Tag Archives: Cisco

Last Week’s Security News: Black Hat Pwnie Awards, iPhone Checks Photos, Evil Windows Print Server, Cisco VPN Routers Takeovers

Leave a reply

Last Week’s Security News: Black Hat Pwnie Awards, iPhone Checks Photos, Evil Windows Print Server, Cisco VPN Routers Takeovers. Hello everyone! Last Week’s Security News, August 1 – August 8.

Black Hat Pwnie Awards

Last week was more quiet than normal with Black Hat USA and DEF CON security conferences. I would like to start with the Pwnie Awards, which are held annually at Black Hat. It’s like an Oscar or Tony in the information security world. Pwnie Awards recognizes both excellence and incompetence. And, in general, is a very respectable, adequate and fun event.

There were 10 nominations. I will note a few.

  • Firstly 2 nominations, which were received by the guys from Qualys.
    Best Privilege Escalation Bug: Baron Samedit, a 10-year-old exploit in sudo.
    Most Under-Hyped Research: 21Nails, 21 vulnerabilities in Exim, the Internet’s most popular mail server.
  • Best Server-Side Bug: Orange Tsai, for his Microsoft Exchange Server ProxyLogon attack surface discoveries.
  • Most Epic Fail: Microsoft, for their failure to fix PrintNightmare.
  • Best Song: The Ransomware Song by Forrest Brazeal

Continue reading

Last Week’s Security news: PrintNightmare patches and Metasploit, Kaseya CVEs, Morgan Stanley Accellion FTA, Cisco BPA and WSA, Philips Vue PACS, CISA RVAs, Lazarus job offers

1 Reply

Last Week’s Security news: PrintNightmare patches and Metasploit, Kaseya CVEs, Morgan Stanley Accellion FTA, Cisco BPA and WSA, Philips Vue PACS, CISA RVAs, Lazarus job offers. Hello guys! The third episode of Last Week’s Security news, July 5 – July 11. There was a lot of news last week. Most of them was again about PrintNightmare and Kaseya.

The updates for PrintNightmare (CVE-2021-34527) were finally released mid-week. It became possible not only to disable the service, but also to update the hosts. This is especially important for desktops that need to print something. But the problem is that these patches can be bypassed. “If you have a system where PointAndPrint NoWarningNoElevationOnInstall = 1, then Microsoft’s patch for #PrintNightmare CVE-2021-34527 does nothing to prevent either LPE or RCE”. Microsoft has updated their security update guide after that: “if you set this reg key to = 1 then the system is vulnerable by design”. It seems that solving this problem requires hardening and registry monitoring.

Continue reading

Last Week’s Security news: Cisco ASA, BIG-IQ, vSphere, Solaris, Dlink, iPhone %s, DarkRadiation, Google schema, John McAfee

Leave a reply

Last Week’s Security news: Cisco ASA, BIG-IQ, vSphere, Solaris, Dlink, iPhone %s, DarkRadiation, Google schema, John McAfee. Hello, today I want to experiment with a new format. I will be reading last week’s news from my @avleonovnews channel, which I found the most interesting. I do this mostly for myself, but if you like it too, then that would be great. Please subscribe to my YouTube channel and my Telegram @avleonovcom.

Let’s start with some new public exploits.

  1. Researchers at Positive Technologies have dropped a proof-of-concept (PoC) exploit on Twitter for a known cross-site scripting (XSS) vulnerability in the Cisco Adaptive Security Appliance (ASA) CVE-2020-3580. This flaw was patched in October. There are reports of researchers pursuing bug bounties using this exploit. Maybe you should do this too. Well, or at least ask your IT administrators if they have updated the ASA.
  2. F5 BIG-IQ VE Post-auth Remote Root RCE. BIG-IQ provides a single point of management for all your BIG-IP devices — whether they are on premises or in a public or private cloud. It was possible to execute commands with root privileges as an authenticated privileged user via command injection in easy-setup-test-connection. A good reason to check if you have this in the infrastructure. But of course the fact that this is Post-auth makes it less interesting.
  3. VMware vCenter 6.5 / 6.7 / 7.0 Remote Code Execution. From the description of the vulnerability that was published in February 2021. “The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.” Therefore, if your IT colleagues have not patched vCenter since February, you can try to demonstrate how this vulnerability is exploited in practice.
  4. Solaris SunSSH 11.0 Remote Root. “CVE-2020-14871 is a critical pre-authentication (via SSH) stack-based buffer overflow vulnerability in the Pluggable Authentication Module (PAM) in Oracle Solaris. PAM is a dynamic authentication component that was integrated into Solaris back in 1997 as part of Solaris 2.6”. If you are still using Solaris in your infrastructure, this is a great opportunity to try this exploit.
  5. Dlink DSL2750U – ‘Reboot’ Command Injection. There, in the exploit code, there is a link to the full study that shows how the researcher, Mohammed Hadi, gains admin access to the router. This is interesting considering that this router model is quite popular and you can still buy such a router.
  6. It’s 2021 and a printf format string in a wireless network’s name can break iPhone Wi-Fi. On Friday, Carl Schou, a security researcher in Denmark, reported that his iPhone lost its Wi-Fi capability after attempting to connect to a Wi-Fi network named “%p%s%s%s%s%n”. Fortunately, the damage appears not to be permanent. Apple iOS devices that lose Wi-Fi capability after being bitten by this bug can be restored via the General -> Reset -> Reset Network Settings menu option, which reverts network settings to their factory default. Not a very interesting vulnerability in terms of practical exploitation, but fun. Don’t connect to unfamiliar Wi-Fi networks.

