Hello and welcome to the Friday, July 18, 2025 edition
of the SANS Internet Storm Center's Stormcast. My name is
Johannes Ullrich, recording today from Washington, D.C.
And this episode is brought to you by the SANS.edu Graduate
Certificate Program in Purple Team Operations. Well, after
spending maybe a little bit too much time with alternate
data streams, Xavier decided to look at the Linux side of
this particular problem and figure out how something
similar can be done in Linux. Of course, Linux does not have
alternate data streams, but it has something a little bit
similar, extended attributes. Extended attributes can be
used for things like Mark of the Web, just like in Windows
with alternate data streams. They can also be used to, for
example, encode POSIX ACLs, which is one of the
probably more common uses of xattr or extended attributes.
Xavier implemented a little script that can be used to
take some data, then Base64 encode it and split it up
across different files and append it as extended
attributes. He also wrote a script to then retrieve the
data again. So that's pretty much all you need to then hide
data in extended attributes. Extended attributes can also
be just searched for and that's another thing that
Xavier wrote, a little script to find files with extended
attributes. Basically, he lists the name of these
extended attributes as well as the content to allow you to
double check if, well, these are normal, like, for example,
POSIX ACLs or if this may be some malware hiding data in
this particular file. And Cisco patched a critical
vulnerability in its Identity Services Engine or ISE as well
as ISE PIC and this vulnerability allows an
unauthenticated user to gain arbitrary code execution
across the network as root. So it gets the full 10 out of 10
for a CVSS score. This vulnerability is related to
the API that's implemented in the Identity Services Engine
and, well, there's not a lot of detail available at this
point but it just states that input to the API is not
properly validated. And Oracle released its quarterly
critical patch update. This particular update fixed 309
different vulnerabilities. Apparently, nine of these are
considered critical and we do have 144 that are considered
at least high based on the CVSS score, being between 7.0
and 8.9. Now, it's a lot of vulnerabilities but it's also
understood that this applies across the entire Oracle
portfolio. There are about 111 affected products for these
particular vulnerabilities. I sort of browsed through it a
little bit. I saw quite a number of vulnerabilities like
that are related, for example, to the Apache Beans library.
The Beans utility library has had once in the past and what
Oracle is doing here is just updating this component across
its products. Also, some Apache Tomcat and Apache Mina
vulnerabilities that are being addressed in this update. The
issue with some of these open source vulnerabilities is that
they have been around, they have been known for a while.
So, Oracle is playing a little bit of catch-up here and it is
very possible that there are already exploits under
development or have been released for these
vulnerabilities. They may just not have been adapted for
these particular Oracle products. So, there is a
chance that exploit development could happen
pretty quickly. And Broadcom released updates for its
VMware portfolio. VMware ESXi, Workstation, Fusion, as well as
VMware tools are affected. Many of the vulnerabilities do
allow VMware escape but do require that an attacker has
administrative privileges on the affected virtual machine.
These types of vulnerabilities are often of concern to
malware reverse engineers that may run malware inside virtual
machines. But, of course, this is also something an attacker
could use to escalate privileges into lateral
movement in any kind of corporate VMware setup. Well,
and this is it for today. So, thanks for listening. Thanks
for subscribing. Thanks for leaving good comments for this
podcast in your favorite podcast platform. And talk to
you again on Monday. Bye.
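As an added example, not Xavier's script or anything from the episode, here is a Python triage helper along the lines described: it lists a file's extended attributes, treats known names such as POSIX ACLs and SELinux labels as expected, and flags values that strictly decode as Base64, which is what split-up hidden data would look like. The allow-list of expected attribute names and the 16-byte minimum length are assumptions.

```python
import base64
import binascii
import os

# Attribute names normally present on a Linux host (assumption: illustrative
# allow-list, extend it for your environment).
EXPECTED_XATTRS = {"system.posix_acl_access", "system.posix_acl_default",
                   "security.selinux", "security.capability",
                   "user.xdg.origin.url", "user.xdg.referrer.url"}  # Mark-of-the-Web style

def looks_like_base64(value: bytes, min_len: int = 16) -> bool:
    """True if value is a non-trivial chunk that strictly decodes as Base64."""
    if len(value) < min_len:
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True

def triage_xattrs(attrs: dict) -> list:
    """Classify one file's attributes into (name, verdict, size) triples."""
    findings = []
    for name, value in sorted(attrs.items()):
        if name in EXPECTED_XATTRS:
            verdict = "expected"
        elif looks_like_base64(value):
            verdict = "suspicious-base64"  # candidate for hidden, split-up data
        elif name.startswith("user."):
            verdict = "review"  # unusual user attribute, not encoded
        else:
            verdict = "unknown"
        findings.append((name, verdict, len(value)))
    return findings

def scan_tree(root: str) -> list:
    """Walk root (Linux only) and return (path, name, verdict, size) for anything not expected."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                attrs = {n: os.getxattr(path, n, follow_symlinks=False)
                         for n in os.listxattr(path, follow_symlinks=False)}
            except OSError:  # unsupported filesystem, permission denied, vanished file
                continue
            hits += [(path, *f) for f in triage_xattrs(attrs) if f[1] != "expected"]
    return hits
```

Run `scan_tree("/home")` on a Linux box and review every hit; a `suspicious-base64` verdict on several files with the same attribute name is the pattern the retrieval script described above would rely on.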