Tag Archives: Microsoft

Microsoft Patch Tuesday March 2020: a new record was set, SMBv3 “Wormable” RCE and updates for February goldies

Leave a reply

Microsoft Patch Tuesday March 2020: a new record was set, SMBv3 “Wormable” RCE and updates for February goldies. Without a doubt, the hottest Microsoft vulnerability in March 2020 is the “Wormable” Remote Code Execution in SMB v3 CVE-2020-0796. The most commonly used names for this vulnerability are EternalDarkness, SMBGhost and CoronaBlue.

Microsoft Patch Tuesday for March 2020: a new record was set, SMBv3 "Wormable" RCE and updates for February goldies

There was a strange story of how it was disclosed. It seems like Microsoft accidentally mentioned it in their blog. Than they somehow found out that the patch for this vulnerability will not be released in the March Patch Tuesday. So, they removed the reference to this vulnerability from the blogpost as quickly as they could.

But some security experts have seen it. And, of course, after EternalBlue and massive cryptolocker attacks in 2017, each RCE in SMB means “OMG, this is happening again, we need to do something really fast!” So, Microsoft just had to publish an advisory for this vulnerability with the workaround ADV200005 and to release an urgent patch KB4551762.

Continue reading

Microsoft Patch Tuesday February 2020

2 Replies

Microsoft Patch Tuesday February 2020. IMHO, these are the two most interesting vulnerabilities in a recent Microsoft Patch Tuesday February 2020:

  • Mysterious Windows RCE CVE-2020-0662. “To exploit the vulnerability, an attacker who has a domain user account could create a specially crafted request, causing Windows to execute arbitrary code with elevated permissions.” Without needing to directly log in to the affected device!
  • Microsoft Exchange server seizure CVE-2020-0688. By sending a malicious email message the attacker can run commands on a vulnerable Exchange server as the system user (and monitor email communications). “the attacker could completely take control of an Exchange server through a single e-mail”.

There were also RCEs in Remote Desktop (Client and Service), a third attempt to fix RCEs in Internet Explorer, Elevation of Privilege, etc. But all this stuff we see in almost every Patch Tuesday and without fully functional exploits it’s not really interesting. ?

Read the full reviews in Tenable and Zero Day Initiative blogs.

How to get the Organization Units (OU) and Hosts from Microsoft Active Directory using Python ldap3

1 Reply

How to get the Organization Units (OU) and Hosts from Microsoft Active Directory using Python ldap3. I recently figured out how to work with Microsoft Active Directory using Python 3. I wanted to get a hierarchy of Organizational Units (OUs) and all the network hosts associated with these OUs to search for possible anomalies. If you are not familiar with AD, here is a good thread about the difference between AD Group and OU.

It seems much easier to solve such tasks using PowerShell. But it will probably require a Windows server. So I leave this for the worst scenario. 🙂 There is also a PowerShell Core, which should support Linux, but I haven’t tried it yet. If you want to use Python, there is a choice from the native python ldap3 module and Python-ldap, which is a wrapper for the OpenLDAP client. I didn’t find any interesting high-level functions in Python-ldap and finally decided to use ldap3.

Continue reading

What’s wrong with patch-based Vulnerability Management checks?

6 Replies

What’s wrong with patch-based Vulnerability Management checks? My last post about Guinea Pigs and Vulnerability Management products may seem unconvincing without some examples. So, let’s review one. It’s a common problem that exists among nearly all VM vendors, I will demonstrate it on Tenable Nessus.

If you perform vulnerability scans, you most likely seen these pretty huge checks in your scan results like “KB4462917: Winsdows 10 Version 1607 and Windows Server 2016 October 2018 Security Update“. This particular Nessus plugin detects 23 CVEs at once.

What's wrong with patch-centric Vulnerability Management?

And, as you can see, it has formalized “Risk Information” data in the right column. There is only one CVSS score and vector, one CPE, one exploitability flag, one criticality level. Probably because of architectural limitations of the scanner. So, two very simple questions:

  • for which CVE (of these 23) is this formalized Risk Information block?
  • for which CVE (of these 23) exploit is available?

Ok, maybe they show CVSS for the most critical (by their logic) CVE. Maybe they somehow combine this parameter from data for different CVEs. But in most cases this will be inaccurate. Risk information data for every of these 23 vulnerabilities should be presented independently.

As you can see on the screenshot, one of these vulnerabilities is RCE the other is Information Disclosure. Vulnerability Management solution tells us that there is an exploit. Is this exploit for RCE or DoS? You should agree, that it can be crucial for vulnerability prioritization. And more than this, in the example there are 7 different RCEs in Internet Explorer, MSXML parser, Windows Hyper-V, etc. All this mean different attack scenarios. How is it possible to show it Vulnerability Scanner like one entity with one CVSS and exploitability flag? What can the user get from this? How to search in all this?

