Notices by Tom Sellers (tomsellers@infosec.exchange)

I'm so tired of the fracking CloudFlare human verification prompts. I used to never get them and then sometime around 3 weeks ago I started getting them all the time.

@Viss @cR0w You forgot the double ROT13

Hey folks, if you run Redis you should be aware of a CVSS 10 vuln, CVE-2025-49844, which is a lua related RCE. Redis have release a patch for this and 3 other CVEs. According to Wiz, this vuln has existed for 13 years. That means forks such as Valkey may also be impacted. Valkey has also released updates to address the same CVEs.

Redis: https://www.runzero.com/blog/redis/

Valkey: https://www.runzero.com/blog/valkey/

#Security #Redis #Valkey #CVE-2025-49844 #CVE202549844

@GossiTheDog It looks like CISA typo'd one of the CVEs. They use CVE-2025-30333 instead of CVE-2025-20333.

I see a couple online news sources stating that CISA has extended the funding. They are using statements such as the following:

CISA says the U.S. government has extended funding to ensure no continuity issues with the critical Common Vulnerabilities and Exposures (CVE) program.

They leave out the sourcing on this. Who said it? How was it said? Via direct email requesting a comment? X post? Was it official or OTR? Like, I believe them but please provide SOME form of indication of provenance when claiming statements are made by the US Gov.

#Security #CISA #CVE

Folks have pointed out that in the current state of ... /waves around .. that it might be a good idea for US based institutions to reconsider hosting sites on non-US country code top-level domains (ccTLD) such as .io (Indian Ocean, going away soon anyway), .it (Italy), and .ai (Anguilla)

One that always bugged me was various Mississippi Gov departments using .ms which belongs to Montserrat. In light of current events these might have more risk than they did before. It looks like most of the State of MS related sites are now forwarders/shorteners for the real sites but there are plenty of official sites for MS counties as well as various private orgs that are still fully hosted on .ms domains.

Search: mississippi site:.ms

This happens for other states to various degrees as well. In some cases it's mostly private company domains and in others there are a few official state domains.

Arizona / Azerbaijan
Search: Arizona site:.az

Georgia / Gabon
Search: georgia site:.ga

Idaho / Indonesia
Search: idaho site:.id

Louisiana / Laos
Search: Louisiana site:.la

Maine / Montenegro
Search: Maine site:.me

etc. etc.

#security #risk

@GossiTheDog @dangoodin Compromise of the VMware ESXi host can result in compromise of the guests. Companies often run Active Directory controllers on VMware so compromise of the host can result in AD compromise as well. The VMware management infrastructure, such as vSphere, vCloud Director, etc also runs in VMware so you can compromise those as well. This applies to any sensitive workloads that you can run in a virtual machine.

Networking for the guests is handled by the ESXi host. If you have full control of the host you can sniff and inject traffic, potentially impact local routing, etc.

@GossiTheDog

In the Github version of the advisory and FAQ they actually state that ALL unpatched versions are vulnerable though they indicate that they haven't tested most unsupported versions. Here are few snippets from the link below:

You are affected if you are running any version of VMware ESX, VMware vSphere, VMware Cloud Foundation, or VMware Telco Cloud Platform prior to the versions listed as “fixed” in the VMSA.

For a definitive list of affected versions, please refer to the VMSA directly. If there is any uncertainty about whether a system is affected, it should be presumed vulnerable, and immediate action should be taken.

Does this impact VMware vSphere 6.5 or 6.7?

Yes. A patch has been released for ESX 6.7 and is available via the Support Portal to all customers. ESX 6.5 customers should use the extended support process for access to ESX 6.5 patches.

Products that are past their End of General Support dates are not evaluated as part of security advisories, and are not listed in the official VMSA. Broadcom strongly encourages all customers using vSphere 6.5 and 6.7 to update to vSphere 8.

https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2025-0004

Federal Crypto Reserve, the thing you implement when you want something that absolutely cannot be recovered once you steal it.

WAT

H.R.792 - To direct the Secretary of the Interior to arrange for the carving of the figure of President Donald J. Trump on Mount Rushmore National Memorial.

https://www.congress.gov/bill/119th-congress/house-bill/792

@Infoseepage That was my understanding as well. It appears that they have renamed and re-tasked the existing United States Digital Service

New US DOGE Service to have access to all unclassified US Gov records.

