Bad day for VPN routers: Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474 auth bypass by HTTP, privesc via command injection. Exploitation enables pre-auth RCE chaining the bypass to inject arbitrary commands in PHP session handling, targeting SSLVPN devices.

Being actively exploited.

https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/

‘ We simply… supply the off value to the X-PAN-AUTHCHECK HTTP request header, and the server helpfully turns off authentication?! At this point, why is anyone surprised?’

NIST-defined critical software.
https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/

Updates on PAN-SA-2024-0015: The blog has been updated with the following latest information provided by Palo Alto.

1) CVE-2024-0012 has been assigned
2) Indicators of Compromise has been updated.
3) Added a section "What if I found one of the IOCs in my Organization's environment??"
4) Affected Products and Product versions has been updated
5) Fixed versions has been updated.

Refer: https://patchnow24x7.com/blog-1/f/pan-sa-2024-0015-secure-your-paloalto-management-interface-now

#PatchNOW
#Vulnerability
#ComputerSecurity
#hacked
#Cyberattack
#infosec
#informationsecurity
#CyberSecurityAwareness
#DataBreach
#cybersecurity

r u freakin' kidding me? "X-PAN-AUTHCHECK: off" - seriously?!

https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/?123

Bad day for VPN routers: Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474 auth bypass by HTTP, privesc via command injection. Exploitation enables pre-auth RCE chaining the bypass to inject arbitrary commands in PHP session handling, targeting SSLVPN devices.

Being actively exploited.

https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/

‘ We simply… supply the off value to the X-PAN-AUTHCHECK HTTP request header, and the server helpfully turns off authentication?! At this point, why is anyone surprised?’

NIST-defined critical software.
https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/

r u freakin' kidding me? "X-PAN-AUTHCHECK: off" - seriously?!

https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/?123

Schwachstelle bei AnyDesk

https://www.borncity.com/blog/2024/11/19/anydesk-fuer-windows-schwachstelle-cve-2024-52940-bis-version-8-1-0/

@cR0w This is from a client lol, AlienVault is flagging 127.0.0.0/8 connections as cve-2024-26229 IOCs 🙄

Progress Kemp #LoadMaster contains an OS Command #Injection #vulnerability that allows an unauthenticated, remote attacker to access the system through the LoadMaster management interface, enabling arbitrary system command execution (CVE-2024-1212):
https://thehackernews.com/2024/11/cisa-alert-active-exploitation-of.html

It has been 0 days since I've had to tap the sign:
https://infosec.exchange/@ckure/111970971640286655

"CVE-2024-10224: local attackers can execute arbitrary shell commands as root by tricking needrestart into open()ing a filename of the form "commands|" (technically, this vulnerability is in Perl's ScanDeps module, but it is unclear whether this module was ever meant to operate on attacker-controlled files or not)."

https://www.qualys.com/2024/11/19/needrestart/needrestart.txt

🚨CVE-2024-35250 PoC for the Untrusted Pointer Dereference in the ks.sys driver

https://darkwebinformer.com/cve-2024-35250-poc-for-the-untrusted-pointer-dereference-in-the-ks-sys-driver/

Tracked as CVE-2024-21287 (CVSS score of 7.5), the zero-day affects Agile PLM version 9.3.6 and can be exploited remotely without authentication. https://www.securityweek.com/oracle-patches-exploited-agile-plm-zero-day/

CISA: CISA Adds Two Known Exploited Vulnerabilities to Catalog
Hot off the press!

• CVE-2024-38812 (9.8 critical) VMware vCenter Server heap-overflow vulnerability
• CVE-2024-38813 (7.5 high) VMware vCenter privilege escalation vulnerability

#cisa #kev #cisakev #knownexploitedvulnerabilitiescatalog #vmware #vcenter #vulnerability #eitw #activeexploitation #infosec #cybersecurity

CISA: CISA Adds Two Known Exploited Vulnerabilities to Catalog
Hot off the press!

• CVE-2024-38812 (9.8 critical) VMware vCenter Server heap-overflow vulnerability
• CVE-2024-38813 (7.5 high) VMware vCenter privilege escalation vulnerability

#cisa #kev #cisakev #knownexploitedvulnerabilitiescatalog #vmware #vcenter #vulnerability #eitw #activeexploitation #infosec #cybersecurity

What a wonderful writeup of the #fortinet vulnerabilities found by watchtowr labs. It's insightful and entertaining :) #cybersecurity #security #infosec

https://labs.watchtowr.com/hop-skip-fortijump-fortijumphigher-cve-2024-23113-cve-2024-47575/

