Category Archives: Vulnerability

October Linux Patch Wednesday

October Linux Patch Wednesday. There are 248 vulnerabilities in total. Of these, 92 are in the Linux Kernel.

5 vulnerabilities with signs of exploitation in the wild:

🔻 Remote Code Execution – CUPS (CVE-2024-47176) and 4 more CUPS vulnerabilities that can also be used to enhance DoS attacks
🔻 Remote Code Execution – Mozilla Firefox (CVE-2024-9680)

For 10 vulnerabilities there are no signs of exploitation in the wild yet, but exploits exist. Among them, the following can be highlighted:

🔸 Remote Code Execution – Cacti (CVE-2024-43363)
🔸 Elevation of Privilege – Linux Kernel (CVE-2024-46848)
🔸 Arbitrary File Reading – Jenkins (CVE-2024-43044)
🔸 Denial of Service – CUPS (CVE-2024-47850)
🔸 Cross Site Scripting – Rollup JavaScript module (CVE-2024-47068)

🗒 Vulristics October Linux Patch Wednesday Report

На русском

About Cross Site Scripting – Roundcube Webmail (CVE-2024-37383) vulnerability

Leave a reply

About Cross Site Scripting – Roundcube Webmail (CVE-2024-37383) vulnerability. Roundcube is a web-based email client with functionality comparable to desktop email clients such as Outlook Express or Mozilla Thunderbird.

The vulnerability is caused by an error in the processing of SVG elements in the email body. The victim opens an email from the attacker, which causes malicious JavaScript code to be executed in the context of the user’s page.

In September 2024, specialists from the TI department of the Positive Technologies Expert Security Center (PT ESC) discovered a malicious email with signs of exploitation of this vulnerability. It was sent to one of the government agencies of the CIS countries.

Attacks on Roundcube are not uncommon. At the end of last year, there were news about the exploitation of a similar vulnerability CVE-2023-5631 in targeted attacks.

Update it in a timely manner!

На русском

Veeam B&R RCE vulnerability CVE-2024-40711 is exploited in attacks

Leave a reply

Veeam B&R RCE vulnerability CVE-2024-40711 is exploited in attacks. On September 24, there were no signs of this vulnerability being exploited in the wild. And on October 10, Sophos X-Ops reported that they had observed a series of attacks exploiting this vulnerability over the course of a month. The attackers’ goal was to install Akira and Fog ransomware. 🤷‍♂️

The thesis of my original post was correct. The absence of reports on the exploitation of vulnerabilities in real attacks is not a reason to ignore them.

“This does not mean that attackers do not exploit these vulnerabilities. It is possible that targeted attacks using these vulnerabilities have simply not yet been reliably confirmed.”

🟥 Positive Technologies classifies the vulnerability as trending since September 10th.

На русском

Ford won’t work?

Leave a reply

Ford won’t work? There were a lot of comments about “paying vulnerability fixers only when they are in the break room“. I’ll say right away that the post was a joke. Staff motivation is too delicate a topic to give serious recommendations. 🙂

But I will sort out the objections:

🔻 IT staff will sabotage the vulnerability detection process by tweaking host configs. So that the scanner will produce only green reports. But IT staff can do this at any time, and we need to take this into account. 🤷‍♂️

🔻 IT staff will simply turn off hosts. If they can do this without harming the business, that’s great. 👍 And if this will break the production environment, then let them deal with their IT management. 😏

🔻 There is an opinion that the method is good, but only 2% of vulnerabilities used in attack chains need to be fixed. I traditionally DO NOT agree with the possibility of reliably separating these mythical 2% of vulnerabilities. Everything needs to be fixed. 😉

На русском

October Microsoft Patch Tuesday

Leave a reply

October Microsoft Patch Tuesday. 146 CVEs, of which 28 were added since September MSPT. 2 vulnerabilities with signs of exploitation in the wild:

🔻 Remote Code Execution – Microsoft Management Console (CVE-2024-43572)
🔻 Spoofing – Windows MSHTML Platform (CVE-2024-43573)

Without signs of exploitation in the wild, but with a public PoC exploit:

🔸 Remote Code Execution – Open Source Curl (CVE-2024-6197)

Private exploits exist for:

🔸 Information Disclosure – Microsoft Edge (CVE-2024-38222)
🔸 Security Feature Bypass – Windows Hyper-V (CVE-2024-20659)

Among the rest can be highlighted:

🔹 Remote Code Execution – Remote Desktop Protocol Server (CVE-2024-43582)
🔹 Remote Code Execution – Windows Remote Desktop Client (CVE-2024-43533, CVE-2024-43599)
🔹 Remote Code Execution – Windows Routing and Remote Access Service (RRAS) (CVE-2024-38212 and 11 more CVEs)

🗒 Full Vulristics report

На русском

Vulnerability Remediation using the “Ford Method”

Leave a reply

Vulnerability Remediation using the “Ford Method”. There is a popular story in the Russian segment of the Internet. Allegedly, an experiment was carried out at Henry Ford’s plant: conveyor repair workers were paid only for the time they were in the break room. And as soon as the conveyor stopped 🚨 and the repair workers went to fix it, they stopped getting paid. Therefore, they did their work quickly and efficiently, so that they could quickly (and for a long time) return to the break room and start earning money again. 👷‍♂️🪙

I did not find any reliable evidence of this. 🤷‍♂️

But what if the specialists responsible for vulnerability remediation were paid only for the time when vulnerabilities are not detected on their hosts. 🤔 This can have a very positive impact on the speed and quality of remediation. Unsolvable problems will quickly become solvable, and automation of testing and deployment of updates will develop at the fastest pace. 😏

На русском

Continuing the story about recent CUPS vulnerabilities: vulnerable hosts will be used by attackers to amplify DDoS attacks

Leave a reply

Continuing the story about recent CUPS vulnerabilities: vulnerable hosts will be used by attackers to amplify DDoS attacks.

Researchers from Akamai Technologies wrote about this. An attacker can send a special packet to a vulnerable host with CUPS: “add a printer located at this IP address”. CUPS will start sending large IPP/HTTP requests to the specified IP address. Thus, vulnerable hosts can be organized in such a way that they start DDoSing IP addresses chosen by the attacker.

Akamai has discovered more than 198,000 vulnerable hosts with CUPS, of which more than 58,000 (34%) can be used for DDoS attacks. Of these, hundreds demonstrated an “infinite loop” of requests in response to HTTP/404.

Assuming that all 58,000+ vulnerable hosts are used for the attack, they can cause a traffic flow of 1 GB to 6 GB per attacker’s udp packet. The victim will have to handle 2.6 million TCP connections and HTTP requests.

На русском

This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.

Alexander V. Leonov

Vulnerability Management and more

Category Archives: Vulnerability

October Linux Patch Wednesday

About Cross Site Scripting – Roundcube Webmail (CVE-2024-37383) vulnerability

Veeam B&R RCE vulnerability CVE-2024-40711 is exploited in attacks

Ford won’t work?

October Microsoft Patch Tuesday

Vulnerability Remediation using the “Ford Method”

Continuing the story about recent CUPS vulnerabilities: vulnerable hosts will be used by attackers to amplify DDoS attacks