I am super excited to speak at Black Hat USA this year with Rob King (@lorddimwit). Our work, "Secure Shells in Shambles", dives deep into the Secure Shell protocol, its popular implementations, what's changed, what hasn't, and how this leads to unexpected vulnerabilities and novel attacks. An open source tool, dubbed "sshamble", will be demonstrated, which reproduces these attacks and opens the door for further research.
We've released #PuTTY version 0.81. This is a SECURITY UPDATE, fixing a #vulnerability in ECDSA signing for #SSH.
If you've used a 521-bit ECDSA key (ecdsa-sha2-nistp521) with any previous version of PuTTY, consider it compromised! Generate a new key pair, and remove the old public key from authorized_keys files.
Other key types are not affected, even other sizes of ECDSA. In particular, Ed25519 is fine.
CERT-EU warns of an exploited zero-day for Palo Alto Networks: CVE-2024-3400 (10.0 critical, disclosed 12 April 2024) command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software. Affected versions are PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1. This zero-day is NOT patched yet, and hotfix releases will be made available starting 14 April 2024. 🔗 https://cert.europa.eu/publications/security-advisories/2024-037/ and original Palo Alto Networks security advisory: https://security.paloaltonetworks.com/CVE-2024-3400
Just to make it easier to read through the various reports (saying almost the same exact thing), I've assembled a Palo Alto Networks zero-day MEGA list:
It should come as no surprise that Palo Alto Networks did not release hotfixes* for affected versions of PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11 by the self-imposed deadline of Sunday 14 April 2024 like they estimated in their security advisory. 48 hours to develop/test/release is a tight delivery window with the whole infosec community breathing down their necks.
For the past few months, we have been working at CIRCL (Computer Incident Response Center Luxembourg) to develop an aggregated view of vulnerabilities. This is particularly in response to the recent fragmentation of sources due to regulations, vendors providing their own feeds, and the addition of sources such as the CISA known vulnerability list.
The project, known as 'vulnerability-lookup,' is also an open-source initiative. We offer an online version for user convenience. It already includes more than 15 sources, such as the NIST NVD CVE, CVEProject's cvelist, Cloud Security Alliance, GitHub Advisory Database, PySec Advisory Database, OpenSSF Malicious Packages, and the CSAF (OASIS) sources like Siemens, CERT-Bund, or Cisco.