harrysintonen

joined 2 years ago
sorted by: new top controversial old
Apparently N-able N-central has critical flaws that are being exploited in the wild. https://www.bleepingcomputer.com/news/security/cisa-warns-of-n-able-n-central-flaws-exploited-in-zero-day-attacks/ in c/cybersecurity@fedia.io
[–] harrysintonen@infosec.exchange 1 points 1 month ago

@gnyman@infosec.exchange No kidding? I can only recommend anyone doing research on N-Able to avoid going through their "bug bounty" program. They actively cite the program rules to shut down disclosure, namely I cannot show how trivial the attack is to pull off by using mitmproxy. So there is no way for me to challenge their obviously flawed scoring of the vulnerability.

ref https://infosec.exchange/@harrysintonen/112999715864274188

2
Apparently N-able N-central has critical flaws that are being exploited in the wild. https://www.bleepingcomputer.com/news/security/cisa-warns-of-n-able-n-central-flaws-exploited-in-zero-day-attacks/ (infosec.exchange)
 

Apparently N-able N-central has critical flaws that are being exploited in the wild. https://www.bleepingcomputer.com/news/security/cisa-warns-of-n-able-n-central-flaws-exploited-in-zero-day-attacks/

I am not surprised at all. Their software security leaves a lot to desire. Recently they downplayed actually critical flaw #CVE_2024_5445 (RCE as SYSTEM via MiTM as "low") as seen here:

https://sintonen.fi/advisories/n-able-ecosystem-agent-improper-certificate-validation.txt

"The vulnerability reported does not constitute an RCE, the Ecosystem agent is designed to run installation packages in a privileged context and the agent is doing what it should do when it receives such packages to install over the APIs."'

#cybersecurity #infosec

6
"HTTP/2 implementations are vulnerable to "MadeYouReset" DoS attack through HTTP/2 control frames (infosec.exchange)
 

"HTTP/2 implementations are vulnerable to "MadeYouReset" DoS attack through HTTP/2 control frames

MadeYouReset exploits a mismatch caused by stream resets between HTTP/2 specifications and the internal architectures of many real-world web servers. This results in resource exhaustion, and a threat actor can leverage this vulnerability to perform a distributed denial of service attack (DDoS)."

https://kb.cert.org/vuls/id/767506

#CVE_2025_8671 #infosec #cybersecurity

A reminder that upgrading your server might shut down parts of the security related components and leave services unintentionally exposed. in c/cybersecurity@fedia.io
[–] harrysintonen@infosec.exchange 3 points 1 month ago* (last edited 1 month ago)

Post mortem:

This issue was made possible by a misconfiguration whereas "AllowOverride none" was used by accident. That made it possible to read the configuration file even though .htaccess file preventing it is in place.

So this in part this specific issue was a mistake by the admin (read: myself). I think it still highlights an issue that could occur in many other ways as well. It is best to restrict network access to servers when upgrading them.

PS: If you can't do things right at least make it possible for others to learn from your mistakes. πŸ™‚

11
A reminder that upgrading your server might shut down parts of the security related components and leave services unintentionally exposed. (fedia.io)
 

A reminder that upgrading your server might shut down parts of the security related components and leave services unintentionally exposed.

Upgrading should not be done without proper filtering of unwanted incoming traffic (via for example a firewall in front of the server).

Here we can see some database passwords and cryptographic secrets exposed during #debian13 upgrade due to PHP being down while the httpd was not.

#infosec #cybersecurity

2
Couple of vulnerabilities I found from #Eaton Rack PDU G4: (infosec.exchange)
 

Couple of vulnerabilities I found from #Eaton Rack PDU G4:

ETN-VA-2025-1002: Multiple vulnerabilities detected in Eaton G4 PDU

#CVE_2025_48393
CVSS v3.1 Base Score – 5.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:L

The server identity check mechanism for firmware upgrade performed via command shell is insecurely implemented potentially allowing an attacker to perform a Man-in-the-middle attack.

#CVE_2025_48394
CVSS v3.1 Base Score – 4.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

An attacker with authenticated and privileged access could modify the contents of a nonsensitive file by traversing the path in the limited shell of the CLI.

