Vulnerability Management and more

@avleonovcom

Kanal geosi va tili: Butun dunyo, Inglizcha

Toifa: Texnologiyalar

Vulnerability assessment, IT compliance management, security automation and other beautiful stuff. Discussion group for this channel: @avleonovchat. PM me @leonov_av

Связанные каналы | Похожие каналы

Kanal geosi va tili

Butun dunyo, Inglizcha

Toifa

Texnologiyalar

Statistika

Saralanganlar

Postlar filtri

O‘chirilganlarni yashirish

Repostlarni yashirish

Vulnerability Management and more

2 Jan, 22:34

New episode "In The Trend of VM" (#10): 8 trending vulnerabilities of November, zero budget VM and who should look for patches. The competition for the best question on the topic of VM continues. 😉🎁

📹 Video on YouTube, LinkedIn
🗞 Post on Habr (rus)
🗒 Digest on the PT website

Content:

🔻 00:29 Spoofing - Windows NTLM (CVE-2024-43451)
🔻 01:16 Elevation of Privilege - Windows Task Scheduler (CVE-2024-49039)
🔻 02:16 Spoofing - Microsoft Exchange (CVE-2024-49040)
🔻 03:03 Elevation of Privilege - needrestart (CVE-2024-48990)
🔻 04:11 Remote Code Execution - FortiManager "FortiJump" (CVE-2024-47575)
🔻 05:19 Authentication Bypass - PAN-OS (CVE-2024-0012)
🔻 06:32 Elevation of Privilege - PAN-OS (CVE-2024-9474)
🔻 07:42 Path Traversal - Zyxel firewall (CVE-2024-11667)
🔻 08:37 Is it possible to Manage Vulnerabilities with no budget?
🔻 09:53 Should a VM specialist specify a patch to install on the host in a Vulnerability Remediation task?
🔻 10:51 Full digest of trending vulnerabilities
🔻 11:18 Backstage

На русском

@avleonovcom #TrendVulns #PositiveTechnologies #SecLab #Microsoft #NTLM #MSHTML #ClearSky #SparkRAT #Windows #AppContainer #TaskScheduler #RomCom #Firefox #Exchange #Kaspersky #needrestart #Ubuntu #Qualys #Fortinet #FortiManager #FortiJump #watchTowrLabs #PANOS #PaloAlto #CISAKEV #Shadowserver #Zyxel #Sekoia #Helldown #VMprocess #Detection #Remediation #VMprocess

In The Trend of VM #10: 8 November CVEs, zero budget VM and who should look for patches

In this episode, I'll cover the top vulnerabilities of November and answer a couple of questions related to VM practices. Subscribe to the avleonovcom Telegram channel "Vulnerability Management and more"! All links are there! https://t.me/avleonovcom Digest https://global.ptsecurity.com/analytics/t...

266 0 2 3

Vulnerability Management and more

1 Jan, 03:38

The results of 2024. This week, our whole family made traditional cookies. 😇 The cookies may be a bit crooked, but they are delicious and we made them with love. 🙂 Such is the year.

It was a wonderful year for me. I don't feel like this year was hard. I feel only joy, satisfaction and gratitude to the Creator for everything. 🙏 I wish the same for everyone!

I did a lot of things this year. I shared public results in the channel (although mainly in my Russian-language channel), only those who need to know about non-public ones. 😉 There were also topics that I stopped working on. But I did this consciously, based on an understanding of my interests, their timeliness, usefulness and the limitations of my resources. 😌

I don't have any plans for next year. Let it be as it will be. 😇

На русском

@avleonovcom #ny #ny2025

322 0 1 1

Vulnerability Management and more

28 Dec 2024, 15:37

About Denial of Service - PAN-OS (CVE-2024-3393) vulnerability. PAN-OS is the operating system that runs all Palo Alto Network NGFWs. The vendor's advisory was released on December 27. Аn unauthenticated attacker can send a malicious packet through the data plane of the firewall, causing it to reboot. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode. For exploitation the logging option of the "DNS Security" feature must be enabled.

👾 Palo Alto has already detected attacks that exploit this vulnerability. There are no public exploits yet.

👀 CyberOK detects more than 500 PAN-OS installations in RuNet, of which 32 are potentially vulnerable. Additionally, 218 hosts are running PAN-OS version 11.0.x, which is no longer supported by the vendor since November 17.

🔧 To fix the vulnerability, you need to update your device or, as a workaround, disable the logging option of the "DNS Security" function.

