Category Archives: Topics

About Elevation of Privilege – Windows Kernel Streaming WOW Thunk Service Driver (CVE-2024-38144) vulnerability

Leave a reply

About Elevation of Privilege - Windows Kernel Streaming WOW Thunk Service Driver (CVE-2024-38144) vulnerability

About Elevation of Privilege – Windows Kernel Streaming WOW Thunk Service Driver (CVE-2024-38144) vulnerability. The vulnerability is from the August Microsoft Patch Tuesday. It wasn’t highlighted in reviews; all we knew was that a local attacker could gain SYSTEM privileges.

Three and a half months later, on November 27, SSD Secure Disclosure released a write-up with exploit code. This vulnerability was exploited at TyphoonPWN 2024, earning the researcher a $70,000 prize.

SSD stated in their write-up that communications with Microsoft were problematic and noted that “at the time of trying this on the latest version of Windows 11, the vulnerability still worked”. It’s unclear if this “time of trying” was before the August MSPT or just before the write-up was released in November. If the second option, the vulnerability might still be a 0day. 🤔🤷‍♂️

No reports of this vulnerability being exploited in attacks yet.

На русском

About Authentication Bypass – Hunk Companion WordPress plugin (CVE-2024-11972) vulnerability

Leave a reply

About Authentication Bypass - Hunk Companion WordPress plugin (CVE-2024-11972) vulnerability

About Authentication Bypass – Hunk Companion WordPress plugin (CVE-2024-11972) vulnerability. ThemeHunk company develops commercial themes for WordPress CMS. And the Hunk Companion plugin is designed to complement and enhance the functionality of these themes. The plugin has over 10,000 installations.

On December 10, WPScan reported a vulnerability in Hunk Companion plugin versions below 1.9.0, allowing unauthenticated attackers to install and activate plugins from the WordPressOrg repository. The exploit has been on GitHub since December 28.

This way, attackers can install plugins that contain additional vulnerabilities. 👾 In the incident analyzed by WPScan, the attackers installed the WP Query Console plugin with RCE vulnerability CVE‑2024‑50498 on the website and exploited it to install a backdoor.

If you use WordPress, try to minimize the number of plugins and update them regularly!

На русском

Aggregators of actively discussed vulnerabilities

Leave a reply

Aggregators of actively discussed vulnerabilities

Aggregators of actively discussed vulnerabilities. Alexander Redchits updated his list of services that highlight TOP CVE vulnerabilities and uploaded it with descriptions to teletype (in Russian). Now there are 11 of them:

1. Intruder’s Top CVE Trends & Expert Vulnerability Insights
2. Cytidel Top Trending
3. CVE Crowd
4. Feedly Trending Vulnerabilities
5. CVEShield
6. CVE Radar
7. Vulners “Discussed in social networks”
8. Vulmon Vulnerability Trends
9. SecurityVulnerability Trends
10. CVESky
11. Vulnerability-lookup

It’s great that there are so many of them! 👍 But for the most part, these services are NOT about real attacks and exploitability, but about the desire of the information security community to discuss some vulnerabilities. What is being discussed may not always be important to you.

And the attention span of the information security community is like that of a goldfish: they analyze a vulnerability/incident, demonstrate their expertise and immediately forget about it. 🤷‍♂️😏

It’s fascinating to look at these selections of CVE vulnerabilities, but using these lists to prioritize vulnerabilities in the VM process is a bad idea. It’s better to focus on the trending vulnerability lists provided by Positive Technologies. 😉😇

На русском

About Remote Code Execution – Apache Struts (CVE-2024-53677) vulnerability

Leave a reply

About Remote Code Execution - Apache Struts (CVE-2024-53677) vulnerability

About Remote Code Execution – Apache Struts (CVE-2024-53677) vulnerability. Apache Struts is an open source software framework for building Java web applications. It allows developers to separate the application’s business logic from the user interface. Due to its scalability and flexibility, Apache Struts is often used in large enterprise projects.

