adulau, to random
@adulau@infosec.exchange

We are still at the stage where the ISO standards body sells the document behind a paywall, and it cannot be redistributed.

ISO/IEC 30111:2019 Information technology — Security techniques — Vulnerability handling processes

Maybe it's time to use the IETF to publish such a standard and not ISO.

hdm, to random
@hdm@infosec.exchange

I am super excited to speak at Black Hat USA this year with Rob King (@lorddimwit). Our work, "Secure Shells in Shambles", dives deep into the Secure Shell protocol, its popular implementations, what's changed, what hasn't, and how this leads to unexpected vulnerabilities and novel attacks. An open source tool, dubbed "sshamble", will be demonstrated, which reproduces these attacks and opens the door for further research.

Some of the announced talks that I am looking forward to include:

  • Super Hat Trick: Exploit Chrome and Firefox Four Times: Nan Wang, Zhenghang Xiao, & Xuehao Guo

  • Securing Network Appliances: New Technologies and Old Challenges: Vladyslav Babkin

  • Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server!: Orange Tsai

  • Listen to the Whispers: Web Timing Attacks that Actually Work: James Kettle

  • Project Zero: Ten Years of 'Make 0-Day Hard': Natalie Silvanovich

  • Nope, S7ill Not Secure: Stealing Private Keys From S7 PLCs: Nadav Adir, Alon Dankner, Eli Biham, Sara Bitan, Ron Freudenthal, Or Keret

  • Listen Up: Sonos Over-The-Air Remote Kernel Exploitation and Covert Wiretap: Alex Plaskett, Robert Herrera

  • Bugs of Yore: A Bug Hunting Journey on VMware's Hypervisor: Zisis Sialveras

  • Crashing the Party: Vulnerabilities in RPKI Validation: Niklas Vogel, Donika Mirdita, Haya Schulmann, Michael Waidner

  • OVPNX: 4 Zero-Days Leading to RCE, LPE and KCE (via BYOVD) Affecting Millions of OpenVPN Endpoints Across the Globe: Vladimir Tokarev

  • Surveilling the Masses with Wi-Fi Positioning Systems: Erik Rye

  • Terrapin Attack: Breaking SSH Channel Integrity by Sequence Number Manipulation: Fabian Bäumer

alice_watson, to random
@alice_watson@infosec.exchange

"There are no ways to prevent such attacks"

Well that's concerning...

"except when the user's VPN runs on Linux or Android"

Oh. Well then.

https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/

simontatham, to random
@simontatham@hachyderm.io

We've released version 0.81. This is a SECURITY UPDATE, fixing a in ECDSA signing for .

If you've used a 521-bit ECDSA key (ecdsa-sha2-nistp521) with any previous version of PuTTY, consider it compromised! Generate a new key pair, and remove the old public key from authorized_keys files.

Other key types are not affected, even other sizes of ECDSA. In particular, Ed25519 is fine.

This vulnerability has id CVE-2024-31497. Full information is at https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html
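A defensive check for the clean-up step in the post above, added here as an example (it is not code from the post or from the PuTTY project): it lists every `ecdsa-sha2-nistp521` entry in `authorized_keys` text so the old public keys can be reviewed and removed. The function names and the sample keys are constructed for illustration, and the check flags all P-521 entries because the file cannot show which client a key was used with.

```python
import base64
import re
import struct

AFFECTED = "ecdsa-sha2-nistp521"  # key type named in the post
# A field is a run of non-space characters; double-quoted option values may hold spaces.
FIELD = re.compile(r'(?:[^\s"]|"(?:\\.|[^"\\])*")+')

def blob_key_type(b64):
    """Return the algorithm name stored at the start of an SSH public key blob."""
    try:
        raw = base64.b64decode(b64, validate=True)
        (n,) = struct.unpack(">I", raw[:4])
        return raw[4:4 + n].decode("ascii")
    except (ValueError, struct.error):
        return None

def find_p521_keys(text):
    """Return (line_number, comment) for each nistp521 ECDSA entry in the text."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = FIELD.findall(line)
        if not fields or fields[0].startswith("#"):
            continue
        start = 0 if fields[0] == AFFECTED else 1  # skip a leading options field
        if fields[start:start + 1] != [AFFECTED] or len(fields) < start + 2:
            continue
        # Require the blob's embedded type to agree with the declared type.
        if blob_key_type(fields[start + 1]) == AFFECTED:
            hits.append((no, " ".join(fields[start + 2:])))
    return hits

def fake_blob(name):
    """Constructed placeholder blob: type header plus filler bytes, not a real key."""
    body = struct.pack(">I", len(name)) + name.encode() + b"\0" * 8
    return base64.b64encode(body).decode()

# Constructed sample authorized_keys content (hypothetical users, placeholder blobs).
SAMPLE = "\n".join([
    "# constructed sample",
    "ssh-ed25519 " + fake_blob("ssh-ed25519") + " alice@laptop",
    AFFECTED + " " + fake_blob(AFFECTED) + " bob@putty",
    'command="echo \\"hi there\\"",no-pty ' + AFFECTED + " " + fake_blob(AFFECTED) + " backup job",
    "ecdsa-sha2-nistp256 " + fake_blob("ecdsa-sha2-nistp256") + " carol@desk",
])

if __name__ == "__main__":
    for line_no, comment in find_p521_keys(SAMPLE):
        print(f"line {line_no}: {AFFECTED} key ({comment})")
```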

simontsui, to random
@simontsui@infosec.exchange

CERT-EU warns of an exploited zero-day for Palo Alto Networks: CVE-2024-3400 (10.0 critical, disclosed 12 April 2024) command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software. Affected versions are PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1. This zero-day is NOT patched yet, and hotfix releases will be made available starting 14 April 2024. 🔗 https://cert.europa.eu/publications/security-advisories/2024-037/ and original Palo Alto Networks security advisory: https://security.paloaltonetworks.com/CVE-2024-3400

simontsui OP
@simontsui@infosec.exchange

Hot off the press! CISA adds CVE-2024-3400 (10.0 critical, disclosed 12 April 2024, PAN-OS: OS Command Injection Vulnerability in GlobalProtect Gateway) to the Known Exploited Vulnerabilities (KEV) Catalog 🔗 https://www.cisa.gov/news-events/alerts/2024/04/12/cisa-adds-one-known-exploited-vulnerability-catalog

simontsui OP
@simontsui@infosec.exchange

Just to make it easier to read through the various reports (saying almost the same exact thing), I've assembled a Palo Alto Networks zero-day MEGA list:

UPDATE: Volexity and Unit 42 talk about the threat actor, campaign, and include indicators of compromise:

Here's the rest of the related reporting:

simontsui OP
@simontsui@infosec.exchange

CISA put out an additional security alert about CVE-2024-3400, noting that Palo Alto Networks released workaround guidance for the command injection vulnerability. 🔗 https://www.cisa.gov/news-events/alerts/2024/04/12/palo-alto-networks-releases-guidance-vulnerability-pan-os-cve-2024-3400

simontsui OP
@simontsui@infosec.exchange

It should come as no surprise that Palo Alto Networks did not release hotfixes* for affected versions of PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11 by the self-imposed deadline of Sunday 14 April 2024 like they estimated in their security advisory. 48 hours to develop/test/release is a tight delivery window with the whole infosec community breathing down their necks.

adulau, to random
@adulau@infosec.exchange

For the past few months, we have been working at CIRCL (Computer Incident Response Center Luxembourg) to develop an aggregated view of vulnerabilities. This is particularly in response to the recent fragmentation of sources due to regulations, vendors providing their own feeds, and the addition of sources such as the CISA known vulnerability list.

The project, known as 'vulnerability-lookup,' is also an open-source initiative. We offer an online version for user convenience. It already includes more than 15 sources, such as the NIST NVD CVE, CVEProject's cvelist, Cloud Security Alliance, GitHub Advisory Database, PySec Advisory Database, OpenSSF Malicious Packages, and the CSAF (OASIS) sources like Siemens, CERT-Bund, or Cisco.

🔗 https://vulnerability.circl.lu/recent
GitHub: https://github.com/cve-search/vulnerability-lookup

Thanks to @rafi0t for the crazy work of fighting with the different formats.

@circl
