Vulnerability Management news and publications #1

Alexander V. Leonov

Hello everyone! In this episode, I will try to revive Security News with a focus on Vulnerability Management.

On the one hand, creating such reviews requires free time, which could be spent more wisely, for example, on open source projects or original research. On the other hand, there are arguments in favor of news reviews. Keeping track of the news is part of our job as vulnerability and security specialists. And preferably not only headlines.

Alternative video link (for Russia): https://vk.com/video-149273431_456239095

I usually follow the news using my automated telegram channel @avleonovnews. And it looks like this: I see something interesting in the channel, I copy it to Saved Messages so that I can read it later. Do I read it later? Well, usually not. Therefore, the creation of news reviews motivates me to read and clear Saved Messages. Just like doing Microsoft Patch Tuesday reviews motivates me to watch what’s going on there. In general, it seems it makes sense to make a new attempt. Share in the comments what you think about it. Well, if you want to participate in the selection of news, I will be glad too.

I took 10 news items from Saved Messages and divided them into 5 categories:

  1. Active Vulnerabilities
  2. Data sources
  3. Analytics
  4. VM vendors write about Vulnerability Management
  5. de-Westernization of IT

Active Vulnerabilities

🔴 “CISA warns of hackers exploiting PwnKit Linux vulnerability (CVE-2021-4034)” by BleepingComputer

The Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity Linux vulnerability known as PwnKit to its list of bugs exploited in the wild. Unprivileged users can exploit this vulnerability to gain full root privileges on Linux systems with default configurations. Reliable proof-of-concept (PoC) exploit code was shared online less than three hours after Qualys published technical details for PwnKit. That was January 25th. The vulnerability was found in Polkit’s pkexec component, used by all major distributions (including Ubuntu, Debian, Fedora, and CentOS). It has been hiding in plain sight for more than 12 years, since pkexec’s first release in May 2009.

The US cybersecurity agency gave all Federal Civilian Executive Branch (FCEB) agencies three weeks, until July 18, to patch their Linux servers against PwnKit and block exploitation attempts. Even though this directive only applies to federal agencies, CISA also strongly urged all US organizations from the private and public sectors to prioritize patching this bug.

Well, it would be correct to say that not only the Americans should quickly patch this.

🔴 “Atlassian Confluence OGNL Injection Remote Code Execution (RCE) Vulnerability (CVE-2022-26134)” by Qualys

On June 02, 2022, Atlassian published a security advisory about a critical severity Unauthenticated Remote Code Execution vulnerability affecting Confluence Server and Data Center. According to the advisory, the vulnerability is being actively exploited and Confluence Server and Data Center versions after 1.3.0 are affected. In order to exploit a vulnerable server, a remote attacker can send a malicious HTTP GET request with an OGNL payload in the URI. The vulnerable server once exploited would allow the attacker to execute commands remotely with user privileges running the Confluence application.

To detect CVE-2022-26134, the detection sends an HTTP GET request with a specially crafted OGNL payload to the target Confluence application. The OGNL payload creates a custom HTTP response header containing the output of a system command executed on Linux and Windows systems. The detection also includes a Qualys-customized OGNL payload that is platform-independent: it works regardless of the host operating system and eliminates false positives by creating a custom HTTP response header with a Qualys-specified value.

In this detailed technical article, Mayank Deshmukh from Qualys describes OGNL Injection, RCE Payload, Exploit POC, Exploit Analysis and Source Code Analysis. If you are interested in how such vulnerabilities are exploited and detected, check out this article.
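The Qualys check described above is an active probe against the server. A complementary, purely passive approach for defenders is to look for the same kind of OGNL marker in the web-server access logs of Confluence hosts. The following Python is an added example, not code from Qualys, Atlassian or this post: it parses combined-format access-log lines, URL-decodes the request path (twice, so double-encoded requests are caught too) and flags any path containing an OGNL expression opener (`${` or `%{`). The log lines are constructed samples, and the `${example}` marker stands in for a real payload.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
# Two of the four requests carry an OGNL-style "${...}" expression in the path,
# one URL-encoded and one in plain text; the other two are ordinary Confluence requests.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jun/2022:10:15:01 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [03/Jun/2022:10:15:07 +0000] "GET /%24%7Bexample%7D/ HTTP/1.1" 302 0 "-" "curl/7.68.0"
10.0.0.9 - - [03/Jun/2022:10:15:09 +0000] "GET /pages/viewpage.action?pageId=42 HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
10.0.0.12 - - [03/Jun/2022:10:16:20 +0000] "GET /${example}/ HTTP/1.1" 302 0 "-" "python-requests/2.27"
"""

# Request part of a combined-format entry: client, timestamp, method, path, protocol, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# OGNL expression openers as they appear in the URI after decoding.
OGNL_RE = re.compile(r'\$\{|%\{')


def decode_path(path: str) -> str:
    """URL-decode a request path twice so that double-encoded '%2524%257B' is also caught."""
    return unquote(unquote(path))


def is_ognl_like(path: str) -> bool:
    """True if the decoded path contains an OGNL expression opener."""
    return OGNL_RE.search(decode_path(path)) is not None


def find_ognl_attempts(log_text: str) -> list[dict]:
    """Return one record per log line whose request path looks like an OGNL injection attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if is_ognl_like(m["path"]):
            hits.append({
                "ip": m["ip"],
                "time": m["time"],
                "status": int(m["status"]),
                "decoded_path": decode_path(m["path"]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_ognl_attempts(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} -> {hit["decoded_path"]} (HTTP {hit["status"]})')
```

A `${` in a request path is a triage signal rather than proof of compromise: pair a hit with the server's Confluence version (is it in an affected range?) and with what the matching request returned before escalating it.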

Data sources

🟠 “New Vulnerability Database Catalogs Cloud Security Issues” by DarkReading

Organizations traditionally have struggled to track vulnerabilities in public cloud platforms and services because of the lack of a common vulnerability enumeration (CVE) program like the one that MITRE maintains for publicly disclosed software security issues. A new community-based database launched this week seeks to begin addressing that issue by providing a central repository of information on known cloud service-provider security issues and the steps organizations can take to mitigate them.

The database — cloudvulndb.org — is the brainchild of security researchers at Wiz, who for some time have been advocating the need for a public catalog of known security flaws on platforms and services run by the likes of AWS, Microsoft, and Google. The database currently lists some 70 cloud security issues and vulnerabilities, such as Azure Open Management Infrastructure (OMI) Elevation of Privilege (OMIGOD). Anyone is free to suggest new issues to add to the website or to suggest new fixes to existing issues.

It’s not clear if a separate database is really needed. It seems that all of these entries can be added as NVD CVEs. Moreover, many vulnerabilities in this database already have CVE IDs. But the initiative is good. It proves once again that MITRE and NVD have problems with coverage.

Analytics

🟢 “MITRE shares this year’s list of most dangerous software bugs (CWE Top 25)” by BleepingComputer

MITRE shared this year’s top 25 most common and dangerous weaknesses impacting software throughout the previous two calendar years. These bugs are considered dangerous because they’re usually easy to discover, come with a high impact, and are prevalent in software released during the last two years.

Let’s see what’s on top:

  1. CWE-787 Out-of-bounds Write
  2. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  3. CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  4. CWE-20 Improper Input Validation
  5. CWE-125 Out-of-bounds Read
  6. CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Seems to be true, although ‘OS Command Injection’ could be higher. Well, we need to remember that CWE identifiers are assigned manually to vulnerabilities by some analysts and therefore there may be classification errors. But it’s still interesting.

🟠 “Cyberattacks via Unpatched Systems Cost Orgs More Than Phishing” by DarkReading

This article is based on research by Tetra Defense, a leading incident response, cyber risk management and digital forensics firm based in Madison, Wisconsin.

Attackers continue to find significant success targeting unpatched servers and vulnerable remote-access systems, researchers say — and these types of compromises cost victim organizations 54% more than compromises caused by user actions (i.e., falling for phishing and opening malicious documents).

According to a report by Tetra Defense, which analyzed incident data from the first quarter, unpatched vulnerabilities and exposing risky services—such as Remote Desktop Protocol (RDP)—account for 82% of successful attacks, while social-engineering employees to take some action accounted for just 18% of successful compromises. The article also mentions well-known vulnerabilities: the ProxyShell exploit for Microsoft Exchange servers and the Log4Shell vulnerability in the Java Log4j library.

Two controls — comprehensive patching and using multifactor authentication (MFA) — could have prevented nearly 80% of the investigated incidents.

Good point in the article: “Data on successful compromises can help companies determine the most critical attack vectors to address, but it should be noted that the conclusions depend greatly on the specific incident-response firm”. But the fact that MFA and patching are very important is true.

🔴 “Zero-Days Aren’t Going Away Anytime Soon & What Leaders Need to Know” by DarkReading

The article was written by Dan Schiappa, Chief Product Officer of Arctic Wolf, a Security Operations company.

Both Google and Mandiant tracked a record number of zero-days last year. More zero-days are being discovered because security companies are getting better at finding them — not necessarily because hackers are coming up with new vulnerabilities. Not all zero-days are created equal. Some require sophisticated and novel techniques, like the attack on SolarWinds, and others exploit simple vulnerabilities in commonly used programs like Windows. Thankfully, there are some basic cyber hygiene strategies that can keep your organization sufficiently prepared to mitigate zero-day exploits.

  1. Ensure that the technology your organization has is sufficient for protecting from the unknown. Many zero-days may never hit a hard drive, so pointing threat detection tools there could be fruitless.
  2. Patching is integral to protection against exploits. Staying on top of guidance from industry organizations like International Information System Security Certification Consortium (ISC)2 or federal authorities like the Cybersecurity and Infrastructure Security Agency is a good way to prioritize the exploit.
  3. Zero-day exploits are those that the vendor doesn’t know exist, and therefore no patch is available. In some cases, protection technologies can use behavioral detections to block certain activities, while in other cases, using detection technologies or human expertise in a security operations center is the only defense. Investing in the human element of security will place an organization in the best position to limit the financial and data losses zero-days can incur.

While patching is proper preparation, the investment in trained security professionals, in-house or outsourced, is the best defense against zero-days.

In general, I agree with everything. My opinion: while critical known vulnerabilities are not fixed promptly, it is premature to think about Zero-Days. And of course, dealing with Zero-Days is primarily the task of the SOC.

VM vendors write about Vulnerability Management

I would like to start here with an article with a provocative title:

🟡 “Why We’re Getting Vulnerability Management Wrong” by DarkReading

The article was written by Liran Tancman, CEO of Rezilion, a platform vendor that allows you to map, validate and eliminate software vulnerabilities.

Sometimes, too much information is a mixed blessing. Security teams use multiple vulnerability scanners in an attempt to cope with a significant rise in both attack surface diversity and software vulnerabilities. But they soon find themselves overwhelmed with results, which leads to a growing backlog of bugs that need to be fixed.

A recent analysis from RAND Corporation found no notable reduction of breaches in organizations with mature vulnerability management programs.

By the way, this is an interesting study; I guess it would be right to give it a separate episode. Leave a comment if you’d like that.

Rezilion’s own runtime research analysis finds, on average, only 15% of discovered vulnerabilities are loaded into memory, which makes them exploitable. That means, on average, only 15% of flaws require priority patching — or patching at all.

Also an interesting topic that deserves a separate episode.

Rezilion conducted an analysis of 20 of the most popular container images. The findings showed more than 4,347 known vulnerabilities. 75% of those rated as critical or high in severity did not load to memory and posed no risk. Organizations can use runtime analysis to prioritize remediation of vulnerabilities. A vulnerability in a package that isn’t being loaded to memory can’t be exploited by an attacker.

This is a long-standing dispute: is it necessary to fix vulnerabilities in software that is not running at the moment? Well, usually the answer is yes, it is necessary, because no one can guarantee that the software will not suddenly be launched. But if it is possible to identify vulnerabilities in software that is currently running or was launched not so long ago, then this is a good source of data for additional prioritization. Why not. It’s good that Rezilion highlights this.

🔴 “Risk-based Remediation Powered by Patch Management in Qualys VMDR 2.0” by Qualys

To tell the truth, I have long been interested in what’s new in Qualys Vulnerability Management, Detection and Response.

According to the recently released Verizon DBIR report, vulnerability exploitation continued to be one of the top three attack vectors exploited by bad actors in 2021 to break into organizations. As of this writing, it’s only June, but more than 10,000 vulnerabilities have already been disclosed in 2022, according to the National Vulnerability Database (NVD). As if that weren’t bad enough, the rate of increase of ransomware attacks last year was more than the last five years combined.

  1. The resources required to patch all these vulnerabilities have not kept up with the pace at which vulnerabilities are disclosed and exploited.
  2. The correct remediation path is not always straightforward. In some cases, patching a vulnerability can require deploying a patch, making a configuration change, or both.

All these introduce delays in the remediation process.

Qualys VMDR 2.0 introduces TruRisk scores that help organizations prioritize vulnerabilities based on risk ratings that weigh multiple factors such as exploit code maturity, exploitation in the wild, and multiple other factors that accurately measure risk.

In general, it looks like Tenable vulnerability priority rating (VPR). It’s probably generated the same way. But the technical details of TruRisk are not given here.

A key step in any remediation workflow is good communication between the vulnerability management (VM) team and the remediation team. However, these two teams use different products and different terminology. The VM team understands the risk and QIDs. The remediation team understands patches. Qualys maps the selected vulnerabilities to the right patches and configuration changes required to remediate them specific to the organization’s unique environment. For some assets, this entire process can be automated with VMDR 2.0. For example, a zero-touch automation job can be created to patch non-mission critical assets that will automatically execute as soon as a new vulnerability with a Qualys Detection Score >90 is detected.

Integrated Patch Management is Simply Faster. On average, organizations that use Qualys VMDR + Patch Management remediate vulnerabilities 35% faster than organizations that use separate tools. Even better, with some vulnerabilities the difference can be 63% faster with a combined solution.

I agree that the focus of VM should be on Remediation, and it’s good that Qualys is pushing this topic. Are there enough new features to call this update VMDR 2.0? I don’t think so yet. It seems that if Remediation were fully automated for 100% of the hosts (which requires a fundamentally different approach to functional testing after the patch), then it would be 2.0. But the marketers of Qualys know better.
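The Rezilion and Qualys articles above describe the same idea from two sides: rank findings by factors such as severity, exploitation in the wild, exploit maturity and whether the vulnerable code is actually loaded at runtime, then let the top of the list drive an automated patch job on assets that are not mission-critical. The following Python is an added example of such a model and is not Qualys TruRisk, the Qualys Detection Score or Rezilion's runtime analysis (the post itself notes that the TruRisk details are not given). The weights, the asset names, the runtime and maturity flags and the asset tags are all constructed for the example; the CVSS values for CVE-2022-26134, CVE-2021-4034 and CVE-2022-21587 are their published CVSS 3.x base scores, and CVE-0000-0000 is a placeholder identifier.

```python
from dataclasses import dataclass

# Hypothetical weights for an illustrative risk model. These are NOT Qualys TruRisk,
# the Qualys Detection Score or Rezilion's method; they only mirror the factors the two
# articles name (severity, exploitation in the wild, exploit maturity, loaded at runtime).
MATURITY_BONUS = {"none": 0, "poc": 8, "weaponized": 15}
IN_THE_WILD_BONUS = 20
NOT_LOADED_FACTOR = 0.6  # still a finding, just deprioritised (fix it anyway, as the post argues)


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float              # CVSS base score, 0.0-10.0
    exploited_in_wild: bool  # e.g. listed in the CISA Known Exploited Vulnerabilities catalog
    exploit_maturity: str    # "none" | "poc" | "weaponized"
    loaded_in_runtime: bool  # vulnerable package observed loaded into memory
    mission_critical: bool   # asset tag that blocks zero-touch patching


def risk_score(f: Finding) -> int:
    """0-100 priority score built from the factors above."""
    if f.exploit_maturity not in MATURITY_BONUS:
        raise ValueError(f"unknown exploit maturity: {f.exploit_maturity}")
    score = f.cvss * 6                      # 0..60 from severity alone
    score += IN_THE_WILD_BONUS if f.exploited_in_wild else 0
    score += MATURITY_BONUS[f.exploit_maturity]
    if not f.loaded_in_runtime:
        score *= NOT_LOADED_FACTOR          # the Rezilion argument, applied as a discount
    return int(round(min(score, 100)))


def prioritize(findings):
    """Findings sorted from highest to lowest risk score (ties keep input order)."""
    return sorted(findings, key=risk_score, reverse=True)


def zero_touch_candidates(findings, threshold=90):
    """(asset, cve) pairs eligible for an automated patch job: score above the
    threshold on assets that are not tagged mission-critical (the VMDR 2.0 pattern)."""
    return [(f.asset, f.cve) for f in findings
            if risk_score(f) > threshold and not f.mission_critical]


# Constructed sample findings. The three real CVEs carry their published CVSS base scores;
# every other attribute is made up for the example, and CVE-0000-0000 is a placeholder.
FINDINGS = [
    Finding("web-01",   "CVE-2022-26134", 9.8, True,  "weaponized", True,  False),
    Finding("build-07", "CVE-2021-4034",  7.8, True,  "weaponized", False, False),
    Finding("erp-01",   "CVE-2022-21587", 9.8, False, "poc",        True,  True),
    Finding("lab-03",   "CVE-0000-0000",  5.3, False, "none",       True,  False),
]


if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{risk_score(f):3d}  {f.asset:9s} {f.cve}")
    print("zero-touch:", zero_touch_candidates(FINDINGS))
```

Note what the discount does to the PwnKit finding on build-07: the package is not loaded, so it drops below the ERP finding that has no in-the-wild exploitation, yet it stays on the list rather than disappearing, which is exactly the author's position on software that is merely not running right now.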

🟢 “Modern IT Security Teams’ Inevitable Need for Advanced Vulnerability Management” by Threatpost (sponsored by Secpod)

Today’s modern attack surface needs a next-gen, advanced vulnerability management approach to deal with the complex, ever-evolving attack surfaces and to curb cyberattacks.

Why Conventional Vulnerability Management is not the Best-fit for Modern Security Landscape:

  1. Vulnerabilities beyond CVEs are overlooked. Numerous security risks exist like a poorly configured setting, asset exposures, deviation in security controls, missing security patches, and security posture anomalies.
  2. Lack of integrated remediation controls. Most of the traditional vulnerability management tools in the market do not come with integrated patching to remediate vulnerabilities. Conventional vulnerability management solutions rely on multiple tools to execute each step, making it hard for IT security teams.
  3. Siloed Interfaces and Multiple-point Solutions Approach. Conventional vulnerability management solutions rely on multiple tools to execute each step, making it hard for IT security teams.
  4. Manual Methods and Repetitive Processes. Traditional Vulnerability management tools are still not fully automated.

And to overcome these issues, you need Advanced Vulnerability Management from Secpod. In general, the list of cons looks fair, and the fact that they pay attention to vulnerabilities in addition to CVEs seems to me very correct.

de-Westernization of IT

I have nothing against people or companies from Western countries. According to Google analytics, the majority of visitors to my avleonov.com blog are actually from the US (then India, China, and Russia). However, that’s how it goes. Some companies stop working in Russia because of the sanctions. And Russian information security specialists should take into account these risks, mitigate them and warn colleagues who may also face these problems.

Last week there was news that SAP and Microsoft will block Russian companies’ access to software updates, including security updates, in August. For some reason, the news was published in Bloomberg without reference to the source.

“It’s not just industry that’s affected. SAP SE and Microsoft Corp. are due to stop updates and services for Russian companies in August, leaving businesses and government services that rely on their software potentially vulnerable to security breaches and viruses.”

Some time later, this paragraph was rewritten. The mention of August was removed. Unfortunately, the fact that the leading Western media are spreading propaganda and rumors is no longer surprising. I do not even want to give a link to the article, whoever is interested can google it on their own.

However, what if this really happens? What if we can no longer use WSUS and SCCM to update the Windows infrastructure? And even more so if we get some malicious functionality in the updates, which will be activated over time. Unfortunately, what once seemed like a minor risk and paranoia is now becoming more than real. Therefore, we need to think in advance about network isolation, alternative ways to update the Windows infrastructure, control over backups, and information security tools that could compensate for the lack of patches to some extent. And most importantly, we need to quickly reduce dependence on the software of unstable vendors. And this is now relevant not only for Russia, but also for the BRICS countries and other countries that are already under US sanctions or may potentially face them.

I also finally decided to launch a Russian-language telegram channel “Управление Уязвимостями и прочее” @avleonovrus. I think it will be updated a little more often, and there will be more reactions to our local Russian topics. Therefore, those who are interested, subscribe.

Hi! My name is Alexander and I am an Information Security Automation specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

Related news

ExCobalt Cyber Gang Targets Russian Sectors with New GoRed Backdoor

Russian organizations have been targeted by a cybercrime gang called ExCobalt using a previously unknown Golang-based backdoor known as GoRed. "ExCobalt focuses on cyber espionage and includes several members active since at least 2016 and presumably once part of the notorious Cobalt Gang," Positive Technologies researchers Vladislav Lunin and Alexander Badayev said in a technical report

CVE-2022-22942: Security Update 3.0 356

The vmwgfx driver contains a local privilege escalation vulnerability that allows unprivileged users to gain access to files opened by other processes on the system through a dangling 'file' pointer.

Iranian Nation-State Actors Employ Password Spray Attacks Targeting Multiple Sectors

Iranian nation-state actors have been conducting password spray attacks against thousands of organizations globally between February and July 2023, new findings from Microsoft reveal. The tech giant, which is tracking the activity under the name Peach Sandstorm (formerly Holmium), said the adversary pursued organizations in the satellite, defense, and pharmaceutical sectors to likely facilitate

New LABRAT Campaign Exploits GitLab Flaw for Cryptojacking and Proxyjacking Activities

A new, financially motivated operation dubbed LABRAT has been observed weaponizing a now-patched critical flaw in GitLab as part of a cryptojacking and proxyjacking campaign. "The attacker utilized undetected signature-based tools, sophisticated and stealthy cross-platform malware, command-and-control (C2) tools which bypassed firewalls, and kernel-based rootkits to hide their presence," Sysdig

2022's most routinely exploited vulnerabilities—history repeats

What can the routinely exploited vulnerabilities of 2022 tell us, and what do we think will make it on to next year's list? (Malwarebytes Labs; tagged Zoho ManageEngine, CVE-2021-40539, Log4Shell, CVE-2021-44228, CVE-2021-13379, ProxyShell, CVE-2021-34473, CVE-2021-31207, CVE-2021-34523, CVE-2021-26084, Atlassian, CVE-2022-22954, CVE-2022-22960, CVE-2022-26134, CVE-2022-1388, CVE-2022-30190, Follina)

North Korean Hackers Exploit Unpatched Zimbra Devices in 'No Pineapple' Campaign

A new intelligence gathering campaign linked to the prolific North Korean state-sponsored Lazarus Group leveraged known security flaws in unpatched Zimbra devices to compromise victim systems. That's according to Finnish cybersecurity company WithSecure (formerly F-Secure), which codenamed the incident No Pineapple. Targets of the malicious operation included a healthcare research organization

Microsoft Warns on Zero-Day Spike as Nation-State Groups Shift Tactics

The software giant also recorded an increase in attacks on IT services companies as state-backed threat actors have adapted to better enterprise defenses and cast a wider net, Microsoft says.

CVE-2022-21587: Oracle Critical Patch Update Advisory - October 2022

Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Feature-Rich 'Alchimist' Cyberattack Framework Targets Windows, Mac, Linux Environments

The comprehensive, multiplatform framework comes loaded with weapons, and it is likely another effort by a China-based threat group to develop an alternative to Cobalt Strike and Sliver.

New Chinese Malware Attack Framework Targets Windows, macOS, and Linux Systems

A previously undocumented command-and-control (C2) framework dubbed Alchimist is likely being used in the wild to target Windows, macOS, and Linux systems. "Alchimist C2 has a web interface written in Simplified Chinese and can generate a configured payload, establish remote sessions, deploy payload to the remote machines, capture screenshots, perform remote shellcode execution, and run

Alchimist: A new attack framework in Chinese for Mac, Linux and Windows

By Chetan Raghuprasad, Asheer Malhotra and Vitor Ventura, with contributions from Matt Thaxton. Cisco Talos discovered a new attack framework including a command and control (C2) tool called "Alchimist" and a new malware "Insekt" with remote administration capabilities. The Alchimist has a web interface in Simplified Chinese with remote administration features. The attack framework is designed to target Windows, Linux and Mac machines. Alchimist and Insekt binaries are implemented in GoLang. This campaign consists of additional bespoke tools such as a MacOS exploitation tool, a custom backdoor and multiple off-the-shelf tools such as reverse proxies. Cisco Talos has discovered a new single-file command and control (C2) framework the authors call "Alchimist [sic]." Talos researchers found this C2 on a server that had a file listing active on the root directory along with a set of post-exploitation tools. Cisco Talos assesses with moderate-high confidence that this framework is being...

CVE-2022-1941: Security Bulletins  |  Customer Care  |  Google Cloud

A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

Hackers Targeting Unpatched Atlassian Confluence Servers to Deploy Crypto Miners

A now-patched critical security flaw affecting Atlassian Confluence Server that came to light a few months ago is being actively exploited for illicit cryptocurrency mining on unpatched installations. "If left unremedied and successfully exploited, this vulnerability could be used for multiple and more malicious attacks, such as a complete domain takeover of the infrastructure and the deployment

Stealthy Linux Malware Shikitega Deploying Monero Cryptominer

By Deeba Ahmed. The stealthy malware leverages security flaws to gain privilege escalation and establish persistence. (HackRead.com)

Evasive Shikitega Linux malware drops Monero cryptominer

Researchers from AT&T Alien Labs Research have discovered a stealthy new Linux malware. (Malwarebytes Labs)

Next-Gen Linux Malware Takes Over Devices With Unique Tool Set

The Shikitega malware takes over IoT and endpoint devices, exploits vulnerabilities, uses advanced encoding, abuses cloud services for C2, installs a cryptominer, and allows full remote control.

New Stealthy Shikitega Malware Targeting Linux Systems and IoT Devices

A new piece of stealthy Linux malware called Shikitega has been uncovered adopting a multi-stage infection chain to compromise endpoints and IoT devices and deposit additional payloads. "An attacker can gain full control of the system, in addition to the cryptocurrency miner that will be executed and set to persist," AT&T Alien Labs said in a new report published Tuesday. The findings add to a

CVE-2022-32427: Security Bulletin | Printerlogic

PrinterLogic Windows Client through 25.0.0.676 allows attackers to execute directory traversal. Authenticated users with prior knowledge of the driver filename could exploit this to escalate privileges or distribute malicious content.

CVE-2022-38368: PSIRT Advisories — aviatrix_docs documentation

An issue was discovered in Aviatrix Gateway before 6.6.5712 and 6.7.x before 6.7.1376. Because Gateway API functions mishandle authentication, an authenticated VPN user can inject arbitrary commands.

Hackers Exploited Atlassian Confluence Bug to Deploy Ljl Backdoor for Espionage

A threat actor is said to have "highly likely" exploited a security flaw in an outdated Atlassian Confluence server to deploy a never-before-seen backdoor against an unnamed organization in the research and technical services sector. The attack, which transpired over a seven-day-period during the end of May, has been attributed to a threat activity cluster tracked by cybersecurity firm Deepwatch

Critical Bugs Threaten to Crack Atlassian Confluence Workspaces Wide Open

A hardcoded password associated with the Questions for Confluence app has been publicly released, which will likely lead to exploit attempts that give cyberattackers access to all Confluence content.

‘PwnKit’ vulnerability exploited in the wild: How Red Hat responded

Ravie Lakshmanan's recent article CISA warns of active exploitation of 'PwnKit' Linux vulnerability in the wild articulates the vulnerability in Polkit (CVE-2021-4034) and recommends "to mitigate any potential risk of exposure to cyberattacks… that organizations prioritize timely remediation of the issues," while "federal civilian executive branch agencies, however, are required to mandatorily patch the flaws by July 18

CISA Warns of Active Exploitation of 'PwnKit' Linux Vulnerability in the Wild

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week moved to add a Linux vulnerability dubbed PwnKit to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation. The issue, tracked as CVE-2021-4034 (CVSS score: 7.8), came to light in January 2022 and concerns a case of local privilege escalation in polkit's pkexec utility, which allows an

Atlassian Confluence Exploits Peak at 100K Daily

Swarms of breach attempts against the Atlassian Confluence vulnerability are likely to continue for years, researchers say, averaging 20,000 attempts daily as of this week.

Containers vulnerability risk assessment

Security considerations are even more important today than they were in the past. Every day we discover new vulnerabilities that impact our computer systems, and every day our computer systems become more complex. With the deluge of vulnerabilities that threaten to swamp our security teams, the question, "How much does it matter?" comes quickly to our minds. This question, "Does it matter?", has two parts:

Confluence OGNL Injection Remote Code Execution

Confluence suffers from a pre-authentication remote code execution vulnerability that is leveraged via OGNL injection. All 7.4.17 versions before 7.18.1 are affected.

Attackers Use Public Exploits to Throttle Atlassian Confluence Flaw

The vulnerability remains unpatched on many versions of the collaboration tool and has potential to create a SolarWinds-type scenario.

Atlassian Releases Patch for Confluence Zero-Day Flaw Exploited in the Wild

Atlassian on Friday rolled out fixes to address a critical security flaw affecting its Confluence Server and Data Center products that have come under active exploitation by threat actors to achieve remote code execution. Tracked as CVE-2022-26134, the issue is similar to CVE-2021-26084 — another security flaw the Australian software company patched in August 2021. Both relate to a case of

Threat Advisory: Atlassian Confluence zero-day vulnerability under active exploitation

Cisco Talos is monitoring reports of an actively exploited zero-day vulnerability in Confluence Data Center and Server. Confluence is a Java-based corporate Wiki employed by numerous enterprises. At this time, it is confirmed that all supported versions of Confluence are affected by this...

CVE-2022-26134: [CONFSERVER-79016] Remote code execution via OGNL injection in Confluence Server & Data Center - CVE-2022-26134

In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.

Actively Exploited Atlassian Zero-Day Bug Allows Full System Takeover

A remote code execution (RCE) vulnerability in all versions of the popular Confluence collaboration platform can be abused in credential harvesting, cyber espionage, and network backdoor attacks.

Hackers Exploiting Unpatched Critical Atlassian Confluence Zero-Day Vulnerability

Atlassian has warned of a critical unpatched remote code execution vulnerability impacting Confluence Server and Data Center products that it said is being actively exploited in the wild. The Australian software company credited cybersecurity firm Volexity for identifying the flaw, which is being tracked as CVE-2022-26134. "Atlassian has been made aware of current active exploitation of a

CVE-2022-29085: DSA-2022-021: Dell Unity, Dell UnityVSA, and Dell Unity XT Security Update for Multiple Vulnerabilities

Dell Unity, Dell UnityVSA, and Dell Unity XT versions prior to 5.2.0.0.5.173 contain a plain-text password storage vulnerability when certain off-array tools are run on the system. The credentials of a user with high privileges are stored in plain text. A local malicious user with high privileges may use the exposed password to gain access with the privileges of the compromised user.

CVE-2022-21496: Oracle Critical Patch Update Advisory - April 2022

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service ...

CVE-2021-4034

A local privilege escalation vulnerability was found in polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according to predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends up trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way that it'll induce pkexec to execute arbitrary code. When successfully executed, the attack can cause a local privilege escalation, giving unprivileged users administrative rights on the target machine.
