Category Archives: Vulnerability

Information Disclosure vulnerability – Check Point Security Gateway (CVE-2024-24919) exploited in the wild

Leave a reply

Information Disclosure vulnerability - Check Point Security Gateway (CVE-2024-24919) exploited in the wild

Information Disclosure vulnerability – Check Point Security Gateway (CVE-2024-24919) exploited in the wild. On May 28, Check Point released a security bulletin reporting a critical vulnerability in Check Point Security Gateways configured with the “IPSec VPN” or “Mobile Access” software blades.

📖 Almost immediately, technical details on the vulnerability appeared. The vulnerability allows an unauthenticated remote attacker to read the content of an arbitrary file located on an affected device. This allows an attacker to read the /etc/shadow file with password hashes for local accounts, including accounts used to connect to Active Directory. An attacker can obtain passwords from hashes, and then use these passwords for authentication and further development of the attack. Of course, if the Security Gateway allows password-only authentication.

🔨 Exploiting the vulnerability is trivial – one Post request is enough. There are already many scripts on GitHub for this.

👾 Attempts to exploit the vulnerability have been detected since April 7. In other words, 1.5 months before the vendor released the fixes. The vulnerability is already in CISA KEV.

Vulnerable products:

🔻 CloudGuard Network
🔻 Quantum Maestro
🔻 Quantum Scalable Chassis
🔻 Quantum Security Gateways
🔻 Quantum Spark Appliances

🔍 How many vulnerable hosts can there be? Qualys found 45,000 hosts in Fofa and about 20,000 hosts in Shodan. Most of all, of course, in Israel. Russia is not in the TOP 5 countries. Fofa shows 408 hosts for Russia. 🤷‍♂️

🩹 The vendor’s website provides hotfixes, a script for checking for compromise, and recommendations for hardening devices.

На русском

RCE – Confluence (CVE-2024-21683) with public exploits on GitHub

Leave a reply

RCE - Confluence (CVE-2024-21683) with public exploits on GitHub

RCE – Confluence (CVE-2024-21683) with public exploits on GitHub. Authentication is required. Both Confluence Data Center and Confluence Server are vulnerable.

🔻 Version 8.5.9 LTS, which fixes the vulnerability, was released on May 9.
🔻 On May 23, after the description of the vulnerability in NVD and the Atlassian ticket became public, researcher Huong Kieu studied the patch, described the vulnerability and reported that he was able to make a PoC. On the same day, exploits for this vulnerability appeared on GitHub.

Atlassian likely held back information about fixing this vulnerability so that more organizations could update before active exploitation began. However, they didn’t quite succeed. Apparently they accidentally published the ticket on May 15th, and then hid it until May 23rd. But the vulnerability search engine Vulners remembered it. 😉 So information about the vulnerability was available all this time.

На русском

RCE – Fluent Bit (CVE-2024-4323) “Linguistic Lumberjack”

Leave a reply

RCE - Fluent Bit (CVE-2024-4323) Linguistic Lumberjack

RCE – Fluent Bit (CVE-2024-4323) “Linguistic Lumberjack”. Fluent Bit is a multi-platform open source tool for collecting and processing logs. It is easy to use, scales well, and can handle large amounts of data. Fluent Bit is often used in the infrastructures of large companies, especially in the infrastructures of cloud providers.

The vulnerability discovered by Tenable Research is related to memory corruption in the built-in Fluent Bit HTTP server. This HTTP server is used to monitor the status of Fluent Bit: uptime, plugin metrics, health checks, etc. Certain unauthenticated requests to the server API may result in denial of service (DoS), information leakage, or remote code execution (RCE). According to researchers, making a reliable RCE exploit will not be easy, but the PoC for DoS is already publicly available and, perhaps, it will be converted into RCE.

The fix is expected in version 3.0.4.

На русском

Regarding Jacob Williams’ idea of using “Accepted Insecure Time” instead of “Service-level Agreement” when discussing vulnerabilities and patches

Leave a reply

Regarding Jacob Williams' idea of using Accepted Insecure Time instead of Service-level Agreement when discussing vulnerabilities and patches

Regarding Jacob Williams’ idea of using “Accepted Insecure Time” instead of “Service-level Agreement” when discussing vulnerabilities and patches. There is logic in this. Indeed, the term SLA hides the essence of the problem: as long as the vulnerability is not fixed (even if IT performs patching in the SLA window), the company can be HACKED. And this is no longer performing service operations, but something else, something more important.

On the other hand, where should this new term be used?

🔹 IT thinks in terms of services. Do you propose to go to them with your newspeak? Looks unconstructive. Nowadays it is common to speak to businesses in their language. Why do you speak to IT in the language of information security? 🤔
🔹 Or are you going to bring this to the business and then translate it into an SLA for IT? Isn’t this an extra unnecessary step? 🙂

BTW, it will be “принятое время незащищённости” (ПВН) in Russian and creates additional allusions to PWN. 😉

На русском

My colleagues from PT ESC discovered a previously unknown keylogger for Microsoft Exchange OWA

Leave a reply

My colleagues from PT ESC discovered a previously unknown keylogger for Microsoft Exchange OWA

My colleagues from PT ESC discovered a previously unknown keylogger for Microsoft Exchange OWA. The injected code collects the logins/passwords that users enter to access the Exchange web interface and stores them in a special file. This file is accessible externally. Thus, attackers simply collect credentials to access confidential information and develop the attack further. 🙂

👾 The malware is installed by exploiting an old ProxyShell vulnerability (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).

🏛 A total of 30 victims were discovered, including government agencies, banks, IT companies, and educational institutions.

🌍 Countries attacked: Russia, UAE, Kuwait, Oman, Niger, Nigeria, Ethiopia, Mauritius, Jordan, Lebanon and others.

