lmao, what is this shitty response, MSRC?

We do not need corporate yapping like that. Cybersec is mostly full of engineers.

People do not care about "we see the complaint"; we need action.

Say what you will do:
For example, "ok, researchers can drop their PoC in a week should we fail to give a decision on what to do" or "okay, we will expand our work framework on both sides, so people can be treated equally".

Full transcript:
Over the past several days, we have been listening to the conversation around coordinated disclosure and the relationship between security researchers and vendors. We recognize that this relationship is both critical and, at times, fragile. We deeply value the security community, and will continue to take your feedback seriously.

To be clear about our approach to legal matters, we have no intention to pursue action against individuals conducting or publishing their security research. When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate.

We recognize the work that goes into researching and submitting a vulnerability. We are committed to approaching every interaction with transparency, clear communication, and professionalism. We continue to believe strongly in Coordinated Vulnerability Disclosure as the foundation for protecting customers and improving our products. Each year we process a high volume of vulnerability reports. That volume continues to grow and will continue with the rise of AI-enabled research. We acknowledge that some interactions have fallen short and are working to learn from them.

Many of us have experience on both sides of this work, as researchers reporting vulnerabilities and as responders triaging and assessing them. That perspective informs how we approach this feedback and the importance we place on getting it right, particularly as the volume and complexity of research continues to grow.

The security community plays a vital role in helping us protect customers. We are committed to maintaining a constructive and respectful relationship and growing together. We know that, given the nature of this work, there will at times be misunderstandings. We remain committed to engaging in good faith and to providing a respectful and professional experience for all researchers, regardless of past interactions.

#cybersecurity #infosec #drama #msrc #midnighteclipse

Palo Alto Networks and Unit 42 are actively tracking and sharing information about a critical vulnerability, CVE-2024-3400, which affects their PAN-OS software. This vulnerability allows an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. It has a CVSS score of 10.0, indicating critical severity. The vulnerability is specific to PAN-OS 10.2, 11.0, and 11.1 when both a GlobalProtect gateway and device telemetry are enabled. It does not impact cloud firewalls, Panorama appliances, or Prisma Access.

Palo Alto Networks is tracking malicious exploitation of this vulnerability under the name Operation MidnightEclipse. They believe the initial exploitation is limited to a single threat actor but warn that additional actors may attempt to exploit it in the future. The company is providing interim guidance to mitigate the vulnerability, including a recommendation that customers with a Threat Prevention subscription block attacks by enabling Threat ID 95187. For those who cannot apply this mitigation immediately, Palo Alto Networks suggests temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version.

The vulnerability is set to be fixed in upcoming releases of PAN-OS 10.2, 11.0, 11.1, and all later versions, with an estimated release date of April 14, 2024. Palo Alto Networks encourages customers to monitor their networks for abnormal activity and to investigate any unexpected network activity as a best practice. They also thank Volexity for discovering this issue and for their ongoing collaboration and partnership.

https://unit42.paloaltonetworks.com/cve-2024-3400/

https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/

#cybersecurity #paloaltonetworks #unit42 #panos #vulnerability #firewall #globalprotect #cve #midnighteclipse #threat #volexity

Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400 (Updated April 24) (Unit 42): We detail Operation MidnightEclipse, a campaign exploiting command injection vulnerability CVE-2024-3400, and include protections and mitigations.