Author Archives: Alexander Leonov

About Alexander Leonov

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven't used Telegram yet, give it a try. It's great. You can discuss my posts or ask questions at @avleonovchat. А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

watchTowr Labs draws attention to some oddities with the fix for the Remote Code Execution – Veeam Backup & Replication vulnerability (CVE-2024-40711)

Leave a reply

watchTowr Labs draws attention to some oddities with the fix for the Remote Code Execution - Veeam Backup & Replication vulnerability (CVE-2024-40711)

watchTowr Labs draws attention to some oddities with the fix for the Remote Code Execution – Veeam Backup & Replication vulnerability (CVE-2024-40711).

🔹 The description of the vulnerability in NVD tells us that authentication is not required to exploit the vulnerability, but the CVSS vector in the vendor bulletin indicates that authentication is required (“PR:L”).

🔹 The large number of changes in the patch hints that the vendor fixed some vulnerabilities without informing customers (silent patching).

🔹 The researchers concluded that CVE-2024-40711 was fixed in several stages. At first, exploitation of the vulnerability did not require authentication, then a patch was released and exploitation began to require authentication, and finally, the second patch completely fixed this vulnerability.

❗ Exploitation of the vulnerability allows an attacker to destroy backups and significantly complicate the restoration of the organization’s infrastructure.

На русском

About Remote Code Execution – Veeam Backup & Replication (CVE-2024-40711) vulnerability

Leave a reply

About Remote Code Execution - Veeam Backup & Replication (CVE-2024-40711) vulnerability

About Remote Code Execution – Veeam Backup & Replication (CVE-2024-40711) vulnerability. The bulletin was released on September 4. The vulnerability description states that it is caused by deserialization of untrusted data with a malicious payload. The vulnerability was discovered by a researcher from CODE WHITE.

Five days later, on September 9, researchers from another company, watchTowr Labs, posted a detailed write-up, exploit code, and a video demonstrating exploitation.

There are no signs of exploitation in the wild for this vulnerability yet. As with the June vulnerability in Veeam B&R (CVE-2024-29849). This does not mean that attackers do not exploit these vulnerabilities. It is possible that targeted attacks using these vulnerabilities have simply not yet been reliably confirmed. For example, CISA KEV contains Veeam B&R vulnerabilities from 2022, which were added to the list only in 2023. 😉

Update in advance!

На русском

About Remote Code Execution – VMware vCenter (CVE-2024-38812)

Leave a reply

About Remote Code Execution - VMware vCenter (CVE-2024-38812)

About Remote Code Execution – VMware vCenter (CVE-2024-38812). The vulnerability was published on September 17. An attacker with network access to the vCenter Server can send a specially crafted network packet and cause an RCE. This is due to a heap overflow in the DCERPC protocol implementation.

The vulnerability was discovered during The Matrix Cup competition by a team from Tsinghua University. There is no write-up yet. There is only one repository on GitHub, where some no-name sells the exploit for $105 (upd. A confirmed scam). On AttackerKB, another no-name claims to have seen the vulnerability exploited in the wild. The reliability is questionable.

However, we remember a similar RCE vulnerability vCenter DCERPC CVE-2023-34048, which has been exploited in targeted attacks since 2021. Censys reported then about 293 vCenter hosts with DCERPC accessible from the Internet.

Chances are high that there will be a big story with this vulnerability too.

На русском

August episode of “In The Trend of VM”: 5 vulnerabilities in Microsoft Windows and one in WordPress

Leave a reply

August episode of “In The Trend of VM”: 5 vulnerabilities in Microsoft Windows and one in WordPress. We have branched off from Seclab news videos and started releasing separate episodes. Hooray! 🥳😎 If we get enough views, we will continue to release them in the future. It’s up to you, please follow the link to the video platform and click “Like” button and/or leave a comment. 🥺

📹 Video “In The Trend of VM” on YouTube
🗞 A post on Habr (rus) a slightly expanded script of the video
🗒 A compact digest (rus) on the official PT website

List of vulnerabilities:

