Reka, to security French
@Reka@framapiaf.org

Kaspersky.
MD5.

Okay.
#dataleak #security #vulnerability

arstechnica, to random
@arstechnica@mastodon.social

SSH backdoor has infected 400,000 Linux servers over 15 years and keeps on spreading

Ebury backdoors SSH servers in hosting providers, giving the malware extraordinary reach.

https://arstechnica.com/security/2024/05/ssh-backdoor-has-infected-400000-linux-servers-over-15-years-and-keeps-on-spreading/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social

com,
@com@mastodon.social

@arstechnica @Viss I wish articles like this would include, up front, the indicators of compromise that I can use to test if the servers I manage are affected. It's the first and most important thing I want to know when learning about a vulnerability.

mlevison, to random
@mlevison@agilealliance.social

The Catalyst: Jonah Berger is a good reminder of the possibility of good things, even when the gap is large. I just reread the story of Virginia, who is talking to a voter about Transgendered people. The voter calls them 'fags'. Virginia: "I'm gay, does that include me?" This turns to a discussion with the voter about their disabled spouse and being able to love anyone. By the end of the conversation, the voter has changed their view. Deep listening, #empathy and #vulnerability go a long way.

#Influence

mart_w, to php German
@mart_w@chaos.social

As fixes for the current and are not reliably available yet, keep in mind that a workaround exists for those of you who don’t need support for the ISO-2022-CN-EXT character set: https://rockylinux.org/news/glibc-vulnerability-april-2024/

This should be quite straightforward to apply on most machines – except those running . If you do use NixOS, my solution might help you bridge the gap until the proper fix is upstream: https://git.brokentech.cloud/mart-w/nixos-workaround-cve-2024-2961

Thanks @hexa for pointing me in the right direction!

bobby, to hacking
@bobby@mastodon.sexypokemon.xyz

There is a new PHP vulnerability out. It is being tracked as CVE-2024-2961. Here’s a video explaining the vulnerability https://youtu.be/u8jLUjpCWrs?si=Fm1JSBdAW9VBzuhj #cve #vulnerability #hacking #php #linux #news #Security

83r71n, to Cybersecurity
@83r71n@ioc.exchange

A critical vulnerability, identified as CVE-2024-20356, has been found in Cisco's Integrated Management Controller (IMC). This flaw allows for command injection, potentially giving attackers the ability to gain root access to systems. The vulnerability is located in the web-based management interface of the IMC, which is used for remotely managing Cisco hardware. The issue arises from insufficient user input validation in the IMC interface, allowing an authenticated, remote attacker with administrative privileges to inject malicious commands.

Security researchers from Nettitude have developed a Proof of Concept (PoC) exploit, named "CISCown," to demonstrate this vulnerability. The exploit involves sending crafted commands through the web interface, enabling attackers to execute arbitrary code with root privileges on the underlying operating system of Cisco hardware. This PoC exploit is part of a toolkit developed by Nettitude and is available on GitHub. It uses parameters such as target IP, username, and password to automate the exploitation process and deploy a telnetd root shell service on compromised devices.

The release of this PoC exploit signifies a critical threat level for organizations using affected Cisco products. Gaining root access can lead to data theft, system downtime, and further network compromise. Cisco has responded by releasing software updates to address this vulnerability. It is strongly recommended that all affected organizations apply these updates immediately, as no known workaround mitigates this vulnerability.

The affected products include a range of Cisco servers and computing systems, such as the 5000 Series Enterprise Network Compute Systems (ENCS), Catalyst 8300 Series Edge uCPE, UCS C-Series M5, M6, and M7 Rack Servers in standalone mode, UCS E-Series Servers, and UCS S-Series Storage Servers. Users and administrators are advised to visit Cisco’s official security advisory page and the Nettitude GitHub repository hosting the exploitation toolkit for more detailed information and access to the updates.

https://labs.nettitude.com/blog/cve-2024-20356-jailbreaking-a-cisco-appliance-to-run-doom/

#cybersecurity #cisco #vulnerability #imc #cve #poc #nettitude #encs #ucpe #ucs #m5 #m6 #m7 #github

linuxiac, to linux
@linuxiac@mastodon.social

Critical CVE-2024-32462 exposed in Flatpak, allowing unauthorized code execution. Update urgently to fixed versions 1.14.6 and above.
https://linuxiac.com/flatpak-patch-addresses-major-sandbox-escape-flaw/

#linux #flatpak #vulnerability #security

msquebanh, to Health
@msquebanh@mastodon.sdf.org

With , we’re harnessing power of personal stories to highlight impacts of abandoning measures & demand change. Past waves of helped restore to BC & over fall/winter & resulted in a commitment of over $3 billion across 3 years for measures. Now, we’re on the third wave, supporting our ‘ Is Seasonal’ campaign to year round!

https://donoharmbc.ca/postcards4publichealth

doboprobodyne, (edited ) to uk
@doboprobodyne@mathstodon.xyz

If you're in the UK, check out this new Rough Sleeping Criminal Justice Bill. Feel free to boost this for visibility or add hashtags - I think it's important to set &/or maintain the precedent that these laws be debated and critiqued very thoroughly. Telling someone with no home to 'move along' is a stiff order. That police could be asked to uphold this law (as it is written) could carry a risk of moral injury to our coppers.

“Nuisance rough sleeping” starts at s.59, and the offending smelly “rough sleeping condition” can be found at s.69(5)(c). Including words from subs.(4):

> A person does “something that is a nuisance” if the person ... causes or does something capable of causing ... damage to the environment (including excessive noise, smells, litter or deposits of waste)...

https://bills.parliament.uk/bills/3511

If one were to parody this, I'd propose the following as a start:
"Sleeping in public in the UK must now be done only in a suit and tie or equivalent formal dress, whilst wearing a perfume. Snoring is illegal. Campaigners are lobbying the government to permit it to be carried out whilst wearing a polo-shirt and chinos, however the government maintain that this is a slippery slope to people wearing pyjamas in public, and thence anarchy."

Information about one's MP is available at https://www.theyworkforyou.com/ if you feel further critique of this law is a worthy cause. I'd suggest any MP pushing for this would get positive media coverage.

#UK #law #homelessness #homeless #vulnerability #security #safety #health #police #policing #legal #england #wales #court #displaced #refugees #employment #lords #commons

circl, to infosec
@circl@social.circl.lu

vulnerability-lookup version v0.7.0 has been released.

  • News feed added
  • Support for CSAF sources (CERT Bund, RedHat, Siemens, CISA, CISCO, Nozomi Networks, OpenXchange, SICK)
  • OSSF Malicious packages repository
  • Pagination for recent vulnerabilities (API & Web)

🔗 Source code https://github.com/cve-search/vulnerability-lookup/releases/tag/v0.7.0

🔗 Vulnerability lookup online https://vulnerability.circl.lu/

simontatham, to random
@simontatham@hachyderm.io

We've released #PuTTY version 0.81. This is a SECURITY UPDATE, fixing a #vulnerability in ECDSA signing for #SSH.

If you've used a 521-bit ECDSA key (ecdsa-sha2-nistp521) with any previous version of PuTTY, consider it compromised! Generate a new key pair, and remove the old public key from authorized_keys files.

Other key types are not affected, even other sizes of ECDSA. In particular, Ed25519 is fine.

This vulnerability has id CVE-2024-31497. Full information is at https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html
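
The cleanup step in the PuTTY 0.81 post above (remove old ecdsa-sha2-nistp521 public keys from authorized_keys files) needs those entries located first. This is an added example, not part of the original post or of PuTTY: it reads the key type from inside each base64 blob, so entries with leading options are still found. The sample file and its keys are constructed, and the script cannot tell which keys were ever used with PuTTY.

```python
import base64
import re
import struct

AFFECTED = "ecdsa-sha2-nistp521"  # key type named in the post above
# A field is a run of non-space characters and double-quoted option values.
FIELD = re.compile(r'(?:"(?:\\.|[^"\\])*"|[^\s"])+')

def blob_key_type(b64):
    """Algorithm name stored in the SSH key blob (uint32 length + name), or None."""
    try:
        raw = base64.b64decode(b64, validate=True)
        (n,) = struct.unpack(">I", raw[:4])
        name = raw[4:4 + n]
        return name.decode("ascii") if len(name) == n else None
    except (ValueError, struct.error):
        return None

def find_affected(text):
    """Return (line number, comment) for every entry whose blob is a P-521 ECDSA key."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = FIELD.findall(line)
        if not fields or fields[0].startswith("#"):
            continue
        for i in range(len(fields) - 1):  # options may precede the key type
            if blob_key_type(fields[i + 1]) == fields[i]:
                if fields[i] == AFFECTED:
                    hits.append((lineno, " ".join(fields[i + 2:])))
                break
    return hits

def sample_blob(name):  # constructed, non-functional blob: only the type header is real
    n = name.encode()
    return base64.b64encode(struct.pack(">I", len(n)) + n + b"\0" * 16).decode()

SAMPLE = "\n".join([  # constructed authorized_keys content, not real keys
    "# constructed sample",
    f"ssh-ed25519 {sample_blob('ssh-ed25519')} alice@laptop",
    f'command="echo hi there",no-pty {AFFECTED} {sample_blob(AFFECTED)} bob@winbox',
    f"ecdsa-sha2-nistp256 {sample_blob('ecdsa-sha2-nistp256')} carol@ci",
])

if __name__ == "__main__":
    for lineno, comment in find_affected(SAMPLE):
        print(f"line {lineno}: {AFFECTED} key ({comment}), review and replace")
```

To audit a real file, pass its contents to `find_affected()` in place of `SAMPLE`.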

83r71n, to Cybersecurity
@83r71n@ioc.exchange

A critical vulnerability, named BatBadBut, was discovered in the Rust programming language, affecting not just Rust but also Erlang, Go, Python, Ruby, and potentially others. This vulnerability, with a severity score of 10/10, could allow attackers to execute arbitrary commands on Windows systems by exploiting how Rust handles batch files. The issue arises from Rust's standard library improperly escaping arguments when invoking batch files on Windows, leading to potential command injection. The vulnerability has been addressed with a fix in Rust version 1.77.2, which developers are urged to update to. Other programming languages and systems, including Node.js, PHP, and Java, are also affected and are working on patches.

https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/

https://blog.rust-lang.org/2024/04/09/cve-2024-24576.html

#cybersecurity #rust #batbadbut #vulnerability #erlang #go #python #ruby #nodejs #php #java #windows #commandinjection #RyotaK #Grub4K #flattsecurity

83r71n, to Cybersecurity
@83r71n@ioc.exchange

Fortinet has revealed vulnerabilities in its FortiOS, FortiProxy, FortiClient Linux, and FortiClient Mac products, including a critical one that could allow remote code execution. This critical flaw, identified as CVE-2023-45590, has a high severity score and could enable an attacker to execute arbitrary code by tricking a user into visiting a malicious website. Other high-severity issues affect FortiOS and FortiProxy, where credentials are not adequately protected. A specific flaw (CVE-2023-41677) might allow an attacker to steal the administrator cookie under certain conditions. Additionally, FortiClientMac has vulnerabilities due to a lack of configuration file validation. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory warning about the potential for cyber threat actors to exploit these vulnerabilities.

https://www.fortiguard.com/psirt/FG-IR-23-087

https://www.fortiguard.com/psirt/FG-IR-23-345

https://www.fortiguard.com/psirt/FG-IR-23-493

#cybersecurity #fortinet #fortios #fortiproxy #forticlient #linux #mac #vulnerability #cve #cisa

lpwaterhouse, to random
@lpwaterhouse@ioc.exchange

I am currently designing a small toy-language and was considering making all strings proper objects and all source files utf-8. Lo and behold, Unicode has recently published some guidance: http://www.unicode.org/reports/tr55/ I am, however, rather deeply concerned about the general strong preference for over , e.g. as recommended for identifiers. I get wanting to allow people to use their own language and script wherever possible, and therefore recommending switching from e.g. requiring type names to start with an upper-case character to blocking an initial lower-case character, thereby allowing the use of unicameral (without upper and lower case) scripts. But I have this deep gut-feeling that while the TR certainly solves some existing classes, it also opens up a huge amount of new ones with this general attitude. I haven't yet gone through the TR with a fine-toothed comb to allay that fear, but I'd appreciate input from anyone that has thoughts on the matter.

jathanasiou, to linux
@jathanasiou@mastodon.social

If your Linux installation has the "xz" utility installed make sure to update your system and keep an eye on things, it has had a security backdoor installed for a while:

Fedora announcement: https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

Timeline: https://boehs.org/node/everything-i-know-about-the-xz-backdoor

#linux #security #backdoor #vulnerability #fedora #xz #liblzma

circl, to infosec
@circl@social.circl.lu

TR-82 - backdoor discovered in xz-utils - CVE-2024-3094

🔗 For more information including detection and information about vulnerable distribution https://www.circl.lu/pub/tr-82/

#xz #vulnerability #infosec #backdoor #vulnerabilities #cve20243094

ashed, to linux
@ashed@mastodon.ml

The xz package, starting from version 5.6.0 to 5.6.1, was found to contain a backdoor. The impact of this vulnerability affected Kali between March 26th to March 29th. If you updated your Kali installation on or after March 26th, it is crucial to apply the latest updates.

If you would like to be sure that you are up to date and not affected by this vulnerability, you can do the following to upgrade your local version of the package: sudo apt update && sudo apt install --only-upgrade liblzma5

ashed,
@ashed@mastodon.ml

The backdoor was present in the official xz releases 5.6.0 and 5.6.1, published on February 24 and March 9, which made their way into some distributions and repositories, for example Gentoo, Arch Linux, Debian sid/unstable, Fedora Rawhide and 40-beta, openSUSE factory and tumbleweed, LibreELEC, Alpine edge, Solus, CRUX, Cygwin, NixOS unstable, OpenIndiana, OpenMandriva rolling, pkgsrc current, Slackware current, Manjaro testing. All users of xz releases 5.6.0 and 5.6.1 are advised to urgently roll back to version 5.4.6.
The backdoored version of liblzma did not make it into the stable releases of the major distributions, but it did affect openSUSE Tumbleweed and Fedora 40-beta. Arch Linux and Gentoo used the vulnerable version of xz but are not susceptible to the attack, because they do not apply to openssh the systemd-notify support patch that causes sshd to be linked against liblzma. The backdoor affects only x86_64 systems based on the Linux kernel and the Glibc C library.

ashed,
@ashed@mastodon.ml

All the most interesting things happened at night again, while you were asleep.
The Internet is storming at 10 out of 10 on the CVE scale: roughly all ssh servers on debian-like systems are compromised, through a tampered xz repository and the liblzma library.
How come, you ask? openssh does not use liblzma at all. But there is a nuance: Red Hat, Fedora and the various Debians patch openssh for compatibility with systemd notifications, and that is how you end up with this mess.
The author of the code is a clever one, hard to find another like him. Not only did he figure out how to compromise the project through a test (that is, the xz code is clean and before compilation everything looks perfectly respectable), they also say he got the well-known oss-fuzz to stop detecting his addition.

For those who like numbers: CVE-2024-3094

CISA is sounding the alarm - https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094

The xz repository has been shut down completely, and every second person is frantically checking their xz version, because if it is 5.6.0 or higher, you need to roll back urgently.
