Security Boulevard

Vienna, Austria, 11th December 2024, CyberNewsWire

The post DMD Diamond Launches Open Beta for v4 Blockchain Ahead of 2025 Mainnet appeared first on Security Boulevard.

Recent guidance from CISA and the FBI highlights best practices to monitor and harden network infrastructure. The guidance, published in response to high-profile attacks on telecom infrastructure, is applicable to a wider audience. This blog unpacks important points and explains how Tenable products can help with compliance scans.

In November, the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released a joint statement concerning an investigation into cyberattacks on commercial telecommunications infrastructure. The ongoing investigation centers on threat actors believed to be affiliated with the People’s Republic of China (PRC) government. In response to the cyberattacks, U.S. and international government agencies, including CISA and the FBI, authored joint guidance to help network defenders improve network visibility and security. This guidance highlights the importance of monitoring and alerting, but also provides specific ways to strengthen cybersecurity with increased configuration management and strong identity hygiene. 

What’s this all about?

The U.S. government has been monitoring PRC-sponsored groups such as Volt Typhoon and Salt Typhoon because it suspects they may be preparing for a large-scale disruption of U.S. critical infrastructure. A press release from mobile telecom provider T-Mobile highlights the activity that it has identified, the controls that it had in place to help prevent a greater threat, as well as how it is collaborating with the authorities’ investigation. According to U.S. government officials, at least eight telecommunications companies have been targeted so far but there may be more. 

The new guidance can help prevent these attacks, whose main goal is to reportedly carry out cyber espionage activities on behalf of the Chinese government by, among other things, stealing customer call-records data. The guidelines pair well with recommendations in Center for Internet Security (CIS) Benchmarks for specific network devices. CIS Benchmarks are written and maintained by industry professionals with the goal of simplifying the implementation of security controls to help mitigate risk. By using CIS Benchmarks, network and security engineers can identify and harden configurations, and establish a more secure posture as suggested by the guidance.

We’ll be taking a closer look at the specific sections in the recent guidance and highlight CIS Benchmark recommendations that align with these objectives.

Strengthening visibility

This section highlights monitoring and alerting best practices. It breaks these guidelines into two sets of tasks: one for network engineers and another one for network defenders. However, the common goal is to help them find and trigger alerts on misconfigurations, changes and user account activity. One key recommendation is to use an independent and centralized log-storage environment, and if possible, a security information and event management (SIEM) solution built specifically to analyze the logs to produce alerts. 

Alerting should be focused on configuration changes; configurations that don’t meet specific criteria; and open ports or enabled services. In addition, devices that accept traffic from outside of the network (external facing) should be reviewed to ensure that only necessary services are accessible to and from the internet.

Examples of centralized logging criteria can be found in CIS Benchmarks for Cisco, Fortinet, Juniper Networks and Palo Alto Networks devices:

• Cisco: “Ensure Syslog Logging is configured”
• Fortigate: “Centralized Logging and Reporting”
• Juniper: “Ensure logging data is monitored”
• Palo Alto: “Syslog logging should be configured”

This section also focuses on monitoring user- and service-account logins to ensure that anomalous login activity is detected and prevented. Unused accounts should be disabled whenever possible. Some examples of this criteria can be found in CIS Benchmarks for Check Point Software and Palo Alto Networks devices:

• Check Point: “Ensure Deny access to unused accounts is selected”
• Palo Alto: “Ensure that the User-ID service account does not have interactive logon rights”

Hardening systems and devices

This section aims to help reduce risk by limiting access to the network and network devices; ensuring that communication is encrypted and secure; and providing more direct guidance with regards to Cisco-based devices. This section includes recommendations regarding access control and network segmentation, provides specific protocol guidelines (such as using only SNMPv3 when SNMP is necessary), and details what is considered to be “strong” encryption. 

First, network segmentation helps to limit movement across the network and to make it easier to inspect inbound and outbound traffic. It also helps to maintain a DMZ to contain the services that must face externally (towards the internet) and prevent direct access to backend resources and networks. Segmentation also involves creating and using VLANs, and the recommendation is that these VLANs should be used to group together devices of a similar nature, which is common in most networks. In addition to segmenting the network, the authoring agencies also recommend adopting Transport Layer Security-everywhere using strong algorithms. These guidelines can help keep threat actors out of corporate networks, as well as ensure that these actors are limited in what they can do and/or see if they manage to penetrate the outermost defenses. 

