Aggregator

⸻ 文本来自 Kim Zetter 撰写的《零日倒计时：震网病毒与首次网络武器的问世》。这本书深入探讨了 震网病毒 的技术细节，包括它如何利用 USB 驱动器和数字证书 传播，以及如何针对工业控制系统，特别是西门子的可编程逻辑控制器（PLC）。书中还讨论了网络攻击的早期案例，如澳大利亚水处理厂事件和极光发电机测试，这些事件凸显了工业控制系统固有的安全漏洞，并揭示了在震网病毒被发现之前，人们对这些风险普遍存在的漠视。此外，文本还触及了网络战的概念，包括震网病毒的复杂性及其开发过程，以及震网病毒的后续变种Duqu和Flame。最后，它考察了震网病毒对网络安全政策和国家网络攻击能力发展的影响。 ⸻⸻ ⸻⸻ 你好。今天我们来深入解析一份挺震撼的资料——《零日倒计时》。嗯，这本书讲的 Stuxnet 震网病毒可不是一般的电脑病毒啊。对，它是一个里程碑：第一次被公认为用数字代码去攻击并破坏现实世界的物理设备，不是偷数据，而是直接造成物理损坏。想想看，代码能让工厂里的机器——比如离心机——失控然后损坏，这听起来有点科幻，但千真万确。 ⸻ 先说它是怎么进去的，传播方式很有意思。它不完全靠网络钓鱼，最绝的一招是靠 U盘。看着传统，却特别有效——利用 Windows 处理快捷方式（LNK）文件的漏洞。早期版本用的是 Autorun，后来用更隐蔽的 LNK 漏洞。关键是它能通过 U 盘感染那些为了安全特意不联网的系统，也就是所谓的气隙隔离、物理隔离。工程师拿着 U 盘从一个地方拷文件到另一个地方，就不知不觉成了病毒的带毒人，完全可能。 ⸻ Stuxnet 还会伪装。资料里提到它偷了合法公司的数字证书。数字证书就像软件的身份证，例如它用偷来的 Realtek 等公司的证书给自己的恶意驱动程序签名。系统就完全相信它，以为是合法驱动；杀软可能都不报警。这在当时绝对让人大开眼界。 ⸻ 进去之后总得有个目标。目标非常精准：它只认准西门子的工业控制系统，特别是 Step 7 编程软件和 S7 系列 PLC。例如 315、417 型号它都会检查。它会先侦查系统配置是否与预设目标完全一致，如果不是就潜伏不动；只有完全匹配才动手，把真正的攻击代码——payload——注入 PLC。 ⸻ 具体到破坏物理设备，以书里重点写的伊朗铀浓缩的离心机为例。攻击代码进去后会修改 PLC 控制离心机转速的逻辑，不是一味搞破坏，而是周期性地在很短时间里大幅提高或降低转速，让机器承受不住。操作员看不到吗？这就是高明的地方：攻击之前先偷录下离心机正常运转时的实时数据，在发动攻击时把这些正常的假数据播放给监控系统。也就是说，操作员在控制界面上看到的永远一切正常，设备却悄悄被折磨损坏，表面上风平浪静。 ⸻ 这种攻击能成功，很大程度上是因为工业控制系统本身确实不太安全。许多 PLC 设计于互联网普及之前，那时主要考虑功能、稳定、效率，根本没“网络安全”这个概念。所以它们缺少很多 IT 系统基本的安全功能，比如通信加密、严格的用户身份验证。书里还提了具体例子：很多 PLC 有出厂就写死的默认密码，而且很容易查到。比如西门子某系统用过的 S7 后门密码就有人直接发在网上论坛。这不等于把大门钥匙放在门口吗？差不多就是这个意思。而且它们用的通信协议本身可能就不加密，容易被监听、被篡改。 ⸻ 安全研究员 Dillon Beresford 证明：就算你不是工控专家，只靠公开资料买点二手 PLC 设备，花点时间研究，也能找到不少漏洞并利用起来——攻击门槛其实比我们想象的要低。 ⸻ 再加上这些系统（比如发电厂的控制系统）一运行就是好几年、甚至几十年，不能随便停机；打补丁、升级系统就非常麻烦，维护人员也不愿意。所以就算发现漏洞，也可能拖很久才修复，甚至永远不修，这就给了 Stuxnet 这种攻击可乘之机。 ⸻ Stuxnet 的出现不仅是技术突破，更是战略性事件。它被普遍认为是首个由国家力量开发、明确以物理破坏为目标的网络武器，开启了网络战的时代。它用多个当时没人知道的零日漏洞，还能藏在 PLC 固件里的 PLC rootkit。这些技术细节后来都被安全研究人员分析、披露——意味着技术扩散，其他人可以学习模仿。后来发现的一些恶意软件，如 Duqu，就被指出在代码或开发平台上与 Stuxnet 有联系。模仿者和更厉害的攻击随之而来。 ⸻ 其实控制系统出问题导致严重后果，以前也有：比如澳大利亚玛鲁奇水处理厂由内部人员破坏；又如系统故障或设计问题导致的事故——书里提到美国国土安全部做的 Aurora 测试，用网络攻击就弄坏了一台发电机。这些都是警示，但 Stuxnet 不一样，它是目标明确、精心策划的武器化攻击。 ⸻ 它还带来一个难题：追溯源头非常难。即便是 Stuxnet 这种复杂攻击，到底是谁干的，国际上至今仍有争议，没有百分之百的定论。未来可能出现更难追踪、甚至被用来栽赃嫁祸的网络攻击，这个风险确实存在。 ⸻ 总结一句：Stuxnet 真正给我们敲响了警钟——代码真的能变成武器，直接打到我们生活的物理世界，而它利用的正是支撑电力、供水、交通、制造等关键领域的工业控制系统普遍存在的安全漏洞。既然我们已经知道这种攻击可行、技术细节也被公开，那些围绕在我们周围、控制一切关键基础设施的系统，真的准备好迎接下一次可能形式不同的数字风暴了吗？下一个目标又会在哪里？这值得我们每个人深思。

