The researchers pointed out that the vulnerability cannot be exploited remotely. An attacker can trigger the issue by providing crafted inputs to applications that employ these [syslog] logging functions [in apps that allow the user to feed crafted data to those functions].
You still need some privileged process to exploit. Glibc code doesn’t get any higher privileges than the rest of the process. From the kernel’s point of view, it’s just a part of the program like any other code.
So if triggering the bug in your own process was enough for privilege escalation, it would also be a critical security vulnerability in the kernel - it can’t allow you to execute a magic sequence of instructions in your process and become root; that completely destroys any semblance of process / user isolation.
The first app named “File Recovery and Data Recovery” (com.spot.music.filedate) has over 1 million installs, and the second one named “File Manager” (com.file.box.master.gkd) has over 500,000 installs.
“Pro-Russia hacktivists” - that’s a weird way to say “state-sponsored hackers”. Also, they are using open VNC and default passwords? Really? The parties responsible for that infrastructure should be ashamed.
Am I reading it correctly that it only affects remote admin? Isn’t that generally considered to be a Very Bad Idea? My home network has remote admin disabled, but with VPN access I can remotely manage it, which is (afaik?) a way more secure method than having public https access to your network gear…
Still pretty unimpressive by Cisco to basically just say “sucks to be you” to the owners. I get that it’s EOL but still.
The only reason I can imagine for bringing this to the public is that they lost access, or gained what they needed to gain and can show it off now. In any active breach, as the actor performing it, you want to be as quiet as possible. Because, to quote Kali: the quieter you are, the more you hear.
On what grounds does Meta deserve the source code here? Unless Pegasus is considered a “derivative work,” the most Meta should be able to demand is money.
They need to know how they were hacked so they can fix the vulnerability. NSO broke the law when they hacked whatsapp, it seems reasonable that they’re forced to share details to prevent others from using the same method.
I’m wondering on what grounds is NSO allowed to keep the names of their co-conspirators (AKA clients) secret?
I think it’s reasonable to require them to share details, but source code is a copyright issue and shouldn’t be given up. I’m guessing the source has a lot more than just the one attack.
But yeah, I’m also surprised they’re not obligated to reveal the names of anyone involved in planning or ordering the attack. Surely that could be subpoenaed.
I replied to another comment with this, but Debian 12 (stable, bookworm) and 13 (testing, trixie) are affected by this, but 12 (stable, bookworm) has a patch out in the security repo.
If you wanna know whether or not you’re affected,
apt list libc6
will show your version, and the one you want is 2.36-9+deb12u4
If you don’t have that,
apt update && apt upgrade
will straighten you out.
13 (testing, trixie) has 2.37, but it’s not fixed yet.