Hello and welcome to the Wednesday, February 12, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich and today I'm recording from
Jacksonville, Florida. Well, and of course, today we have
to start with Microsoft's Patch Tuesday. We got patches
for 55 different vulnerabilities. Three of
these are critical, two already exploited and two of
the vulnerabilities have been disclosed before today. So two
zero-days and then these other two could have
been zero-days, but at least we don't know of any exploitation
yet. Let me start with the vulnerability that worries me
the most, but that I think is also the difficult one to
really assess well. And this is an arbitrary code execution
vulnerability in LDAP. This vulnerability has a ton of
potential. A potential exploit would be able to essentially
get to the core of what Microsoft Windows
authentication is all about, the LDAP Active Directory. And
with that, pretty much any Windows network is potentially
vulnerable. However, at this point, we haven't really seen
an exploit against this vulnerability or similar
vulnerabilities that we had in prior months. Because if you
remember, we had a very similar vulnerability
description last month. And I think two or three months ago,
there was another LDAP vulnerability like that. What
you really should consider at this point is, given that we
have sort of this succession of different vulnerabilities,
there's always a chance that there are more coming. So keep
that in mind when you're mitigating this. Keep notes if
you're running into any issues with mitigation here. And
then, of course, know what you can do to provide additional
hardening for Active Directory and LDAP in your network.
Potentially, this vulnerability does not require
any user interaction to exploit. With that, it's also
wormable. However, of course, LDAP typically, at least I
hope in your network, is not exposed to the outside, which,
of course, limits the impact also somewhat of this
vulnerability. So a lot depends on how exactly you're
configuring your network. As far as the already exploited
vulnerabilities, those are actually not the ones that I'm
super concerned here, even though they are already being
exploited. They're both privilege escalation
vulnerabilities. A ton of those around. So I don't really
see them as having that much impact that we have two more
privilege escalation vulnerabilities. As for the already
disclosed vulnerabilities, there is yet another NTLM hash
disclosure/spoofing vulnerability. Again,
something that we pretty much have on a monthly basis. The
real trick here is to get rid of NTLM hashes in your
environment and, of course, not allow any outbound SMB or
similar connections from your network. And then there is
also a Microsoft Dynamics 365 elevation of privilege
vulnerability. Not the most popular software package, even
though companies that do run it probably have a ton of
critical data in their Microsoft Dynamics install.
Other than that, I think we're dealing here sort of with a
sort of, you know, overall average, maybe a little bit
less than average, Patch Tuesday. There's also a DHCP
client service remote code execution vulnerability. These
are always tricky if you have users in untrusted networks
and such because you can't really firewall off DHCP in
those networks. Excel and other office vulnerabilities,
again, nothing really all that fundamentally new, even though
there is a critical one here also being addressed. Overall,
address the patches. Watch out for the Active Directory and
LDAP part, how you're going to deal with that. Again, that's
the one that I would really focus my attention on. But a
lot depends on how this particular service is used and
configured in your network. And then we got all the
updates from Adobe for Patch Tuesday. They updated seven
different products. The one that I'm always paying
attention to that's also received patches again today
is Adobe Commerce. There are a number of different remote
code execution vulnerabilities actually being addressed here
that are triggered by a cross-site scripting vulnerability.
Stored cross-site scripting specifically, definitely
something that you must patch. Adobe also assigns these
vulnerabilities the highest priority because of the
history here that Adobe Commerce, Magento, as it used
to be called, is often being specifically targeted. And
then we also got confirmation from Fortinet that a
vulnerability in Fortinet that was patched a month ago, this
was the WebSocket issue, is now officially being
exploited. Actually, it has been exploited for a while, but now
we got confirmation from Fortinet. Fortinet has also seen
some exploits for it on the Internet that appear to be
valid. So definitely, if you haven't patched yet, consider
any unpatched devices compromised at this point.
Well, and this is it for today. So thanks for listening
and talk to you again tomorrow. Bye.
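A defender's audit of the mitigations mentioned in this episode (hardening LDAP on domain controllers, restricting NTLM, blocking outbound SMB), as an added PowerShell example that is not part of the Stormcast transcript. It assumes the registry value names Microsoft documents for the corresponding Group Policy settings and an elevated session on a Windows host; the NTDS values only exist on domain controllers.

```powershell
# Added audit script (not from the Stormcast): reads the effective registry values behind
# the NTLM-restriction and LDAP-hardening policies and checks for an outbound block on TCP/445.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value (or key) absent: the default applies
    return $item.$Name
}

$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$checks = @(
    # "Restrict NTLM: Outgoing NTLM traffic to remote servers": 2 = Deny all
    @{ Name = 'RestrictSendingNTLMTraffic'; Path = "$lsa\MSV1_0"; Want = 2 },
    # "LAN Manager authentication level": 5 = send NTLMv2 only, refuse LM and NTLM
    @{ Name = 'LmCompatibilityLevel';       Path = $lsa;          Want = 5 },
    # Domain controller only: "LDAP server signing requirements": 2 = Require signing
    @{ Name = 'LDAPServerIntegrity';        Path = $ntds;         Want = 2 },
    # Domain controller only: "LDAP server channel binding token requirements": 2 = Always
    @{ Name = 'LdapEnforceChannelBinding';  Path = $ntds;         Want = 2 }
)

foreach ($c in $checks) {
    $actual = Get-RegValue -Path $c.Path -Name $c.Name
    $status = if ($actual -eq $c.Want)  { 'OK' }
              elseif ($null -eq $actual) { 'NOT SET (default applies)' }
              else                        { 'WEAK' }
    $shown  = if ($null -eq $actual) { '-' } else { $actual }
    '{0,-28} actual={1,-4} want={2}  {3}' -f $c.Name, $shown, $c.Want, $status
}

# Outbound SMB: look for an enabled outbound block rule that covers TCP/445.
$smbBlock = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Where-Object {
        $f = $_ | Get-NetFirewallPortFilter
        $f.Protocol -eq 'TCP' -and ($f.RemotePort -contains '445')
    }
if ($smbBlock) { "Outbound SMB (TCP/445) block rule(s): $($smbBlock.DisplayName -join ', ')" }
else           { 'WEAK: no enabled outbound block rule for TCP/445 found' }
```

The registry reads show the value currently in effect regardless of whether it came from Group Policy or a local setting, so the script is suited to spot-checking a host rather than replacing a policy review.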