Author Archives: Alexander Leonov

About Alexander Leonov

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven't used Telegram yet, give it a try. It's great. You can discuss my posts or ask questions at @avleonovchat. А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

What is known about the Spoofing – Windows MSHTML Platform (CVE-2024-43573) vulnerability from the October Microsoft Patch Tuesday?

Leave a reply

What is known about the Spoofing - Windows MSHTML Platform (CVE-2024-43573) vulnerability from the October Microsoft Patch Tuesday?

What is known about the Spoofing – Windows MSHTML Platform (CVE-2024-43573) vulnerability from the October Microsoft Patch Tuesday? In fact, just that it is being exploited in the wild. There are no write-ups or public exploits yet. The Acknowledgements section in the Microsoft bulletin is empty. It is not clear who reported it and from whom we can expect details.

ZDI suggested that this could be an additional fix for a similar July vulnerability Spoofing – Windows MSHTML Platform (CVE-2024-38112). The vulnerability type and component are the same. The July vulnerability was about “.url” file handling and was exploited by the APT group Void Banshee to install the Atlantida Stealer malware. Attackers may have bypassed the initial fix, prompting Microsoft to release a new patch. So far, this is only an assumption. But the vulnerability shouldn’t be ignored despite its low CVSS Base score (6.5).

На русском

The severity of the Remote Code Execution – Microsoft SharePoint (CVE-2024-38094) vulnerability has increased

Leave a reply

The severity of the Remote Code Execution - Microsoft SharePoint (CVE-2024-38094) vulnerability has increased

The severity of the Remote Code Execution – Microsoft SharePoint (CVE-2024-38094) vulnerability has increased. It was fixed as part of the July Microsoft Patch Tuesday (July 9).

SharePoint is a popular platform for corporate portals. According to the Microsoft bulletin, аn authenticated attacker with Site Owner permissions can use the vulnerability to inject arbitrary code and execute this code in the context of SharePoint Server.

On July 10, a repository with a PoC exploit for this vulnerability appeared on GitHub, as well as a video demonstrating how an attacker can launch processes on the attacked SharePoint server. A GitHub search by CVE number does not find a repository with the exploit, but a link is available in the The Hacker News article. Exploit also relates to the July SharePoint RCEs CVE-2024-38023 and CVE-2024-38024.

On October 22, the vulnerability was added to the CISA KEV, which means it was exploited in the wild.

На русском

On Monday, October 21, updates for the critical Remote Code Execution – VMware vCenter (CVE-2024-38812) vulnerability were released again

Leave a reply

On Monday, October 21, updates for the critical Remote Code Execution - VMware vCenter (CVE-2024-38812) vulnerability were released again

On Monday, October 21, updates for the critical Remote Code Execution – VMware vCenter (CVE-2024-38812) vulnerability were released again. Wait, haven’t fixes for this vulnerability been available since September 17th? They were, but it was not enough.

“VMware by Broadcom has determined that the vCenter patches released on September 17, 2024 did not completely address CVE-2024-38812. The patches listed in the Response Matrix below are updated versions that contain additional fixes to fully address CVE-2024-38812.”

If you are using VMware vCenter, please take note and update it again. Current secure versions of VMware vCenter Server are 7.0 U3t, 8.0 U2e and 8.0 U3d.

Updates are also available for the VMware Cloud Foundation.

На русском

The severity of the Elevation of Privilege – Windows Kernel-Mode Driver (CVE-2024-35250) vulnerability has increased

Leave a reply

The severity of the Elevation of Privilege - Windows Kernel-Mode Driver (CVE-2024-35250) vulnerability has increased

The severity of the Elevation of Privilege – Windows Kernel-Mode Driver (CVE-2024-35250) vulnerability has increased. This vulnerability was fixed as part of the June Microsoft Patch Tuesday. As in the case of the CVE-2024-30090 vulnerability, it was discovered by a researcher with the nickname Angelboy from DEVCORE. And it also affects the Kernel Streaming framework, and specifically its core component – the ks.sys driver. Angelboy wrote about this vulnerability in a post on August 23.

On October 13, a PoC of the exploit, released by user varwara, appeared on GitHub. The repository also contains a video demonstrating the launch of the exploit and obtaining System privileges.

