Hello and welcome to the Friday, October 3rd, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich, recording today from
Jacksonville, Florida. And this episode is brought to you
by the SANS.edu Undergraduate Certificate Program in
Cybersecurity Fundamentals.

Well, and today once more I
wrote about the .well-known directory. Of course, I have
written about this in the past. Most recently, I think
it was last week, about some backdoors and such, some web
shells that people left behind in that directory. Today it's
a little bit different. Actually, no honeypot data for
a change. But instead, something I observed on our
ISC web server. And that is that attackers are scanning
for URLs in the .well-known directory that are valuable
for reconnaissance. There are a number of systems that add
configuration files to the .well-known directory. Like,
for example, the terraform.json file. That will give an
attacker, of course, some hints as to what APIs your
particular system supports. Some of them are required,
like that terraform.json file, in order to use these tools
effectively. Also, these OAuth and OpenID configuration files
are required if you would like to use these systems. And so
far, it's not a good idea to remove those files from your
system in case you see them on your system. Sometimes they're
not even files. They're just APIs themselves that create
those responses dynamically. So what you want to do is you
want to at least keep an eye on these locations and make
sure that what's being published here is supposed to
be published. I think it was yesterday or at least earlier
this week where we had one case where one of these files
did include some secret keys, some API secrets. It's not
just the public keys that are usually supposed to be listed
in those files. For example, the OAuth and OpenID
configuration. So double check, make sure nothing's
there that's not supposed to be there. But overall, this is
not necessarily a bad thing. It's just, well, a way
attackers can abuse these features against you for
reconnaissance.

And then we have a couple of end-of-the-week
vulnerabilities to talk about. First of all, Red Hat released
an advisory warning of a privilege escalation
vulnerability in the Red Hat OpenShift AI service. A user
with minimal credentials, meaning anybody who can run a
Jupyter notebook on the system, is able to basically
get full admin access to the entire cluster. So this is
something that you want to address. I doubt it's super
critical depending on who you give access to this OpenShift
AI service. But overall, securing Jupyter notebooks is
always a little bit tricky because, well, you are running
code sort of by definition on the system. And a badly
configured role like this, yeah, is likely easily
exploited.

And Palo Alto released an advisory regarding
three recently patched vulnerabilities in the
TOTOLink X6000R router. This particular manufacturer has
had similar vulnerabilities in the past like pretty much any
router manufacturer like this. So patches have been released
in June. But with this advisory out here now, you
definitely must patch in particular because one of the
critical vulnerabilities here does allow an unauthenticated
command injection. And exploitation for these
vulnerabilities is pretty trivial as explained in this
advisory. So there are some source code snippets here
explaining the exact nature of these vulnerabilities. There
is no proof of concept per se here in the advisory. But yes,
exploitation is not difficult.

And talking about routers, we
also got updates from DrayTek for their DrayOS routers, also
known under the name Vigor. The single vulnerability being
addressed here sounds like a buffer overflow. It's not
really clear. It's just listed as memory corruption here. But it
does also say that it does allow arbitrary code execution
without authentication. One of the mitigating issues they're
covering here, and that's certainly an important one, is
that you really shouldn't expose any web admin interface
like this to the public eyes. Because, well, they tend to be
horribly broken and vulnerable.

Well, and I got
one more item, something on a little bit more positive
note, to not leave you hanging here just with vulnerabilities
for the weekend. Microsoft announced that they're in the
process of no longer displaying SVG images inline in emails
in Outlook and Outlook 365. They started this process
mid-September and should be finished with it mid-October.
I can't get to the original announcement that Microsoft
published, so I'll link to the Bleeping Computer article
about this. But they have a pretty good summary of it. Of
course, these SVG images have recently been heavily used for
malware and for phishing and a couple of other circumstances.
So that's probably why they're starting to block them now,
like they already are blocking a lot of other attachments.

Well, and that's it for today. So thanks for listening.
Thanks for subscribing. Thanks for liking this podcast. Next
week, I'll be in Denver teaching a class following our
Cloud Summit. And by the way, I only have one more public
class to teach. First week of December in Dallas. So if
you're interested in learning more about web application
security, that's the week for you to sign up. And as always,
any future classes I'll teach are listed in the show notes
on the page on the Internet Storm Center website. Just
below the actual show notes, you'll see a short list of
upcoming classes. Thanks and talk to you again on Monday.
Bye.
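The check recommended in the first item of this episode, keeping an eye on what your own host publishes under .well-known and making sure no secrets show up in the OAuth/OpenID discovery documents, as an added example that is not code from the ISC or the episode: it walks the JSON served at a few discovery paths and flags secret-looking key names and private JWK members. The list of paths, the key-name pattern and the sample documents are my assumptions and are constructed.

```python
# Added example, not ISC code: audit what a host publishes under /.well-known/
# for secret material. Paths and the key-name pattern are assumptions.
import json
import re
from urllib.request import urlopen
# Discovery documents mentioned in the episode plus the JWKS they point at.
WELL_KNOWN_PATHS = ["/.well-known/openid-configuration", "/.well-known/jwks.json",
                    "/.well-known/oauth-authorization-server", "/.well-known/terraform.json"]
# Key names with no business in a public document; "token" is left out on purpose
# because token_endpoint is a normal public URL.
SECRET_KEY_RE = re.compile(r"secret|private_key|password", re.I)
# RFC 7518 private-key members of a JWK; a published JWKS carries public parts only.
JWK_PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "k"}

def find_secrets(doc, path="$"):
    """Walk parsed JSON; return (json_path, reason) for each suspicious member."""
    findings = []
    if isinstance(doc, dict):
        if "kty" in doc:  # this object is a JWK
            for m in sorted(doc.keys() & JWK_PRIVATE_MEMBERS):
                findings.append((f"{path}.{m}", "private JWK member"))
        for k, v in doc.items():
            if SECRET_KEY_RE.search(k) and isinstance(v, str):
                findings.append((f"{path}.{k}", "secret-looking key"))
            findings.extend(find_secrets(v, f"{path}.{k}"))
    elif isinstance(doc, list):
        for i, v in enumerate(doc):
            findings.extend(find_secrets(v, f"{path}[{i}]"))
    return findings

def audit(base_url, fetch=lambda url: urlopen(url, timeout=5).read()):
    """Fetch each discovery path (fetch is injectable) and map path -> findings."""
    report = {}
    for p in WELL_KNOWN_PATHS:
        try:
            body = fetch(base_url.rstrip("/") + p)
        except Exception:
            continue  # not served: nothing is published at that path
        try:
            report[p] = find_secrets(json.loads(body))
        except ValueError:
            report[p] = [("$", "non-JSON body")]
    return report

# Constructed samples: a discovery document leaking a client secret, and a
# JWKS that wrongly includes the RSA private exponent d.
SAMPLE_OPENID = json.dumps({"issuer": "https://idp.example", "token_endpoint":
                            "https://idp.example/token", "client_secret": "PLACEHOLDER"})
SAMPLE_JWKS = json.dumps({"keys": [{"kty": "RSA", "kid": "k1", "n": "AQAB", "e": "AQAB",
                                    "d": "PLACEHOLDER"}]})
```

Run `audit("https://your-host.example")` against your own server; anything it reports under a discovery path is material that should not be public.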