SecLists.Org Security Mailing List Archive
Any hacker will tell you that the latest news and exploits are not
found on any web site—not even Insecure.Org. No, the cutting edge
in security research is and will continue to be the full
disclosure mailing lists such as Bugtraq. Here we provide web
archives and RSS feeds (now including message extracts), updated in real-time, for many of our favorite lists. Browse the individual lists below, or search them all:
Nmap Development — Unmoderated technical development forum for debating ideas, patches, and suggestions regarding proposed changes to Nmap and related projects. Subscribe here.
[NSE] Problems with authentication in ms-sql in Nmap 7.91+
Paulino Calderon (Jan 14)
Hey,
I was wondering if anyone familiar with the MS-SQL protocol knows what
might be happening here. The dev branch version crashes at the moment
when scanning Microsoft SQL Server 2005 9.00.3042; SP2:
NSE: [ms-sql-brute M:b41d0c xx.xx.xx.xx] MSSQL-SSRP: SSRP Data:
ServerName;XXXX;InstanceName;MSSQLSERVER;IsClustered;No;Version;9.00.3042.00;tcp;1433;;
NSE: [ms-sql-brute M:b41d0c xx.xx.xx.xx] MSSQL-SSRP: SSRP Substrings:...
Special MAC Addresses
Toni Ruottu (Jan 02)
Hi!
I encountered two interesting MAC address reuse cases while exploring
Commodore 64 networking. I'm wondering if these two cases are mere
exceptions. If there are lots of MAC addresses with special meanings it
might be nice if nmap shipped with a list of them and warned the user when
one of them is encountered.
RR-Net is perhaps the most used NIC for C64 networking. According to the
manufacturer documentation some models of the NIC do...
[no subject]
Le Aluminarti (Dec 16)
Re: [nmap/nmap] Replace deprecated CPEs for Microsoft IIS. #2401 (PR #2402)
Esa Jokinen via dev (Dec 10)
On Tue, 2021-12-07 at 15:07 -0800, nnposter <notifications () github com>
wrote:
(From https://github.com/nmap/nmap/pull/2402)
I was wondering the same. According to CONTRIBUTING.md, GitHub should
be used for pull requests. The changes are manually added to the
Subversion repository and synced back from there. However, the document
also states that the GitHub repository should be read only.
In my opinion the documented workflow seems a...
Q: "nmap as a service" monitoring project?
Jacek Wielemborek (Dec 09)
Hi,
I'd like to continuously port-scan given IPs and get informed once any
of the ports opens or closes. Is there any (preferably open source)
project that works this way?
Cheers,
Jacek "d33tah" Wielemborek
nc -kle 'cat largefile' doesn't transmit correctly
Tobias Girstmair (Nov 27)
Hi folks,
I'm using ncat as a simple web server, as described in
https://nmap.org/ncat/guide/ncat-tricks.html#ncat-httpserv . The file
I'm serving is relatively large (80kB), and I noticed that it gets
mangled very often: a section of over a kilobyte is missing from the
middle (at packet boundaries; e.g. after 44888 bytes using 1448 sized
packets).
This seems to only happen when using --exec or --sh-exec; not when
piping the same file...
Re: smb NSE scripts with special characters password
Carlos Gomes - FCHS (Nov 25)
Sorry, but both links are not working.
Also I did not understand what list are we talking about :D
On Wed, Nov 24, 2021 at 18:11, Oliver Aldridge <oliver () aldridge net>
wrote:
Re: npcap-1.55.exe flaged as malicious
Gordon Fyodor Lyon (Nov 24)
Hi Onno. Good question. Npcap Version 1.55 is absolutely not malicious or
infected by anything, but unfortunately there are many garbage antivirus
engines out there which flood VirusTotal with false positives like this.
The latest VirusTotal report on Npcap 1.55
<https://www.virustotal.com/gui/file/0bcc56aef29b24985d7f658cd34013b08cb53ad5bf6b6ac2a982a5f6d4d95800>
shows
that only 2 of their 66 AV engines flag any issues.
If there are any...
problem starting the driver
YouTube King (Nov 24)
Hello,
I've been trying to run "SelfishNet" but it gives a message "problem
starting the driver" then "problem installing the drivers, do you have
administrator privileges?" that after installing npcap.
Then I installed "winpcap" alone and rebooted but the program displays
nothing as if it's never started.
Do you have any solution for this problem?
I know the program is old and not supported but...
Re: smb NSE scripts with special characters password
Oliver Aldridge (Nov 24)
Good afternoon! Our managers generated required list and I send it to you. File can be found via this link:
1)vulkanvegas1000.fanalikhtiyar.com/veritatisdebitis/cumquedolorem-3181671
2)bitcoinguidebooklive.mydemosystems.com/similiquedolor/autalias-3181671
Hello Everyone
I'm trying to do a nmap scan using some smb nse scripts, mostly with authenticated shares parsing user / password
within the script-args.
But when the share uses...
NMAP PR #2397: IoTVAS connected device discovery and risk assessment script
Behrang Fouladi (Nov 24)
Hello,
I'd like to contribute a NSE script that enables nmap to perform accurate device discovery and risk assessment of
IoT/connected devices such as IP cameras, printers and video conferencing devices. It does so by receiving the device
network service banners (snmp, http, ftp, telnet and upnp) from nmap engine and submitting it to the Firmalyzer's
IoTVAS API endpoint (link to the documentation and swagger UI : ...
npcap-1.55.exe flaged as malicious
Rommen, Onno via dev (Nov 24)
Hi guys,
VirusTotal flags npcap-1.55.exe, as available on your site, as malicious. Are you aware of that and what is your
reaction on that please?
Hope to hear from you soon.
Sincerely,
Onno Rommen, Lloyd's Register
(Working days Monday, Tuesday, Wednesday & Thursday)
Senior Lead Auditor Information Security, LRQA
T +31 (0)10 2500 505 M +31 (0)6 1746 1166 E onno.rommen () lr org
Lloyd's...
nmap 7.92 build fails on Fedora 34
ndof () gmx li (Nov 24)
Hi developers,
building nmap on Fedora 33 works, but fails on Fedora 34 with:
make[1]: Leaving directory '/builddir/build/BUILD/nmap-7.92/libnetutil'
netutil.cc: In function 'const void* icmpv6_get_data(const icmpv6_hdr*,
unsigned int*)':
netutil.cc:756:13: error: invalid use of incomplete type 'const struct
icmpv6_hdr'
756 | if (icmpv6->icmpv6_type == ICMPV6_TIMEXCEED ||
icmpv6->icmpv6_type ==...
possibly a bug or MS voodoo
Schmidt, Nathanael via dev (Nov 24)
Hello developer,
I have the following problem. I try to ping scan my local network using nmap, but it doesn't seem to find machines that are
for sure alive. It responds to Windows ping but not to nmap ping scan. I searched for the problem on the internet. I didn't
find a solution.
Results for ping (Translated from German):
Ping is executed for 172.27.97.21 with 32 bytes of data:
Reply from 172.27.97.21: Bytes=32 Time<1ms TTL=127
Reply...
Re: smb NSE scripts with special characters password
Carlos Gomes - FCHS (Nov 02)
We updated our environment to use nmap 7.92, but still have the same issue
on escaping characters
Any help / tips are welcome :D
On Sun, Oct 31, 2021 at 12:37, Carlos Gomes - FCHS <
carlos.henrique () unesp br> wrote:
Nmap Announce — Moderated list for the most important new releases and announcements regarding the Nmap Security Scanner and related projects. We recommend that all Nmap users subscribe.
Npcap 1.60 Release: Code Hardening, Compatibility, and Bug Fixes
Gordon Fyodor Lyon (Dec 08)
Hi Nmap (and Npcap) hackers! I hope you're enjoying the start of the
holidays. For your first stocking stuffer, we're happy to release Npcap
Version 1.60! We also released (but never actually announced) Version 1.55
in September. We put out Versions 1.12 and 1.11 of the SDK too. None of
these try to wow you with major new features. We're excited about a lot of
those in the pipeline, but we focused the last few months on...
Nmap 7.92 Defcon Release!
Gordon Fyodor Lyon (Aug 07)
Hi folks. Many of us can't attend Defcon in person this year due to global
pandemic, but we won't let that stop our traditional Defcon Nmap release!
We just posted Nmap 7.92 to https://nmap.org/download.html. It includes
dozens of performance improvements, feature enhancements, and bug fixes
that we've made over the last 10 months.
The biggest improvement (at least for Windows users) is the inclusion of
version 1.50 of Npcap (...
Npcap 1.50 Release Brings Nmap & Wireshark to Windows ARM devices
Gordon Fyodor Lyon (Jun 28)
Hi folks. The Nmap Project is pleased to release Npcap version 1.50 at
https://npcap.org. There are many improvements in this release, but the
one we're most excited about is support for the ARM architecture! This
allows apps like Nmap and Wireshark to run for the first time on a newer
generation of hardware which often includes all-day battery life and
always-on LTE/5G capabilities. Devices vary from the $349 Samsung Galaxy
Book Go...
Npcap 1.30 Released: Raw WiFi + Better Performance
Gordon Fyodor Lyon (Apr 12)
Hi folks. The Nmap Project is pleased to release Npcap Version 1.30 at
https://npcap.org. We hope Nmap and Wireshark users will be especially
happy with the raw WiFi improvements, since you tend to be particularly
savvy about low-level network inspection. It turns out that some of the
issues we thought were caused by lower level hardware drivers were actually
bugs in our driver. Oops! But at least that means we can fix them
ourselves, and we did....
Npcap 1.20 released
Gordon Fyodor Lyon (Mar 16)
Nmap/Npcap Community:
I'm happy to report the release of version 1.20 of the Npcap Windows packet
capturing/sending driver! It's the first release of 2021 and includes
better capabilities for selecting timestamp methods as well as many other
improvements and bug fixes. These include updating the underlying libpcap
library to version 1.10 and building our installer now with NSIS 3. More
details on all this are available from the...
Nmap 7.91 Bugfix Release
Gordon Fyodor Lyon (Oct 14)
Hello everyone. I'm glad Nmap 7.90 was so well received! There were so
many improvements that the official announcement (
https://seclists.org/nmap-announce/2020/1) was a bit unwieldy. So Daniel
Miller (who made most of those changes) Tweeted his top highlights at
https://twitter.com/bonsaiviking/status/1313247253197393920
While we do work hard to avoid bugs during development and to catch them
pre-release through continuous integration...
Nmap 7.90 Released! First release since August 2019.
Gordon Fyodor Lyon (Oct 03)
Hello everyone. Hot on the heels of the big Npcap 1.00 release (
https://seclists.org/nmap-announce/2020/0), we're delighted to announce a
new Nmap--version 7.90! It's the first Nmap release since Defcon 2019, even
though we've made 16 Npcap releases since then. Raw packets are so
fundamental to Nmap that we really wanted to get it right. With the
production-ready and highly performant Npcap 1.00 driver included, we can
finally...
Npcap 1.00 was just released and a new Nmap is on the way!
Gordon Fyodor Lyon (Sep 28)
Hello everyone. I hope you are all safe and well during this nasty
pandemic. I obviously haven't been wearing my marketing hat enough given
that this is my first mail to the Nmap Announcement list since last
August's Nmap 7.80 release. But we've been heads-down programming since
then and have great news to report!
The biggest news is that, after more than 7 years of development and 170
previous public releases, we're...
Full Disclosure — A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.
Win32.MarsStealer Web Panel / Unauthenticated Remote Data Deletion
malvuln (Jan 16)
Discovery / credits: Malvuln - malvuln.com (c) 2022
Original source:
https://malvuln.com/advisory/8abb41f6e7010d70c90f65fd9a740faa_C.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Win32.MarsStealer Web Panel
Vulnerability: Unauthenticated Remote Data Deletion
Description: The Mars-Stealer web interface has a "Grab Rules" component
area that lets a user specify which type of files to collect from a system
as...
Win32.MarsStealer Web Panel / Unauthenticated Remote Persistent XSS
malvuln (Jan 16)
Discovery / credits: Malvuln - malvuln.com (c) 2022
Original source:
https://malvuln.com/advisory/8abb41f6e7010d70c90f65fd9a740faa_B.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Win32.MarsStealer Web Panel
Vulnerability: Unauthenticated Remote Persistent XSS
Description: The Mars-Stealer web interface has a "Marker Rules" component
area. Third-party attackers who can reach the Mars-Stealer server can send
HTTP...
