Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/wdormann/statuses/114275557601801461">Will Dormann (wdormann@infosec.exchange)'s status on Friday, 04-Apr-2025 04:08:51 JST</a><a href="https://infosec.exchange/@wdormann" title="wdormann@infosec.exchange"><img src="https://gnusocial.jp/avatar/232810-48-20240116185707.webp" width="48" height="48" alt="Will Dormann" style="position: absolute; left: 0; top: 0;">Will Dormann</a><div><a href="https://infosec.exchange/@wdormann/114275453831928356" rel="in-reply-to">in reply to</a></div></section><article><p>Now, regarding the "silent fix" of CVE-2025-22457, which per Ivanti:</p><p>This vulnerability has been remediated in Ivanti Connect Secure 22.7R2.6 (released February 11, 2025)</p><p>That word remediated...</p><p>Careful readers will see that Ivanti didn't fix the vulnerability in 22.7R2.6.</p><p>What changed in 22.7R2.6? With this version, Ivanti compiled some of the ICS binaries with exploit mitigations that have been around for 20 years. And wouldn't you know it, it paid off already?  Everybody's gotta learn sometime...</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4840199#notice-9479665">In conversation</a><time datetime="2025-04-04T04:08:51+09:00" title="Friday, 04-Apr-2025 04:08:51 JST">about 2 months ago</time> <span>from <span><a href="https://infosec.exchange/@wdormann/114275557601801461" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@wdormann/114275557601801461">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/4410289">ICS 22.7R2.5 doesn't use a stack canary or Fortify, and has partial relro for the web binary.</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/275/552/878/380/322/original/545a16fc157c657d.png" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/275/552/878/380/322/original/545a16fc157c657d.png</a></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/4410290">ICS 22.7R2.6 does use a stack canary and Fortify, and has full relro for the web binary.</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/275/562/489/795/107/original/21b3dd2357824bab.png" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/275/562/489/795/107/original/21b3dd2357824bab.png</a></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Will Dormann (wdormann@infosec.exchange)'s status on Friday, 04-Apr-2025 04:08:51 JST Will Dormann
in reply to
Now, regarding the "silent fix" of CVE-2025-22457, which per Ivanti:
This vulnerability has been remediated in Ivanti Connect Secure 22.7R2.6 (released February 11, 2025)
That word remediated...
Careful readers will see that Ivanti didn't fix the vulnerability in 22.7R2.6.
What changed in 22.7R2.6? With this version, Ivanti compiled some of the ICS binaries with exploit mitigations that have been around for 20 years. And wouldn't you know it, it paid off already? Everybody's gotta learn sometime...
In conversationabout 2 months ago from infosec.exchangepermalink
Attachments
1. ICS 22.7R2.5 doesn't use a stack canary or Fortify, and has partial relro for the web binary.
  https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/275/552/878/380/322/original/545a16fc157c657d.png
2. ICS 22.7R2.6 does use a stack canary and Fortify, and has full relro for the web binary.
  https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/275/562/489/795/107/original/21b3dd2357824bab.png

Public

Embed Notice

HTML Code

Corresponding Notice