vulnerability | Alexander V. Leonov

Trending vulnerabilities for June according to Positive Technologies. Traditionally, in 3 formats (in Russian):

📹 The section “Trending VM” in the SecLab news video (starts at 15:03)
🗞 Post on the Habr website, in fact this is a slightly expanded scenario for the “Trending VM” section
🗒 Compact digest with technical details on the official PT website

List of vulnerabilities:

🔻 EoP in Microsoft Windows CSC (CVE-2024-26229)
🔻 EoP in Microsoft Windows Error Reporting (CVE-2024-26169)
🔻 EoP in Microsoft Windows Kernel (CVE-2024-30088)
🔻 RCE in PHP (CVE-2024-4577)
🔻 EoP in Linux Kernel (CVE-2024-1086)
🔻 InfDisclosure in Check Point Security Gateways (CVE-2024-24919)
🔻 RCE in VMware vCenter (CVE-2024-37079, CVE-2024-37080)
🔻 AuthBypass in Veeam Backup & Replication (CVE-2024-29849)

На русском

I watched a joint webinar by Vulners and RST Cloud about Vulnerability Prioritization.

🔹 Kir Ermakov from Vulners spoke about the importance of prioritizing vulnerabilities (especially for MSSP companies, since they are responsible for customer security) and how it can be improved using dynamically updated AI Score v2. I really liked his phrase: “if you don’t know your assets very well, turn off the webinar and go do Asset Management”. Asset Management is the base. 👍

🔹 Yury Sergeev from RST Cloud told how, when prioritizing vulnerabilities, take into account data on the exploitation of vulnerabilities in real attacks (in your location, in your industry, for your attacker profile). He provided a formula and demonstrated how taking these factors into account affects prioritization. I liked his regreSSHion example: there is a lot of hype, but the attack is very noticeable and takes a lot of time, so the exploitation is unlikely to be widespread.

На русском

Attackers are distributing malware on social networks under the guise of the regreSSHion exploit (CVE-2024-6387). According to Kaspersky Lab experts, this is an attack on cybersecurity specialists. The attackers invite victims to examine an archive that supposedly contains a functional regreSSHion exploit, a list of IP addresses, and some payload.

🔻 The source code resembles a slightly edited version of a non-functional proof-of-concept exploit for this vulnerability that was already public.

🔻 One of the Python scripts simulates the exploitation of the vulnerability on IP addresses from the list. But in reality, it launches malware that achieves persistence in the system and downloads additional payload. The malware modifies /etc/cron.hourly and the operation of the ls command.

If you are examining someone else’s code, do so in a securely isolated environment and be aware that you may be attacked this way. 😉

На русском

Microsoft is beginning to add CVEs to address security flaws in its cloud services. It’s not as straightforward. Assume a cloud CRM has a vulnerability. The vendor instantly corrected it for everyone, and clients didn’t need to take any action. What good is it to issue a CVE for this? 🤔

But Microsoft believes it’s required for greater transparency, and the new rules require CNAs (CVE Numbering Authorities) to add vulnerabilities that could cause significant harm, regardless of whether customers have to take action to fix the vulnerabilities or not. 🤷‍♂️

Microsoft promises to mark such vulnerabilities, such as CVE-2024-35260 “CVE requires no customer action to resolve”. There will be a special tag in CVEorg as well.

Whether or not it is necessary to register cloud service vulnerabilities as CVE is a controversial issue. But it is a fact that, due to this practice, the number of identifiers in CVEorg/NVD will grow much faster. 🤷‍♂️

На русском

OpenSSH “regreSSHion” RCE with root privileges (CVE-2024-6387). The vulnerability was discovered by Qualys. An unauthenticated remote attacker can execute arbitrary code as root. It sounds creepy. 😱🙂

This vulnerability is a regression of the CVE-2006-5051. For it, by the way, there are no signs of exploitation in the wild or exploits.

🔻 The regression happened in October 2020, starting with OpenSSH version 8.5p1
🔻 “glibc-based Linux systems” in default configuration are vulnerable, OpenBSD is not vulnerable
🔻 There are 14 million potentially vulnerable hosts on the Internet
🔻 Qualys promise not to publish the exploit, but third-party researchers can write it based on the detailed write-up

Vulnerable versions:

❌ OpenSSH < 4.4p1
❌ 8.5p1 <= OpenSSH < 9.8p1 Invulnerable versions: ✅ 4.4p1 <= OpenSSH < 8.5p1
✅ OpenSSH >= 9.8p1

Upd. Attacking a 32-bit system with ASLR in laboratory conditions took 6-8 hours. Apparently the process is not so easy. 😉

На русском

The severity of the Elevation of Privilege – Windows Kernel (CVE-2024-30088) has increased. The vulnerability is fresh, it is from the June Microsoft Patch Tuesday. I highlighted it in the review because, according to the CVSS vector, there was a private Proof-of-Concept Exploit for it. But there were no details. It was only clear that in case of successful exploitation, the attacker gains SYSTEM privileges. According to the ZDI advisory, the vulnerability affects the implementation of NtQueryInformationToken and is due to the lack of proper locking when performing operations on the object.

