#Unauthenticated

2024-11-20

#DLink says replace #vulnerable #routers or risk #pwnage -Register

Owners of older models of DLink #VPN routers are being told to retire & replace their devices following disclosure of a serious #RCE #vulnerability.

#Unauthenticated RCE issues are essentially as bad as #vulnerabilities get, & D-Link warned that if customers continued to use the affected products, the devices connected to them would also be put at risk.
#security

theregister.com/2024/11/20/dli

@infosec_jcp 🐈🃏 done differently (infosec_jcp@infosec.exchange)
2023-07-01

@igb

Defo turning away the #OpenWeb unlike here. ¯\_(ツ)_/¯

#unauthenticated is #Welcome on the #fediverse #OpenSocialMedia #news frenly ⟵(o_O)

2023-01-13

Vulnerability with 9.8 severity in Control Web Panel is under active exploit

Malicious #hackers have begun exploiting a critical #vulnerability in unpatched versions of the #ControlWebPanel, a widely used interface for web hosting.

“This is an #unauthenticated #RCE,” members of the #Shadowserver group wrote.

arstechnica.com/?p=1909755

irreticent (irreticent)
2022-03-15

Attackers Create Terabytes of DDoS Attack Data Using a Single Packet

CVE-2022-26143: TP240PhoneHome reflection/amplification DDoS attack vector

blog.cloudflare.com/cve-2022-2

perfect 🐰 forever (kaniini@pleroma.site)
2019-01-18
@Trysdyn @KitRedgrave @maple

To expand on what I mean for the people who do not read my posts on a regular basis (they probably have me personally blocked, but whatever), here is what is happening:

1. A user on computerfairi.es posts a post.

2. Somebody who follows that user and is followed by a user on blockedinstance.social makes a reply or boosts the post.

3. The user on blockedinstance.social gets a copy of that interaction because it was addressed to as:Public.

4. blockedinstance.social reconstructs the thread, fetching missing objects in it.

5. Because there is no authentication requirement for fetching objects (or any other passive AP activity), blockedinstance.social now has a copy of your object.

Unfortunately, at present, this means that the best mitigation is to firewall any instance you block that you also do not want to be able to receive posts from you. It is unfortunate that this is the present situation for quite a few reasons (the topological knowledge learned from requiring authentication on fetches would be very helpful for distributing Deletes for example), but it is not a defect in Pleroma or any other ActivityPub software. Instead, it is a defect in ActivityPub itself: since there is no authentication requirement, there is no support for authenticated fetches in any of the implementations.

While it may be disturbing to see, Pleroma is just showing you that ActivityPub is leaking your data all over the fediverse and sending it to instances you don't want it on. Blame the protocol, not the messenger.

Hopefully that clarifies what is going on. You can read also my blog post about this particular issue: https://blog.dereferenced.org/activitypub-the-present-state-or-why-saving-the-worse-is-better-virus-is#unauthenticated-object-fetching

It would be nice in the future if people did not make bad faith assumptions about why things are the way they are and instead reached out and actually asked about it. We are committed to improving the security posture of the fediverse.
perfect 🐰 forever (kaniini@pleroma.site)
2019-01-18

i was linked to this post and feel the need to write about it directly.

https://computerfairi.es/users/maple/statuses/101436332290985254

the defect is not in Pleroma, nor is Pleroma doing anything to respect or disrespect blocks placed against it: the enforcement of blocks in an ActivityPub implementation is controlled by the server which initiated the block.

unfortunately, ActivityPub has major security flaws, such as not requiring authentication to fetch objects from remote servers.

when combined with the thread reconstruction features of fediverse software, this allows for instances that you have blocked to gain copies of objects that exist on your instance.

both Mastodon and Pleroma have thread reconstruction features and have the same behavior in this regard.

the only difference is that Pleroma has publicly visible shared timelines and Mastodon requires you to use a third-party viewer, but the posts are there on both.

if you want to blame something for this design fault, i suggest blaming the W3C for ratifying a specification where security is non-normative. when security is non-normative and non-specified, it should be nobody’s surprise that objects get leaked to servers you don’t want them leaking to.
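The five-step leak in the first post above, and the thread-reconstruction behaviour the second post describes, as an added toy model that is not Pleroma's or Mastodon's code: three instances, a public post, a reply that reaches a blocked instance, and the blocked instance walking `inReplyTo`. The domains, object ids, and the `require_auth` switch (a hypothetical authenticated-fetch mode, which the posts say ActivityPub lacks) are constructed for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse
PUBLIC = "https://www.w3.org/ns/activitystreams#Public"  # the as:Public address

@dataclass
class Instance:
    domain: str                                   # constructed domains below
    objects: dict = field(default_factory=dict)   # object id -> AP object
    blocked: set = field(default_factory=set)     # domains this instance blocks
    require_auth: bool = False                    # hypothetical authenticated-fetch switch

    def post(self, n, content, in_reply_to=None):
        oid = f"https://{self.domain}/objects/{n}"
        self.objects[oid] = {"id": oid, "content": content,
                             "inReplyTo": in_reply_to, "to": [PUBLIC]}
        return self.objects[oid]

    def serve(self, oid, signer=None):
        """GET of a local object; signer = domain proven by an HTTP signature."""
        if self.require_auth and signer is None:      # unsigned is all AP requires today
            raise PermissionError("401 signature required")
        if self.require_auth and signer in self.blocked:
            raise PermissionError("403 blocked")
        return self.objects[oid]

def reconstruct_thread(fetcher, obj, instances, signed):
    """Step 4: walk inReplyTo and fetch every ancestor the fetcher lacks."""
    fetched = []
    while obj["inReplyTo"] and obj["inReplyTo"] not in fetcher.objects:
        pid = obj["inReplyTo"]
        origin = instances[urlparse(pid).hostname]
        try:
            obj = origin.serve(pid, signer=fetcher.domain if signed else None)
        except PermissionError:
            break                                 # origin refused; stop walking
        fetcher.objects[pid] = obj
        fetched.append(pid)
    return fetched

def leak_demo(require_auth):
    """True if the blocked instance ends up holding the original post."""
    origin = Instance("origin.example", require_auth=require_auth)
    relay, blocked = Instance("relay.example"), Instance("blocked.example")
    origin.blocked.add(blocked.domain)
    instances = {i.domain: i for i in (origin, relay, blocked)}
    root = origin.post(1, "hello")                      # step 1
    reply = relay.post(7, "re: hello", root["id"])      # step 2
    blocked.objects[reply["id"]] = reply                # step 3: delivered as:Public
    # steps 4-5; in this toy the fetcher signs only when the origin demands it
    reconstruct_thread(blocked, reply, instances, signed=require_auth)
    return root["id"] in blocked.objects
```

With `require_auth=False` the origin cannot tell who is asking and the blocked instance obtains the post; with the switch on, the origin can apply its block list to the signed fetch and refuse.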

2018-10-01

Creep ran #Mac #malware for 14 years scanning #vulnerable machines with exposed #unauthenticated/weakly secured #RDP type ports. Appeared to be primarily for collecting images of underage children even though there was potential for $$ theft with a #keylogger. #infosec #privacy
apple.slashdot.org/story/18/09
