Will Dormann

@wdormann@infosec.exchange
3.7K Followers
527 Following
2K Posts
I play with vulnerabilities and exploits.
I used to be https://twitter.com/wdormann but Twitter has become unbearable, so here I am.

Google published a blog post about 0days and the like. This jumped out at me:

Vendor investments in exploit mitigations are having a clear impact on where threat actors are able to find success.

Stack canaries gained popularity in the Linux world in 2002. When did the Linux-based Ivanti ICS product get stack canaries, after years of ITW exploitation? 2025. That's right. They decided to wait TWENTY THREE YEARS before deciding to turn on a compile-time flag that would have prevented successful exploitation of April's CVE-2025-22457.

We all know that comparing the security disposition of companies/products based on CVE counts is both foolish and futile, but sometimes they make it easy for us. 😂

Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis | Google Cloud Blog

This Google Threat Intelligence Group report presents an analysis of detected 2024 zero-day exploits.

The fact that a non-admin user can create a junction to a file before April's updates resulting in windows updates never installing after that is not considered worth fixing by MSRC. 😂
https://cyberplace.social/@GossiTheDog/114398293866746480
Kevin Beaumont (@GossiTheDog@cyberplace.social)

Microsoft have rated the ability for non-admin users to stop Windows patching as a moderate issue and closed the case. EDR providers, including Microsoft, probably want to add signatures for junction points from \inetpub being created on boot drive as it doesn’t look like this will be fixed any time soon.


Video Hegseth had commercial internet ‘dirty line’ in his office for Signal app: Sources
https://abcnews.go.com/Politics/video/hegseth-commercial-internet-dirty-line-office-signal-app-121138033?utm_source=flipboard&utm_medium=activitypub

Defense Sec. Pete Hegseth used the Signal app on a personal computer in his office that was connected to the internet on an unsecured commercial line, sources told ABC News.

Almost ready to enter the real world!

The fact that indoor-started plants need to gradually get adjusted to sunlight or they'll get sunburn is... Surprising to me. Isn't sunlight what plants crave?

I'll get over it...

Oh, what's that?
'NICIPConfigUpdateDeployment-1745511600265' is not valid?

Oh, let me put my Azure translation hat on. Ok, got it:

You have exceeded your limit of 10 publicly available IP addresses. Please first Disassociate the IP address and then delete it. Otherwise you will get another error message.

Boy, this hat is useful.
Just kidding. There's no such hat.
You need to trudge through things until you brute-force figure things out.

Time to go touch grass...

What's that?

The "Most used by Azure users" VM type that I picked isn't available?

You know what, instead of Go Fish, maybe tell me what I can use?

Edit: Azure Spot pricing apparently isn't a thing. No matter which Size + Region combination you choose, you'll get an error that says that the combo isn't available where you want it. 🤦‍♂️

What's that? I need to remove the number of data disks in my VM? Maybe tell me how to do this?

Ohhhh... You've selected an Azure VM image that requires more than 4 disks, and the VM type currently selected has only 4 disks? I'm no UI/UX expert, but maybe just TELL ME THIS?

If you create an ARM VM in Azure, beware that your "Recently used size" will be ARM, and as such you will not be able to create any preconfigured x64 VMs.

Because of course if your "Recently used size" is ARM, Microsoft will disable the ability to pick an x64 size. 🤦‍♂️

Yes, I had to create a sacrificial x64 VM in Azure to work around this. Once my recently used size was x64, I was able to pick any size that I wanted.

Well what do you know? Cisco actually is impacted by this and is finally putting out an advisory for it.

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-erlang-otp-ssh-xyZZy

Don't worry about rushing to patch though. Those aren't coming until next month.

Impacted products:

ConfD, ConfD Basic, Network Services Orchestrator (NSO)

Still under investigation:

Network Management and Provisioning

  • Cyber Vision
  • Smart PHY
  • Virtual Topology System (VTS)
  • Virtualized Infrastructure Manager
  • WAE Automation

Routing and Switching - Enterprise and Service Provider

  • ASR 5000 Series Routers (StarOS)
  • Catalyst Center, formerly DNA Center
  • Intelligent Node Software
  • Ultra Cloud Core - Policy Control Function
  • Ultra Cloud Core - Subscriber Microservices Infrastructure

Routing and Switching - Small Business

  • Small Business RV Series Routers

Video, Streaming, TelePresence, and Transcoding Devices

  • Expressway and TelePresence Video Communication Server (VCS)

Cisco Security Advisory: Multiple Cisco Products Unauthenticated Remote Code Execution in Erlang/OTP SSH Server: April 2025

On April 16, 2025, a critical vulnerability in the Erlang/OTP SSH server was disclosed. This vulnerability could allow an unauthenticated, remote attacker to perform remote code execution (RCE) on an affected device. The vulnerability is due to a flaw in the handling of SSH messages during the authentication phase. For a description of this vulnerability, see the Erlang announcement. This advisory will be updated as additional information becomes available. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-erlang-otp-ssh-xyZZy

To those with a passport:
Put its expiration date as a reminder (with ample lead time) on your electronic calendar right now, if it's not there already.

Since the update to patch April's CVE-2025-22457 was included in February's ICS updates (it didn't get CVE attention at that time as presumably Ivanti didn't recognize that stack buffer overflows are exploitable), the Ivanti Advisory indicated that the fix for CVE-2025-22457 could be downloaded from the Download Portal.

Because we are curious people, we read what vendors say. A few things jump out at me:

1) Despite there being existing CPEs for Ivanti Policy Secure (cpe:2.3:a:ivanti:policy_secure:...) and ZTA Gateways (cpe:2.3:a:ivanti:neurons_for_zero-trust_access:...), Ivanti chose either CPE in their advisory. I cannot fathom why.

Sub-wonder: For people using CPE in the real world, how do you know what CPE to use? I had to use ChatGPT to find the latter of the above, which seems... neither practical nor scalable? I'll admit that I know next to nothing about CPE other than inconsistently seeing them in CVE entries.

2) The patch availability for ZTA Gateways was April 19 and "will be automatically applied", and the availability for Ivanti Policy Secure is today (April 21). Might I conclude from this that all ZTA Gateways systems are protected, since April 19 has already passed? And that Ivanti Policy Secure systems have a patch available right now?
Ivanti hasn't updated their advisory since April 15.
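For the CPE point in (1) above, the following is an added example (not code from Ivanti, NVD or the original post) of parsing CPE 2.3 formatted strings and matching an advisory CPE against an asset inventory, which is the practical question behind "what CPE to use". The inventory entries and their version numbers are constructed for the example.

```python
"""Parse CPE 2.3 formatted strings and match an advisory CPE against an inventory (added example)."""
import re

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe23(cpe):
    """Split a cpe:2.3 string into its 11 fields, keeping backslash escapes raw;
    an escaped colon ('\\:') stays inside its field instead of splitting it."""
    if not cpe.startswith("cpe:2.3:"):
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    fields, cur, i = [], "", len("cpe:2.3:")
    while i < len(cpe):
        if cpe[i] == "\\" and i + 1 < len(cpe):  # escaped char: keep both
            cur += cpe[i:i + 2]; i += 2
        elif cpe[i] == ":":
            fields.append(cur); cur = ""; i += 1
        else:
            cur += cpe[i]; i += 1
    fields.append(cur)
    if len(fields) != len(CPE_FIELDS):
        raise ValueError("expected 11 fields, got %d" % len(fields))
    return dict(zip(CPE_FIELDS, fields))

def _regex(pattern):
    """Unescaped '*'/'?' are wildcards; escaped characters become literals."""
    toks = re.findall(r"\\.|.", pattern)  # escaped pair or single char
    return "".join({"*": ".*", "?": "."}.get(t, re.escape(t[-1])) for t in toks)

def field_matches(pattern, value):
    """CPE 2.3 rules: '*' (ANY) matches anything, '-' (NA) only matches '-',
    otherwise a case-insensitive wildcard match against the concrete value."""
    if pattern == "*":
        return True
    if pattern == "-" or value == "-":
        return pattern == value
    literal = re.sub(r"\\(.)", r"\1", value)  # drop escapes from the asset value
    return re.fullmatch(_regex(pattern), literal, re.IGNORECASE) is not None

def affected_assets(advisory_cpe, inventory):
    """Return the inventory CPEs (concrete, as deployed) that an advisory CPE covers."""
    adv = parse_cpe23(advisory_cpe)
    return [c for c in inventory
            if all(field_matches(adv[f], parse_cpe23(c)[f]) for f in CPE_FIELDS)]

INVENTORY = [  # constructed sample; versions are not real Ivanti releases
    "cpe:2.3:a:ivanti:policy_secure:22.7:r1.2:*:*:*:*:*:*",
    "cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.8:r2:*:*:*:*:*:*",
    "cpe:2.3:a:ivanti:connect_secure:22.7:r2.5:*:*:*:*:*:*"]
```

An advisory that names the product but leaves the version as `*` therefore flags every deployed build of that product, which is why a concrete version in the advisory CPE matters for anyone triaging from inventory.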