It’s Alive!, Slow Migrations, Hiding on the Net, BlackLotus Source, & Gaslighting – PSW #790

This really grinds my gears: "Fortinet noted that the bug was addressed in a previous release, without an advisory." - Unless they fixed it without knowing it was a security issue.

Haven't listened yet. In other news, the BlackLotus source code is now available on Github: https://github.com/ldpreload/BlackLotus (or at least something that is very similar as the debate continues https://twitter.com/vxunderground/status/1679197452522356738?s=20)

"As StackRot is a Linux kernel vulnerability found in the memory management subsystem, it affects almost all kernel configurations and requires minimal capabilities to trigger. However, it should be noted that maple nodes are freed using RCU callbacks, delaying the actual memory deallocation until after the RCU grace period. Consequently, exploiting this vulnerability is considered challenging." and "The complete exploit code and a comprehensive write-up will be made publicly available no later than the end of July."

This: "A straightforward implementation of a verified boot implementation has the firmware verify the signature on the bootloader or kernel before executing it. In this scenario, the firmware is the root of trust - it's the first thing that makes a determination about whether something should be allowed to run or not[2]. As long as the firmware behaves correctly, and as long as there aren't any vulnerabilities in our boot chain, we know that we booted an OS that was signed with a key we trust.But what guarantees that the firmware behaves correctly? What if someone replaces our firmware with firmware that trusts different keys, or hot-patches the OS as it's booting it? We can't just ask the firmware whether it's trustworthy - trustworthy firmware will say yes, but the thing about malicious firmware is that it can just lie to us (either directly, or by modifying the OS components it boots to lie instead). This is probably not sufficiently trustworthy!" - Awesome insights in the rest of the article too.

This: "Malicious actors who are actively seeking high-privilege access to Windows operating systems use techniques that attempt to combat the increased protection that endpoint protection platform (EPP) and endpoint detection and response (EDR) technologies provide users and processes. Because of these added layers of protection, attackers tend to opt for the path of least resistance to get their malicious code running via the kernel layer or even lower levels. This is why we believe that such threats will not disappear from threat actors’ toolkits anytime soon."

"The prioritization of vulnerabilities should be a multifaceted approach. The focus should be given to those known to be exploited in the wild (CISA KEV), those with a high likelihood of exploitation (indicated by a high EPSS score), and those with weaponized exploit code available." - Turns out this is a pretty small number of vulnerabilities in comparison to the 200k documented in NVD.

Amazing article: "Simply put, merely by reading from the same block of DRAM memory over and over in a tight loop, you automatically cause it to be rewritten at the same rate, thus greatly increasing the chance that you’ll deliberately, if unpredictably, induce one or more bit flips in nearby memory cells. Using this sort of treachery to provoke memory errors on purpose is what’s known in the jargon by the self-descriptive name rowhammering."

"The third exception creates a loophole that allows a newly compiled driver to be signed with non-revoked certificates issued prior to or expired before July 29, 2015, provided that the certificate chains to a supported cross-signed certificate authority. If a driver is successfully signed this way, it will not be prevented from being installed and started as a service. As a result, multiple open source tools have been developed to exploit this loophole." and in case you're wondering: "Microsoft, in response to our notification, has blocked all certificates discussed in this blog post. Please refer to the advisory published by Microsoft for further information on their response."

So cool

It's alive!!!!!! - "so far, he’s taken the display panel from an iPad and made it work with the Framework board, and designed an entirely new lower case for the Thinkpad. This will hold the Framework board with its USB-C ports at the edge, so in the place of its USB-based expansion modules, he’s made a custom external port replicator. Meanwhile, a Teensy handles that unique keyboard. We’re told that the design files will all eventually be put online should anyone else want to try."

Because we all need a butt warmer built from a pico :)

"Chinese customs have apprehended a man attempting the biggest on-the-person CPU smuggling feat we have seen reported. The perp was stopped at Qingmao Port as he sought to cross from Macau to mainland China with 306 CPUs fashioned into a girdle around his waist." Apparently he was caught because he was walking funny, LOL.

"Almost all modern memory devices themselves contain computing elements, microcontrollers, and firmware to tame the complexities of modern interfaces and the complicated physics of the memory technology itself. Link training, wear leveling, caching, sleep and power management, manufacturing-related test functionality, are just some examples of these complexities. This functionality is backed by deeply-embedded firmware within the memory controller. This firmware is frequently written in the C language, where memory safety concerns pose a significant risk. These concerns increase as the firmware complexity increases, driven by modern memory protocols (such as NVMe) becoming increasingly complicated. "

"It is not hard to imagine the magnitude of impact if malicious actors obtain control over medical systems and remove them from operation at a hospital with hundreds of beds." - I think this is problem, we have to imagine these scenarios While I would never wish someone gets hurt, someone will get hurt and then we'd see a huge increase in security of medical devices with all parties (manufacturers, hospitals, software developers, IT departments, etc..).

I don't think just disabling ICMP will help with discoverability. I think what we are talking about here is Attack Surface Management and reducing your footprint.

*"Attackers identify an exploit and come up with some kind of delivery mechanism (weaponize). They do reconnaissance to find out where to apply the exploit. Then they apply the exploit, compromise the system, and repeat the cycle. My solution focuses on the reconnaissance step, since that's the first time the attacker sends a packet to the server." - This is some interesting thoughts and research into how we can combat threats.

I actually really like this article (which is not typical based on the title). However, the author did a nice job, agree?

This will be a slow migration: "“In order to continue to use such weak cryptographic encryption algorithms, explicit configuration is required,” Cisco stated in a field Notice. “Otherwise, OSPF neighborship will fail to establish and cause service disruption as a result.”