Tag Archives: Apache

Linux Patch Wednesday: here is this May peak!

Leave a reply

Linux Patch Wednesday: here is this May peak!

Linux Patch Wednesday: here is this May peak! 🤦‍♂️ Also about June Linux Patch Wednesday. If you remember, in my post about the May Linux Patch Wednesday I was happy that, despite the launch of the rule for Unknown dates, the peak in May was insignificant. Although “32406 oval definitions without a date received a nominal date of 2024-05-15”. It turned out that the peak was not visible due to an error in the code. Ba-dum-tss! 🥸🤷‍♂️

I noticed that not all CVEs are in LPW bulletins, despite the addition of nominal dates, for example the high-profile vulnerability Elevation of Privilege (Local Privilege Escalation) – Linux Kernel (CVE-2024-1086). I could not find it anywhere. I debugged the function that distributes vulnerabilities into bulletins and added tests. I have ensured that all 38362 CVEs from the Linux OVAL content are actually distributed in bulletins. Including CVE-2024-1086. Here it is in February:

$ grep "CVE-2024-1086"  bulletins/*
bulletins/2024-02-21.json:        "CVE-2024-1086": [
bulletins/2024-02-21.json:                "title": "CVE-2024-1086 linux",
bulletins/2024-02-21.json:                "title": "CVE-2024-1086 linux",
bulletins/2024-02-21.json:                "title": "CVE-2024-1086 linux",

Well, there really is a peak in May. And how huge it is! 11476 CVEs! 😱 This is so much that I regenerated the Vulristics report for it only using 2 sources: Vulners and BDU. Since even from Vulners the data was not collected quickly enough. The report contains 77 vulnerabilities with signs of active exploitation in the wild and 1404 vulnerabilities with exploits, but without signs of active exploitation in the wild. Since for the most part these are old vulnerabilities for which it was simply not clear exactly when they were fixed, for example, Remote Code Execution – Apache HTTP Server (CVE-2021-42013), I will not analyze them in detail – for those interested, see the report. But please note that the report size is very large.

🗒 Vulristics report on the May Linux Patch Wednesday (31.3 MB)

As for the June Linux Patch Wednesday, which was finalized on June 19, there are 1040 vulnerabilities. Also quite a lot. Why is this so? On the one hand, the rule for Unknown dates added 977 Debian OVAL definitions without a date. Not 30k, like in May, but also significant. Out of 1040 vulnerabilities, 854 are Linux Kernel vulnerabilities. Moreover, there are quite a lot of “old” vulnerability identifiers, but created in 2024. For example, CVE-2021-47489 with NVD Published Date 05/22/2024. 🤔 CNA Linux Kernel is doing something strange.

🔻 With signs of exploitation in the wild again Remote Code Execution – Chromium (CVE-2024-5274, CVE-2024-4947), like in Microsoft Patch Tuesday. According to the BDU, Remote Code Execution – Libarchive (CVE-2024-26256) is also exploited in the wild.

🔸 Another 20 vulnerabilities with a public exploit. I can highlight separately Remote Code Execution – Cacti (CVE-2024-25641) and Remote Code Execution – onnx/onnx framework (CVE-2024-5187).

🗒 Vulristics report on the June Linux Patch Wednesday (4.4 MB)

I generated a Vulristics report on the April Linux Patch Wednesday

Leave a reply

I generated a Vulristics report on the April Linux Patch Wednesday
I generated a Vulristics report on the April Linux Patch WednesdayI generated a Vulristics report on the April Linux Patch WednesdayI generated a Vulristics report on the April Linux Patch WednesdayI generated a Vulristics report on the April Linux Patch WednesdayI generated a Vulristics report on the April Linux Patch WednesdayI generated a Vulristics report on the April Linux Patch Wednesday

I generated a Vulristics report on the April Linux Patch Wednesday. Over the past month, Linux vendors have begun releasing patches for a record number of vulnerabilities – 348. There are signs of exploitation in the wild for 7 vulnerabilities (data on incidents from the FSTEC BDU). Another 165 have a link to an exploit or a sign of the existence of a public/private exploit.

