"I'm interested in all kinds of astronomy."
New assessment for topic: CVE-2024-9464

Topic description: "An OS command injection vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls. ..."

"Note: While this is an authenticated exploit, CVE-2024-5910 affects the same versions and allows an attacker to reset the admin password to allow authentication. ..."

Link: https://attackerkb.com/assessments/911948de-467d-4804-b97d-d943203fae60

EDIT: Hey y'all who've already boosted this! Sorry for the ping. 🙃 But I was a silly git and posted this from my personal account, not expecting it to take off like it did. If you'd like to follow my efforts and possibly support my work, follow me @ClarusPlusPlus@peoplemaking.games or @HadroSoft. Thanks! 😊

---- Original toot follows ----

Remember when Stewart Cheifet and Bruce Tognazzini got miniaturized and put inside an Apple IIe to teach us how computers work?

*wistful sigh*

Technology used to be fun and not scary


Happy Patch Tuesday to those who celebrate.


lmao. so intel couldn't use their own new fab to do their latest chips, right.

so they went to tsmc. and negotiated a 40% discount somehow. and then told their customers you can't trust tsmc because they're close to china.

mr tsmc was like "what a discourteous fellow" and refused to honour the discount 😂


E-crime groups have realised at scale three things in the past year:

A) orgs aren’t very good at applying patches for defective SSL VPN products

B) security vendors are negligently and knowingly shipping defective SSL VPN products

C) many orgs aren’t mandating MFA for VPN 100% of the time

It’s driving a lot of the incidents going on in the past year.


vArmor

vArmor is a cloud native container sandbox system based on AppArmor/BPF/Seccomp. It also includes multiple built-in protection rules that are ready to use out of the box.

https://github.com/bytedance/vArmor

[RSS] Ruby SAML CVE-2024-45409: As bad as it gets and hiding in plain sight

https://workos.com/blog/ruby-saml-cve-2024-45409

I will present about file formats at the CCC (ten years after 31c3's "Funky file formats").
https://speakerdeck.com/ange/funky-file-formats-31c3


Indo-Pacific News - Geo-Politics & Defense

has officially unveiled its new 5th-generation stealth fighter, the J-35A, at the Zhuhai Air Show

Images show a comparison with the US F-35.

The J-35A is a customized copy of the F-35. China hacked a British defence company and stole the F-35 blueprints a number of years ago. This is the result of that.


We've just released our 2024-Q3 edition of ThinkstScapes: https://thinkst.com/ts

For this issue, we went through ~5000 info-sec research talks, papers, presentations & blogs.

The website includes PDF & ePub links (and a brief audio summary).

As always: completely free...


Amazon has confirmed a data breach impacting employee data.

The confirmation comes after a hacker claimed to leak data from a bunch of major organizations, including Amazon, which they say is linked to last year's MOVEit mass-hacks

https://techcrunch.com/2024/11/11/amazon-confirms-employee-data-stolen-after-hacker-claims-moveit-breach/

Exploiting KsecDD through Server Silos – SCRT Team Blog
https://blog.scrt.ch/2024/11/11/exploiting-ksecdd-through-server-silos/
SBFT'25 Fuzzing Competition

https://sbft25.github.io/tools/fuzzing

"Unlike previous years, we will favour fuzzers which are better at discovering novel edges and will accept existing fuzzers as submissions"

/by @addison

Happy to announce the SBFT'25 fuzzing competition! Unlike previous years, we will favour fuzzers which are better at discovering novel edges and will accept existing fuzzers as submissions, so there is no excuse to not join in :^)

Register and find details here:
https://sbft25.github.io/tools/fuzzing


I no like e-waste, I no like LLM, but the numbers in the DW article do not look right. As per WHO, 62 million tons of waste were created in 2022; so cumulative 5 million tons by 2030 could not mean "around 1,000 times more e-waste than was produced in 2023".

Interestingly, the paper argues we need to "prolong, reuse, and recycle generative AI hardware", and I think we probably should not have manufactured it in the first place.

WHO: https://www.who.int/news-room/fact-sheets/detail/electronic-waste-%28e-waste%29

https://mastodon.social/@dw_innovation/113463890083280062

@qwertyoruiop To be fair in Idiocracy there was also a whole apparatus of idiots under the president who worked against the smart guy (not very efficiently though) including ministers, the judicial system and the police.

Here’s the recording of my Bluehat talk Pointer Problems - Why we’re refactoring the windows kernel https://youtu.be/-3jxVIFGuQw?si=3Q30ziJBBVv4ZbAU

[RSS] The case of a program that crashed on its first instruction

https://devblogs.microsoft.com/oldnewthing/20241108-00/?p=110490