The CrowdStrike Outage and Market-Driven Brittleness

https://www.schneier.com/blog/archives/2024/07/the-crowdstrike-outage-and-market-driven-brittleness.html

Our UEFI support added in 3.5 continues to improve! 4.1 released last week adds TE support, platform types for SMM, PEI, and PPI and updates to EFI Resolver.

https://binary.ninja/2024/07/17/4.1-elysium.html#uefi-enhancements

And we're not done, keep an eye out for an in-progress blog post with more details.

New OpenSecurityTraining2 mini-class: "Debuggers 1102: Introductory Ghidra" https://p.ost2.fyi/courses/course-v1:OpenSecurityTraining2+Dbg1102_IntroGhidra+2024_v2/about

Binarly's PKFail:
Yet another way that SecureBoot is broken. This time it's due to manufacturers like Acer, Dell, Gigabyte, Fujitsu, HP, Intel, Lenovo, and SuperMicro using test/public keys to secure the kingdom. (The Platform Key (PK))
https://www.binarly.io/blog/pkfail-untrusted-platform-keys-undermine-secure-boot-on-uefi-ecosystem

Surely my no-name (Beelink) cheapo Chinese PC does the right thing, right?

Oh...

"DO NOT TRUST - AMI Test PK"

Nobody could possibly know what that could imply.
N O B O D Y

Cloud nerds will enjoy this. Cryptographer Tal Be'ery reverse engineered AWS session tokens and has a detailed write-up.

https://medium.com/@TalBeerySec/revealing-the-inner-structure-of-aws-session-tokens-a6c76469cba7

In June, we disclosed several vulnerabilities in the Deep Sea Electronics DSE855. Today, ZDI analyst @infosecdj provides his in-depth analysis of the bugs and their root causes. He includes the timeline for disclosure. https://www.zerodayinitiative.com/blog/2024/7/25/multiple-vulnerabilities-in-the-deep-sea-electronics-dse855

Running an ARM Linux machine but still want to do RE? Or maybe you're a sad apple silicon user who misses running native VMs you could use your regular tooling in. With Binary Ninja 4.1, our stable branch includes ARM Linux support!

https://binary.ninja/2024/07/17/4.1-elysium.html#linux-arm-builds

In the trenches, security and IT teams are the real heroes. The CrowdStrike incident crashed 8.5M Windows devices, and IT worked around the clock to restore systems. But did they get the recognition they deserved from leadership? Too often, their efforts go unnoticed while facing unrealistic expectations. As leaders, we must have their backs - publicly appreciate their work, ensure they have resources, and advocate for them to the C-suite. That's how we build resilient, high-performing teams.

Progress Telerik security advisories (edit: plural):

• Insecure Deserialization Vulnerability - CVE-2024-6327 (9.9 critical, disclosed 24 July 2024) In Progress Telerik Report Server versions prior to 2024 Q2 (10.1.24.709), a remote code execution attack is possible through an insecure deserialization vulnerability.
• Object Injection Vulnerability - CVE-2024-6096 In Progress Telerik Reporting versions prior to 18.1.24.709, a code execution attack is possible through object injection via an insecure type resolution vulnerability.

No mention of exploitation.

Why you should care about CVE-2024-6327: FIVE Telerik vulnerabilities are known exploited vulnerabilities, TWO specifically called Progress Telerik. One in particular, CVE-2019-18935, is a deserialization of untrusted data vulnerability. This is the same one exploited against the U.S. government last year as noted by CISA on 15 June 2023: Threat Actors Exploit Progress Telerik Vulnerabilities in Multiple U.S. Government IIS Servers. Patch your Teleriks.

cc: @cR0w @tas50 @campuscodi

#CVE_2024_6327 #Telerik #vulnerability #CVE

[RSS] Injecting Java in-memory payloads for post-exploitation

https://www.synacktiv.com/en/publications/injecting-java-in-memory-payloads-for-post-exploitation

[RSS] Pwn2Own Automotive: Popping the CHARX SEC-3100

https://blog.ret2.io/2024/07/24/pwn2own-auto-2024-charx-exploit/

[RSS] On ColdFusion Administrator Access Control Bypass Techniques

https://www.hoyahaxa.com/2024/07/on-coldfusion-administrator-access.html

[RSS] Battle of the parsers: PEG vs combinators

https://www.synacktiv.com/en/publications/battle-of-the-parsers-peg-vs-combinators

A bit more gasoline to pour into Clownstrike's fire... ;-)

https://www.bitsight.com/blog/crowdstrike-timeline-mystery

Anyone can Access Deleted and Private Repository Data on GitHub ◆ Truffle Security Co.
https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github

EU MEP accusing #Hungary for trying to infect his phone with spyware:

https://www.politico.eu/newsletter/brussels-playbook/orban-critic-mep-targeted-with-spyware/

Hungarian news talk about Pegasus, but this seems wrong as the Politico article mentions #Candiru (tech journalism at its best...).

Also the accusation is not supported by evidence, and frankly I wouldn't expect that even our gov is this stupid.

Pwnie Awards Nominations 2024

https://docs.google.com/document/d/13Jdwlw-jvdBI3N6JSZZqHTmj9rvld7WvhGykvDcE5x0/mobilebasic?s=09

Congrats @nachoskrnl for being nominated @pwnieawards for his 3-episode research work on Windows paths - well deserved (yes, I nominated it:)).
https://x.com/PwnieAwards/status/1815894380789592298

https://bird.makeup/@pwnieawards/1815894380789592298

In case you don't feel like untangle the #CrowdStrike post-mortem, this is the gist of it:

"Based on the testing performed before the initial deployment of the Template Type (on March 05, 2024), trust in the checks performed in the Content Validator, and previous successful IPC Template Instance deployments, these instances were deployed into production."

In other words they simply didn't do e2e tests on the problematic update data that triggered the bug in their parser, because prev updates worked fine.

We still don't know how the malformed Template Instances were produced.

Something I've had on my list for quite some time and finally got around to now: updating the HowFuzzilliWorks document: https://github.com/googleprojectzero/fuzzilli/blob/main/Docs/HowFuzzilliWorks.md

Besides a number of smaller changes (e.g. new mutators), the design of the HybridEngine has changed considerably since the document was initially written.

Happy fuzzing!