Happy #PatchTuesday from Microsoft: 5 ZERO-DAYS (2 exploited, all of them publicly disclosed)

• CVE-2024-43573 (6.5 medium) Microsoft Windows MSHTML Platform Spoofing Vulnerability (PUBLICLY DISCLOSED, EXPLOITED)
• CVE-2024-43572 (7.8 high) Microsoft Management Console Remote Code Execution Vulnerability (PUBLICLY DISCLOSED, EXPLOITED)
• CVE-2024-43583 (7.8 high) Winlogon Elevation of Privilege Vulnerability (PUBLICLY DISCLOSED)
• CVE-2024-20659 (7.1 high) Windows Hyper-V Security Feature Bypass Vulnerability (PUBLICLY DISCLOSED)
• CVE-2024-6197 (8.8 high) Open Source Curl Remote Code Execution Vulnerability (PUBLICLY DISCLOSED)

cc: @goatyell @mttaggart @hrbrmstr @ntkramer @iagox86 @zackwhittaker @dreadpir8robots @TheDustinChilds @neurovagrant @xorhex @campuscodi @briankrebs (remember to remove the mentions to avoid ReplyAll madness)

We can build the web that we want to see. Watch the recording of my talk from #XOXOFest!

https://www.youtube.com/watch?v=MTaeVVAvk-c

From HTTP request to ROP chain in Node.js! 🔥

Our latest blog post explains how to turn a file write vulnerability in a Node.js application into RCE – even though the target's file system is read-only:

https://www.sonarsource.com/blog/why-code-security-matters-even-in-hardened-environments/?utm_medium=mastodon&utm_source=twitter&utm_campaign=research&utm_content=social-why-code-security-matters-even-in-hardened-environments-241008-&utm_term=&s_category=Organic&s_source=Social%20Media&s_origin=mastodon

In response to my earlier post, some Twitter folks asked why I'm "so afraid of telemetry".

For one, it's because I've seen first-hand what ends up in it. Crash reporting is particularly bad: it's nearly impossible to reliably scrub of sensitive info - URLs, auth tokens, etc.

Worse, a lot of other "telemetry" is deliberately privacy-violating. "Don't worry, we only collect anonymized GPS routes". Except, you know, a buyer of this data can filter by tracks originating from my home.

But above all, I just don't want the mental burden of figuring this out for every piece of software I install, so I hate that it's the new norm.

If you want a peek at how I'm using your software, meaningfully ask, instead of sneaking it in on page 38 of the EULA.

@alienghic @ai6yr @meganL I read through Ajay Singh Chaudhary's "The Exhausted of the Earth" some months ago.

I got to this part:

"Capital will chew through the biosphere and societies alike in pursuit of an ever more costly maintenance of profitability."

About the same time as I read a piece about OpenAI claiming to want to spend the entire GDP of Japan on burning fuel and making electronic waste.

So I was not able to disagree with that part of his analysis.

TIL: AVX-512 supports an instruction implementing binary logic defined by a 3-input LUT. Sounds super handy.

https://arnaud-carre.github.io/2024-10-06-vpternlogd/

#Nikon video limit of 30 minutes? Let see if I can patch this bad boi.

#Ghidra #ReverseEngineering

Cisco security advisories:

