<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Insecure-Configuration — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/insecure-configuration/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 22 Apr 2026 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/insecure-configuration/feed.xml" rel="self" type="application/rss+xml"/><item><title>HKUDS OpenHarness Insecure Default Configuration Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-openharness-default-config/</link><pubDate>Wed, 22 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-openharness-default-config/</guid><description>HKUDS OpenHarness prior to PR #147 remediation contains an insecure default configuration vulnerability where remote channels inherit permissive access, potentially leading to unauthorized file disclosure and read access.</description><content:encoded><![CDATA[<p>HKUDS OpenHarness, a tool whose function the source material does not describe, exhibits an insecure default configuration in versions prior to the remediation implemented in pull request #147. The vulnerability arises because remote channels inherit the setting <code>allow_from = [&quot;*&quot;]</code>. This overly permissive default allows any remote sender to bypass admission checks, effectively negating the intended access controls. The vulnerability was reported on April 21, 2026. Exploitation requires an attacker to reach the configured channel, which opens a pathway to host-backed agent runtimes. Successful exploitation can lead to unauthorized file disclosure and read access via the read-only tools that are enabled by default within the OpenHarness environment. Defenders should ensure they are running a version of OpenHarness that includes the PR #147 fix or a later release.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains network access to the OpenHarness instance.</li>
<li>Attacker identifies a configured remote channel.</li>
<li>Attacker leverages the inherited <code>allow_from = [&quot;*&quot;]</code> configuration to bypass admission controls.</li>
<li>Attacker interacts with a host-backed agent runtime.</li>
<li>Attacker exploits default-enabled read-only tools available within the runtime.</li>
<li>Attacker gains unauthorized read access to sensitive files on the system.</li>
<li>Attacker exfiltrates the disclosed files.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows attackers to bypass intended access controls and gain unauthorized read access to files accessible to the OpenHarness agent. This could lead to the disclosure of sensitive information, potentially impacting confidentiality. The scope of the impact depends on the data accessible to the agent runtime and the sensitivity of those files. Given the default-enabled nature of the vulnerability, any OpenHarness deployment prior to PR #147 is potentially vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade HKUDS OpenHarness to a version including or following the remediation provided in <a href="https://github.com/HKUDS/OpenHarness/pull/147">PR #147</a>.</li>
<li>Monitor network connections to the OpenHarness instance for unexpected remote channel access, using a network monitoring solution.</li>
<li>Audit the configuration of OpenHarness channels to ensure that <code>allow_from</code> is not set to <code>[&quot;*&quot;]</code>, but rather to a restrictive set of trusted senders.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>insecure-configuration</category><category>access-control</category></item><item><title>libssh Insecure Configuration Allows Local MITM Attacks (CVE-2025-14821)</title><link>https://feed.craftedsignal.io/briefs/2026-04-libssh-mitm/</link><pubDate>Tue, 07 Apr 2026 17:16:25 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-libssh-mitm/</guid><description>CVE-2025-14821 in libssh allows local man-in-the-middle attacks, SSH downgrade attacks, and trusted host manipulation due to insecure default configuration loading from a world-writable directory on Windows.</description><content:encoded><![CDATA[<p>A critical vulnerability, CVE-2025-14821, has been identified in the libssh library. This flaw arises from an insecure default configuration on Windows systems. Specifically, libssh automatically loads configuration files from the <code>C:\etc</code> directory. Critically, this directory can be created and modified by unprivileged local users. This allows a malicious local user to manipulate the SSH configuration, facilitating man-in-the-middle attacks, downgrading connection security, and manipulating trusted host information. Successful exploitation grants attackers the ability to intercept and potentially modify SSH communications, posing a significant risk to data confidentiality, integrity, and availability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker creates the directory <code>C:\etc</code> if it does not already exist.</li>
<li>Attacker creates a malicious SSH configuration file (e.g., <code>ssh_config</code>) within the <code>C:\etc</code> directory. This configuration can specify settings to downgrade encryption or redirect connections.</li>
<li>A legitimate user initiates an SSH connection using an application that leverages the vulnerable libssh library.</li>
<li>libssh automatically loads the attacker-controlled configuration file from <code>C:\etc\ssh_config</code>.</li>
<li>The malicious configuration settings are applied, potentially downgrading the encryption algorithm used for the SSH connection.</li>
<li>The attacker intercepts the SSH traffic, performing a man-in-the-middle attack due to the weakened encryption or connection redirection.</li>
<li>The attacker can now eavesdrop on or modify the SSH communication, gaining unauthorized access to sensitive information or injecting malicious commands.</li>
<li>Attacker maintains persistent access or exfiltrates sensitive data obtained through the compromised SSH session.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2025-14821 allows a local attacker to perform man-in-the-middle attacks on SSH connections. This can lead to the compromise of sensitive data transmitted over SSH, such as credentials, configuration files, or confidential documents. The ability to manipulate trusted host information further exacerbates the risk, potentially allowing attackers to impersonate legitimate servers. The vulnerability affects any Windows system using a vulnerable version of libssh and could impact organizations across all sectors that rely on SSH for secure communication and remote administration.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor for the creation or modification of files within the <code>C:\etc</code> directory, particularly configuration files like <code>ssh_config</code>, using file integrity monitoring (FIM) rules on Windows systems.</li>
<li>Implement the Sigma rule provided to detect the creation of the <code>C:\etc</code> directory by non-system processes.</li>
<li>Restrict write access to the <code>C:\etc</code> directory and its contents using appropriate file system permissions on Windows systems.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>libssh</category><category>mitm</category><category>windows</category><category>cve-2025-14821</category><category>insecure-configuration</category></item></channel></rss>