Author Archives: Alexander Leonov

About Alexander Leonov

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven't used Telegram yet, give it a try. It's great. You can discuss my posts or ask questions at @avleonovchat. And I invite all Russian speakers to one more Telegram channel, @avleonovrus; that is where I now post first.

Remote Code Execution – Acronis Cyber Infrastructure (CVE-2023-45249)

Remote Code Execution – Acronis Cyber Infrastructure (CVE-2023-45249). Because of default passwords, a remote unauthenticated attacker can gain access to an Acronis Cyber Infrastructure (ACI) server and execute arbitrary code.

ACI is a hyperconverged platform for storage, backup, computing, virtualization and networking.

🔻 Patches that fix this vulnerability were released on October 30, 2023 (❗️).
🔻 Nine to ten months later, on July 24, 2024, Acronis noted in its bulletin that the vulnerability was being exploited in the wild; the goal of the exploitation was to install a cryptominer. On July 29 the vulnerability was added to the CISA KEV.

Some sources report 20,000 service providers using ACI. I have not found any confirmation of this; perhaps it is being confused with Acronis Cyber Protect. Still, there are probably quite a few large companies using ACI. If you work for one of them, be sure to pay attention.

In Russian

Remote Code Execution vulnerability – Artifex Ghostscript (CVE-2024-29510)

Remote Code Execution vulnerability – Artifex Ghostscript (CVE-2024-29510). Memory corruption allows an attacker to bypass the SAFER sandbox and execute arbitrary code.

Ghostscript is a PostScript and PDF interpreter. It is used by ImageMagick, LibreOffice, GIMP, Inkscape, Scribus, CUPS and others, and is available for many operating systems.

🔻 Ghostscript 10.03.1, which fixes the vulnerability, was released on May 2, 2024.
🔻 On July 2, Codean Labs published a detailed analysis of the vulnerability and a PoC. In their video they launch the calculator by opening a crafted .ps file with the ghostscript utility or a crafted .odt file in LibreOffice.
🔻 On July 10 a working exploit was released on GitHub, and on July 19 a Metasploit module followed.

👾 The media write that the vulnerability is being exploited in the wild. However, this is based on a single microblog post by a developer from Portland. 🤷‍♂️ I think more reliable evidence of exploitation in attacks will appear soon.

In Russian

Qualys introduces TruRisk Eliminate for augmented Patch Management

Qualys introduces TruRisk Eliminate for augmented Patch Management. Qualys did not wait for the event and published a blog post. What they presented is an implementation of workarounds.

In the TruRisk Eliminate screenshot we see a filtered list of vulnerabilities on assets, the criticality of the vulnerabilities as a QDS score, and the Remediations and Mitigations columns.

🔹 Remediations – installing a patch or installing a patch with reconfiguration.

🔹 Mitigations – workarounds that neutralize the vulnerability instead of patching: changing a registry key, changing a config, removing the application, blocking a port, isolating the device, etc.

And there is a button to perform an action on the asset (via the agent) with a choice between the Remediations and Mitigations options.

It is a logical step: since they already offer patching, why not offer workarounds as well? But Qualys will face a lot of difficulties with this. 🫣

In Russian

No Boot – No Hacker!

No Boot – No Hacker! Updated track. It seems the CrowdStrike BSODStrike incident is coming to a logical conclusion. Why it happened is already more or less clear; all that remains is long legal battles between customers and the vendor. So I am closing this topic for myself with an updated track made in Suno. It is in Russian, but subtitles are available on YouTube.

My position is that BSODStrike was not the problem of one specific company, but a problem of cloud cybersecurity services with agents, whose architecture is vulnerable. Such services literally force customers to over-trust them. 🤷‍♂️ I do not think it is right to keep silent about this. We need to call for improving the security, transparency and controllability of such services.

It should be understood that this was only a small and relatively harmless failure, but someday we will see a case with a full-scale attack through a compromised cloud vendor. And, as it seems to me, at the moment on-premise solutions have their advantages.

In Russian

Tomorrow Qualys will host a major online event about Patch Management

Tomorrow Qualys will host a major online event about Patch Management. They promise to present the “groundbreaking new strategies” of “Patching goes Patchless”. Will they promote immutable infrastructure? Virtual patching? Something else? 🤔 We will see.

What else will there be, besides the keynote by the Qualys CEO?

🔹 CIS will talk about when to install patches (and when not to) while minimizing disruption to the business.
🔹 Talks by cybersecurity companies. InfoSys will tell you how to deal with 80-85% of critical security updates within 4-5 days. Novacoast will contribute a talk titled “your tools don’t work”.
🔹 Customer talks by JPMorgan Chase and Signature Aviation employees (judging by their social networks 😉).
🔹 Two product talks by Qualys about improving interaction with IT and “remediation beyond patching”.

The event starts at 9:00 AM PT and lasts about 4 hours. I think the keynote and the product talks are definitely worth checking out; the rest is optional.

In Russian

“The Mystery of the Hole”: Remote Code Execution – Internet Explorer (CVE-2012-4792)

“The Mystery of the Hole”: Remote Code Execution – Internet Explorer (CVE-2012-4792). Yesterday an old vulnerability from 2012, “CDwnBindInfo”, was added to the CISA KEV: the user opens a malicious website in MS Internet Explorer 6–8 and the attacker gets RCE on the user’s host. The vulnerability was actively exploited as a 0day from the end of 2012 in watering-hole attacks on US organizations. In particular, the malicious code was placed on the hacked website of the Council on Foreign Relations (CFR).

Why was the vulnerability added to CISA KEV only now?

🔹 New attacks on legacy systems (Windows XP/Vista/7, Windows Server 2003/2008) were discovered? 🤪 Unlikely.

🔹 They saw a vulnerability with confirmed incidents that was not in the CISA KEV, so they added it? More likely, but why only this one? 🧐

🔹 There was no formal justification for urgently updating the legacy systems that were found? A bit strange. 🤷‍♂️

Let’s wait for updates. 🙂

In Russian

About the “EvilVideo” vulnerability in Telegram for Android

About the “EvilVideo” vulnerability in Telegram for Android. The write-up was published on the ESET blog. They state that the exploit is for sale on the dark net.

🔻 The attacker creates a payload that Telegram for Android displays not as a file but as a video preview. By default, Telegram downloads media files automatically as soon as the user sees the message in a chat, so this payload is downloaded automatically too.
If the user taps the preview, they see a Telegram error asking them to use an external media player.
If the user agrees, an attempt is made to install the APK.
If the user allows Telegram to install APKs and taps the preview again, a window appears asking to confirm installation of the application.
If the user presses “install”, the malware is installed. 👾
🎞 There is a video demo.

🔻 Fixed in Telegram for Android 10.14.5; older versions are vulnerable.

This is far from 0-click, but with good social engineering the success rate can be high.

In Russian