controlgap.com

Posts about: Cybersecurity (2)

Understanding the Risks Associated with NTLM Authentication

Despite the release of Kerberos more than 20 years ago, many enterprises today have not transitioned away from using NTLM authentication in their enterprise IT environments. As attackers continuously refine their tools and tactics, finding new and sophisticated ways to exploit NTLM's inherent vulnerabilities, the risks associated with maintaining NTLM are becoming increasingly prominent. This article aims to demonstrate some of the most popular and contemporary attacks exploiting NTLM, provide insight as to why Microsoft is working on disabling NTLM by default during the Windows 11 lifecycle, and underline the urgency for transitioning away from this outdated protocol. Keeping NTLM authentication enabled can lead to rapid (less than one minute) compromises of entire Active Directory domains.


Enhancing Vulnerability Assessment and Risk Scoring with CVSS 4.0

In the realm of cybersecurity, accurately assessing and quantifying the severity of vulnerabilities is crucial for organizations to effectively prioritize their remediation efforts. One widely adopted framework for quantifying the risk a vulnerability poses is the Common Vulnerability Scoring System (CVSS). Recently, the CVSS 4.0 specification and calculator were released, bringing significant enhancements to the process of vulnerability assessment and risk management. In this blog post, we will explore what CVSS is and highlight the key changes in version 4.0.


The New Google .zip TLD: Examining Potential Cybersecurity Risks

On May 3rd Google introduced several new top-level domains (TLDs), including the .zip TLD which has generated warnings from the cybersecurity community. TLDs are the suffixes at the end of website addresses (such as .com or .org) and play a crucial role in defining a website's identity. Whenever new TLDs emerge, it is essential to evaluate the potential cybersecurity risks they may introduce. This blog post will explore the dangers of the Google .zip TLD and discuss precautionary measures to safeguard against potential threats.


Control Gap Vulnerability Roundup: April 29th to May 5th

This week saw the publication of 294 new CVE IDs. Of those, 99 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 10% were of critical severity, 33% were high, 57% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:

  • The highly popular WordPress plugin, “Advanced Custom Fields”, which boasts more than 2 million users, was found to have been affected by an XSS vulnerability which would allow an unauthenticated attacker to conduct scripting attacks against site admins.
  • A particular model of Cisco phone adapter was found to allow unauthenticated users to force firmware updates on the device, resulting in complete compromise of the system. The devices are end-of-life and Cisco has stated they will not be releasing a fix.
  • OpenText BizManager, a popular document management system, had a vulnerability disclosed this week which would allow for the takeover of admin accounts.
  • Acronis, a security vendor specializing in backup solutions, had a CVE published this week for two products affected by information disclosure vulnerabilities. Interestingly, the vulnerabilities were addressed by Acronis a year ago in an official advisory.

Control Gap Vulnerability Roundup: April 22nd to April 28th

This week saw the publication of 501 new CVE IDs. Of those, 430 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 20% were of critical severity, 13% were high, 67% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:

  • Apache Superset disclosed a vulnerability affecting multiple versions of the Superset server. The issue has been known since October 2021 but was finally patched this last week. Apache is urging users to update immediately.
  • The highly popular print server “PaperCut” has disclosed multiple critical severity vulnerabilities which are being actively exploited in the wild. Unauthenticated attackers can exploit affected PaperCut servers to execute remote code. Trend Micro, the researchers who initially discovered the vulnerability, have announced that they will wait until May 10th to release technical details. Horizon3 and Huntress Labs have preempted Trend Micro by releasing their own blog posts and PoC exploits publicly.
  • APC, an incredibly popular battery backup and electrical product producer, has disclosed a vulnerability affecting the software used to manage their products remotely. This vulnerability’s severity could potentially be exacerbated as these products are commonly relied on during disaster recovery situations.
  • ESET has released research showing that they were able to retrieve highly sensitive information from networking technology purchased on the secondhand market. ESET was able to retrieve network and application configuration information in addition to authentication secrets even from devices which were said to be securely wiped by a third-party service.

Control Gap Vulnerability Roundup: April 8th to April 14th

This week saw the publication of 652 new CVE IDs. Of those, 240 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 12% were of critical severity, 48% were high, 39% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

  • A flaw in the Microsoft Windows Message Queueing service was disclosed and patched which would allow for remote code execution on any affected asset running an MSMQ service.
  • The Microsoft Windows Common Log File System continues to be abused by threat actors to escalate privileges on affected systems; this week saw the disclosure and patch of the 32nd vulnerability affecting the service since 2018.
  • SAP products utilized by Fortune 100 companies all over the world had two critical severity vulnerabilities disclosed this week which would allow attackers to execute arbitrary code or upload arbitrary files.
  • SpiceDB had a very lengthy CVE record published this week outlining a vulnerability which would allow attackers to obtain secrets entered when launching the database from the command line.

