Bay 12 Games Forum

Please login or register.

Login with username, password and session length
Advanced search  
Pages: [1] 2 3 4

Author Topic: Update ALL THE THINGS. [WPA2 Vulnerability] [Infosec Thread]  (Read 5544 times)

TheBiggerFish

  • Bay Watcher
  • Somewhere around here.
    • View Profile
Update ALL THE THINGS. [WPA2 Vulnerability] [Infosec Thread]
« on: February 24, 2017, 01:35:01 am »

Hi guys.

So after finding out that a wide variety of websites may have been compromised by a bug in Cloudflare's services, and realizing there's no infosec thread, here we are.

https://www.reddit.com/r/sysadmin/comments/5vu3yn/cloudbleed_seceurity_bug_cloudflare_reverse/
https://news.ycombinator.com/item?id=13718752
« Last Edit: October 25, 2017, 02:32:46 pm by TheBiggerFish »
Logged
Sigtext

It has been determined that Trump is an average unladen swallow travelling northbound at his maximum sustainable speed of -3 Obama-cubits per second in the middle of a class 3 hurricane.

nenjin

  • Bay Watcher
  • Inscrubtable Exhortations of the Soul
    • View Profile
Re: Cloudbleed Bug [Infosec Thread]
« Reply #1 on: February 24, 2017, 02:12:08 am »

Their wikipedia page makes them sound questionable at best, shady at worst. Which sites exactly do they provide services for?
Logged
Cautivo del Milagro seamos, Penitente.
Quote from: Viktor Frankl
When we are no longer able to change a situation, we are challenged to change ourselves.
Quote from: Sindain
Its kinda silly to complain that a friendly NPC isn't a well designed boss fight.
Quote from: Eric Blank
How will I cheese now assholes?
Quote from: MrRoboto75
Always spaghetti, never forghetti

quinnr

  • Bay Watcher
    • View Profile
Re: Cloudbleed Bug [Infosec Thread]
« Reply #2 on: February 24, 2017, 02:13:46 am »

Their wikipedia page makes them sound questionable at best, shady at worst. Which sites exactly do they provide services for?

I don't know exactly, but I've seen them regularly for sites that have been DDoSed before, especially.
Logged
To exist or not exist, that is the query. For whether it is more optimal of the CPU to endure the viruses and spam of outragous fortune, or to something something something.

Flying Dice

  • Bay Watcher
  • inveterate shitposter
    • View Profile
Re: Cloudbleed Bug [Infosec Thread]
« Reply #3 on: February 24, 2017, 07:56:14 am »

Note that in addition to that list, the admins over at SV are warning people to change their passwords as they use Cloudflare, though they don't believe that user data was compromised at this time.
Logged


Aurora on small monitors:
1. Game Parameters -> Reduced Height Windows.
2. Lock taskbar to the right side of your desktop.
3. Run Resize Enable

palsch

  • Bay Watcher
    • View Profile
Re: Cloudbleed Bug [Infosec Thread]
« Reply #4 on: February 24, 2017, 08:13:06 am »

CloudFlare is huge and until now widely trusted.

That they had a service that served as an effective MITM for SSL connections is a sign of how trusted and valued the service was.

Knowing what was and wasn't compromised isn't easy here. The data was randomly scattered and stored in caches. Google have worked to clean theirs but there is a gift/video on Reddit of someone finding a request in the source of an cached page on another search engine. Thousands of requests and other data could be scattered through caches both public and private, and knowing what is included is likely impossible even for CloudFlare.

Realistically it should only be sites that use their reverse proxy service, but there could be some leaks beyond that if there was data on the edge servers relating to other services. For those sites using the reverse proxy service, anything ever passed between the site and user could be compromised unless encrypted separately to the connection/session SSL.
Logged

Loud Whispers

  • Bay Watcher
  • They said we have to aim higher, so we dug deeper.
    • View Profile
    • I APPLAUD YOU SIRRAH
Re: Cloudbleed Bug [Infosec Thread]
« Reply #5 on: February 24, 2017, 11:21:32 am »

ptw

Baffler

  • Bay Watcher
  • Caveat Lector.
    • View Profile
Re: Cloudbleed Bug [Infosec Thread]
« Reply #6 on: February 24, 2017, 01:21:29 pm »

4chan, patreon, yelp, and uber are the big ones I see. Patreon and uber especially will probably make a lot of people very angry, since they handle money.
Logged
Quote from: Helgoland
Even if you found a suitable opening, I doubt it would prove all too satisfying. And it might leave some nasty wounds, depending on the moral high ground's geology.
Location subject to periodic change.
Baffler likes silver, walnut trees, the color green, tanzanite, and dogs for their loyalty. When possible he prefers to consume beef, iced tea, and cornbread. He absolutely detests ticks.

palsch

  • Bay Watcher
    • View Profile
Re: Cloudbleed Bug [Infosec Thread]
« Reply #7 on: February 24, 2017, 01:57:14 pm »

The worst thing here is we can't really know the true scope unless CloudFlare have really good forensics, and their reaction seems to be downplaying the effects compared to the known impact from the Google report.

