Recent Discussions
Frequently Asked Questions about Spring4Shell Vulnerability

On March 30, there were reports about Spring4Shell, a critical zero-day vulnerability in the Spring Core Framework, a programming and configuration model for Java-based enterprise applications. At the same time, news about a vulnerability in the Spring Cloud Function, identified as CVE-2022-22963, was also circulating. Unfortunately, these two flaws were conflated with one another, but they are not related. The Tenable Security Response Team has published an FAQ blog post about Spring4Shell to consolidate some of the questions being asked about the flaw. At the time we published the blog and this community post, Spring4Shell did NOT have a CVE identifier associated with it nor are patches available. For the most up-to-date information about Spring4Shell, including the availability of patches and Tenable product coverage, please visit our blog.

Posted by snarang (Product Team), 4 years ago
Zero Click Zero Day in Microsoft Support Diagnostic Tool Exploited in the Wild (CVE-2022-30190)

On May 30, Microsoft released an advisory for a zero-day in the Microsoft Windows Support Diagnostic Tool (MSDT) that has been exploited in the wild and gained considerable researcher attention over the weekend. CVE-2022-30190 is a remote code execution vulnerability in MSDT that impacts several versions of Microsoft Office, including patched versions of Office 2019 and 2021. An attacker would craft a malicious document (Microsoft Word is common) and send it to their target via email. By exploiting this vulnerability, an attacker can execute commands with the permissions of the application used to open the malicious document. Researchers have found that this vulnerability can be exploited without user interaction. Microsoft has published a workaround and detection information, but no patches as of May 31. For more information, please visit our blog post.

Posted by Anonymous, 4 years ago
Proof-of-Concept for Critical Apache Log4j Remote Code Execution Vulnerability Available (CVE-2021-44228)

On December 9, researchers published proof-of-concept (PoC) exploit code for a critical vulnerability in Apache Log4j 2, a Java logging library used by a number of applications and services including but not limited to:

  - Apache Druid
  - Apache Flink
  - Apache Solr
  - Apache Spark
  - Apache Struts2
  - Apache Tomcat

Dubbed Log4Shell by researchers, CVE-2021-44228 is a remote code execution vulnerability in Apache Log4j 2. Apache released 2.15.0 on December 10 to address this vulnerability. Tenable will be releasing plugins and scan templates for Tenable.io, Tenable.sc and Nessus Professional as soon as possible. Organizations that don’t currently have a Tenable product can sign up for a free trial of Nessus Professional to scan for this vulnerability. For more information and ongoing updates, please visit our blog.

Posted by Anonymous, 4 years ago
Microsoft Issues Out-of-Band Informational Advisory for Zero-Day in MSHTML (CVE-2021-40444)

UPDATE 09-14: Microsoft have published patches for this vulnerability as part of Patch Tuesday. For more information, please visit our blog.

On September 7, Microsoft published an out-of-band informational advisory for a critical zero-day vulnerability in its MSHTML rendering engine, also known as Trident. Identified as CVE-2021-40444, the flaw has reportedly been exploited in-the-wild in limited, targeted attacks. Microsoft says that attackers are exploiting this vulnerability using Microsoft Office documents that contain a malicious ActiveX control. Therefore, an attacker would need to use social engineering tactics to convince their target to open the malicious document file. Successful exploitation would grant an attacker remote code execution. Microsoft notes that this would primarily impact those Windows users that have more user rights, such as administrators. At this time, there are no patches available, hence the advisory is informational in nature. However, Microsoft has provided some mitigation instructions, which require disabling ActiveX controls on individual systems. To help aid customers, Tenable has released an audit script to help verify whether or not these mitigations have been applied. When patches become available, we will update this post with more information.

Posted by snarang (Product Team), 5 years ago
Critical Remote Code Execution Vulnerability CVE-2019-0708 Addressed in Patch Tuesday Updates

Microsoft has released its monthly security update for May. Included in this month's Patch Tuesday release is CVE-2019-0708, a critical remote code execution vulnerability that could allow an unauthenticated remote attacker to execute remote code on a vulnerable target running Remote Desktop Protocol (RDP). Tenable recommends applying the full May 2019 Security Update from Microsoft for all vulnerable assets. For CVE-2019-0708, Microsoft has provided updates for Windows 7, Windows Server 2008 and Windows Server 2008 R2. Additionally, Microsoft has provided patches for out-of-support systems, including Windows XP, Windows XP Professional, Windows XP Embedded and Windows Server 2003. For more information, please visit our blog.

Posted by Anonymous, 7 years ago
Tenable Research Update On ProxyNotShell (CVE-2022-41040, CVE-2022-41082)

Update 10/6: A new plugin has been released. Read below for more details.

