Hello and welcome to the Thursday, September 11th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Penetration Testing and Ethical Hacking.

Well, today's diary was inspired by a story I covered last week about a botnet that used DNS for remote command and control, but they encoded the commands using base64. Didier today noticed, well, hey, base64 actually contains a couple of characters, like the slash and the equal symbol, that must not show up in DNS host names. So how did they actually do it? Well, it turns out, as so often, that sometimes things that aren't supposed to work still work under certain circumstances. And what Didier found out is that, for example, nslookup, if some of these odd characters are being returned, well, it works just fine with nslookup. This is actually an important lesson that I often cover when I'm talking about web application security: that you can't really trust that protocols like DNS only return valid content. I think it was a few years ago that I wrote about this, and maybe I have to write about it again, because I'm not sure where it ended up. But for example, it is certainly possible to do things like SQL injection and cross-site scripting over DNS if you're not careful in cleaning up and validating the responses you're getting back via DNS. Very famously, Whois, of course. Now, that's just plain text. There are a number of Whois entries that have existed in the past with exploits in them. And yes, you know, whenever you get any content back from external systems, you have to make sure that the content actually matches the structure that you are expecting.

We have a little bit of Patch Tuesday cleanup to do, and that's usually about, well, patches that were released yesterday that we just didn't cover because of all the patches released by Microsoft and a couple of others. The first one I want to cover here is Google Chrome, which released an update fixing two security vulnerabilities, one of them being critical. And well, that's a use-after-free in Service Worker. So definitely a potential here for remote code execution. So definitely update. But Google Chrome, as I often say, is pretty good about updating itself. Make sure you restart Google Chrome once a day.

And we got patches from Ivanti fixing a number of different products, essentially an entire sort of remote access style suite that they have, which includes Connect Secure, Ivanti Policy Secure, ZTA Gateway, Neurons for Secure Access. So a number of different but somewhat similar products. The first vulnerability here, they call it missing authorization, and then describe it as allowing a remote authenticated hacker to hijack existing HTML5 connections. I believe they're talking here about WebSocket connections. There have been similar vulnerabilities before, and they have been exploited. So there are templates essentially available for how to exploit these types of vulnerabilities, which makes it more likely that they actually will be exploited in the future. The second vulnerability here is a cross-site request forgery vulnerability in the same set of products. This particular one does allow a remote unauthenticated hacker to execute sensitive actions. So the way a cross-site request forgery attack usually works is that a logged-in victim, while they're still logged in, is visiting a site that the attacker controls. And then the attacker can essentially sort of remote control the browser and perform actions on behalf of the victim. So these would be more targeted attacks. They're less likely going to be sort of widespread, big-number-of-victims attacks. As a good measure, of course, logging out of sites is always a good thing. But we're talking here about the secure access products, where users legitimately may be logged in pretty much all day in order to interact with internal systems and such. And so logging out is not necessarily a valid countermeasure in this particular case. So patch, apply the updates, and hopefully, well, we won't see an exploit for any of these vulnerabilities too soon.

And then we got Sophos releasing new firmware for its access points, the AP6 series. Well, fixing an authentication bypass vulnerability that they're considering critical. Definitely update. Not a lot of detail available yet about what the exact authentication bypass vulnerability is all about in these access points.

And then, well, also some good news from a defensive point of view. Yesterday, Apple, of course, released a lot of new hardware and such. But what they didn't mention is that this also included a new security feature that's supported by this new hardware. They published this blog post to explain a little bit what's happening here. They call it Memory Integrity Enforcement. And essentially what it does is it allows hardware and software to work together to make things like buffer overflows and memory allocation issues less likely to happen and to be exploitable. Looks interesting. It's also based on some prior work from others like, I believe, Google and such that have proposed similar things. They now made it work in their, again, latest hardware. It's not going to really affect any older devices. However, they already introduced some new constructs here, new APIs and such, to basically make it easier to write memory safe code on Apple devices in general. And overall, what they're trying to fight here is somewhat of the high-end, nation state like spyware and such that we often have seen infect particular mobile devices. So that's really what they're going after here.

Well, and this is it for today. Thanks for listening. Thanks for subscribing. Thanks for recommending this podcast. And that's it. Thanks. And talk to you again tomorrow. Bye.
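As an added example, not code from the Stormcast or from Didier's diary, here is the kind of strict allow-list check the episode argues for: names coming back from a resolver are validated against RFC 1123 host syntax before anything downstream uses them, so base64 text carrying '/' or '=' and markup are rejected rather than trusted. The sample answers are constructed, not real DNS data.

```python
import re

# RFC 1123 host label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
MAX_HOSTNAME_LEN = 253


def is_valid_hostname(name: str) -> bool:
    """Strict allow-list check for a host name returned by a resolver."""
    if name.endswith("."):          # tolerate exactly one trailing dot (FQDN form)
        name = name[:-1]
    if not name or len(name) > MAX_HOSTNAME_LEN:
        return False
    # An empty label (from "a..b") fails LABEL_RE, so double dots are rejected too.
    return all(LABEL_RE.match(label) for label in name.split("."))


def offending_characters(name: str) -> set[str]:
    """Characters in name outside the hostname alphabet (ASCII letters, digits, '-', '.')."""
    return {c for c in name if not (c.isascii() and (c.isalnum() or c in "-."))}


def triage_answers(names: list[str]) -> tuple[list[str], dict[str, set[str]]]:
    """Split resolver answers into names safe to pass on and names to drop, with the reason."""
    accepted, rejected = [], {}
    for n in names:
        if is_valid_hostname(n):
            accepted.append(n)
        else:
            # No bad characters means a structural problem: label length or hyphen position.
            rejected[n] = offending_characters(n) or {"<structure>"}
    return accepted, rejected


# Constructed sample answers: a normal name, base64 text with '/' and '=',
# an HTML tag smuggled into a label, and a label with a leading hyphen.
SAMPLE_ANSWERS = [
    "mail.example.com.",
    "YWJj/ZGVm==",
    "<script>.example.com",
    "-leading-hyphen.example.com",
]

if __name__ == "__main__":
    ok, bad = triage_answers(SAMPLE_ANSWERS)
    print("accepted:", ok)
    for name, why in bad.items():
        print("rejected:", repr(name), "->", sorted(why))
```

The same allow-list idea applies to any other field pulled out of a DNS or Whois response: decide what structure you expect, check the value against it, and drop anything that does not fit instead of trying to strip the bad parts out.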