Category Archives: Topics

First impressions of the April Microsoft Patch Tuesday

Leave a reply

First impressions of the April Microsoft Patch Tuesday. I don’t even know what to write. 🤪 Very strange! 173 vulnerabilities, of which 23 were added since the last Patch Tuesday.

Microsoft flags one vulnerability as being exploited in the wild: Spoofing – Proxy Driver (CVE-2024-26234). And only Qualys briefly mentions it. Literally like this: “Microsoft has not disclosed any information about the vulnerability”. 😅 ZDI also claims that Security Feature Bypass – SmartScreen Prompt (CVE-2024-29988) is being exploited in the wild, which is a Mark of the Web (MotW) bypass.

There are no exploits for anything yet. The following vulnerabilities can be highlighted:

🔸 Remote Code Execution – Microsoft Excel (CVE-2024-26257). Can be exploited by an attacker when the victim opens a specially crafted file.
🔸 Remote Code Execution – RPC (CVE-2024-20678). It is highlighted by ZDI, which also claims 1.3 million exposed TCP 135 ports.
🔸 Spoofing – Outlook for Windows (CVE-2024-20670). ZDI writes that this is an Information Disclosure vulnerability that can be used in NTLM relay attacks.
🔸 Remote Code Execution – Windows DNS Server (CVE-2024-26221, CVE-2024-26222, CVE-2024-26223, CVE-2024-26224, CVE-2024-26227, CVE-2024-26231, CVE-2024-26233). Maybe some of this will be exploited in the wild, ZDI particularly highlights CVE-2024-26221.
🔸 Remote Code Execution – Microsoft Defender for IoT (CVE-2024-21322, CVE-2024-21323, CVE-2024-29053). It is an IoT and ICS/OT security solution that can be deployed on-prem.

There are simply indecently massive fixes:

🔹 Remote Code Execution – Microsoft OLE DB Driver for SQL Server / Microsoft WDAC OLE DB Provider for SQL Server / Microsoft WDAC SQL Server ODBC Driver. 28 CVEs! I won’t even list everything here. 😨
🔹 Security Feature Bypass – Secure Boot. 23 CVEs!

🗒 Vulristics report

На русском

Upd. 10.04 I slightly tweaked the vulnerability type detection to increase the priority of the detection based on the Microsoft generated description compared to the detection based on CWE. In particular, the type of vulnerability for Spoofing – Proxy Driver (CVE-2024-26234) and Spoofing – Outlook for Windows (CVE-2024-20670) has changed.

The digest of March trending vulnerabilities was published on the Positive Technologies website (in Russian)

Leave a reply

The digest of March trending vulnerabilities was published on the Positive Technologies website (in Russian). I also generated a Vulristics report for these vulnerabilities. There are 5 vulnerabilities in total.

🔻 For 3 vulnerabilities there are exploits and confirmed signs of exploitation in the wild: AuthBypass – TeamCity (CVE-2024-27198), RCE – FortiClientEMS (CVE-2023-48788), EoP – Windows Kernel (CVE-2024-21338).

🔻 For 2 more vulnerabilities there are no signs of exploitation in the wild yet, but there are exploits: EoP – Windows CLFS Driver (CVE-2023-36424), RCE – Microsoft Outlook (CVE-2024-21378).

На русском

The fundamental Open Source vulnerability demonstrated by the XZ Utils backdoor is not technical at all

Leave a reply

The fundamental Open Source vulnerability demonstrated by the XZ Utils backdoor is not technical at all. The fact is that the work of the communities responsible for writing commonly used code is based on more infantile principles than the work of children building a castle in a sandbox.

Some dedicated computer geeks on some mailing list somehow get organized and solve monstrously complex technical problems that affect hundreds of millions of people. 🤷‍♂️ Who are these geeks, what is their motivation, how adequate are the community leaders they choose? 🤔

As people familiar with the situation write, the backdoor in XZ Utils was allegedly added by a developer who, over the course of 2 years, joined the project, becoming its maintainer and main contributor. 😎 And the previous maintainer was gaslighted with the help of virtual trolls and was forced to share power. 🤷‍♂️ As a result, a Microsoft employee accidentally found the backdoor and raised the alarm.

На русском

For the January Elevation of Privilege (Local Privilege Escalation) – Linux Kernel (CVE-2024-1086), the write-up and PoC were released on March 26

Leave a reply

For the January Elevation of Privilege (Local Privilege Escalation) – Linux Kernel (CVE-2024-1086), the write-up and PoC were released on March 26. The video demo for the script looks impressive: they run the script as a regular user and after a couple of seconds they get a root shell. According to the author, the exploit works with most Linux kernels between versions 5.14 and 6.6, including Debian, Ubuntu and KernelCTF.

