Hello and welcome to the Thursday, May 8, 2025 edition
of the SANS Internet Storm Center's Stormcast. My name is
Johannes Ullrich and today I'm recording from San Diego,
California. Today's diary comes from Xavier, and Xavier
takes a look at an interesting piece of malware. This malware
is written in .NET, not Python for a change, and it distinguishes
itself by being very modular. Now, the way the modularity is
implemented is if a particular feature is needed, the
particular module, a DLL file, is loaded from GitHub and then
installed on the system. Some of these modules, for example,
can install a rootkit, there is a token grabber module,
there also is a password stealer, and then the one
module that Xavier looks at a little bit closer is
implementing some webcam functionality. The advantage
of malware like this is that the initial download, first of
all, is smaller and is also less likely to trigger
alerts because it doesn't contain any code that
indicates that it may act maliciously. That's only
added later on demand. And since this malware is
reasonably simply built, and not obfuscated, it makes a
great sort of little learning tool in order to better
understand how malware works.

Then we have an interesting vulnerability to talk about,
again from sort of friends of the show, watchTowr. This
vulnerability affects SysAid. SysAid is an IT service
management platform, so it allows you to manage help desk
tickets, inventory, and
various other sort of IT management tasks. Of course,
software like this is always in the crosshairs of
ransomware gangs given that they are also often used by
outsourced IT management companies that would give an
actor access to multiple entities using one compromised
SysAid instance. Now, the vulnerabilities here start out
with XML external entity vulnerabilities. This is a
little bit of a weird vulnerability if you're not
familiar with XML. Essentially, in XML you can
define entities that replace, usually, a smaller
string with a larger string. So it's kind of a simple
compression scheme. But external and system entities
allow you to not just replace strings but also to
replace an entity with the content of a file from the
file system or the content of an external HTTP or HTTPS URL.
So that's where it really gets interesting. watchTowr found
three different vulnerabilities like this in
SysAid. They used this vulnerability then to read a
configuration file from the system. Again, you may just
read essentially any file from the file system that your XML
parser has access to. This particular file contained the
administrative password. Well, of course, with that they have
now not just pre-authentication but also
authenticated access to the SysAid instance, and they then
also demonstrate how these vulnerabilities can be used to
ultimately achieve remote code execution. As usual, a pretty
good read here from watchTowr if you're particularly
interested in more details about the XML external entity
vulnerability. Patches have been released by SysAid, and
given that there is an exploit available for it now, well,
you'd better have already applied it.

And then we have a patch for the Cisco IOS XE Wireless
Controller software. This
patch fixes an arbitrary file upload vulnerability with a
CVSS score of 10.0. The vulnerability is due to a
hard-coded JSON web token. Well, at least it's not an SSH key or
a simple password, but the effect is the same: without
really authenticating, the attacker is able to upload
files and then trigger execution as root. This
vulnerability should be fixed pretty quickly. However, the
system is not vulnerable in the default configuration. In
order for this vulnerability to be exploitable, you need to
enable the out-of-band AP image download feature. If
that feature is not enabled, then again, this is not
exploitable.

And if you're using the popular UniFi Protect cameras, be
aware there is also a CVSS score 10 vulnerability available
for these cameras. Now, a patch is available as well from
Ubiquiti. The vulnerability
itself, as it says here, allows an attacker with access
to the management network to execute arbitrary code
remotely without authentication, exploiting a
heap buffer overflow vulnerability. This affects
the firmware version 4.75.43 and earlier. A patch has been
released in the last couple of days. This is it for today.
Thanks for listening and talk to you again tomorrow. Bye.
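Added example (not part of the Stormcast transcript and not code from watchTowr or SysAid): a minimal Python demonstration of the XML entity mechanics described in the SysAid segment. It declares one ordinary internal entity (the "compression" use of entities) and one SYSTEM entity pointing at a local file, then parses the same document twice with the standard library's xml.sax, once with external entity resolution switched on (the vulnerable configuration) and once with it switched off (the fix). The temporary file, its "admin_password" line, and the element and entity names are all constructed for this example; nothing about SysAid's real endpoints or configuration file is reproduced here.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges

# Constructed stand-in for a sensitive configuration file; the value is
# an assumption for this example, not anything taken from a real product.
SECRET = "admin_password=CorrectHorseBatteryStaple"


def write_secret_file():
    """Create a temporary file playing the role of the sensitive config file."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-", suffix=".conf")
    with os.fdopen(fd, "w") as fh:
        fh.write(SECRET)
    return path


def build_document(secret_path):
    """Attacker-controlled XML: one internal entity (the harmless
    string-replacement use) and one SYSTEM entity that names a local
    file, which is the XXE. The XML structure is made up for the demo."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE ticket [\n"
        '  <!ENTITY vendor "Example ITSM Vendor">\n'
        f'  <!ENTITY xxe SYSTEM "{secret_path}">\n'
        "]>\n"
        "<ticket><vendor>&vendor;</vendor><note>&xxe;</note></ticket>\n"
    ).encode()


class _TextCollector(xml.sax.ContentHandler):
    """Collects all character data, i.e. what the application ends up seeing."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_text(xml_bytes, resolve_external_entities):
    """Parse with xml.sax; the flag controls whether SYSTEM entities are fetched."""
    parser = xml.sax.make_parser()
    # feature_external_ges = "external general entities". True is the
    # vulnerable setting (the parser opens whatever file or URL the entity
    # names); False, the default since Python 3.7.1, is the hardened one.
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks)


def demo():
    """Return (vulnerable_output, hardened_output) for the same document."""
    path = write_secret_file()
    try:
        doc = build_document(path)
        vulnerable = parse_text(doc, resolve_external_entities=True)
        hardened = parse_text(doc, resolve_external_entities=False)
    finally:
        os.unlink(path)
    return vulnerable, hardened


if __name__ == "__main__":
    vuln, safe = demo()
    print("vulnerable parser saw:", repr(vuln))
    print("hardened parser saw:  ", repr(safe))
```

The internal entity is expanded in both runs; only the vulnerable run pulls the file contents into the document where the application (or an error message echoing the input) can expose them. The flag is set explicitly in both directions so the result does not depend on the interpreter's default. The same mechanism accepts an http or https URL as the SYSTEM identifier, which is how the out-of-band variant works; this example stays on the local file system so it runs offline.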