Patching

Security Advisory

Zero-Day Vulnerability in Microsoft Sysinternals Tools  

Summary 

A critical 0-Day vulnerability has been identified in nearly all Microsoft Sysinternals tools, allowing attackers to exploit DLL injection techniques to execute arbitrary code. This presents a significant risk to IT administrators and developers who rely on these utilities for system analysis and troubleshooting.

OEM Microsoft 
Severity High 
Date of Announcement 2025-02-05 
CVEs Not Yet Assigned 
Exploited in Wild No 
Patch/Remediation Available No 
Advisory Version 1.0 
Vulnerability Name Zero-Day  

Overview 

Despite being reported to Microsoft over 90 days ago, the vulnerability remains unpatched, as Microsoft considers it a “defense-in-depth” issue rather than a critical security flaw. 

Vulnerability Name CVE ID Product Affected Severity Impact 
            zero-day  Not Yet Assigned Microsoft Sysinternals Tools (Process Explorer, Autoruns, Bginfo, and potentially others)          High Arbitrary Code Execution, Privilege Escalation, Malware Deployment 

Technical Summary 

The vulnerability is caused by improper handling of DLL loading paths in affected Sysinternals utilities. When these tools search for required DLLs, they follow a specific search order, which may include untrusted locations such as network shares or user-writable directories. 

The issue arises from how Sysinternals tools prioritize DLL search paths, favoring untrusted directories such as: 

  • The Current Working Directory (CWD) 
  • Network locations (e.g., shared drives) 
  • User-writable paths over secure system directories 

This flaw allows attackers to place a malicious DLL in the same directory as a Sysinternals executable, tricking the application into loading the rogue DLL instead of the legitimate system DLL. 

Exploit Workflow 

  1. Attacker crafts a malicious DLL (e.g., cryptbase.dll or TextShaping.dll) containing a payload such as a reverse shell, ransomware, or trojan. 
  1. The DLL is placed in the same directory as a vulnerable Sysinternals tool. 
  1. The user unknowingly executes the tool (e.g., Bginfo.exe or procexp.exe) from that directory. 
  1. The malicious DLL is loaded instead of the legitimate system DLL. 
  1. Attackers gains code execution with the privileges of the running process (potentially SYSTEM privileges if run with admin rights). 

Recommendations 

  1. Avoid Running Sysinternals Tools from Network Locations 
  • Always copy tools to a local trusted directory before execution. 
  • Disable execution of .exe files from network drives if feasible. 
  1. Restrict DLL Search Paths 
  • Use SafeDLLSearchMode to prioritize secure directories. 
  • Implement DLL redirection to force tools to load DLLs from trusted paths. 
  1. Implement Application Control Policies 
  • Use AppLocker or Windows Defender Application Control (WDAC) to block unauthorized DLLs from loading. 
  • Restrict execution of Sysinternals tools to trusted admin-only directories. 
  1. Verify DLL Integrity Before Execution 
  • Use SigCheck (Sysinternals) to ensure all loaded DLLs are digitally signed. 
  • Block execution of unsigned or suspicious DLLs in sensitive directories. 
  1. Monitor for Suspicious DLL Loading Behavior 
  • Enable Sysmon logging to detect anomalous DLL loads (Event ID 7). 
  • Monitor for executions of Sysinternals tools from network shares (Event ID 4688). 

Conclusion 

Despite being responsibly disclosed to Microsoft in October 2024, the vulnerability in Sysinternals tools remains unpatched as of February 2025. Microsoft classifies it as a “defense-in-depth” issue, dismissing it as non-critical, while security researchers highlight its severe impact on enterprises, especially those running tools from network shares. This leaves users reliant on manual mitigations to avoid exploitation.

The Sysinternals tools, developed by Microsoft, are a widely-utilized suite of utilities designed to provide in-depth insights into the processes, services, and configurations of Windows systems. 

References

Security Advisory

Critical Authentication Bypass Vulnerability in CybersFortinet Products Under Active Exploitation

Summary

Fortinet recently announced a critical severity vulnerability affecting the FortiOS and FortiProxy products. 

