#copyfail
-
@rootwyrm @cR0w @da_667 @reverseics its amusing that "firewall appliances" are going to have more surfaces exposed to exploit this thing than linux boxes
@Viss @rootwyrm @cR0w @da_667 @reverseics
*what*? perimeter and middleware boxen as platforms to exploite? surely not. they are *security* devices, so they must be more secure!
*choke* *gasp* *cough*
ok. couldn't get that all out with a straight face...
-
right now, every single remote code vuln that will lead to command injection or rce will make this #copyfail thing a very very big deal.
so all those qa servers and staging servers and test boxes you think nobody gives a shit about that are just flapping out there in the public, not being logged, not in the siem, not getting alerted on, not getting patched?
all those are gonna catch the "oops attackers overwrote sshd to steal creds" disease.
or cryptominers. or proxies.
@Viss just think of all the WordPress sites with RCE there where pretty useless up until now.
-
this is why ive been on a tear about architectural defensive measures, and adversarial defensive measures.
because when you build shit from the ground up to be defensively positioned at the architecture layer, this shit is way harder to exploit - purely because its way less accessible.
every k8s cluster out there right now with alpine linux rocking kernel 6.7 or whatever is kindling for this thing.
@Viss or be ready for supply chain exploits doing this to dependencies or typosquats. Then pushing that into containers. That’s the path I’m concerned about
-
@Viss or be ready for supply chain exploits doing this to dependencies or typosquats. Then pushing that into containers. That’s the path I’m concerned about
@onyxraven there are so many angles on this thing
-
@Viss just think of all the WordPress sites with RCE there where pretty useless up until now.
@bhhaskin yeah now you can shell the host its on, theeeeeeeen its a party
-
@Viss @rootwyrm @cR0w @da_667 @reverseics
*what*? perimeter and middleware boxen as platforms to exploite? surely not. they are *security* devices, so they must be more secure!
*choke* *gasp* *cough*
ok. couldn't get that all out with a straight face...
@paul_ipv6 @rootwyrm @cR0w @da_667 @reverseics i am eager to see godaddy catch fire sometime in the near future
-
this fixed it for me:
cat >/etc/modprobe.d/disable-algif-aead.conf <<'EOF'
install algif_aead /bin/false
blacklist algif_aead
EOFdepmod -a
rmmod algif_aead
i tested with this: https://github.com/rootsecdev/cve_2026_31431
@Viss you don’t need to depmod
-
@bhhaskin yeah now you can shell the host its on, theeeeeeeen its a party
@Viss I am betting some state sponsored agencies are not very happy tonight. Same with sys admins and IT departments everywhere lol
-
@Viss I am betting some state sponsored agencies are not very happy tonight. Same with sys admins and IT departments everywhere lol
@bhhaskin oh im 100% sure theres some absolute shithouse madness going on behind the scenes somewhere.
theres probably also a teeeeenyy tiny subset of folks whove been sitting on this bug for ten years who are now super fuckin pissed its burned
and if any of them can see this, my condolences and hat tip me somewhere incase vault7 ever happens again. nerds love it when they get quiet shoutouts like that.
-
@bhhaskin oh im 100% sure theres some absolute shithouse madness going on behind the scenes somewhere.
theres probably also a teeeeenyy tiny subset of folks whove been sitting on this bug for ten years who are now super fuckin pissed its burned
and if any of them can see this, my condolences and hat tip me somewhere incase vault7 ever happens again. nerds love it when they get quiet shoutouts like that.
@Viss what do you think, about a billion dollars in OT tonight?
(Just kidding, IT doesn't get OT)
-
@Viss what do you think, about a billion dollars in OT tonight?
(Just kidding, IT doesn't get OT)
@bhhaskin ot may have shit so old it predates this bug, but also most ot is weird custom bullshit and not the linux kernel, which is largely already a massive problem for ot
-
right now, every single remote code vuln that will lead to command injection or rce will make this #copyfail thing a very very big deal.
so all those qa servers and staging servers and test boxes you think nobody gives a shit about that are just flapping out there in the public, not being logged, not in the siem, not getting alerted on, not getting patched?
all those are gonna catch the "oops attackers overwrote sshd to steal creds" disease.
or cryptominers. or proxies.
@Viss
So you mean that Internet-facing Debian 8 box they refuse to turn off is fucked? -
@Viss
So you mean that Internet-facing Debian 8 box they refuse to turn off is fucked?@FritzAdalis if theres a way to inject a command or run code, yep
-
just to chime in on the copyfail thing, while, yes, it is a very big deal, the prerequisite is that you have a shell on the box you wish to exploit.
so keep that in mind when doing risk register stuff.
attackers will aim for shit like jumpboxes, shared hosting environments, multi-tennancy environments, and places they can get a shell, then move laterally to get you.
shops doing yolo devops are gonna get targeted, and I wouldnt be surprised to see openclaw malicious skills too
@Viss yip, thats pretty much the summary I shit out this morning for the folx that will have to talk to management - patch is a must but due to our environments nature this isnt a "all hands on deck" thing, especially as most of the distros we use havent pushed versions yet afaik
-
@Viss yip, thats pretty much the summary I shit out this morning for the folx that will have to talk to management - patch is a must but due to our environments nature this isnt a "all hands on deck" thing, especially as most of the distros we use havent pushed versions yet afaik
@nyanbinary its like our brains are touching again
-
R relay@relay.infosec.exchange shared this topic
