vulnerability | Alexander V. Leonov

Regarding the critical vulnerability Authentication Bypass – Veeam Backup & Replication (CVE-2024-29849). Veeam B&R is client-server software for centralized backup of virtual machines in VMware vSphere and Microsoft Hyper-V environments.

The vulnerability was found in the Backup Enterprise Manager component – a web console for management and reporting. An unauthenticated attacker could log into the web console as any user. CVSS 9.8.

🔸 The vulnerability was fixed by the vendor on May 21.

🔸 3 weeks later, on June 10, a researcher with the nickname SinSinology posted a write-up (based on analysis of the patch) and a PoC for this vulnerability.

There are no signs of exploitation in the wild yet, but most likely they will appear in the near future. Compromising backups is no less a tempting target than compromising virtual infrastructure.

Be sure to update!

Regarding the critical vulnerabilities Remote Code Execution – VMware vCenter (CVE-2024-37079, CVE-2024-37080). vCenter is a product for centralized management of virtual infrastructure on the VMware vSphere platform.

Both vulnerabilities were fixed on June 17. They have the same description and CVSS 9.8.

The vulnerabilities are related to heap overflow in the implementation of the DCERPC protocol. An attacker with network access to vCenter Server sends a specially crafted network packet and potentially triggers RCE.

There is no public exploit or sign of exploitation in the wild yet, however:

🔸 The description of the vulnerabilities is very similar to last year’s actively exploited vCenter RCE (CVE-2023-34048).

🔸 The “screenshot of vSphere Client”, the vCenter interface, has become a kind of meme for attackers, confirming that the organization’s virtual infrastructure has been compromised.

Be sure to update!

На русском

The criticality of the Elevation of Privilege – Windows Error Reporting Service (CVE-2024-26169) vulnerability has increased. If exploited successfully, the attacker gains SYSTEM privileges. The vulnerability was fixed in Microsoft’s March Patch Tuesday. As often happens, no one highlighted this vulnerability back then. 🤷‍♂️

However, 3 months later, on June 12, Symantec researchers reported attacks related to the famous Black Basta ransomware, in which exploits for this vulnerability were used. If we believe the compilation timestamps, these exploits were created long before the release of Microsoft’s patches, in February 2024 or even December 2023. Of course, attackers could fake them, but why would they do that? 🤔

On June 13, the vulnerability was added to CISA KEV. The exploit is not yet publicly available.

The moral is the same: vulnerability prioritization is good, but regular unconditional patching is better.

На русском

The criticality of the Elevation of Privilege – Windows CSC Service vulnerability (CVE-2024-26229) has increased dramatically. The vulnerability is from Microsoft’s April Patch Tuesday. In April, no one highlighted this vulnerability at all.

Microsoft wrote about it “Exploitation Less Likely”. All that was known was that if exploited successfully, the attacker could gain SYSTEM privileges.

But 2 months later, on June 10, an exploit appeared on GitHub. 🤷‍♂️ Surprise! The criticality of the vulnerability has increased dramatically.

Could this be somehow predicted? IMHO, not at all. Another confirmation that predicting trending vulnerabilities is, of course, good, but does not cancel regular unconditional patching according to the established SLA (AIT).

The author of the exploit clarified the CWE of the vulnerability.

It was: CWE-122 – Heap-based Buffer Overflow

It became: CWE-781 – Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code

На русском

An idea worth a million Hamster coins. 🐹😅 Website/app to tap on CVEs. But it will make sense to tap not on all CVEs, but only on those that should have a confirmed exploit or sign of exploitation in the wild within the next week.

🪙 When such a sign or exploit does appear, distribute coins to those who have been tapping on this vulnerability for the last week. In proportion to the number of taps, the criticality of the vulnerability, etc.

📈 And based on the analysis of these taps, it will be possible to make forecasts on the exploitability of vulnerabilities. With the help of AI, of course.

I am sure that this will work much better than EPSS and social network fortune tellers. 😅

На русском

June Microsoft Patch Tuesday. There are 69 vulnerabilities in total, 18 of which were added between May and June Patch Tuesday. Among these added were 2 vulnerabilities with signs of exploitation in the wild:

🔻 Remote Code Execution – Chromium (CVE-2024-5274, CVE-2024-4947). Both vulnerabilities are in CISA KEV; there are no exploits for them yet.

