Hello and welcome to the Friday, March 28, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

Well, the last couple of days I spent a little bit of time creating a couple of new reports for the Internet Storm Center website. One of them summarizes HTTP headers. And the reason I started looking more at HTTP headers was, of course, Next.js and the header-related vulnerability. We collected the headers from our honeypots, but didn't really routinely look at them. And, well, with these new reports, I immediately spotted one interesting header here, and that's the thumbnailaccesstoken header. Only a couple of requests this last month had this particular header set. Well, a little bit of research then showed that this actually attempts to exploit a vulnerability in Sitecore. Sitecore is a CMS and it uses this header for access control. The problem, however, is that the content of the header, the value, is actually a .NET object, and it uses the BinaryFormatter class to extract data from this object. And that class is most famously known for being, well, subject to deserialization vulnerabilities. And that's exactly what's happening here. There was, a couple of weeks ago, a blog post by Searchlight Cyber. They initially discovered the vulnerability. The vulnerability was actually patched back in January, as far as I can tell, but not a lot of details were released by Sitecore at the time. Now, with the blog from Searchlight Cyber, we do have a proof-of-concept exploit. The one problem with our data is that we are only recording the first 250 characters of header values. But those characters exactly match the proof-of-concept exploit that was released by Searchlight Cyber. So, very likely, that's the point of it here. If you decode it, you also see some of that PowerShell stuff and such happening. I'm just not exactly sure what the attacker is trying to do here yet. But, well, I'm about to fix this problem, and we are going to collect more of the header. It just needs a little bit of reworking of our back end. I'll be working more on these header-related reports, and tomorrow more of them should go live. Let me know if you like them. Let me know if you have any other ideas how to slice and dice the data and how to get more value out of it.

And Ian Beer with Google Project Zero published
a really nice, detailed blog post on the BlastPass exploit by NSO. NSO Group, of course, was famous for their iOS and Android zero-day and zero-click exploits. One of them, well, was BlastPass. And the target here was the WebP image format. WebP is quite a common, a little bit more modern image format. And as the blog post explains, it can be lossless; it can also be lossy. So you have different options here as far as compression goes. And, of course, whenever you are compressing, memory management becomes really tricky and interesting. And that's exactly what this blog post is all about: what went wrong in this particular case? Now, the exploit itself is, by Internet standards, pretty old. September 2023 is when it was patched. But the underlying problems about how to properly deal with these compressed formats, I think, are still valid, and we're still seeing similar vulnerabilities in other software. So definitely, if you're into exploit development or if you are into finding these kinds of vulnerabilities in software, it's a very good read.

And we've got about a dozen
vulnerabilities being patched in Splunk. Nothing critical, luckily. Among those vulnerabilities, there is one arbitrary code execution vulnerability. However, it does require valid login credentials. So nothing here, as far as I can tell, where someone could essentially just send you some packets, some attack, and the logs, as they're being parsed or so, are exploiting Splunk. That's not the case here. Upgrade, definitely. Make sure you're patched. This is likely a critical part of your security infrastructure. But again, nothing critical here.

And as far as critical vulnerabilities go, well, we
have one from Mozilla for Firefox. Only a sandbox escape, but a vulnerability that's already being exploited in the wild. Well, update it, or let Firefox do its self-update in order to be patched. This only affects Windows.

Well, that's it for today. Sorry for the editing
issue in yesterday's podcast. Depending on when you downloaded it, you may have received a podcast that had the NPM session multiple times. Well, thanks also to those who alerted me, so I was able to fix it early this morning. But probably about half of you or so may have received the old version. Sometimes podcast apps don't necessarily update to the latest file. And typically, if that ever happens, going to the website is enough: you get the latest file if you just stream it from the website. Well, that's it for today. Thanks for listening and talk to you again on Monday. Bye.
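Added example, following the Sitecore segment above. This is not the Internet Storm Center's report code and not anything from the Searchlight Cyber post; it is a small Python scanner over constructed honeypot request records that flags requests carrying the thumbnailaccesstoken header and checks whether the value decodes to a BinaryFormatter stream. The check relies on the fixed SerializationHeaderRecord that every BinaryFormatter payload begins with (record type 0, root id 1, header id -1, version 1.0). It also handles the 250-character capture limit described in the segment by decoding only the intact base64 prefix rather than failing on a cut-off value. Assumptions made for the example: that the header value is base64-encoded (the transcript says it decodes but not how), the record layout, the header capitalization, the sample source addresses, and the sample payload, which is the BinaryFormatter header followed by filler and not a real serialized object or gadget chain.

```python
import base64
import binascii
from typing import Dict, List, Optional

# SerializationHeaderRecord that opens every BinaryFormatter stream:
# RecordTypeEnum=0 (1 byte), RootId=1, HeaderId=-1, MajorVersion=1,
# MinorVersion=0 (each a little-endian int32). Base64 "AAEAAAD/////AQAAAAAAAAA".
BINARYFORMATTER_MAGIC = bytes.fromhex("00" "01000000" "ffffffff" "01000000" "00000000")

# Header the Stormcast segment describes: Sitecore hands its value to
# BinaryFormatter. Matched case-insensitively (capitalization is an assumption).
SUSPECT_HEADER = "thumbnailaccesstoken"

# The honeypot back end stored only this many characters of a header value.
CAPTURE_LIMIT = 250


def decode_base64_prefix(value: str) -> Optional[bytes]:
    """Decode as much of a possibly truncated base64 string as is decodable.

    A capture cut off at CAPTURE_LIMIT characters usually ends mid-quantum.
    Dropping the trailing partial group of 1-3 characters returns the intact
    prefix instead of raising a padding error. Returns None if the value is
    not base64 at all.
    """
    value = value.strip()
    usable = value[: len(value) - len(value) % 4]
    if not usable:
        return None
    try:
        return base64.b64decode(usable, validate=True)
    except (binascii.Error, ValueError):
        return None


def scan_request(req: Dict) -> Optional[Dict]:
    """Return a finding for one honeypot request record, or None if the
    request does not carry the suspect header."""
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    value = headers.get(SUSPECT_HEADER)
    if value is None:
        return None
    decoded = decode_base64_prefix(value)
    return {
        "src": req.get("src"),
        "path": req.get("path"),
        # A value at the capture limit was almost certainly cut off.
        "truncated": len(value) >= CAPTURE_LIMIT,
        # True only when the decodable prefix starts with the .NET header.
        "binaryformatter": decoded is not None and decoded.startswith(BINARYFORMATTER_MAGIC),
        "decoded_len": len(decoded) if decoded else 0,
    }


def scan_requests(requests: List[Dict]) -> List[Dict]:
    """Scan a batch of request records; findings keep the input order."""
    return [f for f in (scan_request(r) for r in requests) if f is not None]


def _constructed_payload() -> str:
    # Constructed stand-in for a captured value: the real 17-byte BinaryFormatter
    # header followed by filler bytes, NOT a serialized object or gadget chain.
    # Encoded length exceeds CAPTURE_LIMIT so the slice mimics the truncated capture.
    blob = BINARYFORMATTER_MAGIC + b"constructed-filler-" * 16
    return base64.b64encode(blob).decode()[:CAPTURE_LIMIT]


# Constructed sample records (documentation addresses, no real traffic).
SAMPLE_REQUESTS = [
    {"src": "198.51.100.7", "path": "/",
     "headers": {"Host": "example.org", "User-Agent": "curl/8.0"}},
    {"src": "203.0.113.42", "path": "/",
     "headers": {"Host": "example.org", "ThumbnailAccessToken": _constructed_payload()}},
    {"src": "192.0.2.9", "path": "/",
     "headers": {"Host": "example.org", "thumbnailaccesstoken": "not-base64!!"}},
]


if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(finding)
```

The second record is the interesting one: it is flagged as truncated and as a BinaryFormatter stream even though only 250 of its characters survived, because the 17-byte header sits at the very start. The third record shows the header being present without a decodable payload, which is worth listing separately rather than dropping, since scanners and misconfigured clients also set odd headers.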