Feed: https://vulnerability.circl.lu/comment/feed
Most recent activity. Updated: 2024-09-24T02:19:05.109445+00:00
Vulnerability Lookup, info@circl.lu (generated by python-feedgen)

Vulnerabilities fixed in Apache 2.4.59
Link: https://vulnerability.circl.lu/bundle/c47579eb-e740-4902-8769-3c3df45be090
Updated: 2024-09-24T02:19:05.118563+00:00
Published: 2024-07-17T12:45:46.254101+00:00

- SECURITY: CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames (cve.mitre.org)
  HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.
  Credits: Bartek Nowotarski (https://nowotarski.info/)
- SECURITY: CVE-2024-24795: Apache HTTP Server: HTTP Response Splitting in multiple modules (cve.mitre.org)
  HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack.

Apache 2.4.60 vulnerabilities fixed
Link: https://vulnerability.circl.lu/bundle/a23cbcad-e890-4df8-8736-9332ed4c3d47
Updated: 2024-09-24T02:19:05.118535+00:00
Published: 2024-07-17T12:47:44.651223+00:00

# A set of vulnerabilities discovered before version 2.4.59 and fixed in Apache httpd 2.4.60

- SECURITY: CVE-2024-39573: Apache HTTP Server: mod_rewrite proxy handler substitution (cve.mitre.org)
  Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly set up URLs to be handled by mod_proxy.
  Credits: Orange Tsai (@orange_8361) from DEVCORE
- SECURITY: CVE-2024-38477: Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request (cve.mitre.org)
  Null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request.
  Credits: Orange Tsai (@orange_8361) from DEVCORE
- SECURITY: CVE-2024-38476: Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect (cve.mitre.org)
  The core of Apache HTTP Server 2.4.59 and earlier is vulnerable to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable.
  Note: Some legacy uses of the 'AddType' directive to connect a request to a handler must be ported to 'AddHandler' after this fix.
  Credits: Orange Tsai (@orange_8361) from DEVCORE
- SECURITY: CVE-2024-38475: Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path (cve.mitre.org)
  Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use backreferences or variables as the first segment of the substitution are affected. Some unsafe RewriteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained.
  Credits: Orange Tsai (@orange_8361) from DEVCORE
- SECURITY: CVE-2024-38474: Apache HTTP Server weakness with encoded question marks in backreferences (cve.mitre.org)
  Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL, or source disclosure of scripts meant only to be executed as CGI.
  Note: Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified.
  Credits: Orange Tsai (@orange_8361) from DEVCORE
- SECURITY: CVE-2024-38473: Apache HTTP Server proxy encoding problem (cve.mitre.org)
  Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests.
  Credits: Orange Tsai (@orange_8361) from DEVCORE
- SECURITY: CVE-2024-38472: Apache HTTP Server on Windows UNC SSRF (cve.mitre.org)
  SSRF in Apache HTTP Server on Windows allows an attacker to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content.
  Note: Existing configurations that access UNC paths will have to configure the new directive "UNCList" to allow access during request processing.
  Credits: Orange Tsai (@orange_8361) from DEVCORE
- SECURITY: CVE-2024-36387: Apache HTTP Server: DoS by Null pointer in websocket over HTTP/2 (cve.mitre.org)
  Serving WebSocket protocol upgrades over an HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance.
  Credits: Marc Stern (<marc.stern AT approach-cyber.com>)

ServiceNow - July 2024 vulnerabilities
Link: https://vulnerability.circl.lu/bundle/0ed650b2-0845-4a5d-8164-a858acafffa8
Updated: 2024-09-24T02:19:05.118472+00:00

- KB1648313 CVE-2024-5217 - Incomplete Input Validation in GlideExpression Script (2024-07-10)
- KB1648312 CVE-2024-5178 - Incomplete Input Validation in SecurelyAccess API (2024-07-10)
- KB1645154 CVE-2024-4879 - Jelly Template Injection Vulnerability in ServiceNow UI Macros (2024-07-10)

