Category Archives: Vulnerability

About Spoofing – Microsoft Exchange (CVE-2024-49040) vulnerability

About Spoofing – Microsoft Exchange (CVE-2024-49040) vulnerability. The vulnerability is from the November Microsoft Patch Tuesday. An incorrectly formulated P2 FROM header processing policy allows an attacker to make their email address look legitimate to the victim (for example, like a work colleague’s address), which, of course, significantly increases the effectiveness of phishing attacks. 😏🪝 The vulnerability affects Exchange Server 2019 and Exchange Server 2016.

Microsoft has paused the rollout of the initial patches published on November 12. Their installation led to crashes. New fixes were published by Microsoft only on November 27.

👾 Kaspersky has already observed attempts to exploit this vulnerability. They wrote about this in a blog post on November 26.

December Linux Patch Wednesday

December Linux Patch Wednesday. There are 316 vulnerabilities in total. Compared to November LPW – much better. 🙂 119 are in Linux Kernel.

Two vulnerabilities with signs of exploitation in the wild. Both in Safari:

🔻 RCE – Safari (CVE-2024-44308)
🔻 XSS – Safari (CVE-2024-44309)

These vulnerabilities are fixed not in Safari, but in packages of the WebKit browser engine.

There are no signs of exploitation in the wild for 19 vulnerabilities yet, but there are public exploits. The following can be highlighted:

🔸 RCE – Moodle (CVE-2024-43425). First fix in the Linux vendor repository appeared on 2024-11-21 (RedOS)
🔸 Command Injection – Grafana (CVE-2024-9264)
🔸 Command Injection – virtualenv (CVE-2024-53899)
🔸 SQLi – Zabbix (CVE-2024-42327)
🔸 Data Leakage – Apache Tomcat (CVE-2024-52317)

🗒 Vulristics December Linux Patch Wednesday Report

🎉🆕 I released Vulristics 1.0.9 with improved detection of vulnerable software based on CVE description.

December Microsoft Patch Tuesday

December Microsoft Patch Tuesday. 89 CVEs, of which 18 were added since November MSPT. 1 vulnerability with signs of exploitation in the wild:

🔻 EoP – Windows Common Log File System Driver (CVE-2024-49138). There are no details about this vulnerability yet.

Strictly speaking, there was another vulnerability that was exploited in the wild: EoP – Microsoft Partner Network (CVE-2024-49035). But this is an already fixed vulnerability on the Microsoft website, and I’m not even sure that it was worth creating a CVE. 🤔

For the remaining vulnerabilities, there are no signs of exploitation in the wild, nor exploits (even private ones).

I can highlight:

🔹 RCE – Windows LDAP (CVE-2024-49112, CVE-2024-49127)
🔹 RCE – Windows LSASS (CVE-2024-49126)
🔹 RCE – Windows Remote Desktop Services (CVE-2024-49106 and 8 more CVEs)
🔹 RCE – Microsoft MSMQ (CVE-2024-49122, CVE-2024-49118)
🔹 RCE – Microsoft SharePoint (CVE-2024-49070)

🗒 Full Vulristics report

About Elevation of Privilege – Windows Task Scheduler (CVE-2024-49039) vulnerability

About Elevation of Privilege – Windows Task Scheduler (CVE-2024-49039) vulnerability. It was disclosed in the November Microsoft Patch Tuesday and showed signs of exploitation in the wild right away. To exploit the vulnerability, an authenticated attacker runs a specially crafted application on the target system. The attack can be performed from an AppContainer restricted environment. Using this vulnerability, an attacker can elevate their privileges to Medium Integrity level and gain the ability to execute RPC functions that are restricted to privileged accounts only.

ESET reports that the vulnerability allowed the RomCom attackers to execute malicious code outside the Firefox sandbox and then launch hidden PowerShell processes to download and run malware from C&C servers.

👾 There is backdoor code on GitHub that exploits this vulnerability.

About Elevation of Privilege – needrestart (CVE-2024-48990) vulnerability

About Elevation of Privilege – needrestart (CVE-2024-48990) vulnerability. On November 19, Qualys released a security bulletin about five privilege escalation vulnerabilities in the needrestart utility (CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003) used in Ubuntu Server, starting with version 21.04.

The needrestart utility runs automatically after APT operations (installing, updating, or removing packages). It checks if a reboot is required, thus ensuring that services use updated libraries without unnecessary downtime.

All 5 vulnerabilities make it possible for a regular user to become root. Qualys has private exploits for each. Currently there is a publicly available exploit for only one vulnerability, the one related to the PYTHONPATH environment variable. ⚡️ It has been available on GitHub since November 20th.

Update needrestart to version 3.8 or disable “interpreter scanning” in needrestart.conf.
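
One way to check a host against the two remediation options above, as an added example that is not from the original post or from the needrestart project. It assumes interpreter scanning is disabled with the Perl-syntax setting `$nrconf{interpscan} = 0;` in needrestart.conf; the function names and sample values are constructed. Distribution packages with backported fixes can report a version below 3.8, so treat a version failure as a prompt to check the vendor advisory.

```shell
#!/bin/sh
# Added example: audit the two needrestart mitigations named in the post.

# Return 0 if the upstream part of package version $1 is >= 3.8.
nr_version_fixed() {
    ver=${1#*:}        # drop a Debian epoch, if any
    ver=${ver%%-*}     # drop the package revision: "3.6-7ubuntu4" -> "3.6"
    lowest=$(printf '%s\n%s\n' "3.8" "$ver" | sort -V | head -n 1)
    [ "$lowest" = "3.8" ]
}

# Return 0 if config file $1 has an active (uncommented) line setting
# $nrconf{interpscan} to 0. The last active assignment wins.
nr_interpscan_disabled() {
    conf=$1
    [ -r "$conf" ] || return 1
    val=$(sed -n 's/^[[:space:]]*\$nrconf{interpscan}[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;.*$/\1/p' "$conf" | tail -n 1)
    [ "$val" = "0" ]
}

# Print a verdict; return 0 when either mitigation is in place.
nr_audit() {
    version=$1
    conf=$2
    if nr_version_fixed "$version"; then
        echo "OK: needrestart $version is at or above 3.8"
    elif nr_interpscan_disabled "$conf"; then
        echo "MITIGATED: $version is below 3.8 but interpreter scanning is off"
    else
        echo "EXPOSED: $version is below 3.8 and interpreter scanning is on"
        return 1
    fi
}

# Demo on a constructed config file and a constructed version string.
# On a real Debian/Ubuntu host the inputs would be:
#   nr_audit "$(dpkg-query -W -f='${Version}' needrestart)" \
#            /etc/needrestart/needrestart.conf
sample=$(mktemp)
printf '%s\n' '#$nrconf{interpscan} = 0;' '$nrconf{interpscan} = 0;' > "$sample"
nr_audit "3.6-7ubuntu4" "$sample" || true
rm -f "$sample"
```

Files under a `conf.d` directory, if the installation uses one, can override the main file and need the same check.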

About Path Traversal – Zyxel firewall (CVE-2024-11667) vulnerability

About Path Traversal – Zyxel firewall (CVE-2024-11667) vulnerability. A directory traversal vulnerability in the web management interface of Zyxel firewalls could allow an attacker to download or upload files via a crafted URL. The vulnerability affects Zyxel ZLD firmware versions from 5.00 to 5.38, used in the ATP, USG FLEX, USG FLEX 50(W), and USG20(W)-VPN device series.

👾 Specialists from Sekoia discovered this vulnerability being exploited on their honeypots by ransomware attackers from the Helldown group. There are no public exploits yet.

Zyxel recommends:

🔹 Update firmware to version 5.39, which was released on September 3, 2024
🔹 Disable remote access until devices are updated
🔹 Learn best practices for device configuration

If your company uses Zyxel firewalls, please pay attention. 😉

About Elevation of Privilege – PAN-OS (CVE-2024-9474) vulnerability

About Elevation of Privilege – PAN-OS (CVE-2024-9474) vulnerability. An attacker with PAN-OS administrator access to the management web interface can perform actions on the Palo Alto device with root privileges. Linux commands can be injected via unvalidated input in a script.

The need for authentication and admin access could limit this vulnerability’s impact, but here we have the previous vulnerability Authentication Bypass – PAN-OS (CVE-2024-0012). 😏 Exploitation of this vulnerability chain was noted by Palo Alto on November 17. After November 19, when the watchTowr Labs article was published and exploits appeared, mass attacks began.

On November 21, Shadowserver reported that ~2000 hosts were compromised, mostly in the US and India. According to Wiz, attackers deployed web shells, Sliver implants and cryptominers.
