A critical CVSS:10 vulnerability (CVE-2020-1472) in the Microsoft Netlogon process was patched in the August patch cycle, but details were not made public until earlier this week (14th September).
The recent disclosure of CVE-2020-1472 vulnerability by Microsoft showcases the need for tools that allow defenders to quickly replicate published exploit code, register attack data, and create signatures or other mitigations against released exploits with a high likelihood of exploitation against popular infrastructure or operating systems.
Knowing what could hurt you can help you. That’s the point of the nonprofit MITRE’s 2020 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors (CWE Top 25) list, released a few weeks ago.
On September 14, CVE-2020-14386 was reported as a “high” severity threat. This CVE is a kernel security vulnerability that enables an unprivileged local process to gain root access to the system. CVE-2020-14386 is a result of a bug found in the packet socket facility in the Linux kernel. It allows a bad actor to trigger a memory corruption that can be exploited to hijack data and resources and in the most severe case, completely take over the system.
During the late 1990s, security professionals were using information assurance tools in concert with vulnerability scanners to detect and remove vulnerabilities from the systems for which they are responsible. There’s just one problem – each security vendor has its own database with little to no crossover.
So far, there has not been a perfect solution to ridding the world of software and hardware weaknesses. Keeping up-to-date with which weaknesses have are most common and impactful can be a daunting task. Thankfully, a list has been made to do just that the Common Weakness Enumeration Top 25 (CWE).
Since the start of the pandemic we’ve been writing about the latest CVEs to look out for in our risk based vulnerability management blog. As we head into the Autumn and the nights begin to draw in, threat actors continue to exploit vulnerabilities the world over. Let’s take a look at some that have raised their profile in the last couple of weeks.
Learn about the new product features or watch the video highlight of our Summer release to help you manage vulnerabilities more effectively and automate security hygiene across the full technology stack with less effort.
Scope-creeping doesn’t always end up in a 0-day with a CVE assigned, and this was the fortune of Detectify Crowdsource hacker, Özgür Alp. He is an ethical hacker with 7+ years experience, well certified within offensive security and also high ranked on hacker leaderboards. Here is his success story on how he, with the help of the Detectify Crowdsource team, turned an open redirect into a public disclosed vulnerability known as CVE-2020-1323.
