Vulnerability in Nessus Enables Arbitrary Malicious Code Execution, Patch Now
Tenable has released Nessus Agent 11.1.3 to address this issues
Continue ReadingRemediation
Zero-Day Vulnerability in Microsoft Sysinternals Tools
Summary
A critical 0-Day vulnerability has been identified in nearly all Microsoft Sysinternals tools, allowing attackers to exploit DLL injection techniques to execute arbitrary code. This presents a significant risk to IT administrators and developers who rely on these utilities for system analysis and troubleshooting.
| OEM | Microsoft |
| Severity | High |
| Date of Announcement | 2025-02-05 |
| CVEs | Not Yet Assigned |
| Exploited in Wild | No |
| Patch/Remediation Available | No |
| Advisory Version | 1.0 |
| Vulnerability Name | Zero-Day |
Overview
Despite being reported to Microsoft over 90 days ago, the vulnerability remains unpatched, as Microsoft considers it a “defense-in-depth” issue rather than a critical security flaw.
| Vulnerability Name | CVE ID | Product Affected | Severity | Impact |
| zero-day | Not Yet Assigned | Microsoft Sysinternals Tools (Process Explorer, Autoruns, Bginfo, and potentially others) | High | Arbitrary Code Execution, Privilege Escalation, Malware Deployment |
Technical Summary
The vulnerability is caused by improper handling of DLL loading paths in affected Sysinternals utilities. When these tools search for required DLLs, they follow a specific search order, which may include untrusted locations such as network shares or user-writable directories.
The issue arises from how Sysinternals tools prioritize DLL search paths, favoring untrusted directories such as:
- The Current Working Directory (CWD)
- Network locations (e.g., shared drives)
- User-writable paths over secure system directories
This flaw allows attackers to place a malicious DLL in the same directory as a Sysinternals executable, tricking the application into loading the rogue DLL instead of the legitimate system DLL.
Exploit Workflow
- Attacker crafts a malicious DLL (e.g., cryptbase.dll or TextShaping.dll) containing a payload such as a reverse shell, ransomware, or trojan.
- The DLL is placed in the same directory as a vulnerable Sysinternals tool.
- The user unknowingly executes the tool (e.g., Bginfo.exe or procexp.exe) from that directory.
- The malicious DLL is loaded instead of the legitimate system DLL.
- Attackers gains code execution with the privileges of the running process (potentially SYSTEM privileges if run with admin rights).
Recommendations
- Avoid Running Sysinternals Tools from Network Locations
- Always copy tools to a local trusted directory before execution.
- Disable execution of .exe files from network drives if feasible.
- Restrict DLL Search Paths
- Use SafeDLLSearchMode to prioritize secure directories.
- Implement DLL redirection to force tools to load DLLs from trusted paths.
- Implement Application Control Policies
- Use AppLocker or Windows Defender Application Control (WDAC) to block unauthorized DLLs from loading.
- Restrict execution of Sysinternals tools to trusted admin-only directories.
- Verify DLL Integrity Before Execution
- Use SigCheck (Sysinternals) to ensure all loaded DLLs are digitally signed.
- Block execution of unsigned or suspicious DLLs in sensitive directories.
- Monitor for Suspicious DLL Loading Behavior
- Enable Sysmon logging to detect anomalous DLL loads (Event ID 7).
- Monitor for executions of Sysinternals tools from network shares (Event ID 4688).
Conclusion
Despite being responsibly disclosed to Microsoft in October 2024, the vulnerability in Sysinternals tools remains unpatched as of February 2025. Microsoft classifies it as a “defense-in-depth” issue, dismissing it as non-critical, while security researchers highlight its severe impact on enterprises, especially those running tools from network shares. This leaves users reliant on manual mitigations to avoid exploitation.
The Sysinternals tools, developed by Microsoft, are a widely-utilized suite of utilities designed to provide in-depth insights into the processes, services, and configurations of Windows systems.
References:
GitLab Releases Patch to Fix Critical and High-Severity Vulnerabilities
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities.
