ISC StormCast for Wednesday, April 24th, 2024

Released Wednesday, 24th April 2024

Episode Transcript

Transcripts are displayed as originally observed. Some content, including advertisements may have changed.

0:00

Hello and welcome to the Wednesday, April 24th, 2024 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida. Quick diary today about an uptick in scans for a Struts 2 DevMode problem. I call it a problem, not a vulnerability, kind of on purpose, because it's really a feature that you should not see enabled on a publicly exposed production website. DevMode, as the name implies, is meant for development. It's basically a debug mode: it gives you additional logs and also error messages being displayed to the screen, which is probably not that great either. But most importantly, as far as we're concerned here, it also gives you a simple web shell that you can use to execute OGNL expressions. We have seen lately a couple of days with pretty aggressive scans for this particular issue, trying to figure out if code execution is possible. So double-check your websites. Again, this is Struts 2 where this may be enabled, and it's a configuration setting. Usually not a problem on a development website that's not accessible to the public internet, but it definitely should not be enabled on a production website.

1:28

And researchers from Microsoft did publish details regarding an attack that they are attributing to Fancy Bear, or Forest Blizzard as Microsoft calls them these days, essentially the Russian GRU. And this attack uses a tool that they refer to as GooseEgg that takes advantage of a number of older print spooler vulnerabilities that Microsoft fixed in 2021 and 2022. You may remember the term PrintNightmare. That's sort of what these vulnerabilities were referred to under, and, well, apparently some people still haven't patched. In this case, probably nation-state actors aren't the only ones taking advantage of your systems if you are still quite a bit behind on patching like this. But then again, we also still see Equation Editor being exploited.

2:26

And Microsoft also released the April 2024 Exchange Server Hotfix Update, or often also referred to as HU. This update itself is not a security update. However, it does fix a couple of functional issues that you may have experienced after applying the March 2024 Security Update, or SU. So if you held back on applying the March security update, then please update now. Use this April hotfix update in order to fix any functional issues that have come up. There are also a couple of security-related updates here. One is support for elliptic curve certificates, and then for hybrid modern authentication and Outlook Web Access.

3:19

And earlier this month, I did mention a remote code execution vulnerability in Progress Software's Flowmon, Flowmon being a tool to monitor network traffic, either for performance or security. There is now a rather straightforward exploit available for this vulnerability. So definitely, this is now a must-patch, no authentication required. Rhino Security Labs, they published a blog with details about this vulnerability. It's pretty much your textbook command injection vulnerability. The root cause here is how Flowmon creates PDFs. It has a feature where you can turn certain graphs and such that you created into PDFs. Well, that calls an operating system command, a script, to create PDFs. The arguments are not properly escaped, even though, the way they call it, it would be relatively straightforward to do it, as Rhino Security points out, but this was sort of just a simple omission here. And with this vulnerability, it's then also possible to write a file into the document root, which can easily be used to then create a web shell. So easy exploit, definitely a must-patch vulnerability at this point. I would say even if you don't directly expose this product to the internet, this would be sort of a great internal kind of way to leverage this vulnerability, given also the network access that this particular tool provides.

4:56

And one of the often discussed no-nos in security is to download updates over HTTP versus HTTPS, but still occasionally tools are using HTTP. It's often hard to point to an actual incident where this caused a problem. Well, we have one nicely documented now. Avast has published a blog post where attackers have exploited just this vulnerability in the eScan antivirus update mechanism. Even more interesting, of course, that it's a security product again getting us into trouble here. This particular vulnerability was fixed in July last year, or at least reported and fixed shortly afterwards in July. Well, it has been exploited in order to infiltrate networks with backdoors and also the occasional crypto coin miner.

5:49

Well, and this is it for today. So thanks for listening. Thanks for any feedback that I got. Actually, only one person noted that I got the date wrong, apparently, yesterday. I haven't listened to it myself. Let me know if anything is wrong with these podcasts, if I can improve anything; always willing to listen. And as usual, please let your friends know, enemies, let everybody know that there is this great podcast they should all listen to. Thanks, and talk to you again tomorrow. Bye.
