CheckPoint

I have finalized the list of trending vulnerabilities for 2024 according to Positive Technologies. Last year, 74 vulnerabilities were classified as trending (to compare the scale, just over 40,000 were added to NVD in 2024).

All trending vulnerabilities are found in Western commercial products and open source projects. This year, the vulnerabilities of domestic Russian products did not reach the level of criticality required to classify them as trending.

For 55 of all trending vulnerabilities there are currently signs of exploitation in attacks, for 17 there are public exploits (but no signs of exploitation) and for the remaining 2 there is only a possibility of future exploitation.

Vulnerabilities were often added to trending ones before signs of exploitation in the wild appeared. For example, the remote code execution vulnerability in VMware vCenter (CVE-2024-38812) was added to the list of trending vulnerabilities on September 20, 3 days after the vendor’s security bulletin appeared. There were no signs of exploitation in the wild or public exploit for this vulnerability. Signs of exploitation appeared only 2 months later, on November 18.

Most of the vulnerabilities in the trending list are of the following types: Remote Code or Command Execution (24) and Elevation of Privilege (21).

4 vulnerabilities in Barracuda Email Security Gateway (CVE-2023-2868), MOVEit Transfer (CVE-2023-34362), papercut (CVE-2023-27350) and SugarCRM (CVE-2023-22952) were added in early January 2024. These vulnerabilities were massively exploited in the West in 2023, and attacks using these vulnerabilities could also tangentially affect those domestic Russian organizations where these products had not yet been taken out of service. The rest of the vulnerabilities became trending in 2024.

34 trending vulnerabilities affect Microsoft products (45%).

🔹 17 of them are Elevation of Privilege vulnerabilities in the Windows kernel and standard components.

🔹 1 Remote Code Execution vulnerability in Windows Remote Desktop Licensing Service (CVE-2024-38077).

2 trending Elevation of Privilege vulnerabilities affect Linux systems: one in nftables (CVE-2024-1086), and the second in needrestart (CVE-2024-48990).

Other groups of vulnerabilities

🔻 Phishing attacks: 19 (Windows components, Outlook, Exchange, Ghostscript, Roundcube)
🔻 Network security and entry points: 13 (Palo Alto, Fortinet, Juniper, Ivanti, Check Point, Zyxel)
🔻 Virtual infrastructure and backups: 7 (VMware, Veeam, Acronis)
🔻 Software development: 6 (GitLab, TeamCity, Jenkins, PHP, Fluent Bit, Apache Struts)
🔻 Collaboration tools: 3 (Atlassian Confluence, XWiki)
🔻 CMS WordPress plugins: 3 (LiteSpeed Cache, The Events Calendar, Hunk Companion)

🗒 Full Vulristics report

🟥 Article on the official website “Vulnerable software and hardware vs. security researchers” (rus)

На русском

Trending vulnerabilities of July according to Positive Technologies.

The SecLab film crew went on vacation. Therefore, there was a choice: to skip the episode of “In the trend of VM” about the July vulnerabilities, or to make a video myself. Which is what I tried to do. And from the next episode we will return to SecLab again.

📹 Video “In The Trend of VM” on YouTube
🗞 A post on Habr (rus) a slightly expanded script of the video
🗒 A compact digest (rus) on the official PT website

List of vulnerabilities:

🔻 00:33 Spoofing – Windows MSHTML Platform (CVE-2024-38112)
🔻 02:23 RCE – Artifex Ghostscript (CVE-2024-29510)
🔻 03:55 RCE – Acronis Cyber Infrastructure (CVE-2023-45249)

English voice over was generated by my open source utility subtivo (subtitles to voice over)

На русском

What is known about Spoofing – Windows MSHTML Platform (CVE-2024-38112) from the July Microsoft Patch Tuesday?

🔻 According to Check Point, attackers use special “.url” files with icons that look like PDF documents. If the user clicks on the file and ignores 2 uninformative warnings, then a malicious HTA application is launched in the outdated Internet Explorer browser built into Windows. 😱 Why in IE? This is all due to the processing of the “mhtml:” prefix in the “.url” file. The July update blocks this. 👍

🔻 Check Point found “.url” samples that could date back to January 2023. According to Trend Micro, the vulnerability is exploited by the APT group Void Banshee to install the Atlantida Stealer malware and collect passwords, cookies and other sensitive data. Void Banshee add malicious “.url” files to archives with PDF books and distribute them through websites, instant messengers and phishing.

