Category Archives: Projects

August Microsoft Patch Tuesday

Leave a reply

August Microsoft Patch Tuesday

August Microsoft Patch Tuesday. 130 CVEs, of which 45 were added since July MSPT.

In the TOP suddenly is RCE – OpenSSH “regreSSHion” (CVE-2024-6387), which MS fixed in Azure. 🙂

6 vulnerabilities with signs of exploitation in the wild. 😱 It’s been a long time since we’ve seen so many. I will write about them in separate posts.

🔻 EoP – Windows Kernel (CVE-2024-38106), Windows Ancillary Function Driver for WinSock (CVE-2024-38193), Windows Power Dependency Coordinator (CVE-2024-38107)
🔻 Security Feature Bypass – Windows Mark of the Web (CVE-2024-38213)
🔻 RCE – Microsoft Project (CVE-2024-38189)
🔻 RCE – Scripting Engine (CVE-2024-38178)

Other:

🔸 AuthBypass – Windows Update Stack (CVE-2024-38202) – the vulnerability was recently presented at BlackHat
🔹 Interesting RCEs – Windows TCP/IP (CVE-2024-38063) and LPD (CVE-2024-38199)
🔹 A lot of EoPs in Windows components (~26)

🗒 Full Vulristics report

На русском

I have released a new version of Vulristics 1.0.7

Leave a reply

I have released a new version of Vulristics 1.0.7

I have released a new version of Vulristics 1.0.7.

🔹 Now, if you see exploits in the report that are not actually exploits (but are, for example, detection scripts), you can exclude them. To do this, create a custom data source (json file) for the CVE identifier and add the identifiers of the exploits you want to exclude to the ignore_exploits tag.

🔹 I’ve added the ability to manage the html report banner via the –result-html-label key. You can specify a banner for Linux Patch Wednesday (lpw), a banner for Microsoft Patch Tuesday (mspt), or the URL of an arbitrary image.

Changelog
Uncompressed picture

На русском

July Linux Patch Wednesday

Leave a reply

July Linux Patch Wednesday

July Linux Patch Wednesday. There are 705 vulnerabilities, of which 498 are in the Linux Kernel. There are no vulnerabilities with signs of exploitation in the wild yet, 11 have public exploits.

🔻 RCE – OpenSSH “regreSSHion” (CVE-2024-6387) is in the absolute top with many variations of exploits on GitHub. Mind the malicious fakes (❗️). I will also mention a similar vulnerability RCE – OpenSSH (CVE-2024-6409) with no exploits yet.
🔻 Public PoC links for DoS in Suricata (CVE-2024-38536) and QEMU (CVE-2024-3567).

According to BDU, public exploits exist for:

🔸 AuthBypass – RADIUS Protocol (CVE-2024-3596), it was also fixed in the July MSPT
🔸 Security Feature Bypass – Exim (CVE-2024-39929) – mime_filename blocking bypass, as well as in Nextcloud (CVE-2024-22403) – eternal OAuth codes
🔸 DoS – OpenTelemetry (CVE-2023-45142)
🔸 Memory Corruption – 7-Zip (CVE-2023-52168)

🗒 Vulristics report on July Linux Patch Wednesday

На русском

I’ve released a new version of Vulristics 1.0.6

Leave a reply

I've released a new version of Vulristics 1.0.6

I’ve released a new version of Vulristics 1.0.6.

🔹 I’ve made it easier to work with exploit data. Now all Data Sources bring such data in a single format and it is processed uniformly. Including signs of the presence of an exploit in Microsoft CVSS Temporal Vector (I classify them as private exploits). First, I look for the presence of public exploits; if there are none, then private exploits.

🔹 I fixed a bug due to which it was not possible to force the vulnerability type to be set from the Custom Data Source.

🔹 During simplified detection of product names for generated Microsoft vulnerability descriptions, product descriptions can now be pulled up by alternative_names as well.