На русском

@avleonovcom #PaloAlto #PANOS #DNS #NGFW #CyberOK

516 0 3 3

Vulnerability Management and more

22 Dec 2024, 03:10

Is it possible to manage vulnerabilities without no budget? Well, basically yes. Most of the work in the Vulnerability Management process does not require purchasing any solutions. You won't need them to detect and describe assets. And also to discuss SLAs for vulnerability remediation (and preferably regular patching) with asset owners. And it's not that difficult to automate the creation of remediation tasks and tracking their statuses.

The main problem is vulnerability detection. It is difficult to imagine an organization's infrastructure for which the capabilities of free utilities will be enough. Unless only Linux hosts are used there and software is installed only from the official repository. Then OpenSCAP with OVAL content from your Linux vendor will be enough. 🙂

When using commercial VM solutions, there will also be "blind spots" - unsupported software or hardware installations. But if you use only free utilities, it will be one big "blind spot". 🙈

На русском

@avleonovcom #VMprocess #Detection

618 0 1 3

Vulnerability Management and more

21 Dec 2024, 03:07

Should a VM specialist specify a patch to install on the host in a vulnerability remediation task? Here's what I think:

🔻 If there is a simple way to give such information to IT, then you need to do it. For example, if a vulnerability scanner gives such recommendations.

🔻 If it requires intensive research, then you shouldn't do it. Otherwise, it will be yet another game of "prove and show". And instead of building a VM process to improve the security of the entire organization, you will be investigating which vulnerability is fixed by which KB. Not cool. 😏

Detecting a vulnerability on a host is a sign that the IT department is not doing its job correctly. Ideally, everything should be fixed in the process of unconditional regular patching. And vulnerability scans should only confirm that everything is ok. 🟢👍 If IT can't implement such a process, then let them deal with fixing specific vulnerabilities and finding patches. 😉

На русском

@avleonovcom #Remediation #VMprocess

501 0 2 4

Vulnerability Management and more

21 Dec 2024, 01:51

About Spoofing - Windows NTLM (CVE-2024-43451) vulnerability. The vulnerability is from the November Microsoft Patch Tuesday. It immediately showed signs of being exploited in the wild. The vulnerability is related to the outdated MSHTML platform, which is still used in Windows. To exploit the vulnerability, the user must minimally interact with the malicious URL file: right-click on it, delete it, or move it to another folder. There is no need to open the malicious file. As a result, the attacker receives the user's NTLMv2 hash, which he can use for authentication.

👾 According to ClearSky, the vulnerability is used to distribute Spark RAT, an open-source remote access Trojan.

На русском

@avleonovcom #NTLM #MSHTML #Microsoft #ClearSky #SparkRAT

449 0 1 1

Vulnerability Management and more

20 Dec 2024, 03:16

About Spoofing - Microsoft Exchange (CVE-2024-49040) vulnerability. The vulnerability is from the November Microsoft Patch Tuesday. An incorrectly formulated P2 FROM header processing policy allows an attacker to make his email address look legitimate to the victim (for example, like a work colleague's address). Which, of course, significantly increases the effectiveness of phishing attacks. 😏🪝 The vulnerabilities affect Exchange Server 2019 and Exchange Server 2016.

Microsoft has paused the rollout of the initial patches published on November 12. Their installation led to crashes. New fixes were published by Microsoft only on November 27.

👾 Kaspersky has already observed attempts to exploit this vulnerability. They wrote about this in a blog post on November 26.

На русском

@avleonovcom #Microsoft #Exchange #Kaspersky

483 0 4 1

Vulnerability Management and more

20 Dec 2024, 02:35

December Linux Patch Wednesday. There are 316 vulnerabilities in total. Compared to November LPW - much better. 🙂 119 are in Linux Kernel.

Two vulnerabilities with signs of exploitation in the wild. Both in Safari:

🔻 RCE - Safari (CVE-2024-44308)
🔻 XSS - Safari (CVE-2024-44309)

These vulnerabilities are fixed not in Safari, but in packages of the WebKit browser engine.

There are no signs of exploitation in the wild for 19 vulnerabilities yet, but there are public exploits. The following can be highlighted:

🔸 RCE - Moodle (CVE-2024-43425). First fix in the Linux vendor repository appeared on 2024-11-21 (RedOS)
🔸 Command Injection - Grafana (CVE-2024-9264)
🔸 Command Injection - virtualenv (CVE-2024-53899)
🔸 SQLi - Zabbix (CVE-2024-42327)
🔸 Data Leakage - Apache Tomcat (CVE-2024-52317)

🗒 Vulristics December Linux Patch Wednesday Report

🎉🆕 I released Vulristics 1.0.9 with improved detection of vulnerable software based on CVE description.