A critical Zero-day vulnerability with a CVSSv3 score of 9.6 that affects FortiOS and FortiProxy. Categorised as an “Authentication Bypass Using an Alternate Path or Channel” vulnerability (CWE-288), the flaw allows an attacker to circumvent authentication.

OEMFortinet
SeverityCritical
CVSS9.6
CVEsCVE-2024-55591
Exploited in WildYes
Patch/Remediation AvailableYes
Advisory Version1.0

Overview

According to data from the Shadowserver Foundation, almost 50,000 devices are still unpatched as of January 20, 2025.

The vulnerability, which has been actively exploited since November 2024, enables unauthenticated attackers to obtain super-admin privileges through specially crafted requests to the Node.js websocket module. Although patches have been released, but a large number of devices remain exposed and vulnerable.

Vulnerability NameCVE IDProduct AffectedSeverity
  Authentication Bypass Vulnerability  CVE-2024-55591  FortiOS and FortiProxy  Critical

Technical Summary

CVE-2024-55591 is an authentication bypass vulnerability in FortiOS and FortiProxy. Exploiting this flaw allows remote attackers to gain super-admin privileges by sending specially crafted requests to the Node.js websocket module. This can lead to unauthorized administrative access, enabling attackers to modify firewall configurations, extract credentials, and move laterally within compromised environments.

Impact by Region (Unpatched Devices)

  • Asia: 20,687 devices
  • North America: 12,866 devices
  • Europe: 7,401 devices
CVE IDSystem AffectedVulnerability DetailsImpact
CVE-2024-55591FortiOS 7.0.0 – 7.0.16, FortiProxy 7.0.0 – 7.0.19, FortiProxy 7.2.0 – 7.2.12Crafted requests to Node.js WebSocket module bypass authentication and allow attackers to gain super-admin privileges.Unauthorized administrative access, credential extraction, and lateral movement.

Remediation:

  1. Upgrade Firmware:
  2. FortiOS: Update to version 7.0.17 or latest
  3. FortiProxy: For 7.0.x version update to v7.0.20 or latest and for 7.2.x version update to v7.2.13 or latest
  • Restrict Administrative Interface Access:
  • Disable HTTP/HTTPS interfaces or limit access to trusted IP addresses using local-in policies.
  • Enable Multi-Factor Authentication (MFA):
  • Enforce MFA on all administrative accounts to reduce the risk of unauthorized access.
  • Monitor Suspicious Activities:
  • Check for unauthorized admin accounts, suspicious logins, or unexpected changes in firewall configurations.

Conclusion:

The exploitation of CVE-2024-55591 underscores the critical importance of timely patch management and robust security practices. Organizations using Fortinet products should act swiftly to apply the necessary updates and implement recommended security measures to protect their networks from potential attacks.

References:

Hashtags

Security Advisory

Banshee Stealer: A Growing Threat to macOS Users 

Overview 

Cybersecurity researchers at Check Point Research (CPR) have discovered a sophisticated macOS malware called Banshee Stealer, putting over 100 million macOS users globally at risk. The malware, designed to exfiltrate sensitive user data, demonstrates advanced evasion techniques, posing a significant threat to users and organizations relying on macOS. 

Key Threat Details: 

Malware Capabilities: 

  • Data Theft: Banshee Stealer targets browser credentials, cryptocurrency wallets, and sensitive files, compromising user security. 
  • User Deception: It displays fake system pop-ups to trick users into revealing their macOS passwords, facilitating unauthorized access. 
  • Encryption and Exfiltration: Stolen data is compressed, encrypted, and transmitted to command-and-control (C&C) servers through stealthy channels, making detection challenging. 

C&C decryption     Source: Cybersecurity News 

Evasion Tactics: 

  • Advanced Encryption: The malware utilizes encryption techniques similar to Apple’s XProtect, camouflaging itself to evade detection by traditional antivirus systems. 
  • Stealth Operations: It operates seamlessly within system processes, avoiding scrutiny from debugging tools and remaining undetected for extended periods. 

