Email or username:

Password:

Forgot your password?
All posts Emelia's posts Post Back to profile
Emelia πŸ‘ΈπŸ»

58.5% of @pixelfed servers still have a critical vulnerability left unpatched.

I'll just highlight something: the vulnerability allows a third-party to gain administrative control over your instance if you don't update.

You really want to update as soon as possible, there's a reason this is a 9.9/10 vulnerability score.

#Pixelfed

13 February at 3:11 | Open on hachyderm.io
16 comments
Emelia πŸ‘ΈπŸ»

To the 208 @pixelfed servers that have upgraded so far, thank you!

13 February at 3:17 | Open on hachyderm.io
Kevin Karhan

@thisismissem @pixelfed Consider reporting it to @certbund & @cert_eu ...

Maybe once it's acknowledged then hosters will intervene because they don't want shit to get abused for malware...

13 February at 3:34 | Open on infosec.space
Emelia πŸ‘ΈπŸ»

@kkarhan @pixelfed @certbund @cert_eu this vulnerability just gives administrative access over the pixelfed software, not to the underlying hardware.

13 February at 3:38 | Open on hachyderm.io
Kevin Karhan

@thisismissem @pixelfed @certbund @cert_eu Even if it'll just allow them to manipulate the public_html directory of said webserver that alone is a problem.

Not to mention they'll likely have eMail setup to sent notificiations and registration confirmations, meaning that can be abused for #Spam...

And at that point most people will point out that Spamming is kinda illegal and that regulators like @BNetzA will go after Spammers within their juristiction...

Having an insecure Webserver-Sided Application up and running is just begging for trouble and will get costly as every hoster & ISP I know will bill the customer in question for the costs of having to intervene due to their criminally gross neglect...

And those bills will get very big quickly, espechally when they had to deal with a shitload of fallout from other sources, like having to undo getting blocklisted for spam and so forth...

@thisismissem @pixelfed @certbund @cert_eu Even if it'll just allow them to manipulate the public_html directory of said webserver that alone is a problem.

Not to mention they'll likely have eMail setup to sent notificiations and registration confirmations, meaning that can be abused for #Spam...

And at that point most people will point out that Spamming is kinda illegal and that regulators like @BNetzA will go after Spammers within their juristiction...

13 February at 3:43 | Open on infosec.space
Emelia πŸ‘ΈπŸ»

@kkarhan please just wait for the full disclosure on the 25th; I know you're trying to be helpful but you're misunderstanding the type of vulnerability.

13 February at 6:05 | Open on hachyderm.io
Kevin Karhan

@thisismissem okay...

I do accept amd understand #ResponsibleDisclosure and why people should first fix it...

Needless to say said CERTs should be made aware as their publications & feeds are also being read by Hosters who may also have the ability to scan their customers' systems and notify them as well or if necessary forcibly shut down vulnerable instances before they get hacked...

13 February at 6:09 | Open on infosec.space
Emelia πŸ‘ΈπŸ»

@kkarhan there's already a CVE and a security advisory on github. For now it's not necessary as far as I know for CERT to be involved

13 February at 6:12 | Open on hachyderm.io
Matrix9180 :ruby: :rust:

@thisismissem @pixelfed hmmm... maybe I can white knight this shit and be the hacker that breaks in, upgrades their instance and leaves lol. Like jailbreakme back in the day. Lol

13 February at 5:30 | Open on hachyderm.io
Emelia πŸ‘ΈπŸ»

@matrix9180 @pixelfed lucky not a vulnerability that gives you shell access as far as I know.

13 February at 6:07 | Open on hachyderm.io
Matrix9180 :ruby: :rust:

@thisismissem @pixelfed that's good at least. Still enough access to set a global notice to everyone that their instance hasn't been upgraded and has been compromised and is still vulnerable. And urge them to pester their admins until it happens...

13 February at 6:09 | Open on hachyderm.io
Anil

@thisismissem @matrix9180 @pixelfed I'm curious how the CVE score is so high without RCE possibilities? escalation of privileges is usually in the 5-6ish range

13 February at 7:43 | Open on fosstodon.org
Matrix9180 :ruby: :rust:

@nil @thisismissem @pixelfed yeah, something is fishy... Critical is usually reserved for "oops all root access on the host" vulns...

13 February at 7:48 | Open on hachyderm.io
Emelia πŸ‘ΈπŸ»
Anil
Matrix9180 :ruby: :rust:

@nil @thisismissem @pixelfed yep, but I suppose it could be that high because it maybe exposes everyone's info. Going to get some rest but I'll probably see what they fixed and go from there lol

13 February at 8:21 | Open on hachyderm.io
Emelia πŸ‘ΈπŸ»

@nil @matrix9180 @pixelfed so yeah, base score is 9.9 β€” though nist's calculator is more explanatory than GitHubs, overall score ended up being 8.4 with all the other factors

13 February at 8:38 | Open on hachyderm.io
Go Up