Category Archives: Vulnerability

RCE – Fluent Bit (CVE-2024-4323) “Linguistic Lumberjack”

RCE - Fluent Bit (CVE-2024-4323) Linguistic Lumberjack

RCE – Fluent Bit (CVE-2024-4323) “Linguistic Lumberjack”. Fluent Bit is a multi-platform open source tool for collecting and processing logs. It is easy to use, scales well, and can handle large amounts of data. Fluent Bit is often used in the infrastructures of large companies, especially in the infrastructures of cloud providers.

The vulnerability discovered by Tenable Research is related to memory corruption in the built-in Fluent Bit HTTP server. This HTTP server is used to monitor the status of Fluent Bit: uptime, plugin metrics, health checks, etc. Certain unauthenticated requests to the server API may result in denial of service (DoS), information leakage, or remote code execution (RCE). According to researchers, making a reliable RCE exploit will not be easy, but the PoC for DoS is already publicly available and, perhaps, it will be converted into RCE.

The fix is expected in version 3.0.4.

На русском

Regarding Jacob Williams’ idea of using “Accepted Insecure Time” instead of “Service-level Agreement” when discussing vulnerabilities and patches

Regarding Jacob Williams' idea of using Accepted Insecure Time instead of Service-level Agreement when discussing vulnerabilities and patches

Regarding Jacob Williams’ idea of using “Accepted Insecure Time” instead of “Service-level Agreement” when discussing vulnerabilities and patches. There is logic in this. Indeed, the term SLA hides the essence of the problem: as long as the vulnerability is not fixed (even if IT performs patching in the SLA window), the company can be HACKED. And this is no longer performing service operations, but something else, something more important.

On the other hand, where should this new term be used?

🔹 IT thinks in terms of services. Do you propose to go to them with your newspeak? Looks unconstructive. Nowadays it is common to speak to businesses in their language. Why do you speak to IT in the language of information security? 🤔
🔹 Or are you going to bring this to the business and then translate it into an SLA for IT? Isn’t this an extra unnecessary step? 🙂

BTW, it will be “принятое время незащищённости” (ПВН) in Russian and creates additional allusions to PWN. 😉

На русском

My colleagues from PT ESC discovered a previously unknown keylogger for Microsoft Exchange OWA

My colleagues from PT ESC discovered a previously unknown keylogger for Microsoft Exchange OWA

My colleagues from PT ESC discovered a previously unknown keylogger for Microsoft Exchange OWA. The injected code collects the logins/passwords that users enter to access the Exchange web interface and stores them in a special file. This file is accessible externally. Thus, attackers simply collect credentials to access confidential information and develop the attack further. 🙂

👾 The malware is installed by exploiting an old ProxyShell vulnerability (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).

🏛 A total of 30 victims were discovered, including government agencies, banks, IT companies, and educational institutions.

🌍 Countries attacked: Russia, UAE, Kuwait, Oman, Niger, Nigeria, Ethiopia, Mauritius, Jordan, Lebanon and others.

🕵️‍♂️ The fact of compromise can be determined by a specific line in the logon.aspx file.

На русском

May Linux Patch Wednesday

May Linux Patch Wednesday
May Linux Patch WednesdayMay Linux Patch WednesdayMay Linux Patch WednesdayMay Linux Patch WednesdayMay Linux Patch Wednesday

May Linux Patch Wednesday. Last month, we jointly decided that it was worth introducing a rule for Unknown dates starting from May 2024. Which, in fact, is what I implemented. Now, if I see an oval definition that does not have a publication date (date when patches for related vulnerabilities were available), then I nominally assign today’s date. Thus, 32406 oval definitions without a date received a nominal date of 2024-05-15. One would expect that we would get a huge peak for vulnerabilities that “started being patched in May” based on the nominal date. How did it really turn out?

In fact, the peak was not very large. There are 424 CVEs in the May Linux Patch Wednesday. While in April there were 348. It’s comparable. Apparently the not very large peak is due to the fact that most of the vulnerabilities had patch dates older than the nominal one set (2024-05-15). And this is good. 🙂 It should get even better in June.

As usual, I generated a Vulristics report for the May vulnerabilities. Most of the vulnerabilities (282) relate to the Linux Kernel. This is due to the fact that Linux Kernel is now a CNA and they can issue CVEs for all sorts of things like bugs with huge traces right in the vulnerability descriptions.

The vulnerability from CISA KEV comes first.

🔻Path Traversal – Openfire (CVE-2023-32315). This is the August 2023 trending vulnerability. It was included in the report due to a fix in RedOS 2024-05-03. Has it not been fixed in other Linux distributions? It looks like this. In Vulners, among the related security objects, we can only see the RedOS bulletin. Apparently there are no Openfire packages in the repositories of other Linux distributions.

In second place is a vulnerability with a sign of active exploitation according to AttackerKB.

🔻 Path Traversal – aiohttp (CVE-2024-23334). The bug allows unauthenticated attackers to access files on vulnerable servers.

According to data from the FSTEC BDU, another 16 vulnerabilities have signs of active exploitation in the wild.

