Hello and welcome to the Thursday, September 4th, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich, recording today from
Jacksonville, Florida. And this episode is brought to you
by the SANS.edu graduate certificate program in Purple
Team Operations.

Our honeypots over the last couple of days picked up
some attacks for the Dassault DELMIA Apriso software. Now
you're probably not familiar with that. That's not
necessarily sort of a household name, but it's a
manufacturing operation management software. One of
these complex packages that basically interface with your
plant and your enterprise resource planning system and
allow you to sort of get a holistic view of a
manufacturing process, sort of from the devices on the
manufacturing line all the way to the bookkeeping. There have
been a number of vulnerabilities in this
software in recent months. This particular one that we see
exploited is a deserialization vulnerability that was patched
in June. There were a couple other remote code execution
vulnerabilities that I didn't see so far being exploited.
The advisories from Dassault are fairly minimal. They're sort
of little one-liners, essentially saying what the
vulnerability is all about. Definitely if you're running
this type of software, make sure you keep it patched. Not
just this particular software from Dassault, but any sort of
complex operation management software and such tends to
have vulnerabilities, in particular deserialization
vulnerabilities like this. We have seen them also often in
ERP software. And yes, they are usually not easy to patch.
So you want to stay ahead of that, not wait for the
emergency, like now hearing that there is active
exploitation of this vulnerability before you have
to apply any patches for this type of software.

And we got the monthly update for Android from Google. This is the
September version of this update. Two vulnerabilities
here. Both privilege escalation vulnerabilities are
already being exploited. One of these vulnerabilities
affects the Linux kernel. I believe that's a vulnerability
that also has been discussed with respect to Linux in
general. And then there's a second vulnerability in the
Android system. There are, in addition to these privilege
escalation vulnerabilities, additional vulnerabilities
that can lead to remote code execution from what they're
calling a network adjacent position. So not necessarily
across the internet, but someone being sort of on the
same Wi-Fi network or on the same LTE or cellular network
that may also be exploitable this way. Well, as usual,
update as these updates become available for your particular
phone.

And we have yet another interesting certificate event
to talk about. This time it's a certificate for the IP
address 1.1.1.1. This IP address is used by Cloudflare
for its DNS service. So a certificate that is valid for
this IP address may be useful to intercept DNS over HTTPS,
DNS over QUIC connections to that IP address. The
certificate authority that issued this certificate is
FINA RDC. As far as I know, they're not universally
trusted. However, they're trusted by Microsoft's Edge
browser. This certificate was issued a few months ago. I
think it says three months when it was first seen. It was
properly added to certificate transparency logs, but only
now was noted for some reason. Well, there are a lot of
certificates in those logs. Also, it was added as an
alternative name, which isn't quite as obvious. The main
subject CN for the certificate was test1.hr. .hr is for
Croatia, so it's their country top-level domain. Given that
it was test1.hr, it could be that this was just
a test someone was running. Still, not good that that
certificate made it sort of through the certificate authority.
But at this point, we don't know what the purpose of the
certificate was. Just well, that it has been around and is
probably still valid as of me recording this podcast.

And this vulnerability I'm really just covering in part because
it's sort of familiar. It hits a couple buttons with me. In
the ESP-IDF web server, an interesting authentication
bypass happens by the web server only comparing as many
characters as the user actually provides. So if you
provide a short password like just the letter S, then only
the first letter of the password S is compared. And
with that, of course, you can primitively brute force
passwords. The ESP-IDF web server, if you're familiar
with this, it's part of these little prototype boards and
often used in home automation, where you have a little
ESP CPU with some Wi-Fi, Bluetooth and such interfaces
that allow you to automate some tasks. Well, patch, of
course, as usual. I'm not sure how many are exposing ESPHome
to the internet.

Well, this is it for today. So thanks for
listening. Thanks for liking. Thanks for subscribing. And as
always, special thanks if you're leaving a comment in
your favorite podcast platform. I think I haven't
seen new comments in a while, on Apple or Amazon in
particular. Not a lot of people are apparently
listening to Alexa in the morning to this podcast. But
anyway, that's it for today and talk to you again
tomorrow. Bye.
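As an added example (not part of the podcast, and not code from the ESP-IDF project), here is a minimal C illustration of the authentication-bypass pattern described for the ESP-IDF web server: a password check whose comparison length is bounded by whatever the client sent, so any prefix of the real password is accepted, next to a hardened check that requires equal length and compares every byte without an early exit. The stored password, the alphabet and the helper names are constructed for the demo; the real ESP-IDF code is not reproduced here. The recovery routine shows why this matters: against the weak check each character costs at most one pass over the alphabet, so the whole password falls in a few hundred requests instead of alphabet^length.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed credential for the demo; not taken from any real device. */
static const char STORED_PASSWORD[] = "s3cret!";

/* Vulnerable pattern from the podcast (illustrative, hypothetical code):
 * the comparison is bounded by strlen(provided), so "s", "s3", "s3c", ...
 * all pass against "s3cret!". An empty password is rejected only because
 * we check for it explicitly. */
bool weak_check(const char *provided)
{
    size_t n = strlen(provided);
    if (n == 0)
        return false;
    return strncmp(STORED_PASSWORD, provided, n) == 0;
}

/* Hardened check: lengths must match, and every byte is XOR-accumulated so
 * the loop runs the same number of iterations regardless of where the
 * first mismatch is (no early exit, no prefix acceptance). */
bool safe_check(const char *provided)
{
    size_t stored_len = strlen(STORED_PASSWORD);
    size_t n = strlen(provided);
    if (n != stored_len)
        return false;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)STORED_PASSWORD[i] ^ (unsigned char)provided[i];
    return diff == 0;
}

/* Character-by-character recovery against weak_check(): extend the known
 * prefix by one character at a time, trying each alphabet symbol until the
 * check accepts. Stops when no symbol extends the prefix (password found).
 * Returns the number of guesses; writes the recovered password to out. */
size_t recover_with_weak_check(char *out, size_t out_size)
{
    const char *alphabet = "abcdefghijklmnopqrstuvwxyz0123456789!";
    size_t guesses = 0;
    size_t len = 0;
    out[0] = '\0';
    while (len + 1 < out_size) {
        bool extended = false;
        for (const char *c = alphabet; *c; c++) {
            out[len] = *c;
            out[len + 1] = '\0';
            guesses++;
            if (weak_check(out)) {
                extended = true;
                break;
            }
        }
        if (!extended) {
            out[len] = '\0'; /* no symbol extends the prefix: done */
            break;
        }
        len++;
    }
    return guesses;
}

/* Convenience wrapper: guess count if the weak check leaked the full
 * password, -1 otherwise. */
long recovery_guesses(void)
{
    char buf[32];
    size_t g = recover_with_weak_check(buf, sizeof buf);
    return strcmp(buf, STORED_PASSWORD) == 0 ? (long)g : -1L;
}

int main(void)
{
    char buf[32];
    size_t g = recover_with_weak_check(buf, sizeof buf);
    printf("weak_check(\"s\")       = %d\n", weak_check("s"));
    printf("safe_check(\"s\")       = %d\n", safe_check("s"));
    printf("recovered \"%s\" in %zu guesses via weak_check\n", buf, g);
    printf("safe_check(recovered) = %d\n", safe_check(buf));
    return 0;
}
```

The hardened version still has to reject an empty password and any length mismatch up front; the constant-time loop only matters once lengths are equal. The same prefix-acceptance bug shows up whenever a bounded comparison (strncmp, memcmp with the attacker-chosen length) is used on secrets, so the check to add in review is "who controls the length argument?".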