На русском

@avleonovcom #LinuxPatchWednesday #Vulristics #Linux

433 0 1 1

Vulnerability Management and more

11 Dec 2024, 02:19

December Microsoft Patch Tuesday. 89 CVEs, of which 18 were added since November MSPT. 1 vulnerability with signs of exploitation in the wild:

🔻 EoP - Windows Common Log File System Driver (CVE-2024-49138). There are no details about this vulnerability yet.

Strictly speaking, there was another vulnerability that was exploited in the wild: EoP - Microsoft Partner Network (CVE-2024-49035). But this is an already fixed vulnerability in the Microsoft website and I'm not even sure that it was worth creating a CVE. 🤔

For the remaining vulnerabilities, there are no signs of exploitation in the wild, nor exploits (even private ones).

I can highlight:

🔹 RCE - Windows LDAP (CVE-2024-49112, CVE-2024-49127)
🔹 RCE - Windows LSASS (CVE-2024-49126)
🔹 RCE - Windows Remote Desktop Services (CVE-2024-49106 и ещё 8 CVE)
🔹 RCE - Microsoft MSMQ (CVE-2024-49122, CVE-2024-49118)
🔹 RCE - Microsoft SharePoint (CVE-2024-49070)

🗒 Full Vulristics report

На русском

@avleonovcom #Vulristics #PatchTuesday #Microsoft #Windows

686 0 1 1 2

Vulnerability Management and more

4 Dec 2024, 16:21

About Elevation of Privilege - Windows Task Scheduler (CVE-2024-49039) vulnerability. It was released on November Microsoft Patch Tuesday and showed signs of exploitation in the wild right away. To exploit the vulnerability, an authenticated attacker runs a specially crafted application on the target system. The attack can be performed from an AppContainer restricted environment. Using this vulnerability, an attacker can elevate their privileges to Medium Integrity level and gain the ability to execute RPC functions that are restricted to privileged accounts only.

ESET reports that the vulnerability allowed the RomCom attackers to execute malicious code outside the Firefox sandbox and then launch hidden PowerShell processes to download and run malware from C&C servers.

👾 There is a backdoor code on GitHub that exploits this vulnerability.

На русском

@avleonovcom #Microsoft #Windows #AppContainer #TaskScheduler #RomCom #Firefox

725 0 2 2 2

Vulnerability Management and more

3 Dec 2024, 20:22

About Elevation of Privilege - needrestart (CVE-2024-48990) vulnerability. On November 19, Qualys released a security bulletin about five privilege escalation vulnerabilities in the needrestart utility (CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003) used in Ubuntu Server, starting with version 21.04.

The needrestart utility runs automatically after APT operations (installing, updating, or removing packages). It checks if a reboot is required, thus ensuring that services use updated libraries without unnecessary downtime.

All 5 vulnerabilities make it possible for a regular user to become root. Qualys has private exploits for each. There is currently a publicly available exploit only for one vulnerability related to the PYTHONPATH environment variable.⚡️ It is available on Github since November 20th.

Update needrestart to version 3.8 or disable "interpreter scanning" in needrestart.conf.

На русском

@avleonovcom #needrestart #Ubuntu #Qualys

579 0 1 2

Vulnerability Management and more

3 Dec 2024, 19:25

About Path Traversal - Zyxel firewall (CVE-2024-11667) vulnerability. A directory traversal vulnerability in the web management interface of Zyxel firewall could allow an attacker to download or upload files via a crafted URL. The vulnerability affects Zyxel ZLD firmware versions from 5.00 to 5.38, used in the ATP, USG FLEX, USG FLEX 50(W), and USG20(W)-VPN device series.

👾 Specialists from Sekoia discovered this vulnerability being exploited on their honeypots by ransomware attackers from the Helldown group. There are no public exploits yet.

Zyxel recommends:

🔹Update firmware to version 5.39, which was released on September 3, 2024
🔹Disable remote access until devices are updated
🔹Learn best practices for device configuration

If your company uses Zyxel firewalls, please pay attention. 😉

На русском

@avleonovcom #Zyxel #Sekoia #Helldown

500 0 0 1

Vulnerability Management and more

30 Nov 2024, 02:00

About Elevation of Privilege - PAN-OS (CVE-2024-9474) vulnerability. An attacker with PAN-OS administrator access to the management web interface can perform actions on the Palo Alto device with root privileges. Linux commands can be injected via unvalidated input in createRemoteAppwebSession.php script.