As new information and research into the two zero-day vulnerabilities impacting Microsoft Exchange Servers has become available, the Tenable Research Team wants to keep our customers informed of the latest information. Our previous posts can be found here and here. Dubbed “ProxyNotShell” by security researchers, the pair of CVEs include a server-side request forgery (SSRF) vulnerability (CVE-2022-41040) and a remote code execution (RCE) vulnerability (CVE-2022-41082). The moniker is aptly named as this vulnerability leverages the same vulnerability path used by ProxyShell from early 2021. However, in order to exploit the ProxyNotShell vulnerabilities, authentication is required. Despite this requirement, in-the-wild exploitation of ProxyNotShell has been discovered according to multiple reports, including the original advisory from GTSC Cybersecurity Technology Company Limited, who observed attackers exploiting the flaws in early August. On September 29, Microsoft published its first blog post, confirming that they were investigating the GTSC report of the then unconfirmed zero-days. The next day, Microsoft published another post with information to aid organizations in their incident response, with information on observed behavior from impacted hosts. In the days following its initial post, Microsoft has added, updated and corrected mitigation advice related to these flaws. Following Microsoft’s updates, researchers have taken to public platforms to call out errors with the mitigation advice that allow for the bypass of the proposed mitigations.

As Tenable Research continues to monitor the situation and explore our coverage and plugin options, we are conscious that releasing a plugin to check for these mitigations could provide a false sense of security and cause our customers unnecessary frustration as the mitigation suggestions have continued to be modified by Microsoft. As the guidance from Microsoft continues to evolve, we continue to monitor for further updates and await the release of patches for these vulnerabilities or further dependable and verified mitigation guidance to incorporate into additional plugins. We have released an initial plugin (Plugin ID 165629) for our customers and continue to research and monitor the evolving situation. Additionally, as soon as patches are released, we will develop and release additional plugins to identify unpatched hosts. At this time, we recommend customers identify Microsoft Exchange Servers in their environments so they can develop a patching strategy in anticipation of official patches from Microsoft. To aid in this effort, we recommend using Plugin ID 108804 - Microsoft Exchange Server Detection (Uncredentialed) and Plugin ID 77910 - Microsoft Exchange Installed to identify the Exchange Servers in your environment. Tenable has released a new plugin (Plugin ID 165705) which will report all currently supported versions of Microsoft Exchange with a High severity rating. This will aid our customers in identifying systems with Microsoft Exchange installed that are currently affected by the unpatched zero-day vulnerabilities. This plugin is available as of plugin feed Serial ID 202210060050. For additional updates related to ProxyNotShell, please visit our Tenable blog post.

Posted by scaveza (Product Team), 3 years ago
Additional Plugins Released for Log4Shell - Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)

Tenable has released two additional plugins for CVE-2021-44228, known as Log4Shell. Additional plugins are expected to be released in the coming days. You can track plugins for CVE-2021-44228 using this link. The two new plugins are:

  - Plugin ID 156014 - Apache Log4Shell RCE detection via callback correlation (Direct Check HTTP) - This remote check can be used to identify the vulnerability without authentication. This plugin is compatible with Tenable cloud scanners.
  - Plugin ID 113075 - Apache Log4j Remote Code Execution (Log4Shell) - This plugin is available for our Tenable.io Web App Scanning (WAS) customers. This is a comprehensive plugin which can be used to test input fields that could be abused to exploit Log4Shell.

Please note that in order to ensure the latest plugins are available on your scanner, you will want to manually update your plugins. Details on this process and additional updates can be found in our blog.

Posted by snarang (Product Team), 4 years ago
Apache Solr Remains Vulnerable to Zero Day Remote Code Execution Flaw

Late last month, a proof of concept (PoC) for a remote code execution (RCE) vulnerability in the Velocity Response Writer plugin in Apache Solr, a popular open-source search platform built on Apache Lucene, was published as a GitHub Gist. A few days later, an exploit script was published to a GitHub repository. Our research teams have confirmed Apache Solr versions 7.7.2 through 8.3 (the most current release) are vulnerable to this flaw, and we suspect older versions that include the Config API are potentially vulnerable. For more details about the vulnerability, including mitigation, please visit our blog.

Posted by snarang (Product Team), 6 years ago
Unauthenticated check for Zerologon available

Tenable has released Microsoft Netlogon Elevation of Privilege. This plugin attempts to authenticate to the target using an all zero client credential after providing an all zero client challenge. On vulnerable targets, this will succeed on average once every 256 attempts, and this plugin will attempt this up to 2000 times in order to verify if the target is affected. Due to the number of login attempts required to accurately verify exploitability of a target, Tenable does not recommend running this plugin alongside any other plugins in a scan, as it is intended for single-target Domain Controller scans. To enable the plugin, users must disable the 'Only use credentials provided by the user' setting under the Brute Force section in the Assessment options in their scan configuration.

Posted by Anonymous, 5 years ago
CVE-2019-1367: Zero Day Vulnerability in Internet Explorer Exploited In The Wild

Earlier today, Microsoft released an out-of-band patch for CVE-2019-1367, a memory corruption vulnerability in Internet Explorer that has been exploited in the wild. The vulnerability was discovered and reported by Clément Lecigne of Google’s Threat Analysis Group (TAG). Additional details about the in-the-wild exploitation have not yet been made public by Google’s TAG. The vulnerability affects Internet Explorer 9, 10, and 11 across Windows 7, Windows 8.1, Windows 10, as well as Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. For more information, please visit our blog.

Posted by snarang (Product Team), 6 years ago