Jump to content
OpenSecurity.global

Kevin Beaumont

Members
  • Content Count

    228
  • Joined

  • Last visited

  • Days Won

    32
  • Invited by

    DarkOverlord

Posts posted by Kevin Beaumont


  1. 18 minutes ago, Steve Walsh said:

    It was part of the August patch updates. Not related to the RDP vulnerability. But the issue came with the patch. So if you were quick off the mark, it hurt you a bit https://www.ghacks.net/2019/08/15/visual-basic-issues-in-windows-august-2019-updates/

    Oh I get you.  Yeah, I wouldn't rush out patching for this, just patch as usual process.


  2. CVE-2019-15107 is being exploited in the wild.  It's a pre-auth exploit which allows admin password change, a.k.a. RCE, introduced by an attacker via a backdoor in the application.

    Via BinaryEdge.io:

    image.thumb.png.40dd75cdec005022e02a37b9487c5e4e.png

     

    Timeline

    April 2018 - an attacker backdoor'd WebMin's Sourceforge repo via build process.

    17th August 2019 - 0day exploit available to exploit vulnerability.

    17th August 2019 - WebMin issue advisory

    20th August 2019 - mass exploitation seen in wild.


  3. CVE-2019-11510, impacting Pulse Secure SSL VPN, is being exploited in the wild. 

    I've seen it being exploited today, a few hours ago for first time, via BinaryEdge.

    image.thumb.png.45bef58b709e78c7c5047f53fd5331a1.png

     

    Timeline

    24th April 2019 - Vendor advisory.

    14th August 2019 - TLP Rainbow post.

    20th August 2019 - exploit posted publicly.

    22nd August 2019 - exploitation in wild.

    Pulse Secure is one of the "Zero Trust" secure SSL VPN systems where you get pwned by 1996 ../../ exploits.

    image.thumb.png.53b7b86abeb97f13b1d929f139b1f320.png


  4. 12 minutes ago, Nicholas L said:

    This is incredible:

    Quote

    In the login page, we found a special parameter called magic. Once the parameter meets a hardcoded string, we can modify any user’s password.

    This security software is just awful.


  5. CVE-2018-13379 is being exploited in the wild on Fortigate SSL VPN firewalls.  These exist as a perimeter security control, so it's a bad vulnerability.

    Using BinaryEdge.io I can see scanning activity from last night for first time for this vulnerability:

    image.thumb.png.c2decdb5add261fa1f48850c0ceb1c2d.png

    The scanning traffic is taking place across the whole internet it appears, spray and pray style.

    The vulnerability is ridiculously easy to exploit, it's a 1996 style pre-auth ../ webserver exploit to read plain text administrator credentials:

    Quote

    https://sslmgr/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession

    Timeline

    May 24th 2019 - Vendor posts advisory - https://fortiguard.com/psirt/FG-IR-18-384

    image.png.a3eb5618218e661eb10a6a5036b22d93.png

    June 4th 2019 - Vendor updates advisory to correct impacted versions

    August 9th 2019 - Blog explaining the different vulnerabilities in FortiOS, including this one.

    August 14th 2019 - Exploit appears on GitHub and exploitation details posted in TLP Rainbow.

    August 17th 2019 - Another exploit, checks if vulnerable before exploit.

    August 21nd 2019 - Exploitation seen in wild.

    • Like 1

  6. yeah that's a good way of doing it.  Personally I use Microsoft Authenticator, which lets you add Google Authenticator tokens - and backs up to iCloud on iOS.  It's obviously still flawed as you can recover iCloud via SMS, of course.


  7. 2 minutes ago, James Valente said:

    What's the solution for people whose real name is fewer than 10 characters?

    Join with a bunch of numbers at the end, and I'll strip them off as I see 'em.  It was to stop people signing up as Dave and such.


  8. Vulnerability management, or patch management?  For patch management I'd just use WSUS for Windows systems, it shows what you need.  For vulnerability management, if you're using something like Rapid7 I'd risk accept Spectre and Meltdown style vulns so they don't appear in reporting, and produce reports from the rest.


  9. Every company I've worked as has had a manual spam mailbox thingy, due to spam filtering not working as well as it should.  It's good for us as Microsoft are so bad at securing Azure and Office365 we get O365 phishing hosted by Microsoft getting through, keeps me in a job.


  10. 43 minutes ago, Steve Lord said:

    In 100 years we'll all be dead, and I suspect those that will be around will be tackling different problems in a very different world.

    If anything I see applied AI handling low hanging fruit for sysadmins rather than replacing them, freeing them up for more interesting work as Kevin put it. We've seen this already in other ML applications like Bayesian spam filtering instead of having people forward spam to be blocked (which was a thing in the late 90s for some people).

    I work in a SOC where people forward spam to be blocked 😄

    • Sad 1
×
×
  • Create New...

Important Information

We use cookies as we're cookie monsters. Privacy Policy