leakix

@leakix@mastodon.social

Maintaining and reporting for LeakIX.

We are NOT affiliated with any ransomware campaign.


leakix, to random

🚨 New plugin for #QNAP indexing hosts vulnerable to CVE-2024-21899.

~8500 vulnerable hosts were found.

Hosting providers & CERTs have been notified.

Patch now!

Thanks: @Gi7w0rm


leakix, to iOS

🔎 In the last episode of the #IOS XE exploit research saga, we find out how they replaced Nginx config files.

CVE-2023-20273: IOS XE root privilege escalation and implant installation.

https://blog.leakix.net/2023/10/cisco-root-privesc/

leakix, to random

🚨 Cisco Implant traffic detected from 192.3.101[.]111.

Looking for DNS settings, likely to ID targets.

Also more at https://mastodon.social/@SI_FalconTeam/111314289536498986

leakix, to vmware

🚨 CVE-2023-34048 - New plugin released for .

Found ~1100 vulnerable public services with DCERPC enabled. Patch now!
Out of 1911 vulnerable hosts 1100 are not fire-walled.

Alerts have been dispatched to CERTs and hosting providers.

Thanks: @Gi7w0rm

leakix, to vmware

CVE-2023-45498 / CVE-2023-45499, announced yesterday, affects #VinChin #VMWare #Backup and enables a remote attacker to achieve remote code execution.

Vendor failed to acknowledge the vulnerability.

Blog post, IOCs and demo at https://blog.leakix.net/2023/10/vinchin-backup-rce-chain/

Hopefully the first of many CVEs discovered by our research team!

hrbrmstr, to random

🚨We ( @greynoise ) are seeing initial scans looking for compromised Cisco IOS devices (CVE-2023-20198): https://viz.greynoise.io/query?gnql=tags:%22Cisco%20IOS%20XE%20CVE-2023-20198%20Scanner%22

^^ hit most of the fleet. Looks like there may be a second IP using a slight variant of the path/query string (investigating it now).

@vulncheck has a great blog indicating scores of impacted devices in the wild: https://vulncheck.com/blog/cisco-implants

leakix, to cisco

🚨🚨🚨 Whatever you were thinking about CVE-2023-20198 (#Cisco IOS XE) it's 100x worse.

We used @TalosSecurity IOC check and found ~30k implants.

That's 30k devices infected (routers, switches, VPNs), under the control of threat actors.

That's excluding rebooted devices.

Source: https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/

GossiTheDog, to random

deleted_by_author

  • leakix,

    @GossiTheDog I'm currently losing my mind getting my ass kicked by 15 Crimson's ship to end this quest.

    I now have to level up first to unlock class B ships :')

    GossiTheDog, (edited ) to random

    deleted_by_author

  • leakix,

    @GossiTheDog we had previous data points, it gets worse.

    https://twitter.com/leak_ix/status/1689292559632285696

    We came to suspect the same thing.

    leakix,

    @GossiTheDog I'll be honest, with all the failed mitigations I lost track of the timeline, but the plugin is accurate on the versions and CVEs. It's the 2017 build that caught my attention.

    leakix, to random

    🚨 CVE-2023-35082 - Plugin updated for finding vulnerable MobileIron Core instances taking into account the recent developments affecting versions higher than 11.2.

    ~1.3k found,

    Hosting providers and national CERTs have been notified.

    Sources:


    leakix, to random

    🤷Ivanti MobileIron Core strikes back :
    CVE-2023-35081 - Remote Arbitrary File Write (RCE)

    We are seeing 3 new versions being deployed:
    11.10.0.3, 11.9.1.2 and 11.8.1.2

    It seems that current exploitation is chained together with CVE-2023-35078 so the scope should be authenticated IF previously patched.

    Sources:

    leakix, to random

    💡If you're looking for precise version information on #Ivanti MobileIron Core aka EPMM without disclosing the 0day, you can get it from:

    /mifs/c/windows/api/v2/device/registration

    head > script > src attribute

    Looks like someone mixed 2 template variables.
