ISC StormCast for Monday, April 22nd, 2024

Released Monday, 22nd April 2024

Episode Transcript

0:00 Hello and welcome to the Monday, April 22nd, 2024 edition
0:02 of the SANS Internet Storm Center's StormCast.
0:07 My name is Johannes Ullrich
0:09 and I'm recording from Jacksonville,
0:12 Florida. And
0:14 we got more changes to
0:17 CVEs and how vulnerabilities will
0:19 be communicated. MITRE,
0:21 the company who is in
0:23 charge of assigning CVE numbers,
0:26 so far used the CVE
0:28 JSON 4.0 format.
0:30 Well, they now started releasing
0:32 vulnerability information in the JSON
0:35 5.0 format, and JSON 4.0
0:40 will go away end of June. So,
0:43 we don't have a lot of time
0:45 here to react and switch over to
0:47 the new feed. Not
0:49 sure how sort of backwards compatible it is,
0:51 I still have to look into it myself. But
0:54 definitely something that you need to get
0:56 ready for if you are consuming these
0:58 feeds directly. This may, of course, also
1:01 affect various open source and commercial
1:04 products that are reading this feed
1:06 directly from MITRE. And
1:09 then we have more vulnerabilities in
1:11 enterprise file transfer software. Remember all
1:13 the chaos that MOVEit caused
1:15 a few months back. This
1:18 time it's CrushFTP. CrushFTP
1:20 version 11 below 11.1
1:22 has a vulnerability that can
1:27 be used to escape their
1:29 VFS and download
1:31 system files. So this
1:33 has been patched in version 11.1.0.
1:39 And in particular, if you
1:41 are exposing CrushFTP to
1:43 the public, you should patch
1:45 now, as CrowdStrike states
1:48 that this vulnerability has already
1:50 been exploited. There are
1:52 also patches available for version 10 of
1:55 CrushFTP, and version 9,
1:57 according to CrushFTP,
2:00 is no longer supported, so no
2:02 one should be running it
2:04 anymore according to them. And
2:07 we have an interesting vulnerability, or
2:09 maybe, well, an easy to abuse
2:11 feature in GitHub that is
2:13 being abused in order to distribute
2:16 malware. One of the
2:18 problems with repositories like GitHub
2:20 is that, well, there are
2:22 different user accounts with a
2:24 widely different reputation. For example,
2:27 one account that you probably
2:29 would trust most of the
2:31 time is Microsoft. But
2:33 there is a trick where you can
2:36 make any file look like
2:38 it's hosted on Microsoft's GitHub
2:40 account, because, well, it actually
2:42 is. The trick is that
2:44 you leave a comment for
2:46 a commit and attach the
2:48 malicious file to the comment.
2:51 Later you delete the
2:53 comment. However, the file
2:55 will remain part of
2:57 GitHub's Microsoft repository, if
3:00 you want to call it this.
3:02 Basically it's part of the Microsoft
3:04 account on GitHub, and
3:07 the URL very much looks like a
3:10 Microsoft GitHub URL
3:13 as you're offering this link to
3:15 an unsuspecting victim for download. So
3:17 what is sort of a URL
3:19 obfuscation trick, more a
3:21 social engineering trick in that sense,
3:23 than actually sort of an exploit.
3:25 Definitely something to be aware of.
3:27 It's not clear yet if GitHub
3:29 is able or will be
3:32 fixing this. At the very least,
3:34 I guess they could allow the
3:36 repository owner to then
3:38 delete these files. Disabling
3:40 comments is also only possible
3:42 in a temporary fashion, not
3:44 sort of in a global,
3:46 forever way. And
3:50 YubiKey fixed a vulnerability, and it's
3:52 the YubiKey Manager for Windows.
3:54 It only affects the Windows
3:56 version of this tool. The
3:58 problem here is a relatively simple
4:00 privilege escalation issue. The
4:03 YubiKey Manager GUI tool is
4:05 usually opened as an administrator,
4:07 but if you then open
4:09 a browser window from within
4:11 the YubiKey Manager GUI, it
4:14 will open that browser window as
4:16 an administrator, which then of course
4:18 could lead to some privilege escalation.
4:21 That bug is now fixed in
4:23 the latest version, anything later than
4:25 1.2.6. Non-Windows versions do not
4:31 require any kind of administrative permissions
4:33 to interact with FIDO authenticators,
4:36 so that's why they
4:38 are not affected. Then
4:40 just a quick update on Palo
4:42 Alto: the sort
4:44 of usual whack-a-mole continues, where
4:47 attackers are coming up with
4:49 new exploits that in particular
4:51 are bypassing some of the
4:53 early threat IDs that
4:57 Palo Alto published as part of
4:59 its threat prevention subscription, so just
5:01 make sure you keep that updated.
5:03 I'll link again in the show
5:05 notes to the advisory by Palo
5:07 Alto so you get the latest
5:09 and greatest update. Well,
5:12 that's it again for today.
5:14 Thanks for listening. Thanks for
5:16 subscribing. If you are just
5:18 occasionally listening, definitely nice if
5:20 you subscribe. And also, this
5:22 podcast is available via your
5:24 Amazon Alexa if you want
5:26 to add it to your
5:29 morning flash briefing. Thanks, and
5:31 talk to you again tomorrow.
5:33 Bye.