Another component of segmentation is initializing a default-deny access-control list (ACL), which can be done at the firewall level. This is important for all traffic types, but especially so when isolating management traffic for network devices. Most physical network devices, such as routers and switches, have dedicated ports for management traffic that can be attached to a physically segmented network in order to limit administrative access. Further controls on lateral movement are also recommended for the management network, and it is advisable to not manage devices directly from the internet. Some examples of segmentation and ACL firewall configurations can be found in CIS Benchmarks for Cisco, Juniper Networks, and Palo Alto Networks products.

• Cisco: “Restrict Access to VTY Sessions” and “Ensure explicit deny in access lists is configured correctly”
• Juniper: “Ensure firewall filters contain explicit deny and log term”
• Palo Alto: “Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone”

The guidance further identifies numerous insecure protocols and services and notes that they should be disabled. These include FTP, TFTP, SSHv1, HTTP, and SNMP v1/v2. Additionally, any network protocols or services in use should require authentication when available, including routing protocols. Meanwhile, you should use SNMP Version 3 with encryption and authentication. Having centralized authentication, authorization, and accounting (AAA) logging is emphasized here, in addition to prior mentions of syslog configuration. Examples of identifying and disabling protocols can be found in several CIS Benchmarks for Cisco, Fortinet, Juniper Networks, and Palo Alto Networks products:

• Cisco: “Set version 2 for 'ip ssh version'”
• Fortigate: “Disable all management related services on WAN port” and “Ensure only SNMPv3 is enabled”
• Juniper: “Ensure Web-Management is not Set to HTTP”
• Palo Alto: “Ensure HTTP and Telnet options are disabled for the management interface”

This section highlights specific criteria for Cisco devices. Disabling the Smart Install and Guest Shell features is recommended, as is disabling Telnet in favor of SSH. Specific commands are also provided to disable HTTP-only access so that device management is performed over HTTPS instead. If UI access is not necessary, the secure service should also be disabled. The specific password type recommended is type-8 when possible, and type-6 encryption for securing the Terminal Access Controller Access-Control System + (TACACS+) key. The document also links to the hardening guide for Cisco IOS XE and a guide for securing NX-OS devices.

Secure by design

The secure-by-design concept helps introduce the security conversation earlier in the development lifecycle. This approach helps ensure that security considerations are addressed at the beginning of the product lifecycle. Customers should make sure that products they plan to buy adhere to this principle. CISA has more information on its “Secure by Design” site. Tenable has committed to a secure-by-design approach, as can be seen in a recent initiative reported on here and here.

How Tenable can help

This overview is meant to help give network and security engineers a summary of the best practices, as well as provide insight on how CIS Benchmarks cover many of the guidance’s topics. Still, engineers should read the guidance to ensure they fully understand the material and how it relates to their own networks. It’s equally important to map out the network and understand what devices exist and where they are placed. However, this is only a first step in securing the network.

Tenable has several products, such as Tenable Vulnerability Management, Tenable Security Center, and Nessus that support auditing a wide array of devices and operating systems using CIS Benchmarks. These products could help with maintaining control over risk factors that threat actors often attempt to exploit. Tenable audits are written to test for the criteria of each automated recommendation in CIS Benchmarks. After an evaluation is run against the target, a result is provided as well as remediation text from the CIS Benchmark so that engineers can remediate and harden the device or operating system.

