ISC StormCast for Wednesday, April 17th, 2024

Released Wednesday, 17th April 2024

Episode Transcript

0:00

Hello and welcome to the Wednesday, April 17th, 2024 edition of the SANS Internet Storm Center's StormCast. My name is Johannes Ullrich and today I'm recording from Washington, DC.

0:14

Well, it took less than a weekend. It's out. We got all the details necessary in order to exploit the Palo Alto Networks GlobalProtect vulnerability. Turns out the vulnerability is a directory traversal vulnerability in the session ID. So the way the exploit works is that the attacker would send a cookie. That cookie takes advantage of this directory traversal vulnerability to write a file, and that's sort of where a second part here comes in. That file is then being executed by the telemetry component. watchTowr, Rapid7 and others have written some good detailed write-ups about how this vulnerability exactly works and how it's being exploited. But we are now seeing sort of these random internet-wide exploits. I posted one in a diary today. This particular version of the exploit that was observed and was sent to us does copy the configuration file to a readable directory. So an attacker could basically use the exploit, copy the configuration file and then just read it by pointing a web browser to the file that was created. Well, there are a couple of constraints the developer of the exploit had to overcome in order to make this a working, reliable exploit. In hindsight, of course, these are always pretty easy, and at this point it should be pretty straightforward to deploy your favorite crypto miner, ransomware or web shell in order to further exploit the system.

1:55

And over the last couple of days, vulnerability in the very popular SSH value

2:24

that's unique to a particular nonce is used multiple times, or if the nonce is guessable, then an attacker is able to deduce the secret key and with that compromise the SSH connection. The problem apparently here with PuTTY is that they created a nonce that's only 512 bits long, not 521 bits. That led to the first few bits always being zero, which enables an attacker to retrieve the secret key by observing 60 signatures, essentially 60 new connections. PuTTY versions from 0.68 to 0.80 are affected by this vulnerability. Earlier versions did not include this particular algorithm, so they are not affected by this vulnerability. Other software derived from PuTTY like FileZilla, WinSCP, TortoiseGit and TortoiseSVN are affected as well.

3:29

Oracle released its quarterly Critical Patch Update for April 2024. This particular update does fix 441 different vulnerabilities. The number, as always, is large, but it also covers a large number of products. I quickly sort of skipped through it. There are a few sort of 9.8 vulnerabilities, so CVSS score of 9.8. They are pretty much all related to some known vulnerabilities in open source components that are used by various Oracle products. Definitely apply the update, but totally understand these are complex updates to apply, in particular for some of the more critical products delivered by Oracle.

4:17

And Ivanti released an update for its Avalanche Mobile Device Management solution. This fixes a number of different vulnerabilities. A couple of highlights here: there are two 9.8 CVSS score vulnerabilities. They're both heap overflows that allow arbitrary code execution for unauthenticated users. Also interesting, a number of 8.8 vulnerabilities. So CVSS score of 8.8, they all are requiring authentication but then allow for the arbitrary code execution as SYSTEM with a directory or path traversal vulnerability, just like what we just had with Palo Alto. Think about the eight or so vulnerabilities whose description looks pretty much identical. This update, according to Ivanti, will also apply some new security hardening. They do state that you need to have your MS SQL database password available as it's not stored for subsequent installs.

5:24

Well, that's it for today, so thanks for listening and talk to you again tomorrow.
