Hello and welcome to the Monday January 26, 2026
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich, recording today from
Jacksonville, Florida. And this episode is brought to you
by the SANS.edu Graduate Certificate Program in Cyber
Defense Operations. I just want to start out with a quick
update on the FortiOS SAML bypass issue. We now have an official
statement from Fortinet regarding this problem. And
they basically say, well, kind of what we already knew, that
it was SAML and single sign-on related. So the mitigation
still stands. You should disable single sign-on and
there is no patch available yet. And Fortinet didn't say anything
about a schedule or the like, just that they're
working on it. One interesting sort of little tidbit from the
Fortinet advisory is that this does not just affect the
FortiCloud implementation of single sign-on, but
essentially more or less any system that you're using that
uses SAML to authenticate to FortiOS could potentially be
bypassed. So it's basically how FortiOS implements SAML and
how it verifies whether or not these SAML messages are
correctly signed. This of course is an ongoing issue.
Not just Fortinet has been struggling with implementing
SAML correctly. There have been multiple issues. We have
talked about this here in the podcast before, where it was
possible to bypass SAML authentication by manipulating
these digitally signed messages. And then we got a
second out of band update from Microsoft that was triggered
by January's security updates. This time it's Outlook that's
being patched. Again, these updates are not security
updates so much, but they're fixing problems that were
introduced by the security update. Here, apparently, if
you're using Outlook and you're storing PST files on
OneDrive, you may have Outlook hanging and you can't exit it.
So this problem is now being fixed; the fix was released
on Saturday. So try to update. Again, not a security
issue. If you don't experience any problems with Outlook,
then of course you may not need this particular update.
And Broadcom released an updated advisory for vCenter.
Originally, these vulnerabilities were patched
in June, but turns out now they're actually being
exploited. Now, I don't always cover just the fact that the
vulnerabilities are being exploited, in particular if
patches have been available for a while. But this sort of
triggered something that I've heard about a few times now.
And that's, you know, of course, many people are
switching away from VMware vCenter, in particular for
things like home labs and such, just because of the
difficulties with licensing and Broadcom. Please remember
that many of the alternatives also have these fairly complex
web admin interfaces and such, that, in my opinion, are
likely vulnerable. You may not have seen a lot of
vulnerabilities being disclosed, but just the nature
of the software, when you have these complex web-based admin
interfaces and such, usually means that there are some
vulnerabilities in these systems. In particular, if an
attacker gains some authorized access to them. So please do
yourself a favor and don't expose them directly to the
internet. Well, and this is it for today. So, thanks for
listening. Thanks for liking this podcast. Thanks for
subscribing to it. I still have the thing going where, if
you find a mistake or any kind of, you know, comment or
something, you want a sticker, please let me know and I'll
email you a sticker. And with that, talk to you again
tomorrow. Bye.
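The following is an added example; it is not part of the podcast transcript, not Fortinet's code, and not a description of the FortiOS bug's internals, which the episode does not give. It illustrates the general class the episode refers to: a service provider that verifies a SAML signature correctly but then consumes an element the signature did not cover (XML signature wrapping), next to the checks that tie the signed element to the element used for login. The signature is simulated as a SHA-256 digest over the serialised referenced element (an assumption, so the script runs offline with only the standard library; a real implementation must use an XML-DSig library and the IdP's certificate). All element IDs, subject names and the response itself are constructed sample data.

```python
# Added example: XML signature wrapping against a SAML-like response, with a
# vulnerable consumer and a hardened consumer. The signature is simulated
# (assumption) as SHA-256 over ElementTree's serialisation of the referenced
# element, standing in for C14N + XML-DSig.
import hashlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"samlp": SAMLP, "saml": SAML, "ds": DS}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keeps serialisation deterministic


def digest_of(elem: ET.Element) -> str:
    """Stand-in for the DSig reference digest (assumption, see lead-in)."""
    return hashlib.sha256(ET.tostring(elem)).hexdigest()


def build_signed_response(subject: str = "alice", assertion_id: str = "_a1") -> bytes:
    """Constructed sample: one Assertion plus a Signature whose single
    Reference URI points at that Assertion's ID."""
    resp = ET.Element(f"{{{SAMLP}}}Response", ID="_r1")
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", ID=assertion_id)
    subj = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = subject
    sig = ET.SubElement(resp, f"{{{DS}}}Signature")
    info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ref = ET.SubElement(info, f"{{{DS}}}Reference", URI="#" + assertion_id)
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = digest_of(assertion)
    return ET.tostring(resp)


def wrap_attack(signed_xml: bytes, wanted_subject: str = "admin") -> bytes:
    """Attacker step: leave the genuine Assertion and its Signature untouched
    (so the digest still verifies) and prepend an unsigned Assertion."""
    root = ET.fromstring(signed_xml)
    evil = ET.Element(f"{{{SAML}}}Assertion", ID="_evil")
    subj = ET.SubElement(evil, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = wanted_subject
    root.insert(0, evil)
    return ET.tostring(root)


def tamper(signed_xml: bytes, new_subject: str = "admin") -> bytes:
    """Plain tampering: edit the signed Assertion itself (digest must fail)."""
    root = ET.fromstring(signed_xml)
    root.find("saml:Assertion/saml:Subject/saml:NameID", NS).text = new_subject
    return ET.tostring(root)


def naive_subject(xml: bytes) -> str:
    """Vulnerable pattern: the signature is checked correctly, but the code
    then reads the *first* Assertion, which need not be the signed one."""
    root = ET.fromstring(xml)
    ref = root.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    signed = next(e for e in root.iter() if e.get("ID") == ref.get("URI")[1:])
    if digest_of(signed) != ref.findtext("ds:DigestValue", namespaces=NS):
        raise ValueError("signature check failed")
    first = root.find("saml:Assertion", NS)  # the bug: not tied to `signed`
    return first.findtext("saml:Subject/saml:NameID", namespaces=NS)


def hardened_subject(xml: bytes) -> tuple:
    """Returns (ok, subject_or_reason). Checks: exactly one Reference; a
    same-document URI that resolves to exactly one element; that element is
    a top-level Assertion; its digest matches; no other Assertion exists."""
    root = ET.fromstring(xml)
    refs = root.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        return False, "expected exactly one signed reference"
    uri = refs[0].get("URI", "")
    if not uri.startswith("#"):
        return False, "only same-document references are accepted"
    matches = [e for e in root.iter() if e.get("ID") == uri[1:]]
    if len(matches) != 1:
        return False, "reference ID must resolve to exactly one element"
    signed = matches[0]
    if signed.tag != f"{{{SAML}}}Assertion" or signed not in list(root):
        return False, "signed element is not a top-level Assertion"
    if digest_of(signed) != refs[0].findtext("ds:DigestValue", namespaces=NS):
        return False, "digest mismatch: signed content was modified"
    if len(root.findall(".//saml:Assertion", NS)) != 1:
        return False, "unsigned Assertion present alongside the signed one"
    return True, signed.findtext("saml:Subject/saml:NameID", namespaces=NS)


if __name__ == "__main__":
    genuine = build_signed_response("alice")
    wrapped = wrap_attack(genuine, "admin")
    print("naive, genuine:   ", naive_subject(genuine))
    print("naive, wrapped:   ", naive_subject(wrapped))
    print("hardened, genuine:", hardened_subject(genuine))
    print("hardened, wrapped:", hardened_subject(wrapped))
    print("hardened, tampered:", hardened_subject(tamper(genuine, "admin")))
```

The point of the hardened path is that every decision is derived from the Reference, not from document order: the ID is resolved to exactly one element, that element must be the kind of node the application actually trusts, and any extra Assertion is grounds for rejection rather than for picking one. Real deployments should additionally validate Issuer, Audience, Conditions and InResponseTo, and should pin the IdP certificate rather than trusting a KeyInfo embedded in the message.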