For the remaining vulnerabilities, there are no formal signs of exploitation in the wild or public exploits yet.

The specialized InfoSec media pay attention to these 2:

🔸 Remote Code Execution – Microsoft Message Queuing (MSMQ) (CVE-2024-30080). This vulnerability has a high CVSS Score of 9.8. To get RCE, the attacker sends a specially crafted malicious packet to the MSMQ server. The vulnerability may well become wormable for Windows servers with MSMQ enabled. It is very similar to last year’s QueueJumper (CVE-2023-21554).
🔸 Denial of Service – DNSSEC (CVE-2023-50868). Vulnerability in DNSSEC validation. An attacker can cause DoS using standard DNS integrity protocols. 🤷‍♂️ I don’t see any super criticality, but this is rare for MS Patch Tuesday, which is probably why everyone is writing about it.

What else you can pay attention to:

🔸 Elevation of Privilege – Windows Win32k (CVE-2024-30091), Windows Kernel (CVE-2024-30088, CVE-2024-30099) and Windows Cloud Files Mini Filter Driver (CVE-2024-30085). Why these? Microsoft’s CVSS states that there are private Proof-of-Concept exploits for them.
🔸 Remote Code Execution – Microsoft Office (CVE-2024-30101). This is a Microsoft Outlook vulnerability. To successfully exploit this vulnerability, a user must open a malicious email in an affected version of Microsoft Outlook and then perform certain actions to trigger the vulnerability. It’s enough to open the email in the Preview Pane. However, to successfully exploit this vulnerability, an attacker needs to win the race condition.
🔸 Remote Code Execution – Microsoft Outlook (CVE-2024-30103). Preview Pane is a vector. Authentication required. The vulnerability is somehow related to the creation of malicious DLL files. 🤷‍♂️
🔸 Remote Code Execution – Windows Wi-Fi Driver (CVE-2024-30078). An attacker can execute code on a vulnerable system by sending a specially crafted network packet. The victim must be within the attacker’s Wi-Fi range and use a Wi-Fi adapter. Sounds interesting, let’s wait for details. 😈
🔸 Remote Code Execution – Microsoft Office (CVE-2024-30104). An attacker must send the user a malicious file and convince the user to open the file. The Preview Pane is NOT an attack vector.

🗒 Vulristics report on June Microsoft Patch Tuesday

На русском

Exploit accounting in Vulristics: bug and new component name.

🔹 I discovered that sometime in April a bug was added to Vulristics: vulnerabilities without exploits received the value of the corresponding component 0.5, not 0. 🤦‍♂️ Somehow I didn’t pay attention to it and no one reported it to me. I corrected it with today’s commit. I’m going to regenerate the Microsoft Patch Tuesday and Linux Patch Wednesday reports for April and May. This, of course, is not a super-critical bug, but the final vulnerability score was distorted. If you use Vulristics, take note and update.

🔹 At the same time, I renamed the “Public Exploit Exists” component to the more logical “Exploit Exists”. It takes values:
1, if there is a public exploit (link or flag in the BDU)
0, if there is no exploit data at all
from 0 to 1, if there is data about a private exploit/PoC

🔹 I created a Changelog and added the “-v” or “–version” parameters. I have been running a project without versions since 2020. 😅🤷‍♂️

На русском

This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.

Alexander V. Leonov

Vulnerability Management and more

Tag Archives: vulnerability

Regarding the critical vulnerability Authentication Bypass – Veeam Backup & Replication (CVE-2024-29849)

Regarding the critical vulnerabilities Remote Code Execution – VMware vCenter (CVE-2024-37079, CVE-2024-37080)

The criticality of the Elevation of Privilege – Windows Error Reporting Service (CVE-2024-26169) vulnerability has increased

The criticality of the Elevation of Privilege – Windows CSC Service vulnerability (CVE-2024-26229) has increased dramatically

An idea worth a million Hamster coins

June Microsoft Patch Tuesday

Exploit accounting in Vulristics: bug and new component name