FYI: CVE-2024-11053 is *not* a critical security flaw, even if now several security related sites repeat that statement.
This is as good as any reminder that you should read the #curl advisories for #curl issues rather than trusting the scaremongers.
curl.se/docs/CVE-2024-11053.ht…
(edit: I wrote an extra '1' in there at first)
daniel:// stenberg:// (in reply to daniel:// stenberg://):
vulnrichment/2024/11xxx/CVE-2024-11053.json at develop · cisagov/vulnrichment (GitHub)

Frederik Braun (in reply to daniel:// stenberg://):
We had a local password disclosure in Firefox for Android flagged as "remotely exploitable" and therefore "critical". Fixing was easy, at least. Even though I hate how this makes this another thing to care about. github.com/cisagov/vulnrichmen….
Update CVE-2024-11703.json by mozfreddyb · Pull Request #140 · cisagov/vulnrichment (GitHub)

daniel:// stenberg:// (in reply to daniel:// stenberg://):
1. read my description
2. check out these two in CISA's CVSS assessment:
   "attackComplexity": "LOW",
   "attackVector": "NETWORK",
3. then please educate me how "the attack" is done here. I must be missing something.

maswan (in reply to daniel:// stenberg://):
Assume the .netrc is on unsecured NFS over a network that the attacker has already taken over? I guess?
Would probably be easier to manipulate bashrc or authorized_keys or something by that point tho.

Lars Wirzenius (in reply to daniel:// stenberg://):
It's not quite simple, but here's a way to exploit this:
* use an X-ray gun to modify the Linux kernel source tree on Linus's personal machine to add a remote execution bug
* exploit that bug to infiltrate the SSD manufacturer to alter the firmware they put in their devices
* have that malware install firmware on the network card at the network card factory
* let the network card alter downloads of the Bash shell
* the altered Bash shell updates .netrc when curl is invoked
Voila!

Alexandre Dulaunoy (in reply to daniel:// stenberg://):
We added your clarification in vulnerability-lookup.
vulnerability.circl.lu/cve/CVE…
Now I'm wondering if we should not add the ability to propose the author and maintainer to counter any element from a vulnerability description.
@cedric what do you think of it? Not sure how this could be efficiently implemented.
cvelistv5 - CVE-2024-11053 (vulnerability.circl.lu)

Zimmie (in reply to daniel:// stenberg://):
I get why it’s important to have an independent severity rating for security flaws. Vendors are incentivized to downplay the severity. Does anybody think Adobe would have appropriately rated even *half* of the bugs in Flash?
But for the independent ratings to be useful, they need to have high quality with extreme consistency. We certainly don’t seem to be getting that.