🔹I fixed a bug with Vulristics crashing when generating a Microsoft Patch Tuesday report while searching for an MSPT review from Qualys. […]

Changelog
Uncompressed picture
На русском

July Microsoft Patch Tuesday

Leave a reply

July Microsoft Patch Tuesday

July Microsoft Patch Tuesday. There are 175 vulnerabilities in total, 33 of which appeared between June and July Patch Tuesday.

There are 2 vulnerabilities with the sign of exploitation in the wild:

🔻 Spoofing – Windows MSHTML Platform (CVE-2024-38112). It’s not clear what exactly is being spoofed. Let’s wait for the details. It is currently known that to exploit the vulnerability, an attacker must send the victim a malicious (MSHTML?) file, which the victim must somehow run/open.
🔻 Elevation of Privilege – Windows Hyper-V (CVE-2024-38080). This vulnerability allows an authenticated attacker to execute code with SYSTEM privileges. Again, no details. This could be interpreted that the guest OS user can gain privileges in the host OS (I hope this is not the case).

From the rest we can highlight:

🔸 Elevation of Privilege – various Windows components (CVE-2024-38059, CVE-2024-38066, CVE-2024-38100, CVE-2024-38034, CVE-2024-38079, CVE-2024-38085, CVE-2024-38062, CVE-2024-30079, CVE-2024-38050). EoPs quite often become exploitable.
🔸 Remote Code Execution – Windows Remote Desktop Licensing Service (CVE-2024-38074, CVE-2024-38076, CVE-2024-38077)
🔸 Remote Code Execution – Microsoft Office (CVE-2024-38021)
🔸 Remote Code Execution – Windows Imaging Component (CVE-2024-38060). All you need to do is upload a malicious TIFF file to the server.
🔸 Remote Code Execution – Microsoft SharePoint Server (CVE-2024-38023, CVE-2024-38024). Authentication is required, but “Site Owner” permissions are sufficient.

🗒 Vulristics report on July Microsoft Patch Tuesday

Vulristics shows an exploit existence for Spoofing – RADIUS Protocol (CVE-2024-3596) on GitHub, but in reality it is just a detection utility.

На русском

Linux Patch Wednesday: here is this May peak!

Leave a reply

Linux Patch Wednesday: here is this May peak!

Linux Patch Wednesday: here is this May peak! 🤦‍♂️ Also about June Linux Patch Wednesday. If you remember, in my post about the May Linux Patch Wednesday I was happy that, despite the launch of the rule for Unknown dates, the peak in May was insignificant. Although “32406 oval definitions without a date received a nominal date of 2024-05-15”. It turned out that the peak was not visible due to an error in the code. Ba-dum-tss! 🥸🤷‍♂️

I noticed that not all CVEs are in LPW bulletins, despite the addition of nominal dates, for example the high-profile vulnerability Elevation of Privilege (Local Privilege Escalation) – Linux Kernel (CVE-2024-1086). I could not find it anywhere. I debugged the function that distributes vulnerabilities into bulletins and added tests. I have ensured that all 38362 CVEs from the Linux OVAL content are actually distributed in bulletins. Including CVE-2024-1086. Here it is in February:

$ grep "CVE-2024-1086"  bulletins/*
bulletins/2024-02-21.json:        "CVE-2024-1086": [
bulletins/2024-02-21.json:                "title": "CVE-2024-1086 linux",
bulletins/2024-02-21.json:                "title": "CVE-2024-1086 linux",
bulletins/2024-02-21.json:                "title": "CVE-2024-1086 linux",

Well, there really is a peak in May. And how huge it is! 11476 CVEs! 😱 This is so much that I regenerated the Vulristics report for it only using 2 sources: Vulners and BDU. Since even from Vulners the data was not collected quickly enough. The report contains 77 vulnerabilities with signs of active exploitation in the wild and 1404 vulnerabilities with exploits, but without signs of active exploitation in the wild. Since for the most part these are old vulnerabilities for which it was simply not clear exactly when they were fixed, for example, Remote Code Execution – Apache HTTP Server (CVE-2021-42013), I will not analyze them in detail – for those interested, see the report. But please note that the report size is very large.

