng model='virtio'> 
     <backend model='random'>/dev/urandom</backend> 
     <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/> 
   </rng> 
 </devices> 
</domain>

In the virtual guest, install "rng-tools" (Ubuntu 18.04).

$ sudo apt-get install rng-tools

If something goes wrong, the rngd daemon will complain in /var/log/syslog.

Oct 13 22:48:07 guest rngd: read error 
Oct 13 22:48:07 guest rngd: message repeated 99 times: [ read error] 
Oct 13 22:48:07 guest rngd: No entropy sources working, exiting rngd

If rngd is working correctly, check entropy level again.

$ cat /proc/sys/kernel/random/entropy_avail
3162
Share

Security Guidelines

Computer Security

Physical Device Security

  • Always completely switch off your computer and lock your computer safely away, even if you just visit the bathroom. Screen saver locking or putting the laptop into sleep mode is not enough (Cold Boot Attacks).
    https://blog.f-secure.com/cold-boot-attacks
  • Don't display anything important on your computer screen (Van-Eck-Phreaking).
    https://twitter.com/windyoona/status/1023503150618210304
    http://www.eweek.com/security/researchers-discover-computer-screens-emit-sounds-that-reveal-data
  • Don't type in anything important on your keyboard or touchscreen.
    http://www.eweek.com/security/researchers-discover-computer-screens-emit-sounds-that-reveal-data
  • Install USBGuard to protect against unknown USB devices.
    (Note that USB IDs and serial numbers of USB devices can easily be replicated. Once an attacker knows the type of USB device you are using, and its serial number, USBGuard can easily be bypassed. That means: Never lend someone your USB stick, never accept a USB device from untrustworthy persons ... which means anyone.)

Software Security

  • Always use fingerprints to identify certificates for important web services. Don't rely solely on CAs.
    https://www.theregister.co.uk/2018/09/06/certificate_authority_dns_validation/

Useful Links

  • Ubuntu Security
    https://www.ubuntu.com/security
  • Ubuntu Security Features Matrix
    https://wiki.ubuntu.com/Security/Features
  • End User Device Security Guidance for Ubuntu 18.04 LTS from the NCSC (National Cyber Security Center, part of GCHQ)
    https://www.ncsc.gov.uk/guidance/eud-security-guidance-ubuntu-1804-lts
Share

Password security - it is not about length or complexity

Password

Passwörter sollten nach Möglichkeit nicht im Klartext am Bildschirm angezeigt werden. Neben dem offensichtlichen Shoulder Surfing ("über die Schulter schauen"), gibt es auch sog. Seitenkanalangriffe in blickgeschützten Bereichen.

Das ursprünglich für ältere Röhrenmonitore entwickelte Van-Eck-Phreaking, bei dem die elektromagnetische Strahlung über größere Distanzen aufgezeichnet wird, lässt sich offenbar auch für moderne LCD-Monitore mit HDMI-Kabel ausnutzen. Aus der empfangenen elektromagnetischen Strahlung wird dann das ursprüngliche Monitorbild rekonstruiert. Die dazu notwendige Elektronik ist mittlerweile schon für ambitionierte Hobby-Bastler erschwinglich.

Einige Quellen im Internet weisen ebenso auf relativ hohe elektromagetische Strahlungen und akustische Signale von aktuellen PC-Grafikkarten und Flachbildschirmen/Touchscreens in Kombination mit Monitor- und Stromkabeln hin, die im Prinzip wie eine Antenne funktionieren.

Um Sicherheitsproblemen in diesem Bereich von vornherein aus dem Weg zu gehen, kann man z.B. moderne Passwortmanager verwenden, die Passwörter automatisch generieren und dann über die Zwischenablage in die Anwendung kopieren, ohne das Passwort selbst im Klartext eintippen oder auf dem Bildschirm anzeigen zu müssen.

Share

Top 5 questions you should never ask computer security experts

  1. If you can hack into my computer, why should I trust you?
  2. If there is an update for my software, does that mean that it was vulnerable for the last couple of years?
  3. Are printed documents safer than computers?
  4. Today's computer devices are insanely insecure (s. Security Guidelines). If I buy a PC, monitor, laptop, tablet or mobile phone online, why is there no option for e.g. protection against radio signal emission?
  5. I can break into any house by smashing the windows. Why should computers be safer than real world objects?

Absolute security is an illusion of the past (online and offline). The roof top has been blown off. It is now time to close the doors and windows downstairs to keep the rats out.

https://goo.gl/images/TDf4d1

Share

Sending mail on the Linux command line (Ubuntu 18.04)

How to send end-to-end encrypted emails on the Linux command line.

If you want to add attachments, use mutt or mail from GNU Mailutils as the mail client. The following examples use mailx and ssmtp.

