Attacks & Vulnerabilities
VMware vCenter Server Vulnerabilities Let Attackers Execute Remote Code (2 minute read)
Two critical vulnerabilities in VMware vCenter Server and Cloud Foundation products allow attackers to execute remote code and escalate privileges. VMware has advised customers to patch affected systems immediately by upgrading to specific versions or applying the async patch. These flaws impact versions 7.0 and 8.0 of vCenter Server and versions 4.x and 5.x of Cloud Foundation.
Confusion Attacks: Exploiting Hidden Ambiguity in Apache HTTP Server (12 minute read)
Apache HTTP Server's modular design opens it up to vulnerabilities because the request_rec structure is passed from module to module, and one module may mutate it in a way that a module further downstream does not expect, leading to confusion attacks. Most modules treat the filename field as a filesystem path, but some treat it as a URL. This leads to path truncation vulnerabilities in mod_rewrite and ACL bypass in mod_proxy. mod_rewrite will always load the path from both the DocumentRoot and the root directory, which can lead to source code disclosure or LFI, XSS, and even RCE via local gadget abuse and jailbreak. A legacy code snippet that allows the Content-Type to override the Handler causes handler confusion, which can lead to SSRF, information disclosure, and RCE.
Enhancing LinkedIn's Security Posture Management with AI-Driven Insights (8 minute read)
LinkedIn developed a tool called Security Posture Platform (SPP), which provides a graph database and GraphQL API to answer questions about security posture in the organization. To enhance usability by allowing for natural language querying, LinkedIn added an AI layer to SPP. This post describes the process and data engineering used to achieve 85-90% accuracy with LinkedIn's AI.
Exploring Deserialization Attacks and Their Effects (5 minute read)
This blog post explores deserialization attacks, focusing on how to identify and exploit vulnerabilities in applications that handle serialized data. It provides a step-by-step guide on how attackers can inject malicious code through deserialization, ultimately gaining control over the application's functionality. The author emphasizes the importance of understanding these attacks to enhance security practices during code review engagements.
Fibratus (GitHub Repo)
Fibratus detects, protects, and eradicates advanced adversary tradecraft by scrutinizing and asserting a wide spectrum of system events against a behavior-driven rule engine and YARA memory scanner. Events can be shipped to a wide array of output sinks or dumped to capture files for local inspection and forensics analysis. Users can use filaments to extend Fibratus with their own arsenal of tools and so leverage the power of the Python ecosystem.
Opal (GitHub Repo)
OPAL is an administration layer for Policy Engines, such as Open Policy Agent (OPA) and AWS' Cedar Agent. It detects changes to both policy and policy data in real time and pushes live updates to agents. OPAL brings open-policy up to the speed needed for live applications.
Redefining CNAPP: A Complete Guide to the Future of Cloud Security (15 minute read)
This post provides a comprehensive look at the cloud security and CNAPP landscape. It begins with a history of cloud security before diving into the agent vs. agentless debate. Agent-based scanners can provide more granular insights and runtime protection, but can be difficult to deploy and may have performance issues. Agentless scanners are quick to deploy but generate many false positives and are not suited to containerized workloads. CNAPP stifles innovation while being too bloated to be useful, because it tries to cater to both cloud security engineers and developers, who are looking for fundamentally different things. The future of CNAPP is a convergence of vulnerability management, posture scanning, runtime detection, and response.
Microsoft is Building New Windows Security Features to Prevent Another CrowdStrike Incident (3 minute read)
In the wake of the disastrous CrowdStrike outage, Microsoft met with industry leaders to discuss security features that could be added to Windows to enable endpoint security vendors to move their products out of the kernel. Many vendors championed this as a productive endeavor and appreciated the collaboration from Microsoft. Others, like Cloudflare CEO Matthew Prince, cautioned that the move could lead to an unfair market in which only Microsoft has access to the kernel. Microsoft has not mentioned locking vendors out of the kernel since 2006.
Hacking the Planet - A DEFCON ICS CTF 2024 Retrospective (9 minute read)
Maxwell Dulin's team won the Industrial Control Systems (ICS) Capture the Flag (CTF) competition this year with a 37% lead over the next team. In this blog post, Dulin shares the team's winning strategies, which include focusing on in-person challenges during the day and solving offline challenges at night. Dulin's favorite challenge was turning on the lights for a smart city, which involved spoofing a device to control the lights.
Thanks for reading,
Prasanna Gautam, Eric Fernandez & Sammy Tbeile