🔻 00:48 Remote Code Execution – Windows Remote Desktop Licensing Service “MadLicense” (CVE-2024-38077)
🔻 02:22 Security Feature Bypass – Windows Mark of the Web “Copy2Pwn” (CVE-2024-38213)
🔻 03:23 Elevation of Privilege – Windows Ancillary Function Driver for WinSock (CVE-2024-38193), Windows Kernel (CVE-2024-38106), Windows Power Dependency Coordinator (CVE-2024-38107)
🔻 04:50 Unauthenticated Elevation of Privilege – WordPress LiteSpeed Cache Plugin (CVE-2024-28000)

English voice over was generated by my open source utility subtivo (subtitles to voice over)

06:39 Check out the final jingle I generated using AI services 😉 (ToolBaz for lyrics and Suno for music)

На русском

September Linux Patch Wednesday

Leave a reply

September Linux Patch Wednesday

September Linux Patch Wednesday. 460 vulnerabilities. Of these, 279 are in the Linux Kernel.

2 vulnerabilities with signs of exploitation in the wild, but without public exploits:

🔻 Security Feature Bypass – Chromium (CVE-2024-7965)
🔻 Memory Corruption – Chromium (CVE-2024-7971)

29 vulnerabilities with no sign of exploitation in the wild, but with a link to a public exploit or a sign of its existence. Can be highlighted:

🔸 Remote Code ExecutionpgAdmin (CVE-2024-2044), SPIP (CVE-2024-7954), InVesalius (CVE-2024-42845)
🔸 Command Injection – SPIP (CVE-2024-8517)

Among them are vulnerabilities from 2023, fixed in repos only now (in RedOS):

🔸 Remote Code Executionwebmin (CVE-2023-38303)
🔸 Code Injection – webmin (CVE-2023-38306, CVE-2023-38308)
🔸 Information DisclosureKeePass (CVE-2023-24055)

Debian brought “Google Chrome on Windows” vulnerabilities. 😣👎

🗒 Vulristics September Linux Patch Wednesday Report

На русском

The severity of the Spoofing – Windows MSHTML Platform vulnerability (CVE-2024-43461) has increased

Leave a reply

The severity of the Spoofing - Windows MSHTML Platform vulnerability (CVE-2024-43461) has increased

The severity of the Spoofing – Windows MSHTML Platform vulnerability (CVE-2024-43461) has increased. The vulnerability was fixed in September Microsoft Patch Tuesday. At the time of publication, Microsoft had not yet flagged this vulnerability as being exploited in the wild. They did this only 3 days later, on September 13.

ZDI Threat Hunting team researcher Peter Girnus discovered the vulnerability while investigating the Void Banshee APT attack. The vulnerability was exploited in the same attack chain as the trending Spoofing – Windows MSHTML Platform (CVE-2024-38112) vulnerability, patched in July.

Using this vulnerability, the attackers hid the extension of the malicious HTA file being opened by adding 26 Braille space characters to its name. Thus, victims may think that they are opening a harmless PDF document.

Installing the security update does not remove spaces in the file name, but Windows now shows the actual file extension. 👍

На русском

Generating names for vulnerabilities

Leave a reply

Generating names for vulnerabilities

Generating names for vulnerabilities. Colleagues who work on attack attribution have a funny habit of naming attack groups according to some scheme. For example, Midnight Blizzard or Mysterious Werewolf. 🙂 I thought, why can’t we name vulnerabilities in a similar way?

For example, Remote Code Execution – Windows NAT (CVE-2024-38119)

🔹 We transform vulnerability types into consonant names of animals. RCE – let it be Racoon. For EoP it can be Elephant, for Memory Corruption – Monkey, etc.

🔹 Based on software names, we automatically select adjectives that begin with the same letters. “Windows NAT” -> “Windy Nautical”.

🔹 There can be many vulnerabilities of the same type in the same product. Therefore, we generate combinations of adverbs and past participles (6940230 combinations), and then map CVE identifiers into them. CVE-2024-38119 -> 202438119 -> “2438119”: “inquisitively underspecified”

Thus we get: “Inquisitively Underspecified Windy Nautical Racoon”. 🙂

На русском