Conversation

    screaminggoat (screaminggoat@infosec.exchange)'s status on Thursday, 13-Feb-2025 03:41:58 JST

    Happy Patch Tuesday to those still suffering. All new security advisories from today will be posted under this toot as a conversation.

      screaminggoat (screaminggoat@infosec.exchange)'s status on Thursday, 13-Feb-2025 03:41:54 JST

      Happy #PatchTuesday from Palo Alto Networks (LIKELY ZERO-DAYS):
      (Note: PAN likes to downplay severity by showing the base + threat metrics CVSSv4 score. I listed base score only)

      1. CVE-2025-0113 (CVSSv4.0: 7.6 high) Cortex XDR Broker VM: Unauthorized Access to Broker VM Docker Containers
      2. CVE-2025-0112 (CVSSv4: 6.8 medium) Cortex XDR Agent: Local Windows User Can Disable the Agent
      3. CVE-2025-0110 (CVSSv4.0: 8.6 high) PAN-OS OpenConfig Plugin: Command Injection Vulnerability in OpenConfig Plugin
        • Exploit Maturity: POC 🤔
      4. PAN-SA-2025-0005 GlobalProtect Clientless VPN: Same-Origin Policy Does Not Apply When Using Clientless VPN
      5. PAN-SA-2025-0004 Chromium: Monthly Vulnerability Update (February 2025) (multiple CVEs)
      6. CVE-2025-0109 (CVSSv4: 6.9 medium) PAN-OS: Unauthenticated File Deletion Vulnerability on the Management Web Interface
        • Exploit Maturity: POC 🤔
      7. CVE-2025-0111 (CVSSv4: 7.1 high) PAN-OS: Authenticated File Read Vulnerability in the Management Web Interface
      8. EDIT: NEW! CVE-2025-0108 (CVSSv4: 8.8 high) PAN-OS: Authentication Bypass in the Management Web Interface

      Palo Alto Networks is not aware of any malicious exploitation of this issue.

      My new concern is whether I should say #zeroday for CVE-2025-0110 and 0109. Based on the FIRST criteria for Exploit Maturity:

      Based on threat intelligence sources each of the following must apply:

      • Proof-of-concept is publicly available
      • No knowledge of reported attempts to exploit this vulnerability
      • No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability

      #paloaltonetworks #infosec #vulnerability #cve #cybersecurity #poc #proofofconcept

      screaminggoat (screaminggoat@infosec.exchange)'s status on Thursday, 13-Feb-2025 03:41:54 JST

      Assetnote: Nginx/Apache Path Confusion to Auth Bypass in PAN-OS (CVE-2025-0108)
      If I'm reading this correctly, Assetnote dropped vulnerability details and proof of concept for CVE-2025-0108 (CVSSv4: 8.8 high) PAN-OS: Authentication Bypass in the Management Web Interface. They are describing this as a zero-day auth bypass, but it should be called "patch bypass." See related PAN security advisory.

      Fun operational mistake: Assetnote wrote "This vulnerability was fixed in versions xx and yy and assigned CVE zz." in their conclusion.

      #paloaltonetworks #CVE_2025_0108 #infosec #vulnerability #cve #cybersecurity #poc #proofofconcept

      feld (feld@friedcheese.us)'s status on Thursday, 13-Feb-2025 03:41:54 JST

      @screaminggoat Why do people build things like this? It's crazy.

      screaminggoat (screaminggoat@infosec.exchange)'s status on Thursday, 13-Feb-2025 03:41:55 JST
      in reply to cR0w :cascadia:

      RE: Fortinet's CVE-2024-24472
      Bleeping Computer: Fortinet discloses second firewall auth bypass patched in January

      Update 2/11/25 07:32 PM ET: After publishing our story, Fortinet has informed us that the new CVE-2025-24472 flaw added to FG-IR-24-535 today is not a zero-day and was already fixed in January.

      @cR0w I called it 💪 Not a zero-day.

      #fortinet #cve #infosec #cybersecurity #vulnerability

      screaminggoat (screaminggoat@infosec.exchange)'s status on Thursday, 13-Feb-2025 03:41:55 JST

      Happy #PatchTuesday with GitLab: GitLab Patch Release: 17.8.2, 17.7.4, 17.6.5
      8 CVEs (1 high severity, 7 medium). At a glance, no mention of exploitation.

