Tag Archives: vulnerability

Progress in exploitation of Remote Code Execution – Windows TCP/IP IPv6 (CVE-2024-38063)

Progress in exploitation of Remote Code Execution – Windows TCP/IP IPv6 (CVE-2024-38063). The vulnerability is from the August Patch Tuesday. 2 weeks ago I already wrote why it is potentially dangerous. Now the danger has increased significantly:

🔻 On August 24, a PoC of the exploit appeared on GitHub. There is a video showing a small Python script (39 lines) being run, which causes Windows to crash with the error “KERNEL SECURITY CHECK FAILURE”. It looks more like DoS than RCE, but this is only for now.

🔻 Well-known researcher Marcus Hutchins published a blog post titled “CVE-2024-38063 – Remotely Exploiting The Kernel Via IPv6”. It describes the technical details of exploiting the vulnerability.

The probability that the vulnerability will be exploited in the wild has increased significantly.

❗️ Check whether the vulnerability is patched and, if it is not yet, increase the priority of the fix.

A couple of interesting details about Unauthenticated Elevation of Privilege – WordPress LiteSpeed Cache Plugin (CVE-2024-28000)

A couple of interesting details about Unauthenticated Elevation of Privilege – WordPress LiteSpeed Cache Plugin (CVE-2024-28000).

🔹 The vulnerability was found by researcher John Blackbourn. He submitted it through the bug bounty program and received $14,400. 👏

🔹 The vulnerability cannot be exploited on Windows installations, because the function that is needed to generate the hash does not work on Windows. This is what researchers write in the write-up. However, they do not write how this plugin works on Windows installations and whether it works at all. 🤔 But if the plugin works and the vulnerability cannot be exploited, then it turns out that sometimes it is not such a strange idea to use Windows instead of Linux as a hosting OS for websites. 🙃

Unauthenticated Elevation of Privilege – WordPress LiteSpeed Cache Plugin (CVE-2024-28000)

Unauthenticated Elevation of Privilege – WordPress LiteSpeed Cache Plugin (CVE-2024-28000).

🔹 WordPress is a popular open source CMS (835 million websites) that supports third-party plugins.

🔹 LiteSpeed Cache is one such plugin. It increases the loading speed of website pages by caching them. The free version is used on 5 million websites.

On August 13, a critical vulnerability in this plugin was disclosed. A remote unauthenticated attacker can obtain administrator rights. 😱 According to the write-up, the attacker brute-forces the hash used for authentication. This hash is generated insecurely, so it has only a million possible values. At 3 requests to the website per second, brute-forcing the hash and obtaining admin rights takes from several hours to a week.

👾 The PoC is available on GitHub and attackers are already actively exploiting the vulnerability.

Update to version 6.4.1 or higher.

August Linux Patch Wednesday

August Linux Patch Wednesday. 658 vulnerabilities. Of these, 380 are in the Linux Kernel. About 10 have signs of exploitation in the wild. I will highlight:

🔻 Vulnerabilities of IT Asset Management system GLPI: AuthBypass (CVE-2023-35939, CVE-2023-35940) and Code Injection (CVE-2023-35924, CVE-2023-36808, CVE-2024-27096, CVE-2024-29889). Fixed in RedOS.
🔻 InfDisclosure – Minio (CVE-2023-28432). Old and trending, but fixes have also appeared only in RedOS.
🔻 DoS – PHP (CVE-2024-2757). If I were to take into account Fedora or Alpine bulletins, this would be in an earlier LPW. 🤔 2DO.

About 30 have no signs of exploitation in the wild, but have exploits. I will highlight:

🔸 Command Injection – Apache HTTP Server (CVE-2024-40898)
🔸 AuthBypass – Apache HTTP Server (CVE-2024-40725)
🔸 AuthBypass – Neat VNC (CVE-2024-42458)
🔸 RCE – Calibre (CVE-2024-6782); yes, e-book software 🙂

🗒 Vulristics report on August Linux Patch Wednesday

Remote Code Execution – Scripting Engine (CVE-2024-38178)

Remote Code Execution – Scripting Engine (CVE-2024-38178). A vulnerability from the August Microsoft Patch Tuesday. The victim clicks on the attacker’s link, memory corruption occurs, and the attacker’s arbitrary code is executed.

The tricky part is that the victim has to open the link in Microsoft Edge browser in Internet Explorer compatibility mode. But why would the victim want to set the browser to this mode?

🔻 The victim may be using some old corporate web application that only works in Internet Explorer, so the browser is configured this way. Not such a rare situation. 😏

🔻 An attacker may try to convince the victim to enable the setting “Allow sites to be reloaded in Internet Explorer mode (IE mode)” in Edge. 🤷‍♂️

One way or another, the vulnerability is exploited in the wild and there is already a (semi?🤔)public exploit for it. My colleagues at PT ESC shared today how they found and tested this exploit. 🔍

Remote Code Execution – IBM QRadar / Robin Weser Fast Loops (CVE-2024-39008)

Remote Code Execution – IBM QRadar / Robin Weser Fast Loops (CVE-2024-39008). On August 14, a security bulletin for QRadar Suite Software and IBM Cloud Pak for Security was published on the IBM website. It lists fixed vulnerabilities in IBM QRadar itself and its open source components: Node.js, Jinja, kjd/idna, robinweser/fast-loops. The vulnerability of the last project is the most interesting.

🔻 robinweser/fast-loops – a set of compact utilities for faster work with JavaScript arrays and objects. This is not a very popular project, only 25 stars and 3 forks on GitHub.

🔻 The vulnerability CVE-2024-39008 allows an attacker to send special requests and, potentially, cause a DoS and RCE. There are technical details and a PoC.

OK, the open source component is vulnerable. But how can the vulnerability be exploited in QRadar itself? That is still unknown. 🤷‍♂️ It is better not to wait for the details to appear, but to update QRadar in advance. 😉

Trending vulnerabilities of July according to Positive Technologies

Trending vulnerabilities of July according to Positive Technologies.

The SecLab film crew went on vacation. Therefore, there was a choice: to skip the episode of “In the trend of VM” about the July vulnerabilities, or to make a video myself. Which is what I tried to do. And from the next episode we will return to SecLab again.

📹 Video “In The Trend of VM” on YouTube
🗞 A post on Habr (rus): a slightly expanded script of the video
🗒 A compact digest (rus) on the official PT website

List of vulnerabilities:

🔻 00:33 Spoofing – Windows MSHTML Platform (CVE-2024-38112)
🔻 02:23 RCE – Artifex Ghostscript (CVE-2024-29510)
🔻 03:55 RCE – Acronis Cyber Infrastructure (CVE-2023-45249)

The English voice-over was generated by my open source utility subtivo (subtitles to voice over).
