Notices by cR0w :cascadia: (cr0w@infosec.exchange)

Publicly disclosed memory leak in objdump.

https://sourceware.org/bugzilla/show_bug.cgi?id=32716#c0

sev:MED 4.8 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

A vulnerability has been found in GNU Binutils 2.43/2.44 and classified as problematic. Affected by this vulnerability is the function display_info of the file binutils/bucomm.c of the component objdump. The manipulation leads to memory leak. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The patch is named ba6ad3a18cb26b79e0e3b84c39f707535bbc344d. It is recommended to apply a patch to fix this issue.

https://nvd.nist.gov/vuln/detail/CVE-2025-3198

Go hack some more Ivanti shit. Someone else already has been.

https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457?language=en_US

sev:CRIT 9.0 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution.

https://nvd.nist.gov/vuln/detail/CVE-2025-22457

Edit to add:

We are aware of a limited number of customers whose Ivanti Connect Secure (22.7R2.5 or earlier) and End-of-Support Pulse Connect Secure 9.1x appliances have been exploited at the time of disclosure. Pulse Connect Secure 9.1x reached End-of-Support on December 31, 2024, and no longer receive code support or changes.

#ivanti #groundhogDay

@buherator That's so far down on questions I have at this point. 😆

Random reminder that if you ever accidentally enter your password in a username field, please immediately rotate your password. Thank you.

@buherator @GossiTheDog @cisakevtracker CISA has been skeptical about this one too, from what I've heard, and has wanted to confirm that any exploitation was both successful and specifically this vulnerability.

@wdormann Endless loop of "It's a feature, not a bug. Ticket closed. Buy Copilot."

@wdormann Next time put EICAR in the EXIF when you load it on OneDrive.

@wdormann Depending on your quota and the size of the video.

@wdormann I know it shouldn't trigger any action that way, but I'd be curious.

@buherator @wdormann Didn't Microsoft stuff start doing that too? Guessing "infected" or using the context of emails or attachments to guess passwords for archives?

@wdormann @buherator I guess that makes sense if it's password protected but not encrypted, right?

@ryanc @hrbrmstr @greynoise

@hrbrmstr @greynoise Since it's already 1 April in parts of the world, I feel like need to assure you that the links are real text lists and not ASCII anuses or anything. This time.

Following up on the scanning and password spraying that @hrbrmstr and @greynoise have posted about today, I combined a list of IPs I'm seeing going after Palo Alto GlobalProtect with the Greynoise lists:

https://cascadiacrow.com/globalprotectips.txt

I also have a list of usernames attempted by those various IP addresses:

https://cascadiacrow.com/globalprotectusernames.txt

#threatIntel #gayInt

There's another browser getting uninstalled then: https://social.vivaldi.net/@Vivaldi/114233355595486502

Cyclone warnings and hail potentially up to 1" diameter in Western Washington? Sure, why not? It's 2025.

Action taken: None

Explanation: Systems in question are too old to be impacted by recently published vulnerabilities.

Living that critical infrastructure life.

Some of y'all in a few months.

@briankrebs It's not like we can expose anything. The masks are off. We all know where they stand and what they're doing. And even if we expose more, information dissemination won't change anything. We are at the point of going kinetic. The "hacker uprising" will be over radio, not the Internet.

@briankrebs Everything's getting taken down. What's left to hack? Shit we actually need to stay operational like utilities?