Hello and welcome to the Friday, June 27th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, and this episode, brought to you by the SANS.edu Graduate Certificate Program in Purple Team Operations, is recorded in Stockheim, Germany.

Well, we got a big supply chain security story to start out with today. This story was broken by Koi Security. The problem here is the use of Visual Studio Code clones. Now, Visual Studio Code, of course, is a Microsoft product. It comes with its own extension store, and this extension store has had issues in the past. We talked about this here in this podcast a couple of times, but there are a couple of clones like, for example, Cursor, the editor used a lot with AI projects. And Cursor, because it's not a Microsoft product but is a clone of Visual Studio Code, cannot use the official Microsoft extension store. In order to fix this, well, we have OpenVSX. OpenVSX is an extension store for all these different Visual Studio Code clones that cannot use the official Microsoft store. The problem with OpenVSX was that they had two different ways a developer could update an extension. One is where you basically just upload the extension to them. But then there's another, a little bit more convenient way of doing it where they are auto-updated. You basically just add your extension to the list of extensions for OpenVSX to auto-update. And then whenever it recognizes there is a new version, it will download your extension and then it will run npm install. And that's where the problem happens. With npm install, the GitHub action that OpenVSX uses to update the extensions, well, it's actually executing code provided by the developer of the extension. And that code has access to the secret token that's being used by this GitHub action. As a result, it could basically update or alter any other extension published in OpenVSX, putting that entire ecosystem at risk. So it's a little bit different than some of the prior supply chain issues with extensions. Usually it was a malicious developer that sort of bypassed whatever checking happens or doesn't happen in these extension stores to publish a particular extension. But with this flaw in the mechanism of how these extensions are actually being maintained, an attacker could very well modify any trusted, often used extension and, for example, add malicious code. So pretty big deal here. Luckily, Koi Security worked with OpenVSX to have them fix this particular flaw, and it should be good now.

And researchers from German security company ERNW did publish an initial brief blog post outlining three different Bluetooth vulnerabilities that they found in chipsets made by Airoha, if I pronounce this name correctly; could also be AI or Airoha, I'm not really sure. But the big problem here is that these chipsets are, first of all, used in a number of large name-brand headsets, like, for example, Bose and Sony and others. And the vulnerabilities do allow for a compromise of the headset, in particular for the use of the headset as an eavesdropping device. The problem here is in part a custom protocol that this chipset implements that allows direct memory manipulation of the headset. And, well, to make things more interesting, authentication for this protocol is flawed or not quite present. These details are not yet really made public. But with this, an attacker is then able to essentially pair to the headset and use it, for example, as a microphone to listen in. Now, if the headset is already paired with another device, this connection would be disrupted. So that would be notable to a victim if all of a sudden their headset no longer works, is no longer connected to their phone or whatever they have it connected to. But in particular, if the headset is just idle, it would, of course, be fairly easy then, in terms of not being noticeable, for an attacker to actually hijack the headset and use it as a microphone. All of these attacks, of course, require that the attacker is within Bluetooth distance of the victim. And Airoha did publish patches for their software development kit in order to fix these issues. But of course, they now have to be rolled out into firmware and such to make them actually available to end users for all of the affected devices.

And Cisco released updates for its Identity Services Engine. This update, among a number of not-so-critical vulnerabilities, does address two critical vulnerabilities that allow unauthenticated remote code execution. So the CVSS score for these vulnerabilities is a perfect 10, and an attacker could completely compromise this critical part of your network security. This is certainly something that you probably want to address before going away for the weekend if you are running this particular solution.

Well, and that's it for today. So thanks for listening. Hope to see some of you at SANSFIRE. If you aren't registered yet, well, it's still not too late. We'll start in about three weeks, I think, is when SANSFIRE will start in Washington, D.C. And of course, there's also an option to attend classes and many of the additional events online. But we do have some special on-site events, for example, our Honeypot Workshop, where we'll give away a few honeypots for anybody interested in running them. That's it for today. Thanks for listening and talk to you again on Monday. Bye.
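One defensive pattern for the class of problem in the OpenVSX story above, as an added illustration that is not from the podcast and is not OpenVSX's own workflow: a GitHub Actions pipeline that builds a third-party extension with npm lifecycle scripts disabled and with no publishing token anywhere in the build job, then publishes from a separate job that is the only place the secret is materialized. The repository name, the secret name and the `ovsx` invocation are assumptions.

```yaml
name: build-and-publish-extension

on:
  workflow_dispatch:

permissions:
  contents: read            # no write scope for the automatic GITHUB_TOKEN

jobs:
  build:
    runs-on: ubuntu-latest
    # No secrets are referenced anywhere in this job, so code that runs here
    # (the extension's own scripts and dependencies) has no token to steal.
    steps:
      - uses: actions/checkout@v4
        with:
          repository: example-org/some-extension   # assumed third-party extension repo
          persist-credentials: false               # do not leave a token in .git/config
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      # Weak form, as described in the story: a plain `npm install` runs the
      # extension's preinstall/postinstall/prepare scripts, i.e. code supplied
      # by the extension developer, inside the publisher's job.
      #   - run: npm install
      # Hardened form: install dependencies but never execute lifecycle scripts.
      - run: npm ci --ignore-scripts
      # Packaging can still run the extension's vscode:prepublish script,
      # which is developer code too; that is exactly why this job holds no secret.
      - run: npx @vscode/vsce package -o extension.vsix
      - uses: actions/upload-artifact@v4
        with:
          name: vsix
          path: extension.vsix

  publish:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: vsix
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      # The registry token exists only in this step's environment, and the
      # only command that can read it is the publishing CLI on a prebuilt .vsix.
      - run: npx ovsx publish extension.vsix -p "$OVSX_PAT"
        env:
          OVSX_PAT: ${{ secrets.OVSX_PAT }}   # assumed secret name
```

The separation matters more than the `--ignore-scripts` flag alone: even if some developer-controlled script does execute during the build, it runs in a job that was never handed the credential.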