Tag Archives: vulners

I watched a joint webinar by Vulners and RST Cloud about Vulnerability Prioritization

I watched a joint webinar by Vulners and RST Cloud about Vulnerability Prioritization.

🔹 Kir Ermakov from Vulners spoke about the importance of prioritizing vulnerabilities (especially for MSSP companies, since they are responsible for customer security) and how it can be improved using dynamically updated AI Score v2. I really liked his phrase: “if you don’t know your assets very well, turn off the webinar and go do Asset Management”. Asset Management is the base. 👍

🔹 Yury Sergeev from RST Cloud told how, when prioritizing vulnerabilities, take into account data on the exploitation of vulnerabilities in real attacks (in your location, in your industry, for your attacker profile). He provided a formula and demonstrated how taking these factors into account affects prioritization. I liked his regreSSHion example: there is a lot of hype, but the attack is very noticeable and takes a lot of time, so the exploitation is unlikely to be widespread.

In Russian

Linux Patch Wednesday: here is this May peak!

Linux Patch Wednesday: here is this May peak! 🤦‍♂️ Also about June Linux Patch Wednesday. If you remember, in my post about the May Linux Patch Wednesday I was happy that, despite the launch of the rule for Unknown dates, the peak in May was insignificant. Although “32406 oval definitions without a date received a nominal date of 2024-05-15”. It turned out that the peak was not visible due to an error in the code. Ba-dum-tss! 🥸🤷‍♂️

I noticed that not all CVEs are in LPW bulletins, despite the addition of nominal dates, for example the high-profile vulnerability Elevation of Privilege (Local Privilege Escalation) – Linux Kernel (CVE-2024-1086). I could not find it anywhere. I debugged the function that distributes vulnerabilities into bulletins and added tests. I have ensured that all 38362 CVEs from the Linux OVAL content are actually distributed in bulletins. Including CVE-2024-1086. Here it is in February:

$ grep "CVE-2024-1086"  bulletins/*
bulletins/2024-02-21.json: "CVE-2024-1086": [
bulletins/2024-02-21.json: "title": "CVE-2024-1086 linux",
bulletins/2024-02-21.json: "title": "CVE-2024-1086 linux",
bulletins/2024-02-21.json: "title": "CVE-2024-1086 linux",

Well, there really is a peak in May. And how huge it is! 11476 CVEs! 😱 This is so much that I regenerated the Vulristics report for it using only 2 sources, Vulners and BDU; even collecting the data from Vulners alone took a long time. The report contains 77 vulnerabilities with signs of active exploitation in the wild and 1404 vulnerabilities with exploits, but without signs of active exploitation in the wild. Since for the most part these are old vulnerabilities for which it was simply not clear exactly when they were fixed, for example Remote Code Execution – Apache HTTP Server (CVE-2021-42013), I will not analyze them in detail; for those interested, see the report. But please note that the report is very large.
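To make the bulletin-distribution check above concrete, here is a small added example (my own illustration for this page, not code from the Vulristics or Linux Patch Wednesday scripts). It distributes OVAL-like definitions into bulletins, gives undated definitions the nominal date of the month in which the script runs, and then checks the invariant that bit me: every CVE must land in exactly one bulletin. It assumes bulletins are keyed by the third Wednesday of the month (the dates on this page, 2024-02-21, 2024-05-15 and 2024-06-19, all are) and that a fix is attributed to the first such date on or after its fix date. The definitions and their dates are constructed for the example; only the CVE identifiers come from this post.

```python
import calendar
import datetime as dt
from collections import defaultdict

# Constructed stand-in for Linux OVAL definitions: (cve, package, fix date or None).
# Dates are made up for the example; None means the OVAL content had no date.
DEFINITIONS = [
    ("CVE-2024-1086", "linux", dt.date(2024, 2, 1)),
    ("CVE-2021-42013", "apache2", None),
    ("CVE-2024-5274", "chromium", dt.date(2024, 5, 28)),
    ("CVE-2021-47489", "linux", None),
]


def third_wednesday(year, month):
    """Date of the month's Linux Patch Wednesday (assumption: the third Wednesday)."""
    first_weekday = calendar.monthrange(year, month)[0]  # Monday == 0
    first_wed = 1 + (calendar.WEDNESDAY - first_weekday) % 7
    return dt.date(year, month, first_wed + 14)


def _next_month(d):
    return dt.date(d.year + (d.month == 12), d.month % 12 + 1, 1)


def bulletin_id(fix_date, run_date):
    """Bulletin a fix belongs to: the first LPW date on or after its fix date.

    Definitions without a date receive the nominal date of the run month, i.e. the
    rule for Unknown dates described in the post (32406 definitions -> 2024-05-15).
    """
    d = fix_date if fix_date is not None else third_wednesday(run_date.year, run_date.month)
    lpw = third_wednesday(d.year, d.month)
    if lpw < d:  # this month's LPW is already past: roll over to the next one
        nm = _next_month(d)
        lpw = third_wednesday(nm.year, nm.month)
    return lpw.isoformat()


def distribute(definitions, run_date):
    """{bulletin id: {cve: {"title": ...}}}, mirroring the bulletins/*.json layout."""
    bulletins = defaultdict(dict)
    for cve, pkg, fix_date in definitions:
        bulletins[bulletin_id(fix_date, run_date)][cve] = {"title": f"{cve} {pkg}"}
    return dict(bulletins)


def check_coverage(definitions, bulletins):
    """Every CVE must appear in exactly one bulletin; returns (missing, duplicated)."""
    seen = defaultdict(int)
    for cves in bulletins.values():
        for cve in cves:
            seen[cve] += 1
    expected = {cve for cve, _, _ in definitions}
    missing = sorted(expected - set(seen))
    duplicated = sorted(c for c, n in seen.items() if n > 1)
    return missing, duplicated


def find_cve(bulletins, cve):
    """The equivalent of grep "CVE-..." bulletins/*: which bulletins mention the CVE."""
    return sorted(b for b, cves in bulletins.items() if cve in cves)


if __name__ == "__main__":
    b = distribute(DEFINITIONS, dt.date(2024, 5, 15))
    for bid in sorted(b):
        print(bid, len(b[bid]), "CVEs")
    print(find_cve(b, "CVE-2024-1086"))
    print(check_coverage(DEFINITIONS, b))
```

The `check_coverage` result is the test to keep: if the distributing function silently drops or duplicates definitions, the bulletin counts (and therefore the monthly peaks) are wrong, and the only symptom is a CVE that grep cannot find.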

🗒 Vulristics report on the May Linux Patch Wednesday (31.3 MB)

As for the June Linux Patch Wednesday, which was finalized on June 19, there are 1040 vulnerabilities. Also quite a lot. Why is this so? On the one hand, the rule for Unknown dates added 977 Debian OVAL definitions without a date. Not 30k, like in May, but still significant. Out of 1040 vulnerabilities, 854 are Linux Kernel vulnerabilities. Moreover, quite a lot of them have “old” vulnerability identifiers but were actually created in 2024. For example, CVE-2021-47489 with NVD Published Date 05/22/2024. 🤔 The Linux Kernel CNA is doing something strange.

🔻 With signs of exploitation in the wild again Remote Code Execution – Chromium (CVE-2024-5274, CVE-2024-4947), like in Microsoft Patch Tuesday. According to the BDU, Remote Code Execution – Libarchive (CVE-2024-26256) is also exploited in the wild.

🔸 Another 20 vulnerabilities with a public exploit. I can highlight separately Remote Code Execution – Cacti (CVE-2024-25641) and Remote Code Execution – onnx/onnx framework (CVE-2024-5187).

🗒 Vulristics report on the June Linux Patch Wednesday (4.4 MB)

RCE – Confluence (CVE-2024-21683) with public exploits on GitHub

RCE – Confluence (CVE-2024-21683) with public exploits on GitHub. Authentication is required. Both Confluence Data Center and Confluence Server are vulnerable.

🔻 Version 8.5.9 LTS, which fixes the vulnerability, was released on May 9.
🔻 On May 23, after the description of the vulnerability in NVD and the Atlassian ticket became public, researcher Huong Kieu studied the patch, described the vulnerability and reported that he was able to make a PoC. On the same day, exploits for this vulnerability appeared on GitHub.

Atlassian likely held back information about fixing this vulnerability so that more organizations could update before active exploitation began. However, they didn’t quite succeed. Apparently they accidentally published the ticket on May 15th, and then hid it until May 23rd. But the vulnerability search engine Vulners remembered it. 😉 So information about the vulnerability was available all this time.

In Russian

Scanvus now supports Vulners and Vulns.io VM Linux vulnerability detection APIs

Scanvus now supports Vulners and Vulns.io VM Linux vulnerability detection APIs. Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. I just had to do the final test. Many thanks to them for this!

Alternative video link (for Russia): https://vk.com/video-149273431_456239113

How can the support of these two APIs in Scanvus be useful?

  1. There is no longer any lock-in to a single vendor. Choose whichever service and price you prefer.
  2. The set of supported operating systems differs between Vulners.com and Vulns.io. If a particular Linux distribution is not supported by one vendor, it may be supported by the other.
  3. Vulners and Vulns.io implemented vulnerability checks independently of each other. If the results differ when scanning the same host/image, then implementation errors will be clearly visible.
  4. Scanvus is released under the MIT license, so you can use it as an example of working with the Vulners.com and Vulns.io APIs and use this code in your projects.
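Point 3 deserves a concrete shape. Here is an added example (mine, not part of Scanvus or of either vendor's API) of how to reconcile two scanners' results for the same host so that the two kinds of disagreement are kept apart: a package that one vendor does not know at all (a coverage difference, point 2 above) versus the same package with a different CVE set (a detection logic difference, point 3). The two result dictionaries are constructed and already normalised to package -> set of CVEs; they are not the real Vulners.com or Vulns.io response formats, and the package-to-CVE mapping is illustrative.

```python
# Constructed results from two vendors for one host, normalised to {package: {CVE, ...}}.
# Shapes and the CVE-to-package mapping are illustrative, not real API output.
VENDOR_A = {
    "linux": {"CVE-2024-1086", "CVE-2021-47489"},
    "apache2": {"CVE-2021-42013"},
    "chromium": {"CVE-2024-5274", "CVE-2024-4947"},
}
VENDOR_B = {
    "linux": {"CVE-2024-1086"},
    "apache2": {"CVE-2021-42013"},
    "cacti": {"CVE-2024-25641"},
}


def reconcile(a, b):
    """Split disagreements between two scans of the same host into two classes.

    coverage_gap: {package: "A" | "B"} for packages only one vendor reports on at all
                  (likely a difference in OS/package support).
    logic_diff:   {package: {"only_A": [...], "only_B": [...]}} for packages both know
                  but assess differently (likely an implementation error on one side).
    """
    coverage_gap = {}
    logic_diff = {}
    for pkg in sorted(set(a) | set(b)):
        if pkg not in a or pkg not in b:
            coverage_gap[pkg] = "A" if pkg in a else "B"
            continue
        if a[pkg] != b[pkg]:
            logic_diff[pkg] = {
                "only_A": sorted(a[pkg] - b[pkg]),
                "only_B": sorted(b[pkg] - a[pkg]),
            }
    return coverage_gap, logic_diff


def agreement_ratio(a, b):
    """Share of all distinct (package, CVE) findings that both vendors report."""
    pairs_a = {(p, c) for p, cves in a.items() for c in cves}
    pairs_b = {(p, c) for p, cves in b.items() for c in cves}
    union = pairs_a | pairs_b
    return len(pairs_a & pairs_b) / len(union) if union else 1.0


if __name__ == "__main__":
    gap, diff = reconcile(VENDOR_A, VENDOR_B)
    print("coverage gaps:", gap)
    print("logic differences:", diff)
    print(f"agreement: {agreement_ratio(VENDOR_A, VENDOR_B):.0%}")
```

In practice the interesting bucket is `logic_diff`: a CVE that one vendor reports for a package both vendors know about is either a false positive on one side or a false negative on the other, and a handful of such cases is usually enough to locate the bug in a version-comparison or package-mapping rule.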

Scanvus – my open source Vulnerability Scanner for Linux hosts and Docker images

Scanvus – my open source Vulnerability Scanner for Linux hosts and Docker images. Hello everyone! This video was recorded for the VMconf 22 Vulnerability Management conference, vmconf.pw. I will be talking about my open source project Scanvus. This project is already a year old and I use it almost every day.

Alternative video link (for Russia): https://vk.com/video-149273431_456239100

Scanvus (Simple Credentialed Authenticated Network VUlnerability Scanner) is a vulnerability scanner for Linux. It currently supports Ubuntu, Debian, CentOS, RedHat, Oracle Linux and Alpine, but in general it works for any Linux distribution supported by the Vulners Linux API. The purpose of this utility is to get the list of packages and the Linux distribution version from some source, make a request to an external vulnerability detection API (only the Vulners Linux API is currently supported), and show the vulnerability report.

Scanvus can show vulnerabilities for

  • localhost
  • remote host via SSH
  • docker image
  • inventory file of a certain format

This utility greatly simplifies Linux infrastructure auditing. And besides, this is a project in which I can try to implement my ideas on vulnerability detection.

Example of output

For all targets the output is the same. It contains information about the target and the type of check. Then information about the OS version and the number of Linux packages. And finally, the actual information about vulnerabilities: how many vulnerabilities were found and their criticality levels. The table shows the criticality level, bulletin ID, CVE list for the bulletin, and a comparison of the fixed (non-vulnerable) package version with the version actually installed.

This report is not the only way to present results. You can optionally export the results to JSON (OS inventory data, raw vulnerability data from Vulners Linux API or processed vulnerability data).
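The last column of that table, fixed version versus installed version, is where Linux vulnerability detection gets subtle, because package versions are not compared lexically. As an added example (my own, not Scanvus code, which delegates this decision to the Vulners Linux API), here is the Debian/dpkg version comparison algorithm implemented in Python and applied to a package inventory: epoch first, then upstream version, then Debian revision, with `~` sorting before even the empty string and letters before other characters. The `dpkg-query` output and the bulletin data (first fixed version per package) are constructed for the example; the CVE identifiers are from this page but the versions are not taken from real advisories.

```python
import re

# Constructed output of: dpkg-query -W -f='${Package} ${Version}\n'
# Versions are illustrative, not copied from a real host.
DPKG_OUTPUT = """\
apache2 2.4.57-2
linux-image-amd64 6.1.76-1
cacti 1.2.26+ds1-1
"""

# Constructed bulletin data: package -> (first fixed version, CVEs). Illustrative only.
FIXED = {
    "apache2": ("2.4.51-1", ["CVE-2021-42013"]),
    "linux-image-amd64": ("6.1.82-1", ["CVE-2024-1086"]),
    "cacti": ("1.2.27+ds1-1", ["CVE-2024-25641"]),
}


def parse_dpkg(output):
    """'<package> <version>' lines -> {package: version}."""
    return dict(line.split(None, 1) for line in output.splitlines() if line.strip())


def _order(c):
    # dpkg's character weighting: '~' sorts before everything, including end of
    # string (weight 0); letters sort before non-letters.
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    """dpkg's comparison of one upstream_version or debian_revision string."""
    while a or b:
        # Non-digit prefixes: compared character by character with _order().
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        for i in range(max(len(na), len(nb))):
            ca = _order(na[i]) if i < len(na) else 0
            cb = _order(nb[i]) if i < len(nb) else 0
            if ca != cb:
                return -1 if ca < cb else 1
        a, b = a[len(na):], b[len(nb):]
        # Digit prefixes: compared numerically, a missing run counts as 0.
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def _split(version):
    """'[epoch:]upstream[-revision]' -> (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def dpkg_compare(v1, v2):
    """-1, 0 or 1 with the semantics of `dpkg --compare-versions`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def vulnerable_packages(installed, fixed):
    """Installed packages whose version is older than the first fixed version."""
    findings = []
    for pkg, (fixed_ver, cves) in sorted(fixed.items()):
        inst = installed.get(pkg)
        if inst is not None and dpkg_compare(inst, fixed_ver) < 0:
            findings.append({"package": pkg, "installed": inst, "fixed": fixed_ver, "cves": cves})
    return findings


if __name__ == "__main__":
    for f in vulnerable_packages(parse_dpkg(DPKG_OUTPUT), FIXED):
        print(f"{f['package']}: {f['installed']} < {f['fixed']}  {', '.join(f['cves'])}")
```

The cases worth remembering when you read such a table: an epoch (`1:`) outranks any upstream number, `2.4.57-2+deb12u1` is newer than `2.4.57-2` (a backported security fix), and `1.0~rc1` is older than `1.0`. A scanner that compares version strings lexically gets all three wrong, which is exactly the kind of error the cross-vendor comparison in the previous post is good at surfacing.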

Vulners Linux Audit API: Security Bulletin Publication Dates in Results

Vulners Linux Audit API: Security Bulletin Publication Dates in Results. Hello everyone! In this short episode, I want to talk about the new feature in Vulners Linux API.

Alternative video link (for Russia): https://vk.com/video-149273431_456239092

Linux security bulletin publication dates are now included in scan results. Why is it useful?

AM Live Vulnerability Management Conference 2022: my impressions and position

AM Live Vulnerability Management Conference 2022: my impressions and position. Hello everyone! This episode will be about the AM Live Vulnerability Management online conference. I participated in it on May 17th.

Alternative video link (for Russia): https://vk.com/video-149273431_456239090

The event lasted 2 hours. Repeating everything that has been said is difficult and makes little sense. Those who want can watch the full video or read the article about the event (both in Russian). Here I would like to share my impressions, compare this event with last year’s and express my position.
