Elevation of Privilege - Microsoft Streaming Service (CVE-2023-29360) has been exploited in the wild by the Raspberry Robin malware since August 2023. The vulnerability allows an attacker to gain SYSTEM privileges. Since September 2023 there is a PoC on GitHub.
That's how it happens. There was an unremarkable vulnerability with a small CVSS, which only Qualys briefly highlighted at the time of the release of June Microsoft Patch Tuesday. And then it turns out that the vulnerable component is different, and the vulnerability is actively exploited in the wild. 🤷♂️
CheckPoint reports that Raspberry Robin also exploits Elevation of Privilege – Microsoft Streaming Service Proxy (CVE-2023-36802), but for this vulnerability the signs of exploitation in the wild have existed since September MSPT, so this is not news. There is also a PoC for this vulnerability on GitHub.
На русском
@avleonovcom #Vulristics #CheckPoint #RaspberryRobin #EoP #MSKSSRVSYS #Microsoft
That's how it happens. There was an unremarkable vulnerability with a small CVSS, which only Qualys briefly highlighted at the time of the release of June Microsoft Patch Tuesday. And then it turns out that the vulnerable component is different, and the vulnerability is actively exploited in the wild. 🤷♂️
CheckPoint reports that Raspberry Robin also exploits Elevation of Privilege – Microsoft Streaming Service Proxy (CVE-2023-36802), but for this vulnerability the signs of exploitation in the wild have existed since September MSPT, so this is not news. There is also a PoC for this vulnerability on GitHub.
На русском
@avleonovcom #Vulristics #CheckPoint #RaspberryRobin #EoP #MSKSSRVSYS #Microsoft
⚡1
The latest Authentication Bypass - TeamCity (CVE-2024-27198, CVE-2024-27199). Formally, there is no public PoC yet, but Rapid7 released detailed write-up, so expect it very soon. They are famous for such tricks. 😉
A similar vulnerability in TeamCity (CVE-2023-42793) was actively exploited in attacks last year. Let's see how it goes this time. 🫠
All versions less than 2023.11.4 are vulnerable. Patch it now! 😇
На русском
@avleonovcom #Vulristics #TeamCity #JetBrains #Rapid7
A similar vulnerability in TeamCity (CVE-2023-42793) was actively exploited in attacks last year. Let's see how it goes this time. 🫠
All versions less than 2023.11.4 are vulnerable. Patch it now! 😇
На русском
@avleonovcom #Vulristics #TeamCity #JetBrains #Rapid7
⚡1
As expected, the script for exploiting Authentication Bypass - TeamCity (CVE-2024-27198, CVE-2024-27199) appeared on GitHub a few hours after the Rapid7 article was published. 🙂 The whole script is about creating an administrator account with one request. 🤷♂️
На русском
@avleonovcom #TeamCity #JetBrains #Rapid7 #PoC
На русском
@avleonovcom #TeamCity #JetBrains #Rapid7 #PoC
⚡2
February 2024: Vulremi, Vuldetta, PT VM Course relaunch, PT TrendVulns digests, Ivanti, Fortinet, MSPT, Linux PW
Hello everyone! In this episode, I will talk about the February updates of my open source projects, also about projects at my main job at Positive Technologies and interesting vulnerabilities.
My Open Source projects
00:14 Vulremi - a simple vulnerability remediation utility
00:55 Vuldetta - an API for detecting vulnerabilities based on a list of Linux packages
Positive Technologies
01:22 Two new video modules for the relaunch of the Vulnerability Management training course
02:00 Monthly digests of trending vulnerabilities
Vulnerabilities
02:17 RCEs in the Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA (CVE-2024-21887, CVE-2023-46805, CVE-2024-21893)
03:47 Arbitrary Code Execution vulnerability in Fortinet FortiOS and FortiProxy (CVE-2024-21762)
04:11 Cisco ASA Information Disclosure vulnerability (CVE-2020-3259) is used by the Akira ransomware
04:55 February Microsoft Patch Tuesday
07:14 February Linux Patch Wednesday
🎞 Video
📘 Blogpost
🎞 VKVideo
@avleonovcom #Vulremi #Vuldetta #PositiveTechnologies #Ivanti #Fortinet #FortiOS #FortiProxy #Cisco #CiscoASA #Akira #Microsoft #patchtuesday #Linux #LinuxPatchWednesday
Hello everyone! In this episode, I will talk about the February updates of my open source projects, also about projects at my main job at Positive Technologies and interesting vulnerabilities.