Win32.MarsStealer Web Panel / Unauthenticated Remote Information Disclosure
malvuln (Jan 16)
Discovery / credits: Malvuln - malvuln.com (c) 2022
Original source:
https://malvuln.com/advisory/8abb41f6e7010d70c90f65fd9a740faa.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Win32.MarsStealer Web Panel
Vulnerability: Unauthenticated Remote Information Disclosure
Description: The malware web interface stores screen captures named
"screenshot.jpg" in the panel directory, ZIP archived. Third-party
attackers who...
Ab Stealer Web Panel / Unauthenticated Remote Persistent XSS
malvuln (Jan 16)
Discovery / credits: Malvuln - malvuln.com (c) 2022
Original source:
https://malvuln.com/advisory/9e44c10307aa8194753896ecf8102167.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Ab Stealer Web Panel
Vulnerability: Unauthenticated Remote Persistent XSS
Description: The "Ab Stealer" web Panel By KingDomSc for "AbBuild
v.1.0.exe" is used to browse victim information "Get All Victims Passwords,
With...
SEC Consult SA-20220113-0 :: Cleartext Storage of Phone Password in Cisco IP Phones
SEC Consult Vulnerability Lab, Research (Jan 14)
SEC Consult Vulnerability Lab Security Advisory < 20220113-0 >
=======================================================================
title: Cleartext Storage of Phone Password
product: Cisco IP Phone Series 78x1, 88x5, 88x1, 7832,
8832, 8821 and 3905
vulnerable version: Firmware <14.1.1,
Firmware <11.0(6)SR2 (device model 8821),
Firmware...
🐞 Call for Papers for Hardwear.io USA 2022 is OPEN!
Andrea Simonca (Jan 14)
Hello,
We are happy to announce that the CFP for Hardwear.io USA 2022 is OPEN!
If you have a groundbreaking embedded research or an awesome open-source
tool you’d like to showcase before the global hardware security community,
this is your chance. Send in your ideas on various hardware subjects,
including but not limited to Chips, Processors, ICS/SCADA, Telecom,
Protocols & Cryptography.
✅ SUBMIT your research:...
APPLE-SA-2022-01-12-1 iOS 15.2.1 and iPadOS 15.2.1
Apple Product Security via Fulldisclosure (Jan 12)
APPLE-SA-2022-01-12-1 iOS 15.2.1 and iPadOS 15.2.1
iOS 15.2.1 and iPadOS 15.2.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213043.
HomeKit
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: Processing a maliciously crafted HomeKit accessory name...
Reprise License Manager 14.2 - Reflected Cross-Site Scripting
Gionathan Reale via Fulldisclosure (Jan 12)
# Product: RLM 14.2
# Vendor: Reprise Software
# CVE ID: CVE-2021-45422
# Vulnerability Title: Reflected Cross-Site Scripting
# Severity: Medium
# Author(s): Giulia Melotti Garibaldi
# Date: 2022-01-11
#
#############################################################
Introduction:
An issue was discovered in Reprise License Manager 14.2. Reprise License Manager 14.2 is affected by a reflected
cross-site scripting vulnerability...
[RT-SA-2021-009] Credential Disclosure in Web Interface of Crestron Device
RedTeam Pentesting GmbH (Jan 12)
Advisory: Credential Disclosure in Web Interface of Crestron Device
When the administrative web interface of the Crestron HDMI switcher is
accessed unauthenticated, user credentials are disclosed which are valid
to authenticate to the web interface.
Details
=======
Product: Crestron HD-MD4X2-4K-E
Affected Versions: 1.0.0.2159
Fixed Versions: -
Vulnerability Type: Information Disclosure
Security Risk: high
Vendor URL:...
Backdoor.Win32.Controlit.10 / Unauthenticated Remote Command Execution
malvuln (Jan 11)
Discovery / credits: Malvuln - malvuln.com (c) 2022
Original source:
https://malvuln.com/advisory/859aab793a42868343346163bd42f485.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Backdoor.Win32.Controlit.10
Vulnerability: Unauthenticated Remote Command Execution
Description: The malware listens on TCP port 3347. Third-party attackers
who can reach an infected system can run any OS commands made available by
the malware...
Full Disclosure DMCA.COM Exploitation
WebSec B.V. (Jan 11)
Publisher: Joel Aviad Ossi
Company: Pentest company WebSec B.V. <https://websec.nl>
Vulnerabilities: Improper access Control, Stored Cross-Site Scripting and
Improper Input Validation
Description: It is possible to inject javascript code into any DMCA account
and takeover the API Token in order to read support messages (It is also
possible to inject such code into the support ticket in order to target
administrators)
Additionally it is...
CVE-2021-39623 Libstagefright (Media Framework on Android) with OOB write on the heap
Marcin Kozlowski (Jan 11)
Hi list,
Maybe you will find it interesting.
Forcedentry state of the art exploit (as I read) used by NSO made it
big. Libstagefright (Media Framework on Android) with OOB write on the
heap (with Scudo) which can possibly own your Mobile by playing an
audio file, didn't. Note: Not sure if you can do RCE with it. Leave it
to experts :P
Here is the repo with reproducer and possibly also code in the future
to create it when needed....
Microsoft Windows Defender / Detection Bypass
hyp3rlinx (Jan 11)
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec
[Vendor]
www.microsoft.com
[Product]
Windows Defender
Microsoft Defender Antivirus is a major component of your
next-generation protection in Microsoft Defender for Endpoint. This
protection brings together
machine...
Microsoft Windows .Reg File Dialog Spoof / Mitigation Bypass
hyp3rlinx (Jan 11)
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_REG_FILE_DIALOG_SPOOF_MITIGATION_BYPASS.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec
[Vendor]
www.microsoft.com
A file with the .reg file extension is a Registration file used by the
Windows registry. These files can contain hives, keys, and values.
.reg files can be created from scratch...
Backdoor.Win32.SubSeven.c / Remote Stack Buffer Overflow
malvuln (Jan 07)
Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/bc7f4c4689f1b8ad395404d1e75c776f.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Backdoor.Win32.SubSeven.c
Vulnerability: Remote Stack Buffer Overflow
Description: The malware listens on TCP port 1111. Third-party attackers
who can reach an infected system can send a specially crafted packet
prefixed with "DOS". This...
Bugtraq — The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!
Re: [SECURITY] [DSA 4628-1] php7.0 security update
Timesportsall (Jan 16)
-------------------------------------------------------------------------
Debian Security Advisory DSA-4628-1 security (at) debian (dot) org
https://www.debian.org/security/ Moritz Muehlenhoff
February 18, 2020 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : php7.0
CVE ID : CVE-2019-11045 CVE-2019-11046 CVE-2019-11047
CVE-2019-11050 CVE-2020-7059...
Re: BugTraq Shutdown
tommypickle (Jan 16)
All old school hackers from UPT remember and want to show respect. Thanks for everything.
On Second Thought...
alias (Jan 16)
Bugtraq has been a valuable institution within the Cyber Security community for
almost 30 years. Many of our own people entered the industry by subscribing to it
and learning from it. So, based on the feedback we've received both from the
community-at-large and internally, we've decided to keep the Bugtraq list running.
We'll be working in the coming weeks to ensure that it can remain a valuable asset
to the community for years to...
BugTraq Shutdown
alias (Jan 15)
2020 was quite the year, one that saw many changes. As we begin 2021, we wanted
to send one last note to our friends and supporters at the SecurityFocus BugTraq
mailing list. As many of you know, assets of Symantec were acquired by Broadcom
in late 2019, and some of those assets were then acquired by Accenture in 2020
(https://newsroom.accenture.com/news/accenture-completes-acquisition-of-broadcoms-symantec-cyber-security-...
Security Basics — A high-volume list which permits people to ask "stupid questions" without being derided as "n00bs". I recommend this list to network security newbies, but be sure to read Bugtraq and other lists as well.
CarolinaCon-15 is April 26-28, 2019 in Charlotte NC - Call For Papers/Presenters is now open
Vic Vandal (Feb 03)
We are pleased to announce that CarolinaCon-15 will be on April 26th-28th 2019 in Charlotte NC at the Renaissance
Charlotte Suites. All who are interested in speaking on any topic in the realm of hacking, cybersecurity, technology,
science, robotics or any related field are invited to submit a proposal to present at the con. Full disclosure that
technology or physical security exploitation type submissions are most desirable for this storied...
Penetration Testing — While this list is intended for "professionals", participants frequently disclose techniques and strategies that would be useful to anyone with a practical interest in security and network auditing.
44CON 2018 - 12th-14th September, London (UK)
Steve (Feb 28)
44CON 2018 is the UK's best annual Security Conference and Training event. The conference spans 2.5 days with training
on the 10th and 11th of September, a free evening event on the 12th of September, and a full two-day conference on the
13th and 14th of September. The event takes place at the ILEC Conference Centre near Earls Court, London. 44CON 2018
includes catering, private bus bar and Gin O'Clock breaks. Early Bird discounted...
RootedCON Security Conference - 1-3 March, Madrid (Spain)
omarbv (Feb 11)
On the occasion of the ninth edition of RootedCON, the most important
computer security conference in the country, around 2,000 hackers will
meet to discuss new questions and research about the cybersecurity
world, with its risks and threats. National and international experts
have included in their agendas this mandatory appointment to discuss new
vulnerabilities, viruses, and other threats, they will also talk about
countermeasures in order...
Info Security News — Carries news items (generally from mainstream sources) that relate to security.
Ransomware: Why one city chose to the pay the ransom after falling victim
InfoSec News (Aug 12)
https://www.zdnet.com/article/ransomware-why-one-city-chose-to-the-pay-the-ransom-after-falling-victim/
By Danny Palmer
ZDNet.com
August 12, 2020
A US city has explained why it gave into the demands of cyber criminals
and paid a ransom demand of $45,000 following a ransomware attack.
Lafayette, Colorado fell victim to ransomware on July 27, which encrypted
the city's computer networks and caused disruptions to phone services,
email and...
0-days, a failed patch, and a backdoor threat. Update Tuesday highlights
InfoSec News (Aug 12)
https://arstechnica.com/information-technology/2020/08/update-tuesday-fixes-2-0days-and-botched-patch-for-a-backdoor-threat/
By Dan Goodin
Ars Technica
08/12/2020
Microsoft on Tuesday patched 120 vulnerabilities, two that are notable
because they’re under active attack and a third because it fixes a
previous patch for a security flaw that allowed attackers to gain a
backdoor that persisted even after a machine was updated.
Zero-day...
OCR warns hospitals of HIPAA compliance scams
InfoSec News (Aug 12)
https://www.healthcareitnews.com/news/ocr-warns-hospitals-apparent-hipaa-compliance-scams
By Mike Miliard
Healthcare IT News
August 11, 2020
The Office for Civil Rights at the U.S. Department of Health and Human
Services has warned health systems about what appears to be something of
an old-fashioned and low-tech phishing attempt: fraudulent postcards, most
addressed to hospital privacy officers, that warn of noncompliance with a
mandatory...
The Secret SIMs Used By Criminals to Spoof Any Number
InfoSec News (Aug 12)
https://www.vice.com/en_us/article/n7w9pw/russian-sims-encrypted
By Joseph Cox
Vice.com
August 12, 2020
The unsolicited call came from France. Or at least that's what my phone
said. When I picked up, a man asked if I worked with the National Crime
Agency, the UK's version of the FBI. When I explained, no, as a journalist
I don't give information to the police, he said why he had contacted me.
"There are these special SIM...
North Korean Hacking Group Attacks Israeli Defense Industry
InfoSec News (Aug 12)
https://www.nytimes.com/2020/08/12/world/middleeast/north-korea-hackers-israel.html
By Ronen Bergman and Nicole Perlroth
nytimes.com
Aug. 12, 2020
TEL AVIV -- Israel claimed Wednesday that it had thwarted a cyberattack by
a North Korea-linked hacking group on its classified defense industry.
The Defense Ministry said the attack was deflected “in real time” and that
there was no “harm or disruption” to its computer systems.
However,...
FBI says an Iranian hacking group is attacking F5 networking devices
InfoSec News (Aug 11)
https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/
By Catalin Cimpanu
Zero Day
ZDNet.com
August 10, 2020
A group of elite hackers associated with the Iranian government has been
detected attacking the US private and government sector, according to a
security alert sent by the FBI last week.
While the alert, called a Private Industry Notification, didn't identify
the hackers by name,...
