Episode Transcript
0:00
Hello and welcome to the Wednesday, April 17th, 2024 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Washington,
0:12
DC. Well, it took less than a weekend. It's out. We got all the details necessary in order to exploit the Palo Alto Networks GlobalProtect vulnerability. Turns out the vulnerability is a directory traversal vulnerability in the session ID. So the way the exploit works is that the attacker would send a cookie. That cookie takes advantage of this directory traversal vulnerability to write a file, and that's sort of where a second part here comes in. That file is then being executed
0:50
by the telemetry component. watchTowr, Rapid7 and others have written some good, detailed write-ups about how this vulnerability exactly works and how it's being exploited. But we are now seeing sort of these random internet-wide exploits. I posted one in a diary today. This particular version of the exploit that was observed and was sent to us does copy the configuration file to a readable directory. So an attacker could basically use the exploit, copy the configuration file and then just read it by pointing a web browser to the file that was created. Well, there are a couple of constraints the developer of the exploit had to overcome in order to make this a working, reliable exploit. In hindsight, of course, these are always pretty easy, and at this point it should be pretty straightforward to deploy your favorite crypto miner, ransomware or web shell in order to further exploit
1:55
the system. And over the last couple of days, vulnerability in the very popular SSH value
2:24
that's unique to a particular nonce is used multiple times, or if the nonce is guessable, then an attacker is able to deduct the secret key and with that compromise the SSH
2:41
connection. The problem apparently here with PuTTY is that they created nonces that are only 512 bits long, not 521 bits. That led to the first few bits always being zero, which enables an attacker to retrieve the secret key by observing 60 signatures, essentially 60 new connections. PuTTY versions from 0.68 to 0.80 are affected by this vulnerability. Earlier vulnerabilities did not include this particular algorithm, so they are not affected by this vulnerability. Other software derived from PuTTY like FileZilla, WinSCP, TortoiseGit and TortoiseSVN are affected
3:29
as well. Oracle released its quarterly Critical Patch Update for April 2024. This particular update does fix 441 different vulnerabilities. The number, as always, is large, but it also covers a large number of products. I quickly sort of skipped through it. There are a few sort of 9.8 vulnerabilities, so CVSS score of 9.8. They are pretty much all related to some known vulnerabilities in open source components that are used by various Oracle products. Definitely apply the update, but totally understand these are complex updates to apply, in particular for some of the more critical products delivered by
4:17
Oracle. And Ivanti released an update for its Avalanche Mobile Device Management solution. This fixes a number of different vulnerabilities. A couple of highlights here: there are two 9.8 CVSS score vulnerabilities. They're both heap overflows that allow arbitrary code execution for unauthenticated users. Also interesting, a number of 8.8 vulnerabilities, so CVSS score of 8.8. They all are requiring authentication but then allow for the arbitrary code execution as SYSTEM with a directory or path traversal vulnerability, just like what we just had with Palo Alto. Think about the eight or so vulnerabilities whose description looks pretty much identical. This update, according to Ivanti, will also apply some new security hardening. They do state that you need to have your MS SQL database password available as it's not stored for subsequent
5:24
installs. Well, that's it for today, so thanks for listening and talk to you again tomorrow.