Firefox

April Linux Patch Wednesday. Total vulnerabilities: 251. 164 in the Linux Kernel. No vulnerabilities show signs of being exploited in the wild. There are 7 vulnerabilities that appear to have publicly available exploits.

For 2 vulnerabilities, exploit code with detailed explanation is available on GitHub. Both were first patched in RedOS packages:

SQL injection – Exim (CVE-2025-26794)
Code Injection – MariaDB (CVE-2023-39593)

For the Memory Corruption – Mozilla Firefox (CVE-2025-3028), the NVD states the exploit code is in Mozilla’s bug tracker, but access is restricted.

BDU FSTEC reports public exploits for 4 vulnerabilities:

Information Disclosure – GLPI (CVE-2025-21626)
Security Feature Bypass – GLPI (CVE-2025-23024)
Denial of Service / Remote Code Execution – Perl (CVE-2024-56406)
Memory Corruption – Libsoup (CVE-2025-32050)

Full Vulristics report

На русском

New episode “In The Trend of VM” (#10): 8 trending vulnerabilities of November, zero budget VM and who should look for patches. The competition for the best question on the topic of VM continues.

Video on YouTube, LinkedIn
Post on Habr (rus)
Digest on the PT website

Content:

00:29 Spoofing – Windows NTLM (CVE-2024-43451)
01:16 Elevation of Privilege – Windows Task Scheduler (CVE-2024-49039)
02:16 Spoofing – Microsoft Exchange (CVE-2024-49040)
03:03 Elevation of Privilege – needrestart (CVE-2024-48990)
04:11 Remote Code Execution – FortiManager “FortiJump” (CVE-2024-47575)
05:19 Authentication Bypass – PAN-OS (CVE-2024-0012)
06:32 Elevation of Privilege – PAN-OS (CVE-2024-9474)
07:42 Path Traversal – Zyxel firewall (CVE-2024-11667)
08:37 Is it possible to Manage Vulnerabilities with no budget?
09:53 Should a VM specialist specify a patch to install on the host in a Vulnerability Remediation task?
10:51 Full digest of trending vulnerabilities
11:18 Backstage

На русском

About Elevation of Privilege – Windows Task Scheduler (CVE-2024-49039) vulnerability. It was released on November Microsoft Patch Tuesday and showed signs of exploitation in the wild right away. To exploit the vulnerability, an authenticated attacker runs a specially crafted application on the target system. The attack can be performed from an AppContainer restricted environment. Using this vulnerability, an attacker can elevate their privileges to Medium Integrity level and gain the ability to execute RPC functions that are restricted to privileged accounts only.

ESET reports that the vulnerability allowed the RomCom attackers to execute malicious code outside the Firefox sandbox and then launch hidden PowerShell processes to download and run malware from C&C servers.

There is a backdoor code on GitHub that exploits this vulnerability.

На русском

May Linux Patch Wednesday. Last month, we jointly decided that it was worth introducing a rule for Unknown dates starting from May 2024. Which, in fact, is what I implemented. Now, if I see an oval definition that does not have a publication date (date when patches for related vulnerabilities were available), then I nominally assign today’s date. Thus, 32406 oval definitions without a date received a nominal date of 2024-05-15. One would expect that we would get a huge peak for vulnerabilities that “started being patched in May” based on the nominal date. How did it really turn out?

In fact, the peak was not very large. There are 424 CVEs in the May Linux Patch Wednesday. While in April there were 348. It’s comparable. Apparently the not very large peak is due to the fact that most of the vulnerabilities had patch dates older than the nominal one set (2024-05-15). And this is good. It should get even better in June.

As usual, I generated a Vulristics report for the May vulnerabilities. Most of the vulnerabilities (282) relate to the Linux Kernel. This is due to the fact that Linux Kernel is now a CNA and they can issue CVEs for all sorts of things like bugs with huge traces right in the vulnerability descriptions.

The vulnerability from CISA KEV comes first.

Path Traversal – Openfire (CVE-2023-32315). This is the August 2023 trending vulnerability. It was included in the report due to a fix in RedOS 2024-05-03. Has it not been fixed in other Linux distributions? It looks like this. In Vulners, among the related security objects, we can only see the RedOS bulletin. Apparently there are no Openfire packages in the repositories of other Linux distributions.