Pen Test Partners: Boeing 747s receive critical software updates over 3.5" floppy disks
InfoSec News (Aug 11)
https://www.theregister.com/2020/08/10/boeing_747_floppy_drive_updates_walkthrough/
By Gareth Corfield
The Register
08/10/2020
DEF CON -- Boeing 747-400s still use floppy disks for loading critical
navigation databases, Pen Test Partners has revealed to the infosec
community after poking about one of the recently abandoned aircraft.
The eye-catching factoid emerged during a DEF CON video interview of PTP's
Alex Lomas, where the man...
US Cyber Command is using unclassified networks to fight election interference
InfoSec News (Aug 10)
https://www.c4isrnet.com/cyber/2020/08/10/us-cyber-command-is-using-unclassified-networks-to-fight-election-interference/
By Mark Pomerleau
C4ISRNET.com
08/10/2020
WASHINGTON -- U.S. Cyber Command is using unclassified networks and
publicly available communication platforms as it works to prevent foreign
interference in the next presidential election, a CYBERCOM official has
revealed.
“From a CYBERCOM standpoint, one of the big changes...
New England guardsmen test their skills in Cyber Yankee 2020
InfoSec News (Aug 03)
https://www.c4isrnet.com/cyber/2020/08/03/new-england-guardsmen-test-their-skills-in-cyber-yankee-2020/
By Mark Pomerleau
C4ISRNET.com
08/03/2020
Members of the National Guard from New England states concluded a two-week
cyber exercise that sought to test the cyber skills of guardsmen and
critical infrastructure operators.
Cyber Yankee 2020, which took place July 21-31 in New Hampshire, involved
more than 200 National Guard members and...
Travel management company CWT hands over $4.5M following ransomware attack
InfoSec News (Aug 03)
https://siliconangle.com/2020/08/02/travel-management-company-cwt-hands-4-5m-following-ransomware-attack/
By Duncan Riley
SiliconAngle.com
08/02/2020
Business travel management company CWT Global B.V. is the latest company
to pay a ransom demand following a ransomware attack.
According to report Friday by Reuters, the company paid $4.5 million to
those behind the ransomware after the attack knocked some 30,000 of the
company’s computers...
DOD, FBI, DHS release info on malware used in Chinese government-led hacking campaigns
InfoSec News (Aug 03)
https://www.cyberscoop.com/taidoor-malware-report-china-cisa-dod-fbi/
By Shannon Vavra
CYBERSCOOP
August 3, 2020
The U.S. government publicly put forth information Monday that exposed
malware used in Chinese government hacking efforts for more than a decade.
The Chinese government has been using malware, referred to as Taidoor, to
target government agencies, entities in the private sector, and think
tanks since 2008, according to a joint...
Leaky S3 buckets have gotten so common that they're being found by the thousands now, with lots of buried secrets
InfoSec News (Aug 03)
https://www.theregister.com/2020/08/03/leaky_s3_buckets/
By Shaun Nichols in San Francisco
The Register
3 Aug 2020
The massive amounts of exposed data on misconfigured AWS S3 storage
buckets is a catastrophic network breach just waiting to happen, say
experts.
The team at Truffle Security says its automated search tools were able to
stumble across some 4,000 open Amazon S3 buckets that included data
companies would not want public, things...
House Republicans introduce legislation to give states $400 million for elections
InfoSec News (Aug 03)
https://thehill.com/policy/cybersecurity/510362-house-republicans-introduce-legislation-to-give-states-400-million-for
By Maggie Miller
The Hill
08/03/2020
A group of House Republicans on Monday introduced legislation that would
appropriate $400 million to states to address election challenges stemming
from the COVID-19 pandemic.
The Emergency Assistance for Safe Elections (EASE) Act would designate
$200 million to assist with sanitizing...
Zoom private meeting passwords were easily crackable
InfoSec News (Jul 30)
https://www.itnews.com.au/news/zoom-private-meeting-passwords-were-easily-crackable-551095
By Juha Saarinen
itnews.com.au
July 31, 2020
The automatically generated passwords protecting private Zoom meetings
could be cracked with relative ease, allowing access to sensitive
conferences, a researcher has discovered.
Web site developer Tom Anthony decided on March 31 this year to see if he
could crack the password for private Zoom meetings....
Pentagon needs access to defense companies' networks to hunt cyberthreats, says commission
InfoSec News (Jul 30)
https://www.c4isrnet.com/cyber/2020/07/30/pentagon-needs-access-to-defense-companies-networks-to-hunt-cyberthreats-says-commission/
By Mark Pomerleau
C4ISRNET.com
July 30, 2020
WASHINGTON -- The Pentagon must be able to hunt cyberthreats on the
private networks of defense companies in order to strengthen national
cybersecurity, according to one of the leaders of the Cyber Solarium
Commission.
Rep. Mike Gallagher, R-Wis., who co-chairs the...
Firewall Wizards — Tips and tricks for firewall administrators
Revival?
Paul Robertson (Sep 11)
Since the last few attempts to revive the list have failed, I'm going to attempt a Facebook group revival experiment.
It'll be a bit broader in scope, but I'm hoping we can discuss technical security matters. The new group is
Security-Wizards on Facebook.
Paul
Web App Security — Provides insights on the unique challenges which make web applications notoriously hard to secure, as well as attack methods including SQL injection, cross-site scripting (XSS), cross-site request forgery, and more.
Faraday Beta V3.0 Released
Francisco Amato (Jul 04)
Faraday helps you to host your own vulnerability management platform
now and streamline your team in one place.
We are pleased to announce the newest version of Faraday v3.0. In this
new version we have made major architecture changes to adapt our
software to the new challenges of cyber security. We focused on
processing large data volumes and on making it easier for the user to
interact with Faraday in its environment.
To install it you can...
Daily Dave — This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.
RootedCON 2022 Call For Papers is open!
omarbv--- via Dailydave (Jan 02)
*** /RootedCON'2022 - Main activity ***
-=] About RootedCON
RootedCON is a technology congress that will be developed in Madrid
(Spain) from 10 - 12 of March 2022....
Some cool projects - JOERN
Dave Aitel via Dailydave (Dec 09)
Lately all I've been doing is data science but I've been trying to keep up
with some of the cool work happening in the cybers as well. One project I
think is especially cool is the Joern Ghidra2CPG project.
https://twitter.com/fabsx00/status/1466302205019971586?s=20
https://joern.io/blog/joern-supports-binary/
The theory is that you can use the Ghidra decompiler, then have a code
property graph, which they store in a special purpose...
PaulDotCom — General discussion of security news, research, vulnerabilities, and the PaulDotCom Security Weekly podcast.
BHIS Sorta Top Used Tools of 2018
John - Black Hills Information Security (Dec 06)
Free Webcast
Hello all,
For our next webcast we will cover some of the core tools we use all the time at Black Hills Information Security.
However, there will be a twist. We will not talk about Nessus, Nmap, or Metasploit. Why? Because there are a ton of new
(and older) tools we use that fall outside of the standard tools you see in every security book/blog out there.
Basically, we are trying to be edgy and different.
You may want to come...
BHIS Webcast - Tues 10/2 @ 11am MDT
John Strand - Black Hills Information Security (Sep 26)
Hello All,
In this next webcast I want to cover what I am doing with the BHIS Systems team to create a C2/Implant/Malware test
bed. Testing our C2/malware solutions is important because vendors tend to lie or over-hype their capabilities. I will
cross reference some different malware specimens to the MITRE ATT&CK framework and we will cover how you can use these
techniques to test your defensive solutions at both the endpoint and the...
BHIS Webcast: The PenTest Pyramid of Pain 9/4 - 11am MDT
Sierra - Black Hills Information Security (Aug 29)
Hello!
How are you all? We had a fantastic webcast last week with John Strand and Chris Brenton and we're still working
through some unexpected hiccups to get the recording up and posted. The podcast version is on our blog, and the YouTube
version will be posted shortly on the Active Countermeasures channel and blog as well. Thanks for all of you who
ventured over to attend!
Ready for another awesome BHIS webcast? Dakota is back and...
Webcast with CJ: Tues 7/24 at 11am
Sierra - Black Hills Information Security (Jul 19)
Our upcoming webcast will be about POLICY...
Did you check out when you heard “policy”? Policy can often seem like a drudgery, but it’s also an important and
potentially overlooked part of business and procedure; it’s the framework on which security is really built!
CJ, our COO and Head of Sales, has experience writing, assessing and implementing policies for many different kinds of
companies. And if you are worried it will be dry and...
Honeypots — Discussions about tracking attackers by setting up decoy honeypots or entire honeynet networks.
Honeypot malware archives
Matteo Cantoni (Feb 14)
Hello everyone,
I would like to share with you, for educational purposes and without any
commercial purpose, data collected by my homemade honeypot.
Nothing new, nothing shocking, nothing sensational... but I think it can
be of interest to newcomers to the world of analysis of malware,
botnets, etc... maybe for a thesis.
The files collected are divided into zip archives, in alphabetical
order, with password (which must be requested via email). Some...
Microsoft Sec Notification — Beware that MS often uses these security bulletins as marketing propaganda to downplay serious vulnerabilities in their products—note how most have a prominent and often-misleading "mitigating factors" section.
Microsoft Security Update Minor Revisions
Microsoft (Dec 11)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: December 11, 2018
********************************************************************
Summary
=======
The following CVE has undergone a minor revision
increment:
* CVE-2018-8172
Revision Information:
=====================
- CVE-2018-8172 | Visual Studio Remote Code Execution
Vulnerability
-...
Microsoft Security Update Minor Revisions
Microsoft (Nov 14)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: November 14, 2018
********************************************************************
Summary
=======
The following CVEs and advisory have undergone a minor revision
increment:
* CVE-2018-8454
* CVE-2018-8552
* ADV990001
Revision Information:
=====================
- CVE-2018-8454 | Windows Audio Service...
Microsoft Security Update Minor Revisions
Microsoft (Oct 24)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: October 24, 2018
********************************************************************
Summary
=======
The following CVE has undergone a minor revision increment:
* CVE-2018-8512
Revision Information:
=====================
- CVE-2018-8512 | Microsoft Edge Security Feature Bypass
Vulnerability
-...
Microsoft Security Update Releases
Microsoft (Oct 19)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 19, 2018
********************************************************************
Summary
=======
The following CVE has been added to the October 2018 Security updates:
* CVE-2018-8569
Revision Information:
=====================
- CVE-2018-8569 | Yammer Desktop Application Remote Code Execution
Vulnerability
-...
Microsoft Security Update Releases
Microsoft (Oct 17)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 17, 2018
********************************************************************
Summary
=======
The following CVEs have undergone a major revision increment:
* CVE-2010-3190
Revision Information:
=====================
- CVE-2010-3190 | MFC Insecure Library Loading Vulnerability
-...
Microsoft Security Update Minor Revisions
Microsoft (Oct 09)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: October 9, 2018
********************************************************************
Summary
=======
The following CVE has undergone a minor revision increment:
* CVE-2018-8531
Revision Information:
=====================
- CVE-2018-8531 | Azure IoT Device Client SDK Memory Corruption
Vulnerability
-...
Microsoft Security Update Releases
Microsoft (Oct 09)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 9, 2018
********************************************************************
Summary
=======
The following CVE has been added to the October 2018 Security updates:
* CVE-2018-8292
Revision Information:
=====================
- CVE-2018-8292 | .NET Core Information Disclosure Vulnerability
-...
Microsoft Security Update Releases
Microsoft (Oct 09)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 9, 2018
********************************************************************
Summary
=======
The following bulletin has undergone a major revision increment:
* MS11-025
Revision Information:
=====================
- https://docs.microsoft.com/en-us/security-updates/
SecurityBulletins/2011/ms11-025:...
Microsoft Security Update Summary for October 9, 2018
Microsoft (Oct 09)
********************************************************************
Microsoft Security Update Summary for October 9, 2018
Issued: October 9, 2018
********************************************************************
This summary lists security updates released for October 9, 2018.
Complete information for the October 2018 security update release can
be found at
<https://portal.msrc.microsoft.com/en-us/security-guidance>.
Please note the...
Microsoft Security Update Releases
Microsoft (Oct 02)
********************************************************************
Title: Microsoft Security Update Releases
Issued: October 2, 2018
********************************************************************
Summary
=======
The following CVE has undergone a major revision increment:
* CVE-2018-0952
Revision Information:
=====================
- CVE-2018-0952 | Diagnostic Hub Standard Collector Elevation of
Privilege Vulnerability
-...