Let’s start with 7 vulnerabilities with signs of exploitation in the wild and exploits:

🔻 The trending January vulnerability Authentication Bypass – Jenkins (CVE-2024-23897) unexpectedly appeared in the TOP. As far as I understand, Linux distributions usually do not include Jenkins packages in the official repositories and, accordingly, do not add Jenkins vulnerability detection rules to their OVAL content. Unlike the Russian Linux distribution RedOS. Therefore, RedOS has the earliest fix timestamp for this vulnerability.

🔻 2 RCE vulnerabilities. The most interesting of them is Remote Code Execution – Exim (CVE-2023-42118). When generating the report, I deliberately did not take into account the vulnerability description and product names from the BDU database (flags –bdu-use-product-names-flag, –bdu-use-vulnerability-descriptions-flag set to False). Otherwise, the report would be partly in English and partly in Russian. But it turned out that so far only BDU has an adequate description of this vulnerability. 🤷‍♂️ You need to take a closer look at this vulnerability because Exim is a fairly popular mail server. The second RCE vulnerability is in the web browser, Remote Code Execution – Safari (CVE-2023-42950).

🔻2 DoS vulnerabilities. Denial of Service – nghttp2/Apache HTTP Server (CVE-2024-27316) and Denial of Service – Apache Traffic Server (CVE-2024-31309). The second is classified in the report as Security Feature Bypass, but this is due to incorrect CWE in NVD (CWE-20 – Improper Input Validation)

🔻 2 browser vulnerabilities Security Feature Bypass – Chromium (CVE-2024-2628, CVE-2024-2630)

Among the vulnerabilities for which there are only signs of the existence of exploits so far, you can pay attention to the following:

🔸 A large number of RCE vulnerabilities (71). Most of them are in the gtkwave product. This is a viewer for VCD (Value Change Dump) files, which are typically created by digital circuit simulators. Also, the Remote Code Execution – Cacti (CVE-2023-49084, CVE-2023-49085) vulnerabilities look dangerous. Cacti is a solution for monitoring servers and network devices.

🔸 Security Feature Bypass – Sendmail (CVE-2023-51765). Allows an attacker to inject email messages with a spoofed MAIL FROM address.

🔸 A pack of Cross Site Scripting vulnerabilities in MediaWiki, Cacti, Grafana, Nextcloud.

There is a lot to explore this time. 🤩

🗒 April Linux Patch Wednesday

На русском

CheckPoint released a report about the Magnet Goblin group, which was noted for its rapid exploitation of vulnerabilities in services accessible from the Internet

Leave a reply

CheckPoint released a report about the Magnet Goblin group, which was noted for its rapid exploitation of vulnerabilities in services accessible from the Internet

CheckPoint released a report about the Magnet Goblin group, which was noted for its rapid exploitation of vulnerabilities in services accessible from the Internet. At the time of exploitation, these vulnerabilities already have patches (that’s why they are 1-day, not 0-day). But because companies tend to be slow to update their systems, Magnet Goblin attackers have been successful in their attacks. 🤷‍♂️

The report mentions the following vulnerabilities exploited by Magnet Goblin:

🔻 Magento (open source e-commerce platform) – CVE-2022-24086
🔻 Qlik Sense (data analytics solution) – CVE-2023-41265, CVE-2023-41266, and CVE-2023-48365
🔻 Ivanti Connect Secure (tool for remote access to infrastructure) – CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893.
🔻 Apache ActiveMQ (message broker) – CheckPoint write that it is “possible” and do not provide CVE, but this is probably about CVE-2023-46604.

На русском

Joint Advisory AA22-279A and Vulristics

2 Replies

Joint Advisory AA22-279A and Vulristics. Hello everyone! This episode will be about the new hot twenty vulnerabilities from CISA, NSA and FBI, Joint cybersecurity advisory (CSA) AA22-279A, and how I analyzed these vulnerabilities using my open source project Vulristics.

Alternative video link (for Russia): https://vk.com/video-149273431_456239105

Americans can’t just release a list of “20 vulnerabilities most commonly exploited in attacks on American organizations.” They like to add geopolitics and point the finger at some country. Therefore, I leave the attack attribution mentioned in the advisory title without comment.

