Hello and welcome to the Friday, January 23rd, 2026
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich and today I'm recording from
Jacksonville, Florida. And this episode is brought to you
by the SANS.edu graduate certificate program in
industrial control system security. As I mentioned
yesterday, we are currently looking for people
to fill in our SOC survey. So if you haven't gotten around
to it yet, a link to it can be found on the Internet Storm
Center's homepage.

Well, Xavier today looked at a new
tool, Bandit. Bandit is a tool that allows you to do static code
analysis of Python scripts. Xavier writes a lot of Python
and lately also a lot of Python with AI. And there's of
course a lot of issues that people run into when they are
using AI for coding. And in this particular case, it's a script
that Xavier wrote. It's about a thousand or so lines long.
So a pretty good size for a Python script. And he looked
at Bandit to give an idea whether or not the script is
reasonably secure. Well, it turned out it was actually
reasonably secure. It had some minor issues, but then of
course, all depends, as Xavier points out, how the particular
script is used, whether or not these issues matter. A lot of
the static code analysis is sometimes a little bit
mechanical in that sense. When it comes to using AI tools,
like vibe coding, as it's often referred to, one of the
important things, first of all, is that you design your
prompt correctly. And Xavier gives you some hints there in
how to do that and what to look for here. And in my
personal experience, it also helps a lot if you actually
know how to code and use AI sort of more as an assistant
versus having it write all of the code by itself. That way,
you sort of do a little bit of review anyway, as you're
checking what the AI tool created for you. And that also
usually helps with a lot of logic flow issues and such,
and some of the less mechanical vulnerabilities
that a tool like this may not find.

And then we have a quick
update about the recent hacks against FortiGate devices. I
mentioned that yesterday that the old patch that was
released in December for the single sign-on vulnerability
apparently wasn't quite good enough and is still being
exploited. Arctic Wolf has now summarized its observations on
that matter. And what they found is that, yes, this is
definitely a problem. And attackers are using this
particular vulnerability to exfiltrate the configurations
of devices. So if you are affected, you must reset your
credentials that you're using to access the device. And yes,
then again, the workaround that was published back in
December still applies and is still something that you
probably must deploy. I haven't seen anything yet from
Fortinet. I just looked before starting to record this
podcast. But take a look and see if by the time you're
listening to this, there is something from Fortinet. A
little bit late in that sense, because this is now going on
for at least two days, in the sense that it has become
public. And the attacks apparently have sort of never
really stopped since December
when they were originally spotted.

Well, and then we
have an interesting denial of service vulnerability in the
ISC BIND name server. This vulnerability is something
that I initially didn't really plan to cover because it's
just a denial of service vulnerability. But there's an
interesting spin to it, which sort of caught my attention.
And that's the record types being affected here. There are
two record types. One is the HHIT record. Then we have the
BRID record. Record types you probably
haven't really heard about unless you're dealing with
drones. So these record types are part of DRIP, the
drone ID system. If you're somewhat familiar with drones,
you may know that some drones are broadcasting or beaconing
an ID value. And this DNS extension allows you to
essentially use DNS to then look up additional information
based on this ID. And these IDs are, well, conveniently
128 bits, which kind of makes them IPv6 addresses. And
there's even an IPv6 prefix set aside for these IDs. The
vulnerability is actually relatively straightforward to
exploit. All you need is one of those BRID or HHIT records
with a length of three bytes. They're usually longer. And
that will cause the named name server to outright crash. So
exploitation is pretty straightforward. And even if
you don't specifically support these records, well, the name
server supports them. So all an attacker needs to do is
somehow trick your name server into looking up one of those
record types.

And we've got an almost funny vulnerability
here, in SmarterTools' SmarterMail. Well, they may be smart,
but they're not secure. watchTowr wrote up a recently
patched vulnerability in SmarterMail that affects
their password reset API. The vulnerability almost looks
like a backdoor. If you are an administrator and if you are
resetting an administrator's password, you do not need to
provide the old password to the API. So completely without
authentication, you may change the administrator's password.
Interestingly, if you are a normal user, then the old
password is required in order to reset the password via the
API. So very weird authentication vulnerability
here that then leads to anybody being able to reset
the administrator's password without any authentication.

Well, and that's it for today. So thanks again for listening.
Thanks for liking. Thanks for subscribing to this podcast.
And talk to you again on Monday. Bye.
Bye.
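As an added illustration of the Bandit segment above (this is example code written for this page, not Xavier's script and not part of the podcast), here are several patterns Bandit reports in a Python script, each beside a hardened form. The Bandit test IDs in the comments are the ones the current Bandit releases use; the sample "user input", the `APP_DB_PASSWORD` environment variable name and the report file contents are constructed for the example.

```python
"""
Patterns Bandit flags in a Python script, each beside a hardened form.
Constructed example for illustration; the Bandit test IDs (B105, B108,
B311, B404, B602, B603) are the identifiers Bandit prints in its report.
"""
import os
import random
import secrets
import subprocess
import tempfile
from pathlib import Path
from typing import Optional

# Constructed "user input" that carries a shell metacharacter.
USER_INPUT = "hello; echo INJECTED"


def run_echo_unsafe(user_input: str) -> str:
    """B602: shell=True with interpolated input. The ';' splits the
    command line inside /bin/sh, so the injected second command runs."""
    result = subprocess.run(
        f"echo {user_input}", shell=True, capture_output=True, text=True
    )
    return result.stdout


def run_echo_safe(user_input: str) -> str:
    """Hardened: argv list and no shell, so the whole string reaches
    echo as a single argument. Note that Bandit still reports B404
    (import subprocess) and B603 (subprocess call) at low severity on
    this version; that is the mechanical kind of finding a human has to
    judge in the context of how the script is used."""
    result = subprocess.run(
        ["echo", user_input], capture_output=True, text=True
    )
    return result.stdout


DB_PASSWORD = "hunter2"  # B105: hardcoded password string in source


def db_password_safe() -> Optional[str]:
    """Hardened: take the secret from the environment (assumed variable
    name APP_DB_PASSWORD) instead of committing it with the code."""
    return os.environ.get("APP_DB_PASSWORD")


def make_token_unsafe(n: int = 16) -> str:
    """B311: random is a PRNG seeded from system state, not a CSPRNG,
    so tokens built from it are predictable."""
    return "".join(random.choice("0123456789abcdef") for _ in range(2 * n))


def make_token_safe(n: int = 16) -> str:
    """Hardened: secrets uses the OS CSPRNG."""
    return secrets.token_hex(n)


def write_report_unsafe(data: str) -> Path:
    """B108: hardcoded /tmp path. The name is predictable and the file
    is created with the default umask, so another local user can
    pre-create or symlink it."""
    path = Path("/tmp/report.txt")
    path.write_text(data)
    return path


def write_report_safe(data: str) -> Path:
    """Hardened: mkstemp creates an unpredictable name, mode 0600,
    with O_EXCL so a pre-existing file or symlink is never followed."""
    fd, name = tempfile.mkstemp(prefix="report-", suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return Path(name)


def file_mode(path: Path) -> int:
    """Permission bits of a file, used to verify the temp-file hardening."""
    return path.stat().st_mode & 0o777


def temp_file_mode() -> int:
    """Write a report the safe way, record its mode, and clean up."""
    path = write_report_safe("constructed report contents")
    try:
        return file_mode(path)
    finally:
        path.unlink()


if __name__ == "__main__":
    print(repr(run_echo_unsafe(USER_INPUT)))  # two lines: the injection ran
    print(repr(run_echo_safe(USER_INPUT)))    # one line: literal argument
    print(make_token_safe())
    print(oct(temp_file_mode()))
```

To see the report, save the block as a file and run `bandit -r <dir>`; `-ll` limits output to medium and higher severity, `-s B404,B603` skips listed tests, and a trailing `# nosec` comment suppresses a single line once a human has decided the finding does not matter for how the script is deployed. Running it on the unsafe functions alone produces the B105, B108, B311 and B602 findings; the hardened functions still produce the low-severity B404/B603 noise, which is exactly the "it depends how the script is used" point from the episode.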