Episode Transcript
0:00
Hello and welcome to the Wednesday, April 24th, 2024 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, and today I'm recording from Jacksonville, Florida. Quick diary today about an uptick in scans for a Struts 2 devMode problem. I call it a problem, not a vulnerability, kind of on purpose, because it's really a feature that you should not see enabled on a publicly exposed production website. devMode, as the name implies, is meant for development. It's basically a debug mode: it gives you additional logs and also error messages being displayed to the screen, which is probably not that great either. But most importantly, as far as we're concerned here, it also gives you a simple web shell that you can use to execute OGNL expressions. We have seen lately a couple of days with pretty aggressive scans for this particular issue, trying to figure out if code execution is possible. So double-check your websites. Again, this is Struts 2, where this may be enabled, and it's a configuration setting. Usually not a problem on a development website that's not accessible to the public internet, but it definitely should not be enabled on a production website.
1:28
And researchers from Microsoft did publish details regarding an attack that they are attributing to Fancy Bear, or Forest Blizzard as Microsoft calls them these days, essentially the Russian GRU. And this attack uses a tool that they refer to as GooseEgg that takes advantage of a number of older print spooler vulnerabilities that Microsoft fixed in 2021 and 2022. You may remember the term PrintNightmare; that's sort of what these vulnerabilities were referred to under, and well, apparently some people still haven't patched. In this case, probably nation-state actors aren't the only ones taking advantage of your systems if you are still quite a bit behind on patching like this. But then again, we also still see Equation Editor being exploited.
2:26
And Microsoft also released the April 2024 Exchange Server hotfix update, often also referred to as HU. This update itself is not a security update. However, it does fix a couple of functional issues that you may have experienced after applying the March 2024 security update, or SU. So if you held back on applying the March security update, then please update now. Use this April hotfix update in order to fix any functional issues that have come up. There are also a couple of security-related updates here. One is support for elliptic curve certificates, and then for hybrid modern authentication and Outlook Web Access.
3:19
And earlier this month, I did mention a remote code execution vulnerability in Progress Software's Flowmon, Flowmon being a tool to monitor network traffic either for performance or security. There is now a rather straightforward exploit available for this vulnerability. So definitely this is now a must-patch, no authentication required. Rhino Security Labs, they published a blog with details about this vulnerability. It's pretty much your textbook command injection vulnerability. The root cause here is how Flowmon creates PDFs. It has a feature where you can turn certain graphs and such that you created into PDFs. Well, that calls an operating system command, a script, to create PDFs. The arguments are not properly escaped, even though, the way they call it, it would be relatively straightforward to do it, as Rhino Security points out, but this was sort of just a simple omission here. And with this vulnerability, it's then also possible to write a file into the document root, which can easily be used to then create a web shell. So easy exploit, definitely a must-patch vulnerability at this point. I would say even if you don't directly expose this product to the internet, this would be sort of a great internal kind of way to leverage this vulnerability, given also the network access that this particular tool provides.
4:56
And one of the often discussed no-nos in security is to download updates over HTTP versus HTTPS, but still, occasionally tools are using HTTP. It's often hard to point to an actual incident where this caused a problem. Well, we have a nicely documented one now. Avast has published a blog post where attackers have exploited just this vulnerability in the eScan antivirus update mechanism. Even more interesting, of course, that it's a security product again getting us into trouble here. This particular vulnerability was fixed July last year, or at least reported and fixed shortly afterwards in July. Well, it has been exploited in order to infiltrate networks with backdoors and also the occasional cryptocoin miner.
5:49
Well, and this is it for today. So thanks for listening. Thanks for any feedback that I got. Actually, only one person noted that I got the date wrong, apparently, yesterday. I haven't listened to it myself. Let me know if anything is wrong with these podcasts, if I can improve anything; always willing to listen. And as usual, please let your friends know, enemies, let everybody know that there is this great podcast they should all listen to. Thanks, and talk to you again tomorrow. Bye.