Vulnerability Management and more

@avleonovcom

Гео и язык канала: Весь мир, Английский

Категория: Технологии

Vulnerability assessment, IT compliance management, security automation and other beautiful stuff. Discussion group for this channel: @avleonovchat. PM me @leonov_av

Связанные каналы | Похожие каналы

Гео и язык канала

Весь мир, Английский

Категория

Технологии

Статистика

Избранное

Фильтр публикаций

Скрывать удаленные

Скрывать репосты

Vulnerability Management and more

30 Nov, 02:00

About Elevation of Privilege - PAN-OS (CVE-2024-9474) vulnerability. An attacker with PAN-OS administrator access to the management web interface can perform actions on the Palo Alto device with root privileges. Linux commands can be injected via unvalidated input in createRemoteAppwebSession.php script.

The need for authentication and admin access could limit this vulnerability's impact, but here we have the previous vulnerability Authentication Bypass - PAN-OS (CVE-2024-0012). 😏 Exploitation of this vulnerability chain was noted by Palo Alto on November 17. After November 19, when the watchTowr Labs article was published and exploits appeared, mass attacks began.

On November 21, Shadowserver reported that ~2000 hosts were compromised, mostly in the US and India. According to Wiz, attackers deployed web shells, Sliver implants and cryptominers.

На русском

@avleonovcom #watchTowrLabs #PANOS #PaloAlto #Shadowserver #Wiz

251 0 2 1

Vulnerability Management and more

28 Nov, 15:57

New episode "In The Trend of VM" (#9): 4 trending vulnerabilities of October, scandal at The Linux Foundation, social "attack on the complainer", "Ford's method" for motivating IT specialists to fix vulnerabilities. The competition for the best question on the topic of VM continues. 😉🎁

📹 Video on YouTube, LinkedIn
🗞 Post on Habr (rus)
🗒 Digest on the PT website

Content:

🔻 00:37 Elevation of Privilege - Microsoft Streaming Service (CVE-2024-30090)
🔻 01:46 Elevation of Privilege - Windows Kernel-Mode Driver (CVE-2024-35250)
🔻 02:38 Spoofing - Windows MSHTML Platform (CVE-2024-43573)
🔻 03:43 Remote Code Execution - XWiki Platform (CVE-2024-31982)
🔻 04:44 The scandal with the removal of Russian maintainers at The Linux Foundation, its impact on security and possible consequences.
🔻 05:22 Social "Attack on the complainer"
🔻 06:35 "Ford's method" for motivating IT staff to fix vulnerabilities: will it work?
🔻 08:00 About the digest, habr and the question contest 🎁
🔻 08:29 Backstage

На русском

@avleonovcom #TrendVulns #PositiveTechnologies #SecLab #Microsoft #StreamingService #KernelStreaming #DEVCORE #kssys #MSHTML #ZDI #VoidBanshee #AtlantidaStealer #XWiki #Linux #Kernel #HumanVM #VMprocess #Remediation #fun

In The Trend of VM #9: 4 October CVEs, Linux scandal, attack on the complainer, "Ford Method" for VM

In this episode, I will talk about trending October vulnerabilities, important events in the Linux world that impact the global IT landscape. I will also talk about cases of social engineering and the Vulnerability Management process. Subscribe to the avleonovcom Telegram channel "Vulnerability Man...

310 0 1

Vulnerability Management and more

27 Nov, 18:23

About Authentication Bypass - PAN-OS (CVE-2024-0012) vulnerability. An unauthenticated attacker with network access to the Palo Alto device web management interface could gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated vulnerabilities. Firewalls of the PA, VM, CN series and the Panorama management platform are vulnerable. The vendor recommends restricting access to the management web interface to trusted internal IP addresses only.