🗒 Vulristics report on the May Linux Patch Wednesday (31.3 MB)

As for the June Linux Patch Wednesday, which was finalized on June 19, there are 1040 vulnerabilities. Also quite a lot. Why is this so? On the one hand, the rule for Unknown dates added 977 Debian OVAL definitions without a date. Not 30k, like in May, but also significant. Out of 1040 vulnerabilities, 854 are Linux Kernel vulnerabilities. Moreover, there are quite a lot of “old” vulnerability identifiers, but created in 2024. For example, CVE-2021-47489 with NVD Published Date 05/22/2024. 🤔 CNA Linux Kernel is doing something strange.

🔻 With signs of exploitation in the wild again Remote Code Execution – Chromium (CVE-2024-5274, CVE-2024-4947), like in Microsoft Patch Tuesday. According to the BDU, Remote Code Execution – Libarchive (CVE-2024-26256) is also exploited in the wild.

🔸 Another 20 vulnerabilities with a public exploit. I can highlight separately Remote Code Execution – Cacti (CVE-2024-25641) and Remote Code Execution – onnx/onnx framework (CVE-2024-5187).

🗒 Vulristics report on the June Linux Patch Wednesday (4.4 MB)

June Microsoft Patch Tuesday

Leave a reply

June Microsoft Patch Tuesday

June Microsoft Patch Tuesday. There are 69 vulnerabilities in total, 18 of which were added between May and June Patch Tuesday. Among these added were 2 vulnerabilities with signs of exploitation in the wild:

🔻 Remote Code Execution – Chromium (CVE-2024-5274, CVE-2024-4947). Both vulnerabilities are in CISA KEV; there are no exploits for them yet.

For the remaining vulnerabilities, there are no formal signs of exploitation in the wild or public exploits yet.

The specialized InfoSec media pay attention to these 2:

🔸 Remote Code Execution – Microsoft Message Queuing (MSMQ) (CVE-2024-30080). This vulnerability has a high CVSS Score of 9.8. To get RCE, the attacker sends a specially crafted malicious packet to the MSMQ server. The vulnerability may well become wormable for Windows servers with MSMQ enabled. It is very similar to last year’s QueueJumper (CVE-2023-21554).
🔸 Denial of Service – DNSSEC (CVE-2023-50868). Vulnerability in DNSSEC validation. An attacker can cause DoS using standard DNS integrity protocols. 🤷‍♂️ I don’t see any super criticality, but this is rare for MS Patch Tuesday, which is probably why everyone is writing about it.

What else you can pay attention to:

🔸 Elevation of Privilege – Windows Win32k (CVE-2024-30091), Windows Kernel (CVE-2024-30088, CVE-2024-30099) and Windows Cloud Files Mini Filter Driver (CVE-2024-30085). Why these? Microsoft’s CVSS states that there are private Proof-of-Concept exploits for them.
🔸 Remote Code Execution – Microsoft Office (CVE-2024-30101). This is a Microsoft Outlook vulnerability. To successfully exploit this vulnerability, a user must open a malicious email in an affected version of Microsoft Outlook and then perform certain actions to trigger the vulnerability. It’s enough to open the email in the Preview Pane. However, to successfully exploit this vulnerability, an attacker needs to win the race condition.
🔸 Remote Code Execution – Microsoft Outlook (CVE-2024-30103). Preview Pane is a vector. Authentication required. The vulnerability is somehow related to the creation of malicious DLL files. 🤷‍♂️
🔸 Remote Code Execution – Windows Wi-Fi Driver (CVE-2024-30078). An attacker can execute code on a vulnerable system by sending a specially crafted network packet. The victim must be within the attacker’s Wi-Fi range and use a Wi-Fi adapter. Sounds interesting, let’s wait for details. 😈
🔸 Remote Code Execution – Microsoft Office (CVE-2024-30104). An attacker must send the user a malicious file and convince the user to open the file. The Preview Pane is NOT an attack vector.

🗒 Vulristics report on June Microsoft Patch Tuesday

На русском