My Open Source projects
00:14 Vulremi - a simple vulnerability remediation utility
00:55 Vuldetta - an API for detecting vulnerabilities based on a list of Linux packages
Positive Technologies
01:22 Two new video modules for the relaunch of the Vulnerability Management training course
02:00 Monthly digests of trending vulnerabilities
Vulnerabilities
02:17 RCEs in the Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA (CVE-2024-21887, CVE-2023-46805, CVE-2024-21893)
03:47 Arbitrary Code Execution vulnerability in Fortinet FortiOS and FortiProxy (CVE-2024-21762)
04:11 Cisco ASA Information Disclosure vulnerability (CVE-2020-3259) is used by the Akira ransomware
04:55 February Microsoft Patch Tuesday
07:14 February Linux Patch Wednesday
🎞 Video
📘 Blogpost
🎞 VKVideo
@avleonovcom #Vulremi #Vuldetta #PositiveTechnologies #Ivanti #Fortinet #FortiOS #FortiProxy #Cisco #CiscoASA #Akira #Microsoft #patchtuesday #Linux #LinuxPatchWednesday
YouTube
February 2024: Vulremi, Vuldetta, PT VM Course, TrendVulns digests, Ivanti, Fortinet, MSPT, Linux PW
Hello everyone! In this episode, I will talk about the February updates of my open source projects, also about projects at my main job at Positive Technologies and interesting vulnerabilities.
My Open Source projects
00:14 Vulremi - a simple vulnerability…
My Open Source projects
00:14 Vulremi - a simple vulnerability…
⚡3
I watched an episode of Application Security Weekly with Emily Fox about Vulnerability Management. As is common now, the hosts and guest pointed out that there are too many known vulnerabilities, 3-4% of them are actually exploited, and therefore not all vulnerabilities need to be fixed. And in order to understand what exactly does not need to be fixed, you need to
🔹 Take into account security layers that prevent exploitation of vulnerabilities.
🔹 Consider how the risk of exploitation and the type of vulnerable asset are related.
🔹 Assess the likelihood of exploitation in the context of a specific organization.
The words here seem to be all good, and I would even agree with them. But where to find reliable sources of information (about vulnerabilities, infrastructure, security mechanisms) and tools for processing them? And how can we make it all work very reliably?
So that we can give a hand to cut off that this vulnerability 100% does not need to be fixed and this vulnerability will never be actively exploited in attacks. 🙋♂️ And do this not just for one vulnerability, but en masse. Are there any brave souls with extra hands? IMHO, if you are not ready to do this, then you should not argue that some vulnerabilities can be left unfixed.
If there is a vulnerability (even potentially) and it can be fixed by an update, then it SHOULD be fixed by an update. As planned or faster than planned. But everything needs to be fixed. At the same time, getting rid of vulnerable assets, software, components, images is quite a good way to fix it. The smaller the attack surface, the better. If updating for some reason is difficult and painful, then first of all you need to resolve this issue. Why is this difficult and painful? What's wrong with the organization's basic processes that we can't do it? Maybe we need to look towards better architecture?
This is better than making unreliable assumptions that perhaps this vulnerability is not critical enough to be fixed. Because, as a rule, we know practically nothing about these vulnerabilities: today it is unexploitable, but tomorrow it will become exploitable, and the day after tomorrow all script kiddies will exploit it. It is possible that this vulnerability has been actively used in targeted attacks for several years now. Who can say that this is not the case?
It is very symptomatic, by the way, that in this episode it was recommended to use EPSS to select the most potentially dangerous vulnerabilities. 🤦♂️ A tool that, to my deep regret, simply does not work and shows low values for the probability of an exploit appearing for actively exploited vulnerabilities and high values for those vulnerabilities for which exploits have not appeared for years. 🤷♂️
For example, look at my Vulristics report for the February Microsoft Patch Tuesday. Elevation of Privilege - Windows Kernel (CVE-2024-21338) in CISA KEV, and its EPSS values are low (EPSS Probability is 0.00079, EPSS Percentile is 0.32236). 🤡 You can just as easily read tea leaves, maybe it will be even more effective. Therefore, the rest of the “magic of triage” also causes skepticism.
Again:
🔻 All detected vulnerabilities must be fixed in accordance with the vendor’s recommendations.
🔻 First of all, you need to fix what is actually exploited in attacks or will be exploited in the near future (trending vulnerabilities).
На русском
@avleonovcom #VMProcess #ASW #TrendVulns
🔹 Take into account security layers that prevent exploitation of vulnerabilities.
🔹 Consider how the risk of exploitation and the type of vulnerable asset are related.
🔹 Assess the likelihood of exploitation in the context of a specific organization.
