Episode Transcript
0:00
Hello and welcome to the Wednesday June 12,
0:02
2024 edition of the SANS Internet Storm Center Stormcast.
0:08
My name is Johannes Ullrich and
0:10
I'm recording from Jacksonville, Florida. It's
0:14
Microsoft's Patch Tuesday and of course
0:16
we'll have to start with what
0:18
Microsoft had to offer today. It
0:21
was a bit less than normal.
0:24
We had 58 total
0:27
vulnerabilities being patched. Now
0:29
seven of these vulnerabilities
0:31
are Chromium vulnerabilities and
0:33
as such they affect
0:35
Microsoft's Edge browser and
0:37
51 vulnerabilities are sort
0:39
of your classic Microsoft
0:41
vulnerabilities. Only one of
0:43
these vulnerabilities is rated critical and
0:45
then we had one vulnerability
0:48
that had been disclosed before. The
0:50
disclosed vulnerability has actually been around
0:52
for a while. It was first
0:55
made public in February. A number
0:57
of German researchers did publish a
1:00
paper and they called it KeyTrap.
1:03
It's a DNSSEC denial
1:05
of service vulnerability. Nothing
1:08
really all that outrageous and
1:10
major. It did affect most
1:13
DNS implementations, not just Microsoft's
1:15
DNS implementation and Microsoft now
1:17
finally got around to actually
1:20
fixing this vulnerability. The
1:23
one critical vulnerability affects
1:25
the Microsoft Message Queuing
1:27
service. This has
1:30
been a service that has had issues
1:32
in the past. Port
1:35
1801 TCP is how you
1:37
reach this service. It
1:39
can be a little bit of a tricky one according
1:42
to some, because, well, there's a
1:44
lot of third party services that often
1:46
use this service. So
1:48
that may make it
1:50
a little bit more difficult to figure out where it's
1:52
actually being used in your environment. Port
1:56
1801 shouldn't really be open for
1:58
inbound traffic into your environment.
2:00
So that should certainly help here
2:03
with mitigation. We do see quite
2:05
a good number. It's not sort of a top port as
2:08
far as the port scanning goes that we
2:10
detect, but there is sort of what I
2:12
refer to as a background hum where you
2:15
have sort of a consistent background noise of
2:17
hits to port 1801. Probably
2:19
need to take a closer look to
2:22
see what exactly they're looking for if
2:24
they're looking for this Microsoft Message Queuing
2:26
or something else. Other
2:28
than that, you've got your usual
2:31
remote code executions in
2:33
office products, some kernel
2:36
privilege escalation vulnerabilities. So
2:38
in short, apply these patches
2:40
as usual. Nothing
2:42
that needs sort of specific
2:45
escalation here. Just follow your
2:47
standard patch procedure. And
2:50
just in case you wonder about
2:52
Adobe, I didn't see any patches being
2:55
announced from Adobe today. And
2:59
JetBrains fixed a vulnerability that
3:01
does affect all of its
3:03
IntelliJ based products. IntelliJ
3:06
is sort of a generic
3:08
Java based IDE and most
3:10
JetBrains products, their PhpStorm,
3:12
PyCharm and all of these
3:14
products do
3:16
include IntelliJ or are based
3:18
around IntelliJ. The problem
3:20
here is that the
3:23
GitHub integration actually leaks
3:25
the access credentials to
3:27
GitHub if you
3:29
are making a pull request
3:31
from a malicious repository. In
3:34
order to be vulnerable, you need
3:36
to actually issue the pull request
3:38
from the IDE itself. Many
3:40
people, I know I myself find it a little
3:43
bit more convenient to do it from the
3:45
command line versus from the IDE. So
3:48
that's required in order to
3:50
trigger the vulnerability. It
3:52
does affect both OAuth as
3:55
well as personal access tokens.
3:57
If you are worried about
3:59
possibly having exposed them,
4:01
you need to revoke those
4:03
credentials and create new ones.
4:07
And yes, we do
4:09
have another Veeam authentication
4:11
bypass vulnerability, this time
4:14
affecting the Veeam Recovery
4:16
Orchestrator or VRO. In
4:19
order to exploit the vulnerability, an
4:21
attacker needs to know the exact
4:23
username and role of the account
4:25
that they are trying to impersonate.
4:28
This sounds very much like
4:30
the vulnerability I actually covered yesterday.
4:32
I double-checked: it's
4:35
a different CVE number, so
4:37
maybe similar or same
4:39
vulnerability just in a
4:41
slightly different Veeam product.
4:45
Finally, sort of one of
4:47
those fun IoT vulnerabilities, IBM's
4:50
X-Force has a blog
4:52
with details regarding a
4:54
couple of vulnerabilities in
4:57
Precor treadmills. One
4:59
of the more severe ones is
5:01
an exposed SSH key that
5:03
would allow someone root-level
5:05
access to three versions
5:07
of the console. And
5:10
with that, an attacker could also
5:12
affect the functionality of the treadmill,
5:14
like for example, causing a sudden
5:16
stop, which of course could
5:19
have possible safety implications.
5:22
Well, this is it for
5:24
today. Thanks for listening. Thanks
5:26
for liking and special thanks
5:29
to anybody who ever left
5:31
a good comment about this
5:33
podcast. So, thanks and talk
5:35
to you again tomorrow. Bye.