Tag Archives: vulnerability

About Remote Code Execution – CUPS cups-browsed (CVE-2024-47176) and other CUPS vulnerabilities

Leave a reply

About Remote Code Execution - CUPS cups-browsed (CVE-2024-47176) and other CUPS vulnerabilities

About Remote Code Execution – CUPS cups-browsed (CVE-2024-47176) and other CUPS vulnerabilities. On September 26, researcher Simone Margaritelli (evilsocket) disclosed 4 vulnerabilities of the CUPS print server for Linux systems (CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, CVE-2024-47177) in the cups-browsed, libcupsfilters, libppd and cups-filters components.

The vulnerability chain allows a remote unauthenticated attacker to silently replace existing printer IPP URLs with malicious ones by sending special packets to 631/UDP. Then, when a print job is initiated, an RCE occurs. Mass exploitation is possible in local networks via mDNS or DNS-SD.

The OpenPrinting/cups-browsed bulletin contains a PoC of the exploit.

How many potentially vulnerable hosts are accessible from the Internet?
🔻 According to Qualys and Rapid7 score – 75000.

No patches yet. 🤷‍♂️ So, let’s wait, check network accessed and disable cups-browsed, where it is not needed.

На русском

watchTowr Labs draws attention to some oddities with the fix for the Remote Code Execution – Veeam Backup & Replication vulnerability (CVE-2024-40711)

Leave a reply

watchTowr Labs draws attention to some oddities with the fix for the Remote Code Execution - Veeam Backup & Replication vulnerability (CVE-2024-40711)

watchTowr Labs draws attention to some oddities with the fix for the Remote Code Execution – Veeam Backup & Replication vulnerability (CVE-2024-40711).

🔹 The description of the vulnerability in NVD tells us that authentication is not required to exploit the vulnerability, but the CVSS vector in the vendor bulletin indicates that authentication is required (“PR:L”).

🔹 The large number of changes in the patch hints that the vendor fixed some vulnerabilities without informing customers (silent patching).

🔹 The researchers concluded that CVE-2024-40711 was fixed in several stages. At first, exploitation of the vulnerability did not require authentication, then a patch was released and exploitation began to require authentication, and finally, the second patch completely fixed this vulnerability.

❗ Exploitation of the vulnerability allows an attacker to destroy backups and significantly complicate the restoration of the organization’s infrastructure.

На русском

About Remote Code Execution – Veeam Backup & Replication (CVE-2024-40711) vulnerability

Leave a reply

About Remote Code Execution - Veeam Backup & Replication (CVE-2024-40711) vulnerability

About Remote Code Execution – Veeam Backup & Replication (CVE-2024-40711) vulnerability. The bulletin was released on September 4. The vulnerability description states that it is caused by deserialization of untrusted data with a malicious payload. The vulnerability was discovered by a researcher from CODE WHITE.

Five days later, on September 9, researchers from another company, watchTowr Labs, posted a detailed write-up, exploit code, and a video demonstrating exploitation.

There are no signs of exploitation in the wild for this vulnerability yet. As with the June vulnerability in Veeam B&R (CVE-2024-29849). This does not mean that attackers do not exploit these vulnerabilities. It is possible that targeted attacks using these vulnerabilities have simply not yet been reliably confirmed. For example, CISA KEV contains Veeam B&R vulnerabilities from 2022, which were added to the list only in 2023. 😉

Update in advance!

На русском

About Remote Code Execution – VMware vCenter (CVE-2024-38812)

Leave a reply

About Remote Code Execution - VMware vCenter (CVE-2024-38812)

About Remote Code Execution – VMware vCenter (CVE-2024-38812). The vulnerability was published on September 17. An attacker with network access to the vCenter Server can send a specially crafted network packet and cause an RCE. This is due to a heap overflow in the DCERPC protocol implementation.

The vulnerability was discovered during The Matrix Cup competition by a team from Tsinghua University. There is no write-up yet. There is only one repository on GitHub, where some no-name sells the exploit for $105 (upd. A confirmed scam). On AttackerKB, another no-name claims to have seen the vulnerability exploited in the wild. The reliability is questionable.