The words here seem to be all good, and I would even agree with them. But where to find reliable sources of information (about vulnerabilities, infrastructure, security mechanisms) and tools for processing them? And how can we make it all work very reliably?
So that we can give a hand to cut off that this vulnerability 100% does not need to be fixed and this vulnerability will never be actively exploited in attacks. 🙋♂️ And do this not just for one vulnerability, but en masse. Are there any brave souls with extra hands? IMHO, if you are not ready to do this, then you should not argue that some vulnerabilities can be left unfixed.
If there is a vulnerability (even potentially) and it can be fixed by an update, then it SHOULD be fixed by an update. As planned or faster than planned. But everything needs to be fixed. At the same time, getting rid of vulnerable assets, software, components, images is quite a good way to fix it. The smaller the attack surface, the better. If updating for some reason is difficult and painful, then first of all you need to resolve this issue. Why is this difficult and painful? What's wrong with the organization's basic processes that we can't do it? Maybe we need to look towards better architecture?
This is better than making unreliable assumptions that perhaps this vulnerability is not critical enough to be fixed. Because, as a rule, we know practically nothing about these vulnerabilities: today it is unexploitable, but tomorrow it will become exploitable, and the day after tomorrow all script kiddies will exploit it. It is possible that this vulnerability has been actively used in targeted attacks for several years now. Who can say that this is not the case?
It is very symptomatic, by the way, that in this episode it was recommended to use EPSS to select the most potentially dangerous vulnerabilities. 🤦♂️ A tool that, to my deep regret, simply does not work and shows low values for the probability of an exploit appearing for actively exploited vulnerabilities and high values for those vulnerabilities for which exploits have not appeared for years. 🤷♂️
For example, look at my Vulristics report for the February Microsoft Patch Tuesday. Elevation of Privilege - Windows Kernel (CVE-2024-21338) in CISA KEV, and its EPSS values are low (EPSS Probability is 0.00079, EPSS Percentile is 0.32236). 🤡 You can just as easily read tea leaves, maybe it will be even more effective. Therefore, the rest of the “magic of triage” also causes skepticism.
Again:
🔻 All detected vulnerabilities must be fixed in accordance with the vendor’s recommendations.
🔻 First of all, you need to fix what is actually exploited in attacks or will be exploited in the near future (trending vulnerabilities).
На русском
@avleonovcom #VMProcess #ASW #TrendVulns
👍5
Congratulations to all the ladies on International Women's Day!
I wish you happiness, prosperity, realization of creative potential, equal rights and fair wages! 👩💻
На русском
@avleonovcom #8march
I wish you happiness, prosperity, realization of creative potential, equal rights and fair wages! 👩💻
На русском
@avleonovcom #8march
👍4❤2❤🔥1🤣1
I watched the recording of the Positive Technologies webinar "How to use MaxPatrol VM API: theory and practice". On the theoretical part, everything is clear: there is a documented API; it is the same for integrations and Web GUI. 🙂
On the practical side they showed:
🔻 How to use the MaxPatrol API in the Nightingale REST client (examples on GitHub).
🔻 Unofficial PTVM SDK. A small Python script with one class for working with the MaxPatrol API.
🔻 Positive CLI for MaxPatrol API. So, automation can be done simply with shell scripts! 😇 A much more functional project than the SDK, also in Python. The screenshots show the vulnerabilities with criticality calculated using FSTEC methodology and trending vulnerabilities with an exploit.
🔻 How to use the MaxPatrol API in the low-code tool n8n (e.g. sending query results to Telegram).
Links to projects are on the addons page.
Show it to your colleagues who work with MaxPatrol VM. 😉
На русском
@avleonovcom #PositiveTechnologies #MaxPatrolAPI #MaxPatrolVM #n8n
On the practical side they showed:
🔻 How to use the MaxPatrol API in the Nightingale REST client (examples on GitHub).
🔻 Unofficial PTVM SDK. A small Python script with one class for working with the MaxPatrol API.
🔻 Positive CLI for MaxPatrol API. So, automation can be done simply with shell scripts! 😇 A much more functional project than the SDK, also in Python. The screenshots show the vulnerabilities with criticality calculated using FSTEC methodology and trending vulnerabilities with an exploit.
🔻 How to use the MaxPatrol API in the low-code tool n8n (e.g. sending query results to Telegram).
Links to projects are on the addons page.
Show it to your colleagues who work with MaxPatrol VM. 😉
На русском
@avleonovcom #PositiveTechnologies #MaxPatrolAPI #MaxPatrolVM #n8n
👍1