Hello and welcome to the Friday, February 14th, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich and today I'm recording from
Jacksonville, Florida. Running a honeypot is a lot of fun,
but sometimes if you're trying to explain to, let's say, a
family member during packet night or maybe just for your
own interest what exactly is happening with the honeypot,
well, this can be a little bit tricky to sift through all the
logs. Guy luckily set up a SIEM add-on for our honeypot that
provides you with some real neat dashboards that really
put some light behind the scenes and show you what
exactly is happening, what attacks the honeypot is seeing
in a relatively nice graphical representation. This is all
built around Elasticsearch, so the usual ELK stack of
Elasticsearch, Logstash, Kibana is what you have in this
particular setup. A bunch of additional software, Zeek, so
some packet analysis here as well. That's all neatly
summarized. The latest version was just released by Guy and he
did write up a quick summary with some screenshots in his
diary today. So take a look and just one little word of
caution here. Because of all the add-on software, this does
not run sort of in our minimum hardware configuration. You
may need something a little bit more beefy. I've run it
sort of on essentially one of these N100, so these low-end
Intel CPUs that actually sometimes are competitively
priced compared to, let's say, a Raspberry Pi, depending on
the exact setup that you're looking for. And then we got
some Palo Alto vulnerabilities to talk about. This
vulnerability is actually kind of interesting. It's not sort
of your very straightforward command injection or something
like this. It's, as Searchlight Cyber calls it, a
path confusion vulnerability. And it is a common problem in
the sense that whenever you sort of have middle boxes that
are doing authentication for you, that are rewriting URLs,
well, you have to be careful that all the components in
your forwarding chain are interpreting headers and paths
the same way. And that's exactly what's happening here.
They're using NGINX as sort of a front-end proxy that has
some of the authentication. Another problem here is sort
of the adding of authentication-specific
headers and then forwarding the request to Apache, which
then rewrites it, and then it's finally being executed by
PHP. So we have like three different components here. And
due to different interpretations of the path
along the chain, well, we end up with arbitrary code
execution, where essentially an attacker is able to execute
specific PHP scripts without authenticating because the
backend is essentially confused about whether or not this
particular request does actually require
authentication or not. Interesting vulnerability. If
you're working with similar systems, I think this is a must
read and you really need to understand how headers are
being dealt with along sort of a chain of different middle
boxes and web servers and the like, and also how URLs may be
rewritten. In particular, this was kind of caused by a little
bit of unexpected Apache behavior. So definitely
something to read up on. Maybe something I'll post some
special video about at a later time. The Register is also
reporting that they heard of certain Palo Alto devices
randomly rebooting. Doesn't appear to be an attack as far
as I can tell, but of course it could be some kind of
denial of service condition that's being triggered here by
specific requests. Apparently there is an update available
from Palo Alto that fixes this issue if you have it, or maybe
just leave it rebooting. It may make it actually a little
bit more difficult to exploit those devices. And
Recorded Future has an update on Salt Typhoon, the threat
actor that did compromise a large number of telco
companies. Apparently they're still out there. They're still
attacking devices, focusing somewhat on older Cisco
vulnerabilities. So definitely keep those updated.
CVE-2023-2273 is what they're particularly looking for.
Recorded Future calls all of this RedMike. And then also
interesting that they're using a GRE tunnel for command
and control. Something I don't really see done a lot, and
something that should trigger all kinds of alarms. But well,
we're talking about people who haven't applied year-old
Cisco updates yet. So they may not be looking for odd
protocols on their network either. And then miscellaneous
updates. We do have an update for CrowdStrike's Falcon
sensor for Linux. Fixes a TLS issue that would allow for
machine-in-the-middle attacks between the sensor and the
cloud where any events are being reported to. Definitely
something you do want to address. A little bit
interesting that we had a TLS issue kind of like that also
recently in Linux itself. So that's definitely something
that may have sort of trickled into the Falcon sensor. Just
apply the update. Well, and that's it for today. Thanks
for listening and talk to you again on Monday. Bye.
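As an added example (not code from the podcast, from Palo Alto, or from Searchlight Cyber), here is a hypothetical front-end check for the class of bug described above: the request path is classified both as received and after the kind of normalization a backend applies, and the request is denied whenever the two views disagree, which is exactly the gap a proxy chain's auth check can fall into. The `PUBLIC_PREFIXES` rule and the normalization steps are assumptions for illustration.

```python
"""Guard against path confusion between a front-end proxy and its backend.

Hypothetical setup: the front end exempts everything under /public/ from
authentication. If it matches that prefix on the raw request path while the
backend serves the decoded, dot-segment-resolved path, the two disagree on
requests such as /public/../admin.php. Deciding on both views and refusing
when they differ closes that gap.
"""
from urllib.parse import unquote

# Constructed rule: paths the front end would serve without authentication.
PUBLIC_PREFIXES = ("/public/",)


def normalize(raw_path: str) -> str:
    """Approximate a backend's view: percent-decode once, drop empty and '.'
    segments, resolve '..', keep a trailing slash if the request had one."""
    decoded = unquote(raw_path)
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    path = "/" + "/".join(segments)
    if decoded.endswith(("/", "/.", "/..")) and path != "/":
        path += "/"
    return path


def decide(raw_path: str) -> str:
    """Return 'allow', 'auth' (authentication required) or 'deny'.

    'deny' is returned when the raw and normalized paths would be classified
    differently, so a request can never be public on one hop and private on
    the next."""
    raw_public = raw_path.startswith(PUBLIC_PREFIXES)
    norm_public = normalize(raw_path).startswith(PUBLIC_PREFIXES)
    if raw_public != norm_public:
        return "deny"
    return "allow" if norm_public else "auth"


if __name__ == "__main__":
    for p in ("/public/index.html", "/public/../admin.php", "/admin.php"):
        print(f"{p:30} -> {decide(p)}")
```
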