Tag Archives: Microsoft

Trending vulnerabilities for June according to Positive Technologies

Leave a reply

Trending vulnerabilities for June according to Positive Technologies. Traditionally, in 3 formats (in Russian):

📹 The section “Trending VM” in the SecLab news video (starts at 15:03)
🗞 Post on the Habr website, in fact this is a slightly expanded scenario for the “Trending VM” section
🗒 Compact digest with technical details on the official PT website

List of vulnerabilities:

🔻 EoP in Microsoft Windows CSC (CVE-2024-26229)
🔻 EoP in Microsoft Windows Error Reporting (CVE-2024-26169)
🔻 EoP in Microsoft Windows Kernel (CVE-2024-30088)
🔻 RCE in PHP (CVE-2024-4577)
🔻 EoP in Linux Kernel (CVE-2024-1086)
🔻 InfDisclosure in Check Point Security Gateways (CVE-2024-24919)
🔻 RCE in VMware vCenter (CVE-2024-37079, CVE-2024-37080)
🔻 AuthBypass in Veeam Backup & Replication (CVE-2024-29849)

На русском

Microsoft is beginning to add CVEs to address security flaws in its cloud services

Leave a reply

Microsoft is beginning to add CVEs to address security flaws in its cloud services

Microsoft is beginning to add CVEs to address security flaws in its cloud services. It’s not as straightforward. Assume a cloud CRM has a vulnerability. The vendor instantly corrected it for everyone, and clients didn’t need to take any action. What good is it to issue a CVE for this? 🤔

But Microsoft believes it’s required for greater transparency, and the new rules require CNAs (CVE Numbering Authorities) to add vulnerabilities that could cause significant harm, regardless of whether customers have to take action to fix the vulnerabilities or not. 🤷‍♂️

Microsoft promises to mark such vulnerabilities, such as CVE-2024-35260 “CVE requires no customer action to resolve”. There will be a special tag in CVEorg as well.

Whether or not it is necessary to register cloud service vulnerabilities as CVE is a controversial issue. But it is a fact that, due to this practice, the number of identifiers in CVEorg/NVD will grow much faster. 🤷‍♂️

На русском

The severity of the Elevation of Privilege – Windows Kernel (CVE-2024-30088) has increased

Leave a reply

The severity of the Elevation of Privilege - Windows Kernel (CVE-2024-30088) has increased

The severity of the Elevation of Privilege – Windows Kernel (CVE-2024-30088) has increased. The vulnerability is fresh, it is from the June Microsoft Patch Tuesday. I highlighted it in the review because, according to the CVSS vector, there was a private Proof-of-Concept Exploit for it. But there were no details. It was only clear that in case of successful exploitation, the attacker gains SYSTEM privileges. According to the ZDI advisory, the vulnerability affects the implementation of NtQueryInformationToken and is due to the lack of proper locking when performing operations on the object.

On June 24, 2 weeks after the June Patch Tuesday, a repository with technical details on this vulnerability and PoC appeared on GitHub. A video of running the utility to obtain SYSTEM privileges is also available.

A lot of exploits have begun to appear for Windows EoP/LPE vulnerabilities recently. Fix them in advance!

На русском

The criticality of the Elevation of Privilege – Windows Error Reporting Service (CVE-2024-26169) vulnerability has increased

Leave a reply

The criticality of the Elevation of Privilege - Windows Error Reporting Service (CVE-2024-26169) vulnerability has increased

The criticality of the Elevation of Privilege – Windows Error Reporting Service (CVE-2024-26169) vulnerability has increased. If exploited successfully, the attacker gains SYSTEM privileges. The vulnerability was fixed in Microsoft’s March Patch Tuesday. As often happens, no one highlighted this vulnerability back then. 🤷‍♂️

However, 3 months later, on June 12, Symantec researchers reported attacks related to the famous Black Basta ransomware, in which exploits for this vulnerability were used. If we believe the compilation timestamps, these exploits were created long before the release of Microsoft’s patches, in February 2024 or even December 2023. Of course, attackers could fake them, but why would they do that? 🤔

On June 13, the vulnerability was added to CISA KEV. The exploit is not yet publicly available.

The moral is the same: vulnerability prioritization is good, but regular unconditional patching is better.

На русском

The criticality of the Elevation of Privilege – Windows CSC Service vulnerability (CVE-2024-26229) has increased dramatically

Leave a reply

The criticality of the Elevation of Privilege - Windows CSC Service vulnerability (CVE-2024-26229) has increased dramatically

The criticality of the Elevation of Privilege – Windows CSC Service vulnerability (CVE-2024-26229) has increased dramatically. The vulnerability is from Microsoft’s April Patch Tuesday. In April, no one highlighted this vulnerability at all.