На русском

Trending vulnerabilities for June according to Positive Technologies. Traditionally, in 3 formats (in Russian):

📹 The section “Trending VM” in the SecLab news video (starts at 15:03)
🗞 Post on the Habr website, in fact this is a slightly expanded scenario for the “Trending VM” section
🗒 Compact digest with technical details on the official PT website

List of vulnerabilities:

🔻 EoP in Microsoft Windows CSC (CVE-2024-26229)
🔻 EoP in Microsoft Windows Error Reporting (CVE-2024-26169)
🔻 EoP in Microsoft Windows Kernel (CVE-2024-30088)
🔻 RCE in PHP (CVE-2024-4577)
🔻 EoP in Linux Kernel (CVE-2024-1086)
🔻 InfDisclosure in Check Point Security Gateways (CVE-2024-24919)
🔻 RCE in VMware vCenter (CVE-2024-37079, CVE-2024-37080)
🔻 AuthBypass in Veeam Backup & Replication (CVE-2024-29849)

На русском

Information Disclosure vulnerability – Check Point Security Gateway (CVE-2024-24919) exploited in the wild. On May 28, Check Point released a security bulletin reporting a critical vulnerability in Check Point Security Gateways configured with the “IPSec VPN” or “Mobile Access” software blades.

📖 Almost immediately, technical details on the vulnerability appeared. The vulnerability allows an unauthenticated remote attacker to read the content of an arbitrary file located on an affected device. This allows an attacker to read the /etc/shadow file with password hashes for local accounts, including accounts used to connect to Active Directory. An attacker can obtain passwords from hashes, and then use these passwords for authentication and further development of the attack. Of course, if the Security Gateway allows password-only authentication.

🔨 Exploiting the vulnerability is trivial – one Post request is enough. There are already many scripts on GitHub for this.

👾 Attempts to exploit the vulnerability have been detected since April 7. In other words, 1.5 months before the vendor released the fixes. The vulnerability is already in CISA KEV.

Vulnerable products:

🔻 CloudGuard Network
🔻 Quantum Maestro
🔻 Quantum Scalable Chassis
🔻 Quantum Security Gateways
🔻 Quantum Spark Appliances

🔍 How many vulnerable hosts can there be? Qualys found 45,000 hosts in Fofa and about 20,000 hosts in Shodan. Most of all, of course, in Israel. Russia is not in the TOP 5 countries. Fofa shows 408 hosts for Russia. 🤷‍♂️

🩹 The vendor’s website provides hotfixes, a script for checking for compromise, and recommendations for hardening devices.

На русском

CheckPoint released a report about the Magnet Goblin group, which was noted for its rapid exploitation of vulnerabilities in services accessible from the Internet. At the time of exploitation, these vulnerabilities already have patches (that’s why they are 1-day, not 0-day). But because companies tend to be slow to update their systems, Magnet Goblin attackers have been successful in their attacks. 🤷‍♂️

The report mentions the following vulnerabilities exploited by Magnet Goblin:

🔻 Magento (open source e-commerce platform) – CVE-2022-24086
🔻 Qlik Sense (data analytics solution) – CVE-2023-41265, CVE-2023-41266, and CVE-2023-48365
🔻 Ivanti Connect Secure (tool for remote access to infrastructure) – CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893.
🔻 Apache ActiveMQ (message broker) – CheckPoint write that it is “possible” and do not provide CVE, but this is probably about CVE-2023-46604.

На русском

This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.

Alexander V. Leonov

Vulnerability Management and more

Tag Archives: CheckPoint

I have finalized the list of trending vulnerabilities for 2024 according to Positive Technologies

Trending vulnerabilities of July according to Positive Technologies

What is known about Spoofing – Windows MSHTML Platform (CVE-2024-38112) from the July Microsoft Patch Tuesday?

Trending vulnerabilities for June according to Positive Technologies

Information Disclosure vulnerability – Check Point Security Gateway (CVE-2024-24919) exploited in the wild

CheckPoint released a report about the Magnet Goblin group, which was noted for its rapid exploitation of vulnerabilities in services accessible from the Internet