CVE-2024-4879 appears to be the most serious vulnerability, allowing RCE for non-authenticated users.
ref: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1226057
Published: 2024-07-27T21:00:07.812336+00:00

New intelligence shows that exploitation of this RCE vulnerability does not require authentication
Link: https://vulnerability.circl.lu/comment/dde1219a-14e2-47e0-9be7-64b42823c889
Updated: 2024-09-24T02:19:05.116457+00:00
Published: 2024-07-17T15:49:25.225853+00:00

# Exploited Unauthenticated RCE Vulnerability CVE-2023-6548 in Citrix NetScaler ADC and NetScaler Gateway

New intelligence shows that exploitation of this RCE vulnerability does not require authentication: https://digital.nhs.uk/cyber-alerts/2024/cc-4525

The NHS England National Cyber Security Operations Centre (CSOC) is aware of intelligence provided by CrowdStrike that, contrary to Citrix's initial disclosure, the vulnerability known as CVE-2023-6548 does not require user privileges for exploitation. NHS England National CSOC now assesses CVE-2023-6548 as a critical vulnerability that can allow a remote, unauthenticated attacker to execute remote code on a vulnerable NetScaler Gateway or NetScaler ADC device.

CVE-2023-6548 has two different CVSSv3 scores attributed to it. The NIST National Vulnerability Database (NVD) has classified it as having a score of 8.8, while Citrix rates the vulnerability at 5.5. The weakness is Improper Control of Generation of Code ('Code Injection') in NetScaler ADC and NetScaler Gateway and could allow a remote, unauthenticated attacker with access to the management interface to execute arbitrary code.

Additional information from CSIRT/CERTs
Link: https://vulnerability.circl.lu/comment/a309d024-2714-4a81-a425-60f83f6d5740
Updated: 2024-09-24T02:19:05.116434+00:00
Published: 2024-07-19T07:19:41.157834+00:00

# Additional information from CSIRT/CERTs about Cisco Secure Email Gateway vulnerability

- [IE](https://www.ncsc.gov.ie/pdfs/CiscoSecureEmailGateway_Vuln.pdf)
- [FI](https://www.kyberturvallisuuskeskus.fi/fi/haavoittuvuus_18/2024)
- [SE](https://www.cert.se/2024/07/bm24-003-kritisk-sarbarhet-i-cisco-secure-email-gateway.html)
- [ES](https://www.incibe.es/incibe-cert/alerta-temprana/avisos/multiples-vulnerabilidades-en-productos-cisco-0)

Timeline of reporting, publication/disclosure and fix
Link: https://vulnerability.circl.lu/comment/f5ac1ede-8d1c-409b-b6bc-ce202e11fc90
Updated: 2024-09-24T02:19:05.116411+00:00
Published: 2024-07-27T08:42:43.664278+00:00

The timeline on https://bugzilla.tianocore.org/show_bug.cgi?id=3387 is interesting:

- 2021-05-10 16:43 UTC - Bug reported by John Mathews
- 2021-07-07 14:02:27 - Working patch mentioned by Vincent Zimmer (who also recommends the need for a CVE)
- 2022-05-10 21:04:45 UTC - "Blackduck has this CVE in their database so this CVE is being flagged for all edk2 products that are scanned."
- 2022-06-14 05:52:10 UTC - Patch doesn't build.
- 2022-11-04 - Patch merged in the repo: https://github.com/tianocore/edk2/commit/cab1f02565d3b29081dd21afb074f35fdb4e1fd6

But the vulnerability was published 2022-03-03 21:53, or is the timeline incorrect?