In second place is a vulnerability with a sign of active exploitation according to AttackerKB.

Path Traversal – aiohttp (CVE-2024-23334). The bug allows unauthenticated attackers to access files on vulnerable servers.

According to data from the FSTEC BDU, another 16 vulnerabilities have signs of active exploitation in the wild.

Memory Corruption – nghttp2 (CVE-2024-27983)
Memory Corruption – Chromium (CVE-2024-3832, CVE-2024-3833, CVE-2024-3834, CVE-2024-4671)
Memory Corruption – FreeRDP (CVE-2024-32041, CVE-2024-32458, CVE-2024-32459, CVE-2024-32460)
Memory Corruption – Mozilla Firefox (CVE-2024-3855, CVE-2024-3856)
Security Feature Bypass – bluetooth_core_specification (CVE-2023-24023)
Security Feature Bypass – Chromium (CVE-2024-3838)
Denial of Service – HTTP/2 (CVE-2023-45288)
Denial of Service – nghttp2 (CVE-2024-28182)
Incorrect Calculation – FreeRDP (CVE-2024-32040)

Another 22 vulnerabilities have an exploit (public or private), but so far there are no signs of active exploitation in the wild. I won’t list them all here, but you can pay attention to:

Security Feature Bypass – putty (CVE-2024-31497). A high-profile vulnerability that allows an attacker to recover a user’s private key.
Remote Code Execution – GNU C Library (CVE-2014-9984)
Remote Code Execution – Flatpak (CVE-2024-32462)
Command Injection – aiohttp (CVE-2024-23829)
Security Feature Bypass – FreeIPA (CVE-2024-1481)

I think that to improve the Vulristics report, it makes sense to separately group vulnerabilities with public exploits and private exploits, since this still greatly affects the criticality. Put if you would like to see this feature.

Vulristics report on the May Linux Patch Wednesday

На русском

How to Perform a Free Ubuntu Vulnerability Scan with OpenSCAP and Canonical’s Official OVAL Content. Hello everyone! Five years ago I wrote a blogpost about OpenSCAP. But it was only about the SCAP Workbench GUI application and how to use it to detect security misconfigurations.

Alternative video link (for Russia): https://vk.com/video-149273431_456239104

This time, I will install the OpenSCAP command line tool on Ubuntu and use it to check for vulnerabilities on my local host.

Continue reading →

0day RCE in Firefox. This seems like a pretty interesting vulnerability CVE-2019-17026 in Firefox (and Thunderbird) in Windows, MacOS and Linux.

A pretty interesting vulnerability in Firefox (and Thunderbird)

“Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw”.

US-cert informs us that “an attacker could exploit this vulnerability to take control of an affected system“. Yep, it’s RCE.

On the one hand, it’s not a big deal, because Firefox will ask you to update it after the next launch.

But if somewhere in your organization the old version of Firefox is used because it is the only version that is supported by some legacy application or plugin, you are in hell. Of course, this old browser may be only installed somewhere and not used, but still try to monitor this and take care. Especially if you use some custom Firefox-based build.

Making Vulnerable Web-Applications: XXS, RCE, SQL Injection and Stored XSS ( + Buffer Overflow). In this post I will write some simple vulnerable web applications in python3 and will show how to attack them. This is all for educational purposes and for complete beginners. So please don’t be too hard on me.

As a first step I will create a basic web-application using twisted python web server (you can learn more about it in “Making simple Nmap SPA web GUI with Apache, AngularJS and Python Twisted“).

Continue reading →

This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.

Alexander V. Leonov

Vulnerability Management and more

Tag Archives: Firefox

April Linux Patch Wednesday

New episode “In The Trend of VM” (#10): 8 trending vulnerabilities of November, zero budget VM and who should look for patches

About Elevation of Privilege – Windows Task Scheduler (CVE-2024-49039) vulnerability

May Linux Patch Wednesday

How to Perform a Free Ubuntu Vulnerability Scan with OpenSCAP and Canonical’s Official OVAL Content

0day RCE in Firefox

Making Vulnerable Web-Applications: XXS, RCE, SQL Injection and Stored XSS ( + Buffer Overflow)