Continue reading

Is Vulnerability Management more about Vulnerabilities or Management?

Leave a reply

Is Vulnerability Management more about Vulnerabilities or Management? I’ve just read a nice article about Vulnerability Management in the Acribia blog (in Russian). An extract and my comments below.

In the most cases Vulnerability Management is not about Vulnerabilities, but about Management. Just filtering the most critical vulnerabilities is not enough.

Practical Cases:

  1. “Oh, yes, we know ourselves that that everything is bad!” – CVE-2013−4786 IPMI password hash disclosure on > 500 servers. Customer just accepted the risks, Acribia proposed an effective workaround (unbrutable user IDs and passwords). It’s often hard to figure out right remediation measures and implement them. Someone should do it!
  2. “We can download OpenVAS without your help!” – CVE-2018-0171 Cisco Smart Install RCE on 350 hosts. Vulnerability detection rules of several Vulnerability Scanners were not good enough to detect this vulnerability. Do not rely on scanners, know how they work and their limitations.
  3. “If the attackers wanted to hack us, they would have already done it!” – CVE-2017-0144 (MS17-010) Windows SMB RCE on domain controller and several other critical servers. Vulnerability was detected in infrastructure several times, the remediation was agreed with the management, but it was ignored by responsible IT guys. As a result, during the next successful WannaCry-like malware attack the servers, including the DC were destroyed. Vulnerability Management is about the willingness to patch anything, very quickly, as often as required. Otherwise, it makes no sense.

What’s wrong with patch-based Vulnerability Management checks?

6 Replies

What’s wrong with patch-based Vulnerability Management checks? My last post about Guinea Pigs and Vulnerability Management products may seem unconvincing without some examples. So, let’s review one. It’s a common problem that exists among nearly all VM vendors, I will demonstrate it on Tenable Nessus.

If you perform vulnerability scans, you most likely seen these pretty huge checks in your scan results like “KB4462917: Winsdows 10 Version 1607 and Windows Server 2016 October 2018 Security Update“. This particular Nessus plugin detects 23 CVEs at once.

What's wrong with patch-centric Vulnerability Management?

And, as you can see, it has formalized “Risk Information” data in the right column. There is only one CVSS score and vector, one CPE, one exploitability flag, one criticality level. Probably because of architectural limitations of the scanner. So, two very simple questions:

  • for which CVE (of these 23) is this formalized Risk Information block?
  • for which CVE (of these 23) exploit is available?

Ok, maybe they show CVSS for the most critical (by their logic) CVE. Maybe they somehow combine this parameter from data for different CVEs. But in most cases this will be inaccurate. Risk information data for every of these 23 vulnerabilities should be presented independently.

As you can see on the screenshot, one of these vulnerabilities is RCE the other is Information Disclosure. Vulnerability Management solution tells us that there is an exploit. Is this exploit for RCE or DoS? You should agree, that it can be crucial for vulnerability prioritization. And more than this, in the example there are 7 different RCEs in Internet Explorer, MSXML parser, Windows Hyper-V, etc. All this mean different attack scenarios. How is it possible to show it Vulnerability Scanner like one entity with one CVSS and exploitability flag? What can the user get from this? How to search in all this?

Continue reading

CyberThursday: Asset Inventory, IT-transformation in Cisco, Pentest vs. RedTeam

Leave a reply

CyberThursday: Asset Inventory, IT-transformation in Cisco, Pentest vs. RedTeam. Two weeks ago I was speaking at a very interesting information security event – CyberThursday. This is a meeting of a closed Information Security practitioners group. The group is about 70 people, mainly from the financial organizations, telecoms and security vendors.

CyberThursday 2018 Asset Inventory

These meetings have a rather unique atmosphere. Almost everyone knows each other. The event has no permanent place. It constantly moves between the offices of large Russian companies. The hoster, usually a CISO, can bring his IT and InfoSec colleagues. For others, only “bring a friend” format is available. This helps keep the event focussed and very informal. Participants propose and approve the topics by voting in the chat group. There is no place for marketing, all topics are practical and relevant.

Continue reading

Asset Inventory for Internal Network: problems with Active Scanning and advantages of Splunk

8 Replies

Asset Inventory for Internal Network: problems with Active Scanning and advantages of Splunk. In the previous post, I was writing about Asset Inventory and Vulnerability Scanning on the Network Perimeter. Now it’s time to write about the Internal Network.

Typical IT-infrastructure of a large organization

I see a typical IT-infrastructure of a large organization as monstrous favela, like Kowloon Walled City in Hong Kong. At the beginning it was probably wisely designed, but for years it  was highly effected by spontaneous development processes in various projects as well as multiple acquisitions. And now very few people in the organization really understand how it all works and who owns each peace.

There is a common belief that we can use Active Network Scanning for Asset Inventory in the organization. Currently, I’m not a big fan of this approach, and I will try to explain here the disadvantages of this method and mention some alternatives.

Continue reading