Microsoft Security Advisory Notification
Microsoft (Sep 12)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: September 12, 2018
********************************************************************
Security Advisories Released or Updated on September 12, 2018
===================================================================
* Microsoft Security Advisory ADV180022
- Title: Windows Denial of Service Vulnerability
-...
Microsoft Security Update Minor Revisions
Microsoft (Sep 12)
********************************************************************
Title: Microsoft Security Update Minor Revisions
Issued: September 12, 2018
********************************************************************
Summary
=======
The following CVEs have undergone a minor revision increment:
* CVE-2018-8421
* CVE-2018-8468
Revision Information:
=====================
- CVE-2018-8421 | .NET Framework Remote Code Execution
Vulnerability...
Microsoft Security Update Summary for September 11, 2018
Microsoft (Sep 11)
********************************************************************
Microsoft Security Update Summary for September 11, 2018
Issued: September 11, 2018
********************************************************************
This summary lists security updates released for September 11, 2018.
Complete information for the September 2018 security update release can
be found at
<https://portal.msrc.microsoft.com/en-us/security-guidance>....
Microsoft Security Update Releases
Microsoft (Sep 11)
********************************************************************
Title: Microsoft Security Update Releases
Issued: September 11, 2018
********************************************************************
Summary
=======
The following CVE has undergone a major revision increment:
* CVE-2018-8154
Revision Information:
=====================
- CVE-2018-8154 | Microsoft Exchange Memory Corruption
Vulnerability
-...
Microsoft Security Advisory Notification
Microsoft (Sep 11)
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: September 11, 2018
********************************************************************
Security Advisories Released or Updated on September 11, 2018
===================================================================
* Microsoft Security Advisory ADV180002
- Title: Guidance to mitigate speculative execution...
Funsec — While most security lists ban off-topic discussion, Funsec is a haven for free community discussion and enjoyment of the lighter, more humorous side of the security community
Verizon: 1.5M of Contact Records Stolen, Now on Sale
Jeffrey Walton (Mar 26)
http://www.mobipicker.com/verizon-1-5m-contact-records-stolen-now-sale/:
A business to business telecommunication giant,
Verizon Enterprise Solutions, a Basking Ridge,
New Jersey-based company, has been the latest
victim of a cyber crime that stole 1.5 million contact
records of the customers of Verizon...
I don't quite understand this double talk. Could someone explain to me:
A spokesperson from Verizon said that...
Statement on Lavabit Citation in Apple Case
Jeffrey Walton (Mar 16)
(From John Young on another list):
http://www.facebook.com/KingLadar/posts/10156714933135038
As many of you already know, the government cited the Lavabit case in
a footnote. The problem is their description insinuates a precedent
that was never created. Obviously I was somewhat disturbed by their
misrepresentation. So I decided to draft a statement. And keep in
mind, these are the same people who say "trust us." Click continue to
read...
The NSA's back door has given every US secret to our enemies
Jeffrey Walton (Feb 29)
http://www.businessinsider.com/john-mcafee-nsa-back-door-gives-every-us-secret-to-enemies-2016-2
Deng Xiaoping, in 1979 - his second year as supreme leader of China -
perceived a fundamental truth that has yet to be fully grasped by most
Western leaders: Software, if properly weaponized, could be far more
destructive than any nuclear arsenal.
Under Deng’s leadership, China began one of the most ambitious and
sophisticated meta- software...
Can Spies Break Apple Crypto?
Jeffrey Walton (Feb 27)
Here's an interesting exchange between Cryptome and Michael Froomkin,
Law Professor at University of Miami, on the All Writs Act
(http://cryptome.org/2016/02/can-spies-break-apple-crypto.htm):
-----
A. Michael Froomkin:
The factual posture in the key Supreme Court precedent, New York
Telephone, involved a situation where only the subject of the order
was capable of providing the assistance at issue. This is the basis
for Apple's...
The FBI's iPhone Problem: Tactical vs. Strategic Thinking
Jeffrey Walton (Feb 23)
http://www.technewsworld.com/story/83130.html
I'm an ex-sheriff, and I've been in and out of security jobs for much
of my life, so I've got some familiarity with the issues underlying
the drama between the FBI and Apple. FBI officials -- and likely those
in every other three-letter agency and their counterparts all over the
world -- would like an easier way to do their jobs. Wouldn't we all?
If they could put cameras in...
Wanted: Cryptography Products for Worldwide Survey
Jeffrey Walton (Jan 01)
(http://www.schneier.com/crypto-gram/archives/2015/1215.html):
In 1999, Lance Hoffman, David Balenson, and others published a survey
of non-US cryptographic products. The point of the survey was to
illustrate that there was a robust international market in these
products, and that US-only export restrictions on strong encryption
did nothing to prevent its adoption and everything to disadvantage US
corporations. This was an important contribution...
CERT Advisories — The Computer Emergency Response Team has been responding to security incidents and sharing vulnerability information since the Morris Worm hit in 1986. This archive combines their technical security alerts, tips, and current activity lists.
Mozilla Releases Security Update for Thunderbird
US-CERT (Jul 17)
National Cyber Awareness System:
Mozilla Releases Security Update for Thunderbird [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/17/mozilla-releases-security-update-thunderbird ] 07/17/2020
10:50 AM EDT
Original release date: July 17, 2020
Mozilla has released a security update to address multiple vulnerabilities in Thunderbird. An attacker could exploit
some of these...
Microsoft Releases Security Update for Edge
US-CERT (Jul 17)
National Cyber Awareness System:
Microsoft Releases Security Update for Edge [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/17/microsoft-releases-security-update-edge ] 07/17/2020 10:53 AM
EDT
Original release date: July 17, 2020
Microsoft has released a security update to address a vulnerability in Edge (Chromium-based). An attacker could exploit
this vulnerability to drop...
AA20-198A: Malicious Cyber Actor Use of Network Tunneling and Spoofing to Obfuscate Geolocation
US-CERT (Jul 17)
National Cyber Awareness System:
AA20-198A: Malicious Cyber Actor Use of Network Tunneling and Spoofing to Obfuscate Geolocation [
https://us-cert.cisa.gov/ncas/alerts/aa20-198a ] 07/16/2020 08:09 AM EDT
Original release date: July 16, 2020
Summary
"This Activity Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) and Pre-ATT&CK
frameworks....
CISA Releases Emergency Directive on Critical Microsoft Vulnerability
US-CERT (Jul 16)
National Cyber Awareness System:
CISA Releases Emergency Directive on Critical Microsoft Vulnerability [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/16/cisa-releases-emergency-directive-critical-microsoft-vulnerability
] 07/16/2020 03:28 PM EDT
Original release date: July 16, 2020
The Cybersecurity and Infrastructure Security Agency (CISA) has released Emergency Directive...
Apple Releases Security Updates
US-CERT (Jul 16)
National Cyber Awareness System:
Apple Releases Security Updates [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/16/apple-releases-security-updates ] 07/16/2020 11:17 AM EDT
Original release date: July 16, 2020
Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of
these vulnerabilities to take control of an...
Malicious Activity Targeting COVID-19 Research, Vaccine Development
US-CERT (Jul 16)
National Cyber Awareness System:
Malicious Activity Targeting COVID-19 Research, Vaccine Development [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/16/malicious-activity-targeting-covid-19-research-vaccine-development
] 07/16/2020 07:16 AM EDT
Original release date: July 16, 2020
In response to malicious activity targeting COVID-19 research and vaccine development in the United...
Cisco Releases Security Updates for Multiple Products
US-CERT (Jul 15)
National Cyber Awareness System:
Cisco Releases Security Updates for Multiple Products [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/15/cisco-releases-security-updates-multiple-products ]
07/15/2020 03:19 PM EDT
Original release date: July 15, 2020
Cisco has released security updates to address vulnerabilities affecting multiple products. An unauthenticated, remote
attacker...
Oracle Releases July 2020 Security Bulletin
US-CERT (Jul 14)
National Cyber Awareness System:
Oracle Releases July 2020 Security Bulletin [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/oracle-releases-july-2020-security-bulletin ] 07/14/2020
05:21 PM EDT
Original release date: July 14, 2020
Oracle has released its Critical Patch Update for July 2020 to address 433 vulnerabilities across multiple products. A
remote attacker could...
Google Releases Security Updates for Chrome
US-CERT (Jul 14)
National Cyber Awareness System:
Google Releases Security Updates for Chrome [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/google-releases-security-updates-chrome-0 ] 07/14/2020 04:51
PM EDT
Original release date: July 14, 2020
Google has released Chrome version 84.0.4147.89 for Windows, Mac, and Linux. This version addresses vulnerabilities
that an attacker could exploit...
Google Releases Security Updates for Chrome
US-CERT (Jul 14)
National Cyber Awareness System:
Google Releases Security Updates for Chrome [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/google-releases-security-updates-chrome ] 07/14/2020 02:45 PM
EDT
Original release date: July 14, 2020
Google has released Chrome version 84.0.4147.89 for Windows, Mac, and Linux. This version addresses vulnerabilities
that an attacker could exploit to...
Microsoft Releases July 2020 Security Updates
US-CERT (Jul 14)
National Cyber Awareness System:
Microsoft Releases July 2020 Security Updates [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/microsoft-releases-july-2020-security-updates ] 07/14/2020
02:13 PM EDT
Original release date: July 14, 2020
Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could
exploit some of these...
Microsoft Addresses 'Wormable' RCE Vulnerability in Windows DNS Server
US-CERT (Jul 14)
National Cyber Awareness System:
Microsoft Addresses 'Wormable' RCE Vulnerability in Windows DNS Server [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/microsoft-addresses-wormable-rce-vulnerability-windows-dns-server
] 07/14/2020 02:14 PM EDT
Original release date: July 14, 2020
Microsoft has released a security update to address a remote code execution (RCE)...
Adobe Releases Security Updates for Multiple Products
US-CERT (Jul 14)
National Cyber Awareness System:
Adobe Releases Security Updates for Multiple Products [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/adobe-releases-security-updates-multiple-products ]
07/14/2020 01:18 PM EDT
Original release date: July 14, 2020
Adobe has released security updates to address vulnerabilities in multiple Adobe products. An attacker could exploit
some of...
Apache Releases Security Advisories for Apache Tomcat
US-CERT (Jul 14)
National Cyber Awareness System:
Apache Releases Security Advisories for Apache Tomcat [
https://us-cert.cisa.gov/ncas/current-activity/2020/07/14/apache-releases-security-advisories-apache-tomcat ]
07/14/2020 11:33 AM EDT
Original release date: July 14, 2020
The Apache Software Foundation has released security advisories to address multiple vulnerabilities in Apache Tomcat.
An attacker...
AA20-195A: Critical Vulnerability in SAP NetWeaver AS Java
US-CERT (Jul 13)
National Cyber Awareness System:
AA20-195A: Critical Vulnerability in SAP NetWeaver AS Java [ https://us-cert.cisa.gov/ncas/alerts/aa20-195a ]
07/13/2020 07:07 PM EDT
Original release date: July 13, 2020
Summary
On July 13, 2020 EST, SAP released a security update to address a critical vulnerability, CVE-2020-6287 [
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6287 ],...
Open Source Security — Discussion of security flaws, concepts, and practices in the Open Source community
WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001
Carlos Alberto Lopez Perez (Jan 21)
------------------------------------------------------------------------
WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001
------------------------------------------------------------------------
Date reported : January 21, 2022
Advisory ID : WSA-2022-0001
WebKitGTK Advisory URL : https://webkitgtk.org/security/WSA-2022-0001.html
WPE WebKit Advisory URL :...
usbview polkit policy local root exploit (CVE-2022-23220)
Matthias Gerstner (Jan 21)
Hello list,
this is to inform you about a local root exploit I found in usbview [1]
release 2.1. This finding was embargoed for 7 days on the linux-distros
mailing list and the fix has been published today.
The upstream author Greg KH is currently working on an improved version
of usbview that will no longer require root privileges to run.
Following is the full report:
A polkit policy file has been added to usbview release 2.1 via commit...
Re: Prosody XMPP server advisory 2022-01-13 (Remote Unauthenticated Denial of Service) (CVE-2022-0217)
Kim Alvefur (Jan 20)
Hi,
The fix for this issue introduced a regression in the form of a memory
leak (of the unintentional reference variety, not a true leak).
A fix can be found in this commit:
https://hg.prosody.im/trunk/rev/e5e0ab93d7f4
CVE-2021-45417 - aide (>= 0.13 <= 0.17.3): heap-based buffer overflow vulnerability in base64 functions
Hannes von Haugwitz (Jan 20)
Summary
=======
David Bouman discovered a heap-based buffer overflow vulnerability in base64
functions of AIDE, an advanced intrusion detection system. An attacker could
crash the program and possibly execute arbitrary code through large (<16k)
extended file attributes or ACL. A local user might exploit this flaw for root
privilege escalation.