These vulnerabilities are fixed in firmware version 3.5.0 and later. It is recommended to upgrade the device firmware as soon as possible.

https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1002.pdf

#infosec #cybersecurity

1
Sudo versions 1.9.14 to 1.9.17 (inclusive) have two critical vulnerabilities: (infosec.exchange)
 

Sudo versions 1.9.14 to 1.9.17 (inclusive) have two critical vulnerabilities:

#cve_2025_32463 #cve_2025_32462 #infosec #cybersecurity

6
Insecure defaults can lead to surprises. When creating FIFO sockets with systemd, be sure to note that SocketMode defaults to 0666 - that is world readable and writable. That is: any local user can (infosec.exchange)
 

Insecure defaults can lead to surprises. When creating FIFO sockets with systemd, be sure to note that SocketMode defaults to 0666 - that is world readable and writable. That is: any local user can communicate with the FIFO. If your FIFO is used to perform privileged operations you must ensure that either the FIFO file itself is located in secured location or set SocketMode to stricter value.

I spotted one such insecure use in cloud-init: the hotplug FIFO was world writable. This is CVE-2024-11584 and fixed in cloud-init 25.1.3.

The commit fixing this is in https://github.com/canonical/cloud-init/pull/6265

#CVE_2024_11584 #ubuntu #systemd #infosec #cybersecurity

1
The timeline in the "SEC Consult SA-20250611-0 :: Undocumented Root Shell Access on SIMCom SIM7600G Modem" advisory is mind blowing: (infosec.exchange)
 

The timeline in the "SEC Consult SA-20250611-0 :: Undocumented Root Shell Access on SIMCom SIM7600G Modem" advisory is mind blowing:

https://seclists.org/fulldisclosure/2025/Jun/17

#CVE_2025_26412 #infosec #cybersecurity #vulnerability

21
If you're creating an application that displays URLs to users (chat app for example), please make sure to apply spoof checks to avoid use of UTF-8 confusables in IDN homograph attacks. You may want to (infosec.exchange)
 

If you're creating an application that displays URLs to users (chat app for example), please make sure to apply spoof checks to avoid use of UTF-8 confusables in IDN homograph attacks. You may want to block URLs with hostnames that get flagged, or display them in #punycode instead.

As an example, see https://github.com/chromium/chromium/tree/main/components/url_formatter/spoof_checks

In particular https://github.com/chromium/chromium/blob/8e070073d47861b8bfc7548dce8fcfc708a356fb/components/url_formatter/spoof_checks/idn_spoof_checker.cc#L177 is quite interesting read.

#cybersecurity #infosec

6
If there were a single thing I'd want to convey to potential future #cybersecurity professionals: Hacking is fun, but reporting is the most important part. (infosec.exchange)
 

If there were a single thing I'd want to convey to potential future #cybersecurity professionals: Hacking is fun, but reporting is the most important part.

You can be the best hacker in the world, but all that is in vain if you can't convey what you did and how to prevent it.

You should spend time getting better at reporting, along with the technical skills.

#thoughtoftheday

21
Today Finland is voting in county and municipal #elections. Unsurprisingly the idiot Russian "hacking crew" is DDoSing websites of the political parties. (infosec.exchange)
 

Today Finland is voting in county and municipal #elections. Unsurprisingly the idiot Russian "hacking crew" is DDoSing websites of the political parties.

Newsflash: The voting is pen & paper. No websites are involved in the voting process. You gain absolutely nothing by DDoSing the party websites.

#infosec #cybersecurity

2
In case you haven't noticed #nis2directive is in effect in Finland now: (infosec.exchange)
 

In case you haven't noticed #nis2directive is in effect in Finland now:

"Finnish Parliament has passed the government proposal for a national #Cybersecurity Act to implement the EU Cybersecurity Directive (NIS 2 Directive). As regards public administration, the relevant requirements included in the Directive are laid down in the Act on Information Management in Public Administration."

Interestingly this also increases the duties and responsibilities of The Finnish Transport and Communications Agency Traficom:

"The Cybersecurity Act also entails new supervisory duties for Traficom compared to the old NIS Directive. In future, Traficom will be the competent authority supervising cybersecurity issues also in the following sectors: postal and courier services, space, public administration, managed service providers, managed security service providers, research, and the manufacture of vehicles and other transport equipment."

ref: https://traficom.fi/en/news/cybersecurity-act-passed-parliament-obligations-under-nis-2-directive-enter-force-8-april-2025

The fallout from the malicious tj-actions/changed-files is still being investigated. It is fortuitous that this malicious commit was identified fairly quickly, as further compromise of major OSS in c/cybersecurity@fedia.io
[–] harrysintonen@infosec.exchange 2 points 6 months ago* (last edited 6 months ago)

@jerry It largely depends on how well the initial impact is cleaned up. I'm hoping we won't see a ton of backdoors in various components next.

