Tag Archives: Chromium

May Linux Patch Wednesday

1 Reply

May Linux Patch Wednesday
May Linux Patch WednesdayMay Linux Patch WednesdayMay Linux Patch WednesdayMay Linux Patch WednesdayMay Linux Patch Wednesday

May Linux Patch Wednesday. Last month, we jointly decided that it was worth introducing a rule for Unknown dates starting from May 2024. Which, in fact, is what I implemented. Now, if I see an oval definition that does not have a publication date (date when patches for related vulnerabilities were available), then I nominally assign today’s date. Thus, 32406 oval definitions without a date received a nominal date of 2024-05-15. One would expect that we would get a huge peak for vulnerabilities that “started being patched in May” based on the nominal date. How did it really turn out?

In fact, the peak was not very large. There are 424 CVEs in the May Linux Patch Wednesday. While in April there were 348. It’s comparable. Apparently the not very large peak is due to the fact that most of the vulnerabilities had patch dates older than the nominal one set (2024-05-15). And this is good. 🙂 It should get even better in June.

As usual, I generated a Vulristics report for the May vulnerabilities. Most of the vulnerabilities (282) relate to the Linux Kernel. This is due to the fact that Linux Kernel is now a CNA and they can issue CVEs for all sorts of things like bugs with huge traces right in the vulnerability descriptions.

The vulnerability from CISA KEV comes first.

🔻Path Traversal – Openfire (CVE-2023-32315). This is the August 2023 trending vulnerability. It was included in the report due to a fix in RedOS 2024-05-03. Has it not been fixed in other Linux distributions? It looks like this. In Vulners, among the related security objects, we can only see the RedOS bulletin. Apparently there are no Openfire packages in the repositories of other Linux distributions.

In second place is a vulnerability with a sign of active exploitation according to AttackerKB.

🔻 Path Traversal – aiohttp (CVE-2024-23334). The bug allows unauthenticated attackers to access files on vulnerable servers.

According to data from the FSTEC BDU, another 16 vulnerabilities have signs of active exploitation in the wild.

🔻 Memory Corruption – nghttp2 (CVE-2024-27983)
🔻 Memory Corruption – Chromium (CVE-2024-3832, CVE-2024-3833, CVE-2024-3834, CVE-2024-4671)
🔻 Memory Corruption – FreeRDP (CVE-2024-32041, CVE-2024-32458, CVE-2024-32459, CVE-2024-32460)
🔻 Memory Corruption – Mozilla Firefox (CVE-2024-3855, CVE-2024-3856)
🔻 Security Feature Bypass – bluetooth_core_specification (CVE-2023-24023)
🔻 Security Feature Bypass – Chromium (CVE-2024-3838)
🔻 Denial of Service – HTTP/2 (CVE-2023-45288)
🔻 Denial of Service – nghttp2 (CVE-2024-28182)
🔻 Incorrect Calculation – FreeRDP (CVE-2024-32040)

Another 22 vulnerabilities have an exploit (public or private), but so far there are no signs of active exploitation in the wild. I won’t list them all here, but you can pay attention to:

🔸 Security Feature Bypass – putty (CVE-2024-31497). A high-profile vulnerability that allows an attacker to recover a user’s private key.
🔸 Remote Code Execution – GNU C Library (CVE-2014-9984)
🔸 Remote Code Execution – Flatpak (CVE-2024-32462)
🔸 Command Injection – aiohttp (CVE-2024-23829)
🔸 Security Feature Bypass – FreeIPA (CVE-2024-1481)

I think that to improve the Vulristics report, it makes sense to separately group vulnerabilities with public exploits and private exploits, since this still greatly affects the criticality. Put 🐳 if you would like to see this feature.

🗒 Vulristics report on the May Linux Patch Wednesday

На русском

I generated a Vulristics report on the April Linux Patch Wednesday

Leave a reply

I generated a Vulristics report on the April Linux Patch Wednesday
I generated a Vulristics report on the April Linux Patch WednesdayI generated a Vulristics report on the April Linux Patch WednesdayI generated a Vulristics report on the April Linux Patch WednesdayI generated a Vulristics report on the April Linux Patch WednesdayI generated a Vulristics report on the April Linux Patch WednesdayI generated a Vulristics report on the April Linux Patch Wednesday

I generated a Vulristics report on the April Linux Patch Wednesday. Over the past month, Linux vendors have begun releasing patches for a record number of vulnerabilities – 348. There are signs of exploitation in the wild for 7 vulnerabilities (data on incidents from the FSTEC BDU). Another 165 have a link to an exploit or a sign of the existence of a public/private exploit.

Let’s start with 7 vulnerabilities with signs of exploitation in the wild and exploits:

🔻 The trending January vulnerability Authentication Bypass – Jenkins (CVE-2024-23897) unexpectedly appeared in the TOP. As far as I understand, Linux distributions usually do not include Jenkins packages in the official repositories and, accordingly, do not add Jenkins vulnerability detection rules to their OVAL content. Unlike the Russian Linux distribution RedOS. Therefore, RedOS has the earliest fix timestamp for this vulnerability.

🔻 2 RCE vulnerabilities. The most interesting of them is Remote Code Execution – Exim (CVE-2023-42118). When generating the report, I deliberately did not take into account the vulnerability description and product names from the BDU database (flags –bdu-use-product-names-flag, –bdu-use-vulnerability-descriptions-flag set to False). Otherwise, the report would be partly in English and partly in Russian. But it turned out that so far only BDU has an adequate description of this vulnerability. 🤷‍♂️ You need to take a closer look at this vulnerability because Exim is a fairly popular mail server. The second RCE vulnerability is in the web browser, Remote Code Execution – Safari (CVE-2023-42950).