Project
=======
AIDE (https://aide.github.io)
Affected versions
=================
AIDE >=...
CVE-2022-22733: Apache ShardingSphere ElasticJob-UI: Access-Token in ElasticJob UI causes password disclosure
Haoran Meng (Jan 20)
Severity: moderate
Description:
Exposure of Sensitive Information to an Unauthorized Actor
vulnerability in Apache ShardingSphere ElasticJob-UI allows an
attacker who has guest account to do privilege escalation. This issue
affects Apache ShardingSphere ElasticJob-UI Apache ShardingSphere
ElasticJob-UI 3.x version 3.0.0 and prior versions.
Race condition in the Rust standard library (CVE-2022-21658)
Pietro Albini (Jan 20)
The Rust Security Response WG was notified that the `std::fs::remove_dir_all`
standard library function is vulnerable to a race condition enabling symlink
following (CWE-363). An attacker could use this security issue to trick a
privileged program into deleting files and directories the attacker couldn't
otherwise access or delete.
This issue has been assigned [CVE-2022-21658][1].
## Overview
Let's suppose an attacker obtained...
CVE-2021-45230: Apache Airflow: Creating DagRuns didn't respect Dag-level permissions in the Webserver
Kaxil Naik (Jan 19)
Description:
This CVE applies to a specific case where a User who has "can_create" permissions on DAG Runs can create Dag Runs for
dags that they don't have "edit" permissions for.
This is a very low severity CVE and admins can mitigate this issue by removing the global "can_create" permissions on
DagRun for Airflow versions >=2.0.0,<2.2.0 and 1.10.x versions that have set `rbac=True` in config....
Re: Linux kernel: Heap buffer overflow in fs_context.c since version 5.1
John Haxby (Jan 18)
This is CVE-2022-0185
jch
Linux kernel: Heap buffer overflow in fs_context.c since version 5.1
Will (Jan 18)
There is a heap overflow bug in legacy_parse_param in which the length of data copied can be incremented beyond the
width of the 1-page slab allocated for it. We currently have created functional LPE exploits against Ubuntu 20.04 and
container escape exploits against Google's hardened COS. The bug was introduced in 5.1-rc1
(...
Re: Prosody XMPP server advisory 2022-01-13 (Remote Unauthenticated Denial of Service) (CVE request)
Jonas Schäfer (Jan 18)
As promised, attached you'll find instructions for probing for the
vulnerability.
kind regards,
Jonas
To test for a vulnerable websockets endpoint at URL
wss://xmpp.domain.example/xmpp-websocket, use the following
instructions:
1. Install `websocat` or any other tool you can use to interact with a
WebSocket (this guide uses `websocat` for simplicity):
cargo install websocat
2. Put the string
```
<!DOCTYPE open...
CVE-2022-23307: Apache Log4j 1.x: A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution.
Ralph Goers (Jan 18)
Severity: Critical
Description:
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw
was a component of Apache Log4j 1.2.x where the same issue exists.
Mitigation:
Upgrade to Apache Log4j 2 and Apache Chainsaw 2.1.0.
Credit:
@kingkk
CVE-2022-23305: SQL injection in JDBC Appender in Apache Log4j V1
Ralph Goers (Jan 18)
Severity: high
Description:
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be
inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows
attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are
logged allowing unintended SQL queries to be executed.
Note this...
CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x
Ralph Goers (Jan 18)
Severity: high
Description:
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write
access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The
attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that
result in remote code execution in a similar fashion to...
Re: Linux Kernel eBPF Improper Input Validation Vulnerability
tr3e wang (Jan 18)
Hi all,
This post is the exploit overview of CVE-2022-23222.
We successfully exploited this vulnerability to obtain full root
privileges on default installations of Ubuntu 20.04.
*Exploit overview*
1. Among all these *_OR_NULL types, we choose PTR_TO_MEM_OR_NULL
which can be created by BPF_FUNC_ringbuf_reserve. First, we
pass 0xffff........ffff to BPF_FUNC_ringbuf_reserve to get a
NULL pointer r0, and copy r0 to r1. Then add r1 by 1,...
Re: CVE-2021-4204: Linux Kernel eBPF Improper Input Validation Vulnerability
tr3e wang (Jan 18)
Hi all,
This post is the exploit overview of CVE-2021-4202.
We successfully exploited this vulnerability to obtain full root
privileges on default installations of Ubuntu 20.04.
*Exploit overview*
1. We create a lot of BPF ringbufs, and choose one of them as victim.
The BPF_FUNC_ringbuf_reserve allow us to have a pointer A to the
beginning of the victim ringbuf's data field.
2. We do a pointer subtraction to point back to the...
Secure Coding — The Secure Coding list (SC-L) is an open forum for the discussion on developing secure applications. It is moderated by the authors of Secure Coding: Principles and Practices.
Silver Bullet 123: Yanek Korff
Gary McGraw (Jul 06)
hi sc-l,
The latest installment of Silver Bullet was posted this morning. Silver Bullet episode 123 features a conversation
with Yanek Korff. Yanek worked for many years at Cigital as a system administrator back in the early days. He then
moved on to operational security work at AOL and running managed security services at Mandiant.
We talk about managing technical people in this episode. We also discuss operational security. Have a...
Educause Security Discussion — Securing networks and computers in an academic environment.
Covid Test Kit Singapore
Covid Test Kit Singapore (Oct 01)
Covid Test Kit
Order test kit for your company now! Stay Safe! Free Delivery in Singapore
Easy to use
HSA Approved
Click on the link below to open the message in a browser:
https://www.covidtestkit.info/so/b3Nmx3jmr/c?w=X7fgda-LWUeRP6mC6I6qXRUzGOxDt64oN8eoV7oJkUE.eyJ1IjoiaHR0cHM6Ly93d3cuY292aWR0ZXN0a2l0LmluZm8vc28vYjNObXgzam1yP2xhbmd1YWdlVGFnPWVuIiwibSI6Im1haWwiLCJjIjoiOGE5YzNiMGMtMjYwMC00ODQ3LTgzMGItMTVmN2U4NzA3YzVjIn0
You've received...
Don't forget to register for CAMP Week!
Jeanetta Caligari (Sep 27)
Register Today for Virtual CAMP & Advance CAMP - OCTOBER 4-8, 2021!
Join your peers virtually October 4-8, 2021 to learn about the latest trends and happenings in identity and access
management. There's still time to register!...
EDUCAUSE Member QuickTalk: Federal Policy, Sept. 30, 3 - 4 PM, EDT
Jarret Cummings (Sep 24)
As you're hopefully winding down your week and looking ahead to your schedule for next week, I hope you will make time
on your calendar for my next Member QuickTalk on federal policy, which is scheduled for Thursday, September 30, from
3:00 - 4:00 PM, Eastern Time.
With major spending bills, the debt ceiling, and continued funding of the government all in play, we'll have plenty of
macro-level topics to talk about, especially when...
Using Canva in NIST 800-171 research environment
Bole, Jim A (Sep 24)
Some of our researchers use Canva to build infographics that contain 800-171 CUI data.
Currently they’ve purchased individual pro licensing:
https://www.canva.com/pricing/<...
October Learning Lab | Hacking the Juice Shop: An Introduction to the OWASP Top 10
Brian Kelly (Sep 23)
There are still seats available. Register today to grab your spot.
Brian
[EDUCAUSE - Learning
Labs]<https://emails.educause.edu/optiext/optiextension.dll?ID=hLKhMDRmmyL1OB19%2BySCzjaMsjz5JXEag5kbkh2GGfaxsXqxofhXcLUY3Cef5uVkJPelUl17qn4_Y1yJw5yXZNSmaXlN_>
Hacking the Juice Shop: An Introduction to the OWASP...
Re: [External] [SECURITY] Account Retention/Email retention
Gregg, Christopher S. (Sep 23)
We don't have an e-mail specific retention policy. If an e-mail constitutes a record then it is subject to the retention
period of that record type.
We do use the Microsoft Litigation Hold function for situations where we need to preserve e-mail and then release the
hold when the situation is resolved. These requests are almost always triggered by requests from our Office of General
Counsel.
A few years ago I tried to go down the path of...
Account Retention/Email retention
Jeremy Livingston (Sep 23)
Friends,
I'm looking for some examples of account retention and email retention at your schools. While legal wants to hold all
emails for 7 years (statute of limitations on most crimes), that comes at a cost, and it would be great to have a basis
for comparison.
Thanks for any information you can provide, and feel free to send it directly if you don't want it shared more widely.
Jeremy M. Livingston
Chief Information Security...
[ALL-LISTS] Reminder: Action-Needed | EDUCAUSE Community Groups
she/her (Sep 22)
Hello again EDUCAUSE Community Group subscribers!
If you don’t want to lose access to your community group lists, please review the following dates and details to help
you prepare for the launch of our new platform—EDUCAUSE
Connect<https://www.educause.edu/community/educause-connect>—which will replace our current email list system for
EDUCAUSE Community Groups.
* Today, September 22: Last Chance to Create an EDUCAUSE Profile...
Job Opening: University of Nebraska - Director, Research IT Services
Matthew Long (Sep 22)
All...Information Technology Services at the University of Nebraska is currently seeking candidates for a Director,
Research IT Services to join the ITS team. Please share the posting with your networks and encourage interested
applicants to apply.
Position Summary:
This position leads Research IT Services and acts as an advocate for campus scholars and researchers in the Information
Technology Services (ITS) organization. This position will...
Non-recourse Finance.
reply (Sep 21)
<<< text/html: EXCLUDED >>>
Re: Recording from last Thursday's - Member QuickTalk | Open-source, Passwordless MFA with Duke Unlock
Jay Gallman (Sep 21)
My apologies, I see the code at the bottom of the page.
Re: Recording from last Thursday's - Member QuickTalk | Open-source, Passwordless MFA with Duke Unlock
Jay Gallman (Sep 21)
Brian,
If we log in and try to watch the video it wants a passcode.
Thanks!
Jay
Recording from last Thursday's - Member QuickTalk | Open-source, Passwordless MFA with Duke Unlock
Brian Kelly (Sep 21)
The recording from last week’s Member QuickTalk | Open-source, Passwordless MFA with Duke Unlock is now available -
https://events.educause.edu/member-quicktalks/2021/open-source-passwordless-mfa-with-duke-unlock
Brian
Brian Kelly, CISSP, CISM, CEH
Director, Cybersecurity
Program<https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-program>
bkelly () educause edu<mailto:bkelly () educause edu>...
Re: [External] Re: [SECURITY] What security framework are you using, and why?
Shane Kroening (Sep 21)
All,
I’d like to echo the folks here that say you need to start with the why before complying to a certain framework. To
take that a step further, let me walk you through what I would advise doing to get started.
Rather than focusing on a certain security framework or mandate, such as NIST 800-53, CMMC, etc. you should first focus
on what is in your environment. This has two key aspects: technologies (operating systems, databases,...
[Action Needed Tomorrow: September 22] Your EDUCAUSE Community Groups
EDUCAUSE (Sep 21)
View in Browser
(https://membershipteam.educause.edu/optiext/optiextension.dll?ID=6yz6yDmptj2%2BRbYk1xMWax_qEKtgObASsfm7P90cb__IsjmkYfA88ek7mN9UGlFJnC9rqflckDomqQed_3Jg4bfQzC8sa)
You’re Just Two Steps Away...
By now, you’ve probably heard about our new community platform launching in just one week—EDUCAUSE Connect
(...
NANOG — The North American Network Operators' Group discusses fundamental Internet infrastructure issues such as routing, IP address allocation, and containing malicious activity.
Re: Operator survey: Incrementally deployable secure Internet routing
scott (Jan 21)
This all looks like a network made for surveilling the planet's citizens
more easily. Even in the FAQs!
----------------------------------------------------------------
"Do you use countries as ISDs? Doesn't that create opportunities for
government intervention and censorship?
We're currently looking into the best way to partition the Internet into
ISDs, so using countries as ISDs is only one possible option. Countries...
Operator survey: Incrementally deployable secure Internet routing
Yixin Sun (Jan 21)
Dear Nanog,
We appreciate that your time is very precious, but we wanted to ask you for
your help in answering a brief survey about a new secure routing system we
have developed in a research collaboration between ETH, Princeton
University, and University of Virginia. We'd like to thank those of you who
have already helped us fill out the survey and provided insightful
feedback. Your input is critical for helping inform our further work on...
