Tag Archives: vulnerability

September episode of “In The Trend of VM”: 7 CVEs, fake reCAPTCHA, lebanese pagers, VM and IT annual bonuses

Leave a reply

September episode of “In The Trend of VM”: 7 CVEs, fake reCAPTCHA, lebanese pagers, VM and IT annual bonuses. Starting this month, we decided to slightly expand the topics of the videos and increase their duration. I cover not only the trending vulnerabilities of September, but also social engineering cases, real-world vulnerability exploitation, and practices of vulnerability management process. At the end we announce a contest of questions about Vulnerability Management with gifts. 🎁

📹 Video “In The Trend of VM” on YouTube
🗞 A post on Habr (rus) a slightly expanded script of the video
🗒 A compact digest on the official PT website

Content:

🔻 00:51 Elevation of Privilege – Windows Installer (CVE-2024-38014) and details about this vulnerability
🔻 02:42 Security Feature Bypass – Windows Mark of the Web “LNK Stomping” (CVE-2024-38217)
🔻 03:50 Spoofing – Windows MSHTML Platform (CVE-2024-43461)
🔻 05:07 Remote Code Execution – VMware vCenter (CVE-2024-38812)
🔻 06:20 Remote Code Execution – Veeam Backup & Replication (CVE-2024-40711), while the video was being edited, data about exploitation in the wild appeared
🔻 08:33 Cross Site Scripting – Roundcube Webmail (CVE-2024-37383)
🔻 09:31 SQL Injection – The Events Calendar plugin for WordPress (CVE-2024-8275)
🔻 10:30 Human vulnerabilities: fake reCAPTCHA
🔻 11:45 Real world vulnerabilities: еxplosions of pagers and other electronic devices in Lebanon and the consequences for the whole world
🔻 14:42 Vulnerability management process practices: tie annual bonuses of IT specialists to meeting SLAs for eliminating vulnerabilities
🔻 16:03 Final and announcement of the contest
🔻 16:24 Backstage

На русском

October Linux Patch Wednesday

Leave a reply

October Linux Patch Wednesday

October Linux Patch Wednesday. There are 248 vulnerabilities in total. Of these, 92 are in the Linux Kernel.

5 vulnerabilities with signs of exploitation in the wild:

🔻 Remote Code Execution – CUPS (CVE-2024-47176) and 4 more CUPS vulnerabilities that can also be used to enhance DoS attacks
🔻 Remote Code Execution – Mozilla Firefox (CVE-2024-9680)

For 10 vulnerabilities there are no signs of exploitation in the wild yet, but exploits exist. Among them, the following can be highlighted:

🔸 Remote Code Execution – Cacti (CVE-2024-43363)
🔸 Elevation of Privilege – Linux Kernel (CVE-2024-46848)
🔸 Arbitrary File Reading – Jenkins (CVE-2024-43044)
🔸 Denial of Service – CUPS (CVE-2024-47850)
🔸 Cross Site Scripting – Rollup JavaScript module (CVE-2024-47068)

🗒 Vulristics October Linux Patch Wednesday Report

На русском

About Cross Site Scripting – Roundcube Webmail (CVE-2024-37383) vulnerability

Leave a reply

About Cross Site Scripting - Roundcube Webmail (CVE-2024-37383) vulnerability

About Cross Site Scripting – Roundcube Webmail (CVE-2024-37383) vulnerability. Roundcube is a web-based email client with functionality comparable to desktop email clients such as Outlook Express or Mozilla Thunderbird.

The vulnerability is caused by an error in the processing of SVG elements in the email body. The victim opens an email from the attacker, which causes malicious JavaScript code to be executed in the context of the user’s page.

In September 2024, specialists from the TI department of the Positive Technologies Expert Security Center (PT ESC) discovered a malicious email with signs of exploitation of this vulnerability. It was sent to one of the government agencies of the CIS countries.

Attacks on Roundcube are not uncommon. At the end of last year, there were news about the exploitation of a similar vulnerability CVE-2023-5631 in targeted attacks.

