Law enforcement: AI is not a valid tool for planning backcountry excursions and those people who are reckless and require help should have to pay for it.
Also law enforcement: We are excited to introduce our new AI-powered predictive policing tool.
@GossiTheDog It's just sparkling extortion.
Aflac with a Friday 8-K.
On June 12, 2025, Aflac Incorporated, a Georgia corporation (the “Company”), identified unauthorized access to its network. The Company promptly initiated its cybersecurity incident response protocols and believes that it contained the intrusion within hours. The Company’s business remains operational, and its systems were not affected by ransomware. The Company continues to serve its policyholders as it responds to this incident and can underwrite policies, review claims, and otherwise service customers as usual. The Company has engaged leading third-party cybersecurity experts to support the Company’s response to the incident.
https://www.sec.gov/ix?doc=/Archives/edgar/data/4977/000000497725000128/afl-20250620.htm
Bouncer: Hold up. What's your name?
Me: cR0w
Bouncer: Sorry. Not on the list.
Me: Exactly. Which means I am now root.
Bouncer: Go on in, root cR0w.
https://github.com/ubuntu/authd/security/advisories/GHSA-g8qw-mgjx-rwjr
When a user who hasn't logged in to the system before (i.e. doesn't exist in the authd user database) logs in via SSH, the user is considered a member of the root group in the context of the SSH session. That leads to a local privilege escalation if the user should not have root privileges.
@da_667 Copilot, list all functions in all SOHO router OSs and write a BoF for every one of them because apparently every single one of them is vulnerable.
I am replaced. 😉
@da_667 my turn wen?
@da_667 fine
@da_667 @darfplatypus He'll just sign you up for $unnamedCTIvendor
@darfplatypus @da_667 One of these days I'll put all the public DNS resolvers in a list and see what happens.
@rootwyrm :1000: @darfplatypus @da_667
@rootwyrm @darfplatypus @da_667 The amount of critical infra that uses 8.8.8.8 and isn't configurable and doesn't accept DHCP option 6 ( not that you should be using DHCP in CNI but I digress ) is astounding.
I'm awake and ready to make that a problem. Happy Friday.
Command injection, SQLi, and hardcoded creds in Infoblox NETMRI. tsk tsk
https://support.infoblox.com/s/article/Infoblox-NetMRI-is-vulnerable-to-CVE-2025-32814
https://support.infoblox.com/s/article/Infoblox-NetMRI-is-vulnerable-to-CVE-2025-32813
https://support.infoblox.com/s/article/Infoblox-NetMRI-is-vulnerable-to-CVE-2025-32815
OMG I almost missed the ../
https://support.infoblox.com/s/article/Infoblox-NetMRI-is-vulnerable-to-CVE-2024-54188
This is absolute bananas. And I forgot to put that the write-up is pretty full, including PoC. And it's web-based so maybe some easy sigs for @Dio9sys and @da_667 .
This is possible due to a netmri ALL = NOPASSWD: /bin/sh entry in /etc/sudoers .
and
This allows Remote Code Execution via a hardcoded ruby cookie secret. This vulnerability was not assigned a CVE ID by Infoblox as it was stated the underlying vulnerability is a known flaw with its own CVE referencing CVE-2013-0156.
The NetMRI virtual appliance includes a Ruby on Rails web component. We discovered the Rails session cookie signing key is hardcoded in the VM, located at:
/skipjack/app/rails/config/session_secret.txt
This value is hardcoded and was the same on every boot and VM downloaded.
Ruby on Rails deserializes session cookies if the signing key is valid. With access to this key, it’s possible to craft a malicious session leading to remote code execution (RCE).
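A defender-side check for the sudoers problem quoted above, as an added example that is not part of the Rhino write-up or of any Infoblox code: it parses sudoers-style rules from a constructed sample (the `netmri ALL = NOPASSWD: /bin/sh` line mirrors the entry the advisory describes; the other users and paths are made up) and flags passwordless rules that hand out a shell, an interpreter, or `ALL`. Run it against `sudo -l` output or the files under `/etc/sudoers.d` to find the same class of misconfiguration on your own hosts.

```ruby
# Added example (not from the advisory or the vendor). Audits sudoers text for
# NOPASSWD rules that grant an unrestricted shell or interpreter as root.

# Constructed sample; the "netmri" line mirrors the entry quoted in the write-up.
SAMPLE_SUDOERS = <<~SUDOERS
  # constructed sample, not a real appliance file
  Defaults    env_reset
  root    ALL=(ALL:ALL) ALL
  %sudo   ALL=(ALL:ALL) ALL
  netmri  ALL = NOPASSWD: /bin/sh
  backup  ALL = NOPASSWD: /usr/bin/rsync, /usr/bin/tar
  deploy  ALL = (root) NOPASSWD: /usr/bin/python3, /usr/local/bin/restart-app
SUDOERS

# Binaries that become an unrestricted root shell once sudo runs them.
SHELL_LIKE = %w[sh bash dash zsh ksh csh tcsh python python2 python3 perl ruby].freeze

# Parse "user host = (runas) TAG: cmd, cmd" rules into hashes.
# Comments, blank lines and Defaults entries are skipped.
def parse_sudoers(text)
  rules = []
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip
    next if line.empty? || line.start_with?('Defaults')
    m = line.match(/\A(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)\z/)
    next unless m
    user, host, runas, spec = m.captures
    tags = spec.scan(/\b(NOPASSWD|PASSWD|NOEXEC|SETENV)\s*:/).flatten
    cmds = spec.gsub(/\b(?:NOPASSWD|PASSWD|NOEXEC|SETENV)\s*:/, '').split(',').map(&:strip)
    rules << { user: user, host: host, runas: runas || 'root',
               nopasswd: tags.include?('NOPASSWD'), cmds: cmds }
  end
  rules
end

# Passwordless rules whose command list is ALL or contains a shell/interpreter.
def risky_nopasswd_rules(text)
  parse_sudoers(text).select do |r|
    r[:nopasswd] && r[:cmds].any? do |c|
      c == 'ALL' || SHELL_LIKE.include?(File.basename(c.split.first.to_s))
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  risky_nopasswd_rules(SAMPLE_SUDOERS).each do |r|
    puts "#{r[:user]}@#{r[:host]} -> NOPASSWD #{r[:cmds].join(', ')}"
  end
end
```

The `backup` rule is left alone because `rsync` and `tar` are not shells by themselves, which is exactly the kind of judgement call the parser hands back to you; the point is to surface every `NOPASSWD` entry whose command is a shell or an interpreter, since each one is equivalent to the `netmri` entry.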
And we have a write-up now for these Infoblox NetMRI vulns.
https://rhinosecuritylabs.com/research/infoblox-multiple-cves/
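To make the session-secret finding concrete from the defending side, here is an added example that is not code from Rhino, Infoblox or Rails: a minimal Rails-style signed cookie (`base64(data)--hmac_sha1_hex`) whose verifier refuses to operate with a secret from a blocklist of known shared values, compares signatures in constant time, and only ever parses the payload as JSON rather than handing it to an object deserializer. The `KNOWN_SHARED_SECRETS` entry is a constructed placeholder, not the NetMRI value. Rotating the per-install secret invalidates every previously issued cookie, which is the remediation a shared-on-every-image key calls for.

```ruby
# Added example (not from the write-up, the vendor or Rails itself).
# Rails-style signed session cookie with the defensive properties a per-install
# secret needs: blocklisted shared secrets are refused, signature comparison is
# constant-time, and the payload is parsed as JSON, never deserialized as objects.
require 'openssl'
require 'json'
require 'securerandom'

# Constructed placeholder for a secret that ships identically in every image.
KNOWN_SHARED_SECRETS = ['example-secret-shared-by-every-image'].freeze

class SharedSecretError < StandardError; end

# Issue a cookie: strict base64 of the JSON payload, then HMAC-SHA1 over that.
def sign(payload, secret)
  data = [JSON.generate(payload)].pack('m0')
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', secret, data)}"
end

# Constant-time string comparison so a forged signature cannot be guessed
# byte by byte through timing differences.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify and decode a cookie. Returns the payload hash, or nil when the
# signature, encoding or JSON is bad. Refuses to run with a known shared secret.
def verify(cookie, secret)
  raise SharedSecretError, 'secret matches a known shared default' if KNOWN_SHARED_SECRETS.include?(secret)
  data, sig = cookie.to_s.split('--', 2)
  return nil if data.nil? || sig.nil?
  return nil unless secure_compare(OpenSSL::HMAC.hexdigest('SHA1', secret, data), sig)
  JSON.parse(data.unpack1('m0'))      # plain data only; never Marshal.load untrusted bytes
rescue ArgumentError, JSON::ParserError
  nil                                 # invalid base64 or malformed JSON
end

# A fresh per-install secret; anything signed under the old one stops verifying.
def rotate_secret
  SecureRandom.hex(64)
end

if __FILE__ == $PROGRAM_NAME
  secret = rotate_secret
  cookie = sign({ 'user_id' => 42 }, secret)
  puts "valid under current secret: #{verify(cookie, secret).inspect}"
  puts "after rotation:             #{verify(cookie, rotate_secret).inspect}"
end
```

A cookie is only as trustworthy as the secrecy of the key that signed it; when every appliance shares the key, a valid signature proves nothing, so the verifier above treats a blocklisted key as a hard error rather than a warning.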
Every [Cisco|Infoblox] customer today.
INFOSEC: cYbEr PeArL hArBoR!
Reality: Cyber Tire Fire
sev:CRIT advisories for your Firefoxy things.
https://www.mozilla.org/en-US/security/advisories/mfsa2025-42/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-43/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-44/
Just another analyst chasing squirrels and pretending to know things. Anything stupid I say can and should be blamed on #AI. I mean, I don't intentionally use AI products, but if the AI snakeoilers can take credit for the things other people produce, they can also take the blame.
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.