#copyfail
-
@rootwyrm im sure youre right, and that there will be edge cases where some one-off webhosted thinger or weirdo node app bullshit or custom binary doodad will have some path to trigger this thing - but the most commonly exploited scenario based on what ive seen the last few years in consulting land is gonna be shops with very lax security, shared accounts, injectable automated processing, ci/cd pipelines, and llm craps
@rootwyrm the nation states are 100% gonna go for those edge cases tho. and its gonna hit shit like fortinets and ciscos and panw and ... hey @cR0w and @da_667 and @reverseics get in here, we're back to ../ again!
-
@rootwyrm the nation states are 100% gonna go for those edge cases tho. and its gonna hit shit like fortinets and ciscos and panw and ... hey @cR0w and @da_667 and @reverseics get in here, we're back to ../ again!
@Viss @cR0w @da_667 @reverseics well yeah, I thought that was kinda obvious when I said basically anything that uses the crypto API could be exploited and www:www still has access to ../../../bin/bash
-
@Viss @cR0w @da_667 @reverseics well yeah, I thought that was kinda obvious when I said basically anything that uses the crypto API could be exploited and www:www still has access to ../../../bin/bash
@rootwyrm @cR0w @da_667 @reverseics its amusing that "firewall appliances" are going to have more surfaces exposed to exploit this thing than linux boxes
-
@rootwyrm @cR0w @da_667 @reverseics its amusing that "firewall appliances" are going to have more surfaces exposed to exploit this thing than linux boxes
@Viss @rootwyrm @da_667 @reverseics you think it's funny? joker quote
-
@Viss @rootwyrm @da_667 @reverseics you think it's funny? joker quote
-
@Viss @cR0w @rootwyrm @reverseics and I'm tired of pretending its not
-
@rootwyrm @cR0w @da_667 @reverseics its amusing that "firewall appliances" are going to have more surfaces exposed to exploit this thing than linux boxes
@Viss @rootwyrm @cR0w @da_667 @reverseics
*what*? perimeter and middleware boxen as platforms to exploite? surely not. they are *security* devices, so they must be more secure!
*choke* *gasp* *cough*
ok. couldn't get that all out with a straight face...
-
right now, every single remote code vuln that will lead to command injection or rce will make this #copyfail thing a very very big deal.
so all those qa servers and staging servers and test boxes you think nobody gives a shit about that are just flapping out there in the public, not being logged, not in the siem, not getting alerted on, not getting patched?
all those are gonna catch the "oops attackers overwrote sshd to steal creds" disease.
or cryptominers. or proxies.
@Viss just think of all the WordPress sites with RCE there where pretty useless up until now.
-
this is why ive been on a tear about architectural defensive measures, and adversarial defensive measures.
because when you build shit from the ground up to be defensively positioned at the architecture layer, this shit is way harder to exploit - purely because its way less accessible.
every k8s cluster out there right now with alpine linux rocking kernel 6.7 or whatever is kindling for this thing.
@Viss or be ready for supply chain exploits doing this to dependencies or typosquats. Then pushing that into containers. That’s the path I’m concerned about
-
@Viss or be ready for supply chain exploits doing this to dependencies or typosquats. Then pushing that into containers. That’s the path I’m concerned about
@onyxraven there are so many angles on this thing
-
@Viss just think of all the WordPress sites with RCE there where pretty useless up until now.
@bhhaskin yeah now you can shell the host its on, theeeeeeeen its a party
-
@Viss @rootwyrm @cR0w @da_667 @reverseics
*what*? perimeter and middleware boxen as platforms to exploite? surely not. they are *security* devices, so they must be more secure!
*choke* *gasp* *cough*
ok. couldn't get that all out with a straight face...
@paul_ipv6 @rootwyrm @cR0w @da_667 @reverseics i am eager to see godaddy catch fire sometime in the near future
-
this fixed it for me:
cat >/etc/modprobe.d/disable-algif-aead.conf <<'EOF'
install algif_aead /bin/false
blacklist algif_aead
EOFdepmod -a
rmmod algif_aead
i tested with this: https://github.com/rootsecdev/cve_2026_31431
@Viss you don’t need to depmod
-
@bhhaskin yeah now you can shell the host its on, theeeeeeeen its a party
@Viss I am betting some state sponsored agencies are not very happy tonight. Same with sys admins and IT departments everywhere lol
-
@Viss I am betting some state sponsored agencies are not very happy tonight. Same with sys admins and IT departments everywhere lol
@bhhaskin oh im 100% sure theres some absolute shithouse madness going on behind the scenes somewhere.
theres probably also a teeeeenyy tiny subset of folks whove been sitting on this bug for ten years who are now super fuckin pissed its burned
and if any of them can see this, my condolences and hat tip me somewhere incase vault7 ever happens again. nerds love it when they get quiet shoutouts like that.
-
@bhhaskin oh im 100% sure theres some absolute shithouse madness going on behind the scenes somewhere.
theres probably also a teeeeenyy tiny subset of folks whove been sitting on this bug for ten years who are now super fuckin pissed its burned
and if any of them can see this, my condolences and hat tip me somewhere incase vault7 ever happens again. nerds love it when they get quiet shoutouts like that.
@Viss what do you think, about a billion dollars in OT tonight?
(Just kidding, IT doesn't get OT)
-
@Viss what do you think, about a billion dollars in OT tonight?
(Just kidding, IT doesn't get OT)
@bhhaskin ot may have shit so old it predates this bug, but also most ot is weird custom bullshit and not the linux kernel, which is largely already a massive problem for ot
-
right now, every single remote code vuln that will lead to command injection or rce will make this #copyfail thing a very very big deal.
so all those qa servers and staging servers and test boxes you think nobody gives a shit about that are just flapping out there in the public, not being logged, not in the siem, not getting alerted on, not getting patched?
all those are gonna catch the "oops attackers overwrote sshd to steal creds" disease.
or cryptominers. or proxies.
@Viss
So you mean that Internet-facing Debian 8 box they refuse to turn off is fucked? -
@Viss
So you mean that Internet-facing Debian 8 box they refuse to turn off is fucked?@FritzAdalis if theres a way to inject a command or run code, yep
-
just to chime in on the copyfail thing, while, yes, it is a very big deal, the prerequisite is that you have a shell on the box you wish to exploit.
so keep that in mind when doing risk register stuff.
attackers will aim for shit like jumpboxes, shared hosting environments, multi-tennancy environments, and places they can get a shell, then move laterally to get you.
shops doing yolo devops are gonna get targeted, and I wouldnt be surprised to see openclaw malicious skills too
@Viss yip, thats pretty much the summary I shit out this morning for the folx that will have to talk to management - patch is a must but due to our environments nature this isnt a "all hands on deck" thing, especially as most of the distros we use havent pushed versions yet afaik
