
Random in Security 202222


This post covers 2022-05-30 to 2022-06-06.

Vulnerabilities

Follina — a Microsoft Office code execution vulnerability continued

It’s a zero-day allowing code execution in Office products. Historically, whenever there is an easy way to execute code directly from an Office document, people use it to do bad things. This one bypasses the protection of having macros disabled. Vendor detection is poor.

During the weekend, additional samples based on this vulnerability in the ms-msdt handler were discovered (sources: Twitter, Twitter, SANS).

In the meantime, Microsoft has published mitigation recommendations: disable the MSDT URL protocol. Deploying this mitigation is best done via a GPO.

REM Back up the ms-msdt protocol handler key first, so it can be re-imported once a patch is applied
reg export HKEY_CLASSES_ROOT\ms-msdt follina.reg
REM Then remove the handler so Office can no longer launch msdt.exe via ms-msdt: links
reg delete HKEY_CLASSES_ROOT\ms-msdt /f

Confluence Server and Data Center - CVE-2022-26134 - Critical severity unauthenticated remote code execution vulnerability

Initially, the vendor advisory for this unauthenticated RCE did not include a patch, although the vulnerability was already being actively exploited in the wild. The recommended mitigation was to restrict network access to vulnerable instances. Proof-of-concept code is available and widespread scanning has started. The published details show that the vulnerability is an OGNL injection, reachable through the request URI.

curl -v http://127.0.0.1/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/r7%22%29%7D/
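As an added example (not code from the original post), a small Python scanner that turns the observation above into a detection: it URL-decodes each request path of a Confluence access log, including double encoding, and flags paths carrying an OGNL `${...}` expression, the injection point of CVE-2022-26134. The combined-log layout and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# Assumed combined-log layout (Apache/Tomcat style) for the constructed sample lines below.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) '
                    r'[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# OGNL expression that calls a static method (@class@method) or reads a context variable (#name).
OGNL_RE = re.compile(r'\$\{.*?[@#].*?\}')

# Constructed sample traffic, not real logs: the PoC request from above, a double-encoded probe
# and two benign page views (one with a literal "$" in the page title).
SAMPLE_LOG = (
    '10.0.0.5 - - [03/Jun/2022:10:21:07 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime'
    '%28%29.exec%28%22touch%20/tmp/r7%22%29%7D/ HTTP/1.1" 302 0 "-" "curl/7.68.0"\n'
    '10.0.0.9 - - [03/Jun/2022:10:22:11 +0000] "GET /display/DOCS/Home HTTP/1.1" 200 5412 "-" "Mozilla/5.0"\n'
    '10.0.0.7 - - [03/Jun/2022:10:23:45 +0000] "GET /%2524%257B7*7%257D/ HTTP/1.1" 404 0 "-" "python-requests/2.27"\n'
    '10.0.0.9 - - [03/Jun/2022:10:24:02 +0000] "GET /display/FIN/Q2%20%24%20budget HTTP/1.1" 200 3120 "-" "Mozilla/5.0"\n'
)

def fully_decode(path, max_rounds=3):
    """Undo single or double URL encoding so both %24%7B and %2524%257B end up as '${'."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def inspect_request(line):
    """Return a finding dict when the request path carries an OGNL expression, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = fully_decode(m["path"])
    if "${" not in decoded or "}" not in decoded:
        return None
    indicators = ["ognl-expression-in-uri"]
    if OGNL_RE.search(decoded):
        indicators.append("ognl-method-or-context-access")
    if "java.lang.Runtime" in decoded or ".exec(" in decoded:
        indicators.append("runtime-exec")
    if m["path"] != decoded:
        indicators.append("url-encoded")
    return {"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
            "user_agent": m["ua"], "path": decoded, "indicators": indicators}

def scan_log(text):
    """Run inspect_request over every log line and keep only the findings."""
    return [f for f in (inspect_request(line) for line in text.splitlines()) if f]
```

Pointed at a real access log instead of SAMPLE_LOG, the PoC request reports all four indicators while the double-encoded probe only carries the generic OGNL marker, which is the low-confidence class of hit worth reviewing by hand.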

News

ALPHV/BlackCat

ALPHV compromised the federal state of Carinthia in May (alphv…onion). The ransom is said to be around 5 million USD. They have released a first set of files from the breach; it includes passport copies and bank information and probably originates from the COVID-19 testing campaign.