      #gitlab #cve #vulnerability #infosec #cybersecurity

      screaminggoat (screaminggoat@infosec.exchange)'s status on Thursday, 13-Feb-2025 03:41:56 JST

      CISA: CISA Adds Four Known Exploited Vulnerabilities to Catalog

      • CVE-2025-21418 (7.8 high) Microsoft Windows Ancillary Function Driver for WinSock Heap-Based Buffer Overflow Vulnerability
      • CVE-2025-21391 (7.1 high) Microsoft Windows Storage Link Following Vulnerability
      • CVE-2024-40890 (8.8 high) Zyxel DSL CPE OS Command Injection Vulnerability
      • CVE-2024-40891 (8.8 high) Zyxel DSL CPE OS Command Injection Vulnerability

      The Zyxel stuff is not new, but since the Microsoft zero-days are part of #PatchTuesday, I'm including them in this conversation.

      #cisa #kev #cisakev #KnownExploitedVulnerabilitiesCatalog #vulnerability #zeroday #eitw #activeexploitation #infosec #cybersecurity #cve

      screaminggoat (screaminggoat@infosec.exchange)'s status on Thursday, 13-Feb-2025 03:41:56 JST
      in reply to BleepingComputer

      Happy #PatchTuesday: Exploited Fortinet zero-day??? FG-IR-24-535
      CVE-2025-24472 (8.1 high) Authentication bypass in Node.js websocket module and CSF requests
      If this security advisory looks familiar, that's because it belongs to the previous Fortinet exploited zero-day CVE-2024-55591 (9.6 critical). This was tacked onto the same advisory, with no context other than the changelog:

      2025-02-11: Added CVE-2025-24472 and its acknowledgement

      @BleepingComputer seems to think it is ("Fortinet warns of new zero-day exploited to hijack firewalls"), but I'm skeptical.

      #fortinet #infosec #CVE_2024_55591 #vulnerability #cve #CVE_2025_24472 #cybersecurity #eitw #activeexploitation #zeroday

      screaminggoat (screaminggoat@infosec.exchange)'s status on Thursday, 13-Feb-2025 03:41:56 JST

      Subtoot about the Fortinet zero-day. Those infosec publications are running WILD calling it an exploited zero-day (complete with a backstory) with absolutely no evidence. Are we reading the same security advisory? What the fuck are you guys conjuring up and extrapolating from "2025-02-11: Added CVE-2025-24472 and its acknowledgement"?

      EDIT: You've heard of "patch-diffing." Get ready for advisory-diffing:
      https://web.archive.org/web/20250114161659/https://fortiguard.fortinet.com/psirt/FG-IR-24-535 (14 January 2025)
      versus https://fortiguard.fortinet.com/psirt/FG-IR-24-535 (11 February 2025):

      • An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS and FortiProxy may allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module or via crafted CSF proxy requests.
      • Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool
      • Please note that the above IP parameters are under attacker control and therefore can be any other IP address. These are not the actual source IP addresses of the attack traffic; they are generated arbitrarily by the attacker as a parameter. Because of this they should not be used for any blocking.
      • edit 2set intf "allany"
      • Please note as well that an attacker needs to know an admin account's username to perform the attack and log in the CLI. Therefore, having a non-standard and non-guessable username for admin accounts does offer some protection, and is, in general, a best practice. Keep in mind however that the targeted websocket not being an authentication point, nothing would prevent an attacker from bruteforcing the username.
      • CSF requests issue: Disable Security Fabric from the CLI:
        config system csf
          set status disable
        end

      Some of these are explained in the changelog, but I wanted to be certain.

      screaminggoat (screaminggoat@infosec.exchange)'s status on Thursday, 13-Feb-2025 03:41:57 JST

      Happy #PatchTuesday from Fortinet:

