In The Trend of VM July 2024: 3 CVEs in Windows, Ghostscript, and Acronis Cyber Infrastructure
00:00 Greetings and explanation of what trending vulnerabilities are
00:33 Spoofing in Windows MSHTML Platform (CVE-2024-38112)
❗ CVSS score: 7.5, high danger level
A spoofing vulnerability in the MSHTML Platform, the engine Microsoft Windows uses to process and display HTML pages. It was fixed in the July Microsoft Patch Tuesday. According to Check Point, attackers use specially crafted “.url” files whose icon looks like that of a PDF document. If the user opens the file and clicks through two uninformative warning prompts, a malicious HTA application is launched in the outdated Internet Explorer engine that is still built into Windows; the HTA draws the user interface and runs the malware.
What is an HTA? An HTML Application is a Microsoft Windows application written as an HTML document. It is displayed in a separate window rendered by the Internet Explorer engine, without the familiar browser interface elements (menus, address bar, toolbars and so on). Most dangerously, most Internet Explorer security restrictions do not apply to an HTA: the HTA application (and therefore the attacker) can create, modify and delete files and entries in the Windows registry.
Why does the link open in Internet Explorer? Because of how Windows processes the “mhtml:” prefix in the “.url” file. The July update blocks this.
Check Point researchers found examples of such “.url” files dating back to January 2023. According to Trend Micro, the vulnerability is exploited by the APT group Void Banshee to install the Atlantida Stealer malware and collect passwords, cookies and other sensitive data. Void Banshee adds the malicious “.url” files to archives of PDF books and distributes them through websites, instant messengers and phishing emails.
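As an added example (not code from the video, from Check Point or from Trend Micro), here is a small scanner that parses Windows Internet Shortcut (.url) files and flags the “mhtml:” prefix described above. It assumes the standard INI-style [InternetShortcut] layout of a .url file; the shortcut contents embedded in it are constructed for the demo, and the icon fields are reported only as context because the lures masquerade as PDF documents.

```python
"""Scan Windows Internet Shortcut (.url) files for the "mhtml:" prefix trick.

Added example for this description, not code from the video, Check Point or
Trend Micro. Assumption: a .url file is an INI-style text file with an
[InternetShortcut] section, and a URL= value that begins with "mhtml:" is the
tell-tale that hands the link to the Internet Explorer engine. The sample
shortcut contents at the bottom are constructed, not real-world artefacts.
"""
import sys
from pathlib import Path


def decode_url_file(data: bytes) -> str:
    """Decode a .url file. Most are ASCII/UTF-8; some are written as UTF-16
    with a byte-order mark, which is tried next. Latin-1 never fails and is
    the last resort so that odd bytes do not abort a whole scan."""
    for encoding in ("utf-8-sig", "utf-16"):
        try:
            return data.decode(encoding)
        except UnicodeDecodeError:
            continue
    return data.decode("latin-1")


def parse_url_file(data: bytes) -> dict:
    """Return the key/value pairs of the [InternetShortcut] section with
    lower-cased keys. Other sections, comments and malformed lines are ignored."""
    fields = {}
    section = None
    for raw in decode_url_file(data).splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def analyse(fields: dict) -> dict:
    """Judge one parsed shortcut. The hard signal is the "mhtml:" prefix
    (matched case-insensitively); IconFile/IconIndex are kept as context."""
    url = fields.get("url", "")
    reasons = []
    if url.lower().startswith("mhtml:"):
        reasons.append('URL= starts with "mhtml:" (opens in the Internet Explorer engine)')
    return {
        "url": url,
        "icon": f'{fields.get("iconfile", "")},{fields.get("iconindex", "")}',
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def scan_directory(root: Path) -> list:
    """Recursively scan a tree (for example an extracted archive of 'PDF books')
    and return the analysis of every .url file found, case-insensitive suffix."""
    results = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() == ".url":
            result = analyse(parse_url_file(path.read_bytes()))
            result["path"] = str(path)
            results.append(result)
    return results


# Constructed samples: a benign shortcut and one using the mhtml: prefix.
BENIGN_URL_FILE = b"[InternetShortcut]\r\nURL=https://example.invalid/catalogue.pdf\r\n"
LURE_URL_FILE = (
    b"[InternetShortcut]\r\n"
    b"URL=MHTML:https://example.invalid/books/chapter1.pdf\r\n"
    b"IconFile=C:\\books\\chapter1.pdf\r\n"
    b"IconIndex=0\r\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python scan_url.py <directory>
        for r in scan_directory(Path(sys.argv[1])):
            flag = "SUSPICIOUS" if r["suspicious"] else "ok"
            print(f'{flag:10} {r["path"]}  URL={r["url"]}  icon={r["icon"]}')
    else:
        for sample in (BENIGN_URL_FILE, LURE_URL_FILE):
            print(analyse(parse_url_file(sample)))
```

Point it at an extracted archive to triage every shortcut inside; a hit only tells you the file forces the Internet Explorer engine, so the URL it points to still has to be examined.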
02:23 Arbitrary Code Execution in Artifex Ghostscript (CVE-2024-29510)
❗ CVSS score: 6.3, medium danger level
Arbitrary code execution vulnerability in Artifex Ghostscript. Memory corruption lets an attacker bypass the SAFER sandbox and execute arbitrary code. Ghostscript is an interpreter for PostScript and PDF documents. It is embedded in or called by a wide range of software, for example ImageMagick, LibreOffice, GIMP, Inkscape, Scribus and CUPS, and it is available for many operating systems. It is difficult to say exactly how widespread it is, but it is clearly VERY widespread: thanks to CUPS it ships with almost every Linux distribution and is often installed by default. Linux machines alone number in the billions, and the exposure is not limited to Linux. This is a very large-scale problem.
• The Ghostscript release that fixes the vulnerability came out on May 2.
• Two months later, on July 2, Codean Labs published a detailed analysis of the vulnerability together with a PoC. In their video demonstration they launch the calculator by opening a crafted .ps file with the ghostscript utility, or a crafted .odt file in LibreOffice.
• On July 10 a working exploit appeared on GitHub, and on July 19 a Metasploit module followed.
According to Security Affairs and some other sites, the vulnerability is being exploited in the wild. But they all refer to a single microblog post from a developer in Portland. I think more reliable evidence of exploitation in attacks will appear soon.
03:55 Arbitrary Code Execution in Acronis Cyber Infrastructure (CVE-2023-45249)
❗ CVSS score: 9.8, critical danger level
Arbitrary code execution vulnerability in the Acronis Cyber Infrastructure hyperconverged platform. Because of the default passwords in use, a remote unauthenticated attacker can gain access to an Acronis Cyber Infrastructure (ACI) server and execute arbitrary code on it. ACI is a hyperconverged platform providing storage, backup, compute, virtualization and networking functions.
• The patches that fix this vulnerability were released on October 30, 2023.
• About nine months later, on July 24, 2024, Acronis noted in its bulletin that the vulnerability showed signs of exploitation in the wild; the goal of the exploitation was to install a cryptominer. On July 29 the vulnerability was added to CISA KEV.
A number of sources report 20,000 service providers using ACI. I have not found any evidence for this figure; there may be confusion with Acronis Cyber Protect. Still, there are probably quite a few large companies using ACI. If you work for one of them, be sure to pay attention.
Subscribe to the avleonovcom Telegram channel “Vulnerability Management and more“! All links are there! #TrendVulns #PositiveTechnologies #Microsoft #Windows #InternetExplorer #Ghostscript #Artifex #CodeanLabs #Metasploit #Acronis #ACI