A security bulletin describing the vulnerability was released on December 14. A flaw in file upload logic allows an unauthenticated attacker to perform Path Traversal, upload a malicious file, and, under certain circumstances, perform Remote Code Execution. On December 20, a public exploit for the vulnerability was released. There are reports of exploitation attempts, but no information on successful attacks yet.

The vendor recommends upgrading to version 6.4.0 or higher and migrating applications to the new secure File Upload mechanism.

На русском

About Remote Code Execution – Windows Lightweight Directory Access Protocol (LDAP) (CVE-2024-49112)

Leave a reply

About Remote Code Execution - Windows Lightweight Directory Access Protocol (LDAP) (CVE-2024-49112)

About Remote Code Execution – Windows Lightweight Directory Access Protocol (LDAP) (CVE-2024-49112). The vulnerability is from the December Microsoft Patch Tuesday. Three weeks later, on January 1, researchers from SafeBreach released a write-up on this vulnerability, labeled as LDAPNightmare, and an exploit PoC.

The exploit causes a forced reboot of Windows servers. One prerequisite: the victim domain controller’s DNS server must have Internet connectivity.

The attack flow starts with sending a DCE/RPC request to the victim server, causing the LSASS (Local Security Authority Subsystem Service) to crash and force a reboot when an attacker sends a specially crafted CLDAP (Connectionless Lightweight Directory Access Protocol) referral response packet.

But this is all about DoS, why RCE? 🤔 Researchers note that RCE can be achieved by modifying the CLDAP packet.

На русском

New episode “In The Trend of VM” (#10): 8 trending vulnerabilities of November, zero budget VM and who should look for patches

Leave a reply

New episode “In The Trend of VM” (#10): 8 trending vulnerabilities of November, zero budget VM and who should look for patches. The competition for the best question on the topic of VM continues. 😉🎁

📹 Video on YouTube, LinkedIn
🗞 Post on Habr (rus)
🗒 Digest on the PT website

Content:

🔻 00:29 Spoofing – Windows NTLM (CVE-2024-43451)
🔻 01:16 Elevation of Privilege – Windows Task Scheduler (CVE-2024-49039)
🔻 02:16 Spoofing – Microsoft Exchange (CVE-2024-49040)
🔻 03:03 Elevation of Privilege – needrestart (CVE-2024-48990)
🔻 04:11 Remote Code Execution – FortiManager “FortiJump” (CVE-2024-47575)
🔻 05:19 Authentication Bypass – PAN-OS (CVE-2024-0012)
🔻 06:32 Elevation of Privilege – PAN-OS (CVE-2024-9474)
🔻 07:42 Path Traversal – Zyxel firewall (CVE-2024-11667)
🔻 08:37 Is it possible to Manage Vulnerabilities with no budget?
🔻 09:53 Should a VM specialist specify a patch to install on the host in a Vulnerability Remediation task?
🔻 10:51 Full digest of trending vulnerabilities
🔻 11:18 Backstage

На русском

About Denial of Service – PAN-OS (CVE-2024-3393) vulnerability

Leave a reply

About Denial of Service - PAN-OS (CVE-2024-3393) vulnerability

About Denial of Service – PAN-OS (CVE-2024-3393) vulnerability. PAN-OS is the operating system that runs all Palo Alto Network NGFWs. The vendor’s advisory was released on December 27. Аn unauthenticated attacker can send a malicious packet through the data plane of the firewall, causing it to reboot. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode. For exploitation the logging option of the “DNS Security” feature must be enabled.

👾 Palo Alto has already detected attacks that exploit this vulnerability. There are no public exploits yet.

👀 CyberOK detects more than 500 PAN-OS installations in RuNet, of which 32 are potentially vulnerable. Additionally, 218 hosts are running PAN-OS version 11.0.x, which is no longer supported by the vendor since November 17.

🔧 To fix the vulnerability, you need to update your device or, as a workaround, disable the logging option of the “DNS Security” function.

На русском