Tenable provides audit files for the following CIS Benchmarks to help organizations assess device configurations:

• CIS Check Point Firewall Benchmark v1.1.0 - Level 1, Level 2 
• CIS Cisco ASA 9.x Firewall Benchmark v1.1.0 - Level 1, Level 2 
• CIS Cisco Firewall v8.x Benchmark v4.2.0 - Level 1 
• CIS Cisco IOS XE 16.x Benchmark v2.1.0 - Level 1, Level 2 
• CIS Cisco IOS XE 17.x Benchmark v2.1.1 - Level 1, Level 2 
• CIS Cisco IOS XR 7.x v1.0.0 - Level 1, Level 2 
• CIS Cisco NX-OS Benchmark v1.1.0 - Level 1, Level 2 
• CIS Fortigate 7.0.x Benchmark v1.3.0 - Level 1, Level 2 
• CIS Juniper OS Benchmark v2.1.0 - Level 1, Level 2 
• CIS Palo Alto Firewall 10 Benchmark v1.2.0 - Level 1, Level 2 
• CIS Palo Alto Firewall 11 Benchmark v1.1.0 - Level 1, Level 2 

These CIS Benchmarks align with the intent of the CISA hardening guidance. The example below highlights the CIS Cisco IOS XE 17.x v2.1.1 CIS Benchmark, and how it relates to the CISA hardening guidance:

Section 1.1 - Authentication, Authorization and Accounting (AAA) configuration

• Strengthening visibility as AAA logging supports user account login monitoring, and tracking changes
• Hardening systems and devices by providing identity management and policy enforcement

Section 1.2 - Access Rules for device administration

• Hardening systems and devices by restricting device management, and ensuring sessions are limited

Section 1.3 - Banner Rules to communicate legal rights to users

• Strengthening visibility by informing users they are subject to monitoring, and the event logs can support prosecution

Section 1.4 - Password Rules to enforce secure credentials and password lifecycle

• Hardening systems and devices by ensuring strong passwords are utilized, and passwords are securely stored

Section 1.5 - SNMP Rules provides guidance for secure configuration parameters

• Hardening systems and devices by ensuring SNMP is disabled, or is configured with secure parameters

Section 2.1 - Global Service Rules to reduce attack surface and disable unnecessary services

• Hardening systems and devices by disabling unnecessary, unused, exploitable, or plaintext services and protocols

Section 2.2 - Logging Rules configures log collection and forwarding

• Strengthening visibility by collecting event logs, and forwarding to a central log collection source
• Hardening systems and devices by forwarding logs to a central log collection source

Section 2.3 - NTP Rules ensures system time is provided by a single, consistent source

• Strengthening visibility by ensuring a consistent time source for event logs
• Hardening systems and devices by requiring that NTP is authenticated

Section 2.4 - Lookback Rules for configuring device initiated connections to supporting services such as AAA, SYSLOG, or NTP

• Hardening systems and devices by ensuring that traffic is initiated from a specific source, which can be used to set ACLs/filtering

Section 3.1 - Routing Rules to disable unneeded services

• Hardening systems and devices by disabling unneeded services such as source routing

Section 3.2 - Border Router Filtering defines filtering between internal and external networks

• Hardening systems and devices by implementing a strategy to control inbound and egress traffic

Section 3.3 - Neighbor Authentication configures routing protocol authentication

• Hardening systems and devices by requiring routing protocols are authenticated

Learn more

• Tenable Nessus
• Tenable Security Center
• Tenable Vulnerability Management
• Tenable Research audits
• Who is CIS?
• "Enhanced Visibility and Hardening Guidance for Communications Infrastructure" joint publication from various U.S. and international government agencies

The post New CISA Hardening Guidance Provides Valuable Insights for Network Security Engineers appeared first on Security Boulevard.

Researchers in Europe unveil a vulnerability dubbed "BadRAM" that hackers can easily exploit using $10 hardware to bypass protections in AMD's Eypc server processors used in cloud environments and expose sensitive data stored in memory.

The post AMD Chip VM Memory Protections Broken by BadRAM appeared first on Security Boulevard.

This blog explores ten essential web design security practices every developer and business should adopt to stay ahead of potential attacks.

The post Top 10 Web Design Security Best Practices to Follow in 2025 appeared first on Security Boulevard.

Understanding the nuances between cybersecurity products and platforms is crucial for enhancing business protections and supporting businesses anywhere.

The post Cybersecurity Products or Platforms – Which is More Effective? appeared first on Security Boulevard.

One of the most significant regulatory mandates on the horizon is the European Union’s Digital Operational Resilience Act (DORA).

The post Leveraging Crypto Agility to Meet DORA Requirements in Financial Services by January 2025 appeared first on Security Boulevard.

