Hello and welcome to the Wednesday, April 9th, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich and today I'm recording from
Jacksonville, Florida.

Well, of course, it's Patch Tuesday today, so we have to start with Microsoft patches. We do have sort of an average Patch Tuesday. Renato, who did our
diary today, counted 125 vulnerabilities. I've seen
others quote 134 vulnerabilities. It typically
depends on whether or not you count the Chromium
vulnerabilities that apply to Microsoft Edge or not. But
either way, let's look at some of the interesting
vulnerabilities that are sort of worth noting.

To start out, we got sort of a friend of the show, the Common Log File System Driver. This is a Windows component that has led to at least five zero-day vulnerabilities over the last couple of years. And yes, we do have another privilege escalation vulnerability here that is already being exploited, and apparently being exploited by ransomware actors as well. So not just one of those state-actor-style vulnerabilities.
be the source of so many vulnerabilities? Pretty
straightforward reasoning behind this. It is a kernel
driver, so it runs with kernel privileges. It must run with
kernel privileges, well, in some ways, because it has to
read all the different logs that it is parsing. And then,
of course, it has to parse those logs. And logs sometimes
do contain, well, hostile content. And that's sort of
the reason yet again where a problem in the log parser is
being exploited to then elevate privileges,
essentially execute code as the driver, which then gets
you full system access. So that story just keeps
repeating. There's not too much you can do proactively about this other than your standard best practices, hardening your system. But you can't really just turn off logging; then you would have other problems.

Then on to other critical vulnerabilities. We do have two vulnerabilities against the LDAP server. Again, something that we have had happen a couple of times over the last few months. Not yet exploited, and exploitation is difficult, according to Microsoft, involving some timing issues where, again, it depends somewhat on the creativity of the attacker, what they're going to do with
these vulnerabilities. But quite often, if they don't
really sort of control all of the events contributing to the
timing issue, then this may not necessarily be an
exploitable vulnerability. I don't remember seeing any of
the prior LDAP issues being exploited recently, but I may
have missed a vulnerability there. So let me know if there
was a recent new LDAP vulnerability that was
exploited in the wild.

In addition, we do have critical vulnerabilities in Office products, in particular in Excel. That typically involves opening a file and then code being executed. Now, given that they're rated
critical, it shouldn't require any user interaction. So this
may execute before you actually open the files or
some kind of preview scenario or something like that. Get it
patched. That's really the best thing you can do here.

As far as priorities go, I would start with your RDP and your LDAP servers, just because they tend to be the most exposed systems in your network. So definitely something that you need to address quickly. Then definitely the Office products, because that's probably the largest attack surface that you have in your organization.

And just to close out this Windows patch topic here, Windows 10 is affected by many of the vulnerabilities being addressed today. But there are
no Windows 10 patches available yet. Remember,
Windows 10 is being phased out. There will be patches for
Windows 10, particularly like the LDAP, RDP stuff and things
like that. But Windows 10 is definitely something that you
need to look into, to hopefully move away from.

Adobe today released updates as well, as usual. They released updates for 12 different products. Two of these products are on my watch list of noteworthy products. Adobe ColdFusion: there are a number of remote code execution vulnerabilities here in ColdFusion that are rated critical. Also, Adobe Commerce received a patch, also a frequently exploited product. Nothing critical here in Adobe Commerce, some privilege escalation vulnerabilities that you probably should look into. Update and patch. That's really what you should do with both of these products, relatively quickly. Of course, that can be tricky, in particular with ColdFusion.

Then we got a new release from OpenSSL today, OpenSSL 3.5.0. It is a new major release at 3.5. It's also a long-term support release. No end of
support defined yet for this product, but it will likely be
many years in the future. The big addition here to 3.5 is
post-quantum ciphers. So, definitely a hot topic and
your first opportunity to really play with sort of a
production-level implementation of these
ciphers in OpenSSL. It typically takes quite a while
for these sort of major releases to then trickle into
Linux distributions and such. Maybe it happens a little bit
faster here now given the post-quantum cipher issues. But,
yeah. You can always compile it yourself. And, like I said, start playing with it. See if any of the software that you need post-quantum ciphers for will be able to work with this release.

Fortinet released a critical update for FortiSwitch going back to version 6.4. This
particular vulnerability that's being addressed here
may allow an unauthenticated password change. So,
definitely make sure that you update this. It has been
reported internally. So, no exploit known yet. But,
typically, vulnerabilities like this with some patch
diffing are relatively easy to figure out.

Well, and this is
any updates, corrections here, please let me know. Or if I
missed any stories, please let me know. Thanks for
subscribing. And thanks for recommending this podcast to
others. And talk to you again tomorrow. Bye.
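
Added example, not part of the Stormcast transcript: a small POSIX shell script for the "start playing with it" step in the OpenSSL 3.5.0 segment, checking whether the OpenSSL on a given system is the 3.5 release, whether its build lists ML-KEM, and, optionally, whether a TLS 1.3 handshake with a post-quantum group actually negotiates. It assumes `openssl` is on PATH and uses the TLS group names OpenSSL 3.5 assigns to its hybrid and pure ML-KEM groups (X25519MLKEM768, MLKEM768); the hostname is whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the Stormcast): probe the locally installed OpenSSL
# for the post-quantum support that arrived in 3.5.0.
# Assumptions: `openssl` is on PATH, and the TLS group names are the ones
# OpenSSL 3.5 uses (X25519MLKEM768 for the hybrid, MLKEM768 for pure ML-KEM).

# version_ge A B: succeed (exit 0) when dotted version A >= B.
# Compares up to three numeric components; missing components count as 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Print just the version number from `openssl version`, e.g. "3.5.0".
openssl_version() {
    command -v openssl >/dev/null 2>&1 || return 1
    openssl version | awk '{ print $2 }'
}

# Succeed when the installed OpenSSL lists an ML-KEM KEM algorithm.
has_mlkem() {
    openssl list -kem-algorithms 2>/dev/null | grep -qi 'ML-KEM'
}

# Attempt a TLS 1.3 handshake offering only the given group (default: the
# X25519+ML-KEM-768 hybrid) and show what was negotiated, or the failure.
probe_pq_handshake() {
    host=$1
    group=${2:-X25519MLKEM768}
    printf '' | openssl s_client -connect "$host:443" -servername "$host" \
        -groups "$group" -brief 2>&1 |
        grep -iE 'Negotiated TLS1.3 group|Server Temp Key|error|alert'
}

main() {
    v=$(openssl_version) || { echo "openssl not found on PATH"; return 1; }
    if version_ge "$v" 3.5.0; then
        echo "OpenSSL $v: 3.5 or newer, ML-KEM should be built in"
    else
        echo "OpenSSL $v: older than 3.5, no built-in ML-KEM"
    fi
    if has_mlkem; then
        echo "ML-KEM algorithms are available in this build"
    else
        echo "no ML-KEM algorithms listed by this build"
    fi
    if [ -n "$1" ]; then
        probe_pq_handshake "$1"
    fi
}

# Usage: sh pq_probe.sh --run example.com   (hostname optional)
if [ "${1:-}" = "--run" ]; then
    main "${2:-}"
fi
```

The version and algorithm checks run offline; only the handshake probe needs network access. If the build lists ML-KEM but the probe against your own server still reports a classical group or a handshake alert, the gap is on the server side (or in a client application that does not offer the group), which is exactly the compatibility question the episode suggests testing before a distribution ships 3.5.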