Posts
2590
Following
623
Followers
1381
"I'm interested in all kinds of astronomy."

Happy from Zyxel: Zyxel security advisory for improper privilege management vulnerability in APs and security router devices
CVE-2024-12398 (8.8 high) An improper privilege management vulnerability in the web management interface of the Zyxel WBE530 firmware versions through 7.00(ACLE.3) and WBE660S firmware versions through 6.70(ACGG.2) could allow an authenticated user with limited privileges to escalate their privileges to that of an administrator, enabling them to upload configuration files to a vulnerable device.

There is no mention of exploitation.

0
2
0

Well dang CVE-2025-21298

This bug rates a CVSS 9.8 and allows a remote attacker to execute code on a target system by sending a specially crafted mail to an affected system with Outlook. The specific flaw exists within the parsing of RTF files.

https://www.zerodayinitiative.com/blog/2025/1/14/the-january-2025-security-update-review

2
5
0
@sleepybisexual I generally hate to use Apple devices, but iPod Nano is an exception. To make them work you'll probably need a replacement battery and fight a bit with disassembly/soldering/reassembly, but that's also a kid-compatible activity. For a more hackable but pricy alternative check out Tangara!

Anyhow, if I have time I plan to write up why walkmans may be an even better option for kids!
1
0
0

who came up with january anyway? absolutely awful, useless month, 0/10

14
4
0

Need to trigger BinExport headlessly to batch process patched binaries (using commercial and above)? First, build for a recent dev or stable: https://gist.github.com/psifertex/31d9bc3167eca91e466ebaae4382521c

Next, install the API for headless: https://docs.binary.ninja/dev/batch.html?h=install_api#install-the-api

Finally, automate your exporting using a script taking advantage of the PluginCommand and PluginCommandContext APIs, like the attached image.

0
2
0

Happy from Ivanti: January Security Update
Bottom line up front: "We have no evidence of any of these vulnerabilities being exploited in the wild."
Links:

These are unrelated to the zero-day exploitation of CVE-2025-0282 in the Ivanti Connect Secure, Policy Secure and ZTA Gateways advisory from 08 January 2025.

0
2
0

The rest of the security advisories from Fortinet:

  1. Admin Account Persistence after Deletion CVE-2024-47571 (8.1 high)
  2. Arbitrary file delete on firmware import image feature CVE-2024-33502 (6.5 medium)
  3. Arbitrary file deletion in administrative interface CVE-2024-32115 (5.5 medium)
  4. Arbitrary file write on GUI CVE-2024-36512 (7.2 high)
  5. Blind SQL injection in Update CVE-2024-52969 (4.1 medium)
  6. Blind SQL injection vulnerability CVE-2023-37931 (8.8 high)
  7. CVE-2023-4863 - Heap overflow in Chrome/libwebp CVE-2023-4863 ("7.5 high" / NVD 8.8 high)
    • bruv I recognize a historically exploited zero-day when I see one: CVE-2023-4863
  8. Command injection in csfd daemon CVE-2024-46662 (8.8 high)
  9. Denial of Service in TLS-SYSLOG handler CVE-2024-46667 (7.5 high)
  10. EMS console login under brute force attack does not get locked CVE-2024-23106 (8.1 high)
  11. Exposure of sensitive information in RADIUS Accounting-Request CVE-2024-46665 (3.7 low)
  12. File-Filter Bypass in Explicit Web Proxy Policy CVE-2024-54021 (6.5 medium)
  13. FortiAP - Restricted Shell Escape via CLI Command Injection CVE-2024-26012 (6.7 medium)
  14. FortiWeb - Stack overflow in execute backup command CVE-2024-21758 (6.4 medium)
  15. HTML Content Injection CVE-2024-52967 (3.5 low)
  16. Hardcoded Encryption Key Used for Named Pipe Communication CVE-2024-50564 (3.3 low)
  17. Hardcoded Session Secret Leading to Unauthenticated Remote Code Execution CVE-2023-37936 (9.8 critical)
  18. IPsec dynamic assignation IP spoofing CVE-2023-46715 (5.0 medium)
  19. Improper Neutralization of Formula Elements in a CSV File CVE-2024-47572 (9.0 critical)

Notes: Other than the zero-day CVE-2024-55591, there is no other mention of exploitation.

1
2
0

azonenberg@havequick:/tmp$ cat lulz.txt
2024-09-11 17:45 PDT
Successful extraction of RP2350 antifuse bits by FIB PVC

(Random text here to make hash bruteforcing harder)
fjoinzofkjpogkzpofzkpofkspofzpofkz
azonenberg@havequick:/tmp$ sha256sum lulz.txt
a76433af090ceb77b65b153285478bd615bdd51e26a3dd1d6a386b8e1f2ac362 lulz.txt

https://ioc.exchange/@azonenberg/113121829899435528

2
1
0

Talos Vulnerability Reports

New vulnerability report from Talos:

Wavlink AC3000 wctrls static login vulnerability

https://talosintelligence.com/vulnerability_reports/TALOS-2024-2034

CVE-2024-39754
0
1
0

Talos Vulnerability Reports

New vulnerability report from Talos:

Wavlink AC3000 login.cgi Unauthenticated Firmware Upload vulnerability

https://talosintelligence.com/vulnerability_reports/TALOS-2024-2036

CVE-2024-39608
0
1
0

Happy from your friends at Fortinet: Authentication bypass in Node.js websocket module
CVE-2024-55591 (CVSSv3.1: 9.8 critical) An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS and FortiProxy may allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.

Please note that reports show this is being exploited in the wild.

Indicators of compromise include possible log entries, IP addresses used, and admin accounts created. cc: @GossiTheDog @wdormann @cR0w @briankrebs


5
7
0

DOOM has now been ported to... a PDF!
(Works in browsers)
https://github.com/ading2210/doompdf

2
18
0

Micropatches Released for Windows "LDAPNightmare" Denial of Service Vulnerability (CVE-2024-49113)
https://blog.0patch.com/2025/01/micropatches-released-for-windows.html

1
4
0

Micropatches were issued for fully updated:
- Windows 11 v21H2
- Windows 10 v21H2, v21H1, v20H2, v2004, v1909, v1809, v1803
- Windows 7 - without ESU, or with ESU 1-3
- Windows Server 2012, Server 2012 R2 - without ESU
- Windows Server 2008 R2 - without ESU, or with ESU 1-4

We would like to thank Or Yair (@oryair1999) and Shahak Morag of @safebreach for sharing their analysis and proof-of-concept, which made it possible for us to create a micropatch for this issue. We'd also like to thank the original finder Yuki Chen (@guhe120).

0
4
0

Turns out snprintf() in old Windows C runtimes is documented to have the buffer overflow that no other implementations do. 🤔

https://learn.microsoft.com/en-us/cpp/c-runtime-library/reference/snprintf-snprintf-snprintf-l-snwprintf-snwprintf-l?view=msvc-170#remarks

6
5
0
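The contract the post links to is the one worth seeing in code: the legacy Microsoft _snprintf stores count characters and appends no terminator when the formatted length equals or exceeds count, so a later strlen or printf on that buffer reads past its end. The block below is an added example, not code from the post or from Microsoft: legacy_vsnprintf_emul is an emulation modelled on the documented Remarks (an assumption about behaviour, written against a C99 host whose vsnprintf always terminates), and is_nul_terminated and safe_snprintf are assumed names for the check and the hardened wrapper a reviewer would want around such call sites.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define EMUL_MAX 1024   /* scratch size for the emulation below */

/* Emulation of the legacy _snprintf contract as the Microsoft Remarks
 * describe it (assumption: modelled on the documentation, not on any
 * Microsoft source). With len = length of the formatted output:
 *   len <  count : len chars stored, NUL appended, returns len
 *   len == count : len chars stored, NO NUL appended, returns len
 *   len >  count : count chars stored, NO NUL appended, returns -1
 * The host vsnprintf is only used to format into scratch space. */
int legacy_vsnprintf_emul(char *buf, size_t count, const char *fmt, va_list ap)
{
    char tmp[EMUL_MAX];
    int len = vsnprintf(tmp, sizeof tmp, fmt, ap);
    if (len < 0 || (size_t)len >= sizeof tmp)
        return -1;                              /* format error or too long for the demo */
    if ((size_t)len < count) {
        memcpy(buf, tmp, (size_t)len + 1);      /* fits, terminator included */
        return len;
    }
    memcpy(buf, tmp, count);                    /* every byte of buf used, no NUL */
    return (size_t)len == count ? len : -1;
}

int legacy_snprintf_emul(char *buf, size_t count, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = legacy_vsnprintf_emul(buf, count, fmt, ap);
    va_end(ap);
    return r;
}

/* The check a reviewer wants after any legacy _snprintf call:
 * is there a NUL anywhere in the first `count` bytes? */
int is_nul_terminated(const char *buf, size_t count)
{
    return memchr(buf, '\0', count) != NULL;
}

/* Hardened wrapper: buf is always NUL-terminated on return, whatever the
 * CRT did. Returns the stored length, or -1 if the output was truncated
 * (covering both the len == count and len > count legacy cases). */
int safe_snprintf(char *buf, size_t count, const char *fmt, ...)
{
    if (buf == NULL || count == 0)
        return -1;
    va_list ap;
    va_start(ap, fmt);
    int r = legacy_vsnprintf_emul(buf, count, fmt, ap);   /* stand-in for _snprintf */
    va_end(ap);
    if (r < 0 || (size_t)r >= count) {
        buf[count - 1] = '\0';                  /* force termination, drop last char */
        return -1;
    }
    return r;
}

/* Constructed scenario: an 8-byte buffer and an 8-character string. Returns 1
 * if the legacy contract returned 8 yet left no terminator in the buffer. */
int legacy_leaves_unterminated(void)
{
    char buf[8];
    memset(buf, 'X', sizeof buf);
    int r = legacy_snprintf_emul(buf, sizeof buf, "%s", "ABCDEFGH");
    return r == 8 && !is_nul_terminated(buf, sizeof buf);
}

/* Same constructed input through the hardened wrapper: truncated to
 * "ABCDEFG", terminated, and the truncation is reported. */
int safe_always_terminates(void)
{
    char buf[8];
    memset(buf, 'X', sizeof buf);
    int r = safe_snprintf(buf, sizeof buf, "%s", "ABCDEFGH");
    return r == -1 && strcmp(buf, "ABCDEFG") == 0;
}

int main(void)
{
    printf("legacy leaves buffer unterminated: %d\n", legacy_leaves_unterminated());
    printf("safe wrapper always terminates:    %d\n", safe_always_terminates());
    return 0;
}
```

The point of the emulation is the len == count case: the return value looks like success, so only a terminator check catches it. On a real legacy MSVC build the same pattern applies with _snprintf in place of the emulation: write through a wrapper that forces buf[count - 1] = '\0' and treats any return that is negative or equal to count as truncation.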