What a wonderful writeup of the #fortinet vulnerabilities found by watchtowr labs. It's insightful and entertaining :) #cybersecurity #security #infosec

https://labs.watchtowr.com/hop-skip-fortijump-fortijumphigher-cve-2024-23113-cve-2024-47575/

iOS 18.1.1 und macOS Sequoia 15.1.1 schließen aktiv ausgenutzte Sicherheitslücken
Apple hat mit den neuen Updates iOS 18.1.1 und macOS Sequoia 15.1.1 bedeutende Sicherheitslücken geschlossen, die Beric
https://www.apfeltalk.de/magazin/feature/ios-18-1-1-und-macos-sequoia-15-1-1-schliessen-aktiv-ausgenutzte-sicherheitsluecken/
#Feature #iPad #iPhone #Mac #Apple #CrossSiteScripting #CVE202444308 #CVE202444309 #IntelMac #IOS1811 #JavaScriptCore #MacOSSequoia1511 #Sicherheitsupdate #Webkit

iOS 18.1.1 und macOS Sequoia 15.1.1 schließen aktiv ausgenutzte Sicherheitslücken
Apple hat mit den neuen Updates iOS 18.1.1 und macOS Sequoia 15.1.1 bedeutende Sicherheitslücken geschlossen, die Beric
https://www.apfeltalk.de/magazin/feature/ios-18-1-1-und-macos-sequoia-15-1-1-schliessen-aktiv-ausgenutzte-sicherheitsluecken/
#Feature #iPad #iPhone #Mac #Apple #CrossSiteScripting #CVE202444308 #CVE202444309 #IntelMac #IOS1811 #JavaScriptCore #MacOSSequoia1511 #Sicherheitsupdate #Webkit

Spot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation
Analysis With The APT10 Umbrella
https://www.trendmicro.com/en_us/research/24/k/lodeinfo-campaign-of-earth-kasha.html

LODEINFO is a malware used in attacks targeting mainly Japan since 2019. Trend
Micro has been tracking the group as Earth Kasha. We have identified a new
campaign connected to this group with significant updates to their strategy,
tactics, and arsenals.

In the new campaign starting in early 2023, Earth Kasha expanded their targets
into Japan, Taiwan, and India. Based on the bias of the incident amount, while
we believe that Japan is still the main target of Earth Kasha, we observed
that a few high-profile organizations in Taiwan and India were targeted. The
observed industries under attack are organizations related to advanced
technology and government agencies.

Earth Kasha has also employed different Tactics, Techniques, and Procedures
(TTPs) in the Initial Access phase, which now exploits public-facing
applications such as SSL-VPN and file storage services. We observed that
vulnerabilities of enterprise products, such as Array AG (CVE-2023-28461),
Proself (CVE-2023-45727) and FortiOS/FortiProxy (CVE-2023-27997), were abused
in the wild. Earth Kasha was changing these vulnerabilities to abuse from time
to time. After gaining access, they deployed several backdoors in the victim's
network to achieve persistence. These include Cobalt Strike, LODEINFO, and the
newly discovered NOOPDOOR, which we will describe later.

Spot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation
Analysis With The APT10 Umbrella
https://www.trendmicro.com/en_us/research/24/k/lodeinfo-campaign-of-earth-kasha.html

LODEINFO is a malware used in attacks targeting mainly Japan since 2019. Trend
Micro has been tracking the group as Earth Kasha. We have identified a new
campaign connected to this group with significant updates to their strategy,
tactics, and arsenals.

In the new campaign starting in early 2023, Earth Kasha expanded their targets
into Japan, Taiwan, and India. Based on the bias of the incident amount, while
we believe that Japan is still the main target of Earth Kasha, we observed
that a few high-profile organizations in Taiwan and India were targeted. The
observed industries under attack are organizations related to advanced
technology and government agencies.

Earth Kasha has also employed different Tactics, Techniques, and Procedures
(TTPs) in the Initial Access phase, which now exploits public-facing
applications such as SSL-VPN and file storage services. We observed that
vulnerabilities of enterprise products, such as Array AG (CVE-2023-28461),
Proself (CVE-2023-45727) and FortiOS/FortiProxy (CVE-2023-27997), were abused
in the wild. Earth Kasha was changing these vulnerabilities to abuse from time
to time. After gaining access, they deployed several backdoors in the victim's
network to achieve persistence. These include Cobalt Strike, LODEINFO, and the
newly discovered NOOPDOOR, which we will describe later.

Spot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation
Analysis With The APT10 Umbrella
https://www.trendmicro.com/en_us/research/24/k/lodeinfo-campaign-of-earth-kasha.html

LODEINFO is a malware used in attacks targeting mainly Japan since 2019. Trend
Micro has been tracking the group as Earth Kasha. We have identified a new
campaign connected to this group with significant updates to their strategy,
tactics, and arsenals.

In the new campaign starting in early 2023, Earth Kasha expanded their targets
into Japan, Taiwan, and India. Based on the bias of the incident amount, while
we believe that Japan is still the main target of Earth Kasha, we observed
that a few high-profile organizations in Taiwan and India were targeted. The
observed industries under attack are organizations related to advanced
technology and government agencies.

Earth Kasha has also employed different Tactics, Techniques, and Procedures
(TTPs) in the Initial Access phase, which now exploits public-facing
applications such as SSL-VPN and file storage services. We observed that
vulnerabilities of enterprise products, such as Array AG (CVE-2023-28461),
Proself (CVE-2023-45727) and FortiOS/FortiProxy (CVE-2023-27997), were abused
in the wild. Earth Kasha was changing these vulnerabilities to abuse from time
to time. After gaining access, they deployed several backdoors in the victim's
network to achieve persistence. These include Cobalt Strike, LODEINFO, and the
newly discovered NOOPDOOR, which we will describe later.