However, we remember a similar RCE vulnerability vCenter DCERPC CVE-2023-34048, which has been exploited in targeted attacks since 2021. Censys reported then about 293 vCenter hosts with DCERPC accessible from the Internet.

Chances are high that there will be a big story with this vulnerability too.

На русском

August episode of “In The Trend of VM”: 5 vulnerabilities in Microsoft Windows and one in WordPress

Leave a reply

August episode of “In The Trend of VM”: 5 vulnerabilities in Microsoft Windows and one in WordPress. We have branched off from Seclab news videos and started releasing separate episodes. Hooray! 🥳😎 If we get enough views, we will continue to release them in the future. It’s up to you, please follow the link to the video platform and click “Like” button and/or leave a comment. 🥺

📹 Video “In The Trend of VM” on YouTube
🗞 A post on Habr (rus) a slightly expanded script of the video
🗒 A compact digest (rus) on the official PT website

List of vulnerabilities:

🔻 00:48 Remote Code Execution – Windows Remote Desktop Licensing Service “MadLicense” (CVE-2024-38077)
🔻 02:22 Security Feature Bypass – Windows Mark of the Web “Copy2Pwn” (CVE-2024-38213)
🔻 03:23 Elevation of Privilege – Windows Ancillary Function Driver for WinSock (CVE-2024-38193), Windows Kernel (CVE-2024-38106), Windows Power Dependency Coordinator (CVE-2024-38107)
🔻 04:50 Unauthenticated Elevation of Privilege – WordPress LiteSpeed Cache Plugin (CVE-2024-28000)

English voice over was generated by my open source utility subtivo (subtitles to voice over)

06:39 Check out the final jingle I generated using AI services 😉 (ToolBaz for lyrics and Suno for music)

На русском

September Linux Patch Wednesday

Leave a reply

September Linux Patch Wednesday

September Linux Patch Wednesday. 460 vulnerabilities. Of these, 279 are in the Linux Kernel.

2 vulnerabilities with signs of exploitation in the wild, but without public exploits:

🔻 Security Feature Bypass – Chromium (CVE-2024-7965)
🔻 Memory Corruption – Chromium (CVE-2024-7971)

29 vulnerabilities with no sign of exploitation in the wild, but with a link to a public exploit or a sign of its existence. Can be highlighted:

🔸 Remote Code ExecutionpgAdmin (CVE-2024-2044), SPIP (CVE-2024-7954), InVesalius (CVE-2024-42845)
🔸 Command Injection – SPIP (CVE-2024-8517)

Among them are vulnerabilities from 2023, fixed in repos only now (in RedOS):

🔸 Remote Code Executionwebmin (CVE-2023-38303)
🔸 Code Injection – webmin (CVE-2023-38306, CVE-2023-38308)
🔸 Information DisclosureKeePass (CVE-2023-24055)

Debian brought “Google Chrome on Windows” vulnerabilities. 😣👎

🗒 Vulristics September Linux Patch Wednesday Report

На русском

The severity of the Spoofing – Windows MSHTML Platform vulnerability (CVE-2024-43461) has increased

Leave a reply

The severity of the Spoofing - Windows MSHTML Platform vulnerability (CVE-2024-43461) has increased

The severity of the Spoofing – Windows MSHTML Platform vulnerability (CVE-2024-43461) has increased. The vulnerability was fixed in September Microsoft Patch Tuesday. At the time of publication, Microsoft had not yet flagged this vulnerability as being exploited in the wild. They did this only 3 days later, on September 13.

ZDI Threat Hunting team researcher Peter Girnus discovered the vulnerability while investigating the Void Banshee APT attack. The vulnerability was exploited in the same attack chain as the trending Spoofing – Windows MSHTML Platform (CVE-2024-38112) vulnerability, patched in July.

Using this vulnerability, the attackers hid the extension of the malicious HTA file being opened by adding 26 Braille space characters to its name. Thus, victims may think that they are opening a harmless PDF document.

Installing the security update does not remove spaces in the file name, but Windows now shows the actual file extension. 👍

На русском