Hello and welcome to the Wednesday, May 14th, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich and today's Stormcast is brought
to you from the SANS.EDU Certificate Program in Cloud
Security from Jacksonville, Florida. And the highlight
today, of course, is Microsoft's Patch Tuesday. We
had patches for 78 vulnerabilities in May. Eight
of them had already been patched earlier, so 70 are
new vulnerabilities being announced as part of this
release. Out of the 78 vulnerabilities, 11 are
critical and the number that's a little bit higher than
normal is that we have five already exploited
vulnerabilities that are being patched today. Now, out of
those five vulnerabilities, there are four privilege
escalation vulnerabilities. And a couple of them, I
always call them friends of the show here, are the Windows
Common Log File System driver elevation of privilege
vulnerabilities. That's something we had a couple of
times before already. That's the old problem where this log
file system driver is running with elevated privileges. It
has to parse various log formats and that often fails.
So definitely something to be aware of. There was one code
execution vulnerability here. And this is the scripting
engine memory corruption vulnerability. However, this
vulnerability is only exploitable if you are running
Microsoft Edge in Internet Explorer mode, because that
scripting engine is that leftover part from Internet
Explorer. Probably do some configuration checks and such
to make sure that this doesn't happen unintentionally. I can
imagine that developers, maybe some system
administrators that need access to legacy tools and
such, may need that. But it should hardly ever be the case
that people actually need to run in Internet Explorer mode.
You definitely should control that. Now, among the other
sort of interesting vulnerabilities, we did have
one vulnerability that initially sort of caught my
interest. Because, well, it's a Windows Remote Desktop Services
Remote Code Execution vulnerability. And note here, it's only
rated as important. It's not rated as critical. Even though
this vulnerability is exploitable without
authentication. However, there's another big dependency
here. It's a timing vulnerability. And it's only
exploitable while the remote desktop service is being
relaunched. On the same note, if you look a little bit back,
there are also two vulnerabilities here, also
important, that are remote desktop gateway denial of
service vulnerabilities. So, if an attacker would be able
to trigger a restart, maybe with one of these denial of
service vulnerabilities, then the code execution
vulnerability all of a sudden becomes a lot more
exploitable. That's a speculation at this point. So,
I haven't seen anybody really talk about whether the denial
of service can trigger a restart and whether it then
becomes exploitable. Definitely something to patch.
Think a little bit about configuration changes and
such, in particular with these repeating
vulnerabilities where you probably want to be ready for
the next log system vulnerability or the next
scripting engine vulnerability. Well, maybe
Microsoft's zero days today were a little bit
disappointing for the attackers. Leave it up to
Ivanti to make up for it. Ivanti fixed two already
exploited vulnerabilities in Ivanti's Endpoint Manager
Mobile. The first vulnerability is an
authentication bypass vulnerability. The second
vulnerability then is a remote code execution vulnerability.
This one, well, after you exploit the authentication bypass,
doesn't require any authentication either. I think
the CVSS score is a little bit on the low side here, given
the overall impact. But that's sort of one of the
difficulties sometimes that a vulnerability by itself may
not really be that much of a big deal. But once you look at
them together and are able to sort of chain exploitation
like this, well, you all of a sudden have a much larger
problem. And talking about already exploited
vulnerabilities, we also got updates from Fortinet.
Fortinet patched a stack-based buffer overflow that's already
being exploited and affects a number of Fortinet products.
For example, FortiCamera, FortiMail, FortiNDR,
FortiRecorder, and FortiVoice. And for all of these, several
versions, pretty much all supported versions, are
affected. So another thing that I would probably
prioritize ahead of some of the Microsoft updates this
week. Well, and that's it for today. Thanks for listening
and thanks for liking the podcast. Thanks for any
comments and such that are coming in. And for those of
you watching this, as in a video format, I try to add a
couple screenshots of webpages and such to make things a
little bit easier to follow along. I don't do that while I'm
on the road just because there are too many moving parts.
And at home, the setup that I'm using makes it a bit
easier to add this. Well, that's it for
today. Thanks and talk to you again tomorrow. Bye. Bye. Bye.
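
The configuration check the episode suggests for Edge's Internet Explorer mode, written as an added example that is not part of the Stormcast or of any Microsoft tooling. It assumes the documented Edge policy registry values under the Edge policy keys (InternetExplorerIntegrationLevel, InternetExplorerIntegrationSiteList and InternetExplorerIntegrationReloadInIEModeAllowed) and reports whether IE mode is enabled by policy on the host; the function name Get-EdgeIEModeState is an assumption chosen here.

```powershell
# Added example (not from the Stormcast): report whether Microsoft Edge's
# Internet Explorer mode is turned on by policy on this machine.
# Assumes the Edge policy registry values documented by Microsoft:
#   InternetExplorerIntegrationLevel        (0 = None, 1 = IEMode, 2 = NeedIE)
#   InternetExplorerIntegrationSiteList     (URL of the enterprise site list)
#   InternetExplorerIntegrationReloadInIEModeAllowed (user-initiated reload in IE mode)
function Get-EdgeIEModeState {
    [CmdletBinding()]
    param(
        # Both hives are checked, since machine and user policy can each apply.
        [string[]]$PolicyKeys = @(
            'HKLM:\SOFTWARE\Policies\Microsoft\Edge',
            'HKCU:\SOFTWARE\Policies\Microsoft\Edge'
        )
    )

    $levelNames = @{ 0 = 'None (IE mode off)'; 1 = 'IEMode'; 2 = 'NeedIE' }

    foreach ($key in $PolicyKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

        $level    = $props.InternetExplorerIntegrationLevel
        $siteList = $props.InternetExplorerIntegrationSiteList
        $reload   = $props.InternetExplorerIntegrationReloadInIEModeAllowed

        # Only emit a record when at least one IE mode policy value is present.
        if ($null -ne $level -or $null -ne $siteList -or $null -ne $reload) {
            [pscustomobject]@{
                PolicyKey     = $key
                Level         = if ($null -ne $level) { $levelNames[[int]$level] } else { 'not set' }
                SiteList      = if ($siteList) { $siteList } else { 'not set' }
                ReloadInIE    = if ($null -ne $reload) { [bool]$reload } else { 'not set' }
                # Level 1 (IEMode) or 2 (NeedIE) means sites can be loaded by the legacy engine.
                IEModeEnabled = ($level -eq 1 -or $level -eq 2)
            }
        }
    }
}

# Usage: run on a host (elevation not required for reading policy keys).
$states = @(Get-EdgeIEModeState)
if ($states.Count -eq 0) {
    'No Edge IE mode policy configured (no InternetExplorerIntegration* values under the Edge policy keys).'
}
else {
    $states | Format-List
    if ($states | Where-Object -Property IEModeEnabled) {
        Write-Warning 'IE mode is enabled by policy; confirm the site list is deliberate and limited to the hosts that need it.'
    }
}
```

The script only reports what policy says. A host with no policy values at all still deserves a look at edge://settings/defaultBrowser, and in a managed environment the goal is an explicit InternetExplorerIntegrationLevel of 0 everywhere except the few machines whose site list genuinely needs the legacy engine.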