Update it in a timely manner!

На русском

Veeam B&R RCE vulnerability CVE-2024-40711 is exploited in attacks

Leave a reply

Veeam B&R RCE vulnerability CVE-2024-40711 is exploited in attacks

Veeam B&R RCE vulnerability CVE-2024-40711 is exploited in attacks. On September 24, there were no signs of this vulnerability being exploited in the wild. And on October 10, Sophos X-Ops reported that they had observed a series of attacks exploiting this vulnerability over the course of a month. The attackers’ goal was to install Akira and Fog ransomware. 🤷‍♂️

The thesis of my original post was correct. The absence of reports on the exploitation of vulnerabilities in real attacks is not a reason to ignore them.

“This does not mean that attackers do not exploit these vulnerabilities. It is possible that targeted attacks using these vulnerabilities have simply not yet been reliably confirmed.”

🟥 Positive Technologies classifies the vulnerability as trending since September 10th.

На русском

Ford won’t work?

Leave a reply

Ford won't work?

Ford won’t work? There were a lot of comments about “paying vulnerability fixers only when they are in the break room“. I’ll say right away that the post was a joke. Staff motivation is too delicate a topic to give serious recommendations. 🙂

But I will sort out the objections:

🔻 IT staff will sabotage the vulnerability detection process by tweaking host configs. So that the scanner will produce only green reports. But IT staff can do this at any time, and we need to take this into account. 🤷‍♂️

🔻 IT staff will simply turn off hosts. If they can do this without harming the business, that’s great. 👍 And if this will break the production environment, then let them deal with their IT management. 😏

🔻 There is an opinion that the method is good, but only 2% of vulnerabilities used in attack chains need to be fixed. I traditionally DO NOT agree with the possibility of reliably separating these mythical 2% of vulnerabilities. Everything needs to be fixed. 😉

На русском

October Microsoft Patch Tuesday

Leave a reply

October Microsoft Patch Tuesday

October Microsoft Patch Tuesday. 146 CVEs, of which 28 were added since September MSPT. 2 vulnerabilities with signs of exploitation in the wild:

🔻 Remote Code Execution – Microsoft Management Console (CVE-2024-43572)
🔻 Spoofing – Windows MSHTML Platform (CVE-2024-43573)

Without signs of exploitation in the wild, but with a public PoC exploit:

🔸 Remote Code Execution – Open Source Curl (CVE-2024-6197)

Private exploits exist for:

🔸 Information Disclosure – Microsoft Edge (CVE-2024-38222)
🔸 Security Feature Bypass – Windows Hyper-V (CVE-2024-20659)

Among the rest can be highlighted:

🔹 Remote Code Execution – Remote Desktop Protocol Server (CVE-2024-43582)
🔹 Remote Code Execution – Windows Remote Desktop Client (CVE-2024-43533, CVE-2024-43599)
🔹 Remote Code Execution – Windows Routing and Remote Access Service (RRAS) (CVE-2024-38212 and 11 more CVEs)

🗒 Full Vulristics report

На русском

Vulnerability Remediation using the “Ford Method”

Leave a reply

Vulnerability Remediation using the Ford Method

Vulnerability Remediation using the “Ford Method”. There is a popular story in the Russian segment of the Internet. Allegedly, an experiment was carried out at Henry Ford’s plant: conveyor repair workers were paid only for the time they were in the break room. And as soon as the conveyor stopped 🚨 and the repair workers went to fix it, they stopped getting paid. Therefore, they did their work quickly and efficiently, so that they could quickly (and for a long time) return to the break room and start earning money again. 👷‍♂️🪙

I did not find any reliable evidence of this. 🤷‍♂️

But what if the specialists responsible for vulnerability remediation were paid only for the time when vulnerabilities are not detected on their hosts. 🤔 This can have a very positive impact on the speed and quality of remediation. Unsolvable problems will quickly become solvable, and automation of testing and deployment of updates will develop at the fastest pace. 😏

На русском