🔻 Memory Corruption – nghttp2 (CVE-2024-27983)
🔻 Memory Corruption – Chromium (CVE-2024-3832, CVE-2024-3833, CVE-2024-3834, CVE-2024-4671)
🔻 Memory Corruption – FreeRDP (CVE-2024-32041, CVE-2024-32458, CVE-2024-32459, CVE-2024-32460)
🔻 Memory Corruption – Mozilla Firefox (CVE-2024-3855, CVE-2024-3856)
🔻 Security Feature Bypass – bluetooth_core_specification (CVE-2023-24023)
🔻 Security Feature Bypass – Chromium (CVE-2024-3838)
🔻 Denial of Service – HTTP/2 (CVE-2023-45288)
🔻 Denial of Service – nghttp2 (CVE-2024-28182)
🔻 Incorrect Calculation – FreeRDP (CVE-2024-32040)

Another 22 vulnerabilities have an exploit (public or private), but so far there are no signs of active exploitation in the wild. I won’t list them all here, but you can pay attention to:

🔸 Security Feature Bypass – putty (CVE-2024-31497). A high-profile vulnerability that allows an attacker to recover a user’s private key.
🔸 Remote Code Execution – GNU C Library (CVE-2014-9984)
🔸 Remote Code Execution – Flatpak (CVE-2024-32462)
🔸 Command Injection – aiohttp (CVE-2024-23829)
🔸 Security Feature Bypass – FreeIPA (CVE-2024-1481)

I think that to improve the Vulristics report, it makes sense to separately group vulnerabilities with public exploits and private exploits, since this still greatly affects the criticality. Put 🐳 if you would like to see this feature.

🗒 Vulristics report on the May Linux Patch Wednesday

На русском

May Microsoft Patch Tuesday

May Microsoft Patch TuesdayMay Microsoft Patch TuesdayMay Microsoft Patch TuesdayMay Microsoft Patch TuesdayMay Microsoft Patch TuesdayMay Microsoft Patch TuesdayMay Microsoft Patch Tuesday

May Microsoft Patch Tuesday. There are 91 vulnerabilities in total. Of those, 29 were added between April and May Patch Tuesday.

Two vulnerabilities have signs of exploitation in the wild and the presence of a functional exploit (not yet public):

🔻 Security Feature Bypass – Windows MSHTML Platform (CVE-2024-30040). In fact, an attacker can execute arbitrary code when the victim opens a specially crafted document. It is exploited through phishing.
🔻 Elevation of Privilege – Windows DWM Core Library (CVE-2024-30051). A local attacker can gain SYSTEM privileges on the vulnerable host. Microsoft credits four different groups for reporting the bug, indicating that the vulnerability is being widely exploited. The vulnerability is associated with the QakBot malware.

Among the rest we can note:

🔸 Security Feature Bypass – Windows Mark of the Web (CVE-2024-30050). Such vulnerabilities have been frequently exploited recently. Microsoft indicates that there is a functional exploit (private) for the vulnerability.
🔸 Remote Code Execution – Microsoft SharePoint Server (CVE-2024-30044). An authenticated attacker with Site Owner privileges or higher can execute arbitrary code in the context of SharePoint Server by uploading a specially crafted file.
🔸 Elevation of Privilege – Windows Search Service (CVE-2024-30033). ZDI believes that the vulnerability has the potential to be exploited in the wild.
🔸 Remote Code Execution – Microsoft Excel (CVE-2024-30042). An attacker can execute code, presumably in the user’s context, when a malicious file is opened.

🗒 Vulristics report

На русском

The Americans have released joint Cybersecurity Advisory (CISA, FBI, HHS, MS-ISAC) against the Black Basta ransomware

The Americans have released joint Cybersecurity Advisory (CISA, FBI, HHS, MS-ISAC) against the Black Basta ransomware

The Americans have released joint Cybersecurity Advisory (CISA, FBI, HHS, MS-ISAC) against the Black Basta ransomware. It is alleged that as of May 2024, more than 500 organizations worldwide have been affected by Black Basta, including businesses and critical infrastructure in North America, Australia and Europe. 12 of 16 critical infrastructure sectors are affected.

The ransomware was first spotted in April 2022. Initial Access is obtained through phishing or exploitation of the February vulnerability AuthBypass in ConnectWise ScreenConnect (CVE-2024-1709).

Privilege Escalation and Lateral Movement Toolkit: Mimikatz and Vulnerability Exploitation ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42278, CVE-2021-42287), PrintNightmare (CVE-2021-34527). Patches have been available for years, but organizations have not installed them. 🤷‍♂️ Perhaps they hoped that the perimeter would never be breached. 😏

На русском

Today starts an online hackathon organized by the MaxPatrol VM Positive Technologies team

Today starts an online hackathon organized by the MaxPatrol VM Positive Technologies team

Today starts an online hackathon organized by the MaxPatrol VM Positive Technologies team. Participants will develop vulnerability detection rules. There were no restrictions on the participation of PT employees, so I also applied and will share my impressions in the Telegram channel. 😏 I am very exited. 🤩

IMHO, involving the community in the development of security content is exactly what will radically improve the completeness and quality of vulnerability/misconfiguration detection in VM products. And that is the very essence of these products.

На русском