The need for authentication and admin access could limit this vulnerability's impact, but here we have the previous vulnerability Authentication Bypass - PAN-OS (CVE-2024-0012). 😏 Exploitation of this vulnerability chain was noted by Palo Alto on November 17. After November 19, when the watchTowr Labs article was published and exploits appeared, mass attacks began.

On November 21, Shadowserver reported that ~2000 hosts were compromised, mostly in the US and India. According to Wiz, attackers deployed web shells, Sliver implants and cryptominers.

На русском

@avleonovcom #watchTowrLabs #PANOS #PaloAlto #Shadowserver #Wiz

666 0 2 1

Vulnerability Management and more

28 Nov 2024, 15:57

New episode "In The Trend of VM" (#9): 4 trending vulnerabilities of October, scandal at The Linux Foundation, social "attack on the complainer", "Ford's method" for motivating IT specialists to fix vulnerabilities. The competition for the best question on the topic of VM continues. 😉🎁

📹 Video on YouTube, LinkedIn
🗞 Post on Habr (rus)
🗒 Digest on the PT website

Content:

🔻 00:37 Elevation of Privilege - Microsoft Streaming Service (CVE-2024-30090)
🔻 01:46 Elevation of Privilege - Windows Kernel-Mode Driver (CVE-2024-35250)
🔻 02:38 Spoofing - Windows MSHTML Platform (CVE-2024-43573)
🔻 03:43 Remote Code Execution - XWiki Platform (CVE-2024-31982)
🔻 04:44 The scandal with the removal of Russian maintainers at The Linux Foundation, its impact on security and possible consequences.
🔻 05:22 Social "Attack on the complainer"
🔻 06:35 "Ford's method" for motivating IT staff to fix vulnerabilities: will it work?
🔻 08:00 About the digest, habr and the question contest 🎁
🔻 08:29 Backstage

На русском

@avleonovcom #TrendVulns #PositiveTechnologies #SecLab #Microsoft #StreamingService #KernelStreaming #DEVCORE #kssys #MSHTML #ZDI #VoidBanshee #AtlantidaStealer #XWiki #Linux #Kernel #HumanVM #VMprocess #Remediation #fun

In The Trend of VM #9: 4 October CVEs, Linux scandal, attack on the complainer, "Ford Method" for VM

In this episode, I will talk about trending October vulnerabilities, important events in the Linux world that impact the global IT landscape. I will also talk about cases of social engineering and the Vulnerability Management process. Subscribe to the avleonovcom Telegram channel "Vulnerability Man...

712 1 1 1

Vulnerability Management and more

27 Nov 2024, 18:23

About Authentication Bypass - PAN-OS (CVE-2024-0012) vulnerability. An unauthenticated attacker with network access to the Palo Alto device web management interface could gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated vulnerabilities. Firewalls of the PA, VM, CN series and the Panorama management platform are vulnerable. The vendor recommends restricting access to the management web interface to trusted internal IP addresses only.

🔻 On November 8, a Palo Alto bulletin was released
🔻 On November 15, signs of attacks were noticed, labeled as "Operation Lunar Peek"
🔻 On November 18, the vulnerability was added to the CISA KEV
🔻 On November 19, watchTowr Labs released a post with technical details ("supply the off value to the X-PAN-AUTHCHECK HTTP request header, and the server helpfully turns off authentication") 😏 and exploits soon appeared on GitHub

На русском

@avleonovcom #watchTowrLabs #PANOS #PaloAlto #CISAKEV

642 0 2 1 1

Vulnerability Management and more

21 Nov 2024, 01:15

November Linux Patch Wednesday. I was happy in October that the number of vulnerabilities was gradually decreasing to an acceptable level, and in November I got a peak again. A total of 803 vulnerabilities. Of these, 567 are in the Linux Kernel. Kind of crazy. 😱

2 vulnerabilities in Chromium with signs of exploitation in the wild:

🔻 Security Feature Bypass - Chromium (CVE-2024-10229)
🔻 Memory Corruption - Chromium (CVE-2024-10230, CVE-2024-10231)

There are no signs of exploitation in the wild for 27 vulnerabilities yet, but there are public exploits. Of these, I would draw attention to:

