Hello everyone! In this episode I want to highlight the latest changes in my Vulristics project. For those who don’t know, this is a utility for prioritizing CVE vulnerabilities based on data from various sources.. Currently Microsoft, NVD, Vulners, AttackerKB.
I started working on the CLI for Vulristics. Of course, it is not normal to edit scripts every time to release a report.
Continue readingHello everyone! This episode will be about the VMconf 22 Vulnerability Management conference. CFP started on November 1, which will last a month and a half. So please submit your talk or share this video with someone who might be interested.
Let’s talk about the conference itself. All started with a post in my Telegram channel. I have looked at the listings of cybersecurity conferences and have not seen a global event dedicated entirely to Vulnerability Management.
Specialized conferences are mainly about SOC, DLP, AntiFraud, cryptography. Conferences with broad topics are aimed mainly at C-level executives or hardcore offensive specialists. Conferences are usually very regional. Of course, there are events organized by VM vendors, but their marketing goals are clear and there are usually no CFPs (Calls For Papers) at these events. In our COVID times, it has become much more difficult to attend offline events due to various restrictions.
So, it would be great to have our own independent international online Vulnerability Management event. From the community (in a very broad, global sense) and for the community. For interesting content and development of horizontal connections between people, not for marketing. And we will do it.
Continue readingHello everyone! This episode will be about relatively recent critical vulnerabilities. Let’s start with Microsoft Patch Tuesday for October 2021. Specifically, with the vulnerability that I expected there, but it didn’t get there.
“Autodiscover, a protocol used by Microsoft Exchange for automatic configuration of clients such as Microsoft Outlook, has a design flaw that causes the protocol to “leak” web requests to Autodiscover domains outside of the user’s domain but in the same TLD (i.e. Autodiscover.com).” Guardicore Labs acquired multiple Autodiscover domains and have captured 372,072 Windows domain credentials in total. It seems Microsoft have chosen to ignore this issue. No CVE, no Outlook or ActiveSync patches. The only fix is to ban the “Autodiscover.” domains on devices.
74 vulnerabilities: 1 Critical, 30 High, 43 Medium.
It is a use-after-free vulnerability in the NtGdiResetDC function of the Win32k driver. A detailed technical description is available in Kasperky Securelist post, but, in short, the vulnerability can lead to leakage of kernel module addresses in the computer’s memory. This vulnerability is being exploited in the wild by APT MysterySnail. All servers and desktops should be updated.
Continue readingLast week I gave a “Career Navigator” talk for the students of the IT Hub College in Moscow. By the way, this college has a very interesting practical information security program. If it is relevant for you, check it out.
I’ve never talked so much about myself in public. It was like giving advises to yourself from the past. An interesting experience. It took about an hour and a half. And now I will try to mention the main points.
I talked about studying at the university. The fact that we go to university to gain knowledge and skills. But this is not the only reason. The university diploma makes it easier to find a job and participate in emigration programs if you ever want to. For example, this is a requirement for a for the European Blue Card. Networking at the university is also important.
My experience of studying at Bauman Moscow State Technical University was definitely positive. Although I believe that there could be more practical courses on Operating Systems, networking and programming. On the other hand, there could be much less mathematics. I have the best memories from the Theoretical Foundations of Information Security course and the course based on CISSP exam.
Continue readingHello everyone! This time, let’s talk about recent vulnerabilities. I’ll start with Microsoft Patch Tuesday for September 2021. I created a report using my Vulristics tool. You can see the full report here.
The most interesting thing about the September Patch Tuesday is that the top 3 VM vendors ignored almost all RCEs in their reviews. However, there were interesting RCEs in the Office products. And what is most unforgivable is that they did not mention CVE-2021-38647 RCE in OMI – Open Management Infrastructure. Only ZDI wrote about this.
Continue readingIn a previous episode on Microsoft Defender for Endpoint, I described how to get a list of antivirus engine and signatures versions for the hosts in your infrastructure using the Microsoft Graph API. But the problem remains. You know the versions that are currently installed on the hosts. But where can you get the latest versions that should be installed there?
I haven’t found any pretty solution for this. I parse public html pages on the Microsoft site I’ll show you how I do it. If you know something better, please write in the comments.
Continue readingHello everyone! This is a new episode with my comments on the latest Information Security news.
I want to start with something about attacks on Exchange. ProxyShell is in the news, the LockFile ransomware compromised more than 2000 servers. On the other hand, there is basically nothing to say here.
ProxyShell is the name for 3 vulnerabilities. The bulletins for Remote Code Execution CVE-2021-34473 and Server Elevation of Privilege CVE-2021-34523 were released on July 13, but were fixed by April Patch Tuesday patches. Yes, it happens sometimes. The bulletin for Security Feature Bypass CVE-2021-31207 was released on May 11. Users had 4 months to install the updates. Interestingly, 2 out of 3 vulnerabilities have the property “Less likely to be exploited”. As you can see, it’s pretty useless.
Continue readingThis is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.