Vendors are still shipping defaults that completely nuke their own security models.
Transparent Disk Decryption
Running IncusOS bare-metal? Your TPM-backed LUKS encryption is security theater against physical access. The default TPM policy doesn't bind to the root partition. An attacker swaps the root drive for a malicious one, boots up, and the TPM blindly forks over the LUKS volume key. They put the original drive back, and Secure Boot doesn't even blink.
- The Fix: Apply the IncusOS advisory to enforce strict TPM validation.
- Hard Truth: Patches only stop future theft. If a server was left physically unguarded, assume the LUKS master key is burned. Rotate it.
Cross-Origin Credential Scraping
Glances shipped a suicidally bad CORS policy: `allow_origins="*"` combined with `allow_credentials=True`. If an authenticated admin visits a malicious site, that site can silently fire background requests at your internal Glances endpoints, and the browser attaches the admin's session to each one. Attackers can scrape passwords, system configs, and process args straight out of your monitoring data.
- The Fix: Upgrade to 4.5.2 per the Glances CORS report.
- Operator Action: Can't patch today? Manually restrict `allow_origins` to an explicit list of trusted internal origins (never `*` alongside `allow_credentials=True`) to stop the data hemorrhage.
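To see why the wildcard-plus-credentials combination is the whole problem, here is an added example (not Glances or its web framework's code) that models the server's CORS response and the browser's credentialed-read check; it assumes, as many CORS middlewares do, that a `*` allowlist reflects the caller's Origin when credentials are in play.

```python
# Added example: models a wildcard+credentials CORS policy next to the fixed
# allowlist. Not Glances code. Assumption: with "*" the middleware reflects
# the request Origin when cookies are present (a literal "*" is useless with
# credentials), which is what turns "*" into "any site on the internet".
from dataclasses import dataclass, field


@dataclass
class CorsConfig:
    allow_origins: list[str] = field(default_factory=list)
    allow_credentials: bool = False


def server_cors_headers(cfg: CorsConfig, origin: str, has_cookie: bool) -> dict[str, str]:
    """Headers a credential-aware CORS middleware would emit for one request."""
    headers: dict[str, str] = {}
    wildcard = "*" in cfg.allow_origins
    if wildcard and has_cookie:
        headers["Access-Control-Allow-Origin"] = origin  # reflected (assumed)
    elif wildcard:
        headers["Access-Control-Allow-Origin"] = "*"
    elif origin in cfg.allow_origins:
        headers["Access-Control-Allow-Origin"] = origin
    if cfg.allow_credentials and "Access-Control-Allow-Origin" in headers:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def browser_permits_credentialed_read(headers: dict[str, str], origin: str) -> bool:
    """Fetch rule: a credentialed response is readable cross-origin only when
    ACAO exactly equals the page's origin (never "*") and ACAC is "true"."""
    return (headers.get("Access-Control-Allow-Origin") == origin
            and headers.get("Access-Control-Allow-Credentials") == "true")


def is_misconfigured(cfg: CorsConfig) -> bool:
    """The shipped-default smell: wildcard origins plus credentials."""
    return "*" in cfg.allow_origins and cfg.allow_credentials


def foreign_site_can_read(cfg: CorsConfig, origin: str = "https://attacker.example") -> bool:
    """Can a page at `origin` read responses using the admin's logged-in session?"""
    hdrs = server_cors_headers(cfg, origin, has_cookie=True)
    return browser_permits_credentialed_read(hdrs, origin)


WEAK = CorsConfig(allow_origins=["*"], allow_credentials=True)
# Constructed placeholder for your real dashboard origin.
FIXED = CorsConfig(allow_origins=["https://ops.internal.example"], allow_credentials=True)

if __name__ == "__main__":
    print("weak config readable cross-origin:", foreign_site_can_read(WEAK))    # True
    print("fixed config readable cross-origin:", foreign_site_can_read(FIXED))  # False
```

The fixed config still serves the trusted dashboard origin with credentials; it just stops reflecting everyone else.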