Author Archives: Alexander Leonov

About Alexander Leonov

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven't used Telegram yet, give it a try. It's great. You can discuss my posts or ask questions at @avleonovchat. And I invite all Russian speakers to one more Telegram channel, @avleonovrus; that is where I now post first.

September Microsoft Patch Tuesday

September Microsoft Patch Tuesday. 107 CVEs, 28 of which were added since August MSPT. 6 vulnerabilities with signs of exploitation in the wild:

🔻 Remote Code Execution – Windows Update (CVE-2024-43491)
🔻 Elevation of Privilege – Windows Installer (CVE-2024-38014)
🔻 Security Feature Bypass – Windows Mark of the Web (CVE-2024-38217), Microsoft Publisher (CVE-2024-38226), Chromium (CVE-2024-7965)
🔻 Memory Corruption – Chromium (CVE-2024-7971)

3 more with private exploits:

🔸 Authentication Bypass – Azure (CVE-2024-38175)
🔸 Security Feature Bypass – Windows Mark of the Web (CVE-2024-43487)
🔸 Elevation of Privilege – Windows Storage (CVE-2024-38248)

Other interesting vulnerabilities:

🔹 Remote Code Execution – Microsoft SQL Server (CVE-2024-37335 and 5 more CVEs)
🔹 Remote Code Execution – Windows NAT (CVE-2024-38119)
🔹 Elevation of Privilege – Windows Win32k (CVE-2024-38246, CVE-2024-38252, CVE-2024-38253)
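The bullet markers in this post encode the signal that drives prioritization: 🔻 for exploitation in the wild, 🔸 for a privately known exploit, 🔹 for everything else. The script below is an added example (not Vulristics code and not the author's) that parses exactly these lines, pulls out every CVE with its type and product, and ranks them so that exploitation evidence outweighs vulnerability type. The type weights are an assumed illustration of a triage policy, not a standard; the sample input is the post's own bullet lines pasted into a string.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: the bullet lines of the September MSPT post,
# pasted verbatim into a string so the example runs offline.
POST = """\
🔻 Remote Code Execution – Windows Update (CVE-2024-43491)
🔻 Elevation of Privilege – Windows Installer (CVE-2024-38014)
🔻 Security Feature Bypass – Windows Mark of the Web (CVE-2024-38217), Microsoft Publisher (CVE-2024-38226), Chromium (CVE-2024-7965)
🔻 Memory Corruption – Chromium (CVE-2024-7971)
🔸 Authentication Bypass – Azure (CVE-2024-38175)
🔸 Security Feature Bypass – Windows Mark of the Web (CVE-2024-43487)
🔸 Elevation of Privilege – Windows Storage (CVE-2024-38248)
🔹 Remote Code Execution – Microsoft SQL Server (CVE-2024-37335 and 5 more CVEs)
🔹 Remote Code Execution – Windows NAT (CVE-2024-38119)
🔹 Elevation of Privilege – Windows Win32k (CVE-2024-38246, CVE-2024-38252, CVE-2024-38253)
"""

# Meaning of the post's bullet markers (each is a single code point).
MARKER_TO_SIGNAL = {
    "\U0001F53B": "exploited_in_the_wild",  # 🔻
    "\U0001F538": "private_exploit",        # 🔸
    "\U0001F539": "no_known_exploit",       # 🔹
}
SIGNAL_WEIGHT = {"exploited_in_the_wild": 3, "private_exploit": 2, "no_known_exploit": 1}

# Assumed impact ordering of vulnerability types: an illustration of a triage
# policy, not a standard; types not listed here get weight 1.
TYPE_WEIGHT = {
    "Remote Code Execution": 3,
    "Authentication Bypass": 3,
    "Elevation of Privilege": 2,
    "Security Feature Bypass": 2,
    "Memory Corruption": 2,
}

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# "Product name (CVE-..., CVE-...)" groups; a comma separates product groups.
PRODUCT_RE = re.compile(r"([^,()]+?)\s*\(([^)]*)\)")
# "Type – rest": accept an en dash or a plain hyphen between spaces.
TYPE_SEP_RE = re.compile(r"\s[\u2013-]\s")


@dataclass(frozen=True)
class Finding:
    cve: str
    vuln_type: str
    product: str
    signal: str


def parse_post(text: str) -> list[Finding]:
    """Extract one Finding per CVE identifier from marker-prefixed bullet lines."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] not in MARKER_TO_SIGNAL:
            continue  # headings and prose carry no marker
        signal = MARKER_TO_SIGNAL[line[0]]
        parts = TYPE_SEP_RE.split(line[1:].strip(), maxsplit=1)
        if len(parts) != 2:
            continue  # malformed bullet: no "Type – products" separator
        vuln_type, rest = parts
        for m in PRODUCT_RE.finditer(rest):
            product = m.group(1).strip()
            # "(CVE-2024-37335 and 5 more CVEs)" yields only the identifier
            # actually present; the elided ones are not invented.
            for cve in CVE_RE.findall(m.group(2)):
                findings.append(Finding(cve, vuln_type, product, signal))
    return findings


def priority_score(f: Finding) -> int:
    """Exploitation evidence dominates; vulnerability type only breaks ties."""
    return SIGNAL_WEIGHT[f.signal] * 10 + TYPE_WEIGHT.get(f.vuln_type, 1)


def prioritize(findings: list[Finding]) -> list[Finding]:
    # sorted() is stable, so equal scores keep the post's original order.
    return sorted(findings, key=priority_score, reverse=True)


def count_by_signal(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.signal for f in findings))


if __name__ == "__main__":
    for f in prioritize(parse_post(POST)):
        print(f"{priority_score(f):>3}  {f.cve:<15} {f.signal:<22} {f.vuln_type} / {f.product}")
```

Running it prints the 14 identifiers with CVE-2024-43491 (RCE, exploited in the wild) on top and the three Win32k EoPs with no known exploit at the bottom; the "5 more CVEs" for SQL Server are not expanded because the post does not list them.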

🗒 Full Vulristics report

I have released a new version of Vulristics 1.0.8 with some minor usability improvements

I have released a new version of Vulristics 1.0.8 with some minor usability improvements. I love it when my open source projects get pull requests. 😊 This time help came from user dvppvd:

🔹 Padding was added to the CSS table style to make the HTML report more readable.

🔹 When you run the utility without parameters, help and examples are displayed. The examples show how to run the utility to analyze MSPT vulnerabilities for a specific month and year, or to analyze an arbitrary set of CVE identifiers.

🔹 Empty lines for the text banner have been added.

TODO for the next releases:

🔸 Support CVSS 4 for data sources that have already started providing this data.

🔸 Develop automated tests to verify the correct operation of the utility for known CVE identifiers.

🔸 Implement a new data source based on the CVEProject GitHub repository for mass analysis of CVE vulnerabilities.

If you want to participate, join AVLEONOV Start. 😉

Changelog

I found that the research data for Remote Code Execution – Windows Remote Desktop Licensing Service “MadLicense” (CVE-2024-38077), which I wrote about 3 weeks ago, was deleted

I found that the research data for Remote Code Execution – Windows Remote Desktop Licensing Service “MadLicense” (CVE-2024-38077), which I wrote about 3 weeks ago, was deleted. Both on GitHub and on Google Sites.

And what does this all mean? 🤔 Who knows. 🤷‍♂️ Considering that it disappeared on two platforms at once, it was probably deleted by the Chinese researchers themselves. Why did they do this? Perhaps they established a dialogue with Microsoft and MS asked them to remove everything from the public (which, of course, is stupid – the Internet remembers everything). Perhaps someone else asked them to do this. 🫡 Another reason to pay attention to this vulnerability.

AVLEONOV Start – joint work on Open Source projects to start a career in Vulnerability Management

AVLEONOV Start – joint work on Open Source projects to start a career in Vulnerability Management. People come to me from time to time in this situation: they want to start working in the VM field, but they have no practical experience working with vulnerabilities. Therefore, they cannot get a job. And they can't get experience anywhere. A vicious circle. Usually I say to this – go for an internship. But internship places are also limited, and there is no guarantee that you will be assigned to work on VM tasks.

An alternative is to participate in open source projects. Here I can help a little. I have quite a lot of open source VM projects. I can give a task, track its implementation, merge the code into the main project with the authorship and describe the merits in the channel and changelog. There will be something to attach to the resume. 😉

Does this guarantee employment? No, nothing is guaranteed. But it will be a plus.

If you are interested, write to me. 🙂

Greenbone introduced the Greenbone Basic vulnerability scanner for SMEs, the price of which is NOT tied to the number of IP addresses that can be scanned

Greenbone introduced the Greenbone Basic vulnerability scanner for SMEs, the price of which is NOT tied to the number of IP addresses that can be scanned. A license for 1 scanner will cost 2450 € per year. It will be delivered as a virtual machine image. There is a comparison table and a data sheet.

Greenbone Basic differences:

🔹 Compared to Greenbone Free, it WILL have a full database of plugins for vulnerability detection, compliance scanning, scan scheduler, alerts, LDAP/Radius authentication, HTTPS certificate management, NTP integration.

🔹 Compared to Greenbone Enterprise, there will NOT be hierarchical connection of scanners (sensors), API support, vulnerability remediation tickets, technical support from Greenbone, or the other enterprise features.

In terms of features, it looks like a real alternative to Tenable’s Nessus Professional. Competition in the entry-level fixed-price VM segment is intensifying. 👍

About Elevation of Privilege – Windows Ancillary Function Driver for WinSock (CVE-2024-38193) and other Windows EoP vulnerabilities from August Patch Tuesday

About Elevation of Privilege – Windows Ancillary Function Driver for WinSock (CVE-2024-38193) and other Windows EoP vulnerabilities from August Patch Tuesday. In total, in the August MSPT there were 3 EoPs with signs of exploitation in the wild. They have identical descriptions: an attacker can elevate privileges on the host to SYSTEM level. The vulnerability in Windows Kernel is more difficult to exploit, because it is necessary to win a race condition.

Of the three, we only know the names of the attackers for the EoP vulnerability in the Windows Ancillary Function Driver (AFD.sys). It is exploited by the well-known group Lazarus. This was reported in a press release from Gen Digital, the company that owns the Avira and Avast antiviruses. To neutralize information security products during an attack, Lazarus attackers use the FudModule rootkit. So, even if EDR is installed on the host, the host should be updated. 😏

Progress in exploitation of Remote Code Execution – Windows TCP/IP IPv6 (CVE-2024-38063)

Progress in exploitation of Remote Code Execution – Windows TCP/IP IPv6 (CVE-2024-38063). The vulnerability is from the August Patch Tuesday. 2 weeks ago I already wrote why it is potentially dangerous. Now the danger has increased significantly:

🔻 On August 24, a PoC exploit appeared on GitHub. There is a video of a small Python script (39 lines) being launched and causing Windows to crash with the error “KERNEL SECURITY CHECK FAILURE”. This looks more like DoS than RCE. But that is only for now.

🔻 Well-known researcher Marcus Hutchins posted a blog post titled “CVE-2024-38063 – Remotely Exploiting The Kernel Via IPv6”. It describes the technical details of exploiting the vulnerability.

The probability that the vulnerability will be exploited in the wild has increased significantly.

❗️ Check whether the vulnerability is already patched, and raise the priority of the fix if it is not.
