Discussion in 'Business & Enterprise Computing' started by Gunna, Nov 18, 2019.
but it's covid dad, I need to connect to manage my servers......geesh.
New Windows zero-day with public exploit lets you become an admin (bleepingcomputer.com)
Fucking awesome. Enjoy your Holidays!
Good collection of details/detection methods/etc on /r/netsec/
Oh yeah it's vulnerable to this too
Oh yeah, shit's going down
At this point, I'm playing "what isn't vulnerable"
That sounds like a short game. Not interested.
haha, very short.
This might help:
Cheers - my concern at present is appliances, where we can't readily determine if it is in use or not - waiting on vendors to release advisories.
I've got one where it's "We run a vulnerable version, we're pretty sure it can't be exploited in normal operation, but that advice could change".
Yep, moved through the 5 stages of grief too?
I just assume that it's vulnerable if it's running any form of Java, given how ubiquitous log4j is.
Been putting in the mitigation java parameter - one of the platforms has around 90 potentially affected java processes (goodness knows what they use under the hood). 72 patched, 18 to restart tonight. Fun and games. Then there is all the other stuff that who knows what's going on.
Been working with one of the infrastructure security blokes today; I'm going to end up setting up a honeypot LDAP host or two, and we're going to spray all machines to get to the exploit. See what then hits the honeypot. Only a few thousand virtual machines to do. Yay.
Ok, so this is interesting. Look at the year of the presentation.
Not zero day!
Oh wow, nice catch! There was some suggestion this was being exploited earlier this year in some thread I read. I wonder how long people have been sitting on this one for (i.e., actively using it).
I'm not surprised, the feature that introduced this has been in the code since mid-2013. So 8 and a half years in the wild.
No doubt it has been exploited, the question is, how long for, and how serious have the breaches been?
If you've been busy patching log4j2 to version 2.15.0 then you'll be pleased to know you need to do it all again to version 2.16.0 for the follow-up CVE-2021-45046.
For those wanting more context about why CVE-2021-45046 - v2.16.0 is needed:
More info about the original issue: CVE-2021-44228 as covered earlier in this thread post, and here and here
CNN - 10 vendors affected by the log4j vulnerability, includes some versions of services/products by - AWS, Broadcom, Cisco, ConnectWise, Fortinet, HCL, IBM, N-able, Okta, VMware.
What a week - I need to be up and about doing stuff today, but I just want to stare at the wall
Small Rant - get a fairly good CBA phishing email, check out headers - came from popped host for some UK business, but Neutral SPF? WTF?
cba.com.au. 3600 IN TXT "v=spf1 include:spf1.cba.com.au include:spf2.cba.com.au ip4:126.96.36.199/21 include:spf.protection.outlook.com include:spf.messagelabs.com ~all"
If you're one of the industries that is frequently targeted for fraudulent activity - would you not do the basic shit and lock down who can send email on your behalf?
You are assuming they are willing to spend money on enough competent IT and security professionals and they haven't just got the absolute bare minimum to keep the lights on.
Literally the only change they needed to make was from ~all to -all though and it would have hard failed.
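Since the thread quotes the record but not the evaluation logic, here is an added example (not from any poster) of how the trailing `all` qualifier decides the verdict for a sender that matches none of the listed sources: a minimal offline SPF check in Python covering ip4/ip6/include/all. Includes are not resolved (no DNS offline), so an included domain only counts as matching when the caller supplies its result; that is an assumption of this example, not part of the thread.

```python
import ipaddress

# Constructed example records, modelled on the record quoted in the thread.
# As quoted, with the softfail qualifier on "all":
SOFTFAIL_RECORD = ("v=spf1 include:spf1.cba.com.au include:spf2.cba.com.au "
                   "ip4:126.96.36.199/21 include:spf.protection.outlook.com "
                   "include:spf.messagelabs.com ~all")
# Same record with the one-character change the post describes (~all -> -all).
HARDFAIL_RECORD = SOFTFAIL_RECORD.replace("~all", "-all")

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip, include_results=None):
    """Offline subset of RFC 7208 evaluation: ip4, ip6, include and all terms.

    include_results maps an included domain to the result its own record would
    give for sender_ip (assumed supplied by the caller; anything missing is
    treated as not matching). Returns the SPF result string."""
    include_results = include_results or {}
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism defaults to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include matches only if the included record itself passes
            matched = include_results.get(arg.lower()) == "pass"
        elif name == "all":
            matched = True  # catch-all: its qualifier is the final verdict
        else:
            continue  # a, mx, exists, redirect= need DNS; skipped offline
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present
```

A sender outside every listed range gets "softfail" under the quoted record and "fail" once the qualifier is changed to `-all`; a receiver that enforces SPF will reject only the latter.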
Like a lot of things IT/InfoSec, it's probably due to another department though, like a demand from on high that the crayon eating dept should not have to advise IT when they want some other company to send out marketing shit appearing to come from CBA directly, who cares about the security risk.