Microsoft wrote about it “Exploitation Less Likely”. All that was known was that if exploited successfully, the attacker could gain SYSTEM privileges.

But 2 months later, on June 10, an exploit appeared on GitHub. 🤷‍♂️ Surprise! The criticality of the vulnerability has increased dramatically.

Could this be somehow predicted? IMHO, not at all. Another confirmation that predicting trending vulnerabilities is, of course, good, but does not cancel regular unconditional patching according to the established SLA (AIT).

The author of the exploit clarified the CWE of the vulnerability.

It was: CWE-122 – Heap-based Buffer Overflow

It became: CWE-781 – Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code

На русском

June Microsoft Patch Tuesday

Leave a reply

June Microsoft Patch Tuesday

June Microsoft Patch Tuesday. There are 69 vulnerabilities in total, 18 of which were added between May and June Patch Tuesday. Among these added were 2 vulnerabilities with signs of exploitation in the wild:

🔻 Remote Code Execution – Chromium (CVE-2024-5274, CVE-2024-4947). Both vulnerabilities are in CISA KEV; there are no exploits for them yet.

For the remaining vulnerabilities, there are no formal signs of exploitation in the wild or public exploits yet.

The specialized InfoSec media pay attention to these 2:

🔸 Remote Code Execution – Microsoft Message Queuing (MSMQ) (CVE-2024-30080). This vulnerability has a high CVSS Score of 9.8. To get RCE, the attacker sends a specially crafted malicious packet to the MSMQ server. The vulnerability may well become wormable for Windows servers with MSMQ enabled. It is very similar to last year’s QueueJumper (CVE-2023-21554).
🔸 Denial of Service – DNSSEC (CVE-2023-50868). Vulnerability in DNSSEC validation. An attacker can cause DoS using standard DNS integrity protocols. 🤷‍♂️ I don’t see any super criticality, but this is rare for MS Patch Tuesday, which is probably why everyone is writing about it.

What else you can pay attention to:

🔸 Elevation of Privilege – Windows Win32k (CVE-2024-30091), Windows Kernel (CVE-2024-30088, CVE-2024-30099) and Windows Cloud Files Mini Filter Driver (CVE-2024-30085). Why these? Microsoft’s CVSS states that there are private Proof-of-Concept exploits for them.
🔸 Remote Code Execution – Microsoft Office (CVE-2024-30101). This is a Microsoft Outlook vulnerability. To successfully exploit this vulnerability, a user must open a malicious email in an affected version of Microsoft Outlook and then perform certain actions to trigger the vulnerability. It’s enough to open the email in the Preview Pane. However, to successfully exploit this vulnerability, an attacker needs to win the race condition.
🔸 Remote Code Execution – Microsoft Outlook (CVE-2024-30103). Preview Pane is a vector. Authentication required. The vulnerability is somehow related to the creation of malicious DLL files. 🤷‍♂️
🔸 Remote Code Execution – Windows Wi-Fi Driver (CVE-2024-30078). An attacker can execute code on a vulnerable system by sending a specially crafted network packet. The victim must be within the attacker’s Wi-Fi range and use a Wi-Fi adapter. Sounds interesting, let’s wait for details. 😈
🔸 Remote Code Execution – Microsoft Office (CVE-2024-30104). An attacker must send the user a malicious file and convince the user to open the file. The Preview Pane is NOT an attack vector.

🗒 Vulristics report on June Microsoft Patch Tuesday

На русском

The Remote Code Execution vulnerability – PHP on Windows hosts (CVE-2024-4577) is used in ransomware attacks

Leave a reply

The Remote Code Execution vulnerability - PHP on Windows hosts (CVE-2024-4577) is used in ransomware attacks

The Remote Code Execution vulnerability – PHP on Windows hosts (CVE-2024-4577) is used in ransomware attacks. I already had a post about this vulnerability earlier. Now Imperva Threat Research reports that this vulnerability is being used by attackers to deliver malware identified as a component of the TellYouThePass ransomware.

⏳ The attacks were noticed on June 8, less than 48 hours after the PHP developers released a patch. The attacks used an exploit that by that time was already publicly available.

TellYouThePass attacks have been reported since 2019. They target enterprises and individuals. Attackers encrypt both Windows and Linux infrastructure.

What conclusions can be drawn? If you see a vulnerability with a public exploit and a more or less clear vector of exploitation, don’t be lazy to patch it as quickly as possible. Because attackers will definitely not be too lazy to add this exploit to their malware. 😉

На русском