ISC StormCast for Wednesday, May 10th, 2023

Released Wednesday, 10th May 2023

Episode Transcript

0:00

Hello and welcome to the Wednesday,

0:02

May 10th, 2023 edition of the SANS Internet Storm Center's

0:08

Stormcast. My name is Johannes Ullrich

0:10

and I am recording from Jacksonville,

0:12

Florida. Well

0:15

it was Patch Tuesday. I think I actually

0:17

got it wrong earlier this week where I mentioned

0:20

Patch Tuesday would be next week, but luckily

0:23

Renato has his act together

0:26

and published his usual concise

0:29

overview of all the patches released

0:32

by Microsoft.

0:34

49 vulnerabilities patched, 6 critical

0:37

and 2 are already being exploited.

0:41

One of the exploited vulnerabilities

0:43

that I thought was kind of interesting was

0:46

Secure Boot security feature bypass

0:49

vulnerability. We had vulnerabilities like

0:51

this before. Not absolutely

0:54

sure which exact variety

0:56

here has already been exploited or whether

0:59

it was already published, CVE-2023-24932. Of

1:05

course in order to exploit this

1:07

vulnerability you need to have physical

1:09

access to the system but that's

1:12

exactly what Secure Boot

1:14

is supposed to protect.

1:17

The second already exploited vulnerability

1:19

is one of those Win32k

1:22

elevation of privilege vulnerabilities.

1:25

Plenty of them in the past so no real

1:27

big surprise here. CVE-2023-29336. CVSS

1:34

score of 7.8, which is kind of what

1:36

you usually get for

1:38

a privilege escalation vulnerability.

1:41

Among the critical vulnerabilities the most

1:44

interesting one is probably the

1:46

Windows Network File System vulnerability.

1:49

A system that we have had a number

1:52

of critical vulnerabilities against in

1:54

the past. Some exploits

1:56

were released against those past

1:58

vulnerabilities.

1:59

CVSS score of 9.8, unauthenticated

2:05

remote code execution over

2:07

the network. As a workaround,

2:10

Microsoft recommends disabling

2:13

NFS version 4. Version 2

2:16

and 3 are not affected

2:18

by this vulnerability. However, Microsoft

2:20

points out there was an earlier vulnerability just

2:22

a year ago in May 2022. So

2:25

that one you still need to patch even

2:28

if you do apply the

2:29

workaround. You also need

2:32

to restart the NFS

2:34

server after you apply the necessary

2:37

configuration change. I don't believe

2:39

NFS is enabled by default

2:42

in Windows, but it may

2:44

easily be enabled if you need

2:46

it for example, often to interact

2:49

with Unix systems. But that's

2:51

not the only remote code execution

2:53

vulnerability that can be exploited over the

2:56

network. The second vulnerability

2:58

is affecting the LDAP

3:01

server, CVE-2023-28283. And this again allows an unauthenticated

3:03

attacker to exploit the

3:12

LDAP server by sending

3:14

some crafted LDAP calls.

3:17

Both of these vulnerabilities, NFS

3:19

as well as LDAP, should be

3:22

blocked by any halfway sanely

3:24

configured firewall. Remaining

3:26

critical vulnerabilities affect the

3:29

Secure Socket

3:29

Tunneling Protocol, also something that

3:32

was patched in prior months as well.

3:35

The Pragmatic General Multicast

3:39

protocol. This one, I

3:40

think is a bit interesting. Don't know enough

3:43

about the protocol, but again, a 9.8

3:46

CVSS score here, and

3:49

does lead to remote code execution. Windows

3:52

OLE remote code execution vulnerability,

3:55

well, had plenty of OLE vulnerabilities.

3:58

So not really all that excited

3:59

by this one. And

4:02

the final critical vulnerability affects

4:05

the SharePoint server. So

4:07

certainly double check your perimeter firewall

4:10

configuration, make sure none of

4:12

this LDAP and NFS traffic

4:15

can either enter or leave

4:17

your network and, well,

4:19

just get patching.

4:21

And as usual Renato is

4:24

considering the Chromium vulnerabilities

4:26

that we already talked about that were patched

4:29

a couple days ago as part of

4:31

the 59 vulnerabilities patched

4:34

at

4:34

Patch Tuesday.

4:37

And GitHub today announced push protection.

4:40

Push protection has been in beta for

4:42

a while, but now it's an official

4:44

feature. It's available to free

4:47

accounts, so you don't have to pay

4:49

for it and the big deal about it is that

4:51

it will automatically prevent the

4:54

pushing of changes that

4:56

contain secrets. It

4:59

does sort of know the format of a

5:01

number of different API keys

5:03

and the like and if any of

5:06

your changes contains one of

5:08

those secrets then the push

5:10

will be rejected. If you

5:12

have signed up for GitHub's Advanced

5:15

Security, then you'll also

5:17

be able to customize the patterns

5:20

that are being detected so you could

5:22

include like some internal API

5:25

key format or such that's not

5:27

part of the public set

5:29

that GitHub looks for. I can

5:31

see a couple false positives here when you have like

5:33

sample keys and the like. I'm not

5:35

sure yet how this exactly will

5:38

be dealt with.

5:40

Well, and that's it for today.

5:43

Thanks for listening. As usual, if

5:45

I forgot something, please let

5:47

me know. If I made a mistake, please let

5:49

me know. That's how I know that someone is actually

5:52

listening. Thanks, and talk to you

5:54

again tomorrow. Bye.
