NETGEAR meltdown: CVE-2021-34991 “Pre-Authentication Buffer Overflow”

A serious and fresh vulnerability discovered in September led to a notice in November from NETGEAR. As you might expect, that company “strongly recommends that you download the latest firmware as soon as possible”.

Fine. That sounds normal until you consider the totality of vulnerable products versus the ones getting updates (those models under active firmware maintenance are fixed, other models are… uh-oh):

Source: GRIMM

Note that big caveat/footnote from the researcher that a previous NETGEAR fix “broke” GRIMM’s exploit code. An odd perspective on something being fixed for users, calling it “inadvertently broken” for adversaries…

Speaking of perspective, it’s worth noting that perhaps GRIMM smelled blood in the water after NETGEAR had to disclose major issues in March and June.

I mean, this kind of attention-gathering could help explain why the summer months turned into two additional unique September disclosures (1 and 2) before now.

To be fair, 2020 was an even noisier banner year for NETGEAR vulnerability disclosures, with 22 unique CVEs assigned (mostly XSS).

Source: CVE Details

As bad as all of this year’s unauthenticated bypass disclosures sound, we’re still talking about UPnP in the latest one. It’s thus also worth mentioning that Shodan probes give a clear “honeypot” warning to those scanning the globe right now.

Source: Shodan

Palo Alto zero-day (CVE-2021-3064) used for a year by Randori before disclosure

This timeline is published by Randori itself, disclosing “authorized use” of a zero-day in Palo Alto products.

  • 2020-10-26: Randori began initial research on GlobalProtect.
  • 2020-11-19: Randori discovered the buffer overflow vulnerability.
  • 2020-11-20: Randori discovered the HTTP smuggling capability.
  • 2020-12-01: Randori began authorized use of the vulnerability chain as part of Randori’s continuous and automated red team platform.
  • 2021-09-22: The buffer overflow vulnerability was disclosed by Randori to PAN.
  • 2021-10-11: The HTTP smuggling capability was disclosed by Randori to PAN.
  • 2021-11-10: PAN released patches and a security bulletin assigning the vulnerability CVE-2021-3064.
  • 2021-11-10: This report was published.
Source: Randori

CVE-2021-3064 is a buffer overflow that occurs while parsing user-supplied input into a fixed-length location on the stack. The problematic code is not reachable externally without utilizing an HTTP smuggling technique. Exploitation of these together yields remote code execution under the privileges of the affected component on the firewall device. The smuggling capability was not designated a CVE identifier as it is not considered a security boundary by the affected vendor. In order to exploit this vulnerability, an attacker must have network access to the device on the GlobalProtect service port (default port 443). As the affected product is a VPN portal, this port is often accessible over the Internet.
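The overflow class described above, as an added example that is not part of the original post and not Palo Alto’s or Randori’s code: a constructed token parser that copies a user-supplied field into a fixed-length stack buffer with no bound, beside a hardened version that measures the token against the destination size and rejects oversize input instead of truncating it. The function names, `FIELD_MAX` and the sample inputs are assumptions made for the illustration.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FIELD_MAX 32   /* fixed-length stack buffer, as in the advisory's description (assumed size) */

/* The vulnerable pattern the Randori write-up describes: user-supplied bytes
   are parsed into a fixed-length buffer on the stack and the copy loop never
   compares its index against the buffer size. Constructed illustration only,
   not the affected product's code. Any token of FIELD_MAX or more bytes
   writes past the end of `field`. */
int parse_field_unsafe(const char *input)
{
    char field[FIELD_MAX];
    size_t i = 0;

    while (input[i] != '\0' && input[i] != ' ') {
        field[i] = input[i];      /* no bound: i can exceed FIELD_MAX - 1 */
        i++;
    }
    field[i] = '\0';
    return (int)i;                /* length of the token that was copied */
}

/* Hardened form: measure the token first, refuse anything that would not fit
   together with its terminating NUL, and only then copy. Oversize input is
   rejected with -1 rather than truncated silently, so the caller can treat it
   as a malformed request. */
int parse_field_safe(const char *input, char *out, size_t out_len)
{
    size_t n = strcspn(input, " \t\r\n");   /* length of the first token */

    if (n == 0 || n >= out_len)
        return -1;
    memcpy(out, input, n);
    out[n] = '\0';
    return (int)n;
}

/* Wrapper using the same fixed-size stack buffer as the unsafe version, so
   both can be compared on identical input. */
int safe_parse_len(const char *input)
{
    char field[FIELD_MAX];
    return parse_field_safe(input, field, sizeof field);
}

int main(void)
{
    /* constructed sample inputs */
    const char *ok = "user=alice HTTP/1.1";
    const char *oversize = "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";   /* 40 bytes */

    printf("safe, normal token:   %d\n", safe_parse_len(ok));        /* 10 */
    printf("safe, oversize token: %d\n", safe_parse_len(oversize));  /* -1 */
    printf("unsafe, normal token: %d\n", parse_field_unsafe(ok));    /* 10, still within bounds */
    /* parse_field_unsafe(oversize) is deliberately not called: it would overrun the stack */
    return 0;
}
```

The point of the hardened version is the order of operations: the length is known and checked before a single byte is written, and the reject path returns an error the caller can log, which is also the cheapest place to add detection for anomalously long fields on a pre-authentication code path.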

What does this mean? While it’s tempting to focus on the ethics of Palo Alto “authorizing” the behavior, or on the ethics of the behavior itself… the reality on the ground is that Randori has painted a very large target on itself as a suspicious repository of zero-day information.

In related news of very large targets, even though this sounds like a headline from a decade ago, Sky admits just now that it left 6 million consumer network devices vulnerable for 1.5 years.

…researchers say it took Sky 18 months to address. The vulnerability could have affected anyone who had not changed the router’s default admin password.

The BBC headline really should have been “The Sky is failing” as in Sky was “failing to meet numerous deadlines they set themselves”.

How Gaining Knowledge Violates the U.S. First Amendment

Here is an excellent lecture by legal scholar Robert C. Post on why speech must be regulated for an environment to encourage free speech.

Research, Post said, is ultimately based in the notion that not everyone has equal knowledge of a given topic and that expert knowledge is created through disciplinary study. “When we are talking about university research and expanding knowledge, it is resting on a disciplinary hierarchy, which is exactly opposite of the democratic equality on which freedom of speech rests,” he said.

Therefore, in order to perform research and to advance it, he said, universities must discriminate on content, make judgments that some ideas are better than others and compel professors and researchers to speak in order to communicate their knowledge. Though these actions further the mission of a university, he said, they violate the rules of the First Amendment.

In other words (pun not intended), improving knowledge using a process of evaluation with measured results, where some inputs can be judged by an authorized process, violates a political framework designed to maintain the power (rights) of ignorance.

This is hardly different from saying a moving environment should be regulated based on the science of physics (e.g. dismissing the political controversy about seat belts given the basic economics of safety) for society to be physically safer.

Post continues:

“Any teacher knows that students who are threatened or assaulted don’t listen,” he said. “They don’t learn. So you have to create the conditions under which learning is possible, and you have to regulate the speech in order to advance that goal.” Again, he said, these requirements of good teaching and learning necessarily violate the rules of the First Amendment.