🔻 On November 8, a Palo Alto bulletin was released
🔻 On November 15, signs of attacks were noticed, labeled as "Operation Lunar Peek"
🔻 On November 18, the vulnerability was added to the CISA KEV
🔻 On November 19, watchTowr Labs released a post with technical details ("supply the off value to the X-PAN-AUTHCHECK HTTP request header, and the server helpfully turns off authentication") 😏 and exploits soon appeared on GitHub

На русском

@avleonovcom #watchTowrLabs #PANOS #PaloAlto #CISAKEV

351 0 2 1

Vulnerability Management and more

21 Nov, 01:15

November Linux Patch Wednesday. I was happy in October that the number of vulnerabilities was gradually decreasing to an acceptable level, and in November I got a peak again. A total of 803 vulnerabilities. Of these, 567 are in the Linux Kernel. Kind of crazy. 😱

2 vulnerabilities in Chromium with signs of exploitation in the wild:

🔻 Security Feature Bypass - Chromium (CVE-2024-10229)
🔻 Memory Corruption - Chromium (CVE-2024-10230, CVE-2024-10231)

There are no signs of exploitation in the wild for 27 vulnerabilities yet, but there are public exploits. Of these, I would draw attention to:

🔸 Remote Code Execution - PyTorch (CVE-2024-48063)
🔸 Remote Code Execution - OpenRefine Butterfly (CVE-2024-47883) - "web application framework"
🔸 Code Injection - OpenRefine tool (CVE-2024-47881)
🔸 Command Injection - Eclipse Jetty (CVE-2024-6763)
🔸 Memory Corruption - pure-ftpd (CVE-2024-48208)

🗒 Vulristics November Linux Patch Wednesday Report

На русском

@avleonovcom #LinuxPatchWednesday #Vulristics #Linux

578 0 1 7

Vulnerability Management and more

20 Nov, 00:26

About Remote Code Execution - FortiManager "FortiJump" (CVE-2024-47575) vulnerability. FortiManager is a centralized solution for configuring, enforcing policies, updating, and monitoring Fortinet network devices.

🔻 The vulnerability was released on October 23. A missing authentication for critical function in the FortiManager fgfmd (FortiGate-to-FortiManager) daemon allows remote attacker to execute arbitrary code or commands via specially crafted requests. There were signs of exploitation in the wild and the vulnerability was added to the CISA KEV.

🔻 On November 15, WatchTowr Labs published a post about this "FortiJump" vulnerability with a video demo and a link to the PoC. The researchers noted that the IOCs in the Fortinet bulletin can be bypassed. And the patch itself is incomplete. It is possible to escalate privileges on a patched device by exploiting a vulnerability called "FortiJump Higher".

На русском

@avleonovcom #Fortinet #FortiManager #FortiJump #watchTowrLabs

546 0 5 4

Vulnerability Management and more

19 Nov, 11:19

On November 13, NIST NVD finally admitted the obvious: they had failed to process the CVE analysis backlog before the end of the fiscal year (September 30). This is actually visible in their own statistics. At the moment, there are 19860 identifiers in the backlog. This week, 1136 new CVEs were received, and they analyzed only 510. And this is not some abnormal week, this happens regularly. They can't cope with analyzing new vulnerabilities, they don't have time to deal with the backlog. The crisis continues.

At the same time, for some reason, they write in the message that they have a full team of analysts, and they are addressing all incoming CVEs as they are uploaded into NVD system. But why do their statistics show the opposite?

They write that they processed all the vulnerabilities from CISA KEV. And that's good. But CISA KEV only added 162 CVEs in 2024. It's great that NVD was able to process these identifiers, but the achievement is, to put it mildly, not impressive.

Why can't NVD process this backlog?

They write that the problem is in the format of data from Authorized Data Providers (ADPs), apparently meaning CISA Vulnrichment. NVD is currently unable to effectively import and enhance data in this format. In order to be able to do this, they are developing some "new systems".

