Tag Archives: vulnerability

Is it possible to manage vulnerabilities without no budget?

Is it possible to manage vulnerabilities without no budget? Well, basically yes. Most of the work in the Vulnerability Management process does not require purchasing any solutions. You won’t need them to detect and describe assets. And also to discuss SLAs for vulnerability remediation (and preferably regular patching) with asset owners. And it’s not that difficult to automate the creation of remediation tasks and tracking their statuses.

The main problem is vulnerability detection. It is difficult to imagine an organization’s infrastructure for which the capabilities of free utilities will be enough. Unless only Linux hosts are used there and software is installed only from the official repository. Then OpenSCAP with OVAL content from your Linux vendor will be enough.

When using commercial VM solutions, there will also be “blind spots” – unsupported software or hardware installations. But if you use only free utilities, it will be one big “blind spot”.

На русском

Should a VM specialist specify a patch to install on the host in a vulnerability remediation task?

Leave a reply

Should a VM specialist specify a patch to install on the host in a vulnerability remediation task? Here’s what I think:

If there is a simple way to give such information to IT, then you need to do it. For example, if a vulnerability scanner gives such recommendations.

If it requires intensive research, then you shouldn’t do it. Otherwise, it will be yet another game of “prove and show”. And instead of building a VM process to improve the security of the entire organization, you will be investigating which vulnerability is fixed by which KB. Not cool.

Detecting a vulnerability on a host is a sign that the IT department is not doing its job correctly. Ideally, everything should be fixed in the process of unconditional regular patching. And vulnerability scans should only confirm that everything is ok. If IT can’t implement such a process, then let them deal with fixing specific vulnerabilities and finding patches.

На русском

About Spoofing – Windows NTLM (CVE-2024-43451) vulnerability

Leave a reply

About Spoofing – Windows NTLM (CVE-2024-43451) vulnerability. The vulnerability is from the November Microsoft Patch Tuesday. It immediately showed signs of being exploited in the wild. The vulnerability is related to the outdated MSHTML platform, which is still used in Windows. To exploit the vulnerability, the user must minimally interact with the malicious URL file: right-click on it, delete it, or move it to another folder. There is no need to open the malicious file. As a result, the attacker receives the user’s NTLMv2 hash, which he can use for authentication.

According to ClearSky, the vulnerability is used to distribute Spark RAT, an open-source remote access Trojan.

На русском

About Spoofing – Microsoft Exchange (CVE-2024-49040) vulnerability

Leave a reply

About Spoofing – Microsoft Exchange (CVE-2024-49040) vulnerability. The vulnerability is from the November Microsoft Patch Tuesday. An incorrectly formulated P2 FROM header processing policy allows an attacker to make his email address look legitimate to the victim (for example, like a work colleague’s address). Which, of course, significantly increases the effectiveness of phishing attacks. The vulnerabilities affect Exchange Server 2019 and Exchange Server 2016.

Microsoft has paused the rollout of the initial patches published on November 12. Their installation led to crashes. New fixes were published by Microsoft only on November 27.

Kaspersky has already observed attempts to exploit this vulnerability. They wrote about this in a blog post on November 26.

На русском

December Linux Patch Wednesday

Leave a reply

December Linux Patch Wednesday. There are 316 vulnerabilities in total. Compared to November LPW – much better. 119 are in Linux Kernel.

Two vulnerabilities with signs of exploitation in the wild. Both in Safari:

RCE – Safari (CVE-2024-44308)
XSS – Safari (CVE-2024-44309)

These vulnerabilities are fixed not in Safari, but in packages of the WebKit browser engine.

There are no signs of exploitation in the wild for 19 vulnerabilities yet, but there are public exploits. The following can be highlighted:

RCE – Moodle (CVE-2024-43425). First fix in the Linux vendor repository appeared on 2024-11-21 (RedOS)
Command Injection – Grafana (CVE-2024-9264)
Command Injection – virtualenv (CVE-2024-53899)
SQLi – Zabbix (CVE-2024-42327)
Data Leakage – Apache Tomcat (CVE-2024-52317)

Vulristics December Linux Patch Wednesday Report

I released Vulristics 1.0.9 with improved detection of vulnerable software based on CVE description.

На русском

December Microsoft Patch Tuesday

Leave a reply

December Microsoft Patch Tuesday. 89 CVEs, of which 18 were added since November MSPT. 1 vulnerability with signs of exploitation in the wild:

EoP – Windows Common Log File System Driver (CVE-2024-49138). There are no details about this vulnerability yet.

Strictly speaking, there was another vulnerability that was exploited in the wild: EoP – Microsoft Partner Network (CVE-2024-49035). But this is an already fixed vulnerability in the Microsoft website and I’m not even sure that it was worth creating a CVE.

For the remaining vulnerabilities, there are no signs of exploitation in the wild, nor exploits (even private ones).

I can highlight:

RCE – Windows LDAP (CVE-2024-49112, CVE-2024-49127)
RCE – Windows LSASS (CVE-2024-49126)
RCE – Windows Remote Desktop Services (CVE-2024-49106 и ещё 8 CVE)
RCE – Microsoft MSMQ (CVE-2024-49122, CVE-2024-49118)
RCE – Microsoft SharePoint (CVE-2024-49070)

Full Vulristics report

На русском

About Elevation of Privilege – Windows Task Scheduler (CVE-2024-49039) vulnerability

Leave a reply

About Elevation of Privilege – Windows Task Scheduler (CVE-2024-49039) vulnerability. It was released on November Microsoft Patch Tuesday and showed signs of exploitation in the wild right away. To exploit the vulnerability, an authenticated attacker runs a specially crafted application on the target system. The attack can be performed from an AppContainer restricted environment. Using this vulnerability, an attacker can elevate their privileges to Medium Integrity level and gain the ability to execute RPC functions that are restricted to privileged accounts only.

ESET reports that the vulnerability allowed the RomCom attackers to execute malicious code outside the Firefox sandbox and then launch hidden PowerShell processes to download and run malware from C&C servers.

There is a backdoor code on GitHub that exploits this vulnerability.

На русском

This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.

Alexander V. Leonov

Vulnerability Management and more

Tag Archives: vulnerability

Is it possible to manage vulnerabilities without no budget?

Should a VM specialist specify a patch to install on the host in a vulnerability remediation task?

About Spoofing – Windows NTLM (CVE-2024-43451) vulnerability

About Spoofing – Microsoft Exchange (CVE-2024-49040) vulnerability

December Linux Patch Wednesday

December Microsoft Patch Tuesday

About Elevation of Privilege – Windows Task Scheduler (CVE-2024-49039) vulnerability