Tag Archives: vulnerability

I generated a report on the March Linux Patch Wednesday

Leave a reply

I generated a report on the March Linux Patch Wednesday
I generated a report on the March Linux Patch WednesdayI generated a report on the March Linux Patch WednesdayI generated a report on the March Linux Patch WednesdayI generated a report on the March Linux Patch WednesdayI generated a report on the March Linux Patch Wednesday

I generated a report on the March Linux Patch Wednesday. 134 vulnerabilities, of which 68 are in the Linux Kernel. There are no vulnerabilities with signs of exploitation in the wild. There are 15 vulnerabilities with PoCs.

🔸 The top vulnerability is Command Injection – libuv (CVE-2024-24806). This is a multi-platform library for asynchronous I/O. An attacker could potentially access internal APIs.

🔸 For aiohttp there is a pack of Command Injection (CVE-2023-37276, CVE-2023-47627, CVE-2023-49082) and Security Feature Bypass (CVE-2023-47641, CVE-2023-49081) with PoCs. It is an asynchronous client/server HTTP framework. The vulns were patched only in Russian RedOS and Debian.

🔸There are problems with vulnerability types/products detection due to the NVD crisis (no CPE & CWE). 🤷‍♂️

🔸 The Linux Kernel team is now a CNA and is creating a ton of CVEs with monstrously large descriptions. Because they can! 😏

🗒 March Linux Patch Wednesday

На русском

Over the weekend, I achieved the first results in my open source vulnerability detection project Vuldetta

Leave a reply

Over the weekend, I achieved the first results in my open source vulnerability detection project Vuldetta
Over the weekend, I achieved the first results in my open source vulnerability detection project VuldettaOver the weekend, I achieved the first results in my open source vulnerability detection project Vuldetta

Over the weekend, I achieved the first results in my open source vulnerability detection project Vuldetta. 😇

What I managed to do:

🔹 I parsed Ubuntu OVAL into simple detection rules based on package versions. The structure of Ubuntu OVAL is quite sophisticated, especially when it comes to detecting kernel vulnerabilities (not by packages, but by uname_test and variable_test 🤯). Despite the fact that OVAL content for each distribution version is downloaded in a separate file, distribution version checks are also implemented in OVAL. Now I just go through all the definitions, see which dpkginfo_test are used in the criteria and parse only them.

🔹 I made a primitive utility that uses these detection rules. Without any optimizations, parsing OVAL and calculating vulnerabilities takes 6.5 seconds. It works. 🙂👍

All code is available on Github. Next I will deal with kernel vulnerabilities, optimization and turn the code into an http API.

На русском

I looked at VulnCheck KEV

Leave a reply

I looked at VulnCheck KEV
I looked at VulnCheck KEVI looked at VulnCheck KEVI looked at VulnCheck KEVI looked at VulnCheck KEVI looked at VulnCheck KEVI looked at VulnCheck KEV

I looked at VulnCheck KEV. This is an analogue of CISA KEV (Know Exploited Vulnerabilities) by VulnCheck.

🔹 Unlike the public CISA KEV, only registered users have access to VulnCheck KEV. The VulnCheck website is accessible from Russian IPs 🇷🇺, but when registering they write that “account is currently under review” (in fact requests are simply blocked 🥸). Requests from non-Russian IPs are registered automatically. 🌝
🔹 There are ~2 times more CVEs in the database than in CISA KEV.
🔹 There are no standard tools for downloading all these CVEs via web-gui. 🤷‍♂️
🔹 There are links to exploits for CVEs that look good. 👌
🔹 There are signs of exploitation in the wild. Sometimes it’s clear, like “Outbreak Alerts 2023” pdf report. Sometimes it’s strange, like a link to a Shadowserver dashboard or a non-related blog post. 🤷‍♂️

The selection of CVEs is quite interesting, but the rationale for exploitation in the wild needs to be improved. 😉

На русском

Recently there was news about an RCE vulnerability in FortiOS and FortiProxy (CVE-2023-42789)

Leave a reply

Recently there was news about an RCE vulnerability in FortiOS and FortiProxy (CVE-2023-42789)
Recently there was news about an RCE vulnerability in FortiOS and FortiProxy (CVE-2023-42789)Recently there was news about an RCE vulnerability in FortiOS and FortiProxy (CVE-2023-42789)

Recently there was news about an RCE vulnerability in FortiOS and FortiProxy (CVE-2023-42789). It “allows attacker to execute unauthorized code or commands via specially crafted HTTP requests”. The vulnerability is exploited in the captive portal, which, in theory, should not be accessible from the Internet. This is why the Fortinet bulletin warns about an “inside attacker”.