Re: Telia is now Arelion
Mike Hammett (Jan 21)
I do want to point out that it isn't a mindless name change like Xfinity, Spectrum, or Lumen. It's because the company
actually split off from Telia proper and thus, needed a new name.
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com
----- Original Message -----
From: "Justin Krejci" <JKrejci () usinternet com>
To: nanog () nanog org
Sent:...
Fastly CDN and Tiktok byteDance CDN
Paschal Masha (Jan 21)
Hello,
Any contacts from Fastly CDN and byteDance, kindly contact me offlist. About CDN for ISPs, thanks.
Regards
Paschal Masha | Engineering
Skype ID: paschal.masha
Re: What do you think about this airline vs 5G brouhaha?
Mel Beckman (Jan 21)
Geoff,
My understanding is that the FAA and 5G industry have just this week agreed on buffer zones around 50 of the impacted 80
US airports:
https://www.8newsnow.com/news/local-news/las-vegas-airport-included-in-5g-buffer-zone/
The 30 airports that are not buffered I think don’t have 5G deployed yet. For example, Denver international. The buffer
zone is described as “the last 20 seconds of flight time”, which considering 230MPH (the...
Re: What do you think about this airline vs 5G brouhaha?
Jay Hennigan (Jan 21)
I'm not qualified to answer. Avionics needs to go through a testing
program called TSO.
https://www.faa.gov/aircraft/air_cert/production_approvals/tsoa/
The FAA certainly could require that the radar meet the specs. There are
several off-the-shelf waveguide filters that are -60dB at 20 MHZ
out-of-band readily available within that frequency range but a quick
search doesn't show anything off-the-shelf with the radar band as the...
Re: What do you think about this airline vs 5G brouhaha?
Mel Beckman (Jan 21)
Here’s another video by 767 pilot Juan Brown from his channel BlancoLirio:
https://youtu.be/aHIFs4EkA0k
He addresses many of the points being claimed by the FCC and 5G industry, in particular the reason you can’t compare US
5G with overseas 5G.
-mel via cell
FAA puts all kinds of restrictions on what equipment is required to perform certain maneuvers. You need a localizer,
glideslope, etc. for instrument landings. Radars are made...
Re: What do you think about this airline vs 5G brouhaha?
Michael Thomas (Jan 21)
For commercial airlines is it just old equipment or all equipment that
has this error? That is, is there actually an off the shelf radio that
would solve the problem?
Mike
Re: What do you think about this airline vs 5G brouhaha?
Jay Hennigan (Jan 21)
Indeed, it sounds like that is the case, and that's a horrible
assumption. When the spectrum was originally being allocated, if the
devices need 1200 MHz of interference-free bandwidth to function they
should have requested 1200 MHz of spectrum.
FCC indeed does take into account practical performance of equipment in
licensing. Early TV sets weren't very selective, so you wouldn't see
adjacent VHF channels licensed in the same...
Weekly Global IPv4 Routing Table Report
Routing Table Analysis Role Account (Jan 21)
This is an automated weekly mailing describing the state of the Global
IPv4 Routing Table as seen from APNIC's router in Japan.
The posting is sent to APOPS, NANOG, AfNOG, SANOG, PacNOG, SAFNOG
TZNOG, MENOG, BJNOG, SDNOG, CMNOG, LACNOG and the RIPE Routing WG.
Daily listings are sent to bgp-stats () lists apnic net.
For historical data, please see https://thyme.apnic.net.
If you have any comments please contact Philip Smith <pfsinoz...
Re: Coverage of the .to internet outage
Joel M Snyder (Jan 21)
Got an Intelsat press release which may be of interest to folks
following the situation in Tonga. I wish I could include just a URL,
but they sent it to me as text so I am including the full thing:
-------
FOR IMMEDIATE RELEASE: January 21, 2022
Intelsat and Partners Bring Emergency Connectivity to Tonga
McLean, Va. – Intelsat, operator of the world’s largest integrated
satellite and terrestrial network, in cooperation with Telstra and...
Re: [External] Re: What do you think about this airline vs 5G brouhaha?
Mark Tinka (Jan 21)
In my mind, that is still rather negligent and irresponsible, especially
because in the -MAX, this was more critical considering the level of
input from the computer to activate MCAS outside of the pilot's control,
or even knowledge.
Unlikely to be such a big deal in earlier B737 models, where MCAS is not
used.
There has been AoA sensor failure in non-MAX B737 aircraft. The
difference is you don't have MCAS there trying to do its...
Re: Coverage of the .to internet outage
John Levine (Jan 20)
It appears that Aaron C. de Bruyn via NANOG <aaron () heyaaron com> said:
I think you vastly overestimate how much money there is in domain registrations
if your name is not Verisign or Godaddy.
Well, sure, the DNS has mirrors all over the place:
$ host -t ns to.
to name server frankfurt.tonic.to.
to name server singapore.tonic.to.
to name server colo.tonic.to.
to name server tonic.to.
to name server sydney.tonic.to.
to name server...
Re: Coverage of the .to internet outage
scott (Jan 20)
From: "Jay R. Ashworth" <jra () baylink com>
This piece:
https://www.npr.org/2022/01/18/1073863310/an-undersea-cable-fault-could-cut-tonga-from-the-rest-of-the-world-for-weeks
drills down to this piece with slightly more detail:
https://www.reuters.com/markets/funds/undersea-cable-fault-could-cut-off-tonga-rest-world-weeks-2022-01-18/
I'm told their national carrier is trying to bring in a ground station as
well, though...
Re: What do you think about this airline vs 5G brouhaha?
Brandon Martin (Jan 20)
I think we're saying the same thing, but with a different focus.
Yeah, front-end overload will always be a problem if the overload is
caused by an unwanted signal or if the overload is so severe that it
causes distortion going into the next stage even if it's just from a
desired signal.
But even a moderately powerful signal that's outside your band of
interest by as much as the entire width of the interested band...
Interesting People — David Farber moderates this list for discussion involving internet governance, infrastructure, and any other topics he finds fascinating
Rentals, OCEANFRONT in Punta del Este
Azure (Jan 21)
😃Short-Term Rental, OCEANFRONT in Punta del Este 🌊
By the Day, Week, Fortnight and Month
Last Units for January
inquiries via WhatsApp by clicking here
click here to forward this email to a friend
To remove your address from this list <a
href="https://ml15.gpserver4.com/unsuscribe.php?id=wuwwiiswrryustpripsroi">click...
We Are Seeking Properties from Direct Owners for Clients
La Capitana (Jan 12)
🔎*SEEKING for CLIENTS*👁️ from Direct Owners very eager to sell
Land to build on, between 1000/1500 m2, in a good location, paying the largest part with already-built square meters in
Villa Pueyrredon and some in Devoto.
Well-located lot to exchange for 2 rented commercial units, one on Av. Cabildo and another on Av. Santa Fe, plus a CASH balance to be
negotiated
Lot to exchange for two rented commercial units...
Altos de Nuñez with Amenities
La Capitana (Jan 11)
More Projects by clicking here
La Capitana Real Estate of Marisa G. Snatman,
Licensed Auctioneer and Real Estate Broker, license nos. 5633 CSI /3921 CUCICBA,
3 De Febrero 820 2°D (CABA 1426), Ruta Nacional N 8 KM.52 (Pilar)
click here to forward this email to a friend
To remove your address from this list <a
href="...
Check Cashing and Now Also e-cheqs, Electronic Checks
Cambio de Cheques (Jan 11)
WhatsApp inquiries here
Now also e-chqs
click here to forward this email to a friend
*We Send Your Campaign to Our Lists*
you can see our Work and LISTS by clicking here
To remove your address from this list <a
href="https://ml15.gpserver4.com/unsuscribe.php?id=wuwwiiswrryustprtusroi">click...
Highland Park Country Club
La Capitana (Jan 10)
La Capitana Real Estate of Marisa G. Snatman
Licensed Auctioneer and Real Estate Broker, license nos. 5633 CSI /3921 CUCICBA
3 De Febrero 820 2°D (CABA 1426), Ruta Nacional N 8 KM.52 (Pilar)
Click here to forward this email to another person
To remove your address from this list <a
href="https://ml15.gpserver4.com/unsuscribe.php?id=wuwwiiswrryustpretsroi">click...
Rentals, OCEANFRONT in Punta del Este
Azure (Jan 07)
😃Short-Term Rental, OCEANFRONT in Punta del Este 🌊
By the Day, Week, Fortnight and Month
inquiries via WhatsApp by clicking here
click here to forward this email to a friend
To remove your address from this list <a
href="https://ml15.gpserver4.com/unsuscribe.php?id=wuwwiiswrryustprwqsroi">click here</a>
Palermo Hollywood, 1, 2, 3 and 4 rooms
La Capitana (Jan 07)
Palermo Hollywood
La Capitana Real Estate of Marisa G. Snatman
Licensed Auctioneer and Real Estate Broker, license nos. 5633 CSI /3921 CUCICBA
3 De Febrero 820 2°D (CABA 1426), Ruta Nacional N 8 KM.52 (Pilar)
To remove your address from this list <a
href="https://ml15.gpserver4.com/unsuscribe.php?id=wuwwiiswrryustpeptsroi">click here</a>
Almagro, Brand New, 1, 2 and 3 rooms
La Capitana Real Estate (Jan 06)
La Capitana Real Estate of Marisa G. Snatman
Licensed Auctioneer and Real Estate Broker, license nos. 5633 CSI /3921 CUCICBA
3 De Febrero 820 2°D (CABA 1426), Ruta Nacional N 8 KM.52 (Pilar)
click here to forward this email to a friend
To remove your address from this list <a
href="...
Summer 2022 Rentals, OCEANFRONT in Punta del Este
Azure (Jan 05)
😃2022 Season Rentals, OCEANFRONT in Punta del Este 🌊
By the Day, Week, Fortnight and Month
inquiries via WhatsApp by clicking here
click here to forward this email to a friend
To remove your address from this list <a
href="https://ml13.send4you.info/unsuscribe.php?id=wwrueuswepptsuouisriq">click here</a>
SUMMER RENTAL, Brand New, just listed, Barrio San Gabriel, Lagoon view
La Capitana (Jan 05)
🏡 Brand New, just listed, Barrio San Gabriel, Lagoon view🌳
➕ information at this link:
https://www.lacapitana.com.ar/p/4144463-Casa-en-Alquiler-temporario-en-San-Gabriel-San-Gabriel-Barrio-Nautico
👍January u$s 3.500, 2nd half of January u$s 2.000, February u$s3.200, March u$s 2.500
http://barriosangabriel.com/
Mobile / Whatsapp: 11-5621-7423
La Capitana Real Estate of Marisa G. Snatman,...
Rentals, OCEANFRONT in Punta del Este
Azure (Jan 04)
😃2022 Season Rentals, OCEANFRONT in Punta del Este 🌊
By the Day, Week, Fortnight and Month
inquiries via WhatsApp by clicking here
click here to forward this email to a friend
To remove your address from this list <a
href="https://ml15.gpserver4.com/unsuscribe.php?id=wuwwiiswrryustpeuesroi">click here</a>
SUMMER RENTAL, Brand New, just listed, Barrio San Gabriel, Lagoon view
La Capitana (Jan 03)
🏡 Brand New, just listed, Barrio San Gabriel, Lagoon view🌳
➕ information at this link:
https://www.lacapitana.com.ar/p/4144463-Casa-en-Alquiler-temporario-en-San-Gabriel-San-Gabriel-Barrio-Nautico
👍January u$s 3.500, 2nd half of January u$s 2.000, February u$s3.200, March u$s 2.500
http://barriosangabriel.com/
Mobile / Whatsapp: 11-5621-7423
La Capitana Real Estate of Marisa G. Snatman,...
SUMMER RENTAL, Brand New, just listed, Barrio San Gabriel, Lagoon view
La Capitana Real Estate (Dec 31)
🏡 Brand New, just listed, Barrio San Gabriel, Lagoon view🌳
➕ information at this link:
https://www.lacapitana.com.ar/p/4144463-Casa-en-Alquiler-temporario-en-San-Gabriel-San-Gabriel-Barrio-Nautico
👍January u$s 3.500, 2nd half of January u$s 2.000, February u$s3.200, March u$s 2.500
http://barriosangabriel.com/
Mobile / Whatsapp: 11-5621-7423
La Capitana Real Estate of Marisa G. Snatman,...