Unencrypted mail

Install package "bsd-mailx":

$ sudo apt-get install bsd-mailx

Edit /etc/mail.rc and add the following lines:

set smtp=smtp://mail.example.com
alias root postmaster@example.com

Run mailx:

$ mailx root
Subject: test 
This is a test. 
. 
Cc: 

Notes:

  • Mail gets sent to postmaster@example.com (see mail.rc).
  • Mail server is mail.example.com (see mail.rc).
  • Email message body is terminated by a single "." as the last line.

Encrypted mail (Inline PGP)

Make sure you can send unencrypted mail (s. "Unencrypted mail" above).

Check that you have GnuPG version 2 installed, and If you haven't done so before, create private and public GnuPG key.

$ gpg --version
gpg (GnuPG) 2.2.4
libgcrypt 1.8.1
...
$ gpg --gen-key
...

Import public PGP key from recipient.

$ gpg --import alice.pub

First sign message (clearsign - ascii signature will be appended to text), then encrypt message, then mail message.

$ echo "Hello Alice, if you can read this your PGP mail client is working." | \
    gpg --clearsign | \
    gpg -a -r alice@example.com --encrypt | \
    mailx -s "PGP encrypted mail test" alice@example.com

Notes:

  • First sign the message. "gpg --clearsign" uses the default private key to sign message. Check with "gpg -K". Otherwise use option "--default-key bob@example.com" to choose a specific private key.
  • Then encrypt the message. Check with "gpg -k" that recipient is properly added to your GPG keyring.
  • Finally send mail message. Email body is simply the signed and encrypted message text in ASCII format.
  • Email subject will not be encrypted.

Encrypted mail (S/MIME)

Make sure you can send unencrypted mail (s. "Unencrypted mail" above).

You need your own public certificate / private key pair, and the public certificate from the recipient (all in PEM format).

You can get a S/MIME email certificate for free from COMODO. Or you run your own certificate authority. Either way, both your own certificate and your own key need to be in a single file in PEM format (in the following example it is called "bob.pem").

-----BEGIN PRIVATE KEY-----
 ...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
 ...
-----END CERTIFICATE-----

The public certificate of the recipient must be in PEM format too (in the following example it is called "alice.pem"). You can extract it from an email signature if the recipient already sent you a signed email.

-----BEGIN CERTIFICATE-----
 ...
-----END CERTIFICATE-----

Install the package "ssmtp".

$ sudo apt-get install ssmtp

Again (as in the above example for PGP encrypted mail), all commands for signing, encrypting and sending the message can be chained together to a single command line.

$ echo "Hello Alice, if you can read this your S/MIME mail client is working." | \
    openssl smime -sign -signer bob.pem -text | \
    openssl smime -encrypt -from bob.example.com -to alice@example.com -subject "S/MIME encrypted mail test" -aes-256-cbc alice.pem | \
    ssmtp -t

Notes:

  • Email body is simply the signed and encrypted message text in ASCII format. OpenSSL adds all required headers to it (sender, recipient, subject).
  • If you are using a S/MIME certificate from a public CA (like COMODO) to sign your message, it is easier for the recipient to validate your signature, compared to PGP encrypted emails.
  • You still need the public certificate of the recipient, and make somehow sure that it is authentic.
  • Again, the email subject will not be encrypted.
Share

Upgrading from Ubuntu 16.04 LTS to 18.04 LTS

Overall changes

Canonical support has been dropped from the following packages. They have been moved to the universe repo.

  • tcpd
  • xinetd
  • isc-dhcp-server-ldap
  • ntp, ntpdate
    There might be problems to automatically start previously configured ntp service at boot time. As a replacement, systemd-timesyncd.service is now enabled by default and provides SNTP client services. Default time server is ntp.ubuntu.com, or the one obtained from systemd-networkd.service (s. "man timesyncd.conf" for configuration).
  • firewalld
  • ssmtp

New versions

  • kernel 4.4 -> 4.15
  • bind 9.10.3 -> 9.11.3
    https://kb.isc.org/category/81/0/10/Software-Products/BIND9/Release-Notes/
    https://www.isc.org/downloads/bind/bind-9-11-new-features/
  • bacula-fd 7.0.5 -> 9.0.6
    http://www.bacula.org/9.0.x-manuals/en/main/New_Features_in_7_4_0.html
    http://www.bacula.org/9.0.x-manuals/en/main/New_Features_in_9_0_0.html
  • systemd 229 -> 237
    https://github.com/systemd/systemd/blob/master/NEWS
  • libvirt 1.3.1 -> 4.0.0
    https://libvirt.org/news.html
  • virt-manager 1.3.2 -> 1.5.1
    https://github.com/virt-manager/virt-manager/blob/master/NEWS.md