Distribution Mechanisms: 

  • Phishing Websites: Banshee Stealer impersonates trusted software downloads, including Telegram and Chrome, to deceive users into downloading malicious files. 
  • Fake GitHub Repositories: It distributes DMG files with deceptive reviews and stars to gain user trust, facilitating the spread of the malware. 

Repository releases     source: Cybersecurity News 

Recent Developments: 

  • Expanded Targeting: The latest version of Banshee Stealer has removed geographic restrictions, such as the Russian language check, broadening its target audience globally. 
  • Source Code Leak: Following a source code leak, there has been increased activity, enabling other threat actors to develop variants and intensify the threat landscape. 

Impact: 

  • Users: Compromised browser data, cryptocurrency wallets, and personal files can lead to identity theft and financial losses. 
  • Organizations: Potential data breaches can result in reputational damage, financial losses, and legal implications. 
  • Global Threat: The malware’s expanded targeting underscores the need for enhanced vigilance among macOS users worldwide. 

Indicators of Compromise (IOCs): 

The IOCs listed below are associated with the threat. For the full list of IOCs, please refer to the link

IP Address and Domain  File Hash 
41.216.183[.]49 00c68fb8bcb44581f15cb4f888b4dec8cd6d528cacb287dc1bdeeb34299b8c93 
Alden[.]io 1dcf3b607d2c9e181643dd6bf1fd85e39d3dc4f95b6992e5a435d0d900333416 
api7[.]cfd 3bcd41e8da4cf68bb38d9ef97789ec069d393306a5d1ea5846f0c4dc0d5beaab 
Authorisev[.]site b978c70331fc81804dea11bf0b334aa324d94a2540a285ba266dd5bbfbcbc114 

Recommendations: 

To mitigate the risks associated with Banshee Stealer, consider implementing the following proactive measures: 

  1. Avoid Untrusted Downloads: 
  • Refrain from downloading software from unverified sources, particularly free or “cracked” versions. 
  • Verify the authenticity of GitHub repositories before downloading any files. 
  1. Strengthening System Defenses: 
  • Regularly update macOS and all installed applications to patch known vulnerabilities. 
  • Deploy advanced security solutions with real-time threat detection and proactive intelligence. 
  1. Enhance Awareness and Training: 
  • Educate users on identifying phishing websites and suspicious downloads. 
  • Encourage caution when responding to system prompts or entering credentials. 
  1. Enable Two-Factor Authentication (2FA): 
  • Secure accounts with 2FA to minimize the impact of stolen credentials. 
  1. Monitor System Activity: 
  • Regularly review system logs for unauthorized changes or suspicious activity. 
  • Use tools to monitor unexpected outgoing data transmissions. 
  • Utilize threat intelligence feeds to detect and block IOCs like malicious IPs, domains, and file hashes.  
  • Continuously monitor network traffic, emails, and file uploads to identify and mitigate threats early. 

Conclusion: 

The rise of the Banshee malware exemplifies the increasing sophistication of threats targeting macOS. Users and organizations must adopt layered security defenses, maintain vigilance, and prioritize awareness to mitigate the risks of advanced malware like Banshee. By leveraging updated tools and practices, you can safeguard critical systems and data from evolving cyber threats. 

References

Security Advisory

Race Condition Vulnerability in OpenSSH (CVE-2024-6387): PoC Exploit Released  

Race Condition Vulnerability in OpenSSH (CVE-2024-6387): PoC Exploit Released  

OpenSSH is a suite of networking utilities based on the Secure Shell (SSH) protocol. It is extensively used for secure remote login, remote server management and administration, and file transfers via SCP and SFTP. OpenSSH server process ‘sshd’ is affected by a signal handler race condition allowing unauthenticated remote code execution with root privileges on glibc-based Linux systems.

Summary 

Application OpenSSH 
Severity High 
CVSS 8.1 
CVEs CVE-2024-6387 
Exploited in Wild Yes 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

CVE-2024-6387, a high-severity vulnerability in OpenSSH’s server (sshd), has been identified and is currently being exploited in the wild. Known as “regreSSHion,” this flaw involves a sophisticated race condition during the authentication phase, allowing unauthenticated remote attackers to execute arbitrary code with root privileges.