Learn how SOC 2 policies safeguard data, ensure compliance, and simplify the audit process for your business.

The post SOC 2 Policies: What They Should Include and Why They Matter appeared first on Scytale.

The post SOC 2 Policies: What They Should Include and Why They Matter appeared first on Security Boulevard.

In this Patch Tuesday edition, Microsoft addressed 72 CVEs, including 1 Zero-Day, 16 Criticals, 54 Important and 1 Moderate—the one Zero-Day was found to be actively exploited in the wild. From an Impact perspective, Escalation of Privilege (EoP) vulnerabilities accounted for 23%, followed by Remote Code Execution (RCE) at 38% and Denial of Service (DoS) …

Read More

The post Patch Tuesday Update – December 2024 appeared first on Security Boulevard.

Why is NHIDR Crucial in Modern Cybersecurity? For organizations to stay ahead in this dynamic cybersecurity landscape, it’s imperative to embrace innovative and comprehensive security methodologies. One such methodology is Non-Human Identity and Access Management (NHIDR). NHIDR is a revolutionary approach that addresses the increasingly complex security challenges associated with cloud environments. But, what makes […]

The post Staying Ahead: The Role of NHIDR in Modern Cybersecurity appeared first on Entro.

The post Staying Ahead: The Role of NHIDR in Modern Cybersecurity appeared first on Security Boulevard.

Microsoft addressed over 1000 CVEs as part of Patch Tuesday releases in 2024, including 22 zero-day vulnerabilities.

Background

Microsoft’s Patch Tuesday, a monthly release of software patches for Microsoft products, has just celebrated its 21st anniversary. After a wrap-up covering the 20th anniversary in 2023, the Tenable Security Response Team (SRT) chose to keep the tradition and cover trends and significant vulnerabilities from the 2024 Patch Tuesday releases.

Analysis

In 2024, Microsoft patched 1,009 CVEs throughout the year across a multitude of products. In contrast, 2023 saw 909 CVE’s patched and in 2022, 917 CVE’s were patched. While Microsoft has yet to break its 2020 record with 1,245 CVE’s patched, 2024 was still significant, as it is only the second time since Patch Tuesday’s inception that Microsoft patched over 1,000 CVE’s in a year.

Year over year, we see a steady increase in CVEs patched, with the exception of the outlier in 2020, a peak CVE count we have not yet seen matched.

In 2024, the largest CVE count was observed in April, with Microsoft releasing patches for 147 CVEs. Only three months saw CVE counts over 100, with an average of 84 CVE’s patched per month.

Patch Tuesday 2024 by severity

Each month, Microsoft categorizes vulnerabilities into four main severity levels: low, moderate, important and critical.

Just as in 2023, 2024 saw the majority of vulnerabilities rated as important, accounting for 93.6% of all CVEs patched, followed by critical at 5.4%. Moderate accounted for 1.1%, while there were no CVEs rated as low in 2024.

Patch Tuesday 2024 by impact

In addition to severity levels, Microsoft also categorizes vulnerabilities by seven impact levels: remote code execution (RCE), elevation of privilege (EoP), denial of service (DoS), information disclosure, spoofing, security feature bypass and tampering.

Once again in 2024, RCE vulnerabilities led the impact category, accounting for 39.7%, while EoP vulnerabilities accounted for 28.8%. DoS vulnerabilities ranked third, accounting for 10%, followed by information disclosure flaws at 8.3% and security feature bypass vulnerabilities at 8.0%. Last year, there were no vulnerabilities categorized as tampering, but this year, there were just four, which accounted for 0.4%.

Patch Tuesday 2024 zero-day vulnerabilities

According to Statista, Microsoft’s Windows operating system (OS) has a 72% market share as of February 2024, making it the most prominent OS. With the largest market share, Microsoft remains a top target for cybercriminals and advanced persistent threat (APT) groups. On occasion, these groups find and exploit vulnerabilities that remain unknown to Microsoft, known as zero-day vulnerabilities. Zero-day vulnerabilities are defined as vulnerabilities in software that have been exploited in the wild and/or have been publicly disclosed prior to patches becoming available. These zero-day vulnerabilities are often leveraged in limited, targeted attacks, however exploitation of these flaws can vary in depth and breadth.