🔻 The exploit requires kconfig CONFIG_USER_NS=y; sh command sysctl kernel.unprivileged_userns_clone = 1; kconfig CONFIG_NF_TABLES=y. The author writes that this is the default for Debian, Ubuntu, and KernelCTF, and for other distributions it is necessary to test it.
🔹 The exploit does not work with kernels v6.4> with kconfig CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y (including Ubuntu v6.5)

NSFOCUS writes that Redhat is also vulnerable. 🤷‍♂️

На русском

I generated a report on the March Linux Patch Wednesday

Leave a reply

I generated a report on the March Linux Patch Wednesday. 134 vulnerabilities, of which 68 are in the Linux Kernel. There are no vulnerabilities with signs of exploitation in the wild. There are 15 vulnerabilities with PoCs.

🔸 The top vulnerability is Command Injection – libuv (CVE-2024-24806). This is a multi-platform library for asynchronous I/O. An attacker could potentially access internal APIs.

🔸 For aiohttp there is a pack of Command Injection (CVE-2023-37276, CVE-2023-47627, CVE-2023-49082) and Security Feature Bypass (CVE-2023-47641, CVE-2023-49081) with PoCs. It is an asynchronous client/server HTTP framework. The vulns were patched only in Russian RedOS and Debian.

🔸There are problems with vulnerability types/products detection due to the NVD crisis (no CPE & CWE). 🤷‍♂️

🔸 The Linux Kernel team is now a CNA and is creating a ton of CVEs with monstrously large descriptions. Because they can! 😏

🗒 March Linux Patch Wednesday

На русском

Over the weekend, I achieved the first results in my open source vulnerability detection project Vuldetta

Leave a reply

Over the weekend, I achieved the first results in my open source vulnerability detection project Vuldetta. 😇

What I managed to do:

🔹 I parsed Ubuntu OVAL into simple detection rules based on package versions. The structure of Ubuntu OVAL is quite sophisticated, especially when it comes to detecting kernel vulnerabilities (not by packages, but by uname_test and variable_test 🤯). Despite the fact that OVAL content for each distribution version is downloaded in a separate file, distribution version checks are also implemented in OVAL. Now I just go through all the definitions, see which dpkginfo_test are used in the criteria and parse only them.

🔹 I made a primitive utility that uses these detection rules. Without any optimizations, parsing OVAL and calculating vulnerabilities takes 6.5 seconds. It works. 🙂👍

All code is available on Github. Next I will deal with kernel vulnerabilities, optimization and turn the code into an http API.

На русском

I looked at VulnCheck KEV

Leave a reply

I looked at VulnCheck KEV. This is an analogue of CISA KEV (Know Exploited Vulnerabilities) by VulnCheck.

🔹 Unlike the public CISA KEV, only registered users have access to VulnCheck KEV. The VulnCheck website is accessible from Russian IPs 🇷🇺, but when registering they write that “account is currently under review” (in fact requests are simply blocked 🥸). Requests from non-Russian IPs are registered automatically. 🌝
🔹 There are ~2 times more CVEs in the database than in CISA KEV.
🔹 There are no standard tools for downloading all these CVEs via web-gui. 🤷‍♂️
🔹 There are links to exploits for CVEs that look good. 👌
🔹 There are signs of exploitation in the wild. Sometimes it’s clear, like “Outbreak Alerts 2023” pdf report. Sometimes it’s strange, like a link to a Shadowserver dashboard or a non-related blog post. 🤷‍♂️

The selection of CVEs is quite interesting, but the rationale for exploitation in the wild needs to be improved. 😉

На русском

This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.

Alexander V. Leonov

Vulnerability Management and more

Category Archives: Topics

First impressions of the April Microsoft Patch Tuesday

The digest of March trending vulnerabilities was published on the Positive Technologies website (in Russian)

The fundamental Open Source vulnerability demonstrated by the XZ Utils backdoor is not technical at all

For the January Elevation of Privilege (Local Privilege Escalation) – Linux Kernel (CVE-2024-1086), the write-up and PoC were released on March 26

I generated a report on the March Linux Patch Wednesday

Over the weekend, I achieved the first results in my open source vulnerability detection project Vuldetta

I looked at VulnCheck KEV