A proof-of-concept (PoC) exploit for this critical vulnerability has been released, further raising concerns. 

The vulnerability affects millions of OpenSSH servers globally, with older versions particularly at risk. Rated with a CVSS score of 8.1, the flaw poses a significant security threat. Over 14 million OpenSSH server instances exposed to the Internet have been identified as potentially vulnerable, with around 700,000 instances facing external internet threats. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Race Condition vulnerability   CVE-2024-6387  OpenSSH (8.5p1–9.8p1)  High  OpenSSH 9.8p2 or later 

Technical Summary 

CVE-2024-6387, also known as “regreSSHion,” is a critical vulnerability in OpenSSH’s server (sshd) caused by a signal handler race condition. This issue arises when the SIGALRM handler, triggered during a failed login attempt exceeding LoginGraceTime, invokes non-async-signal-safe functions like syslog(). The Vulnerability allows unauthenticated remote attackers to execute arbitrary code with root privileges, primarily affecting glibc-based Linux systems.

Exploitation is technically complex but feasible and has been demonstrated in controlled environments on 32-bit systems. OpenBSD systems are unaffected due to their different signal-handling mechanisms. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2024-6387 OpenSSH v8.5p1 through 9.8p1 on glibc-based Linux systems Signal handler race condition in sshd’s SIGALRM, triggered during login timeout (LoginGraceTime). Remote Code Execution (Root Privileges) 

Impact:

This Vulnerability if exploited could lead to complete system takeover.

Remediation

  • Immediate Patch: Upgrade OpenSSH to version 9.8p2 or later, which resolves the issue. 
  • Access Restrictions: Implement firewall rules or TCP wrappers to limit SSH access to trusted IP ranges. 
  • Monitor Activity: Use intrusion detection systems (IDS) to analyze logs for unusual activity, failed login attempts, or exploitation patterns. 

Indicators of Compromise (IOCs): 

IP Address / Hostname File Hash 
209.141.53[.]247 0df799f05c6d97e2b7d4b26c8e7246f7 
108.174.58[.]28 11cc5f00b466d4f9be4e0a46f2eb51ae 
195.85.205[.]47 1f452448cea986aedc88ba50d48691f7 
62.72.191[.]203 207eb58423234306edaecb3ec89935d8 
botbot.ddosvps.cc  

Below are some IOCs associated with the threat. For a complete list of IOCs, refer to the AlienVault Pulse for CVE-2024-6387 

Conclusion: 

The public release of a PoC exploit for CVE-2024-6387 marks a critical moment for organizations relying on OpenSSH. While exploitation requires significant effort, the potential impact of a successful attack—complete system compromise and privilege escalation—is severe.

Swift patching and the adoption of layered security measures are imperative to mitigate the risks. 

Organizations must act promptly to safeguard their systems and monitor for signs of active exploitation. By staying informed and proactive, businesses can minimize the potential fallout from this serious vulnerability. 

References: 

  • https://nvd.nist.gov/vuln/detail/cve-2024-6387 
  • https://www.yorku.ca/uit/2025/01/openssh-remote-code-execution-regresshion-cve-2024-6387/

Security Advisory

Denial of Service Vulnerability in DNS Security Feature of Palo Alto Networks PAN-OS 

Summary 

OEM Palo Alto 
Severity High 
CVSS 8.7 
CVEs CVE-2024-3393 
Exploited in Wild  No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

A Denial-of-Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.  

