
General InfoSec discussion

Discussion in 'Business & Enterprise Computing' started by Gunna, Nov 18, 2019.

  1. OP
    OP
    Gunna

    Gunna Member

    Joined:
    Dec 25, 2001
    Messages:
    7,945
    Location:
    Brisbane
    but it's covid dad, I need to connect to manage my servers......geesh.

    edit: Beaten!!!
     
  2. randomman

    randomman Member

    Joined:
    Oct 21, 2007
    Messages:
    5,259
  3. andrewbt

    andrewbt Member

    Joined:
    Jan 20, 2005
    Messages:
    469
    Location:
    Canberra
  4. ir0nhide

    ir0nhide Member

    Joined:
    Oct 24, 2003
    Messages:
    4,647
    Location:
    Adelaide
  5. andrewbt

    andrewbt Member

    Joined:
    Jan 20, 2005
    Messages:
    469
    Location:
    Canberra
    At this point, I'm playing "what isn't vulnerable"
     
  6. ir0nhide

    ir0nhide Member

    Joined:
    Oct 24, 2003
    Messages:
    4,647
    Location:
    Adelaide
    That sounds like a short game. Not interested.
     
    andrewbt likes this.
  7. andrewbt

    andrewbt Member

    Joined:
    Jan 20, 2005
    Messages:
    469
    Location:
    Canberra
    haha, very short.
     
  8. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    46,357
    Location:
    Brisbane
    andrewbt likes this.
  9. andrewbt

    andrewbt Member

    Joined:
    Jan 20, 2005
    Messages:
    469
    Location:
    Canberra
    Cheers - my concern at present is appliances, where we can't readily determine if it is in use or not - waiting on vendors to release advisories.
    I've got one where it's "We run a vulnerable version, we're pretty sure it can't be exploited in normal operation, but that advice could change".
     
    elvis likes this.
  10. chip

    chip Member

    Joined:
    Dec 24, 2001
    Messages:
    3,981
    Location:
    Pooraka Maccas drivethrough
    shit's fucked
     
    mooboyj, andrewbt and qwertylesh like this.
  11. andrewbt

    andrewbt Member

    Joined:
    Jan 20, 2005
    Messages:
    469
    Location:
    Canberra
    Yep, moved through the 5 stages of grief too?
     
  12. mjunek

    mjunek Member

    Joined:
    Apr 1, 2003
    Messages:
    1,146
    Location:
    Western Sydney
    I just assume that it's vulnerable if it's running any form of Java, given how ubiquitous log4j is.
    Been putting in the mitigation java parameter - one of the platforms has around 90 potentially affected java processes (goodness knows what they use under the hood). 72 patched, 18 to restart tonight. Fun and games. Then there is all the other stuff that who knows what's going on.
    Been working with one of the infrastructure security blokes today; I'm going to end up setting up a honeypot LDAP host or two, and we're going to spray all machines to get to the exploit. See what then hits the honeypot. Only a few thousand virtual machines to do. Yay.
     
    andrewbt and qwertylesh like this.
  13. mjunek

    mjunek Member

    Joined:
    Apr 1, 2003
    Messages:
    1,146
    Location:
    Western Sydney
    [attached image: upload_2021-12-14_9-21-22.png]

    Ok, so this is interesting. Look at the year of the presentation.
    Lazy developers!
    Not zero day!
     
    andrewbt likes this.
  14. andrewbt

    andrewbt Member

    Joined:
    Jan 20, 2005
    Messages:
    469
    Location:
    Canberra
    Oh wow, nice catch! There was some suggestion this was being exploited earlier this year in some thread I read. I wonder how long people have been sitting on this one for (ie, actively using it)
     
  15. mjunek

    mjunek Member

    Joined:
    Apr 1, 2003
    Messages:
    1,146
    Location:
    Western Sydney
    I'm not surprised, the feature that introduced this has been in the code since mid-2013. So 8 and a half years in the wild.
    No doubt it has been exploited, the question is, how long for, and how serious have the breaches been?
     
    andrewbt likes this.
  16. stiben

    stiben Member

    Joined:
    Aug 5, 2001
    Messages:
    506
    Location:
    Brisbane
    If you've been busy patching log4j2 to version 2.15.0 then you'll be pleased to know you need to do it all again to version 2.16.0 for the follow-up CVE-2021-45046 :sick:
     
    Yehat and andrewbt like this.
  17. Yehat

    Yehat Member

    Joined:
    Aug 4, 2002
    Messages:
    658
    Location:
    Melbourne
    :thumbup:

    For those wanting more context about why CVE-2021-45046 - v2.16.0 is needed:

    Sources:
    https://logging.apache.org/log4j/2.x/security.html
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

    More info about the original issue: CVE-2021-44228 as covered earlier in this thread post, and here and here
    CNN - 10 vendors affected by the log4j vulnerability, includes some versions of services/products by - AWS, Broadcom, Cisco, ConnectWise, Fortinet, HCL, IBM, N-able, Okta, VMware.
     
    Last edited: Dec 16, 2021
    andrewbt likes this.
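A defender-side check for the patch-tracking discussed in mjunek's, stiben's and Yehat's posts above (which log4j-core jars on a box are still below 2.16.0): this is added example code, not from any poster and not from the Log4j project. It walks a directory, opens every .jar/.war/.ear, reads the version from the Maven pom.properties that log4j-core jars carry under META-INF, checks whether JndiLookup.class is present, and recurses into nested archives such as a WAR's WEB-INF/lib. The jars it writes to a temporary directory are constructed stand-ins (a pom.properties entry and a dummy class entry), not real Log4j binaries; the 2.16.0 threshold is the version the thread names.

```python
import io
import os
import tempfile
import zipfile

# Paths inside a log4j-core jar that the scan relies on.
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 16, 0)          # version the thread says is now required
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0). Non-numeric parts become 0."""
    core = text.strip().split("-")[0]
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def inspect_archive(data, label):
    """Return findings for one archive (bytes) and any archives nested inside it."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PATH in names:
            for line in zf.read(POM_PATH).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_jndi = JNDI_CLASS in names
        if version is not None or has_jndi:
            # Flag when the JNDI lookup class is present and the version is either
            # unknown (shaded jar without pom.properties: manual review) or < 2.16.0.
            vulnerable = has_jndi and (version is None or parse_version(version) < FIXED_VERSION)
            findings.append({"archive": label, "version": version,
                             "jndi_lookup": has_jndi, "vulnerable": vulnerable})
        for inner in sorted(names):
            if inner.lower().endswith(ARCHIVE_EXT):
                findings.extend(inspect_archive(zf.read(inner), label + "!" + inner))
    return findings


def scan_tree(root):
    """Walk a directory and inspect every archive under it; labels are relative to root."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    results.extend(inspect_archive(fh.read(), os.path.relpath(path, root)))
    return results


def build_fixture_tree(root):
    """Write constructed stand-in jars (NOT real Log4j binaries) for a demo run."""
    def make_jar(path, version, with_jndi, nested=None):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            if version is not None:
                zf.writestr(POM_PATH, "artifactId=log4j-core\nversion=%s\n" % version)
            if with_jndi:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")   # dummy class-file header
            for inner_name, inner_bytes in (nested or {}).items():
                zf.writestr(inner_name, inner_bytes)
        if path is not None:
            with open(path, "wb") as fh:
                fh.write(buf.getvalue())
        return buf.getvalue()

    os.makedirs(root, exist_ok=True)
    make_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1", True)
    make_jar(os.path.join(root, "log4j-core-2.16.0.jar"), "2.16.0", True)
    make_jar(os.path.join(root, "log4j-core-2.14.1-stripped.jar"), "2.14.1", False)
    inner = make_jar(None, "2.15.0", True)        # the "already patched to 2.15.0" case
    make_jar(os.path.join(root, "app.war"), None, False,
             {"WEB-INF/lib/log4j-core-2.15.0.jar": inner})


def run_demo():
    """Build the fixtures in a temp dir, scan them, return findings keyed by archive label."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture_tree(root)
        return {f["archive"]: f for f in scan_tree(root)}


if __name__ == "__main__":
    for label, f in sorted(run_demo().items()):
        print("%-50s version=%-7s jndi=%-5s vulnerable=%s"
              % (label, f["version"], f["jndi_lookup"], f["vulnerable"]))
```

Point scan_tree at a real application directory to use it; a jar that still ships JndiLookup.class but has no pom.properties (a shaded or repackaged build) is reported as vulnerable on purpose, because the version cannot be established from the archive and someone has to look. A 2.14.1 jar with the class removed is not flagged, matching the class-deletion mitigation; a nested 2.15.0 jar is, matching the thread's point that 2.15.0 is not enough.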
  18. andrewbt

    andrewbt Member

    Joined:
    Jan 20, 2005
    Messages:
    469
    Location:
    Canberra
    What a week - I need to be up and about doing stuff today, but I just want to stare at the wall


    Small Rant - get a fairly good CBA phishing email, check out headers - came from popped host for some UK business, but Neutral SPF? WTF?

    cba.com.au. 3600 IN TXT "v=spf1 include:spf1.cba.com.au include:spf2.cba.com.au ip4:144.49.240.0/21 include:spf.protection.outlook.com include:spf.messagelabs.com ~all"

    If you're one of the industries that is frequently targeted for fraudulent activity - would you not do the basic shit and lock down who can send email on your behalf?
     
    tobes, wazza and Rass like this.
  19. Rass

    Rass Member

    Joined:
    Jun 27, 2001
    Messages:
    3,177
    Location:
    Brizbekistan
    You are assuming they are willing to spend money on enough competent IT and security professionals and they haven't just got the absolute bare minimum to keep the lights on.
     
    andrewbt likes this.
  20. wazza

    wazza Member

    Joined:
    Jun 28, 2001
    Messages:
    3,802
    Location:
    NSW
    Literally the only change they needed to make was from ~all to -all though and it would have hard failed.

    Like a lot of things IT/InfoSec though, it's probably due to another department, like a demand from on high that the crayon eating dept should not have to advise IT when they want some other company to send out marketing shit appearing to come from CBA directly; who cares about the security risk.
     
    randomman and andrewbt like this.
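An added check for the SPF point raised in andrewbt's and wazza's posts above; this is example code, not from either poster. It parses a v=spf1 TXT string you already hold (no DNS queries, so it runs offline), reports what the `all` terminator actually asserts (~all is softfail, -all is fail, ?all is neutral, +all is pass), counts the terms that cost a DNS lookup against the limit of 10 in RFC 7208, and rewrites the terminator to -all. CBA_RECORD is the record quoted in the thread; the other inputs are constructed.

```python
import re

# The record quoted in the post above (copied from the thread).
CBA_RECORD = ("v=spf1 include:spf1.cba.com.au include:spf2.cba.com.au "
              "ip4:144.49.240.0/21 include:spf.protection.outlook.com "
              "include:spf.messagelabs.com ~all")

# One SPF term: optional qualifier, a name, then an optional ':', '=' or '/' argument.
TERM_RE = re.compile(r"^([+\-~?]?)([A-Za-z][A-Za-z0-9]*)(?:([:=/])(.*))?$")
QUALIFIER_POLICY = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Terms that cost a DNS lookup; RFC 7208 section 4.6.4 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Split a v=spf1 string into terms with explicit qualifiers."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not a v=spf1 record")
    parsed = []
    for term in terms[1:]:
        m = TERM_RE.match(term)
        if m is None:
            raise ValueError("unparseable SPF term: %r" % term)
        qualifier, name, _sep, value = m.groups()
        parsed.append({"qualifier": qualifier or "+", "name": name.lower(), "value": value})
    return parsed


def assess_spf(record):
    """Report the terminator policy, lookup count and any weaknesses worth raising."""
    terms = parse_spf(record)
    all_terms = [t for t in terms if t["name"] == "all"]
    has_redirect = any(t["name"] == "redirect" for t in terms)
    lookups = sum(1 for t in terms if t["name"] in LOOKUP_TERMS)
    findings = []
    qualifier = None
    if all_terms:
        qualifier = all_terms[-1]["qualifier"]
        policy = QUALIFIER_POLICY[qualifier]
        if policy == "softfail":
            findings.append("~all: spoofed mail only softfails; most receivers still deliver it")
        elif policy == "neutral":
            findings.append("?all: SPF asserts nothing about unlisted senders")
        elif policy == "pass":
            findings.append("+all: every host on the internet passes SPF for this domain")
    elif has_redirect:
        policy = "redirect"   # terminator comes from the redirected-to record
    else:
        policy = "none"       # RFC 7208 section 4.7: no match and no 'all' evaluates to neutral
        findings.append("no 'all' term: unlisted senders evaluate to neutral")
    if lookups > 10:
        findings.append("%d lookup terms exceed the RFC 7208 limit of 10 (permerror)" % lookups)
    return {"qualifier": qualifier, "policy": policy, "dns_lookups": lookups, "findings": findings}


def harden_spf(record):
    """Return the record with its 'all' terminator changed to '-all' (hard fail)."""
    out = []
    for term in record.split():
        m = TERM_RE.match(term)
        out.append("-all" if m and m.group(2).lower() == "all" else term)
    return " ".join(out)


if __name__ == "__main__":
    for rec in (CBA_RECORD, harden_spf(CBA_RECORD)):
        print(rec)
        print("  ->", assess_spf(rec))
```

The lookup count matters when hardening: flipping ~all to -all only helps if the record evaluates at all, and a record that chains more than 10 include/a/mx/ptr/exists/redirect terms returns permerror at the receiver, which most mail systems then treat like no SPF at all. The record in the thread uses four includes, so that limit is not the problem there.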
