Random in Security is a summary of recent cybersecurity news.
Vulnerabilities
CVE-2024-43451
ClearSky Cyber Security has identified a critical zero-day vulnerability in Windows, designated CVE-2024-43451; their report provides the details. They analyzed a malware sample first submitted to VirusTotal on June 21st, 2024. Similar NTLM hash leakage patterns were present in malware samples as early as April 10th, 2024. Microsoft has since released a patch for CVE-2024-43451 in its November Patch Tuesday.
CVE-2024-0012 and CVE-2024-9474
In this article watchTowr Labs delves into two critical vulnerabilities in Palo Alto Networks’ PAN-OS.
CVE-2024-0012 is an authentication bypass in the management web interface.
By adding the header X-PAN-AUTHCHECK: off and abusing a proxypass rule, an attacker can access the management web interface without authenticating.
CVE-2024-9474 is a privilege escalation vulnerability that was chained with the above.
A vulnerability in createRemoteAppwebSession.php allows attackers to create arbitrary users with arbitrary roles; the script assigns a PHP session ID that is then used as an authentication token.
Attackers can then upload malicious PHP code using that session ID and execute commands on the vulnerable product with root privileges.
One noteworthy line from the article to close this topic.
Enterprise-grade security appliances that everyone trusts to secure their communications and internal networks
CVE-2024-5910
Palo Alto Networks released the advisory for CVE-2024-5910 in July. The Horizon3.ai team set out to reproduce the vulnerability and discovered three further vulnerabilities along the way.
They googled “palo alto expedition reset admin password” and found a forum post as the top result.
Based on that information, the vulnerability only required a curl request to <SERVER>/os/startup/restore/restoreAdmin.php to reset the admin password to paloalto.
With a test system running, they discovered and reported three vulnerabilities:
- CVE-2024-9464: Authenticated Command Injection
- CVE-2024-9465: Unauthenticated SQL Injection
- CVE-2024-9466: Cleartext Credentials in Logs
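As an added defender-side example (not code from watchTowr, Horizon3.ai or Palo Alto Networks), the following Python flags logged requests that carry the request-level indicators named in the PAN-OS and Expedition write-ups above: a client-supplied X-PAN-AUTHCHECK header, and requests to createRemoteAppwebSession.php or restoreAdmin.php. The log record layout, the sample entries and the /php/ path prefix are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

# The article says a client-supplied "X-PAN-AUTHCHECK: off" switches off the
# PAN-OS management interface's authentication check. No legitimate client
# sends this header, so any occurrence in inbound traffic deserves an alert.
# HTTP header names are case-insensitive, so compare lower-cased.
AUTHCHECK_HEADER = "x-pan-authcheck"

# Script names from the article, matched against every path segment so that a
# query string or trailing PATH_INFO does not hide them.
SUSPECT_SCRIPTS = {
    "createremoteappwebsession.php": "CVE-2024-9474 (PAN-OS privilege escalation)",
    "restoreadmin.php": "CVE-2024-5910 (Expedition admin password reset)",
}

@dataclass(frozen=True)
class Finding:
    src: str
    rule: str
    detail: str

def _path_segments(path: str) -> List[str]:
    """Lower-cased path segments without the query string."""
    return [s.lower() for s in path.split("?", 1)[0].split("/") if s]

def inspect_request(req: Dict) -> List[Finding]:
    """Apply both rules to one logged request: {src, method, path, headers}."""
    findings: List[Finding] = []
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    if AUTHCHECK_HEADER in headers:
        findings.append(Finding(req["src"], "CVE-2024-0012 (PAN-OS auth bypass)",
                                f"client-supplied X-PAN-AUTHCHECK: {headers[AUTHCHECK_HEADER]}"))
    for segment in _path_segments(req.get("path", "")):
        if segment in SUSPECT_SCRIPTS:
            findings.append(Finding(req["src"], SUSPECT_SCRIPTS[segment], f"request to {segment}"))
    return findings

def scan(requests: List[Dict]) -> List[Finding]:
    """Run inspect_request over a batch of logged requests."""
    return [f for req in requests for f in inspect_request(req)]

# Constructed sample records (hypothetical reverse-proxy log, not real traffic).
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "method": "GET", "path": "/php/login.php", "headers": {"Host": "fw.example"}},
    {"src": "203.0.113.9", "method": "GET", "path": "/php/index.php", "headers": {"X-Pan-AuthCheck": "off"}},
    {"src": "203.0.113.9", "method": "POST", "path": "/php/createRemoteAppwebSession.php",
     "headers": {"X-PAN-AUTHCHECK": "off"}},
    {"src": "198.51.100.4", "method": "GET", "path": "/os/startup/restore/restoreAdmin.php?x=1",
     "headers": {}},
]
```

Running scan(SAMPLE_REQUESTS) yields four findings: the second record trips the header rule, the third trips both the header and the createRemoteAppwebSession.php rule, and the fourth trips the restoreAdmin.php rule.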
Interesting Reads
FortiClient vulnerability
Volexity reported the discovery of a zero-day vulnerability in FortiClient. The flaw allows user credentials to remain in FortiClient’s process memory after authentication, making them susceptible to extraction. Fortinet has acknowledged the issue but has neither issued a fix nor requested a CVE. A detailed analysis by Volexity is available online.
Insights from CISA Red Team Assessment
CISA shared the results of a red team assessment. The team found a web shell that had remained active since an earlier security assessment.
the red team […] gained initial access through a web shell left from a third party’s previous security assessment
SMS Blaster fraud
A 35-year-old Chinese national was arrested in Bangkok for deploying a base station in a car to transmit fraudulent SMS messages. There is a newspaper article as well as a YouTube video.
[…] device simulated AIS signals, sending up to 1 million fraudulent messages […] advertised offers requiring users to click dangerous links
Cell-site simulators, or Stingrays, mimic real cell sites in order to lure mobile devices into connecting to them. These devices are commonly used for security and privacy attacks, and the cost and difficulty of deploying one have come down considerably.
In an SMS blaster attack, a fake network downgrades the user’s connection to legacy 2G. By exposing a fake 2G network, mobile devices are lured into establishing a connection. This is possible because 2G lacks mutual authentication between the mobile device and the base station. Once a device is connected, the attackers can inject fraudulent SMS payloads with custom metadata, completely bypassing the carrier networks.
GSMA’s Fraud and Security Group (FASG) has developed a briefing paper for GSMA members. Google has also published an article on this topic, which describes Android’s security features against such attacks.
Analysis of i-Soon leaks by German domestic intelligence services
This report offers a comprehensive overview of i-Soon’s cyber espionage activities, highlighting the industrialization of such operations and their alignment with China’s strategic objectives. The overview provides links to the four parts of the analysis. Part one gives an overview of the organization and its methods. The second report puts the group into context with the Chinese security apparatus. The third report touches on the general targets of i-Soon. The fourth part provides a short overview of its tools and customers.
Tools
Matrix 2.0 is here!
The Matrix.org Foundation announced the [release of Matrix 2.0](https://matrix.org/blog/2024/10/29/matrix-2.0-is-here/). The four key enhancements in Matrix 2.0 are:
- Simplified Sliding Sync MSC4186
- Native OIDC MSC3861
- Encrypted Multiparty VoIP/Video aka MatrixRTC MSC4143
- Invisible Encryption MSC4153
As for client software, currently only Element X supports Matrix 2.0.