Tag Archives: vulnerability

On May 3, more than 826 new vulnerabilities were added to NVD (in just one day)

Leave a reply

On May 3, more than 826 new vulnerabilities were added to NVD (in just one day)

On May 3, more than 826 new vulnerabilities were added to NVD (in just one day). Picture from the CVE.icu service, which visualizes NVD changes. There is also a list of these vulnerabilities. Most of them, 709, were added by ZDI. Why would they do that? 🤔

Last November I had a post (in Russian) that a number of trending vulnerabilities that were reported by ZDI are displayed in NVD as “CVE ID Not Found”. So, it seems the geniuses from Trend Micro ZDI finally noticed that their CVEs do not reach NVD and decided to fix this with such a massive import of problematic CVEs. 🤷‍♂️ At the same time, they clearly demonstrated the scale of the disaster. 🙂

Well, better late than never. But now it will be interesting to calculate the delay between the appearance of ZDI-CAN identifier and NVD CVE. 😏 For example, for RCE – WinRAR CVE-2023-40477, exploited in phishing attacks, it is 260 days. 🤠

PS: the final number for May 3rd is 847 CVE, but this is not that important.

На русском

4 RCEs in HPE Aruba Networking devices

Leave a reply

4 RCEs in HPE Aruba Networking devices4 RCEs in HPE Aruba Networking devices4 RCEs in HPE Aruba Networking devices4 RCEs in HPE Aruba Networking devices4 RCEs in HPE Aruba Networking devices

4 RCEs in HPE Aruba Networking devices. All 4 vulnerabilities relate to buffer overflows in various ArubaOS services. ArubaOS is a network operating system for Aruba networking equipment, including switches, access points, and gateways. The company’s main focus is on wireless networks.

All 4 vulnerabilities are exploited via requests to the Process Application Programming Interface (PAPI), UDP port 8211, no authentication required. All have CVSS 9.8.

Vulnerable Products:

🔻 Mobility Conductor (formerly Mobility Master)
🔻 Mobility Controllers
🔻 Aruba Central manages WLAN Gateways and SD-WAN Gateways

Updates are available for minor versions of ArubaOS 8 and 10. Legacy versions of ArubaOS and SD-WAN are also vulnerable.

Now is the time to check if you have anything from HPE Aruba on your network before an exploit appears. 😉

На русском

I generated a Vulristics report on the April Linux Patch Wednesday

Leave a reply

I generated a Vulristics report on the April Linux Patch Wednesday
I generated a Vulristics report on the April Linux Patch WednesdayI generated a Vulristics report on the April Linux Patch WednesdayI generated a Vulristics report on the April Linux Patch WednesdayI generated a Vulristics report on the April Linux Patch WednesdayI generated a Vulristics report on the April Linux Patch WednesdayI generated a Vulristics report on the April Linux Patch Wednesday

I generated a Vulristics report on the April Linux Patch Wednesday. Over the past month, Linux vendors have begun releasing patches for a record number of vulnerabilities – 348. There are signs of exploitation in the wild for 7 vulnerabilities (data on incidents from the FSTEC BDU). Another 165 have a link to an exploit or a sign of the existence of a public/private exploit.

Let’s start with 7 vulnerabilities with signs of exploitation in the wild and exploits:

🔻 The trending January vulnerability Authentication Bypass – Jenkins (CVE-2024-23897) unexpectedly appeared in the TOP. As far as I understand, Linux distributions usually do not include Jenkins packages in the official repositories and, accordingly, do not add Jenkins vulnerability detection rules to their OVAL content. Unlike the Russian Linux distribution RedOS. Therefore, RedOS has the earliest fix timestamp for this vulnerability.

🔻 2 RCE vulnerabilities. The most interesting of them is Remote Code Execution – Exim (CVE-2023-42118). When generating the report, I deliberately did not take into account the vulnerability description and product names from the BDU database (flags –bdu-use-product-names-flag, –bdu-use-vulnerability-descriptions-flag set to False). Otherwise, the report would be partly in English and partly in Russian. But it turned out that so far only BDU has an adequate description of this vulnerability. 🤷‍♂️ You need to take a closer look at this vulnerability because Exim is a fairly popular mail server. The second RCE vulnerability is in the web browser, Remote Code Execution – Safari (CVE-2023-42950).

