Tag Archives: vulnerability

Generating names for vulnerabilities

Generating names for vulnerabilities. Colleagues who work on attack attribution have a funny habit of naming attack groups according to some scheme. For example, Midnight Blizzard or Mysterious Werewolf. 🙂 I thought, why can’t we name vulnerabilities in a similar way?

For example, Remote Code Execution – Windows NAT (CVE-2024-38119)

🔹 We map vulnerability types to animal names that start with the same letter. RCE – let it be Racoon. For EoP it can be Elephant, for Memory Corruption – Monkey, etc.

🔹 Based on software names, we automatically select adjectives that begin with the same letters. “Windows NAT” -> “Windy Nautical”.

🔹 There can be many vulnerabilities of the same type in the same product. Therefore, we generate combinations of adverbs and past participles (6940230 combinations), and then map CVE identifiers into them. CVE-2024-38119 -> 202438119 -> “2438119”: “inquisitively underspecified”

Thus we get: “Inquisitively Underspecified Windy Nautical Racoon”. 🙂
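The three steps above as a runnable sketch; this is an added example, not the author's generator. The word lists are constructed so that the post's sample name comes out, and reducing the CVE number modulo the list size is an assumption, since the post does not show how 202438119 becomes an index.

```python
import re
from itertools import product

# Type -> animal; these three pairs are the ones named in the post.
ANIMALS = {"Remote Code Execution": "Racoon",
           "Elevation of Privilege": "Elephant",
           "Memory Corruption": "Monkey"}
# Constructed word lists (assumption): the post's real lists yield 6940230 pairs.
ADJECTIVES = ["Windy", "Nautical", "Sunny", "Quiet", "Wooden", "Nimble"]
ADVERBS = ["boldly", "calmly", "eagerly", "inquisitively"]
PARTICIPLES = ["broken", "forgotten", "hidden", "woven", "underspecified"]
COMBOS = [f"{a} {p}" for a, p in product(ADVERBS, PARTICIPLES)]

def cve_to_int(cve_id):
    """CVE-2024-38119 -> 202438119 (year and sequence digits concatenated)."""
    m = re.fullmatch(r"CVE-(\d{4})-(\d{4,})", cve_id.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return int(m.group(1) + m.group(2))

def product_adjectives(product_name):
    """One adjective per word of the product name, matched on first letter."""
    used, result = set(), []
    for token in product_name.split():
        letter = token[0].upper()
        # Prefer an adjective not used yet, so "Windows Win32k" gets two words.
        pick = next((a for a in ADJECTIVES
                     if a[0] == letter and a not in used), None)
        if pick is None:
            pick = token  # no candidate left: keep the product word itself
        used.add(pick)
        result.append(pick)
    return result

def vulnerability_name(vuln_type, product_name, cve_id):
    if vuln_type not in ANIMALS:
        raise ValueError(f"no animal defined for type: {vuln_type!r}")
    # Assumption: reduce the CVE number modulo the size of the pair list.
    pair = COMBOS[cve_to_int(cve_id) % len(COMBOS)]
    return " ".join([pair.title(), *product_adjectives(product_name),
                     ANIMALS[vuln_type]])

if __name__ == "__main__":
    print(vulnerability_name("Remote Code Execution", "Windows NAT",
                             "CVE-2024-38119"))
```

With modulo reduction two CVEs can land on the same adverb and participle pair, so the generated name works as a mnemonic while the CVE identifier stays the key.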


September Microsoft Patch Tuesday

September Microsoft Patch Tuesday. 107 CVEs, 28 of which were added since August MSPT. 6 vulnerabilities with signs of exploitation in the wild:

🔻 Remote Code Execution – Windows Update (CVE-2024-43491)
🔻 Elevation of Privilege – Windows Installer (CVE-2024-38014)
🔻 Security Feature Bypass – Windows Mark of the Web (CVE-2024-38217), Microsoft Publisher (CVE-2024-38226), Chromium (CVE-2024-7965)
🔻 Memory Corruption – Chromium (CVE-2024-7971)

3 more with private exploits:

🔸 Authentication Bypass – Azure (CVE-2024-38175)
🔸 Security Feature Bypass – Windows Mark of the Web (CVE-2024-43487)
🔸 Elevation of Privilege – Windows Storage (CVE-2024-38248)

Other interesting vulnerabilities:

🔹 Remote Code Execution – Microsoft SQL Server (CVE-2024-37335 and 5 more CVEs)
🔹 Remote Code Execution – Windows NAT (CVE-2024-38119)
🔹 Elevation of Privilege – Windows Win32k (CVE-2024-38246, CVE-2024-38252, CVE-2024-38253)

🗒 Full Vulristics report


I have released a new version of Vulristics 1.0.8 with some minor usability improvements

I have released a new version of Vulristics 1.0.8 with some minor usability improvements. I love it when my open source projects get pull requests. 😊 This time help came from user dvppvd:

🔹 Padding was set in the CSS table to make the HTML report more readable.

🔹 When you run the utility without parameters, help and examples are displayed. The examples show how to run the utility to analyze MSPT vulnerabilities for a specific month and year, or to analyze an arbitrary set of CVE identifiers.

🔹 Empty lines for the text banner have been added.

TODO for the next releases:

🔸 Support CVSS 4 for data sources that have already started providing this data.

🔸 Develop automated tests to verify the correct operation of the utility for known CVE identifiers.

🔸 Implement a new data source for the CVEProject GitHub repository for mass analysis of CVE vulnerabilities.

If you want to participate, join AVLEONOV Start. 😉

Changelog


I found that the research data for Remote Code Execution – Windows Remote Desktop Licensing Service “MadLicense” (CVE-2024-38077), which I wrote about 3 weeks ago, was deleted

I found that the research data for Remote Code Execution – Windows Remote Desktop Licensing Service “MadLicense” (CVE-2024-38077), which I wrote about 3 weeks ago, was deleted. Both on GitHub and on Google Sites.

And what does this all mean? 🤔 Who knows. 🤷‍♂️ Considering that it disappeared on two platforms at once, it was probably deleted by the Chinese researchers themselves. Why did they do this? Perhaps they established a dialogue with Microsoft and MS asked them to remove everything from the public (which, of course, is stupid – the Internet remembers everything). Perhaps someone else asked them to do this. 🫡 Another reason to pay attention to this vulnerability.


AVLEONOV Start – joint work on Open Source projects to start a career in Vulnerability Management

AVLEONOV Start – joint work on Open Source projects to start a career in Vulnerability Management. People come to me from time to time in this situation: they want to start working in the VM field, but they have no practical experience working with vulnerabilities. Therefore, they cannot get a job. And they can’t get experience anywhere. A vicious circle. Usually my answer is: go for an internship. But internship places are also limited, and there is no guarantee that you will be assigned to work on VM tasks.

An alternative is to participate in open source projects. Here I can help a little. I have quite a lot of open source VM projects. I can give a task, track its implementation, merge the code into the main project with authorship credited, and describe the contribution in the channel and changelog. There will be something to attach to the resume. 😉

Does this guarantee employment? No, nothing is guaranteed. But it will be a plus.

If you are interested, write to me. 🙂


Greenbone introduced the Greenbone Basic vulnerability scanner for SMEs, the price of which is NOT tied to the number of IP addresses that can be scanned

Greenbone introduced the Greenbone Basic vulnerability scanner for SMEs, the price of which is NOT tied to the number of IP addresses that can be scanned. A license for 1 scanner will cost 2450 € per year. It will be delivered as a virtual machine image. There is a comparison table and a data sheet.

Greenbone Basic differences:

🔹 Compared to Greenbone Free, it WILL have a full database of plugins for vulnerability detection, compliance scanning, scan scheduler, alerts, LDAP/Radius authentication, HTTPS certificate management, NTP integration.

🔹 Compared to Greenbone Enterprise, there WILL NOT be the ability to hierarchically connect scanners (sensors), API support, vulnerability remediation tickets, technical support from Greenbone and further enterprise features.

In terms of features, it looks like a real alternative to Tenable’s Nessus Professional. Competition in the entry-level fixed-price VM segment is intensifying. 👍


About Elevation of Privilege – Windows Ancillary Function Driver for WinSock (CVE-2024-38193) and other Windows EoP vulnerabilities from August Patch Tuesday

About Elevation of Privilege – Windows Ancillary Function Driver for WinSock (CVE-2024-38193) and other Windows EoP vulnerabilities from August Patch Tuesday. In total, in the August MSPT there were 3 EoPs with signs of exploitation in the wild. They have identical descriptions: an attacker can elevate privileges on the host to SYSTEM level. The vulnerability in Windows Kernel is more difficult to exploit, because it is necessary to win a race condition.

The attackers are known by name only for the EoP vulnerability in the Windows Ancillary Function Driver (AFD.sys). It is exploited by the well-known group Lazarus. This was reported in a press release from Gen Digital, the company that owns Avira and Avast antiviruses. To neutralize information security products during an attack, Lazarus attackers use the Fudmodule rootkit. So, even if EDR is installed on the host, the host should be updated. 😏