Installing Bacula client from source

Again the new bacula-fd version 9.0.6 might be a problem, if you are running a Bacula server with an older version (s. Upgrade from Ubuntu Desktop 14.04 LTS to 16.04 LTS). In your job output, you will see an error like this:

25-Apr 02:15 server-dir JobId 5638: FD compression disabled for this Job because AllowCompress=No in Storage resource.
25-Apr 02:15 server-dir JobId 5638: Error: getmsg.c:178 Malformed message: Jmsg JobId=5638 type=9 level=1524615306 client-fd JobId 5638:      Unchanged file skipped: /etc/inputrc

25-Apr 02:15 server-dir JobId 5638: Error: getmsg.c:178 Malformed message: Jmsg JobId=5638 type=9 level=1524615306 client-fd JobId 5638:      Unchanged file skipped: /etc/bind/db.empty

25-Apr 02:15 server-sd JobId 5638: Fatal error: bsock.c:547 Packet size=1073742451 too big from "client:192.168.0.1:9103. Terminating connection.
25-Apr 02:15 server-dir JobId 5638: Error: getmsg.c:178 Malformed message: Jmsg JobId=5638 type=9 level=1524615306 client-fd JobId 5638:      Unchanged file skipped: /etc/bind/Kexample2.+163+42584.private

25-Apr 02:15 server-sd JobId 5638: Fatal error: append.c:149 Error reading data header from FD. n=-2 msglen=0 ERR=No data available
25-Apr 02:15 server-dir JobId 5638: Error: getmsg.c:178 Malformed message: Jmsg JobId=5638 type=9 level=1524615306 client-fd JobId 5638:      Unchanged file skipped: /etc/bind/zones.rfc1918

25-Apr 02:15 server-sd JobId 5638: Elapsed time=00:00:01, Transfer rate=186  Bytes/second
25-Apr 02:15 server-dir JobId 5638: Error: getmsg.c:178 Malformed message: Jmsg JobId=5638 type=4 level=1524615307 client-fd JobId 5638: Error: bsock.c:649 Write error sending 884 bytes to Storage daemon:192.168.0.1:9103: ERR=Broken pipe

25-Apr 02:15 server-dir JobId 5638: Error: getmsg.c:178 Malformed message: Jmsg JobId=5638 type=3 level=1524615307 client-fd JobId 5638: Fatal error: backup.c:843 Network send error to SD. ERR=Broken pipe

25-Apr 02:15 server-dir JobId 5638: Error: getmsg.c:178 Malformed message: Jmsg JobId=5638 type=4 level=1524615317 client-fd JobId 5638: Error: bsock.c:537 Socket has errors=1 on call to Storage daemon:192.168.0.1:9103

25-Apr 02:15 server-dir JobId 5638: Fatal error: bsock.c:547 Packet size=1073741935 too big from "Client: client-fd:client.example.com:9102. Terminating connection.
25-Apr 02:15 server-dir JobId 5638: Fatal error: No Job status returned from FD.

Here is how to install bacula-fd 5.2.13 from source on Ubuntu 18.04:

  • systemctl stop bacula-fd
  • Install packages required for building bacula client from source:
    apt-get install build-essentials libssl1.0-dev
  • Download bacula-5.2.13.tar.gz and bacula-5.2.13.tar.gz.sig from https://sourceforge.net/projects/bacula/files/bacula/5.2.13/
  • Import Bacula Distribution Verification Key and check key fingerprint (fingerprint for my downloaded Bacula key is 2CA9 F510 CA5C CAF6 1AB5  29F5 9E98 BF32 10A7 92AD):
    gpg --recv-keys 10A792AD
    gpg --fingerprint -k 10A792AD
  • Check signature of downloaded files:
    gpg --verify bacula-5.2.13.tar.gz.sig
  • tar -xzvf bacula-5.2.13.tar.gz
  • cd bacula-5.2.13
  • ./configure --prefix=/usr/local --enable-client-only --disable-build-dird --disable-build-stored --with-openssl --with-pid-dir=/var/run/bacula --with-systemd
  • check output of previous configure command
  • make && make install
  • check output of previous command for any errors
  • create new file /etc/ld.so.conf.d/local.conf:
    /usr/local/lib
  • ldconfig
  • Delete the following files:
    rm /lib/systemd/system/bacula-fd.service
    rm /etc/init.d/bacula-fd
    (In fact you can remove the bacula-fd 9.0.6 package completely, just make sure to copy the directory /etc/bacula somewhere safe before you do, and restore it afterwards.)
  • Create file /etc/systemd/system/bacula-fd.service (see below)
  • systemctl daemon-reload
  • systemctl start bacula-fd

/etc/systemd/system/bacula-fd.service:

