Episode Transcript
0:00
Hello and welcome to the Thursday, April 25th, 2024 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

0:14
Three years ago, Rob published some scripts to make it easier to read the NVD database, in particular on Windows systems. Well, Rob updated these scripts now in order to adapt them to the newer version of the API that is being offered by NIST. If you're interested in more details, you can find them in Rob's diary from today.

0:42
And Cisco released a blog post together with patches for three different vulnerabilities in response to some attacks that they have observed taking advantage of these vulnerabilities. Affected are Cisco ASA and Firepower devices. And the vulnerabilities being addressed here are really more the privilege escalation part. The initial attack vector, how the attacker originally got access as a not dedicated user, is not included here, and they say they don't really know. So, one assumption is that likely that initial attack vector was just some weak username and password combination that was brute forced or found somewhere else. Cisco believes that the attacker started working on this back in July and in January started actually launching the first attacks using this particular pattern and set of vulnerabilities.

1:43
Out of the three vulnerabilities, there are two particularly interesting ones. One is a local code execution vulnerability, the other one a command injection vulnerability. Between the two, I think there is at least one sort of directory traversal vulnerability. For example, one of these vulnerabilities allows an attacker who is able to restore a backup to override files that they are not supposed to override. That's very common when you're extracting zip files and the like and not properly validating the paths the files are being written into, that you end up overriding files that you don't intend to override. But overall, of course, this sort of continues the pattern you have seen over the last few years where perimeter devices are being attacked more and more. Patch your Cisco ASA and Firepower devices, but given that none of these patches affects the initial access, I wouldn't overly expedite these patches. If you're patching, also follow Cisco's advice to look for already compromised devices. They do offer some tips what to look for. Definitely do that, just in case someone was able to launch this attack against one of your devices.

3:03
Citizen Lab released a paper with details regarding weaknesses in encryption used by various Pinyin keyboard apps. Pinyin is a way how you type Chinese characters on Western keyboards, and with that of course many of the affected users and devices are in China or targeting the Chinese market. Encryption weaknesses are for the most part fairly straightforward and could reveal keystrokes as they're being typed by the user. One fundamental problem here, and one reason why the encryption matters, is also that many of these keyboards are using cloud components in order to, for example, do things like predictive typing, which necessitates the keystrokes being actually sent across the network. This is not the first time that vulnerabilities like this were found, and with these add-on keyboards, they may make typing faster, they may make things easier to use, even for non-Chinese speakers, even for English speakers there are some keyboards like this, but personally I would stay away from anything that sends your keystrokes across the network.

4:22
The couple with Linus vulnerabilities, there is an update for the Node MySQL 2 library. That's a library that allows Node JavaScript to connect to MySQL. The vulnerabilities sound bad at first, like remote code execution, but note that in order to exploit these vulnerabilities, an attacker already has to be able to connect to the database using Node MySQL 2, so this is not something that a random user connecting to a website could necessarily exploit. Still, it is something that you probably do want to address, given that it could lead to remote code execution on the database server. But Vsevolod Kokorin did publish a blog post with some of the vulnerabilities he found. Not all of them have been addressed at this point; in part they're going public in order to put some pressure here on the Node MySQL 2 team in order to patch the remaining vulnerabilities.

5:27
And if you're using one of the popular Netgear Nighthawk routers, make sure your firmware is up to date. The latest update does fix a buffer overflow vulnerability that could lead to an authentication bypass.

5:42
Well, that's it for today. Today on Thursday we also have the AI forum, a number of SANS instructors including myself talking a little bit about AI and information security, so if you're interested, tune in. You should be able to find it at sans.org/AI. Well, that's it for today. Thanks for listening and talk to you again tomorrow. Bye!