Hello and welcome to the Friday, June 6, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and this episode, brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Engineering, is recorded in Jacksonville, Florida.

Well, in Diaries today we have an interesting one from Xavier, who ran into a, well, a scam involving Zoom in this case. The scam arrived as an email. The email was a fake invite for a Zoom meeting. Now, that overall looked legit, has the right layout, right format. And then if you click on the link to join the actual meeting, you'll be greeted with, well, an update notice that your Zoom client is out of date and you need to update it. Something like this I've definitely seen in other online meeting software, where you try to join a meeting, you haven't used a particular client in a while because there are so many of them out there, and you're presented with a notice like this that you should update your client. And that would be certainly something that a user could easily fall for, in particular if you sort of created that urgency of having to join this meeting right now, not really being able to wait, just want to get started, want to download that client and get going. Interesting scam here. Certainly something to probably throw into some kind of awareness presentation.

Well, and then we have a new vulnerability in the Python tarfile module. That module has had issues in the past, and there are some fundamental problems whenever you are trying to extract files from something like a tar file or a zip file. And that's usually related to the fact that you may create arbitrary files, additional directories that you don't necessarily intend or want to have created. Now, in the past, there has been a little bit of back and forth between the maintainer of the tarfile module and users about how much it's the responsibility of the tarfile module, or how much it is the user, basically how they're using this module, who is to blame for any security issues around this. Well, in Python 3.12, they actually added a new parameter called filter. And that basically constrains a little bit more what can happen with a tar file as it's being untarred. First of all, you have the option of fully trusted. That's kind of the old behavior where basically any file is being created, the permissions are being set and the like, essentially just like you're running the tar command on the command line. And then you have the tar feature here, the tar filter, and it will only honor tar-specific filters. And then finally, you do have the data filter. That's sort of the more interesting one here. It allows you to extract any data, any files, but it does not adjust permissions. And with that, for example, it would evade some of the privilege escalation issues. Well, the problem is that apparently these particular features haven't been working correctly. And as a result, it did actually set permissions, even if you set the data filter. And well, that is also the default in the Python 3.14 version. So update Python. And as usual, always be careful when you are extracting files like tar, zip, or any kind of compound file like this.

And then we got updates from HP, HP Enterprise, Insight Remote Support. This software suffers from a directory traversal that can then lead to a remote code execution vulnerability. The vulnerability was originally identified by the Zero Day Initiative. I'll link in the show notes to the Zero Day Initiative description because it's a bit more specific than what HP put out. But essentially, an unauthenticated hacker is able to execute code as SYSTEM.

Well, that's it for today. And for those of you wondering, well, I'm mentioning all these graduate certificates and such lately at the beginning of each podcast. I just want to point out that sans.edu is actually an accredited college. And as part of this, we're offering master's degrees, bachelor's degrees, but we're also offering various certificate programs. Certificate programs are usually three, four different classes that you get at a substantial discount. Everything includes certifications. So you not only get the credit certificate, you also get the individual GIAC certifications. That's it for today. Thanks for listening and talk to you again on Monday. Bye.