Continue reading

Vulnerability Intelligence based on media hype. It works? Grafana LFI and Log4j “Log4Shell” RCE

1 Reply

Vulnerability Intelligence based on media hype. It works? Grafana LFI and Log4j “Log4Shell” RCE. Hello everyone! In this episode, I want to talk about vulnerabilities, news and hype. The easiest way to get timely information on the most important vulnerabilities is to just read the news regularly, right? Well, I will try to reflect on this using two examples from last week.

I have a security news telegram channel https://t.me/avleonovnews that is automatically updated by a script using many RSS feeds. And the script even highlights the news associated with vulnerabilities, exploits and attacks.

And last Tuesday, 07.02, a very interesting vulnerability in Grafana was released.

Continue reading

Security News: Microsoft Patch Tuesday October 2021, Autodiscover, MysterySnail, Exchange, DNS, Apache, HAProxy, VMware vCenter, Moodle

Leave a reply

Security News: Microsoft Patch Tuesday October 2021, Autodiscover, MysterySnail, Exchange, DNS, Apache, HAProxy, VMware vCenter, Moodle. Hello everyone! This episode will be about relatively recent critical vulnerabilities. Let’s start with Microsoft Patch Tuesday for October 2021. Specifically, with the vulnerability that I expected there, but it didn’t get there.

Autodiscover leak discovered by Guardicore Labs

“Autodiscover, a protocol used by Microsoft Exchange for automatic configuration of clients such as Microsoft Outlook, has a design flaw that causes the protocol to “leak” web requests to Autodiscover domains outside of the user’s domain but in the same TLD (i.e. Autodiscover.com).” Guardicore Labs acquired multiple Autodiscover domains and have captured 372,072 Windows domain credentials in total. It seems Microsoft have chosen to ignore this issue. No CVE, no Outlook or ActiveSync patches. The only fix is to ban the “Autodiscover.” domains on devices.

Microsoft Patch Tuesday for October 2021

74 vulnerabilities: 1 Critical, 30 High, 43 Medium.

Elevation of Privilege – Windows Kernel (CVE-2021-40449)

It is a use-after-free vulnerability in the NtGdiResetDC function of the Win32k driver. A detailed technical description is available in Kasperky Securelist post, but, in short, the vulnerability can lead to leakage of kernel module addresses in the computer’s memory. This vulnerability is being exploited in the wild by APT MysterySnail. All servers and desktops should be updated.

Continue reading

Vulnerability Databases: Classification and Registry

5 Replies

Vulnerability Databases: Classification and Registry. What publicly available Vulnerability Databases do we have? Well, I can only say that there are a lot of them and they are pretty different. Here I make an attempt to classify them.

It’s quite an ungrateful task. No matter how hard you try, the final result will be rather inaccurate and incomplete. I am sure someone will be complaining. But this is how I see it. 😉 If you want to add or change something feel free to make a comment bellow or email me@avleonov.com.

The main classifier, which I came up with:

  • There are individual vulnerability databases in which one identifier means one vulnerability. They try to cover all existing vulnerabilities.
  • And others are security bulletins. They cover vulnerabilities in a particular product or products. And they usually based on on patches. One patch may cover multiple vulnerabilities.

I made this diagram with some Vulnerability Databases. Note that I wanted to stay focused, so there are no exploit DBs, CERTs, lists of vulnerabilities detected by some researchers (CISCO Talos, PT Research, etc.), Media and Bug Bounty sites.

Vulnerability Databases classification

For these databases the descriptions of vulnerabilities are publicly available on the site (in html interface or downloadable data feed), or exist in a form of paid Vulnerability Intelligence service (for example, Flexera).

On one side there are databases of individual vulnerabilities, the most important is National Vulnerability Database. There are also Chinese, Japanese bases that can be derived from NVD or not.

On the other side we have security bulletins, for example RedHat Security Advisories.

And in the middle we have a Vulnerability Databases, for which it is not critical whether they have duplicated vulnerability IDs or not.

Continue reading