Unauthenticated Remote Code Execution in OpenCode

SolarWinds Web Help Desk Vulnerability Enables Unauthenticated RCE

SolarWinds has released an urgent security advisory for a critical vulnerability in its Web Help Desk software that could allow an unauthenticated attacker to achieve remote code execution (RCE).

Cyber Security News

#DLink says replace #vulnerable #routers or risk #pwnage -Register

Owners of older models of DLink #VPN routers are being told to retire & replace their devices following disclosure of a serious #RCE #vulnerability.

#Unauthenticated RCE issues are essentially as bad as #vulnerabilities get, & D-Link warned that if customers continued to use the affected products, the devices connected to them would also be put at risk
#security

https://www.theregister.com/2024/11/20/dlink_rip_replace_router/

D-Link tells users to trash old VPN routers over bug too dangerous to identify

Vendor offers 20% discount on new model, but not patches

The Register

@igb

Defo turning away the #OpenWeb unlike here. ¯\_(ツ)_/¯

#unauthenticated is #Welcome on the #fediverse #OpenSocialMedia #news frenly ⟡(o_O)

Vulnerability with 9.8 severity in Control Web Panel is under active exploit

Malicious #hackers have begun exploiting a critical #vulnerability in unpatched versions of the #ControlWebPanel, a widely used interface for web hosting.

“This is an #unauthenticated #RCE,” members of the #Shadowserver group wrote

https://arstechnica.com/?p=1909755

Vulnerability with 9.8 severity in Control Web Panel is under active exploit

A patch was released in October, but not all servers have installed it.

Ars Technica
@Trysdyn @KitRedgrave @maple

To expand on what I mean for the people who do not read my posts on a regular basis (they probably have me personally blocked, but whatever), here is what is happening:

1. A user on computerfairi.es posts a post.

2. Somebody who follows that user and is followed by a user on blockedinstance.social makes a reply or boosts the post.

3. The user on blockedinstance.social gets a copy of that interaction because it was addressed to as:Public.

4. blockedinstance.social reconstructs the thread, fetching missing objects in it.

5. Because there is no authentication requirement for fetching objects (or any other passive AP activity), blockedinstance.social now has a copy of your object.

Unfortunately, at present, this means that the best mitigation is to firewall any instance you block that you also do not want to be able to receive posts from you. It is unfortunate that this is the present situation for quite a few reasons (the topological knowledge learned from requiring authentication on fetches would be very helpful for distributing Deletes for example), but it is not a defect in Pleroma or any other ActivityPub software. Instead, it is a defect in ActivityPub itself: since there is no authentication requirement, there is no support for authenticated fetches in any of the implementations.

While it may be disturbing to see, Pleroma is just showing you that ActivityPub is leaking your data all over the fediverse and sending it to instances you don't want it on. Blame the protocol, not the messenger.

Hopefully that clarifies what is going on. You can also read my blog post about this particular issue: https://blog.dereferenced.org/activitypub-the-present-state-or-why-saving-the-worse-is-better-virus-is#unauthenticated-object-fetching

It would be nice in the future if people did not make bad faith assumptions about why things are the way they are and instead reached out and actually asked about it. We are committed to improving the security posture of the fediverse.

ActivityPub: the present state, or why saving the 'worse is better' virus is both possible and important

This is the second article in a series that will be a fairly critical review of ActivityPub from a trust & safety perspective. Stay tun...
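The five steps above describe a protocol exchange, so here is a small model of it as an added example (not code from Pleroma, Mastodon or the post's author). It plays the thread-reconstruction fetch through three constructed instances and then applies the two mitigations the post mentions: dropping the blocked instance at the firewall, and requiring signed fetches so the origin server can actually see who is asking. The instance names middle.example and blockedinstance.social, the `Instance` model and its policy flags are assumptions made for the demonstration.

```python
"""
Model of the object leak described above (steps 1-5) and of two mitigations:
firewalling a blocked instance and requiring authenticated (signed) fetches.
Added example, not code from Pleroma, Mastodon or the post's author; the
instance names, payloads and policy flags are constructed for the demo.
"""
from dataclasses import dataclass, field

AS_PUBLIC = "https://www.w3.org/ns/activitystreams#Public"  # the as:Public audience


class FetchDenied(Exception):
    pass


@dataclass
class Instance:
    domain: str
    objects: dict = field(default_factory=dict)      # object id -> object
    blocks: set = field(default_factory=set)         # domains this instance has blocked
    firewall_deny: set = field(default_factory=set)  # domains dropped at the network edge
    require_auth: bool = False                       # reject unsigned object fetches
    followers: dict = field(default_factory=dict)    # local actor -> set of remote domains

    def post(self, actor, content, in_reply_to=None):
        oid = f"https://{self.domain}/objects/{len(self.objects) + 1}"
        obj = {"id": oid, "attributedTo": f"https://{self.domain}/users/{actor}",
               "content": content, "to": [AS_PUBLIC], "inReplyTo": in_reply_to}
        self.objects[oid] = obj
        return obj

    def deliver(self, obj, network):
        """Push a public object to every instance where its author has followers (step 3)."""
        actor = obj["attributedTo"].rsplit("/", 1)[1]
        if AS_PUBLIC in obj["to"]:
            for dom in self.followers.get(actor, ()):
                network[dom].objects[obj["id"]] = dict(obj)

    def serve_fetch(self, oid, source_domain, signed=False):
        """Answer a GET for one object. A firewall sees the source regardless of
        signing; the application layer only learns who is asking when the
        request is signed, so blocks can only be applied to signed fetches."""
        if source_domain in self.firewall_deny:
            raise FetchDenied("connection dropped by firewall")
        if self.require_auth and not signed:
            raise FetchDenied("401: signed fetch required")
        if signed and source_domain in self.blocks:
            raise FetchDenied("403: requester domain is blocked")
        return dict(self.objects[oid])

    def reconstruct_thread(self, obj, network, sign=False):
        """Walk inReplyTo upward and fetch every missing ancestor (step 4)."""
        fetched = []
        parent = obj.get("inReplyTo")
        while parent and parent not in self.objects:
            origin = network[parent.split("/")[2]]
            try:
                got = origin.serve_fetch(parent, self.domain, signed=sign)
            except FetchDenied:
                break
            self.objects[parent] = got       # step 5: a copy now lives here
            fetched.append(parent)
            parent = got.get("inReplyTo")
        return fetched


def run_scenario(mitigation="none", blocked_signs_fetches=False):
    """Return True if blockedinstance.social ends up holding the original post.
    mitigation is one of 'none', 'firewall' or 'authenticated_fetch'."""
    fairies = Instance("computerfairi.es")
    middle = Instance("middle.example")
    blocked = Instance("blockedinstance.social")
    network = {i.domain: i for i in (fairies, middle, blocked)}
    fairies.blocks.add(blocked.domain)            # the block exists in every scenario
    if mitigation == "firewall":
        fairies.firewall_deny.add(blocked.domain)
    elif mitigation == "authenticated_fetch":
        fairies.require_auth = True
    middle.followers["bob"] = {blocked.domain}    # bob is followed from the blocked instance
    original = fairies.post("maple", "a post on computerfairi.es")         # step 1
    reply = middle.post("bob", "a reply", in_reply_to=original["id"])       # step 2
    middle.deliver(reply, network)                                           # step 3
    blocked.reconstruct_thread(reply, network, sign=blocked_signs_fetches)   # steps 4-5
    return original["id"] in blocked.objects


if __name__ == "__main__":
    for m in ("none", "firewall", "authenticated_fetch"):
        print(f"{m:20s} leaked={run_scenario(m)}")
```

With no mitigation the origin server cannot tell who is fetching, so the block it holds never gets a chance to apply; the firewall works because it acts on the network source rather than on anything the protocol provides, and requiring signed fetches works because the requester is forced to identify itself before the block list is consulted.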

i was linked to this post and feel the need to write about it directly.

https://computerfairi.es/users/maple/statuses/101436332290985254

the defect is not in Pleroma, nor is Pleroma doing anything to respect or disrespect blocks placed against it: the enforcement of blocks in an ActivityPub implementation is controlled by the server which initiated the block.

unfortunately, ActivityPub has major security flaws, such as not requiring authentication to fetch objects from remote servers.

when combined with the thread reconstruction features of fediverse software, this allows for instances that you have blocked to gain copies of objects that exist on your instance.

both Mastodon and Pleroma have thread reconstruction features and have the same behavior in this regard.

the only difference is that Pleroma has publicly visible shared timelines and Mastodon requires you to use a third-party viewer, but the posts are there on both.

if you want to blame something for this design fault, i suggest blaming the W3C for ratifying a specification where security is non-normative. when security is non-normative and non-specified, it should be nobody’s surprise that objects get leaked to servers you don’t want them leaking to.

turbo outbun :bot: :amicheck: (@[email protected])

quick admin psa from my charging station: if you are domain blocking any pleroma servers, make sure to deny any requests from their domains in your server's firewall as well, because pleroma does not honour blocks and will still be able to see your instance's posts and boost them

computerfairi.es
Creep ran #Mac #malware for 14 years scanning #vulnerable machines with exposed #unauthenticated/weakly secured #RDP type ports. Appeared to be primarily for collecting images of underage children even though there was potential for $$ theft with a #keylogger. #infosec #privacy
https://apple.slashdot.org/story/18/09/30/2130206/fbi-solves-mystery-surrounding-15-year-old-fruitfly-mac-malware-which-was-used-by-a-man-to-watch-victims-via-their-webcams-and-listen-in-on-conversations
FBI Solves Mystery Surrounding 15-Year-Old Fruitfly Mac Malware Which Was Used By a Man To Watch Victims Via their Webcams, and Listen in On Conversations - Slashdot

The FBI has solved the final mystery surrounding a strain of Mac malware that was used by an Ohio man to spy on people for 14 years. From a report: The man, 28-year-old Phillip Durachinsky, was arrested in January 2017, and charged a year later, in January 2018. US authorities say he created the Fru...