There’s a fun buffer overflow problem in the Glibc __vsyslog_internal() function. This one’s a real rollercoaster, because logging vulnerabilities are always scary, but at a first look, it seems nearly impossible to exploit. The vulnerability relies on a very long program name, which can overflow an internal buffer. No binaries are going to have a name longer than 1024 bytes, so there’s no problem, right?

Let’s talk about argv. That’s the list of arguments that gets passed into the main() function of every Linux binary when it launches. The first string in that list is the binary name — except that’s a convention, and not particularly enforced anywhere. What really happens is that the execve() system call sets that list of strings. The first argument can be anything, making this an attacker-controlled value. And it doesn’t matter what the program is trying to write to the log, because the vulnerability triggers simply by writing the process name to a buffer.

There is a one-liner to test for a vulnerable Glibc:

exec -a "`printf '%0128000x' 1`" /usr/bin/su < /dev/null

and the Qualys write-up indicates that it can be used for an escalation of privilege attack. The good news is this seems to be a local-only attack. And on top of that, a pair of other lesser severity issues were found and fixed in glibc while fixing this one.

48 Hours to Rip and Repave

We’ve briefly covered the vulnerabilities in Ivanti Connect Secure/Policy Secure devices, but it seems we’ve failed to properly grasp the severity of this threat, given the latest Emergency Directive from CISA. Issued January 31st, it gives all of 48 hours for every US government network to yank the power cord from these devices. This is significant, as we’ve seen plenty of directives to install updates or mitigations, but this may be the first directive that includes full removal.

And then the instructions for getting a device back into service are fairly extreme, too. Complete factory reset, revoke all the certificates associated with the machine, and generally assume that your box has been completely owned. It seems like CISA knows something that maybe we don’t, and it’s not great news for Ivanti users. Do note that this even applies to devices that have had the XML mitigation applied. Yikes.

Jenkins

The Jenkins automation server just fixed a pair of vulnerabilities, both of which have the potential to be pretty bad. Up first is a data leak, where a the parseArgument function will interpret an “@” symbol to mean expanding a file location into a series of arguments. It works out to provide a file read primitive, which can be accessed by any users with read permissions.

There’s also a cross-site scripting problem with the websockets Command Line Interface functionality. Some of the normal protections against XSS problems aren’t applied to websockets connections, so a malicious link can trigger CLI actions when clicked by an authenticated user.

Both of these issues were fixed in 2.442 released on the 24th, but the file read issue now has Proof of Concept code out in the wild. It’s likely not long until those are used in attacks, if it hasn’t happened already.

This vulnerability in #Jenkins is serious CVE-2024-23897

POCs have been published https://t.co/nGtbf8fehdhttps://t.co/pzY0NSL5bA

report by @SonarSource https://t.co/VNAUg2PDN8 pic.twitter.com/vbiWGmj47M

— Florian Roth (@cyb3rops) January 26, 2024

Leaky Vessels

Researchers at Snyk have identified a quartet of vulnerabilities that threaten the sandboxing guarantees of modern containers. There’s one that is in the runc binary itself, where a host file descriptor can be leaked into the container process, exposing the entire host filesystem. This means a docker run or docker build command could have access to the outside system. The other three issues are specific to Docker Buildkit, and also allow system access of varying degrees.

There aren’t any signs of active exploitation, and the runc program has been updated. Snyk has also released a pair of tools to look for Docker images attempting to exploit these issues.

Bits and Bytes

It’s another chess hack, but thankfully this time there’s no buzzers in shoes or other places, this is an XSS of chess.com. This one is a throwback to the original Myspace worm — gaining friends automatically on pageview. The next step was actually running JS on pageview and getting cookie data out. Check and mate.

The FBI hit the killswitch on a few hundred compromised Cisco and Netgear routers in December. These are Internet-connected devices that are either end-of-lifed or simply unpatched, and have been compromised and made part of a botnet. The most fascinating bit is that the disinfecting process included adding a mitigation to prevent reinfection, but one that only lasts til the next reboot. Maybe next time we can get the FBI to upgrade those hacked routers to OpenWRT instead.

The Fortra GoAnywhere Managed File Transfer solution has joined the ranks of the critically vulnerable, as versions 6 and 7 of this software allow unauthorized users to create administrator users via an authentication bypass. The fix landed in 7.4.1, and this is the sort of juicy vulnerability that ransomware groups just love to take advantage of.

And this is your reminder that not every reported data breach is real, and not every online fake is the result of AI. Europcar.com was reported to have lost records for fifty million customers, with the database being offered in the usual places. Except the data didn’t make any sense, with plenty of those users apparently living in imaginary cities. The explanation quickly came out, that it was obviously ChatGPT-generated data — which is apparently now describes any faked data, as this has no signs of actually being produced by a Large Language Model. Ah well.