Potential typo in the CVE summary
Link: https://vulnerability.circl.lu/comment/501e7a04-3a1e-4ac4-b24b-6ff22b0b554d
Updated: 2024-09-24T02:19:05.116389+00:00

As mentioned in [this toot](https://social.circl.lu/@fl@infosec.exchange/112876958526263355), it seems the group name is `ESX Admins` and not `ESXi Admins`.
Published: 2024-08-01T20:57:15.091620+00:00

KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932
Link: https://vulnerability.circl.lu/comment/739d2f08-5639-4fd0-8e7f-526b3443ff54
Updated: 2024-09-24T02:19:05.116367+00:00
Published: 2024-08-02T21:39:30.732348+00:00

- [KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932](https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d)

More details about the update process on the AMD website
Link: https://vulnerability.circl.lu/comment/97b65c3a-146f-4c97-9b47-6dd15cb179ad
Updated: 2024-09-24T02:19:05.116345+00:00
Published: 2024-08-22T07:59:33.336961+00:00

"AMD plans to release the Platform Initialization (PI) firmware version indicated below."

The release schedule is mentioned there: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7014.html

It also depends on the AGESA update process for some motherboards.

MISP 2.4.197 released with many bugs fixed, a security fix and improvements.
Link: https://vulnerability.circl.lu/comment/80e30504-7622-448d-a12f-9f2454207c6d
Updated: 2024-09-24T02:19:05.116321+00:00
Published: 2024-09-09T07:00:39.566529+00:00

- [MISP 2.4.197 released with many bugs fixed, a security fix and improvements.](https://www.misp-project.org/2024/09/02/MISP.2.4.197.released.html/)

The MISP release 2.4.197

More details about the Veeam vulnerability
Link: https://vulnerability.circl.lu/comment/4e36fb63-ef06-4e9d-8f57-7b76aebf7bde
Updated: 2024-09-24T02:19:05.116296+00:00
Published: 2024-09-10T06:14:51.710700+00:00

- https://censys.com/cve-2024-40711/
- https://labs.watchtowr.com/veeam-backup-response-rce-with-auth-but-mostly-without-auth-cve-2024-40711-2/

~~~
Well, that was a complex vulnerability, requiring a lot of code-reading! We've successfully shown how multiple bugs can be chained together to gain RCE in a variety of versions of Veeam Backup & Replication.

We're a little confused by Veeam's advisory, however, which seems to be contradictory. As you may recall from the very start of the blogpost, Veeam's advice was that versions up to and including 12.1.2.172 are vulnerable. While the title of the bug states that "A vulnerability allowing unauthenticated remote code execution (RCE)", suggesting a world-ending CVSS 10 bug, they then proceed to label the bug as a less-serious CVSS 9.8, requiring user authentication before exploitation is possible. This is confusing, because all versions beneath 12.1.2.172 don't require authentication to exploit, and only a change made in 12.1.2.172 made it so authentication was required (see above analysis). Perhaps Veeam simply made an error in their advisory, as we (and Code White) clearly demonstrate that authentication is not required. Hopefully, a pre-emptive change wasn't made in 12.1.2.172 to downgrade the eventual severity of this vulnerability.

Regardless of CVSS, the actual situation, as you can see above, is somewhat more nuanced than 'RCE before 12.1.2.172':

Version               | Status
12.2.0.334            | Fully patched. Not affected by the vulnerabilities in this blogpost.
12.1.2.172            | Affected, but exploitation requires authentication. Low privilege users are able to execute arbitrary code.
12.1.1.56 and earlier | Vulnerable to unauthenticated RCE.

Speaking of exploitation, we're breaking with tradition on this bug by not releasing a full exploit chain (sorry, folks!). We're a little worried by just how valuable this bug is to malware operators, and so are (on this occasion only) refraining from dropping a working exploit. The most we're going to drop is this tantalizing video of exploitation, which will have to tide you over until our next post:
~~~

CVE Wednesday - CVE-2024-20439 - from StarkeBlog
Link: https://vulnerability.circl.lu/comment/daf228ff-bf18-462b-8d03-acbd9cf60965
Updated: 2024-09-24T02:19:05.116266+00:00
Published: 2024-09-21T07:26:37.729241+00:00

[Cisco recently released an advisory for CVE-2024-20439 here. (nvd) Please note I did not discover this vulnerability, I just reverse engineered the vulnerability from the advisory](https://starkeblog.com/cve-wednesday/cisco/2024/09/20/cve-wednesday-cve-2024-20439.html), published by Nicholas Starke, https://starkeblog.com/