On June 24, 2 weeks after the June Patch Tuesday, a repository with technical details on this vulnerability and PoC appeared on GitHub. A video of running the utility to obtain SYSTEM privileges is also available.

A lot of exploits have begun to appear for Windows EoP/LPE vulnerabilities recently. Fix them in advance!

На русском

Linux Patch Wednesday: here is this May peak! 🤦‍♂️ Also about June Linux Patch Wednesday. If you remember, in my post about the May Linux Patch Wednesday I was happy that, despite the launch of the rule for Unknown dates, the peak in May was insignificant. Although “32406 oval definitions without a date received a nominal date of 2024-05-15”. It turned out that the peak was not visible due to an error in the code. Ba-dum-tss! 🥸🤷‍♂️

I noticed that not all CVEs are in LPW bulletins, despite the addition of nominal dates, for example the high-profile vulnerability Elevation of Privilege (Local Privilege Escalation) – Linux Kernel (CVE-2024-1086). I could not find it anywhere. I debugged the function that distributes vulnerabilities into bulletins and added tests. I have ensured that all 38362 CVEs from the Linux OVAL content are actually distributed in bulletins. Including CVE-2024-1086. Here it is in February:

$ grep "CVE-2024-1086"  bulletins/*
bulletins/2024-02-21.json:        "CVE-2024-1086": [
bulletins/2024-02-21.json:                "title": "CVE-2024-1086 linux",
bulletins/2024-02-21.json:                "title": "CVE-2024-1086 linux",
bulletins/2024-02-21.json:                "title": "CVE-2024-1086 linux",

Well, there really is a peak in May. And how huge it is! 11476 CVEs! 😱 This is so much that I regenerated the Vulristics report for it only using 2 sources: Vulners and BDU. Since even from Vulners the data was not collected quickly enough. The report contains 77 vulnerabilities with signs of active exploitation in the wild and 1404 vulnerabilities with exploits, but without signs of active exploitation in the wild. Since for the most part these are old vulnerabilities for which it was simply not clear exactly when they were fixed, for example, Remote Code Execution – Apache HTTP Server (CVE-2021-42013), I will not analyze them in detail – for those interested, see the report. But please note that the report size is very large.

🗒 Vulristics report on the May Linux Patch Wednesday (31.3 MB)

As for the June Linux Patch Wednesday, which was finalized on June 19, there are 1040 vulnerabilities. Also quite a lot. Why is this so? On the one hand, the rule for Unknown dates added 977 Debian OVAL definitions without a date. Not 30k, like in May, but also significant. Out of 1040 vulnerabilities, 854 are Linux Kernel vulnerabilities. Moreover, there are quite a lot of “old” vulnerability identifiers, but created in 2024. For example, CVE-2021-47489 with NVD Published Date 05/22/2024. 🤔 CNA Linux Kernel is doing something strange.

🔻 With signs of exploitation in the wild again Remote Code Execution – Chromium (CVE-2024-5274, CVE-2024-4947), like in Microsoft Patch Tuesday. According to the BDU, Remote Code Execution – Libarchive (CVE-2024-26256) is also exploited in the wild.

🔸 Another 20 vulnerabilities with a public exploit. I can highlight separately Remote Code Execution – Cacti (CVE-2024-25641) and Remote Code Execution – onnx/onnx framework (CVE-2024-5187).

🗒 Vulristics report on the June Linux Patch Wednesday (4.4 MB)

This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.

Alexander V. Leonov

Vulnerability Management and more

Tag Archives: vulnerability

Trending vulnerabilities for June according to Positive Technologies

I watched a joint webinar by Vulners and RST Cloud about Vulnerability Prioritization

Attackers are distributing malware on social networks under the guise of the regreSSHion exploit (CVE-2024-6387)

OpenSSH “regreSSHion” RCE with root privileges (CVE-2024-6387)

The severity of the Elevation of Privilege – Windows Kernel (CVE-2024-30088) has increased

Linux Patch Wednesday: here is this May peak!