In 2024, Microsoft patched 22 CVEs that were identified as zero-day vulnerabilities. Of the 22 zero-day vulnerabilities patched in 2024, 36.4% were EoP flaws. EoP vulnerabilities are often leveraged by APT actors and by determined cybercriminals seeking to elevate privileges as part of post-compromise activity. Following EoP flaws, security feature bypass vulnerabilities accounted for 27.3% of zero-days in 2024. While RCEs were the most prominent vulnerabilities across Patch Tuesday, they only accounted for 18.2% of zero-day flaws.

While these zero-days made up a small portion of the overall CVE’s addressed by Microsoft in 2024, we analyzed some of the most notable zero-day vulnerabilities of 2024. The table below includes these CVE’s with some details around their exploitation activity.

CVE Description Exploitation Activity CVE-2024-21338 Windows Kernel Elevation of Privilege Vulnerability Exploited by the Lazarus APT Group to deploy the FudModule rootkit CVE-2024-21412 Internet Shortcut Files Security Feature Bypass Vulnerability Water Hydra (aka DarkCasino) exploited this in a campaign named DarkGate. This APT has also exploited this CVE to deploy the DarkMe remote access trojan (RAT) CVE-2024-30051 Windows DWM Core Library Elevation of Privilege Vulnerability Used to deploy QakBot malware CVE-2024-30088 Windows Kernel Elevation of Privilege Vulnerability Exploited by APT34 (aka OilRig) CVE-2024-38112 Windows MSHTML Platform Spoofing Vulnerability Exploited by APT group Void Banshee to deploy the malware known as Atlantida stealer. CVE-2024-38178 Scripting Engine Memory Corruption Vulnerability Exploited by APT37 (aka RedEyes, Reaper, ScarCruft, Group123 and TA-RedAnt) CVE-2024-38193 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Exploited by the Lazarus APT Group (aka Diamond Sleet) to deploy the FudModule rootkit CVE-2024-38213 Windows Mark of the Web Security Feature Bypass Vulnerability Water Hydra (aka DarkCasino) exploited this in a campaign named DarkGate. Vulnerability was named “Copy2Pwn” by Trend Micro’s Zero Day Initiative (ZDI) CVE-2024-43451 NTLM Hash Disclosure Spoofing Vulnerability Exploited by APT known as UAC-0194 to deploy Spark RAT malware. CVE-2024-43461 Windows MSHTML Platform Spoofing Vulnerability Exploited by APT group Void Banshee in an attack chain with CVE-2024-38112 CVE-2024-49039 Windows Task Scheduler Elevation of Privilege Vulnerability Exploited by the threat actor tracked as RomCom to deploy the RomCom RAT malware. Conclusion

As we reflect on Patch Tuesday vulnerabilities in 2024, despite the year over year CVE counts being steady, we observed a small increase this year. While there will always be outliers, it is likely that 2025 will continue to follow an upward trend. In June, Microsoft announced that CVE’s would be issued for vulnerabilities in cloud-based products, even when no end user action is required. This could lead to a sharp increase in the number of CVEs assigned next year.

The SRT will continue to blog about Patch Tuesday each month along with other significant vulnerabilities that represent risk across the threat landscape, ensuring our readers are equipped with the most up to date information about the exposures that require immediate action.

Get more information

• Tenable Blog: Microsoft Patch Tuesday 2023 Year in Review

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

The post Microsoft Patch Tuesday 2024 Year in Review appeared first on Security Boulevard.

Quantum computing was long considered to be part of a distant future. However, it is quickly becoming a reality. Google’s recent announcement of its Willow quantum computing chip is a breakthrough generating significant media attention and questions about the implications for cybersecurity. Google’s Willow advancements are significant because of two major breakthroughs critical to the […]

The post Post-Quantum Cryptography: The Implications of Google’s Willow and Other Quantum Computers for Cybersecurity first appeared on Accutive Security.

The post Post-Quantum Cryptography: The Implications of Google’s Willow and Other Quantum Computers for Cybersecurity appeared first on Security Boulevard.

