stacksmashing (stacksmashing@infosec.exchange)'s status on Monday, 09-Dec-2024 01:55:04 JST
Stop. Truncating. Hashes.
https://www.phoronix.com/news/OpenWrt-Compromised-ASU-Builds
Attachments
2. **Truncated SHA-256 Hash Collisions**: The request hashing mechanism truncates SHA-256 hashes to only 12 characters. This significantly reduces entropy, making it feasible for an attacker to generate collisions.
By exploiting this, a previously built malicious image can be served in place of a legitimate one, allowing the attacker to "poison" the artifact cache and deliver compromised images to unsuspecting users.
https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/618/194/759/678/871/original/eb9e21b42bd9bdf6.png
Permalink: https://infosec.exchange/@stacksmashing/113618195347506753
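An added example, not part of the original post and not the affected project's code, that puts numbers on the excerpt's point about truncated SHA-256 keys and shows a cache lookup that re-checks the full digest. The function names and inputs are constructed for illustration, and reading "12 characters" as 12 hex digits (48 bits) is an assumption.

```python
import hashlib
import hmac
import math

def short_key(request: bytes, hex_chars: int = 12) -> str:
    """Truncated key as the excerpt describes (assumption: 'characters' are hex digits)."""
    return hashlib.sha256(request).hexdigest()[:hex_chars]

def work_estimates(hex_chars: int) -> tuple[float, float]:
    """(inputs for ~50% chance that any two collide, expected inputs to match one given key)."""
    space = 16.0 ** hex_chars
    return math.sqrt(2 * math.log(2) * space), space

def first_collision(hex_chars: int) -> tuple[int, bytes, bytes]:
    """Hash constructed inputs until two distinct ones share a truncated key."""
    seen: dict[str, bytes] = {}
    n = 0
    while True:
        msg = b"constructed-request-%d" % n
        key = short_key(msg, hex_chars)
        if key in seen:
            return n + 1, seen[key], msg
        seen[key] = msg
        n += 1

def cache_put(cache: dict, request: bytes, artifact: str, hex_chars: int) -> None:
    """Store the full digest beside the artifact, indexed by the short key."""
    full = hashlib.sha256(request).hexdigest()
    cache[full[:hex_chars]] = (full, artifact)

def cache_get(cache: dict, request: bytes, hex_chars: int):
    """Return the artifact only when the stored full digest matches this request."""
    full = hashlib.sha256(request).hexdigest()
    entry = cache.get(full[:hex_chars])
    if entry is None or not hmac.compare_digest(entry[0], full):
        return None  # miss, or a different request that shares the short key
    return entry[1]

if __name__ == "__main__":
    for chars in (5, 12, 64):
        any_two, targeted = work_estimates(chars)
        print(f"{chars:2d} hex chars: any-two ~{any_two:.3g}, targeted ~{targeted:.3g}")
    tries, a, b = first_collision(5)
    print(f"5-char keys collided after {tries} inputs: {a!r} vs {b!r}")
    cache: dict = {}
    cache_put(cache, a, "image built for request a", 5)
    print("lookup for b returns:", cache_get(cache, b, 5))  # None: full digests differ
```

The measured collision uses 5-character keys so it finishes in moments; keying the cache on the full 64-character digest removes the aliasing altogether, and the full-digest comparison in `cache_get` is the fallback when a short index has to stay.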