Random Problems, Protecting Packages, and Vulns in Designs, Defaults & Data Leaks – ASW #283

This article goes into my favorite category of nicely explained write-up and well-considered risks that point out issues that don't need to be fixed vs. those that do.

Package and source repos are prime targets. We've seen many push for added security like phishing-resistant MFA required for maintainers. This vuln stood out not exactly because of the file-read vuln, but that the file read could access the signing key used for sessions -- which led to a serialization attack.

CrushFTP dates back to the late 90s, which partially explains this phrase from the CVE writeup: “…the default configuration uses reversible DES encryption for passwords...”

These long-lived apps always make me wonder what's the breaking point for a re-design. Not a refactor, but a complete revisit of an app's design and defaults.

The blog has the perfect line for why it caught my attention. It's an "…example of the dangers of designing a cryptographic protocol with a deemed acceptable risk, being used in an unforeseen way such that the risk becomes suddenly unacceptable."

And it's not even a complicated protocol! Just an API that leaks info in an unexpected manner.

Some apps have uses for a deterministic random number generator and for reusing seeds. Sometimes those apps also have a need for "more" random (or cryptographically secure random) when the use cases relate to privacy or security. At no time is it ever useful to mix up the two use cases.

Almost every week I come across a mention in Risky Biz about some number of new malware discovered in NPM or PyPI packages. It's about as routine and as interesting as new CVEs or CISA's updates to its KEV list.

With the push for these package repos to require MFA, it makes me wonder what the underlying cause is for the packages to have included malware. Is MFA adoption not at 100%? Is it some other type of account takeover? Is there some other root cause that these repos could address?

It's been too long since we covered a space-related article. I don't think there's any metaphor to find here of appsec. Just very cool software engineering.

Slightly unfortunate scene over on the OSS Security mailing list: Some researchers tried to get the PHP ECC library to patch a bug from 2021. After getting no response (last commit was 4 years ago), they've gone ahead and forked the project.

So now developers get to play the game of "which library should we be using?"

This is a great writeup, for something that many of us would have stopped after mentioning antivirus software using HTTP for updates, and casting the appropriate amount of side-eye.

(I could link directly to the law, but ain't nobody going to read that, so here's an article from El Reg)

Shipping devices with easily guessable default passwords is now illegal in the UK. Say "thank you" to your government representatives!

Also - reminder to put those default passwords somewhere safe, because in a few years Googling for "default password netgear router" will no longer be of value...

R - the scientific programming language that was very popular in the earlier days of this machine learning wave - has a deserialization bug in the code that loads their serialized data format (RDS).

This writeup feels a little more targeted - they were looking for an exploit in R, and were digging around until they found one, compared to a more casual researcher. That makes for an interesting writeup, as they talk through the hunt as they explore the language...