Summary
| OEM | Gitlab |
| Severity | High |
| CVEs | CVE-2024-5655, CVE-2024-6385, CVE-2024-6678, CVE-2024-8970, CVE-2025-0194, CVE-2024-6324, CVE-2024-12431, CVE-2024-13041 |
| Exploited in Wild | No |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
The vulnerabilities could potentially impact unauthorized access, data manipulation, and service disruption. These have been disclosed through GitLab’s HackerOne bug bounty program. Latest Versions 17.7.1, 17.6.3, and 17.5.5 are now available for immediate download and upgrade to address these issues.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| Import Functionality Vulnerabilities | CVE-2024-6385 | GitLab CE/EE | Critical |
| Import Functionality Vulnerabilities | CVE-2024-5655 | GitLab CE/EE | High |
| Import Functionality Vulnerabilities | CVE-2024-6678 | GitLab CE/EE | High |
| Import Functionality Vulnerabilities | CVE-2024-8970 | GitLab CE/EE | High |
| Access Token Exposure in Logs | CVE-2025-0194 | GitLab CE/EE | Medium |
| Cyclic Reference of Epics Leading to DoS | CVE-2024-6324 | GitLab CE/EE | Medium |
| Unauthorized Manipulation of Issue Status | CVE-2024-12431 | GitLab CE/EE | Medium |
| Instance SAML Bypass | CVE-2024-13041 | GitLab CE/EE | Medium |
Technical Summary
This update addresses several significant vulnerabilities identified in GitLab CE/EE:
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2024-6385 | GitLab CE/EE | Vulnerability in import functionality allowing potential exploitation | Allows attackers to exploit the system. |
| CVE-2024-5655 | |||
| CVE-2024-6678 | |||
| CVE-2024-8970 | |||
| CVE-2025-0194 | GitLab CE/EE | Possible exposure of access tokens in logs under certain conditions. | Potential unauthorized access to sensitive resources. |
| CVE-2024-6324 | GitLab CE/EE | Cyclic references between epics could lead to resource exhaustion, causing a Denial of Service (DoS). | Service disruption due to resource exhaustion. |
| CVE-2024-12431 | GitLab CE/EE | Unauthorized users could manipulate issue statuses in public projects, potentially disrupting workflows. | Workflow disruption and compromised data integrity. |
| CVE-2024-13041 | GitLab CE/EE | Flaw in instance SAML configuration allowing bypass of external provider settings. | Unauthorized access to internal projects or groups. |
Key Changes to Import Functionality:
- Post-import mapping: This new feature allows administrators to assign imported contributions and memberships to users after the import process is complete, enhancing control and security.
- Email-independent mapping: The updated mapping process no longer relies on email addresses, providing greater flexibility and security when importing from instances with different email domains.
- User control: Users on the destination instance now have the power to accept or reject assigned contributions, adding another layer of security and preventing unauthorized access.
Remediation:
- Upgrade GitLab Instances: All users are strongly advised to upgrade to versions 17.7.1, 17.6.3, or 17.5.5 immediately to mitigate these vulnerabilities.
- Disable Importers Temporarily: Until upgrades are complete, disable importers to avoid exploitation. If import functionality is essential, enable it only during the import process and disable it afterward.
- Adopt Updated Features: Leverage the new post-import mapping, email-independent mapping, and user control enhancements for increased security.
Conclusion:
The vulnerabilities addressed in this patch release highlight the importance of timely updates and proactive security measures. GitLab’s redesign of its import functionality and the prompt patch release demonstrate a commitment to user security. Upgrading to the latest patched versions and adhering to the recommended actions is critical to maintaining a secure environment.
References:
Image
Race Condition Vulnerability in OpenSSH (CVE-2024-6387): PoC Exploit Released
Race Condition Vulnerability in OpenSSH (CVE-2024-6387): PoC Exploit Released
OpenSSH is a suite of networking utilities based on the Secure Shell (SSH) protocol. It is extensively used for secure remote login, remote server management and administration, and file transfers via SCP and SFTP. OpenSSH server process ‘sshd’ is affected by a signal handler race condition allowing unauthenticated remote code execution with root privileges on glibc-based Linux systems.
