Tag Archives: Linux

August Linux Patch Wednesday

Leave a reply

August Linux Patch Wednesday

August Linux Patch Wednesday. 658 vulnerabilities. Of these, 380 are in the Linux Kernel. About 10 have signs of exploitation in the wild. I will highlight:

🔻 Vulnerabilities of IT Asset Management system GLPI: AuthBypass (CVE-2023-35939, CVE-2023-35940) and Code Injection (CVE-2023-35924, CVE-2023-36808, CVE-2024-27096, CVE-2024-29889). Fixed in RedOS.
🔻 InfDisclosure – Minio (CVE-2023-28432). Old and trendy, but also fixes appeared only in RedOS.
🔻 DoS – PHP (CVE-2024-2757). If I were to take into account Fedora or Alpine bulletins, this would be in an earlier LPW. 🤔 2DO.

About 30 without signs of exploitation in the wild, but with exploits. I will highlight:

🔸 Command Injection – Apache HTTP Server (CVE-2024-40898)
🔸 AuthBypass – Apache HTTP Server (CVE-2024-40725)
🔸 AuthBypass – Neat VNC (CVE-2024-42458)
🔸 RCE – Calibre (CVE-2024-6782); yes, e-books software 🙂

🗒 Vulristics report on August Linux Patch Wednesday

На русском

July Linux Patch Wednesday

Leave a reply

July Linux Patch Wednesday

July Linux Patch Wednesday. There are 705 vulnerabilities, of which 498 are in the Linux Kernel. There are no vulnerabilities with signs of exploitation in the wild yet, 11 have public exploits.

🔻 RCE – OpenSSH “regreSSHion” (CVE-2024-6387) is in the absolute top with many variations of exploits on GitHub. Mind the malicious fakes (❗️). I will also mention a similar vulnerability RCE – OpenSSH (CVE-2024-6409) with no exploits yet.
🔻 Public PoC links for DoS in Suricata (CVE-2024-38536) and QEMU (CVE-2024-3567).

According to BDU, public exploits exist for:

🔸 AuthBypass – RADIUS Protocol (CVE-2024-3596), it was also fixed in the July MSPT
🔸 Security Feature Bypass – Exim (CVE-2024-39929) – mime_filename blocking bypass, as well as in Nextcloud (CVE-2024-22403) – eternal OAuth codes
🔸 DoS – OpenTelemetry (CVE-2023-45142)
🔸 Memory Corruption – 7-Zip (CVE-2023-52168)

🗒 Vulristics report on July Linux Patch Wednesday

На русском

TOP 5 CVEs that were most often exploited by Positive Technologies pentesters in 2023

Leave a reply

TOP 5 CVEs that were most often exploited by Positive Technologies pentesters in 2023. The report was released on July 2. I generated a rap track on this topic in Russian using Suno. 🙂 English subtitles available.

List of vulnerabilities:

🔻 Remote Code Execution – Microsoft Exchange “ProxyNotShell” (CVE-2022-41040, CVE-2022-41080, CVE-2022-41082)
🔻 Remote Code Execution – Bitrix Site Manager “PollsVotes” (CVE-2022-27228)
🔻 Elevation of Privilege – Polkit “PwnKit” (CVE-2021-4034)

На русском

Trending vulnerabilities for June according to Positive Technologies

Leave a reply

Trending vulnerabilities for June according to Positive Technologies. Traditionally, in 3 formats (in Russian):

📹 The section “Trending VM” in the SecLab news video (starts at 15:03)
🗞 Post on the Habr website, in fact this is a slightly expanded scenario for the “Trending VM” section
🗒 Compact digest with technical details on the official PT website

List of vulnerabilities:

🔻 EoP in Microsoft Windows CSC (CVE-2024-26229)
🔻 EoP in Microsoft Windows Error Reporting (CVE-2024-26169)
🔻 EoP in Microsoft Windows Kernel (CVE-2024-30088)
🔻 RCE in PHP (CVE-2024-4577)
🔻 EoP in Linux Kernel (CVE-2024-1086)
🔻 InfDisclosure in Check Point Security Gateways (CVE-2024-24919)
🔻 RCE in VMware vCenter (CVE-2024-37079, CVE-2024-37080)
🔻 AuthBypass in Veeam Backup & Replication (CVE-2024-29849)

На русском

Linux Patch Wednesday: here is this May peak!

