If you can't answer whether you have #MOVEit in your environment, now is the time to engage all elements of your IT team. There are two recently assigned #CVEs:
#CVE-2023-35036 (June 9, 2023)
#CVE-2023-34362 (May 31, 2023)
If you identify unpatched instances of MOVEit in your environment, you may want to consider moving to the detect/assess phase of the #NIST Incident Response framework.
Details and #iocs here:
https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability
#Fortigate #RCE -- Nomen est omen.
Why give a company a name that sounds pretty close to the biggest political scandal in the US in the 1970s?
Probably to make it more robust against all possible #InfoSec fails and scandals.
If you count the critical #CVEs in their products, this obviously worked pretty well.
Security flaws can be overwhelming, but don't despair! Learn more about patching, #CVEs and #CVSS with #RedHat's @vdanen in the latest Security Detail video. #security #opensource https://sprou.tt/1SaIqJaqVVV
It is also recommended to disable the OpenSLP service on #ESXi hosts. It is disabled by default as of version 7.0 U2c.
It is not a bad idea to have #VMware notify you personally of new #CVEs by #Mail or #RSS (see https://www.vmware.com/security/advisories.html).
That way you can react quickly to new vulnerabilities.
Why are #CVEs in 2023 starting in the 20k range? CVE-2023-22809 for example.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22809
💻From #CISA 💻
CISA added two new #CVEs to its Known Exploitable Catalog
- CVE-2022-41080: Microsoft Exchange Server Privilege Escalation #Vulnerability
- CVE-2023-21674: Microsoft Windows Advanced Local Procedure Call (ALPC) Privilege Escalation Vulnerability.
CISA also released 2 Industrial Control Systems Advisories:
ICSA-23-010-01 Black Box KVM
ICSA-22-298-07 Delta Electronics InfraSuite Device Master (Update A).
#infosec #criticalinfrastructure #cybersecurity #patchmanagement #riskmanagement #industrialcontrols #ICSsecurity
A new Cybersecurity Advisory provides the top #CVEs used by People’s Republic of China (PRC) state-sponsored cyber actors as assessed by the #FBI, #NSA, & #CISA, to actively target U.S. and allied networks as well as software and hardware companies to steal intellectual property and develop access into sensitive networks.
Available here:
So how are we handling #vulnerability #CVE #CVEs here? What's the preferred format? #CVE_2022_37958 ? #CVE202237958 ?
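All three spellings in that question name the same identifier. The following normalizer is an added example (not from the post above): it accepts hyphen, underscore, space or no separator, with or without a leading `#`, and emits the canonical `CVE-YYYY-NNNN` form. The only rules it enforces are the ones MITRE documents: a four-digit year from 1999 on, and a sequence part of four or more digits with no leading zeros once it exceeds four digits. The sample text is constructed.

```python
import re

# One ID in any of the spellings a hashtag forces on it:
# CVE-2022-37958, CVE_2022_37958, CVE202237958, cve-2022-37958.
# Year: four digits. Sequence: four or more digits (the old 4-digit cap was
# lifted in 2014, so CVE-2023-22809 and CVE-2017-9833 are both valid).
_CVE_RE = re.compile(r"(?i)\bCVE[-_ ]?(\d{4})[-_ ]?(\d{4,})\b")


def normalize_cve(token):
    """Canonical 'CVE-YYYY-NNNN' for one token (leading '#' allowed), or None."""
    m = _CVE_RE.fullmatch(token.strip().lstrip("#"))
    if not m:
        return None
    year, seq = m.groups()
    if int(year) < 1999:                # CVE IDs start in 1999
        return None
    if len(seq) > 4 and seq[0] == "0":  # 5+ digit sequences carry no leading zeros
        return None
    return f"CVE-{year}-{seq}"


def extract_cves(text):
    """Every CVE ID in free text, canonical form, first-seen order, de-duplicated."""
    found = []
    for m in _CVE_RE.finditer(text):
        cid = normalize_cve(m.group(0))
        if cid and cid not in found:
            found.append(cid)
    return found


if __name__ == "__main__":
    # Constructed sample: the same two IDs in four spellings.
    sample = ("CISA added CVE-2022-41080 and #CVE_2023_21674; also seen as "
              "#CVE202321674 and cve-2022-41080.")
    print(extract_cves(sample))  # ['CVE-2022-41080', 'CVE-2023-21674']
```

Whichever hashtag style a platform ends up with, running posts through `extract_cves` before indexing them means a search for `CVE-2022-37958` finds the `#CVE202237958` post too.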
In addition to duplicate CVEs, 'the industry' also has some amusing CVE mis-assignment.
Recently CVE-2017-9833 and CVE-2021-33558 were brought up as attack vectors in a campaign against liquified natural gas victims.
Both CVEs, it turns out, are mis-attributed to the open source Boa webserver. I am pretty darned confident that neither CVE actually applies to the Boa codebase. And I'm not the only one to notice (see all the way at the end, some actually famous infosec friend noticed one of them).
Let's take a look:
CVE-2017-9833 is stated to be a vulnerability in Boa webserver 0.94.14rc21. The vulnerability description ( https://nvd.nist.gov/vuln/detail/CVE-2017-9833 ) is very odd though: apparently it is a directory traversal in a specific CGI handler called /cgi-bin/wapopen . The variable itself is called 'FILECAMERA'. This appears to be a vulnerability in a specific IP camera, not Boa itself. To wit, you can retrieve the original source package for Boa 0.94.14rc21 and search all of the files for the variable 'FILECAMERA' and there is no mention of this variable. Of course it would be very odd for a generic web server to include any cgi handlers — sure you’d expect a generic mechanism to bolt on your own CGI applications but unless there is some ‘test’ application for demonstrating CGI, we wouldn’t expect such a vulnerability to be in the web server itself. A quick check of exposed webservers for the /cgi-bin/wapopen URL shows that they 404 (as we’d expect).
CVE-2021-33558 is likewise very odd. It is stated to be a vulnerability in Boa webserver 0.94.13. The minimal writeup and public proof of concept just indicate that a few HTML and JS files are exposed without authentication. Again, these are files that are on some specific device firmware. Boa itself does not include a ‘backup.html’ or a ‘preview.html’ or ‘js/log.js’, or any of the files included in the advisory. This is a mistake in one particular device, not in Boa itself. And again if we try to load some of these files on generic Boa webservers, we get a 404.
Fixing all of this in the public literature is likely an impossible task, since we are not the original researchers. First we have to identify exactly what devices the researchers were looking at, and then get those researchers to publish new advisories, I guess. In the case of CVE-2017-9833, the researcher has no public point of contact, which is unfortunate. In the case of CVE-2021-33558, our friend attrition (does anyone know if he’s on some mastodon instance?) already tried to get some confirmation because they spotted the same thing we did. There doesn’t seem to be any update though ( https://github.com/mdanzaruddin/CVE-2021-33558./issues/1 ).
The bigger picture? If we toss a firmware with Boa into a vulnerability scanning tool, or even run a network scanning tool against a device with Boa, it’s probably going to flag the web server as vulnerable even though it isn’t. And that’s almost not the scanning tool’s fault: it’s really a problem with CVE mis-assignment.
If you made it this far, thanks for listening to my rant. ⭐
#vulnerabilities #cves #threatintel #SBOM
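The check the post walks through by hand, probing for the advisory's actual artifacts rather than trusting the `Server: Boa/...` banner, as an added example (not the author's code or anything from the Boa project). The two "devices" are constructed in-process: one stock Boa that 404s everything but `/`, one pretend IP-camera firmware that bundles Boa plus the `/cgi-bin/wapopen` handler. The artifact paths are the ones named in the two advisories quoted above; the verdict strings are this example's own.

```python
"""Separate a Boa banner match from the device-specific artifacts the two CVEs
actually describe. Both devices below are fakes started on loopback so the
example runs offline."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# What each advisory actually names. A generic Boa build ships none of these.
CVE_ARTIFACTS = {
    "CVE-2017-9833": ["/cgi-bin/wapopen"],
    "CVE-2021-33558": ["/backup.html", "/preview.html", "/js/log.js"],
}

# Proxy-free opener so the loopback probes never leave the host.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def make_handler(banner, present):
    """Fake device: 200 for '/' and for the paths in `present`, 404 otherwise."""
    class Handler(BaseHTTPRequestHandler):
        server_version = banner   # emitted as the Server: header
        sys_version = ""

        def do_GET(self):
            ok = self.path == "/" or self.path in present
            body = b"<html>ok</html>" if ok else b"404 Not Found"
            self.send_response(200 if ok else 404)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # silence per-request logging
            pass
    return Handler


def start_device(banner, present):
    """Bind a fake device on a free loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), make_handler(banner, present))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


def fetch(url):
    """Return (status, Server header) without raising on 4xx/5xx."""
    try:
        with _OPENER.open(url, timeout=5) as r:
            return r.status, r.headers.get("Server", "").strip()
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Server", "").strip()


def assess(base_url):
    """Per CVE: which artifacts answered 200, plus a verdict that keeps
    'banner says Boa' apart from 'the advisory's artifact is really there'."""
    _, server = fetch(base_url + "/")
    banner_is_boa = server.lower().startswith("boa/")
    findings = {}
    for cve, paths in CVE_ARTIFACTS.items():
        hits = [p for p in paths if fetch(base_url + p)[0] == 200]
        if hits:
            verdict = "artifact present: device-specific code, test the actual bug"
        elif banner_is_boa:
            verdict = "banner match only: artifact absent, likely mis-assigned CVE"
        else:
            verdict = "not Boa and no artifact"
        findings[cve] = (verdict, hits)
    return server, findings


def demo():
    """Stock Boa 0.94.13 vs. a constructed camera firmware (Boa 0.94.14rc21 plus
    the wapopen CGI). Returns {label: (server_banner, findings)}."""
    generic, generic_url = start_device("Boa/0.94.13", present=set())
    camera, camera_url = start_device("Boa/0.94.14rc21", present={"/cgi-bin/wapopen"})
    try:
        return {"generic_boa": assess(generic_url), "ip_camera": assess(camera_url)}
    finally:
        for srv in (generic, camera):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for label, (banner, findings) in demo().items():
        print(label, banner)
        for cve, (verdict, hits) in findings.items():
            print(f"  {cve}: {verdict} {hits}")
```

Point `assess` at a real device instead of the fakes and it gives a scanner hit the second question the post asks: does the thing the advisory describes exist here at all? A 200 on `/cgi-bin/wapopen` still only means the handler is present; the traversal itself, and the `FILECAMERA` parameter, still have to be tested before calling the device vulnerable.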
@DavidJBianco Thanks! We think so. And btw, probability scores for all #CVEs are updated daily, and free for everyone. Just check the data page.
Hey folks! Since we have this fun new platform, I thought I'd post a position that we're #hiring for! The role is "Lead Security Researcher - Emergent Threats Response" at #Rapid7 (that's my team!)
The position is #remote, but we strongly prefer timezones that are compatible with North America (since I'm US west coast).
You'd be working side-by-side with me (and working for the amazing @catc0n), doing #research and deep-dive analyses of public #vulnerabilities / #CVEs / #exploits / etc that impact lots of folks. Sometimes it's stuff that others found (which might be testing PoCs or #ReverseEngineering patches), and sometimes it's our own research.
The skills we want are a deep understanding of vulnerabilities (ideally, you'd be conversant in not just memory corruption, but other vulnerability classes), strong technical writing / presenting / explaining, and some degree of leadership as we shape the vulnerability discussion within Rapid7 and the internet as a whole!
If you're interested, apply here (or, if we know each other well, ping me for a referral :) ): https://www.rapid7.com/careers/jobs/detail/?jid=R5574
grep gets some important notifications & several #CVEs are handled this week in #openSUSE Tumbleweed snapshots, including one for #Python https://news.opensuse.org/2022/09/21/vb-grep-gawk-up-in-tw/
Learn about #security issues & see examples on how to prevent #CVEs at the @opensuse Conference. Sign up and register before next week. https://events.opensuse.org/conferences/oSVC21/program/proposals/3427
Report: Most Popular Home Routers Have ‘Critical’ Flaws - Common devices from Netgear, Linksys, D-Link and others contain serious security vulnerabilities t... more: https://threatpost.com/report-most-popular-home-routers-have-critical-flaws/157346/ #critical-ratedvulnerabilities #vulnerabilities #securityflaws #websecurity #homerouters #miraibotnet #networking #internet #wireless #linksys #netgear #routers #tp-link #d-link #linux #zyxel #asus #cves
Adobe issues emergency fix for file-munching bug - Adobe has released another security patch outside of its usual routine, to deal with a bug that al... more: https://nakedsecurity.sophos.com/2020/03/26/adobe-issues-emergency-fix-for-file-munching-bug/ #securitythreats #vulnerability #photoshop #dataloss #patching #acrobat #reader #adobe #patch #bugs #cves
Cisco issues urgent fixes for SD-WAN router flaws - Cisco has patched a clutch of high-priority vulnerabilities in its SD-WAN routers and their managem... more: https://nakedsecurity.sophos.com/2020/03/23/cisco-issues-urgent-fixes-for-sd-wan-router-flaws/ #securitythreats #wideareanetwork #vulnerability #patching #patches #routers #vmanage #sd-wan #cisco #flaws #patch #cves #wan
Delayed Adobe patches fix long list of critical flaws - This week the company made amends, issuing fixes for an unusually high CVE-level 41 vulnerabilitie... more: https://nakedsecurity.sophos.com/2020/03/19/delayed-adobe-patches-fix-long-list-of-critical-flaws/ #securitythreats #vulnerability #acrobatreader #patchtuesday #microsoft #photoshop #cwetop25 #patching #patches #adobe #cves
Microsoft leaves critical bug unpatched on Patch Tuesday - Microsoft fixed bugs across a range of products on patch Tuesday, issuing patches for 115 distinct... more: https://nakedsecurity.sophos.com/2020/03/11/microsoft-leaves-critical-bug-unpatched-on-patch-tuesday/ #windowsgraphicsdeviceinterface #remotecodeexecution #internetexplorer #securitythreats #vulnerability #microsoftword #patchtuesday #chakracore #microsoft #fortinet #patching #windows #outlook #patches #cisco #cves