Hello and welcome to the Wednesday, March 26, 2025
edition of the SANS Internet Storm Center's
Stormcast. My name is Johannes Ullrich and today I am
recording from Jacksonville, Florida. Well, today in
Diaries we do have an interesting vulnerability that
I saw being exploited. It affects XWiki. Wikis, of
course, are always dangerous. However, the vulnerability
being exploited is not in a feature that's commonly
associated with dangers like uploading files or allowing
users to edit a page. It's in the search feature. And in
this case, actually, the search feature is open to
remote code execution. The problem is that this
particular wiki, and again we're talking about XWiki
here, is written in Java and it does allow for output
rendering transformations. The idea behind this is that part
of the wiki code is essentially these templates
and then as they're being sent to the user, well, they're
being parsed. That's where these rendering
transformations are being applied. But in the search
feature, the search string also was subject to these
rendering transformations. So if you searched for a Groovy,
in this case, code snippet, well, that code was actually
then parsed as the data was returned to the user. And that
led to the remote code execution. The vulnerability
is about a year old. I haven't seen a lot of exploitation
against it. Just sort of now sort of bubbled to the top.
Early expectations were like about in June. But only sort
of, you know, individual hits against our honeypots, which
sort of didn't make it to our threshold where we sort of
consider it something new and noteworthy. Definitely update
XWiki, make sure that it is up to date. But again, there's an
older vulnerability. So nothing that's just breaking
new. And then I have a correction to yesterday's
podcast. Sorry, I don't have the note from the listener who
actually pointed that out anymore. But the problem was
the FBI's announcement about image conversion tools that
actually referred to online tools. So you're not
downloading the tool here. Instead, you're uploading your
image or document to a website that then does the conversion
for you. The threat here is that some of these websites
will basically take content from the document and
exfiltrate it. But they also, when they return then the
converted file, that converted file that you're then
downloading may contain malware. So that was the
threat here, which is something different than sort
of what you usually see. And it definitely makes more sense
that there is this special advisory for this particular
threat. And in vulnerabilities, we do have
updates from VMware. This update fixes an authentication
bypass in VMware Tools. The scope is a little bit more
limited here. An attacker who has normal user access to a
Windows virtual machine may be able to gain administrative
access to that Windows virtual machine. So not necessarily
sort of a jailbreak style vulnerability. Has a CVSS
score of 7.8. And again, only affects VMware Tools and only
on Windows. And I think it was just last week that I was
looking at some DrayTek vulnerabilities that were
being exploited against our honeypots. Well, it looks like
DrayTek actually had a bad weekend with many customers
reporting that their routers were stuck in a reboot loop.
So DrayTek makes these router/firewall combos, and
apparently a firmware update issue or something like that.
It's not really specified. It did cause that reboot loop.
They do suggest upgrading to the latest firmware. However,
with the router rebooting, that may not be that easy. It
apparently is working better if you disconnect the WAN
interface. And then there's also an option to update via
TFTP, which in itself can be a little bit tricky to set up.
But that's sort of your last resort if the update via the
web application does not work. And Trend Micro released some
details regarding the Microsoft Management Console
vulnerability that was patched by Microsoft this month. This
was one of the vulnerabilities that was already being
exploited. So Trend Micro is now going over some of the
exploits that they have seen as part of Ransom Air and how
the exploit worked. There's a particularly interesting evil
twin issue here where an attacker could basically give
you two snap-ins for the Microsoft Management Console
with the same name, trick you into loading the not evil one,
and then use that to then later execute code from the
evil one. More details in the blog. It's a little bit too
much here for the podcast. Well, and this is it for
today. If you're living in Jacksonville, today on
Wednesday, I'll be speaking over lunch at the InfraGard
meeting. I'll be going over some of the Internet Storm
Center. Please register on their website for more details
on that. Thanks for listening and talk to you again
tomorrow. Bye.
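The XWiki item at the top of the episode describes a search string that is run through the wiki's rendering transformations, so a Groovy macro typed into the search box gets executed. As an added example (not part of the Stormcast episode and not XWiki's own code), the Python below scans web-server access-log lines for search requests whose decoded query parameters contain XWiki macro syntax, and it goes slightly beyond the episode by flagging any script-capable macro marker ({{groovy}}, {{velocity}}, {{python}}, {{async}}, {{include}}, {{display}}) rather than Groovy alone, and by unwrapping double URL-encoding. The log lines are constructed, and the endpoint path /xwiki/bin/get/Main/Search is an assumed placeholder, not the actual affected endpoint.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed access-log lines for illustration only (not real traffic).
# The path /xwiki/bin/get/Main/Search is an assumed placeholder endpoint.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Mar/2025:10:15:03 +0000] "GET /xwiki/bin/get/Main/Search'
    '?text=%7B%7Bgroovy%7D%7Dprintln%28%22hello%22%29%7B%7B%2Fgroovy%7D%7D HTTP/1.1" 200 512',
    '198.51.100.7 - - [26/Mar/2025:10:15:09 +0000] "GET /xwiki/bin/get/Main/Search'
    '?text=quarterly+report HTTP/1.1" 200 2048',
    # Double URL-encoded variant: %257B decodes to %7B, which decodes to "{".
    '203.0.113.5 - - [26/Mar/2025:10:16:41 +0000] "GET /xwiki/bin/get/Main/Search'
    '?text=%257B%257Basync%257D%257D%257B%257Bgroovy%257D%257D HTTP/1.1" 200 512',
    '192.0.2.9 - - [26/Mar/2025:10:17:02 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 8192',
]

# Common log format: client, ident, user, [timestamp], "METHOD target HTTP/x", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# XWiki 2.x macro markers that can run script or pull in rendered content.
# A legitimate search term has no reason to contain "{{groovy" or "{{/groovy".
MACRO_RE = re.compile(
    r"\{\{\s*/?\s*(groovy|velocity|python|async|include|display)\b", re.IGNORECASE
)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded payloads are unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target):
    """Return [(param_name, decoded_value)] for query parameters carrying macro syntax."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = fully_decode(value)  # parse_qsl already decoded once; peel further layers
        if MACRO_RE.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(lines):
    """Return one finding per request whose query string contains XWiki macro syntax."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        hits = suspicious_params(m["target"])
        if hits:
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "path": urlsplit(m["target"]).path,
                "params": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ts"], finding["ip"], finding["path"])
        for name, value in finding["params"]:
            print("   ", name, "=", value)
```

Because the macro markers survive URL-decoding in a fixed form, the check works on any query parameter and any path; pinning it to a specific endpoint would miss the same payload submitted to another rendering-capable parameter. The decode loop is bounded so a log line cannot make the scanner spin, and the benign "quarterly report" request produces no finding.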