Summary
| Application | OpenSSH |
| Severity | High |
| CVSS | 8.1 |
| CVEs | CVE-2024-6387 |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
CVE-2024-6387, a high-severity vulnerability in OpenSSH’s server (sshd), has been identified and is currently being exploited in the wild. Known as “regreSSHion,” this flaw involves a sophisticated race condition during the authentication phase, allowing unauthenticated remote attackers to execute arbitrary code with root privileges.
A proof-of-concept (PoC) exploit for this critical vulnerability has been released, further raising concerns.
The vulnerability affects millions of OpenSSH servers globally, with older versions particularly at risk. Rated with a CVSS score of 8.1, the flaw poses a significant security threat. Over 14 million OpenSSH server instances exposed to the Internet have been identified as potentially vulnerable, with around 700,000 instances facing external internet threats.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Race Condition vulnerability | CVE-2024-6387 | OpenSSH (8.5p1–9.8p1) | High | OpenSSH 9.8p2 or later |
Technical Summary
CVE-2024-6387, also known as “regreSSHion,” is a critical vulnerability in OpenSSH’s server (sshd) caused by a signal handler race condition. This issue arises when the SIGALRM handler, triggered during a failed login attempt exceeding LoginGraceTime, invokes non-async-signal-safe functions like syslog(). The Vulnerability allows unauthenticated remote attackers to execute arbitrary code with root privileges, primarily affecting glibc-based Linux systems.
Exploitation is technically complex but feasible and has been demonstrated in controlled environments on 32-bit systems. OpenBSD systems are unaffected due to their different signal-handling mechanisms.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2024-6387 | OpenSSH v8.5p1 through 9.8p1 on glibc-based Linux systems | Signal handler race condition in sshd’s SIGALRM, triggered during login timeout (LoginGraceTime). | Remote Code Execution (Root Privileges) |
Impact:
This Vulnerability if exploited could lead to complete system takeover.
Remediation:
- Immediate Patch: Upgrade OpenSSH to version 9.8p2 or later, which resolves the issue.
- Access Restrictions: Implement firewall rules or TCP wrappers to limit SSH access to trusted IP ranges.
- Monitor Activity: Use intrusion detection systems (IDS) to analyze logs for unusual activity, failed login attempts, or exploitation patterns.
Indicators of Compromise (IOCs):
| IP Address / Hostname | File Hash |
| 209.141.53[.]247 | 0df799f05c6d97e2b7d4b26c8e7246f7 |
| 108.174.58[.]28 | 11cc5f00b466d4f9be4e0a46f2eb51ae |
| 195.85.205[.]47 | 1f452448cea986aedc88ba50d48691f7 |
| 62.72.191[.]203 | 207eb58423234306edaecb3ec89935d8 |
| botbot.ddosvps.cc |
Below are some IOCs associated with the threat. For a complete list of IOCs, refer to the AlienVault Pulse for CVE-2024-6387
Conclusion:
The public release of a PoC exploit for CVE-2024-6387 marks a critical moment for organizations relying on OpenSSH. While exploitation requires significant effort, the potential impact of a successful attack—complete system compromise and privilege escalation—is severe.
Swift patching and the adoption of layered security measures are imperative to mitigate the risks.
Organizations must act promptly to safeguard their systems and monitor for signs of active exploitation. By staying informed and proactive, businesses can minimize the potential fallout from this serious vulnerability.
References:
- https://nvd.nist.gov/vuln/detail/cve-2024-6387
- https://www.yorku.ca/uit/2025/01/openssh-remote-code-execution-regresshion-cve-2024-6387/
Adobe released Security updates Addressing critical ColdFusion vulnerability with (PoC) Exploit code
Adobe released security updates (APSB24-107) addressing an arbitrary file system vulnerability ColdFusion, identified as CVE-2024-53961, is linked to a path traversal weakness with proof-of-concept (PoC) exploit code.
This could allow attackers to exploit the flaw and gain unauthorized access to arbitrary files on vulnerable servers.
