Tag Archives: Vulristics

The digest of March trending vulnerabilities was published on the Positive Technologies website (in Russian)

Leave a reply

The digest of March trending vulnerabilities was published on the Positive Technologies website (in Russian)The digest of March trending vulnerabilities was published on the Positive Technologies website (in Russian)The digest of March trending vulnerabilities was published on the Positive Technologies website (in Russian)The digest of March trending vulnerabilities was published on the Positive Technologies website (in Russian)The digest of March trending vulnerabilities was published on the Positive Technologies website (in Russian)

The digest of March trending vulnerabilities was published on the Positive Technologies website (in Russian). I also generated a Vulristics report for these vulnerabilities. There are 5 vulnerabilities in total.

🔻 For 3 vulnerabilities there are exploits and confirmed signs of exploitation in the wild: AuthBypassTeamCity (CVE-2024-27198), RCE – FortiClientEMS (CVE-2023-48788), EoPWindows Kernel (CVE-2024-21338).

🔻 For 2 more vulnerabilities there are no signs of exploitation in the wild yet, but there are exploits: EoP – Windows CLFS Driver (CVE-2023-36424), RCEMicrosoft Outlook (CVE-2024-21378).

На русском

For the January Elevation of Privilege (Local Privilege Escalation) – Linux Kernel (CVE-2024-1086), the write-up and PoC were released on March 26

Leave a reply

For the January Elevation of Privilege (Local Privilege Escalation) - Linux Kernel (CVE-2024-1086), the write-up and PoC were released on March 26
For the January Elevation of Privilege (Local Privilege Escalation) - Linux Kernel (CVE-2024-1086), the write-up and PoC were released on March 26

For the January Elevation of Privilege (Local Privilege Escalation) – Linux Kernel (CVE-2024-1086), the write-up and PoC were released on March 26. The video demo for the script looks impressive: they run the script as a regular user and after a couple of seconds they get a root shell. According to the author, the exploit works with most Linux kernels between versions 5.14 and 6.6, including Debian, Ubuntu and KernelCTF.

🔻 The exploit requires kconfig CONFIG_USER_NS=y; sh command sysctl kernel.unprivileged_userns_clone = 1; kconfig CONFIG_NF_TABLES=y. The author writes that this is the default for Debian, Ubuntu, and KernelCTF, and for other distributions it is necessary to test it.
🔹 The exploit does not work with kernels v6.4> with kconfig CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y (including Ubuntu v6.5)

NSFOCUS writes that Redhat is also vulnerable. 🤷‍♂️

На русском

I generated a report on the March Linux Patch Wednesday

Leave a reply

I generated a report on the March Linux Patch Wednesday
I generated a report on the March Linux Patch WednesdayI generated a report on the March Linux Patch WednesdayI generated a report on the March Linux Patch WednesdayI generated a report on the March Linux Patch WednesdayI generated a report on the March Linux Patch Wednesday

I generated a report on the March Linux Patch Wednesday. 134 vulnerabilities, of which 68 are in the Linux Kernel. There are no vulnerabilities with signs of exploitation in the wild. There are 15 vulnerabilities with PoCs.

🔸 The top vulnerability is Command Injection – libuv (CVE-2024-24806). This is a multi-platform library for asynchronous I/O. An attacker could potentially access internal APIs.

🔸 For aiohttp there is a pack of Command Injection (CVE-2023-37276, CVE-2023-47627, CVE-2023-49082) and Security Feature Bypass (CVE-2023-47641, CVE-2023-49081) with PoCs. It is an asynchronous client/server HTTP framework. The vulns were patched only in Russian RedOS and Debian.

🔸There are problems with vulnerability types/products detection due to the NVD crisis (no CPE & CWE). 🤷‍♂️

🔸 The Linux Kernel team is now a CNA and is creating a ton of CVEs with monstrously large descriptions. Because they can! 😏

🗒 March Linux Patch Wednesday

На русском

Recently there was news about an RCE vulnerability in FortiOS and FortiProxy (CVE-2023-42789)

Leave a reply

Recently there was news about an RCE vulnerability in FortiOS and FortiProxy (CVE-2023-42789)
Recently there was news about an RCE vulnerability in FortiOS and FortiProxy (CVE-2023-42789)Recently there was news about an RCE vulnerability in FortiOS and FortiProxy (CVE-2023-42789)

Recently there was news about an RCE vulnerability in FortiOS and FortiProxy (CVE-2023-42789). It “allows attacker to execute unauthorized code or commands via specially crafted HTTP requests”. The vulnerability is exploited in the captive portal, which, in theory, should not be accessible from the Internet. This is why the Fortinet bulletin warns about an “inside attacker”.

