ISC StormCast for Friday, May 10th, 2024

Released Friday, 10th May 2024

Episode Transcript

0:00

Hello and welcome to the Friday, May 10th, 2024 edition of the SANS Internet Storm Center's StormCast. My name is Johannes Ullrich and today I'm recording from San Diego, California. We got a great diary today by Didier where yet again he is improving one of his tools. If you're analyzing a PDF, there may be multiple PDF streams present. The old tool pdf-parser.py did allow you to extract individual streams, but well, if there are a lot of them, that's kind of tedious. So users asked for all of the PDF streams to be exported at once, and that's exactly what Didier added in version 0.7.9 of pdf-parser.py. Even better, the output is in JSON format that can then be post-processed with other tools in Didier's famous tool set. So you can decompress, you can analyze the MIME type of different streams, and all of this by just piping JSON output from one tool into the next to further process the data. Nice examples here from Didier as part of the diary if you're interested in more details.

1:31

And F5 published an update for its Next Central Manager product. Next is the name of a product series of F5, which is the next generation of products, and Central Manager is the tool that you're using to administer these different products. The vulnerabilities were found by Eclypsium and there are a total of five vulnerabilities, but only two of them received CVE numbers. These two vulnerabilities are SQL injection vulnerabilities. One of them actually requires LDAP to be enabled; the second one apparently doesn't. These SQL injection vulnerabilities are explained in Eclypsium's blog post, including a proof of concept that does retrieve the admin's password hash. The other vulnerabilities are less severe, which is why they may not have gotten a CVE number, like for example a bcrypt hash that doesn't use a sufficient cost. I would call this a minor thing. The one thing that I'm actually a little concerned about: there is a vulnerability that allows an attacker to change the admin password without knowing the old password. However, the attacker needs to be authenticated as an admin. So maybe stealing a session ID or something like this could then be used to gain more persistent access by changing the administrator's password. Updates are available from F5, so check that you have the latest version of the Next Central Manager if you already are using this product.

3:16

And backup company Veeam did release updates for its Veeam Service Provider Console 7 and 8. These updates fix a deserialization vulnerability that, according to Veeam, could be used to achieve remote code execution and apparently does not require authentication. The vulnerability does allow for remote code execution on the Veeam Service Provider Console server system.

3:52

And Citrix ran into a little bit of an interesting issue with XenCenter, its hypervisor solution. That is, it came with a version of PuTTY, and if you did select the "connect to via SSH console" option, you were basically offered to download PuTTY and then install it from XenCenter directly. This made it a bit easier; it didn't require that people have to sort of find an SSH client, in particular for Windows systems, as historically they weren't sort of that readily available other than PuTTY. But recently PuTTY had a security vulnerability that would leak private keys, and XenCenter came with this vulnerable version. The tricky part here is that a patch to XenCenter wouldn't really help users who already had the particular vulnerable versions installed, so instead they're actually going to remove PuTTY from XenCenter and are just asking people who already have it installed from XenCenter from past versions to just directly update from PuTTY. This is a somewhat reasonable solution and probably better for people, in particular those that are usually dealing here with this. People in IT at least know how to run SSH, so for them to go directly to the PuTTY website if they want to install that client, and even Windows these days comes with an SSH client that can be installed. So far, that add-on being delivered as part of XenCenter, it's just asking for more problems down the road.

5:32

And that's it for today. So thanks for listening. Like the podcast and please recommend it to your friends, enemies, pets and your enemies' pets. Thanks and talk to you again on Monday. Bye.
