Category Archives: Topics

About Elevation of Privilege – needrestart (CVE-2024-48990) vulnerability

Leave a reply

About Elevation of Privilege - needrestart (CVE-2024-48990) vulnerability

About Elevation of Privilege – needrestart (CVE-2024-48990) vulnerability. On November 19, Qualys released a security bulletin about five privilege escalation vulnerabilities in the needrestart utility (CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003) used in Ubuntu Server, starting with version 21.04.

The needrestart utility runs automatically after APT operations (installing, updating, or removing packages). It checks if a reboot is required, thus ensuring that services use updated libraries without unnecessary downtime.

All 5 vulnerabilities make it possible for a regular user to become root. Qualys has private exploits for each. There is currently a publicly available exploit only for one vulnerability related to the PYTHONPATH environment variable.⚡️ It is available on Github since November 20th.

Update needrestart to version 3.8 or disable “interpreter scanning” in needrestart.conf.

На русском

About Path Traversal – Zyxel firewall (CVE-2024-11667) vulnerability

Leave a reply

About Path Traversal - Zyxel firewall (CVE-2024-11667) vulnerability

About Path Traversal – Zyxel firewall (CVE-2024-11667) vulnerability. A directory traversal vulnerability in the web management interface of Zyxel firewall could allow an attacker to download or upload files via a crafted URL. The vulnerability affects Zyxel ZLD firmware versions from 5.00 to 5.38, used in the ATP, USG FLEX, USG FLEX 50(W), and USG20(W)-VPN device series.

👾 Specialists from Sekoia discovered this vulnerability being exploited on their honeypots by ransomware attackers from the Helldown group. There are no public exploits yet.

Zyxel recommends:

🔹Update firmware to version 5.39, which was released on September 3, 2024
🔹Disable remote access until devices are updated
🔹Learn best practices for device configuration

If your company uses Zyxel firewalls, please pay attention. 😉

На русском

About Elevation of Privilege – PAN-OS (CVE-2024-9474) vulnerability

Leave a reply

About Elevation of Privilege - PAN-OS (CVE-2024-9474) vulnerability

About Elevation of Privilege – PAN-OS (CVE-2024-9474) vulnerability. An attacker with PAN-OS administrator access to the management web interface can perform actions on the Palo Alto device with root privileges. Linux commands can be injected via unvalidated input in script.

The need for authentication and admin access could limit this vulnerability’s impact, but here we have the previous vulnerability Authentication Bypass – PAN-OS (CVE-2024-0012). 😏 Exploitation of this vulnerability chain was noted by Palo Alto on November 17. After November 19, when the watchTowr Labs article was published and exploits appeared, mass attacks began.

On November 21, Shadowserver reported that ~2000 hosts were compromised, mostly in the US and India. According to Wiz, attackers deployed web shells, Sliver implants and cryptominers.

На русском

New episode “In The Trend of VM” (#9): 4 trending vulnerabilities of October, scandal at The Linux Foundation, social “attack on the complainer”, “Ford’s method” for motivating IT specialists to fix vulnerabilities

Leave a reply

New episode “In The Trend of VM” (#9): 4 trending vulnerabilities of October, scandal at The Linux Foundation, social “attack on the complainer”, “Ford’s method” for motivating IT specialists to fix vulnerabilities. The competition for the best question on the topic of VM continues. 😉🎁

📹 Video on YouTube, LinkedIn
🗞 Post on Habr (rus)
🗒 Digest on the PT website

Content:

🔻 00:37 Elevation of Privilege – Microsoft Streaming Service (CVE-2024-30090)
🔻 01:46 Elevation of Privilege – Windows Kernel-Mode Driver (CVE-2024-35250)
🔻 02:38 Spoofing – Windows MSHTML Platform (CVE-2024-43573)
🔻 03:43 Remote Code Execution – XWiki Platform (CVE-2024-31982)
🔻 04:44 The scandal with the removal of Russian maintainers at The Linux Foundation, its impact on security and possible consequences.
🔻 05:22 Social “Attack on the complainer
🔻 06:35Ford’s method” for motivating IT staff to fix vulnerabilities: will it work?
🔻 08:00 About the digest, habr and the question contest 🎁
🔻 08:29 Backstage

На русском

About Authentication Bypass – PAN-OS (CVE-2024-0012) vulnerability

Leave a reply

About Authentication Bypass - PAN-OS (CVE-2024-0012) vulnerability

About Authentication Bypass – PAN-OS (CVE-2024-0012) vulnerability. An unauthenticated attacker with network access to the Palo Alto device web management interface could gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated vulnerabilities. Firewalls of the PA, VM, CN series and the Panorama management platform are vulnerable. The vendor recommends restricting access to the management web interface to trusted internal IP addresses only.

🔻 On November 8, a Palo Alto bulletin was released
🔻 On November 15, signs of attacks were noticed, labeled as “Operation Lunar Peek”
🔻 On November 18, the vulnerability was added to the CISA KEV
🔻 On November 19, watchTowr Labs released a post with technical details (“supply the off value to the X-PAN-AUTHCHECK HTTP request header, and the server helpfully turns off authentication”) 😏 and exploits soon appeared on GitHub

На русском

November Linux Patch Wednesday

Leave a reply

November Linux Patch Wednesday

November Linux Patch Wednesday. I was happy in October that the number of vulnerabilities was gradually decreasing to an acceptable level, and in November I got a peak again. A total of 803 vulnerabilities. Of these, 567 are in the Linux Kernel. Kind of crazy. 😱

2 vulnerabilities in Chromium with signs of exploitation in the wild:

🔻 Security Feature Bypass – Chromium (CVE-2024-10229)
🔻 Memory Corruption – Chromium (CVE-2024-10230, CVE-2024-10231)

There are no signs of exploitation in the wild for 27 vulnerabilities yet, but there are public exploits. Of these, I would draw attention to:

🔸 Remote Code Execution – PyTorch (CVE-2024-48063)
🔸 Remote Code Execution – OpenRefine Butterfly (CVE-2024-47883) – “web application framework”
🔸 Code Injection – OpenRefine tool (CVE-2024-47881)
🔸 Command Injection – Eclipse Jetty (CVE-2024-6763)
🔸 Memory Corruption – pure-ftpd (CVE-2024-48208)

🗒 Vulristics November Linux Patch Wednesday Report

На русском

About Remote Code Execution – FortiManager “FortiJump” (CVE-2024-47575) vulnerability

Leave a reply

About Remote Code Execution - FortiManager FortiJump (CVE-2024-47575) vulnerability

About Remote Code Execution – FortiManager “FortiJump” (CVE-2024-47575) vulnerability. FortiManager is a centralized solution for configuring, enforcing policies, updating, and monitoring Fortinet network devices.

🔻 The vulnerability was released on October 23. A missing authentication for critical function in the FortiManager fgfmd (FortiGate-to-FortiManager) daemon allows remote attacker to execute arbitrary code or commands via specially crafted requests. There were signs of exploitation in the wild and the vulnerability was added to the CISA KEV.

🔻 On November 15, WatchTowr Labs published a post about this “FortiJump” vulnerability with a video demo and a link to the PoC. The researchers noted that the IOCs in the Fortinet bulletin can be bypassed. And the patch itself is incomplete. It is possible to escalate privileges on a patched device by exploiting a vulnerability called “FortiJump Higher”.

На русском