There is a repository on GitHub that allegedly contains a PoC, but its reliability is questionable. The code only implements checking the availability of the captive portal; there is no payload there. The repository was created by a user without any reputation or previous activity. He sells the full exploit code for ~$262. It looks like a scam, but if suddenly this is a truly functional exploit, then it is likely that it will quickly leak to the public.

In any case, it is worth updating or getting rid of this solution.

На русском

First impressions of the March Microsoft Patch Tuesday

Leave a reply

First impressions of the March Microsoft Patch Tuesday
First impressions of the March Microsoft Patch TuesdayFirst impressions of the March Microsoft Patch TuesdayFirst impressions of the March Microsoft Patch TuesdayFirst impressions of the March Microsoft Patch TuesdayFirst impressions of the March Microsoft Patch TuesdayFirst impressions of the March Microsoft Patch TuesdayFirst impressions of the March Microsoft Patch Tuesday

First impressions of the March Microsoft Patch Tuesday. So far I have not seen anything overtly critical. There are 80 vulnerabilities in total, including 20 added between the February and March MSPT.

With PoC there is only one:

🔻 Information Disclosure – runc (CVE-2024-21626). It allows an attacker to escape from the container. What does Microsoft have to do with it? The vulnerability has been fixed in Azure Kubernetes Service and CBL-Mariner (Microsoft’s internal Linux distribution).

For the rest, there are no signs of active exploitation or the existence of a PoC yet.

We can pay attention to the following:

🔸 Elevation of Privilege – Windows Kernel (CVE-2024-21443, CVE-2024-26173, CVE-2024-26176, CVE-2024-26178, CVE-2024-26182). Such vulnerabilities often become exploitable recently. The same applies to Elevation of Privilege – Windows Print Spooler (CVE-2024-21433).
🔸 Remote Code Execution – Open Management Infrastructure (OMI) (CVE-2024-21334). CVSS 9.8 and ZDI write that “it would allow a remote, unauthenticated attacker to execute code on OMI instances on the Internet”. Perhaps such instances are indeed often accessible via the Internet, this requires research. 🤷‍♂️
🔸 Remote Code Execution – Windows Hyper-V (CVE-2024-21407). This “guest-to-host escape” vulnerability was highlighted by everyone: Qualys, Tenable, Rapid7, ZDI.
🔸 Remote Code Execution – Microsoft Exchange (CVE-2024-26198). This is a “DLL loading” vulnerability. The details are still unclear, but I wouldn’t be surprised if there will be a detailed write-up on it soon.

🗒 Vulristics report

На русском

Lord of the CVEs: NVD crisis

Leave a reply

Lord of the CVEs: NVD crisis

Lord of the CVEs: NVD crisis. The NVD website currently has a banner:

“NIST is currently working to establish a consortium to address challenges in the NVD program and develop improved tools and methods. You will temporarily see delays in analysis efforts during this transition. We apologize for the inconvenience and ask for your patience as we work to improve the NVD program.”

In fact, NVDs have completely stopped enriching CVE data (CVSS, CWE, CPE). And panic is growing in the global near-VM community. Almost everyone used NVD’s publicly available content and took it for granted. It turned out that everything could stop and consumers of NVD content would have to self-organize and obtain new sources of such data, like the kids in Golding’s Lord of the Flies. 🙂🐚🐷🪰

I still believe that these are temporary difficulties that will be solved by the reorganization of NVD. But if not, then it will be interesting to see where this leads. 🌝

На русском

I reach a wider audience: I talk about trending vulnerabilities in the SecLab News show

Leave a reply

I reach a wider audience: I talk about trending vulnerabilities in the SecLab News show. 🤩 It’s in Russian, but the automatically generated subtitles combined with automatic translation do a good job. The “Trending VM” section starts at 16:05. 🎞

As for the content, this is the February digest of trending vulnerabilities, but presented in a more lively format: simple phrases, with all sorts of memes, jokes and so on. Typical edutainment. 😏 The level of production demonstrated by the SecLab News team is, of course, amazing. I haven’t seen anything better yet. Very professional guys, it’s a pleasure to work with them. 🔥

In general, this is a trial attempt – the further fate of the section (and maybe not only the section) depends on you 😉.

➡️ Please follow the link, watch the episode, like it, leave a comment about the section. What you liked and what could have been done better.

We are really looking forward to your feedback. 🫠

На русском