Open source software security and dependency management have never been more critical, as organizations strive to protect their software supply chains while navigating increasing complexity and risks.

The post Why software composition analysis is essential for open source security appeared first on Security Boulevard.

SpartanWarrioz, whose prolific phishing kit business took a hit when the group's Telegram channel was shut down in November, is rebounding quickly, creating a new channel and courting former subscribers as it rebuilds its operations, Forta researchers say.

The post Scam Kit Maker Rebuilding Business After Telegram Channel Shut Down appeared first on Security Boulevard.

In today’s digital classroom, connectivity is key—but it comes with challenges. As technology becomes an integral part of teaching and learning, K-12 schools face the responsibility of supporting classroom technology while safeguarding sensitive student and staff data. The shift to cloud-based tools like Google Workspace and Microsoft 365 has opened up new possibilities for collaboration, ...

The post Discover the Benefits of Cloud Monitor’s Advanced Cloud Security appeared first on ManagedMethods Cybersecurity, Safety & Compliance for K-12.

The post Discover the Benefits of Cloud Monitor’s Advanced Cloud Security appeared first on Security Boulevard.

Authors/Presenters: Rob Joyce, The Dark Tangent

Our sincere appreciation to DEF CON, and the Presenters/Authors for publishing their erudite DEF CON 32 content. Originating from the conference’s events located at the Las Vegas Convention Center; and via the organizations YouTube channel.

Permalink

The post DEF CON 32 – Changing Global Threat Landscape appeared first on Security Boulevard.

Auguria today at the Black Hat Europe conference, in addition to providing five additional integrations with other platforms, revealed it has added an explainability graph capability that makes it simple to understand why log data collected is either irrelevant or warrants further investigation.

The post Auguria Streamlines Management of Security Log Data appeared first on Security Boulevard.

1. 16Critical
2. 54Important
3. 0Moderate
4. 0Low

Microsoft addresses 70 CVEs with 16 rated critical, including one zero-day that was exploited in the wild.

Microsoft patched 70 CVEs in its December 2024 Patch Tuesday release, with 16 rated critical, and 54 rated as important.

This month’s update includes patches for:

• GitHub
• Microsoft Defender for Endpoint
• Microsoft Office
• Microsoft Office Access
• Microsoft Office Excel
• Microsoft Office Publisher
• Microsoft Office SharePoint
• Microsoft Office Word
• Remote Desktop Client
• Role: DNS Server
• Role: Windows Hyper-V
• System Center Operations Manager
• Windows Cloud Files Mini Filter Driver
• Windows Common Log File System Driver
• Windows File Explorer
• Windows IP Routing Management Snapin
• Windows Kernel
• Windows Kernel-Mode Drivers
• Windows LDAP - Lightweight Directory Access Protocol
• Windows Local Security Authority Subsystem Service (LSASS)
• Windows Message Queuing
• Windows Mobile Broadband
• Windows PrintWorkflowUserSvc
• Windows Remote Desktop
• Windows Remote Desktop Services
• Windows Resilient File System (ReFS)
• Windows Routing and Remote Access Service (RRAS)
• Windows Task Scheduler
• Windows Virtualization-Based Security (VBS) Enclave
• Windows Wireless Wide Area Network Service
• WmsRepair Service

Remote code execution (RCE) vulnerabilities accounted for 42.9% of the vulnerabilities patched this month, followed by elevation of privilege (EoP) vulnerabilities at 38.6%.

Important CVE-2024-49138 | Windows Common Log File System Driver Elevation of Privilege Vulnerability

CVE-2024-49138 is an EoP vulnerability in the Windows Common Log File System (CLFS) Driver. It was assigned a CVSSv3 score of 7.8 and is rated as important. It was exploited in the wild as a zero-day, though no details about the in-the-wild exploitation were known at the time this blog post was published.

In addition to CVE-2024-49138, Microsoft patched two other CLFS driver EoP vulnerabilities: CVE-2024-49090, CVE-2024-49088, both assigned a CVSSv3 score of 7.8, were rated as important and assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index.

