Tag Archives: vulnerability

Qualys announced the TotalAI module for artificial intelligence (AI) and large language models (LLM) security

Qualys announced the TotalAI module for artificial intelligence (AI) and large language models (LLM) security. The module will be available in Q4 2024 as part of the Enterprise TruRisk platform.

Announced features:

🔹 Detection and monitoring of the AI infrastructure of organizations. To avoid “shadow LLM”.

🔹 Vulnerability Management with a focus on AI threats. Especially on countering theft (extraction) of data and models. They will offer a variety of ways to fix vulnerabilities.

🔹 Specialized LLM scanning focussed on prompt injection, model theft, and disclosure of confidential information.

🔹 Compliance Management and risk management. They emphasize combating data leaks and mention GDPR, PCI, CCPA.

There is a screenshot of the interface with statistics on models and related threats. We can also see statistics on threats related to assets and interesting informers for AI Workloads, AI Software and GPU.

На русском

I also made a meme with the cool Yusuf Dikeç

Leave a reply

I also made a meme with the cool Yusuf Dikeç. 😅

🔹 Every vulnerability existing in the infrastructure must be detected.
🔹 For each detected vulnerability, a patching task must be created.

This is the base. And when they tell you that you don’t have to do this because there is some super-modern vulnerability assessment and prioritization tool, you should be skeptical. 😉

На русском

Regarding the Qualys Patch Management event that took place yesterday

Leave a reply

Regarding the Qualys Patch Management event that took place yesterday.

I liked:

✅ Cool report by Eran Livne about Patch Management capabilities in Qualys. 👍 Especially about creating linked patching tasks (first for a test scope, and a week later for a full scope) and about the ability to isolate hosts as a mitigation option (access remains only from the Qualys cloud). The part about new TruRisk Eliminate was also interesting.
✅ Adam Gray beautifully justified the need for mandatory patching (since prevention doesn’t really work 🤷‍♂️).

I didn’t like:

❌ Most speakers focused on other information security topics rather than patch management. I think it would have been possible to select more thematic reports for this event.
❌ I simply can’t accept theses like “you don’t need to patch all vulnerabilities”. 🤷‍♂️ My position: you need to patch everything. And workarounds are good for a while UNTIL a patch is installed.

На русском

Remote Code Execution – Acronis Cyber Infrastructure (CVE-2023-45249)

Leave a reply

Remote Code Execution – Acronis Cyber Infrastructure (CVE-2023-45249). Due to the default passwords used, a remote unauthenticated attacker can gain access to an Acronis Cyber Infrastructure (ACI) server and execute arbitrary code.

ACI is a hyperconverged platform for storage, backup, computing, virtualization and networking.

🔻 Patches that fix this vulnerability were released on October 30, 2023 (❗️).
🔻 After 9-10 months, on July 24 of this year, Acronis noted in a bulletin that the vulnerability was exploited in the wild. The purpose of exploitation was to install a cryptominer. On July 29, the vulnerability was added to the CISA KEV.

Some sources report 20,000 service providers using ACI. I have not found any confirmation of this. Perhaps there is confusion with Acronis Cyber Protect. However, there are probably quite a few large companies using ACI. If you work for such a company, be sure to pay attention.

На русском

Remote Code Execution vulnerability – Artifex Ghostscript (CVE-2024-29510)

Leave a reply

Remote Code Execution vulnerability – Artifex Ghostscript (CVE-2024-29510). Memory corruption allows to bypass the SAFER sandbox and execute arbitrary code.

Ghostscript is a PostScript and PDF document interpreter. It is used in ImageMagick, LibreOffice, GIMP, Inkscape, Scribus, CUPS, etc. It is available for many OS.

🔻 Ghostscript version 10.03.1, which fixes the vulnerability, was released on May 2.
🔻 On July 2, Codean Labs published a detailed analysis of this vulnerability and PoC. In the video they launch the calculator by opening a special ps file with the ghostscript utility or a special odt file in LibreOffice.
🔻 On July 10, a functional exploit was released on GitHub. And on July 19, a module for Metasploit was released.

👾 The media writes that the vulnerability is being exploited in the wild. However, it’s based on a single microblog post by some Portland developer. 🤷‍♂️ I think more reliable evidence of exploitation in attacks will appear soon.

На русском

Qualys introduces TruRisk Eliminate for augmented Patch Management

Leave a reply

Qualys introduces TruRisk Eliminate for augmented Patch Management. Qualys didn’t wait until the event and published a blog post. What they presented is an implementation of workarounds.

In the screenshot of TruRisk Eliminate we see a filtered list of vulnerabilities on assets, the criticality of vulnerabilities in the form of QDS, the Remediations and Mitigations columns.

🔹 Remediations – installing a patch or installing a patch with reconfiguration.

🔹 Mitigations – workarounds that neutralize the vulnerability instead of patching: changing the registry key, changing the config, removing the application, blocking the port, isolating the device, etc.

And there is a button to perform an action on the asset (using an agent) with a choice of Remediations/Mitigations option.

It’s a logical step. Since they gave the ability to patch, why not give the ability to apply workarounds. But Qualys will have a lot of difficulties with this. 🫣

На русском

“The Mystery of the Hole”: Remote Code Execution – Internet Explorer (CVE-2012-4792)

Leave a reply

“The Mystery of the Hole”: Remote Code Execution – Internet Explorer (CVE-2012-4792). Yesterday, an old vulnerability “CDwnBindInfo” from 2012 was added to CISA KEV: the user opens a malicious website in MS Internet Explorer 6–8 and the attacker gets RCE on user’s host. The vulnerability has been actively exploited since the end of 2012 as 0day in watering hole attacks on US organizations. In particular, the malicious code was placed on the hacked Council on Foreign Relations (CFR) website.

Why was the vulnerability added to CISA KEV only now?

🔹 New attacks on legacy systems (Win XP/ Vista/7, WinServer 2003/2008) were discovered? 🤪 It’s unlikely.

🔹 They saw a vulnerability with confirmed incidents, but it wasn’t in CISA KEV, so they added it? More likely, but why only this vulnerability? 🧐

🔹 There was no formal excuse for urgently updating found legacy systems? A bit strange. 🤷‍♂️

Let’s wait for updates. 🙂

На русском

This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.

Alexander V. Leonov

Vulnerability Management and more

Tag Archives: vulnerability

I also made a meme with the cool Yusuf Dikeç

Regarding the Qualys Patch Management event that took place yesterday

Remote Code Execution – Acronis Cyber Infrastructure (CVE-2023-45249)

Remote Code Execution vulnerability – Artifex Ghostscript (CVE-2024-29510)

Qualys introduces TruRisk Eliminate for augmented Patch Management

“The Mystery of the Hole”: Remote Code Execution – Internet Explorer (CVE-2012-4792)