      1. FG-IR-24-422 CVE-2024-52966 (2.3 low) Disclosure of Logs of Devices not belonging to the Current ADOM from Log View
      2. FG-IR-23-261 CVE-2023-40721 (6.7 medium) FortiOS / FortiProxy / FortiPAM / FortiSwitchManager - Format string vulnerability in CLI commands
      3. FG-IR-24-300 CVE-2024-52968 (6.7 medium) Improper Authentication in FortiMonitor Agent
      4. FG-IR-23-279 CVE-2024-40586 (6.7 medium) Improper access control to FortiSslvpnNamedPipe
      5. FG-IR-24-311 CVE-2024-40585 (6.5 medium) Insertion of sensitive information into Event log
      6. FG-IR-24-063 CVE-2024-27781 (7.1 high) Multiple Reflected and Stored Cross-Site Scripting
      7. FG-IR-24-147 CVE-2024-36508 (6.0 medium) Multiple arbitrary file deletion in the CLI
      8. FG-IR-24-438 CVE-2024-50567 and CVE-2024-50569 (7.2 high) OS Command Injections
      9. FG-IR-24-220 CVE-2024-40584 (7.2 high) OS command injection in external connector
      10. FG-IR-25-015 CVE-2025-24470 (8.6 high) Off-by-slash vulnerability in Nginx config
      11. FG-IR-24-302 CVE-2024-40591 (8.8 high) Permission escalation due to an Improper Privilege Management
      12. FG-IR-23-324 CVE-2024-27780 (3.1 low) Reflected XSS (cross site scripting) in incident page
      13. FG-IR-24-160 CVE-2024-35279 (8.1 high) Stack buffer overflow in fabric service
      14. FG-IR-24-094 CVE-2024-33504 (4.1 medium) Use of Hard-coded Cryptographic Key to encrypt sensitive data

      Fortinet downplays the CVSSv3.1 score by listing the temporal score only; I have listed the base score instead. No mention of exploitation.

      #fortinet #fortios #fortiproxy #fortiswitchmanager #cve #vulnerability #infosec #cybersecurity

      screaminggoat (screaminggoat@infosec.exchange)'s status on Thursday, 13-Feb-2025 03:41:57 JST

      Happy #PatchTuesday from Microsoft: 4 ZERO-DAYS (2 EXPLOITED) out of 56 new CVEs

      • CVE-2025-21377 (6.5 medium) NTLM Hash Disclosure Spoofing Vulnerability (PUBLICLY DISCLOSED)
      • CVE-2025-21194 (7.1 high) Microsoft Surface Security Feature Bypass Vulnerability (PUBLICLY DISCLOSED)
      • CVE-2025-21418 (7.8 high) Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability (EXPLOITED)
      • CVE-2025-21391 (7.1 high) Windows Storage Elevation of Privilege Vulnerability (EXPLOITED)

      #microsoft #zeroday #cve #eitw #activeexploitation #vulnerability #infosec #cybersecurity

      screaminggoat (screaminggoat@infosec.exchange)'s status on Thursday, 13-Feb-2025 03:41:57 JST

      Happy #PatchTuesday from Adobe:

      • APSB25-01 Security Update Available for Adobe InDesign (7 CVEs)
      • APSB25-08 Security update available for Adobe Commerce (31)
      • APSB25-09 Security updates available for Substance 3D Stager (1)
      • APSB25-10 Security Update Available for Adobe InCopy (1)
      • APSB25-11 Security Updates Available for Adobe Illustrator (3)
      • APSB25-12 Security updates available for Substance 3D Designer (1)
      • APSB25-13 Security updates available for Adobe Photoshop Elements (1)

      Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates.

      #adobe #cve #indesign #photoshop #incopy #vulnerability #infosec #cybersecurity

      screaminggoat (screaminggoat@infosec.exchange)'s status on Thursday, 13-Feb-2025 03:41:58 JST

      Happy #PatchTuesday from SolarWinds:

      • Sensitive data disclosure vulnerability (CVE-2024-45718) 4.6 medium
      • SolarWinds Platform Information Disclosure Vulnerability (CVE-2024-52611) 3.5 low
      • SolarWinds Platform Server-Side Request Forgery Vulnerability (CVE-2024-52606) 3.5 low

      No mention of exploitation.

      #solarwinds #cve #vulnerability

      screaminggoat (screaminggoat@infosec.exchange)'s status on Thursday, 13-Feb-2025 03:41:58 JST

      Happy #PatchTuesday from Ivanti: February Security Update

      • Security Advisory Ivanti Cloud Services Application (CSA) (CVE-2024-47908, CVE-2024-11771)
      • N-MDM - Security Advisory Ivanti Neurons for MDM (N-MDM)
      • February Security Advisory Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS) and Ivanti Secure Access Client (ISAC) (Multiple CVEs)

      We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure. These vulnerabilities were disclosed through our responsible disclosure program.

      #Ivanti #ivantiCSA #neurons #connectsecure #cve #vulnerability #infosec #cybersecurity

GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.