Hello and welcome to the Thursday, June 26, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, and this episode, brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Engineering, is recorded in Stockheim, Germany.

And yes, we do have another vulnerability from Citrix NetScaler. I just talked about a vulnerability that allowed session credentials to leak a couple of days ago. This one is just a denial-of-service vulnerability, but still with a critical CVSS score. And this vulnerability apparently is already being exploited. Just like the session leak vulnerability, this particular vulnerability affects any NetScaler that is configured as a gateway: a VPN virtual server, an ICA proxy, a CVPN, or an RDP proxy, which is a very common configuration for these types of devices. So definitely pay attention to this. Also, end-of-life versions of NetScaler are vulnerable, but of course there isn't necessarily a patch available for them. Patches have been made available now for the currently supported versions, and you should definitely be applying them quickly, given that this vulnerability may already be exploited.

And companies that
offer servers for rent often use a software package called WebPanel in order to manage CentOS servers. This package has two parts. One is the admin part that only the administrator is supposed to log into and that, of course, grants administrator privileges to the server. And then there is a user panel that users can use to essentially manage their own website on that particular server. The intent is that you have multiple users sharing the server, and WebPanel is supposed to keep those users apart, which, of course, is always a little bit tricky. In particular, in this case, WebPanel suffered from an arbitrary file upload vulnerability. This allows an attacker to, for example, upload .bashrc files and such into other users' directories, and that can then lead to arbitrary code execution as this other user. This vulnerability has been addressed and fixed; proof-of-concept exploits and a detailed description are available. So this is a vulnerability that you should consider as being exploited at this point. One particular case where you want to pay attention here is if you're not administering a server via WebPanel but you're using a server that is administered via WebPanel: you still want to make sure that the version of WebPanel is being updated, because your data may be at risk on that server, even though, of course, you can't do anything other than notify the administrator to please apply the update.

And Gogs is a somewhat popular, even though not really very well-maintained, Git server. If you want a nice web-based
interface for Git, that's sort of one of the self-hosted options that you have. Well, they suffered from an arbitrary file deletion vulnerability they just patched. This is related to a vulnerability they patched almost a year ago. SonarQube back then published a nice blog with details about the vulnerability and how to exploit it. But as they patched this vulnerability, well, they didn't properly consider symlinks, which now led to this second vulnerability. The problem with Git repositories is that if you can delete or truncate arbitrary files, you may be able, and that's the case here, to delete the HEAD file, so the .git/HEAD file. Once you truncate or delete that file, the Git repository is invalid. It's considered a plain repository. You can now adjust configurations in that repository, which will lead to arbitrary code execution. So it's not just file deletion here; it's a direct path to arbitrary code execution. And SonarQube showed that nicely in their blog from a year ago.

And Let's Encrypt announced
that they're almost ready to start issuing IP address-based certificates. This is a major departure from sort of traditional TLS certificates. Usually, they include a hostname or multiple hostnames, but now you may also include an IP address. And of course, that's important for devices and such that may not have a hostname. Now, there are some constraints around this. First of all, the certificates will only be valid for six days. There will also be an allow list process, so you have to basically apply to be part of the allow list in order to use these certificates. At this point, they have issued a sample certificate, which is meant to be used for testing. They apparently also ran into some compatibility issues here already with some browsers. They don't have a fixed timeline yet for when they will start issuing the certificates. But again, this post here by Let's Encrypt staff said that they are getting ready to issue these certificates soon.

Well, that's it for today. Thanks for listening. And as always, thanks for recommending, for liking, for subscribing. And talk to you again tomorrow. Bye-bye.
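A defensive check for the Gogs item in this episode, as an added example that is not code from the Stormcast or from the Gogs project. The episode's point is that a bare repository whose HEAD file has been deleted or truncated is no longer a valid repository, and that an attacker who gets that far can then change the repository's configuration to reach code execution. The script below walks a repository root and flags exactly those two conditions. It assumes a layout of `<owner>/<name>.git` under one root directory (an assumption, not something the episode states), and the list of config keys it treats as command-executing (`core.sshCommand`, `core.hooksPath`, `core.fsmonitor`, `core.pager`) is the author's own watch list, not one given by the episode or by Gogs. The sample repository tree it scans is constructed inline.

```python
"""Integrity check for bare Git repositories on a self-hosted Git server.

Added example, not code from the Stormcast episode or from the Gogs project.
Assumptions (the author's, not the page's):
  * bare repositories live under one root as <owner>/<name>.git
  * DANGEROUS_KEYS is a hand-picked list of config keys whose values Git
    runs as commands; the episode only says "adjust configurations"
"""
from __future__ import annotations

import tempfile
from pathlib import Path

# Git config keys whose values are executed as shell commands.
# Assumption: author's watch list, not stated on the page or by Gogs.
DANGEROUS_KEYS = {
    ("core", "sshcommand"),
    ("core", "hookspath"),
    ("core", "fsmonitor"),
    ("core", "pager"),
}

HEX = set("0123456789abcdef")


def parse_git_config(text: str) -> dict[tuple[str, str], str]:
    """Minimal parser for Git's INI-style config file.

    Returns {(section, key): value} with section and key lower-cased;
    subsections such as [remote "origin"] are folded into "remote".
    """
    entries: dict[tuple[str, str], str] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].split()[0].lower()
            continue
        key, _, value = line.partition("=")
        entries[(section, key.strip().lower())] = value.strip()
    return entries


def check_bare_repo(repo: Path) -> list[str]:
    """Return findings for one bare repository directory (empty list = clean)."""
    findings: list[str] = []
    head = repo / "HEAD"
    if not head.is_file():
        findings.append("HEAD missing: directory is no longer a valid Git repository")
    else:
        content = head.read_text(encoding="utf-8", errors="replace").strip()
        if not content:
            findings.append("HEAD truncated: zero-length file, repository invalid")
        elif not (content.startswith("ref: ")
                  or (len(content) in (40, 64) and set(content) <= HEX)):
            findings.append("HEAD malformed: neither a symbolic ref nor an object id")
    config = repo / "config"
    if config.is_file():
        for section, key in parse_git_config(config.read_text(encoding="utf-8")):
            if (section, key) in DANGEROUS_KEYS:
                findings.append(f"config sets {section}.{key} (Git runs this value as a command)")
    return findings


def scan_repo_root(root: Path) -> dict[str, list[str]]:
    """Check every *.git directory below root; keys are paths relative to root."""
    return {
        str(repo.relative_to(root)): check_bare_repo(repo)
        for repo in sorted(root.rglob("*.git"))
        if repo.is_dir()
    }


def build_sample_tree(base: Path) -> Path:
    """Constructed fixture: one healthy repo, one with HEAD deleted and a
    command-executing config key added, one with HEAD truncated."""
    good = base / "user1" / "good.git"
    good.mkdir(parents=True)
    (good / "HEAD").write_text("ref: refs/heads/master\n")
    (good / "config").write_text("[core]\n\trepositoryformatversion = 0\n\tbare = true\n")

    broken = base / "user2" / "broken.git"
    broken.mkdir(parents=True)          # no HEAD at all
    (broken / "config").write_text(
        "[core]\n\tbare = true\n\tsshCommand = /tmp/constructed-payload.sh\n")

    truncated = base / "user3" / "truncated.git"
    truncated.mkdir(parents=True)
    (truncated / "HEAD").write_text("")  # zero bytes
    (truncated / "config").write_text("[core]\n\tbare = true\n")
    return base


def demo() -> dict[str, list[str]]:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_repo_root(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for repo, findings in demo().items():
        print(repo, "->", findings or "ok")
```

Run it against the real repository root of a Gogs (or any bare-repo) host instead of the constructed tree by calling `scan_repo_root(Path("/path/to/repos"))`; a missing or empty HEAD on a repository that users have not deleted is the signal the episode describes, and a command-executing key in a bare repository's config is something a hosting server normally has no reason to set.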