Not only have they admitted their inability to analyze vulnerabilities on their own and their willingness to use the results of someone else’s analysis as is, they also cannot write parser-converters in any adequate time. 🐾 I have no words. 🤦‍♂️

And now there is news that US Senator Rand Paul, the new chairman of the Senate Homeland Security Committee, has promised to seriously reduce the powers of CISA or eliminate them completely. 😁 It's all because of CISA's work "to counter disinformation" before the US elections. So the only American information security regulator capable of doing anything useful in a reasonable amount of time could be destroyed. Great idea, comrades, keep it up. 👍

I expect nothing but further degradation.

На русском

@avleonovcom #NIST #NVD #CISA #Vulnrichment #thoseamericans

500 0 1 2

Vulnerability Management and more

19 Nov, 11:19

421 0 1

Vulnerability Management and more

16 Nov, 15:09

Qualys released QScanner - a console vulnerability scanner for container images. Feed it an image and get a list of vulnerabilities (a la Trivy).

It supports:

"Local Runtimes: Scan images from Docker, Containerd, or Podman.
Local Archives: Analyze Docker images or OCI layouts from local files.
Remote Registries: Connect to AWS ECR, Azure Container Registry, JFrog, GHCR, and more."

Capabilities:

🔹 Detects OS package vulnerabilities
🔹 Software Composition Analysis (SCA) for Ruby, Rust, PHP, Java, Go, Python, .NET and Node.js applications.
🔹 Detects secrets (passwords, API keys and tokens)

But it's not free. 🤷‍♂️💸🙂 All cases, except SBOM generation, require ACCESS_TOKEN and Platform POD. QScanner is the interface of Qualys Container Security module.

It can be used for:

🔸 scanning local images on developers' desktops
🔸 integration into CI/CD pipelines
🔸 integration with registries

The concept is interesting. 👍

На русском

@avleonovcom #Qualys #QScanner #ContainerSecurity #SCA

567 0 3 7

Vulnerability Management and more

13 Nov, 01:48

November Microsoft Patch Tuesday. 125 CVEs, 35 of which were added since October MSPT. 2 vulnerabilities with signs of exploitation in the wild:

🔻 Elevation of Privilege - Windows Task Scheduler (CVE-2024-49039)
🔻 Disclosure/Spoofing - NTLM Hash (CVE-2024-43451)

No signs of exploitation, but with a private PoC of the exploit:

🔸 Remote Code Execution - Microsoft Edge (CVE-2024-43595, CVE-2024-43596)
🔸 Authentication Bypass - Azure Functions (CVE-2024-38204)
🔸 Authentication Bypass - Microsoft Dataverse (CVE-2024-38139)
🔸 Spoofing - Microsoft Exchange (CVE-2024-49040)

Among the rest can be highlighted:

🔹Remote Code Execution - Windows Kerberos (CVE-2024-43639)
🔹Elevation of Privilege - Windows Win32k (CVE-2024-43636)
🔹Elevation of Privilege - Windows DWM Core Library (CVE-2024-43629)
🔹Elevation of Privilege - Windows NT OS Kernel (CVE-2024-43623)

🗒 Full Vulristics report

На русском

@avleonovcom #Vulristics #PatchTuesday #Microsoft #Windows

619 0 3 2 1

Vulnerability Management and more

12 Nov, 11:16

I transformed my English-language site avleonov.com. While my Russian-language site avleonov.ru was intended as a mirror of my Telegram channel @avleonovrus, I wasn't sure how to move forward with the English-language site. 🤔

I've been running it since 2016. For a long time, it was my main VM blog. Since February 2020, I have been making posts there exclusively with videos. 🪧 I have released 94 videos. But over time, I grew tired of this format. 😮‍💨 It was easier and more engaging to create videos in Russian (starting with "Прожекторе по ИБ", and later in "В тренде VM") and translate them into English when needed.

Since March 2024, the English site had no updates. New posts appeared exclusively on the Telegram channel @avleonovcom. 🤷‍♂️ So, I decided to make the site a mirror of this channel. 🪞

✅ I updated the scripts and uploaded 117 Telegram posts (since March 2024) to the site, leaving the earlier content as is.