Reference: https://www.whitehouse.gov/presidential-actions/2025/01/establishing-and-implementing-the-presidents-department-of-government-efficiency/

Muscle memory is such a powerful thing when not trained away. Recently my wife and I took a trip that involved quite a bit of swimming. As a kid and teenager I enjoyed swimming but unfortunately I haven't done much of it in the last 30 years.

So, muscle memory.. On the recent trip, every time I surfaced from swimming underwater I would use my hands to slick back my hair to keep it, and water, out of my face. This is a very distinctive motion that actually starts just before I surface. Every time, without fail.

Reader, I haven't had hair, much less enough to need slicking back, in over 20 years. It made me laugh nearly every time I surfaced. It has been so long since I spent any time underwater that I had forgotten that I even did it. I chalk that up to rarely swimming now and being blind AF w/o glasses so I wouldn't swim underwater much when I did. It's probably been 10+ years since I did it for any significant time.

Anyway, muscle memory is a hell of a thing and so is being able to laugh at yourself.

@GossiTheDog It's also 6 years old. Seems I skimmed a bit too fast.

@GossiTheDog

Here is a Fortinet PDF for the Is my toothbrush really smart? presentation by Axelle Apvrille at Troopers in 2018. I suspect this information is what they are referencing in the article.

https://filestore.fortinet.com/fortiguard/research/toothbrush.pdf

In my earlier thread I should have recommended that folks be on the lookout for end of life(EoL) versions of Electron that are bundled with software that is itself updated to the latest version. I've observed a case where fully updated software was using Electron 22.x.x that isn't EoL yet, but will be in 2 weeks. In those cases I strongly suggest you notify your vendor and, if it is paid software, pressure them to migrate to a supported version ASAP.

Note: There IS a patched version of 22.x.x which is 22.3.24.

Reference: https://www.electronjs.org/docs/latest/tutorial/electron-timelines

#Security #Electron #SBOM #CVE20234863 #CVE-2023-4863 #CVE_2023_4863

The patched (fixed) versions of Electron are

Electron v22.3.24, v24.8.3, v25.8.1 - released September 13 and fixes CVE-2023-4863 as well as CVE-2023-4763, CVE-2023-4762, and CVE-2023-4761

Electron v26.2.1 - released September 13 and updates Chrome. Fixes the CVEs but does not call them out

Here are the fixed versions of some other common software:

GitHub Desktop v3.3.3 - bumps Electron to v24.8.3 which fixes CVE-2023-4863

VS Code 1.82.2 - bumps Electron to v25.8.1 which fixes CVE-2023-4863

Signal Desktop v6.30.2 - bumps Electron to v25.8.1 which fixes CVE-2023-4863

Slack v4.34.119 - bumps Electron to v26.2.1, indicates a security fix but doesn't label it with its highest risk label

Apple iOS 16.7, 17.0.1
Apple iPadOS 16.7, 17.0.1
Apple macOS Ventura 13.6
Apple macOS Monterey 12.7
Apple watchOS 9.6.3, 10.0.1
Apple Safari 16.6.1

Google Chrome 116.0.5845.187 for Mac and Linux and 116.0.5845.187/.188 for Windows

Mozilla Firefox 117.0.1, ESR 102.15.1, ESR 115.2.1
Mozilla Thunderbird 102.15.1, 115.2.2

Edit: Added Electron v22.3.24 to the patched list. Thanks @delfuego

@mjgardner @dangoodin

I can confirm that a fresh install of Keybase on macoS is using Electron 22.1.0 which has not been patched and will go EoL on October 10. I find this very concerning from security software.

I can also confirm that a fresh install of Microsoft Teams on macOS is using Electron 19.1.8 which has not been patched and went EoL last November. A note that 19.1.9 is the last version of this train and includes at least two security fixes.

Roughly 2 weeks ago Google patched a critical vulnerability, CVE-2023-4863, that was being exploited in the wild. The broad impact of the root cause of the vuln and the fact that it will have a long tail of unpatched software has been poorly communicated. You can read more in @dangoodin 's excellent article on Ars Technica.

As pointed out in the article above, Electron is based on Chromium and is impacted. Electron is bundled in a ton of apps that people might overlook.

I threw together the following shell command to help macOS audit which versions of Electron apps are installed.

When run, you should see something similar to the following:

#Security #Electron #CVE20234863 #CVE-2023-4863