Control Gap Vulnerability Roundup: April 1st to April 7th

This week saw the publication of 579 new CVE IDs. Of those, 314 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 18% were of critical severity, 34% were high, 48% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:

  • Two new zero-day arbitrary code execution vulnerabilities affecting multiple Apple products have been disclosed and patched.
  • VM2, a popular JavaScript library designed around secure execution of untrusted code, was affected by a vulnerability which would allow attackers to escape the sandbox and execute arbitrary code on the host system.
  • A vulnerability affecting HP LaserJet products has been disclosed which would allow an attacker to compromise IPsec credentials. HP has disputed the vulnerability's severity based on the highly conditional requirements for exploitation.
  • The open-source edge and service proxy “Envoy” has had multiple vulnerabilities disclosed this past week which could potentially allow for the compromise of sensitive communications between applications and the network layer.

Control Gap Vulnerability Roundup: March 18th to March 24th

This week saw the publication of 591 new CVE IDs. Of those, 100 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 18% were of critical severity, 34% were high, 48% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:

  • A new bug dubbed “aCropalypse” has been disclosed which affects the “Markup Tool”, Google’s photo editing app for Android devices. The bug could allow for sensitive information to be retrieved from images which have been cropped or redacted dating back 5 years to Android 9.
  • WooCommerce has addressed a vulnerability in the popular self-titled WordPress plugin which would allow an unauthenticated user to impersonate an admin, leading to the complete compromise of the site.
  • Microsoft has addressed a zero-day vulnerability in its Outlook email client which could allow attackers to conduct NTLM relay attacks by sending a crafted email that the user does not even have to open or preview. Microsoft has acknowledged exploitation of this vulnerability by Russian APT groups dating back to April 2022.
  • Cisco Talos researchers have identified a very simple but effective remote command execution vulnerability in Netgear Orbi routers that could be exploited if an attacker could gain access to the administrator console, either through misconfiguration or credential attacks.

Control Gap Vulnerability Roundup: March 4th to March 10th

This week saw the publication of 493 new CVE IDs. Of those, 58 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 18% were of critical severity, 24% were high, 57% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

  • Fortinet products experience yet another remote code execution vulnerability, providing a path of entry for threat actors into organizations' internal networks.
  • Two remote code execution vulnerabilities have been disclosed and patched for multiple versions of the Android operating system. Google has chosen to play their cards very close to their chest and not release any technical details surrounding the vulnerabilities. Highly motivated attackers will likely seek to create exploits for these vulnerabilities as mobile devices represent high-value targets.
  • Veeam has disclosed a high severity vulnerability which would allow an attacker to retrieve “encrypted” credentials from the Backup & Replication service. The vulnerability is being treated very seriously by Veeam and would suggest an unauthenticated attacker could access sensitive backup files without much effort.
  • Microsoft has disclosed a vulnerability for its popular document editing product “Word” which affects its rich text format parser. In a world where Mark of the Web is severely reducing the effectiveness of malspam, this represents an attractive alternative attack path.

Control Gap Vulnerability Roundup: February 25th to March 3rd

This week saw the publication of 442 new CVE IDs. Of those, 258 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 14% were of critical severity, 39% were high, 47% were medium, and 0% were low. Listed below are the vulnerabilities that caught our attention:

  • ArubaOS has had a staggering 21 vulnerabilities of varying severity disclosed this week; all requiring an attacker to be authenticated to exploit. This release appears to coincide with a batch disclosure of vulnerabilities identified by their bug bounty program.
  • ClamAV, an open-source and “hackable” antivirus tool now owned by Cisco, has had two vulnerabilities disclosed which would allow for the compromise of an affected system if the tool was used to analyze a specially crafted file.
  • Firmware for WAGO programmable logic controllers was found to not enforce authentication on requests made to the back end of its web management interface. An unauthenticated attacker could abuse this to completely compromise the affected system.
  • Various models of Cisco IP phones were found to be vulnerable to remote code execution allowing an attacker who compromises the device to potentially lurk on the network for an extended period of time.