🔻2 DoS vulnerabilities. Denial of Service – nghttp2/Apache HTTP Server (CVE-2024-27316) and Denial of Service – Apache Traffic Server (CVE-2024-31309). The second is classified in the report as Security Feature Bypass, but this is due to incorrect CWE in NVD (CWE-20 – Improper Input Validation)

🔻 2 browser vulnerabilities Security Feature Bypass – Chromium (CVE-2024-2628, CVE-2024-2630)

Among the vulnerabilities for which there are only signs of the existence of exploits so far, you can pay attention to the following:

🔸 A large number of RCE vulnerabilities (71). Most of them are in the gtkwave product. This is a viewer for VCD (Value Change Dump) files, which are typically created by digital circuit simulators. Also, the Remote Code Execution – Cacti (CVE-2023-49084, CVE-2023-49085) vulnerabilities look dangerous. Cacti is a solution for monitoring servers and network devices.

🔸 Security Feature Bypass – Sendmail (CVE-2023-51765). Allows an attacker to inject email messages with a spoofed MAIL FROM address.

🔸 A pack of Cross Site Scripting vulnerabilities in MediaWiki, Cacti, Grafana, Nextcloud.

There is a lot to explore this time. 🤩

🗒 April Linux Patch Wednesday

На русском

First impressions of the April Microsoft Patch Tuesday

Leave a reply

First impressions of the April Microsoft Patch Tuesday
First impressions of the April Microsoft Patch TuesdayFirst impressions of the April Microsoft Patch TuesdayFirst impressions of the April Microsoft Patch TuesdayFirst impressions of the April Microsoft Patch TuesdayFirst impressions of the April Microsoft Patch TuesdayFirst impressions of the April Microsoft Patch TuesdayFirst impressions of the April Microsoft Patch TuesdayFirst impressions of the April Microsoft Patch TuesdayFirst impressions of the April Microsoft Patch Tuesday

First impressions of the April Microsoft Patch Tuesday. I don’t even know what to write. 🤪 Very strange! 173 vulnerabilities, of which 23 were added since the last Patch Tuesday.

Microsoft flags one vulnerability as being exploited in the wild: Spoofing – Proxy Driver (CVE-2024-26234). And only Qualys briefly mentions it. Literally like this: “Microsoft has not disclosed any information about the vulnerability”. 😅 ZDI also claims that Security Feature Bypass – SmartScreen Prompt (CVE-2024-29988) is being exploited in the wild, which is a Mark of the Web (MotW) bypass.

There are no exploits for anything yet. The following vulnerabilities can be highlighted:

🔸 Remote Code Execution – Microsoft Excel (CVE-2024-26257). Can be exploited by an attacker when the victim opens a specially crafted file.
🔸 Remote Code Execution – RPC (CVE-2024-20678). It is highlighted by ZDI, which also claims 1.3 million exposed TCP 135 ports.
🔸 Spoofing – Outlook for Windows (CVE-2024-20670). ZDI writes that this is an Information Disclosure vulnerability that can be used in NTLM relay attacks.
🔸 Remote Code Execution – Windows DNS Server (CVE-2024-26221, CVE-2024-26222, CVE-2024-26223, CVE-2024-26224, CVE-2024-26227, CVE-2024-26231, CVE-2024-26233). Maybe some of this will be exploited in the wild, ZDI particularly highlights CVE-2024-26221.
🔸 Remote Code Execution – Microsoft Defender for IoT (CVE-2024-21322, CVE-2024-21323, CVE-2024-29053). It is an IoT and ICS/OT security solution that can be deployed on-prem.

There are simply indecently massive fixes:

🔹 Remote Code Execution – Microsoft OLE DB Driver for SQL Server / Microsoft WDAC OLE DB Provider for SQL Server / Microsoft WDAC SQL Server ODBC Driver. 28 CVEs! I won’t even list everything here. 😨
🔹 Security Feature Bypass – Secure Boot. 23 CVEs!

