Tag Archives: CISAKEV

The severity of the Remote Code Execution – Microsoft SharePoint (CVE-2024-38094) vulnerability has increased

Leave a reply

The severity of the Remote Code Execution - Microsoft SharePoint (CVE-2024-38094) vulnerability has increased

The severity of the Remote Code Execution – Microsoft SharePoint (CVE-2024-38094) vulnerability has increased. It was fixed as part of the July Microsoft Patch Tuesday (July 9).

SharePoint is a popular platform for corporate portals. According to the Microsoft bulletin, аn authenticated attacker with Site Owner permissions can use the vulnerability to inject arbitrary code and execute this code in the context of SharePoint Server.

On July 10, a repository with a PoC exploit for this vulnerability appeared on GitHub, as well as a video demonstrating how an attacker can launch processes on the attacked SharePoint server. A GitHub search by CVE number does not find a repository with the exploit, but a link is available in the The Hacker News article. Exploit also relates to the July SharePoint RCEs CVE-2024-38023 and CVE-2024-38024.

On October 22, the vulnerability was added to the CISA KEV, which means it was exploited in the wild.

На русском

Trending vulnerabilities of July according to Positive Technologies

Leave a reply

Trending vulnerabilities of July according to Positive Technologies.

The SecLab film crew went on vacation. Therefore, there was a choice: to skip the episode of “In the trend of VM” about the July vulnerabilities, or to make a video myself. Which is what I tried to do. And from the next episode we will return to SecLab again.

📹 Video “In The Trend of VM” on YouTube
🗞 A post on Habr (rus) a slightly expanded script of the video
🗒 A compact digest (rus) on the official PT website

List of vulnerabilities:

🔻 00:33 Spoofing – Windows MSHTML Platform (CVE-2024-38112)
🔻 02:23 RCE – Artifex Ghostscript (CVE-2024-29510)
🔻 03:55 RCE – Acronis Cyber Infrastructure (CVE-2023-45249)

English voice over was generated by my open source utility subtivo (subtitles to voice over)

На русском

Remote Code Execution – Acronis Cyber Infrastructure (CVE-2023-45249)

Leave a reply

Remote Code Execution - Acronis Cyber Infrastructure (CVE-2023-45249)

Remote Code Execution – Acronis Cyber Infrastructure (CVE-2023-45249). Due to the default passwords used, a remote unauthenticated attacker can gain access to an Acronis Cyber ​​Infrastructure (ACI) server and execute arbitrary code.

ACI is a hyperconverged platform for storage, backup, computing, virtualization and networking.

🔻 Patches that fix this vulnerability were released on October 30, 2023 (❗️).
🔻 After 9-10 months, on July 24 of this year, Acronis noted in a bulletin that the vulnerability was exploited in the wild. The purpose of exploitation was to install a cryptominer. On July 29, the vulnerability was added to the CISA KEV.

Some sources report 20,000 service providers using ACI. I have not found any confirmation of this. Perhaps there is confusion with Acronis Cyber ​​Protect. However, there are probably quite a few large companies using ACI. If you work for such a company, be sure to pay attention.

На русском

“The Mystery of the Hole”: Remote Code Execution – Internet Explorer (CVE-2012-4792)

Leave a reply

The Mystery of the Hole: Remote Code Execution - Internet Explorer (CVE-2012-4792)

“The Mystery of the Hole”: Remote Code Execution – Internet Explorer (CVE-2012-4792). Yesterday, an old vulnerability “CDwnBindInfo” from 2012 was added to CISA KEV: the user opens a malicious website in MS Internet Explorer 6–8 and the attacker gets RCE on user’s host. The vulnerability has been actively exploited since the end of 2012 as 0day in watering hole attacks on US organizations. In particular, the malicious code was placed on the hacked Council on Foreign Relations (CFR) website.

Why was the vulnerability added to CISA KEV only now?

🔹 New attacks on legacy systems (Win XP/ Vista/7, WinServer 2003/2008) were discovered? 🤪 It’s unlikely.