A vulnerability classified as problematic has been found in WP Booking Calendar Plugin up to 10.11.1 on WordPress. This affects the function wpbc of the component Shortcode Handler. The manipulation leads to cross site scripting. This vulnerability is uniquely identified as CVE-2025-4669. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability was found in Wise Chat Plugin up to 3.3.3 on WordPress. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /wp-content/uploads of the component File Attachment Handler. The manipulation leads to information disclosure. This vulnerability is handled as CVE-2024-13613. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in WP-Members Plugin up to 3.5.2 on WordPress. It has been declared as problematic. Affected by this vulnerability is the function wpmem_user_memberships of the component Shortcode Handler. The manipulation leads to cross site scripting. This vulnerability is known as CVE-2025-4610. The attack can be launched remotely. There is no exploit available.

Submit #576264 / VDB-309433

A vulnerability was found in WatchGuard Fireware OS up to 12.11.1. It has been classified as problematic. Affected is an unknown function. The manipulation leads to cross site scripting. This vulnerability is traded as CVE-2025-4805. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in WatchGuard Fireware OS up to 12.11.1 and classified as problematic. This issue affects some unknown processing of the component SpamBlocker Module. The manipulation leads to cross site scripting. The identification of this vulnerability is CVE-2025-4804. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in Imagination Graphics DDK up to 24.3 RTM and classified as critical. This vulnerability affects unknown code of the component GPU System Call Handler. The manipulation leads to use after free. This vulnerability was named CVE-2025-1706. It is possible to launch the attack on the local host. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, was found in Imagination Graphics DDK up to 24.3 RTM. This affects an unknown part. The manipulation leads to use of out-of-range pointer offset. This vulnerability is uniquely identified as CVE-2024-47893. Attacking locally is a requirement. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in Wholesale Market Plugin and Wholesale Market for WooCommerce Plugin on WordPress. Affected by this issue is some unknown functionality of the component Setting Handler. The manipulation leads to cross-site request forgery. This vulnerability is handled as CVE-2022-4363. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as problematic was found in Samsung Internet for Galaxy Watch 5.0.9. Affected by this vulnerability is an unknown functionality of the component TLS Certificate Handler. The manipulation leads to channel accessible by non-endpoint. This vulnerability only affects products that are no longer supported by the maintainer. This vulnerability is known as CVE-2025-32407. The attack can be launched remotely. There is no exploit available.

A vulnerability classified as problematic has been found in GNU PSPP up to 2.0.1. Affected is the function fill_buffer in the library libPSPP-core.a of the file data/encrypted-file.c of the component Rijndael Decrypt. The manipulation leads to out-of-bounds read. This vulnerability is traded as CVE-2025-48188. The attack needs to be approached locally. There is no exploit available.

A vulnerability was found in GNU C Library up to 2.38. It has been rated as critical. This issue affects some unknown processing of the component Environment Variable Handler. The manipulation of the argument LD_LIBRARY_PATH leads to untrusted search path. The identification of this vulnerability is CVE-2025-4802. It is possible to launch the attack on the local host. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Apache Linkis 1.3.x/1.4.x/1.5.x and classified as problematic. Affected by this issue is some unknown functionality of the component Spark EngineConn. The manipulation leads to insufficiently random values. This vulnerability is handled as CVE-2024-39928. The attack needs to be approached within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in itsourcecode Online Tours and Travels Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file forget_password.php. The manipulation of the argument val-email leads to sql injection. This vulnerability was named CVE-2024-48411. The attack can be initiated remotely. There is no exploit available.

A vulnerability was found in Masteriyo LMS Plugin up to 1.13.3 on WordPress. It has been rated as critical. Affected by this issue is some unknown functionality. The manipulation leads to missing authorization. This vulnerability is handled as CVE-2024-10008. The attack may be launched remotely. There is no exploit available.

A vulnerability, which was classified as critical, has been found in eladmin up to 2.7. This issue affects some unknown processing of the file ServerDeployController.java. The manipulation of the argument ip leads to server-side request forgery. The identification of this vulnerability is CVE-2024-51242. Access to the local network is required for this attack to succeed. There is no exploit available.

A vulnerability classified as problematic was found in Safe SVG Plugin up to 2.2.5 on WordPress. This vulnerability affects the function wp_handle_upload. The manipulation leads to cross site scripting. This vulnerability was named CVE-2024-8378. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, has been found in Flipkart-Clone-PHP 1.0. Affected by this issue is some unknown functionality of the file entry.php. The manipulation of the argument product_title leads to sql injection. This vulnerability is handled as CVE-2022-38947. The attack may be launched remotely. There is no exploit available.

A vulnerability classified as critical has been found in Doctor-Appointment 1.0. Affected is an unknown function of the file /Frontend/signup_com.php. The manipulation leads to unrestricted upload. This vulnerability is traded as CVE-2022-38946. It is possible to launch the attack remotely. There is no exploit available.