На русском

@avleonovcom #blogging #Telegram #Mirror #TrendVulns #SecLab

607 0 1 2

Vulnerability Management and more

31 Oct, 14:50

About Remote Code Execution - XWiki Platform (CVE-2024-31982) vulnerability. XWiki is a free open-source wiki platform. Its main feature is simplified extensibility. XWiki is often used in corporate environments as a replacement for commercial Wiki solutions (such as Atlassian Confluence).

A vulnerability with CVSS Base Score 10, published on April 10, allows attackers to execute arbitrary code via queries in the XWiki database search interface. This interface is available to all users by default and complements the regular XWiki search. If it is not needed, it can be disabled by removing the Main.DatabaseSearch page. The vulnerability is fixed in XWiki versions 14.10.20, 15.5.4 and 15.10RC1.

An exploit PoC was provided by XWiki developers in their vulnerability bulletin. 🤷‍♂️ Functional scripts for exploiting this vulnerability have been available on GitHub since June 22.

If your organization uses XWiki, be sure to pay attention.

На русском

@avleonovcom #XWiki

862 0 1 1 2

Vulnerability Management and more

30 Oct, 13:51

What is known about the Spoofing - Windows MSHTML Platform (CVE-2024-43573) vulnerability from the October Microsoft Patch Tuesday? In fact, just that it is being exploited in the wild. There are no write-ups or public exploits yet. The Acknowledgements section in the Microsoft bulletin is empty. It is not clear who reported it and from whom we can expect details.

ZDI suggested that this could be an additional fix for a similar July vulnerability Spoofing - Windows MSHTML Platform (CVE-2024-38112). The vulnerability type and component are the same. The July vulnerability was about ".url" file handling and was exploited by the APT group Void Banshee to install the Atlantida Stealer malware. Attackers may have bypassed the initial fix, prompting Microsoft to release a new patch. So far, this is only an assumption. But the vulnerability shouldn’t be ignored despite its low CVSS Base score (6.5).

На русском

@avleonovcom #Microsoft #MSHTML #ZDI #VoidBanshee #AtlantidaStealer

684 0 1 1

Vulnerability Management and more

27 Oct, 19:24

The severity of the Remote Code Execution - Microsoft SharePoint (CVE-2024-38094) vulnerability has increased. It was fixed as part of the July Microsoft Patch Tuesday (July 9).

SharePoint is a popular platform for corporate portals. According to the Microsoft bulletin, аn authenticated attacker with Site Owner permissions can use the vulnerability to inject arbitrary code and execute this code in the context of SharePoint Server.

On July 10, a repository with a PoC exploit for this vulnerability appeared on GitHub, as well as a video demonstrating how an attacker can launch processes on the attacked SharePoint server. A GitHub search by CVE number does not find a repository with the exploit, but a link is available in the The Hacker News article. Exploit also relates to the July SharePoint RCEs CVE-2024-38023 and CVE-2024-38024.

On October 22, the vulnerability was added to the CISA KEV, which means it was exploited in the wild.

На русском

@avleonovcom #SharePoint #Microsoft #CISAKEV

662 0 3 2

Vulnerability Management and more

23 Oct, 23:26

On Monday, October 21, updates for the critical Remote Code Execution - VMware vCenter (CVE-2024-38812) vulnerability were released again. Wait, haven't fixes for this vulnerability been available since September 17th? They were, but it was not enough.

"VMware by Broadcom has determined that the vCenter patches released on September 17, 2024 did not completely address CVE-2024-38812. The patches listed in the Response Matrix below are updated versions that contain additional fixes to fully address CVE-2024-38812."

If you are using VMware vCenter, please take note and update it again. Current secure versions of VMware vCenter Server are 7.0 U3t, 8.0 U2e and 8.0 U3d.

Updates are also available for the VMware Cloud Foundation.