Updates are available for Windows 10 and 11, and Windows Server from 2008 to 2022.

На русском

The severity of the Elevation of Privilege – Microsoft Streaming Service (CVE-2024-30090) vulnerability has increased

Leave a reply

The severity of the Elevation of Privilege - Microsoft Streaming Service (CVE-2024-30090) vulnerability has increased

The severity of the Elevation of Privilege – Microsoft Streaming Service (CVE-2024-30090) vulnerability has increased. The vulnerability was fixed as part of the June Microsoft Patch Tuesday. At that time, no one highlighted this vulnerability. The vulnerability was discovered by a researcher with the nickname Angelboy from the DEVCORE company. The details are described in a series of his posts published on August 23 and October 5.

The vulnerability affects the Kernel Streaming framework, which is responsible for processing stream data. It is used, for example, when the system needs to read data from your microphones or webcams into RAM. This framework works mainly in kernel mode.

On October 5, Angelboy posted a video, demonstrating exploitation of this vulnerability for obtaining an interactive console with System privileges.

On October 17, a researcher with the nickname Dor00tkit released a PoC of the exploit on GitHub.

На русском

September episode of “In The Trend of VM”: 7 CVEs, fake reCAPTCHA, lebanese pagers, VM and IT annual bonuses

Leave a reply

September episode of “In The Trend of VM”: 7 CVEs, fake reCAPTCHA, lebanese pagers, VM and IT annual bonuses. Starting this month, we decided to slightly expand the topics of the videos and increase their duration. I cover not only the trending vulnerabilities of September, but also social engineering cases, real-world vulnerability exploitation, and practices of vulnerability management process. At the end we announce a contest of questions about Vulnerability Management with gifts. 🎁

📹 Video “In The Trend of VM” on YouTube
🗞 A post on Habr (rus) a slightly expanded script of the video
🗒 A compact digest on the official PT website

Content:

🔻 00:51 Elevation of Privilege – Windows Installer (CVE-2024-38014) and details about this vulnerability
🔻 02:42 Security Feature Bypass – Windows Mark of the Web “LNK Stomping” (CVE-2024-38217)
🔻 03:50 Spoofing – Windows MSHTML Platform (CVE-2024-43461)
🔻 05:07 Remote Code Execution – VMware vCenter (CVE-2024-38812)
🔻 06:20 Remote Code Execution – Veeam Backup & Replication (CVE-2024-40711), while the video was being edited, data about exploitation in the wild appeared
🔻 08:33 Cross Site Scripting – Roundcube Webmail (CVE-2024-37383)
🔻 09:31 SQL Injection – The Events Calendar plugin for WordPress (CVE-2024-8275)
🔻 10:30 Human vulnerabilities: fake reCAPTCHA
🔻 11:45 Real world vulnerabilities: еxplosions of pagers and other electronic devices in Lebanon and the consequences for the whole world
🔻 14:42 Vulnerability management process practices: tie annual bonuses of IT specialists to meeting SLAs for eliminating vulnerabilities
🔻 16:03 Final and announcement of the contest
🔻 16:24 Backstage

На русском

October Linux Patch Wednesday

Leave a reply

October Linux Patch Wednesday

October Linux Patch Wednesday. There are 248 vulnerabilities in total. Of these, 92 are in the Linux Kernel.

5 vulnerabilities with signs of exploitation in the wild:

🔻 Remote Code Execution – CUPS (CVE-2024-47176) and 4 more CUPS vulnerabilities that can also be used to enhance DoS attacks
🔻 Remote Code Execution – Mozilla Firefox (CVE-2024-9680)

For 10 vulnerabilities there are no signs of exploitation in the wild yet, but exploits exist. Among them, the following can be highlighted:

🔸 Remote Code Execution – Cacti (CVE-2024-43363)
🔸 Elevation of Privilege – Linux Kernel (CVE-2024-46848)
🔸 Arbitrary File Reading – Jenkins (CVE-2024-43044)
🔸 Denial of Service – CUPS (CVE-2024-47850)
🔸 Cross Site Scripting – Rollup JavaScript module (CVE-2024-47068)

🗒 Vulristics October Linux Patch Wednesday Report

На русском