ISC StormCast for Wednesday, June 12th, 2024

Released Wednesday, 12th June 2024

Episode Transcript


0:00

Hello and welcome to the Wednesday, June 12, 2024 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and I'm recording from Jacksonville, Florida.

0:14

It's Microsoft's Patch Tuesday and of course we'll have to start with what Microsoft had to offer today. It was a bit less than normal. We had 58 total vulnerabilities being patched. Now seven of these vulnerabilities are Chromium vulnerabilities and as such they affect Microsoft's Brave browser, and 51 vulnerabilities are sort of your classic Microsoft vulnerabilities. Only one of these vulnerabilities is rated critical, and then we had one vulnerability that had been disclosed before.

0:48

The disclosed vulnerability has actually been around for a while. It was first made public in February. A number of German researchers did publish a paper and they called it KeyTrap. It's a DNSSEC denial of service vulnerability. Nothing really all that outrageous and major. It did affect most DNS implementations, not just Microsoft's DNS implementation, and Microsoft now finally got around to actually fixing this vulnerability.

1:20

The one critical vulnerability affects the Microsoft Message Queuing service. This has been a service that has had issues in the past. Port 1801 TCP is how you reach this service. It can be a little bit of a tricky one according to some because, well, there's a lot of third-party services that often use this service. So that may make it a little bit more difficult to figure out where it's actually being used in your environment. Port 1801 shouldn't really be open for inbound traffic into your environment. So that should certainly help here with mitigation. We do see quite a good number. It's not sort of a top port as far as the port scanning goes that we detect, but there is sort of what I refer to as a background hum, where you have sort of a consistent background noise of hits to port 1801. Probably need to take a closer look to see what exactly they're looking for, if they're looking for this Microsoft Message Queuing or something else.

2:28

Other than that, you got your usual remote code executions in Office products, some kernel privilege escalation vulnerabilities. So in short, apply these patches as usual. Nothing that needs sort of specific escalation here. Just follow your standard patch procedure. And just in case you wonder about Adobe: didn't see any patches being announced from Adobe today.

2:59

And JetBrains fixed a vulnerability that does affect all of its IntelliJ-based products. IntelliJ is sort of a generic Java-based IDE, and most JetBrains products, their PhpStorm, PyStorm and all of these products, do include IntelliJ or are based around IntelliJ. The problem here is that the GitHub integration actually leaks the access credentials to GitHub if you are making a pull request from a malicious repository. In order to be vulnerable, you need to actually issue the pull request from the IDE itself. Many people, I know myself, find it a little bit more convenient to do it from the command line versus from the IDE. So that's required in order to trigger the vulnerability. It does affect both OAuth as well as personal access tokens. If you are worried about possibly having exposed them, you need to revoke those credentials and create new ones.

4:07

And yes, we do have another Veeam authentication bypass vulnerability, this time affecting the Veeam Recovery Orchestrator or VRO. In order to exploit the vulnerability, an attacker needs to know the exact username and role of the account that they are trying to impersonate. This sounds very much like the vulnerability actually covered yesterday. I double-checked: it's a different CVE number, so maybe similar or same vulnerability, just in a slightly different Veeam product.

4:45

Finally, sort of one of those fun IoT vulnerabilities. IBM's X-Force has a blog with details regarding a couple of vulnerabilities in Precor treadmills. One of the more severe ones is an exposed SSH key pair that would allow someone root-level access to three versions of the console. And with that, an attacker could also affect the functionality of the treadmill, like for example causing a sudden stop, which of course could have possible safety implications.

5:22

Well, this is it for today. Thanks for listening. Thanks for liking, and special thanks to anybody who ever left a good comment about this podcast. So, thanks and talk to you again tomorrow. Bye.