This is the ninth vulnerability in the Windows CLFS driver patched in 2024, and the first that was exploited in the wild as a zero-day this year. In 2023, there were 10 CLFS vulnerabilities patched, including two zero-day vulnerabilities in the CLFS driver that were exploited (CVE-2023-28252, CVE-2023-23376). CLFS driver vulnerabilities have been a popular attack vector and exploited in the wild by ransomware operators in the last few years according to researchers.

Important CVE-2024-49070 | Microsoft SharePoint Remote Code Execution Vulnerability

CVE-2024-49070 is a RCE vulnerability in Microsoft SharePoint. It was assigned a CVSSv3 score of 7.4 and is rated as important. Microsoft’s advisory notes that complexity is high and successful exploitation requires the attacker to first prepare the target in order to improve reliability of an exploit. While no details have been provided, Microsoft assessed this vulnerability as “Exploitation More Likely.”

In addition to CVE-2024-49070, Microsoft patched two information disclosure vulnerabilities (CVE-2024-49062, CVE-2024-49064) and an EoP vulnerability (CVE-2024-49068) in Microsoft SharePoint.

Critical CVE-2024-49118, CVE-2024-49122 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability

CVE-2024-49118 and CVE-2024-49122 are RCE vulnerabilities in Microsoft Message Queuing (MSMQ). Both were assigned a CVSSv3 score of 8.1 and are rated as critical. According to both of the Microsoft advisories, successful exploitation requires an attacker winning a race condition. Despite this requirement, Microsoft assessed CVE-2024-49122 as “Exploitation More Likely” while CVE-2024-49118 was assessed as “Exploitation Less Likely” as the winning the race condition must occur “during the execution of a specific operation that recurs in a low frequency on the target system.”

In order for a system to be vulnerable, the MSMQ service must be added and enabled. According to Microsoft, if the service is enabled on a Windows installation, a service named “Message Queueing” will be running on TCP port 1801. Tenable customers can use Plugin ID 174933 to identify systems that have this service running.

CVE-2024-49118 and CVE-2024-49122 brings the total to six RCE’s affecting MSMQ that were patched in 2024. One was addressed in the June Patch Tuesday (CVE-2024-30080) release, two addressed in the April Patch Tuesday (CVE-2024-26232, CVE-2024-26208) release and one in February's Patch Tuesday (CVE-2024-21363) release.

Critical CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128 and CVE-2024-49132 | Windows Remote Desktop Services Remote Code Execution Vulnerability

CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128 and CVE-2024-49132 are RCE vulnerabilities affecting Windows Remote Desktop Services. All nine of these vulnerabilities were rated as critical and received CVSSv3 scores of 8.1. Successful exploitation is complex and requires an attacker to trigger a race condition in order to “create a use-after-free scenario” which could lead to arbitrary code execution. With a high complexity for exploitation, Microsoft assessed these vulnerabilities as “Exploitation Less Likely.”

In addition to these nine RCE’s, Microsoft addressed CVE-2024-49075, a DoS vulnerability affecting Remote Desktop Services.

Tenable Solutions

A list of all the plugins released for Microsoft’s December 2024 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

Get more information

• Microsoft's December 2024 Security Updates
• Tenable plugins for Microsoft December 2024 Patch Tuesday Security Updates

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

The post Microsoft’s December 2024 Patch Tuesday Addresses 70 CVEs (CVE-2024-49138) appeared first on Security Boulevard.

via the respected Software Engineering expertise of Mikkel Noe-Nygaard and the lauded Software Engineering / Enterprise Agile Coaching work of Luxshan Ratnaravi at Comic Agilé!

The post Comic Agilé – Mikkel Noe-Nygaard, Luxshan Ratnaravi – #315 – Stickies appeared first on Security Boulevard.

GitGuardian today extended the reach of its ability to manage applications secrets into the realm of non-human identities (NHI) associated with machines and software components.

The post GitGuardian Extends Reach to Manage Non-Human Identities appeared first on Security Boulevard.

Microsoft is calling out to researchers to participate in a competition that is aimed at testing the latest protections in LLMs against prompt injection attacks, which OWASP is calling the top security risk facing the AI models as the industry rolls into 2025.

The post Microsoft Challenge Will Test LLM Defenses Against Prompt Injections appeared first on Security Boulevard.