There is a repository on GitHub that allegedly contains a PoC, but its reliability is questionable. The code only implements checking the availability of the captive portal; there is no payload there. The repository was created by a user without any reputation or previous activity. He sells the full exploit code for ~$262. It looks like a scam, but if suddenly this is a truly functional exploit, then it is likely that it will quickly leak to the public.

In any case, it is worth updating or getting rid of this solution.

На русском

First impressions of the March Microsoft Patch Tuesday

Leave a reply

First impressions of the March Microsoft Patch Tuesday
First impressions of the March Microsoft Patch TuesdayFirst impressions of the March Microsoft Patch TuesdayFirst impressions of the March Microsoft Patch TuesdayFirst impressions of the March Microsoft Patch TuesdayFirst impressions of the March Microsoft Patch TuesdayFirst impressions of the March Microsoft Patch TuesdayFirst impressions of the March Microsoft Patch Tuesday

First impressions of the March Microsoft Patch Tuesday. So far I have not seen anything overtly critical. There are 80 vulnerabilities in total, including 20 added between the February and March MSPT.

With PoC there is only one:

🔻 Information Disclosure – runc (CVE-2024-21626). It allows an attacker to escape from the container. What does Microsoft have to do with it? The vulnerability has been fixed in Azure Kubernetes Service and CBL-Mariner (Microsoft’s internal Linux distribution).

For the rest, there are no signs of active exploitation or the existence of a PoC yet.

We can pay attention to the following:

🔸 Elevation of Privilege – Windows Kernel (CVE-2024-21443, CVE-2024-26173, CVE-2024-26176, CVE-2024-26178, CVE-2024-26182). Such vulnerabilities often become exploitable recently. The same applies to Elevation of Privilege – Windows Print Spooler (CVE-2024-21433).
🔸 Remote Code Execution – Open Management Infrastructure (OMI) (CVE-2024-21334). CVSS 9.8 and ZDI write that “it would allow a remote, unauthenticated attacker to execute code on OMI instances on the Internet”. Perhaps such instances are indeed often accessible via the Internet, this requires research. 🤷‍♂️
🔸 Remote Code Execution – Windows Hyper-V (CVE-2024-21407). This “guest-to-host escape” vulnerability was highlighted by everyone: Qualys, Tenable, Rapid7, ZDI.
🔸 Remote Code Execution – Microsoft Exchange (CVE-2024-26198). This is a “DLL loading” vulnerability. The details are still unclear, but I wouldn’t be surprised if there will be a detailed write-up on it soon.

🗒 Vulristics report

На русском

October 2023: back to Positive Technologies, Vulristics updates, Linux Patch Wednesday, Microsoft Patch Tuesday, PhysTech VM lecture

2 Replies

October 2023: back to Positive Technologies, Vulristics updates, Linux Patch Wednesday, Microsoft Patch Tuesday, PhysTech VM lecture. Hello everyone! October was an interesting and busy month for me. I started a new job, worked on my open source Vulristics project, and analyzed vulnerabilities using it. Especially Linux vulnerabilities as part of my new Linux Patch Wednesday project. And, of course, analyzed Microsoft Patch Tuesday as well. In addition, at the end of October I was a guest lecturer at MIPT/PhysTech university. But first thing first.

Alternative video link (for Russia): https://vk.com/video-149273431_456239138

Continue reading

September 2023: VM courses, Bahasa Indonesia, Russian Podcasts, Goodbye Tinkoff, MS Patch Tuesday, Qualys TOP 20, Linux, Forrester, GigaOm, R-Vision VM

2 Replies

September 2023: VM courses, Bahasa Indonesia, Russian Podcasts, Goodbye Tinkoff, MS Patch Tuesday, Qualys TOP 20, Linux, Forrester, GigaOm, R-Vision VM. Hello everyone! On the last day of September, I decided to record another retrospective episode on how my Vulnerability Management month went.

Alternative video link (for Russia): https://vk.com/video-149273431_456239136

September was quite a busy month for me.

Continue reading