nkukard

joined 1 year ago
MODERATOR OF
 

Take note of the quote in the article...


OP/bug finder here with some clarifying information. It's a common misconception that this issue can only be abused if you use HTTP boot. That is not the case at all, otherwise it wouldn't be Critical. This bug can be abused locally (privileged malware can overwrite the EFI partition), from an adjacent network if PXE boot is enabled (w/ MiTM), or remotely if HTTP boot is used (w/ MiTM).

More details on these scenarios:

  1. A remote attacker with no privileges in a man-in-the-middle (MitM) position could leverage the issue against a victim machine that uses HTTP boot. No direct access to the victim machine is required.

  2. A remote attacker with privileges and code execution on the victim machine could leverage the issue to bypass Secure Boot, even if the victim does not already use HTTP boot (as long as firmware has HTTP support). How? Several ways:

  • An attacker can edit the boot order variable to specify a controlled attacker server.

  • An attacker can chain shim->GRUB2->shim (via HTTP). For this technique, an attacker would overwrite the boot loader in the EFI partition to a legitimate shim and GRUB2 image. The attacker would create a grub.cfg that chainloads a new shim via HTTP. This is possible because GRUB2's device syntax allows you to specify any supported device, including HTTP (if available).

  1. An adjacent attacker with no privileges in a man-in-the-middle (MitM) position could leverage the issue against a victim machine that uses PXE boot. PXE is separate from HTTP boot, but similar to the local vector, an attacker can chain together shim (via PXE)->GRUB2 (via PXE)->shim (via HTTP).
 

cross-posted from: https://floss.social/users/kde/statuses/111732458987994100

Plasma 6 Release Candidate 1 has landed.

We are less than 50 days away from the final version of #Plasma6.

Along with Frameworks 6 and KDE Gear 24.02, the Megarelaease on the 28th of February will be one of the biggest and more complex upgrades in KDE's history.

One more RC will be released on the 31st of January and then it will be (hopefully) clear sailing until the final release.

https://kde.org/announcements/megarelease/6/rc1/

@[email protected]

[–] [email protected] 2 points 10 months ago (1 children)

Thanks for the reminder, somehow I missed adding the point to my todo list :/

[–] [email protected] 3 points 11 months ago (3 children)
 

"Curl 8.4.0 will hit at around 0600 UTC (0800 CEST, 0700 BST, 0200 EST, 2300 PDT) on October 11 and deal with CVE-2023-38545, which affects both libcurl and the curl tool, and CVE-2023-38546, which only affects libcurl...."

[–] [email protected] 1 points 1 year ago (1 children)

Has anyone tried the POC's for this on their systems? Just curious as to your success rate. I've been running 3 slightly difference POC's for the past 4 days and I'm still yet to drop to root on any of the 3 systems I'm trying on.

 

"Remote code execution requiring no authentication fixed. 2 other RCEs remain unpatched...."

 

"On September 28, 2023, the Snap Store team was notified of a potential security incident. A number of snap users reported several recently published and potentially malicious snaps...."

[–] [email protected] 1 points 1 year ago

No prob, you're right though as soon as a member subscribes to another community, it should show up in the "All" list.