For anyone considering "Skip this update" due to ITerm2's silly AI thing - NOT updating means missing patches for this fun bag of exploits: https://vin01.github.io/piptagole/escape-sequences/iterm2/hyper/url-handlers/code-execution/2024/05/21/arbitrary-url-schemes-terminal-emulators.html
Maybe time for a new terminal?
📺 💡 Tune in tomorrow for a special episode of runZero Hour with myself, @lorddimwit , and @blainsmith
We're unpacking the findings from our inaugural Research Report. See what our analysis of millions of assets revealed about the state of asset security. Register here: https://runzero.zoom.us/webinar/register/WN_298GtwnOSj-iJ-4YDw3dVA#/registration
Don't like webcasts? You can find the full research report at: https://www.runzero.com/research-report/
Finding zero-day is great and all, but I really love finding bugs that were silently patched. Less disclosure work and often just as much impact.
PS. Using Ruckus Wireless APs? _Definitely_ apply the latest firmware (5.2.1 or newer).
>Dear Customer. Please sign up to attend our "RSA FOMO Party".
>Thank you for your interest in the RSAC 2024 FOMO Party. Unfortunately, due to high interest, we have reached capacity and will not be able to accept any more registrations. We hope to see you at a future event.
I mean, that's one way to drive FOMO. Thanks vendor!
runZero's first research report is live! https://www.businesswire.com/news/home/20240507167076/en/runZero-Research-Explores-Unexpected-Exposures-in-Enterprise-Infrastructure
In San Francisco this week? Swing by at 10:30am tomorrow for a live presentation on the report and our findings: https://www.runzero.com/runzero-research-report-launch/
A RSA conference story in three photos.
runZero.com (@runZeroInc) is hiring software engineers who love Go! These roles are 100% remote but require residence in the mainland US and a green card or citizenship https://www.runzero.com/about/careers/
Apply through the web site to get started and feel free to DM with any questions.
Wondering what we do? Grab a free trial and a community edition license for your homelab at https://www.runzero.com/try/
Looking for something to do in ~90 minutes over a meal? Drop by for the @runZeroInc Hour webcast today with me, @lorddimwit, and @blainsmith.
We're chatting about remote detection of the xz-utils affected SSH binaries, our upcoming research report, the Palo Alto Networks RCE and surprise #golang zero-day in gorilla/sessions, Binarly's epic lighttpd vulnerability and supply chain research, and much more!
https://runzero.zoom.us/webinar/register/1217102670048/WN_4Po_Qnx4S1Og3Plm9KyiZA#/registration
The #golang `gorilla/sessions` directory traversal and file (over)write is now being tracked as GO-2024-2730: https://go-review.googlesource.com/c/vulndb/+/579655
This issue was (co)-discovered as part of watchTowr's analysis of the Palo Alto Networks RCE (#CVE_2024_3400), but is entirely separate, and affects a wide range of Go-based web services.
https://github.com/golang/vulndb/issues/2730
If you use gorilla/sessions with the FilesystemStore, please switch to the CookieStore instead until a patch is available.
Huh. So the Gorilla project went into archive-only mode in 2022. The gorilla/sessions project opened an issue asking for a new maintainer, this issue was closed as "stale", and a final comment was added indicating that the project is archived: https://github.com/gorilla/sessions/issues/250
The Gorilla project website, however, states that as of July 2023, a new maintainer has been identified, and the gorilla/mux project is seeing recent commits, so hopefully the same maintainers are also managing gorilla/sessions. The gorilla/sessions CI automation is failing with a bad credential and it looks like the sessions project specifically hasn't seen much love lately. #golang #vulnerability
Looks like quite a few projects are using session.FilesystemStore: https://github.com/search?q=sessions.NewFilesystemStore+language%3Ago+&type=code