Hello and welcome to the Wednesday, October 1st, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich, recording today from
Jacksonville, Florida. And this episode is brought to you
by the SANS.edu Graduate Certificate Program in Purple
Team Operations. When teaching our defensive web application
security class, SEC 522, one of the things of course that
always comes up is mistakes in authentication and access
controls. And one of the examples that is always
mentioned here are, well, simple cookies like a user
equals admin. So I wanted to put this to the test to see
how relevant this issue still is and looked at some of our
honeypots and what kind of cookies like this we are
seeing in the honeypot and well, how often they're
exploited. Certainly exploited quite a bit and the exploits
or the vulnerabilities being associated with these
particular cookies are actually not that super old.
Like the first one here, UID equals one, goes with a DVR
vulnerability that was originally described about a
year ago. You also have this user equals admin a little bit
older. Many of these of course are IoT style vulnerabilities.
So DVRs and wireless access points, routers and the like.
There are a couple of interesting ones like there is the admin
ID equals one, GW admin ticket equals one. I believe that one
was from a Chinese VPN that apparently can be administered
using this particular cookie. And then we also have the CMX
saved ID cookies. These are actually apparently associated
with a biometric security system. So yes, these
vulnerabilities are still relevant, and they're still
relatively recent vulnerabilities that are
following this pattern where essentially setting a simple
cookie will give you admin access to a system. And
talking about simple IoT devices, we do have an
advisory and patch from Western Digital for its
MyCloud devices. The firmware prior to 531.108 does suffer
from an arbitrary command injection vulnerability. A
simple HTTP POST request, which is actually one of these
types of requests that also matches the prior story. So it
wouldn't be that surprising if it were a simple cookie or
so that you would need in order to trigger this
vulnerability. But the actual payload, which would be part of the
POST request, does not appear to take any kind of
authentication to execute. However, the details regarding
this particular vulnerability are very slim and Western
Digital's advisory is pretty much useless. Just pointing to
the NVD entry, which is what I'll be using in the show
notes and maybe there will be some more useful links there
in the future. So patch your devices, and these network
storage devices, please never really connect them to the
internet. Only access them via VPN or from your local network
in order to minimize your footprint. And the
vulnerability in sudo is now officially being exploited
with the vulnerability being added to CISA's catalog of
known exploited vulnerabilities. It wasn't really a big surprise
and I mentioned it back when the vulnerability came out.
The vulnerability isn't that terribly difficult to exploit.
It uses the -R or change root parameter in sudo.
It's a privilege escalation vulnerability. I usually don't
really talk much about privilege escalation
vulnerabilities, but in this case, well, keeping privileges
apart, that's really all sudo has to do. So certainly a
critical vulnerability as far as sudo is concerned. Patches
have been made available for all the distributions that I
have checked, and many of them, like for example some recent
Red Hat versions and such, did not run one of the vulnerable
versions, which are 1.9.14 through 17. So those versions
were the only ones affected by this vulnerability. Well, and
that's it for today. Thanks for listening. Thanks for
liking and subscribing to this podcast and talk to you again
tomorrow. Bye.
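As an added example, not part of the episode or of any of the devices it mentions, the following Python shows both sides of the "simple cookie gives you admin" pattern from a defender's view: a small scanner that flags requests carrying trivially forgeable "authentication" cookies in web or honeypot logs, and an HMAC-signed session cookie that cannot be promoted to admin by editing its value. The cookie names in the watch-list, the log line format and the log lines themselves are constructed for this example and are assumptions modelled on the cookies read out in the episode, not an authoritative indicator list.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from http.cookies import CookieError, SimpleCookie

# Hypothetical watch-list of cookie name -> value that a naive device treats as
# "logged in as admin". Constructed from the cookies read out in the episode;
# real device cookie names differ, so this is an illustration, not an IoC list.
SUSPECT_COOKIES = {
    "uid": "1",
    "user": "admin",
    "admin_id": "1",
    "gw_admin_ticket": "1",
}

# Constructed honeypot log lines (not real ISC data), in the assumed format
# '<ip> "<METHOD> <path> HTTP/1.1" cookie="<Cookie header>"'.
CONSTRUCTED_HONEYPOT_LOG = [
    '203.0.113.10 "GET /admin.cgi HTTP/1.1" cookie="uid=1"',
    '203.0.113.10 "GET /login.htm HTTP/1.1" cookie="user=admin; lang=en"',
    '198.51.100.7 "GET /index.html HTTP/1.1" cookie="session=7f3a9c; lang=en"',
    '198.51.100.7 "POST /cgi-bin/config HTTP/1.1" cookie="gw_admin_ticket=1"',
    '192.0.2.44 "GET / HTTP/1.1" cookie="user=guest"',
]

def parse_cookie_header(header):
    """Parse a raw Cookie header ('a=1; b=2') into a dict; malformed input yields {}."""
    jar = SimpleCookie()
    try:
        jar.load(header)
    except CookieError:
        return {}
    return {name: morsel.value for name, morsel in jar.items()}

def find_forged_auth_cookies(log_lines):
    """Return (ip, path, cookie_name, value) for every request carrying a watch-listed cookie."""
    hits = []
    for line in log_lines:
        try:
            ip, rest = line.split(" ", 1)
            path = rest.split('"')[1].split(" ")[1]
            cookie_hdr = rest.split('cookie="', 1)[1].rsplit('"', 1)[0]
        except (IndexError, ValueError):
            continue  # skip lines that do not match the constructed format
        for name, value in parse_cookie_header(cookie_hdr).items():
            if SUSPECT_COOKIES.get(name.lower()) == value:
                hits.append((ip, path, name, value))
    return hits

def naive_is_admin(cookies):
    """The anti-pattern from the episode: a client-controlled cookie is the whole login state."""
    return cookies.get("user") == "admin"

def issue_session(username, key, ttl=3600):
    """Mint a session cookie value: urlsafe-base64(JSON payload) + '.' + HMAC-SHA256 tag.
    The username sits inside the signed payload, so editing it without the key breaks the tag."""
    payload = {"u": username, "exp": int(time.time()) + ttl, "n": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag

def verify_session(cookie_value, key):
    """Return the username if the tag verifies and the session has not expired, else None."""
    if "." not in cookie_value:
        return None  # not even the right shape (e.g. a bare 'user=admin')
    body, tag = cookie_value.rsplit(".", 1)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or tampered cookie
    try:
        payload = json.loads(base64.urlsafe_b64decode(body.encode()))
    except (ValueError, UnicodeDecodeError):
        return None
    if payload.get("exp", 0) < time.time():
        return None  # expired session
    return payload.get("u")

def tamper_username(cookie_value, new_user):
    """Simulate the 'just edit the cookie' trick against the signed format: rewrite the
    username in the payload but keep the old tag. verify_session() must reject the result."""
    body, tag = cookie_value.rsplit(".", 1)
    payload = json.loads(base64.urlsafe_b64decode(body.encode()))
    payload["u"] = new_user
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    return body + "." + tag

if __name__ == "__main__":
    for hit in find_forged_auth_cookies(CONSTRUCTED_HONEYPOT_LOG):
        print("suspect auth cookie: ip=%s path=%s %s=%s" % hit)
    key = secrets.token_bytes(32)  # per-deployment secret, never shipped in firmware
    cookie = issue_session("alice", key)
    print("valid cookie ->", verify_session(cookie, key))
    print("tampered cookie ->", verify_session(tamper_username(cookie, "admin"), key))
```

The scanner is meant for a quick pass over access or honeypot logs to see which of these probes are hitting a network; on a real device the fix is the second half, a session token whose contents are bound to a server-side secret (or an opaque random ID looked up server-side), so that no value the client can type in equals "admin".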