INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Microsoft Patch Tuesday July 2024
Published: 2024-07-09
Last Updated: 2024-07-09 17:35:23 UTC
by Johannes Ullrich (Version: 1)
Microsoft today released patches for 142 vulnerabilities. Only four of the vulnerabilities are rated as "critical". There are two vulnerabilities that have already been discussed and two that have already been exploited.
Noteworthy Vulnerabilities:
CVE-2024-38080: Windows Hyper-V Elevation of Privilege Vulnerability (exploited vulnerability)
An attacker can obtain SYSTEM privilege by exploiting this integer overflow.
CVE-2024-38112: Windows MSHTML Platform Spoofing Vulnerability
I haven't seen any details disclosed yet. However, these vulnerabilities typically make it difficult to identify the nature and origin of an attachment. A victim may be tricked into opening a malicious attachment, leading to code execution. There have been numerous similar vulnerabilities in the past.
CVE-2024-35264: .NET and Visual Studio Remote Code Execution Vulnerability (disclosed vulnerability)
The CVSS score for this vulnerability is 8.1, so it is not rated critical. The vulnerability is triggered by closing an HTTP/3 connection while the request body is still being processed. The attacker must win a race condition to execute code.
CVE-2024-37985: Systematic Identification and Characterization of Proprietary Prefetchers (disclosed vulnerability)
This vulnerability only affects ARM systems. An attacker would be able to view privileged heap memory.
CVE-2024-38074, CVE-2024-38076, CVE-2024-38077: Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability
Three of the four critical vulnerabilities affect the RDP Licensing Service. Watch out for PoC exploits for these vulnerabilities.
CVE-2024-38060: Windows Imaging Component Remote Code Execution Vulnerability
The WIC is the Windows framework used to parse images and related metadata. To trigger the vulnerability, an authenticated attacker must upload a TIFF image to a server.
Read the full entry:
https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+July+2024/31058/
SSH "regreSSHion" Remote Code Execution Vulnerability in OpenSSH.
Published: 2024-07-01
Last Updated: 2024-07-01 17:01:32 UTC
by Johannes Ullrich (Version: 1)
Qualys published a blog post with details regarding a critical remote code execution vulnerability.
This week is far from ideal to have to deal with a critical vulnerability in widely used software like OpenSSH. So I want to save you some time by summarizing the most important points in a very brief post:
The CVEs associated with this vulnerability are CVE-2006-5051 and CVE-2024-6387.
The reason for the two CVE numbers, and for the use of the old 2006 CVE number, is that this is a regression: an old vulnerability that came back. Sadly, this happens somewhat regularly (not with OpenSSH specifically, but in software in general) if developers do not add tests to ensure the vulnerability stays patched in future versions. Missing comments are another reason for these regressions: a developer may remove a test they consider unnecessary.
The vulnerability does allow arbitrary remote code execution without authentication.
OpenSSH versions up to 4.4p1 are vulnerable to CVE-2006-5051.
OpenSSH versions from 8.5p1 up to 9.8p1 are vulnerable to CVE-2024-6387 (9.8p1 is the patched version).
Remember that many Linux distributions will not increase version numbers if they are backporting a patch
This is a timing issue, and exploitation is not easily reproducible but takes about 10,000 attempts on x86 (32-bit).
The speed of exploitation is limited by the sshd MaxStartups and LoginGraceTime settings.
Exploitation on AMD64 does not appear to be practical at this time.
Most Linux systems are currently running on 64-bit architectures. However, this could be a big deal for legacy systems / IoT systems in particular if no more patches are available. Limiting the rate of new connections using a network firewall may make exploitation less likely in these cases. First of all, a patch should be applied. But if no patch is available, port knocking, moving the server to an odd port or allowlisting specific IPs may be an option.
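The version ranges above, together with the warning that distributions backport fixes without bumping the version number, are the practical triage problem for this bug. The following is an added example (not code from the diary or from the OpenSSH project): it classifies an OpenSSH banner or a local `ssh -V` line against the two CVE ranges and flags distribution builds where the version string alone cannot settle the question. The range boundaries come from the diary; treating 4.4p1 itself as fixed (so only versions below it are in the CVE-2006-5051 range) is an assumption, and the inventory lines are constructed samples.

```python
import re

# Version ranges taken from the diary entry above. The 4.4p1 boundary is
# treated as exclusive (4.4p1 being the fixed release): an assumption.
CVE_2006_FIXED = (4, 4)        # versions below this: CVE-2006-5051
CVE_2024_FIRST = (8, 5)        # regression reintroduced in 8.5p1
CVE_2024_FIXED = (9, 8)        # 9.8p1 is the patched release

# Matches both the network banner ("SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13")
# and local "ssh -V" output ("OpenSSH_9.6p1 Ubuntu-3ubuntu13, OpenSSL ...").
# Only major.minor is compared; every range boundary on the page is a p1 build.
_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?(?:\s+(\S+))?")


def parse_openssh_version(text):
    """Return ((major, minor), distro_tag) or None if not an OpenSSH banner.

    distro_tag is any token following the version (e.g. 'Ubuntu-3ubuntu13').
    Its presence signals a distribution build whose patches may have been
    backported without a version bump.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    version = (int(m.group(1)), int(m.group(2)))
    distro_tag = m.group(4)
    if distro_tag:
        distro_tag = distro_tag.rstrip(",")
    return version, distro_tag


def triage_openssh(text):
    """Classify a banner or 'ssh -V' line against the two CVE version ranges.

    Returns a dict with:
      version -- (major, minor), or None for non-OpenSSH servers
      cves    -- CVEs whose upstream version range contains this version
      verdict -- 'not-openssh', 'unaffected', 'patched', 'vulnerable'
                 or 'verify-backport' (distribution build; check the
                 distro advisory rather than trusting the version string)
    """
    parsed = parse_openssh_version(text)
    if parsed is None:
        return {"version": None, "cves": [], "verdict": "not-openssh"}
    version, distro_tag = parsed
    cves = []
    if version < CVE_2006_FIXED:
        cves.append("CVE-2006-5051")
    elif CVE_2024_FIRST <= version < CVE_2024_FIXED:
        cves.append("CVE-2024-6387")
    if not cves:
        verdict = "patched" if version >= CVE_2024_FIXED else "unaffected"
    elif distro_tag:
        verdict = "verify-backport"
    else:
        verdict = "vulnerable"
    return {"version": version, "cves": cves, "verdict": verdict}


# Constructed sample inventory (hypothetical hosts): collected banners plus
# one local "ssh -V" line.
SAMPLE_INVENTORY = {
    "host-a": "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "host-b": "SSH-2.0-OpenSSH_9.8p1",
    "host-c": "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "host-d": "SSH-2.0-OpenSSH_4.3p2",
    "host-e": "SSH-2.0-dropbear_2022.83",
    "host-f": "OpenSSH_9.7p1 Ubuntu-3ubuntu13.5, OpenSSL 3.0.13 30 Jan 2024",
}


def triage_inventory(inventory):
    """Run the triage over a {host: banner_or_version_line} mapping."""
    return {host: triage_openssh(line) for host, line in inventory.items()}


if __name__ == "__main__":
    for host, result in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {result['verdict']} {result['cves']}")
```

A 'verify-backport' verdict is the common case on Debian, Ubuntu and RHEL derivatives: the package changelog or the distribution's security advisory, not the banner, decides whether the fix is present.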
Read the full entry:
https://isc.sans.edu/diary/SSH+regreSSHion+Remote+Code+Execution+Vulnerability+in+OpenSSH/31046/
Overlooked Domain Name Resiliency Issues: Registrar Communications
Published: 2024-07-05
Last Updated: 2024-07-05 11:54:02 UTC
by Johannes Ullrich (Version: 1)
I often think the Internet would work better without DNS. People unable to remember an IP address would be unable to use it. But on the other hand, there is more to DNS than translating a human-readable hostname to a "machine-readable" IP address. DNS does allow us to use consistent labels even as the IP address changes.
Many critical resources are only referred to by hostname, not by IP address. This includes part of the DNS infrastructure itself. NS records point to hostnames, not IP addresses, and we use glue records (A records, actually) to resolve them. Organizations typically rely on multiple authoritative name servers that automatically replicate updates between them to provide resiliency for DNS. This process is typically quite reliable, and cloud providers offer additional services to ensure data availability. Anycast name servers can provide additional resilience to this setup.
However, there is a weak point in this setup: Registrars. Yesterday, Hurricane Electric, a significant internet transit provider, experienced this problem ...
As an internet transit provider, Hurricane Electric relies on BGP (Border Gateway Protocol) to route traffic to and from its customers. The associated routers are identified with hostnames like "ns1-ns5.he.net". However, yesterday the name resolution for he.net failed. It probably didn't help that this happened on a major holiday in the US.
The domain "he.net" is hosted with Network Solutions. Network Solutions is one of the "original" domain registrars but has been going through the usual acquisitions and mergers. They currently appear to be owned by Newfold, a company that happens to be located in Jacksonville, FL, where I happen to reside, too.
Yesterday, he.net stopped resolving. The technical issue was that the he.net domain was removed from the .net zone. Without any nameservers being returned by .net nameservers, clients could not resolve he.net names. The registrar is responsible for maintaining this information. Registrars are "special" because they have the contracts in place to update these top-level domains with whoever maintains them. Whois can be used to identify these relationships. For he.net, the whois record returned ...
Read the full entry:
https://isc.sans.edu/diary/Overlooked+Domain+Name+Resiliency+Issues+Registrar+Communications/31048/