ISC StormCast for Thursday, April 25th, 2024

Released Thursday, 25th April 2024
Episode Transcript

0:00

Hello and welcome to the Thursday, April 25th, 2024 edition of the SANS Internet Storm Center's StormCast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

0:14

Three years ago, Rob published some scripts to make it easier to read the NVD database, in particular on Windows systems. Well, Rob updated these scripts now in order to adapt them to the newer version of the API that is being offered by NIST. If you're interested in more details, you can find them in Rob's diary from today.

0:42

And Cisco released a blog post together with patches for three different vulnerabilities in response to some attacks that they have observed taking advantage of these vulnerabilities. Affected are Cisco ASA and Firepower devices. And the vulnerabilities being addressed here are really more the privilege escalation part. The initial attack vector, how the attacker originally got access as a non-dedicated user, is not included here, and they say they don't really know. So one assumption is that likely that initial attack vector was just some weak username and password combination that was brute forced or found somewhere else. Cisco believes that the attacker started working on this back in July and in January started actually launching the first attacks using this particular pattern and set of vulnerabilities.

1:43

Out of the three vulnerabilities, there are two particularly interesting. One is a local code execution vulnerability, the other one a command injection vulnerability. Between the two, I think there is at least one sort of directory traversal vulnerability. For example, one of these vulnerabilities allows an attacker who is able to restore a backup to overwrite files that they are not supposed to overwrite. That's very common when you're extracting zip files and the like and not properly validating the paths the files are being written into, that you end up overwriting files that you don't intend to overwrite. But overall, of course, this sort of continues the pattern you have seen over the last few years where perimeter devices are being attacked more and more. Patch your Cisco ASA and Firepower devices, but given that none of these patches affects the initial access, I wouldn't overly expedite these patches. If you're patching, also follow Cisco's advice to look for already compromised devices. They do offer some tips what to look for. Definitely do that, just in case someone was able to launch this attack against one of your devices.

3:03

Citizen Lab released a paper with details regarding weaknesses in encryption used by various Pinyin keyboard apps. Pinyin is a way how you type Chinese characters on Western keyboards, and with that, of course, many of the affected users and devices are in China or targeting the Chinese market. The encryption weaknesses are for the most part fairly straightforward and could reveal keystrokes as they're being typed by the user. One fundamental problem here, and one reason why the encryption matters, is also that many of these keyboards are using cloud components in order to, for example, do things like predictive typing, which necessitates the keystrokes being actually sent across the network. This is not the first time that vulnerabilities like this were found, and with these add-on keyboards, they may make typing faster, they may make things easier to use, even for non-Chinese speakers, even for English speakers there are some keyboards like this, but personally I would stay away from anything that sends your keystrokes across the network.

4:25

Then, a couple of vulnerabilities: there is an update for the Node MySQL 2 library. That's a library that allows Node JavaScript to connect to MySQL. The vulnerabilities sound bad at first, like remote code execution, but note that in order to exploit these vulnerabilities, an attacker already has to be able to connect to the database using Node MySQL 2, so this is not something that a random user connecting to a website could necessarily exploit. Still, it's something that you probably do want to address, given that it could lead to remote code execution on the database server. But several of Cochrane did publish a blog post with some of the vulnerabilities he found. Not all of them have been addressed at this point; in part, they're going public in order to put some pressure here on the Node MySQL 2 team in order to patch the remaining vulnerabilities.

5:30

And if you're using one of the popular Netgear Nighthawk routers, make sure your firmware is up to date. The latest update does fix a buffer overflow vulnerability that could lead to an authentication bypass.

5:42

Well, that's it for today. Today on Thursday we also have the AI forum, a number of SANS instructors, including myself, talking a little bit about AI and information security, so if you're interested, tune in. You should be able to find it at sans.org/AI. Well, that's it for today. Thanks for listening and talk to you again tomorrow. Bye!