Continue reading

Making CVE-1999-0016 (landc) vulnerability detection script for Windows NT

Leave a reply

Making CVE-1999-0016 (landc) vulnerability detection script for Windows NT. The fair question is why in 2018 someone might want to deal with Windows NT and vulnerabilities in it. Now Windows NT is a great analogue of DVWA (Damn Vulnerable Web Application), but for operating systems. There are a lot of well-described vulnerabilities with ready-made exploits. A great tool for practising.

Making CVE-1999-0016 (landc) vulnerability detection script for Windows NT

Well, despite the fact that this operating system is not supported since 2004, it can be used in some weird legacy systems. 😉

Continue reading

Vulnerability Databases: Classification and Registry

5 Replies

Vulnerability Databases: Classification and Registry. What publicly available Vulnerability Databases do we have? Well, I can only say that there are a lot of them and they are pretty different. Here I make an attempt to classify them.

It’s quite an ungrateful task. No matter how hard you try, the final result will be rather inaccurate and incomplete. I am sure someone will be complaining. But this is how I see it. 😉 If you want to add or change something feel free to make a comment bellow or email me@avleonov.com.

The main classifier, which I came up with:

  • There are individual vulnerability databases in which one identifier means one vulnerability. They try to cover all existing vulnerabilities.
  • And others are security bulletins. They cover vulnerabilities in a particular product or products. And they usually based on on patches. One patch may cover multiple vulnerabilities.

I made this diagram with some Vulnerability Databases. Note that I wanted to stay focused, so there are no exploit DBs, CERTs, lists of vulnerabilities detected by some researchers (CISCO Talos, PT Research, etc.), Media and Bug Bounty sites.

Vulnerability Databases classification

For these databases the descriptions of vulnerabilities are publicly available on the site (in html interface or downloadable data feed), or exist in a form of paid Vulnerability Intelligence service (for example, Flexera).

On one side there are databases of individual vulnerabilities, the most important is National Vulnerability Database. There are also Chinese, Japanese bases that can be derived from NVD or not.

On the other side we have security bulletins, for example RedHat Security Advisories.

And in the middle we have a Vulnerability Databases, for which it is not critical whether they have duplicated vulnerability IDs or not.

Continue reading

Microsoft security solutions against ransomware and APT

2 Replies

Microsoft security solutions against ransomware and APT. Last Tuesday I was invited to Microsoft business breakfast “Effective protection against targeted and multilevel attacks”. Here I would like to share some of my thoughts on this. Need to mention that the food was delicious and the restaurant of Russian Geographical Society is a very lovely place. 😉 Thanks, Microsoft!

Microsoft as a security vendor? O RLY?

Microsoft products are not actually my topic. To tell you the truth, personally I’d better live in a world without this massive Windows hegemony in desktop operating systems. I use Linux mostly. And even when I have to work in a Windows environment, it’s much easier for me to do all the work in some Linux virtual machine.

But in the real life almost every office network is build on Microsoft solutions. And if you are doing Vulnerability Management in any organization, you should deal with them too. The good news is that many security features are available out of the box in the MS products that you have already purchased. It’s just important to know about these features and use them right.

One more thing, why it’s interesting to learn more about Microsoft information security products. Microsoft developers, obviously, have direct access to Windows source code and know better how their own OS works. Many things are much easier for them to implement than for other security vendors. So, good chances that you will see in Microsoft products some interesting features, that other vendors don’t have (yet).

Drowning in data

The event began with an opening speech by Andrey Ivanov from Microsoft Russia.

Andrey Ivanov, "Effective protection against targeted and multilevel attacks"

I liked his thesis that “we are drowning in security data”:

  • Threat Intelligence from different sources that need to be implemented in your infrastructure and somehow validated. A good place to mention Vulners.com vulnerability feeds 😉
  • Threat Detection using logs, scanners, various protection tools, etc.
  • The overall number of SIEM inputs is growing faster than our resources. New IT system = new problems of SIEM configuration.

So, it would be nice if somebody, for example OS vendor, will provide all this as a service, right? 😉

Detect the undetectable

Then there was the keynote by Zbigniew Kukowski – one of the leading Microsoft information security experts.

Zbigniew Kukowski, "Effective protection against targeted and multilevel attacks"

Why is it necessary?

Here is what I would like to note from his report. First of all, great arguments why it is necessary. Ok, this is marketing. But the ability to explain (to sell) necessity of information security is important skill for any information security specialist now. It does not matter if you are working in a  security vendor, integrator or customer.

Zbigniew mentioned an interesting case: some Polish company, that lost $ 4.3 million in recent the Petya attack in 4 days. The cost of Information Security measures will be much less than the potential losses of business.

Another argument – attacks are not the entertainment for some individuals any more. Now it’s a well-organized criminal business. Dozens of people are working on popular malware tools, like Petya. That’s why ransomware tools are so popular now – cyber-criminals just want to return their development costs.

Continue reading