Tag Archives: vulnerability

Veeam B&R RCE vulnerability CVE-2024-40711 is exploited in attacks

Veeam B&R RCE vulnerability CVE-2024-40711 is exploited in attacks. On September 24, there were no signs of this vulnerability being exploited in the wild. And on October 10, Sophos X-Ops reported that they had observed a series of attacks exploiting this vulnerability over the course of a month. The attackers’ goal was to install Akira and Fog ransomware. 🤷‍♂️

The thesis of my original post was correct. The absence of reports on the exploitation of vulnerabilities in real attacks is not a reason to ignore them.

“This does not mean that attackers do not exploit these vulnerabilities. It is possible that targeted attacks using these vulnerabilities have simply not yet been reliably confirmed.”

🟥 Positive Technologies classifies the vulnerability as trending since September 10th.

На русском

Ford won’t work?

Leave a reply

Ford won’t work? There were a lot of comments about “paying vulnerability fixers only when they are in the break room“. I’ll say right away that the post was a joke. Staff motivation is too delicate a topic to give serious recommendations. 🙂

But I will sort out the objections:

🔻 IT staff will sabotage the vulnerability detection process by tweaking host configs. So that the scanner will produce only green reports. But IT staff can do this at any time, and we need to take this into account. 🤷‍♂️

🔻 IT staff will simply turn off hosts. If they can do this without harming the business, that’s great. 👍 And if this will break the production environment, then let them deal with their IT management. 😏

🔻 There is an opinion that the method is good, but only 2% of vulnerabilities used in attack chains need to be fixed. I traditionally DO NOT agree with the possibility of reliably separating these mythical 2% of vulnerabilities. Everything needs to be fixed. 😉

На русском

October Microsoft Patch Tuesday

Leave a reply

October Microsoft Patch Tuesday. 146 CVEs, of which 28 were added since September MSPT. 2 vulnerabilities with signs of exploitation in the wild:

🔻 Remote Code Execution – Microsoft Management Console (CVE-2024-43572)
🔻 Spoofing – Windows MSHTML Platform (CVE-2024-43573)

Without signs of exploitation in the wild, but with a public PoC exploit:

🔸 Remote Code Execution – Open Source Curl (CVE-2024-6197)

Private exploits exist for:

🔸 Information Disclosure – Microsoft Edge (CVE-2024-38222)
🔸 Security Feature Bypass – Windows Hyper-V (CVE-2024-20659)

Among the rest can be highlighted:

🔹 Remote Code Execution – Remote Desktop Protocol Server (CVE-2024-43582)
🔹 Remote Code Execution – Windows Remote Desktop Client (CVE-2024-43533, CVE-2024-43599)
🔹 Remote Code Execution – Windows Routing and Remote Access Service (RRAS) (CVE-2024-38212 and 11 more CVEs)

🗒 Full Vulristics report

На русском

Vulnerability Remediation using the “Ford Method”

Leave a reply

Vulnerability Remediation using the “Ford Method”. There is a popular story in the Russian segment of the Internet. Allegedly, an experiment was carried out at Henry Ford’s plant: conveyor repair workers were paid only for the time they were in the break room. And as soon as the conveyor stopped 🚨 and the repair workers went to fix it, they stopped getting paid. Therefore, they did their work quickly and efficiently, so that they could quickly (and for a long time) return to the break room and start earning money again. 👷‍♂️🪙

I did not find any reliable evidence of this. 🤷‍♂️

But what if the specialists responsible for vulnerability remediation were paid only for the time when vulnerabilities are not detected on their hosts. 🤔 This can have a very positive impact on the speed and quality of remediation. Unsolvable problems will quickly become solvable, and automation of testing and deployment of updates will develop at the fastest pace. 😏

На русском

Continuing the story about recent CUPS vulnerabilities: vulnerable hosts will be used by attackers to amplify DDoS attacks

Leave a reply

Continuing the story about recent CUPS vulnerabilities: vulnerable hosts will be used by attackers to amplify DDoS attacks.

Researchers from Akamai Technologies wrote about this. An attacker can send a special packet to a vulnerable host with CUPS: “add a printer located at this IP address”. CUPS will start sending large IPP/HTTP requests to the specified IP address. Thus, vulnerable hosts can be organized in such a way that they start DDoSing IP addresses chosen by the attacker.

Akamai has discovered more than 198,000 vulnerable hosts with CUPS, of which more than 58,000 (34%) can be used for DDoS attacks. Of these, hundreds demonstrated an “infinite loop” of requests in response to HTTP/404.

Assuming that all 58,000+ vulnerable hosts are used for the attack, they can cause a traffic flow of 1 GB to 6 GB per attacker’s udp packet. The victim will have to handle 2.6 million TCP connections and HTTP requests.

На русском

About Remote Code Execution – NVIDIA Container Toolkit (CVE-2024-0132) vulnerability

Leave a reply

About Remote Code Execution – NVIDIA Container Toolkit (CVE-2024-0132) vulnerability. NVIDIA’s bulletin was released on September 25. The vulnerability was found by researchers from Wiz.

Container Toolkit provides containerized AI applications with access to GPU resources. AI is now almost impossible without the use of video cards. 😏 Therefore, this component is very common.

The essence of the vulnerability is that a launched malicious container image can gain access to the host file system, which, in turn, can lead to the attacker’s code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

If an attacker gains access to a desktop in this way, it’s not so bad, but what if he gains access to Kubernetes nodes or a cluster? 🫣 AI service providers (a la Hugging Face) that launch untrusted images are at risk.

На русском

About SQL Injection – The Events Calendar plugin for WordPress (CVE-2024-8275) vulnerability

Leave a reply

About SQL Injection – The Events Calendar plugin for WordPress (CVE-2024-8275) vulnerability. This plugin for WordPress CMS allows you to create event pages with search and filtering capabilities. The plugin is installed on more than 700,000 websites.

The plugin offers extensive customization options, including using individual plugin functions in your own code. One of these functions, tribe_has_next_event(), was found to have a SQL injection that allows an unauthenticated attacker to extract sensitive information from the website’s database. An exploit is available on GitHub.

❗️ The developers note that this function is not used by the plugin itself (“unused code”). Only sites that have manually added a tribe_has_next_event() call will be vulnerable.

If you are using WordPress with The Events Calendar plugin, check if there is some tricky customization using this vulnerable function and update to v.6.6.4.1 and above.

На русском

This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.

Alexander V. Leonov

Vulnerability Management and more

Tag Archives: vulnerability

Veeam B&R RCE vulnerability CVE-2024-40711 is exploited in attacks

Ford won’t work?

October Microsoft Patch Tuesday

Vulnerability Remediation using the “Ford Method”

Continuing the story about recent CUPS vulnerabilities: vulnerable hosts will be used by attackers to amplify DDoS attacks

About Remote Code Execution – NVIDIA Container Toolkit (CVE-2024-0132) vulnerability

About SQL Injection – The Events Calendar plugin for WordPress (CVE-2024-8275) vulnerability