LAST UNITS for YEAR-END, Rentals, OCEANFRONT in Punta del Este
Azure (Dec 30)
😃2021/22 Season Rentals, OCEANFRONT in Punta del Este 🌊
inquiries via WhatsApp by clicking here
click here to forward this email to a friend
To remove your address from this list <a
href="https://ml15.gpserver4.com/unsuscribe.php?id=wuwwiiswrryustperusroi">click here</a>
Exclusive Benefits for CLARO customers
Marcelo Perez (Dec 29)
The RISKS Forum — Peter G. Neumann moderates this regular digest of current events which demonstrate risks to the public in computers and related systems. Security risks are often discussed.
Risks Digest 33.02
RISKS List Owner (Jan 15)
RISKS-LIST: Risks-Forum Digest Saturday 15 January 2021 Volume 33 : Issue 02
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.02>
The current issue can also be found at
<...
Risks Digest 33.01
RISKS List Owner (Jan 08)
RISKS-LIST: Risks-Forum Digest Saturday 8 December 2021 Volume 33 : Issue 01
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.01>
The current issue can also be found at
<...
Risks Digest 32.96
RISKS List Owner (Dec 29)
RISKS-LIST: Risks-Forum Digest Wednesday 28 December 2021 Volume 32 : Issue 96
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.96>
The current issue can also be found at
<...
Risks Digest 32.95
RISKS List Owner (Dec 14)
RISKS-LIST: Risks-Forum Digest Tuesday 14 December 2021 Volume 32 : Issue 95
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.95>
The current issue can also be found at
<...
Risks Digest 32.94
RISKS List Owner (Dec 01)
RISKS-LIST: Risks-Forum Digest Wednesday 1 December 2021 Volume 32 : Issue 94
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.94>
The current issue can also be found at
<...
Risks Digest 32.93
RISKS List Owner (Nov 22)
RISKS-LIST: Risks-Forum Digest Monday 22 November 2021 Volume 32 : Issue 93
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.93>
The current issue can also be found at
<...
Risks Digest 32.92
RISKS List Owner (Nov 06)
RISKS-LIST: Risks-Forum Digest Saturday 6 November 2021 Volume 32 : Issue 92
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.92>
The current issue can also be found at
<...
Risks Digest 32.91
RISKS List Owner (Oct 30)
RISKS-LIST: Risks-Forum Digest Saturday 30 October 2021 Volume 32 : Issue 91
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.91>
The current issue can also be found at
<...
Risks Digest 32.90
RISKS List Owner (Oct 17)
RISKS-LIST: Risks-Forum Digest Sunday 17 October 2021 Volume 32 : Issue 90
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.90>
The current issue can also be found at
<...
Risks Digest 32.89
RISKS List Owner (Oct 03)
RISKS-LIST: Risks-Forum Digest Sunday 3 October 2021 Volume 32 : Issue 89
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.89>
The current issue can also be found at
<...
BreachExchange — BreachExchange focuses on all things data breach. Topics include actual data breaches, cyber insurance, risk management, metrics and more. This archive includes its predecessor, the Data Loss news and discussion lists.
Nigerian Police Arrest 11 Individuals in BEC Crackdown
Terrell Byrd (Jan 20)
https://www.darkreading.com/attacks-breaches/nigerian-police-arrest-11-individuals-in-bec-crackdown
Police in Nigeria, with the help of Interpol, have arrested 11 individuals
in the country for their alleged involvement in business email compromise
(BEC) scams associated with more than 50,000 targets worldwide.
Six of those arrested were identified as members of SilverTerrier, a known
BEC gang that is thought to have harmed thousands of...
Senate passes bills aimed at ransomware, data breaches
Terrell Byrd (Jan 20)
https://apnews.com/article/technology-congress-pennsylvania-432de39affb45babd018744e023b4dfa
HARRISBURG, Pa. (AP) — Pennsylvania’s state Senate passed a package of
legislation on Wednesday aimed at preventing data security breaches and
requiring victims and law enforcement officials to be notified when they do
happen.
The bills’ passage comes barely two weeks after the state’s unemployment
compensation system acknowledged that hackers...
Gloucester Council cyber attack linked to Russian hackers
Terrell Byrd (Jan 20)
https://www.bbc.com/news/uk-england-gloucestershire-60045060
A cyber attack which has knocked out parts of a council website has been
linked to the work of Russian hackers.
Gloucester City Council became aware that its IT systems had been affected
on 20 December last year.
Since then, the council's online revenue and benefits, planning and
customer services have been affected.
The council has been working with the National Crime Agency...
'Lock it down and piss people off': How quick thinking stopped a ransomware attack from crippling a Florida hospital
Terrell Byrd (Jan 20)
https://www.cnn.com/2022/01/16/politics/florida-hospital-ransomware/index.html
It was approaching midnight on Sunday and the head of IT at a Florida
hospital had a problem.
The emergency room of Jackson Hospital, a 100-bed facility on Florida's
panhandle, called to report that it couldn't connect to the charting system
that doctors use to look up patients' medical histories. Jamie Hussey,
Jackson Hospital's IT director, soon...
Email Account Compromise – What Is It And How Can Your Business Protect Itself From It?
Terrell Byrd (Jan 20)
https://www.natlawreview.com/article/email-account-compromise-what-it-and-how-can-your-business-protect-itself-it
Scamming, phishing, pharming, vishing — people in the business world are
well aware that hackers and other fraudsters have developed a myriad of
schemes designed to obtain sensitive personal information and money. Every
year, these schemes cause businesses to suffer significant financial
losses. The FBI estimates that in 2020...
Former Homeland Security Acting Inspector General Pleads Guilty To Data Theft
Terrell Byrd (Jan 18)
https://www.nextgov.com/cio-briefing/2022/01/former-homeland-security-acting-inspector-general-pleads-guilty-data-theft/360794/
Former Acting Inspector General for the Department of Homeland Security
Charles Edwards pleaded guilty on Friday to two federal charges related to
stealing software and sensitive data from the government.
Confirmed by the Department of Justice, Edwards stole confidential
proprietary software from the U.S. government...
SRT email service down due to ransomware attack
Terrell Byrd (Jan 18)
https://www.kxnet.com/news/local-news/srt-email-service-down-due-to-ransomware-attack/
Email service to SRT customers has been down since January 12 due to a
ransomware attack, the company said Friday.
Mail2World, SRT’s third-party email provider, says customer data has not
been compromised.
“The ransomware attack is on Mail2World’s server that controls distribution
of email, not on SRT directly,” said SRT CEO and General Manager...
Vesta Property Group Notifies Individuals of Data Security Incident
Terrell Byrd (Jan 18)
https://finance.yahoo.com/news/vesta-property-group-notifies-individuals-210000035.html
Vesta Property Services, Inc. ("Vesta"), an organization that provides
association management services to developers of planned unit communities,
condominium associations, homeowners associations and property owners
associations announced today that it is notifying certain individuals whose
information may have been involved in recent data security...
What Russia’s Arrest of REvil Hackers Means for Ransomware
Terrell Byrd (Jan 18)
https://www.wsj.com/articles/what-the-russian-crackdown-on-revil-means-for-ransomware-11642188675
Russian authorities announced Friday that they raided one of the most
prominent ransomware gangs, known as REvil, arrested 14 of its members and
halted the group’s operations at the request of the U.S. government.
“These are very important steps, in that they represent the Kremlin taking
action against criminals operating from within its...
Ransomware puts New Mexico prison in lockdown: Cameras, doors go offline
Terrell Byrd (Jan 14)
https://www.theregister.com/2022/01/12/ransomware_new_mexico_prison/
Bernalillo County, New Mexico, has been unable to comply with the
settlement terms of a 27-year-old lawsuit over prison conditions because of
a ransomware attack last week that saw prisoners back under manual control.
County officials on January 6, 2022, filed a notice [PDF] with the New
Mexico District Court overseeing the settlement invoking an emergency
provision in the...
Bunnings customers exposed in data breach
Terrell Byrd (Jan 14)
https://thenewdaily.com.au/finance/consumer/2022/01/13/bunnings-customers-data-breach/
The personal information of some Bunnings Warehouse customers has been
compromised after a significant data breach at a third-party provider.
Bunnings Australia has been caught up in a major cyber security attack
after its US-based booking platform, FlexBooker, revealed the data of an
estimated 3.7 million users, including Australian shoppers, was exposed to...
Attack on Health Dept. Computers Was “Ransomware,” Hogan and Cyber Czar Acknowledge
Terrell Byrd (Jan 14)
https://www.marylandmatters.org/2022/01/12/attack-on-health-dept-computers-was-ransomware-hogan-and-cyber-czar-acknowledge/
Gov. Lawrence J. Hogan Jr. and top Maryland Department of Health officials
acknowledged for the first time Wednesday that the perpetrators of the
attack on the agency’s computer system sought a ransom payment from the
state.
The state has not paid those responsible for the attack, Hogan (R) said.
“Unlike Texas and I...
Arizona lawmaker proposes ban on taxpayer-funded ransomware payouts
Terrell Byrd (Jan 14)
https://www.washingtonexaminer.com/politics/arizona-lawmaker-proposes-ban-on-taxpayer-funded-ransomware-payouts
Any public entity in Arizona that’s held ransom for its digital assets
could not pay the ransom to get those assets back, under a new proposal.
State Rep. Shawnna LM Bolick, R-Phoenix, filed two bills Tuesday that would
ban state or local entities from paying off a ransomware attack.
A ransomware attack is typically described as a...
Ukraine Reports Massive Cyber Attack on Government Websites
Terrell Byrd (Jan 14)
https://www.securityweek.com/ukraine-reports-massive-cyber-attack-government-websites
Kyiv on Friday reported a massive cyber attack on key government websites
as tensions between Russia and the West over Ukraine escalate following
several rounds of unsuccessful talks.
The education ministry said on Facebook that its website was down due to a
"global (cyber) attack" that had taken place overnight.
Other websites that were down...
Fertility Clinic Hacking Incident Affected Nearly 80,000
Terrell Byrd (Jan 11)
https://www.govinfosecurity.com/fertility-clinic-hacking-incident-affected-nearly-80000-a-18269
A Chicago-based fertility center has reported that a hacking incident
detected in February 2021 has affected the protected health information of
nearly 80,000 individuals. The breach is among the latest security
incidents involving fertility healthcare providers and the compromise of
their patients' sensitive data.
Fertility Centers of Illinois...
Metasploit — Development discussion for Metasploit, the premier open source remote exploitation tool
nullcon se7en CFP is open
nullcon (Aug 25)
Dear Friends,
Welcome to nullcon se7en!
$git commit -a <sin>
<sin> := wrath | pride | lust | envy | greed | gluttony | sloth
nullcon is an annual security conference held in Goa, India. The focus
of the conference is to showcase the next generation of offensive and
defensive security technology. We happily open doors to researchers
and hackers around the world working on the next big thing in security
and request...
Ruxcon 2015 Final Call For Presentations
cfp (Jul 05)
Ruxcon 2015 Final Call For Presentations
Melbourne, Australia, October 24-25
CQ Function Centre
http://www.ruxcon.org.au
The Ruxcon team is pleased to announce the first round of Call For Presentations for Ruxcon 2015.
This year the conference will take place over the weekend of the 24th and 25th of October at the CQ Function Centre,
Melbourne, Australia.
The deadline for submissions is the 15th of September, 2015.
.[x]. About Ruxcon .[x]....
Wireshark — Discussion of the free and open source Wireshark network sniffer. No other sniffer (commercial or otherwise) comes close. This archive combines the Wireshark announcement, users, and developers mailing lists.
Re: Future of Wireshark's shared library ABI stability
João Valverde (Jan 21)
I used apt-rdepends to check. Maybe I checked a different release. I
stand corrected in any case. There is one package that depends on
libwireshark in Debian. I was not aware libvirt-wireshark existed in
Debian.
However as I have repeatedly tried to explain plugins are a misdirection
to the discussion. It is very curious that libvirt-wireshark depends on
libwireshark14 *only*, since as a dissector plugin it cannot work with
only...
Re: Future of Wireshark's shared library ABI stability
João Valverde (Jan 21)
I don't know who recommends that or where it is recommended. I would
consider myself a Debian user with average knowledge. Makes me wonder
why the Debian package system is so limited that it can't handle this
simple use case without imposing hidden requirements on the user.
Since this passed through the cracks, I don't think it does. It's just
boring menial wasteful brainless work compiling lists of symbols for a...