Critical Exploit in MediaTek Wi-Fi Chipsets: Zero-Click Vulnerability (CVE-2024-20017) Threatens Routers and Smartphones
Link: https://vulnerability.circl.lu/comment/4d12529b-de4a-40f8-85fb-a910c49847c3
Updated: 2024-09-24T02:19:05.116177+00:00

# Critical Exploit in MediaTek Wi-Fi Chipsets: Zero-Click Vulnerability (CVE-2024-20017) Threatens Routers and Smartphones

By Security News, from https://blog.sonicwall.com/en-us/2024/09/critical-exploit-in-mediatek-wi-fi-chipsets-zero-click-vulnerability-cve-2024-20017-threatens-routers-and-smartphones/, September 19, 2024

# Overview

The SonicWall Capture Labs threat research team became aware of the threat CVE-2024-20017, assessed its impact and developed mitigation measures for the vulnerability. CVE-2024-20017 is a critical zero-click vulnerability with a CVSS 3.0 score of 9.8, impacting MediaTek Wi-Fi chipsets MT7622/MT7915 and RTxxxx SoftAP driver bundles used in products from various manufacturers, including Ubiquiti, Xiaomi and Netgear. The affected versions include MediaTek SDK versions 7.4.0.1 and earlier, as well as OpenWrt 19.07 and 21.02. This translates to a large variety of vulnerable devices, including routers and smartphones. The flaw allows remote code execution without user interaction due to an out-of-bounds write issue. MediaTek has released patches to mitigate the vulnerability and users should update their devices immediately. While this vulnerability was published and patched back in March, only recently did a public PoC become available, making exploitation more likely.

# Technical Overview

The vulnerability resides in wappd, a network daemon included in the MediaTek MT7622/MT7915 SDK and RTxxxx SoftAP driver bundle. This service is responsible for configuring and managing wireless interfaces and access points, particularly with Hotspot 2.0 technologies. The architecture of wappd is complex, comprising the network service itself, a set of local services that interact with the device's wireless interfaces, and communication channels between components via Unix domain sockets. Ultimately, the vulnerability is a buffer overflow as a result of a length value taken directly from attacker-controlled packet data without bounds checking and placed into a memory copy. This buffer overflow creates an out-of-bounds write.

# Triggering the Vulnerability

The vulnerability exists in the IAPP_RcvHandlerSSB function where an attacker controlled length value is passed to the IAPP_MEM_MOVE macro as described in hyprdude's blog and seen in Figure 1.

Figure 1: Vulnerable Code sourced from hyprdude

Prior to the last line which calls IAPP_MEM_MOVE, the only bounds check done is to check that the provided length does not exceed the maximum packet length of 1600 bytes. As the size of the destination struct is only 167 bytes, this results in a stack buffer overflow of up to 1433 bytes. To trigger this vulnerability an attacker must send a packet with the expected structures prepending the attack payload. These structures are referred to as the RT_IAPP_HEADER and the RT_IAPP_SEND_SECURITY_BLOCK within the code. To bypass validation checks the length of the RT_IAPP_HEADER struct needs to be small and the RT_IAPP_HEADER.Command field must be set to 50.

# Exploitation

The publicly available exploit code achieves remote code execution by using a global address table overwrite technique via a return-oriented programming (ROP) chain. This method leverages the `system()` call to execute commands, such as sending a reverse shell back to the attacker. The reverse shell is established using Bash and the existing Netcat tool on the chipset. Figure 2 illustrates how the reverse shell command is crafted and embedded within the payload to enable this exploitation tactic.

Figure 2: Reverse Shell Commands

# SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

- IPS: 20322 MediaTek MT7915 wlan Service OOB Write 1
- IPS: 20323 MediaTek MT7915 wlan Service OOB Write 2

# Remediation Recommendations

Due to the availability of the exploit code, it is highly recommended that users upgrade to the latest version of the firmware for their

Published: 2024-09-21T16:21:27.498950+00:00