Vulristics: Microsoft Patch Tuesdays Q1 2021. Hello everyone! It has been 3 months since my last review of Microsoft vulnerabilities for Q4 2020. In this episode I want to review the Microsoft vulnerabilities for the first quarter of 2021. There will be 4 parts: January, February, March and the vulnerabilities that were released between the Patch Tuesdays.
I will be using the reports that I created with my Vulristics tool. This time I’ll try to make the episodes shorter. I will describe only the most critical vulnerabilities. Links to the full reports are at the bottom of the blog post.
Microsoft Patch Tuesday September 2020: Zerologon and other exploits, RCEs in SharePoint and Exchange. I would like to start this post by talking about Microsoft vulnerabilities, which recently turned out to be much more serious than it seemed at first glance.
Older Vulnerabilities with exploits
“Zerologon” Netlogon elevation of privilege (CVE-2020-1472)
One of them is, of course, the Netlogon vulnerability from the August 2020 Patch Tuesday. It’s called “Zerologon”. I would not say that Vulnerability Management vendors completely ignored it. But none of them (well, maybe only ZDI) emphasized in their reports that this vulnerability would be a real disaster.
Barapass, Tsunami scanner, vulnerabilities in Windows DNS Server and SAP products, weird attack on Twitter. This episode is based on posts from my Telegram channel avleonovcom, published in the last 2 weeks. So, if you use Telegram, please subscribe. I update it frequently.
Barapass update
I recently released an update to my password manager barapass. BTW, it seems to be my only pet project at the MVP stage, which I use every day.
What’s new:
Now I am sure that it works on Windows 10 without WSL. And you can run it nicely, even with an icon. Read more about installation in Windows in this file.
Not only “copy the next value to the clipboard” (or “revolver mode”) is now possible in the search results section. You can also get the previous value or copy the same value once again if it was somehow erased from the clipboard. Previously, I had to retype the search request each time to do this, and it was quite annoying. By the way, I unexpectedly discovered that the user input history inside the application magically works in the Windows shell (using the up and down arrows) without any additional coding. On Linux it does not.
You can set a startup command, for example, to decrypt the container.
The startup command and quick (favorite) commands are now in settings.json and not hard-coded.
settings.json, container files and decrypted files are now in the “files” directory. It became more convenient to update barapass: just change the scripts in the root directory and that’s it. I divided the scripts into several files, so now it should be clearer how it works.
So, if you need a minimalistic console password manager in which you can easily use any encryption you like – welcome! You can read more about barapass in my previous post.
Microsoft Patch Tuesday April 2020: my classification script, confusing RCE in Adobe Type Manager and updates for older vulnerabilities. Making the reviews of Microsoft Patch Tuesday vulnerabilities should be an easy task. All vulnerability data is publicly available. Even better, dozens of reviews have already been written. Just read them, combine and post. Right?
Not really. In fact it is quite boring and annoying. It may be fun to write about vulnerabilities that were already used in some real attacks. But this is a very small part of all vulnerabilities. What about the hundred-plus others? They are like “some vulnerability in some component may be used in some attack (or may not)”. If you describe each of them, no one will read or listen to this.
You must choose what to highlight. And when I am reading the reports from Tenable, Qualys and ZDI, I see that they choose very different groups of vulnerabilities, pretty much randomly.
My classification script
That’s why I created a script that takes Patch Tuesday CVE data from microsoft.com and visualizes it, giving me a helicopter view of what can be interesting there. With nice grouping by vulnerability type and product, with custom icons for vulnerability types, coloring based on severity, etc.
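To show what such a helicopter view boils down to, here is an added example (not the script from the post, and not Vulristics code) that classifies CVE records by the vulnerability type named in the MSRC title, ranks them so that known exploitation outweighs raw CVSS, and groups them by product. The records, the CVE identifiers of the form CVE-0000-000N, the products, the scores and the flags are all constructed placeholders; the field names and the type weights are my assumptions, not the MSRC data model.

```python
import re
from collections import defaultdict

# Vulnerability types, matched against the CVE title the way MSRC phrases them.
# Order matters: the first pattern that matches wins.
TYPE_PATTERNS = [
    ("RCE", re.compile(r"remote code execution", re.I)),
    ("EoP", re.compile(r"elevation of privilege", re.I)),
    ("SFB", re.compile(r"security feature bypass", re.I)),
    ("ID", re.compile(r"information disclosure", re.I)),
    ("DoS", re.compile(r"denial of service", re.I)),
    ("Spoofing", re.compile(r"spoofing", re.I)),
    ("XSS", re.compile(r"cross[- ]site scripting", re.I)),
]

# Assumed ranking weights: RCE and EoP are what gets chained in real attacks.
TYPE_WEIGHT = {"RCE": 3.0, "EoP": 2.0, "SFB": 1.0, "ID": 0.5,
               "DoS": 0.5, "Spoofing": 0.5, "XSS": 0.5, "Other": 0.0}

# Constructed sample records; the CVE ids are placeholders, not real advisories.
SAMPLE = [
    {"cve": "CVE-0000-0001", "title": "Windows Kernel Elevation of Privilege Vulnerability",
     "product": "Windows", "cvss": 7.8, "exploited": True, "public": False},
    {"cve": "CVE-0000-0002", "title": "Windows DNS Server Remote Code Execution Vulnerability",
     "product": "Windows", "cvss": 9.8, "exploited": False, "public": False},
    {"cve": "CVE-0000-0003", "title": "Microsoft Exchange Server Remote Code Execution Vulnerability",
     "product": "Exchange", "cvss": 8.8, "exploited": False, "public": True},
    {"cve": "CVE-0000-0004", "title": "Microsoft SharePoint Information Disclosure Vulnerability",
     "product": "SharePoint", "cvss": 5.3, "exploited": False, "public": False},
    {"cve": "CVE-0000-0005", "title": "Windows Print Spooler Denial of Service Vulnerability",
     "product": "Windows", "cvss": 6.5, "exploited": False, "public": False},
]


def classify_type(title):
    """Map an MSRC-style title to a short vulnerability type tag."""
    for name, pattern in TYPE_PATTERNS:
        if pattern.search(title):
            return name
    return "Other"


def score(rec):
    """Ranking score: CVSS base + type weight, plus large bonuses for exploitation status."""
    s = rec["cvss"] + TYPE_WEIGHT[classify_type(rec["title"])]
    if rec.get("exploited"):
        s += 10  # exploitation detected in the wild trumps everything else
    if rec.get("public"):
        s += 5   # public PoC: assume exploitation follows shortly
    return s


def group_by_product(records):
    """{product: [records sorted most-interesting-first]}"""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["product"]].append(rec)
    for recs in groups.values():
        recs.sort(key=score, reverse=True)
    return dict(groups)


def top(records, n=3):
    """CVE ids of the n highest-ranked records across all products."""
    return [r["cve"] for r in sorted(records, key=score, reverse=True)[:n]]


def report(records):
    """Plain-text view: '!' = exploited in the wild, 'P' = public exploit."""
    lines = []
    for product, recs in sorted(group_by_product(records).items()):
        lines.append(f"== {product} ==")
        for r in recs:
            flags = ("!" if r.get("exploited") else " ") + ("P" if r.get("public") else " ")
            lines.append(f"  {flags} {classify_type(r['title']):8} {r['cvss']:4.1f} "
                         f"{r['cve']}  {r['title']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
    print("top:", top(SAMPLE))
```

On the constructed sample the top three come out as the exploited kernel EoP, then the Exchange RCE with a public exploit, and only then the 9.8 DNS RCE: the point of the ranking is that exploitation status, not the CVSS number, decides what gets highlighted.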
CyberThursday: Asset Inventory, IT-transformation in Cisco, Pentest vs. RedTeam. Two weeks ago I was speaking at a very interesting information security event – CyberThursday. This is a meeting of a closed Information Security practitioners group. The group is about 70 people, mainly from the financial organizations, telecoms and security vendors.
These meetings have a rather unique atmosphere. Almost everyone knows each other. The event has no permanent place. It constantly moves between the offices of large Russian companies. The host, usually a CISO, can bring his IT and InfoSec colleagues. For others, only the “bring a friend” format is available. This helps keep the event focused and very informal. Participants propose and approve the topics by voting in the chat group. There is no place for marketing; all topics are practical and relevant.
Asset Inventory for Network Perimeter: from Declarations to Active Scanning. In the previous post, I shared some of my thoughts about a good Asset Inventory system. Of course, for me as a Security Specialist, it would be great if IT provided such a magical system. 🙂 But such an ideal situation is rarely possible. So now let’s see how to build an Asset Inventory system using the resources of the Information Security team.
There are no special secrets. It’s necessary to get information about the assets from all available IT systems and then get the rest of the data using our own Assessment tools. I would like to start with hosts on Network Perimeter. The Network Perimeter targets are available at any time for hacker attacks, that’s why this part of the network is the most critical.
Network Perimeter is like the Wall in the Game of Thrones. The same white walkers are hiding behind the wall and our task is to find the breaches in the wall faster than potential intruders. “Night gathers, and now my watch begins”. (c)
Perimeter is changing constantly. And we should understand at any time what hosts are currently exposed in every office and every external hosting platform.
We can get information about external hosts using a Vulnerability Scanner located on an external host on the Internet. I have already written about it briefly in Vulnerability Management for Network Perimeter. Here I would like to focus on how we can understand which hosts should be scanned and what useful information we can get from the raw scan results.
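As an added illustration of the “declarations versus active scanning” idea (example code written for this page, not the author’s tooling), the script below takes a declared list of perimeter hosts, parses an external scan in nmap’s grepable (-oG) format, and reports three things a perimeter owner wants to know: hosts that answer on the Internet but are declared nowhere, declared hosts the scanner could not find, and services that should not face the Internet no matter who owns the host. Both inputs are constructed: the addresses come from the RFC 5737 documentation ranges, the owners and descriptions are invented, and the list of risky ports is my assumption.

```python
import csv
import io
import re

# Assumed list of services that should not be exposed on a perimeter host at all.
RISKY_PORTS = {21: "ftp", 23: "telnet", 135: "msrpc", 139: "netbios", 445: "smb",
               1433: "mssql", 3306: "mysql", 3389: "rdp", 5900: "vnc", 5985: "winrm",
               6379: "redis"}

# Constructed declarations: what IT says is exposed (RFC 5737 documentation addresses).
DECLARED_CSV = """ip,owner,description
203.0.113.10,web-team,public website
203.0.113.11,mail-team,MX
203.0.113.12,it-ops,VPN gateway
198.51.100.5,devops,CI runner on external hosting
"""

# Constructed scan output in nmap grepable format, as an external scanner would write it.
SCAN_GNMAP = """# Nmap scan initiated (constructed example)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 203.0.113.11 ()\tStatus: Up
Host: 203.0.113.11 ()\tPorts: 25/open/tcp//smtp///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (998)
Host: 203.0.113.13 ()\tStatus: Up
Host: 203.0.113.13 ()\tPorts: 22/open/tcp//ssh///, 8080/open/tcp//http-proxy///\tIgnored State: closed (998)
Host: 198.51.100.5 ()\tStatus: Up
Host: 198.51.100.5 ()\tPorts: 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)
# Nmap done (constructed example)
"""

# One port entry in the -oG "Ports:" field: port/state/proto//service/...; only 'open' is kept.
PORT_RE = re.compile(r"(\d+)/(open)/(\w+)//([^/]*)/")


def parse_declared(text):
    """CSV declarations -> {ip: row}."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(text))}


def parse_gnmap(text):
    """Grepable nmap output -> {ip: [(port, proto, service), ...]} for hosts that were up."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                      # comments and summary lines
        ip = line.split()[1]
        hosts.setdefault(ip, [])          # a 'Status: Up' line registers the host even with no open ports
        for field in line.split("\t"):
            if field.startswith("Ports: "):
                for port, _state, proto, service in PORT_RE.findall(field):
                    hosts[ip].append((int(port), proto, service))
    return hosts


def reconcile(declared, scanned):
    """Compare declarations with scan results."""
    declared_ips, up_ips = set(declared), set(scanned)
    result = {
        # answers on the Internet with open ports, but nobody declared it
        "undeclared": sorted(ip for ip in up_ips - declared_ips if scanned[ip]),
        # declared, but the scanner saw nothing: decommissioned, or the declaration is wrong
        "missing": sorted(declared_ips - up_ips),
        # services that should never face the Internet, with the declared owner to chase
        "risky": [],
    }
    for ip in sorted(up_ips):
        for port, _proto, _service in scanned[ip]:
            if port in RISKY_PORTS:
                owner = declared.get(ip, {}).get("owner", "UNKNOWN")
                result["risky"].append((ip, port, RISKY_PORTS[port], owner))
    return result


def run(declared_csv=DECLARED_CSV, gnmap=SCAN_GNMAP):
    return reconcile(parse_declared(declared_csv), parse_gnmap(gnmap))


if __name__ == "__main__":
    r = run()
    print("undeclared hosts:", r["undeclared"])
    print("declared but not found:", r["missing"])
    for ip, port, name, owner in r["risky"]:
        print(f"risky service {name}/{port} on {ip} (owner: {owner})")
```

On the constructed input this flags 203.0.113.13 as an undeclared exposure, 203.0.113.12 as declared but absent, and RDP on the mail host plus SMB on the externally hosted CI runner as services to get closed. In practice the declared list would be assembled from DNS zones, cloud consoles and hosting contracts, and the scan would be rerun on a schedule so that the diff, not the full list, is what lands in the ticket queue.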
This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.