Re: Future of Wireshark's shared library ABI stability
João Valverde (Jan 21)
This is about package code that lives in the Wireshark repository, that
Wireshark devs have to work on, and relates directly to the issue at
hand, so I beg to differ. I think it is very relevant and in the proper
place.
The symbols added are fine, nobody is contesting them, and they were
necessary to fix bugs in the 3.6 branch. The issue is a symbol that was
replaced by a different one in the backport. That removal is what
constitutes an...
Re: Future of Wireshark's shared library ABI stability
Bálint Réczey (Jan 21)
João Valverde <j () v6e pt> wrote (on Fri, Jan 21, 2022, 11:17):
Before installing the upstream packages it is recommended to remove
all installed packages generated from Debian's official wireshark
source package because incompatibilities can't be prevented otherwise.
When testing new builds I do that and just install all built .deb-s.
Debian many years ago used to _not_ recommend upstreams to keep
packaging...
Re: Future of Wireshark's shared library ABI stability
Bálint Réczey (Jan 21)
Hi Roland,
Roland Knall <rknall () gmail com> wrote (on Fri, Jan 21, 2022, 11:48):
I fully agree with and support the current practice of allowing ABI
breakages between major releases and those are well handled by bumping
the major SO version. My bug report was about breaking the ABI between
3.6.0 and 3.6.1 and somehow this escalated.
Cheers,
Balint
Re: Future of Wireshark's shared library ABI stability
Roland Knall (Jan 21)
May I suggest that we focus on the discussion at hand here. The discussion
about the package itself seems to be better suited for the issue list
specific for that package, as is the purpose for that list.
The issue here is, that with change
https://gitlab.com/wireshark/wireshark/-/merge_requests/5318 version
changes were backported in 3.6, which are only meant to be in 3.7 and
beyond (hence the reference in libwireshark0.symbols). Regardless of...
Re: Future of Wireshark's shared library ABI stability
João Valverde (Jan 21)
I don't mind the email. We do disagree on many things and what I said on
the Gitlab issue is exactly what I meant. My lack of patience with you
is entirely justified.
I strongly believe the upstream Debian package to be a detriment to the
project, and not in the interest of users either. I will share my
experience as a user. I had to build the Wireshark Debian package to
fix something or other. I looked up online the incantation to...
Re: Future of Wireshark's shared library ABI stability
Bálint Réczey (Jan 21)
João Valverde <j () v6e pt> wrote (on Fri, Jan 21, 2022, 1:29):
In gitlab issue I already mention libvirt as a packaged thus I had the
impression that this one was covered:
https://gitlab.com/wireshark/wireshark/-/issues/17822#note_815677078
It is factually incorrect to state that nothing depends on our
libraries in Debian:
root@73c5830ef791:/# apt-cache rdepends libwireshark14
libwireshark14
Reverse Depends:
......
Re: Future of Wireshark's shared library ABI stability
Bálint Réczey (Jan 21)
Hi João,
João Valverde <j () v6e pt> wrote (on Fri, Jan 21, 2022, 1:14):
OK, great to hear that from you. I got the impression from the gitlab
comments that you had a different view.
I'm happy with the project's commitment to ABI stability and agree
with Gerald's proposal of trying to revive the abi-compliance-checker
test to help him in the final release checks. I may find time to
restore the changes...
Re: Future of Wireshark's shared library ABI stability
João Valverde (Jan 20)
I still don't understand what ABI change you are talking about, and I'm
quite curious.
In this case downstream is complaining about a single function that was
removed, that is extremely unlikely that anyone was using anyway.
Re: Future of Wireshark's shared library ABI stability
João Valverde (Jan 20)
How is that relevant?
The answer to the question that was asked is: exactly zero Debian
packages have a dependency on your libwsutil/libwireshark/libwiretap
packages.
If you want to see what a properly packaged non-trivial application for
Debian looks like check out Geany[1] for example. It also uses shared
libraries internally and has a plugin system.
I have no idea what you are trying to say here. The libraries were not
intended to be...
Re: Future of Wireshark's shared library ABI stability
João Valverde (Jan 20)
I agree the current practice is reasonable and beneficial, and it is
currently documented in README.Developer[1], chapter 7.3, to the best of
my understanding and ability.
Do you have changes you'd like to propose? I'll gladly go over those.
What I won't do, however, is maintain your package for you.
[1]https://gitlab.com/wireshark/wireshark/-/blob/master/doc/README.developer#L862
Re: Future of Wireshark's shared library ABI stability
Roland Knall (Jan 20)
To be quite honest, I asked the developers myself. In this case they are a
group of students who implemented that utility and did not know better.
Personally I would much rather have new developments added to the main
repository than be implemented as standalone. And as Guy rightfully
guessed, the main reason for them doing it this way was to basically
provide a different UI for the dissection engine with a little bit
different output info. Hope...
Re: Future of Wireshark's shared library ABI stability
Guy Harris (Jan 20)
So why, *other than "because it uses Wireshark libraries intended to provide directly useful services such as reading
capture files or dissecting packets and that use libwsutil"*, would some program outside of Wireshark use wsutil?
Re: Future of Wireshark's shared library ABI stability
Bálint Réczey (Jan 20)
Hi Guy,
Guy Harris <gharris () sonic net> wrote (on Thu, Jan 20, 2022, 21:52):
It seems libvirt's plugin needs wmem_alloc(), for example:
https://gitlab.com/wireshark/wireshark/-/issues/17889
IMO it is easier mentally to have a single library ABI policy because
we ship only public libraries. Having a more relaxed private shared
library policy would make it easier to make mistakes.
Also if libwsutil (with wmem_alloc)...
Snort — Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.
Snort Subscriber Rules Update 2022-01-20
Research (Jan 20)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the file-other and
protocol-scada rule sets to provide coverage for emerging threats from
these technologies.
For a complete list of new and modified rules please see:
https://www.snort.org/advisories
Re: Snort 3.1.20: segfault when 16-core cpu, 2 interfaces and inspector appid (with stream/ssl/http)
Steven Baigal (sbaigal) via Snort-devel (Jan 20)
You are right, perf_monitor.base = false, will disable reporting base stats.
By the way, you can change the process affinity with process.thread configuration, and see if it can make any
differences.
Example can be found from here:
https://github.com/snort3/snort3_demo/blob/master/perf/3.0/common.lua
From: Meridoff <oagvozd () gmail com>
Date: Thursday, January 20, 2022 at 5:36 AM
To: Steven Baigal (sbaigal) <sbaigal () cisco com>...
Re: Snort 3.1.20: segfault when 16-core cpu, 2 interfaces and inspector appid (with stream/ssl/http)
Meridoff via Snort-devel (Jan 20)
Sure, will do that.
But perfmon is disabled, and does nothing, because perfmon.base=false.
It doesn't collect statistics with such setup, isn't it?
Wed, Jan 19, 2022, 19:50 Steven Baigal (sbaigal) <sbaigal () cisco com>:
Re: Snort 3.1.20: segfault when 16-core cpu, 2 interfaces and inspector appid (with stream/ssl/http)
Steven Baigal (sbaigal) via Snort-devel (Jan 19)
Thanks for reporting the issue, could you share the backtrace from the crash?
Also, I noticed you have enabled perf_monitor, please specify which peg count from what module to limit output size,
otherwise snort will try to collect all stats from all modules, when appid is enabled, the peg counts for each
collection will exceed 3k+ for every thread. Try to comment out perf_monitor from your configuration to see if it will
help.
Steven B....
Snort 3.1.20: segfault when 16-core cpu, 2 interfaces and inspector appid (with stream/ssl/http)
Meridoff via Snort-devel (Jan 19)
Hello, I have snort 3.1.20 running on 16-core CPU with 2 interfaces.
Also good traffic goes through snort, and appid detect applications from it
(as shown below in Statistics)
And snort randomly does segfaults, also segfault and even GP occurred when
snort disabled.
If I configure number of threads to 8 or 4 or 2 - then all *OK*, no
segfaults and snort runs OK.
I think it is only when a lot of CPUs used. And number of ifaces
significantly less...
Snort Subscriber Rules Update 2022-01-18
Research (Jan 18)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the file-other,
file-pdf, malware-cnc and server-webapp rule sets to provide coverage
for emerging threats from these technologies.
For a complete list of new and modified rules please see:
https://www.snort.org/advisories
Re: [SUSPECTED SPAM] Returned Errors for CISA Snort Rules
Russ Combs (rucombs) via Snort-sigs (Jan 18)
That looks like an abuse of classtype, but to add new classtypes for Snort 2 you need to update
etc/classification.config.
________________________________
From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of chris <chris () shadowserver org>
Sent: Thursday, January 6, 2022 7:20 PM
To: snort-sigs () lists snort org <snort-sigs () lists snort org>
Subject: [SUSPECTED SPAM] [Snort-sigs] Returned Errors for CISA...
Re: Snort3: segfault after "Inspector found in the trash is still use"
Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) via Snort-devel (Jan 18)
Hi
As a workaround, you can remove the following config option from your configuration file:
snort = { ["-z"] = 0 }
and specify it as a command-line option.
Regards,
Alexey
Hello, Meridoff!
Can you still provide core dump and binary (not stripped will be the best)?
In order to share it, you can upload them to the GoogleDisk (or any other cloud storage) and send a link.
As I can see, previously was proposed to use snort with...
SNORT and dropping spoofed packets
Ameen Al-Azzawi via Snort-sigs (Jan 18)
Hi everyone,
I have attached a pic of my topology (hopefully it goes through this
mailing list).
The topology represents a DS-Lite technology basic structure.
IPIP6 tunnel has been built between B4 & AFTR machines.
I have an attacking scenario and want to mitigate it.
I am sending (through my attacker machine) a crafted packet of IPv4 in
IPv6 packet while spoofing the IP address of the B4 router
(2001:db8:0:1::2).
The target is AFTR ens34...
Re: Snort3: segfault after "Inspector found in the trash is still use"
Yehor Velykozhon via Snort-devel (Jan 18)
Hello, Meridoff!
Can you still provide core dump and binary (not stripped will be the best)?
In order to share it, you can upload them to the GoogleDisk (or any other cloud storage) and send a link.
As I can see, previously was proposed to use snort with sanitizers, has it given you any additional information?
Also, what OS you use? Information about the version and process architecture can help as well.
Thanks, Yehor.
From: Snort-devel...
Snort Subscriber Rules Update 2022-01-13
Research (Jan 13)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
Talos has added and modified multiple rules in the malware-cnc,
server-mysql and server-webapp rule sets to provide coverage for
emerging threats from these technologies.
For a complete list of new and modified rules please see:
https://www.snort.org/advisories
Snort Subscriber Rules Update 2022-01-11
Research (Jan 11)
Talos Snort Subscriber Rules Update
Synopsis:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.
Details:
Microsoft Vulnerability CVE-2022-21881:
A coding deficiency exists in Microsoft Windows Kernel that may lead to
elevation of privilege.
Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 58866 through 58867.
Microsoft Vulnerability...
Re: Returned Errors for CISA Snort Rules
John W. Blue via Snort-sigs (Jan 11)
Insights? That is SOP for CISA right there.
"We recommend that you should do this *but* if it does not work it is up to you to figure out how we screwed up."
You should see the amazing dysfunction of CISA trying to explain how to fill out/answer a data call for any recently
released BOD. It happens.every.single.time.
John
-----Original Message-----
From: Snort-sigs [mailto:snort-sigs-bounces () lists snort org] On Behalf Of chris...
Returned Errors for CISA Snort Rules
chris (Jan 10)
Hello,
I've been trying to implement Snort rules provided by the CISA but I'm
receiving errors when the classtype field contains the value "http-uri"
or "http-header" (examples provided below). These are not default Snort
classtypes. Can someone provide some insight on how to either define
these classtypes OR provide a good alternative classtype?
Thanks in advance for any insight you can provide!
Best,
Chris...
Snort Subscriber Rules Update 2022-01-06
Research (Jan 06)
Talos Snort Subscriber Rules Update
Synopsis:
This release adds and modifies rules in several categories.
Details:
References to CVE 2021-44832 have been added to all existing log4j
rules for ease of reference for users. Coverage was not updated as
there was no need.
Talos has added and modified multiple rules in the file-multimedia,
indicator-compromise, malware-cnc, malware-other, policy-other,
protocol-other and server-webapp rule sets to...
We also maintain archives for these lists (some are currently inactive):
Read some old-school private security digests such as Zardoz at SecurityDigest.Org
We're always looking for great network security related lists to archive. To suggest one, mail Fyodor.