На русском

@avleonovcom #DCERPC #VMware #vCenter

716 0 2 1 5

Vulnerability Management and more

22 Oct, 23:07

The severity of the Elevation of Privilege - Windows Kernel-Mode Driver (CVE-2024-35250) vulnerability has increased. This vulnerability was fixed as part of the June Microsoft Patch Tuesday. As in the case of the CVE-2024-30090 vulnerability, it was discovered by a researcher with the nickname Angelboy from DEVCORE. And it also affects the Kernel Streaming framework, and specifically its core component - the ks.sys driver. Angelboy wrote about this vulnerability in a post on August 23.

On October 13, a PoC of the exploit, released by user varwara, appeared on GitHub. The repository also contains a video demonstrating the launch of the exploit and obtaining System privileges.

Updates are available for Windows 10 and 11, and Windows Server from 2008 to 2022.

На русском

@avleonovcom #Microsoft #kssys #KernelStreaming #DEVCORE

671 0 1 2

Vulnerability Management and more

22 Oct, 14:44

The severity of the Elevation of Privilege - Microsoft Streaming Service (CVE-2024-30090) vulnerability has increased. The vulnerability was fixed as part of the June Microsoft Patch Tuesday. At that time, no one highlighted this vulnerability. The vulnerability was discovered by a researcher with the nickname Angelboy from the DEVCORE company. The details are described in a series of his posts published on August 23 and October 5.

The vulnerability affects the Kernel Streaming framework, which is responsible for processing stream data. It is used, for example, when the system needs to read data from your microphones or webcams into RAM. This framework works mainly in kernel mode.

On October 5, Angelboy posted a video, demonstrating exploitation of this vulnerability for obtaining an interactive console with System privileges.

On October 17, a researcher with the nickname Dor00tkit released a PoC of the exploit on GitHub.

На русском

@avleonovcom #Microsoft #StreamingService #KernelStreaming #DEVCORE

594 0 0 1 1

Vulnerability Management and more

21 Oct, 16:01

September episode of "In The Trend of VM": 7 CVEs, fake reCAPTCHA, lebanese pagers, VM and IT annual bonuses. Starting this month, we decided to slightly expand the topics of the videos and increase their duration. I cover not only the trending vulnerabilities of September, but also social engineering cases, real-world vulnerability exploitation, and practices of vulnerability management process. At the end we announce a contest of questions about Vulnerability Management with gifts. 🎁

📹 Video "In The Trend of VM" on YouTube
🗞 A post on Habr (rus) a slightly expanded script of the video
🗒 A compact digest on the official PT website

Content:

🔻 00:51 Elevation of Privilege - Windows Installer (CVE-2024-38014) and details about this vulnerability
🔻 02:42 Security Feature Bypass - Windows Mark of the Web "LNK Stomping" (CVE-2024-38217)
🔻 03:50 Spoofing - Windows MSHTML Platform (CVE-2024-43461)
🔻 05:07 Remote Code Execution - VMware vCenter (CVE-2024-38812)
🔻 06:20 Remote Code Execution - Veeam Backup & Replication (CVE-2024-40711), while the video was being edited, data about exploitation in the wild appeared
🔻 08:33 Cross Site Scripting - Roundcube Webmail (CVE-2024-37383)
🔻 09:31 SQL Injection - The Events Calendar plugin for WordPress (CVE-2024-8275)
🔻 10:30 Human vulnerabilities: fake reCAPTCHA
🔻 11:45 Real world vulnerabilities: еxplosions of pagers and other electronic devices in Lebanon and the consequences for the whole world
🔻 14:42 Vulnerability management process practices: tie annual bonuses of IT specialists to meeting SLAs for eliminating vulnerabilities
🔻 16:03 Final and announcement of the contest
🔻 16:24 Backstage