They have been sending emails to sites which use them claiming that only 150 sites had information revealed. That is based on working with third party caches (Google and similar). Basically searching the caches for inadvertently leaked details and removing them. IMO this is not enough. For sure those sites were compromised but, based on the approach described, they can't have the confidence to say that other sites weren't compromised as they do in the email.

It is assuming that leaked details don't appear in private caches or public caches that weren't included in their original searches. There are any number of webcrawlers and cache services that may still be retaining details from sites not included in their 150. At worst the bug may have been discovered and exploited by hammering one of the vulnerable sites to retrieve random memory in a heartbleed style attack. Unless CloudFlare have a way to search logs to prove that no such attacks happened, and exhaustively review all leaks that did happen, we can't know the actual scope of the issue. They may have that, but I haven't see the question answered yet.

As of just now I have been able to recover a GET request for what appears to be an Indonesian adult video streaming site (fortunately waited till I was home to give this a go rather than exploring on my work PC). This was from a public cache which was earlier used for a public proof of concept and I have seen reported as cleared elsewhere (one of the ones working with the team). In this case it seems to be a record of a visit by the same webcrawler that created the cache (based off of user agent and other fields), but does show that potentially sensitive (or at least amusingly compromising) information may still be public. From other chatter it looks like major caches are slowly being purged, but people who got in early were still able to pull information from Google as it took longest to clean. And my example suggests the cleaning might not be 100% everywhere even now.


EDIT: Also worth mentioning, it would be trivial for an organisation that held a substantial cache to keep a private copy while purging the public one. Unless CloudFlare are more forthcoming you have to assume that any traffic with sites that use their reverse proxy service has been compromised, including https. Encryption on top of https (as with 1password) would still be safe, but that needs confirmation on a site-by-site basis.
« Last Edit: February 24, 2017, 02:05:30 pm by palsch »
Logged

TheBiggerFish

  • Bay Watcher
  • Somewhere around here.
    • View Profile
Logged
Sigtext

It has been determined that Trump is an average unladen swallow travelling northbound at his maximum sustainable speed of -3 Obama-cubits per second in the middle of a class 3 hurricane.

Max™

  • Bay Watcher
  • [CULL:SQUARE]
    • View Profile
Re: Apache Struts 2 Vulnerability [Infosec Thread]
« Reply #9 on: March 09, 2017, 03:56:40 pm »

Is this why bay12 wasn't showing up earlier?
Logged

palsch

  • Bay Watcher
    • View Profile
Re: Cloudbleed Bug [Infosec Thread]
« Reply #10 on: March 09, 2017, 04:03:43 pm »

https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/

Well this is just great.

From the edit;
Quote
The fix here, by contrast, typically requires each Web app that was developed with a vulnerable version of Apache Struts to be recompiled using a patched version.

Yeah, that's fucking catastrophic.
Logged

TheBiggerFish

  • Bay Watcher
  • Somewhere around here.
    • View Profile
Re: Apache Struts 2 Vulnerability [Infosec Thread]
« Reply #11 on: March 09, 2017, 04:12:18 pm »

Is this why bay12 wasn't showing up earlier?
I don't know.
Logged
Sigtext

It has been determined that Trump is an average unladen swallow travelling northbound at his maximum sustainable speed of -3 Obama-cubits per second in the middle of a class 3 hurricane.

Max™

  • Bay Watcher
  • [CULL:SQUARE]
    • View Profile
Re: Apache Struts 2 Vulnerability [Infosec Thread]
« Reply #12 on: March 09, 2017, 04:15:21 pm »

More specifically, I'm guessing one of the servers between here and bay12 ended up either hit or rebooting with updates, someone else on dfg mentioned not being able to pull up the forums while the bay12dwarves site worked fine.
Logged

palsch

  • Bay Watcher
    • View Profile
Re: Apache Struts 2 Vulnerability [Infosec Thread]
« Reply #13 on: March 09, 2017, 04:38:34 pm »

If this is our general infosec thread now, this is a really cute little MySQL exploit. You need them to have left the front door open - arbitrary SQL execution with CREATE TABLE permissions, not as rare as you might hope - but the attacker can escalate that to arbitrary shell commands by tricking you into restoring from backup.
Logged

TheBiggerFish

  • Bay Watcher
  • Somewhere around here.
    • View Profile
Re: Apache Struts 2 Vulnerability [Infosec Thread]
« Reply #14 on: March 09, 2017, 04:47:04 pm »

Well yeah, that's why it says Infosec Thread.
Logged
Sigtext

It has been determined that Trump is an average unladen swallow travelling northbound at his maximum sustainable speed of -3 Obama-cubits per second in the middle of a class 3 hurricane.
Pages: [1] 2 3 4