4
The fallout from the malicious tj-actions/changed-files is still being investigated. It is fortuitous that this malicious commit was identified fairly quickly, as further compromise of major OSS (infosec.exchange)
 

The fallout from the malicious tj-actions/changed-files is still being investigated. It is fortuitous that this malicious commit was identified fairly quickly, as further compromise of major OSS components and projects could lead to a kind of chain reaction.

#infosec #cybersecurity

#curl predecessor httpget 0.2 from around 1996/1997 is 165 lines. Needless to say, it has multiple critical security vulnerabilities. How many can you spot? in c/cybersecurity@fedia.io
[–] harrysintonen@infosec.exchange 1 points 7 months ago* (last edited 7 months ago)

The httpget 0.2 doesn't quite work in the form it was uploaded.

First it uses hardcoded argv, argc instead of getting from the app invocation (as args in main, the code uses void main).

Second obtaining any data from the socket will result in the app stopping and leaving behind an empty file (if (nread) break;).

This program could never download anything. It is likely some work in progress or modified test version of httpget. Since it includes some windows specific headers and has disabled the unix ones I can only presume it was some earlier attempt to get the tool running on windows.

So while the code has a local stack buffer overflow it can't be triggered for this early version.

As expected #Apple has nuked Advanced Data Protection (ADP) for UK users. What does this mean in practice? UK govt will be able to decrypt all UK user's #iCloud data at will. in c/cybersecurity@fedia.io
[–] harrysintonen@infosec.exchange 1 points 7 months ago

If this trend continues, we will be losing the ability to use secure means of communication with UK friends and colleagues. For example, #signalapp will rather get out of the UK than add backdoors: https://www.bbc.com/news/technology-64584001

#Nordnet - nordic digital platform for savings and investments - had an issue where people could see each others information. The website has been taken down for now. in c/cybersecurity@fedia.io
#Nordnet - nordic digital platform for savings and investments - had an issue where people could see each others information. The website has been taken down for now. in c/cybersecurity@fedia.io
[–] harrysintonen@infosec.exchange 1 points 7 months ago

#Nordnet services appear to be back.

#Nordnet - nordic digital platform for savings and investments - had an issue where people could see each others information. The website has been taken down for now. in c/cybersecurity@fedia.io
[–] harrysintonen@infosec.exchange 1 points 7 months ago (2 children)

Nordnet has a lot of technical issues to sort out. If the malfunction allowed unauthorized parties to operate the accounts it will be quite messy to sort out.

Among with technical part, they will have to deal with the regulatory issues, in particular the Financial Supervisory Authority. They will demand answers.

#cURL doesn't validate SSH host identity if known_hosts file is missing. I think this is a #vulnerability, but the project disagrees. Advisory is here: in c/cybersecurity@fedia.io
[–] harrysintonen@infosec.exchange 2 points 8 months ago

@SatyrSack@feddit.org Curl will likely address this eventually even though they don't consider it a vulnerability. See https://github.com/curl/curl/issues/16197

#cURL doesn't validate SSH host identity if known_hosts file is missing. I think this is a #vulnerability, but the project disagrees. Advisory is here: in c/cybersecurity@fedia.io
[–] harrysintonen@infosec.exchange 3 points 8 months ago

The latest curl version 8.12.0 (released today) is affected.

Apparently there's a major #vulnerability in #AMD CPUs: "AMD Microcode Signature Verification Vulnerability." in c/cybersecurity@fedia.io
A company appears to be abusing #BugCrowd’s #bugbounty program to hide essential details of a critical vulnerability. The company itself has rated the vulnerability as low severity. This has led many in c/cybersecurity@fedia.io
[–] harrysintonen@infosec.exchange 1 points 8 months ago

The company doing this is https://www.n-able.com/ - here's are the details: https://sintonen.fi/advisories/n-able-ecosystem-agent-improper-certificate-validation.txt

...except for the PoC exploit which is insanely simple to pull off. Anyone with #mitmproxy and half a brain can do it.

view more: next β€Ί