🔹 They saw a vulnerability with confirmed incidents, but it wasn’t in CISA KEV, so they added it? More likely, but why only this vulnerability? 🧐

🔹 There was no formal excuse for urgently updating found legacy systems? A bit strange. 🤷‍♂️

Let’s wait for updates. 🙂

На русском

Trending vulnerabilities for June according to Positive Technologies

Leave a reply

Trending vulnerabilities for June according to Positive Technologies. Traditionally, in 3 formats (in Russian):

📹 The section “Trending VM” in the SecLab news video (starts at 15:03)
🗞 Post on the Habr website, in fact this is a slightly expanded scenario for the “Trending VM” section
🗒 Compact digest with technical details on the official PT website

List of vulnerabilities:

🔻 EoP in Microsoft Windows CSC (CVE-2024-26229)
🔻 EoP in Microsoft Windows Error Reporting (CVE-2024-26169)
🔻 EoP in Microsoft Windows Kernel (CVE-2024-30088)
🔻 RCE in PHP (CVE-2024-4577)
🔻 EoP in Linux Kernel (CVE-2024-1086)
🔻 InfDisclosure in Check Point Security Gateways (CVE-2024-24919)
🔻 RCE in VMware vCenter (CVE-2024-37079, CVE-2024-37080)
🔻 AuthBypass in Veeam Backup & Replication (CVE-2024-29849)

На русском

The criticality of the Elevation of Privilege – Windows Error Reporting Service (CVE-2024-26169) vulnerability has increased

Leave a reply

The criticality of the Elevation of Privilege - Windows Error Reporting Service (CVE-2024-26169) vulnerability has increased

The criticality of the Elevation of Privilege – Windows Error Reporting Service (CVE-2024-26169) vulnerability has increased. If exploited successfully, the attacker gains SYSTEM privileges. The vulnerability was fixed in Microsoft’s March Patch Tuesday. As often happens, no one highlighted this vulnerability back then. 🤷‍♂️

However, 3 months later, on June 12, Symantec researchers reported attacks related to the famous Black Basta ransomware, in which exploits for this vulnerability were used. If we believe the compilation timestamps, these exploits were created long before the release of Microsoft’s patches, in February 2024 or even December 2023. Of course, attackers could fake them, but why would they do that? 🤔

On June 13, the vulnerability was added to CISA KEV. The exploit is not yet publicly available.

The moral is the same: vulnerability prioritization is good, but regular unconditional patching is better.

На русском

Information Disclosure vulnerability – Check Point Security Gateway (CVE-2024-24919) exploited in the wild

Leave a reply

Information Disclosure vulnerability - Check Point Security Gateway (CVE-2024-24919) exploited in the wild

Information Disclosure vulnerability – Check Point Security Gateway (CVE-2024-24919) exploited in the wild. On May 28, Check Point released a security bulletin reporting a critical vulnerability in Check Point Security Gateways configured with the “IPSec VPN” or “Mobile Access” software blades.

📖 Almost immediately, technical details on the vulnerability appeared. The vulnerability allows an unauthenticated remote attacker to read the content of an arbitrary file located on an affected device. This allows an attacker to read the /etc/shadow file with password hashes for local accounts, including accounts used to connect to Active Directory. An attacker can obtain passwords from hashes, and then use these passwords for authentication and further development of the attack. Of course, if the Security Gateway allows password-only authentication.

🔨 Exploiting the vulnerability is trivial – one Post request is enough. There are already many scripts on GitHub for this.

👾 Attempts to exploit the vulnerability have been detected since April 7. In other words, 1.5 months before the vendor released the fixes. The vulnerability is already in CISA KEV.

Vulnerable products:

🔻 CloudGuard Network
🔻 Quantum Maestro
🔻 Quantum Scalable Chassis
🔻 Quantum Security Gateways
🔻 Quantum Spark Appliances

🔍 How many vulnerable hosts can there be? Qualys found 45,000 hosts in Fofa and about 20,000 hosts in Shodan. Most of all, of course, in Israel. Russia is not in the TOP 5 countries. Fofa shows 408 hosts for Russia. 🤷‍♂️

🩹 The vendor’s website provides hotfixes, a script for checking for compromise, and recommendations for hardening devices.

На русском