FFS am I literally the only person who puts /tmp on a separate volume and mounts it with noexec set?
There has been a land rush of sorts among threat groups trying to use the vulnerability discovered in the open-source Spring Framework last month, and now researchers at Trend Micro are saying it's being actively exploited to run the Mirai botnet. Mirai is a long-running threat that has been around since 2016 and is used to …
Monday 11th April 2022 22:57 GMT doublelayer
Separate volume, lots of people do that. Noexec, not as many people as you'd hope. Although in this case, /tmp is just a convenient place to store things because a lot of these things are embedded devices with little storage but /tmp in RAM. If a target wasn't allowing the chmod from there, the attacker could find somewhere else to put their binary as long as there was some writable storage. That binary could be a very small one that loaded instructions from another file in /tmp that wasn't executed.
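A quick way to see how far the "/tmp with noexec" mitigation actually reaches on a box is to list every writable mount that lacks noexec, which is exactly the set of places the comment above says a dropped binary could still be run from. The script below is an added example, not code from the article or from either commenter; it parses text in /proc/mounts format, and the sample mount table embedded in it is constructed for the demonstration rather than taken from a real device.

```shell
#!/bin/sh
# Added example: audit mount entries for writable filesystems that are
# missing the noexec option. Input is in /proc/mounts format:
#   <source> <mountpoint> <fstype> <options> <dump> <pass>

# Constructed sample in /proc/mounts format (not from a real host).
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime,size=65536k 0 0
tmpfs /run tmpfs rw,nosuid,nodev,relatime,size=16384k 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,relatime 0 0
/dev/mmcblk0p2 /data ext4 rw,relatime 0 0
/dev/mmcblk0p1 /boot vfat ro,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'

# Print, one per line, the mount points that are writable (rw) but lack
# noexec. Pseudo-filesystems (proc, sysfs, cgroup, devpts) are skipped
# because nothing can be dropped there anyway.
# Args: $1 = mounts text in /proc/mounts format.
exec_writable_mounts() {
    printf '%s\n' "$1" | awk '
        $3 == "proc" || $3 == "sysfs" || $3 == "cgroup" || $3 == "cgroup2" || $3 == "devpts" { next }
        {
            n = split($4, opts, ",")
            rw = 0; noexec = 0
            for (i = 1; i <= n; i++) {
                if (opts[i] == "rw") rw = 1
                if (opts[i] == "noexec") noexec = 1
            }
            if (rw && !noexec) print $2
        }'
}

# Convenience wrapper over the live system: reads /proc/mounts if present.
audit_live_mounts() {
    if [ -r /proc/mounts ]; then
        exec_writable_mounts "$(cat /proc/mounts)"
    else
        echo "no /proc/mounts available" >&2
        return 1
    fi
}

# Demonstration on the constructed sample: /tmp (noexec) and /boot (ro)
# are not listed; /, /run, /dev/shm and /data are.
echo "Writable mounts without noexec (sample):"
exec_writable_mounts "$SAMPLE_MOUNTS"
```

Run `audit_live_mounts` on a real host to get the live list. On the sample, /tmp drops out because of noexec and /boot because it is read-only, but /, /run, /dev/shm and /data remain, which is the point made above: noexec on /tmp narrows the surface, it does not remove it, so the other writable mounts (and the fact that an interpreter or loader can read data from a noexec filesystem) still need the same attention.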
Monday 11th April 2022 22:44 GMT hayzoos
"They also can downgrade to a lower JDK version such as version 8, though doing so "could impact application features and open doors to other attacks mitigated in higher versions of JDK," the researchers wrote."
The botnet tools like Mirai are not single function, they are toolsets. The nature of IOT is ship and forget. I would be highly surprised that they do not carry exploits for multiple versions since not doing so would leave a lot of older targets unused. So, um, no, downgrading to avoid the exploit du jour is not going to help in the larger scheme.