🗒 Vulristics report

На русском

Upd. 10.04 I slightly tweaked the vulnerability type detection to increase the priority of the detection based on the Microsoft generated description compared to the detection based on CWE. In particular, the type of vulnerability for Spoofing – Proxy Driver (CVE-2024-26234) and Spoofing – Outlook for Windows (CVE-2024-20670) has changed.

The digest of March trending vulnerabilities was published on the Positive Technologies website (in Russian)

Leave a reply

The digest of March trending vulnerabilities was published on the Positive Technologies website (in Russian)The digest of March trending vulnerabilities was published on the Positive Technologies website (in Russian)The digest of March trending vulnerabilities was published on the Positive Technologies website (in Russian)The digest of March trending vulnerabilities was published on the Positive Technologies website (in Russian)The digest of March trending vulnerabilities was published on the Positive Technologies website (in Russian)

The digest of March trending vulnerabilities was published on the Positive Technologies website (in Russian). I also generated a Vulristics report for these vulnerabilities. There are 5 vulnerabilities in total.

🔻 For 3 vulnerabilities there are exploits and confirmed signs of exploitation in the wild: AuthBypassTeamCity (CVE-2024-27198), RCE – FortiClientEMS (CVE-2023-48788), EoPWindows Kernel (CVE-2024-21338).

🔻 For 2 more vulnerabilities there are no signs of exploitation in the wild yet, but there are exploits: EoP – Windows CLFS Driver (CVE-2023-36424), RCEMicrosoft Outlook (CVE-2024-21378).

На русском

The fundamental Open Source vulnerability demonstrated by the XZ Utils backdoor is not technical at all

Leave a reply

The fundamental Open Source vulnerability demonstrated by the XZ Utils backdoor is not technical at all

The fundamental Open Source vulnerability demonstrated by the XZ Utils backdoor is not technical at all. The fact is that the work of the communities responsible for writing commonly used code is based on more infantile principles than the work of children building a castle in a sandbox.

Some dedicated computer geeks on some mailing list somehow get organized and solve monstrously complex technical problems that affect hundreds of millions of people. 🤷‍♂️ Who are these geeks, what is their motivation, how adequate are the community leaders they choose? 🤔

As people familiar with the situation write, the backdoor in XZ Utils was allegedly added by a developer who, over the course of 2 years, joined the project, becoming its maintainer and main contributor. 😎 And the previous maintainer was gaslighted with the help of virtual trolls and was forced to share power. 🤷‍♂️ As a result, a Microsoft employee accidentally found the backdoor and raised the alarm.

На русском

For the January Elevation of Privilege (Local Privilege Escalation) – Linux Kernel (CVE-2024-1086), the write-up and PoC were released on March 26

Leave a reply

For the January Elevation of Privilege (Local Privilege Escalation) - Linux Kernel (CVE-2024-1086), the write-up and PoC were released on March 26
For the January Elevation of Privilege (Local Privilege Escalation) - Linux Kernel (CVE-2024-1086), the write-up and PoC were released on March 26

For the January Elevation of Privilege (Local Privilege Escalation) – Linux Kernel (CVE-2024-1086), the write-up and PoC were released on March 26. The video demo for the script looks impressive: they run the script as a regular user and after a couple of seconds they get a root shell. According to the author, the exploit works with most Linux kernels between versions 5.14 and 6.6, including Debian, Ubuntu and KernelCTF.

🔻 The exploit requires kconfig CONFIG_USER_NS=y; sh command sysctl kernel.unprivileged_userns_clone = 1; kconfig CONFIG_NF_TABLES=y. The author writes that this is the default for Debian, Ubuntu, and KernelCTF, and for other distributions it is necessary to test it.
🔹 The exploit does not work with kernels v6.4> with kconfig CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y (including Ubuntu v6.5)

NSFOCUS writes that Redhat is also vulnerable. 🤷‍♂️

На русском