As per the updates Adobe ColdFusion versions 2023 and 2021 that addressed an arbitrary file proof-of-concept may enable attackers to read arbitrary files on vulnerable servers, potentially leading to unauthorized access and data exposure warns of critical ColdFusion bug with PoC exploit code.
Summary:
“Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read,” Adobe earlier gave statement cautioning customers that it assigned a “Priority 1” severity rating to the flaw because it has a “a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform.”
Key findings:
- The vulnerability, CVE-2024-53961, affects ColdFusion 2021 and 2023.
- Adobe has provided a patch to address the issue.
- The vulnerability can potentially lead to unauthorized access and data exposure
- The flaw has been given a Priority 1 severity rating, the highest possible level, due to its potential for exploitation in the wild.
- Adobe has highlighted the critical nature of these updates and classified the vulnerability with a CVSS base score of 7.4, signifying a threat to the security of affected systems.
Adobe has issued advisory
- Monitor systems for any signs of exploitation.
- Adobe has provided a patch to address the vulnerability remediation to mitigate the risk of exploitation.
- Consider implementing file system monitoring and logging to detect and prevent unauthorized file access.
Path traversal weakness in ColdFusion; CVE-2024-53961
What is Path Traversal?
Hackers uses a tactics by Tricking a web application into displaying the contents of a directory that was not on request by user to gain access to sensitive files on a server.
The path traversal weakness in ColdFusion could be exploited by an attacker to perform unauthorized file system reads on affected servers.
This means that an attacker could manipulate file paths to access sensitive files that are otherwise restricted. This kind of vulnerability can lead to exposure of critical system information, unauthorized access and data exposure.
Reference: https://www.bleepingcomputer.com/news/security/adobe-warns-of-critical-coldfusion-bug-with-poc-exploit-code/
Re-release of November 2024 Exchange Server Security Updates
Microsoft users had a tough time to send or load attachments to emails when using Outlook, were unable to connect to the server, and in some cases could not log into their accounts.
Microsoft Exchange Online is a platform for business communication that has a mail server and cloud apps for email, contacts, and calendars.
Microsoft mitigated the issue after identification were able to determine the cause of the outages and is rolling out a fix for the issue. That rollout is gradual, however, as outage reports continue to come in at DownDetector.
Impact
The outage left many users unable to communicate with colleagues, particularly as it coincided with the start of the workday in Europe. Frustration quickly spread across social media, with users reporting issues accessing emails and participating in Teams calls
Re-release of November 2024 Exchange Server Security Updates
Summary
| OEM | Microsoft |
| Severity | High |
| Date of Announcement | 27/11/2024 |
| Product | Microsoft Exchange Server |
| CVE ID | CVE-2024-49040 |
| CVSS Score | 7.5 |
| Exploited in Wild | No |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
On November 27, 2024, Microsoft re-released the November 2024 Security Updates (SUs) for Exchange Server to resolve an issue introduced in the initial release on November 12, 2024. The original update (SUv1) caused Exchange Server transport rules to intermittently stop functioning, particularly in environments using transport or Data Loss Protection (DLP) rules. The updated version (SUv2) addresses this issue.
Table of Actions for Admins:
| Scenario | Action Required |
| SUv1 installed manually, and transport/DLP rules are not used | Install SUv2 to regain control over the X-MS-Exchange-P2FromRegexMatch header. |
| SUv1 installed via Windows/Microsoft Update, no transport/DLP rules used | No immediate action needed; SUv2 will be installed automatically in December 2024. |
| SUv1 installed and then uninstalled due to transport rule issues | Install SUv2 immediately. |
| SUv1 never installed | Install SUv2 immediately. |
Remediation Steps
1. Immediate Actions
- Use the Health Checker script to inventory your Exchange Servers and assess update needs.
- Install the latest Cumulative Update (CU) followed by the November 2024 SUv2.
2. Monitor System Performance
- After enabling AMSI integration for message bodies, monitor for any performance issues such as delays in mail flow or server responsiveness.
3. Run SetupAssist Script for Issues
- Use the SetupAssist script to troubleshoot issues with failed installations or update issues, and check logs for specific error details.
References:
Recent Comments