Episode Transcript
0:00
Hello and welcome to the Monday, April 22nd, 2024 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and I'm recording from Jacksonville, Florida.

0:14
And we got more changes to CVEs and how vulnerabilities will be communicated. MITRE, the company who is in charge of assigning CVE numbers, so far used the CVE JSON 4.0 format. Well, they now started releasing vulnerability information in the JSON 5.0 format, and JSON 4.0 will go away end of June. So we don't have a lot of time here to react and switch over to the new feed. Not sure how sort of backwards compatible it is, I still have to look into it myself. But definitely something that you need to get ready for if you are consuming these feeds directly. This may, of course, also affect various open source and commercial products that are reading this feed directly from MITRE.

1:09
And then we have more vulnerabilities in enterprise file transfer software. Remember all the chaos that MOVEit caused a few months back. This time it's CrushFTP. CrushFTP version 11 below 11.1 has a vulnerability that can be used to escape their VFS and download system files. So this has been patched in version 11.1.0. And in particular, if you are exposing CrushFTP to the public, you should patch now, as CrowdStrike states that this vulnerability has already been exploited. There are also patches available for version 10 of CrushFTP, and version 9, according to CrushFTP, is no longer supported, so no one should be running it anymore according to them.

2:07
And we have an interesting vulnerability, or maybe, well, an easy to abuse feature in GitHub that is being abused in order to distribute malware. One of the problems with repositories like GitHub is that, well, there are different user accounts with widely different reputation. For example, one account that you probably would trust most of the time is Microsoft. But there is a trick where you can make any file look like it's hosted on Microsoft's GitHub account, because, well, it actually is. The trick is that you leave a comment for a commit and attach the malicious file to the comment. Later you delete the comment. However, the file will remain part of GitHub's Microsoft repository, if you want to call it this. Basically it's part of the Microsoft account of GitHub, and the URL very much looks like a Microsoft GitHub URL as you're offering this link to an unsuspecting victim for download. So this is sort of a URL obfuscation trick, more a social engineering trick in that sense, than actually sort of an exploit. Definitely something to be aware of. It's not clear yet if GitHub is able or will be fixing this. At the very least, I guess they could allow the repository owner to then delete these files. Disabling comments is also only possible in a temporary fashion, not sort of in a global forever way.

3:50
And YubiKey fixed a vulnerability, and it's in YubiKey Manager for Windows. It only affects the Windows version of this tool. The problem here is a relatively simple privilege escalation issue: the YubiKey Manager GUI tool is usually opened as an administrator, but if you then open a browser window from within the YubiKey Manager GUI, it will open that browser window as an administrator, which then of course could lead to some privilege escalation. That bug is now fixed in the latest version, anything later than 1.2.6. Non-Windows versions do not require any kind of administrative permissions to interact with FIDO authenticators, so that's why they are not affected.

4:38
Then just a quick update on Palo Alto. The sort of usual whack-a-mole continues, where attackers are coming up with new exploits that in particular are bypassing some of the early threat IDs that Palo Alto published as part of its threat prevention subscription, so just make sure you keep that updated. I'll link again in the show notes to the advisory by Palo Alto so you get the latest and greatest update.

5:12
Well, that's it again for today. Thanks for listening. Thanks for subscribing. If you are just occasionally listening, definitely nice if you subscribe. And also this podcast is available via your Amazon Alexa if you want to add it to your morning flash briefing. Thanks and talk to you again tomorrow. Bye.