[Unit] 
Description=Bacula File Daemon service 
Documentation=man:bacula-fd(8) 
Requires=network.target 
After=network.target 
RequiresMountsFor=/var/lib/bacula /etc/bacula /usr/sbin 
 
# from http://www.freedesktop.org/software/systemd/man/systemd.service.html 
[Service] 
Type=forking 
User=root 
Group=root 
Environment="CONFIG=/etc/bacula/bacula-fd.conf" 
EnvironmentFile=-/etc/default/bacula-fd 
ExecStartPre=/usr/local/sbin/bacula-fd -t -c $CONFIG 
ExecStart=/usr/local/sbin/bacula-fd -u root -g root -c $CONFIG 
ExecReload=/bin/kill -HUP $MAINPID 
SuccessExitStatus=15 
Restart=on-failure 
RestartSec=60 
PIDFile=/run/bacula/bacula-fd.9102.pid 

[Install] 
WantedBy=multi-user.target

Make sure that in you bacula-fd.conf, you have:

Pid Directory = /run/bacula

... and that the directory actually exists.

Some notable changes to systemd

When using systemd's default tmp.mount unit for /tmp, the mount point will now be established with the "nosuid" and "nodev" options. This avoids privilege escalation attacks that put traps and exploits into /tmp. However, this might cause problems if you e. g. put container images or overlays into /tmp; if you need this, override tmp.mount's "Options=" with a drop-in, or mount /tmp from /etc/fstab with your desired options.

systemd-resolved now listens on the local IP address 127.0.0.53:53 for DNS requests. This improves compatibility with local programs that do not use the libc NSS or systemd-resolved's bus APIs for name resolution. This minimal DNS service is only available to local programs and does not implement the full DNS protocol, but enough to cover local DNS clients. A new, static resolv.conf file, listing just this DNS server is now shipped in /usr/lib/systemd/resolv.conf. It is now recommended to make /etc/resolv.conf a symlink to this file in order to route all DNS lookups to systemd-resolved, regardless if done via NSS, the bus API or raw DNS packets. Note that this local DNS service is not as fully featured as the libc NSS or systemd-resolved's bus APIs. For example, as unicast DNS cannot be used to deliver link-local address information (as this implies sending a local interface index along), LLMNR/mDNS support via this interface is severely restricted. It is thus strongly recommended for all applications to use the libc NSS API or native systemd-resolved bus API instead.

systemd-resolved gained a new "DNSStubListener" setting in resolved.conf. It either takes a boolean value or the special values "udp" and "tcp", and configures whether to enable the stub DNS listener on 127.0.0.53:53.

The new ProtectKernelModules= option can be used to disable explicit load and unload operations of kernel modules by a service. In addition access to /usr/lib/modules is removed if this option is set.

Units acquired a new boolean option IPAccounting=. When turned on, IP traffic accounting (packet count as well as byte count) is done for the service, and shown as part of "systemctl status" or "systemd-run --wait". If CPUAccounting= or IPAccounting= is turned on for a unit a new structured log message is generated each time the unit is stopped, containing information about the consumed resources of this invocation.

Share

Check for new versions of Firefox, Thunderbird

Created a little Bash script on Github that reads your locally installed Firefox and Thunderbird versions and compares them to the newest versions available for download.

https://github.com/groland11/check-mozilla-updates

You can use it if:

  • you manually installed Firefox and Thunderbird with root privileges
  • you are an unprivileged user who may not tamper with the installation
  • Firefox and Thunderbird can not automatically update local installation
  • you do not want to run Firefox or Thunderbird to check for updates
Share

That was 2017

Ubuntu 16.04 LTS Security Notices

Overall USNs: 348

Highest CVE priority fixed by USN:

  • High: 61
  • Medium: 277
  • Low: 5

Bugfixes in Red Hat Enterprise Linux 7

https://www.redhat.com/security/data/metrics/

Critical: 45 vulnerabilities
** Average time for fixing: 2 days
** 15% were 0day
** 37% were within 1 day
** 100% were within 7 days
** 100% were within 14 days
** 100% were within 31 days
** 100% were within 90 days

Important: 137 vulnerabilities
**Average time for fixing: 39 days
** 22% were 0day
** 29% were within 1 day
** 63% were within 7 days
** 65% were within 14 days
** 69% were within 31 days
** 87% were within 90 days

Moderate: 308 vulnerabilities
**Average time for fixing: 165 days
** 3% were 0day
** 8% were within 1 day
** 20% were within 7 days
** 21% were within 14 days
** 25% were within 31 days
** 43% were within 90 days

Low: 103 vulnerabilities
**Average time for fixing: 264 days
** 0% were 0day
** 2% were within 1 day
** 7% were within 7 days
** 7% were within 14 days
** 7% were within 31 days
** 19% were within 90 days

Share