Vulnerability Name CVE ID Product Affected Severity Affected Version 
(DoS) in DNS Security Using a Specially Crafted Packet CVE-2024-3393   Palo Alto High PAN-OS 11.2 – < 11.2.3* PAN-OS 11.1 – < 11.1.5* PAN-OS 10.2 – >= 10.2.8*, <10.2.14* PAN-OS 10.1 – >= 10.1.14*, <10.1.15* 

Technical Summary 

CVE ID System Affected Vulnerability Details Impact 
CVE-2024-3393   Palo Alto PAN-OS CVE-2024-3393 is a high-severity DoS vulnerability in Palo Alto Networks PAN-OS exists in the DNS Security feature, where malformed DNS packets are improperly parsed and logged. If exploited, this vulnerability enables an unauthenticated attacker to remotely trigger a firewall reboot. Repeated exploitation attempts can cause the firewall to enter maintenance mode. CISA added it to the KEV catalog, with patching required by January 20, 2025.     Dos – Denial-of-Service 

Remediation

  • Update: Ensure that the appropriate patches or updates are applied to the relevant PAN-OS versions as listed below 
PAN-OS Version Fixes and Releases 
PAN-OS 11.1 11.1.2-h16, 11.1.3-h13, 11.1.4-h7, 11.1.5 
PAN-OS 10.2 10.2.8-h19, 10.2.9-h19, 10.2.10-h12, 10.2.11-h10, 10.2.12-h4, 10.2.13-h2, 10.2.14 
PAN-OS 10.1 10.1.14-h8, 10.1.15 
PAN-OS 10.2.9-h19 Only applicable to Prisma Access 
PAN-OS 10.2.10-h12 Only applicable to Prisma Access 
PAN-OS 11.0 No fix (reached end-of-life status on November 17, 2024) 

Recommendations: 

  • Avoid Using EOL Versions: 
  • PAN-OS 11.0 is end-of-life (EOL) as of November 17, 2024. Ensure that you are not using this version and upgrade to be supported versions. 
  • Monitoring & Incident Response: 
  • Regularly monitor firewall logs for unusual behavior, especially DoS triggers. 
  • For Prisma Access Users (Workaround): 
  • Disable DNS Security logging across all NGFWs if patching cannot be applied immediately. This can be done by opening a support case with Palo Alto Networks. 

References: 

Cybersecurity News

Adobe released Security updates Addressing critical ColdFusion vulnerability with (PoC) Exploit code

Adobe released security updates (APSB24-107) addressing an arbitrary file system vulnerability ColdFusion, identified as CVE-2024-53961,  is linked to a path traversal weakness with proof-of-concept (PoC) exploit code.

This could allow attackers to exploit the flaw and gain unauthorized access to arbitrary files on vulnerable servers. 

As per the updates Adobe ColdFusion versions 2023 and 2021 that addressed an arbitrary file proof-of-concept may enable attackers to read arbitrary files on vulnerable servers, potentially leading to unauthorized access and data exposure warns of critical ColdFusion bug with PoC exploit code.

Summary:

“Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read,” Adobe earlier gave statement cautioning customers that it assigned a “Priority 1” severity rating to the flaw because it has a “a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform.”

Key findings:

  • The vulnerability, CVE-2024-53961, affects ColdFusion 2021 and 2023.
  • Adobe has provided a patch to address the issue.
  • The vulnerability can potentially lead to unauthorized access and data exposure
  • The flaw has been given a Priority 1 severity rating, the highest possible level, due to its potential for exploitation in the wild.
  • Adobe has highlighted the critical nature of these updates and classified the vulnerability with a CVSS base score of 7.4, signifying a threat to the security of affected systems. 

Adobe has issued advisory

  • Monitor systems for any signs of exploitation.
  • Adobe has provided a patch to address the vulnerability remediation to mitigate the risk of exploitation.
  • Consider implementing file system monitoring and logging to detect and prevent unauthorized file access.

Path traversal weakness in ColdFusion; CVE-2024-53961

What is Path Traversal?

Hackers uses a tactics by Tricking a web application into displaying the contents of a directory that was not on request by user to gain access to sensitive files on a server.

The path traversal weakness in ColdFusion could be exploited by an attacker to perform unauthorized file system reads on affected servers.

This means that an attacker could manipulate file paths to access sensitive files that are otherwise restricted. This kind of vulnerability can lead to exposure of critical system information, unauthorized access and data exposure.

Reference: https://www.bleepingcomputer.com/news/security/adobe-warns-of-critical-coldfusion-bug-with-poc-exploit-code/

Scroll to top