🔸 Remote Code Execution - PyTorch (CVE-2024-48063)
🔸 Remote Code Execution - OpenRefine Butterfly (CVE-2024-47883) - "web application framework"
🔸 Code Injection - OpenRefine tool (CVE-2024-47881)
🔸 Command Injection - Eclipse Jetty (CVE-2024-6763)
🔸 Memory Corruption - pure-ftpd (CVE-2024-48208)

🗒 Vulristics November Linux Patch Wednesday Report

На русском

@avleonovcom #LinuxPatchWednesday #Vulristics #Linux

799 0 1 7

Vulnerability Management and more

20 Nov 2024, 00:26

About Remote Code Execution - FortiManager "FortiJump" (CVE-2024-47575) vulnerability. FortiManager is a centralized solution for configuring, enforcing policies, updating, and monitoring Fortinet network devices.

🔻 The vulnerability was released on October 23. A missing authentication for critical function in the FortiManager fgfmd (FortiGate-to-FortiManager) daemon allows remote attacker to execute arbitrary code or commands via specially crafted requests. There were signs of exploitation in the wild and the vulnerability was added to the CISA KEV.

🔻 On November 15, WatchTowr Labs published a post about this "FortiJump" vulnerability with a video demo and a link to the PoC. The researchers noted that the IOCs in the Fortinet bulletin can be bypassed. And the patch itself is incomplete. It is possible to escalate privileges on a patched device by exploiting a vulnerability called "FortiJump Higher".

На русском

@avleonovcom #Fortinet #FortiManager #FortiJump #watchTowrLabs

747 0 5 4

Vulnerability Management and more

19 Nov 2024, 11:19

On November 13, NIST NVD finally admitted the obvious: they had failed to process the CVE analysis backlog before the end of the fiscal year (September 30). This is actually visible in their own statistics. At the moment, there are 19860 identifiers in the backlog. This week, 1136 new CVEs were received, and they analyzed only 510. And this is not some abnormal week, this happens regularly. They can't cope with analyzing new vulnerabilities, they don't have time to deal with the backlog. The crisis continues.

At the same time, for some reason, they write in the message that they have a full team of analysts, and they are addressing all incoming CVEs as they are uploaded into NVD system. But why do their statistics show the opposite?

They write that they processed all the vulnerabilities from CISA KEV. And that's good. But CISA KEV only added 162 CVEs in 2024. It's great that NVD was able to process these identifiers, but the achievement is, to put it mildly, not impressive.

Why can't NVD process this backlog?

They write that the problem is in the format of data from Authorized Data Providers (ADPs), apparently meaning CISA Vulnrichment. NVD is currently unable to effectively import and enhance data in this format. In order to be able to do this, they are developing some "new systems".

Not only have they admitted their inability to analyze vulnerabilities on their own and their willingness to use the results of someone else’s analysis as is, they also cannot write parser-converters in any adequate time. 🐾 I have no words. 🤦‍♂️

And now there is news that US Senator Rand Paul, the new chairman of the Senate Homeland Security Committee, has promised to seriously reduce the powers of CISA or eliminate them completely. 😁 It's all because of CISA's work "to counter disinformation" before the US elections. So the only American information security regulator capable of doing anything useful in a reasonable amount of time could be destroyed. Great idea, comrades, keep it up. 👍

I expect nothing but further degradation.

На русском

@avleonovcom #NIST #NVD #CISA #Vulnrichment #thoseamericans

662 0 1 2

Vulnerability Management and more

19 Nov 2024, 11:19

606 0 1

Vulnerability Management and more

16 Nov 2024, 15:09

Qualys released QScanner - a console vulnerability scanner for container images. Feed it an image and get a list of vulnerabilities (a la Trivy).

It supports:

"Local Runtimes: Scan images from Docker, Containerd, or Podman.
Local Archives: Analyze Docker images or OCI layouts from local files.
Remote Registries: Connect to AWS ECR, Azure Container Registry, JFrog, GHCR, and more."

Capabilities:

🔹 Detects OS package vulnerabilities
🔹 Software Composition Analysis (SCA) for Ruby, Rust, PHP, Java, Go, Python, .NET and Node.js applications.
🔹 Detects secrets (passwords, API keys and tokens)

But it's not free. 🤷‍♂️💸🙂 All cases, except SBOM generation, require ACCESS_TOKEN and Platform POD. QScanner is the interface of Qualys Container Security module.

It can be used for:

🔸 scanning local images on developers' desktops
🔸 integration into CI/CD pipelines
🔸 integration with registries

The concept is interesting. 👍

На русском

@avleonovcom #Qualys #QScanner #ContainerSecurity #SCA