На русском

@avleonovcom #TrendVulns #PositiveTechnologies #Microsoft #WindowsInstaller #SECConsult #msiscan #MSI #LNKStomping #MotW #MSHTML #ZDI #VoidBanshee #DCERPC #VMware #vCenter #Veeam #Backup #Replication #CODEWHITE #watchTowrLabs #Sophos #Akira #Fog #Roundcube #WordPress #TheEventsCalendar #reCAPTCHA #Phishing #HumanVM #pager #GoldApollo #AR924 #ICOM #ICV82 #smartphone #VMprocess #PTVMcourse #Remediation #SLA

In The Trend of VM September 2024: 7 CVEs, fake reCAPTCHA, lebanese pagers, VM and IT annual bonuses

Starting this month, we decided to slightly expand the topics of the videos and increase their duration. I cover not only the trending vulnerabilities of September, but also social engineering cases, real-world vulnerability exploitation, and practices of vulnerability management process. At the end...

659 0 5 2

Vulnerability Management and more

17 Oct, 00:56

October Linux Patch Wednesday. There are 248 vulnerabilities in total. Of these, 92 are in the Linux Kernel.

5 vulnerabilities with signs of exploitation in the wild:

🔻 Remote Code Execution - CUPS (CVE-2024-47176) and 4 more CUPS vulnerabilities that can also be used to enhance DoS attacks
🔻 Remote Code Execution - Mozilla Firefox (CVE-2024-9680)

For 10 vulnerabilities there are no signs of exploitation in the wild yet, but exploits exist. Among them, the following can be highlighted:

🔸 Remote Code Execution - Cacti (CVE-2024-43363)
🔸 Elevation of Privilege - Linux Kernel (CVE-2024-46848)
🔸 Arbitrary File Reading - Jenkins (CVE-2024-43044)
🔸 Denial of Service - CUPS (CVE-2024-47850)
🔸 Cross Site Scripting - Rollup JavaScript module (CVE-2024-47068)

🗒 Vulristics October Linux Patch Wednesday Report

На русском

@avleonovcom #LinuxPatchWednesday #Vulristics #Linux

760 0 4 4

Vulnerability Management and more

15 Oct, 15:21

About Cross Site Scripting - Roundcube Webmail (CVE-2024-37383) vulnerability. Roundcube is a web-based email client with functionality comparable to desktop email clients such as Outlook Express or Mozilla Thunderbird.

The vulnerability is caused by an error in the processing of SVG elements in the email body. The victim opens an email from the attacker, which causes malicious JavaScript code to be executed in the context of the user's page.

In September 2024, specialists from the TI department of the Positive Technologies Expert Security Center (PT ESC) discovered a malicious email with signs of exploitation of this vulnerability. It was sent to one of the government agencies of the CIS countries.

Attacks on Roundcube are not uncommon. At the end of last year, there were news about the exploitation of a similar vulnerability CVE-2023-5631 in targeted attacks.

Update it in a timely manner!

На русском

@avleonovcom #Roundcube #PositiveTechnologies

717 0 2 2

Vulnerability Management and more

13 Oct, 12:41

Veeam B&R RCE vulnerability CVE-2024-40711 is exploited in attacks. On September 24, there were no signs of this vulnerability being exploited in the wild. And on October 10, Sophos X-Ops reported that they had observed a series of attacks exploiting this vulnerability over the course of a month. The attackers' goal was to install Akira and Fog ransomware. 🤷‍♂️

The thesis of my original post was correct. The absence of reports on the exploitation of vulnerabilities in real attacks is not a reason to ignore them.

"This does not mean that attackers do not exploit these vulnerabilities. It is possible that targeted attacks using these vulnerabilities have simply not yet been reliably confirmed."

🟥 Positive Technologies classifies the vulnerability as trending since September 10th.

На русском

@avleonovcom #Veeam #Backup #Replication #PositiveTechnologies #Sophos #TrendVulns #Akira #Fog

723 0 3 1 4

Показано 20 последних публикаций.

2 792

подписчиков

Статистика канала

Язык сайта

Надо было вчера

Книга "Взгляд в будущее: шаги к себе"

Посмеемся?

Vulnerability Management and more

Гео и язык канала

Категория

2 792

Популярное в канале