Tag Archives: watchTowrLabs

About Elevation of Privilege – PAN-OS (CVE-2024-9474) vulnerability

Leave a reply

About Elevation of Privilege - PAN-OS (CVE-2024-9474) vulnerability

About Elevation of Privilege – PAN-OS (CVE-2024-9474) vulnerability. An attacker with PAN-OS administrator access to the management web interface can perform actions on the Palo Alto device with root privileges. Linux commands can be injected via unvalidated input in script.

The need for authentication and admin access could limit this vulnerability’s impact, but here we have the previous vulnerability Authentication Bypass – PAN-OS (CVE-2024-0012). 😏 Exploitation of this vulnerability chain was noted by Palo Alto on November 17. After November 19, when the watchTowr Labs article was published and exploits appeared, mass attacks began.

On November 21, Shadowserver reported that ~2000 hosts were compromised, mostly in the US and India. According to Wiz, attackers deployed web shells, Sliver implants and cryptominers.

На русском

About Authentication Bypass – PAN-OS (CVE-2024-0012) vulnerability

Leave a reply

About Authentication Bypass - PAN-OS (CVE-2024-0012) vulnerability

About Authentication Bypass – PAN-OS (CVE-2024-0012) vulnerability. An unauthenticated attacker with network access to the Palo Alto device web management interface could gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated vulnerabilities. Firewalls of the PA, VM, CN series and the Panorama management platform are vulnerable. The vendor recommends restricting access to the management web interface to trusted internal IP addresses only.

🔻 On November 8, a Palo Alto bulletin was released
🔻 On November 15, signs of attacks were noticed, labeled as “Operation Lunar Peek”
🔻 On November 18, the vulnerability was added to the CISA KEV
🔻 On November 19, watchTowr Labs released a post with technical details (“supply the off value to the X-PAN-AUTHCHECK HTTP request header, and the server helpfully turns off authentication”) 😏 and exploits soon appeared on GitHub

На русском

About Remote Code Execution – FortiManager “FortiJump” (CVE-2024-47575) vulnerability

Leave a reply

About Remote Code Execution - FortiManager FortiJump (CVE-2024-47575) vulnerability

About Remote Code Execution – FortiManager “FortiJump” (CVE-2024-47575) vulnerability. FortiManager is a centralized solution for configuring, enforcing policies, updating, and monitoring Fortinet network devices.

🔻 The vulnerability was released on October 23. A missing authentication for critical function in the FortiManager fgfmd (FortiGate-to-FortiManager) daemon allows remote attacker to execute arbitrary code or commands via specially crafted requests. There were signs of exploitation in the wild and the vulnerability was added to the CISA KEV.

🔻 On November 15, WatchTowr Labs published a post about this “FortiJump” vulnerability with a video demo and a link to the PoC. The researchers noted that the IOCs in the Fortinet bulletin can be bypassed. And the patch itself is incomplete. It is possible to escalate privileges on a patched device by exploiting a vulnerability called “FortiJump Higher”.

На русском

September episode of “In The Trend of VM”: 7 CVEs, fake reCAPTCHA, lebanese pagers, VM and IT annual bonuses

Leave a reply

September episode of “In The Trend of VM”: 7 CVEs, fake reCAPTCHA, lebanese pagers, VM and IT annual bonuses. Starting this month, we decided to slightly expand the topics of the videos and increase their duration. I cover not only the trending vulnerabilities of September, but also social engineering cases, real-world vulnerability exploitation, and practices of vulnerability management process. At the end we announce a contest of questions about Vulnerability Management with gifts. 🎁

📹 Video “In The Trend of VM” on YouTube
🗞 A post on Habr (rus) a slightly expanded script of the video
🗒 A compact digest on the official PT website

Content:

🔻 00:51 Elevation of Privilege – Windows Installer (CVE-2024-38014) and details about this vulnerability
🔻 02:42 Security Feature Bypass – Windows Mark of the Web “LNK Stomping” (CVE-2024-38217)
🔻 03:50 Spoofing – Windows MSHTML Platform (CVE-2024-43461)
🔻 05:07 Remote Code Execution – VMware vCenter (CVE-2024-38812)
🔻 06:20 Remote Code Execution – Veeam Backup & Replication (CVE-2024-40711), while the video was being edited, data about exploitation in the wild appeared
🔻 08:33 Cross Site Scripting – Roundcube Webmail (CVE-2024-37383)
🔻 09:31 SQL Injection – The Events Calendar plugin for WordPress (CVE-2024-8275)
🔻 10:30 Human vulnerabilities: fake reCAPTCHA
🔻 11:45 Real world vulnerabilities: еxplosions of pagers and other electronic devices in Lebanon and the consequences for the whole world
🔻 14:42 Vulnerability management process practices: tie annual bonuses of IT specialists to meeting SLAs for eliminating vulnerabilities
🔻 16:03 Final and announcement of the contest
🔻 16:24 Backstage

На русском

watchTowr Labs draws attention to some oddities with the fix for the Remote Code Execution – Veeam Backup & Replication vulnerability (CVE-2024-40711)

Leave a reply

watchTowr Labs draws attention to some oddities with the fix for the Remote Code Execution - Veeam Backup & Replication vulnerability (CVE-2024-40711)

watchTowr Labs draws attention to some oddities with the fix for the Remote Code Execution – Veeam Backup & Replication vulnerability (CVE-2024-40711).

🔹 The description of the vulnerability in NVD tells us that authentication is not required to exploit the vulnerability, but the CVSS vector in the vendor bulletin indicates that authentication is required (“PR:L”).

🔹 The large number of changes in the patch hints that the vendor fixed some vulnerabilities without informing customers (silent patching).

🔹 The researchers concluded that CVE-2024-40711 was fixed in several stages. At first, exploitation of the vulnerability did not require authentication, then a patch was released and exploitation began to require authentication, and finally, the second patch completely fixed this vulnerability.

❗ Exploitation of the vulnerability allows an attacker to destroy backups and significantly complicate the restoration of the organization’s infrastructure.

На русском

About Remote Code Execution – Veeam Backup & Replication (CVE-2024-40711) vulnerability

Leave a reply

About Remote Code Execution - Veeam Backup & Replication (CVE-2024-40711) vulnerability

About Remote Code Execution – Veeam Backup & Replication (CVE-2024-40711) vulnerability. The bulletin was released on September 4. The vulnerability description states that it is caused by deserialization of untrusted data with a malicious payload. The vulnerability was discovered by a researcher from CODE WHITE.

Five days later, on September 9, researchers from another company, watchTowr Labs, posted a detailed write-up, exploit code, and a video demonstrating exploitation.

There are no signs of exploitation in the wild for this vulnerability yet. As with the June vulnerability in Veeam B&R (CVE-2024-29849). This does not mean that attackers do not exploit these vulnerabilities. It is possible that targeted attacks using these vulnerabilities have simply not yet been reliably confirmed. For example, CISA KEV contains Veeam B&R vulnerabilities from 2022, which were added to the list only in 2023. 😉

Update in advance!

На русском