CISAKEV | Alexander V. Leonov

The criticality of the Elevation of Privilege – Windows Error Reporting Service (CVE-2024-26169) vulnerability has increased. If exploited successfully, the attacker gains SYSTEM privileges. The vulnerability was fixed in Microsoft’s March Patch Tuesday. As often happens, no one highlighted this vulnerability back then. 🤷‍♂️

However, 3 months later, on June 12, Symantec researchers reported attacks related to the famous Black Basta ransomware, in which exploits for this vulnerability were used. If we believe the compilation timestamps, these exploits were created long before the release of Microsoft’s patches, in February 2024 or even December 2023. Of course, attackers could fake them, but why would they do that? 🤔

On June 13, the vulnerability was added to CISA KEV. The exploit is not yet publicly available.

The moral is the same: vulnerability prioritization is good, but regular unconditional patching is better.

На русском

Information Disclosure vulnerability – Check Point Security Gateway (CVE-2024-24919) exploited in the wild. On May 28, Check Point released a security bulletin reporting a critical vulnerability in Check Point Security Gateways configured with the “IPSec VPN” or “Mobile Access” software blades.

📖 Almost immediately, technical details on the vulnerability appeared. The vulnerability allows an unauthenticated remote attacker to read the content of an arbitrary file located on an affected device. This allows an attacker to read the /etc/shadow file with password hashes for local accounts, including accounts used to connect to Active Directory. An attacker can obtain passwords from hashes, and then use these passwords for authentication and further development of the attack. Of course, if the Security Gateway allows password-only authentication.

🔨 Exploiting the vulnerability is trivial – one Post request is enough. There are already many scripts on GitHub for this.

👾 Attempts to exploit the vulnerability have been detected since April 7. In other words, 1.5 months before the vendor released the fixes. The vulnerability is already in CISA KEV.

Vulnerable products:

🔻 CloudGuard Network
🔻 Quantum Maestro
🔻 Quantum Scalable Chassis
🔻 Quantum Security Gateways
🔻 Quantum Spark Appliances

🔍 How many vulnerable hosts can there be? Qualys found 45,000 hosts in Fofa and about 20,000 hosts in Shodan. Most of all, of course, in Israel. Russia is not in the TOP 5 countries. Fofa shows 408 hosts for Russia. 🤷‍♂️

🩹 The vendor’s website provides hotfixes, a script for checking for compromise, and recommendations for hardening devices.

На русском

I looked at VulnCheck KEV. This is an analogue of CISA KEV (Know Exploited Vulnerabilities) by VulnCheck.

🔹 Unlike the public CISA KEV, only registered users have access to VulnCheck KEV. The VulnCheck website is accessible from Russian IPs 🇷🇺, but when registering they write that “account is currently under review” (in fact requests are simply blocked 🥸). Requests from non-Russian IPs are registered automatically. 🌝
🔹 There are ~2 times more CVEs in the database than in CISA KEV.
🔹 There are no standard tools for downloading all these CVEs via web-gui. 🤷‍♂️
🔹 There are links to exploits for CVEs that look good. 👌
🔹 There are signs of exploitation in the wild. Sometimes it’s clear, like “Outbreak Alerts 2023” pdf report. Sometimes it’s strange, like a link to a Shadowserver dashboard or a non-related blog post. 🤷‍♂️

The selection of CVEs is quite interesting, but the rationale for exploitation in the wild needs to be improved. 😉

На русском

This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.

Alexander V. Leonov

Vulnerability Management and more

Tag Archives: CISAKEV

The criticality of the Elevation of Privilege – Windows Error Reporting Service (CVE-2024-26169) vulnerability has increased

Information Disclosure vulnerability – Check Point Security Gateway (CVE-2024-24919) exploited in the wild

I looked at VulnCheck KEV