Author Archives: Alexander Leonov

About Alexander Leonov

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven't used Telegram yet, give it a try. It's great. You can discuss my posts or ask questions at @avleonovchat. And I invite all Russian speakers to one more Telegram channel, @avleonovrus, which is now the first place I write to.

About Remote Code Execution – Apache Struts (CVE-2024-53677) vulnerability

About Remote Code Execution – Apache Struts (CVE-2024-53677) vulnerability. Apache Struts is an open source software framework for building Java web applications. It allows developers to separate the application’s business logic from the user interface. Due to its scalability and flexibility, Apache Struts is often used in large enterprise projects.

A security bulletin describing the vulnerability was released on December 14. A flaw in file upload logic allows an unauthenticated attacker to perform Path Traversal, upload a malicious file, and, under certain circumstances, perform Remote Code Execution. On December 20, a public exploit for the vulnerability was released. There are reports of exploitation attempts, but no information on successful attacks yet.

The vendor recommends upgrading to version 6.4.0 or higher and migrating applications to the new secure File Upload mechanism.

In Russian

About Remote Code Execution – Windows Lightweight Directory Access Protocol (LDAP) (CVE-2024-49112)

About Remote Code Execution – Windows Lightweight Directory Access Protocol (LDAP) (CVE-2024-49112). The vulnerability is from the December Microsoft Patch Tuesday. Three weeks later, on January 1, researchers from SafeBreach released a write-up on this vulnerability, labeled as LDAPNightmare, and an exploit PoC.

The exploit causes a forced reboot of Windows servers. One prerequisite: the victim domain controller’s DNS server must have Internet connectivity.

The attack flow starts with a DCE/RPC request sent to the victim server; when the attacker then sends a specially crafted CLDAP (Connectionless Lightweight Directory Access Protocol) referral response packet, the LSASS (Local Security Authority Subsystem Service) crashes and forces a reboot.

But this is all about DoS, why RCE? 🤔 Researchers note that RCE can be achieved by modifying the CLDAP packet.

In Russian

New episode “In The Trend of VM” (#10): 8 trending vulnerabilities of November, zero budget VM and who should look for patches

New episode “In The Trend of VM” (#10): 8 trending vulnerabilities of November, zero budget VM and who should look for patches. The competition for the best question on the topic of VM continues. 😉🎁

📹 Video on YouTube, LinkedIn
🗞 Post on Habr (rus)
🗒 Digest on the PT website

Content:

🔻 00:29 Spoofing – Windows NTLM (CVE-2024-43451)
🔻 01:16 Elevation of Privilege – Windows Task Scheduler (CVE-2024-49039)
🔻 02:16 Spoofing – Microsoft Exchange (CVE-2024-49040)
🔻 03:03 Elevation of Privilege – needrestart (CVE-2024-48990)
🔻 04:11 Remote Code Execution – FortiManager “FortiJump” (CVE-2024-47575)
🔻 05:19 Authentication Bypass – PAN-OS (CVE-2024-0012)
🔻 06:32 Elevation of Privilege – PAN-OS (CVE-2024-9474)
🔻 07:42 Path Traversal – Zyxel firewall (CVE-2024-11667)
🔻 08:37 Is it possible to Manage Vulnerabilities with no budget?
🔻 09:53 Should a VM specialist specify a patch to install on the host in a Vulnerability Remediation task?
🔻 10:51 Full digest of trending vulnerabilities
🔻 11:18 Backstage

In Russian

The results of 2024

The results of 2024. This week, our whole family made traditional cookies. 😇 The cookies may be a bit crooked, but they are delicious and we made them with love. 🙂 Such is the year.

It was a wonderful year for me. I don’t feel like this year was hard. I feel only joy, satisfaction and gratitude to the Creator for everything. 🙏 I wish the same for everyone!

I did a lot of things this year. I shared the public results in the channel (mainly in my Russian-language channel); the non-public ones went only to those who need to know about them. 😉 There were also topics that I stopped working on. But I did this consciously, based on an understanding of my interests, their timeliness and usefulness, and the limits of my resources. 😌

I don’t have any plans for next year. Let it be as it will be. 😇

In Russian

About Denial of Service – PAN-OS (CVE-2024-3393) vulnerability

About Denial of Service – PAN-OS (CVE-2024-3393) vulnerability. PAN-OS is the operating system that runs all Palo Alto Networks NGFWs. The vendor’s advisory was released on December 27. An unauthenticated attacker can send a malicious packet through the data plane of the firewall, causing it to reboot. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode. For exploitation, the logging option of the “DNS Security” feature must be enabled.

👾 Palo Alto has already detected attacks that exploit this vulnerability. There are no public exploits yet.

👀 CyberOK detects more than 500 PAN-OS installations in RuNet, of which 32 are potentially vulnerable. Additionally, 218 hosts are running PAN-OS version 11.0.x, which the vendor has not supported since November 17.

🔧 To fix the vulnerability, you need to update your device or, as a workaround, disable the logging option of the “DNS Security” function.

In Russian

Is it possible to manage vulnerabilities with no budget?

Is it possible to manage vulnerabilities with no budget? Well, basically yes. Most of the work in the Vulnerability Management process does not require purchasing any solutions. You won’t need them to detect and describe assets, or to agree on SLAs for vulnerability remediation (and preferably regular patching) with asset owners. And it’s not that difficult to automate the creation of remediation tasks and the tracking of their statuses.

The main problem is vulnerability detection. It is difficult to imagine an organization’s infrastructure for which the capabilities of free utilities will be enough. Unless only Linux hosts are used there and software is installed only from the official repository. Then OpenSCAP with OVAL content from your Linux vendor will be enough. 🙂

When using commercial VM solutions, there will also be “blind spots” – unsupported software or hardware installations. But if you use only free utilities, it will be one big “blind spot”. 🙈

In Russian

Should a VM specialist specify a patch to install on the host in a vulnerability remediation task?

Should a VM specialist specify a patch to install on the host in a vulnerability remediation task? Here’s what I think:

🔻 If there is a simple way to give such information to IT, then you need to do it. For example, if a vulnerability scanner gives such recommendations.

🔻 If it requires intensive research, then you shouldn’t do it. Otherwise, it will be yet another game of “prove and show”. And instead of building a VM process to improve the security of the entire organization, you will be investigating which vulnerability is fixed by which KB. Not cool. 😏

Detecting a vulnerability on a host is a sign that the IT department is not doing its job correctly. Ideally, everything should be fixed in the process of unconditional regular patching. And vulnerability scans should only confirm that everything is ok. 🟢👍 If IT can’t implement such a process, then let them deal with fixing specific vulnerabilities and finding patches. 😉

In Russian