1. Cisco UCS B-Series, Managed C-Series, and X-Series Servers Redfish API Command Injection Vulnerability CVE-2024-20365 (6.5 medium)
2. Cisco Small Business RV042, RV042G, RV320, and RV325 Routers Denial of Service and Remote Code Execution Vulnerabilities
   • CVE-2024-20516, CVE-2024-20517, CVE-2024-20522, CVE-2024-20523 and CVE-2024-20524 (6.8 medium) Cisco Small Business RV042, RV042G, RV320, and RV325 Denial of Service Vulnerabilities
   • CVE-2024-20518, CVE-2024-20519, CVE-2024-20520 and CVE-2024-20521 (6.5 medium) Cisco Small Business RV042, RV042G, RV320, and RV325 Remote Command Execution Vulnerabilities
3. Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Privilege Escalation and Remote Command Execution Vulnerabilities CVE-2024-20393 (8.8 high) CVE-2024-20470 (4.7 medium)
4. Cisco Nexus Dashboard Orchestrator SSL/TLS Certificate Validation Vulnerability CVE-2024-20385 (5.9 medium)
5. Cisco Nexus Dashboard and Nexus Dashboard Fabric Controller Unauthorized REST API Vulnerabilities
   • CVE-2024-20438 (6.3 medium) Cisco NDFC Unauthorized REST API Endpoints Vulnerability
   • CVE-2024-20441 (5.7 medium) Cisco NDFC Unauthorized REST API Endpoint Vulnerability
   • CVE-2024-20442 (5.4 medium) Cisco Nexus Dashboard Unauthorized REST API Endpoints Vulnerability
   • CVE-2024-20477 (5.4 medium) Cisco NDFC Unauthorized REST API Endpoint Vulnerability
6. Cisco Nexus Dashboard Hosted Services Information Disclosure Vulnerabilities CVE-2024-20490 and CVE-2024-20491 both 6.3 medium
7. Cisco Nexus Dashboard Fabric Controller REST API Command Injection Vulnerability CVE-2024-20444 (5.5 medium)
8. Cisco Nexus Dashboard Fabric Controller Remote Code Execution Vulnerability CVE-2024-20449 (8.8 high)
9. Cisco Nexus Dashboard Fabric Controller Arbitrary Command Execution Vulnerability CVE-2024-20432 (9.9 critical) 🥵
10. Cisco Nexus Dashboard Fabric Controller Configuration Backup Information Disclosure Vulnerability CVE-2024-20448 (6.3 medium)
11. Cisco Meraki MX and Z Series Teleworker Gateway AnyConnect VPN Session Takeover and Denial of Service Vulnerability CVE-2024-20509 (5.8 medium)
12. Cisco Meraki MX and Z Series Teleworker Gateway AnyConnect VPN Denial of Service Vulnerabilities
    • CVE-2024-20498, CVE-2024-20499, CVE-2024-20501 (8.6 high) Cisco Meraki MX and Z Series Teleworker Gateway AnyConnect VPN DoS Vulnerability
    • CVE-2024-20500 (5.8 medium) Cisco Meraki MX and Z Series Teleworker Gateway AnyConnect VPN DoS Vulnerability
    • CVE-2024-20502 (5.8 medium) Cisco Meraki MX and Z Series Teleworker Gateway AnyConnect VPN DoS Vulnerability
    • CVE-2024-20513 (5.8 medium) Cisco Meraki MX and Z Series Teleworker Gateway AnyConnect VPN Targeted DoS Vulnerability
13. Cisco Identity Services Engine Information Disclosure Vulnerability CVE-2024-20515 (6.5 medium)
14. Cisco Expressway Series Privilege Escalation Vulnerability CVE-2024-20492 (6.0 medium)

At a glance no mention of exploitation:

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
Neither the Cisco Product Security Incident Response Team (PSIRT) nor the Cisco Meraki Incident Response Team is aware of any malicious use of the vulnerabilities that are described in this advisory.

#cisco #PatchTuesday #vulnerability #meraki #cve

Okay, after reading this email, I can shut down my computer and change jobs:
'Dear colleague, the fact that our software does not function after 24 hours is perfectly expected. It depends on many dependencies, and we do not have complete control over all of them. For this reason, we suggest, as a standard practice, a service restart every 12 hours. This will ensure everything functions correctly.
And as a general recommendation, we always suggest restarting all services (if you are using Docker) or the entire server (if you are using a traditional setup) every 3 days, as systems tend to get bogged down over time and need to be optimized.'

#NoComment #IT #SysAdmin

Google has lost their collective minds.

It's time to name and shame as Eviden, a supposed "next-gen technology leader in data-driven, trusted and sustainable digital transformation" decided to sit on a CVSSv3.1 perfect 10.0 critical vulnerability 🥳 (cc: @cR0w) in Atos Eviden iCare tracked as CVE-2024-42017 for a full year. The CVE was assigned 30 September but this has been known since at least 07 February 2024 (they drafted up a security bulletin on 13 November 2023). The end result? "Given the obsolescence of the product, it was decided not to patch the vulnerabilities..."

In the worst-case scenario, if the application is remotely accessible, it allows an attacker to execute arbitrary commands with system privilege on the endpoint hosting the application, without any authentication.

I think the worst case scenario is using Eviden products. What exactly is iCare? "This product is an administrative tool to manage the hardware of several servers of the Bullion S and BullSequana S family. Its goal is to ease firmware patching and server sensors monitoring."

#vulnerability #CVE

If you're wondering how things are going with the famous #DRM'd Polish trains, well, their manufacturer – #Newag – sued the hackers who had un-blocked them:
https://rys.io/en/175.html

But weirdly, after months of implying and suggesting that the locking code was added to the software by the hackers themselves, in the lawsuit the company now insists they did not in fact modify the software installed on the trains.

Why? Because that would not mesh well with the copyright infringement claim. 🤡

1/🧵