In The Trend of VM July 2024: 3 CVEs in Windows, Ghostscript, and Acronis Cyber Infrastructure
00:00 Greetings and explanation of what trending vulnerabilities are
00:33 Spoofing in Windows MSHTML Platform (CVE-2024-38112)
❗ CVSS score: 7.5, high danger level
A spoofing vulnerability in the engine that processes and renders HTML pages in the Microsoft Windows MSHTML Platform. This is a vulnerability from the July Microsoft Patch Tuesday. According to Check Point, attackers use special “.url” files in their attacks, with an icon that resembles the icon of a PDF document. If the user clicks on the file and ignores 2 uninformative warning notifications, a malicious HTA application is launched in the outdated Internet Explorer browser built into Windows; this HTA creates the user interface and operates the malware.
What is HTA? It is a Microsoft Windows application that is an HTML document. The application is displayed in a separate window using the Microsoft Internet Explorer engine. This window does not contain the familiar browser interface elements (menus, address bar, toolbars, etc.). The most dangerous thing is that most Internet Explorer security restrictions do not apply to HTA. An HTA application (and therefore the attacker) can create, modify and delete files and entries in the Windows system registry.
Why does the link open in Internet Explorer? This is all due to the processing of the “mhtml:“ prefix in the “.url“ file. The July update blocks this.
Check Point experts found examples of such “.url” files dating back as far as January 2023. According to Trend Micro, the vulnerability is exploited by the APT group Void Banshee to install the Atlantida Stealer malware and collect passwords, cookies and other sensitive data. Void Banshee adds malicious “.url“ files to archives with PDF books and distributes them through websites, instant messengers and phishing emails.
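A defender-side check that follows from the description above: a Windows Internet Shortcut (.url) file is a small INI-style text file, so the “mhtml:“ prefix that forces the target to open in the Internet Explorer engine can be found by parsing the `URL=` field. The script below is an added example for this summary, not code from the video, Check Point or Trend Micro. The two shortcut contents are constructed samples, `example.invalid` is a placeholder host, and the function and class names are my own.

```python
"""Flag Windows .url shortcut files whose URL= target carries the 'mhtml:' prefix.

Added example, not part of the original video description. The sample
shortcut texts below are constructed; 'example.invalid' is a placeholder host.
"""
import configparser
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample: an ordinary shortcut pointing at a PDF over HTTPS.
BENIGN_URL_FILE = (
    "[InternetShortcut]\n"
    "URL=https://example.invalid/report.pdf\n"
)

# Constructed sample: the target is wrapped in the 'mhtml:' prefix, the
# pattern the write-ups associate with CVE-2024-38112 lures.
SUSPICIOUS_URL_FILE = (
    "[InternetShortcut]\n"
    "URL= MHTML:http://example.invalid/book.pdf\n"
)


@dataclass
class Finding:
    """One flagged shortcut: where it was found, its target and why it was flagged."""
    name: str
    url: str
    reason: str


def parse_url_file(text: str) -> Dict[str, str]:
    """Return the [InternetShortcut] fields as a dict with lower-cased keys.

    .url files are INI-like; configparser lower-cases option names, so the
    'URL' field is returned under the key 'url'. Interpolation is disabled
    because real shortcuts may contain '%' in their targets, and strict mode
    is off because duplicate keys occur in the wild. Anything that is not a
    parseable INI file (no section header, garbage) yields an empty dict.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return {}
    if not parser.has_section("InternetShortcut"):
        return {}
    return dict(parser["InternetShortcut"])


def check_shortcut(name: str, text: str) -> Optional[Finding]:
    """Flag a shortcut whose URL target starts with 'mhtml:' (any case, any leading spaces)."""
    url = parse_url_file(text).get("url", "").strip()
    if url.lower().startswith("mhtml:"):
        return Finding(name, url, "URL= target uses the mhtml: prefix, which opens in the IE engine")
    return None


def scan_texts(items: Iterable[Tuple[str, str]]) -> List[Finding]:
    """Run check_shortcut over (name, file contents) pairs and keep the hits."""
    findings = (check_shortcut(name, text) for name, text in items)
    return [f for f in findings if f is not None]


def scan_directory(root: Path) -> List[Finding]:
    """Recursively scan a directory tree for .url files and flag suspicious ones."""
    files = ((str(p), p.read_text(errors="replace")) for p in root.rglob("*.url"))
    return scan_texts(files)


if __name__ == "__main__":
    samples = [("report.url", BENIGN_URL_FILE), ("book.url", SUSPICIOUS_URL_FILE)]
    for finding in scan_texts(samples):
        print(f"{finding.name}: {finding.reason} -> {finding.url}")
```

Point `scan_directory` at a mail-attachment quarantine, a downloads folder or an extracted archive to triage shortcuts in bulk; the check deliberately looks only at the prefix, so it also catches targets that are not PDFs.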
02:23 Arbitrary Code Execution in Artifex Ghostscript (CVE-2024-29510)
❗ CVSS score: 6.3, medium danger level
Arbitrary code execution vulnerability in Artifex Ghostscript. Memory corruption allows an attacker to bypass the SAFER sandbox and execute arbitrary code. Ghostscript is an interpreter for PostScript and PDF documents. It is used in various software, for example ImageMagick, LibreOffice, GIMP, Inkscape, Scribus, CUPS, etc., and is available for many operating systems. It is difficult to say exactly how widespread it is, but it is clear that it is VERY widespread. For example, thanks to CUPS, it is included in almost every Linux distribution and is often installed by default. If we take computers running Linux alone, there will already be billions of them. And it is not limited to Linux. This is a very large-scale problem.
• The Ghostscript release that fixes the vulnerability was published on May 2.
• 2 months later, on July 2, Codean Labs experts published a detailed analysis of this vulnerability and a PoC. In the video demonstration, they launch the calculator by opening a specially crafted .ps file with the ghostscript utility or a specially crafted .odt file in LibreOffice.
• On July 10, a functional exploit appeared on GitHub. And on July 19, a module appeared in Metasploit.
According to Security Affairs and some other sites, the vulnerability is being exploited in the wild. But they all refer to a single microblog post from some developer from Portland. I think more reliable evidence of exploitation in attacks will soon appear.
03:55 Arbitrary Code Execution in Acronis Cyber Infrastructure (CVE-2023-45249)
❗ CVSS score: 9.8, critical danger level
Arbitrary code execution vulnerability in the Acronis Cyber Infrastructure hyperconverged platform. Because of default passwords, a remote unauthenticated attacker can gain access to an Acronis Cyber Infrastructure (ACI) server and execute arbitrary code on it. ACI is a hyperconverged platform for storage, backup, compute, virtualization and networking functions.
• Patches that correct this vulnerability were released on October 30, 2023.
• 9-10 months later, on July 24 of this year, Acronis noted in a bulletin that the vulnerability showed signs of exploitation in the wild. They write that the purpose of the exploitation was to install a cryptominer. On July 29, the vulnerability was added to CISA KEV.
A number of sources report 20,000 service providers using ACI. I haven’t found any evidence of this; there may be confusion here with Acronis Cyber Protect. However, there are probably quite a few large companies using ACI. If you work for such a company, be sure to pay attention.
Subscribe to the avleonovcom Telegram channel “Vulnerability Management and more“! All links are there! #TrendVulns #PositiveTechnologies #Microsoft #Windows #InternetExplorer #Ghostscript #Artifex #CodeanLabs #Metasploit #Acronis #ACI