🕵️‍♂️ The fact of compromise can be determined by a specific line in the logon.aspx file.

На русском

May Linux Patch Wednesday

Leave a reply

May Linux Patch Wednesday
May Linux Patch WednesdayMay Linux Patch WednesdayMay Linux Patch WednesdayMay Linux Patch WednesdayMay Linux Patch Wednesday

May Linux Patch Wednesday. Last month, we jointly decided that it was worth introducing a rule for Unknown dates starting from May 2024. Which, in fact, is what I implemented. Now, if I see an oval definition that does not have a publication date (date when patches for related vulnerabilities were available), then I nominally assign today’s date. Thus, 32406 oval definitions without a date received a nominal date of 2024-05-15. One would expect that we would get a huge peak for vulnerabilities that “started being patched in May” based on the nominal date. How did it really turn out?

In fact, the peak was not very large. There are 424 CVEs in the May Linux Patch Wednesday. While in April there were 348. It’s comparable. Apparently the not very large peak is due to the fact that most of the vulnerabilities had patch dates older than the nominal one set (2024-05-15). And this is good. 🙂 It should get even better in June.

As usual, I generated a Vulristics report for the May vulnerabilities. Most of the vulnerabilities (282) relate to the Linux Kernel. This is due to the fact that Linux Kernel is now a CNA and they can issue CVEs for all sorts of things like bugs with huge traces right in the vulnerability descriptions.

The vulnerability from CISA KEV comes first.

🔻Path Traversal – Openfire (CVE-2023-32315). This is the August 2023 trending vulnerability. It was included in the report due to a fix in RedOS 2024-05-03. Has it not been fixed in other Linux distributions? It looks like this. In Vulners, among the related security objects, we can only see the RedOS bulletin. Apparently there are no Openfire packages in the repositories of other Linux distributions.

In second place is a vulnerability with a sign of active exploitation according to AttackerKB.

🔻 Path Traversal – aiohttp (CVE-2024-23334). The bug allows unauthenticated attackers to access files on vulnerable servers.

According to data from the FSTEC BDU, another 16 vulnerabilities have signs of active exploitation in the wild.

🔻 Memory Corruption – nghttp2 (CVE-2024-27983)
🔻 Memory Corruption – Chromium (CVE-2024-3832, CVE-2024-3833, CVE-2024-3834, CVE-2024-4671)
🔻 Memory Corruption – FreeRDP (CVE-2024-32041, CVE-2024-32458, CVE-2024-32459, CVE-2024-32460)
🔻 Memory Corruption – Mozilla Firefox (CVE-2024-3855, CVE-2024-3856)
🔻 Security Feature Bypass – bluetooth_core_specification (CVE-2023-24023)
🔻 Security Feature Bypass – Chromium (CVE-2024-3838)
🔻 Denial of Service – HTTP/2 (CVE-2023-45288)
🔻 Denial of Service – nghttp2 (CVE-2024-28182)
🔻 Incorrect Calculation – FreeRDP (CVE-2024-32040)

Another 22 vulnerabilities have an exploit (public or private), but so far there are no signs of active exploitation in the wild. I won’t list them all here, but you can pay attention to:

🔸 Security Feature Bypass – putty (CVE-2024-31497). A high-profile vulnerability that allows an attacker to recover a user’s private key.
🔸 Remote Code Execution – GNU C Library (CVE-2014-9984)
🔸 Remote Code Execution – Flatpak (CVE-2024-32462)
🔸 Command Injection – aiohttp (CVE-2024-23829)
🔸 Security Feature Bypass – FreeIPA (CVE-2024-1481)

I think that to improve the Vulristics report, it makes sense to separately group vulnerabilities with public exploits and private exploits, since this still greatly affects the criticality. Put 🐳 if you would like to see this feature.

🗒 Vulristics report on the May Linux Patch Wednesday

На русском

May Microsoft Patch Tuesday

Leave a reply

May Microsoft Patch TuesdayMay Microsoft Patch TuesdayMay Microsoft Patch TuesdayMay Microsoft Patch TuesdayMay Microsoft Patch TuesdayMay Microsoft Patch TuesdayMay Microsoft Patch Tuesday

May Microsoft Patch Tuesday. There are 91 vulnerabilities in total. Of those, 29 were added between April and May Patch Tuesday.

Two vulnerabilities have signs of exploitation in the wild and the presence of a functional exploit (not yet public):

🔻 Security Feature Bypass – Windows MSHTML Platform (CVE-2024-30040). In fact, an attacker can execute arbitrary code when the victim opens a specially crafted document. It is exploited through phishing.
🔻 Elevation of Privilege – Windows DWM Core Library (CVE-2024-30051). A local attacker can gain SYSTEM privileges on the vulnerable host. Microsoft credits four different groups for reporting the bug, indicating that the vulnerability is being widely exploited. The vulnerability is associated with the QakBot malware.

Among the rest we can note:

🔸 Security Feature Bypass – Windows Mark of the Web (CVE-2024-30050). Such vulnerabilities have been frequently exploited recently. Microsoft indicates that there is a functional exploit (private) for the vulnerability.
🔸 Remote Code Execution – Microsoft SharePoint Server (CVE-2024-30044). An authenticated attacker with Site Owner privileges or higher can execute arbitrary code in the context of SharePoint Server by uploading a specially crafted file.
🔸 Elevation of Privilege – Windows Search Service (CVE-2024-30033). ZDI believes that the vulnerability has the potential to be exploited in the wild.
🔸 Remote Code Execution – Microsoft Excel (CVE-2024-30042). An attacker can execute code, presumably in the user’s context, when a malicious file is opened.

🗒 Vulristics report

На русском