Calendar week 43 – WafdogBlog (http://192.168.11.11), feed generated Fri, 29 Mar 2024 12:35:56 +0000

VMware Tools vulnerability enables privilege escalation
http://192.168.11.11/vmware-tools-schwachstelle-ermoglicht-berechtigungseskalation/ (Tue, 07 Nov 2023 15:55:40 +0000)
Two high-severity vulnerabilities have been identified in VMware Tools and assigned CVE-2023-34057 and CVE-2023-34058. They concern local privilege escalation and a SAML token signature bypass, respectively.

They carry CVSSv3 base scores of 7.8 (High) for CVE-2023-34057 and 7.5 (High) for CVE-2023-34058. CVE-2023-34057 affects VMware Tools on macOS, CVE-2023-34058 affects VMware Tools on Windows (see the table below). VMware has addressed both issues by releasing fixed versions and publishing a security advisory.

CVE-2023-34057: Local privilege escalation. This vulnerability allows a malicious actor with local user privileges inside a guest virtual machine to gain elevated privileges within that virtual machine. Its severity is rated 7.8 (High).

CVE-2023-34058: SAML token signature bypass. To exploit this vulnerability, a threat actor must hold "Guest Operation Privileges" in vSphere; these privileges control the ability to interact with files and programs inside the guest operating system of a virtual machine. With them, an attacker can exploit the flaw against a targeted virtual machine and elevate privileges if that virtual machine has a more privileged Guest Alias configured. The severity rating is 7.5 (High).

Product      | Version                | Running On | CVE Identifier | CVSSv3 | Severity  | Fixed Version | Workarounds | Additional Documentation
VMware Tools | 12.x.x, 11.x.x, 10.3.x | macOS      | CVE-2023-34057 | 7.8    | Important | 12.1.1        | None        | None
VMware Tools | 12.x.x, 11.x.x, 10.3.x | Windows    | CVE-2023-34057 | N/A    | N/A       | Unaffected    | N/A         | N/A
VMware Tools | 12.x.x, 11.x.x, 10.3.x | macOS      | CVE-2023-34058 | N/A    | N/A       | Unaffected    | N/A         | N/A
VMware Tools | 12.x.x, 11.x.x, 10.3.x | Windows    | CVE-2023-34058 | 7.5    | Important | 12.3.5        | None        | None

Users of these products are strongly advised to update to the fixed versions listed above to minimize the risk of exploitation.
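The fixed versions in the table are easy to misread when a fleet runs several VMware Tools branches (a macOS guest on 12.1.0 is vulnerable, a Windows guest on 12.3.0 is vulnerable, a macOS guest on 12.3.0 is not). The following script, an added example that is not part of the original post or of any VMware tooling, encodes the table rows above and evaluates the version string that `vmware-toolbox-cmd -v` prints inside a guest. The sample version strings and build numbers are constructed placeholders; Linux/open-vm-tools is deliberately reported as "not covered by table" because the table on this page does not list it.

```python
import re

# Fixed versions taken from the advisory table above, keyed by (CVE, guest OS).
# Only the two platforms the table lists are encoded; anything else is reported as not covered.
FIXED_VERSIONS = {
    ("CVE-2023-34057", "macos"): (12, 1, 1),
    ("CVE-2023-34058", "windows"): (12, 3, 5),
}
# Affected branches per the table: 12.x.x, 11.x.x and 10.3.x.
AFFECTED_BRANCHES = ((12,), (11,), (10, 3))


def parse_tools_version(output):
    """Extract the numeric version from 'vmware-toolbox-cmd -v' output.

    Typical output looks like '12.3.0.NNNNN (build-NNNNNNNN)'; the build suffix is dropped.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)+)", output)
    if not m:
        raise ValueError("unrecognised VMware Tools version string: %r" % output)
    return tuple(int(part) for part in m.group(1).split("."))


def in_affected_branch(version):
    """True if the version falls into one of the branches the advisory lists."""
    return any(version[:len(branch)] == branch for branch in AFFECTED_BRANCHES)


def assess(output, guest_os):
    """Return {CVE: verdict} for one guest, where verdict is
    'vulnerable', 'fixed', 'unaffected', 'out of scope' or 'not covered by table'."""
    version = parse_tools_version(output)
    guest_os = guest_os.lower()
    known_platforms = {platform for _, platform in FIXED_VERSIONS}
    if guest_os not in known_platforms:
        # e.g. Linux: the table on this page says nothing about it, so do not guess.
        return {cve: "not covered by table" for cve, _ in FIXED_VERSIONS}
    findings = {}
    for (cve, platform), fixed in FIXED_VERSIONS.items():
        if platform != guest_os:
            findings[cve] = "unaffected"        # the table marks the other platform unaffected
        elif not in_affected_branch(version):
            findings[cve] = "out of scope"      # version branch not listed in the advisory
        elif version[:3] >= fixed:
            findings[cve] = "fixed"
        else:
            findings[cve] = "vulnerable"        # listed branch, below the fixed version
    return findings


if __name__ == "__main__":
    # Constructed sample outputs; the build numbers are placeholders, not real builds.
    samples = (
        ("12.3.0.1 (build-1)", "Windows"),   # Windows below 12.3.5 -> CVE-2023-34058 vulnerable
        ("12.1.1.1 (build-1)", "macOS"),     # macOS at 12.1.1 -> CVE-2023-34057 fixed
        ("11.3.5.1 (build-1)", "macOS"),     # 11.x branch -> needs upgrade to 12.1.1 or later
    )
    for output, os_name in samples:
        print(os_name, output, assess(output, os_name))
```

Run it on the output of `vmware-toolbox-cmd -v` collected from each guest (for example via your configuration management inventory) and treat any "vulnerable" verdict as an upgrade ticket; a "fixed" verdict only says the version is at or above the table's fixed version, not that the build was actually installed correctly.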


Backdoor Implanted on Hacked Cisco Devices
http://192.168.11.11/backdoor-auf-gehackten-cisco-geraten-implatiert/ (Tue, 07 Nov 2023 15:54:08 +0000)
The threat actor that compromised Cisco devices by exploiting two zero-day vulnerabilities in the IOS XE software has modified its backdoor, making it harder to detect with the fingerprinting techniques used so far.

Examination of network traffic to a compromised device revealed that the threat actor updated the implant to add an extra header check. As a result, the implant remains active on many devices but now only responds if the correct Authorization HTTP header is set.

These attacks involve the use of CVE-2023-20198 (CVSS score: 10.0) and CVE-2023-20273 (CVSS score: 7.2) to create an exploit chain that allows the threat actor to access the devices, create privileged accounts, and deploy a Lua-based implant on the devices.

Cisco has begun releasing security updates for these issues; further updates are planned, without a published date.

The identity of the threat actor behind this campaign remains unknown, but data shared by VulnCheck and the attack surface management company Censys suggests that tens of thousands of devices are affected. The infections appear to be widespread, and experts suspect the attackers may still be assessing the value of the compromised data.

In recent days there has been a significant drop in the number of compromised devices, from around 40,000 to just a few hundred. Speculation suggests that the threat actor may have made modifications to disguise the presence of the implant.

The modifications to the implant discovered by Fox-IT explain this sudden drop and show that over 37,000 devices are still compromised.

Cisco has acknowledged the change in behavior and published a curl command for verifying whether the implant is present.

“If the request returns a hexadecimal string such as 0123456789abcdef01, the implant is present,” Cisco noted.

Adding header validation to the implant is seen as a defensive measure by the attackers to evade detection of compromised systems; it has significantly reduced the visibility of infected systems on the public internet.
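The practical consequence of the header check is that a scanner must send the probe twice: once without any header (which the original implant answered) and once with the Authorization header the updated implant expects. The script below is an added example written for this page, not Cisco's or Fox-IT's code. It reproduces the logic of Cisco's published check in Python: the probe path `/webui/logoutconfirm.html?logon_hash=1` is the one from Cisco Talos's curl command, while the header value is deliberately left as a parameter that the operator copies from Cisco's advisory (the `"<value-from-cisco-advisory>"` placeholder is not a real value). Following Cisco's note quoted above, a response is treated as an implant answer when its body consists of nothing but a hexadecimal string.

```python
import http.client
import re
import ssl

# Probe path from Cisco Talos's published curl check for the IOS XE web UI implant.
IMPLANT_PATH = "/webui/logoutconfirm.html?logon_hash=1"

# Cisco's example response is '0123456789abcdef01': a bare hex string and nothing else.
HEX_BODY = re.compile(r"[0-9a-f]{16,}")


def implant_present(body):
    """Return True if the response body is nothing but a hexadecimal string."""
    return HEX_BODY.fullmatch(body.strip().lower()) is not None


def probe(host, auth_header=None, timeout=5.0):
    """POST the probe and return (status, body). Certificate checks are disabled
    because the IOS XE web UI normally has a self-signed certificate (curl -k)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    headers = {"Authorization": auth_header} if auth_header else {}
    conn = http.client.HTTPSConnection(host, timeout=timeout, context=ctx)
    try:
        conn.request("POST", IMPLANT_PATH, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


def check_device(host, auth_header):
    """Run both probe variants. None means the probe could not be completed."""
    results = {}
    for label, hdr in (("no-header", None), ("with-header", auth_header)):
        try:
            _, body = probe(host, hdr)
            results[label] = implant_present(body)
        except OSError:
            results[label] = None      # unreachable, refused or timed out
    return results


def interpret(results):
    """Turn the two probe outcomes into a verdict for the operator."""
    if results["no-header"]:
        return "implant present (original variant, answers without header)"
    if results["with-header"]:
        return "implant present (updated variant, requires Authorization header)"
    if None in results.values():
        return "inconclusive (device unreachable or timed out)"
    return "no implant response observed"


if __name__ == "__main__":
    import sys
    device = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"   # RFC 5737 placeholder address
    header_value = "<value-from-cisco-advisory>"                   # placeholder, not the real value
    print(device, interpret(check_device(device, header_value)))
```

"No implant response observed" is not proof of a clean device: the implant is non-persistent and a reboot removes it, while the level-15 accounts created through CVE-2023-20198 remain. Treat the probe as one signal and still review the running configuration for unknown privileged users and disable the HTTP server feature as Cisco recommends.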


PoC exploits for Citrix and VMware vulnerability published
http://192.168.11.11/poc-exploits-fur-critix-und-vmware-schwachstelle-veroffentlicht/ (Tue, 07 Nov 2023 15:51:05 +0000)
VMware, a provider of virtualization software, has notified its customers that a proof-of-concept (PoC) exploit exists for a recently patched vulnerability in Aria Operations for Logs. The high-severity flaw, CVE-2023-34051 (CVSS score 8.1), is an authentication bypass that can lead to remote code execution. According to the advisory VMware published on October 19, 2023, an unauthenticated attacker can inject files into the operating system of an affected appliance, resulting in remote code execution. The vulnerability was reported by James Horseman of Horizon3.ai and the Randori Attack Team.

Horizon3.ai subsequently published the PoC for this vulnerability, which prompted VMware to update its advisory. It is worth noting that CVE-2023-34051 is a bypass of the fix for a group of critical vulnerabilities VMware had already patched in January, which likewise exposed users to remote code execution. James Horseman stressed the importance of defense in depth and pointed out that a vendor patch cannot always fully mitigate a vulnerability.

In a related development, Citrix has issued a security alert urging customers to install updates for CVE-2023-4966, a critical vulnerability affecting NetScaler ADC and NetScaler Gateway. This vulnerability has a CVSS score of 9.4 and is being actively exploited.


DDoS attack exploits HTTP/2 Rapid Reset vulnerability
http://192.168.11.11/ddos-angriff-nutzt-http-2-rapid-reset-schwachstelle-aus/ (Tue, 07 Nov 2023 15:41:22 +0000)
Cloudflare announced Thursday that it has successfully mitigated thousands of high-volume HTTP distributed denial-of-service (DDoS) attacks that exploited a recently disclosed vulnerability called HTTP/2 Rapid Reset. Among these attacks, 89 exceeded the 100 million requests per second (RPS) mark.

In a report shared with The Hacker News, the web infrastructure and security company stated, “The campaign contributed to an overall 65% increase in HTTP DDoS attack traffic in the third quarter compared to the previous quarter. Similarly, L3/4 DDoS attacks increased by 14%.”

During the quarter, the total number of HTTP DDoS attack requests increased to 8.9 trillion, compared to 5.4 trillion in Q2 2023 and 4.7 trillion in Q1 2023. In Q4 2022, the number of attack requests was 6.5 trillion.

The vulnerability in question, HTTP/2 Rapid Reset (CVE-2023-44487), was publicly disclosed in October in a coordinated industry-wide release. That release described DDoS attacks by an unknown actor who exploited the flaw against several providers, including Amazon Web Services (AWS), Cloudflare and Google Cloud.

Fastly reported in its own release on Wednesday that it had mitigated a similar attack that reached about 250 million RPS and lasted about three minutes.

Cloudflare also noted, "Botnets utilizing cloud computing platforms and exploiting HTTP/2 can generate up to 5,000x more power per botnet node. This allows them to perform hyper-volumetric DDoS attacks with a small botnet of 5-20,000 nodes alone."
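The amplification Cloudflare describes comes from the protocol itself: an HTTP/2 client opens a stream with a HEADERS frame and cancels it with RST_STREAM a moment later, which costs the client two small frames while the server has already started the expensive work of handling the request, and a cancelled stream no longer counts against the per-connection concurrency limit, so the client can keep opening new ones. The guard below is an added example for this page, not code from Cloudflare, Fastly or any HTTP/2 implementation. It models the mitigation the affected vendors converged on: count streams a client resets before the server has answered, and close the connection (GOAWAY) once that count exceeds a rate limit. The frame names, the stream-event interface and the sample client behaviours are all constructed for the model; the threshold values are illustrative.

```python
from collections import deque

# Event names for the model; a real server would see these as HTTP/2 frame types.
HEADERS, RST_STREAM, RESPONSE = "HEADERS", "RST_STREAM", "RESPONSE_SENT"


class RapidResetGuard:
    """Per-connection rate limit on streams the client cancels before being answered.

    Legitimate clients do cancel requests (a user navigates away), so a single reset
    is fine; what characterises Rapid Reset is the rate of open-then-reset per connection.
    """

    def __init__(self, max_cancels=100, window_s=1.0):
        self.max_cancels = max_cancels   # illustrative threshold, tune per deployment
        self.window_s = window_s
        self._open = {}                  # conn -> set of stream ids still awaiting a response
        self._cancels = {}               # conn -> timestamps of recent premature cancels

    def observe(self, conn, frame, stream_id, ts):
        """Feed one stream event; returns 'OK' or 'GOAWAY' (abort this connection)."""
        open_streams = self._open.setdefault(conn, set())
        cancels = self._cancels.setdefault(conn, deque())
        if frame == HEADERS:
            open_streams.add(stream_id)
        elif frame == RESPONSE:
            open_streams.discard(stream_id)          # answered: a later reset is harmless
        elif frame == RST_STREAM and stream_id in open_streams:
            open_streams.discard(stream_id)          # cancelled before we answered
            cancels.append(ts)
            while cancels and ts - cancels[0] > self.window_s:
                cancels.popleft()                    # slide the window
            if len(cancels) > self.max_cancels:
                return "GOAWAY"                      # e.g. with ENHANCE_YOUR_CALM
        return "OK"


def simulate_rapid_reset(guard, conn, n_streams, ts=0.0):
    """Attacker pattern: open a stream and reset it immediately, n_streams times.
    Returns how many streams the attacker got in before the connection was cut."""
    for i in range(n_streams):
        sid = 2 * i + 1                              # client-initiated stream ids are odd
        guard.observe(conn, HEADERS, sid, ts)
        if guard.observe(conn, RST_STREAM, sid, ts) == "GOAWAY":
            return i + 1
    return n_streams


def simulate_legit(guard, conn, n_requests, cancel_every=10, rate_per_s=100.0):
    """Normal client: requests are answered, one in cancel_every is cancelled early.
    Returns 'GOAWAY' if the guard ever cut the connection, else 'OK'."""
    worst = "OK"
    for i in range(n_requests):
        ts = i / rate_per_s
        sid = 2 * i + 1
        guard.observe(conn, HEADERS, sid, ts)
        frame = RST_STREAM if i % cancel_every == 0 else RESPONSE
        if guard.observe(conn, frame, sid, ts) == "GOAWAY":
            worst = "GOAWAY"
    return worst


if __name__ == "__main__":
    guard = RapidResetGuard(max_cancels=50, window_s=1.0)
    print("attacker cut off after", simulate_rapid_reset(guard, "attacker", 10_000), "streams")
    print("legitimate client:", simulate_legit(RapidResetGuard(max_cancels=50), "browser", 1_000))
```

The two simulations show the trade-off a real limit has to strike: the attacker is cut off after a fixed number of resets regardless of how many streams it tries to open, while a client that cancels a modest fraction of its requests over time never reaches the threshold. Production servers (Go's net/http, nginx, Envoy, HAProxy) exposed exactly this kind of knob in their patched releases, so the practical fix is to upgrade and then verify the limit is actually enabled, not to tune a homegrown counter.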

The most targeted industries in HTTP DDoS attacks were gaming, IT, cryptocurrency, computer software and telecommunications. The United States, China, Brazil, Germany and Indonesia were identified as the main sources of application layer (L7) attacks.

On the receiving end of HTTP DDoS attacks, the main targets were the United States, Singapore, China, Vietnam and Canada.

In addition, Cloudflare reported that DNS-based DDoS attacks were the most prevalent for the second consecutive quarter, accounting for nearly 47% of all attacks, an increase of 44% from the previous quarter. SYN floods ranked second, followed by RST floods, UDP floods and Mirai attacks.

One notable change was the decrease in ransom DDoS (RDDoS) attacks, which Cloudflare attributed to attackers realizing that organizations were less likely to pay.

The report also covers fluctuations in internet traffic and a rise in DDoS attacks following the outbreak of the Israel-Hamas conflict, during which Cloudflare defended against several attempted attacks on Israeli and Palestinian websites.


USB stick with lost millions of euros now crackable
http://192.168.11.11/usb-stick-mit-verlorenen-millionen-euro-nun-knackbar/ (Tue, 07 Nov 2023 15:37:25 +0000)
The crypto-recovery firm Unciphered claims to have found a way to unlock the encrypted IronKey USB drive on which German programmer Stefan Thomas lost access to 7,002 Bitcoins (BTC), currently worth over 200 million euros. According to Wired, however, Thomas has shown little willingness to cooperate and appears unwilling to hand over the drive.

The story of Stefan Thomas is well known in the crypto community. The San Francisco-based crypto entrepreneur owns an IronKey encrypted USB drive from 2011. He lost the password required to unlock it and with it access to a wallet holding 7,002 BTC, which he had received for producing a YouTube video titled "What is Bitcoin?".

In 2011 the price of a single Bitcoin had only just passed the 1 US dollar mark, so the drive's contents were of little value at the time. Today one Bitcoin is worth around 32,000 euros, which puts the value of Thomas' IronKey at around 224 million euros, assuming his account of its contents is accurate.

Thomas has still not regained access to the drive. He says he has already used eight of the ten password attempts the IronKey allows. Two more incorrect attempts would trigger the irreversible wiping of the drive's contents and lock him out of his Bitcoins for good.

Unciphered says it has developed an undisclosed technique for cracking IronKey passwords. In essence, it allows an unlimited number of password attempts without the data being erased, so that given enough time and computing power the password can be found by brute force.

In one test, Unciphered reportedly needed around 200 trillion attempts on a powerful machine to crack a three-word passphrase, which it managed within a day. Thomas has nevertheless declined to work with the firm so far.

Asked by Wired, the German programmer explained that he had already engaged other experts to recover the drive, which left him "not free" to negotiate with new parties. Thomas appears determined to give the two teams he previously hired more time to crack the IronKey, although they seem to have made little progress.

The vulnerabilities Unciphered exploits to bypass the IronKey's lockout are being kept secret. They are considered too dangerous to publish, since the affected drives are too old to receive a firmware update and many of them may still be in use for storing sensitive information. Nick Fedoroff, Director of Operations at Unciphered, warned that a leak would have far wider implications for national security than the loss of one crypto wallet.