🔻2 DoS vulnerabilities. Denial of Service – nghttp2/Apache HTTP Server (CVE-2024-27316) and Denial of Service – Apache Traffic Server (CVE-2024-31309). The second is classified in the report as Security Feature Bypass, but this is due to incorrect CWE in NVD (CWE-20 – Improper Input Validation)

🔻 2 browser vulnerabilities Security Feature Bypass – Chromium (CVE-2024-2628, CVE-2024-2630)

Among the vulnerabilities for which there are only signs of the existence of exploits so far, you can pay attention to the following:

🔸 A large number of RCE vulnerabilities (71). Most of them are in the gtkwave product. This is a viewer for VCD (Value Change Dump) files, which are typically created by digital circuit simulators. Also, the Remote Code Execution – Cacti (CVE-2023-49084, CVE-2023-49085) vulnerabilities look dangerous. Cacti is a solution for monitoring servers and network devices.

🔸 Security Feature Bypass – Sendmail (CVE-2023-51765). Allows an attacker to inject email messages with a spoofed MAIL FROM address.

🔸 A pack of Cross Site Scripting vulnerabilities in MediaWiki, Cacti, Grafana, Nextcloud.

There is a lot to explore this time. 🤩

🗒 April Linux Patch Wednesday

На русском

November 2023 – January 2024: New Vulristics Features, 3 Months of Microsoft Patch Tuesdays and Linux Patch Wednesdays, Year 2023 in Review

1 Reply

November 2023 – January 2024: New Vulristics Features, 3 Months of Microsoft Patch Tuesdays and Linux Patch Wednesdays, Year 2023 in Review. Hello everyone! It has been 3 months since the last episode. I spent most of this time improving my Vulristics project. So in this episode, let’s take a look at what’s been done.

Alternative video link (for Russia): https://vk.com/video-149273431_456239139

Also, let’s take a look at the Microsoft Patch Tuesdays vulnerabilities, Linux Patch Wednesdays vulnerabilities and some other interesting vulnerabilities that have been released or updated in the last 3 months. Finally, I’d like to end this episode with a reflection on how my 2023 went and what I’d like to do in 2024.

Continue reading

October 2023: back to Positive Technologies, Vulristics updates, Linux Patch Wednesday, Microsoft Patch Tuesday, PhysTech VM lecture

2 Replies

October 2023: back to Positive Technologies, Vulristics updates, Linux Patch Wednesday, Microsoft Patch Tuesday, PhysTech VM lecture. Hello everyone! October was an interesting and busy month for me. I started a new job, worked on my open source Vulristics project, and analyzed vulnerabilities using it. Especially Linux vulnerabilities as part of my new Linux Patch Wednesday project. And, of course, analyzed Microsoft Patch Tuesday as well. In addition, at the end of October I was a guest lecturer at MIPT/PhysTech university. But first thing first.

Alternative video link (for Russia): https://vk.com/video-149273431_456239138

Continue reading

Microsoft Patch Tuesday December 2022: SPNEGO RCE, Mark of the Web Bypass, Edge Memory Corruptions

Leave a reply

Microsoft Patch Tuesday December 2022: SPNEGO RCE, Mark of the Web Bypass, Edge Memory Corruptions. Hello everyone! This episode will be about Microsoft Patch Tuesday for December 2022, including vulnerabilities that were added between November and December Patch Tuesdays. As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities.

Alternative video link (for Russia): https://vk.com/video-149273431_456239112

But let’s start with an older vulnerability. This will be another example why vulnerability prioritization is a tricky thing and you should patch everything. In the September Microsoft Patch Tuesday there was a vulnerability Information Disclosure – SPNEGO Extended Negotiation (NEGOEX) Security Mechanism (CVE-2022-37958), which was completely unnoticed by everyone. Not a single VM vendor paid attention to it in their reviews. I didn’t pay attention either.

Continue reading

Microsoft Patch Tuesday May 2022: Edge RCE, PetitPotam LSA Spoofing, bad patches

1 Reply

Microsoft Patch Tuesday May 2022: Edge RCE, PetitPotam LSA Spoofing, bad patches. Hello everyone! This episode will be about Microsoft Patch Tuesday for May 2022. Sorry for the delay, this month has been quite intense. As usual, I’m using my Vulristics project and going through not only the vulnerabilities that were presented on May 10th, but all the MS vulnerabilities presented by Microsoft since the previous Patch Tuesday, April 12th.

Alternative video link (for Russia): https://vk.com/video-149273431_456239089

I have set direct links in comments_links.txt for Qualys, ZDI and Kaspersky blog posts.

Continue reading

Security News: Microsoft Patch Tuesday September 2021, OMIGOD, MSHTML RCE, Confluence RCE, Ghostscript RCE, FORCEDENTRY Pegasus

Leave a reply

Security News: Microsoft Patch Tuesday September 2021, OMIGOD, MSHTML RCE, Confluence RCE, Ghostscript RCE, FORCEDENTRY Pegasus. Hello everyone! This time, let’s talk about recent vulnerabilities. I’ll start with Microsoft Patch Tuesday for September 2021. I created a report using my Vulristics tool. You can see the full report here.

The most interesting thing about the September Patch Tuesday is that the top 3 VM vendors ignored almost all RCEs in their reviews. However, there were interesting RCEs in the Office products. And what is most unforgivable is that they did not mention CVE-2021-38647 RCE in OMI – Open Management Infrastructure. Only ZDI wrote about this.

Continue reading