OpenSecurity.global

Kevin Beaumont

Members
  • Content Count: 209
  • Days Won: 20
  • Invited by: DarkOverlord

Posts posted by Kevin Beaumont


  1. CVE-2019-11510, impacting Pulse Secure SSL VPN, is being exploited in the wild. 

    I've seen it being exploited today, a few hours ago for first time, via BinaryEdge.

    [screenshot]

    Timeline

    24th April 2019 - Vendor advisory.

    14th August 2019 - TLP Rainbow post.

    20th August 2019 - exploit posted publicly.

    22nd August 2019 - exploitation in wild.

    Pulse Secure is one of the "Zero Trust" secure SSL VPN systems where you get pwned by 1996 ../../ exploits.

    [screenshot]


  2. 12 minutes ago, Nicholas L said:

    This is incredible:

    Quote

    In the login page, we found a special parameter called magic. Once the parameter meets a hardcoded string, we can modify any user’s password.

    This security software is just awful.


  3. CVE-2018-13379 is being exploited in the wild on Fortigate SSL VPN firewalls.  These exist as a perimeter security control, so it's a bad vulnerability.

    Using BinaryEdge.io I can see scanning activity from last night for first time for this vulnerability:

    [screenshot]

    The scanning traffic is taking place across the whole internet it appears, spray and pray style.

    The vulnerability is ridiculously easy to exploit: it's a 1996-style pre-auth ../ webserver exploit to read plaintext administrator credentials:

    Quote

    https://sslmgr/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession

    Timeline

    May 24th 2019 - Vendor posts advisory - https://fortiguard.com/psirt/FG-IR-18-384

    [screenshot]

    June 4th 2019 - Vendor updates advisory to correct impacted versions

    August 9th 2019 - Blog explaining the different vulnerabilities in FortiOS, including this one.

    August 14th 2019 - Exploit appears on GitHub and exploitation details posted in TLP Rainbow.

    August 17th 2019 - Another exploit, checks if vulnerable before exploit.

    August 21st 2019 - Exploitation seen in wild.

    • Like 1
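Both VPN posts above describe the same class of bug: a pre-auth `../` traversal in a request to a perimeter appliance. The script below is an added example (not from the forum, the poster, or either vendor) that runs a simple traversal detector over a few constructed Common Log Format lines, including the exact FortiOS request path quoted in the post and a percent-encoded variant of it; the log lines, IP addresses and timestamps are invented for the example. It decodes twice and collapses repeated slashes so that the `/../../../..//////////` form and its encoded cousins normalise to the same `..` segments before matching.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (not real traffic). Line 2 carries the
# FortiOS request from the post, line 3 the same request percent-encoded, and
# the other two are ordinary Fortinet / Pulse login requests that must not match.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Aug/2019:03:14:07 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 512
203.0.113.9 - - [21/Aug/2019:03:14:09 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 3410
198.51.100.7 - - [21/Aug/2019:03:15:22 +0000] "GET /remote/fgt_lang?lang=%2F..%2F..%2F..%2Fdev%2Fcmdb%2Fsslvpn_websession HTTP/1.1" 200 3410
192.0.2.44 - - [21/Aug/2019:03:16:01 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 2048
"""

# Common Log Format: client address, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def has_dotdot(value):
    """True if the value contains a '..' path segment after normalisation.

    Percent-decoding is applied twice to catch double-encoded requests, and
    runs of slashes are collapsed so '/..//////dev' and '/../dev' match alike.
    """
    decoded = unquote(unquote(value))
    collapsed = re.sub(r'/+', '/', decoded)
    return any(seg == '..' for seg in collapsed.split('/'))


def scan_log(text):
    """Return one hit per request whose path or any query value traverses."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group('target')
        parts = urlsplit(target)
        # Check the path itself and every query-string value (the FortiOS
        # case hides the traversal in the 'lang' parameter, not the path).
        candidates = [parts.path] + [
            v for _, v in parse_qsl(parts.query, keep_blank_values=True)
        ]
        if any(has_dotdot(c) for c in candidates):
            hits.append({
                'ip': m.group('ip'),
                'time': m.group('ts'),
                'target': target,
                'status': int(m.group('status')),
            })
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['status']} {hit['target']}")
```

Given that the post says a successful request returns the plaintext administrator credentials, a hit that the server answered with a 200 is worth treating as a credential exposure rather than just a scan, which is why the status code is carried through in each hit.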

  4. Yeah, that's a good way of doing it.  Personally I use Microsoft Authenticator, which lets you add Google Authenticator tokens - and backs up to iCloud on iOS.  It's obviously still flawed as you can recover iCloud via SMS, of course.


  5. 2 minutes ago, James Valente said:

    What's the solution for people whose real name is fewer than 10 characters?

    Join with a bunch of numbers at the end, and I'll strip them off as I see 'em.  It was to stop people signing up as Dave and such.


  6. Vulnerability management, or patch management?  For patch management I'd just use WSUS for Windows systems, it shows what you need.  For vulnerability management, if you're using something like Rapid7 I'd risk accept Spectre and Meltdown style vulns so they don't appear in reporting, and produce reports from the rest.


  7. Every company I've worked at has had a manual spam mailbox thingy, due to spam filtering not working as well as it should.  It's good for us as Microsoft are so bad at securing Azure and Office365 we get O365 phishing hosted by Microsoft getting through, keeps me in a job.


  8. 43 minutes ago, Steve Lord said:

    In 100 years we'll all be dead, and I suspect those that will be around will be tackling different problems in a very different world.

    If anything I see applied AI handling low hanging fruit for sysadmins rather than replacing them, freeing them up for more interesting work as Kevin put it. We've seen this already in other ML applications like Bayesian spam filtering instead of having people forward spam to be blocked (which was a thing in the late 90s for some people).

    I work in a SOC where people forward spam to be blocked 😄

    • Sad 1

  9. At work I've just been upgraded from a laptop running 32-bit Windows 7 with 4GB of RAM (3GB usable due to 32-bit).  I've now got 8GB of RAM, ooooo.  At home I have a Chromebook with 2GB of RAM and a gaming PC built in 2011 with an AMD processor from when AMD were more terrible than they are now.

    • Like 2

  10. @MalwareTech's analysis of the patch is up: https://www.malwaretech.com/2019/08/dejablue-analyzing-a-rdp-heap-overflow.html

    Quote

    I set the uncompressedSize field to 1 - 0x2000 (0xFFFFE001), so that when 0x2000 is added it will loop around to 1. Then I set the compressed data to contain the letter 'A' repeated 0x200 times, which should result in the heap buffer being overflowed by 0x1FF bytes.

    lols

    • Thanks 1
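The quoted arithmetic is a textbook 32-bit integer wraparound: a length field chosen so that adding a fixed constant overflows back to a tiny value, after which a "does it fit" check passes and the copy runs past the allocation. The snippet below is an added example, not code from MalwareTech's write-up or from the RDP implementation; it emulates `uint32_t` semantics in Python to reproduce the numbers in the quote, and shows the bounds check that a hardened size computation needs (the constant name `HEADER_SLACK` and the function names are this example's own).

```python
MASK32 = 0xFFFFFFFF
HEADER_SLACK = 0x2000   # the constant added to uncompressedSize in the quote (name is ours)


def u32(x):
    """Emulate a C uint32_t: keep the low 32 bits, so arithmetic wraps."""
    return x & MASK32


def wrapped_buffer_size(uncompressed_size):
    """Buffer size as an unchecked 32-bit addition computes it (the bug)."""
    return u32(uncompressed_size + HEADER_SLACK)


def checked_buffer_size(uncompressed_size):
    """Hardened form: reject any length whose sum would not fit in 32 bits."""
    if not 0 <= uncompressed_size <= MASK32:
        raise ValueError("length field outside 32-bit range")
    if uncompressed_size > MASK32 - HEADER_SLACK:
        raise ValueError("length field would wrap the 32-bit size computation")
    return uncompressed_size + HEADER_SLACK


def overrun_bytes(buffer_size, payload_len):
    """Bytes a copy of payload_len would write past the buffer; 0 if it fits."""
    return max(0, payload_len - buffer_size)


def demo():
    """Walk through the values from the quoted analysis."""
    field = u32(1 - HEADER_SLACK)        # 1 - 0x2000 as uint32_t -> 0xFFFFE001
    size = wrapped_buffer_size(field)    # 0xFFFFE001 + 0x2000 wraps to 1
    overrun = overrun_bytes(size, 0x200)  # 0x200 bytes into a 1-byte buffer
    return field, size, overrun


if __name__ == '__main__':
    field, size, overrun = demo()
    print(f"field=0x{field:08X} buffer={size} overrun=0x{overrun:X}")
    try:
        checked_buffer_size(field)
    except ValueError as e:
        print(f"hardened check rejects the field: {e}")
```

The hardened check compares the field against `MASK32 - HEADER_SLACK` before adding, because testing the result after the addition is exactly what wraparound defeats.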

  11. My view is: won't happen.  Automation is and will continue to happen, e.g. most (but not all) orgs have invested in SCCM etc to automate PC deployment for example, but they still need people to build those images for deployment, set the Group Policy etc. I think sysadmins will end up doing slightly more interesting work.


  12. On 8/16/2019 at 2:17 PM, james mckinlay said:

    out of the box AntiVirus does not play well with non-persistent-VDI so we opted for application whitelisting and removal of admin rights for everyone instead of ( not as well as) Antivirus.

    Our monitoring tells us these were sensible choices for our environment.

    It’s a bit of a tricky risk one - it’s pretty easy to get around things like AppLocker if you know what you’re doing. You can run AV with VDI, last two jobbings have done it. That said, application whitelisting is quite often more successful than AV, make of that what you will.


  13. Some people have used the one time name change to change to nicknames.  That wasn't the intention of the feature, which also had a banner describing why it is there.  If it keeps getting abused it will get removed.


  14. Yeah, it comes back to what people mean by EDR.  EDR has become the new thing that vendors need to sell their product, as industry people are asking for it - but everybody means something different it feels like.  

    Sophos are a pretty good example of where it gets confusing.  As a customer, you have:

    • Sophos Endpoint - their main product until a few years ago
    • Sophos Intercept X
    • Sophos Intercept X Advanced
    • Sophos Intercept X Advanced with EDR

    But when you've got to "Sophos Intercept X Advanced with EDR" (how is that a product name?!) it still doesn't include the EDR you're describing above, Kieran.

    • Like 2