Leave a reply

Linux Patch Wednesday: here is this May peak!

Linux Patch Wednesday: here is this May peak! 🤦‍♂️ Also about June Linux Patch Wednesday. If you remember, in my post about the May Linux Patch Wednesday I was happy that, despite the launch of the rule for Unknown dates, the peak in May was insignificant. Although “32406 oval definitions without a date received a nominal date of 2024-05-15”. It turned out that the peak was not visible due to an error in the code. Ba-dum-tss! 🥸🤷‍♂️

I noticed that not all CVEs are in LPW bulletins, despite the addition of nominal dates, for example the high-profile vulnerability Elevation of Privilege (Local Privilege Escalation) – Linux Kernel (CVE-2024-1086). I could not find it anywhere. I debugged the function that distributes vulnerabilities into bulletins and added tests. I have ensured that all 38362 CVEs from the Linux OVAL content are actually distributed in bulletins. Including CVE-2024-1086. Here it is in February:

$ grep "CVE-2024-1086"  bulletins/*
bulletins/2024-02-21.json:        "CVE-2024-1086": [
bulletins/2024-02-21.json:                "title": "CVE-2024-1086 linux",
bulletins/2024-02-21.json:                "title": "CVE-2024-1086 linux",
bulletins/2024-02-21.json:                "title": "CVE-2024-1086 linux",

Well, there really is a peak in May. And how huge it is! 11476 CVEs! 😱 This is so much that I regenerated the Vulristics report for it only using 2 sources: Vulners and BDU. Since even from Vulners the data was not collected quickly enough. The report contains 77 vulnerabilities with signs of active exploitation in the wild and 1404 vulnerabilities with exploits, but without signs of active exploitation in the wild. Since for the most part these are old vulnerabilities for which it was simply not clear exactly when they were fixed, for example, Remote Code Execution – Apache HTTP Server (CVE-2021-42013), I will not analyze them in detail – for those interested, see the report. But please note that the report size is very large.

🗒 Vulristics report on the May Linux Patch Wednesday (31.3 MB)

As for the June Linux Patch Wednesday, which was finalized on June 19, there are 1040 vulnerabilities. Also quite a lot. Why is this so? On the one hand, the rule for Unknown dates added 977 Debian OVAL definitions without a date. Not 30k, like in May, but also significant. Out of 1040 vulnerabilities, 854 are Linux Kernel vulnerabilities. Moreover, there are quite a lot of “old” vulnerability identifiers, but created in 2024. For example, CVE-2021-47489 with NVD Published Date 05/22/2024. 🤔 CNA Linux Kernel is doing something strange.

🔻 With signs of exploitation in the wild again Remote Code Execution – Chromium (CVE-2024-5274, CVE-2024-4947), like in Microsoft Patch Tuesday. According to the BDU, Remote Code Execution – Libarchive (CVE-2024-26256) is also exploited in the wild.

🔸 Another 20 vulnerabilities with a public exploit. I can highlight separately Remote Code Execution – Cacti (CVE-2024-25641) and Remote Code Execution – onnx/onnx framework (CVE-2024-5187).

🗒 Vulristics report on the June Linux Patch Wednesday (4.4 MB)

Elevation of Privilege (Local Privilege Escalation) – Linux Kernel (CVE-2024-1086) has been added to CISA KEV

Leave a reply

Elevation of Privilege (Local Privilege Escalation) - Linux Kernel (CVE-2024-1086) has been added to CISA KEV

Elevation of Privilege (Local Privilege Escalation) – Linux Kernel (CVE-2024-1086) has been added to CISA KEV. The vulnerability itself is relatively old, from January. I already wrote about it in March, when the write-up and public exploit were released.

Despite the fact that the exploitation of this vulnerability is trivial (the attacker launches a local utility and gains root privileges), until recently there were no signs of exploitation in the wild. This is quite strange: such a useful exploit should immediately be included in the attackers’ toolkit. So either the practical exploitation of this vulnerability is somehow complicated, or the attackers did not leave any traces. 🤔

In any case, on May 30, the vulnerability was added to CISA KEV, and this means the fact of its exploitation in attacks has been proven. But there are no details yet. Please be aware of this vulnerability when upgrading Linux hosts.

На русском