Hello and welcome to the Tuesday, February 18th, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ulrich and today I'm recording from
Jacksonville, Florida. Well, today's diary was a little bit
more of an opinion piece, but with a practical background.
And that is, we are seeing so many vulnerabilities in these
edge devices. CISA and a couple of other international
government agencies did come up with their guidance. I
found it a little bit too abstract in some ways, so I
wanted to distill it down in particular with sort of a
small, medium-sized business background. And what you can
do to really make an impact here and reduce your attack
surface. And that's really one of the big things: reduce
your attack surface. Don't expose those admin interfaces.
Expose as little as possible. Never expose a web application
that you don't have to expose. Simple SSH access, maybe a VPN
like OpenVPN or WireGuard or whatever your preferred VPN
technology is. And even at that, you know, leave it at
one VPN technology. Don't have like two or three exposed.
That'll make life so much easier. And then, of course,
patching and such follows. But that then becomes a little bit
less important. And it's one of those things where you
don't have to be quite behind it to really get stuff updated
as quickly as possible if you're not exposing a lot of
these vulnerable services. Well, take a look. Any
feedback here is very welcome. If there is anything that you
would do different or maybe rank here a little bit
different, let me know. And then a little bit of an update
to the Postgres vulnerability that I talked about yesterday.
That vulnerability, well, there is a Metasploit module
out for it. So consider it already being exploited.
I forgot to mention that yesterday. But given that
Rapid7 did the original write-up, and Rapid7 is the company
behind Metasploit, it's no surprise that they also came out with a
Metasploit module to exploit this vulnerability. And the
Japanese CERT is reporting that they're seeing exploits
against a vulnerability in Ivanti Connect Secure. This
vulnerability was originally disclosed and patched in
January. The particular botnet that the Japanese CERT is
observing here, they're calling it Spawn, or, for this
particular vulnerability, SPAWNCHIMERA is what they're
calling it. Not sure if it goes by any other names. The
advisory from the Japanese cert is only in Japanese. I'll
still link to it, probably with Google Translate and
such. You'll still be able to make sense of it.
Interestingly, this particular exploit also patches the
vulnerability for you. Now, it does not use the original
patch. This particular vulnerability is a buffer
overflow. So they're actually just hooking into the strncpy
function, limiting it to 256 bytes. That way,
they're preventing the buffer overflow from being exploited.
And we have more buffer overflow vulnerabilities in
compression software; this time it's WinZip's turn. When
it decompresses 7-Zip formatted compressed files, it
may encounter a buffer overflow that then leads to
arbitrary code execution. A patch was released. If you're
running WinZip version 29 or later, you should be good. And
Xerox fixed a couple of vulnerabilities in its
enterprise printers. We all love printers and the
vulnerabilities they bring us. The one interesting
vulnerability here, I think, is a credential interception
vulnerability with SMB and FTP where essentially it's
possible to intercept NTLM hashes. Patches are available
for these printers. And again, these are their
enterprise-class multifunction devices/printers. Well,
and that's it for today. Thanks for listening. A little
bit shorter today. Just too cold here for the full five
minutes. So thanks and talk to you again tomorrow. Bye.
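The in-memory "patch" described above for the Ivanti exploit, hooking strncpy and capping the length at 256 bytes, is easier to reason about with a small model. The following is an added example written for this page; it is not code from the Stormcast, from Ivanti, or from the SPAWNCHIMERA malware. The 256-byte buffer, the canary standing in for whatever sits after the buffer on the stack, and the function names are assumptions for illustration. The vulnerable pattern is a copy whose length comes from attacker-controlled input rather than from the destination size; the hook swaps the copy routine for one that clamps the length before forwarding to the real strncpy.

```c
/*
 * Added example (not from the Stormcast, Ivanti, or the malware): a
 * user-space model of hooking strncpy() and clamping its length to 256
 * bytes so an over-long copy into a 256-byte buffer is truncated instead
 * of overflowing. Frame layout, BUF_SIZE, the canary and all names are
 * assumptions for illustration only.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define BUF_SIZE   256          /* assumed size of the target buffer */
#define HOOK_LIMIT 256          /* the cap the transcript describes */
#define CANARY_VALUE 0xDEADBEEFu

/* A frame with a fixed buffer; the canary after it stands in for the
 * saved registers / return address an overflow would clobber. */
struct frame {
    char     buf[BUF_SIZE];
    uint32_t canary;
};

/* The copy routine is taken through a function pointer so the "patch"
 * can be swapped in without touching the caller, which is what a hook does. */
typedef char *(*strncpy_fn)(char *, const char *, size_t);

/* Length the hook will actually pass on to the real strncpy. */
size_t clamp_len(size_t n)
{
    return n > HOOK_LIMIT ? HOOK_LIMIT : n;
}

/* The hooked strncpy: identical to libc strncpy except that n is capped. */
char *hooked_strncpy(char *dst, const char *src, size_t n)
{
    return strncpy(dst, src, clamp_len(n));
}

/* Would an unclamped copy of n bytes overrun the buffer? Checked here
 * instead of executing the unpatched copy, which would be undefined
 * behaviour and could crash the demonstration. */
int copy_would_overflow(size_t n)
{
    return n > BUF_SIZE;
}

/* Vulnerable pattern: attacker_len comes from the request (e.g. a header
 * length field), not from sizeof f.buf. Returns 1 if the canary survived.
 * Only call with copy == strncpy when attacker_len <= BUF_SIZE. */
int receive_field(const char *attacker_data, size_t attacker_len, strncpy_fn copy)
{
    struct frame f;
    memset(f.buf, 0, sizeof f.buf);
    f.canary = CANARY_VALUE;
    copy(f.buf, attacker_data, attacker_len);
    return f.canary == CANARY_VALUE;
}

/* Constructed attacker input: attacker_len bytes of 'A'. Returns 1 if the
 * frame's canary is intact after the copy with the given routine. */
int simulate_attack(size_t attacker_len, strncpy_fn copy)
{
    char *payload = malloc(attacker_len + 1);
    if (!payload)
        return -1;
    memset(payload, 'A', attacker_len);
    payload[attacker_len] = '\0';
    int ok = receive_field(payload, attacker_len, copy);
    free(payload);
    return ok;
}

int main(void)
{
    size_t evil = 1000;    /* constructed over-long length */
    printf("unpatched copy of %zu bytes would overflow: %s\n",
           evil, copy_would_overflow(evil) ? "yes" : "no");
    printf("hooked strncpy forwards %zu bytes, canary intact: %s\n",
           clamp_len(evil), simulate_attack(evil, hooked_strncpy) ? "yes" : "no");
    printf("benign 5-byte field with real strncpy, canary intact: %s\n",
           simulate_attack(5, strncpy) ? "yes" : "no");
    return 0;
}
```

The model also shows why this kind of third-party hotfix is not a substitute for the vendor patch: the clamp is applied to every strncpy call in the process, so any legitimate caller that needs more than 256 bytes is silently truncated, and the fix lives only in memory, so it disappears on restart while the vulnerable code on disk is unchanged.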