CVE-2024-2961

The GNU C Library glibc

17 Apr 2024
Published
17 Apr 2024
Updated

CVSS
Pending

  • 12 Posts
  • 77 Interactions

CVE Info

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.

Fediverse

glibc iconv buffer overflow vulnerability that can be used for remote code execution on servers running PHP. Present for 24 years. This is the kind of stuff Rust was made for.

- openwall.com/lists/oss-securit
- nvd.nist.gov/vuln/detail/CVE-2
- rockylinux.org/news/glibc-vuln

  • 9
  • 20
  • 4 hours ago
A vulnerability (CVE-2024-2961) that may affect PHP applications is receiving patches on many operating systems. It's advised to update & restart your systems where patches are available.

Ubuntu/Debian/Fedora appear to have patches available for supported systems. Rocky has some checking/workaround guidance here:

rockylinux.org/news/glibc-vuln

  • 2
  • 1
  • 8 hours ago
There is a new PHP vulnerability out. It is being tracked as CVE-2024-2961. Here’s a video explaining the vulnerability youtu.be/u8jLUjpCWrs?si=Fm1JSB #cve #vulnerability #hacking #php #linux #news #Security

  • 2
  • 0
  • 11 hours ago
"the iconv() function in the GNU C library is prone to a buffer overflow vulnerability when converting strings to the ISO-2022-CN-EXT character set, which may lead to denial of service (application crash) or the execution of arbitrary code" The Chinese at it again?

#CVE-2024-2961

  • 2
  • 0
  • 8 hours ago
A 24-year-old bug has been discovered in iconv in glibc; it impacts the PHP engine.

CVE: nvd.nist.gov/vuln/detail/CVE-2
More detail in video: youtube.com/watch?v=kQdRT2odUI

  • 0
  • 0
  • 8 hours ago
Should you have noticed a short "absence" of the #IzzyOnDroid primary web server, that was probably the reboot…

A CVE was published to oss-sec 5 days ago and got its fixes available today (security-tracker.debian.org/tr), so it was applied immediately as the vuln would have affected some components here.

My thanks here once more goes to @obfusk for bringing it to my attention – and to my service provider who swiftly applied the updates within just minutes 🤩

#security

  • 0
  • 0
  • last hour
Regarding the recent glibc vulnerability (CVE-2024-2961) on servers serving php content, here's a step-by-step guide to secure your Rocky Linux installation rockylinux.org/news/glibc-vuln #RockyLinux #ELCommunity #Linux #glibc

  • 5
  • 13
  • 20 hours ago
Oh just PHP apps? NBD #CVE_2024_2961 #ThreatIntel

securityonline.info/cve-2024-2961-glibc-vulnerability-opens-door-to-php-attacks-patch-immediately/

The vulnerability, cataloged under CVE-2024-2961 and rated 8.8 on the CVSS scale, resides in the ISO-2022-CN-EXT plugin of the glibc’s iconv library. This critical flaw occurs during the charset conversion process from UCS4, where specific escape characters are required to signify changes in the charset to the library. However, due to insufficient boundary checks on internal buffers, an out-of-bounds write can occur, allowing up to three bytes to be written outside the intended memory area.

This vulnerability poses a significant risk as it compromises the Integrity, Confidentiality, and Availability (ICA) triad by potentially allowing attackers to craft malicious character sequences that trigger the out-of-bounds write, leading to remote code execution. The exploitation of this flaw could result in application crashes, arbitrary memory corruption, data overwrites, and even system takeovers.

  • 2
  • 12
  • 19 hours ago
CVE-2024-2961 quick fix roundup:

Ubuntu <22.04:
/usr/lib/x86_64-linux-gnu/gconv/gconv-modules
Ubuntu 22.04:
/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.d/gconv-modules-extra.conf
CentOS:
/usr/lib64/gconv/gconv-modules
AlmaLinux:
/usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf

Run:
sed -i -e '/^.*ISO-2022-CN-EXT.*$/s/^#*/#/' <filename>
iconvconfig

After fix:
iconv -l | grep -E 'CN-?EXT'

  • 0
  • 1
  • 15 hours ago
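The workaround in the roundup above, written as an added example that is not part of the original post: a POSIX shell function that comments out every ISO-2022-CN-EXT line in a gconv-modules file (using the same sed expression as the roundup, which is idempotent because `s/^#*/#/` collapses any run of leading `#` into one) and a second function that counts the lines still active, so the edit can be verified before `iconvconfig` is run. The file path differs per distribution, as listed above; the sample file contents used to exercise it are constructed, not copied from a real system.

```shell
# Added example (not from the original post): disable the ISO-2022-CN-EXT
# gconv module by commenting out its lines in a gconv-modules file.

# Usage: disable_cn_ext /path/to/gconv-modules
# Comments out every line mentioning ISO-2022-CN-EXT. Writes to a temp
# file and moves it over so a partial write never leaves the module
# table truncated.
disable_cn_ext() {
  f="$1"
  sed -e '/ISO-2022-CN-EXT/s/^#*/#/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Prints the number of ISO-2022-CN-EXT lines that are still active
# (not commented out). 0 means the workaround is fully applied.
# grep -c exits non-zero when the count is 0, hence the "|| true".
count_active_cn_ext() {
  grep -c -E '^[^#].*ISO-2022-CN-EXT' "$1" || true
}

# Apply the workaround and report. Afterwards run iconvconfig (as root)
# so the gconv cache picks up the change, then confirm with
#   iconv -l | grep -E 'CN-?EXT'
# which should print nothing.
apply_workaround() {
  disable_cn_ext "$1"
  echo "active ISO-2022-CN-EXT lines left: $(count_active_cn_ext "$1")"
}
```

Run `apply_workaround` against a copy of the distribution's file first; once the count reads 0, apply it to the real path and run `iconvconfig`. Reverting is a matter of restoring the package's copy of the file and running `iconvconfig` again.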

CVE-2022-38028

KEV
Microsoft Windows 10 Version 1809

11 Oct 2022
Published
20 Dec 2023
Updated

CVSS v3.1
HIGH (7.8)

  • 10 Posts
  • 83 Interactions

CVE Info

Windows Print Spooler Elevation of Privilege Vulnerability

Fediverse

Microsoft said today that Russian hackers have been exploiting the vulnerability tracked as CVE-2022-38028 since at least 2020. That would make it an 0day at the time Microsoft patched it in October 2022. And yet, Microsoft has never acknowledged that vulnerability as such. What's up with that?

microsoft.com/en-us/security/b

msrc.microsoft.com/update-guid

  • 38
  • 31
  • 23 hours ago
Hot off the press! CISA adds CVE-2022-38028 to the Known Exploited Vulnerabilities (KEV) Catalog after Microsoft's blog post states that Russian APT28 exploited it as a zero-day for years. 🔗cisa.gov/news-events/alerts/20

  • 1
  • 2
  • 2 hours ago
The post-compromise tool, which is said to have been used since at least June 2020 and possibly as early as April 2019, leveraged a now-patched flaw that allowed for privilege escalation (CVE-2022-38028, CVSS score: 7.8). thehackernews.com/2024/04/russ

  • 0
  • 0
  • 5 hours ago
Windows Print Spooler vulnerability - patched long ago, but happily used by Russia's Fancy Bear for attacks.

borncity.com/blog/2024/04/23/w

  • 0
  • 0
  • 5 hours ago
@ntkramer gonna enrich your toot with my reply: Microsoft article
What I took out of it was APT28's tool GooseEgg exploited CVE-2022-38028 (7.8 high, disclosed 11 October 2022 by Microsoft; Windows Print Spooler Elevation of Privilege Vulnerability) as a zero-day since at least June 2020 (possibly as early as April 2019) which was 2 years 4 months to 3 years 6 months.

To that end, CISA added CVE-2022-38028 to the Known Exploited Vulnerabilities (KEV) Catalog today: cisa.gov/news-events/alerts/20

  • 0
  • 0
  • 2 hours ago
@mttaggart I think one of the key takeaways is that APT28, a Russian state actor publicly attributed to GRU Military Unit 26165, exploited CVE-2022-38028 as a zero-day for 2 years before it was publicly disclosed and patched:

Since at least June 2020 and possibly as early as April 2019, Forest Blizzard has used the tool, which we refer to as GooseEgg, to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.

  • 2
  • 2
  • 22 hours ago
This analysis of #APT28 aka #ForestBlizzard methodology is being reported all over as though it were special. And while it may be "unique" to the group, it's just...not that special.

Everything I see here should be detected by modern standard defenses. This attack chain doesn't even read like an APT to me; it reads like a cybercrime group.

What am I missing?

  • 1
  • 2
  • 23 hours ago
@dangoodin Should your post read CVE-2022-38028?

  • 0
  • 0
  • 22 hours ago

CVE-2024-4040

CrushFTP

22 Apr 2024
Published
22 Apr 2024
Updated

CVSS v3.1
HIGH (7.7)

  • 13 Posts
  • 83 Interactions

CVE Info

VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.

Fediverse

Rapid7 researcher @fuzz analyzed CVE-2024-4040 and found that it's not only exploitable for arbitrary file read as root, but also authentication bypass for admin access and full RCE. Patch immediately. rapid7.com/blog/post/2024/04/2

  • 8
  • 5
  • 1 hour ago
Exploit from airbus-cert is out for CVE-2024-4040

Expect more in the wild exploitation in the coming days.. infosec.exchange/@wvu/11232021

  • 4
  • 3
  • 4 hours ago
@h4sh Rapid7 has a much more severe analysis of CVE-2024-4040, the actively exploited CrushFTP zero-day. 🔗 rapid7.com/blog/post/2024/04/2

Rapid7’s vulnerability research team analyzed CVE-2024-4040 and determined that it is fully unauthenticated and trivially exploitable; successful exploitation allows for not only arbitrary file read as root, but also authentication bypass for administrator account access and full remote code execution. Successful exploitation allows a remote, unauthenticated attacker to access and potentially exfiltrate all files stored on the CrushFTP instance.

Although the vulnerability has been formally described as an arbitrary file read, Rapid7 believes that it can be more accurately categorized as a server-side template injection (SSTI).

  • 1
  • 1
  • 1 hour ago
Okay, other than the vendor's email to their customers I have not seen any proof that the bug is unauthenticated.

Can anyone from IR teams confirm that the exploitation was ever unauthenticated? I just need proof if I am to update the CVSS from 7.7 to like, 8.6

  • 1
  • 0
  • 7 hours ago
I bring you CVE-2024-4040: VFS Sandbox Escape in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.

cve.org/CVERecord?id=CVE-2024-

If anyone disagrees with our CVSS analysis, please let me know & bring proof

  • 5
  • 7
  • 21 hours ago
Shoutout to @h4sh for getting a CVE ID assigned to this actively exploited zero-day CrushFTP vulnerability: CVE-2024-4040 (reported by Simon Garrelou, of Airbus CERT). cve.org/CVERecord?id=CVE-2024-

VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.

  • 4
  • 7
  • 21 hours ago
The CrushFTP zero-day is now CVE-2024-4040

nvd.nist.gov/vuln/detail/CVE-2

  • 4
  • 2
  • 18 hours ago
@campuscodi Kudos to @h4sh for assigning the CVE to the actively exploited CrushFTP zero-day: infosec.exchange/@h4sh/1123165

According to his analysis and patch diffing, the CVSSv3 score for CVE-2024-4040 is 7.7 HIGH: Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Did some patch diffing on the new bug, and it does look like the bug has 2 components and at least one of them needs some form of authentication to exploit (need creation of something).
After the first stage, the reading of the file outside of VFS sandbox might not need authentication. I am not sure.

  • 4
  • 2
  • 18 hours ago
Here's a template to detect potentially unpatched 10.x servers against CVE-2024-4040.

Note that the templates do NOT exploit the vuln and are not remotely related to a POC. Attackers will likely find these useless because they are.

github.com/directcyber/checker

  • 1
  • 3
  • 16 hours ago
The CrushFTP vulnerability being exploited now has a CVE: CVE-2024-4040. Patch ASAP

therecord.media/crushftp-file-

  • 0
  • 1
  • 20 hours ago

CVE-2024-2389

Progress Software Flowmon

02 Apr 2024
Published
02 Apr 2024
Updated

CVSS v3.1
CRITICAL (10.0)

  • 3 Posts
  • 14 Interactions

CVE Info

In Flowmon versions prior to 11.1.14 and 12.3.5, an operating system command injection vulnerability has been identified. An unauthenticated user can gain entry to the system via the Flowmon management interface, allowing for the execution of arbitrary system commands.

Fediverse

Progress Software has released a patch to fix an unauthenticated command injection vulnerability in its Kemp Flowmon network monitoring suite: support.kemptechnologies.com/h

Rhino Labs has published a write-up on the bug here: rhinosecuritylabs.com/research

The issue is tracked as CVE-2024-2389.

  • 3
  • 4
  • 3 hours ago
@cR0w your favorite company Progress Software is at it again with another perfect score 10.0 vulnerability 🥳 h/t @campuscodi
CVE-2024-2389 (10.0 critical, disclosed 02 April 2024) Unauthenticated, remote attackers can gain access to the web interface of Flowmon to issue a carefully crafted API command that will allow arbitrary system commands to be executed without authentication. Patched and not exploited in the wild. 🔗 support.kemptechnologies.com/h

  • 3
  • 4
  • 2 hours ago
Rhino Security Labs publishes vulnerability details of CVE-2024-2389, which they refer to as Unauthenticated Command Injection. This includes a proof of concept. 🔗rhinosecuritylabs.com/research

Historically, Rhino has recently reported on 2 other Progress vulnerabilities scoring an 8.4 and a 10.0. Absolutely clowning this vendor. h/t @campuscodi

  • 0
  • 0
  • 2 hours ago

CVE-2024-3400

KEV
Palo Alto Networks PAN-OS

12 Apr 2024
Published
19 Apr 2024
Updated

CVSS v3.1
CRITICAL (10.0)

  • 3 Posts

CVE Info

A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.

Fediverse

Hold onto your Industrial Control Systems! Security Week reports that Siemens Ruggedcom APE1808 configured with a Palo Alto Networks virtual next-generation firewall (NGFW) could be affected by CVE-2024-3400 (10.0 critical, disclosed 12 April 2024 by Palo Alto Networks as an exploited zero-day, OS Command Injection Vulnerability in GlobalProtect Gateway, added to CISA KEV Catalog, has Proof of Concept). "Siemens is preparing updates and recommends specific countermeasures for products where updates are not, or not yet available. Customers are advised to consult and implement the workarounds provided in Palo Alto Networks' upstream security notifications." 🔗 securityweek.com/siemens-indus and advisory cert-portal.siemens.com/produc

  • 0
  • 0
  • 5 hours ago
Siemens revealed that its Ruggedcom APE1808 devices configured with a Palo Alto Networks virtual next-generation firewall (NGFW) could be affected by CVE-2024-3400. securityweek.com/siemens-indus

  • 0
  • 0
  • 5 hours ago

CVE-2024-20356

Pending

Pending
Published
Pending
Updated

CVSS
Pending

  • 2 Posts

CVE Info

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Fediverse

IMO this is one of the finest technical write-ups/blog posts of the year on the exploitation of CVE-2024-20356 (Cisco IMC web GUI):

✅ Complete
✅ Precise
🛠️ Toolkit available on GitHub
😄 ...and fun!

𝕮𝖆𝖓 𝖎𝖙 𝖗𝖚𝖓 𝕯𝖔𝖔𝖒?

(verdict: these "appliances" are real 🧀)
👇
labs.nettitude.com/blog/cve-20

  • 0
  • 0
  • 8 hours ago

CVE-2024-27282

Pending

Pending
Published
Pending
Updated

CVSS
Pending

  • 1 Post
  • 7 Interactions

CVE Info

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Fediverse

I worked to handle CVE-2024-27282 and release Ruby 3.0.7 and 3.1.5 today. see details ruby.social/@ruby/112320715745

  • 2
  • 5
  • 4 hours ago

CVE-2023-48795

Pending

18 Dec 2023
Published
13 Mar 2024
Updated

CVSS
Pending

  • 2 Posts
  • 2 Interactions

CVE Info

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.
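The record above names the affected combinations precisely: chacha20-poly1305@openssh.com on its own, and CBC ciphers only when paired with an -etm@openssh.com MAC. As an added example, not part of the CVE record or of any listed project, here is a POSIX shell function that takes the comma-separated cipher and MAC lists in the form `sshd -T` prints for `ciphers` and `macs` (or `ssh -G host` on the client side) and reports exactly those combinations. The algorithm lists used to exercise it are constructed.

```shell
# Added example (not from the CVE record or from OpenSSH): flag the
# Terrapin-affected algorithm combinations in an SSH configuration.
#
# Arguments: a comma-separated cipher list and a comma-separated MAC list,
# as printed by `sshd -T | grep -E '^(ciphers|macs) '`.
# Prints one line per finding; returns 0 if anything is affected,
# 1 if the combination is clean.
terrapin_check() {
  ciphers="$1"
  macs="$2"
  affected=1

  # Finding 1: the ChaCha20-Poly1305 cipher is affected by itself.
  case ",$ciphers," in
    *,chacha20-poly1305@openssh.com,*)
      echo "affected: chacha20-poly1305@openssh.com is enabled"
      affected=0 ;;
  esac

  # Finding 2: a CBC cipher is affected only together with an
  # Encrypt-then-MAC (-etm@openssh.com) MAC, so require both.
  has_cbc=1
  has_etm=1
  case ",$ciphers," in *-cbc,*) has_cbc=0 ;; esac
  case ",$macs," in *-etm@openssh.com,*) has_etm=0 ;; esac
  if [ "$has_cbc" -eq 0 ] && [ "$has_etm" -eq 0 ]; then
    echo "affected: CBC cipher(s) combined with Encrypt-then-MAC MAC(s)"
    affected=0
  fi

  return "$affected"
}

# Splits a `sshd -T` dump (one "keyword value" line per setting) into the
# two lists and runs the check on them.
terrapin_check_sshd_dump() {
  c="$(printf '%s\n' "$1" | sed -n 's/^ciphers //p')"
  m="$(printf '%s\n' "$1" | sed -n 's/^macs //p')"
  terrapin_check "$c" "$m"
}
```

Typical use is `terrapin_check_sshd_dump "$(sshd -T)"` on a server. The check looks only at algorithm selection; a build that is patched (OpenSSH 9.6 or later, or the listed fixed versions of the other implementations) is not vulnerable even with these algorithms enabled, so treat a hit as a prompt to confirm the versions on both ends of the connection, not as proof of exposure.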

Fediverse

Jenkins security advisory from 17 April 2024 patched against the Terrapin Attack vulnerability CVE-2023-48795 🔗 jenkins.io/security/advisory/2

  • 0
  • 1
  • 23 hours ago

CVE-2023-21036

Android

24 Mar 2023
Published
24 Mar 2023
Updated

CVSS
Pending

  • 1 Post
  • 1 Interaction

CVE Info

In BitmapExport.java, there is a possible failure to truncate images due to a logic error in the code. Product: Android. Versions: Android kernel. Android ID: A-264261868. References: N/A

Fediverse

CVE-2018-18388

Pending

20 Dec 2018
Published
20 Dec 2018
Updated

CVSS
Pending

  • 1 Post
  • 1 Interaction

CVE Info

eScan Agent Application (MWAGENT.EXE) 4.0.2.98 in MicroWorld Technologies eScan 14.0 allows remote or local attackers to execute arbitrary commands by sending a carefully crafted payload to TCP port 2222.

Fediverse

eScan AV also seems like a truly professional company:
- While they have a Vulnerability Disclosure Program, there is no listing of security advisories (ProTip: always make sure your vendor has an advisory listing)
- There is a Hall of Fame though, that just outright discloses the email addresses of reporters, but no info about the vulns
- This CVE record references a blog post, that simply bitrotted: https://nvd.nist.gov/vuln/detail/CVE-2018-18388

  • 0
  • 1
  • last hour

CVE-2024-28890

Pending

Pending
Published
Pending
Updated

CVSS
Pending

  • 1 Post

CVE Info

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Fediverse

250,000 WordPress sites at risk of compromise. Update the Forminator plugin

JPCERT experts warn of a series of critical vulnerabilities in the Forminator plugin for WordPress, developed by WPMU DEV. The plugin is used on more than 500,000 sites and offers the ability to create various forms without much programming knowledge. Of particular concern is the vulnerability identified as CVE-2024-28890 (CVSS score: 9.8), which allows attackers to upload […]

The article 250,000 WordPress sites at risk of compromise. Update the Forminator plugin comes from il blog della sicurezza informatica.

redhotcyber.com/post/250-000-s
redhotcyber.com/feed

poliverso.org/display/0477a01e

  • 0
  • 0
  • last hour

CVE-2022-25237

Pending

27 May 2022
Published
27 May 2022
Updated

CVSS
Pending

  • 1 Post

CVE Info

Bonita Web 2021.2 is affected by an authentication/authorization bypass vulnerability due to an overly broad exclude pattern used in the RestAPIAuthorizationFilter. By appending ;i18ntranslation or /../i18ntranslation/ to the end of a URL, users with no privileges can access privileged API endpoints. This can lead to remote code execution by abusing the privileged API actions.
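To make the filter mismatch concrete, an added example that is not Bonita's code: a shell model of a servlet authorization filter with an exclude pattern. The vulnerable version tests the raw request URI for the substring i18ntranslation, which is what an overly broad pattern amounts to; the container, meanwhile, drops the `;` matrix parameter and resolves `..` segments before routing, so the privileged endpoint is what actually executes. The hardened version normalizes the same way the container does and excludes only the exact public path. The public path `/API/system/i18ntranslation`, the privileged path `/API/identity/user` and the patterns are assumptions for illustration, not Bonita's real configuration.

```shell
# Added example (not Bonita code): model of an authorization filter whose
# exclude pattern is evaluated on the raw URI while the container routes
# on the normalized path. All paths and patterns here are hypothetical.

# What the container actually routes: the query string and any matrix
# parameter (";foo", which is what ";i18ntranslation" is) are dropped and
# "." / ".." segments are resolved.
normalize_path() {
  p="${1%%\?*}"          # drop query string
  p="${p%%;*}"           # drop ;matrix parameters
  out=""
  old_ifs="$IFS"
  IFS='/'
  for seg in $p; do
    case "$seg" in
      ''|'.') ;;                      # empty or current-dir segment
      '..')   out="${out%/*}" ;;      # climb one segment
      *)      out="$out/$seg" ;;
    esac
  done
  IFS="$old_ifs"
  printf '%s\n' "${out:-/}"
}

# Vulnerable filter: an unanchored exclude ("anything containing
# i18ntranslation is public") applied to the raw URI. Prints "skip" when
# the authorization check would be skipped, "auth" otherwise.
filter_vulnerable() {
  if printf '%s\n' "$1" | grep -q 'i18ntranslation'; then
    echo skip
  else
    echo auth
  fi
}

# Hardened filter: decide on the same normalized path the container uses,
# and match the public endpoint exactly instead of as a substring.
filter_hardened() {
  case "$(normalize_path "$1")" in
    /API/system/i18ntranslation) echo skip ;;
    *) echo auth ;;
  esac
}

# Reports the mismatch for one request: "BYPASS" when the vulnerable
# filter skips authorization but the container routes to a non-public path.
classify() {
  routed="$(normalize_path "$1")"
  if [ "$(filter_vulnerable "$1")" = skip ] && [ "$routed" != /API/system/i18ntranslation ]; then
    echo "BYPASS -> $routed"
  else
    echo "ok -> $routed"
  fi
}
```

The general lesson carries beyond this product: any allow-list decided on a request string that a later layer rewrites (matrix parameters, dot segments, double decoding, trailing slashes) must be evaluated on the same canonical form that layer will route on, and matched as a whole path rather than a substring.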

Fediverse

Meerkat is a Sherlock SOC investigation from HackTheBox. I'll see how an attacker credential-stuffs a Bonitasoft server, gets access, and then exploits CVE-2022-25237 to get admin access, uploads an extension to run commands, and adds SSH access.

0xdf.gitlab.io/2024/04/23/htb-

  • 0
  • 0
  • 6 hours ago

CVE-2024-21111

Oracle Corporation VM VirtualBox

16 Apr 2024
Published
16 Apr 2024
Updated

CVSS v3.1
HIGH (7.8)

  • 1 Post

CVE Info

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 7.0.16. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. Note: This vulnerability applies to Windows hosts only. CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Fediverse

Summary of the last 24 hours in IT security: Oracle VirtualBox, MITRE Corporation, Microsoft and Amazon are the protagonists of the last 24 hours in cybersecurity. From VirtualBox exploits to the theft of health data by cybercriminals. Don't miss these details and more in the following list of IT security news! 👉 djar.co/7n3e9A

🗞️ LATEST IT SECURITY NEWS 🔒
====| 🔥 WHAT YOU NEED TO KNOW TODAY 23/04/24 📆 |====

🔒 ORACLE VIRTUALBOX EXPLOIT (CVE-2024-21111): PoC PUBLISHED

Naor Hodorov has published a proof-of-concept (PoC) exploit for the serious vulnerability CVE-2024-21111 in Oracle VirtualBox. Find out more about this potential risk here 👉 djar.co/1tNI0

🛡️ MITRE CORPORATION HACKED BY NATION STATE EXPLOITING IVANTI FLAWS

MITRE, a prominent cybersecurity organisation, was compromised by a nation-state attack. Learn how zero-days and session hijacking were used in this incident 👉 djar.co/CwpQSj

🔍 MICROSOFT: APT28 HACKERS EXPLOIT WINDOWS VULNERABILITY REPORTED BY NSA

Microsoft warns that the Russian threat group APT28 is exploiting a vulnerability in the Windows Print Spooler to elevate privileges and steal data with the GooseEgg tool. Read more details here 👉 djar.co/3Fzz

💻 RUSSIA-LINKED APT28 USES GOOSEEGG TO EXPLOIT WINDOWS FLAW

The Russia-linked APT28 group used the previously unknown GooseEgg tool to exploit a vulnerability in the Windows Print Spooler service. Read the full story! 👉 djar.co/UUZX3Y

🔐 AMAZON BUG BOUNTY PROGRAM - ENGAGES THE HACKER COMMUNITY

Amazon's Vulnerability Research Program joins HackerOne to strengthen security. Take part in improving Amazon's Vulnerability Research Program here 👉 djar.co/6YCjPV

⚠️ UNITEDHEALTH REPORTS THEFT OF HEALTH DATA BY CYBERCRIMINALS

UnitedHealth confirms that hackers accessed the health data of "a significant number of people in America". Discover the impact of this incident here 👉 djar.co/Uxy5f

🌐 KREMLIN-BACKED HACKERS EXPLOIT CRITICAL WINDOWS VULNERABILITY

Microsoft reveals that Kremlin-backed hackers have exploited a critical flaw in Windows. Get more information about this threat here 👉 djar.co/c8B6nQ

  • 0
  • 0
  • 4 hours ago

CVE-2024-32657

NixOS hydra

22 Apr 2024
Published
22 Apr 2024
Updated

CVSS v3.1
MEDIUM (4.6)

  • 1 Post
  • 28 Interactions

CVE Info

Hydra is a Continuous Integration service for Nix based projects. Attackers can execute arbitrary code in the browser context of Hydra and execute authenticated HTTP requests. The abused feature allows Nix builds to specify files that Hydra serves to clients. One use of this functionality is serving NixOS `.iso` files. The issue is only with html files served by Hydra. The issue has been patched on https://hydra.nixos.org around 2024-04-21 14:30 UTC. The nixpkgs package was fixed in unstable and 23.11. Users with custom Hydra packages can apply the fix commit to their local installations. The vulnerability is only triggered when opening HTML build artifacts, so not opening them until the vulnerability is fixed works around the issue.

Fediverse

Discovered and (tentatively) fixed CVE-2024-32657 yesterday - somehow I think this might be my first CVE finder credit ever.

github.com/NixOS/hydra/securit

Very obvious hole, but hey, either nobody saw the exploitability or nobody cared to fix it before...

  • 4
  • 24
  • 22 hours ago

CVE-2024-31497

Pending

15 Apr 2024
Published
18 Apr 2024
Updated

CVSS
Pending

  • 1 Post
  • 1 Interaction

CVE Info

In PuTTY 0.68 through 0.80 before 0.81, biased ECDSA nonce generation allows an attacker to recover a user's NIST P-521 secret key via a quick attack in approximately 60 signatures. This is especially important in a scenario where an adversary is able to read messages signed by PuTTY or Pageant. The required set of signed messages may be publicly readable because they are stored in a public Git service that supports use of SSH for commit signing, and the signatures were made by Pageant through an agent-forwarding mechanism. In other words, an adversary may already have enough signature information to compromise a victim's private key, even if there is no further use of vulnerable PuTTY versions. After a key compromise, an adversary may be able to conduct supply-chain attacks on software maintained in Git. A second, independent scenario is that the adversary is an operator of an SSH server to which the victim authenticates (for remote login or file copy), even though this server is not fully trusted by the victim, and the victim uses the same private key for SSH connections to other services operated by other entities. Here, the rogue server operator (who would otherwise have no way to determine the victim's private key) can derive the victim's private key, and then use it for unauthorized access to those other services. If the other services include Git services, then again it may be possible to conduct supply-chain attacks on software maintained in Git. This also affects, for example, FileZilla before 3.67.0, WinSCP before 6.3.3, TortoiseGit before 2.15.0.1, and TortoiseSVN through 1.14.6.

Fediverse

Thanks to @gsuberland for this write up on CVE-2024-31497. Made for a fun discussion today.

chaos.social/@gsuberland/11227

  • 0
  • 1
  • 20 hours ago

CVE-2024-29001

SolarWinds Platform

18 Apr 2024
Published
23 Apr 2024
Updated

CVSS v3.1
HIGH (7.5)

  • 1 Post
  • 2 Interactions

CVE Info

A SolarWinds Platform SWQL Injection Vulnerability was identified in the user interface. This vulnerability requires authentication and user interaction to be exploited.

Fediverse

Three SolarWinds security advisories from 17 April 2024. No mention of exploitation:

  • CVE-2024-28073 (8.4 high) SolarWinds Serv-U Directory Traversal Remote Code Execution Vulnerability
  • CVE-2024-29001 (7.5 high) SolarWinds Platform SWQL Injection Vulnerability
  • CVE-2024-29003 (7.5 high) SolarWinds Platform Cross Site Scripting Vulnerability

  • 0
  • 2
  • 6 hours ago

CVE-2024-28073

SolarWinds ServU

17 Apr 2024
Published
17 Apr 2024
Updated

CVSS v3.1
HIGH (8.4)

  • 1 Post
  • 2 Interactions

CVE Info

SolarWinds Serv-U was found to be susceptible to a Directory Traversal Remote Code Vulnerability. This vulnerability requires a highly privileged account to be exploited.

Fediverse

Three SolarWinds security advisories from 17 April 2024. No mention of exploitation:

  • CVE-2024-28073 (8.4 high) SolarWinds Serv-U Directory Traversal Remote Code Execution Vulnerability
  • CVE-2024-29001 (7.5 high) SolarWinds Platform SWQL Injection Vulnerability
  • CVE-2024-29003 (7.5 high) SolarWinds Platform Cross Site Scripting Vulnerability

  • 0
  • 2
  • 6 hours ago

CVE-2024-29003

SolarWinds Platform

18 Apr 2024
Published
23 Apr 2024
Updated

CVSS v3.1
HIGH (7.5)

  • 1 Post
  • 2 Interactions

CVE Info

The SolarWinds Platform was susceptible to a XSS vulnerability that affects the maps section of the user interface. This vulnerability requires authentication and requires user interaction.

Fediverse

Three SolarWinds security advisories from 17 April 2024. No mention of exploitation:

  • CVE-2024-28073 (8.4 high) SolarWinds Serv-U Directory Traversal Remote Code Execution Vulnerability
  • CVE-2024-29001 (7.5 high) SolarWinds Platform SWQL Injection Vulnerability
  • CVE-2024-29003 (7.5 high) SolarWinds Platform Cross Site Scripting Vulnerability

  • 0
  • 2
  • 6 hours ago