Vulnerability Management and more


Channel geography and language: Worldwide, English


Vulnerability assessment, IT compliance management, security automation and other beautiful stuff. Discussion group for this channel: @avleonovchat. PM me @leonov_av




I have finalized the list of trending vulnerabilities for 2024 according to Positive Technologies. Last year, 74 vulnerabilities were classified as trending (to compare the scale, just over 40,000 were added to NVD in 2024).

All trending vulnerabilities are found in Western commercial products and open source projects. This year, the vulnerabilities of domestic Russian products did not reach the level of criticality required to classify them as trending.

For 55 of all trending vulnerabilities there are currently signs of exploitation in attacks, for 17 there are public exploits (but no signs of exploitation) and for the remaining 2 there is only a possibility of future exploitation.

Vulnerabilities were often added to trending ones before signs of exploitation in the wild appeared. For example, the remote code execution vulnerability in VMware vCenter (CVE-2024-38812) was added to the list of trending vulnerabilities on September 20, 3 days after the vendor's security bulletin appeared. There were no signs of exploitation in the wild or public exploit for this vulnerability. Signs of exploitation appeared only 2 months later, on November 18.

Most of the vulnerabilities in the trending list are of the following types: Remote Code or Command Execution (24) and Elevation of Privilege (21).

4 vulnerabilities in Barracuda Email Security Gateway (CVE-2023-2868), MOVEit Transfer (CVE-2023-34362), PaperCut (CVE-2023-27350) and SugarCRM (CVE-2023-22952) were added in early January 2024. These vulnerabilities were massively exploited in the West in 2023, and attacks using these vulnerabilities could also tangentially affect those domestic Russian organizations where these products had not yet been taken out of service. The rest of the vulnerabilities became trending in 2024.

34 trending vulnerabilities affect Microsoft products (45%).

🔹 17 of them are Elevation of Privilege vulnerabilities in the Windows kernel and standard components.

🔹 1 Remote Code Execution vulnerability in Windows Remote Desktop Licensing Service (CVE-2024-38077).

2 trending Elevation of Privilege vulnerabilities affect Linux systems: one in nftables (CVE-2024-1086), and the second in needrestart (CVE-2024-48990).

Other groups of vulnerabilities

🔻 Phishing attacks: 19 (Windows components, Outlook, Exchange, Ghostscript, Roundcube)
🔻 Network security and entry points: 13 (Palo Alto, Fortinet, Juniper, Ivanti, Check Point, Zyxel)
🔻 Virtual infrastructure and backups: 7 (VMware, Veeam, Acronis)
🔻 Software development: 6 (GitLab, TeamCity, Jenkins, PHP, Fluent Bit, Apache Struts)
🔻 Collaboration tools: 3 (Atlassian Confluence, XWiki)
🔻 CMS WordPress plugins: 3 (LiteSpeed Cache, The Events Calendar, Hunk Companion)

🗒 Full Vulristics report

🟥 Article on the official website "Vulnerable software and hardware vs. security researchers" (rus)

In Russian

@avleonovcom #TrendVulns #PositiveTechnologies #Barracuda #MOVEitTransfer #papercut #SugarCRM #Microsoft #Windows #RDLS #Linux #nftables #needrestart #Windows #Ghostscript #Outlook #Exchange #Roundcube #PaloAlto #Fortinet #Juniper #Ivanti #CheckPoint #Zyxel #VMware #Veeam #Acronis #GitLab #TeamCity #Jenkins #PHP #FluentBit #Struts #Atlassian #Confluence #XWiki #WordPress #LiteSpeedCache #TheEventsCalendar #HunkCompanion




January Linux Patch Wednesday. Out of 424 total vulnerabilities, 271 are in the Linux Kernel. None show signs of exploitation in the wild, but 9 have public exploits.

🔸 RCE - Apache Tomcat (CVE-2024-56337). Based on the description, the vulnerability affects "case-insensitive file systems" like Windows or macOS. However, Debian lists it as affecting tomcat9 and tomcat10. Either this is about rare case-insensitive Linux installations or there is an error in the description. 🤷‍♂️
🔸 RCE - Chromium (CVE-2025-0291). According to the FSTEC BDU, a public exploit exists.
🔸 RCE - 7-Zip (CVE-2024-11477). What's in the public is not an exploit, but a write-up.
🔸 Memory Corruption - Theora (CVE-2024-56431). It's not clear yet how to exploit this. 🤷‍♂️
🔸 Memory Corruption - Telegram (CVE-2021-31320, CVE-2021-31319, CVE-2021-31315, CVE-2021-31318, CVE-2021-31322). Ubuntu fixed these vulnerabilities in the rlottie library package.

🗒 Full Vulristics report

In Russian

@avleonovcom #LinuxPatchWednesday #Vulristics #Linux


The Elevation of Privilege - Windows Common Log File System Driver (CVE-2024-49138) has become more critical. Just as I wrote that nothing had been heard about this vulnerability for a month since it was first published in Microsoft's December Patch Tuesday, a public exploit for it appeared on January 15th. 🙂 It was developed by Alessandro Iandoli from HN Security. The source code and video demonstrating the exploit are available on GitHub: a local attacker runs an exe file in PowerShell and, after a second, becomes "nt authority/system". The researcher tested the exploit on Windows 11 23h2. He also promises to publish a blog post with a detailed analysis of the vulnerability.

In Russian

@avleonovcom #CLFS #Windows #HNSecurity


What has become known about the Elevation of Privilege - Windows Common Log File System Driver (CVE-2024-49138) vulnerability from the December Microsoft Patch Tuesday a month later? Almost nothing. 🙄 This is a vulnerability in a standard Windows component, available in all versions starting with Windows Server 2003 R2. Its description is typical for EoP in Windows: if successfully exploited, a local attacker can gain SYSTEM privileges. The cause of the vulnerability is Heap-based Buffer Overflow.

Microsoft has labeled the vulnerability as being exploited in the wild, but has not provided information on where the vulnerability was being exploited or how widespread the attacks were.

The vulnerability was reported by CrowdStrike's Advanced Research Team. But neither they nor other researchers have provided technical details yet. 🤷‍♂️ And there are no exploits yet either.

So install the December Microsoft security updates and let's wait for news! 😉

Update

In Russian

@avleonovcom #CLFS #Windows #CrowdStrike


January Microsoft Patch Tuesday. 170 CVEs, 10 of them were added since December MSPT. 3 exploited in the wild:

🔻 EoP - Windows Hyper-V NT Kernel Integration VSP (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335). No details yet.

No vulnerabilities have public exploits. 5 have private ones:

🔸 Security Feature Bypass - Microsoft Update Catalog (CVE-2024-49147), MapUrlToZone (CVE-2025-21268, CVE-2025-21189)
🔸 EoP - Windows Installer (CVE-2025-21287)
🔸 Auth. Bypass - Azure (CVE-2025-21380)

Notable among the rest:

🔹 RCE - Windows OLE (CVE-2025-21298), Windows RMCAST (CVE-2025-21307), Microsoft Office (CVE-2025-21365), Windows Remote Desktop Services (CVE-2025-21297, CVE-2025-21309), NEGOEX (CVE-2025-21295)
🔹 EoP - Windows NTLM V1 (CVE-2025-21311), Windows Search Service (CVE-2025-21292), Windows App Package Installer (CVE-2025-21275)
🔹 Spoofing - Windows Themes (CVE-2025-21308)

🗒 Full Vulristics report

In Russian

@avleonovcom #Vulristics #PatchTuesday #Microsoft #Windows


About Elevation of Privilege - Windows Kernel Streaming WOW Thunk Service Driver (CVE-2024-38144) vulnerability. The vulnerability is from the August Microsoft Patch Tuesday. It wasn't highlighted in reviews; all we knew was that a local attacker could gain SYSTEM privileges.

Three and a half months later, on November 27, SSD Secure Disclosure released a write-up with exploit code. This vulnerability was exploited at TyphoonPWN 2024, earning the researcher a $70,000 prize.

SSD stated in their write-up that communications with Microsoft were problematic and noted that "at the time of trying this on the latest version of Windows 11, the vulnerability still worked". It's unclear if this "time of trying" was before the August MSPT or just before the write-up was released in November. If the second option, the vulnerability might still be a 0day. 🤔🤷‍♂️

No reports of this vulnerability being exploited in attacks yet.

In Russian

@avleonovcom #ksthunk #Windows #SSD


About Authentication Bypass - Hunk Companion WordPress plugin (CVE-2024-11972) vulnerability. ThemeHunk company develops commercial themes for WordPress CMS. And the Hunk Companion plugin is designed to complement and enhance the functionality of these themes. The plugin has over 10,000 installations.

On December 10, WPScan reported a vulnerability in Hunk Companion plugin versions below 1.9.0, allowing unauthenticated attackers to install and activate plugins from the WordPressOrg repository. The exploit has been on GitHub since December 28.

This way, attackers can install plugins that contain additional vulnerabilities. 👾 In the incident analyzed by WPScan, the attackers installed the WP Query Console plugin with RCE vulnerability CVE-2024-50498 on the website and exploited it to install a backdoor.

If you use WordPress, try to minimize the number of plugins and update them regularly!

In Russian

@avleonovcom #WPScan #HunkCompanion #WordPress
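
A defender-side check for the exposure described in this post, as an added example that is not part of the original post or of WPScan's tooling: it reads plugin headers under `wp-content/plugins`, flags Hunk Companion below 1.9.0 and reports WP Query Console if it is present. The directory slugs `hunk-companion` and `wp-query-console`, the helper names and the sample tree are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Assumed wordpress.org slugs (plugin directory names); they are not given on the page.
HUNK_SLUG = "hunk-companion"
QUERY_CONSOLE_SLUG = "wp-query-console"
FIXED = (1, 9, 0)  # from the post: versions below 1.9.0 are affected

# Header lines as WordPress writes them in a plugin's main file comment block.
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.M | re.I)

def plugin_header(plugin_dir):
    """Return header fields from the first top-level PHP file that has 'Plugin Name'."""
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        fields = {}
        for key, value in HEADER.findall(head):
            fields.setdefault(key.lower(), value)  # keep the first occurrence
        if "plugin name" in fields:
            return fields
    return {}

def parse_version(text):
    """'1.8.4' -> (1, 8, 4); short versions are zero-padded, suffixes ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def audit(plugins_root):
    """Return findings for one wp-content/plugins directory."""
    findings = []
    hunk = Path(plugins_root) / HUNK_SLUG
    if hunk.is_dir():
        version = plugin_header(hunk).get("version")
        if version is None:
            findings.append(f"{HUNK_SLUG}: version not found, check manually")
        elif parse_version(version) < FIXED:
            findings.append(f"{HUNK_SLUG} {version}: below 1.9.0 (CVE-2024-11972)")
    if (Path(plugins_root) / QUERY_CONSOLE_SLUG).is_dir():
        findings.append(f"{QUERY_CONSOLE_SLUG}: present (CVE-2024-50498), "
                        "confirm an administrator installed it")
    return findings

def build_sample(root, hunk_version):
    """Constructed plugin tree for the demo; file names and contents are made up."""
    for slug, name, version in [(HUNK_SLUG, "Hunk Companion", hunk_version),
                                (QUERY_CONSOLE_SLUG, "WP Query Console", "1.0")]:
        plugin = Path(root) / slug
        plugin.mkdir(parents=True)
        (plugin / "main.php").write_text(
            f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n",
            encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, "1.8.4")
        for line in audit(tmp):
            print(line)
```

Point `audit()` at each site's real `wp-content/plugins` path; an unexpected WP Query Console directory matters even when Hunk Companion is already updated, because the post describes it as what the attackers installed.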


Aggregators of actively discussed vulnerabilities. Alexander Redchits updated his list of services that highlight TOP CVE vulnerabilities and uploaded it with descriptions to teletype (in Russian). Now there are 11 of them:

1. Intruder's Top CVE Trends & Expert Vulnerability Insights
2. Cytidel Top Trending
3. CVE Crowd
4. Feedly Trending Vulnerabilities
5. CVEShield
6. CVE Radar
7. Vulners "Discussed in social networks"
8. Vulmon Vulnerability Trends
9. SecurityVulnerability Trends
10. CVESky
11. Vulnerability-lookup

It's great that there are so many of them! 👍 But for the most part, these services are NOT about real attacks and exploitability, but about the desire of the information security community to discuss some vulnerabilities. What is being discussed may not always be important to you.

And the attention span of the information security community is like that of a goldfish: they analyze a vulnerability/incident, demonstrate their expertise and immediately forget about it. 🤷‍♂️😏

It's fascinating to look at these selections of CVE vulnerabilities, but using these lists to prioritize vulnerabilities in the VM process is a bad idea. It's better to focus on the trending vulnerability lists provided by Positive Technologies. 😉😇

In Russian

@avleonovcom #CVETop #TrendVulns




About Remote Code Execution - Apache Struts (CVE-2024-53677) vulnerability. Apache Struts is an open source software framework for building Java web applications. It allows developers to separate the application's business logic from the user interface. Due to its scalability and flexibility, Apache Struts is often used in large enterprise projects.

A security bulletin describing the vulnerability was released on December 14. A flaw in file upload logic allows an unauthenticated attacker to perform Path Traversal, upload a malicious file, and, under certain circumstances, perform Remote Code Execution. On December 20, a public exploit for the vulnerability was released. There are reports of exploitation attempts, but no information on successful attacks yet.

The vendor recommends upgrading to version 6.4.0 or higher and migrating applications to the new secure File Upload mechanism.

In Russian

@avleonovcom #Apache #Struts


About Remote Code Execution - Windows Lightweight Directory Access Protocol (LDAP) (CVE-2024-49112). The vulnerability is from the December Microsoft Patch Tuesday. Three weeks later, on January 1, researchers from SafeBreach released a write-up on this vulnerability, labeled as LDAPNightmare, and an exploit PoC.

The exploit causes a forced reboot of Windows servers. One prerequisite: the victim domain controller's DNS server must have Internet connectivity.

The attack flow starts with a DCE/RPC request sent to the victim server. LSASS (Local Security Authority Subsystem Service) then crashes and forces a reboot when the attacker sends a specially crafted CLDAP (Connectionless Lightweight Directory Access Protocol) referral response packet.

But this is all about DoS, why RCE? 🤔 Researchers note that RCE can be achieved by modifying the CLDAP packet.

In Russian

@avleonovcom #Windows #LDAP #LDAPNightmare


New episode "In The Trend of VM" (#10): 8 trending vulnerabilities of November, zero budget VM and who should look for patches. The competition for the best question on the topic of VM continues. 😉🎁

📹 Video on YouTube, LinkedIn
🗞 Post on Habr (rus)
🗒 Digest on the PT website

Content:

🔻 00:29 Spoofing - Windows NTLM (CVE-2024-43451)
🔻 01:16 Elevation of Privilege - Windows Task Scheduler (CVE-2024-49039)
🔻 02:16 Spoofing - Microsoft Exchange (CVE-2024-49040)
🔻 03:03 Elevation of Privilege - needrestart (CVE-2024-48990)
🔻 04:11 Remote Code Execution - FortiManager "FortiJump" (CVE-2024-47575)
🔻 05:19 Authentication Bypass - PAN-OS (CVE-2024-0012)
🔻 06:32 Elevation of Privilege - PAN-OS (CVE-2024-9474)
🔻 07:42 Path Traversal - Zyxel firewall (CVE-2024-11667)
🔻 08:37 Is it possible to Manage Vulnerabilities with no budget?
🔻 09:53 Should a VM specialist specify a patch to install on the host in a Vulnerability Remediation task?
🔻 10:51 Full digest of trending vulnerabilities
🔻 11:18 Backstage

In Russian

@avleonovcom #TrendVulns #PositiveTechnologies #SecLab #Microsoft #NTLM #MSHTML #ClearSky #SparkRAT #Windows #AppContainer #TaskScheduler #RomCom #Firefox #Exchange #Kaspersky #needrestart #Ubuntu #Qualys #Fortinet #FortiManager #FortiJump #watchTowrLabs #PANOS #PaloAlto #CISAKEV #Shadowserver #Zyxel #Sekoia #Helldown #VMprocess #Detection #Remediation #VMprocess


The results of 2024. This week, our whole family made traditional cookies. 😇 The cookies may be a bit crooked, but they are delicious and we made them with love. 🙂 Such is the year.

It was a wonderful year for me. I don't feel like this year was hard. I feel only joy, satisfaction and gratitude to the Creator for everything. 🙏 I wish the same for everyone!

I did a lot of things this year. I shared public results in the channel (although mainly in my Russian-language channel); the non-public ones are known only to those who need to know. 😉 There were also topics that I stopped working on. But I did this consciously, based on an understanding of my interests, their timeliness, usefulness and the limitations of my resources. 😌

I don't have any plans for next year. Let it be as it will be. 😇

In Russian

@avleonovcom #ny #ny2025


About Denial of Service - PAN-OS (CVE-2024-3393) vulnerability. PAN-OS is the operating system that runs all Palo Alto Networks NGFWs. The vendor's advisory was released on December 27. An unauthenticated attacker can send a malicious packet through the data plane of the firewall, causing it to reboot. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode. For exploitation the logging option of the "DNS Security" feature must be enabled.

👾 Palo Alto has already detected attacks that exploit this vulnerability. There are no public exploits yet.

👀 CyberOK detects more than 500 PAN-OS installations in RuNet, of which 32 are potentially vulnerable. Additionally, 218 hosts are running PAN-OS version 11.0.x, which is no longer supported by the vendor since November 17.

🔧 To fix the vulnerability, you need to update your device or, as a workaround, disable the logging option of the "DNS Security" function.

In Russian

@avleonovcom #PaloAlto #PANOS #DNS #NGFW #CyberOK


Is it possible to manage vulnerabilities with no budget? Well, basically yes. Most of the work in the Vulnerability Management process does not require purchasing any solutions. You won't need them to detect and describe assets. And also to discuss SLAs for vulnerability remediation (and preferably regular patching) with asset owners. And it's not that difficult to automate the creation of remediation tasks and tracking their statuses.

The main problem is vulnerability detection. It is difficult to imagine an organization's infrastructure for which the capabilities of free utilities will be enough. Unless only Linux hosts are used there and software is installed only from the official repository. Then OpenSCAP with OVAL content from your Linux vendor will be enough. 🙂

When using commercial VM solutions, there will also be "blind spots" - unsupported software or hardware installations. But if you use only free utilities, it will be one big "blind spot". 🙈

In Russian

@avleonovcom #VMprocess #Detection


Should a VM specialist specify a patch to install on the host in a vulnerability remediation task? Here's what I think:

🔻 If there is a simple way to give such information to IT, then you need to do it. For example, if a vulnerability scanner gives such recommendations.

🔻 If it requires intensive research, then you shouldn't do it. Otherwise, it will be yet another game of "prove and show". And instead of building a VM process to improve the security of the entire organization, you will be investigating which vulnerability is fixed by which KB. Not cool. 😏

Detecting a vulnerability on a host is a sign that the IT department is not doing its job correctly. Ideally, everything should be fixed in the process of unconditional regular patching. And vulnerability scans should only confirm that everything is ok. 🟢👍 If IT can't implement such a process, then let them deal with fixing specific vulnerabilities and finding patches. 😉

In Russian

@avleonovcom #Remediation #VMprocess


About Spoofing - Windows NTLM (CVE-2024-43451) vulnerability. The vulnerability is from the November Microsoft Patch Tuesday. It immediately showed signs of being exploited in the wild. The vulnerability is related to the outdated MSHTML platform, which is still used in Windows. To exploit the vulnerability, the user must minimally interact with the malicious URL file: right-click on it, delete it, or move it to another folder. There is no need to open the malicious file. As a result, the attacker receives the user's NTLMv2 hash, which he can use for authentication.

👾 According to ClearSky, the vulnerability is used to distribute Spark RAT, an open-source remote access Trojan.

In Russian

@avleonovcom #NTLM #MSHTML #Microsoft #ClearSky #SparkRAT


About Spoofing - Microsoft Exchange (CVE-2024-49040) vulnerability. The vulnerability is from the November Microsoft Patch Tuesday. An incorrectly formulated P2 FROM header processing policy allows an attacker to make his email address look legitimate to the victim (for example, like a work colleague's address). Which, of course, significantly increases the effectiveness of phishing attacks. 😏🪝 The vulnerability affects Exchange Server 2019 and Exchange Server 2016.

Microsoft has paused the rollout of the initial patches published on November 12. Their installation led to crashes. New fixes were published by Microsoft only on November 27.

👾 Kaspersky has already observed attempts to exploit this vulnerability. They wrote about this in a blog post on November 26.

In Russian

@avleonovcom #Microsoft #Exchange #Kaspersky


December Linux Patch Wednesday. There are 316 vulnerabilities in total. Compared to November LPW - much better. 🙂 119 are in Linux Kernel.

Two vulnerabilities with signs of exploitation in the wild. Both in Safari:

🔻 RCE - Safari (CVE-2024-44308)
🔻 XSS - Safari (CVE-2024-44309)

These vulnerabilities are fixed not in Safari, but in packages of the WebKit browser engine.

There are no signs of exploitation in the wild for 19 vulnerabilities yet, but there are public exploits. The following can be highlighted:

🔸 RCE - Moodle (CVE-2024-43425). First fix in the Linux vendor repository appeared on 2024-11-21 (RedOS)
🔸 Command Injection - Grafana (CVE-2024-9264)
🔸 Command Injection - virtualenv (CVE-2024-53899)
🔸 SQLi - Zabbix (CVE-2024-42327)
🔸 Data Leakage - Apache Tomcat (CVE-2024-52317)

🗒 Vulristics December Linux Patch Wednesday Report

🎉🆕 I released Vulristics 1.0.9 with improved detection of vulnerable software based on CVE description.

In Russian

@avleonovcom #LinuxPatchWednesday #Vulristics #Linux
